Accepting request 79471 from home:mcalmer:branches:network
- update to version 2.3.13
* don't bother creating a v5 ccache in "external" mode
* add a "trace" option to enable libkrb5 tracing, if available
* avoid trying to get password-change creds twice
* use an in-memory ccache when obtaining tokens using v5 creds
* turn off creds==session in "sshd"
* add a "validate_user_user" option to control trying to perform
user-to-user authentication to validate TGTs when a keytab is not
available
* add an "ignore_k5login" option to control whether or not the module
will use the krb5_kuserok() function to perform additional
authorization checks
* turn on validation by default - verify_ap_req_nofail controls how we
treat errors reading keytab files now
* add an "always_allow_localname" option when we can use
krb5_aname_to_localname() to second-guess the krb5_kuserok() check
* prefer krb5_change_password() to krb5_set_password()
OBS-URL: https://build.opensuse.org/request/show/79471
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19
This commit is contained in:
Michael Calmer
Git OBS Bridge
parent
6699af2688
commit
4ccaaa958f
@ -1,7 +1,8 @@
|
||||
diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
|
||||
--- pam_krb5-2.3.11-1.orig/src/auth.c 2010-09-21 15:58:10.021370000 +0200
|
||||
+++ pam_krb5-2.3.11-1/src/auth.c 2010-09-21 17:02:33.329265000 +0200
|
||||
@@ -522,13 +522,32 @@
|
||||
Index: pam_krb5-2.3.13-1/src/auth.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.13-1.orig/src/auth.c
|
||||
+++ pam_krb5-2.3.13-1/src/auth.c
|
||||
@@ -532,13 +532,32 @@ int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
{
|
||||
@ -28,18 +29,18 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
|
||||
+
|
||||
+ if (options->debug) {
|
||||
+ debug("pam_setcred (%s) called",
|
||||
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
|
||||
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
|
||||
+ }
|
||||
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
|
||||
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
|
||||
+ }
|
||||
if (flags & PAM_ESTABLISH_CRED) {
|
||||
+ _pam_krb5_options_free(pamh, ctx, options);
|
||||
+ krb5_free_context(ctx);
|
||||
return pam_sm_open_session(pamh, flags, argc, argv);
|
||||
}
|
||||
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
|
||||
@@ -541,19 +560,29 @@
|
||||
return _pam_krb5_open_session(pamh, flags, argc, argv,
|
||||
"pam_setcred(PAM_ESTABLISH_CRED)",
|
||||
_pam_krb5_session_caller_setcred);
|
||||
@@ -553,21 +572,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
}
|
||||
saved_perms = NULL;
|
||||
|
||||
@ -50,7 +51,7 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
|
||||
- debug("looks unsafe - ignore refresh");
|
||||
+ if (options->debug) {
|
||||
+ debug("looks unsafe - ignore refresh");
|
||||
+ }
|
||||
+ }
|
||||
if (saved_perms != NULL) {
|
||||
_pam_krb5_restore_perms_r2e(saved_perms);
|
||||
}
|
||||
@ -63,7 +64,9 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
|
||||
if (flags & PAM_DELETE_CRED) {
|
||||
+ _pam_krb5_options_free(pamh, ctx, options);
|
||||
+ krb5_free_context(ctx);
|
||||
return pam_sm_close_session(pamh, flags, argc, argv);
|
||||
return _pam_krb5_close_session(pamh, flags, argc, argv,
|
||||
"pam_setcred(PAM_DELETE_CRED)",
|
||||
_pam_krb5_session_caller_setcred);
|
||||
}
|
||||
warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED");
|
||||
+ _pam_krb5_options_free(pamh, ctx, options);
|
||||
|
||||
@ -2,7 +2,7 @@ Index: configure.ac
|
||||
===================================================================
|
||||
--- configure.ac.orig
|
