pam-multi-cell-support-20020725

"will let you do
something like:

auth optional   /lib/security/pam_afs.so cell other-cell.domain.net
auth sufficient /lib/security/pam_afs.so try_first_pass refresh_token \
	cell main-cell.domain.net
auth required   /lib/security/pam_unix.so

You need to specify "refresh_token" the second time you call it to prevent
it from getting a second PAG and making your first token useless.

Or, you can just use it once to authenticate to a cell other than what's
in /usr/vice/etc/ThisCell.  Not specifying the "cell" argument causes the
expected behavior of authenticating against the local cell."
Charles Clancy 2002-07-26 06:56:04 +00:00 committed by Derrick Brashear
parent 2ee7d7e0fb
commit 77efb238b1
5 changed files with 35 additions and 12 deletions


@ -47,6 +47,7 @@ pam_sm_authenticate(
int ignore_uid = 0; int ignore_uid = 0;
uid_t ignore_uid_id = 0; uid_t ignore_uid_id = 0;
char my_password_buf[256]; char my_password_buf[256];
char *cell_ptr=NULL;
/* /*
* these options are added to handle stupid apps, which won't call * these options are added to handle stupid apps, which won't call
* pam_set_cred() * pam_set_cred()
@ -109,6 +110,14 @@ pam_sm_authenticate(
pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]); pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
} }
} }
} else if (strcasecmp(argv[i], "cell") == 0) {
i++;
if (i == argc) {
pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
} else {
cell_ptr=argv[i];
pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
}
} else if (strcasecmp(argv[i], "refresh_token" ) == 0) { } else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
refresh_token = 1; refresh_token = 1;
} else if (strcasecmp(argv[i], "set_token" ) == 0) { } else if (strcasecmp(argv[i], "set_token" ) == 0) {
@ -280,9 +289,9 @@ try_auth:
*/ */
if (use_klog) { /* used by kdm 2.x */ if (use_klog) { /* used by kdm 2.x */
if (refresh_token || set_token) { if (refresh_token || set_token) {
i = do_klog(user, password, NULL); i = do_klog(user, password, NULL, cell_ptr);
} else { } else {
i = do_klog(user, password, "00:00:01"); i = do_klog(user, password, "00:00:01", cell_ptr);
ktc_ForgetAllTokens(); ktc_ForgetAllTokens();
} }
if (logmask && LOG_MASK(LOG_DEBUG)) if (logmask && LOG_MASK(LOG_DEBUG))
@ -299,7 +308,7 @@ try_auth:
code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
user, /* kerberos name */ user, /* kerberos name */
(char *)0, /* instance */ (char *)0, /* instance */
(char *)0, /* realm */ cell_ptr, /* realm */
password, /* password */ password, /* password */
0, /* default lifetime */ 0, /* default lifetime */
&password_expires, &password_expires,
@ -309,7 +318,7 @@ try_auth:
code = ka_VerifyUserPassword(KA_USERAUTH_VERSION, code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
user, /* kerberos name */ user, /* kerberos name */
(char *)0, /* instance */ (char *)0, /* instance */
(char *)0, /* realm */ cell_ptr, /* realm */
password, /* password */ password, /* password */
0, /* spare 2 */ 0, /* spare 2 */
&reason /* error string */ ); &reason /* error string */ );
@ -350,7 +359,7 @@ try_auth:
code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
user, /* kerberos name */ user, /* kerberos name */
(char *)0, /* instance */ (char *)0, /* instance */
(char *)0, /* realm */ cell_ptr, /* realm */
password, /* password */ password, /* password */
0, /* default lifetime */ 0, /* default lifetime */
&password_expires, &password_expires,
@ -360,7 +369,7 @@ try_auth:
code = ka_VerifyUserPassword(KA_USERAUTH_VERSION, code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
user, /* kerberos name */ user, /* kerberos name */
(char *)0, /* instance */ (char *)0, /* instance */
(char *)0, /* realm */ cell_ptr, /* realm */
password, /* password */ password, /* password */
0, /* spare 2 */ 0, /* spare 2 */
&reason /* error string */ ); &reason /* error string */ );
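Review bot: The missing-argument branch `pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");` reuses the OTHERCELL message, whose fallback format is "Alternate cell name: %s\n", so the logged line reads "Alternate cell name: cell missing argument" and looks like a successful cell selection rather than a configuration error. A dedicated message id for the error (a new `PAMAFS_` entry with text such as "cell option requires an argument") would make the misconfiguration visible in the log. After that branch cell_ptr stays NULL and authentication proceeds against the local cell, which silently inverts the administrator's intent; whether the option parse should fail instead depends on how other bad options are treated, and the visible IGNOREUID case only logs as well. The same parsing block is duplicated in pam_sm_setcred in the fourth file section; a shared helper would keep the two in step. pam_sm_authenticate's body starts and ends outside these hunks.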


@ -85,6 +85,7 @@ static char *fallback_messages[] = {
"ka error, code=%d", /* 44: KAERROR */ "ka error, code=%d", /* 44: KAERROR */
"Passwords are not equal", /* 45: NE_PASSWORD */ "Passwords are not equal", /* 45: NE_PASSWORD */
"AFS ignoring unregistered user %s\n" /* 46: IGNORE_UNREG */ "AFS ignoring unregistered user %s\n" /* 46: IGNORE_UNREG */
"Alternate cell name: %s\n", /* 47: OTHERCELL */
}; };
static int num_fallbacks = sizeof(fallback_messages)/sizeof(char *); static int num_fallbacks = sizeof(fallback_messages)/sizeof(char *);
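Review bot: The entry above the new line, `"AFS ignoring unregistered user %s\n" /* 46: IGNORE_UNREG */`, has no trailing comma, so string-literal concatenation merges it with the new `"Alternate cell name: %s\n",` into one array element. fallback_messages then has one element fewer than the index comments claim: message 46 becomes "AFS ignoring unregistered user %s\nAlternate cell name: %s\n" with two %s conversions while callers pass a single argument, and index 47 (PAMAFS_OTHERCELL) lies past the end of the table, so num_fallbacks is one short and a lookup of 47 either fails the range check or reads past the array, depending on pam_afs_message, which is outside this hunk. The fix is to restore the comma: `"AFS ignoring unregistered user %s\n", /* 46: IGNORE_UNREG */`. The missing comma predates the commit but was harmless while entry 46 was the last one.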


@ -57,7 +57,7 @@
#define PAMAFS_KAERROR 44 /* "ka error, code=%d" */ #define PAMAFS_KAERROR 44 /* "ka error, code=%d" */
#define PAMAFS_NE_PASSWORD 45 /* "Passwords are not equal" */ #define PAMAFS_NE_PASSWORD 45 /* "Passwords are not equal" */
#define PAMAFS_IGNORE_UNREG 46 /* "AFS ignoring unregistered user" */ #define PAMAFS_IGNORE_UNREG 46 /* "AFS ignoring unregistered user" */
#define PAMAFS_OTHERCELL 47 /* "Alternate cell name" */
char *pam_afs_message(int msgnum, int *freeit); char *pam_afs_message(int msgnum, int *freeit);
void pam_afs_syslog(int priority, int msgid, ...); void pam_afs_syslog(int priority, int msgid, ...);


@ -57,6 +57,7 @@ pam_sm_setcred(
int i; int i;
struct pam_conv *pam_convp = NULL; struct pam_conv *pam_convp = NULL;
char my_password_buf[256]; char my_password_buf[256];
char *cell_ptr=NULL;
char sbuffer[100]; char sbuffer[100];
char *password = NULL; char *password = NULL;
int torch_password = 1; int torch_password = 1;
@ -102,6 +103,14 @@ pam_sm_setcred(
pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]); pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
} }
} }
} else if (strcasecmp(argv[i], "cell") == 0) {
i++;
if (i == argc) {
pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
} else {
cell_ptr = argv[i];
pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
}
} else if (strcasecmp(argv[i], "no_unlog") == 0) { } else if (strcasecmp(argv[i], "no_unlog") == 0) {
no_unlog = 1; no_unlog = 1;
} else if (strcasecmp(argv[i], "refresh_token" ) == 0) { } else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
@ -269,14 +278,14 @@ pam_sm_setcred(
if ( flags & PAM_REFRESH_CRED ) { if ( flags & PAM_REFRESH_CRED ) {
if (use_klog) { if (use_klog) {
auth_ok = ! do_klog(user, password, "00:00:01"); auth_ok = ! do_klog(user, password, "00:00:01", cell_ptr);
ktc_ForgetAllTokens(); ktc_ForgetAllTokens();
} else { } else {
if ( ka_VerifyUserPassword( if ( ka_VerifyUserPassword(
KA_USERAUTH_VERSION, KA_USERAUTH_VERSION,
user, /* kerberos name */ user, /* kerberos name */
(char *)0, /* instance */ (char *)0, /* instance */
(char *)0, /* realm */ cell_ptr, /* realm */
password, /* password */ password, /* password */
0, /* spare 2 */ 0, /* spare 2 */
&reason /* error string */ &reason /* error string */
@ -289,13 +298,13 @@ pam_sm_setcred(
} }
if ( flags & PAM_ESTABLISH_CRED ) { if ( flags & PAM_ESTABLISH_CRED ) {
if (use_klog) auth_ok = ! do_klog(user, password, NULL); if (use_klog) auth_ok = ! do_klog(user, password, NULL, cell_ptr);
else { else {
if ( ka_UserAuthenticateGeneral( if ( ka_UserAuthenticateGeneral(
KA_USERAUTH_VERSION, KA_USERAUTH_VERSION,
user, /* kerberos name */ user, /* kerberos name */
(char *)0, /* instance */ (char *)0, /* instance */
(char *)0, /* realm */ cell_ptr, /* realm */
password, /* password */ password, /* password */
0, /* default lifetime */ 0, /* default lifetime */
&password_expires, &password_expires,
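Review bot: Under PAM_REFRESH_CRED the verify path still calls `ktc_ForgetAllTokens();` right after `auth_ok = ! do_klog(user, password, "00:00:01", cell_ptr);`, and that discards every token in the PAG, not only the short-lived one just obtained for cell_ptr. With the stacked two-cell configuration the commit description recommends, a refresh against the second cell would therefore also drop the token the first instance acquired; the use_klog verify branch in pam_sm_authenticate (first file section, `i = do_klog(user, password, "00:00:01", cell_ptr);` followed by ktc_ForgetAllTokens) has the same shape. If libauth's per-server ktc_ForgetToken is available, forgetting only the cell_ptr token, or skipping the forget when a cell was given, would keep the cells independent; the PAG behaviour here is inferred from the description rather than from visible code. pam_sm_setcred's body starts and ends outside these hunks.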


@ -91,7 +91,7 @@ char *cv2string(ttp, aval)
return tp; return tp;
} }
int do_klog(const char* user, const char* password, const char* lifetime) int do_klog(const char* user, const char* password, const char* lifetime, const char* cell_name)
{ {
pid_t pid; pid_t pid;
int pipedes[2]; int pipedes[2];
@ -117,6 +117,10 @@ int ret = 1;
argv[argc++] = "klog"; argv[argc++] = "klog";
#endif #endif
argv[argc++] = (char*)user; argv[argc++] = (char*)user;
if (cell_name) {
argv[argc++] = "-cell";
argv[argc++] = (char*)cell_name;
}
argv[argc++] = "-silent"; argv[argc++] = "-silent";
argv[argc++] = "-pipe"; argv[argc++] = "-pipe";
if (lifetime != NULL) { if (lifetime != NULL) {
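Review bot: The two new `argv[argc++]` stores for `"-cell"` and cell_name raise the maximum length of the klog argument vector by two, but the declaration of argv is above the hunk; if it is a fixed-size array sized for the previous maximum, these entries plus whatever the lifetime branch appends can overrun it, so its bound should be raised or checked at this point. The new parameter also deserves a line in the function's header comment, e.g. `/* cell_name: NULL selects the local cell; otherwise passed to klog as "-cell" */`, since NULL is the only documented way to keep the old behaviour. The `(char*)cell_name` cast drops const the same way the existing `(char*)user` does, presumably because of the exec family's `char *const argv[]` signature. do_klog's body runs past the end of the hunk.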