|
From: | Brian Murphy |
Subject: | Re: PAM access policy may be circumvented |
Date: | Sun, 12 Oct 2003 18:18:55 +0200 |
User-agent: | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030529 |
Marc Singer wrote:
Sorry, but you must be using another patch than the one in the official cvs source repository. The official 1.11.x branch has no PAM support. The new PAM support in the 1.12 branch was written by me and has nothing that looks like the lines above in it. Please check out/download the official releases to see for yourself. In fact no official release has been made with PAMOn Sat, Oct 11, 2003 at 06:48:47PM +0200, Brian Murphy wrote:This is *not* the PAM support in cvs that you refer to. The PAM patch in cvs chooses either PAM or traditional /etc/passwd support but not both.See for yourself. Here's the source from server.c. #line 5869 server.c #ifdef HAVE_PAM if (system_auth) host_user = check_pam_password (username, descrambled_password, repository); #endif /* HAVE_PAM */ if(NULL == host_user) host_user = check_password (username, descrambled_password, repository); if (host_user == NULL) When the check_pam_password () call fails, CVS will then call check_password (). check_password () is the non-PAM call to verify a user's identity. Thus, when PAM fails, CVS does a fall-back to the non-PAM authentication. My change was simply to #ifndef HAVE_PAM on the check_password () call. Cheers.
support as the changes are after the unstable branches' last release.I know for instance that debian patches CVS for PAM support - perhaps you use debian and
have looked at their patched source? /Brian
[Prev in Thread] | Current Thread | [Next in Thread] |