authorDiego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com>2010-07-23 15:59:44 +0200
committerDiego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com>2010-07-23 15:59:44 +0200
commit736f9b9f43c2468dd0cb5c5343cb8969d5492a4d (patch)
tree74950657d26fb7e78b254ca64e1acbbd69cca32d
parentImprove handling of services and the session chain. (diff)
Add support for pam_krb5 module for Kerberos authentication.
This implements drop-in support for Kerberos (pam_krb5) in Gentoo systems; if the kerberos USE flag has been enabled, it'll use pam_krb5 for login, skipping pam_unix but no other module in the chain. It requires Linux-PAM.
-rw-r--r--Makefile4
-rw-r--r--basic-conf32
-rw-r--r--system-auth.in11
-rw-r--r--system-session.inc12
4 files changed, 55 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index 6a80ec5..18a30d2 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,10 @@ ifeq "$(PAM_SSH)" "yes"
PAMFLAGS += -DHAVE_PAM_SSH=1
endif
+ifeq "$(KRB5)" "yes"
+PAMFLAGS += -DHAVE_KRB5=1
+endif
+
ifeq "$(SHA512)" "yes"
PAMFLAGS += -DWANT_SHA512=1
endif
diff --git a/basic-conf b/basic-conf
index 902ff8d..e40a2f6 100644
--- a/basic-conf
+++ b/basic-conf
@@ -1,9 +1,19 @@
// Only use_authtok (authentication token) when using cracklib or some other module
-// that checks for passwords.
+// that checks for passwords, or pam_krb5
+#define AUTHTOK use_authtok
+
#if HAVE_CRACKLIB || HAVE_PASSWDQC
-# define AUTHTOK use_authtok
+# define PASSWORD_STRENGTH 1
+#endif
+
+#if HAVE_KRB5 && PASSWORD_STRENGTH
+# define KRB5_AUTHTOK AUTHTOK
+#endif
+
+#if HAVE_KRB5 || PASSWORD_STRENGTH
+# define UNIX_AUTHTOK AUTHTOK
#else
-# define AUTHTOK
+# define UNIX_AUTHTOK AUTHTOK
#endif
// Define DEBUG to an empty string unless it was required by the user
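Review bot: The `#if HAVE_KRB5 || PASSWORD_STRENGTH` block that ends just before this line defines UNIX_AUTHTOK to the same value in both branches, so the conditional is dead and pam_unix now always receives use_authtok, whereas before this commit it received nothing when no strength-checking module was built in. With use_authtok and no earlier module in the password stack having set a new token, pam_unix has no password to set, so a plain password change on a build without cracklib, passwdqc or krb5 would presumably fail; the `#else` branch looks like it was meant to read `# define UNIX_AUTHTOK` (empty). KRB5_AUTHTOK, defined just above for the strength-check case, is not referenced by any pam_krb5 line in this commit.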
@@ -18,3 +28,19 @@
#ifndef LIKEAUTH
#define LIKEAUTH
#endif
+
+#define KRB5_PARAMS DEBUG ignore_root try_first_pass
+
+/* By using the extended Linux-PAM syntax for this, it is possible to
+ fine-tune the Kerberos handling so that it works out of hte box on
+ most desktop systems.
+
+ What this control operation does is ignore failures and errors from
+ Kerberos (falling back on local pam_unix auth), but if it's good,
+ it'll skip over the following module (pam_unix) with an accepted
+ status.
+
+ IMPORTANT! Make sure that the only thing that comes right after
+ pam_krb5 with KRB5_CONTROL is pam_unix!
+ */
+#define KRB5_CONTROL [success=1 default=ignore]
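Review bot: The IMPORTANT note above leaves the jump count to the reader, but `success=1` counts the next entry of the same stack type after preprocessing, so an `#if`-guarded line placed between pam_krb5 and pam_unix silently changes what gets skipped; the comment should say so, e.g. `Jumps count the next module of the same type after cpp has run; never put a conditional entry between the two lines`. The commit's own second auth pam_krb5 line in system-auth.in is followed by no auth module at all, which already contradicts this note. Also `hte` in the first paragraph should read `the`.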
diff --git a/system-auth.in b/system-auth.in
index 941d925..85ea443 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -4,8 +4,14 @@ auth required pam_env.so DEBUG
#if HAVE_PAM_SSH
auth sufficient pam_ssh.so
#endif
+#if HAVE_KRB5
+auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+#endif
auth required pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
+#if HAVE_KRB5
+auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+#endif
account required pam_unix.so DEBUG
#if HAVE_CRACKLIB
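Review bot: The second `auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS` line after pam_unix uses a control whose success=1 skips a following auth module that does not exist in this hunk, contradicting the basic-conf comment that only pam_unix may follow a KRB5_CONTROL line. When the first pam_krb5 succeeds, its jump over pam_unix lands on this second pam_krb5, so a Kerberos user is authenticated against the KDC twice per login (try_first_pass reuses the password); if the intent is to obtain tickets after a successful local pam_unix authentication, `auth optional pam_krb5.so KRB5_PARAMS` expresses that without the jump. The auth stack may continue outside the hunk, which would change what the second jump skips.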
@@ -14,7 +20,10 @@ password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 D
#if HAVE_PASSWDQC
password required pam_passwdqc.so min=8,8,8,8,8 retry=3
#endif
-password required pam_unix.so try_first_pass AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
+#if HAVE_KRB5
+password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+#endif
+password required pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
#if HAVE_PAM_SSH
session optional pam_ssh.so
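Review bot: `password KRB5_CONTROL pam_krb5.so KRB5_PARAMS` runs after pam_cracklib/pam_passwdqc but KRB5_PARAMS carries no use_authtok, so pam_krb5 collects a new password on its own instead of taking the strength-checked token, and the Kerberos password bypasses the policy those modules enforce; basic-conf in this commit defines KRB5_AUTHTOK for exactly this case but nothing uses it. Suggest `password KRB5_CONTROL pam_krb5.so KRB5_PARAMS KRB5_AUTHTOK`. On success the jump also skips pam_unix, so the local password stays unchanged for Kerberos users; if that is intended, a one-line comment next to the entry saying so would help the next reader.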
diff --git a/system-session.inc b/system-session.inc
index 9d4aea1..2ba6964 100644
--- a/system-session.inc
+++ b/system-session.inc
@@ -7,7 +7,19 @@ session required pam_env.so DEBUG
#if HAVE_MKTEMP
session optional pam_mktemp.so
#endif
+
+/* Only Linux-PAM supports session chain for pam_unix; but if it were
+ to not support it for whatever reason, still execute pam_krb5, with
+ sufficient level instead. */
#if SUPPORT_UNIX_SESSION
+# if HAVE_KRB5
+session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+# endif
session required pam_unix.so DEBUG
+#else
+# if HAVE_KRB5
+session sufficient pam_krb5.so KRB5_PARAMS
+# endif
#endif
+
session optional pam_permit.so
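Review bot: With KRB5_CONTROL, a successful pam_krb5 session call jumps over `session required pam_unix.so DEBUG`, so whatever pam_unix's session hook does (on Linux-PAM it logs session open/close to syslog) is lost precisely for Kerberos users; if that logging is wanted, `session optional pam_krb5.so KRB5_PARAMS` in the SUPPORT_UNIX_SESSION branch keeps both. The `sufficient` in the `#else` branch returns early when pam_krb5 succeeds, which here only skips pam_permit, so that branch behaves as described. The comment above the `#if` should mention the skip, e.g. `On success pam_krb5 skips the pam_unix session entry below`.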