4ccaaa958f
- update to version 2.3.13
* don't bother creating a v5 ccache in "external" mode
* add a "trace" option to enable libkrb5 tracing, if available
* avoid trying to get password-change creds twice
* use an in-memory ccache when obtaining tokens using v5 creds
* turn off creds==session in "sshd"
* add a "validate_user_user" option to control trying to perform
user-to-user authentication to validate TGTs when a keytab is not
available
* add an "ignore_k5login" option to control whether or not the module
will use the krb5_kuserok() function to perform additional
authorization checks
* turn on validation by default - verify_ap_req_nofail controls how we
treat errors reading keytab files now
* add an "always_allow_localname" option when we can use
krb5_aname_to_localname() to second-guess the krb5_kuserok() check
* prefer krb5_change_password() to krb5_set_password()
OBS-URL: https://build.opensuse.org/request/show/79471
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19
93 lines
3.2 KiB
Plaintext
93 lines
3.2 KiB
Plaintext
Index: pam_krb5-2.3.13-1/src/acct.c
|
|
===================================================================
|
|
--- pam_krb5-2.3.13-1.orig/src/acct.c
|
|
+++ pam_krb5-2.3.13-1/src/acct.c
|
|
@@ -96,6 +96,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
|
krb5_free_context(ctx);
|
|
return PAM_SERVICE_ERR;
|
|
}
|
|
+ if (options->debug) {
|
|
+ debug("pam_acct_mgmt called for '%s', realm '%s'", user,
|
|
+ options->realm);
|
|
+ }
|
|
|
|
/* Get information about the user and the user's principal name. */
|
|
userinfo = _pam_krb5_user_info_init(ctx, user, options);
|
|
Index: pam_krb5-2.3.13-1/src/auth.c
|
|
===================================================================
|
|
--- pam_krb5-2.3.13-1.orig/src/auth.c
|
|
+++ pam_krb5-2.3.13-1/src/auth.c
|
|
@@ -115,9 +115,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
|
return PAM_SERVICE_ERR;
|
|
}
|
|
if (options->debug) {
|
|
- debug("called to authenticate '%s', realm '%s'", user,
|
|
- options->realm);
|
|
+ debug("pam_authenticate called for '%s', realm '%s'", user,
|
|
+ options->realm);
|
|
}
|
|
+
|
|
_pam_krb5_set_init_opts(ctx, gic_options, options);
|
|
|
|
/* Prompt for the password, as we might need to. */
|
|
@@ -530,6 +531,11 @@ int
|
|
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
|
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
|
{
|
|
+ notice("pam_setcred (%s) called",
|
|
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
|
|
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
|
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
|
|
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
|
|
if (flags & PAM_ESTABLISH_CRED) {
|
|
return _pam_krb5_open_session(pamh, flags, argc, argv,
|
|
"pam_setcred(PAM_ESTABLISH_CRED)",
|
|
Index: pam_krb5-2.3.13-1/src/password.c
|
|
===================================================================
|
|
--- pam_krb5-2.3.13-1.orig/src/password.c
|
|
+++ pam_krb5-2.3.13-1/src/password.c
|
|
@@ -116,6 +116,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
|
krb5_free_context(ctx);
|
|
return PAM_SERVICE_ERR;
|
|
}
|
|
+ if (options->debug) {
|
|
+ debug("pam_chauthtok called (%s) for '%s', realm '%s'",
|
|
+ (flags & PAM_PRELIM_CHECK) ?
|
|
+ "preliminary check" :
|
|
+ ((flags & PAM_UPDATE_AUTHTOK) ?
|
|
+ "updating authtok":
|
|
+ "unknown phase"),
|
|
+ user,
|
|
+ options->realm);
|
|
+ }
|
|
_pam_krb5_set_init_opts(ctx, gic_options, options);
|
|
|
|
/* Get information about the user and the user's principal name. */
|
|
Index: pam_krb5-2.3.13-1/src/session.c
|
|
===================================================================
|
|
--- pam_krb5-2.3.13-1.orig/src/session.c
|
|
+++ pam_krb5-2.3.13-1/src/session.c
|
|
@@ -104,6 +104,10 @@ _pam_krb5_open_session(pam_handle_t *pam
|
|
krb5_free_context(ctx);
|
|
return PAM_SERVICE_ERR;
|
|
}
|
|
+ if (options->debug) {
|
|
+ debug("pam_open_session called for '%s', realm '%s'", user,
|
|
+ options->realm);
|
|
+ }
|
|
|
|
/* If we're in a no-cred-session situation, return. */
|
|
if ((!options->cred_session) &&
|
|
@@ -358,7 +362,10 @@ _pam_krb5_close_session(pam_handle_t *pa
|
|
krb5_free_context(ctx);
|
|
return PAM_SUCCESS;
|
|
}
|
|
-
|
|
+ if (options->debug) {
|
|
+ debug("pam_close_session called for '%s', realm '%s'", user,
|
|
+ options->realm);
|
|
+ }
|
|
/* Get information about the user and the user's principal name. */
|
|
userinfo = _pam_krb5_user_info_init(ctx, user, options);
|
|
if (userinfo == NULL) {
|