# # spec file for package pam_krb5 (Version 2.2.22) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # norootforbuild Name: pam_krb5 BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel %define PAM_RELEASE 1 License: GPL v2 or later Group: Productivity/Networking/Security Provides: pam_krb AutoReqProv: on Version: 2.2.22 Release: 28 Summary: PAM Module for Kerberos Authentication Url: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 Source1: pam_krb5-init-podir.tar.gz Source2: pam_krb5-po.tar.gz Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif Patch2: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif Patch3: pam_krb5-2.2.20-1-debug-log-choice.dif Patch4: pam_krb5-i18n.dif Patch5: pam_krb5-LINGUAS.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This PAM module supports authentication against a Kerberos KDC. It also supports updating your Kerberos password. Authors: -------- Balazs Gal Nalin Dahyabhai %prep %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE} %setup -a 1 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE} %setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE} %patch1 %patch2 %patch3 %patch4 -p1 %patch5 %build %{suse_update_config -f} autoreconf --verbose --force --install CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \ ./configure --libdir=/%_lib/ \ --prefix=/usr \ --mandir=%{_mandir} \ --with-os-distribution="openSUSE" make %{?jobs:-j%jobs} make check %install make install DESTDIR=$RPM_BUILD_ROOT ln -sf pam_krb5.so $RPM_BUILD_ROOT/%_lib/security/pam_krb5afs.so rm -f $RPM_BUILD_ROOT/%_lib/security/*.la # Create filelist with translatins %{find_lang} pam_krb5 %clean rm -rf $RPM_BUILD_ROOT %files -f pam_krb5.lang %defattr(444,root,root,755) %doc TODO README* COPYING* ChangeLog AUTHORS NEWS %attr(555,root,root) /%{_lib}/security/pam_krb5.so %attr(555,root,root) /%{_lib}/security/pam_krb5afs.so %dir /%{_lib}/security/pam_krb5 %attr(755,root,root) /%{_lib}/security/pam_krb5/pam_krb5_storetmp %attr(444,root,root) %_mandir/man*/*.* %attr(755,root,root) /usr/bin/afs5log %changelog * Fri May 09 2008 mc@suse.de - update i18n files * Mon Apr 14 2008 mc@suse.de - update i18n files * Thu Apr 10 2008 ro@suse.de - added baselibs.conf file to build xxbit packages for multilib support * Thu Mar 13 2008 mc@suse.de - add i18n support * Mon Feb 11 2008 mc@suse.de - version 2.2.22 * moved .k5login checks to a subprocess to avoid screwing with the parent process's tokens and PAG (fallout from #371761) * all options which took true/false before ("debug", "tokens", and so on) can now take service names * Wed Nov 21 2007 mc@suse.de - some bugfixes from upstream * Fri Nov 09 2007 mc@suse.de - version 2.2.21 * fix permissions problems on keyring ccaches, so that users can write to them after we've set them up, and we can still do the cleanup - remove pam_krb5-2.2.20-1-copy-cache-priv-fix.dif; fix is upstream * Mon Nov 05 2007 mc@suse.de - pam_krb5-2.2.20-1-copy-cache-priv-fix.dif fix permissions on the ccache im not file case - pam_krb5-2.2.20-1-debug-log-choice.dif improve debug log * Mon Oct 29 2007 mc@suse.de - version 2.2.20 * fixes for credential refreshing - remove obsolete patch pam_krb5-2.2.19-fix-format-error.dif (fix is upstream) * Fri Oct 26 2007 mc@suse.de - version 2.2.19: * the "keytab" option can now be used to specify a custom location for a given service from within krb5.conf * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH if LOG_AUTHPRIV is not defined) instead of the application's default or LOG_USER * added the "pkinit_identity" option to provide a way to specify where the user's public-key credentials are, and "pkinit_flags" to specify arbitrary flags for libkrb5 (Heimdal only) * added the "preauth_options" option to provide a way to specify arbitrary preauthentication options to libkrb5 (MIT only) * added the "ccname_template" option to provide a way to specify where the user's credentials should be stored, so that KEYRING: credential caches can be deployed at will. * Tue Aug 07 2007 mc@suse.de - version 2.2.17: * corrected a typo in the pam_krb5(8) man page * clarified that the "tokens" flag should only be needed for applications which are not using PAM correctly * don't bother using a helper for creating v4 ticket files when we're just getting tokens * clean up the debug message which we emit when we do v5->v4 principal name conversion * compilation fixes * let default "external" and "use_shmem" settings be specified at compile-time * correctly return a "unknown user" error when attempting to change a password for a user who has no corresponding principal (#235020) * don't bother using a helper for creating ccache files, which we're just going to delete, when we need to get tokens * Mon Jul 16 2007 mc@suse.de - version 2.2.14 * treat a "client revoked" error as an "unknown principal" error * some small bugfixes * Fri Jul 13 2007 mc@suse.de - version 2.2.13 * make it possible to have more than one ccache (and tktfile) at a time to work around apps which open a session, set the environment, and initialize creds (when we previously created a ccache, removing