sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-07-18 09:49:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security/sssd: pam fixes

Browse source 
PR:		184464
Submitted by:	maintainer
This commit is contained in:
William Grzybowski 2014-06-12 14:35:01 +00:00
parent efcd879e04
commit ecd905d2bd
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=357602
3 changed files with 46 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
security/sssd/Makefile
View file

@ -3,7 +3,7 @@
PORTNAME= sssd PORTNAME= sssd
DISTVERSION= 1.9.6 DISTVERSION= 1.9.6
PORTREVISION= 4 PORTREVISION= 5
CATEGORIES= security CATEGORIES= security
MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ \ MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ \
http://mirrors.rit.edu/zi/ http://mirrors.rit.edu/zi/

32
security/sssd/files/patch-src__man__pam_sss.8.xml
View file

@ -1,27 +1,30 @@
From 1a7794d0e3c9fa47f7b0256518186ce214e93504 Mon Sep 17 00:00:00 2001 From 4f866ccca80bb8ed4013bc8ed48ab9ae2b9587ff Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com> From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
Date: Sat, 22 Mar 2014 15:09:34 +0100 Date: Tue, 3 Jun 2014 22:10:50 +0200
Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml
--- ---
src/man/pam_sss.8.xml | 13 +++++++++++++ src/man/pam_sss.8.xml | 27 +++++++++++++++++++++++++++
1 file changed, 13 insertions(+) 1 file changed, 27 insertions(+)
diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml
index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296bec2d8e739 100644 index 72b497ab34a520d21964824080c7f276b26706f4..69678dac5874067fc95ec47f72ed894854c5d569 100644
--- src/man/pam_sss.8.xml --- src/man/pam_sss.8.xml
+++ src/man/pam_sss.8.xml +++ src/man/pam_sss.8.xml
@@ -37,6 +37,9 @@ @@ -37,6 +37,12 @@
<arg choice='opt'> <arg choice='opt'>
<replaceable>retry=N</replaceable> <replaceable>retry=N</replaceable>
</arg> </arg>
+ <arg choice='opt'> + <arg choice='opt'>
+ <replaceable>ignore_unknown_user</replaceable> + <replaceable>ignore_unknown_user</replaceable>
+ </arg>
+ <arg choice='opt'>
+ <replaceable>ignore_authinfo_unavail</replaceable>
+ </arg> + </arg>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@@ -103,6 +106,16 @@ @@ -103,6 +109,27 @@
<option>PasswordAuthentication</option>.</para> <option>PasswordAuthentication</option>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -34,10 +37,21 @@ index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296be
+ exist, the PAM module will return PAM_IGNORE. This causes + exist, the PAM module will return PAM_IGNORE. This causes
+ the PAM framework to ignore this module.</para> + the PAM framework to ignore this module.</para>
+ </listitem> + </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>ignore_authinfo_unavail</option>
+ </term>
+ <listitem>
+ <para>
+ Specifies that the PAM module should return PAM_IGNORE
+ if it cannot contact the SSSD daemon. This causes
+ the PAM framework to ignore this module.</para>
+ </listitem>
+ </varlistentry> + </varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
-- --
1.8.5.3 1.9.3

33
security/sssd/files/patch-src__sss_client__pam_sss.c
View file

@ -1,25 +1,26 @@
From 68fcd5f830b6451de5fd9d697fa6602dc3ca9972 Mon Sep 17 00:00:00 2001 From 18bce9f12311c6e7a7fe4350150120a98b3ec106 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lukas.slebodnik@intrak.sk> From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
Date: Sat, 27 Jul 2013 15:02:31 +0200 Date: Wed, 6 Nov 2013 22:01:21 +0100
Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c
--- ---
src/sss_client/pam_sss.c | 13 +++++++++++++ src/sss_client/pam_sss.c | 24 ++++++++++++++++++++++++
1 file changed, 13 insertions(+) 1 file changed, 24 insertions(+)
diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe4101d2268f3 100644 index 5fd276ccba15da1f689b1939a02288dda7a09d89..e35552f7e612d3e68f957845998a8105437af301 100644
--- src/sss_client/pam_sss.c --- src/sss_client/pam_sss.c
+++ src/sss_client/pam_sss.c +++ src/sss_client/pam_sss.c
@@ -52,6 +52,7 @@ @@ -52,6 +52,8 @@
#define FLAGS_USE_FIRST_PASS (1 << 0) #define FLAGS_USE_FIRST_PASS (1 << 0)
#define FLAGS_FORWARD_PASS (1 << 1) #define FLAGS_FORWARD_PASS (1 << 1)
#define FLAGS_USE_AUTHTOK (1 << 2) #define FLAGS_USE_AUTHTOK (1 << 2)
+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) +#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
#define PWEXP_FLAG "pam_sss:password_expired_flag" #define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor" #define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -125,10 +126,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err) @@ -125,10 +127,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
static void close_fd(pam_handle_t *pamh, void *ptr, int err) static void close_fd(pam_handle_t *pamh, void *ptr, int err)
{ {
@ -32,26 +33,32 @@ index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe410
D(("Closing the fd")); D(("Closing the fd"));
sss_pam_close_fd(); sss_pam_close_fd();
@@ -1292,6 +1295,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, @@ -1292,6 +1296,10 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
} }
} else if (strcmp(*argv, "quiet") == 0) { } else if (strcmp(*argv, "quiet") == 0) {
*quiet_mode = true; *quiet_mode = true;
+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) { + } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
+ *flags |= FLAGS_IGNORE_UNKNOWN_USER; + *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
+ *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
} else { } else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv); logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
} }
@@ -1429,6 +1434,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, @@ -1429,6 +1437,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = get_pam_items(pamh, &pi); ret = get_pam_items(pamh, &pi);
if (ret != PAM_SUCCESS) { if (ret != PAM_SUCCESS) {
D(("get items returned error: %s", pam_strerror(pamh,ret))); D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { + if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ ret = PAM_IGNORE; + ret = PAM_IGNORE;
+ }
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && ret == PAM_AUTHINFO_UNAVAIL) {
+ ret = PAM_IGNORE;
+ } + }
return ret; return ret;
} }
@@ -1467,6 +1475,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, @@ -1467,6 +1482,15 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
pam_status = send_and_receive(pamh, &pi, task, quiet_mode); pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
@ -59,10 +66,14 @@ index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe410
+ && pam_status == PAM_USER_UNKNOWN) { + && pam_status == PAM_USER_UNKNOWN) {
+ pam_status = PAM_IGNORE; + pam_status = PAM_IGNORE;
+ } + }
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && pam_status == PAM_AUTHINFO_UNAVAIL) {
+ pam_status = PAM_IGNORE;
+ }
+ +
switch (task) { switch (task) {
case SSS_PAM_AUTHENTICATE: case SSS_PAM_AUTHENTICATE:
/* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
-- --
1.8.5.3 1.9.3