3a862a5e AM |
1 | # |
2 | # Add in extra PAM options compared to upstream's own PAM code: | |
3 | # * Add an extra option PamAuth to control use of PAM separately from | |
4 | # SystemAuth | |
5 | # * Add support for DefaultPamUser - try that if the specified | |
6 | # user does not exist | |
7 | # | |
8 | # Patch by Steve McIntyre <steve@einval.com> | |
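diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
+++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
@@ -2662,8 +2662,18 @@
 system has PAM (Pluggable Authentication Modules)
 and your @sc{cvs} server executable was configured to
 use it at compile time (using @code{./configure --enable-pam} - see the
-INSTALL file for more). In this case, PAM will be consulted instead.
-This means that @sc{cvs} can be configured to use any password
+INSTALL file for more). In this case, PAM may be
+consulted first (or instead). The
+"fallback" behaviour can be controlled using the two
+variables @code{PamAuth} and @code{SystemAuth}. On a
+Debian system, @code{PamAuth} defaults to @code{yes}
+and @code{SystemAuth} to @code{no} - after all, PAM can
+supports passwd file lookups itself. Changing these is
+possible by setting @code{PamAuth=no} and
+@code{SystemAuth=yes} in the @sc{cvs} @file{config}
+file, @pxref{config}).
+
+Use of PAM means that @sc{cvs} can be configured to use any password
 authentication source PAM can be configured to use (possibilities
 include a simple UNIX password, NIS, LDAP, and others) in its
 global configuration file (usually @file{/etc/pam.conf}
@@ -2691,7 +2701,7 @@
 cvs session required pam_unix.so
 @end example
 
-The the equivalent @file{/etc/pam.d/cvs} would contain
+The equivalent @file{/etc/pam.d/cvs} would contain
 
 @example
 auth required pam_unix.so
@@ -2715,6 +2725,13 @@
 feature should not be used if you may not have control of the name
 @sc{cvs} will be invoked as.
 
+If you wish to use PAM for authentication, and details
+of your users are not available using getpwnam(), you
+may set a default name for the account on the server
+that will be used after authentication. To do this,
+either set @code{DefaultPamUser=user} in the @sc{cvs}
+@file{config} file, @pxref{config}.
+
 Be aware, also, that falling back to system
 authentication might be a security risk: @sc{cvs}
 operations would then be authenticated with that user's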
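diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
+++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
@@ -303,8 +303,12 @@
 */
 #endif /* PROXY_SUPPORT */
 #ifdef AUTH_SERVER_SUPPORT
- new->system_auth = true;
+ new->system_auth = false;
 #endif /* AUTH_SERVER_SUPPORT */
+#ifdef HAVE_PAM
+ new->PamAuth = true;
+ new->DefaultPamUser = NULL;
+#endif
 
 return new;
 }
@@ -696,6 +700,13 @@
 readSizeT (infopath, "MaxCompressionLevel", p,
 &retval->MaxCompressionLevel);
 #endif /* SERVER_SUPPORT */
+#ifdef HAVE_PAM
+ else if (!strcmp (line, "DefaultPamUser"))
+ retval->DefaultPamUser = xstrdup(p);
+ else if (!strcmp (line, "PamAuth"))
+ readBool (infopath, "PamAuth", p,
+ &retval->PamAuth);
+#endif
 else
 /* We may be dealing with a keyword which was added in a
 subsequent version of CVS. In that case it is a good idea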
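Review bot: `retval->DefaultPamUser = xstrdup(p);` overwrites any earlier value without releasing it, so a config file that sets DefaultPamUser more than once leaks the first copy; a `free (retval->DefaultPamUser);` immediately before the assignment keeps last-wins semantics without the leak, and is safe because the field starts as NULL. Whether the config teardown frees this field is outside the patch and should be checked. The value is also stored unvalidated, and server.c later copies it into host_user as the account the session is mapped to, so rejecting an empty `p` here with the file's usual parse error would be a cheap guard. The enclosing keyword chain starts before this hunk.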
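diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
+++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
@@ -59,6 +59,10 @@
 #ifdef PRESERVE_PERMISSIONS_SUPPORT
 bool preserve_perms;
 #endif /* PRESERVE_PERMISSIONS_SUPPORT */
+#ifdef HAVE_PAM
+ char *DefaultPamUser;
+ bool PamAuth;
+#endif
 };
 
 bool parse_error (const char *, unsigned int);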
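Review bot: The two new fields carry no comment, and the name DefaultPamUser does not say when it applies: the cvs.texinfo hunk describes it as the account used when getpwnam() cannot find the user, while the server.c hunk in this patch substitutes it only when pam_get_item(PAM_USER) itself fails. A comment that matches the code, e.g. `/* Local account substituted when PAM_USER cannot be retrieved after PAM auth; NULL disables the fallback.  Owned by this struct (xstrdup'd by the config parser). */` on DefaultPamUser and `/* Consult PAM for pserver passwords; defaults to true. */` on PamAuth, would make the contract visible. Whether those two triggers are meant to be the same condition is worth confirming with the author before the wording is settled, since as written the documented getpwnam() case may never reach this fallback.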
101 | diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c | |
102 | --- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100 | |
103 | +++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100 | |
104 | @@ -6919,6 +6919,15 @@ | |
105 | { | |
106 | pam_stage = "get pam user"; | |
107 | retval = pam_get_item (pamh, PAM_USER, (const void **)username); | |
108 | + if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser)) | |
109 | + { | |
110 | + /* An issue with using pam is that the host may well not have | |
111 | + a local user entry to match the authenticated user. If this | |
112 | + has failed, optionally fall back to a specified local | |
113 | + username */ | |
114 | + *username = xstrdup(config->DefaultPamUser); | |
115 | + retval = PAM_SUCCESS; | |
116 | + } | |
117 | } | |
118 | ||
119 | if (retval != PAM_SUCCESS) | |
120 | @@ -7022,7 +7031,11 @@ | |
121 | ||
122 | assert (rc == 0); | |
123 | ||
124 | +#ifdef HAVE_PAM | |
125 | + if (!config->system_auth && !config->PamAuth) | |
126 | +#else | |
127 | if (!config->system_auth) | |
128 | +#endif | |
129 | { | |
130 | /* Note that the message _does_ distinguish between the case in | |
131 | which we check for a system password and the case in which | |
132 | @@ -7037,9 +7050,10 @@ | |
133 | ||
134 | /* No cvs password found, so try /etc/passwd. */ | |
135 | #ifdef HAVE_PAM | |
136 | - if (check_pam_password (&username, password)) | |
137 | + if ( (config->PamAuth && check_pam_password (&username, password)) || | |
138 | + (config->system_auth && check_system_password (username, password))) | |
139 | #else /* !HAVE_PAM */ | |
140 | - if (check_system_password (username, password)) | |
141 | + if (config->system_auth && check_system_password (username, password)) | |
142 | #endif /* HAVE_PAM */ | |
143 | host_user = xstrdup (username); | |
144 | else |