Commit 22c5ffde authored by Sergei Golubchik's avatar Sergei Golubchik

a simple pam user mapper module

parent 7ca49db5
...@@ -2,7 +2,7 @@ install plugin pam soname 'auth_pam.so'; ...@@ -2,7 +2,7 @@ install plugin pam soname 'auth_pam.so';
create user test_pam identified via pam using 'mariadb_mtr'; create user test_pam identified via pam using 'mariadb_mtr';
# #
# athentication is successful, challenge/pin are ok # athentication is successful, challenge/pin are ok
# note that current_user() differts from user() # note that current_user() differs from user()
# #
Challenge input first. Challenge input first.
Enter: not very secret challenge Enter: not very secret challenge
......
...@@ -29,7 +29,7 @@ EOF ...@@ -29,7 +29,7 @@ EOF
--echo # --echo #
--echo # athentication is successful, challenge/pin are ok --echo # athentication is successful, challenge/pin are ok
--echo # note that current_user() differts from user() --echo # note that current_user() differs from user()
--echo # --echo #
--exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt --exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt
......
/*
Pam module to change user names arbitrarily in the pam stack.
Compile as
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
Install as appropriate (for example, in /lib/security/).
Add to your /etc/pam.d/mysql (preferrably, at the end) this line:
=========================================================
auth required pam_user_map.so
=========================================================
And create /etc/security/user_map.conf with the desired mapping
in the format: orig_user_name: mapped_user_name
=========================================================
#comments and emty lines are ignored
john: jack
bob: admin
top: accounting
=========================================================
*/
#include <stdio.h>
#include <syslog.h>
#include <security/pam_modules.h>
#define FILENAME "/etc/security/user_map.conf"
#define skip(what) while (*s && (what)) s++
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
int pam_err, line= 0;
const char *username;
char buf[256];
FILE *f;
f= fopen(FILENAME, "r");
if (f == NULL)
{
pam_syslog(pamh, LOG_ERR, "Cannot open '%s'\n", FILENAME);
return PAM_SYSTEM_ERR;
}
pam_err = pam_get_item(pamh, PAM_USER, (const void**)&username);
if (pam_err != PAM_SUCCESS)
goto ret;
while (fgets(buf, sizeof(buf), f) != NULL)
{
char *s= buf, *from, *to, *end_from, *end_to;
line++;
skip(isspace(*s));
if (*s == '#' || *s == 0) continue;
from= s;
skip(isalnum(*s) || (*s == '_'));
end_from= s;
skip(isspace(*s));
if (end_from == from || *s++ != ':') goto syntax_error;
skip(isspace(*s));
to= s;
skip(isalnum(*s) || (*s == '_'));
end_to= s;
if (end_to == to) goto syntax_error;
*end_from= *end_to= 0;
if (strcmp(username, from) == 0)
{
pam_err= pam_set_item(pamh, PAM_USER, to);
goto ret;
}
}
pam_err= PAM_SUCCESS;
goto ret;
syntax_error:
pam_syslog(pamh, LOG_ERR, "Syntax error at %s:%d", FILENAME, line);
pam_err= PAM_SYSTEM_ERR;
ret:
fclose(f);
return pam_err;
}
int pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
return PAM_SUCCESS;
}
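Review bot: pam_sm_authenticate dereferences `username` in `strcmp(username, from)` without checking it, and pam_get_item(PAM_USER) can return PAM_SUCCESS with a NULL item when no user has been established yet, so a stack that reaches this module before PAM_USER is set crashes the calling process; after the pam_get_item check add `if (username == NULL) { pam_err= PAM_USER_UNKNOWN; goto ret; }`. The same function calls isspace, isalnum and strcmp, but the file only includes stdio.h, syslog.h and pam_modules.h, so `<ctype.h>` and `<string.h>` are missing (implicit declarations), and pam_syslog is declared in `<security/pam_ext.h>`; since `buf` is plain `char`, the ctype calls should also receive `(unsigned char)*s` so that bytes above 127 in the config file are not undefined behaviour. A line longer than 255 bytes is split by fgets into two records and the tail is parsed as a fresh entry, which is worth a comment on `buf[256]` or an explicit check that the read line ends with '\n'. Minor: the header comment has "preferrably" and "emty".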
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
Create /etc/pam.d/mariadb_mtr with Create /etc/pam.d/mariadb_mtr with
========================================================= =========================================================
auth required pam_mariadb_mtr.so pam_test auth required pam_mariadb_mtr.so pam_test
account required pam_mariadb_mtr.so account required pam_permit.so
========================================================= =========================================================
*/ */
...@@ -21,8 +21,7 @@ account required pam_mariadb_mtr.so ...@@ -21,8 +21,7 @@ account required pam_mariadb_mtr.so
#define N 3 #define N 3
PAM_EXTERN int int pam_sm_authenticate(pam_handle_t *pamh, int flags,
pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char *argv[]) int argc, const char *argv[])
{ {
struct pam_conv *conv; struct pam_conv *conv;
...@@ -69,16 +68,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, ...@@ -69,16 +68,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
return retval; return retval;
} }
PAM_EXTERN int int pam_sm_setcred(pam_handle_t *pamh, int flags,
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
return PAM_SUCCESS;
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc, const char *argv[]) int argc, const char *argv[])
{ {
......