Configuration:
- * Allow configuration of the principal of the WebAuth user information
- service (used for remctl authentication).
-
- * Allow configuration of the port of the WebAuth user information
- service.
-
* Consider changing the configuration to take the user information
service location as a URL instead of the separate server and command
parameters, matching the way that mod_webkdc is configured.
*/
struct pam_config {
char *host; /* Host for user information queries. */
+ long port; /* Port for user information queries. */
+ char *identity; /* Identity for user information queries. */
char *command; /* Base command for queries. */
char *keytab; /* Keytab for authentication. */
long timeout; /* Timeout for authentication call. */
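Review bot: the comment on the new `port` field should state what the value 0 means, since the option table in this patch defaults it to `NUMBER (0)` and the documentation describes that as falling back to remctl's normal port behavior; suggest `long port; /* Port for user information queries (0 = remctl default). */` so a reader of the struct does not have to cross-reference the docs.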
/* Our option definition. */
#define K(name) (#name), offsetof(struct pam_config, name)
static const struct option options[] = {
- { K(command), true, STRING (NULL) },
- { K(host), true, STRING (NULL) },
- { K(keytab), true, STRING ("/etc/krb5.keytab") },
- { K(timeout), true, NUMBER (30) },
+ { K(command), true, STRING (NULL) },
+ { K(host), true, STRING (NULL) },
+ { K(identity), true, STRING (NULL) },
+ { K(keytab), true, STRING ("/etc/krb5.keytab") },
+ { K(port), true, NUMBER (0) },
+ { K(timeout), true, NUMBER (30) },
};
static const size_t optlen = sizeof(options) / sizeof(options[0]);
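Review bot: no range check is applied to `port` in this hunk or elsewhere in the patch, so a value outside 1..65535 on the PAM configuration line is handed straight through to the remctl client. Suggest rejecting out-of-range values when the options are parsed (keeping 0 as the "use default ports" sentinel) so the misconfiguration is reported as a configuration error rather than as a later connection failure.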
The hostname of the WebAuth information service against which to validate
the OTP code. This host, at least currently, must provide the WebAuth
user information service (at least the C<webkdc-validate> command) via
-remctl. The principal used for authentication will be the default host
-principal for that host, as determined by remctl's normal principal
-derivation algorithm. This option must be set.
+remctl. The principal used for authentication will default host principal
+for that host, as determined by remctl's normal principal derivation
+algorithm, but see I<principal>. This option must be set.
+
+=item identity=I<principal>
+
+Sets the identity of the WebAuth user information service. This is the
+principal to which the module will authenticate when validating OTP codes.
+The default is the normal host principal for the host on which the WebAuth
+user information service is running.
=item keytab=I<path>
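Review bot: the cross-reference in the rewritten host paragraph points at `I<principal>`, but the option added in this hunk is named `identity` (`=item identity=I<principal>`), so the sentence should end `but see I<identity>`. The same line also lost words: "will default host principal for that host" should read "will be the default host principal for that host".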
client identity. The default, if not set, is F</etc/krb5.keytab>, which
will generally use the local system host credentials.
+=item port=I<port>
+
+The port of the WebAuth user information service. The default, if not
+set, is to follow the normal remctl behavior of trying the registered
+(4373) and legacy (4444) ports.
+
=item timeout=I<timeout>
How long to wait, in seconds, for a reply from the WebAuth user
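Review bot: since the option table defaults `port` to 0, this paragraph should say explicitly that an unset option and `port=0` are treated the same way (fall back to the registered 4373 and legacy 4444 ports), so that an administrator who writes `port=0` knows what to expect.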
memset(&config, 0, sizeof(config));
config.protocol = WA_PROTOCOL_REMCTL;
config.host = args->config->host;
+ config.port = args->config->port;
+ config.identity = args->config->identity;
config.command = args->config->command;
config.keytab = args->config->keytab;
config.timeout = args->config->timeout;
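Review bot: `config.identity` is copied straight from the PAM option, which defaults to `STRING (NULL)`; confirm that the user information service code treats a NULL identity as "derive the host principal from the hostname", as the documentation added in this patch promises, rather than dereferencing it. A one-line comment here noting that NULL and 0 mean "library default" for `identity` and `port` would make that intent clear to the next reader.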