From: Steve Hill <steve@opendium.com>
Date: Sun, 17 Mar 2013 23:40:08 +0000 (-0600)
Subject: basic_pam_auth: Add -r option to strip NTLM/Negotiate domain from username
X-Git-Tag: SQUID_3_4_0_1~234
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8219a52ef2077f0c96ed5f4adb3426e37d94dfb5;p=thirdparty%2Fsquid.git

basic_pam_auth: Add -r option to strip NTLM/Negotiate domain from username

This option helps reduce end-user confusion accessing Squid using Basic
auth PAM helper as a backup to NTLM and/or Negotiate authentication.

The user can enter their NTLM/Negotiate user+domain details in the popup
which may occur without needing to know which auth scheme is in play.
---

diff --git a/helpers/basic_auth/PAM/basic_pam_auth.cc b/helpers/basic_auth/PAM/basic_pam_auth.cc
index f48cacac60..86fe23eb71 100644
--- a/helpers/basic_auth/PAM/basic_pam_auth.cc
+++ b/helpers/basic_auth/PAM/basic_pam_auth.cc
@@ -158,6 +158,7 @@ static void usage(char *program)
     fprintf(stderr, "           to authenticate all users\n");
     fprintf(stderr, " -o        Do not perform account mgmt (account expiration etc)\n");
     fprintf(stderr, " -1        Only one user authentication per PAM connection\n");
+    fprintf(stderr, " -r        Detect and remove Negotiate/NTLM realm from username\n");
 }
 
 int
@@ -172,12 +173,13 @@ main(int argc, char *argv[])
     int ttl = DEFAULT_SQUID_PAM_TTL;
     const char *service = DEFAULT_SQUID_PAM_SERVICE;
     int no_acct_mgmt = 0;
+    int no_realm = 0;
 
     /* make standard output line buffered */
     setvbuf(stdout, NULL, _IOLBF, 0);
 
     while (1) {
-        int ch = getopt(argc, argv, "1n:t:o");
+        int ch = getopt(argc, argv, "1n:t:or");
         switch (ch) {
         case -1:
             goto start;
@@ -193,6 +195,9 @@ main(int argc, char *argv[])
         case 'o':
             no_acct_mgmt = 1;
             break;
+        case 'r':
+            no_realm = 1;
+            break;
         default:
             fprintf(stderr, "FATAL: Unknown getopt value '%c'\n", ch);
             usage(argv[0]);
@@ -225,6 +230,18 @@ start:
         rfc1738_unescape(password_buf);
         conv.appdata_ptr = (char *) password_buf;	/* from buf above. not allocated */
 
+        if (no_realm) {
+            /* Remove DOMAIN\.. and ...@domain from the user name in case the user
+             * thought this was an NTLM or Negotiate authentication popup box
+             */
+            char * user_ptr = strchr(user, '@');
+            if (user_ptr) *user_ptr = 0;
+            else {
+                user_ptr = strchr(user, '\\');
+                if (user_ptr) user = user_ptr + 1;
+            }
+        }
+
 #if _SQUID_SOLARIS_
         /* Workaround for Solaris 2.6 where the PAM library is broken
          * and does not pass appdata_ptr to the conversation routine