[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] Add PAM support
|
From: |
Steve McIntyre |
|
Subject: |
[PATCH] Add PAM support |
|
Date: |
Tue, 16 Oct 2001 16:10:41 +0100 |
|
User-agent: |
Mutt/1.3.22i |
The patch here adds PAM support to CVS, so it now works for us in an
all-PAM (LDAP) environment:
--- cvs-1.11.1p1/src/Makefile.in Tue Oct 16 14:51:45 2001
+++ cvs-steve/src/Makefile.in Tue Oct 16 15:10:50 2001
@@ -180,7 +180,7 @@
cvs_LDADD = \
../diff/libdiff.a \
../lib/libcvs.a \
- -lz \
+ -lz -ldl -lpam \
version.o
cvs_EXTRA_DIST = version.c
diff -ur cvs-1.11.1p1/src/server.c cvs-steve/src/server.c
--- cvs-1.11.1p1/src/server.c Tue Oct 16 14:51:45 2001
+++ cvs-steve/src/server.c Tue Oct 16 14:56:16 2001
@@ -16,6 +16,13 @@
#include "getline.h"
#include "buffer.h"
+#define HAVE_PAM
+
+#ifdef HAVE_PAM
+#include <security/pam_misc.h>
+#include <security/pam_appl.h>
+#endif
+
#if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
# ifdef HAVE_GSSAPI
/* This stuff isn't included solely with SERVER_SUPPORT since some of these
@@ -5529,6 +5536,106 @@
return retval;
}
+#ifdef HAVE_PAM
+/* The callback function that the pam modules will use to talk to
+ us. Modelled closely on the misc_conv module of Linux-PAM. This
+ blatantly subverts one of the principles of PAM - PAM is meant to
+ handle all the password work. Bu this does the job and means I can
+ transition to LDAP right now. */
+int cvs_conv(int num_msg, const struct pam_message **msgm,
+ struct pam_response **response, void *appdata_ptr)
+{
+ int count=0;
+ struct pam_response *reply;
+
+ if (num_msg <= 0)
+ return PAM_CONV_ERR;
+
+ reply = (struct pam_response *) calloc(num_msg,
+ sizeof(struct pam_response));
+ if (reply == NULL)
+ return PAM_CONV_ERR;
+
+ for (count=0; count < num_msg; ++count)
+ {
+ char *string=NULL;
+
+ switch (msgm[count]->msg_style)
+ {
+ case PAM_PROMPT_ECHO_OFF:
+ case PAM_PROMPT_ECHO_ON:
+ string = (char *)appdata_ptr;
+ break;
+ default:
+ break;
+ }
+
+ if (string) /* must add to reply array */
+ {
+ /* add string to list of responses */
+ reply[count].resp_retcode = 0;
+ reply[count].resp = string;
+ string = NULL;
+ }
+ }
+
+ *response = reply;
+ reply = NULL;
+
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+ cvs_conv,
+ NULL
+};
+
+/* Modelled very closely on the example code in "The Linux-PAM
+ Application Developers' Guide" by Andrew G. Morgan. */
+static int
+check_pam_password (username, password, repository, host_user_ptr)
+ char *username, *password, *repository, **host_user_ptr;
+{
+ pam_handle_t *pamh=NULL;
+ int retval;
+ int rc = 0;
+
+ conv.appdata_ptr = password;
+
+ retval = pam_start("cvs", username, &conv, &pamh);
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate(pamh, 0); /* is user really user? */
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
+
+ /* This is where we have been authorized or not. */
+
+ switch(retval)
+ {
+ case PAM_SUCCESS:
+ *host_user_ptr = xstrdup(username);
+ rc = 1;
+ break;
+ case PAM_AUTH_ERR:
+ *host_user_ptr = NULL;
+ rc = 2;
+ break;
+ default:
+ *host_user_ptr = NULL;
+ rc = 0;
+ break;
+ }
+
+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close PAM */
+ pamh = NULL;
+ fprintf(stderr, "failed to release authenticator\n");
+ }
+
+ return rc; /* indicate success */
+}
+#endif /* HAVE_PAM */
/* Return a hosting username if password matches, else NULL. */
static char *
--
Steve McIntyre, Allstor Software smcintyr@allstor-sw.co.uk
<a href=http://www.chiark.greenend.org.uk/~stevem/>My home page</a>
"Can't keep my eyes from the circling sky,
"Tongue-tied & twisted, Just an earth-bound misfit, I..."
- [PATCH] Add PAM support,
Steve McIntyre <=