diff --git a/0001-ksu-pam-integration.patch b/0001-ksu-pam-integration.patch index 462c367..8f87d16 100644 --- a/0001-ksu-pam-integration.patch +++ b/0001-ksu-pam-integration.patch @@ -1,4 +1,4 @@ -From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001 +From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH 1/8] ksu pam integration @@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1 create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 2394f7e33..53f8b6fb7 100644 +index 024d6370c..43eed3b87 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then +@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then OPENLDAP_PLUGIN=yes fi ])dnl @@ -144,11 +144,11 @@ index 8b4edce4d..9d58f29b5 100644 clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 4f03dd8ed..21a4d02bb 100644 +index af1286172..931f05404 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ - * KSU was writen by: Ari Medvinsky, ari@isi.edu + * KSU was written by: Ari Medvinsky, ari@isi.edu */ +#include "autoconf.h" @@ -174,7 +174,7 @@ index 4f03dd8ed..21a4d02bb 100644 /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -535,6 +541,23 @@ main (argc, argv) +@@ -536,6 +542,23 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); @@ -198,7 +198,7 @@ index 4f03dd8ed..21a4d02bb 100644 /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -595,6 +618,24 @@ main (argc, argv) +@@ -596,6 +619,24 @@ main (argc, argv) exit(1); } @@ -223,7 +223,7 @@ index 4f03dd8ed..21a4d02bb 100644 } if( some_rest_copy){ -@@ -652,6 +693,30 @@ main (argc, argv) +@@ -653,6 +694,30 @@ main (argc, argv) exit(1); } @@ -254,7 +254,7 @@ index 4f03dd8ed..21a4d02bb 100644 /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -749,7 +814,7 @@ main (argc, argv) +@@ -750,7 +815,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -263,7 +263,7 @@ index 4f03dd8ed..21a4d02bb 100644 execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -779,16 +844,35 @@ main (argc, argv) +@@ -780,16 +845,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -759,10 +759,10 @@ index 000000000..d45b9fd84 +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index 234f4281c..d1f576124 100644 +index 4eb080784..693f76a81 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -772,5 +772,5 @@ index 234f4281c..d1f576124 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.25.0 +2.30.0 diff --git a/krb5-1.18.3.tar.gz b/krb5-1.18.3.tar.gz deleted file mode 100644 index 3abc687..0000000 --- a/krb5-1.18.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e61783c292b5efd9afb45c555a80dd267ac67eebabca42185362bee6c4fbd719 -size 8715312 diff --git a/krb5-1.18.3.tar.gz.asc b/krb5-1.18.3.tar.gz.asc deleted file mode 100644 index 17b664c..0000000 --- a/krb5-1.18.3.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAl+0QQcACgkQDLoIV1+D -ct8i0RAAtxhG66nmOSgL5xQ+kuTd1Gnq4GZjlAaAFKwU7xQX9wGctJNw5wThT+Ot -X8CtUXAUqZKO1odWsdiDRUV++C3ppTZdHLzo2UUzp0YbjSsMf2e/ZLolEwthJkQt -4eaqsUWTNHcePKlS9zsXdEUNRrjhzjDWS93Ppp1bLH1zQrUaPOEtLjkxY7r2yBgX -SsJIe6/W9sv0WlndWhQBfPfCE5wQmIbYDDHxCrWabnLwzsLM4HCJSnEC02oMZIAS -UiijoubyZS0UJ97EKzJLOgUr7B8h8cUmPru99FUvQfkWsTTLqt1yD5wHji8BiRU4 -Wh1z4y/E75E6GQybf97LY+x5czJbMycszteju6s/C9QHHeUoIgfpkVkoBBy4KufQ -t4fbzR7o5W1l1mdJ0s6IBwO0O97LTW2qQ7fLhIleB9jF+c1DEowBE4/Naq/NGkn5 -zMagwYcU583mUtk4boR6boLzsym0841+w14DN9hDBJ1fmI8OpKy5DE90aWSg/7qo -98J0H4gq0IZTd00QymDI8JQ97NF9mmaF+tKg1PCF77EP12nk1OnJ/X9etvNy+V8L -gWV6IAgJr8q1qLWh3FopCghI9sBDQBbM/cdgv/5jCTVKyH9zUzkw00K+Nvk26mFg -e3x3fN1soV6rEkZmtVM+e5l0NiIR1/0A2cX/SYJ8f+kB6XgW11Y= -=bdBU ------END PGP SIGNATURE----- diff --git a/krb5-1.19.1.tar.gz b/krb5-1.19.1.tar.gz new file mode 100644 index 0000000..5ee7e6e --- /dev/null +++ b/krb5-1.19.