PAM CAS Autor: Juan C. Sánchez-DelBarrio <[email protected]> PAM CAS ....................................................................................................................................................... 1 Instalación y configuración ....................................................................................................................... 1 cas-bsc.patch ............................................................................................................................................ 2 INSTALACIÓN Y CONFIGURACIÓN A modo de ejemplo se mostrará el uso del PAM CAS con el Webmail. Para crear el módulo de PAM que nos permite hacer autenticación vía proxy se ha de hacer: 1. 2. 3. 4. Bajar la última versión de PAM CAS. Los requisitos de compilación son que estén instalados pam-devel y openssl-devel. Extraer el contenido y aplicar el parche cas-bsc.patch. Este parche nos permite extraer el nombre del usuario del dominio al que se registra. Acceder al directorio y ejecutar: node$ node$ node$ node$ node# node# 5. cd sources cp Makefile.Redhat Makefile make make test cp pam_cas.so /lib64/security/ chmod 644 /lib64/security/pam_cas.so Crear el fichero /etc/pam_cas.conf: # host from CAS server. mandatory host www.bsc.es # port from CAS server. Default to 80 or 443, depends from ssl instruction port 443 # uri to validate ticket. Default to /proxyValidate uriValidate /cas/proxyValidate # https or no. values on or off. Default to on. ssl on # debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off debug on # proxy or proxies who deliver Proxy Ticket. # If no proxy, pam_cas doesn't control it # It may be several proxy instructions #proxy https://imp.its.yale.edu/cas/casProxy.php #proxy https://uportal1.its.yale.edu/CasProxyServlet #proxy https://uportal2.its.yale.edu/CasProxyServlet # # # # # trusted_ca. mandatory if ssl on. It a file in pem format. 
It can contents several certificates If the CAS server certificate is auto-signed, the file must content the certificate If the certificate is trusted by an Certificate Autority, The file must content # certificate from high level CA trusted_ca /etc/tls/cacert/terena.crt 6. Finalmente, configuraremos el servicio, por ejemplo /etc/pam.d/dovecot con las siguientes entradas: auth required pam_cas.so -s<service_id> -f/etc/pam_cas.conf account sufficient pam_permit.so donde <service_id> será el identificador del servicio que se validará. CAS-BSC.PATCH
Files ../Pam_cas-2.0.11-esup-2.0.5/sources/castest and ./sources/castest differ
diff -urN ../Pam_cas-2.0.11-esup-2.0.5/sources/Makefile.redhat ./sources/Makefile.redhat
--- ../Pam_cas-2.0.11-esup-2.0.5/sources/Makefile.redhat 2006-05-23 13:49:57.000000000 +0200
+++ ./sources/Makefile.redhat 2010-06-15 11:16:12.000000000 +0200
@@ -5,7 +5,7 @@
 LDFLAGS =
 PAM_LDFLAGS = ${LDFLAGS} -shared
 LIBS =
-CPFLAGS = -O2
+CPFLAGS = -fPIC -O2
 #CPFLAGS = -g -Wall
 SRCS =\
diff -urN ../Pam_cas-2.0.11-esup-2.0.5/sources/pam_cas.c ./sources/pam_cas.c
--- ../Pam_cas-2.0.11-esup-2.0.5/sources/pam_cas.c 2009-03-11 13:57:07.000000000 +0100
+++ ./sources/pam_cas.c 2010-06-17 12:33:32.000000000 +0200
@@ -65,6 +65,69 @@
 static int _get_authtok (pam_handle_t * pamh);
+char **split ( char *string, const char sep) {
+
+ char **lista;
+ char *p = string;
+ int i = 0;
+
+ int pos;
+ const int len = strlen (string);
+
+ lista = (char **) malloc (sizeof (char *));
+ if (lista == NULL) { /* Cannot allocate memory */
+ return NULL;
+ }
+
+ lista[pos=0] = NULL;
+
+ while (i <len) {
+
+ while ((p[i] == sep) && (i <len))
+ i++;
+
+ if (i <len) {
+
+ char **tmp = (char **) realloc (lista , (pos + 2) * sizeof (char *));
+ if (tmp == NULL) { /* Cannot allocate memory */
+ free (lista);
+ return NULL;
+ }
+ lista = tmp;
+ tmp = NULL;
+
+ lista[pos + 1] = NULL;
+ lista[pos] = (char *) malloc (sizeof (char));
+ if (lista[pos] == NULL) { /* Cannot allocate memory */
+ for (i = 0; i <pos; i++)
+ free (lista[i]);
+ free (lista);
+ return NULL;
+ }
+
+ int j = 0;
+ for (i; ((p[i] != sep) && (i <len)); i++) {
+ lista[pos][j] = p[i];
+ j++;
+
+ char *tmp2 = (char *) realloc (lista[pos],(j + 1) * sizeof (char));
+ if (lista[pos] == NULL) { /* Cannot allocate memory */
+ for (i = 0; i <pos; i++)
+ free (lista[i]);
+ free (lista);
+ return NULL;
+ }
+ lista[pos] = tmp2;
+ tmp2 = NULL;
+ }
+ lista[pos][j] = '\0';
+ pos++;
+ }
+ }
+
+ return lista;
+}
+
 int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
@@ -72,6 +135,7 @@
 char *configFile = NULL;
 char *user, *pw;
 char *service = NULL;
+ char **luser;
 char netid[CAS_LEN_NETID];
 int i, success, res, ret;
@@ -88,6 +152,12 @@
 END(PAM_AUTH_ERR);
 }
+ + + + + + syslog(LOG_ERR, "User before change '%s'.", user); luser = split(user,'@'); if (luser[0] != NULL) { user = luser[0]; } syslog(LOG_ERR, "User after change '%s'.", user);
 if (!pw) {
 if (_get_authtok(pamh) != PAM_SUCCESS){
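Review bot: The growth step inside `split` checks the wrong pointer: after `char *tmp2 = (char *) realloc (lista[pos],(j + 1) * sizeof (char));` the test is `if (lista[pos] == NULL)`, so a failed `realloc` is never detected, `lista[pos] = tmp2;` stores NULL, the old token buffer leaks and the next `lista[pos][j] = p[i];` writes through a null pointer. The minimal fix is `if (tmp2 == NULL)`, but since the scan has to find the next separator anyway the token can be measured first and copied with one `malloc` plus `memcpy`, which also removes the per-character `realloc`, the no-op `for (i; ...)` initialiser and the cleanup loops that forget to free `lista[pos]` itself; the rewrite below keeps the signature and the NULL-terminated result. Further, `split` returns NULL on allocation failure, but the call site added in the third hunk of this file (`luser = split(user,'@'); if (luser[0] != NULL)`) dereferences the result without a check and never frees the array, so every authentication attempt leaks it; that hunk's last context line lies outside this chunk. That call site also drops everything after the first `@` without comparing it to anything, so as far as this patch shows `user@anything` is handed on as `user`; if the domain part is meant to restrict who may log in it should be validated rather than discarded, and the two `syslog(LOG_ERR, ...)` lines that print the name before and after would be better at `LOG_DEBUG` and gated by the module's `debug` setting.
```c
char **split ( char *string, const char sep) {
  const size_t len = strlen (string);
  size_t i = 0, pos = 0;

  char **lista = malloc (sizeof *lista);
  if (lista == NULL) { /* Cannot allocate memory */
    return NULL;
  }
  lista[0] = NULL;

  while (i < len) {
    /* skip a run of separators */
    while (i < len && string[i] == sep)
      i++;
    if (i >= len)
      break;

    /* measure the token first so it is copied with a single allocation */
    size_t start = i;
    while (i < len && string[i] != sep)
      i++;
    size_t toklen = i - start;

    char **tmp = realloc (lista, (pos + 2) * sizeof *lista);
    if (tmp == NULL)
      goto fail;          /* lista still valid, lista[pos] is the NULL terminator */
    lista = tmp;
    lista[pos + 1] = NULL;

    lista[pos] = malloc (toklen + 1);
    if (lista[pos] == NULL)
      goto fail;          /* lista[pos] is NULL, so the loop below stops there */
    memcpy (lista[pos], string + start, toklen);
    lista[pos][toklen] = '\0';
    pos++;
  }
  return lista;

fail:
  /* on both failure paths the first NULL slot marks the end of the valid tokens */
  for (size_t k = 0; lista[k] != NULL; k++)
    free (lista[k]);
  free (lista);
  return NULL;
}
```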