||||
+++ configure.ac
|
||||
@@ -109,14 +109,14 @@ AC_SUBST(KRB5_BINDIR)
|
||||
@@ -157,14 +157,14 @@ AC_SUBST(KRB5_BINDIR)
|
||||
AC_CHECK_LIB(resolv,main)
|
||||
KRB5_CFLAGS=`$KRB5_CONFIG --cflags krb5`
|
||||
KRB5_LIBS=`$KRB5_CONFIG --libs krb5`
|
||||
|
||||
@ -2,9 +2,9 @@ Index: src/auth.c
|
||||
===================================================================
|
||||
--- src/auth.c.orig
|
||||
+++ src/auth.c
|
||||
@@ -554,6 +554,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
if (flags & PAM_DELETE_CRED) {
|
||||
return pam_sm_close_session(pamh, flags, argc, argv);
|
||||
@@ -568,6 +568,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
"pam_setcred(PAM_DELETE_CRED)",
|
||||
_pam_krb5_session_caller_setcred);
|
||||
}
|
||||
- warn("pam_setcred() called with no flags");
|
||||
- return PAM_SERVICE_ERR;
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Index: pam_krb5-2.3.7-1/src/acct.c
|
||||
Index: pam_krb5-2.3.13-1/src/acct.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.7-1.orig/src/acct.c
|
||||
+++ pam_krb5-2.3.7-1/src/acct.c
|
||||
--- pam_krb5-2.3.13-1.orig/src/acct.c
|
||||
+++ pam_krb5-2.3.13-1/src/acct.c
|
||||
@@ -96,6 +96,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
||||
krb5_free_context(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
@ -13,11 +13,11 @@ Index: pam_krb5-2.3.7-1/src/acct.c
|
||||
|
||||
/* Get information about the user and the user's principal name. */
|
||||
userinfo = _pam_krb5_user_info_init(ctx, user, options);
|
||||
Index: pam_krb5-2.3.7-1/src/auth.c
|
||||
Index: pam_krb5-2.3.13-1/src/auth.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.7-1.orig/src/auth.c
|
||||
+++ pam_krb5-2.3.7-1/src/auth.c
|
||||
@@ -114,9 +114,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
||||
--- pam_krb5-2.3.13-1.orig/src/auth.c
|
||||
+++ pam_krb5-2.3.13-1/src/auth.c
|
||||
@@ -115,9 +115,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
if (options->debug) {
|
||||
@ -30,7 +30,7 @@ Index: pam_krb5-2.3.7-1/src/auth.c
|
||||
_pam_krb5_set_init_opts(ctx, gic_options, options);
|
||||
|
||||
/* Prompt for the password, as we might need to. */
|
||||
@@ -520,6 +521,11 @@ int
|
||||
@@ -530,6 +531,11 @@ int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
{
|
||||
@ -40,12 +40,12 @@ Index: pam_krb5-2.3.7-1/src/auth.c
|
||||
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
|
||||
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
|
||||
if (flags & PAM_ESTABLISH_CRED) {
|
||||
return pam_sm_open_session(pamh, flags, argc, argv);
|
||||
}
|
||||
Index: pam_krb5-2.3.7-1/src/password.c
|
||||
return _pam_krb5_open_session(pamh, flags, argc, argv,
|
||||
"pam_setcred(PAM_ESTABLISH_CRED)",
|
||||
Index: pam_krb5-2.3.13-1/src/password.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.7-1.orig/src/password.c
|
||||
+++ pam_krb5-2.3.7-1/src/password.c
|
||||
--- pam_krb5-2.3.13-1.orig/src/password.c
|
||||
+++ pam_krb5-2.3.13-1/src/password.c
|
||||
@@ -116,6 +116,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
krb5_free_context(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
@ -63,11 +63,11 @@ Index: pam_krb5-2.3.7-1/src/password.c
|
||||
_pam_krb5_set_init_opts(ctx, gic_options, options);
|
||||
|
||||
/* Get information about the user and the user's principal name. */
|
||||
Index: pam_krb5-2.3.7-1/src/session.c
|
||||
Index: pam_krb5-2.3.13-1/src/session.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.7-1.orig/src/session.c
|
||||
+++ pam_krb5-2.3.7-1/src/session.c
|
||||
@@ -101,6 +101,10 @@ pam_sm_open_session(pam_handle_t *pamh,
|
||||
--- pam_krb5-2.3.13-1.orig/src/session.c
