rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- extend PAM support to ksu: perform account and session management for the

Browse Source 
target user
- pull up and merge James Leddy's changes to also set PAM_RHOST in
    PAM-aware network-facing services
This commit is contained in:
Nalin Dahyabhai 2009-04-23 22:43:26 +00:00
parent d3b2b69619
commit 5ebd815122
3 changed files with 218 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

229
krb5-1.6.1-pam.patch
View File

@ -28,7 +28,15 @@ is pretty much always going to be there. At run-time, login's behavior
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
false in the [login] section of /etc/krb5.conf.
When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
Modify ksu so that it performs account and session management for the
target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
section of /etc/krb5.conf.
When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
--- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500
+++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400
@ -76,7 +84,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
#ifdef KERBEROS
#if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
@@ -1151,11 +1148,49 @@ void doit(f, fromp)
@@ -1151,11 +1148,50 @@ void doit(f, fromp)
goto signout_please;
}
@ -88,6 +96,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ 0,
+ locuser,
+ "",
+ hostname,
+ do_encrypt ?
+ EKSHELL_PAM_SERVICE :
+ KSHELL_PAM_SERVICE) != 0) {
@ -126,7 +135,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
/* Log access to account */
pwd = (struct passwd *) getpwnam(locuser);
if (pwd && (pwd->pw_uid == 0)) {
@@ -1195,7 +1230,7 @@ void doit(f, fromp)
@@ -1195,7 +1231,7 @@ void doit(f, fromp)
(void) write(2, "", 1);
@ -135,7 +144,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (port&&(pipe(pv) < 0)) {
error("Can't make pipe.\n");
goto signout_please;
@@ -1507,6 +1542,15 @@ void doit(f, fromp)
@@ -1507,6 +1543,15 @@ void doit(f, fromp)
environ = envinit;
@ -215,13 +224,14 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
#ifdef KRB5_GET_TICKETS
{"krb5_get_tickets", &login_krb5_get_tickets},
#endif
@@ -1292,6 +1294,18 @@ int main(argc, argv)
@@ -1292,6 +1300,19 @@ int main(argc, argv)
if (!unix_needs_passwd())
break;
+#ifdef USE_PAM
+ if (login_use_pam) {
+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
+ hostname,
+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
+ break;
+ } else {
@ -234,14 +244,14 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
/* we have several sets of code:
1) get v5 tickets alone -DKRB5_GET_TICKETS
2) get v4 tickets alone [** don't! only get them *with* v5 **]
@@ -1406,6 +1420,24 @@ int main(argc, argv)
@@ -1406,6 +1427,24 @@ int main(argc, argv)
/* committed to login -- turn off timeout */
(void) alarm((u_int) 0);
+#ifdef USE_PAM
+ if (login_use_pam) {
+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
+ ttyname(STDIN_FILENO)) != 0) {
+ hostname, ttyname(STDIN_FILENO)) != 0) {
+ printf("Login incorrect\n");
+ sleepexit(1);
+ }
@ -259,7 +269,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
/*
* If valid so far and root is logging in, see if root logins on
* this terminal are permitted.
@@ -1446,6 +1478,21 @@ int main(argc, argv)
@@ -1446,6 +1487,21 @@ int main(argc, argv)
sleepexit(0);
}
#endif
@ -281,7 +291,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (chdir(pwd->pw_dir) < 0) {
printf("No directory %s!\n", pwd->pw_dir);
@@ -1792,6 +1839,11 @@ int main(argc, argv)
@@ -1792,6 +1846,11 @@ int main(argc, argv)
}
#endif /* KRB5_GET_TICKETS */
@ -295,11 +305,11 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (pwd->pw_uid == 0)
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
+++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400
@@ -0,0 +1,414 @@
@@ -0,0 +1,424 @@
+/*
+ * src/appl/bsd/pam.c
+ *
+ * Copyright 2007 Red Hat, Inc.
+ * Copyright 2007,2009 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@ -332,6 +342,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ * Convenience wrappers for using PAM.
+ */
+
+#include "autoconf.h"
+#ifdef USE_PAM
+#include <sys/types.h>
+#include <stdio.h>
@ -549,6 +560,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+appl_pam_start(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty)
+{
+ static int exit_handler_registered;
@ -577,6 +589,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ ret = pam_start(service, login_username,
+ &appl_pam_conv, &appl_pamh);
+ if (ret == 0) {
+ if (hostname != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
+#endif
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
+ }
+ if (tty != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
@ -602,11 +620,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+appl_pam_authenticate(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty)
+{
+ int ret;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, tty);
+ non_interactive_password, hostname, tty);
+ if (ret == 0) {
+ ret = pam_authenticate(appl_pamh, 0);
+ }
@ -616,12 +635,13 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty)
+{
+ int ret;
+ appl_pam_pwchange_required = 0;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, tty);
+ non_interactive_password, hostname, tty);
+ if (ret == 0) {
+#ifdef DEBUG
+ printf("Calling pam_acct_mgmt().\n");
@ -712,11 +732,11 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+#endif
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
+++ krb5-1.6.1/src/appl/bsd/pam.h 2007-06-22 14:27:05.000000000 -0400
@@ -0,0 +1,61 @@
@@ -0,0 +1,63 @@
+/*
+ * src/appl/bsd/pam.h
+ *
+ * Copyright 2007 Red Hat, Inc.
+ * Copyright 2007,2009 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@ -761,10 +781,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+int appl_pam_authenticate(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty);
+int appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty);
+int appl_pam_requires_chauthtok(void);
+int appl_pam_chauthtok(void);
@ -825,7 +847,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
#include <grp.h>
#include <setjmp.h>
#ifndef POSIX_SETJMP
@@ -803,6 +807,16 @@
@@ -803,6 +806,21 @@
}
