+version 0.0.3 11 Sep 2001
+ - make sure we use the DEFAULT_KEYTAB define, since we have it available.
+ - add support for min_uid option, submitted by Gordon Tetlow
+ <gordont@gnf.org>
+
version 0.0.2 26 Apr 2001
- fix bug in cleanup handling; now that we're passing in the right
kind of void pointer, we shouldn't be leaving temp files around
debug turn debug logging on
keytab=<file> use alternate keytab for authentication
(default is /etc/security/pam_krb5.keytab)
+min_uid=<uid> don't add principals for uid's lower than <uid>.
+ (default is 100)
principal=<name> use the key for <name> instead of the default
pam_migrate/<hostname> key
realm=<REALM> update the database for a realm other than the
/*
Kerberos 5 migration module
- Version 0.0.1.
+ Version 0.0.3.
PAM authentication module to transparently add passwords to a Kerberos 5
database.
- Copyright (C) Steve Langasek 2000
+ Copyright (C) Steve Langasek 2000-2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "pam_krb5_migrate.h"
#define DEFAULT_KEYTAB "/etc/security/pam_krb5.keytab"
-
+#define MIN_UID 100
/* Cleanup function for pam data. */
static void _cleanup(pam_handle_t * pamh, void *x, int error_status)
kadm5_policy_ent_rec defpol;
long mask = 0;
void *handle = NULL;
+ uid_t min_uid = MIN_UID;
+ struct passwd *pwent = NULL;
/* Get a few bytes so we can pass our return value to pam_sm_setcred(). */
retval = PAM_BUF_ERR;
goto cleanup;
}
+ } else if (!strncmp(*argv, "min_uid=", 8)) {
+ min_uid = atoi(*argv+8);
} else {
_log_err(LOG_ERR, pamh, "unrecognized option [%s]", *argv);
retval = PAM_SYSTEM_ERR;
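Review bot: `min_uid = atoi(*argv+8);` accepts any text: a typo such as `min_uid=1oo` silently yields 0, which disables the threshold and lets principals be created for root and every system account, while a negative value is converted to the unsigned `uid_t min_uid` declared above and wraps to a huge uid that excludes everyone. Parse with `strtoul` and reject an empty or partially consumed string the same way the unrecognized-option branch below does, so a bad configuration fails loudly instead of failing open. An `errno`/`ERANGE` overflow check would additionally need `<errno.h>`, which is not visible in this diff. The enclosing option-parsing loop and its function start and end outside the hunk.
```c
} else if (!strncmp(*argv, "min_uid=", 8)) {
	const char *val = *argv + 8;
	char *end = NULL;
	unsigned long parsed = strtoul(val, &end, 10);
	/* Reject empty, non-numeric or trailing-garbage values: fail closed. */
	if (*val == '\0' || end == NULL || *end != '\0') {
		_log_err(LOG_ERR, pamh, "invalid min_uid value [%s]", val);
		retval = PAM_SYSTEM_ERR;
		goto cleanup;
	}
	min_uid = (uid_t)parsed;
} else {
	/* … unchanged: unrecognized-option handling … */
```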
#ifndef KADMIN_LOCAL
/* Get default keytab if none was provided. */
if (!keytab_name) {
- keytab_name = _xstrdup(pamh, "/etc/security/pam_krb5.keytab");
+ keytab_name = _xstrdup(pamh, DEFAULT_KEYTAB);
if (keytab_name == NULL) {
retval = PAM_BUF_ERR;
goto cleanup;
_log_err(LOG_DEBUG, pamh, "username [%s] obtained", lname);
}
+ pwent = getpwnam(lname);
+ if (pwent != NULL && pwent->pw_uid < min_uid) {
+ if (debug) {
+ _log_err(LOG_DEBUG, pamh, "username [%s] has uid less than %d, not creating a principal", lname, min_uid);
+ }
+ retval = PAM_IGNORE;
+ goto cleanup;
+ }
+
name = malloc(strlen(lname) + strlen(def_realm) + 2);
if (name == NULL) {
_log_err(LOG_CRIT, pamh, "no memory for principal name");
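Review bot: The uid threshold is bypassed whenever `getpwnam(lname)` returns NULL, because `pwent != NULL && pwent->pw_uid < min_uid` only refuses users with a known low uid — an account missing from the NSS database, or a transient lookup failure, still gets a principal created, which is the fail-open direction. Unless this module is meant to create principals for accounts the host does not know, treat a missing entry like a low uid, `if (pwent == NULL || pwent->pw_uid < min_uid) {`, and log which of the two cases applied. The debug message also passes `min_uid` (a `uid_t`) to `%d`; use `"... has uid less than %lu, ..."` with `(unsigned long)min_uid`. `getpwnam` returns a static buffer, so a threaded application loading this module would want `getpwnam_r`; at minimum that is worth a comment if the call is kept. The enclosing function starts and ends outside the hunk.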
/*
Kerberos 5 migration module
- Version 0.0.1.
+ Version 0.0.3.
PAM authentication module to transparently add passwords to a Kerberos 5
database.
- Copyright (C) Steve Langasek 2000
+ Copyright (C) Steve Langasek 2000-2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#define _PAM_KRB5_MIGRATE_H
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <pwd.h>
#include <krb5.h>
#include <kadm5/admin.h>