From 2900aadba46b0794b71a25b87153292c5cd8247a Mon Sep 17 00:00:00 2001
From: hno <>
Date: Wed, 5 Nov 2003 16:37:42 +0000
Subject: [PATCH] Disable the use of persistent PAM connections by default as this is somewhat outside of the PAM specifications. Add support for clearing the new PAM_AUTHTOK attribute when using persistent PAM connections. Changelog update
---
 helpers/basic_auth/PAM/pam_auth.8 | 18 +++++++-----------
 helpers/basic_auth/PAM/pam_auth.c | 28 ++++++++++++++++++++++------
 2 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/helpers/basic_auth/PAM/pam_auth.8 b/helpers/basic_auth/PAM/pam_auth.8
index 2d8ef4ae17..5f9daa7b20 100644
--- a/helpers/basic_auth/PAM/pam_auth.8
+++ b/helpers/basic_auth/PAM/pam_auth.8
@@ -1,4 +1,4 @@
-.TH pam_auth 8 "15 May 2002" "Squid PAM Auth"
+.TH pam_auth 8 "5 Sep 2003" "Squid PAM Auth"
 .
 .SH NAME
 pam_auth - Squid PAM authentication helper
@@ -17,22 +17,18 @@ Specifies the PAM service name Squid uses, defaults to "squid"
 .
 .TP
 .BI "-t " TTL
-Unless the -1 option is used, this specified for how long
-the connection to the PAM database should be kept open and
-reused for new logins. Defaults to 60 seconds.
+Enables persistent PAM connections where the connection to the PAM
+database is kept open and reused for new logins. The TTL specifies
+how long the connetion will be kept open (in seconds). Default is
+to not keep PAM connections open. Please note that the use of
+persistent PAM connections is slightly outside the PAM
+specification and may not work with all PAM configurations.
 .
 .TP
 .BI "-o"
 Do not perform the PAM account management group (account expiration etc)
-.TP
-.BI "-1"
-Specifies "One shot" mode, where a new PAM connection will
-be opened for each new user. This is how PAM is normally
-used and may be required by some backend databases.
-The default is to reuse the PAM connection to maximize
-performance. (see -t above)
 .
 .SH CONFIGURATION
 .
diff --git a/helpers/basic_auth/PAM/pam_auth.c b/helpers/basic_auth/PAM/pam_auth.c
index 144f2018b1..92c9326093 100644
--- a/helpers/basic_auth/PAM/pam_auth.c
+++ b/helpers/basic_auth/PAM/pam_auth.c
@@ -1,8 +1,8 @@
 /*
- * $Id: pam_auth.c,v 1.12 2003/01/23 00:35:35 robertc Exp $
+ * $Id: pam_auth.c,v 1.13 2003/11/05 09:37:43 hno Exp $
 *
 * PAM authenticator module for Squid.
- * Copyright (C) 1999,2002 Henrik Nordstrom
+ * Copyright (C) 1999,2002,2003 Henrik Nordstrom
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -37,6 +37,15 @@
 *
 * Change Log:
 *
+ * Version 2.2, 2003-11-05
+ * One shot mode is now the default mode of operation
+ * with persistent PAM connections enabled by -t option.
+ * Support for clearing the PAM_AUTHTOK attribute on
+ * persistent PAM connections.
+ *
+ * Version 2.1, 2002-08-12
+ * Squid-2.5 support (URL encoded login, password strings)
+ *
 * Version 2.0, 2002-01-07
 * One shot mode, command line options
 * man page
@@ -76,7 +85,7 @@
 /* The default TTL */
 #ifndef DEFAULT_SQUID_PAM_TTL
-#define DEFAULT_SQUID_PAM_TTL 60
+#define DEFAULT_SQUID_PAM_TTL 0
 #endif
 static char *password = NULL; /* Workaround for Solaris 2.6 brokenness */
@@ -221,12 +230,11 @@ start:
 }
 pamh_created = time(NULL);
 }
+ /* Authentication */
 retval = PAM_SUCCESS;
 if (ttl != 0) {
 if (retval == PAM_SUCCESS)
 retval = pam_set_item(pamh, PAM_USER, user);
- if (retval == PAM_SUCCESS)
- retval = pam_set_item(pamh, PAM_CONV, &conv);
 }
 if (retval == PAM_SUCCESS)
 retval = pam_authenticate(pamh, 0);
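Review bot: In the persistent (`ttl != 0`) branch of the last hunk, `if (retval == PAM_SUCCESS)` directly follows `retval = PAM_SUCCESS;` and, with the PAM_CONV call below it removed, no longer guards anything; `retval = pam_set_item(pamh, PAM_USER, user);` on its own says the same thing. A comment is warranted here as well, because a reused handle now enters `pam_authenticate()` with only PAM_USER refreshed and depends on the cleanup block later in the same function having restored PAM_CONV and cleared the previous login's PAM_AUTHTOK, e.g. `/* reused handle: PAM_CONV and PAM_AUTHTOK were reset by the cleanup after the previous login; only PAM_USER changes here */`. The enclosing function body starts before this hunk and continues after it, so the first-use path through `pam_start()` cannot be checked from here.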
@@ -238,7 +246,15 @@ start:
 error:
 fprintf(stdout, "ERR\n");
 }
- if (ttl == 0) {
+ /* cleanup */
+ if (ttl != 0) {
+ retval = pam_set_item(pamh, PAM_CONV, &conv);
+#ifdef PAM_AUTHTOK
+ if (retval == PAM_SUCCESS)
+ retval = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+#endif
+ }
+ if (ttl == 0 || retval != PAM_SUCCESS) {
 retval = pam_end(pamh, retval);
 if (retval != PAM_SUCCESS) {
 fprintf(stderr, "WARNING: failed to release PAM authenticator\n");
-- 
2.47.2
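Review bot: The PAM_AUTHTOK reset is dropped silently by the preprocessor when `PAM_AUTHTOK` is not a macro on the target libpam (an enum-based header, for instance), and a persistent handle then carries the previous login's token into the next `pam_authenticate()`, which is the exposure this commit sets out to close; an `#else` branch should at least say so, e.g. `/* no PAM_AUTHTOK on this libpam: the previous token stays in pamh between logins, so -t is not safe here */`, or better, refuse `-t` at startup (option parsing is outside this hunk). `retval = pam_set_item(pamh, PAM_CONV, &conv);` also overwrites the outcome of the authentication just performed, so in persistent mode the auth result is gone before `pam_end()` and a set_item failure on a reused handle surfaces only as the generic "failed to release" warning; keeping the auth result in its own variable and passing that to `pam_end()` preserves the status PAM modules expect to see there. Note too that `pam_set_item(..., NULL)` only drops the handle's copy: whether libpam wipes the old token before freeing it is implementation-specific, and the helper's own `password` buffer (declared earlier in the file) is untouched by this cleanup. The enclosing function continues past the hunk, so whether `pamh` is reset after `pam_end()` cannot be confirmed here.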