author | Jacques Vidrine <nectar@FreeBSD.org> | 2001-07-24 17:14:44 +0000 |
---|---|---|
committer | Jacques Vidrine <nectar@FreeBSD.org> | 2001-07-24 17:14:44 +0000 |
commit | 598e7cdedd17cf7cbf0e0cdd562c90b81be458f0 (patch) | |
tree | f7e9d187e4d3086ced4883cc82c76b8ed904b297 /security/pam_krb5 | |
parent | 818599d4d6b7c2cb4c962d2f2067fa93d87e25e1 (diff) | |
download | ports-598e7cdedd17cf7cbf0e0cdd562c90b81be458f0.tar.gz ports-598e7cdedd17cf7cbf0e0cdd562c90b81be458f0.zip |
Notes
Diffstat (limited to 'security/pam_krb5')
-rw-r--r-- | security/pam_krb5/Makefile | 77 | ||||
-rw-r--r-- | security/pam_krb5/distinfo | 2 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-aa | 95 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ab | 22 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ac | 40 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ad | 337 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ae | 140 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-af | 274 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ag | 52 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ah | 128 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ai | 143 | ||||
-rw-r--r-- | security/pam_krb5/pkg-plist | 1 |
12 files changed, 40 insertions, 1271 deletions
diff --git a/security/pam_krb5/Makefile b/security/pam_krb5/Makefile
index 8ca177815d85..5493d8138bf8 100644
--- a/security/pam_krb5/Makefile
+++ b/security/pam_krb5/Makefile
@@ -6,51 +6,50 @@ # PORTNAME= pam_krb5 -PORTVERSION= 1.0 -PORTREVISION= 2 +PORTVERSION= 1.0.1 CATEGORIES= security -MASTER_SITES= http://www.fcusack.com/soft/ +MASTER_SITES= http://www.nectar.com/distfiles/ MAINTAINER= nectar@FreeBSD.org -WRKSRC= ${WRKDIR}/pam_krb5 -PREFIX?= ${DESTDIR}/usr -MANPREFIX?= ${DESTDIR}/usr/share -MAKE_ENV= PREFIX="${PREFIX}" MANPREFIX="${MANPREFIX}" \ - KRB5BASE="${KRB5BASE}" KRB5_IMPL="${KRB5_IMPL}" - MAN8= pam_krb5.8 -.include <bsd.port.pre.mk> - -# Try hard to figure out which Kerberos implementation we should use to -# build this thing. There are three possibilities: -# Heimdal in the base system -- XXX disabled for now (missing libraries) -# Heimdal from ports -# MIT Kerberos from ports -.if defined(KRB5BASE) && defined(KRB5_IMPL) -# the user thinks he knows what he is doing, so let it be -.elif exists(/usr/include/heim_err.h) && defined(REALLY_WANT_BASE) && (${REALLY_WANT_BASE} == "yes") -KRB5BASE=/usr -KRB5_IMPL="heimdal" -.elif defined(HEIMDAL_HOME) && exists(${HEIMDAL_HOME}/include/heim_err.h) -KRB5BASE=${HEIMDAL_HOME} -KRB5_IMPL=heimdal -LIB_DEPENDS+= krb5.16:${PORTSDIR}/security/heimdal -.elif exists(${LOCALBASE}/include/heim_err.h) -KRB5BASE=${LOCALBASE} -KRB5_IMPL=heimdal -LIB_DEPENDS+= krb5.16:${PORTSDIR}/security/heimdal -.elif defined(KRB5_HOME) && exists(${KRB5_HOME}/include/mit-sipb-copyright.h) -KRB5BASE=${KRB5_HOME} -KRB5_IMPL=mit -LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5 -.elif exists(${LOCALBASE}/include/mit-sipb-copyright.h) -KRB5BASE=${LOCALBASE} -KRB5_IMPL=mit -LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5 +USE_BZIP2= yes +GNU_CONFIGURE= yes + +.if defined(PACKAGE_BUILDING) +KRB5_IMPL= heimdal +.endif + +.if defined(KRB5_IMPL) && ${KRB5_IMPL} == heimdal +LIB_DEPENDS= krb5.18:${PORTSDIR}/security/heimdal +.if defined(HEIMDAL_HOME) +KRB5_DIR?= ${HEIMDAL_HOME} +.endif +.elif defined(KRB5_IMPL) && ${KRB5_IMPL} == mit +LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5 +.if defined(KRB5_HOME) +KRB5_DIR?= 
${KRB5_HOME} +.endif +.else +BROKEN= You must define KRB5_IMPL to be \"mit\" or \"heimdal\" +.endif + +.if defined(PREFIX) +MANDIR= ${PREFIX}/man .else -BROKEN= "No version of Kerberos is installed." +PREFIX= ${DESTDIR}/usr +MANPREFIX= ${DESTDIR}/usr/share +MANDIR= ${PREFIX}/share/man .endif +KRB5_DIR?= ${LOCALBASE} +CONFIGURE_ENV= CFLAGS="${CFLAGS}" +CONFIGURE_ARGS= --with-krb5="${KRB5_DIR}" \ + --with-pamdir="${PREFIX}/lib" \ + --with-man-sect=8 \ + --mandir=${MANDIR} + +post-install: + cd ${WRKSRC} && ${MAKE} install-man -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/security/pam_krb5/distinfo b/security/pam_krb5/distinfo index 54736530a4ab..f8a28dd1042e 100644 --- a/security/pam_krb5/distinfo +++ b/security/pam_krb5/distinfo @@ -1 +1 @@ -MD5 (pam_krb5-1.0.tar.gz) = dd4ca3cc1b6b6b124625544e870968cb +MD5 (pam_krb5-1.0.1.tar.bz2) = 3aa146141dd1cba31d98e608f333f7e4 diff --git a/security/pam_krb5/files/patch-aa b/security/pam_krb5/files/patch-aa deleted file mode 100644 index 73a1e0e78aea..000000000000 --- a/security/pam_krb5/files/patch-aa +++ /dev/null 
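Review bot: The `MASTER_SITES= http://www.nectar.com/distfiles/` line moves the distfile of a PAM authentication module to a different host, still fetched over plain HTTP, so the single MD5 entry in the distinfo hunk that follows is the only integrity check on what gets built. MD5 is not collision-resistant; if the ports framework in use accepts a second digest, a stronger line next to it would be worth adding, e.g. `SHA256 (pam_krb5-1.0.1.tar.bz2) = <sha256-of-distfile>` (placeholder value, to be computed from the verified tarball). The same commit deletes files/patch-aa through patch-ai, which carried hardening such as the `setegid()`/`seteuid()` privilege drop and the `chmod()` of the credential cache file in patch-ad. Presumably the 1.0.1 tarball already contains those changes, but nothing on this page shows it, so a comment such as `# 1.0.1 incorporates the former files/patch-aa..patch-ai` above `PORTVERSION` would record the assumption for the next maintainer.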
@@ -1,95 +0,0 @@ ---- Makefile.orig Tue Jan 4 19:08:51 2000 -+++ Makefile Tue Jan 23 15:38:42 2001 -@@ -1,46 +1,56 @@ - # - # Makefile for pam_krb5 - # -+CC = cc -+CFLAGS = -O -fPIC -Wall -+# WHAT? shared and static? are you mad? -+# No, this allows us to make a shared object that has minimal undefined -+# references. -+LDFLAGS = -shared -Wl,-Bstatic -+ -+OSLIBS = -lpam -+ -+# We have to specify full paths to some of these libraries so that we -+# are sure we get the right version... in most cases, we don't want the -+# version in the base system. Version numbers don't help us, because we -+# are not looking for shared libraries. -+ -+# HEIMDAL -+LIBS_heimdal = ${KRB5BASE}/lib/libkrb5.a ${KRB5BASE}/lib/libgssapi.a \ -+ ${KRB5BASE}/lib/libasn1.a ${KRB5BASE}/lib/libroken.a \ -+ -lcrypto -lcrypt -+# MIT -+LIBS_mit = ${KRB5BASE}/lib/libkrb5.a ${KRB5BASE}/lib/libcom_err.a \ -+ ${KRB5BASE}/lib/libk5crypto.a - --CC = gcc --CFLAGS = -O2 -fPIC --#LDFLAGS = -shared --LDFLAGS = -G -+LIBS = $(OSLIBS) ${LIBS_${KRB5_IMPL}} -+COMPAT = compat_${KRB5_IMPL}.c - --DESTDIR = /usr/lib/security --MANDIR = /opt/local/man/man5 -- --OSLIBS = -lpam -lnsl -lsocket --KRB5LIBS = -L/opt/local/lib -lkrb5 -lk5crypto -lcom_err -- --LIBS = $(OSLIBS) $(KRB5LIBS) -- --INC = -I/opt/local/include -+INC = -I${KRB5BASE}/include - - - #################################################################### - # No changes below this line - - SRCS = pam_krb5_auth.c pam_krb5_pass.c pam_krb5_acct.c pam_krb5_sess.c \ -- support.c -+ support.c ${COMPAT} - - OBJS = pam_krb5_auth.o pam_krb5_pass.o pam_krb5_acct.o pam_krb5_sess.o \ -- support.o -+ support.o ${COMPAT:.c=.o} - --all: pam_krb5.so.1 -+all: pam_krb5.so - --pam_krb5.so.1: $(OBJS) -- $(CC) -o $@ $(LDFLAGS) $(OBJS) $(LIBS) -+pam_krb5.so: $(OBJS) -+ $(CC) -o $@ $(LDFLAGS) $(OBJS) -L${KRB5BASE}/lib $(LIBS) - - install: -- cp pam_krb5.so.1 $(DESTDIR) -- chown root:sys $(DESTDIR)/pam_krb5.so.1 -- ln -s ./pam_krb5.so.1 $(DESTDIR)/pam_krb5.so -- cp pam_krb5.5 
$(MANDIR) -- chown root:sys $(MANDIR)/pam_krb5.5 -+ ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 0555 pam_krb5.so \ -+ ${PREFIX}/lib/pam_krb5.so -+ ${INSTALL} -c -o ${MANOWN} -g ${MANGRP} -m 0444 pam_krb5.5 \ -+ ${MANPREFIX}/man/man8/pam_krb5.8 - - clean: -- rm -f *.so.1 *.o -+ rm -f *.so *.o - - pam_krb5_auth.o: pam_krb5_auth.c pam_krb5.h - $(CC) -c $(CFLAGS) $(INC) $< -@@ -55,5 +65,11 @@ - $(CC) -c $(CFLAGS) $(INC) $< - - support.o: support.c pam_krb5.h -+ $(CC) -c $(CFLAGS) $(INC) $< -+ -+compat_heimdal.o: compat_heimdal.c -+ $(CC) -c $(CFLAGS) $(INC) $< -+ -+compat_mit.o: compat_mit.c - $(CC) -c $(CFLAGS) $(INC) $< - diff --git a/security/pam_krb5/files/patch-ab b/security/pam_krb5/files/patch-ab deleted file mode 100644 index f384620a3699..000000000000 --- a/security/pam_krb5/files/patch-ab +++ /dev/null @@ -1,22 +0,0 @@ ---- pam_krb5.h.orig Tue Jan 4 19:08:51 2000 -+++ pam_krb5.h Mon Jun 11 13:24:14 2001 -@@ -5,7 +5,16 @@ - */ - - int get_user_info(pam_handle_t *, char *, int, char **); --krb5_error_code pam_prompter(krb5_context, void *, const char *, -- const char *, int, krb5_prompt[]); --int verify_krb_v5_tgt(krb5_context, krb5_ccache, int); -+int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int); - void cleanup_cache(pam_handle_t *, void *, int); -+ -+krb5_prompter_fct pam_prompter; -+ -+const char *compat_princ_component(krb5_context, krb5_principal, int); -+void compat_free_data_contents(krb5_context, krb5_data *); -+ -+#ifndef ENCTYPE_DES_CBC_MD5 -+#define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 -+#endif -+ -+ diff --git a/security/pam_krb5/files/patch-ac b/security/pam_krb5/files/patch-ac deleted file mode 100644 index 20a5fc0f9ffb..000000000000 --- a/security/pam_krb5/files/patch-ac +++ /dev/null 
@@ -1,40 +0,0 @@ ---- pam_krb5_acct.c.orig Tue Jan 4 19:08:51 2000 -+++ pam_krb5_acct.c Mon Nov 6 10:21:49 2000 -@@ -11,6 +11,7 @@ - #include <security/pam_appl.h> - #include <security/pam_modules.h> - #include <krb5.h> -+#include <com_err.h> - #include "pam_krb5.h" - - /* A useful logging macro */ -@@ -38,12 +39,12 @@ - } - - /* Get username */ -- if (pam_get_item(pamh, PAM_USER, (void **) &name)) { -+ if (pam_get_item(pamh, PAM_USER, (const void **) &name)) { - return PAM_PERM_DENIED;; - } - - /* Get service name */ -- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); -+ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - -@@ -55,12 +56,12 @@ - return PAM_SUCCESS; - } - -- if (krb5_init_context(&pam_context)) { -+ if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_PERM_DENIED;; - } - -- if (krbret = krb5_cc_get_principal(pam_context, ccache, &princ)) { -+ if ((krbret = krb5_cc_get_principal(pam_context, ccache, &princ)) != 0) { - DLOG("krb5_cc_get_principal()", error_message(krbret)); - pamret = PAM_PERM_DENIED;; - goto cleanup; diff --git a/security/pam_krb5/files/patch-ad b/security/pam_krb5/files/patch-ad deleted file mode 100644 index 908ea7d649aa..000000000000 --- a/security/pam_krb5/files/patch-ad +++ /dev/null 
@@ -1,337 +0,0 @@ ---- pam_krb5_auth.c.orig Tue Jan 4 19:08:51 2000 -+++ pam_krb5_auth.c Mon Jun 11 13:22:45 2001 -@@ -7,18 +7,22 @@ - - static const char rcsid[] = "$Id: pam_krb5_auth.c,v 1.18 2000/01/04 08:44:08 fcusack Exp $"; - -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <errno.h> - #include <limits.h> /* PATH_MAX */ - #include <pwd.h> /* getpwnam */ - #include <stdio.h> /* tmpnam */ -+#include <stdlib.h> /* malloc */ - #include <strings.h> /* strchr */ - #include <syslog.h> /* syslog */ - #include <unistd.h> /* chown */ --#include <sys/types.h> /* chown */ - - #include <security/pam_appl.h> - #include <security/pam_modules.h> - - #include <krb5.h> -+#include <com_err.h> - #include "pam_krb5.h" - - extern krb5_cc_ops krb5_mcc_ops; -@@ -42,7 +46,7 @@ - krb5_get_init_creds_opt opts; - - int pamret, i; -- char *name, *name2; -+ const char *name; - char *princ_name = NULL; - char *pass = NULL, *service = NULL; - char *prompt = NULL; -@@ -74,13 +78,13 @@ - } - - /* Get service name */ -- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); -+ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - - DLOG("entry", ""); - -- if (krb5_init_context(&pam_context)) { -+ if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } -@@ -93,7 +97,7 @@ - krb5_get_init_creds_opt_set_forwardable(&opts, 1); - - /* For CNS */ -- if (krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE)) { -+ if ((krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE)) != 0) { - /* Solaris dtlogin doesn't call pam_end() on failure */ - if (krbret != KRB5_CC_TYPE_EXISTS) { - DLOG("krb5_cc_register()", error_message(krbret)); -@@ -103,14 +107,14 @@ - } - - /* Get principal name */ -- if (krbret = krb5_parse_name(pam_context, name, &princ)) { -+ if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) { - DLOG("krb5_parse_name()", 
error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } - - /* Now convert the principal name into something human readable */ -- if (krbret = krb5_unparse_name(pam_context, princ, &princ_name)) { -+ if ((krbret = krb5_unparse_name(pam_context, princ, &princ_name)) != 0) { - DLOG("krb5_unparse_name()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; -@@ -126,18 +130,19 @@ - (void) sprintf(prompt, "Password for %s: ", princ_name); - - if (try_first_pass || use_first_pass) -- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); -+ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - - get_pass: - if (!pass) { - try_first_pass = 0; -- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) { -+ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, -+ &pass)) != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - /* We have to free pass. */ -- if (pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) { -+ if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) { - DLOG("pam_set_item()", pam_strerror(pamh, pamret)); - free(pass); - pamret = PAM_SERVICE_ERR; -@@ -145,25 +150,26 @@ - } - free(pass); - /* Now we get it back from the library. 
*/ -- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); -+ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - } - - /* Verify the local user exists (AFTER getting the password) */ - if (strchr(name, '@')) { - /* get a local account name for this principal */ -- if (krbret = krb5_aname_to_localname(pam_context, princ, -- sizeof(lname), lname)) { -+ if ((krbret = krb5_aname_to_localname(pam_context, princ, -+ sizeof(lname), lname)) != 0) { - DLOG("krb5_aname_to_localname()", error_message(krbret)); - pamret = PAM_USER_UNKNOWN; - goto cleanup2; - } - DLOG("changing PAM_USER to", lname); -- if (pamret = pam_set_item(pamh, PAM_USER, lname)) { -+ if ((pamret = pam_set_item(pamh, PAM_USER, lname)) != 0) { - DLOG("pam_set_item()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } -- if (pamret = pam_get_item(pamh, PAM_USER, (void **) &name)) { -+ if ((pamret = pam_get_item(pamh, PAM_USER, (const void **) &name) -+ != 0)) { - DLOG("pam_get_item()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; -@@ -177,9 +183,8 @@ - } - - /* Get a TGT */ -- if (krbret = krb5_get_init_creds_password(pam_context, &creds, princ, -- pass, pam_prompter, pamh, -- 0, NULL, &opts)) { -+ if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, -+ pass, pam_prompter, pamh, 0, NULL, &opts)) != 0) { - DLOG("krb5_get_init_creds_password()", error_message(krbret)); - if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - pass = NULL; -@@ -193,17 +198,17 @@ - strcpy(cache_name, "MEMORY:"); - (void) tmpnam(&cache_name[7]); - -- if (krbret = krb5_cc_resolve(pam_context, cache_name, &ccache)) { -+ if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache)) != 0) { - DLOG("krb5_cc_resolve()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup; - } -- if (krbret = krb5_cc_initialize(pam_context, ccache, princ)) { -+ if ((krbret = krb5_cc_initialize(pam_context, ccache, princ)) != 0) { - 
DLOG("krb5_cc_initialize()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup; - } -- if (krbret = krb5_cc_store_cred(pam_context, ccache, &creds)) { -+ if ((krbret = krb5_cc_store_cred(pam_context, ccache, &creds)) != 0) { - DLOG("krb5_cc_store_cred()", error_message(krbret)); - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_SERVICE_ERR; -@@ -211,7 +216,7 @@ - } - - /* Verify it */ -- if (verify_krb_v5_tgt(pam_context, ccache, debug) == -1) { -+ if (verify_krb_v5_tgt(pam_context, ccache, service, debug) == -1) { - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_AUTH_ERR; - goto cleanup; -@@ -224,7 +229,7 @@ - pamret = PAM_AUTH_ERR; - goto cleanup; - } -- if (pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) { -+ if ((pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) != 0) { - DLOG("pam_set_data()", pam_strerror(pamh, pamret)); - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_SERVICE_ERR; -@@ -275,6 +280,7 @@ - - int debug = 0; - uid_t euid; -+ gid_t egid; - - if (flags == PAM_REINITIALIZE_CRED) - return PAM_SUCCESS; /* XXX Incorrect behavior */ -@@ -288,30 +294,32 @@ - else if (strcmp(argv[i], "no_ccache") == 0) - return PAM_SUCCESS; - else if (strstr(argv[i], "ccache=") == argv[i]) -- cache_name = &argv[i][7]; /* save for later */ -+ cache_name = (char *) &argv[i][7]; /* save for later */ - } - - /* Get username */ -- if (pam_get_item(pamh, PAM_USER, (void **) &name)) { -+ if (pam_get_item(pamh, PAM_USER, (const void **) &name)) { - return PAM_SERVICE_ERR; - } - - /* Get service name */ -- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); -+ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - - DLOG("entry", ""); - -- if (krb5_init_context(&pam_context)) { -+ if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } - - euid = geteuid(); /* 
Usually 0 */ -+ egid = getegid(); - - /* Retrieve the cache name */ -- if (pamret = pam_get_data(pamh, "ccache", (const void **) &ccache_temp)) { -+ if ((pamret = pam_get_data(pamh, "ccache", (const void **) &ccache_temp)) -+ != 0) { - DLOG("pam_get_data()", pam_strerror(pamh, pamret)); - pamret = PAM_CRED_UNAVAIL; - goto cleanup3; -@@ -326,6 +334,11 @@ - } - - /* Avoid following a symlink as root */ -+ if (setegid(pw->pw_gid)) { -+ DLOG("setegid()", name); /* XXX should really log group name or id */ -+ pamret = PAM_SERVICE_ERR; -+ goto cleanup3; -+ } - if (seteuid(pw->pw_uid)) { - DLOG("seteuid()", name); - pamret = PAM_SERVICE_ERR; -@@ -340,7 +353,7 @@ - pamret = PAM_BUF_ERR; - goto cleanup3; - } -- sprintf(cache_name, "FILE:/tmp/krb5cc_%ld", pw->pw_uid); -+ sprintf(cache_name, "FILE:/tmp/krb5cc_%d", pw->pw_uid); - } else { - /* cache_name was supplied */ - char *p = calloc(PATH_MAX + 10, 1); /* should be plenty */ -@@ -357,10 +370,10 @@ - if (*q == '%') { - q++; - if (*q == 'u') { -- sprintf(p, "%ld", pw->pw_uid); -+ sprintf(p, "%d", pw->pw_uid); - p += strlen(p); - } else if (*q == 'p') { -- sprintf(p, "%ld", getpid()); -+ sprintf(p, "%d", getpid()); - p += strlen(p); - } else { - /* Not a special token */ -@@ -375,24 +388,27 @@ - } - - /* Initialize the new ccache */ -- if (krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ)) { -+ if ((krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ)) -+ != 0) { - DLOG("krb5_cc_get_principal()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } -- if (krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm)) { -+ if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm)) -+ != 0) { - DLOG("krb5_cc_resolve()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } -- if (krbret = krb5_cc_initialize(pam_context, ccache_perm, princ)) { -+ if ((krbret = krb5_cc_initialize(pam_context, ccache_perm, princ)) != 0) { - DLOG("krb5_cc_initialize()", 
error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - - /* Prepare for iteration over creds */ -- if (krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor)) { -+ if ((krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor)) -+ != 0) { - DLOG("krb5_cc_start_seq_get()", error_message(krbret)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_SERVICE_ERR; -@@ -401,8 +417,9 @@ - - /* Copy the creds (should be two of them) */ - while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, -- &cursor, &creds) == 0)) { -- if (krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds)) { -+ &cursor, &creds) == 0)) { -+ if ((krbret = krb5_cc_store_cred(pam_context, ccache_perm, -+ &creds)) != 0) { - DLOG("krb5_cc_store_cred()", error_message(krbret)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - krb5_free_cred_contents(pam_context, &creds); -@@ -420,6 +437,12 @@ - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } -+ if (chmod(&cache_name[5], (S_IRUSR|S_IWUSR)) == -1) { -+ DLOG("chmod()", strerror(errno)); -+ (void) krb5_cc_destroy(pam_context, ccache_perm); -+ pamret = PAM_SERVICE_ERR; -+ goto cleanup2; -+ } - } - (void) krb5_cc_close(pam_context, ccache_perm); - -@@ -432,7 +455,7 @@ - } - - sprintf(cache_env_name, "KRB5CCNAME=%s", cache_name); -- if (pamret = pam_putenv(pamh, cache_env_name)) { -+ if ((pamret = pam_putenv(pamh, cache_env_name)) != 0) { - DLOG("pam_putenv()", pam_strerror(pamh, pamret)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_SERVICE_ERR; -@@ -445,6 +468,7 @@ - krb5_free_context(pam_context); - DLOG("exit", pamret ? "failure" : "success"); - (void) seteuid(euid); -+ (void) setegid(egid); - return pamret; - } - diff --git a/security/pam_krb5/files/patch-ae b/security/pam_krb5/files/patch-ae deleted file mode 100644 index 494de5ec23dd..000000000000 --- a/security/pam_krb5/files/patch-ae +++ /dev/null 
@@ -1,140 +0,0 @@ ---- pam_krb5_pass.c.orig Tue Jan 4 19:08:51 2000 -+++ pam_krb5_pass.c Mon Nov 6 10:21:49 2000 -@@ -7,10 +7,14 @@ - - static const char rcsid[] = "$Id: pam_krb5_pass.c,v 1.3 1999/01/19 23:43:11 fcusack Exp $"; - -+#include <errno.h> -+#include <stdio.h> /* sprintf */ -+#include <stdlib.h> /* malloc */ - #include <syslog.h> /* syslog */ - #include <security/pam_appl.h> - #include <security/pam_modules.h> - #include <krb5.h> -+#include <com_err.h> - #include "pam_krb5.h" - - /* A useful logging macro */ -@@ -27,7 +31,6 @@ - krb5_context pam_context; - krb5_creds creds; - krb5_principal princ; -- krb5_ccache ccache; - krb5_get_init_creds_opt opts; - - int result_code; -@@ -54,23 +57,23 @@ - } - - /* Get username */ -- if (pam_get_item(pamh, PAM_USER, (void **) &name)) { -+ if ((pam_get_item(pamh, PAM_USER, (const void **) &name)) != 0) { - return PAM_SERVICE_ERR; - } - - /* Get service name */ -- (void) pam_get_item(pamh, PAM_SERVICE, (void **) &service); -+ (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - - DLOG("entry", ""); - -- if (krb5_init_context(&pam_context)) { -+ if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } - -- if (krb5_init_context(&pam_context)) { -+ if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } -@@ -78,14 +81,14 @@ - memset(&creds, 0, sizeof(krb5_creds)); - - /* Get principal name */ -- if (krbret = krb5_parse_name(pam_context, name, &princ)) { -+ if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) { - DLOG("krb5_parse_name()", error_message(krbret)); - pamret = PAM_USER_UNKNOWN; - goto cleanup3; - } - - /* Now convert the principal name into something human readable */ -- if (krbret = krb5_unparse_name(pam_context, princ, &princ_name)) { -+ if ((krbret = 
krb5_unparse_name(pam_context, princ, &princ_name)) != 0) { - DLOG("krb5_unparse_name()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; -@@ -101,18 +104,19 @@ - (void) sprintf(prompt, "Password for %s: ", princ_name); - - if (try_first_pass || use_first_pass) -- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); -+ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - - get_pass: - if (!pass) { - try_first_pass = 0; -- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) { -+ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, -+ &pass)) != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - /* We have to free pass. */ -- if (pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) { -+ if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) { - DLOG("pam_set_item()", pam_strerror(pamh, pamret)); - free(pass); - pamret = PAM_SERVICE_ERR; -@@ -120,12 +124,11 @@ - } - free(pass); - /* Now we get it back from the library. 
*/ -- (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); -+ (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - } - -- if (krbret = krb5_get_init_creds_password(pam_context, &creds, princ, -- pass, pam_prompter, pamh, -- 0, "kadmin/changepw", &opts)) { -+ if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, -+ pass, pam_prompter, pamh, 0, "kadmin/changepw", &opts)) != 0) { - DLOG("krb5_get_init_creds_password()", error_message(krbret)); - if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - pass = NULL; -@@ -138,14 +141,16 @@ - /* Now get the new password */ - free(prompt); - prompt = "Enter new password: "; -- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) { -+ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) -+ != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - prompt = NULL; - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - prompt = "Enter it again: "; -- if (pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass2)) { -+ if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass2)) -+ != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - prompt = NULL; - pamret = PAM_SERVICE_ERR; -@@ -160,9 +165,8 @@ - } - - /* Change it */ -- if (krbret = krb5_change_password(pam_context, &creds, pass, -- &result_code, &result_code_string, -- &result_string)) { -+ if ((krbret = krb5_change_password(pam_context, &creds, pass, -+ &result_code, &result_code_string, &result_string)) != 0) { - DLOG("krb5_change_password()", error_message(krbret)); - pamret = PAM_AUTHTOK_ERR; - goto cleanup; diff --git a/security/pam_krb5/files/patch-af b/security/pam_krb5/files/patch-af deleted file mode 100644 index 552f6b726a86..000000000000 --- a/security/pam_krb5/files/patch-af +++ /dev/null 
@@ -1,274 +0,0 @@ ---- support.c.orig Tue Jan 4 19:08:51 2000 -+++ support.c Wed Jan 24 13:37:28 2001 -@@ -6,11 +6,15 @@ - - static const char rcsid[] = "$Id: support.c,v 1.8 2000/01/04 09:50:03 fcusack Exp $"; - -+#include <errno.h> - #include <stdio.h> /* BUFSIZ */ -+#include <stdlib.h> /* malloc */ -+#include <string.h> /* strncpy */ - #include <syslog.h> /* syslog */ - #include <security/pam_appl.h> - #include <security/pam_modules.h> - #include <krb5.h> -+#include <com_err.h> - #include "pam_krb5.h" - - /* -@@ -22,11 +26,12 @@ - get_user_info(pam_handle_t *pamh, char *prompt, int type, char **response) - { - int pamret; -- struct pam_message msg, *pmsg; -+ struct pam_message msg; -+ const struct pam_message *pmsg; - struct pam_response *resp = NULL; - struct pam_conv *conv; - -- if (pamret = pam_get_item(pamh, PAM_CONV, (void **) &conv)) -+ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) - return pamret; - - /* set up conversation call */ -@@ -34,7 +39,7 @@ - msg.msg_style = type; - msg.msg = prompt; - -- if (pamret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr)) -+ if ((pamret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr)) != 0) - return pamret; - - /* Caller should ignore errors for non-response conversations */ -@@ -51,172 +56,71 @@ - return pamret; - } - -- --krb5_error_code --pam_prompter(krb5_context context, void *data, const char *name, -- const char *banner, int num_prompts, krb5_prompt prompts[]) --{ -- int pam_prompts = num_prompts; -- int pamret, i; -- -- struct pam_message *msg; -- struct pam_response *resp = NULL; -- struct pam_conv *conv; -- pam_handle_t *pamh = (pam_handle_t *) data; -- -- if (pamret = pam_get_item(pamh, PAM_CONV, (void **) &conv)) -- return KRB5KRB_ERR_GENERIC; -- -- if (name) -- pam_prompts++; -- -- if (banner) -- pam_prompts++; -- -- msg = calloc(sizeof(struct pam_message) * pam_prompts, 1); -- if (!msg) -- return ENOMEM; -- -- /* Now use pam_prompts as an index */ -- pam_prompts = 0; -- -- /* 
Sigh. malloc all the prompts. */ -- if (name) { -- msg[pam_prompts].msg = malloc(strlen(name) + 1); -- if (!msg[pam_prompts].msg) -- goto cleanup; -- strcpy(msg[pam_prompts].msg, name); -- msg[pam_prompts].msg_style = PAM_TEXT_INFO; -- pam_prompts++; -- } -- -- if (banner) { -- msg[pam_prompts].msg = malloc(strlen(banner) + 1); -- if (!msg[pam_prompts].msg) -- goto cleanup; -- strcpy(msg[pam_prompts].msg, banner); -- msg[pam_prompts].msg_style = PAM_TEXT_INFO; -- pam_prompts++; -- } -- -- for (i = 0; i < num_prompts; i++) { -- msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3); -- if (!msg[pam_prompts].msg) -- goto cleanup; -- sprintf(msg[pam_prompts].msg, "%s: ", prompts[i].prompt); -- msg[pam_prompts].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF -- : PAM_PROMPT_ECHO_ON; -- pam_prompts++; -- } -- -- if (pamret = conv->conv(pam_prompts, &msg, &resp, conv->appdata_ptr)) -- goto cleanup; -- -- if (!resp) -- goto cleanup; -- -- /* Reuse pam_prompts as a starting index */ -- pam_prompts = 0; -- if (name) -- pam_prompts++; -- if (banner) -- pam_prompts++; -- -- for (i = 0; i < num_prompts; i++, pam_prompts++) { -- register int len; -- if (!resp[pam_prompts].resp) { -- pamret = PAM_AUTH_ERR; -- goto cleanup; -- } -- len = strlen(resp[pam_prompts].resp); /* Help out the compiler */ -- if (len > prompts[i].reply->length) { -- pamret = PAM_AUTH_ERR; -- goto cleanup; -- } -- memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len); -- prompts[i].reply->length = len; -- } -- --cleanup: -- /* pam_prompts is correct at this point */ -- -- for (i = 0; i < pam_prompts; i++) { -- if (msg[i].msg) -- free(msg[i].msg); -- } -- free(msg); -- -- if (resp) { -- for (i = 0; i < pam_prompts; i++) { -- /* -- * Note that PAM is underspecified wrt free()'ing resp[i].resp. -- * It's not clear if I should free it, or if the application -- * has to. Therefore most (all?) apps won't free() it, and I -- * can't either, as I am not sure it was malloc()'d. 
All PAM -- * implementations I've seen leak memory here. Not so bad, IFF -- * you fork/exec for each PAM authentication (as is typical). -- */ --#if 0 -- if (resp[i].resp) -- free(resp[i].resp); --#endif /* 0 */ -- } -- /* This does not lose resp[i].resp if the application saved a copy. */ -- free(resp); -- } -- -- return (pamret ? KRB5KRB_ERR_GENERIC : 0); --} -- -- - /* - * This routine with some modification is from the MIT V5B6 appl/bsd/login.c -+ * Modified by Sam Hartman <hartmans@mit.edu> to support PAM services -+ * for Debian. - * - * Verify the Kerberos ticket-granting ticket just retrieved for the - * user. If the Kerberos server doesn't respond, assume the user is - * trying to fake us out (since we DID just get a TGT from what is - * supposedly our KDC). If the host/<host> service is unknown (i.e., -- * the local keytab doesn't have it), let her in. -+ * the local keytab doesn't have it), and we cannot find another -+ * service we do have, let her in. - * - * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. - */ - int --verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, int debug) -+verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, -+ char * pam_service, int debug) - { - char phost[BUFSIZ]; -- krb5_error_code retval; -+ char *services [3]; -+ char **service; -+ krb5_error_code retval = -1; - krb5_principal princ; - krb5_keyblock * keyblock = 0; - krb5_data packet; - krb5_auth_context auth_context = NULL; -- krb5_keytab keytab = NULL; -- char * kt_name = NULL; - - packet.data = 0; - - /* -- * Get the server principal for the local host. -- * (Use defaults of "host" and canonicalized local name.) -- */ -- if (retval = krb5_sname_to_principal(context, NULL, NULL, -- KRB5_NT_SRV_HST, &princ)) { -+ * If possible we want to try and verify the ticket we have -+ * received against a keytab. We will try multiple service -+ * principals, including at least the host principal and the PAM -+ * service principal. 
The host principal is preferred because access -+ * to that key is generally sufficient to compromise root, while the -+ * service key for this PAM service may be less carefully guarded. -+ * It is important to check the keytab first before the KDC so we do -+ * not get spoofed by a fake KDC.*/ -+ services [0] = "host"; -+ services [1] = pam_service; -+ services [2] = NULL; -+ for ( service = &services[0]; *service != NULL; service++ ) { -+ if ((retval = krb5_sname_to_principal(context, NULL, *service, KRB5_NT_SRV_HST, -+ &princ)) != 0) { - if (debug) -- syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", -- "krb5_sname_to_principal()", error_message(retval)); -+ syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", -+ "krb5_sname_to_principal()", error_message(retval)); - return -1; -- } -+ } - -- /* Extract the name directly. */ -- strncpy(phost, krb5_princ_component(c, princ, 1)->data, BUFSIZ); -- phost[BUFSIZ - 1] = '\0'; -- -- /* -- * Do we have host/<host> keys? -- * (use default/configured keytab, kvno IGNORE_VNO to get the -- * first match, and enctype is currently ignored anyhow.) -- */ -- if (retval = krb5_kt_read_service_key(context, NULL, princ, 0, -- ENCTYPE_DES_CBC_MD5, &keyblock)) { -+ /* Extract the name directly. */ -+ strncpy(phost, compat_princ_component(context, princ, 1), BUFSIZ); -+ phost[BUFSIZ - 1] = '\0'; -+ -+ /* -+ * Do we have service/<host> keys? -+ * (use default/configured keytab, kvno IGNORE_VNO to get the -+ * first match, and ignore enctype.) -+ */ -+ if ((retval = krb5_kt_read_service_key(context, NULL, princ, 0, -+ 0, &keyblock)) != 0) -+ continue; -+ break; -+ } -+ if (retval != 0 ) { /* failed to find key */ - /* Keytab or service key does not exist */ - if (debug) - syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", -@@ -228,7 +132,7 @@ - krb5_free_keyblock(context, keyblock); - - /* Talk to the kdc and construct the ticket. 
*/ -- retval = krb5_mk_req(context, &auth_context, 0, "host", phost, -+ retval = krb5_mk_req(context, &auth_context, 0, *service, phost, - NULL, ccache, &packet); - if (auth_context) { - krb5_auth_con_free(context, auth_context); -@@ -256,7 +160,7 @@ - - cleanup: - if (packet.data) -- krb5_free_data_contents(context, &packet); -+ compat_free_data_contents(context, &packet); - krb5_free_principal(context, princ); - return retval; - diff --git a/security/pam_krb5/files/patch-ag b/security/pam_krb5/files/patch-ag deleted file mode 100644 index 2e1c65eb640c..000000000000 --- a/security/pam_krb5/files/patch-ag +++ /dev/null 
@@ -1,52 +0,0 @@
---- pam_krb5.5.orig Tue Jan 4 19:08:51 2000
-+++ pam_krb5.5 Mon Nov 6 10:27:01 2000
-@@ -1,24 +1,24 @@
- .\"
- .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
--.TH pam_krb5 5 "15 Jan 1999"
-+.TH pam_krb5 8 "15 Jan 1999"
- .SH NAME
- pam_krb5 \- Kerberos 5 PAM module
- .SH SYNOPSIS
- .LP
--.B /usr/lib/security/pam_krb5.so.1
-+.B /usr/lib/pam_krb5.so
- .LP
- .SH DESCRIPTION
- .IX "pam_krb5" "" "\fLpam_krb5\fP \(em Kerberos 5 PAM module"
- .PP
- The Kerberos 5 service module for PAM, typically
--.BR /usr/lib/security/pam_krb5.so.1 ,
-+.BR /usr/lib/pam_krb5.so ,
- provides functionality for three PAM categories:
- authentication,
- account management,
- and password management.
- It also provides null functions for session management.
- The
--.B pam_krb5.so.1
-+.B pam_krb5.so
- module is a shared object
- that can be dynamically loaded to provide
- the necessary functionality upon demand.
-@@ -177,10 +177,9 @@
- .SH SEE ALSO
- .BR kdestroy (1),
- .BR passwd (1),
--.BR pam (3),
-+.BR pam (8),
- .BR syslog (3),
--.BR libpam (4),
--.BR pam.conf (4).
-+.BR pam.conf (5).
- .SH NOTES
- Applications should not call
- .B pam_authenticate()
-@@ -189,7 +188,3 @@
- and
- .B pam_end()
- when using the Kerberos 5 PAM module.
--.LP
--dtlogin will not successfully authenticate a user who enters a realm
--name as part of their username (even if the authentication
--module returns success).
diff --git a/security/pam_krb5/files/patch-ah b/security/pam_krb5/files/patch-ah
deleted file mode 100644
index cd7fcaef3b27..000000000000
--- a/security/pam_krb5/files/patch-ah
+++ /dev/null
@@ -1,128 +0,0 @@
---- compat_heimdal.c.orig Mon Jun 11 13:29:54 2001
-+++ compat_heimdal.c Mon Jun 11 13:32:00 2001
-@@ -0,0 +1,125 @@
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+
-+#include <krb5.h>
-+#include <security/pam_appl.h>
-+#include <security/pam_modules.h>
-+#include "pam_krb5.h"
-+
-+const char *
-+compat_princ_component(krb5_context context, krb5_principal princ, int n)
-+{
-+ return princ->name.name_string.val[n];
-+}
-+
-+void
-+compat_free_data_contents(krb5_context context, krb5_data *data)
-+{
-+ krb5_xfree(data->data);
-+}
-+
-+static krb5_error_code
-+heimdal_pam_prompter(krb5_context context, void *data, const char *name,
-+ const char *banner, int num_prompts, krb5_prompt prompts[])
-+{
-+ int pam_prompts = num_prompts;
-+ int pamret, i;
-+
-+ struct pam_message *msg;
-+ struct pam_response *resp = NULL;
-+ struct pam_conv *conv;
-+ pam_handle_t *pamh = (pam_handle_t *) data;
-+
-+ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0)
-+ return KRB5KRB_ERR_GENERIC;
-+
-+ if (banner)
-+ pam_prompts++;
-+
-+ msg = calloc(sizeof(struct pam_message) * pam_prompts, 1);
-+ if (!msg)
-+ return ENOMEM;
-+
-+ /* Now use pam_prompts as an index */
-+ pam_prompts = 0;
-+
-+ if (banner) {
-+ msg[pam_prompts].msg = malloc(strlen(banner) + 1);
-+ if (!msg[pam_prompts].msg)
-+ goto cleanup;
-+ strcpy((char *) msg[pam_prompts].msg, banner);
-+ msg[pam_prompts].msg_style = PAM_TEXT_INFO;
-+ pam_prompts++;
-+ }
-+
-+ for (i = 0; i < num_prompts; i++) {
-+ msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3);
-+ if (!msg[pam_prompts].msg)
-+ goto cleanup;
-+ sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt);
-+ msg[pam_prompts].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF
-+ : PAM_PROMPT_ECHO_ON;
-+ pam_prompts++;
-+ }
-+
-+ if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg,
-+ &resp, conv->appdata_ptr)) != 0)
-+ goto cleanup;
-+
-+ if (!resp)
-+ goto cleanup;
-+
-+ /* Reuse pam_prompts as a starting index */
-+ pam_prompts = 0;
-+ if (banner)
-+ pam_prompts++;
-+
-+ for (i = 0; i < num_prompts; i++, pam_prompts++) {
-+ register int len;
-+ if (!resp[pam_prompts].resp) {
-+ pamret = PAM_AUTH_ERR;
-+ goto cleanup;
-+ }
-+ len = strlen(resp[pam_prompts].resp); /* Help out the compiler */
-+ if (len > prompts[i].reply->length) {
-+ pamret = PAM_AUTH_ERR;
-+ goto cleanup;
-+ }
-+ memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len);
-+ prompts[i].reply->length = len;
-+ }
-+
-+cleanup:
-+ /* pam_prompts is correct at this point */
-+
-+ for (i = 0; i < pam_prompts; i++) {
-+ if (msg[i].msg)
-+ free((char *) msg[i].msg);
-+ }
-+ free(msg);
-+
-+ if (resp) {
-+ for (i = 0; i < pam_prompts; i++) {
-+ /*
-+ * Note that PAM is underspecified wrt free()'ing resp[i].resp.
-+ * It's not clear if I should free it, or if the application
-+ * has to. Therefore most (all?) apps won't free() it, and I
-+ * can't either, as I am not sure it was malloc()'d. All PAM
-+ * implementations I've seen leak memory here. Not so bad, IFF
-+ * you fork/exec for each PAM authentication (as is typical).
-+ */
-+#if 0
-+ if (resp[i].resp)
-+ free(resp[i].resp);
-+#endif /* 0 */
-+ }
-+ /* This does not lose resp[i].resp if the application saved a copy. */
-+ free(resp);
-+ }
-+
-+ return (pamret ? KRB5KRB_ERR_GENERIC : 0);
-+}
-+
-+krb5_prompter_fct pam_prompter = heimdal_pam_prompter;
diff --git a/security/pam_krb5/files/patch-ai b/security/pam_krb5/files/patch-ai
deleted file mode 100644
index fab81814e912..000000000000
--- a/security/pam_krb5/files/patch-ai
+++ /dev/null
@@ -1,143 +0,0 @@
---- compat_mit.c.orig Mon Jun 11 13:20:39 2001
-+++ compat_mit.c Mon Jun 11 13:22:18 2001
-@@ -0,0 +1,140 @@
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+
-+#include <krb5.h>
-+#include <security/pam_appl.h>
-+#include <security/pam_modules.h>
-+#include "pam_krb5.h"
-+
-+const char *
-+compat_princ_component(krb5_context context, krb5_principal princ, int n)
-+{
-+ return krb5_princ_component(context, princ, n)->data;
-+}
-+
-+void
-+compat_free_data_contents(krb5_context context, krb5_data *data)
-+{
-+ krb5_free_data_contents(context, data);
-+}
-+
-+static krb5_error_code
-+mit_pam_prompter(krb5_context context, void *data, const char *name,
-+ const char *banner, int num_prompts, krb5_prompt prompts[])
-+{
-+ int pam_prompts = num_prompts;
-+ int pamret, i;
-+
-+ struct pam_message *msg;
-+ struct pam_response *resp = NULL;
-+ struct pam_conv *conv;
-+ pam_handle_t *pamh = (pam_handle_t *) data;
-+
-+ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0)
-+ return KRB5KRB_ERR_GENERIC;
-+
-+ if (name)
-+ pam_prompts++;
-+
-+ if (banner)
-+ pam_prompts++;
-+
-+ msg = calloc(sizeof(struct pam_message) * pam_prompts, 1);
-+ if (!msg)
-+ return ENOMEM;
-+
-+ /* Now use pam_prompts as an index */
-+ pam_prompts = 0;
-+
-+ /* Sigh. malloc all the prompts. */
-+ if (name) {
-+ msg[pam_prompts].msg = malloc(strlen(name) + 1);
-+ if (!msg[pam_prompts].msg)
-+ goto cleanup;
-+ strcpy((char *) msg[pam_prompts].msg, name);
-+ msg[pam_prompts].msg_style = PAM_TEXT_INFO;
-+ pam_prompts++;
-+ }
-+
-+ if (banner) {
-+ msg[pam_prompts].msg = malloc(strlen(banner) + 1);
-+ if (!msg[pam_prompts].msg)
-+ goto cleanup;
-+ strcpy((char *) msg[pam_prompts].msg, banner);
-+ msg[pam_prompts].msg_style = PAM_TEXT_INFO;
-+ pam_prompts++;
-+ }
-+
-+ for (i = 0; i < num_prompts; i++) {
-+ msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3);
-+ if (!msg[pam_prompts].msg)
-+ goto cleanup;
-+ sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt);
-+ msg[pam_prompts].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF
-+ : PAM_PROMPT_ECHO_ON;
-+ pam_prompts++;
-+ }
-+
-+ if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg,
-+ &resp, conv->appdata_ptr)) != 0)
-+ goto cleanup;
-+
-+ if (!resp)
-+ goto cleanup;
-+
-+ /* Reuse pam_prompts as a starting index */
-+ pam_prompts = 0;
-+ if (name)
-+ pam_prompts++;
-+ if (banner)
-+ pam_prompts++;
-+
-+ for (i = 0; i < num_prompts; i++, pam_prompts++) {
-+ register int len;
-+ if (!resp[pam_prompts].resp) {
-+ pamret = PAM_AUTH_ERR;
-+ goto cleanup;
-+ }
-+ len = strlen(resp[pam_prompts].resp); /* Help out the compiler */
-+ if (len > prompts[i].reply->length) {
-+ pamret = PAM_AUTH_ERR;
-+ goto cleanup;
-+ }
-+ memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len);
-+ prompts[i].reply->length = len;
-+ }
-+
-+cleanup:
-+ /* pam_prompts is correct at this point */
-+
-+ for (i = 0; i < pam_prompts; i++) {
-+ if (msg[i].msg)
-+ free((char *) msg[i].msg);
-+ }
-+ free(msg);
-+
-+ if (resp) {
-+ for (i = 0; i < pam_prompts; i++) {
-+ /*
-+ * Note that PAM is underspecified wrt free()'ing resp[i].resp.
-+ * It's not clear if I should free it, or if the application
-+ * has to. Therefore most (all?) apps won't free() it, and I
-+ * can't either, as I am not sure it was malloc()'d. All PAM
-+ * implementations I've seen leak memory here. Not so bad, IFF
-+ * you fork/exec for each PAM authentication (as is typical).
-+ */
-+#if 0
-+ if (resp[i].resp)
-+ free(resp[i].resp);
-+#endif /* 0 */
-+ }
-+ /* This does not lose resp[i].resp if the application saved a copy. */
-+ free(resp);
-+ }
-+
-+ return (pamret ? KRB5KRB_ERR_GENERIC : 0);
-+}
-+
-+krb5_prompter_fct pam_prompter = mit_pam_prompter;
diff --git a/security/pam_krb5/pkg-plist b/security/pam_krb5/pkg-plist
index ed0796d89284..2c1938c01a42 100644
--- a/security/pam_krb5/pkg-plist
+++ b/security/pam_krb5/pkg-plist
@@ -1 +1,2 @@
 lib/pam_krb5.so
+lib/pam_krb5.so.1 |