Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 298364 Details for
Bug 437940
Adding ip auth to pam_mysql
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Patch to enable the extra functionality
pam_mysql_ip_column.patch (text/plain), 12.16 KB, created by
epablo
on 2008-03-18 10:49:57 UTC
(
hide
)
Description:
Patch to enable the extra functionality
Filename:
MIME Type:
Creator:
epablo
Created:
2008-03-18 10:49:57 UTC
Size:
12.16 KB
patch
obsolete
>--- pam_mysql-0.7RC1/pam_mysql.c 2006-01-09 11:35:59.000000000 +0100 >+++ pam_mysql-0.7RC1-p/pam_mysql.c 2008-03-18 10:02:43.000000000 +0100 >@@ -115,6 +115,14 @@ > #include <netdb.h> > #endif > >+#ifdef _RESOLV_H_ >+#include <resolv.h> >+#endif >+ >+#ifdef _ARPA_INET_H >+#include <arpa/inet.h> >+#endif >+ > #ifdef HAVE_CRYPT_H > #include <crypt.h> > #endif >@@ -189,7 +197,8 @@ > PAM_MYSQL_ERR_IO = 7, > PAM_MYSQL_ERR_SYNTAX = 8, > PAM_MYSQL_ERR_EOF = 9, >- PAM_MYSQL_ERR_NOTIMPL = 10 >+ PAM_MYSQL_ERR_NOTIMPL = 10, >+ PAM_MYSQL_ERR_SET_FAILED = 11 > }; > > enum _pam_mysql_config_token_t { >@@ -212,35 +221,36 @@ > /* {{{ typedefs */ > /* {{{ typedef struct pam_mysql_ctx_t */ > typedef struct _pam_mysql_ctx_t { >- MYSQL *mysql_hdl; >- char *host; >- char *where; >- char *db; >- char *user; >- char *passwd; >- char *table; >- char *update_table; >- char *usercolumn; >- char *passwdcolumn; >- char *statcolumn; >- int crypt_type; >- int use_323_passwd; >- int md5; >- int sqllog; >- int verbose; >- int use_first_pass; >- int try_first_pass; >- int disconnect_every_op; >- char *logtable; >- char *logmsgcolumn; >- char *logpidcolumn; >- char *logusercolumn; >- char *loghostcolumn; >- char *logrhostcolumn; >- char *logtimecolumn; >- char *config_file; >- char *my_host_info; >-} pam_mysql_ctx_t; /*Max length for most MySQL fields is 16 */ >+ MYSQL *mysql_hdl; >+ char *host; >+ char *where; >+ char *db; >+ char *user; >+ char *passwd; >+ char *table; >+ char *update_table; >+ char *usercolumn; >+ char *passwdcolumn; >+ char *statcolumn; >+ char *ipcolumn; //epablo >+ int crypt_type; >+ int use_323_passwd; >+ int md5; >+ int sqllog; >+ int verbose; >+ int use_first_pass; >+ int try_first_pass; >+ int disconnect_every_op; >+ char *logtable; >+ char *logmsgcolumn; >+ char *logpidcolumn; >+ char *logusercolumn; >+ char *loghostcolumn; >+ char *logrhostcolumn; >+ char *logtimecolumn; >+ char *config_file; >+ char *my_host_info; >+ } pam_mysql_ctx_t; /*Max length for most MySQL fields is 16 */ > /* }}} */ > > /* {{{ typedef enum pam_mysql_err_t */ >@@ -360,7 +370,7 @@ > static pam_mysql_err_t pam_mysql_open_db(pam_mysql_ctx_t *); > static void pam_mysql_close_db(pam_mysql_ctx_t *); > static pam_mysql_err_t pam_mysql_check_passwd(pam_mysql_ctx_t *ctx, >- const char *user, const char *passwd, int null_inhibited); >+ const char *user, const char *passwd, const char *rhost, int null_inhibited); > static pam_mysql_err_t pam_mysql_update_passwd(pam_mysql_ctx_t *, > const char *user, const char *new_passwd); > static pam_mysql_err_t pam_mysql_query_user_stat(pam_mysql_ctx_t *, >@@ -379,6 +389,9 @@ > static void xfree(void *ptr); > static void xfree_overwrite(char *ptr); > /* }}} */ >+static int name2ip(const char *name, struct in_addr *addr); >+ >+ > /* }}} */ > > /* {{{ strnncpy */ >@@ -466,6 +479,34 @@ > } > /* }}} */ > >+/* {{{ name2ip */ >+ >+static int name2ip(const char *name, struct in_addr *addr) >+{ >+ struct hostent *he; >+ >+ addr->s_addr = inet_addr(name); >+ if (addr->s_addr == INADDR_NONE) { >+ he = gethostbyname(name); >+ if (he != NULL) { >+ if (he->h_addrtype == AF_INET) { >+ bcopy(he->h_addr, &(addr->s_addr), 4 /* he->h_length */); >+ return 0; >+ } >+ else >+ return -2; >+ } >+ else >+ return -1; >+ } >+ else >+ return 0; >+} >+ >+ >+/* }}} */ >+ >+ > /* {{{ memspn */ > static void *memspn(void *buf, size_t buf_len, const unsigned char *delims, > size_t ndelims) >@@ -779,6 +820,7 @@ > PAM_MYSQL_DEF_OPTION(usercolumn, &pam_mysql_string_opt_accr), > PAM_MYSQL_DEF_OPTION(passwdcolumn, &pam_mysql_string_opt_accr), > PAM_MYSQL_DEF_OPTION(statcolumn, &pam_mysql_string_opt_accr), >+ PAM_MYSQL_DEF_OPTION(ipcolumn, &pam_mysql_string_opt_accr), // epablo > PAM_MYSQL_DEF_OPTION2(crypt, crypt_type, &pam_mysql_crypt_opt_accr), > PAM_MYSQL_DEF_OPTION(md5, &pam_mysql_boolean_opt_accr), > PAM_MYSQL_DEF_OPTION(sqllog, &pam_mysql_boolean_opt_accr), >@@ -1676,6 +1718,7 @@ > PAM_MYSQL_DEF_OPTION2(users.user_column, usercolumn, &pam_mysql_string_opt_accr), > PAM_MYSQL_DEF_OPTION2(users.password_column, passwdcolumn, &pam_mysql_string_opt_accr), > PAM_MYSQL_DEF_OPTION2(users.status_column, statcolumn, &pam_mysql_string_opt_accr), >+ PAM_MYSQL_DEF_OPTION2(users.ip_column, ipcolumn, &pam_mysql_string_opt_accr), // epablo > PAM_MYSQL_DEF_OPTION2(users.password_crypt, crypt_type, &pam_mysql_crypt_opt_accr), > PAM_MYSQL_DEF_OPTION2(users.use_md5, md5, &pam_mysql_boolean_opt_accr), > PAM_MYSQL_DEF_OPTION2(verbose, verbose, &pam_mysql_boolean_opt_accr), >@@ -1953,6 +1996,7 @@ > ctx->usercolumn = NULL; > ctx->passwdcolumn = NULL; > ctx->statcolumn = xstrdup("0"); >+ ctx->ipcolumn = NULL; //epablo > ctx->crypt_type = 0; > ctx->use_323_passwd = 0; > ctx->md5 = -1; >@@ -1970,7 +2014,6 @@ > ctx->logtimecolumn = NULL; > ctx->config_file = NULL; > ctx->my_host_info = NULL; >- > return PAM_MYSQL_ERR_SUCCESS; > } > /* }}} */ >@@ -2014,6 +2057,9 @@ > xfree(ctx->statcolumn); > ctx->statcolumn = NULL; > >+ xfree(ctx->ipcolumn); //epablo >+ ctx->passwdcolumn = NULL; >+ > xfree(ctx->logtable); > ctx->logtable = NULL; > >@@ -2040,6 +2086,7 @@ > > xfree(ctx->my_host_info); > ctx->my_host_info = NULL; >+ > } > /* }}} */ > >@@ -2557,14 +2604,14 @@ > /* {{{ pam_mysql_check_passwd > */ > static pam_mysql_err_t pam_mysql_check_passwd(pam_mysql_ctx_t *ctx, >- const char *user, const char *passwd, int null_inhibited) >+ const char *user, const char *passwd, const char *rhost, int null_inhibited) > { > pam_mysql_err_t err; > pam_mysql_str_t query; > MYSQL_RES *result = NULL; > MYSQL_ROW row; > int vresult; >- >+ > if (ctx->verbose) { > syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "pam_mysql_check_passwd() called."); > } >@@ -2577,13 +2624,25 @@ > if ((err = pam_mysql_str_init(&query, 1))) { > return err; > } >- >- err = pam_mysql_format_string(ctx, &query, >- (ctx->where == NULL ? >- "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s'": >- "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s' AND (%S)"), >- 