authorRyan Steinmetz <zi@FreeBSD.org>2011-10-31 23:21:02 +0000
committerRyan Steinmetz <zi@FreeBSD.org>2011-10-31 23:21:02 +0000
commit523261f2712d3aca57284de11379cd986507f390 (patch)
treecb41c1adf5593411ee434df6e24c1add826f104e
parent0f64a7859c13ec12f6c6271c35544915748e6944 (diff)
Notes
-rw-r--r--security/Makefile1
-rw-r--r--security/pam_krb5-rh/Makefile51
-rw-r--r--security/pam_krb5-rh/distinfo2
-rw-r--r--security/pam_krb5-rh/files/patch-src__acct.c10
-rw-r--r--security/pam_krb5-rh/files/patch-src__kuserok.c10
-rw-r--r--security/pam_krb5-rh/files/patch-src__storetmp.c10
-rw-r--r--security/pam_krb5-rh/files/patch-src__v5.c70
-rw-r--r--security/pam_krb5-rh/pkg-descr7
-rw-r--r--security/pam_krb5-rh/pkg-plist49
9 files changed, 210 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 64f051206972..70c51c2e0add 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -572,6 +572,7 @@
SUBDIR += pam_jail
SUBDIR += pam_kde
SUBDIR += pam_krb5
+ SUBDIR += pam_krb5-rh
SUBDIR += pam_ldap
SUBDIR += pam_mkhomedir
SUBDIR += pam_p11
diff --git a/security/pam_krb5-rh/Makefile b/security/pam_krb5-rh/Makefile
new file mode 100644
index 000000000000..c91a4142e2df
--- /dev/null
+++ b/security/pam_krb5-rh/Makefile
@@ -0,0 +1,51 @@
+# New ports collection makefile for: pam_krb5
+# Date created: 18 October 2011
+# Whom: Ryan Steinmetz <zi@FreeBSD.org>
+#
+# $FreeBSD$
+#
+
+PORTNAME= pam_krb5
+DISTVERSION= 2.3.13-1
+CATEGORIES= security
+MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ \
+ http://people.rit.edu/rpsfa/distfiles/
+PKGNAMESUFFIX= -rh
+
+MAINTAINER= zi@FreeBSD.org
+COMMENT= The Red Hat Pluggable Authentication Module for Kerberos 5
+
+LICENSE= LGPL21 BSD
+LICENSE_COMB= dual
+
+CONFLICTS= pam_krb5-4.*
+
+USE_ICONV= yes
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+=--with-libiconv-prefix=${LOCALBASE} --without-afs \
+ --with-libintl-prefix=${LOCALBASE} --with-krb4=no \
+ --without-keyutils
+LDFLAGS= -L${LOCALBASE}/lib
+
+MAN5= pam_krb5.5
+MAN8= pam_krb5.8 pam_krb5_storetmp.8
+
+.if defined(WITHOUT_NLS)
+PLIST_SUB+= NLS="@comment "
+CONFIGURE_ARGS+=--disable-nls
+.else
+PLIST_SUB+= NLS=""
+LDFLAGS+= -lintl
+USE_GETTEXT= yes
+.endif
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|libdir)/security|libdir)|g' ${WRKSRC}/src/Makefile.in
+ @${REINPLACE_CMD} -e 's|/lib64/security|${LOCALBASE}/lib|g' \
+ ${WRKSRC}/src/*.8
+ @${REINPLACE_CMD} -e 's|-ldl||g' ${WRKSRC}/tests/tools/Makefile.in
+ @${REINPLACE_CMD} -e 's|PAM_BAD_ITEM|PAM_SYMBOL_ERR|g' ${WRKSRC}/src/conv.c
+ @${REINPLACE_CMD} -e 's|PAM_AUTHTOK_RECOVER_ERR|PAM_AUTHTOK_RECOVERY_ERR|g' \
+ ${WRKSRC}/src/password.c
+
+.include <bsd.port.mk>
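Review bot: The two `post-patch` substitutions that rewrite PAM error constants (`PAM_BAD_ITEM` to `PAM_SYMBOL_ERR` in src/conv.c, `PAM_AUTHTOK_RECOVER_ERR` to `PAM_AUTHTOK_RECOVERY_ERR` in src/password.c) change which status an authentication module returns to the PAM stack, yet the target carries no comment explaining them. A line such as `# OpenPAM has no PAM_BAD_ITEM and spells the recovery error PAM_AUTHTOK_RECOVERY_ERR; map to the nearest local codes` above them would let a later maintainer check whether the mapping is still right after an upstream update. Also, `LDFLAGS= -L${LOCALBASE}/lib` replaces any flags set by the user or the framework; `LDFLAGS+= -L${LOCALBASE}/lib` would keep them, as the NLS branch further down already does.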
diff --git a/security/pam_krb5-rh/distinfo b/security/pam_krb5-rh/distinfo
new file mode 100644
index 000000000000..54fc02854c4e
--- /dev/null
+++ b/security/pam_krb5-rh/distinfo
@@ -0,0 +1,2 @@
+SHA256 (pam_krb5-2.3.13-1.tar.gz) = bc5b45afcb5951edc0c4b98a3342d96a3b59cedd4234560b6d1450ebe990195f
+SIZE (pam_krb5-2.3.13-1.tar.gz) = 566365
diff --git a/security/pam_krb5-rh/files/patch-src__acct.c b/security/pam_krb5-rh/files/patch-src__acct.c
new file mode 100644
index 000000000000..9ee36b600c47
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__acct.c
@@ -0,0 +1,10 @@
+--- ./src/acct.c.orig 2011-07-29 15:31:01.000000000 -0400
++++ ./src/acct.c 2011-10-18 11:49:37.000000000 -0400
+@@ -38,7 +38,6 @@
+
+ #ifdef HAVE_SECURITY_PAM_MODULES_H
+ #define PAM_SM_ACCT_MGMT
+-#include <security/pam_modules.h>
+ #endif
+
+ #include <errno.h>
diff --git a/security/pam_krb5-rh/files/patch-src__kuserok.c b/security/pam_krb5-rh/files/patch-src__kuserok.c
new file mode 100644
index 000000000000..d59f45186619
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__kuserok.c
@@ -0,0 +1,10 @@
+--- ./src/kuserok.c.orig 2011-07-29 15:31:01.000000000 -0400
++++ ./src/kuserok.c 2011-10-18 11:46:19.000000000 -0400
+@@ -36,6 +36,7 @@
+ #include <sys/select.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
++#include <sys/signal.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
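Review bot: The added `#include <sys/signal.h>` names a system-internal header; the portable spelling is `#include <signal.h>`, which on FreeBSD provides the same declarations. The same line is added in patch-src__storetmp.c and the comment applies there as well. The include list of the patched file continues outside this hunk.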
diff --git a/security/pam_krb5-rh/files/patch-src__storetmp.c b/security/pam_krb5-rh/files/patch-src__storetmp.c
new file mode 100644
index 000000000000..ae7894a30a11
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__storetmp.c
@@ -0,0 +1,10 @@
+--- ./src/storetmp.c.orig 2011-10-18 11:47:04.000000000 -0400
++++ ./src/storetmp.c 2011-10-18 11:47:16.000000000 -0400
+@@ -36,6 +36,7 @@
+ #include <sys/select.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
++#include <sys/signal.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
diff --git a/security/pam_krb5-rh/files/patch-src__v5.c b/security/pam_krb5-rh/files/patch-src__v5.c
new file mode 100644
index 000000000000..ec9fa8296269
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__v5.c
@@ -0,0 +1,70 @@
+--- ./src/v5.c.orig 2011-07-29 15:31:01.000000000 -0400
++++ ./src/v5.c 2011-10-24 09:25:15.000000000 -0400
+@@ -1350,6 +1350,9 @@
+ krb5_creds tmpcreds;
+ krb5_ccache ccache;
+ krb5_get_init_creds_opt *tmp_gicopts;
++ krb5_timestamp sec;
++ const char *e = NULL;
++ char *p;
+
+ /* In case we already have creds, get rid of them. */
+ krb5_free_cred_contents(ctx, creds);
+@@ -1393,23 +1396,50 @@
+ memset(&service_principal, 0, sizeof(service_principal));
+ if (krb5_parse_name(ctx, realm_service,
+ &service_principal) == 0) {
+- if (options->debug) {
+- debug("attempting to read existing credentials "
+- "from %s", krb5_cc_default_name(ctx));
+- }
+ memset(&ccache, 0, sizeof(ccache));
+ /* In case we're setuid/setgid, switch to the caller's
+ * permissions. */
+ saved_perms = _pam_krb5_switch_perms();
++
++ e = getenv("KRB5CCNAME");
++ if (e) {
++ p = strndup(e, 128);
++ if (p == NULL) {
++ memset(&e, 0, sizeof(e));
++ if (options->debug)
++ debug("malloc: out of memory");
++ return ENOMEM;
++ }
++ if ((strnlen(p, 128) > 96) || strnlen(p, 128) <= 0) {
++ memset(&e, 0, sizeof(e));
++ if (options->debug)
++ debug("KRB5CCNAME is too long or too short, aborting");
++ return PAM_SYSTEM_ERR;
++ }
++ if (strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '='))
++ krb5_cc_set_default_name(ctx, p);
++ else {
++ if (options->debug)
++ debug("KRB5CCNAME does not start with FILE:");
++ }
++ memset(&e, 0, sizeof(e));
++ }
++ if (options->debug) {
++ debug("attempting to read existing credentials "
++ "from %s", krb5_cc_default_name(ctx));
++ }
+ if ((saved_perms != NULL) &&
+ (krb5_cc_default(ctx, &ccache) == 0)) {
++ krb5_timeofday (ctx, &sec);
+ tmpcreds.client = userinfo->principal_name;
+ tmpcreds.server = service_principal;
+ i = krb5_cc_retrieve_cred(ctx, ccache, 0,
+ &tmpcreds, creds);
+- /* FIXME: check if the creds are expired?
+- * What's the right error code if we check, and
+- * they are? */
++ if ((i == 0) && creds->times.endtime < sec) {
++ if (options->debug)
++ warn("Credentials expired");
++ i = KRB5_KPASSWD_AUTHERROR;
++ }
+ memset(&tmpcreds, 0, sizeof(tmpcreds));
+ krb5_cc_close(ctx, ccache);
+ /* In case we're setuid/setgid, restore the
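Review bot: The two early exits in the added KRB5CCNAME block, `return ENOMEM;` and `return PAM_SYSTEM_ERR;`, run after `_pam_krb5_switch_perms()` and so appear to skip the permission restore that the hunk's last comment line introduces, leaving a setuid/setgid caller on switched credentials; they also return without releasing `service_principal`, and the `strndup` copy `p` is never freed on any path, including success. The copy is not needed: bounding the length with `strnlen` on the `getenv` result directly removes the allocation, the `ENOMEM` path (an errno value mixed into what otherwise looks like PAM/krb5 return codes) and the `memset(&e, 0, sizeof(e))` calls, which only clear the local pointer. This assumes `krb5_cc_set_default_name` copies its argument, which should be confirmed for the krb5 library the port links against. Separately, the return value of `krb5_timeofday` is ignored, so `sec` may be compared uninitialized when the call fails. The enclosing function starts and ends outside the hunk, so the cleanup call is described by a comment in the sketch below.

```c
	saved_perms = _pam_krb5_switch_perms();

	e = getenv("KRB5CCNAME");
	if (e != NULL) {
		/* 97 is enough to tell "longer than 96" from an acceptable length. */
		size_t len = strnlen(e, 97);

		if (len == 0 || len > 96) {
			if (options->debug)
				debug("KRB5CCNAME is too long or too short, aborting");
			/* restore saved_perms and release service_principal here, as the normal path does */
			return PAM_SYSTEM_ERR;
		}
		if (strncmp(e, "FILE", 4) == 0 && (e[4] == ':' || e[4] == '='))
			krb5_cc_set_default_name(ctx, e);
		else if (options->debug)
			debug("KRB5CCNAME does not start with FILE:");
	}
	/* … unchanged: debug message and krb5_cc_default() lookup … */
```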
diff --git a/security/pam_krb5-rh/pkg-descr b/security/pam_krb5-rh/pkg-descr
new file mode 100644
index 000000000000..6aa41b6cccdc
--- /dev/null
+++ b/security/pam_krb5-rh/pkg-descr
@@ -0,0 +1,7 @@
+The pam_krb5 module allows PAM-aware applications to authenticate
+users by performing an AS exchange with a Kerberos KDC.
+
+This module includes many configurable options and provides functionality
+and features that other pam_krb5 modules do not provide.
+
+WWW: https://fedorahosted.org/pam_krb5/
diff --git a/security/pam_krb5-rh/pkg-plist b/security/pam_krb5-rh/pkg-plist
new file mode 100644
index 000000000000..70c618007345
--- /dev/null
+++ b/security/pam_krb5-rh/pkg-plist
@@ -0,0 +1,49 @@
+lib/pam_krb5/pam_krb5_storetmp
+lib/pam_krb5.so
+lib/pam_krb5.la
+@dirrm lib/pam_krb5
+%%NLS%%share/locale/as/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/bn_IN/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ca/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/cs/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/da/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/de/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/el/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/es/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/fa/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/fr/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/gu/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/hi/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/hu/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/it/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ja/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/kn/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ko/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ml/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/mr/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ms/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/nl/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/or/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/pa/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/pl/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/pt_BR/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ro/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ru/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/sr/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/sr@latin/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/sv/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ta/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/te/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/uk/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/zh_CN/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/zh_TW/LC_MESSAGES/pam_krb5.mo
+%%NLS%%@dirrmtry share/locale/as/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/bn_IN/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/mr/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/sr@latin/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/te/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/as
+%%NLS%%@dirrmtry share/locale/bn_IN
+%%NLS%%@dirrmtry share/locale/mr
+%%NLS%%@dirrmtry share/locale/sr@latin
+%%NLS%%@dirrmtry share/locale/te