|
 |
36e843 |
diff -up cvs-1.11.23/configure.in.pam cvs-1.11.23/configure.in
|
|
|
36e843 |
--- cvs-1.11.23/configure.in.pam 2008-07-15 15:40:50.000000000 -0400
|
|
|
36e843 |
+++ cvs-1.11.23/configure.in 2008-07-15 15:40:50.000000000 -0400
|
|
|
36e843 |
@@ -904,6 +904,36 @@ if test no != "$enable_server"; then
|
|
|
36e843 |
[The high water mark in bytes for server flow control. Required if
|
|
|
36e843 |
SERVER_FLOWCONTROL is defined, and useless otherwise.])
|
|
|
36e843 |
fi # enable_server_flow_control
|
|
|
36e843 |
+
|
|
|
36e843 |
+ dnl
|
|
|
36e843 |
+ dnl Give the confiscator control over whether the pam support is used
|
|
|
36e843 |
+ dnl
|
|
|
36e843 |
+ AC_ARG_ENABLE(
|
|
|
36e843 |
+ [pam],
|
|
|
36e843 |
+ AC_HELP_STRING(
|
|
|
36e843 |
+ [--enable-pam],
|
|
|
36e843 |
+ [Include code for running with pam code (default)]), ,
|
|
|
36e843 |
+ [if test "$ac_cv_search_connect" != yes; then
|
|
|
36e843 |
+ enable_pam=no
|
|
|
36e843 |
+ fi])
|
|
|
36e843 |
+
|
|
|
36e843 |
+ if test no != "$enable_pam"; then
|
|
|
36e843 |
+ AC_DEFINE(
|
|
|
36e843 |
+ [PAM_SUPPORT], [1],
|
|
|
36e843 |
+ [Define if you want CVS to be able to serve repositories to remote
|
|
|
36e843 |
+ clients.])
|
|
|
36e843 |
+
|
|
|
36e843 |
+ dnl
|
|
|
36e843 |
+ dnl Finding the pam_authenticate function.
|
|
|
36e843 |
+ dnl
|
|
|
36e843 |
+ AC_SEARCH_LIBS(
|
|
|
36e843 |
+ [pam_authenticate], [pam],
|
|
|
36e843 |
+ [AC_DEFINE(
|
|
|
36e843 |
+ [HAVE_PAM], [1],
|
|
|
36e843 |
+ [Define if you have the pam_authenticate function.])
|
|
|
36e843 |
+ ]) dnl AC_SEARCH_LIBS
|
|
|
36e843 |
+ fi #enable_pam
|
|
|
36e843 |
+
|
|
|
36e843 |
fi # enable_server
|
|
|
36e843 |
|
|
|
36e843 |
|
|
|
36e843 |
diff -up cvs-1.11.23/src/server.c.pam cvs-1.11.23/src/server.c
|
|
|
36e843 |
--- cvs-1.11.23/src/server.c.pam 2008-07-15 15:40:50.000000000 -0400
|
|
|
36e843 |
+++ cvs-1.11.23/src/server.c 2008-07-15 15:42:02.000000000 -0400
|
|
|
36e843 |
@@ -20,6 +20,12 @@
|
|
|
36e843 |
# include <process.h>
|
|
|
36e843 |
#endif
|
|
|
36e843 |
|
|
|
36e843 |
+/* needed for PAM authentication - fk 2000 */
|
|
|
36e843 |
+#if PAM_SUPPORT
|
|
|
36e843 |
+#include <security/pam_appl.h>
|
|
|
36e843 |
+#include <security/pam_misc.h>
|
|
|
36e843 |
+#endif
|
|
|
36e843 |
+
|
|
|
36e843 |
int server_active = 0;
|
|
|
36e843 |
|
|
|
36e843 |
#if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
|
|
|
36e843 |
@@ -5673,7 +5679,36 @@ check_repository_password (username, pas
|
|
|
36e843 |
return retval;
|
|
|
36e843 |
}
|
|
|
36e843 |
|
|
|
36e843 |
-
|
|
|
36e843 |
+/* callback for PAM authentication - fk 2000 */
|
|
|
36e843 |
+#if PAM_SUPPORT
|
|
|
36e843 |
+int silent_conv(int num_msg, const struct pam_message **msgm,
|
|
|
36e843 |
+ struct pam_response **response, void *appdata) {
