Some more patches.
1) I found the cause of a problem with gdm segfaulting.
2) Also - I tested/fixedsome variations that give more flexibility in the PAM
module.
gdm, now, allows you to use any of the three variations:
TOKEN/PIN only
TOKEN/PIN + Password
If Token/Reader is missing, ask for password. Otherwise, use Token/PIN
3) There was also a small bug in the makefile, where "make install" didn't
recompile.
4) Minor spelling errors
diff -ru MusclePAM.old/Makefile MusclePAM/Makefile
--- MusclePAM.old/Makefile 2004-10-04 13:33:31.000000000 -0400
+++ MusclePAM/Makefile 2004-10-07 09:50:50.000000000 -0400
@@ -20,7 +20,7 @@
test:
$(CC) -o testpam testpam.c $(OBJ) $(LIBS)
-install:
+install: pam_musclecard.so
install --directory $(DESTDIR)/lib/security/
install --mode=755 pam_musclecard.so $(DESTDIR)/lib/security/
install --directory $(DESTDIR)/etc/musclepam
diff -ru MusclePAM.old/pam_smartcard.c MusclePAM/pam_smartcard.c
--- MusclePAM.old/pam_smartcard.c 2004-10-04 14:23:56.000000000 -0400
+++ MusclePAM/pam_smartcard.c 2004-10-07 10:39:16.000000000 -0400
@@ -214,7 +214,7 @@
rv = checkCert(rootCert);
if (rv == -1) {
- syslog(LOG_ERR, "root certificate expiret or recoked");
+ syslog(LOG_ERR, "root certificate expired or revoked");
pcsc_release(&pConnection);
pam_release_data(sd);
return PAM_AUTHINFO_UNAVAIL;
@@ -259,9 +259,11 @@
unsigned char homeFile[200];
/* tries to get a public key information from the user's public key certificate */
- /* Is userpath defined? If so, use it as a way to find someone's
- home directory. I'm using this because the existence of the
- specified file overrides the end user's default certificate */
+ /* Is userpath defined? If so, use it as a way to 'find' someone's
+ home directory (ignoring the value in the password file).
+ I'm using this because the existence of the
+ specified file overrides the end user's default certificate in their
+ home directory - so userpath is defined for debugging only */
if (strlen(pr.userpath)>0) {
snprintf(homeFile, 200, "%s%s/.muscle/%s", pr.userpath, sd->user,
pr.certname);
@@ -324,7 +326,7 @@
int try_first_pass, use_first_pass;
unsigned char error[150];
//unsigned char nameBuf[100];
- X509 *userCert;
+ X509 *userCert = 0;
EVP_PKEY *pubkey;
reader = 0;
@@ -349,7 +351,16 @@
if (rv != MSC_SUCCESS) {
syslog(LOG_ERR, "musclecard error during pcsc_init: %s", msc_error(rv));
pam_release_data(sd);
+ /* if we return PAM_AUTHINFO_UNAVAIL, then we cannot use pam "auth
+ sufficient" That is, if the token is unavailable, will you
+ allow a password to be used. If we return PAM_AUTHINFO_UNAVAIL,
+ we cannot fall back on a password. Therefore, return PAM_ERR,
+ allowing password to be sufficient.
+
return PAM_AUTHINFO_UNAVAIL;
+ */
+ result = PAM_AUTH_ERR;
+
}
if (pr.debug) printf("Welcome to pam_musclecard.so verification Module\n");
@@ -588,8 +599,9 @@
/* Release certificates */
- X509_free(userCert);
-
+ if (!userCert) {
+ X509_free(userCert);
+ }
/* release pcsc */
pcsc_release(&pConnection);
diff -ru MusclePAM.old/README MusclePAM/README
--- MusclePAM.old/README 2004-10-04 15:02:36.000000000 -0400
+++ MusclePAM/README 2004-10-07 09:50:50.000000000 -0400
@@ -134,42 +134,47 @@
The modifications to the /etc/pam.d/* files only change the auth
values (lines whose first column is "auth")
-Gdm requires both a password and a PIN value.
-xscreeensaver only requires a PIN value, but asks for a password.
-This seems to be a bug in xscreensaver.
+Gdm can be configured in several ways.
+Variation #1: If the reader is present, and the token inserted
+ only ask for the PIN, and not the password
+ If the reader or token is not present, ask for the password
+------------
+auth sufficient pam_musclecard.so service=system-auth debug
+auth required pam_stack.so service=system-auth
+-------------
-::::::::::::::
-gdm-autologin
-::::::::::::::
-#%PAM-1.0
-auth required pam_env.so
-auth required pam_musclecard.so service=system-auth
+Variation #2: Only use the smartcard, never the password
+------------
+auth required pam_musclecard.so service=system-auth debug
+#auth required pam_stack.so service=system-auth
+-------------
+
+
+Variation #3: Require a password (first) and a pin (second)
+------------
+auth required pam_stack.so service=system-auth
+auth required pam_musclecard.so service=system-auth debug
+-------------
+
+Note that you can optionally allow root to log in without a smartcard by adding
+------------
auth required pam_nologin.so
-auth required pam_permit.so
-account required pam_stack.so service=system-auth
-password required pam_stack.so service=system-auth
-session required pam_stack.so service=system-auth
-session optional pam_console.so
-::::::::::::::
-gdmsetup
-::::::::::::::
-#%PAM-1.0
-auth sufficient pam_rootok.so
-auth sufficient pam_timestamp.so
-auth required pam_stack.so service=system-auth
-auth required pam_musclecard.so service=system-auth debug
-session required pam_permit.so
-session optional pam_xauth.so
-session optional pam_timestamp.so
-account required pam_permit.so
+------------
+
+xscreeensaver only requires a PIN value, but prompts for a password.
+This seems to be a bug in xscreensaver.
+
+
::::::::::::::
gdm
::::::::::::::
#%PAM-1.0
auth required pam_env.so
-#auth required pam_stack.so service=system-auth
+# If the next line is sufficient, no password is needed if a token is present
auth required pam_musclecard.so service=system-auth debug
+# If this next line is commented out, then users don't need a password
+#auth required pam_stack.so service=system-auth
# If you are sure, you may want to remove the next line
# It allows root to log in without a smartcard
auth required pam_nologin.so
_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle