2 # Add in extra PAM options compared to upstream's own PAM code:
3 # * Add an extra option PamAuth to control use of PAM separately from
5 # * Add support for DefaultPamUser - try that if the specified
8 # Patch by Steve McIntyre <steve@einval.com>
9 diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
10 --- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
11 +++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
12 @@ -2662,8 +2662,18 @@
13 system has PAM (Pluggable Authentication Modules)
14 and your @sc{cvs} server executable was configured to
15 use it at compile time (using @code{./configure --enable-pam} - see the
16 -INSTALL file for more). In this case, PAM will be consulted instead.
17 -This means that @sc{cvs} can be configured to use any password
18 +INSTALL file for more). In this case, PAM may be
19 +consulted first (or instead). The
20 +"fallback" behaviour can be controlled using the two
21 +variables @code{PamAuth} and @code{SystemAuth}. On a
22 +Debian system, @code{PamAuth} defaults to @code{yes}
23 +and @code{SystemAuth} to @code{no} - after all, PAM can
24 +supports passwd file lookups itself. Changing these is
25 +possible by setting @code{PamAuth=no} and
26 +@code{SystemAuth=yes} in the @sc{cvs} @file{config}
27 +file, @pxref{config}).
29 +Use of PAM means that @sc{cvs} can be configured to use any password
30 authentication source PAM can be configured to use (possibilities
31 include a simple UNIX password, NIS, LDAP, and others) in its
32 global configuration file (usually @file{/etc/pam.conf}
34 cvs session required pam_unix.so
37 -The the equivalent @file{/etc/pam.d/cvs} would contain
38 +The equivalent @file{/etc/pam.d/cvs} would contain
41 auth required pam_unix.so
42 @@ -2715,6 +2725,13 @@
43 feature should not be used if you may not have control of the name
44 @sc{cvs} will be invoked as.
46 +If you wish to use PAM for authentication, and details
47 +of your users are not available using getpwnam(), you
48 +may set a default name for the account on the server
49 +that will be used after authentication. To do this,
50 +either set @code{DefaultPamUser=user} in the @sc{cvs}
51 +@file{config} file, @pxref{config}.
53 Be aware, also, that falling back to system
54 authentication might be a security risk: @sc{cvs}
55 operations would then be authenticated with that user's
56 diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
57 --- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
58 +++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
61 #endif /* PROXY_SUPPORT */
62 #ifdef AUTH_SERVER_SUPPORT
63 - new->system_auth = true;
64 + new->system_auth = false;
65 #endif /* AUTH_SERVER_SUPPORT */
67 + new->PamAuth = true;
68 + new->DefaultPamUser = NULL;
74 readSizeT (infopath, "MaxCompressionLevel", p,
75 &retval->MaxCompressionLevel);
76 #endif /* SERVER_SUPPORT */
78 + else if (!strcmp (line, "DefaultPamUser"))
79 + retval->DefaultPamUser = xstrdup(p);
80 + else if (!strcmp (line, "PamAuth"))
81 + readBool (infopath, "PamAuth", p,
85 /* We may be dealing with a keyword which was added in a
86 subsequent version of CVS. In that case it is a good idea
87 diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
88 --- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
89 +++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
91 #ifdef PRESERVE_PERMISSIONS_SUPPORT
93 #endif /* PRESERVE_PERMISSIONS_SUPPORT */
95 + char *DefaultPamUser;
100 bool parse_error (const char *, unsigned int);
101 diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
102 --- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
103 +++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
104 @@ -6919,6 +6919,15 @@
106 pam_stage = "get pam user";
107 retval = pam_get_item (pamh, PAM_USER, (const void **)username);
108 + if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
110 + /* An issue with using pam is that the host may well not have
111 + a local user entry to match the authenticated user. If this
112 + has failed, optionally fall back to a specified local
114 + *username = xstrdup(config->DefaultPamUser);
115 + retval = PAM_SUCCESS;
119 if (retval != PAM_SUCCESS)
120 @@ -7022,7 +7031,11 @@
125 + if (!config->system_auth && !config->PamAuth)
127 if (!config->system_auth)
130 /* Note that the message _does_ distinguish between the case in
131 which we check for a system password and the case in which
132 @@ -7037,9 +7050,10 @@
134 /* No cvs password found, so try /etc/passwd. */
136 - if (check_pam_password (&username, password))
137 + if ( (config->PamAuth && check_pam_password (&username, password)) ||
138 + (config->system_auth && check_system_password (username, password)))
139 #else /* !HAVE_PAM */
140 - if (check_system_password (username, password))
141 + if (config->system_auth && check_system_password (username, password))
142 #endif /* HAVE_PAM */
143 host_user = xstrdup (username);