From bc63565d2622875b08aa8e2cbfa9b0b56d1e1539 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Sep 13 2004 21:43:03 +0000
Subject: * pam_krb5afs.c: call krb5_userok() during authentication as well (Douglas E. Engert). * pam_krb5afs.c: skip the krb5_kuserok() call in account management if we're skipping user checks -- krb5_kuserok fails if getpwnam() fails.
---
diff --git a/ChangeLog b/ChangeLog
index ebf2b4f..e292b3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2004-09-13 nalin:
+ * pam_krb5afs.c: call krb5_userok() during authentication as well
+ (Douglas E. Engert).
+
+2004-07-14 nalin:
+ * pam_krb5afs.c: skip the krb5_kuserok() call in account management
+ if we're skipping user checks -- krb5_kuserok fails if getpwnam() fails.
+
 2004-05-07 nalin:
 * pam_krb5afs.c: return PAM_AUTHINFO_UNAVAIL if we can't resolve or
 reach the KDC. Allocate twice as much space as we should need to for
diff --git a/pam_krb5afs.c b/pam_krb5afs.c
index 489b1e1..cbb3549 100644
--- a/pam_krb5afs.c
+++ b/pam_krb5afs.c
@@ -1981,6 +1981,23 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 }
 }
 
+ /* The principal and the user name are enough for us to go on. */
+ if (RC_OK && config->user_check) {
+ /* This is bit silly due to the fact that PAM doesn't let us
+ * authenticate as one user and authorize as another, but the
+ * empty .k5login case might crop up here. Unlike most krb5
+ * API functions, kuserok returns 1 on success, 0 on failure. */
+ krc = krb5_kuserok(context, princ, user);
+ DEBUG("krb5_kuserok(%s, %s) = %d", user, user, krc);
+ if (krc == 0) {
+ /* Failure means we don't let the user in. */
+ prc = PAM_PERM_DENIED;
+ } else {
+ /* Success means we continue on to other checks. */
+ krc = KRB5_SUCCESS;
+ }
+ }
+
 /* Log something. */
 if (RC_OK) {
 INFO("authentication succeeds for `%s'", user);
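Review bot: The DEBUG call in the added block passes `user` for both `%s` conversions, so the log line reads as krb5_kuserok(name, name) and never records which principal the .k5login check was made against; either unparse `princ` into a string for the first argument or reduce the format to `DEBUG("krb5_kuserok(%s) = %d", user, krc);`. When `config->user_check` is off the whole authorization step is bypassed without a trace; an `else` branch with `DEBUG("skipping krb5_kuserok for %s: user_check disabled", user);` would make that visible in the logs, and the same applies to the gated check in the pam_sm_acct_mgmt hunk. Presumably `KRB5_SUCCESS` is 0 in this file, in which case the failure path leaves `krc` at 0 too and only `prc` carries the denial, so it is worth confirming that `RC_OK` tests `prc`. pam_sm_authenticate begins and ends outside the hunk.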
@@ -2565,7 +2582,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
 }
 
 /* The principal and the user name are enough for us to go on. */
- if (RC_OK) {
+ if (RC_OK && config->user_check) {
 /* This is bit silly due to the fact that PAM doesn't let us
 * authenticate as one user and authorize as another, but the
 * empty .k5login case might crop up here. Unlike most krb5
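Review bot: The comment above the changed `if` still describes only the empty .k5login case and says nothing about why `config->user_check` now decides whether krb5_kuserok() runs at all; the commit message gives the reason (krb5_kuserok fails when getpwnam() fails), and it belongs next to the condition as a line such as `* Skipped when user_check is off: krb5_kuserok() needs a local passwd entry.` appended to that comment block. With this gating a user who has no local account is no longer refused here when user checks are disabled, which appears to be the intended trade-off but should be stated where the decision is made. The kuserok block now seems to be duplicated between pam_sm_authenticate and pam_sm_acct_mgmt; a `static` helper taking `context`, `princ` and `user` and returning the PAM result would keep the two in step. pam_sm_acct_mgmt begins and ends outside the hunk.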