pool/pam_krb5
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 79471 from home:mcalmer:branches:network

Browse Source 
- update to version 2.3.13
  * don't bother creating a v5 ccache in "external" mode
  * add a "trace" option to enable libkrb5 tracing, if available
  * avoid trying to get password-change creds twice
  * use an in-memory ccache when obtaining tokens using v5 creds
  * turn off creds==session in "sshd"
  * add a "validate_user_user" option to control trying to perform
    user-to-user authentication to validate TGTs when a keytab is not
    available
  * add an "ignore_k5login" option to control whether or not the module
    will use the krb5_kuserok() function to perform additional
    authorization checks
  * turn on validation by default - verify_ap_req_nofail controls how we
    treat errors reading keytab files now
  * add an "always_allow_localname" option when we can use
    krb5_aname_to_localname() to second-guess the krb5_kuserok() check
  * prefer krb5_change_password() to krb5_set_password()

OBS-URL: https://build.opensuse.org/request/show/79471
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19
This commit is contained in:
Michael Calmer 2011-08-22 08:25:27 +00:00 committed by Git OBS Bridge
parent 6699af2688
commit 4ccaaa958f
11 changed files with 105 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
bug-641008_pam_krb5-2.3.11-setcred-log.diff
View File

@ -1,7 +1,8 @@
diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c Index: pam_krb5-2.3.13-1/src/auth.c
--- pam_krb5-2.3.11-1.orig/src/auth.c 2010-09-21 15:58:10.021370000 +0200 ===================================================================
+++ pam_krb5-2.3.11-1/src/auth.c 2010-09-21 17:02:33.329265000 +0200 --- pam_krb5-2.3.13-1.orig/src/auth.c
@@ -522,13 +522,32 @@ +++ pam_krb5-2.3.13-1/src/auth.c
@@ -532,13 +532,32 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags, pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv) int argc, PAM_KRB5_MAYBE_CONST char **argv)
{ {
@ -28,18 +29,18 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
+ +
+ if (options->debug) { + if (options->debug) {
+ debug("pam_setcred (%s) called", + debug("pam_setcred (%s) called",
+ (flags & PAM_ESTABLISH_CRED)?"establish credential": + (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": + (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+ (flags & PAM_REFRESH_CRED)?"refresh credential": + (flags & PAM_REFRESH_CRED)?"refresh credential":
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); + (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+ } + }
if (flags & PAM_ESTABLISH_CRED) { if (flags & PAM_ESTABLISH_CRED) {
+ _pam_krb5_options_free(pamh, ctx, options); + _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx); + krb5_free_context(ctx);
return pam_sm_open_session(pamh, flags, argc, argv); return _pam_krb5_open_session(pamh, flags, argc, argv,
} "pam_setcred(PAM_ESTABLISH_CRED)",
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { _pam_krb5_session_caller_setcred);
@@ -541,19 +560,29 @@ @@ -553,21 +572,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f
} }
saved_perms = NULL; saved_perms = NULL;
@ -50,7 +51,7 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
- debug("looks unsafe - ignore refresh"); - debug("looks unsafe - ignore refresh");
+ if (options->debug) { + if (options->debug) {
+ debug("looks unsafe - ignore refresh"); + debug("looks unsafe - ignore refresh");
+ } + }
if (saved_perms != NULL) { if (saved_perms != NULL) {
_pam_krb5_restore_perms_r2e(saved_perms); _pam_krb5_restore_perms_r2e(saved_perms);
} }
@ -63,7 +64,9 @@ diff -ur pam_krb5-2.3.11-1.orig/src/auth.c pam_krb5-2.3.11-1/src/auth.c
if (flags & PAM_DELETE_CRED) { if (flags & PAM_DELETE_CRED) {
+ _pam_krb5_options_free(pamh, ctx, options); + _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx); + krb5_free_context(ctx);
return pam_sm_close_session(pamh, flags, argc, argv); return _pam_krb5_close_session(pamh, flags, argc, argv,
"pam_setcred(PAM_DELETE_CRED)",
_pam_krb5_session_caller_setcred);
} }
warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED"); warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED");
+ _pam_krb5_options_free(pamh, ctx, options); + _pam_krb5_options_free(pamh, ctx, options);

2
pam_krb5-2.2.0-0.5-configure_ac.dif
View File

@ -2,7 +2,7 @@ Index: configure.ac
=================================================================== ===================================================================
--- configure.ac.orig --- configure.ac.orig
+++ configure.ac +++ configure.ac
@@ -109,14 +109,14 @@ AC_SUBST(KRB5_BINDIR) @@ -157,14 +157,14 @@ AC_SUBST(KRB5_BINDIR)
AC_CHECK_LIB(resolv,main) AC_CHECK_LIB(resolv,main)
KRB5_CFLAGS=`$KRB5_CONFIG --cflags krb5` KRB5_CFLAGS=`$KRB5_CONFIG --cflags krb5`
KRB5_LIBS=`$KRB5_CONFIG --libs krb5` KRB5_LIBS=`$KRB5_CONFIG --libs krb5`

