Patch: GN ATS+PAM

* Patch: GN ATS+PAM
@ 2002-09-23 17:19 Pankaj K Garg
  2002-09-24  6:57 ` Yngve Svendsen
  0 siblings, 1 reply; 2+ messages in thread
From: Pankaj K Garg @ 2002-09-23 17:19 UTC (permalink / raw)
  To: help-gnats

[-- Attachment #1: Type: text/plain, Size: 824 bytes --]


 A few days ago I announced the integration of GNATS and PAM.
No one responded--so I'm guessing that there's not enough interest
in this right now. Before leaving this work, however, I did want
to post the patch in case someone finds this useful later on.

 So, I'm attaching the patch with this message. The patch is
produced using 'cvs diff -up <file>...' in the '<toplevel>/gnats'
directory.

 In addition, there's a new file (gnats-pam.c) that should be stored
in the source at '<toplevel>/gnats' directory.

 Since this is my first patch for the GNATS system, please let me
know if I've messed up somehow.

 Thanks for your time, and hope you find this useful.

 Regards

Pankaj

--- 
Pankaj K Garg              gargp@acm.org
1684 Nightingale Avenue    408-373-4027
Sunnyvale, CA 94304
http://home.earthlink.net/~gargp

[-- Attachment #2: patchfile.out --]
[-- Type: text/plain, Size: 4714 bytes --]

Index: Makefile.in
===================================================================
RCS file: /cvsroot/gnats/gnats/gnats/Makefile.in,v
retrieving revision 1.60
diff -u -p -r1.60 Makefile.in
--- Makefile.in	4 Aug 2002 17:15:39 -0000	1.60
+++ Makefile.in	23 Sep 2002 18:11:29 -0000
@@ -123,7 +123,7 @@ SHELL = /bin/sh
 
 #### Host-, target-, and site-specific makefiles are inserted here.
 
-SOURCES = btime.c cmds.c file-pr.c gen-closed-date.c gen-index.c getclose.c gnatsd.c pr-age.c pr-edit.c pr-stat.c query-pr.c queue-pr.c
+SOURCES = btime.c cmds.c file-pr.c gen-closed-date.c gen-index.c getclose.c gnatsd.c pr-age.c pr-edit.c pr-stat.c query-pr.c queue-pr.c gnats-pam.c
 
 EXTRA_OBJS = @EXTRA_OBJS@
 
@@ -182,7 +182,7 @@ query-pr: query-pr.o regex.o libgnats.a
 	$(CC) $(LDFLAGS) -o $@ query-pr.o regex.o \
 		libgnats.a $(LIBIBERTY) $(LIBS)
 
-gnatsd: gnatsd.o cmds.o regex.o file-pr.o btime.o libgnats.a
+gnatsd: gnatsd.o cmds.o regex.o file-pr.o btime.o gnats-pam.o libgnats.a
 	$(CC) $(LDFLAGS) -o $@ gnatsd.o cmds.o regex.o file-pr.o btime.o \
 	libgnats.a $(LIBRX) $(LIBIBERTY) $(LIBS)
 
Index: autoconf.h.in
===================================================================
RCS file: /cvsroot/gnats/gnats/gnats/autoconf.h.in,v
retrieving revision 1.11
diff -u -p -r1.11 autoconf.h.in
--- autoconf.h.in	6 Jan 2002 16:16:45 -0000	1.11
+++ autoconf.h.in	23 Sep 2002 18:11:29 -0000
@@ -1,4 +1,4 @@
-/* autoconf.h.in.  Generated automatically from configure.in by autoheader 2.13.  */
+/* autoconf.h.in.  Generated automatically from configure.in by autoheader.  */
 
 /* Define if on AIX 3.
    System headers sometimes define this.
@@ -116,6 +116,9 @@
 
 /* Define if you have the crypt library (-lcrypt).  */
 #undef HAVE_LIBCRYPT
+
+/* Define if you have the PAM library (-lpam).  */
+#define HAVE_LIBPAM
 
 /* Define if you have the gen library (-lgen).  */
 #undef HAVE_LIBGEN
Index: configure.in
===================================================================
RCS file: /cvsroot/gnats/gnats/gnats/configure.in,v
retrieving revision 1.30
diff -u -p -r1.30 configure.in
--- configure.in	14 Jul 2002 17:29:02 -0000	1.30
+++ configure.in	23 Sep 2002 18:11:29 -0000
@@ -199,6 +199,11 @@ AC_SUBST(KRBINCLUDE)
 AC_SUBST(EXTRA_OBJS)
 fi
 
+dnl
+dnl Check for pam support.
+dnl
+AC_SEARCH_LIBS(pam_open_session, pam)
+
 if test "x$GCC" = "xyes" ; then
 	GCC_CFLAGS="-W -Wall -ansi -pedantic -Werror -Wstrict-prototypes -Wmissing-prototypes -Wwrite-strings -Wno-format"
 fi
Index: gnatsd.c
===================================================================
RCS file: /cvsroot/gnats/gnats/gnats/gnatsd.c,v
retrieving revision 1.47
diff -u -p -r1.47 gnatsd.c
--- gnatsd.c	4 Aug 2002 10:58:29 -0000	1.47
+++ gnatsd.c	23 Sep 2002 18:11:30 -0000
@@ -248,21 +248,35 @@ match (const char *line, const char *pat
     }
 }
 
