Commit 22c5ffde authored by Sergei Golubchik's avatar Sergei Golubchik

a simple pam user mapper module

parent 7ca49db5
......@@ -2,7 +2,7 @@ install plugin pam soname 'auth_pam.so';
create user test_pam identified via pam using 'mariadb_mtr';
#
# athentication is successful, challenge/pin are ok
# note that current_user() differts from user()
# note that current_user() differs from user()
#
Challenge input first.
Enter: not very secret challenge
......
......@@ -29,7 +29,7 @@ EOF
--echo #
--echo # athentication is successful, challenge/pin are ok
--echo # note that current_user() differts from user()
--echo # note that current_user() differs from user()
--echo #
--exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt
......
/*
Pam module to change user names arbitrarily in the pam stack.
Compile as
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
Install as appropriate (for example, in /lib/security/).
Add to your /etc/pam.d/mysql (preferrably, at the end) this line:
=========================================================
auth required pam_user_map.so
=========================================================
And create /etc/security/user_map.conf with the desired mapping
in the format: orig_user_name: mapped_user_name
=========================================================
#comments and emty lines are ignored
john: jack
bob: admin
top: accounting
=========================================================
*/
#include <stdio.h>
#include <syslog.h>
#include <security/pam_modules.h>
#define FILENAME "/etc/security/user_map.conf"
#define skip(what) while (*s && (what)) s++
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
int pam_err, line= 0;
const char *username;
char buf[256];
FILE *f;
f= fopen(FILENAME, "r");
if (f == NULL)
{
pam_syslog(pamh, LOG_ERR, "Cannot open '%s'\n", FILENAME);
return PAM_SYSTEM_ERR;
}
pam_err = pam_get_item(pamh, PAM_USER, (const void**)&username);
if (pam_err != PAM_SUCCESS)
goto ret;
while (fgets(buf, sizeof(buf), f) != NULL)
{
char *s= buf, *from, *to, *end_from, *end_to;
line++;
skip(isspace(*s));
if (*s == '#' || *s == 0) continue;
from= s;
skip(isalnum(*s) || (*s == '_'));
end_from= s;
skip(isspace(*s));
if (end_from == from || *s++ != ':') goto syntax_error;
skip(isspace(*s));
to= s;
skip(isalnum(*s) || (*s == '_'));
end_to= s;
if (end_to == to) goto syntax_error;
*end_from= *end_to= 0;
if (strcmp(username, from) == 0)
{
pam_err= pam_set_item(pamh, PAM_USER, to);
goto ret;
}
}
pam_err= PAM_SUCCESS;
goto ret;
syntax_error:
pam_syslog(pamh, LOG_ERR, "Syntax error at %s:%d", FILENAME, line);
pam_err= PAM_SYSTEM_ERR;
ret:
fclose(f);
return pam_err;
}
int pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
return PAM_SUCCESS;
}
......@@ -10,7 +10,7 @@
Create /etc/pam.d/mariadb_mtr with
=========================================================
auth required pam_mariadb_mtr.so pam_test
account required pam_mariadb_mtr.so
account required pam_permit.so
=========================================================
*/
......@@ -21,9 +21,8 @@ account required pam_mariadb_mtr.so
#define N 3
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
struct pam_conv *conv;
struct pam_response *resp = 0;
......@@ -69,17 +68,8 @@ ret:
return retval;
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
return PAM_SUCCESS;
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
int pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
return PAM_SUCCESS;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment