Subject: lib/36073: racoon can't uses with pam_group
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <huangys@xynetsoft.com>
List: netbsd-bugs
Date: 03/24/2007 02:25:01
>Number:         36073
>Category:       lib
>Synopsis:       racoon can't uses with pam_group
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 24 02:25:00 +0000 2007
>Originator:     huangys@xynetsoft.com
>Release:        NetBSD 3.1
>Organization:
            LucidaTech
>Environment:
System: NetBSD huangys.xynetsoft.com 3.1 NetBSD 3.1 (ACY13) #15: Tue Mar 6 13:47:52 CST 2007 huangys@huangys.xynetsoft.com:/home/src/sys/arch/i386/compile/ACY13 i386
Architecture: i386
Machine: i386
>Description:
	1. If insert pam_group.so in /etc/pam.d/racoon . you will get some error like this
        in openpam_dynamic(): /usr/lib/security/pam_group.so.0:
        /usr/lib/security/pam_group.so.0:
        Undefined PLT symbol "login_getpwclass" (symnum = 22)
    2. When you uses racoon to do the RASVPN, and you want only the 
        users in some group to be let in. you always get authenticate fails.
>How-To-Repeat:

    racoon.conf
    ----------------------
            .
            .
	mode_cfg {
            .
            .
        auth_source pam;
            .
            .
    }              
            .
            .
    -------------------------

    /etc/pam.d/racoon
    -------------------------
            .
            .
    auth            required       pam_group.so            no_warn group=vpnras
            .
            .
    -------------------------

>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/src/usr.sbin/racoon/Makefile,v
retrieving revision 1.12
diff -r1.12 Makefile
43c43
< LDADD+=   -lpam ${PAM_STATIC_LDADD}
---
> LDADD+=   -lpam -lutil ${PAM_STATIC_LDADD}


Index: isakmp_xauth.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c,v
retrieving revision 1.1.1.4.2.3
diff -r1.1.1.4.2.3 isakmp_xauth.c
644a645,651
> 
>   if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
>       plog(LLV_ERROR, LOCATION, NULL, 
>           "pam_set_item failed: %s\n", 
>           pam_strerror(pam, error));
>       goto out;
>   }