1, user, ctx->where); >- >+ >+ if ( ctx->where != NULL && ctx->ipcolumn != NULL ) { >+ err = pam_mysql_format_string(ctx, &query, >+ "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s' and %[ipcolumn] = '%s' AND (%S)", >+ 1, user, rhost, ctx->where); >+ }else if ( ctx->where != NULL && ctx->ipcolumn == NULL ) { >+ err = pam_mysql_format_string(ctx, &query, >+ "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s' and (%S)", >+ 1, user, ctx->where); >+ }else if ( ctx->where == NULL && ctx->ipcolumn != NULL ) { >+ err = pam_mysql_format_string(ctx, &query, >+ "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s' and %[ipcolumn] = '%s'", >+ 1, user, rhost); >+ }else if ( ctx->where == NULL && ctx->ipcolumn == NULL ) { >+ err = pam_mysql_format_string(ctx, &query, >+ "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s'", >+ 1, user); >+ } >+ > if (err) { > goto out; > } >@@ -2729,6 +2788,134 @@ > } > /* }}} */ > >+/* {{{ pam_mysql_check_ip >+ */ >+static pam_mysql_err_t pam_mysql_check_ip(pam_mysql_ctx_t *ctx, >+ pam_handle_t * pamh, const char *username, const char *ip, >+ int null_inhibited) >+{ >+ pam_mysql_err_t err; >+ pam_mysql_str_t query; >+ MYSQL_RES *result = NULL; >+ MYSQL_ROW row; >+ int vresult = -1; >+ >+ if (ctx->verbose) { >+ syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "pam_mysql_check_ip() called."); >+ } >+ >+ if ((err = pam_mysql_str_init(&query, 1))) { >+ return err; >+ } >+ >+ /*Lets get the username from the query, based on the IP */ >+ >+ //Create the query string >+ err = pam_mysql_format_string(ctx, &query, >+ (ctx->where == NULL ? >+ "SELECT %[usercolumn] FROM %[table] WHERE %[ipcolumn] = INET_ATON('%s')": >+ "SELECT %[usercolumn] FROM %[table] WHERE %[ipcolumn] = INET_ATON('%s') AND (%S)"), >+ 1, ip, ctx->where); >+ >+ if (err) { >+ goto out; >+ } >+ >+ if (ctx->verbose) { >+ syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "%s", query.p); >+ } >+ >+#ifdef HAVE_MYSQL_REAL_QUERY >+ if (mysql_real_query(ctx->mysql_hdl, query.p, query.len)) { >+#else >+ if (mysql_query(ctx->mysql_hdl, query.p)) { >+#endif >+ err = PAM_MYSQL_ERR_DB; >+ goto out; >+ } >+ >+ if (NULL == (result = mysql_store_result(ctx->mysql_hdl))) { >+ err = PAM_MYSQL_ERR_DB; >+ goto out; >+ } >+ >+ // Check the number of results >+ switch (mysql_num_rows(result)) { >+ case 0: >+ syslog(LOG_AUTHPRIV | LOG_ERR, "%s", PAM_MYSQL_LOG_PREFIX "SELECT returned no result."); >+ err = PAM_MYSQL_ERR_NO_ENTRY; >+ goto out; >+ >+ case 1: >+ break; >+ >+ case 2: >+ syslog(LOG_AUTHPRIV | LOG_ERR, "%s", PAM_MYSQL_LOG_PREFIX "SELECT returned an indetermined result."); >+ err = PAM_MYSQL_ERR_UNKNOWN; >+ goto out; >+ } >+ >+ >+ /* It was only one so it's all ok*/ >+ >+ /* Grab the username from RESULT_SET. */ >+ if (NULL == (row = mysql_fetch_row(result))) { >+ err = PAM_MYSQL_ERR_DB; >+ goto out; >+ } >+ >+ /* Check and see if the query returned a username*/ >+ if (row[0] != NULL){ >+ >+ // I got one so copy it into the username variable >+ username = xstrdup(row[0]); >+ >+ // Export the variable to the PAM environment handle >+ err = pam_set_item(pamh, PAM_USER, username); >+ >+ if(err != PAM_SUCCESS){ >+ err = PAM_MYSQL_ERR_UNKNOWN; //If set_item fails, then fail the