Extend "default authentication", and make it usable to PAM parameter.
Showing
with
134 additions
and 0 deletions.
6
debian/changelog
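--- a/debian/patches/0001-Extend-default-authentication-and-make-it-usable-PAM.patch
+++ b/debian/patches/0001-Extend-default-authentication-and-make-it-usable-PAM.patch
@@ -0,0 +1,127 @@
+From: Kouhei Maeda <mkouhei@palmtb.net>
+Date: Sun, 27 Oct 2013 23:54:14 +0900
+Subject: Extend "default authentication", and make it usable PAM for
+ parameters.
+
+Signed-off-by: Kouhei Maeda <mkouhei@palmtb.net>
+---
+ config.c | 20 ++++++++++++++++++++
+ default_fn.c | 11 +++++++++--
+ pwlib.c | 21 ++++++++++++++++++---
+ tac_plus.h | 7 +++++++
+ 4 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/config.c b/config.c
+index 10aa9da..40bf975 100644
+--- a/config.c
++++ b/config.c
+@@ -783,10 +783,30 @@ parse_decls()
+ }
+ parse(S_authentication);
+ parse(S_separator);
++#if HAVE_PAM
++ if (sym_code == S_pam) {
++ parse(S_pam);
++ authen_default = tac_strdup(sym_buf);
++ default_authen_type = TAC_PLUS_DEFAULT_AUTHEN_TYPE_PAM;
++ continue;
++ } else if (sym_code == S_file) {
++ parse(S_file);
++ authen_default = tac_strdup(sym_buf);
++ default_authen_type = TAC_PLUS_DEFAULT_AUTHEN_TYPE_FILE;
++ sym_get();
++ continue;
++ } else {
++ parse_error("not support value defined authentication default on "
++ "line %d", sym_line);
++ return(1);
++ }
++#else
+ parse(S_file);
+ authen_default = tac_strdup(sym_buf);
++ default_authen_type = TAC_PLUS_DEFAULT_AUTHEN_TYPE_FILE;
+ sym_get();
+ continue;
++#endif
+
+ case S_authorization:
+ parse(S_authorization);
+diff --git a/default_fn.c b/default_fn.c
+index dc1be81..e40d522 100644
+--- a/default_fn.c
++++ b/default_fn.c
+@@ -245,6 +245,14 @@ tac_login(struct authen_data *data, struct private_data *p)
+ /* Do we have a password? */
+ passwd = p->password;
+
++#if HAVE_PAM
++ cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE);
++ if ((cfg_passwd == NULL) && (!passwd[0])) {
++ verify(name, passwd, data, TAC_PLUS_RECURSE);
++ return;
++ }
++#endif
++
+ if (!passwd[0]) {
+ /*
+ * no password yet. Either we need to ask for one and expect to get
+@@ -274,8 +282,7 @@ tac_login(struct authen_data *data, struct private_data *p)
+ }
+ #if HAVE_PAM
+ /* if the authen method is PAM, let PAM prompt for the password */
+- if ((cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE))
+- != NULL) {
++ if (cfg_passwd != NULL) {
+ if (strcmp(cfg_passwd, "PAM") == 0)
+ break;
+ }
+diff --git a/pwlib.c b/pwlib.c
+index 03723c9..7e3cab0 100644
+--- a/pwlib.c
++++ b/pwlib.c
+@@ -136,9 +136,24 @@ verify(char *name, char *passwd, struct authen_data *data, int recurse)
+ * has been issued, attempt to use this password file
+ */
+ if (!cfg_passwd) {
+- char *file = cfg_get_authen_default();
+- if (file) {
+- return(passwd_file_verify(name, passwd, data, file));
++ if (default_authen_type == TAC_PLUS_DEFAULT_AUTHEN_TYPE_FILE) {
++ char *file = cfg_get_authen_default();
++ if (file) {
++ return(passwd_file_verify(name, passwd, data, file));
++ }
++#if HAVE_PAM
++ } else if (default_authen_type == TAC_PLUS_DEFAULT_AUTHEN_TYPE_PAM) {
++ /* try to verify the password via PAM */
++ if (!pam_verify(name, passwd)) {
++ data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
++ return(0);
++ } else
++ data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
++
++ exp_date = cfg_get_expires(name, recurse);
++ set_expiration_status(exp_date, data);
++ return(data->status == TAC_PLUS_AUTHEN_STATUS_PASS);
++#endif
+ }
+
+ /* otherwise, we fail */
+diff --git a/tac_plus.h b/tac_plus.h
+index c7f791c..4b638e9 100644
+--- a/tac_plus.h
++++ b/tac_plus.h
+@@ -307,6 +307,13 @@ extern struct timeval started_at;
+ extern char *wtmpfile;
+ extern int wtmpfd;
+
++/* extend default authentication */
++int default_authen_type;
++#define TAC_PLUS_DEFAULT_AUTHEN_TYPE_FILE 1
++#if HAVE_PAM
++#define TAC_PLUS_DEFAULT_AUTHEN_TYPE_PAM 2
++#endif
++
+ #define HASH_TAB_SIZE 157 /* user and group hash table sizes */
+
+ typedef struct tac_plus_pak_hdr HDR;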
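Review bot: The early `verify()` call added to tac_login (the `#if HAVE_PAM` block right after `passwd = p->password;`) fires whenever the user has no per-user login secret and no password has arrived yet, regardless of which default authentication type was configured, so a `default authentication = file ...` configuration on a PAM-enabled build is checked against an empty password instead of reaching the `if (!passwd[0])` prompt that follows; gate it on the type as well, `if ((cfg_passwd == NULL) && (!passwd[0]) && (default_authen_type == TAC_PLUS_DEFAULT_AUTHEN_TYPE_PAM)) {` (this assumes passwd_file_verify rejects an empty password rather than prompting, which is not visible here). Separately, the tac_plus.h hunk places `int default_authen_type;` as a tentative definition in a header, which is duplicated in every translation unit that includes it and only links because common symbols are merged under -fcommon; make it `extern int default_authen_type;` there and define it once in config.c next to authen_default. In the config.c hunk the S_pam branch copies the token following `pam` into authen_default without consuming it, unlike the S_file branch which calls `sym_get()`, so that copied value is presumably never meaningful for PAM and the intended syntax is worth confirming. Both tac_login and verify() start and end outside their hunks, so the declaration of `exp_date` and `cfg_passwd` used here is assumed to exist earlier in those functions.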
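--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Extend-default-authentication-and-make-it-usable-PAM.patch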
0 comments on commit
1c4a929