|
||||
+++ pam_krb5-2.3.13-1/src/session.c
|
||||
@@ -104,6 +104,10 @@ _pam_krb5_open_session(pam_handle_t *pam
|
||||
krb5_free_context(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
@ -76,11 +76,11 @@ Index: pam_krb5-2.3.7-1/src/session.c
|
||||
+ options->realm);
|
||||
+ }
|
||||
|
||||
/* Get information about the user and the user's principal name. */
|
||||
userinfo = _pam_krb5_user_info_init(ctx, user, options);
|
||||
@@ -331,7 +335,10 @@ pam_sm_close_session(pam_handle_t *pamh,
|
||||
/* If we're in a no-cred-session situation, return. */
|
||||
if ((!options->cred_session) &&
|
||||
@@ -358,7 +362,10 @@ _pam_krb5_close_session(pam_handle_t *pa
|
||||
krb5_free_context(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
-
|
||||
+ if (options->debug) {
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Index: pam_krb5-2.3.10-3/src/auth.c
|
||||
Index: pam_krb5-2.3.13-1/src/auth.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.10-3.orig/src/auth.c
|
||||
+++ pam_krb5-2.3.10-3/src/auth.c
|
||||
--- pam_krb5-2.3.13-1.orig/src/auth.c
|
||||
+++ pam_krb5-2.3.13-1/src/auth.c
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "items.h"
|
||||
#include "kuserok.h"
|
||||
@ -9,8 +9,8 @@ Index: pam_krb5-2.3.10-3/src/auth.c
|
||||
+#include "perms.h"
|
||||
#include "options.h"
|
||||
#include "prompter.h"
|
||||
#include "sly.h"
|
||||
@@ -521,6 +522,7 @@ int
|
||||
#include "session.h"
|
||||
@@ -531,6 +532,7 @@ int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
{
|
||||
@ -18,8 +18,8 @@ Index: pam_krb5-2.3.10-3/src/auth.c
|
||||
notice("pam_setcred (%s) called",
|
||||
(flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
@@ -530,10 +532,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
return pam_sm_open_session(pamh, flags, argc, argv);
|
||||
@@ -542,10 +544,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
_pam_krb5_session_caller_setcred);
|
||||
}
|
||||
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
|
||||
+ saved_perms = _pam_krb5_switch_perms_r2e();
|
||||
@ -43,10 +43,10 @@ Index: pam_krb5-2.3.10-3/src/auth.c
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
}
|
||||
Index: pam_krb5-2.3.10-3/src/perms.c
|
||||
Index: pam_krb5-2.3.13-1/src/perms.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.10-3.orig/src/perms.c
|
||||
+++ pam_krb5-2.3.10-3/src/perms.c
|
||||
--- pam_krb5-2.3.13-1.orig/src/perms.c
|
||||
+++ pam_krb5-2.3.13-1/src/perms.c
|
||||
@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
|
||||
}
|
||||
return ret;
|
||||
@ -97,10 +97,10 @@ Index: pam_krb5-2.3.10-3/src/perms.c
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
Index: pam_krb5-2.3.10-3/src/perms.h
|
||||
Index: pam_krb5-2.3.13-1/src/perms.h
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.10-3.orig/src/perms.h
|
||||
+++ pam_krb5-2.3.10-3/src/perms.h
|
||||
--- pam_krb5-2.3.13-1.orig/src/perms.h
|
||||
+++ pam_krb5-2.3.13-1/src/perms.h
|
||||
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
|
||||
struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
|
||||
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:784f400c85d27dc92fc7039c8286467086d3465c066bbac1bafc0cb0453cbed3
|
||||
size 430477
|
||||
3
pam_krb5-2.3.13-1.tar.bz2
Normal file
3
pam_krb5-2.3.13-1.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:bcb8fd3a440a07738851bb5f726ccdf618d95ddf4dd57e026de6718b7b1ac157
|
||||
size 432029
|
||||
@ -2,25 +2,17 @@ Index: po/LINGUAS
|
||||
===================================================================
|
||||
--- po/LINGUAS.orig
|
||||
+++ po/LINGUAS
|
||||
@@ -15,3 +15,21 @@ ro
|
||||
sr
|
||||
sr@latin
|
||||
sv
|
||||
@@ -33,3 +33,13 @@ te
|
||||
uk
|
||||
zh_CN
|
||||
zh_TW
|
||||
+ar
|
||||
+bg
|
||||
+da
|
||||
+fi
|
||||
+fr
|
||||
+hr
|
||||
+ja
|
||||
+ka
|
||||
+km
|
||||
+ko
|
||||
+nb
|
||||
+pt
|
||||
+ru
|
||||
+th
|
||||
+uk
|
||||
+wa
|
||||
+zh_CN
|
||||
+zh_TW
|
||||
|
||||
@ -1,3 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Aug 21 15:17:26 UTC 2011 - mc@novell.com
|
||||
|
||||
- update to version 2.3.13
|
||||
* don't bother creating a v5 ccache in "external" mode
|
||||
* add a "trace" option to enable libkrb5 tracing, if available
|
||||
* avoid trying to get password-change creds twice
|
||||
* use an in-memory ccache when obtaining tokens using v5 creds
|
||||
* turn off creds==session in "sshd"
|
||||
* add a "validate_user_user" option to control trying to perform
|
||||
user-to-user authentication to validate TGTs when a keytab is not
|
||||
available
|
||||
* add an "ignore_k5login" option to control whether or not the module
|
||||
will use the krb5_kuserok() function to perform additional
|
||||
authorization checks
|
||||
* turn on validation by default - verify_ap_req_nofail controls how we
|
||||
treat errors reading keytab files now
|
||||
* add an "always_allow_localname" option when we can use
|
||||
krb5_aname_to_localname() to second-guess the krb5_kuserok() check
|
||||
* prefer krb5_change_password() to krb5_set_password()
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 1 17:41:57 CET 2011 - mc@suse.de
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ AutoReqProv: on
|
||||
Obsoletes: pam_krb5-64bit
|
||||
%endif
|
||||
#
|
||||
Version: 2.3.11
|
||||
Version: 2.3.13
|
||||
Release: 9
|
||||
Summary: PAM Module for Kerberos Authentication
|
||||
Url: http://sourceforge.net/projects/pam-krb5/
|
||||
@ -43,6 +43,7 @@ Patch3: pam_krb5-LINGUAS.dif
|
||||
Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif
|
||||
Patch5: pam_krb5-2.2.3-1-setcred-assume-establish.dif
|
||||
Patch6: bug-641008_pam_krb5-2.3.11-setcred-log.diff
|
||||
Patch7: use-urandom-for-tests.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -58,13 +59,17 @@ supports updating your Kerberos password.
|
||||
%patch4 -p1
|
||||
%patch5
|
||||
%patch6 -p1
|
||||
|
||||
%patch7 -p1
|
||||
%build
|
||||
CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \
|
||||
./configure --libdir=/%_lib/ \
|
||||
--prefix=/usr \
|
||||
--mandir=%{_mandir} \
|
||||
--with-os-distribution="openSUSE"
|
||||
--with-os-distribution="openSUSE" \
|
||||
--with-default-use-shmem="sshd" \
|
||||
--with-default-external="sshd sshd-rekey gssftp" \
|
||||
--with-default-multiple-ccaches="su su-l" \
|
||||
--with-default-no-cred-session="sshd"
|
||||
make %{?jobs:-j%jobs}
|
||||
make -C po update-po
|
||||
make check
|
||||
|
||||
13
use-urandom-for-tests.dif
Normal file
13
use-urandom-for-tests.dif
Normal file
@ -0,0 +1,13 @@
|
||||
Index: pam_krb5-2.3.13-1/tests/testenv.sh.in
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.13-1.orig/tests/testenv.sh.in
|
||||
+++ pam_krb5-2.3.13-1/tests/testenv.sh.in
|
||||
@@ -72,7 +72,7 @@ fi
|
||||
test_kdcinitdb() {
|
||||
test -d @abs_builddir@/kdc || mkdir -p @abs_builddir@/kdc
|
||||
kdb5_util destroy -f 2> /dev/null > /dev/null
|
||||
- (echo .; echo .; echo .) | kdb5_util create -s 2> /dev/null > /dev/null
|
||||
+ (echo .; echo .; echo .) | kdb5_util create -s -W 2> /dev/null > /dev/null
|
||||
|
||||
$kadmin -q 'addpol -minlength 6 minimum_six' 2> /dev/null > /dev/null
|
||||
$kadmin -q 'ank -pw foo '$test_principal 2> /dev/null > /dev/null
|
||||
Loading…
Reference in New Issue
Block a user