1 --- cvs-1.12.13.orig/debian/patches/60_PAM_support
2 +++ cvs-1.12.13/debian/patches/60_PAM_support
5 +# Add in extra PAM options compared to upstream's own PAM code:
6 +# * Add an extra option PamAuth to control use of PAM separately from
8 +# * Add support for DefaultPamUser - try that if the specified
11 +# Patch by Steve McIntyre <steve@einval.com>
12 +diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
13 +--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
14 ++++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
15 +@@ -2662,8 +2662,18 @@
16 + system has PAM (Pluggable Authentication Modules)
17 + and your @sc{cvs} server executable was configured to
18 + use it at compile time (using @code{./configure --enable-pam} - see the
19 +-INSTALL file for more). In this case, PAM will be consulted instead.
20 +-This means that @sc{cvs} can be configured to use any password
21 ++INSTALL file for more). In this case, PAM may be
22 ++consulted first (or instead). The
23 ++"fallback" behaviour can be controlled using the two
24 ++variables @code{PamAuth} and @code{SystemAuth}. On a
25 ++Debian system, @code{PamAuth} defaults to @code{yes}
26 ++and @code{SystemAuth} to @code{no} - after all, PAM can
27 ++supports passwd file lookups itself. Changing these is
28 ++possible by setting @code{PamAuth=no} and
29 ++@code{SystemAuth=yes} in the @sc{cvs} @file{config}
30 ++file, @pxref{config}).
32 ++Use of PAM means that @sc{cvs} can be configured to use any password
33 + authentication source PAM can be configured to use (possibilities
34 + include a simple UNIX password, NIS, LDAP, and others) in its
35 + global configuration file (usually @file{/etc/pam.conf}
36 +@@ -2691,7 +2701,7 @@
37 + cvs session required pam_unix.so
40 +-The the equivalent @file{/etc/pam.d/cvs} would contain
41 ++The equivalent @file{/etc/pam.d/cvs} would contain
44 + auth required pam_unix.so
45 +@@ -2715,6 +2725,13 @@
46 + feature should not be used if you may not have control of the name
47 + @sc{cvs} will be invoked as.
49 ++If you wish to use PAM for authentication, and details
50 ++of your users are not available using getpwnam(), you
51 ++may set a default name for the account on the server
52 ++that will be used after authentication. To do this,
53 ++either set @code{DefaultPamUser=user} in the @sc{cvs}
54 ++@file{config} file, @pxref{config}.
56 + Be aware, also, that falling back to system
57 + authentication might be a security risk: @sc{cvs}
58 + operations would then be authenticated with that user's
59 +diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
60 +--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
61 ++++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
64 + #endif /* PROXY_SUPPORT */
65 + #ifdef AUTH_SERVER_SUPPORT
66 +- new->system_auth = true;
67 ++ new->system_auth = false;
68 + #endif /* AUTH_SERVER_SUPPORT */
70 ++ new->PamAuth = true;
71 ++ new->DefaultPamUser = NULL;
77 + readSizeT (infopath, "MaxCompressionLevel", p,
78 + &retval->MaxCompressionLevel);
79 + #endif /* SERVER_SUPPORT */
81 ++ else if (!strcmp (line, "DefaultPamUser"))
82 ++ retval->DefaultPamUser = xstrdup(p);
83 ++ else if (!strcmp (line, "PamAuth"))
84 ++ readBool (infopath, "PamAuth", p,
88 + /* We may be dealing with a keyword which was added in a
89 + subsequent version of CVS. In that case it is a good idea
90 +diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
91 +--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
92 ++++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
94 + #ifdef PRESERVE_PERMISSIONS_SUPPORT
95 + bool preserve_perms;
96 + #endif /* PRESERVE_PERMISSIONS_SUPPORT */
98 ++ char *DefaultPamUser;
103 + bool parse_error (const char *, unsigned int);
104 +diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
105 +--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
106 ++++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
107 +@@ -6919,6 +6919,15 @@
109 + pam_stage = "get pam user";
110 + retval = pam_get_item (pamh, PAM_USER, (const void **)username);
111 ++ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
113 ++ /* An issue with using pam is that the host may well not have
114 ++ a local user entry to match the authenticated user. If this
115 ++ has failed, optionally fall back to a specified local
117 ++ *username = xstrdup(config->DefaultPamUser);
118 ++ retval = PAM_SUCCESS;
122 + if (retval != PAM_SUCCESS)
123 +@@ -7022,7 +7031,11 @@
128 ++ if (!config->system_auth && !config->PamAuth)
130 + if (!config->system_auth)
133 + /* Note that the message _does_ distinguish between the case in
134 + which we check for a system password and the case in which
135 +@@ -7037,9 +7050,10 @@
137 + /* No cvs password found, so try /etc/passwd. */
139 +- if (check_pam_password (&username, password))
140 ++ if ( (config->PamAuth && check_pam_password (&username, password)) ||
141 ++ (config->system_auth && check_system_password (username, password)))
142 + #else /* !HAVE_PAM */
143 +- if (check_system_password (username, password))
144 ++ if (config->system_auth && check_system_password (username, password))
145 + #endif /* HAVE_PAM */
146 + host_user = xstrdup (username);