author | nectar <nectar@FreeBSD.org> | 2000-11-07 03:01:43 +0800 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2000-11-07 03:01:43 +0800 |
commit | 026f262f0c7f9f974c881f00ed9ff2d182b32984 (patch) | |
tree | 23bf452bc0e4e861e846fd9ba9a149f3598c4f13 /security | |
parent | c1232c176628ce34f5b4142c22f648b0fb9597db (diff) | |
download | freebsd-ports-gnome-026f262f0c7f9f974c881f00ed9ff2d182b32984.tar.gz freebsd-ports-gnome-026f262f0c7f9f974c881f00ed9ff2d182b32984.tar.zst freebsd-ports-gnome-026f262f0c7f9f974c881f00ed9ff2d182b32984.zip |
A Pluggable Authentication Module for Kerberos 5.
Diffstat (limited to 'security')
-rw-r--r-- | security/Makefile | 1 | ||||
-rw-r--r-- | security/pam_krb5/Makefile | 53 | ||||
-rw-r--r-- | security/pam_krb5/distinfo | 1 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-aa | 89 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ab | 10 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ac | 40 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ad | 286 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ae | 140 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-af | 176 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ag | 52 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ah | 24 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ai | 24 | ||||
-rw-r--r-- | security/pam_krb5/pkg-comment | 1 | ||||
-rw-r--r-- | security/pam_krb5/pkg-descr | 4 | ||||
-rw-r--r-- | security/pam_krb5/pkg-plist | 1 |
15 files changed, 902 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 355bff570b47..ee354546913a 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -80,6 +80,7 @@
 SUBDIR += p5-PGP-Sign
 SUBDIR += pad
 SUBDIR += pam-mysql
+ SUBDIR += pam_krb5
 SUBDIR += pgp
 SUBDIR += pgp5
 SUBDIR += pgp6
diff --git a/security/pam_krb5/Makefile b/security/pam_krb5/Makefile
new file mode 100644
index 000000000000..98bf93a7e9c8
--- /dev/null
+++ b/security/pam_krb5/Makefile
@@ -0,0 +1,53 @@
+# Ports collection Makefile for: pam_krb5
+# Date created: 11/03/2000
+# Whom: nectar@FreeBSD.org
+#
+# $FreeBSD$
+#
+
+PORTNAME= pam_krb5
+PORTVERSION= 1.0
+CATEGORIES= security
+MASTER_SITES= http://www.fcusack.com/soft/
+
+MAINTAINER= nectar@FreeBSD.org
+
+WRKSRC= ${WRKDIR}/pam_krb5
+PREFIX?= ${DESTDIR}/usr
+MANPREFIX?= ${DESTDIR}/usr/share
+MAKE_ENV= PREFIX="${PREFIX}" MANPREFIX="${MANPREFIX}" \
+ KRB5BASE="${KRB5BASE}" KRB5_IMPL="${KRB5_IMPL}"
+
+MAN8= pam_krb5.8
+
+# Try hard to figure out which Kerberos implementation we should use to
+# build this thing. There are three possibilities:
+# Heimdal in the base system -- XXX disabled for now (missing libraries)
+# Heimdal from ports
+# MIT Kerberos from ports
+.if defined(KRB5BASE) && defined(KRB5_IMPL)
+# the user thinks he knows what he is doing, so let it be
+.elif exists(/usr/include/heim_err.h) && defined(REALLY_WANT_BASE) && (${REALLY_WANT_BASE} == "yes")
+KRB5BASE=/usr
+KRB5_IMPL="heimdal"
+.elif defined(HEIMDAL_HOME) && exists(${HEIMDAL_HOME}/include/heim_err.h)
+KRB5BASE=${HEIMDAL_HOME}
+KRB5_IMPL=heimdal
+LIB_DEPENDS+= krb5.13:${PORTSDIR}/security/heimdal
+.elif exists(${LOCALBASE}/include/heim_err.h)
+KRB5BASE=${LOCALBASE}
+KRB5_IMPL=heimdal
+LIB_DEPENDS+= krb5.13:${PORTSDIR}/security/heimdal
+.elif defined(KRB5_HOME) && exists(${KRB5_HOME}/include/mit-sipb-copyright.h)
+KRB5BASE=${KRB5_HOME}
+KRB5_IMPL=mit
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
+.elif exists(${LOCALBASE}/include/mit-sipb-copyright.h)
+KRB5BASE=${LOCALBASE}
+KRB5_IMPL=mit
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
+.else
+.error "No version of Kerberos is installed."
+.endif
+
+.include <bsd.port.mk>
diff --git a/security/pam_krb5/distinfo b/security/pam_krb5/distinfo
new file mode 100644
index 000000000000..54736530a4ab
--- /dev/null
+++ b/security/pam_krb5/distinfo
@@ -0,0 +1 @@
+MD5 (pam_krb5-1.0.tar.gz) = dd4ca3cc1b6b6b124625544e870968cb
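Review bot: The distfile is fetched over plain HTTP (`MASTER_SITES= http://www.fcusack.com/soft/`) and the accompanying distinfo pins it with an MD5 digest only, so the integrity of the tarball rests on a hash that does not resist collisions. Because this source is compiled into a PAM module that sits on the authentication path, I would record a stronger digest next to the MD5 line, e.g. `SHA256 (pam_krb5-1.0.tar.gz) = <sha256-of-verified-tarball>`, provided the ports framework in use accepts it. An HTTPS or signed mirror would be preferable if upstream offers one.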
diff --git a/security/pam_krb5/files/patch-aa b/security/pam_krb5/files/patch-aa
new file mode 100644
index 000000000000..879bc993df0b
--- /dev/null
+++ b/security/pam_krb5/files/patch-aa
@@ -0,0 +1,89 @@ +--- Makefile.orig Tue Jan 4 19:08:51 2000 ++++ Makefile Mon Nov 6 10:59:16 2000 +@@ -1,48 +1,51 @@ + # + # Makefile for pam_krb5 + # ++CC = cc ++CFLAGS = -O -fPIC -Wall ++LDFLAGS = -shared + +-CC = gcc +-CFLAGS = -O2 -fPIC +-#LDFLAGS = -shared +-LDFLAGS = -G ++OSLIBS = -lpam + +-DESTDIR = /usr/lib/security +-MANDIR = /opt/local/man/man5 ++# HEIMDAL ++LIBS_heimdal = ${KRB5BASE}/lib/libkrb5.a ${KRB5BASE}/lib/libasn1.a \ ++ ${KRB5BASE}/lib/libcom_err.a ${KRB5BASE}/lib/libroken.a \ ++ ${KRB5BASE}/lib/libgssapi.a ${KRB5BASE}/lib/libdes.a + +-OSLIBS = -lpam -lnsl -lsocket +-KRB5LIBS = -L/opt/local/lib -lkrb5 -lk5crypto -lcom_err ++# MIT ++LIBS_mit = ${KRB5BASE}/lib/libkrb5.a ${KRB5BASE}/lib/libcom_err.a \ ++ ${KRB5BASE}/lib/libk5crypto.a + +-LIBS = $(OSLIBS) $(KRB5LIBS) ++LIBS = $(OSLIBS) ${LIBS_${KRB5_IMPL}} ++COMPAT = compat_${KRB5_IMPL}.c + +-INC = -I/opt/local/include ++INC = -I${KRB5BASE}/include + + + #################################################################### + # No changes below this line + + SRCS = pam_krb5_auth.c pam_krb5_pass.c pam_krb5_acct.c pam_krb5_sess.c \ +- support.c ++ support.c ${COMPAT} + + OBJS = pam_krb5_auth.o pam_krb5_pass.o pam_krb5_acct.o pam_krb5_sess.o \ +- support.o ++ support.o ${COMPAT:.c=.o} + +-all: pam_krb5.so.1 ++all: pam_krb5.so + +-pam_krb5.so.1: $(OBJS) ++pam_krb5.so: $(OBJS) + $(CC) -o $@ $(LDFLAGS) $(OBJS) $(LIBS) + + install: +- cp pam_krb5.so.1 $(DESTDIR) +- chown root:sys $(DESTDIR)/pam_krb5.so.1 +- ln -s ./pam_krb5.so.1 $(DESTDIR)/pam_krb5.so +- cp pam_krb5.5 $(MANDIR) +- chown root:sys $(MANDIR)/pam_krb5.5 ++ ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 0555 pam_krb5.so \ ++ ${PREFIX}/lib/pam_krb5.so ++ ${INSTALL} -c -o ${MANOWN} -g ${MANGRP} -m 0444 pam_krb5.5 \ ++ ${MANPREFIX}/man/man8/pam_krb5.8 + + clean: +- rm -f *.so.1 *.o ++ rm -f *.so *.o + +-pam_krb5_auth.o: pam_krb5_auth.c pam_krb5.h ++pam_krb5_auth.o: pam_krb5_auth.c pam_krb5.h krb5compat.h + $(CC) -c $(CFLAGS) $(INC) $< + + 
pam_krb5_pass.o: pam_krb5_pass.c pam_krb5.h +@@ -54,6 +57,12 @@ + pam_krb5_sess.o: pam_krb5_sess.c pam_krb5.h + $(CC) -c $(CFLAGS) $(INC) $< + +-support.o: support.c pam_krb5.h ++support.o: support.c pam_krb5.h krb5compat.h ++ $(CC) -c $(CFLAGS) $(INC) $< ++ ++compat_heimdal.o: compat_heimdal.c krb5compat.h ++ $(CC) -c $(CFLAGS) $(INC) $< ++ ++compat_mit.o: compat_mit.c krb5compat.h + $(CC) -c $(CFLAGS) $(INC) $< + diff --git a/security/pam_krb5/files/patch-ab b/security/pam_krb5/files/patch-ab new file mode 100644 index 000000000000..8e35ac8f6486 --- /dev/null +++ b/security/pam_krb5/files/patch-ab @@ -0,0 +1,10 @@ +--- pam_krb5.h.orig Tue Jan 4 19:08:51 2000 ++++ pam_krb5.h Mon Nov 6 10:21:49 2000 +@@ -6,6 +6,6 @@ + + int get_user_info(pam_handle_t *, char *, int, char **); + krb5_error_code pam_prompter(krb5_context, void *, const char *, +- const char *, int, krb5_prompt[]); ++ int, krb5_prompt[]); + int verify_krb_v5_tgt(krb5_context, krb5_ccache, int); + void cleanup_cache(pam_handle_t *, void *, int); diff --git a/security/pam_krb5/files/patch-ac b/security/pam_krb5/files/patch-ac new file mode 100644 index 000000000000..20a5fc0f9ffb --- /dev/null +++ b/security/pam_krb5/files/patch-ac 
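Review bot: `LIBS_heimdal` and `LIBS_mit` in patch-aa link the Kerberos libraries as static archives (`${KRB5BASE}/lib/libkrb5.a` and friends) into pam_krb5.so, so a later security fix to the Kerberos port does not reach this module until it is rebuilt, even though the port Makefile records a `LIB_DEPENDS` on the shared library. If the static link is deliberate, a comment such as `# linked statically on purpose: rebuild pam_krb5 after every Kerberos update` would make the maintenance cost visible. Otherwise linking with `-L${KRB5BASE}/lib -lkrb5 ...` keeps the module on the patched library.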
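Review bot: The `const char *name` parameter is dropped from `pam_prompter` unconditionally in patch-ab, yet the port also builds with `KRB5_IMPL=mit`. MIT's `krb5_prompter_fct` passes `name` ahead of `banner`, so if that is the prototype in the installed krb5.h, the library would invoke this callback with shifted arguments during `krb5_get_init_creds_password()`. The same removal is made in the definition in patch-af. I would keep the implementation difference inside the `compat_${KRB5_IMPL}.c` layer, as is done for the other three shims, rather than hard-coding one form of the prototype in pam_krb5.h.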
@@ -0,0 +1,40 @@ +--- pam_krb5_acct.c.orig Tue Jan 4 19:08:51 2000 ++++ pam_krb5_acct.c Mon Nov 6 10:21:49 2000 +@@ -11,6 +11,7 @@ + #include <security/pam_appl.h> + #include <security/pam_modules.h> + #include <krb5.h> ++#include <com_err.h> + #include "pam_krb5.h" + + /* A useful logging macro */ +@@ -38,12 +39,12 @@ + } + + /* Get username */ +- if (pam_get_item(pamh, PAM_USER, (void **) &name)) { ++ if (pam_get_item(pamh, PAM_USER, (const void **) &name)) { + return PAM_PERM_DENIED;; + } + + /* Get service name */ +- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); ++ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); + if (!service) + service = "unknown"; + +@@ -55,12 +56,12 @@ + return PAM_SUCCESS; + } + +- if (krb5_init_context(&pam_context)) { ++ if ((krbret = krb5_init_context(&pam_context)) != 0) { + DLOG("krb5_init_context()", error_message(krbret)); + return PAM_PERM_DENIED;; + } + +- if (krbret = krb5_cc_get_principal(pam_context, ccache, &princ)) { ++ if ((krbret = krb5_cc_get_principal(pam_context, ccache, &princ)) != 0) { + DLOG("krb5_cc_get_principal()", error_message(krbret)); + pamret = PAM_PERM_DENIED;; + goto cleanup; diff --git a/security/pam_krb5/files/patch-ad b/security/pam_krb5/files/patch-ad new file mode 100644 index 000000000000..ee2624929723 --- /dev/null +++ b/security/pam_krb5/files/patch-ad 
@@ -0,0 +1,286 @@ +--- pam_krb5_auth.c.orig Tue Jan 4 19:08:51 2000 ++++ pam_krb5_auth.c Mon Nov 6 10:46:08 2000 +@@ -7,9 +7,11 @@ + + static const char rcsid[] = "$Id: pam_krb5_auth.c,v 1.18 2000/01/04 08:44:08 fcusack Exp $"; + ++#include <errno.h> + #include <limits.h> /* PATH_MAX */ + #include <pwd.h> /* getpwnam */ + #include <stdio.h> /* tmpnam */ ++#include <stdlib.h> /* malloc */ + #include <strings.h> /* strchr */ + #include <syslog.h> /* syslog */ + #include <unistd.h> /* chown */ +@@ -19,7 +21,9 @@ + #include <security/pam_modules.h> + + #include <krb5.h> ++#include <com_err.h> + #include "pam_krb5.h" ++#include "krb5compat.h" + + extern krb5_cc_ops krb5_mcc_ops; + +@@ -42,7 +46,7 @@ + krb5_get_init_creds_opt opts; + + int pamret, i; +- char *name, *name2; ++ const char *name; + char *princ_name = NULL; + char *pass = NULL, *service = NULL; + char *prompt = NULL; +@@ -74,13 +78,13 @@ + } + + /* Get service name */ +- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); ++ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); + if (!service) + service = "unknown"; + + DLOG("entry", ""); + +- if (krb5_init_context(&pam_context)) { ++ if ((krbret = krb5_init_context(&pam_context)) != 0) { + DLOG("krb5_init_context()", error_message(krbret)); + return PAM_SERVICE_ERR; + } +@@ -93,7 +97,7 @@ + krb5_get_init_creds_opt_set_forwardable(&opts, 1); + + /* For CNS */ +- if (krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE)) { ++ if ((krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE)) != 0) { + /* Solaris dtlogin doesn't call pam_end() on failure */ + if (krbret != KRB5_CC_TYPE_EXISTS) { + DLOG("krb5_cc_register()", error_message(krbret)); +@@ -103,14 +107,14 @@ + } + + /* Get principal name */ +- if (krbret = krb5_parse_name(pam_context, name, &princ)) { ++ if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) { + DLOG("krb5_parse_name()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup3; + } + + 
/* Now convert the principal name into something human readable */ +- if (krbret = krb5_unparse_name(pam_context, princ, &princ_name)) { ++ if ((krbret = krb5_unparse_name(pam_context, princ, &princ_name)) != 0) { + DLOG("krb5_unparse_name()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; +@@ -126,18 +130,19 @@ + (void) sprintf(prompt, "Password for %s: ", princ_name); + + if (try_first_pass || use_first_pass) +- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); ++ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); + + get_pass: + if (!pass) { + try_first_pass = 0; +- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) { ++ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, ++ &pass)) != 0) { + DLOG("get_user_info()", pam_strerror(pamh, pamret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; + } + /* We have to free pass. */ +- if (pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) { ++ if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) { + DLOG("pam_set_item()", pam_strerror(pamh, pamret)); + free(pass); + pamret = PAM_SERVICE_ERR; +@@ -145,25 +150,26 @@ + } + free(pass); + /* Now we get it back from the library. 
*/ +- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); ++ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); + } + + /* Verify the local user exists (AFTER getting the password) */ + if (strchr(name, '@')) { + /* get a local account name for this principal */ +- if (krbret = krb5_aname_to_localname(pam_context, princ, +- sizeof(lname), lname)) { ++ if ((krbret = krb5_aname_to_localname(pam_context, princ, ++ sizeof(lname), lname)) != 0) { + DLOG("krb5_aname_to_localname()", error_message(krbret)); + pamret = PAM_USER_UNKNOWN; + goto cleanup2; + } + DLOG("changing PAM_USER to", lname); +- if (pamret = pam_set_item(pamh, PAM_USER, lname)) { ++ if ((pamret = pam_set_item(pamh, PAM_USER, lname)) != 0) { + DLOG("pam_set_item()", pam_strerror(pamh, pamret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; + } +- if (pamret = pam_get_item(pamh, PAM_USER, (void **) &name)) { ++ if ((pamret = pam_get_item(pamh, PAM_USER, (const void **) &name) ++ != 0)) { + DLOG("pam_get_item()", pam_strerror(pamh, pamret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; +@@ -177,9 +183,8 @@ + } + + /* Get a TGT */ +- if (krbret = krb5_get_init_creds_password(pam_context, &creds, princ, +- pass, pam_prompter, pamh, +- 0, NULL, &opts)) { ++ if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, ++ pass, pam_prompter, pamh, 0, NULL, &opts)) != 0) { + DLOG("krb5_get_init_creds_password()", error_message(krbret)); + if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + pass = NULL; +@@ -193,17 +198,17 @@ + strcpy(cache_name, "MEMORY:"); + (void) tmpnam(&cache_name[7]); + +- if (krbret = krb5_cc_resolve(pam_context, cache_name, &ccache)) { ++ if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache)) != 0) { + DLOG("krb5_cc_resolve()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup; + } +- if (krbret = krb5_cc_initialize(pam_context, ccache, princ)) { ++ if ((krbret = krb5_cc_initialize(pam_context, ccache, princ)) != 0) { + 
DLOG("krb5_cc_initialize()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup; + } +- if (krbret = krb5_cc_store_cred(pam_context, ccache, &creds)) { ++ if ((krbret = krb5_cc_store_cred(pam_context, ccache, &creds)) != 0) { + DLOG("krb5_cc_store_cred()", error_message(krbret)); + (void) krb5_cc_destroy(pam_context, ccache); + pamret = PAM_SERVICE_ERR; +@@ -224,7 +229,7 @@ + pamret = PAM_AUTH_ERR; + goto cleanup; + } +- if (pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) { ++ if ((pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) != 0) { + DLOG("pam_set_data()", pam_strerror(pamh, pamret)); + (void) krb5_cc_destroy(pam_context, ccache); + pamret = PAM_SERVICE_ERR; +@@ -288,22 +293,22 @@ + else if (strcmp(argv[i], "no_ccache") == 0) + return PAM_SUCCESS; + else if (strstr(argv[i], "ccache=") == argv[i]) +- cache_name = &argv[i][7]; /* save for later */ ++ cache_name = (char *) &argv[i][7]; /* save for later */ + } + + /* Get username */ +- if (pam_get_item(pamh, PAM_USER, (void **) &name)) { ++ if (pam_get_item(pamh, PAM_USER, (const void **) &name)) { + return PAM_SERVICE_ERR; + } + + /* Get service name */ +- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); ++ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); + if (!service) + service = "unknown"; + + DLOG("entry", ""); + +- if (krb5_init_context(&pam_context)) { ++ if ((krbret = krb5_init_context(&pam_context)) != 0) { + DLOG("krb5_init_context()", error_message(krbret)); + return PAM_SERVICE_ERR; + } +@@ -311,7 +316,8 @@ + euid = geteuid(); /* Usually 0 */ + + /* Retrieve the cache name */ +- if (pamret = pam_get_data(pamh, "ccache", (const void **) &ccache_temp)) { ++ if ((pamret = pam_get_data(pamh, "ccache", (const void **) &ccache_temp)) ++ != 0) { + DLOG("pam_get_data()", pam_strerror(pamh, pamret)); + pamret = PAM_CRED_UNAVAIL; + goto cleanup3; +@@ -340,7 +346,7 @@ + pamret = PAM_BUF_ERR; + goto cleanup3; + } +- sprintf(cache_name, 
"FILE:/tmp/krb5cc_%ld", pw->pw_uid); ++ sprintf(cache_name, "FILE:/tmp/krb5cc_%d", pw->pw_uid); + } else { + /* cache_name was supplied */ + char *p = calloc(PATH_MAX + 10, 1); /* should be plenty */ +@@ -357,10 +363,10 @@ + if (*q == '%') { + q++; + if (*q == 'u') { +- sprintf(p, "%ld", pw->pw_uid); ++ sprintf(p, "%d", pw->pw_uid); + p += strlen(p); + } else if (*q == 'p') { +- sprintf(p, "%ld", getpid()); ++ sprintf(p, "%d", getpid()); + p += strlen(p); + } else { + /* Not a special token */ +@@ -375,24 +381,27 @@ + } + + /* Initialize the new ccache */ +- if (krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ)) { ++ if ((krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ)) ++ != 0) { + DLOG("krb5_cc_get_principal()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup3; + } +- if (krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm)) { ++ if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm)) ++ != 0) { + DLOG("krb5_cc_resolve()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; + } +- if (krbret = krb5_cc_initialize(pam_context, ccache_perm, princ)) { ++ if ((krbret = krb5_cc_initialize(pam_context, ccache_perm, princ)) != 0) { + DLOG("krb5_cc_initialize()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; + } + + /* Prepare for iteration over creds */ +- if (krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor)) { ++ if ((krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor)) ++ != 0) { + DLOG("krb5_cc_start_seq_get()", error_message(krbret)); + (void) krb5_cc_destroy(pam_context, ccache_perm); + pamret = PAM_SERVICE_ERR; +@@ -400,9 +409,10 @@ + } + + /* Copy the creds (should be two of them) */ +- while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, +- &cursor, &creds) == 0)) { +- if (krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds)) { ++ while ((krbret = compat_cc_next_cred(pam_context, ccache_temp, ++ 
&cursor, &creds) == 0)) { ++ if ((krbret = krb5_cc_store_cred(pam_context, ccache_perm, ++ &creds)) != 0) { + DLOG("krb5_cc_store_cred()", error_message(krbret)); + (void) krb5_cc_destroy(pam_context, ccache_perm); + krb5_free_cred_contents(pam_context, &creds); +@@ -432,7 +442,7 @@ + } + + sprintf(cache_env_name, "KRB5CCNAME=%s", cache_name); +- if (pamret = pam_putenv(pamh, cache_env_name)) { ++ if ((pamret = pam_putenv(pamh, cache_env_name)) != 0) { + DLOG("pam_putenv()", pam_strerror(pamh, pamret)); + (void) krb5_cc_destroy(pam_context, ccache_perm); + pamret = PAM_SERVICE_ERR; diff --git a/security/pam_krb5/files/patch-ae b/security/pam_krb5/files/patch-ae new file mode 100644 index 000000000000..494de5ec23dd --- /dev/null +++ b/security/pam_krb5/files/patch-ae 
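Review bot: In the rewritten PAM_USER re-read that follows `pam_set_item(pamh, PAM_USER, lname)`, the closing parenthesis sits after `!= 0`, so `pamret` receives the result of the comparison (0 or 1) instead of the PAM return code, and the `DLOG("pam_get_item()", pam_strerror(pamh, pamret))` that follows reports the wrong error. It should read `if ((pamret = pam_get_item(pamh, PAM_USER, (const void **) &name)) != 0) {`, like the other conversions in this patch. The credential-copy loop keeps the same shape, `while ((krbret = compat_cc_next_cred(...) == 0))`, which leaves `krbret` holding a boolean when the loop ends. The enclosing functions begin and end outside these hunks, so whether `krbret` is examined afterwards is not visible here.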
@@ -0,0 +1,140 @@ +--- pam_krb5_pass.c.orig Tue Jan 4 19:08:51 2000 ++++ pam_krb5_pass.c Mon Nov 6 10:21:49 2000 +@@ -7,10 +7,14 @@ + + static const char rcsid[] = "$Id: pam_krb5_pass.c,v 1.3 1999/01/19 23:43:11 fcusack Exp $"; + ++#include <errno.h> ++#include <stdio.h> /* sprintf */ ++#include <stdlib.h> /* malloc */ + #include <syslog.h> /* syslog */ + #include <security/pam_appl.h> + #include <security/pam_modules.h> + #include <krb5.h> ++#include <com_err.h> + #include "pam_krb5.h" + + /* A useful logging macro */ +@@ -27,7 +31,6 @@ + krb5_context pam_context; + krb5_creds creds; + krb5_principal princ; +- krb5_ccache ccache; + krb5_get_init_creds_opt opts; + + int result_code; +@@ -54,23 +57,23 @@ + } + + /* Get username */ +- if (pam_get_item(pamh, PAM_USER, (void **) &name)) { ++ if ((pam_get_item(pamh, PAM_USER, (const void **) &name)) != 0) { + return PAM_SERVICE_ERR; + } + + /* Get service name */ +- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); ++ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); + if (!service) + service = "unknown"; + + DLOG("entry", ""); + +- if (krb5_init_context(&pam_context)) { ++ if ((krbret = krb5_init_context(&pam_context)) != 0) { + DLOG("krb5_init_context()", error_message(krbret)); + return PAM_SERVICE_ERR; + } + +- if (krb5_init_context(&pam_context)) { ++ if ((krbret = krb5_init_context(&pam_context)) != 0) { + DLOG("krb5_init_context()", error_message(krbret)); + return PAM_SERVICE_ERR; + } +@@ -78,14 +81,14 @@ + memset(&creds, 0, sizeof(krb5_creds)); + + /* Get principal name */ +- if (krbret = krb5_parse_name(pam_context, name, &princ)) { ++ if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) { + DLOG("krb5_parse_name()", error_message(krbret)); + pamret = PAM_USER_UNKNOWN; + goto cleanup3; + } + + /* Now convert the principal name into something human readable */ +- if (krbret = krb5_unparse_name(pam_context, princ, &princ_name)) { ++ if ((krbret = 
krb5_unparse_name(pam_context, princ, &princ_name)) != 0) { + DLOG("krb5_unparse_name()", error_message(krbret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; +@@ -101,18 +104,19 @@ + (void) sprintf(prompt, "Password for %s: ", princ_name); + + if (try_first_pass || use_first_pass) +- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); ++ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); + + get_pass: + if (!pass) { + try_first_pass = 0; +- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) { ++ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, ++ &pass)) != 0) { + DLOG("get_user_info()", pam_strerror(pamh, pamret)); + pamret = PAM_SERVICE_ERR; + goto cleanup2; + } + /* We have to free pass. */ +- if (pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) { ++ if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) { + DLOG("pam_set_item()", pam_strerror(pamh, pamret)); + free(pass); + pamret = PAM_SERVICE_ERR; +@@ -120,12 +124,11 @@ + } + free(pass); + /* Now we get it back from the library. 
*/ +- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); ++ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); + } + +- if (krbret = krb5_get_init_creds_password(pam_context, &creds, princ, +- pass, pam_prompter, pamh, +- 0, "kadmin/changepw", &opts)) { ++ if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, ++ pass, pam_prompter, pamh, 0, "kadmin/changepw", &opts)) != 0) { + DLOG("krb5_get_init_creds_password()", error_message(krbret)); + if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + pass = NULL; +@@ -138,14 +141,16 @@ + /* Now get the new password */ + free(prompt); + prompt = "Enter new password: "; +- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) { ++ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) ++ != 0) { + DLOG("get_user_info()", pam_strerror(pamh, pamret)); + prompt = NULL; + pamret = PAM_SERVICE_ERR; + goto cleanup; + } + prompt = "Enter it again: "; +- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass2)) { ++ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass2)) ++ != 0) { + DLOG("get_user_info()", pam_strerror(pamh, pamret)); + prompt = NULL; + pamret = PAM_SERVICE_ERR; +@@ -160,9 +165,8 @@ + } + + /* Change it */ +- if (krbret = krb5_change_password(pam_context, &creds, pass, +- &result_code, &result_code_string, +- &result_string)) { ++ if ((krbret = krb5_change_password(pam_context, &creds, pass, ++ &result_code, &result_code_string, &result_string)) != 0) { + DLOG("krb5_change_password()", error_message(krbret)); + pamret = PAM_AUTHTOK_ERR; + goto cleanup; diff --git a/security/pam_krb5/files/patch-af b/security/pam_krb5/files/patch-af new file mode 100644 index 000000000000..dd164e81bddd --- /dev/null +++ b/security/pam_krb5/files/patch-af 
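Review bot: `krb5_init_context(&pam_context)` is called twice in a row near the top of the password-change function, and the patch rewrites both calls instead of dropping one. The second call overwrites `pam_context`, so the context created by the first is never released. I would delete the second `if ((krbret = krb5_init_context(&pam_context)) != 0) { ... }` block. The function continues past the hunk, so its cleanup labels are not visible here.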
@@ -0,0 +1,176 @@ +--- support.c.orig Tue Jan 4 19:08:51 2000 ++++ support.c Mon Nov 6 11:55:47 2000 +@@ -6,12 +6,17 @@ + + static const char rcsid[] = "$Id: support.c,v 1.8 2000/01/04 09:50:03 fcusack Exp $"; + ++#include <errno.h> + #include <stdio.h> /* BUFSIZ */ ++#include <stdlib.h> /* malloc */ ++#include <string.h> /* strncpy */ + #include <syslog.h> /* syslog */ + #include <security/pam_appl.h> + #include <security/pam_modules.h> + #include <krb5.h> ++#include <com_err.h> + #include "pam_krb5.h" ++#include "krb5compat.h" + + /* + * Get info from the user. Disallow null responses (regardless of flags). +@@ -22,11 +27,12 @@ + get_user_info(pam_handle_t *pamh, char *prompt, int type, char **response) + { + int pamret; +- struct pam_message msg, *pmsg; ++ struct pam_message msg; ++ const struct pam_message *pmsg; + struct pam_response *resp = NULL; + struct pam_conv *conv; + +- if (pamret = pam_get_item(pamh, PAM_CONV, (void **) &conv)) ++ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) + return pamret; + + /* set up conversation call */ +@@ -34,7 +40,7 @@ + msg.msg_style = type; + msg.msg = prompt; + +- if (pamret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr)) ++ if ((pamret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr)) != 0) + return pamret; + + /* Caller should ignore errors for non-response conversations */ +@@ -53,8 +59,8 @@ + + + krb5_error_code +-pam_prompter(krb5_context context, void *data, const char *name, +- const char *banner, int num_prompts, krb5_prompt prompts[]) ++pam_prompter(krb5_context context, void *data, const char *banner, int ++ num_prompts, krb5_prompt prompts[]) + { + int pam_prompts = num_prompts; + int pamret, i; +@@ -64,12 +70,9 @@ + struct pam_conv *conv; + pam_handle_t *pamh = (pam_handle_t *) data; + +- if (pamret = pam_get_item(pamh, PAM_CONV, (void **) &conv)) ++ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) + return KRB5KRB_ERR_GENERIC; + +- if (name) +- 
pam_prompts++; +- + if (banner) + pam_prompts++; + +@@ -80,21 +83,11 @@ + /* Now use pam_prompts as an index */ + pam_prompts = 0; + +- /* Sigh. malloc all the prompts. */ +- if (name) { +- msg[pam_prompts].msg = malloc(strlen(name) + 1); +- if (!msg[pam_prompts].msg) +- goto cleanup; +- strcpy(msg[pam_prompts].msg, name); +- msg[pam_prompts].msg_style = PAM_TEXT_INFO; +- pam_prompts++; +- } +- + if (banner) { + msg[pam_prompts].msg = malloc(strlen(banner) + 1); + if (!msg[pam_prompts].msg) + goto cleanup; +- strcpy(msg[pam_prompts].msg, banner); ++ strcpy((char *) msg[pam_prompts].msg, banner); + msg[pam_prompts].msg_style = PAM_TEXT_INFO; + pam_prompts++; + } +@@ -103,13 +96,14 @@ + msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3); + if (!msg[pam_prompts].msg) + goto cleanup; +- sprintf(msg[pam_prompts].msg, "%s: ", prompts[i].prompt); ++ sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt); + msg[pam_prompts].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF + : PAM_PROMPT_ECHO_ON; + pam_prompts++; + } + +- if (pamret = conv->conv(pam_prompts, &msg, &resp, conv->appdata_ptr)) ++ if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg, ++ &resp, conv->appdata_ptr)) != 0) + goto cleanup; + + if (!resp) +@@ -117,8 +111,6 @@ + + /* Reuse pam_prompts as a starting index */ + pam_prompts = 0; +- if (name) +- pam_prompts++; + if (banner) + pam_prompts++; + +@@ -142,7 +134,7 @@ + + for (i = 0; i < pam_prompts; i++) { + if (msg[i].msg) +- free(msg[i].msg); ++ free((char *) msg[i].msg); + } + free(msg); + +@@ -189,8 +181,6 @@ + krb5_keyblock * keyblock = 0; + krb5_data packet; + krb5_auth_context auth_context = NULL; +- krb5_keytab keytab = NULL; +- char * kt_name = NULL; + + packet.data = 0; + +@@ -198,8 +188,8 @@ + * Get the server principal for the local host. + * (Use defaults of "host" and canonicalized local name.) 
+ */ +- if (retval = krb5_sname_to_principal(context, NULL, NULL, +- KRB5_NT_SRV_HST, &princ)) { ++ if ((retval = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST, ++ &princ)) != 0) { + if (debug) + syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", + "krb5_sname_to_principal()", error_message(retval)); +@@ -207,7 +197,7 @@ + } + + /* Extract the name directly. */ +- strncpy(phost, krb5_princ_component(c, princ, 1)->data, BUFSIZ); ++ strncpy(phost, compat_princ_component(context, princ, 1), BUFSIZ); + phost[BUFSIZ - 1] = '\0'; + + /* +@@ -215,8 +205,8 @@ + * (use default/configured keytab, kvno IGNORE_VNO to get the + * first match, and enctype is currently ignored anyhow.) + */ +- if (retval = krb5_kt_read_service_key(context, NULL, princ, 0, +- ENCTYPE_DES_CBC_MD5, &keyblock)) { ++ if ((retval = krb5_kt_read_service_key(context, NULL, princ, 0, ++ ENCTYPE_DES_CBC_MD5, &keyblock)) != 0) { + /* Keytab or service key does not exist */ + if (debug) + syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", +@@ -256,7 +246,7 @@ + + cleanup: + if (packet.data) +- krb5_free_data_contents(context, &packet); ++ compat_free_data_contents(context, &packet); + krb5_free_principal(context, princ); + return retval; + diff --git a/security/pam_krb5/files/patch-ag b/security/pam_krb5/files/patch-ag new file mode 100644 index 000000000000..2e1c65eb640c --- /dev/null +++ b/security/pam_krb5/files/patch-ag 
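Review bot: The new cast in `pam_prompter`, `conv->conv(pam_prompts, (const struct pam_message **) &msg, ...)`, silences the type mismatch but still passes the address of a single pointer to a contiguous array of `struct pam_message` (the code indexes `msg[i].msg`). A conversation function that follows the array-of-pointers convention reads `msg[i]->msg`, so with a banner plus prompts (`pam_prompts > 1`) it would read past `&msg`; which convention the host PAM library uses should be confirmed. A form that satisfies both conventions fills a small pointer array with `pmsg[i] = &msg[i];` and passes `pmsg`. The declaration of `msg` lies outside the hunk.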
@@ -0,0 +1,52 @@ +--- pam_krb5.5.orig Tue Jan 4 19:08:51 2000 ++++ pam_krb5.5 Mon Nov 6 10:27:01 2000 +@@ -1,24 +1,24 @@ + .\" + .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $ +-.TH pam_krb5 5 "15 Jan 1999" ++.TH pam_krb5 8 "15 Jan 1999" + .SH NAME + pam_krb5 \- Kerberos 5 PAM module + .SH SYNOPSIS + .LP +-.B /usr/lib/security/pam_krb5.so.1 ++.B /usr/lib/pam_krb5.so + .LP + .SH DESCRIPTION + .IX "pam_krb5" "" "\fLpam_krb5\fP \(em Kerberos 5 PAM module" + .PP + The Kerberos 5 service module for PAM, typically +-.BR /usr/lib/security/pam_krb5.so.1 , ++.BR /usr/lib/pam_krb5.so , + provides functionality for three PAM categories: + authentication, + account management, + and password management. + It also provides null functions for session management. + The +-.B pam_krb5.so.1 ++.B pam_krb5.so + module is a shared object + that can be dynamically loaded to provide + the necessary functionality upon demand. +@@ -177,10 +177,9 @@ + .SH SEE ALSO + .BR kdestroy (1), + .BR passwd (1), +-.BR pam (3), ++.BR pam (8), + .BR syslog (3), +-.BR libpam (4), +-.BR pam.conf (4). ++.BR pam.conf (5). + .SH NOTES + Applications should not call + .B pam_authenticate() +@@ -189,7 +188,3 @@ + and + .B pam_end() + when using the Kerberos 5 PAM module. +-.LP +-dtlogin will not successfully authenticate a user who enters a realm +-name as part of their username (even if the authentication +-module returns success). diff --git a/security/pam_krb5/files/patch-ah b/security/pam_krb5/files/patch-ah new file mode 100644 index 000000000000..8f62854e32d5 --- /dev/null +++ b/security/pam_krb5/files/patch-ah 
@@ -0,0 +1,24 @@
+--- compat_heimdal.c.orig Mon Nov 6 10:21:49 2000
++++ compat_heimdal.c Mon Nov 6 10:48:37 2000
+@@ -0,0 +1,21 @@
++#include <krb5.h>
++#include "krb5compat.h"
++
++const char *
++compat_princ_component(krb5_context context, krb5_principal princ, int n)
++{
++ return princ->name.name_string.val[n];
++}
++
++void
++compat_free_data_contents(krb5_context context, krb5_data *data)
++{
++ krb5_xfree(data);
++}
++
++krb5_error_code
++compat_cc_next_cred(krb5_context context, const krb5_ccache id,
++ krb5_cc_cursor *cursor, krb5_creds *creds)
++{
++ return krb5_cc_next_cred(context, id, creds, cursor);
++}
diff --git a/security/pam_krb5/files/patch-ai b/security/pam_krb5/files/patch-ai
new file mode 100644
index 000000000000..df90dd56633e
--- /dev/null
+++ b/security/pam_krb5/files/patch-ai
@@ -0,0 +1,24 @@
+--- compat_mit.c.orig Mon Nov 6 10:21:49 2000
++++ compat_mit.c Mon Nov 6 10:49:14 2000
+@@ -0,0 +1,21 @@
++#include <krb5.h>
++#include "krb5compat.h"
++
++const char *
++compat_princ_component(krb5_context context, krb5_principal princ, int n)
++{
++ return krb5_princ_component(context, princ, n)->data;
++}
++
++void
++compat_free_data_contents(krb5_context context, krb5_data *data)
++{
++ krb5_free_data_contents(context, data);
++}
++
++krb5_error_code
++compat_cc_next_cred(krb5_context context, const krb5_ccache id,
++ krb5_cc_cursor *cursor, krb5_creds *creds)
++{
++ return krb5_cc_next_cred(context, id, cursor, creds);
++}
diff --git a/security/pam_krb5/pkg-comment b/security/pam_krb5/pkg-comment
new file mode 100644
index 000000000000..7e718e8bbb10
--- /dev/null
+++ b/security/pam_krb5/pkg-comment
@@ -0,0 +1 @@
+A Pluggable Authentication Module for Kerberos 5
diff --git a/security/pam_krb5/pkg-descr b/security/pam_krb5/pkg-descr
new file mode 100644
index 000000000000..89603de2f45b
--- /dev/null
+++ b/security/pam_krb5/pkg-descr
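Review bot: `compat_free_data_contents()` in compat_heimdal.c calls `krb5_xfree(data)`, which releases the `krb5_data` pointer itself rather than the buffer it owns. The only caller shown (patch-af, `compat_free_data_contents(context, &packet)`) passes the address of what appears to be a local `krb5_data packet`, so on the TGT-verification path this would be an invalid free and `packet.data` would leak. The MIT shim frees only the contents; the Heimdal counterpart would be `krb5_data_free(data);`. Separately, `compat_princ_component()` indexes `name_string.val[n]` without comparing `n` against `name_string.len`.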
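Review bot: compat_mit.c includes `"krb5compat.h"`, as do compat_heimdal.c, pam_krb5_auth.c and support.c, and patch-aa lists it as a prerequisite of several objects, but none of the nine patch files in this commit's diffstat creates that header. Unless the upstream tarball already ships it, the build stops at the first object that depends on it. The commit needs one more patch that adds krb5compat.h with prototypes for `compat_princ_component`, `compat_free_data_contents` and `compat_cc_next_cred`.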
@@ -0,0 +1,4 @@
+A Pluggable Authentication Module for Kerberos 5, which can
+be compiled for either Heimdal or MIT Kerberos.
+
+WWW: http://www.fcusack.com/
diff --git a/security/pam_krb5/pkg-plist b/security/pam_krb5/pkg-plist
new file mode 100644
index 000000000000..ed0796d89284
--- /dev/null
+++ b/security/pam_krb5/pkg-plist
@@ -0,0 +1 @@
+lib/pam_krb5.so |