[Cluster-devel] conga ./conga.spec.in.in make/version.in ricci ...

kupcevic at sourceware.org kupcevic at sourceware.org
Tue Oct 24 21:59:56 UTC 2006


CVSROOT:	/cvs/cluster
Module name:	conga
Branch: 	RHEL5
Changes by:	kupcevic at sourceware.org	2006-10-24 21:59:55

Modified files:
	.              : conga.spec.in.in 
	make           : version.in 
	ricci/init.d   : ricci 
	ricci/ricci    : Auth.cpp Auth.h Makefile 

Log message:
	ricci: switch pam to sasl authentication (bz211191)

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/conga.spec.in.in.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.45&r2=1.45.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/make/version.in.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.21&r2=1.21.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/init.d/ricci.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.8&r2=1.8.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/ricci/Auth.cpp.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.4&r2=1.4.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/ricci/Auth.h.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.2&r2=1.2.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/ricci/ricci/Makefile.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.16&r2=1.16.2.1

--- conga/conga.spec.in.in	2006/10/16 21:01:40	1.45
+++ conga/conga.spec.in.in	2006/10/24 21:59:55	1.45.2.1
@@ -40,7 +40,10 @@
 BuildRequires: python-devel >= 2.4.1
 %endif
 BuildRequires: glibc-devel gcc-c++ libxml2-devel sed
-BuildRequires: openssl-devel dbus-devel pam-devel pkgconfig file
+#BuildRequires: pam-devel
+BuildRequires: cyrus-sasl-devel >= 2.1
+BuildRequires: openssl-devel dbus-devel pkgconfig file
+
 
 %description
 Conga is a project developing management system for remote stations. 
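Review bot: The commented-out `#BuildRequires: pam-devel` at L36 is dead text that should either be deleted (CVS keeps the history) or carry a reason for staying, e.g. `# pam-devel no longer needed: ricci_auth (-lpam) is not built since the switch to saslauthd`; the Makefile in this commit still has a `${TARGET_AUTH}` link rule with `-lpam`, so a reader cannot tell whether dropping the build dependency was intentional. The same commit bumps `RELEASE` to 20.4 in make/version.in but the `%changelog` hunk at L56 only adds a blank line; an entry such as `* Tue Oct 24 2006 Stanko Kupcevic <kupcevic at redhat.com> 0.8-20.4` / `- ricci: switch pam to sasl authentication (bz211191)` would record why the runtime now requires `cyrus-sasl >= 2.1` and a running saslauthd.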
@@ -182,7 +185,7 @@
 Summary: Remote Management System - Managed Station
 
 Requires: initscripts
-Requires: oddjob dbus openssl pam
+Requires: oddjob dbus openssl pam cyrus-sasl >= 2.1
 Requires: sed util-linux
 Requires: modcluster >= 0.8
 
@@ -279,6 +282,7 @@
 
 
 %changelog
+
 * Wed Oct 16 2006 Stanko Kupcevic <kupcevic at redhat.com> 0.8-20
 - Minor GUI nits
 
--- conga/make/version.in	2006/10/16 21:01:40	1.21
+++ conga/make/version.in	2006/10/24 21:59:55	1.21.2.1
@@ -1,2 +1,2 @@
 VERSION=0.8
-RELEASE=20
+RELEASE=20.4
--- conga/ricci/init.d/ricci	2006/08/16 02:57:52	1.8
+++ conga/ricci/init.d/ricci	2006/10/24 21:59:55	1.8.2.1
@@ -90,6 +90,8 @@
 		    fi
 		fi
 		
+		service saslauthd start > /dev/null 2>&1
+		
 		ssl_certs_ok
 		if [ "1$?" != "10" ] ; then
 		    generate_ssl_certs
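Review bot: The exit status of `service saslauthd start` at L72 is thrown away together with its output, so when saslauthd fails to start ricci still comes up and every authentication then fails with "authentication engine error" (the error path in Auth.cpp) while nothing at service start says why. The call should be checked and reported, e.g. `if ! service saslauthd start > /dev/null 2>&1 ; then echo "saslauthd failed to start"; exit 1; fi` (or `return 1` if this sits inside a start function — the enclosing function begins outside the hunk). A comment stating that ricci's password check is delegated to saslauthd, and that saslauthd's configured mechanism (not visible here) decides how root's password is verified, would also help the next maintainer.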
--- conga/ricci/ricci/Auth.cpp	2006/08/12 00:38:36	1.4
+++ conga/ricci/ricci/Auth.cpp	2006/10/24 21:59:55	1.4.2.1
@@ -22,33 +22,35 @@
 
 
 #include "Auth.h"
-#include "ricci_defines.h"
+#include "Mutex.h"
+#include <sasl/sasl.h>
 
-#include <errno.h>
-#include <signal.h>
-#include <sys/types.h>
-#include <sys/wait.h>
 
 
-#include <iostream>
-using namespace std;
 
+static int 
+sasl_getopts_callback(void*         context, 
+		     const char*   plugin_name,
+		     const char*   option, 
+		     const char**  result, 
+		     unsigned int* len);
 
 
-static void
-close_fd(int fd)
-{
-  int e;
-  do {
-    e = close(fd);
-  } while (e && (errno == EINTR));
-}
+static Mutex mutex;          // global sasl_lib protection mutex
+static bool inited = false;  // sasl_lib initialized?
+const static 
+sasl_callback_t callbacks[] = {
+  {SASL_CB_GETOPT, (int (*)()) sasl_getopts_callback, NULL}, 
+  {SASL_CB_LIST_END, NULL, NULL},
+};
 
 
 
-Auth::Auth() :
-  _path(AUTH_HELPER_PATH)
-{}
+Auth::Auth()
+{
+  if (!initialize_auth_system())
+    throw String("Failed to initialize authentication engine");
+}
 
 Auth::~Auth()
 {}
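Review bot: The forward declaration at L96-L101 marks `sasl_getopts_callback` as `static`, but its definition (next hunk, L226) omits the keyword; C++ keeps the internal linkage from the first declaration, so it compiles, but the two should agree — add `static` to the definition. The hunk also removes every system include while the new getopt callback calls `strcmp`, so `#include <cstring>` belongs next to `<sasl/sasl.h>` unless it is known to arrive through `Auth.h`. The comment on `mutex` could say what it actually guards as seen in this file: `// serialises sasl_server_init() and every sasl_server_new()/sasl_checkpass() call; no sasl_set_mutex() hooks are installed`.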
@@ -57,77 +59,87 @@
 bool 
 Auth::authenticate(const String& passwd) const
 {
-  if (access(_path.c_str(), X_OK))
-    throw String("missing auth helper");
+  MutexLocker l(mutex);
   
-  int _stdin_pipe[2];
-  
-  if (pipe(_stdin_pipe) == -1)
-    throw String("failure creating pipe");
-  
-  int pid = fork();
-  if (pid == -1) {
-    close_fd(_stdin_pipe[0]);
-    close_fd(_stdin_pipe[1]);
-    throw String("fork failed");
+  sasl_conn_t *conn = 0;
+  try {
+    bool success = false;
+    
+    int ret = sasl_server_new("ricci", // servicename
+			      NULL,    // hostname
+			      NULL,    // realm
+			      NULL,    // local ip:port
+			      NULL,    // remote ip:port
+			      callbacks, 
+			      0,       // connection flags
+			      &conn);
+    if (ret != SASL_OK)
+      throw String("authentication engine error");
+    
+    ret = sasl_checkpass(conn, 
+			 "root", 4, 
+			 passwd.c_str(), passwd.size());
+    if (ret == SASL_OK)
+      success = true;
+    else
+      if (ret != SASL_BADAUTH)
+	throw String("authentication engine error");
+    
+    sasl_dispose(&conn); conn = 0;
+    return success;
+  } catch ( ... ) {
+    if (conn) {
+      sasl_dispose(&conn);
+      conn = 0;
+    }
+    throw;
   }
+}
+
+
+
+bool
+Auth::initialize_auth_system()
+{
+  MutexLocker l(mutex);
   
-  if (pid == 0) {
-    /* child */
-    close_fd(0);
-    close_fd(1);
-    close_fd(2);
-    
-    close_fd(_stdin_pipe[1]);
-    dup2(_stdin_pipe[0], 0);
-    close_fd(_stdin_pipe[0]);
-    
-    // restore signals
-    for (int x = 1; x < _NSIG; x++)
-      signal(x, SIG_DFL);
-    sigset_t set;
-    sigfillset(&set);
-    sigprocmask(SIG_UNBLOCK, &set, NULL);
-    
-    /* exec */
-    execl(_path.c_str(), _path.c_str(), NULL);
-    _exit(1);
+  if (!inited) {
+    int ret = sasl_server_init(callbacks, "ricci");
+    inited = (ret == SASL_OK);
   }
-  
-  
-  /* parent */
-  
-  close_fd(_stdin_pipe[0]);
-  
+  return inited;
+}
+
+int 
+sasl_getopts_callback(void*         context, 
+		      const char*   plugin_name,
+		      const char*   option, 
+		      const char**  result, 
+		      unsigned * len)
+{
   try {
-    String pass = passwd + "\n";
-    do {
-      int size = write(_stdin_pipe[1], pass.c_str(), pass.size());
-      if (size == -1) {
-	if (errno == EINTR)
-	  continue;
-	else {
-	  cout << errno << endl;
-	  throw String("write() error");
-	}
+    static const char authd_option[]         = "pwcheck_method";
+    static const char authd_result[]         = "saslauthd";
+    
+    static const char authd_version_option[] = "saslauthd_version";
+    static const char authd_version_result[] = "2";
+    
+    
+    if (result) {
+      *result = 0;
+      if (strcmp(option, authd_option) == 0)
+	*result = authd_result;
+      else if (strcmp(option, authd_version_option) == 0)
+	*result = authd_version_result;
+      else {
+	// modify more options we'd like to use
       }
-      pass = pass.substr(size, pass.npos);
-    } while (!pass.empty());
+    }
+    if (len)
+      *len = 0;
+    
+    return SASL_OK;
   } catch ( ... ) {
-    close_fd(_stdin_pipe[1]);
-    throw;
-  }
-  close_fd(_stdin_pipe[1]);
-  
-  bool success = false;
-  int ret, status;
-  do {
-    ret = waitpid(pid, &status, 0);
-  } while ((ret < 0) && (errno == EINTR));
-  
-  if (WIFEXITED(status)) {
-    status = WEXITSTATUS(status);
-    success = (status == 0);
+    return SASL_FAIL;
   }
-  return success;
 }
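Review bot: A `SASL_BADAUTH` result at L169-L173 becomes a bare `return false`, so a failed root password check leaves no record in ricci itself — only whatever saslauthd may log on its side, which this code cannot see or count. A single log line (using whatever logging facility ricci already has) on the `SASL_BADAUTH` branch, and another before the `throw String("authentication engine error")` at L164 and L173, would make repeated failures and engine outages visible alongside ricci's other logs. Separately, `sasl_getopts_callback` wraps string compares and pointer stores that cannot throw in `try { … } catch (...)`; dropping the block and adding a guard `if (!option) return SASL_FAIL;` before the `strcmp` calls would be clearer, and the `*len = 0` store at L264 deserves a comment stating the intent (presumably "result is NUL-terminated" — confirm against the sasl_getopt_t contract).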
--- conga/ricci/ricci/Auth.h	2006/08/10 22:53:09	1.2
+++ conga/ricci/ricci/Auth.h	2006/10/24 21:59:55	1.2.2.1
@@ -27,6 +27,9 @@
 #include "String.h"
 
 
+// thread safe
+
+
 class Auth
 {
  public:
@@ -34,9 +37,10 @@
   virtual ~Auth();
   
   bool authenticate(const String& passwd) const;
- private:
   
-  String _path;
+  
+  static bool initialize_auth_system();  // to be called at start-up (not required)
+  
   
 };
 
--- conga/ricci/ricci/Makefile	2006/08/22 23:01:17	1.16
+++ conga/ricci/ricci/Makefile	2006/10/24 21:59:55	1.16.2.1
@@ -44,7 +44,8 @@
 LDFLAGS     += `pkg-config --libs dbus-1`
 
 
-all: ${TARGET} ${TARGET_AUTH} ${TARGET_WORKER}
+#all: ${TARGET} ${TARGET_AUTH} ${TARGET_WORKER}
+all: ${TARGET} ${TARGET_WORKER}
 
 *.o: *.h ../include/*.h
 
@@ -52,7 +53,7 @@
 	$(INSTALL_DIR)  ${sbindir}
 	$(INSTALL_BIN)  ${TARGET} ${sbindir}
 	$(INSTALL_DIR)  ${libexecdir}/ricci
-	install -m 4755 ${TARGET_AUTH}   ${libexecdir}/ricci
+	#install -m 4755 ${TARGET_AUTH}   ${libexecdir}/ricci
 	$(INSTALL_BIN)  ${TARGET_WORKER} ${libexecdir}/ricci
 	$(INSTALL_DIR)  ${localstatedir}/lib/ricci/queue
 	$(INSTALL_DIR)  ${localstatedir}/lib/ricci/certs
@@ -77,10 +78,14 @@
 
 
 $(TARGET): $(OBJECTS) 
-	$(CXX) -o $(TARGET) $(OBJECTS) $(LDFLAGS)
+	$(CXX) -o $(TARGET) $(OBJECTS) $(LDFLAGS) -lsasl2
 
 ${TARGET_AUTH}: $(TARGET_AUTH_OBJECTS)
 	$(CXX) -o ${TARGET_AUTH} $(TARGET_AUTH_OBJECTS) ${LDFLAGS} -lpam
 
 ${TARGET_WORKER}: ${TARGET_WORKER_OBJECTS}
 	$(CXX) -o ${TARGET_WORKER} ${TARGET_WORKER_OBJECTS} ${LDFLAGS}
+
+
+Auth_test: Auth_test.o Auth.o
+	$(CXX) -o Auth_test Auth_test.o Auth.o ${LDFLAGS} -lsasl2
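Review bot: `-lsasl2` is appended by hand to two link lines (L337 and L347) while the dbus libraries are collected through `LDFLAGS += …` at L314; a single `LDFLAGS += -lsasl2` next to that line keeps the link flags in one place and stops the two rules drifting apart. The new `Auth_test` target is not part of `all`, which is fine for a manual test, but a comment such as `# manual test harness, not built by default; requires a running saslauthd` would explain its presence and why it is absent from any clean or install rule (those rules are outside this hunk).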