the one which was named in the environment) * Mon Jul 02 2007 mc@suse.de - version 2.2.12 * add a "pwhelp" option. * Display the KDC error to users. * lots of bugfixes * Thu Mar 15 2007 mc@suse.de - drop privileges in _pam_krb5_sly_maybe_refresh when running in set uid and restore them on exit of this function. This enables us to refresh the ticket after screen un-lock. [#124611] * Mon Sep 25 2006 mc@suse.de - version 2.2.11 - remove two patches with are upstream now - pam_krb5-2.2.10-0-oldauthtok.dif - pam_krb5-2.2.10-0-testfix.dif - make use of --with-os-distribution * Thu Sep 14 2006 mc@suse.de - fix pam_set_item call for AUTHTOK and OLDAUTHTOK - fix testcase - if the server returns an error message during password-changing, let the user see it - add the "debug_sensitive" option, which actually logs passwords - add the "no_subsequent_prompt" option, to force the module to always answer a libkrb5 prompt with the PAM_AUTHTOK value * Tue Sep 12 2006 mc@suse.de - version 2.2.10 * log text for server-supplied error code along with the failure information. * rework the prompting bits so that it makes more correct use of the initial_prompt/use_first_pass flags and correctly disables use of the callback for arbitrary prompts * give the caller a way to specify which prompter callback we should use. * track whether or not we want to let libkrb5 ask for information via the callbacks. * and more fixes * Thu Jul 27 2006 mc@suse.de - version 2.2.9 * look for krb5/krb5.h in preference to krb5.h (new in MIT Kerberos 1.5) * if the default principal in the ccache doesn't match the userinfo structure, update the userinfo structure. * always use the name of the v5 principal when saving credentials, especially for the "external" case where it may not be the value we originally guessed * be more careful about other ways which our prompting callback can try to break us * go back to overwriting the template, to avoid uncontrolled growth in the filename. * build the new ccache name by appending the mkstemp template instead of assuming the previous file ended with one * and more fixes. - remove pam_krb5-2.2.3-1-prompter-segfault.dif it is upstream now * Wed Jun 28 2006 mc@suse.de - update to version 2.2.8 * fix reporting of the reasons for password change failures * add "krb4_use_as_req" to completely disallow any attempts to get v4 credentials * do 524 conversion for the "external" cases, too - remove obsolete patches * Fri Apr 21 2006 mc@suse.de - fix segfault in prompter [#165972] * Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires * Tue Jan 17 2006 mc@suse.de - add two patches from upstream * pam_krb5-upstreamfix-password-handling.dif * pam_krb5-upstreamfix-testcase.dif - build with more then one job * Fri Jan 13 2006 mc@suse.de - set /usr/bin/afs5log executable * Wed Jan 11 2006 mc@suse.de - add -fstack-protector to CFLAGS * Tue Dec 20 2005 mc@suse.de - update to version 2.2.3 - remove pam_krb5-2.2.0-0.5-NULL-fix.dif; patch is now upstream * Fri Dec 02 2005 mc@suse.de - update to version 2.2.2 * don't leak the keytab file descriptor * actually check for AFS support first, so that the ioctl-only support case will work properly. * Mon Nov 14 2005 uli@suse.de - no afs_syscall on ARM * Mon Nov 14 2005 mc@suse.de - update to version 2.2.0-2 - remove obsolete patch (debug_false is upstream now) * Mon Oct 10 2005 mc@suse.de - update to current CVS version - drop some patches (they are upstream now) - fix NULL problem * Wed Aug 17 2005 mc@suse.de - got official fix for the authtok problem [#104051] * Mon Aug 15 2005 mc@suse.de - fix the behavior of password changing if use_authtok is not present [#104051] * Wed Jun 29 2005 mc@suse.de - fix change password * Fri Jun 10 2005 mc@suse.de - set default for debug to false [#87005] * Thu Apr 07 2005 mc@suse.de - switch to version 2.2.0-0.5 * Tue Feb 22 2005 nadvornik@suse.cz - fixed parsing of time values * Mon Feb 21 2005 mc@suse.de - add pam_krb5-use-krb5_afslog.dif [#51047] * Tue Jan 18 2005 okir@suse.de - updated to latest pam_krb5 snapshot from sourcforge CVS * Tue Jan 11 2005 ro@suse.de - re-added afs module (added krbafs to neededforbuild) * Mon Nov 22 2004 ro@suse.de - remove afs for the moment, mit-kerberos does not have support * Wed Apr 28 2004 ro@suse.de - added -fno-strict-aliasing * Fri Jan 16 2004 kukuk@suse.de - Add pam-devel to neededforbuild * Sun Jan 11 2004 adrian@suse.de - build as user * Wed Jul 16 2003 nadvornik@suse.cz - replaced by different implementation of pam_krb5 - afs support * Fri Jun 20 2003 okir@suse.de - fix build problem with latest heimdal - another fix for passwd updates (#20284) * Wed Jun 18 2003 ro@suse.de - use kerberos-devel-packages in neededforbuild * Tue Apr 15 2003 ro@suse.de - fixed neededforbuild * Wed Aug 28 2002 okir@suse.de - Security fix (#18463): unbecome_user did not properly reassert original privilege, and the caller didn't check the return value. * Wed Jul 31 2002 okir@suse.de - suse_update_config now updates the right files * Wed Jul 24 2002 okir@suse.de - fixed passwd(1) support; updated README * Tue Jul 23 2002 okir@suse.de - initial packaging