From 77efb238b1a1cfe347d822322b7cc5c7a8ff110a Mon Sep 17 00:00:00 2001
From: Charles Clancy
Date: Fri, 26 Jul 2002 06:56:04 +0000
Subject: [PATCH] pam-multi-cell-support-20020725

"will let you do something like:
auth optional /lib/security/pam_afs.so cell other-cell.domain.net
auth sufficient /lib/security/pam_afs.so try_first_pass refresh_token \
cell main-cell.domain.net
auth required /lib/security/pam_unix.so
You need to specify "refresh_token" the second time you call it to prevent it from getting a second PAG and making your first token useless.
Or, you can just use it once to authenticate to a cell other than what's in /usr/vice/etc/ThisCell.
Not specifying the "cell" argument causes the expected behavior of authenticating against the local cell."
---
 src/pam/afs_auth.c    | 21 +++++++++++++++------
 src/pam/afs_message.c |  1 +
 src/pam/afs_message.h |  2 +-
 src/pam/afs_setcred.c | 17 +++++++++++++----
 src/pam/afs_util.c    |  6 +++++-
 5 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/src/pam/afs_auth.c b/src/pam/afs_auth.c
index d1c7c14e16..eb3dde929f 100644
--- a/src/pam/afs_auth.c
+++ b/src/pam/afs_auth.c
@@ -47,6 +47,7 @@ pam_sm_authenticate(
     int ignore_uid = 0;
     uid_t ignore_uid_id = 0;
     char my_password_buf[256];
+    char *cell_ptr=NULL;
     /*
      * these options are added to handle stupid apps, which won't call
      * pam_set_cred()
@@ -109,6 +110,14 @@ pam_sm_authenticate(
             pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
         }
     }
+    } else if (strcasecmp(argv[i], "cell") == 0) {
+        i++;
+        if (i == argc) {
+            pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
+        } else {
+            cell_ptr=argv[i];
+            pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
+        }
     } else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
         refresh_token = 1;
     } else if (strcasecmp(argv[i], "set_token" ) == 0) {
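Review bot: The `cell` option in the @@ -109 hunk degrades silently when its argument is missing: the error is logged through PAMAFS_OTHERCELL, whose text is "Alternate cell name: %s", so the syslog line reads like a cell name rather than a configuration error, and `cell_ptr` stays NULL, so the module goes on to authenticate against the default cell the administrator did not intend. The same branch is duplicated in afs_setcred.c @@ -102, and the two copies differ only in spacing (`cell_ptr=argv[i];` here versus `cell_ptr = argv[i];` there). A distinct message id for the missing-argument case, or at least a log line that names the option as misconfigured, would make the fallback visible; and the two copies should be written identically, e.g. `cell_ptr = argv[i];` in both. The option loop of pam_sm_authenticate starts and ends outside the hunk.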
@@ -280,9 +289,9 @@ try_auth:
      */
     if (use_klog) {                 /* used by kdm 2.x */
         if (refresh_token || set_token) {
-            i = do_klog(user, password, NULL);
+            i = do_klog(user, password, NULL, cell_ptr);
         } else {
-            i = do_klog(user, password, "00:00:01");
+            i = do_klog(user, password, "00:00:01", cell_ptr);
             ktc_ForgetAllTokens();
         }
         if (logmask && LOG_MASK(LOG_DEBUG))
@@ -299,7 +308,7 @@ try_auth:
             code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
                         user,                   /* kerberos name */
                         (char *)0,              /* instance */
-                        (char *)0,              /* realm */
+                        cell_ptr,               /* realm */
                         password,               /* password */
                         0,                      /* default lifetime */
                         &password_expires,
@@ -309,7 +318,7 @@ try_auth:
             code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
                         user,                   /* kerberos name */
                         (char *)0,              /* instance */
-                        (char *)0,              /* realm */
+                        cell_ptr,               /* realm */
                         password,               /* password */
                         0,                      /* spare 2 */
                         &reason                 /* error string */ );
@@ -350,7 +359,7 @@ try_auth:
             code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
                         user,                   /* kerberos name */
                         (char *)0,              /* instance */
-                        (char *)0,              /* realm */
+                        cell_ptr,               /* realm */
                         password,               /* password */
                         0,                      /* default lifetime */
                         &password_expires,
@@ -360,7 +369,7 @@ try_auth:
             code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
                         user,                   /* kerberos name */
                         (char *)0,              /* instance */
-                        (char *)0,              /* realm */
+                        cell_ptr,               /* realm */
                         password,               /* password */
                         0,                      /* spare 2 */
                         &reason                 /* error string */ );
diff --git a/src/pam/afs_message.c b/src/pam/afs_message.c
index 7ba30225a8..b2e083017c 100644
--- a/src/pam/afs_message.c
+++ b/src/pam/afs_message.c
@@ -85,6 +85,7 @@ static char *fallback_messages[] = {
     "ka error, code=%d",                        /* 44: KAERROR */
     "Passwords are not equal",                  /* 45: NE_PASSWORD */
     "AFS ignoring unregistered user %s\n"       /* 46: IGNORE_UNREG */
+    "Alternate cell name: %s\n",                /* 47: OTHERCELL */
 };
 
 static int num_fallbacks = sizeof(fallback_messages)/sizeof(char *);
diff --git a/src/pam/afs_message.h b/src/pam/afs_message.h
index 6ed88e1533..27ee9b2db8 100644
--- a/src/pam/afs_message.h
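Review bot: The new table entry in the afs_message.c hunk is merged with the one before it: the existing line `"AFS ignoring unregistered user %s\n"` has no trailing comma, so adjacent-literal concatenation turns entries 46 and 47 into a single string and `fallback_messages` keeps 47 elements (indices 0-46) while afs_message.h now defines PAMAFS_OTHERCELL as 47. When this fallback table is the message source, a PAMAFS_OTHERCELL lookup is one past the end of the array (rejected if pam_afs_message bounds-checks against num_fallbacks, an out-of-bounds read if it does not), and the IGNORE_UNREG format now carries two `%s` for callers that supply one argument. The fix is on the unchanged line: `"AFS ignoring unregistered user %s\n",       /* 46: IGNORE_UNREG */`. The realm hunks in afs_auth.c above only substitute `cell_ptr` for `(char *)0` and are consistent with each other.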
+++ b/src/pam/afs_message.h
@@ -57,7 +57,7 @@
 #define PAMAFS_KAERROR 44 /* "ka error, code=%d" */
 #define PAMAFS_NE_PASSWORD 45 /* "Passwords are not equal" */
 #define PAMAFS_IGNORE_UNREG 46 /* "AFS ignoring unregistered user" */
-
+#define PAMAFS_OTHERCELL 47 /* "Alternate cell name" */
 
 char *pam_afs_message(int msgnum, int *freeit);
 void pam_afs_syslog(int priority, int msgid, ...);
diff --git a/src/pam/afs_setcred.c b/src/pam/afs_setcred.c
index 05e9eb8c90..00de66ee0d 100644
--- a/src/pam/afs_setcred.c
+++ b/src/pam/afs_setcred.c
@@ -57,6 +57,7 @@ pam_sm_setcred(
     int i;
     struct pam_conv *pam_convp = NULL;
     char my_password_buf[256];
+    char *cell_ptr=NULL;
     char sbuffer[100];
     char *password = NULL;
     int torch_password = 1;
@@ -102,6 +103,14 @@ pam_sm_setcred(
             pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
         }
     }
+    } else if (strcasecmp(argv[i], "cell") == 0) {
+        i++;
+        if (i == argc) {
+            pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
+        } else {
+            cell_ptr = argv[i];
+            pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
+        }
     } else if (strcasecmp(argv[i], "no_unlog") == 0) {
         no_unlog = 1;
     } else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
@@ -269,14 +278,14 @@ pam_sm_setcred(
 
     if ( flags & PAM_REFRESH_CRED ) {
         if (use_klog) {
-            auth_ok = ! do_klog(user, password, "00:00:01");
+            auth_ok = ! do_klog(user, password, "00:00:01", cell_ptr);
             ktc_ForgetAllTokens();
         } else {
             if ( ka_VerifyUserPassword(
                     KA_USERAUTH_VERSION,
                     user,                       /* kerberos name */
                     (char *)0,                  /* instance */
-                    (char *)0,                  /* realm */
+                    cell_ptr,                   /* realm */
                     password,                   /* password */
                     0,                          /* spare 2 */
                     &reason                     /* error string */
@@ -289,13 +298,13 @@ pam_sm_setcred(
     }
 
     if ( flags & PAM_ESTABLISH_CRED ) {
-        if (use_klog) auth_ok = ! do_klog(user, password, NULL);
+        if (use_klog) auth_ok = ! do_klog(user, password, NULL, cell_ptr);
         else {
             if ( ka_UserAuthenticateGeneral(
                     KA_USERAUTH_VERSION,
                     user,                       /* kerberos name */
                     (char *)0,                  /* instance */
-                    (char *)0,                  /* realm */
+                    cell_ptr,                   /* realm */
                     password,                   /* password */
                     0,                          /* default lifetime */
                     &password_expires,
diff --git a/src/pam/afs_util.c b/src/pam/afs_util.c
index ea1daad213..0f49d377ea 100644
--- a/src/pam/afs_util.c
+++ b/src/pam/afs_util.c
@@ -91,7 +91,7 @@ char *cv2string(ttp, aval)
     return tp;
 }
 
-int do_klog(const char* user, const char* password, const char* lifetime)
+int do_klog(const char* user, const char* password, const char* lifetime, const char* cell_name)
 {
     pid_t pid;
     int pipedes[2];
@@ -117,6 +117,10 @@ int ret = 1;
     argv[argc++] = "klog";
 #endif
     argv[argc++] = (char*)user;
+    if (cell_name) {
+        argv[argc++] = "-cell";
+        argv[argc++] = (char*)cell_name;
+    }
     argv[argc++] = "-silent";
     argv[argc++] = "-pipe";
     if (lifetime != NULL) {
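Review bot: do_klog gains a fourth parameter in the afs_util.c @@ -91 hunk, but the diffstat lists no header among the five files, so any prototype of do_klog declared in a shared header still has three parameters and the updated callers in afs_auth.c and afs_setcred.c would compile against a mismatched declaration (or, if it is declared without a prototype in the K&R style this file uses for `cv2string(ttp, aval)`, with no argument checking at all). If such a declaration exists it needs the same `const char* cell_name` appended; if there is none, a prototype in a header would be the right place to add one now that the signature has changed. A one-line contract comment on the definition, `/* cell_name: optional cell passed to klog as -cell; NULL selects the default cell */`, would also document the new NULL-means-default behaviour. The body of do_klog continues past the hunk.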
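Review bot: The afs_util.c @@ -117 hunk appends two more elements to `argv` without a capacity check, and `argv` is declared above the hunk, so whether it still has room for `-cell` and the cell name when every other option (`-silent`, `-pipe`, the lifetime pair) is also present cannot be confirmed from here; a fixed-size array sized for the old argument list would be overrun by one configuration option. Either size the array with a named constant that counts the new pair, or fail early before the appends with a guard such as `if (argc + 2 >= ARGV_CAPACITY /* placeholder: argv's declared size */) return ret;`, where the failure value and any cleanup needed at that point have to be checked against the rest of the function. `cell_name` is taken from the PAM configuration, so the cast `(char*)cell_name` follows the existing `(char*)user` style rather than introducing a new const-discard.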