From 736f9b9f43c2468dd0cb5c5343cb8969d5492a4d Mon Sep 17 00:00:00 2001
From: Diego Elio 'Flameeyes' Pettenò
Date: Fri, 23 Jul 2010 15:59:44 +0200
Subject: Add support for pam_krb5 module for Kerberos authentication.

This implements drop-in support for Kerberos (pam_krb5) in Gentoo systems; if the kerberos USE flag has been enabled, it'll use pam_krb5 for login, ignoring pam_unix, but no other module in the chain. It requires Linux-PAM.
---
 Makefile | 4 ++++
 basic-conf | 32 +++++++++++++++++++++++++++++---
 system-auth.in | 11 ++++++++++-
 system-session.inc | 12 ++++++++++++
 4 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 6a80ec5..18a30d2 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,10 @@ ifeq "$(PAM_SSH)" "yes"
 PAMFLAGS += -DHAVE_PAM_SSH=1
 endif
 
+ifeq "$(KRB5)" "yes"
+PAMFLAGS += -DHAVE_KRB5=1
+endif
+
 ifeq "$(SHA512)" "yes"
 PAMFLAGS += -DWANT_SHA512=1
 endif
diff --git a/basic-conf b/basic-conf
index 902ff8d..e40a2f6 100644
--- a/basic-conf
+++ b/basic-conf
@@ -1,9 +1,19 @@
 // Only use_authtok (authentication token) when using cracklib or some other module
-// that checks for passwords.
+// that checks for passwords, or pam_krb5
+#define AUTHTOK use_authtok
+
 #if HAVE_CRACKLIB || HAVE_PASSWDQC
-# define AUTHTOK use_authtok
+# define PASSWORD_STRENGTH 1
+#endif
+
+#if HAVE_KRB5 && PASSWORD_STRENGTH
+# define KRB5_AUTHTOK AUTHTOK
+#endif
+
+#if HAVE_KRB5 || PASSWORD_STRENGTH
+# define UNIX_AUTHTOK AUTHTOK
 #else
-# define AUTHTOK
+# define UNIX_AUTHTOK AUTHTOK
 #endif
 
 // Define DEBUG to an empty string unless it was required by the user
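Review bot: The new `ifeq "$(KRB5)" "yes"` block only defines `HAVE_KRB5`, while the commit message states that Kerberos support requires Linux-PAM and the `KRB5_CONTROL` macro added to basic-conf relies on the bracketed `[success=1 default=ignore]` control syntax that other PAM implementations do not accept. If the Makefile already carries a variable that selects the PAM implementation (none is visible in this hunk), a guard such as `$(error KRB5=yes requires Linux-PAM)` inside this block would turn a silently unusable auth stack into a build-time failure. As written, a build with KRB5=yes against a non-Linux-PAM library would presumably only show up as failing logins, which is hard to diagnose from the generated files.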
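Review bot: In the `#if HAVE_KRB5 || PASSWORD_STRENGTH` block the `#else` branch reads `+# define UNIX_AUTHTOK AUTHTOK`, identical to the `#if` branch, so the conditional is a no-op and `pam_unix.so` is given `use_authtok` even when no module stacked before it can have set a token; in that configuration pam_unix has nothing to reuse and password changes fail. Unless the collapsed rendering dropped a token on that line, the else branch should be the empty definition `# define UNIX_AUTHTOK`, mirroring the `# define AUTHTOK` line it replaces. Separately, `KRB5_AUTHTOK` is defined for the strength-checker case but no hunk in this commit references it, so the `password KRB5_CONTROL pam_krb5.so KRB5_PARAMS` line added in system-auth.in does not get `use_authtok`; presumably pam_krb5 then prompts for the new password on its own, which would bypass the cracklib/passwdqc check that PASSWORD_STRENGTH is meant to enforce for the Kerberos password, so KRB5_AUTHTOK should appear on that password-chain line.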
@@ -18,3 +28,19 @@ #ifndef LIKEAUTH #define LIKEAUTH #endif + +#define KRB5_PARAMS DEBUG ignore_root try_first_pass + +/* By using the extended Linux-PAM syntax for this, it is possible to + fine-tune the Kerberos handling so that it works out of hte box on + most desktop systems. + + What this control operation does is ignore failures and errors from + Kerberos (falling back on local pam_unix auth), but if it's good, + it'll skip over the following module (pam_unix) with an accepted + status. + + IMPORTANT! Make sure that the only thing that comes right after + pam_krb5 with KRB5_CONTROL is pam_unix! + */ +#define KRB5_CONTROL [success=1 default=ignore] diff --git a/system-auth.in b/system-auth.in index 941d925..85ea443 100644 --- a/system-auth.in +++ b/system-auth.in @@ -4,8 +4,14 @@ auth required pam_env.so DEBUG #if HAVE_PAM_SSH auth sufficient pam_ssh.so #endif +#if HAVE_KRB5 +auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS +#endif auth required pam_unix.so try_first_pass LIKEAUTH nullok DEBUG +#if HAVE_KRB5 +auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS +#endif account required pam_unix.so DEBUG #if HAVE_CRACKLIB @@ -14,7 +20,10 @@ password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 D #if HAVE_PASSWDQC password required pam_passwdqc.so min=8,8,8,8,8 retry=3 #endif -password required pam_unix.so try_first_pass AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG +#if HAVE_KRB5 +password KRB5_CONTROL pam_krb5.so KRB5_PARAMS +#endif +password required pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG #if HAVE_PAM_SSH session optional pam_ssh.so diff --git a/system-session.inc b/system-session.inc index 9d4aea1..2ba6964 100644 --- a/system-session.inc +++ b/system-session.inc 
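Review bot: The block comment above `KRB5_CONTROL` has a typo, `out of hte box` should read `out of the box`. Since the IMPORTANT caveat is the only place that ties the `success=1` jump distance to the stacking order, it would help to add `the count is in module lines of the generated file, so #if/#endif lines do not count` (presumably the .in files are run through the preprocessor before install), so that a future insertion between pam_krb5 and pam_unix is recognised as breaking the skip rather than a harmless edit.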
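Review bot: The second added block after `auth required pam_unix.so try_first_pass LIKEAUTH nullok DEBUG` stacks `auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS` a second time in the auth chain, where the `success=1` jump no longer lands on pam_unix, contradicting the IMPORTANT caveat in basic-conf that a `KRB5_CONTROL` line must be followed directly by pam_unix. The block sits immediately before `account required pam_unix.so DEBUG`, so if the intent is Kerberos account management it should read `account KRB5_CONTROL pam_krb5.so KRB5_PARAMS` (the account chain gets no Kerberos hook anywhere else in this commit); if it really is an auth entry it is a duplicate that re-runs pam_krb5 after a Kerberos success has already skipped pam_unix. The collapsed rendering may have lost the distinction, so please confirm against the original patch.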
@@ -7,7 +7,19 @@ session required pam_env.so DEBUG #if HAVE_MKTEMP session optional pam_mktemp.so #endif + +/* Only Linux-PAM supports session chain for pam_unix; but if it were + to not support it for whatever reason, still execute pam_krb5, with + sufficient level instead. */ #if SUPPORT_UNIX_SESSION +# if HAVE_KRB5 +session KRB5_CONTROL pam_krb5.so KRB5_PARAMS +# endif session required pam_unix.so DEBUG +#else +# if HAVE_KRB5 +session sufficient pam_krb5.so KRB5_PARAMS +# endif #endif + session optional pam_permit.so -- cgit v1.2.3-65-gdbad
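Review bot: In the `#if SUPPORT_UNIX_SESSION` branch a Kerberos success makes `[success=1 default=ignore]` skip `session required pam_unix.so DEBUG`, so whatever pam_unix's session hook does on these systems (its session open/close syslog records, if that is what produces them here) is not performed for Kerberos-authenticated users while locally authenticated users still get it. If that logging is relied on for login auditing, consider either ordering pam_krb5 after pam_unix in this chain with `optional`, or extending the new comment with a sentence stating that the Kerberos path deliberately skips the pam_unix session step and naming which module records the session instead. In the `#else` branch `session sufficient pam_krb5.so KRB5_PARAMS` is consistent with the comment, but note that a pam_krb5 session failure is silently ignored there and `pam_permit.so` still opens the session.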