6
pam_krb5-2.2.3-1-setcred-assume-establish.dif
View File

@ -2,9 +2,9 @@ Index: src/auth.c
=================================================================== ===================================================================
--- src/auth.c.orig --- src/auth.c.orig
+++ src/auth.c +++ src/auth.c
@@ -554,6 +554,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f @@ -568,6 +568,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
if (flags & PAM_DELETE_CRED) { "pam_setcred(PAM_DELETE_CRED)",
return pam_sm_close_session(pamh, flags, argc, argv); _pam_krb5_session_caller_setcred);
} }
- warn("pam_setcred() called with no flags"); - warn("pam_setcred() called with no flags");
- return PAM_SERVICE_ERR; - return PAM_SERVICE_ERR;

42
pam_krb5-2.3.1-log-choise.dif
View File

@ -1,7 +1,7 @@
Index: pam_krb5-2.3.7-1/src/acct.c Index: pam_krb5-2.3.13-1/src/acct.c
=================================================================== ===================================================================
--- pam_krb5-2.3.7-1.orig/src/acct.c --- pam_krb5-2.3.13-1.orig/src/acct.c
+++ pam_krb5-2.3.7-1/src/acct.c +++ pam_krb5-2.3.13-1/src/acct.c
@@ -96,6 +96,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int @@ -96,6 +96,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
krb5_free_context(ctx); krb5_free_context(ctx);
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
@ -13,11 +13,11 @@ Index: pam_krb5-2.3.7-1/src/acct.c
/* Get information about the user and the user's principal name. */ /* Get information about the user and the user's principal name. */
userinfo = _pam_krb5_user_info_init(ctx, user, options); userinfo = _pam_krb5_user_info_init(ctx, user, options);
Index: pam_krb5-2.3.7-1/src/auth.c Index: pam_krb5-2.3.13-1/src/auth.c
=================================================================== ===================================================================
--- pam_krb5-2.3.7-1.orig/src/auth.c --- pam_krb5-2.3.13-1.orig/src/auth.c
+++ pam_krb5-2.3.7-1/src/auth.c +++ pam_krb5-2.3.13-1/src/auth.c
@@ -114,9 +114,10 @@ pam_sm_authenticate(pam_handle_t *pamh, @@ -115,9 +115,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
} }
if (options->debug) { if (options->debug) {
@ -30,7 +30,7 @@ Index: pam_krb5-2.3.7-1/src/auth.c
_pam_krb5_set_init_opts(ctx, gic_options, options); _pam_krb5_set_init_opts(ctx, gic_options, options);
/* Prompt for the password, as we might need to. */ /* Prompt for the password, as we might need to. */
@@ -520,6 +521,11 @@ int @@ -530,6 +531,11 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags, pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv) int argc, PAM_KRB5_MAYBE_CONST char **argv)
{ {
@ -40,12 +40,12 @@ Index: pam_krb5-2.3.7-1/src/auth.c
+ (flags & PAM_REFRESH_CRED)?"refresh credential": + (flags & PAM_REFRESH_CRED)?"refresh credential":
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); + (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
if (flags & PAM_ESTABLISH_CRED) { if (flags & PAM_ESTABLISH_CRED) {
return pam_sm_open_session(pamh, flags, argc, argv); return _pam_krb5_open_session(pamh, flags, argc, argv,
} "pam_setcred(PAM_ESTABLISH_CRED)",
Index: pam_krb5-2.3.7-1/src/password.c Index: pam_krb5-2.3.13-1/src/password.c
=================================================================== ===================================================================
--- pam_krb5-2.3.7-1.orig/src/password.c --- pam_krb5-2.3.13-1.orig/src/password.c
+++ pam_krb5-2.3.7-1/src/password.c +++ pam_krb5-2.3.13-1/src/password.c
@@ -116,6 +116,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int @@ -116,6 +116,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
krb5_free_context(ctx); krb5_free_context(ctx);
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
@ -63,11 +63,11 @@ Index: pam_krb5-2.3.7-1/src/password.c
_pam_krb5_set_init_opts(ctx, gic_options, options); _pam_krb5_set_init_opts(ctx, gic_options, options);
/* Get information about the user and the user's principal name. */ /* Get information about the user and the user's principal name. */
Index: pam_krb5-2.3.7-1/src/session.c Index: pam_krb5-2.3.13-1/src/session.c
=================================================================== ===================================================================
--- pam_krb5-2.3.7-1.orig/src/session.c --- pam_krb5-2.3.13-1.orig/src/session.c
+++ pam_krb5-2.3.7-1/src/session.c +++ pam_krb5-2.3.13-1/src/session.c
@@ -101,6 +101,10 @@ pam_sm_open_session(pam_handle_t *pamh, @@ -104,6 +104,10 @@ _pam_krb5_open_session(pam_handle_t *pam
krb5_free_context(ctx); krb5_free_context(ctx);
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
} }
@ -76,11 +76,11 @@ Index: pam_krb5-2.3.7-1/src/session.c
+ options->realm); + options->realm);
+ } + }
/* Get information about the user and the user's principal name. */ /* If we're in a no-cred-session situation, return. */
userinfo = _pam_krb5_user_info_init(ctx, user, options); if ((!options->cred_session) &&
@@ -331,7 +335,10 @@ pam_sm_close_session(pam_handle_t *pamh, @@ -358,7 +362,10 @@ _pam_krb5_close_session(pam_handle_t *pa
krb5_free_context(ctx); krb5_free_context(ctx);
return PAM_SERVICE_ERR; return PAM_SUCCESS;
} }
- -
+ if (options->debug) { + if (options->debug) {

