Re: [Fwd: problems trying to use both PAM and CVSROOT/passwd]
From: Brian Murphy
Subject: Re: [Fwd: problems trying to use both PAM and CVSROOT/passwd]
Date: Sun, 16 Jan 2005 22:05:58 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031107 Debian/1.5-3
Derek Price wrote:
I've created Issue #230 in the issuezilla:
<https://ccvs.cvshome.org/issues/show_bug.cgi?id=230>. Brian Murphy
has been dealing with the PAM issues. I've cc'd him.
Thanks for the report.
Derek
------------------------------------------------------------------------
Subject: problems trying to use both PAM and CVSROOT/passwd
From: "Neil B. Morley" <nmorley@entertainment.com>
Date: Fri, 14 Jan 2005 11:05:12 -0800
To: info-cvs@gnu.org
Dear cvs users,
I am trying to use the pam authentication in 1.12.11 with an ldap
database. But I want to transition my users slowly to make sure they
have no problems and downtime. However, if I have pam enabled, I can't
seem to get access for users still in the passwd file. It allows
login, but any checkout operations give me the error:
PAM open session error: System error
cvs [checkout aborted]: recv() from server cvsdns2: EOF
Does anyone have any idea if this is fixable? I see a bug report about
this behavior at http://bugs.gentoo.org/show_bug.cgi?id=72251
but not sure if this is a bug or some setup issue.
This is a bug. When CVSROOT/passwd is used for authentication then the PAM
library is not initialized. When the pam_* functions are called in
switch_to_user they fail because pam_start has not been called.
Solution:
Split out PAM initialization to a separate function which is always called.
Patch attached.
Please review and give your OK to submit.
/Brian
Index: server.c
===================================================================
RCS file: /cvs/ccvs/src/server.c,v
retrieving revision 1.410
diff -u -r1.410 server.c
--- server.c 9 Dec 2004 19:33:51 -0000 1.410
+++ server.c 16 Jan 2005 20:59:44 -0000
@@ -6755,7 +6755,7 @@
}
static int
-check_pam_password (char **username, char *password)
+pam_initialize (char **username, char *password)
{
int retval, err;
struct cvs_pam_userinfo ui = { *username, password };
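Review bot: ui at the top of the renamed pam_initialize is still a local (struct cvs_pam_userinfo ui = { *username, password };), but after this patch the function returns before authentication takes place. If the conversation data registered with pam_start in the lines not shown here points at ui, the pam_authenticate call that moves into check_pam_password will run the conversation callback against a stack frame that no longer exists. Suggest giving ui, and anything else handed to pam_start by address, storage that lives as long as pamh, and clearing the stored password once authentication has finished.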
@@ -6770,10 +6770,16 @@
retval = pam_set_item(pamh, PAM_TTY, PAM_SERVICE_NAME);
}
- if (retval == PAM_SUCCESS) {
- pam_stage = "authenticate";
- retval = pam_authenticate(pamh, 0);
- }
+ return retval == PAM_SUCCESS; /* indicate success */
+}
+
+static int
+check_pam_password ()
+{
+ int retval, err;
+ char *pam_stage = "authenticate";
+
+ retval = pam_authenticate(pamh, 0);
if (retval == PAM_SUCCESS) {
pam_stage = "account";
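Review bot: the new definition check_pam_password () uses an empty parameter list instead of (void), so a call site that still passes username and password would compile without a diagnostic, and none of the hunks shown here updates a caller. Suggest declaring it as check_pam_password (void) and carrying the call-site change in the same patch. A short comment stating that pam_initialize must have succeeded before this function is called would also help, since it now relies on the file-scope pamh being valid.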
@@ -6866,6 +6872,14 @@
int rc;
char *host_user = NULL;
+#ifdef HAVE_PAM
+ if (!pam_initialize(&username, password)) {
+ printf ("error 0 pam initialization failed\n");
+
+ exit (EXIT_FAILURE);
+ }
+#endif
+
/* First we see if this user has a password in the CVS-specific
password file. If so, that's enough to authenticate with. If
not, we'll check /etc/passwd or maybe whatever is configured via PAM. */
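Review bot: the pam_initialize call added at the top of this function is guarded only by the compile-time HAVE_PAM and its failure path goes straight to exit (EXIT_FAILURE), so on a PAM-enabled build any PAM start-up problem now locks out every user, including those the comment just below says are authenticated from the CVS-specific password file first. If that is the intended trade-off, say so in a comment, and report the cause: "error 0 pam initialization failed" carries no PAM error text because pam_initialize returns only retval == PAM_SUCCESS. Logging the pam_strerror text on the server side would let an administrator see why start-up failed. The plaintext password is also handed to pam_initialize before it is known whether PAM will be the mechanism that checks it, which deserves a note on why it is needed that early.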