[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pam-smb
Subject:    Re: [Pam_smb] pam_smb and cvs pserver
From:       Steve McIntyre <smcintyre () software ! plasmon ! com>
Date:       2002-06-06 15:59:14
[Download RAW message or body]

On Thu, Jun 06, 2002 at 08:39:23AM -0700, Garg, Pankaj K. wrote:
>
> I've been using CVS with PAM and pam_smb for some time now in a production
>environment here at HP with good success.
>
> The stock CVS distributions do not support PAM. Steve McIntyre,
>(smcintyre@software.plasmon.com), cc'd on this message, has created
>a patch for CVS V1.11.1.1 do add PAM support. This patch used to be
>distributed at www.cvshome.org, but I haven't checked lately. Steve
>can tell us where to obtain his latest patch.
>
> If he is not available for some reason, let me know and I'll dig
>out his patch and send it to you.

Attached here. I haven't had the time lately to work on it any more to
get it into the stock CVS release, and it needs more testing, but here
it is.

-- 
Steve McIntyre, Plasmon                      smcintyre@software.plasmon.com
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles. --- Anthony DeBoer

["cvs-pam.diff" (text/plain)]

--- cvs-1.11.1p1.orig/src/Makefile.in
+++ cvs-1.11.1p1/src/Makefile.in
@@ -180,7 +180,7 @@
 cvs_LDADD = \
 	../diff/libdiff.a \
 	../lib/libcvs.a \
-	../zlib/libz.a \
+	-lz -ldl -lpam \
 	version.o
 
 cvs_EXTRA_DIST = version.c
--- cvs-1.11.1p1.orig/src/server.c
+++ cvs-1.11.1p1/src/server.c
@@ -16,6 +16,13 @@
 #include "getline.h"
 #include "buffer.h"
 
+#define HAVE_PAM
+
+#ifdef HAVE_PAM
+#include <security/pam_misc.h>
+#include <security/pam_appl.h>
+#endif
+
 #if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
 # ifdef HAVE_GSSAPI
 /* This stuff isn't included solely with SERVER_SUPPORT since some of these
@@ -5526,6 +5536,106 @@
     return retval;
 }
 
+#ifdef HAVE_PAM
+/* The callback function that the pam modules will use to talk to
+   us. Modelled closely on the misc_conv module of Linux-PAM. This
+   blatantly subverts one of the principles of PAM - PAM is meant to
+   handle all the password work. Bu this does the job and means I can
+   transition to LDAP right now. */
+int cvs_conv(int num_msg, const struct pam_message **msgm,
+	     struct pam_response **response, void *appdata_ptr)
+{
+    int count=0;
+    struct pam_response *reply;
+
+    if (num_msg <= 0)
+	return PAM_CONV_ERR;
+    
+    reply = (struct pam_response *) calloc(num_msg,
+					   sizeof(struct pam_response));
+    if (reply == NULL)
+	return PAM_CONV_ERR;
+    
+    for (count=0; count < num_msg; ++count) 
+    {
+	char *string=NULL;
+
+	switch (msgm[count]->msg_style) 
+	{
+	    case PAM_PROMPT_ECHO_OFF:
+	    case PAM_PROMPT_ECHO_ON:
+		string = (char *)appdata_ptr;
+		break;
+	    default:
+		break;
+	}
+
+	if (string) /* must add to reply array */
+	{   
+	    /* add string to list of responses */    
+	    reply[count].resp_retcode = 0;
+	    reply[count].resp = string;
+	    string = NULL;
+	}
+    }
+
+    *response = reply;
+    reply = NULL;
+
+    return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+    cvs_conv,
+    NULL
+};
+
+/* Modelled very closely on the example code in "The Linux-PAM
+   Application Developers' Guide" by Andrew G. Morgan. */
+static int
+check_pam_password (username, password, repository, host_user_ptr)
+     char *username, *password, *repository, **host_user_ptr;
+{
+    pam_handle_t *pamh=NULL;
+    int retval;
+    int rc = 0;
+
+    conv.appdata_ptr = password;
+
+    retval = pam_start("cvs", username, &conv, &pamh);
+
+    if (retval == PAM_SUCCESS)
+	retval = pam_authenticate(pamh, 0);    /* is user really user? */
+
+    if (retval == PAM_SUCCESS)
+	retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */
+
+    /* This is where we have been authorized or not. */
+
+    switch(retval)
+    {
+	case PAM_SUCCESS:
+	    *host_user_ptr = xstrdup(username);
+	    rc = 1;
+	    break;
+	case PAM_AUTH_ERR:
+	    *host_user_ptr = NULL;
+	    rc = 2;
+	    break;
+	default:
+	    *host_user_ptr = NULL;
+	    rc = 0;
+	    break;
+    }
+    
+    if (pam_end(pamh,retval) != PAM_SUCCESS) {     /* close PAM */
+	pamh = NULL;
+	fprintf(stderr, "failed to release authenticator\n");
+    }
+
+    return rc;       /* indicate success */
+}
+#endif /* HAVE_PAM */
 
 /* Return a hosting username if password matches, else NULL. */
 static char *
@@ -5552,6 +5662,24 @@
         /* host_user already set by reference, so just return. */
         goto handle_return;
     }
+
+#ifdef HAVE_PAM
+    else if(rc == 0 && system_auth)
+    {
+	rc = check_pam_password (username, password, repository,
+				 &host_user);
+	if (rc == 2)
+	    return NULL;
+	
+	/* else */
+	
+	if (rc == 1)
+	{
+	    /* host_user already set by reference, so just return. */
+	    goto handle_return;
+	}
+    }
+#else /* HAVE_PAM */
     else if (rc == 0 && system_auth)
     {
 	/* No cvs password found, so try /etc/passwd. */
@@ -5613,6 +5741,7 @@
             goto handle_return;
         }
     }
+#endif /* HAVE_PAM */
     else if (rc == 0)
     {
 	/* Note that the message _does_ distinguish between the case in

_______________________________________________
Pam_smb mailing list
Pam_smb@csn.ul.ie
http://mailman.csn.ul.ie/mailman/listinfo.cgi/pam_smb

[prev in list] [next in list] [prev in thread] [next in thread]