26
pam_krb5-2.3.1-switch-perms-on-refresh.dif
View File

@ -1,7 +1,7 @@
Index: pam_krb5-2.3.10-3/src/auth.c Index: pam_krb5-2.3.13-1/src/auth.c
=================================================================== ===================================================================
--- pam_krb5-2.3.10-3.orig/src/auth.c --- pam_krb5-2.3.13-1.orig/src/auth.c
+++ pam_krb5-2.3.10-3/src/auth.c +++ pam_krb5-2.3.13-1/src/auth.c
@@ -62,6 +62,7 @@ @@ -62,6 +62,7 @@
#include "items.h" #include "items.h"
#include "kuserok.h" #include "kuserok.h"
@ -9,8 +9,8 @@ Index: pam_krb5-2.3.10-3/src/auth.c
+#include "perms.h" +#include "perms.h"
#include "options.h" #include "options.h"
#include "prompter.h" #include "prompter.h"
#include "sly.h" #include "session.h"
@@ -521,6 +522,7 @@ int @@ -531,6 +532,7 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags, pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv) int argc, PAM_KRB5_MAYBE_CONST char **argv)
{ {
@ -18,8 +18,8 @@ Index: pam_krb5-2.3.10-3/src/auth.c
notice("pam_setcred (%s) called", notice("pam_setcred (%s) called",
(flags & PAM_ESTABLISH_CRED)?"establish credential": (flags & PAM_ESTABLISH_CRED)?"establish credential":
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -530,10 +532,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f @@ -542,10 +544,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
return pam_sm_open_session(pamh, flags, argc, argv); _pam_krb5_session_caller_setcred);
} }
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+ saved_perms = _pam_krb5_switch_perms_r2e(); + saved_perms = _pam_krb5_switch_perms_r2e();
@ -43,10 +43,10 @@ Index: pam_krb5-2.3.10-3/src/auth.c
return PAM_IGNORE; return PAM_IGNORE;
} }
} }
Index: pam_krb5-2.3.10-3/src/perms.c Index: pam_krb5-2.3.13-1/src/perms.c
=================================================================== ===================================================================
--- pam_krb5-2.3.10-3.orig/src/perms.c --- pam_krb5-2.3.13-1.orig/src/perms.c
+++ pam_krb5-2.3.10-3/src/perms.c +++ pam_krb5-2.3.13-1/src/perms.c
@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 @@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
} }
return ret; return ret;
@ -97,10 +97,10 @@ Index: pam_krb5-2.3.10-3/src/perms.c
+ } + }
+ return ret; + return ret;
+} +}
Index: pam_krb5-2.3.10-3/src/perms.h Index: pam_krb5-2.3.13-1/src/perms.h
=================================================================== ===================================================================
--- pam_krb5-2.3.10-3.orig/src/perms.h --- pam_krb5-2.3.13-1.orig/src/perms.h
+++ pam_krb5-2.3.10-3/src/perms.h +++ pam_krb5-2.3.13-1/src/perms.h
@@ -37,4 +37,7 @@ struct _pam_krb5_perms; @@ -37,4 +37,7 @@ struct _pam_krb5_perms;
struct _pam_krb5_perms *_pam_krb5_switch_perms(void); struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);

3
pam_krb5-2.3.11-1.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:784f400c85d27dc92fc7039c8286467086d3465c066bbac1bafc0cb0453cbed3
size 430477

