Some more patches. 

        1) I found the cause of a problem with gdm segfaulting. 

        2) Also - I tested/fixedsome variations that give more flexibility in the PAM 
module.
        gdm, now, allows you to use any of the three variations:
                TOKEN/PIN only
                TOKEN/PIN + Password
                If Token/Reader is missing, ask for password. Otherwise, use Token/PIN


        3) There was also a small bug in the makefile, where "make install" didn't 
recompile.
        4) Minor spelling errors



diff -ru MusclePAM.old/Makefile MusclePAM/Makefile
--- MusclePAM.old/Makefile      2004-10-04 13:33:31.000000000 -0400
+++ MusclePAM/Makefile  2004-10-07 09:50:50.000000000 -0400
@@ -20,7 +20,7 @@
 test:
        $(CC) -o testpam testpam.c $(OBJ) $(LIBS)
 
-install:
+install: pam_musclecard.so
        install --directory $(DESTDIR)/lib/security/
        install --mode=755 pam_musclecard.so $(DESTDIR)/lib/security/
        install --directory $(DESTDIR)/etc/musclepam
diff -ru MusclePAM.old/pam_smartcard.c MusclePAM/pam_smartcard.c
--- MusclePAM.old/pam_smartcard.c       2004-10-04 14:23:56.000000000 -0400
+++ MusclePAM/pam_smartcard.c   2004-10-07 10:39:16.000000000 -0400
@@ -214,7 +214,7 @@
   rv = checkCert(rootCert);
 
   if (rv == -1) {
-    syslog(LOG_ERR, "root certificate expiret or recoked");
+    syslog(LOG_ERR, "root certificate expired or revoked");
     pcsc_release(&pConnection);
     pam_release_data(sd);
     return PAM_AUTHINFO_UNAVAIL;
@@ -259,9 +259,11 @@
   unsigned char homeFile[200];
   /* tries to get a public key information from the user's public key certificate */
 
-  /* Is userpath defined? If so, use it as a way to find someone's
-   home directory. I'm using this because the existence of the
-   specified file overrides the end user's default certificate */
+  /* Is userpath defined? If so, use it as a way to 'find' someone's
+   home directory (ignoring the value in the password file). 
+   I'm using this because the existence of the
+   specified file overrides the end user's default certificate in their 
+   home directory  - so userpath is defined for debugging only */
  
   if (strlen(pr.userpath)>0) {
        snprintf(homeFile, 200, "%s%s/.muscle/%s", pr.userpath, sd->user, 
pr.certname);  
@@ -324,7 +326,7 @@
   int try_first_pass, use_first_pass;
   unsigned char error[150];
   //unsigned char nameBuf[100];
-  X509 *userCert;
+  X509 *userCert = 0;
   EVP_PKEY *pubkey;
 
   reader = 0;
@@ -349,7 +351,16 @@
   if (rv != MSC_SUCCESS) {
     syslog(LOG_ERR, "musclecard error during pcsc_init: %s", msc_error(rv));
     pam_release_data(sd);
+    /* if we return PAM_AUTHINFO_UNAVAIL, then we cannot use pam "auth
+       sufficient" That is, if the token is unavailable, will you
+       allow a password to be used. If we return PAM_AUTHINFO_UNAVAIL,
+       we cannot fall back on a password. Therefore, return PAM_ERR,
+       allowing password to be sufficient.
+
     return PAM_AUTHINFO_UNAVAIL;
+    */
+    result = PAM_AUTH_ERR; 
+
   }
 
   if (pr.debug) printf("Welcome to pam_musclecard.so verification Module\n");
@@ -588,8 +599,9 @@
   
 
   /* Release certificates */
-  X509_free(userCert);
-
+  if (!userCert) {
+    X509_free(userCert);
+  }
   /* release pcsc */
   pcsc_release(&pConnection);
 
diff -ru MusclePAM.old/README MusclePAM/README
--- MusclePAM.old/README        2004-10-04 15:02:36.000000000 -0400
+++ MusclePAM/README    2004-10-07 09:50:50.000000000 -0400
@@ -134,42 +134,47 @@
 The modifications to the /etc/pam.d/* files only change the auth
 values (lines whose first column is "auth")
 
-Gdm requires both a password and a PIN value.
-xscreeensaver only requires a PIN value, but asks for a password.
-This seems to be a bug in xscreensaver.
+Gdm can be configured in several ways.
 
+Variation #1: If the reader is present, and the token inserted
+               only ask for the PIN, and not the password
+               If the reader or token is not present, ask for the password
+------------
+auth       sufficient  pam_musclecard.so service=system-auth debug
+auth       required    pam_stack.so service=system-auth
+-------------
 
-::::::::::::::
-gdm-autologin
-::::::::::::::
-#%PAM-1.0
-auth       required    pam_env.so
-auth       required    pam_musclecard.so service=system-auth
+Variation #2: Only use the smartcard, never the password
+------------
+auth       required    pam_musclecard.so service=system-auth debug
+#auth       required   pam_stack.so service=system-auth
+-------------
+ 
+
+Variation #3: Require a password (first) and a pin (second)
+------------
+auth       required    pam_stack.so service=system-auth
+auth       required    pam_musclecard.so service=system-auth debug
+-------------
+
+Note that you can optionally allow root to log in without a smartcard by adding
+------------
 auth       required    pam_nologin.so
-auth       required    pam_permit.so
-account    required    pam_stack.so service=system-auth
-password   required    pam_stack.so service=system-auth
-session    required    pam_stack.so service=system-auth
-session    optional     pam_console.so
-::::::::::::::
-gdmsetup
-::::::::::::::
-#%PAM-1.0
-auth       sufficient   pam_rootok.so
-auth       sufficient   pam_timestamp.so
-auth       required     pam_stack.so service=system-auth
-auth       required     pam_musclecard.so service=system-auth debug
-session    required     pam_permit.so
-session    optional     pam_xauth.so
-session    optional     pam_timestamp.so
-account    required     pam_permit.so
+------------
+
+xscreeensaver only requires a PIN value, but prompts for a password.
+This seems to be a bug in xscreensaver.
+
+
 ::::::::::::::
 gdm
 ::::::::::::::
 #%PAM-1.0
 auth       required    pam_env.so
-#auth       required   pam_stack.so service=system-auth
+# If the next line is sufficient, no password is needed if a token is present
 auth       required    pam_musclecard.so service=system-auth debug
+# If this next line is commented out, then users don't need a password
+#auth       required   pam_stack.so service=system-auth
 # If you are sure, you may want to remove the next line
 # It allows root to log in without a smartcard
 auth       required    pam_nologin.so


_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle

Reply via email to