Escape PAM special characters properly #656

Open
wants to merge 10 commits into
base: main
7 changes: 7 additions & 0 deletions README.md
Expand Up @@ -557,6 +557,13 @@ variables serving as overrides:
- Default Value: `False`
- Environment Variable Override: `PYTHON_IRODSCLIENT_CONFIG__LEGACY_AUTH__PAM__STORE_PASSWORD_TO_ENVIRONMENT`

- Setting: Force the use of PAM_AUTH_REQUEST_AN API for entering a new PAM password into the catalog. This API accommodates longer passwords and avoids the step of parsing a semicolon-delimited
"context" parameter.
- Dotted Name: `legacy_auth.pam.force_use_of_dedicated_pam_api`
- Type: `bool`
- Default Value: `False`
- Environment Variable Override: `PYTHON_IRODSCLIENT_CONFIG__LEGACY_AUTH__PAM__FORCE_USE_OF_DEDICATED_PAM_API`

- Setting: Default choice of XML parser for all new threads.
- Dotted Name: `connections.xml_parser_default`
- Type: `str`
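
Review bot: The new entry for `legacy_auth.pam.force_use_of_dedicated_pam_api` does not say what the client does when the setting is left at its default of `False`. The `_login_pam` change in this PR computes `use_dedicated_pam_api = (len(ctx) >= MAX_NAME_LEN) or ...`, so PAM_AUTH_REQUEST_AN is already selected automatically once the context reaches `MAX_NAME_LEN`. The README should state this, so that an administrator understands the setting only forces that path for shorter contexts as well. It would also help to say in one sentence why avoiding the semicolon-delimited "context" parsing matters for passwords containing special characters, since that is the stated purpose of the PR.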
7 changes: 3 additions & 4 deletions irods/connection.py
Expand Up @@ -489,10 +489,9 @@ def _login_pam(self):
if getattr(self,'DISALLOWING_PAM_PLAINTEXT',True):
raise PlainTextPAMPasswordError

# Normally, we use the AUTH_PLUG_REQ_AN api ( generalized to handle both PAM and GSI, as evidenced in the gsi_client_auth_request() method.)
# However, it has a practical limit to the number of characters in a context_ parameter (defined in packStruct as str[MAX_NAME_LEN].
# Whereas PAM_AUTH_REQUEST_AN is an older api and defines pamPassword as type str*, with apparently no length limit.
# TODO : perhaps we should always use PAM_AUTH_REQUEST_AN ??
# Normally, we use the AUTH_PLUG_REQ_AN api (generalized to handle both PAM and GSI, as evidenced in the gsi_client_auth_request() method.)
# However, it has a practical limit to the number of characters in a context_ parameter (defined in packStruct as "str[MAX_NAME_LEN]".
# Whereas PAM_AUTH_REQUEST_AN is an older api and defines pamPassword as a "str*" entry, with apparently no length limit.

use_dedicated_pam_api = (len(ctx) >= MAX_NAME_LEN) or \
cfg.legacy_auth.pam.force_use_of_dedicated_pam_api
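
Review bot: In the `use_dedicated_pam_api` expression, `len(ctx) >= MAX_NAME_LEN` compares a Python length against a limit that the comment above describes as a `str[MAX_NAME_LEN]` field. If `ctx` is a text string and the password contains non-ASCII characters, the encoded size can reach that limit while `len(ctx)` is still below it, and the request would then take the AUTH_PLUG_REQ_AN path with an oversized context. Please either measure the encoded length or note in the comment that `ctx` is already bytes at this point. Two smaller points on the rewritten comment: the parenthesis opened at `(defined in packStruct as "str[MAX_NAME_LEN]".` is never closed, and the removed TODO asked whether PAM_AUTH_REQUEST_AN should always be used; a short remark that the new configuration setting is the answer to that question would keep the history readable.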