pam-multi-cell-support-20020725

"will let you do
something like:

auth optional   /lib/security/pam_afs.so cell other-cell.domain.net
auth sufficient /lib/security/pam_afs.so try_first_pass refresh_token \
	cell main-cell.domain.net
auth required   /lib/security/pam_unix.so

You need to specify "refresh_token" the second time you call it to prevent
it from getting a second PAG and making your first token useless.

Or, you can just use it once to authenticate to a cell other than what's
in /usr/vice/etc/ThisCell.  Not specifying the "cell" argument causes the
expected behavior of authenticating against the local cell."
This commit is contained in:
Charles Clancy 2002-07-26 06:56:04 +00:00 committed by Derrick Brashear
parent 2ee7d7e0fb
commit 77efb238b1
5 changed files with 35 additions and 12 deletions


@ -47,6 +47,7 @@ pam_sm_authenticate(
int ignore_uid = 0;
uid_t ignore_uid_id = 0;
char my_password_buf[256];
char *cell_ptr=NULL;
/*
* these options are added to handle stupid apps, which won't call
* pam_set_cred()
@ -109,6 +110,14 @@ pam_sm_authenticate(
pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
}
}
} else if (strcasecmp(argv[i], "cell") == 0) {
i++;
if (i == argc) {
pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
} else {
cell_ptr=argv[i];
pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
}
} else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
refresh_token = 1;
} else if (strcasecmp(argv[i], "set_token" ) == 0) {
@ -280,9 +289,9 @@ try_auth:
*/
if (use_klog) { /* used by kdm 2.x */
if (refresh_token || set_token) {
i = do_klog(user, password, NULL);
i = do_klog(user, password, NULL, cell_ptr);
} else {
i = do_klog(user, password, "00:00:01");
i = do_klog(user, password, "00:00:01", cell_ptr);
ktc_ForgetAllTokens();
}
if (logmask && LOG_MASK(LOG_DEBUG))
@ -299,7 +308,7 @@ try_auth:
code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
user, /* kerberos name */
(char *)0, /* instance */
(char *)0, /* realm */
cell_ptr, /* realm */
password, /* password */
0, /* default lifetime */
&password_expires,
@ -309,7 +318,7 @@ try_auth:
code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
user, /* kerberos name */
(char *)0, /* instance */
(char *)0, /* realm */
cell_ptr, /* realm */
password, /* password */
0, /* spare 2 */
&reason /* error string */ );
@ -350,7 +359,7 @@ try_auth:
code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
user, /* kerberos name */
(char *)0, /* instance */
(char *)0, /* realm */
cell_ptr, /* realm */
password, /* password */
0, /* default lifetime */
&password_expires,
@ -360,7 +369,7 @@ try_auth:
code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
user, /* kerberos name */
(char *)0, /* instance */
(char *)0, /* realm */
cell_ptr, /* realm */
password, /* password */
0, /* spare 2 */
&reason /* error string */ );
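Review bot: The missing-argument branch of the new `cell` option reports the error through PAMAFS_OTHERCELL, whose fallback text in this commit is "Alternate cell name: %s", so syslog will show an alternate cell literally named "cell missing argument" and pam_sm_authenticate then carries on against the local cell as if no option had been given. A truncated `cell` option is a configuration error, and silently authenticating against a different cell than the administrator wrote is worse than refusing, so consider returning PAM_SERVICE_ERR there, or at least logging wording that names the problem rather than reusing the cell-name format, e.g. `pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "(none: cell option requires an argument)");`. The same parsing block is duplicated in pam_sm_setcred below and has the same issue. pam_sm_authenticate begins and ends outside these hunks.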


@ -85,6 +85,7 @@ static char *fallback_messages[] = {
"ka error, code=%d", /* 44: KAERROR */
"Passwords are not equal", /* 45: NE_PASSWORD */
"AFS ignoring unregistered user %s\n" /* 46: IGNORE_UNREG */
"Alternate cell name: %s\n", /* 47: OTHERCELL */
};
static int num_fallbacks = sizeof(fallback_messages)/sizeof(char *);
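Review bot: The OTHERCELL entry added here is not a separate array element: the preceding line `"AFS ignoring unregistered user %s\n" /* 46: IGNORE_UNREG */` has no trailing comma, so the two adjacent literals concatenate into a single element 46 reading "AFS ignoring unregistered user %s\nAlternate cell name: %s\n" and no element 47 exists. `num_fallbacks` is derived from the array, so PAMAFS_OTHERCELL (47 in the header hunk below) indexes one past the end unless pam_afs_message bounds-checks it, and every IGNORE_UNREG message now carries two `%s` conversions for one vararg, which is undefined behaviour in the formatter and can print or crash on whatever happens to be on the stack. The fix is the comma: `"AFS ignoring unregistered user %s\n", /* 46: IGNORE_UNREG */`.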


@ -57,7 +57,7 @@
#define PAMAFS_KAERROR 44 /* "ka error, code=%d" */
#define PAMAFS_NE_PASSWORD 45 /* "Passwords are not equal" */
#define PAMAFS_IGNORE_UNREG 46 /* "AFS ignoring unregistered user" */
#define PAMAFS_OTHERCELL 47 /* "Alternate cell name" */
char *pam_afs_message(int msgnum, int *freeit);
void pam_afs_syslog(int priority, int msgid, ...);


@ -57,6 +57,7 @@ pam_sm_setcred(
int i;
struct pam_conv *pam_convp = NULL;
char my_password_buf[256];
char *cell_ptr=NULL;
char sbuffer[100];
char *password = NULL;
int torch_password = 1;
@ -102,6 +103,14 @@ pam_sm_setcred(
pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
}
}
} else if (strcasecmp(argv[i], "cell") == 0) {
i++;
if (i == argc) {
pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
} else {
cell_ptr = argv[i];
pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
}
} else if (strcasecmp(argv[i], "no_unlog") == 0) {
no_unlog = 1;
} else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
@ -269,14 +278,14 @@ pam_sm_setcred(
if ( flags & PAM_REFRESH_CRED ) {
if (use_klog) {
auth_ok = ! do_klog(user, password, "00:00:01");
auth_ok = ! do_klog(user, password, "00:00:01", cell_ptr);
ktc_ForgetAllTokens();
} else {
if ( ka_VerifyUserPassword(
KA_USERAUTH_VERSION,
user, /* kerberos name */
(char *)0, /* instance */
(char *)0, /* realm */
cell_ptr, /* realm */
password, /* password */
0, /* spare 2 */
&reason /* error string */
@ -289,13 +298,13 @@ pam_sm_setcred(
}
if ( flags & PAM_ESTABLISH_CRED ) {
if (use_klog) auth_ok = ! do_klog(user, password, NULL);
if (use_klog) auth_ok = ! do_klog(user, password, NULL, cell_ptr);
else {
if ( ka_UserAuthenticateGeneral(
KA_USERAUTH_VERSION,
user, /* kerberos name */
(char *)0, /* instance */
(char *)0, /* realm */
cell_ptr, /* realm */
password, /* password */
0, /* default lifetime */
&password_expires,
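Review bot: The `cell` parser in this section duplicates the one added to pam_sm_authenticate line for line (only the spacing in `cell_ptr = argv[i]` differs), including its missing-argument handling, so any later fix to one has to be remembered in the other. Both entry points already walk the same option vector, so a shared helper in afs_util.c that parses argv once into a small options struct would keep them in step; this is a style point, not a behaviour change. pam_sm_setcred begins and ends outside these hunks.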


@ -91,7 +91,7 @@ char *cv2string(ttp, aval)
return tp;
}
int do_klog(const char* user, const char* password, const char* lifetime)
int do_klog(const char* user, const char* password, const char* lifetime, const char* cell_name)
{
pid_t pid;
int pipedes[2];
@ -117,6 +117,10 @@ int ret = 1;
argv[argc++] = "klog";
#endif
argv[argc++] = (char*)user;
if (cell_name) {
argv[argc++] = "-cell";
argv[argc++] = (char*)cell_name;
}
argv[argc++] = "-silent";
argv[argc++] = "-pipe";
if (lifetime != NULL) {
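Review bot: The two new `argv[argc++]` stores for `-cell` raise the maximum klog argument count by two, and the array they write into is declared before this hunk; if it is a fixed-size `char *argv[]` sized to the previous maximum, its bound has to grow as well, so please check the declaration. The new fourth parameter on `do_klog` also needs its prototype updated wherever it is declared; no hunk in this commit shows one, so if it lives in a header not touched here, the callers in afs_auth.c and afs_setcred.c would be compiled against a three-parameter declaration. do_klog's body continues past the hunk.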