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fa16f87eb7e3ec3586143c800d7eaff98b5e0dcdf0772af7d98612e49dbeb20b +size 8738142 diff --git a/krb5-1.19.1.tar.gz.asc b/krb5-1.19.1.tar.gz.asc new file mode 100644 index 0000000..588eb6e --- /dev/null +++ b/krb5-1.19.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmAuntAACgkQDLoIV1+D +ct8TIhAArFittFBcz4ZfMxqhHVGdK6kOeQXrrV27d3FW6y28BvS7yHJ8CkyK+I3g +4rsaaf7srkH8jaiCjmjHC2rWJIuceOwkD4GRqXtb2CiqKxXI9eZ+g9ipB7DGKixg ++1nki7mOhd3oaeUkCRFXgyiOqSE/ird7/itLYzEoAroLpTazNp6Kk4gXmhJIENlq +dj1God+JxhuwzzWZRdsy2SyvMQPQMOTIilsXRboObZFvPrhZKkJmgNm+RzU/YRSg +/1Po7takBXq8qhgnwPHTnTPb+BYRdrqQc/a2WcmEdgbzeMpijNmkFsgAFeKDijSz +1nmFO4SQd/rAfgUovkDd+GMAYZ6DCLFqoI/WeKOgCrRMxJMMRbLlr48bTvMwjuIl +xE5gy8h2Iju/UP1lxz8KheCm/FyNzNw4pe74zbGgK5fdiEQ8xNlKZOs9LRrtvyfL +j1G+IX6cK+5yTo/NceYjnHVAatbuW6C6xJmsIQ1GYdMPvto7Wctq/4/BmwxqgFAJ +HCPuQgAGi875JpPYvi/c3tioRiIPwOz54CXCrcFyKELvgHi6lGN6MRNSzAP4QdA0 +HlXZQ4/4NFOJxjLGu9ZXKUbYPaGizhI+ayzg5/RJLHPIgW7yLvwFqkBIa1xs26bA +xiP5JKuDC4mqDPwVjwpufkUBH6SoBFnbiIWEYSKVPLJFw+Dbhv0= +=PP6r +-----END PGP SIGNATURE----- diff --git a/krb5-mini.changes b/krb5-mini.changes index 15159cc..6f93c14 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,50 @@ +------------------------------------------------------------------- +Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero + +- Update to 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. + +------------------------------------------------------------------- +Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero + +- Update to 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. + * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. + * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. + * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. + * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). + ------------------------------------------------------------------- Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero diff --git a/krb5-mini.spec b/krb5-mini.spec index f15f3e6..8e00a77 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5-mini -Version: 1.18.3 +Version: 1.19.1 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT diff --git a/krb5.changes b/krb5.changes index 394ff08..510b7dc 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,50 @@ +------------------------------------------------------------------- +Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero + +- Update to 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. + +------------------------------------------------------------------- +Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero + +- Update to 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. + * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. + * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. + * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. + * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). + ------------------------------------------------------------------- Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero diff --git a/krb5.spec b/krb5.spec index 45e128f..779b2b9 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.18.3 +Version: 1.19.1 Release: 0 Summary: MIT Kerberos5 implementation License: MIT