packages: krb5/krb5.spec, krb5/krb5-ftp_fdleak.patch (NEW), krb5/krb5-ftp_g...
baggins
baggins at pld-linux.org
Wed Jun 3 17:15:11 CEST 2009
Author: baggins Date: Wed Jun 3 15:15:11 2009 GMT
Module: packages Tag: HEAD
---- Log message:
- fixes/features from FC (descriptions in patches)
---- Files affected:
packages/krb5:
krb5.spec (1.130 -> 1.131) , krb5-ftp_fdleak.patch (NONE -> 1.1) (NEW), krb5-ftp_glob_runique.patch (NONE -> 1.1) (NEW), krb5-key_exp.patch (NONE -> 1.1) (NEW), krb5-ldap-init.patch (NONE -> 1.1) (NEW), krb5-ldap-man.patch (NONE -> 1.1) (NEW), krb5-lucid-acceptor.patch (NONE -> 1.1) (NEW), krb5-pam.patch (NONE -> 1.1) (NEW), krb5-selinux-label.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/krb5/krb5.spec
diff -u packages/krb5/krb5.spec:1.130 packages/krb5/krb5.spec:1.131
--- packages/krb5/krb5.spec:1.130 Wed Jun 3 16:14:34 2009
+++ packages/krb5/krb5.spec Wed Jun 3 17:15:05 2009
@@ -66,6 +66,14 @@
Patch32: %{name}-tests.patch
Patch33: %{name}-config.patch
Patch34: %{name}-any-fixup.patch
+Patch35: %{name}-ftp_fdleak.patch
+Patch36: %{name}-ftp_glob_runique.patch
+Patch37: %{name}-key_exp.patch
+Patch38: %{name}-ldap-init.patch
+Patch39: %{name}-ldap-man.patch
+Patch40: %{name}-lucid-acceptor.patch
+Patch41: %{name}-pam.patch
+Patch42: %{name}-selinux-label.patch
Patch100: %{name}-CVE-2007-5901.patch
Patch101: %{name}-CVE-2007-5971.patch
Patch102: %{name}-CVE-2008-0062,0063.patch
@@ -595,6 +603,14 @@
%patch32 -p1
%patch33 -p1
%patch34 -p0
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p0
+%patch39 -p0
+%patch40 -p0
+%patch41 -p1
+%patch42 -p1
%patch100 -p0
%patch101 -p0
@@ -1011,6 +1027,9 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.131 2009/06/03 15:15:05 baggins
+- fixes/featurs from FC (descriptions in patches)
+
Revision 1.130 2009/06/03 14:14:34 baggins
- added fixes from krb5 trunk
- removed outdated patches
================================================================
Index: packages/krb5/krb5-ftp_fdleak.patch
diff -u /dev/null packages/krb5/krb5-ftp_fdleak.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-ftp_fdleak.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,67 @@
+Don't open a new socket without closing a possibly already-open one. RT#5597.
+diff -uNr krb5/src/appl/gssftp/ftp/ftp.c krb5/src/appl/gssftp/ftp/ftp.c
+--- krb5/src/appl/gssftp/ftp/ftp.c
++++ krb5/src/appl/gssftp/ftp/ftp.c
+@@ -196,7 +196,7 @@ char *
+ hookup(char* host, int port)
+ {
+ register struct hostent *hp = 0;
+- int s;
++ int s, t;
+ socklen_t len;
+ #ifdef IP_TOS
+ #ifdef IPTOS_LOWDELAY
+@@ -274,8 +274,13 @@ hookup(char* host, int port)
+ }
+ #endif
+ #endif
++#ifndef _WIN32
++ t = dup(s);
++#else
++ t = s;
++#endif
+ cin = FDOPEN_SOCKET(s, "r");
+- cout = FDOPEN_SOCKET(s, "w");
++ cout = FDOPEN_SOCKET(t, "w");
+ if (cin == NULL || cout == NULL) {
+ fprintf(stderr, "ftp: fdopen failed.\n");
+ if (cin) {
+@@ -1448,6 +1453,8 @@
+ int a1,a2,a3,a4,p1,p2;
+
+ if (passivemode) {
++ if (data != INVALID_SOCKET)
++ (void) closesocket(data);
+ data = socket(AF_INET, SOCK_STREAM, 0);
+ if (data == INVALID_SOCKET) {
+ PERROR_SOCKET("ftp: socket");
+@@ -2366,4 +2371,16 @@ FILE* fdopen_socket(SOCKET s, char* mode
+
+ return f;
+ }
++#else
++/* Non-Win32 case takes the address of the variable so that we can "take
++ * ownership" of the descriptor number. */
++FILE* fdopen_socket(int *s, char* mode)
++{
++ FILE *fp;
++ fp = fdopen(*s, mode);
++ if (fp) {
++ *s = INVALID_SOCKET;
++ }
++ return fp;
++}
+ #endif /* _WIN32 */
+diff -up krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h
+--- krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h 2007-08-03 00:53:35.000000000 -0400
++++ krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h 2007-08-03 00:53:39.000000000 -0400
+@@ -48,7 +48,8 @@ FILE* fdopen_socket(SOCKET s, char* mode
+ #define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0)
+ #else
+ #define FCLOSE_SOCKET(f) fclose(f)
+-#define FDOPEN_SOCKET(s, mode) fdopen(s, mode)
++FILE* fdopen_socket(int *s, char* mode);
++#define FDOPEN_SOCKET(s, mode) fdopen_socket(&s, mode)
+ #define SOCKETNO(fd) (fd)
+ #define PERROR_SOCKET(str) perror(str)
+ #endif
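Review bot: The `t = dup(s);` added to hookup() is never checked, so when dup() fails t is -1, the following `cout = FDOPEN_SOCKET(t, "w")` fails too, and the user sees `ftp: fdopen failed.` with errno already replaced by fdopen's, hiding the real cause; an `if (t < 0) { PERROR_SOCKET("ftp: dup"); ... }` directly after the dup(), bailing out the same way the existing fdopen failure path does, would report it correctly. With the new non-Win32 fdopen_socket() taking ownership, `s` is reset to INVALID_SOCKET as soon as cin is opened, so any later use of `s` in hookup() (the error path shown continues outside the hunk) now sees -1 rather than the descriptor — worth confirming that no remaining close() or setsockopt() on `s` depends on it. The new `FDOPEN_SOCKET(s, mode)` macro in ftp_var.h takes the address of its argument and so only works with an lvalue; a comment on the macro saying so, e.g. `/* s must be an lvalue: on success it is set to INVALID_SOCKET (the FILE now owns the descriptor) */`, would save the next caller a confusing compile error.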
================================================================
Index: packages/krb5/krb5-ftp_glob_runique.patch
diff -u /dev/null packages/krb5/krb5-ftp_glob_runique.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-ftp_glob_runique.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,14 @@
+Fix mget when runique is enabled and the globbing patch has been applied.
+diff -up krb5/src/appl/gssftp/ftp/ftp.c krb5/src/appl/gssftp/ftp/ftp.c
+--- krb5/src/appl/gssftp/ftp/ftp.c
++++ krb5/src/appl/gssftp/ftp/ftp.c
+@@ -1188,7 +1188,8 @@ void recvrequest(char *cmd, char *volati
+ return;
+ }
+ }
+- else if (runique && (local = gunique(local)) == NULL) {
++ else if (runique && strcmp(cmd, "NLST") &&
++ (local = gunique(local)) == NULL) {
+ (void) signal(SIGINT, oldintr);
+ code = -1;
+ return;
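Review bot: The new condition relies on strcmp()'s non-zero result standing in for "not NLST", which reads as if the command being NLST were the interesting case; `strcmp(cmd, "NLST") != 0 &&` makes the intent explicit. The reason the listing is exempt is stated only in the patch header, not in the code — a short comment such as `/* presumably the NLST listing fetched for remote globbing must not be renamed by gunique() */` would keep it next to the check. The enclosing recvrequest() starts and ends outside the hunk.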
================================================================
Index: packages/krb5/krb5-key_exp.patch
diff -u /dev/null packages/krb5/krb5-key_exp.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-key_exp.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,20 @@
+Sadique Puthen notes that the warning on the client side seems to be correspond
+to the wrong attribute on the KDC. Do what RFC4120 says we should do. RT#5755.
+--- krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:06.000000000 -0400
++++ krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:08.000000000 -0400
+@@ -371,7 +371,14 @@ process_as_req(krb5_kdc_req *request, kr
+ goto errout;
+ }
+ reply_encpart.nonce = request->nonce;
+- reply_encpart.key_exp = client.expiration;
++ if (client.expiration == 0) {
++ reply_encpart.key_exp = client.pw_expiration;
++ } else if (client.pw_expiration == 0) {
++ reply_encpart.key_exp = client.expiration;
++ } else {
++ reply_encpart.key_exp = client.pw_expiration < client.expiration ?
++ client.pw_expiration : client.expiration;
++ }
+ reply_encpart.flags = enc_tkt_reply.flags;
+ reply_encpart.server = ticket_reply.server;
+
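Review bot: The new three-way branch encodes two facts that live only in the patch header, not in the code: that a zero expiration means "no expiration", and that key-expiration is to be the earlier of the principal and password expiration times; a comment above the `if`, e.g. `/* key-expiration is the earlier of principal and password expiration; 0 means none (RFC 4120 5.4.2) */`, would keep that with the logic. When both values are 0 the first branch stores 0, which presumably the encoder treats as "absent" — worth confirming that key_exp == 0 is omitted from the reply rather than sent as the epoch. process_as_req() starts and ends outside the hunk.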
================================================================
Index: packages/krb5/krb5-ldap-init.patch
diff -u /dev/null packages/krb5/krb5-ldap-init.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-ldap-init.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,17 @@
+fix an uninitialized length value which could cause a crash when parsing
+key data coming from a directory server
+
+Index: src/lib/krb5/asn.1/ldap_key_seq.c
+===================================================================
+--- src/lib/krb5/asn.1/ldap_key_seq.c (revision 19509)
++++ src/lib/krb5/asn.1/ldap_key_seq.c (working copy)
+@@ -341,7 +341,8 @@
+ if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */
+ ret = decode_tagged_octetstring (&slt, 1, &keylen,
+ &key->key_data_contents[1]); checkerr;
+- }
++ } else
++ keylen = 0;
+ safe_syncbuf (&subbuf, &slt);
+ key->key_data_length[1] = keylen; /* XXX range check?? */
+
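Review bot: The added `} else keylen = 0;` leaves the else unbraced beside a braced if; brace it (`} else {` / `keylen = 0;` / `}`), or better, initialize keylen at its declaration (outside the hunk) so that no other early path can leave it unset either, since the reported crash came from exactly that. The `/* XXX range check?? */` on the assignment to `key->key_data_length[1]` in the context still applies: keylen is decoded from data received from the directory server, and if the destination field is narrower than keylen (its type is not visible here) the assignment truncates silently, so rejecting out-of-range lengths through the function's existing `ret`/`checkerr` error path before storing them would close that. The enclosing function starts and ends outside the hunk.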
================================================================
Index: packages/krb5/krb5-ldap-man.patch
diff -u /dev/null packages/krb5/krb5-ldap-man.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-ldap-man.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,24 @@
+correct a typo in the krb5.conf man page
+
+Index: src/config-files/krb5.conf.M
+===================================================================
+--- src/config-files/krb5.conf.M (revision 19507)
++++ src/config-files/krb5.conf.M (working copy)
+@@ -600,7 +600,7 @@
+ objects used for starting the Kerberos servers. This value is used if no
+ service password file is mentioned in the configuration section under dbmodules.
+
+-.IP ldap_server
++.IP ldap_servers
+ This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
+ is whitespace-separated. The LDAP server is specified by a LDAP URI.
+ This value is used if no LDAP servers are mentioned in the configuration
+@@ -641,7 +641,7 @@
+ This LDAP specific tag indicates the file containing the stashed passwords for the
+ objects used for starting the Kerberos servers.
+
+-.IP ldap_server
++.IP ldap_servers
+ This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
+ is whitespace-separated. The LDAP server is specified by a LDAP URI.
+
================================================================
Index: packages/krb5/krb5-lucid-acceptor.patch
diff -u /dev/null packages/krb5/krb5-lucid-acceptor.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-lucid-acceptor.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,14 @@
+From Kevin Coffman, via the nfs4 mailing list.
+properly export the acceptor subkey when creating a lucid context
+diff -up src/lib/gssapi/krb5/lucid_context.c ./src/lib/gssapi/krb5/lucid_context.c
+--- src/lib/gssapi/krb5/lucid_context.c 2008-04-01 16:28:11.000000000 -0400
++++ src/lib/gssapi/krb5/lucid_context.c 2008-04-01 16:28:01.000000000 -0400
+@@ -231,7 +231,7 @@ make_external_lucid_ctx_v1(
+ &lctx->cfx_kd.ctx_key)))
+ goto error_out;
+ if (gctx->have_acceptor_subkey) {
+- if ((retval = copy_keyblock_to_lucid_key(gctx->enc,
++ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
+ &lctx->cfx_kd.acceptor_subkey)))
+ goto error_out;
+ lctx->cfx_kd.have_acceptor_subkey = 1;
================================================================
Index: packages/krb5/krb5-pam.patch
diff -u /dev/null packages/krb5/krb5-pam.patch:1.1
--- /dev/null Wed Jun 3 17:15:11 2009
+++ packages/krb5/krb5-pam.patch Wed Jun 3 17:15:05 2009
@@ -0,0 +1,1040 @@
+Modify krshd so that it performs PAM account and session management. It
+must now always fork so that it can always clean up the session. The
+PAM session is opened and credentials initialized after any forwarded
+credentials are stored to disk and before access to the user's home
+directory is attempted. The default service name is "kshell" or
+"ekshell", depending on whether or not encryption is in use, to avoid a
+dependency or conflict on the plain rsh server's configuration file. At
+run-time, krshd's behavior can be reset to the earlier, non-PAM behavior
+by setting "use_pam" to false in the [rshd] section of /etc/krb5.conf.
+
+Modify ftpd so that authentication with a plaintext password goes
+through PAM, and it performs PAM account and session management. The
+PAM session is opened and credentials initialized after any forwarded
+credentials are stored to disk. The default service name is "gssftp",
+mainly to avoid conflicts with other FTP servers' configuration files.
+At run-time, krshd's behavior can be reset to the earlier, non-PAM
+behavior by setting "use_pam" to false in the [ftpd] section of
+/etc/krb5.conf.
+
+Modify login so that instead of directly obtaining v5 or v4 credentials
+or running aklog, it calls PAM for authentication if strong
+authentication hasn't already been performed, so that it performs
+account management using PAM (prompting for a password change if need
+be), and that it performs session management. The PAM session is opened
+and credentials initialized after any forwarded credentials are stored
+to disk. The default service name is "login", because its configuration
+is pretty much always going to be there. At run-time, login's behavior
+can be reset to the earlier, non-PAM behavior by setting "use_pam" to
+false in the [login] section of /etc/krb5.conf.
+
+When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+
+--- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500
++++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400
+@@ -24,6 +24,7 @@ AC_CHECK_LIB(odm,main,
+ AC_CHECK_LIB(cfg,main,
+ LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
+ )))
++KRB5_WITH_PAM
+ dnl
+ dnl Make our operating system-specific security checks and definitions for
+ dnl login.
+--- krb5-1.6.1/src/appl/bsd/krshd.c 2006-10-15 03:50:16.000000000 -0400
++++ krb5-1.6.1/src/appl/bsd/krshd.c 2007-06-22 14:28:57.000000000 -0400
+@@ -185,6 +185,10 @@ Key_schedule v4_schedule;
+ #include <arpa/nameser.h>
+ #endif
+
++#ifdef USE_PAM
++#include "pam.h"
++#endif
++
+ #ifndef MAXDNAME
+ #define MAXDNAME 256 /*per the rfc*/
+ #endif
+@@ -205,6 +209,7 @@ void fatal(int, const char *);
+
+ int require_encrypt = 0;
+ int do_encrypt = 0;
++int force_fork = 0;
+ int anyport = 0;
+ char *kprogdir = KPROGDIR;
+ int netf;
+@@ -1085,14 +1090,6 @@ void doit(f, fromp)
+ }
+ #endif /*CRAY*/
+
+- if (chdir(pwd->pw_dir) < 0) {
+- if(chdir("/") < 0) {
+- error("No remote directory.\n");
+- goto signout_please;
+- }
+- pwd->pw_dir = "/";
+- }
+-
+ #ifdef KERBEROS
+
+ #if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
+@@ -1151,11 +1148,49 @@ void doit(f, fromp)
+ goto signout_please;
+ }
+
++#ifdef USE_PAM
++ if (appl_pam_enabled(bsd_context, "rshd")) {
++ if (appl_pam_acct_mgmt(do_encrypt ?
++ EKSHELL_PAM_SERVICE :
++ KSHELL_PAM_SERVICE,
++ 0,
++ locuser,
++ "",
++ do_encrypt ?
++ EKSHELL_PAM_SERVICE :
++ KSHELL_PAM_SERVICE) != 0) {
++ error("Login denied.\n");
++ goto signout_please;
++ }
++ if (appl_pam_requires_chauthtok()) {
++ error("Password change required, but not possible over rsh.\n");
++ goto signout_please;
++ }
++ force_fork = 1;
++ appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME"));
++ if (appl_pam_session_open() != 0) {
++ error("Login failure.\n");
++ goto signout_please;
++ }
++ if (appl_pam_cred_init()) {
++ error("Login failure.\n");
++ goto signout_please;
++ }
++ } else
++#endif
+ if (pwd->pw_uid && !access(NOLOGIN, F_OK)) {
+ error("Logins currently disabled.\n");
+ goto signout_please;
+ }
+
++ if (chdir(pwd->pw_dir) < 0) {
++ if (chdir("/") < 0) {
++ error("No remote directory.\n");
++ goto signout_please;
++ }
++ pwd->pw_dir = "/";
++ }
++
+ /* Log access to account */
+ pwd = (struct passwd *) getpwnam(locuser);
+ if (pwd && (pwd->pw_uid == 0)) {
+@@ -1195,7 +1230,7 @@ void doit(f, fromp)
+
+ (void) write(2, "", 1);
+
+- if (port||do_encrypt) {
++ if (port||do_encrypt||force_fork) {
+ if (port&&(pipe(pv) < 0)) {
+ error("Can't make pipe.\n");
+ goto signout_please;
+@@ -1507,6 +1542,15 @@ void doit(f, fromp)
+
+ environ = envinit;
+
++#ifdef USE_PAM
++ if (appl_pam_enabled(bsd_context, "rshd")) {
++ if (appl_pam_setenv() != 0) {
++ error("Login failure.\n");
++ goto signout_please;
++ }
++ }
++#endif
++
+ #ifdef KERBEROS
+ /* To make Kerberos rcp work correctly, we must ensure that we
+ invoke Kerberos rcp on this end, not normal rcp, even if the
+--- krb5-1.6.1/src/appl/bsd/Makefile.in 2006-10-06 17:17:56.000000000 -0400
++++ krb5-1.6.1/src/appl/bsd/Makefile.in 2007-06-21 17:39:57.000000000 -0400
+@@ -14,13 +14,14 @@ LIBOBJS=@LIBOBJS@
+ V4RCP=@V4RCP@
+ V4RCPO=@V4RCPO@
+ KRSHDLIBS=@KRSHDLIBS@
++PAMOBJS=pam.o
+
+ SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \
+ $(srcdir)/forward.c $(srcdir)/compat_recv.c \
+ $(srcdir)/login.c $(srcdir)/krshd.c $(srcdir)/krlogind.c \
+ $(srcdir)/v4rcp.c
+ OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) \
+- login.o krshd.o krlogind.o $(V4RCPO) $(LIBOBJS)
++ login.o krshd.o krlogind.o $(V4RCPO) $(LIBOBJS) $(PAMOBJS)
+
+ UCB_RLOGIN = @UCB_RLOGIN@
+ UCB_RSH = @UCB_RSH@
+@@ -66,8 +67,8 @@ install::
+ ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
+ fi
+
+-kshd: krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
+- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
++kshd: krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
++ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o compat_recv.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(PAM_LIBS) $(APPUTILS_LIB)
+
+ klogind: krlogind.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
+ $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
+@@ -84,8 +85,8 @@ install::
+ # No program name transformation is done with login.krb5 since it is directly
+ # referenced by klogind.
+ #
+-login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+- $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB4COMPAT_LIBS)
++login.krb5: login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS)
++ $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB4COMPAT_LIBS) $(PAM_LIBS)
+
+ install::
+ $(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5
+--- krb5-1.6.1/src/appl/bsd/login.c 2006-08-08 15:26:40.000000000 -0400
++++ krb5-1.6.1/src/appl/bsd/login.c 2007-06-22 14:09:41.000000000 -0400
+@@ -159,6 +159,11 @@ typedef sigtype (*handler)();
+ #include "osconf.h"
+ #endif /* KRB5_GET_TICKETS */
+
++#ifdef USE_PAM
++#include "pam.h"
++int login_use_pam = 1;
++#endif
++
+ #ifdef KRB4_KLOGIN
+ /* support for running under v4 klogind, -k -K flags */
+ #define KRB4
+@@ -351,6 +356,9 @@ static struct login_confs {
+ char *flagname;
+ int *flag;
+ } login_conf_set[] = {
++#ifdef USE_PAM
++ {USE_PAM_CONFIGURATION_KEYWORD, &login_use_pam},
++#endif
+ #ifdef KRB5_GET_TICKETS
+ {"krb5_get_tickets", &login_krb5_get_tickets},
+ #endif
+@@ -1292,6 +1294,18 @@ int main(argc, argv)
+ if (!unix_needs_passwd())
+ break;
+
++#ifdef USE_PAM
++ if (login_use_pam) {
++ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
++ ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
++ break;
++ } else {
++ /* the goto target label is in a different nesting scope, but
++ * it's roughly where we want to land */
++ goto bad_login;
++ }
++ }
++#endif
+ /* we have several sets of code:
+ 1) get v5 tickets alone -DKRB5_GET_TICKETS
+ 2) get v4 tickets alone [** don't! only get them *with* v5 **]
+@@ -1406,6 +1420,24 @@ int main(argc, argv)
+ /* committed to login -- turn off timeout */
+ (void) alarm((u_int) 0);
+
++#ifdef USE_PAM
++ if (login_use_pam) {
++ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
++ ttyname(STDIN_FILENO)) != 0) {
++ printf("Login incorrect\n");
++ sleepexit(1);
++ }
++ if (appl_pam_requires_chauthtok()) {
++ if (appl_pam_chauthtok() != 0) {
++ printf("Failed to change password.\n");
++ sleepexit(1);
++ }
++ }
++ } else {
++ /* the "else" here is the non-PAM behavior which continues until the
++ * next ifdef USE_PAM block, as of this writing more or less
++ * duplicating the work of pam_securetty and an OQUOTA check */
++#endif
+ /*
+ * If valid so far and root is logging in, see if root logins on
+ * this terminal are permitted.
+@@ -1446,6 +1478,21 @@ int main(argc, argv)
+ sleepexit(0);
+ }
+ #endif
++#ifdef USE_PAM
++ }
++#endif /* USE_PAM */
++
++#ifdef USE_PAM
++ if (login_use_pam) {
++ appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME"));
++ if (appl_pam_session_open() != 0) {
++ sleepexit(1);
++ }
++ if (appl_pam_cred_init() != 0) {
++ sleepexit(1);
++ }
++ }
++#endif /* USE_PAM */
+
+ if (chdir(pwd->pw_dir) < 0) {
+ printf("No directory %s!\n", pwd->pw_dir);
+@@ -1792,6 +1839,11 @@ int main(argc, argv)
+ }
+ #endif /* KRB5_GET_TICKETS */
+
++#ifdef USE_PAM
++ if (login_use_pam)
++ appl_pam_setenv();
++#endif
++
+ if (tty[sizeof("tty")-1] == 'd')
+ syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
+ if (pwd->pw_uid == 0)
+--- /dev/null 2007-06-22 10:29:46.741860805 -0400
++++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400
+@@ -0,0 +1,414 @@
++/*
++ * src/appl/bsd/pam.c
++ *
++ * Copyright 2007 Red Hat, Inc.
++ *
++ * All Rights Reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ * Redistributions of source code must retain the above copyright notice, this
++ * list of conditions and the following disclaimer.
++ *
++ * Redistributions in binary form must reproduce the above copyright notice,
++ * this list of conditions and the following disclaimer in the documentation
++ * and/or other materials provided with the distribution.
++ *
++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
++ * used to endorse or promote products derived from this software without
++ * specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Convenience wrappers for using PAM.
++ */
++
++#ifdef USE_PAM
++#include <sys/types.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include "k5-int.h"
++#include "pam.h"
++
++#ifndef MAXPWSIZE
++#define MAXPWSIZE 128
++#endif
++
++static int appl_pam_started;
++static pid_t appl_pam_starter = -1;
++static int appl_pam_session_opened;
++static int appl_pam_creds_initialized;
++static int appl_pam_pwchange_required;
++static pam_handle_t *appl_pamh;
++static struct pam_conv appl_pam_conv;
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/krb5/krb5.spec?r1=1.130&r2=1.131&f=u