+#ifdef HAVE_LIBPAM
+extern int check_pam_password (const char *, const char *);
+#endif
+
 /* Return true iff `password' matches `hash'.
    `hash' is a possibly encrypted password, according to the $?$ convention. */
 static int
-password_match (const char *password, const char *hash)
+password_match (const char *user, const char *password, const char *hash)
 {
   if (! strncmp (hash, "$0$", 3))
     {
+      printf ("201 Checking plain password: %s for user %s\r\n", password, user);
       /* explicit plain-text password */
       return ! match (password, hash, TRUE);
     }
+#ifdef HAVE_LIBPAM
+  else if (! strncmp (hash, "$2$", 3))
+    {
+      // printf ("201 Checking PAM password: %s for user %s\r\n", password, user);
+      /* use PAM authentication for user */
+      return ! check_pam_password(user, password);
+    }
+#endif
   else
     {
       /* DES crypt or MD5 hash of the password */
 #ifdef HAVE_LIBCRYPT
       char *encrypted = crypt (password, hash);
+      // printf ("201 Checking crypt or MD5 password: %s for user %s\r\n", password, user);
       return encrypted && ! strcmp (encrypted, hash);
 #else
       /* TODO: log some warning */
@@ -422,6 +436,7 @@ findUserAccessLevel (const char *file, c
   acc = fopen (file, "r");
   if (acc == NULL)
     {
+      printf ("200- No access control file found.\r\n");
       return 0;
     }
 
@@ -447,7 +462,7 @@ findUserAccessLevel (const char *file, c
 	  if ((ent->fieldcount == 3 || ent->fieldcount == 4)
 	      && match (user, ent->admFields[0], TRUE))
 	    {
-	      if (! password_match (passwd, ent->admFields[1]))
+	      if (! password_match (user, passwd, ent->admFields[1]))
 		{
 		  /* Username matched but password didn't.  */
 		  *access = ACCESS_NONE;

[-- Attachment #3: gnats-pam.c --]
[-- Type: text/plain, Size: 4162 bytes --]

/* PAM integration for GNATS server.
   Copyright (C) 2002  Pankaj K Garg.
   Copyright (C) 2000, 2001 Milan Zamazal.
   Copyright (C) 1994, 95, 96, 1997, 1999, 2000 Free Software Foundation, Inc.
   Contributed by Brendan Kehoe (brendan@cygnus.com).
   Further hacked by Milan Zamazal (pdm@zamazal.org).

This file is part of GNU GNATS.

GNU GNATS is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

GNU GNATS is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU GNATS; see the file COPYING.  If not, write to the Free
Software Foundation, 59 Temple Place - Suite 330, Boston, MA 02111, USA.  */

#include "config.h"

#ifdef HAVE_LIBPAM
#include <security/pam_misc.h>
#include <security/pam_appl.h>

/* Code taken from Steve McIntyre (scmintyre@software.plasmon.com)'s
   implementation of PAM authentication for CVS.
   -Pankaj K Garg gargp@acm.org
*/

int gnats_conv(int, const struct pam_message **,
	       struct pam_response **, void *);

int check_pam_password (const char *, const char *);

/* The callback function that the pam modules will use to talk to
   us. Modelled closely on the misc_conv module of Linux-PAM. This
   blatantly subverts one of the principles of PAM - PAM is meant to
   handle all the password work. But this does the job and means I can
   transition to LDAP right now. SAM 2001/12/23 */

int gnats_conv(int num_msg, const struct pam_message **msgm,
	       struct pam_response **response, void *appdata_ptr)
{
    int count=0;
    struct pam_response *reply;

    if (num_msg <= 0)
       return PAM_CONV_ERR;
    
    reply = (struct pam_response *) calloc(num_msg,
                                          sizeof(struct pam_response));
    if (reply == NULL)
       return PAM_CONV_ERR;
    
    for (count=0; count < num_msg; ++count) 
    {
       char *string=NULL;

       switch (msgm[count]->msg_style) 
       {
           case PAM_PROMPT_ECHO_OFF:
           case PAM_PROMPT_ECHO_ON:
               string = (char *)appdata_ptr;
               break;
           default:
               break;
       }

       if (string) /* must add to reply array */
       {   
           /* add string to list of responses */    
           reply[count].resp_retcode = 0;
           reply[count].resp = string;
           string = NULL;
       }
    }

    *response = reply;
    reply = NULL;

    return PAM_SUCCESS;
}

static struct pam_conv conv = {
    gnats_conv,
    NULL
};

/* Modelled very closely on the example code in "The Linux-PAM
   Application Developers' Guide" by Andrew G. Morgan. */

/* Return:
   0: if authentication and authorization is successful
   1: if there was an authorization error
   2: if something went wrong, and we don't know what was wrong */

int
check_pam_password (const char *username, const char *password)
{
    pam_handle_t *pamh = NULL;
    int retval;
    int rc = 0;

    conv.appdata_ptr = strdup(password);

    retval = pam_start("support", username, &conv, &pamh);

    if (retval == PAM_SUCCESS)
       retval = pam_authenticate(pamh, 0);    /* is user really user? */

    if (retval == PAM_SUCCESS)
       retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */

    /* This is where we have been authorized or not. */

    switch(retval)
    {
       case PAM_SUCCESS:
           rc = 0;
           break;
       case PAM_AUTH_ERR:
           rc = 1;
           break;
       default:
           rc = 2;
           break;
    }

    /* now close PAM */
    if (pam_end(pamh,retval) != PAM_SUCCESS) 
    {     
	pamh = NULL;
	fprintf(stderr, "failed to release authenticator\n");
    }

    return rc;
}
#endif

^ permalink raw reply	[flat|nested] 2+ messages in thread