1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
#
# Add in extra PAM options compared to upstream's own PAM code:
# * Add an extra option PamAuth to control use of PAM separately from
# SystemAuth
# * Add support for DefaultPamUser - try that if the specified
# user does not exist
#
# Patch by Steve McIntyre <steve@einval.com>
diff -Nur doc/cvs.texinfo doc/cvs.texinfo
--- doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
+++ doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
@@ -2662,8 +2662,18 @@
system has PAM (Pluggable Authentication Modules)
and your @sc{cvs} server executable was configured to
use it at compile time (using @code{./configure --enable-pam} - see the
-INSTALL file for more). In this case, PAM will be consulted instead.
-This means that @sc{cvs} can be configured to use any password
+INSTALL file for more). In this case, PAM may be
+consulted first (or instead). The
+"fallback" behaviour can be controlled using the two
+variables @code{PamAuth} and @code{SystemAuth}. On a
+Debian system, @code{PamAuth} defaults to @code{yes}
+and @code{SystemAuth} to @code{no} - after all, PAM can
+supports passwd file lookups itself. Changing these is
+possible by setting @code{PamAuth=no} and
+@code{SystemAuth=yes} in the @sc{cvs} @file{config}
+file, @pxref{config}).
+
+Use of PAM means that @sc{cvs} can be configured to use any password
authentication source PAM can be configured to use (possibilities
include a simple UNIX password, NIS, LDAP, and others) in its
global configuration file (usually @file{/etc/pam.conf}
@@ -2691,7 +2701,7 @@
cvs session required pam_unix.so
@end example
-The the equivalent @file{/etc/pam.d/cvs} would contain
+The equivalent @file{/etc/pam.d/cvs} would contain
@example
auth required pam_unix.so
@@ -2715,6 +2725,13 @@
feature should not be used if you may not have control of the name
@sc{cvs} will be invoked as.
+If you wish to use PAM for authentication, and details
+of your users are not available using getpwnam(), you
+may set a default name for the account on the server
+that will be used after authentication. To do this,
+either set @code{DefaultPamUser=user} in the @sc{cvs}
+@file{config} file, @pxref{config}.
+
Be aware, also, that falling back to system
authentication might be a security risk: @sc{cvs}
operations would then be authenticated with that user's
diff -Nur src/parseinfo.c src/parseinfo.c
--- src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
+++ src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
@@ -303,8 +303,12 @@
*/
#endif /* PROXY_SUPPORT */
#ifdef AUTH_SERVER_SUPPORT
- new->system_auth = true;
+ new->system_auth = false;
#endif /* AUTH_SERVER_SUPPORT */
+#ifdef HAVE_PAM
+ new->PamAuth = true;
+ new->DefaultPamUser = NULL;
+#endif
return new;
}
@@ -696,6 +700,13 @@
readSizeT (infopath, "MaxCompressionLevel", p,
&retval->MaxCompressionLevel);
#endif /* SERVER_SUPPORT */
+#ifdef HAVE_PAM
+ else if (!strcmp (line, "DefaultPamUser"))
+ retval->DefaultPamUser = xstrdup(p);
+ else if (!strcmp (line, "PamAuth"))
+ readBool (infopath, "PamAuth", p,
+ &retval->PamAuth);
+#endif
else
/* We may be dealing with a keyword which was added in a
subsequent version of CVS. In that case it is a good idea
diff -Nur src/parseinfo.h src/parseinfo.h
--- src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
+++ src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
@@ -59,6 +59,10 @@
#ifdef PRESERVE_PERMISSIONS_SUPPORT
bool preserve_perms;
#endif /* PRESERVE_PERMISSIONS_SUPPORT */
+#ifdef HAVE_PAM
+ char *DefaultPamUser;
+ bool PamAuth;
+#endif
};
bool parse_error (const char *, unsigned int);
diff -Nur src/server.c src/server.c
--- src/server.c 2005-09-28 16:25:59.000000000 +0100
+++ src/server.c 2006-05-20 00:45:14.000000000 +0100
@@ -6919,6 +6919,15 @@
{
pam_stage = "get pam user";
retval = pam_get_item (pamh, PAM_USER, (const void **)username);
+ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
+ {
+ /* An issue with using pam is that the host may well not have
+ a local user entry to match the authenticated user. If this
+ has failed, optionally fall back to a specified local
+ username */
+ *username = xstrdup(config->DefaultPamUser);
+ retval = PAM_SUCCESS;
+ }
}
if (retval != PAM_SUCCESS)
@@ -7022,7 +7031,11 @@
assert (rc == 0);
+#ifdef HAVE_PAM
+ if (!config->system_auth && !config->PamAuth)
+#else
if (!config->system_auth)
+#endif
{
/* Note that the message _does_ distinguish between the case in
which we check for a system password and the case in which
@@ -7037,9 +7050,10 @@
/* No cvs password found, so try /etc/passwd. */
#ifdef HAVE_PAM
- if (check_pam_password (&username, password))
+ if ( (config->PamAuth && check_pam_password (&username, password)) ||
+ (config->system_auth && check_system_password (username, password)))
#else /* !HAVE_PAM */
- if (check_system_password (username, password))
+ if (config->system_auth && check_system_password (username, password))
#endif /* HAVE_PAM */
host_user = xstrdup (username);
else
|