3
pam_krb5-2.3.13-1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bcb8fd3a440a07738851bb5f726ccdf618d95ddf4dd57e026de6718b7b1ac157
size 432029

16
pam_krb5-LINGUAS.dif
View File

@ -2,25 +2,17 @@ Index: po/LINGUAS
=================================================================== ===================================================================
--- po/LINGUAS.orig --- po/LINGUAS.orig
+++ po/LINGUAS +++ po/LINGUAS
@@ -15,3 +15,21 @@ ro @@ -33,3 +33,13 @@ te
sr uk
sr@latin zh_CN
sv zh_TW
+ar +ar
+bg +bg
+da
+fi +fi
+fr
+hr +hr
+ja
+ka +ka
+km +km
+ko
+nb +nb
+pt +pt
+ru
+th +th
+uk
+wa +wa
+zh_CN
+zh_TW

21
pam_krb5.changes
View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Sun Aug 21 15:17:26 UTC 2011 - mc@novell.com
- update to version 2.3.13
* don't bother creating a v5 ccache in "external" mode
* add a "trace" option to enable libkrb5 tracing, if available
* avoid trying to get password-change creds twice
* use an in-memory ccache when obtaining tokens using v5 creds
* turn off creds==session in "sshd"
* add a "validate_user_user" option to control trying to perform
user-to-user authentication to validate TGTs when a keytab is not
available
* add an "ignore_k5login" option to control whether or not the module
will use the krb5_kuserok() function to perform additional
authorization checks
* turn on validation by default - verify_ap_req_nofail controls how we
treat errors reading keytab files now
* add an "always_allow_localname" option when we can use
krb5_aname_to_localname() to second-guess the krb5_kuserok() check
* prefer krb5_change_password() to krb5_set_password()
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 1 17:41:57 CET 2011 - mc@suse.de Tue Mar 1 17:41:57 CET 2011 - mc@suse.de

11
pam_krb5.spec
View File

@ -30,7 +30,7 @@ AutoReqProv: on
Obsoletes: pam_krb5-64bit Obsoletes: pam_krb5-64bit
%endif %endif
# #
Version: 2.3.11 Version: 2.3.13
Release: 9 Release: 9
Summary: PAM Module for Kerberos Authentication Summary: PAM Module for Kerberos Authentication
Url: http://sourceforge.net/projects/pam-krb5/ Url: http://sourceforge.net/projects/pam-krb5/
@ -43,6 +43,7 @@ Patch3: pam_krb5-LINGUAS.dif
Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif
Patch5: pam_krb5-2.2.3-1-setcred-assume-establish.dif Patch5: pam_krb5-2.2.3-1-setcred-assume-establish.dif
Patch6: bug-641008_pam_krb5-2.3.11-setcred-log.diff Patch6: bug-641008_pam_krb5-2.3.11-setcred-log.diff
Patch7: use-urandom-for-tests.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -58,13 +59,17 @@ supports updating your Kerberos password.
%patch4 -p1 %patch4 -p1
%patch5 %patch5
%patch6 -p1 %patch6 -p1
%patch7 -p1
%build %build
CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \
./configure --libdir=/%_lib/ \ ./configure --libdir=/%_lib/ \
--prefix=/usr \ --prefix=/usr \
--mandir=%{_mandir} \ --mandir=%{_mandir} \
--with-os-distribution="openSUSE" --with-os-distribution="openSUSE" \
--with-default-use-shmem="sshd" \
--with-default-external="sshd sshd-rekey gssftp" \
--with-default-multiple-ccaches="su su-l" \
--with-default-no-cred-session="sshd"
make %{?jobs:-j%jobs} make %{?jobs:-j%jobs}
make -C po update-po make -C po update-po
make check make check

13
use-urandom-for-tests.dif Normal file
View File

@ -0,0 +1,13 @@
Index: pam_krb5-2.3.13-1/tests/testenv.sh.in
===================================================================
--- pam_krb5-2.3.13-1.orig/tests/testenv.sh.in
+++ pam_krb5-2.3.13-1/tests/testenv.sh.in
@@ -72,7 +72,7 @@ fi
test_kdcinitdb() {
test -d @abs_builddir@/kdc || mkdir -p @abs_builddir@/kdc
kdb5_util destroy -f 2> /dev/null > /dev/null
- (echo .; echo .; echo .) | kdb5_util create -s 2> /dev/null > /dev/null
+ (echo .; echo .; echo .) | kdb5_util create -s -W 2> /dev/null > /dev/null
$kadmin -q 'addpol -minlength 6 minimum_six' 2> /dev/null > /dev/null
$kadmin -q 'ank -pw foo '$test_principal 2> /dev/null > /dev/null