[Pkg-shadow-devel] shadow-trunk patch for openpam compatibility

Seraphim Mellos mellos at ceid.upatras.gr
Mon Jul 21 19:20:31 UTC 2008


Hello people, 

  I'm currently a student and I'm taking part in this year's GSoC with
Gentoo. My project is to implement Linux-compatible OpenPAM modules
which could replace Linux-PAM and its set of modules. While developing
the modules, I came across some problems caused by the fact
that OpenPAM and Linux-PAM, while API compliant, are not ABI compliant.
That forced me to recompile shadow against OpenPAM instead of Linux-PAM.
Later on, with the help of Diego Petteno (a Gentoo dev and pam
maintainer), I developed a small patch which enables shadow to compile on 
a system either using Linux-PAM or OpenPAM, depending on which is
available. 

The patch is included as an attachment.

Regards, 
Seraphim Mellos
-------------- next part --------------
Index: configure.in
===================================================================
--- configure.in	(revision 2206)
+++ configure.in	(working copy)
@@ -340,13 +340,29 @@
 		AC_MSG_ERROR(libpam not found)
 	fi
 
-	AC_CHECK_LIB(pam_misc, main,
-	             [pam_misc_lib="yes"], [pam_misc_lib="no"])
-	if test "$pam_misc_lib$with_libpam" = "noyes" ; then
-		AC_MSG_ERROR(libpam_misc not found)
+	LIBPAM="-lpam"
+	pam_conv_function="no"
+
+	AC_CHECK_LIB(pam, openpam_ttyconv,
+		[pam_conv_function="openpam_ttyconv"],
+		AC_CHECK_LIB(pam_misc, misc_conv,
+			[pam_conv_function="misc_conv"; LIBPAM="$LIBPAM -lpam_misc"])
+		)
+
+	if test "$pam_conv_function$with_libpam" = "noyes" ; then
+		AC_MSG_ERROR(PAM conversation function not found)
 	fi
 
-	if test "$pam_lib$pam_misc_lib" = "yesyes" ; then
+	pam_headers_found=no
+	AC_CHECK_HEADERS( [security/openpam.h security/pam_misc.h],
+			 [ pam_headers_found=yes ; break ], [],
+			 [ #include <security/pam_appl.h> ] )
+        if test "$pam_headers_found$with_libpam" = "noyes" ; then
+	                AC_MSG_ERROR(PAM headers not found)
+        fi
+
+
+	if test "$pam_lib$pam_headers_found" = "yesyes" -a "$pam_conv_function" != "no" ; then
 		with_libpam="yes"
 	else
 		with_libpam="no"
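Review bot: The header check is not tied to the conversation function chosen a few lines earlier. The `break` in AC_CHECK_HEADERS stops at the first header found, so a host that links misc_conv from libpam_misc but also has a security/openpam.h installed could end up with `pam_conv_function="misc_conv"` and HAVE_SECURITY_PAM_MISC_H undefined. lib/pam_defs.h would then use SHADOW_PAM_CONVERSATION without including the header that declares it. Checking only the header that matches `$pam_conv_function` removes the mismatch. Separately, the inner AC_CHECK_LIB passed as the fourth argument of the outer one should be wrapped in `[...]` quoting.

```m4
	pam_headers_found=no
	case "$pam_conv_function" in
	openpam_ttyconv)
		AC_CHECK_HEADERS([security/openpam.h],
			[pam_headers_found=yes], [],
			[#include <security/pam_appl.h>])
		;;
	misc_conv)
		AC_CHECK_HEADERS([security/pam_misc.h],
			[pam_headers_found=yes], [],
			[#include <security/pam_appl.h>])
		;;
	esac
	dnl … unchanged: "PAM headers not found" error and with_libpam assignment …
```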
@@ -354,9 +370,22 @@
 fi
 dnl Now with_libpam is either yes or no
 if test "$with_libpam" = "yes"; then
+	AC_CHECK_DECLS([PAM_ESTABLISH_CRED,
+		PAM_DELETE_CRED,
+		PAM_NEW_AUTHTOK_REQD,
+		PAM_DATA_SILENT],
+		[], [], [#include <security/pam_appl.h>])
+
+
+	save_libs=$LIBS
+        LIBS="$LIBS $LIBPAM"
+	AC_CHECK_FUNCS([pam_fail_delay])
+	LIBS=$save_libs
+
 	AC_DEFINE(USE_PAM, 1, [Define to support Pluggable Authentication Modules])
+	AC_DEFINE_UNQUOTED(SHADOW_PAM_CONVERSATION, [$pam_conv_function],[PAM converstation to use])
 	AM_CONDITIONAL(USE_PAM, [true])
-	LIBPAM="-lpam -lpam_misc"
+
 	AC_MSG_CHECKING(use login and su access checking if PAM not used)
 	AC_MSG_RESULT(no)
 else
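Review bot: The description string on the AC_DEFINE_UNQUOTED line for SHADOW_PAM_CONVERSATION is misspelled ("converstation"), and it is copied into config.h as the macro's comment. It should read `[PAM conversation function to use]`. The `LIBS="$LIBS $LIBPAM"` line is also indented with spaces where the neighbouring lines use a tab.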
Index: src/login.c
===================================================================
--- src/login.c	(revision 2206)
+++ src/login.c	(working copy)
@@ -691,9 +691,11 @@
 			  failed = false;
 
 			  failcount++;
+#ifdef HAVE_PAM_FAIL_DELAY
 			  if (delay > 0) {
 			    retcode = pam_fail_delay(pamh, 1000000*delay);
 			  }
+#endif
 
 			  retcode = pam_authenticate (pamh, 0);
 
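Review bot: With the `#ifdef HAVE_PAM_FAIL_DELAY` guard, a build against a PAM library that lacks pam_fail_delay() silently drops the configured `delay`. The retry path before `pam_authenticate (pamh, 0)` then requests no pause between failed attempts, so throttling of password guessing depends entirely on whatever the PAM stack does itself. Add an `#else` branch that at least records this, e.g. `/* no pam_fail_delay(): delay is not applied here; the PAM stack must throttle retries */`, or apply the delay with a sleep after a failed authentication. The loop and its failure handling start and end outside this hunk, so the right place for a fallback sleep has to be confirmed there.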
Index: lib/pam_defs.h
===================================================================
--- lib/pam_defs.h	(revision 2206)
+++ lib/pam_defs.h	(working copy)
@@ -28,24 +28,31 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <config.h>
 #include <security/pam_appl.h>
-#include <security/pam_misc.h>
+#ifdef HAVE_SECURITY_PAM_MISC_H
+# include <security/pam_misc.h>
+#endif
+#ifdef HAVE_SECURITY_OPENPAM_H
+# include <security/openpam.h>
+#endif
 
+
 static struct pam_conv conv = {
-	misc_conv,
+	SHADOW_PAM_CONVERSATION,
 	NULL
 };
 
 /* compatibility with different versions of Linux-PAM */
-#ifndef PAM_ESTABLISH_CRED
+#if !HAVE_DECL_PAM_ESTABLISH_CRED
 #define PAM_ESTABLISH_CRED PAM_CRED_ESTABLISH
 #endif
-#ifndef PAM_DELETE_CRED
+#if !HAVE_DECL_PAM_DELETE_CRED
 #define PAM_DELETE_CRED PAM_CRED_DELETE
 #endif
-#ifndef PAM_NEW_AUTHTOK_REQD
+#if !HAVE_DECL_PAM_NEW_AUTHTOK_REQD
 #define PAM_NEW_AUTHTOK_REQD PAM_AUTHTOKEN_REQD
 #endif
-#ifndef PAM_DATA_SILENT
+#if !HAVE_DECL_PAM_DATA_SILENT
 #define PAM_DATA_SILENT 0
 #endif
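Review bot: The comment `/* compatibility with different versions of Linux-PAM */` above the fallback defines is out of date now that the guards are `HAVE_DECL_*` tests which also have to hold for OpenPAM. The switch from `#ifndef` to `#if !HAVE_DECL_…` is presumably needed because an implementation may declare these constants as enum members rather than macros, which `#ifndef` cannot see. The comment should say so, e.g. `/* PAM constants missing from some implementations; HAVE_DECL_* (unlike #ifndef) also detects enum declarations */`. These tests only work when config.h has been included first, which the added `#include <config.h>` provides.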