whole operation >+ goto out; >+ } >+ else >+ err = PAM_MYSQL_ERR_SUCCESS; //since it works, then set success >+ >+ err = pam_set_item(pamh, PAM_RUSER, username); >+ >+ if(err != PAM_SUCCESS){ >+ err = PAM_MYSQL_ERR_UNKNOWN; //If set_item fails, then fail the whole operation >+ goto out; >+ } >+ else >+ err = PAM_MYSQL_ERR_SUCCESS; //since it works, then set success >+ >+ >+ }else { // row[0] == NULL There was a problem with the DB >+ err = PAM_MYSQL_ERR_DB; >+ } >+ >+ >+out: >+ if (err == PAM_MYSQL_ERR_DB) { >+ syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "MySQL error(%s)", mysql_error(ctx->mysql_hdl)); >+ } >+ >+ if (result != NULL) { >+ mysql_free_result(result); >+ } >+ >+ pam_mysql_str_destroy(&query); >+ >+ if (ctx->verbose) { >+ syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "pam_mysql_check_ip() returning %i.", err); >+ } >+ >+ return err; >+} >+/* }}} pam_mysql_check_ip */ >+ >+ >+ > /* {{{ pam_mysql_saltify() > * Create a random salt for use with CRYPT() when changing passwords */ > static void pam_mysql_saltify(pam_mysql_ctx_t *ctx, char *salt, const char *salter) >@@ -3282,7 +3469,8 @@ > pam_mysql_ctx_t *ctx = NULL; > char **resps = NULL; > int passwd_is_local = 0; >- >+ struct in_addr addr; >+ > switch (pam_mysql_retrieve_ctx(&ctx, pamh)) { > case PAM_MYSQL_ERR_SUCCESS: > break; >@@ -3342,7 +3530,25 @@ > default: > rhost = NULL; > } >+ > >+ //Make sure the rhost is in dot notation >+ err = 0; >+ err = name2ip(rhost, &addr); >+ //the result is in addr->s_addr man inet_addr >+ if (!err) >+ rhost = xstrdup(inet_ntoa(addr)); >+ else{ >+ retval = PAM_USER_UNKNOWN; >+ goto out; >+ } >+ >+ >+ if (ctx->verbose) { >+ syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "pam_sm_authenticate() - checking with rhost %s called.", rhost); >+ } >+ >+ > if (ctx->use_first_pass || ctx->try_first_pass) { > retval = pam_get_item(pamh, PAM_AUTHTOK, > (PAM_GET_ITEM_CONST void **)&passwd); >@@ -3378,7 +3584,7 @@ > goto out; > } > >- err = pam_mysql_check_passwd(ctx, user, passwd, >+ err = pam_mysql_check_passwd(ctx, user, passwd, rhost, > !(flags & PAM_DISALLOW_NULL_AUTHTOK)); > > if (err == PAM_MYSQL_ERR_SUCCESS) { >@@ -3468,7 +3674,7 @@ > (void) pam_set_item(pamh, PAM_AUTHTOK, passwd); > } > >- err = pam_mysql_check_passwd(ctx, user, passwd, >+ err = pam_mysql_check_passwd(ctx, user, passwd, rhost, > !(flags & PAM_DISALLOW_NULL_AUTHTOK)); > > if (err == PAM_MYSQL_ERR_SUCCESS) { >@@ -3667,6 +3873,7 @@ > #ifdef DEBUG > syslog(LOG_INFO, "%s", PAM_MYSQL_LOG_PREFIX "setcred called but not implemented."); > #endif >+ > return PAM_SUCCESS; > } > /* }}} */ >@@ -3856,7 +4063,7 @@ > } > > if (old_passwd != NULL) { >- switch (pam_mysql_check_passwd(ctx, user, old_passwd, 0)) { >+ switch (pam_mysql_check_passwd(ctx, user, old_passwd, rhost, 0)) { > case PAM_MYSQL_ERR_SUCCESS: > retval = PAM_SUCCESS; > break; >@@ -3911,7 +4118,7 @@ > goto out; > } > >- switch (pam_mysql_check_passwd(ctx, user, old_passwd, 0)) { >+ switch (pam_mysql_check_passwd(ctx, user, old_passwd, rhost, 0)) { > case PAM_MYSQL_ERR_SUCCESS: > retval = PAM_SUCCESS; > break;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=298364">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 437940
: 298364