diff -up cvs-1.11.23/configure.in.pam cvs-1.11.23/configure.in
--- cvs-1.11.23/configure.in.pam 2008-07-15 15:40:50.000000000 -0400
+++ cvs-1.11.23/configure.in 2008-07-15 15:40:50.000000000 -0400
@@ -904,6 +904,36 @@ if test no != "$enable_server"; then
[The high water mark in bytes for server flow control. Required if
SERVER_FLOWCONTROL is defined, and useless otherwise.])
fi # enable_server_flow_control
+
+ dnl
+ dnl Give the confiscator control over whether the pam support is used
+ dnl
+ AC_ARG_ENABLE(
+ [pam],
+ AC_HELP_STRING(
+ [--enable-pam],
+ [Include code for running with pam code (default)]), ,
+ [if test "$ac_cv_search_connect" != yes; then
+ enable_pam=no
+ fi])
+
+ if test no != "$enable_pam"; then
+ AC_DEFINE(
+ [PAM_SUPPORT], [1],
+ [Define if you want CVS to be able to serve repositories to remote
+ clients.])
+
+ dnl
+ dnl Finding the pam_authenticate function.
+ dnl
+ AC_SEARCH_LIBS(
+ [pam_authenticate], [pam],
+ [AC_DEFINE(
+ [HAVE_PAM], [1],
+ [Define if you have the pam_authenticate function.])
+ ]) dnl AC_SEARCH_LIBS
+ fi #enable_pam
+
fi # enable_server
diff -up cvs-1.11.23/src/server.c.pam cvs-1.11.23/src/server.c
--- cvs-1.11.23/src/server.c.pam 2008-07-15 15:40:50.000000000 -0400
+++ cvs-1.11.23/src/server.c 2008-07-15 15:42:02.000000000 -0400
@@ -20,6 +20,12 @@
# include <process.h>
#endif
+/* needed for PAM authentication - fk 2000 */
+#if PAM_SUPPORT
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#endif
+
int server_active = 0;
#if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT)
@@ -5673,7 +5679,36 @@ check_repository_password (username, pas
return retval;
}
-
+/* callback for PAM authentication - fk 2000 */
+#if PAM_SUPPORT
+int silent_conv(int num_msg, const struct pam_message **msgm,
+ struct pam_response **response, void *appdata) {
+ int replies;
+ struct pam_response *reply = NULL;
+
+ reply = calloc(num_msg,sizeof(struct pam_response));
+ for (replies=0; replies<num_msg; replies++) {
+ switch (msgm[replies]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ /* printf("Prompt: %s\n",msgm[replies]->msg); */
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = strdup((char*)appdata);
+ break;
+ case PAM_ERROR_MSG:
+ case PAM_TEXT_INFO:
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = NULL;
+ break;
+ default:
+ free(reply);
+ return PAM_CONV_ERR;
+ }
+ }
+ *response = reply;
+ return PAM_SUCCESS;
+}
+#endif
/* Return a hosting username if password matches, else NULL. */
static char *
@@ -5761,6 +5796,34 @@ error 0 %s: no such user\n", username);
if (*found_passwd)
{
/* user exists and has a password */
+#if PAM_SUPPORT
+ pam_handle_t *pamh = NULL;
+ struct pam_conv conv;
+ int retval;
+
+ conv.conv = silent_conv;
+ conv.appdata_ptr = password;
+
+ retval = pam_start("cvs", username, &conv, &pamh);
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate(pamh, 0); /* is user really user? */
+
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
+
+ /* This is where we have been authorized or not. */
+
+ if (retval == PAM_SUCCESS) {
+ host_user = xstrdup (username);
+ } else {
+ host_user = NULL;
+ }
+
+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
+ pamh = NULL;
+ }
+#else
if (strcmp (found_passwd, crypt (password, found_passwd)) == 0)
{
host_user = xstrdup (username);
@@ -5774,6 +5837,7 @@ error 0 %s: no such user\n", username);
crypt(password, found_passwd), found_passwd);
#endif
}
+#endif
goto handle_return;
}