From odip@bionet.nsc.ru  Tue Aug 22 14:40:28 2006
Return-Path: <odip@bionet.nsc.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 83E8716A4DA
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 22 Aug 2006 14:40:28 +0000 (UTC)
	(envelope-from odip@bionet.nsc.ru)
Received: from manticore.bionet.nsc.ru (manticore.bionet.nsc.ru [84.237.118.164])
	by mx1.FreeBSD.org (Postfix) with SMTP id A2C3F43D5A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 22 Aug 2006 14:40:26 +0000 (GMT)
	(envelope-from odip@bionet.nsc.ru)
Received: by manticore.bionet.nsc.ru (Postfix, from userid 1001)
	id 8D3CF21846; Tue, 22 Aug 2006 21:40:24 +0700 (NOVST)
Message-Id: <20060822144024.8D3CF21846@manticore.bionet.nsc.ru>
Date: Tue, 22 Aug 2006 21:40:24 +0700 (NOVST)
From: Dmitry A Grigorovich <odip@bionet.nsc.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] kernel pppd don't using pam
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         102390
>Category:       kern
>Synopsis:       [pppd] [patch] kernel pppd don't using pam
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 22 14:50:10 GMT 2006
>Closed-Date:    Fri Jul 29 07:59:10 UTC 2011
>Last-Modified:  Fri Jul 29 07:59:10 UTC 2011
>Originator:     Dmitry A Grigorovich
>Release:        FreeBSD 5.5-RELEASE-p2 i386
>Organization:
ICiG SB RAS, Russia
>Environment:
System: FreeBSD ogre.bionet.nsc.ru 5.5-RELEASE-p2 FreeBSD 5.5-RELEASE-p2

>Description:

When I tried to use LDAP for pppd authentication, I found that
kernel pppd in FreeBSD does not use PAM!

Scanning the sources of pppd confirms this conclusion.

>How-To-Repeat:

Install an LDAP server.
Configure your computer for LDAP authentication:
use pam_ldap, nss_ldap and /etc/nsswitch.conf.
Create the file /etc/pam.d/ppp:

#### BOF /etc/pam.d/ppp ####

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
session         required        pam_permit.so

#### EOF ####

LDAP authentication works for sshd and ftpd,
but fails for pppd!

>Fix:

Patch and rebuild pppd:
cd /usr/src
patch </path/pppd-pam.patch
cd /usr/src/usr.sbin/pppd
make obj && make depend && make && make install
make clean

Restart pppd.
Now pppd works with PAM!

--- pppd-pam.patch begins here ---
--- usr.sbin/pppd/Makefile.orig	Mon Sep 19 23:11:54 2005
+++ usr.sbin/pppd/Makefile	Mon Sep 19 23:22:27 2005
@@ -11,10 +11,10 @@
 BINOWN=	root
 BINGRP=	dialer
 
-CFLAGS+= -DHAVE_PATHS_H
+CFLAGS+= -DHAVE_PATHS_H -DUSE_PAM
 
 DPADD=	${LIBCRYPT} ${LIBUTIL} ${LIBMD}
-LDADD=	-lcrypt -lutil -lmd
+LDADD=	-lcrypt -lutil -lmd -lpam
 
 # Support SPX/IPX - not quite ready
 #CFLAGS+= -DIPX_CHANGE
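Review bot: LDADD gains -lpam, but the DPADD line directly above it still lists only ${LIBCRYPT} ${LIBUTIL} ${LIBMD}, so the build does not track libpam as a dependency; add ${LIBPAM} to DPADD to match. -DUSE_PAM is also added to CFLAGS unconditionally, which makes PAM a hard requirement for every build of pppd. Consider putting both additions behind a build option, and document that a PAM policy file for the service (the report uses /etc/pam.d/ppp) must be present once this is enabled.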
--- usr.sbin/pppd/auth.c.orig	Sun Oct 26 12:01:06 2003
+++ usr.sbin/pppd/auth.c	Mon Sep 19 23:25:18 2005
@@ -771,11 +771,7 @@
 static char *PAM_username = "";
 static char *PAM_password = "";
 
-#ifdef PAM_ESTABLISH_CRED       /* new PAM defines :(^ */
 #define MY_PAM_STRERROR(err_code)  (char *) pam_strerror(pamh,err_code)
-#else
-#define MY_PAM_STRERROR(err_code)  (char *) pam_strerror(err_code)
-#endif
 
 static int pam_conv (int num_msg,
                      const struct pam_message **msg,
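Review bot: the remaining MY_PAM_STRERROR definition now always uses the two-argument pam_strerror(pamh,err_code), but neither the patch nor the report says why the PAM_ESTABLISH_CRED test and the one-argument fallback are removed. State the reason in the description (presumably the test does not select the right form with the base system's PAM headers) so a later reader does not restore the conditional. The macro also relies on a variable named pamh being in scope at every use, and the (char *) cast discards the const qualifier on pam_strerror's return value; while this line is being touched, consider dropping the cast.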
--- pppd-pam.patch ends here ---


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Fri Jul 29 07:58:54 UTC 2011 
State-Changed-Why:  
pppd(8) was removed from the base a long time ago.

http://www.freebsd.org/cgi/query-pr.cgi?pr=102390 
>Unformatted:
