From 4ccaaa958f902ede53d4d99f22f7a3b272e3a82d5bc25f10f71e9f5eb2968c52 Mon Sep 17 00:00:00 2001 From: Michael Calmer Date: Mon, 22 Aug 2011 08:25:27 +0000 Subject: [PATCH] Accepting request 79471 from home:mcalmer:branches:network - update to version 2.3.13 * don't bother creating a v5 ccache in "external" mode * add a "trace" option to enable libkrb5 tracing, if available * avoid trying to get password-change creds twice * use an in-memory ccache when obtaining tokens using v5 creds * turn off creds==session in "sshd" * add a "validate_user_user" option to control trying to perform user-to-user authentication to validate TGTs when a keytab is not available * add an "ignore_k5login" option to control whether or not the module will use the krb5_kuserok() function to perform additional authorization checks * turn on validation by default - verify_ap_req_nofail controls how we treat errors reading keytab files now * add an "always_allow_localname" option when we can use krb5_aname_to_localname() to second-guess the krb5_kuserok() check * prefer krb5_change_password() to krb5_set_password() OBS-URL: https://build.opensuse.org/request/show/79471 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19 --- bug-641008_pam_krb5-2.3.11-setcred-log.diff | 33 ++++++++------- pam_krb5-2.2.0-0.5-configure_ac.dif | 2 +- pam_krb5-2.2.3-1-setcred-assume-establish.dif | 6 +-- pam_krb5-2.3.1-log-choise.dif | 42 +++++++++---------- pam_krb5-2.3.1-switch-perms-on-refresh.dif | 26 ++++++------ pam_krb5-2.3.11-1.tar.bz2 | 3 -- pam_krb5-2.3.13-1.tar.bz2 | 3 ++ pam_krb5-LINGUAS.dif | 16 ++----- pam_krb5.changes | 21 ++++++++++ pam_krb5.spec | 11 +++-- use-urandom-for-tests.dif | 13 ++++++ 11 files changed, 105 insertions(+), 71 deletions(-) delete mode 100644 pam_krb5-2.3.11-1.tar.bz2 create mode 100644 pam_krb5-2.3.13-1.tar.bz2 create mode 100644 use-urandom-for-tests.dif 
diff --git a/bug-641008_pam_krb5-2.3.11-setcred-log.diff b/bug-641008_pam_krb5-2.3.11-setcred-log.diff index b59a302..0acc9af 100644 --- a/bug-641008_pam_krb5-2.3.11-setcred-log.diff +++ b/bug-641008_pam_krb5-2.3.11-setcred-log.diff @@ -1,7 +1,8 @@ -diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c ---- pam_krb5-2.3.11-1.orig/src/auth.c 2010-09-21 15:58:10.021370000 +0200 -+++ pam_krb5-2.3.11-1/src/auth.c 2010-09-21 17:02:33.329265000 +0200 -@@ -522,13 +522,32 @@ +Index: pam_krb5-2.3.13-1/src/auth.c +=================================================================== +--- pam_krb5-2.3.13-1.orig/src/auth.c ++++ pam_krb5-2.3.13-1/src/auth.c +@@ -532,13 +532,32 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) { @@ -28,18 +29,18 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c + + if (options->debug) { + debug("pam_setcred (%s) called", -+ (flags & PAM_ESTABLISH_CRED)?"establish credential": -+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -+ (flags & PAM_REFRESH_CRED)?"refresh credential": -+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); -+ } ++ (flags & PAM_ESTABLISH_CRED)?"establish credential": ++ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": ++ (flags & PAM_REFRESH_CRED)?"refresh credential": ++ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); ++ } if (flags & PAM_ESTABLISH_CRED) { + _pam_krb5_options_free(pamh, ctx, options); + krb5_free_context(ctx); - return pam_sm_open_session(pamh, flags, argc, argv); - } - if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { -@@ -541,19 +560,29 @@ + return _pam_krb5_open_session(pamh, flags, argc, argv, + "pam_setcred(PAM_ESTABLISH_CRED)", + _pam_krb5_session_caller_setcred); +@@ -553,21 +572,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f } saved_perms = NULL; 
@@ -50,7 +51,7 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c - debug("looks unsafe - ignore refresh"); + if (options->debug) { + debug("looks unsafe - ignore refresh"); -+ } ++ } if (saved_perms != NULL) { _pam_krb5_restore_perms_r2e(saved_perms); } @@ -63,7 +64,9 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c if (flags & PAM_DELETE_CRED) { + _pam_krb5_options_free(pamh, ctx, options); + krb5_free_context(ctx); - return pam_sm_close_session(pamh, flags, argc, argv); + return _pam_krb5_close_session(pamh, flags, argc, argv, + "pam_setcred(PAM_DELETE_CRED)", + _pam_krb5_session_caller_setcred); } warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED"); + _pam_krb5_options_free(pamh, ctx, options); diff --git a/pam_krb5-2.2.0-0.5-configure_ac.dif b/pam_krb5-2.2.0-0.5-configure_ac.dif index 08c7661..2805f2f 100644 --- a/pam_krb5-2.2.0-0.5-configure_ac.dif +++ b/pam_krb5-2.2.0-0.5-configure_ac.dif @@ -2,7 +2,7 @@ Index: configure.ac =================================================================== --- configure.ac.orig +++ configure.ac -@@ -109,14 +109,14 @@ AC_SUBST(KRB5_BINDIR) +@@ -157,14 +157,14 @@ AC_SUBST(KRB5_BINDIR) AC_CHECK_LIB(resolv,main) KRB5_CFLAGS=`$KRB5_CONFIG --cflags krb5` KRB5_LIBS=`$KRB5_CONFIG --libs krb5` diff --git a/pam_krb5-2.2.3-1-setcred-assume-establish.dif b/pam_krb5-2.2.3-1-setcred-assume-establish.dif index 18bb651..cc91f40 100644 --- a/pam_krb5-2.2.3-1-setcred-assume-establish.dif +++ b/pam_krb5-2.2.3-1-setcred-assume-establish.dif 
@@ -2,9 +2,9 @@ Index: src/auth.c =================================================================== --- src/auth.c.orig +++ src/auth.c -@@ -554,6 +554,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f - if (flags & PAM_DELETE_CRED) { - return pam_sm_close_session(pamh, flags, argc, argv); +@@ -568,6 +568,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f + "pam_setcred(PAM_DELETE_CRED)", + _pam_krb5_session_caller_setcred); } - warn("pam_setcred() called with no flags"); - return PAM_SERVICE_ERR; diff --git a/pam_krb5-2.3.1-log-choise.dif b/pam_krb5-2.3.1-log-choise.dif index e2f45a1..55b60f1 100644 --- a/pam_krb5-2.3.1-log-choise.dif +++ b/pam_krb5-2.3.1-log-choise.dif @@ -1,7 +1,7 @@ -Index: pam_krb5-2.3.7-1/src/acct.c +Index: pam_krb5-2.3.13-1/src/acct.c =================================================================== ---- pam_krb5-2.3.7-1.orig/src/acct.c -+++ pam_krb5-2.3.7-1/src/acct.c +--- pam_krb5-2.3.13-1.orig/src/acct.c ++++ pam_krb5-2.3.13-1/src/acct.c @@ -96,6 +96,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int krb5_free_context(ctx); return PAM_SERVICE_ERR; @@ -13,11 +13,11 @@ Index: pam_krb5-2.3.7-1/src/acct.c /* Get information about the user and the user's principal name. */ userinfo = _pam_krb5_user_info_init(ctx, user, options); -Index: pam_krb5-2.3.7-1/src/auth.c +Index: pam_krb5-2.3.13-1/src/auth.c =================================================================== ---- pam_krb5-2.3.7-1.orig/src/auth.c -+++ pam_krb5-2.3.7-1/src/auth.c -@@ -114,9 +114,10 @@ pam_sm_authenticate(pam_handle_t *pamh, +--- pam_krb5-2.3.13-1.orig/src/auth.c ++++ pam_krb5-2.3.13-1/src/auth.c +@@ -115,9 +115,10 @@ pam_sm_authenticate(pam_handle_t *pamh, return PAM_SERVICE_ERR; } if (options->debug) { 
@@ -30,7 +30,7 @@ Index: pam_krb5-2.3.7-1/src/auth.c _pam_krb5_set_init_opts(ctx, gic_options, options); /* Prompt for the password, as we might need to. */ -@@ -520,6 +521,11 @@ int +@@ -530,6 +531,11 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) { @@ -40,12 +40,12 @@ Index: pam_krb5-2.3.7-1/src/auth.c + (flags & PAM_REFRESH_CRED)?"refresh credential": + (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); if (flags & PAM_ESTABLISH_CRED) { - return pam_sm_open_session(pamh, flags, argc, argv); - } -Index: pam_krb5-2.3.7-1/src/password.c + return _pam_krb5_open_session(pamh, flags, argc, argv, + "pam_setcred(PAM_ESTABLISH_CRED)", +Index: pam_krb5-2.3.13-1/src/password.c =================================================================== ---- pam_krb5-2.3.7-1.orig/src/password.c -+++ pam_krb5-2.3.7-1/src/password.c +--- pam_krb5-2.3.13-1.orig/src/password.c ++++ pam_krb5-2.3.13-1/src/password.c @@ -116,6 +116,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int krb5_free_context(ctx); return PAM_SERVICE_ERR; @@ -63,11 +63,11 @@ Index: pam_krb5-2.3.7-1/src/password.c _pam_krb5_set_init_opts(ctx, gic_options, options); /* Get information about the user and the user's principal name. */ -Index: pam_krb5-2.3.7-1/src/session.c +Index: pam_krb5-2.3.13-1/src/session.c =================================================================== ---- pam_krb5-2.3.7-1.orig/src/session.c -+++ pam_krb5-2.3.7-1/src/session.c -@@ -101,6 +101,10 @@ pam_sm_open_session(pam_handle_t *pamh, +--- pam_krb5-2.3.13-1.orig/src/session.c ++++ pam_krb5-2.3.13-1/src/session.c +@@ -104,6 +104,10 @@ _pam_krb5_open_session(pam_handle_t *pam krb5_free_context(ctx); return PAM_SERVICE_ERR; } 
@@ -76,11 +76,11 @@ Index: pam_krb5-2.3.7-1/src/session.c + options->realm); + } - /* Get information about the user and the user's principal name. */ - userinfo = _pam_krb5_user_info_init(ctx, user, options); -@@ -331,7 +335,10 @@ pam_sm_close_session(pam_handle_t *pamh, + /* If we're in a no-cred-session situation, return. */ + if ((!options->cred_session) && +@@ -358,7 +362,10 @@ _pam_krb5_close_session(pam_handle_t *pa krb5_free_context(ctx); - return PAM_SERVICE_ERR; + return PAM_SUCCESS; } - + if (options->debug) { diff --git a/pam_krb5-2.3.1-switch-perms-on-refresh.dif b/pam_krb5-2.3.1-switch-perms-on-refresh.dif index 886d9f1..c0edf48 100644 --- a/pam_krb5-2.3.1-switch-perms-on-refresh.dif +++ b/pam_krb5-2.3.1-switch-perms-on-refresh.dif @@ -1,7 +1,7 @@ -Index: pam_krb5-2.3.10-3/src/auth.c +Index: pam_krb5-2.3.13-1/src/auth.c =================================================================== ---- pam_krb5-2.3.10-3.orig/src/auth.c -+++ pam_krb5-2.3.10-3/src/auth.c +--- pam_krb5-2.3.13-1.orig/src/auth.c ++++ pam_krb5-2.3.13-1/src/auth.c @@ -62,6 +62,7 @@ #include "items.h" #include "kuserok.h" @@ -9,8 +9,8 @@ Index: pam_krb5-2.3.10-3/src/auth.c +#include "perms.h" #include "options.h" #include "prompter.h" - #include "sly.h" -@@ -521,6 +522,7 @@ int + #include "session.h" +@@ -531,6 +532,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) { @@ -18,8 +18,8 @@ Index: pam_krb5-2.3.10-3/src/auth.c notice("pam_setcred (%s) called", (flags & PAM_ESTABLISH_CRED)?"establish credential": (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -@@ -530,10 +532,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f - return pam_sm_open_session(pamh, flags, argc, argv); +@@ -542,10 +544,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f + _pam_krb5_session_caller_setcred); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { + saved_perms = _pam_krb5_switch_perms_r2e(); 
@@ -43,10 +43,10 @@ Index: pam_krb5-2.3.10-3/src/auth.c return PAM_IGNORE; } } -Index: pam_krb5-2.3.10-3/src/perms.c +Index: pam_krb5-2.3.13-1/src/perms.c =================================================================== ---- pam_krb5-2.3.10-3.orig/src/perms.c -+++ pam_krb5-2.3.10-3/src/perms.c +--- pam_krb5-2.3.13-1.orig/src/perms.c ++++ pam_krb5-2.3.13-1/src/perms.c @@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 } return ret; @@ -97,10 +97,10 @@ Index: pam_krb5-2.3.10-3/src/perms.c + } + return ret; +} -Index: pam_krb5-2.3.10-3/src/perms.h +Index: pam_krb5-2.3.13-1/src/perms.h =================================================================== ---- pam_krb5-2.3.10-3.orig/src/perms.h -+++ pam_krb5-2.3.10-3/src/perms.h +--- pam_krb5-2.3.13-1.orig/src/perms.h ++++ pam_krb5-2.3.13-1/src/perms.h @@ -37,4 +37,7 @@ struct _pam_krb5_perms; struct _pam_krb5_perms *_pam_krb5_switch_perms(void); int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); diff --git a/pam_krb5-2.3.11-1.tar.bz2 b/pam_krb5-2.3.11-1.tar.bz2 deleted file mode 100644 index a2b1f61..0000000 --- a/pam_krb5-2.3.11-1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:784f400c85d27dc92fc7039c8286467086d3465c066bbac1bafc0cb0453cbed3 -size 430477 diff --git a/pam_krb5-2.3.13-1.tar.bz2 b/pam_krb5-2.3.13-1.tar.bz2 new file mode 100644 index 0000000..df03733 --- /dev/null +++ b/pam_krb5-2.3.13-1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bcb8fd3a440a07738851bb5f726ccdf618d95ddf4dd57e026de6718b7b1ac157 +size 432029 diff --git a/pam_krb5-LINGUAS.dif b/pam_krb5-LINGUAS.dif index 136c7ce..01d527e 100644 --- a/pam_krb5-LINGUAS.dif +++ b/pam_krb5-LINGUAS.dif 
@@ -2,25 +2,17 @@ Index: po/LINGUAS =================================================================== --- po/LINGUAS.orig +++ po/LINGUAS -@@ -15,3 +15,21 @@ ro - sr - sr@latin - sv +@@ -33,3 +33,13 @@ te + uk + zh_CN + zh_TW +ar +bg -+da +fi -+fr +hr -+ja +ka +km -+ko +nb +pt -+ru +th -+uk +wa -+zh_CN -+zh_TW diff --git a/pam_krb5.changes b/pam_krb5.changes index 3786c1f..4c4f701 100644 --- a/pam_krb5.changes +++ b/pam_krb5.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Sun Aug 21 15:17:26 UTC 2011 - mc@novell.com + +- update to version 2.3.13 + * don't bother creating a v5 ccache in "external" mode + * add a "trace" option to enable libkrb5 tracing, if available + * avoid trying to get password-change creds twice + * use an in-memory ccache when obtaining tokens using v5 creds + * turn off creds==session in "sshd" + * add a "validate_user_user" option to control trying to perform + user-to-user authentication to validate TGTs when a keytab is not + available + * add an "ignore_k5login" option to control whether or not the module + will use the krb5_kuserok() function to perform additional + authorization checks + * turn on validation by default - verify_ap_req_nofail controls how we + treat errors reading keytab files now + * add an "always_allow_localname" option when we can use + krb5_aname_to_localname() to second-guess the krb5_kuserok() check + * prefer krb5_change_password() to krb5_set_password() + ------------------------------------------------------------------- Tue Mar 1 17:41:57 CET 2011 - mc@suse.de diff --git a/pam_krb5.spec b/pam_krb5.spec index 1eeeb3c..b4fb0a9 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -30,7 +30,7 @@ AutoReqProv: on Obsoletes: pam_krb5-64bit %endif # -Version: 2.3.11 +Version: 2.3.13 Release: 9 Summary: PAM Module for Kerberos Authentication Url: http://sourceforge.net/projects/pam-krb5/ 
@@ -43,6 +43,7 @@ Patch3: pam_krb5-LINGUAS.dif Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif Patch5: pam_krb5-2.2.3-1-setcred-assume-establish.dif Patch6: bug-641008_pam_krb5-2.3.11-setcred-log.diff +Patch7: use-urandom-for-tests.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -58,13 +59,17 @@ supports updating your Kerberos password. %patch4 -p1 %patch5 %patch6 -p1 - +%patch7 -p1 %build CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \ ./configure --libdir=/%_lib/ \ --prefix=/usr \ --mandir=%{_mandir} \ - --with-os-distribution="openSUSE" + --with-os-distribution="openSUSE" \ + --with-default-use-shmem="sshd" \ + --with-default-external="sshd sshd-rekey gssftp" \ + --with-default-multiple-ccaches="su su-l" \ + --with-default-no-cred-session="sshd" make %{?jobs:-j%jobs} make -C po update-po make check diff --git a/use-urandom-for-tests.dif b/use-urandom-for-tests.dif new file mode 100644 index 0000000..4f01e4c --- /dev/null +++ b/use-urandom-for-tests.dif @@ -0,0 +1,13 @@ +Index: pam_krb5-2.3.13-1/tests/testenv.sh.in +=================================================================== +--- pam_krb5-2.3.13-1.orig/tests/testenv.sh.in ++++ pam_krb5-2.3.13-1/tests/testenv.sh.in +@@ -72,7 +72,7 @@ fi + test_kdcinitdb() { + test -d @abs_builddir@/kdc || mkdir -p @abs_builddir@/kdc + kdb5_util destroy -f 2> /dev/null > /dev/null +- (echo .; echo .; echo .) | kdb5_util create -s 2> /dev/null > /dev/null ++ (echo .; echo .; echo .) | kdb5_util create -s -W 2> /dev/null > /dev/null + + $kadmin -q 'addpol -minlength 6 minimum_six' 2> /dev/null > /dev/null + $kadmin -q 'ank -pw foo '$test_principal 2> /dev/null > /dev/null
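Review bot: The four new `--with-default-*` options added to the `./configure` call in the second spec hunk decide which PAM services get shmem, external, multiple-ccache and no-cred-session handling by default, yet nothing in the commit says why they are now pinned in the spec, and the pam_krb5.changes hunk lists only the upstream 2.3.13 items. If these values are meant to match upstream's own compiled-in defaults (the "turn off creds==session in sshd" changelog line suggests at least the last one does), record that intent next to the configure call, e.g. `# default service lists pinned explicitly; review against upstream configure defaults on each version update`, and add a `.changes` line for the packaging change, such as `- pass the use-shmem/external/multiple-ccaches/no-cred-session service lists to configure explicitly` plus one for `Patch7`. Also, `+%patch7 -p1` takes the place of the blank line that separated the `%prep` patch list from `%build`; keep an empty line after it so the sections stay visually separated.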
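Review bot: The new use-urandom-for-tests.dif carries no header before its `Index:` line, so the only explanation of why `-W` is added to `kdb5_util create -s` in test_kdcinitdb() is the file name, which presumably means the test KDC should not block on /dev/random during `make check`. Add a two- or three-line description above the hunk stating the purpose and scope, e.g. `Pass -W to kdb5_util create in tests/testenv.sh.in so creating the throw-away test KDC database does not stall waiting for entropy during the build; the flag is applied only to the test environment, not to anything installed by the package.` Stating the scope explicitly matters because the option weakens the randomness used for the test database's master key, which is acceptable for a temporary build-time KDC but should not be mistaken for a recommended setting when this patch is refreshed for later versions.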