#endif /* KRB5_KRB4_COMPAT */
@ -833,16 +855,21 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ if (appl_pam_enabled(kcontext, "ftpd")) {
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
+ pw->pw_name, "",
+ hostname,
+ FTP_PAM_SERVICE) != 0) {
+ reply(530, "Login incorrect.");
+ return;
+ }
+ if (appl_pam_requires_chauthtok()) {
+ reply(530, "Password change required.");
+ return;
+ }
+ }
+#endif
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
strncat(buf, "; Access denied.",
sizeof(buf) - strlen(buf) - 1);
@@ -903,6 +916,10 @@ end_login()
@@ -903,6 +921,10 @@ end_login()
(void) krb5_seteuid((uid_t)0);
if (logged_in)
pty_logwtmp(ttyline, "", "");
@ -853,7 +880,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (have_creds) {
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
@@ -1073,9 +1090,17 @@ pass(passwd)
@@ -1073,9 +1095,18 @@ pass(passwd)
* kpass fails and the user has no local password
* kpass fails and the provided password doesn't match pw
*/
@ -865,6 +892,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ appl_pam_enabled(kcontext, "ftpd") ?
+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
+ pw->pw_name, passwd,
+ hostname,
+ FTP_PAM_SERVICE) != 0) :
+#endif
+ (!kpass(pw->pw_name, passwd) &&
@ -874,7 +902,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
pw = NULL;
sleep(5);
if (++login_attempts >= 3) {
@@ -1092,6 +1117,17 @@ pass(passwd)
@@ -1092,6 +1123,22 @@ pass(passwd)
}
login_attempts = 0; /* this time successful */
@ -882,17 +910,22 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ if (appl_pam_enabled(kcontext, "ftpd")) {
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
+ pw->pw_name, passwd,
+ hostname,
+ FTP_PAM_SERVICE) != 0) {
+ reply(530, "Login incorrect.");
+ return;
+ }
+ if (appl_pam_requires_chauthtok()) {
+ reply(530, "Password change required.");
+ return;
+ }
+ }
+#endif
+
login(passwd, 0);
return;
}
@@ -1110,6 +1146,18 @@ login(passwd, logincode)
@@ -1110,6 +1157,18 @@ login(passwd, logincode)
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
#endif
}
@ -911,7 +944,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
(void) krb5_setegid((gid_t)pw->pw_gid);
(void) initgroups(pw->pw_name, pw->pw_gid);
@@ -2125,6 +2173,10 @@ dologout(status)
@@ -2125,6 +2194,10 @@ dologout(status)
dest_tkt();
#endif
}
@ -955,7 +988,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
INSTALL_STRIP=
--- krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
+++ krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
@@ -1823,3 +1823,82 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
@@ -1823,3 +1823,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
@ -975,6 +1008,8 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
+ withftppamservice="$withval",withftppamservice=gssftp)
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
+ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
@ -1025,6 +1060,8 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
+ [Define to the name of the PAM service name to be used by ftpd.])
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
+ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
@ -1038,3 +1075,151 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff -up krb5-1.6.1/src/clients/ksu/Makefile.in krb5-1.6.1/src/clients/ksu/Makefile.in
--- krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-21 15:07:16.000000000 -0400
+++ krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-23 13:47:36.000000000 -0400
@@ -15,6 +15,7 @@ SRCS = \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/../../appl/bsd/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -23,13 +24,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: $(srcdir)/../../appl/bsd/pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
--- krb5-1.6.3/src/clients/ksu/main.c 2006-08-15 15:27:08.000000000 -0400
+++ krb5-1.6.3/src/clients/ksu/main.c 2009-04-23 18:39:03.000000000 -0400
@@ -25,6 +25,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
#include "ksu.h"
#include "adm_proto.h"
#include <sys/types.h>
@@ -32,6 +33,11 @@
#include <signal.h>
#include <grp.h>
+#ifdef USE_PAM
+#include "../../appl/bsd/pam.h"
+int force_fork = 0;
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -791,7 +797,24 @@
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
+
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -799,6 +822,33 @@
exit(1);
}else{
statusp = 1;
+
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Opened PAM session.\n");
+ }
+#endif
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Initialized PAM credentials.\n");
+ }
+#endif
+ }
+#endif
+
switch ((child_pid = fork())) {
default:
if (auth_debug){
@@ -822,15 +872,34 @@
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_setenv() != 0) {
+ fprintf(stderr, "Error setting up environment for %s.\n",
+ target_user);
+ exit (1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Set up PAM environment.\n");
+ }
+#endif
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s", params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}

9
krb5.spec
View File

@ -44,6 +44,7 @@ Source25: krb5-trunk-manpaths.txt
Source26: gssftp.pamd
Source27: kshell.pamd
Source28: ekshell.pamd
Source29: ksu.pamd
Patch3: krb5-1.3-netkit-rsh.patch
Patch4: krb5-1.3-rlogind-environ.patch
@ -227,6 +228,12 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog
* Thu Apr 23 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-104
- extend PAM support to ksu: perform account and session management for the
target user
- pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware
network-facing services
* Tue Apr 21 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-103
- fix a typo in a ksu error message (Marek Mahut)
- "rev" works the way the test suite expects now, so don't disable tests
@ -1587,7 +1594,7 @@ done
# PAM configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
for pam in kshell ekshell gssftp ; do
for pam in kshell ekshell gssftp ksu ; do
install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \
$RPM_BUILD_ROOT/etc/pam.d/$pam
done

3
ksu.pamd Normal file
View File

@ -0,0 +1,3 @@
#%PAM-1.0
account include su
session include su