pool/pam_krb5
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a4df8241ad
pam_krb5/bug-641008_pam_krb5-2.3.11-setcred-log.diff
Michael Calmer 4ccaaa958f Accepting request 79471 from home:mcalmer:branches:network 
- update to version 2.3.13
  * don't bother creating a v5 ccache in "external" mode
  * add a "trace" option to enable libkrb5 tracing, if available
  * avoid trying to get password-change creds twice
  * use an in-memory ccache when obtaining tokens using v5 creds
  * turn off creds==session in "sshd"
  * add a "validate_user_user" option to control trying to perform
    user-to-user authentication to validate TGTs when a keytab is not
    available
  * add an "ignore_k5login" option to control whether or not the module
    will use the krb5_kuserok() function to perform additional
    authorization checks
  * turn on validation by default - verify_ap_req_nofail controls how we
    treat errors reading keytab files now
  * add an "always_allow_localname" option when we can use
    krb5_aname_to_localname() to second-guess the krb5_kuserok() check
  * prefer krb5_change_password() to krb5_set_password()

OBS-URL: https://build.opensuse.org/request/show/79471
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19
2011-08-22 08:25:27 +00:00

76 lines
2.5 KiB
Diff
Raw Blame History

Index: pam_krb5-2.3.13-1/src/auth.c
===================================================================
--- pam_krb5-2.3.13-1.orig/src/auth.c
+++ pam_krb5-2.3.13-1/src/auth.c
@@ -532,13 +532,32 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv)
{
+ krb5_context ctx;
+ struct _pam_krb5_options *options;
struct _pam_krb5_perms *saved_perms;
- notice("pam_setcred (%s) called",
- (flags & PAM_ESTABLISH_CRED)?"establish credential":
- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
- (flags & PAM_REFRESH_CRED)?"refresh credential":
- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+
+ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
+ warn("error initializing Kerberos");
+ return PAM_SERVICE_ERR;
+ }
+
+ options = _pam_krb5_options_init(pamh, argc, argv, ctx);
+ if (options == NULL) {
+ warn("error parsing options (shouldn't happen)");
+ krb5_free_context(ctx);
+ return PAM_SERVICE_ERR;
+ }
+
+ if (options->debug) {
+ debug("pam_setcred (%s) called",
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+ }
if (flags & PAM_ESTABLISH_CRED) {
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
return _pam_krb5_open_session(pamh, flags, argc, argv,
"pam_setcred(PAM_ESTABLISH_CRED)",
_pam_krb5_session_caller_setcred);
@@ -553,21 +572,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f
}
saved_perms = NULL;
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
return i;
} else {
- debug("looks unsafe - ignore refresh");
+ if (options->debug) {
+ debug("looks unsafe - ignore refresh");
+ }
if (saved_perms != NULL) {
_pam_krb5_restore_perms_r2e(saved_perms);
}
saved_perms = NULL;
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
return PAM_IGNORE;
}
}
if (flags & PAM_DELETE_CRED) {
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
return _pam_krb5_close_session(pamh, flags, argc, argv,
"pam_setcred(PAM_DELETE_CRED)",
_pam_krb5_session_caller_setcred);
}
warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED");
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
return pam_sm_open_session(pamh, (flags | PAM_ESTABLISH_CRED), argc, argv);
}
Reference in New Issue View Git Blame Copy Permalink