[PATCH] template_user for pam_radius_auth.so
After much googling, I was unable to find a solution for Linux like BSD has for it's PAM-Radius module for specifying a system username to use upon a successful authentication. Included is my attempt at adding the "template_user" functionality from the BSD version of to pam_radius_auth. Here's what I've used in my /etc/pam.conf file: login auth required /lib/security/pam_radius_auth.so template_user=myname I haven't been able to do much testing with it yet (as I'm currently involved in other PAM integration efforts), but would definitely appreciate any feedback on this. I'm still rather new to Linux hacking, so all (positive) criticism is most welcomed. Thanks! -Thaddeus diff -Naur pam_radius-1.3.16/pam_radius_auth.c pam_radius-1.3.16-patched/pam_radius_auth.c --- pam_radius-1.3.16/pam_radius_auth.c 2003-02-27 18:01:07.000000000 +0000 +++ pam_radius-1.3.16-patched/pam_radius_auth.c 2006-09-28 19:16:42.000000000 +0000 @@ -67,7 +67,7 @@ /* internal data */ static CONST char *pam_module_name = "pam_radius_auth"; static char conf_file[BUFFER_SIZE]; /* configuration file */ - +static char template_user[BUFFER_SIZE]; /* we need to save these from open_session to close_session, since * when close_session will be called we won't be root anymore and * won't be able to access again the radius server configuration file @@ -137,7 +137,11 @@ } else if (!strcmp(*argv, "debug")) { ctrl |= PAM_DEBUG_ARG; conf->debug = 1; - + + } else if (!strncmp(*argv, "template_user=", 14)) { + ctrl |= PAM_TEMPLATE_USER; + strcpy(template_user, (*argv)+14); + } else { _pam_log(LOG_WARNING, "unrecognized option '%s'", *argv); } @@ -1223,6 +1227,8 @@ *pret = retval; pam_set_data( pamh, "rad_setcred_return", (void *) pret, _int_free ); } + if(retval == PAM_SUCCESS && (ctrl & PAM_TEMPLATE_USER)) + pam_set_item(pamh, PAM_USER, template_user); return retval; } diff -Naur pam_radius-1.3.16/pam_radius_auth.h pam_radius-1.3.16-patched/pam_radius_auth.h --- pam_radius-1.3.16/pam_radius_auth.h 2003-09-19 14:41:32.000000000 +0000 +++ pam_radius-1.3.16-patched/pam_radius_auth.h 2006-09-28 19:14:02.000000000 +0000 @@ -82,6 +82,7 @@ #define PAM_SKIP_PASSWD 2 #define PAM_USE_FIRST_PASS 4 #define PAM_TRY_FIRST_PASS 8 +#define PAM_TEMPLATE_USER 16 #define PAM_RETRY 0x30
On September 29, 2006 4:20:31 PM -0500 Thaddeus Ternes <tternes@gmail.com> wrote:
After much googling, I was unable to find a solution for Linux like BSD has for it's PAM-Radius module for specifying a system username to use upon a successful authentication.
Included is my attempt at adding the "template_user" functionality from the BSD version of to pam_radius_auth. Here's what I've used in my /etc/pam.conf file:
login auth required /lib/security/pam_radius_auth.so template_user=myname
I haven't been able to do much testing with it yet (as I'm currently involved in other PAM integration efforts), but would definitely appreciate any feedback on this. I'm still rather new to Linux hacking, so all (positive) criticism is most welcomed.
I thought no Linux applications (including openssh) supported changing of the username. You simply copy the argument into the buffer without doing any kind of bounds check. Because the current code does so is no reason to continue with this madness. At least use strncpy()! This won't work for applications that do multiple pam auths without fork/exec. Each pam auth will have the user pointing to the same memory location, which might be overwritten. So, you need to dynamically allocate the space, which will fix your buffer overflow problem at the same time. -frank
participants (2)
-
Frank Cusack -
Thaddeus Ternes