[SCM] GNU shishi branch, master, updated. shishi-1-0-2-9-gefd918c


From: Mats Erik Andersson
Subject: [SCM] GNU shishi branch, master, updated. shishi-1-0-2-9-gefd918c
Date: Fri, 12 Apr 2013 17:33:54 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU shishi".

http://git.savannah.gnu.org/cgit/shishi.git/commit/?id=efd918c3b905383e9289cc1461dd808bf2128b70

The branch, master has been updated
       via  efd918c3b905383e9289cc1461dd808bf2128b70 (commit)
      from  d2c4bdeae6a64dfa647fd4e495ee12789b7c141b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit efd918c3b905383e9289cc1461dd808bf2128b70
Author: Mats Erik Andersson <address@hidden>
Date:   Fri Apr 12 19:25:20 2013 +0200

    pam_shishi: Three module options.
    
    Implement options 'debug', 'realm=', and 'principal='
    for service control in authentication facility.
    Add minimal syslog trace for Linux-PAM and OpenPAM.

-----------------------------------------------------------------------

Summary of changes:
 configure.ac                  |    7 ++-
 extra/pam_shishi/pam_shishi.c |  118 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 120 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index b3f92f4..4abb553 100644
--- a/configure.ac
+++ b/configure.ac
@@ -115,9 +115,12 @@ AM_CONDITIONAL(ENABLE_SHISHID, test "$ac_cv_search_syslog" 
!= "no")
 AC_ARG_ENABLE(pam,
   AC_HELP_STRING([--disable-pam], [Don't use PAM even if available]))
 if test "$enable_pam" != "no"; then
-       AC_CHECK_HEADERS(security/pam_appl.h)
-       AC_CHECK_HEADERS(security/pam_modules.h, [], [],
+       AC_CHECK_HEADERS([security/pam_appl.h security/pam_ext.h])
+       AC_CHECK_HEADERS([security/pam_modules.h security/openpam.h], [], [],
        [
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
 #if HAVE_SECURITY_PAM_APPL_H
 #include <security/pam_appl.h>
 #endif
diff --git a/extra/pam_shishi/pam_shishi.c b/extra/pam_shishi/pam_shishi.c
index 28422a3..0fa7ffe 100644
--- a/extra/pam_shishi/pam_shishi.c
+++ b/extra/pam_shishi/pam_shishi.c
@@ -29,6 +29,7 @@
 # include <stdlib.h>
 # include <stdarg.h>
 # include <ctype.h>
+# include <string.h>
 #endif
 
 #include <shishi.h>
@@ -39,6 +40,10 @@
 #define PAM_SM_SESSION
 #define PAM_SM_PASSWORD
 
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
 #ifdef HAVE_SECURITY_PAM_APPL_H
 # include <security/pam_appl.h>
 #endif
@@ -46,6 +51,16 @@
 # include <security/pam_modules.h>
 #endif
 
+#ifdef HAVE_SECURITY_PAM_EXT_H
+# include <syslog.h>
+# include <security/pam_ext.h>
+# define SHISHI_LINUXPAM_LOGGING 1
+#endif
+#ifdef HAVE_SECURITY_OPENPAM_H
+# include <security/openpam.h>
+# define SHISHI_OPENPAM_LOGGING 1
+#endif
+
 #if defined DEBUG_PAM && defined HAVE_SECURITY__PAM_MACROS_H
 # define DEBUG
 # include <security/_pam_macros.h>
@@ -61,6 +76,30 @@
 # define PAM_EXTERN
 #endif /* !PAM_EXTERN */
 
+/* Flagging of options.  */
+static int opt_debug;
+static const char *opt_principal = NULL;
+static const char *opt_realm = NULL;
+
+static char *servername = NULL;
+static char *principal = NULL;
+
+void
+parse_argv (int argc, const char **argv)
+{
+  int i;
+
+  for (i = 0; i < argc; i++)
+    {
+      if (!strcmp ("debug", argv[i]))
+       opt_debug++;
+      else if (!strncmp ("principal=", argv[i], strlen ("principal=")))
+       opt_principal = argv[i] + strlen ("principal=");
+      else if (!strncmp ("realm=", argv[i], strlen ("realm=")))
+       opt_realm = argv[i] + strlen ("realm=");
+    }
+}
+
 PAM_EXTERN int
 pam_sm_authenticate (pam_handle_t * pamh,
                     int flags, int argc, const char **argv)
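Review bot: parse_argv only ever sets opt_debug, opt_principal and opt_realm and never clears them, yet all three are file-scope statics, so the options of one pam_sm_authenticate call carry over into later calls in the same process: a second stack entry configured without `principal=` inherits the previous entry's value, `opt_debug++` keeps counting up, and opt_principal keeps pointing into an argv that presumably belongs to an earlier pam handle. Reset them on entry to the function: `opt_debug = 0; opt_principal = NULL; opt_realm = NULL;`. parse_argv also lacks `static`, so it is exported from the module's shared object; `static void parse_argv (int argc, const char **argv)` keeps it out of the global namespace. The same persistence concern applies to the `principal` and `servername` statics declared just above it, which later hunks rely on.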
@@ -68,9 +107,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
   Shishi *h = NULL;
   Shishi_key *key = NULL;
   Shishi_tkt *tkt = NULL;
+  Shishi_tkts_hint hint;
   int retval, rc;
   const char *user = NULL;
   const char *password = NULL;
+  char *realm = NULL;
   int i;
   struct pam_conv *conv;
   struct pam_message *pmsg[1], msg[1];
@@ -82,6 +123,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
   for (i = 0; i < argc; i++)
     D (("argv[%d]=%s", i, argv[i]));
 
+  parse_argv (argc, argv);
+
   rc = shishi_init (&h);
   if (rc != SHISHI_OK)
     {
@@ -91,6 +134,29 @@ pam_sm_authenticate (pam_handle_t * pamh,
       goto done;
     }
 
+  /* Extract overriding realm setting.  */
+  if (opt_realm && *opt_realm)
+    shishi_realm_default_set (h, opt_realm);
+
+  /* Extract overriding host principal name.  */
+  if (opt_principal && *opt_principal)
+    {
+      rc = shishi_parse_name (h, opt_principal, &principal, &realm);
+      if (rc != SHISHI_OK)
+       {
+         D (("Could not parse name: %s\n", shishi_strerror (rc)));
+         retval = PAM_AUTHINFO_UNAVAIL;
+         goto done;
+       }
+
+      /* The present REALM is allowed to override OPT_REALM.
+       * PRINCIPAL is available for later use in the ticket.
+       */
+      if (realm && *realm)
+       shishi_realm_default_set (h, realm);
+    }
+
+  /* Detect the calling user client.  */
   retval = pam_get_user (pamh, &user, NULL);
   if (retval != PAM_SUCCESS)
     {
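Review bot: The `realm` and `principal` strings filled in by shishi_parse_name are never released: `realm` is a local that is simply dropped after the shishi_realm_default_set call, and `principal` is a file-scope static that is neither freed nor reset before being overwritten. If shishi_parse_name hands back newly allocated strings, as its use here suggests (the code later strdup's `principal` rather than adopting it and frees nothing), that is a leak on every authentication, and the stale `principal` survives into later calls configured without `principal=`, where it still drives the server-name override. Free `realm` as soon as it has been applied, `free (realm); realm = NULL;`, and clear the static before parsing, `free (principal); principal = NULL;`. The function continues past this hunk, and the `done:` label it jumps to is outside it.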
@@ -101,6 +167,17 @@ pam_sm_authenticate (pam_handle_t * pamh,
 
   shishi_principal_default_set (h, user);
 
+  if (opt_debug)
+    {
+#if defined SHISHI_LINUXPAM_LOGGING
+      pam_syslog (pamh, LOG_INFO, "Request from address@hidden'.",
+                 shishi_principal_default (h), shishi_realm_default (h));
+#elif defined SHISHI_OPENPAM_LOGGING
+      openpam_log (PAM_LOG_VERBOSE, "Request from address@hidden'.",
+                  shishi_principal_default (h), shishi_realm_default (h));
+#endif
+    }
+
   retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
   if (retval != PAM_SUCCESS)
     {
@@ -147,23 +224,58 @@ pam_sm_authenticate (pam_handle_t * pamh,
        }
     }
 
-  tkt = shishi_tkts_get_for_localservicepasswd (shishi_tkts_default (h),
-                                               "host", password);
+  /* Is the service name "host" being overridden?  */
+  if (principal && *principal && strchr (principal, '/'))
+    {
+      servername = strdup (principal);
+      if (!servername)
+       {
+         retval = PAM_BUF_ERR;
+         D (("failed at duplicating name: %s", principal));
+         goto done;
+       }
+    }
+
+  if (!servername)
+    servername= shishi_server_for_local_service (h, "host");
+
+  memset (&hint, 0, sizeof (hint));
+  hint.client = (char *) shishi_principal_default (h);
+  hint.server = servername;
+  hint.passwd = (char *) password;
+
+  tkt = shishi_tkts_get (shishi_tkts_default (h), &hint);
   if (tkt == NULL)
     {
+      free (servername);
       D (("TGS exchange failed: %s\n", shishi_error (h)));
       retval = PAM_AUTHINFO_UNAVAIL;
       goto done;
     }
 
-  key = shishi_hostkeys_for_localservice (h, "host");
+  key = shishi_hostkeys_for_serverrealm (h, servername,
+                                        shishi_realm_default (h));
   if (key == NULL)
     {
+      free (servername);
       D (("Key not found: %s\n", shishi_error (h)));
       retval = PAM_AUTHINFO_UNAVAIL;
       goto done;
     }
 
+  if (opt_debug)
+    {
+#if defined SHISHI_LINUXPAM_LOGGING
+      pam_syslog (pamh, LOG_INFO, "Requested server address@hidden'.",
+                 servername, shishi_realm_default (h));
+#elif defined SHISHI_OPENPAM_LOGGING
+      openpam_log (PAM_LOG_VERBOSE, "Requested server address@hidden'.",
+                 servername, shishi_realm_default (h));
+#endif
+    }
+
+  free (servername);
+
   rc = shishi_tkt_decrypt (tkt, key);
   if (rc != SHISHI_OK)
     {
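Review bot: `servername` is freed on the three paths in this hunk but is a file-scope static that is never set back to NULL, so on the next pam_sm_authenticate call in the same process the `if (!servername)` test before the hint is built sees the dangling pointer from the previous call, passes it as the server name to the TGS request and the host-key lookup, and frees it again — a use-after-free and double free on the second authentication, unless that call also takes the strdup branch. Either make `servername` a local of pam_sm_authenticate (nothing outside the function reads it in this diff) or write `free (servername); servername = NULL;` at each of the three sites. The repeated early-exit frees also argue for one cleanup at the `done:` label, which lies outside this hunk along with the rest of the function. Whether shishi_server_for_local_service returns an allocated string that the caller must free is not visible here; the commit treats it that way.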


hooks/post-receive
-- 
GNU shishi