|
|
|
36e843 |
+ int replies;
|
|
|
36e843 |
+ struct pam_response *reply = NULL;
|
|
|
36e843 |
+
|
|
|
36e843 |
+ reply = calloc(num_msg,sizeof(struct pam_response));
|
|
|
36e843 |
+ for (replies=0; replies
|
|
|
36e843 |
+ switch (msgm[replies]->msg_style) {
|
|
|
36e843 |
+ case PAM_PROMPT_ECHO_ON:
|
|
|
36e843 |
+ case PAM_PROMPT_ECHO_OFF:
|
|
|
36e843 |
+ /* printf("Prompt: %s\n",msgm[replies]->msg); */
|
|
|
36e843 |
+ reply[replies].resp_retcode = PAM_SUCCESS;
|
|
|
36e843 |
+ reply[replies].resp = strdup((char*)appdata);
|
|
|
36e843 |
+ break;
|
|
|
36e843 |
+ case PAM_ERROR_MSG:
|
|
|
36e843 |
+ case PAM_TEXT_INFO:
|
|
|
36e843 |
+ reply[replies].resp_retcode = PAM_SUCCESS;
|
|
|
36e843 |
+ reply[replies].resp = NULL;
|
|
|
36e843 |
+ break;
|
|
|
36e843 |
+ default:
|
|
|
36e843 |
+ free(reply);
|
|
|
36e843 |
+ return PAM_CONV_ERR;
|
|
|
36e843 |
+ }
|
|
|
36e843 |
+ }
|
|
|
36e843 |
+ *response = reply;
|
|
|
36e843 |
+ return PAM_SUCCESS;
|
|
|
36e843 |
+}
|
|
|
36e843 |
+#endif
|
|
|
36e843 |
|
|
|
36e843 |
/* Return a hosting username if password matches, else NULL. */
|
|
|
36e843 |
static char *
|
|
|
36e843 |
@@ -5761,6 +5796,34 @@ error 0 %s: no such user\n", username);
|
|
|
36e843 |
if (*found_passwd)
|
|
|
36e843 |
{
|
|
|
36e843 |
/* user exists and has a password */
|
|
|
36e843 |
+#if PAM_SUPPORT
|
|
|
36e843 |
+ pam_handle_t *pamh = NULL;
|
|
|
36e843 |
+ struct pam_conv conv;
|
|
|
36e843 |
+ int retval;
|
|
|
36e843 |
+
|
|
|
36e843 |
+ conv.conv = silent_conv;
|
|
|
36e843 |
+ conv.appdata_ptr = password;
|
|
|
36e843 |
+
|
|
|
36e843 |
+ retval = pam_start("cvs", username, &conv, &pamh);
|
|
|
36e843 |
+
|
|
|
36e843 |
+ if (retval == PAM_SUCCESS)
|
|
|
36e843 |
+ retval = pam_authenticate(pamh, 0); /* is user really user? */
|
|
|
36e843 |
+
|
|
|
36e843 |
+ if (retval == PAM_SUCCESS)
|
|
|
36e843 |
+ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
|
|
|
36e843 |
+
|
|
|
36e843 |
+ /* This is where we have been authorized or not. */
|
|
|
36e843 |
+
|
|
|
36e843 |
+ if (retval == PAM_SUCCESS) {
|
|
|
36e843 |
+ host_user = xstrdup (username);
|
|
|
36e843 |
+ } else {
|
|
|
36e843 |
+ host_user = NULL;
|
|
|
36e843 |
+ }
|
|
|
36e843 |
+
|
|
|
36e843 |
+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
|
|
|
36e843 |
+ pamh = NULL;
|
|
|
36e843 |
+ }
|
|
|
36e843 |
+#else
|
|
|
36e843 |
if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
|
|
|
36e843 |
{
|
|
|
36e843 |
host_user = xstrdup (username);
|
|
|
36e843 |
@@ -5774,6 +5837,7 @@ error 0 %s: no such user\n", username);
|
|
|
36e843 |
crypt(password, found_passwd), found_passwd);
|
|
|
36e843 |
#endif
|
|
|
36e843 |
}
|
|
|
36e843 |
+#endif
|
|
|
36e843 |
goto handle_return;
|
|
|
36e843 |
}
|
|
|
36e843 |
|