Index: src/v5.c
===================================================================
--- src/v5.c.orig
+++ src/v5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
+ * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -889,11 +889,19 @@ v5_get_creds(krb5_context ctx,
 tmpcreds.server = service_principal;
 i = krb5_cc_retrieve_cred(ctx, ccache, 0, &tmpcreds, creds);
- /* FIXME: check if the creds are expired?
- * What's the right error code if we check, and
- * they are? */
 memset(&tmpcreds, 0, sizeof(tmpcreds));
 krb5_cc_close(ctx, ccache);
+ switch (v5_validate(ctx, creds, options)) {
+ case 0:
+ /* we're fine */
+ break;
+ default:
+ /* something (anything) went wrong --
+ * discard them */
+ krb5_free_cred_contents(ctx, creds);
+ i = KRB5KRB_ERR_GENERIC;
+ break;
+ }
 } else {
 warn("error opening default ccache");
 i = KRB5_CC_NOTFOUND;
Index: configure.ac
===================================================================
--- configure.ac.orig
+++ configure.ac
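Review bot: The new `switch (v5_validate(ctx, creds, options))` runs even when `krb5_cc_retrieve_cred()` just above it failed, because the status stored in `i` is never tested before validation. In that case `creds` holds whatever the caller passed in, the default branch calls `krb5_free_cred_contents(ctx, creds)` on it, and the cache lookup error is overwritten with `KRB5KRB_ERR_GENERIC`. Wrapping the block in `if (i == 0) { ... }` would limit validation to credentials that were actually retrieved and keep the original error code for the caller. Whether `creds` is zeroed before this point cannot be seen, since v5_get_creds starts and ends outside the hunk. The removed FIXME asked about expired credentials, so a comment stating what v5_validate checks would tell the reader whether that question is now answered.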
@@ -360,6 +360,18 @@ if test x$keyutils != xno ; then
 AC_SUBST(KEYUTILS_LIBS)
 fi
+AC_MSG_CHECKING(whether to link directly with libpam)
+AC_ARG_WITH(libpam,
+[AC_HELP_STRING(--without-libpam,[Refrain from linking directly with libpam.])],
+ [with_libpam=$withval],
+ [with_libpam=yes])
+if test "$with_libpam" != no ; then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+AM_CONDITIONAL(WITH_DIRECT_LIBPAM,test "$with_libpam" != no)
+
 AC_ARG_ENABLE(default-realm,AC_HELP_STRING([--enable-default-realm=REALM],[last-ditch fallback realm (default is EXAMPLE.COM)]),default_realm=$enableval,default_realm=EXAMPLE.COM)
 AC_DEFINE_UNQUOTED(DEFAULT_REALM,"$default_realm",[Define to the realm name which will be used if no realm is given as a parameter and none is given in krb5.conf.])
 AC_MSG_RESULT([Using "$default_realm" as the default realm.])
Index: src/Makefile.am
===================================================================
--- src/Makefile.am.orig
+++ src/Makefile.am
@@ -21,6 +21,12 @@ man_MANS += afs5log.1
 noinst_PROGRAMS += pagsh
 endif
+if WITH_DIRECT_LIBPAM
+DIRECT_LIBPAM = -lpam
+else
+DIRECT_LIBPAM =
+endif
+
 libpam_krb5_la_SOURCES = \
 conv.c \
 conv.h \
@@ -47,7 +53,7 @@ libpam_krb5_la_SOURCES = \
 v5.h
 pam_krb5_la_LDFLAGS = -avoid-version -export-dynamic -module -export-symbols-regex 'pam_sm.*' @SYMBOLIC_LINKER_FLAG@
-pam_krb5_la_LIBADD = libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
+pam_krb5_la_LIBADD = libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@ $(DIRECT_LIBPAM)
 pam_krb5_la_SOURCES = \
 initopts.c \
 initopts.h \
Index: src/options.c
===================================================================
--- src/options.c.orig
+++ src/options.c
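Review bot: The first argument of `AC_HELP_STRING(--without-libpam,...)` in the new `AC_ARG_WITH(libpam, ...)` block is unquoted, unlike the `AC_HELP_STRING([--enable-default-realm=REALM],...)` call in the context lines below it. Writing `[--without-libpam]` protects the text from m4 expansion and matches the rest of the file. The arguments of `AC_MSG_CHECKING(...)` and `AM_CONDITIONAL(...)` in the same hunk have the same quoting gap. A one-line `dnl` comment saying when `--without-libpam` is appropriate would also document the option where it is defined.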
@@ -105,7 +105,8 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
 ret = -1;
 /* configured service yes */
- if ((ret == -1) && (service != NULL) && (strlen(service) > 0)) {
+ if ((ret == -1) && (realm != NULL) &&
+ (service != NULL) && (strlen(service) > 0)) {
 list = option_l(argc, argv, ctx, realm, s, "");
 for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
 if (strcmp(list[i], service) == 0) {
@@ -116,7 +117,8 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
 }
 /* configured service no */
- if ((ret == -1) && (service != NULL) && (strlen(service) > 0)) {
+ if ((ret == -1) && (realm != NULL) &&
+ (service != NULL) && (strlen(service) > 0)) {
 for (i = 0; i < (sizeof(prefix) / sizeof(prefix[0])); i++) {
 nots = malloc(strlen(prefix[i]) + strlen(s) + 1);
 if (nots != NULL) {
@@ -142,7 +144,7 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
 }
 /* configured boolean */
- if (ret == -1) {
+ if ((ret == -1) && (realm != NULL)) {
 v5_appdefault_boolean(ctx, realm, s, -1, &ret);
 }
@@ -331,6 +333,11 @@ _pam_krb5_options_init(pam_handle_t *pam
 _pam_krb5_get_item_text(pamh, PAM_SERVICE, &service);
 }
+ /* command-line option */
+ options->debug = option_b(argc, argv, ctx, NULL,
+ service, NULL, NULL,
+ "debug", 0);
+
 for (i = 0; i < argc; i++) {
 if (strncmp(argv[i], "realm=", 6) == 0) {
 if (options->realm != NULL) {
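Review bot: The `(realm != NULL)` guards added to option_b make a NULL realm mean "skip every krb5.conf lookup", but nothing in the visible code states that contract. The same guard is repeated at the "configured service yes", "configured service no" and "configured boolean" steps, so the note applies to all three hunks. A comment at the top of option_b such as `/* realm == NULL: consult only argv and the built-in defaults */` would record it for future callers. option_b begins and ends outside these hunks, so whether its remaining steps also tolerate a NULL realm cannot be confirmed from here.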
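Review bot: The comment `/* command-line option */` above the new `options->debug = option_b(argc, argv, ctx, NULL, ...)` call in _pam_krb5_options_init does not say why the flag is resolved with a NULL realm at this point. If the intent is to have debugging available while the remaining options are parsed, a comment like `/* realm not known yet: take "debug" from argv only */` would make that explicit. Whether `debug` is evaluated again once the realm is known is outside the hunk. If it is not, a `debug` setting in krb5.conf would no longer take effect, which is worth confirming for anyone relying on it to troubleshoot authentication.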