author | Cy Schubert <cy@FreeBSD.org> | 2002-02-10 22:45:32 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2002-02-10 22:45:32 +0000 |
commit | 0d5e01e01dc6c1127ac2e0b1279fc2cf4371fc0a (patch) | |
tree | 89859ace9b7e6561b94f63fe37080b1aa3fd8ae5 /security | |
parent | cc99216876a77c6fb4ac13b642926d167fa943de (diff) | |
Diffstat (limited to 'security')
24 files changed, 904 insertions, 0 deletions
diff --git a/security/krb5-beta/Makefile b/security/krb5-beta/Makefile
new file mode 100644
index 000000000000..35fbeedc56c3
--- /dev/null
+++ b/security/krb5-beta/Makefile
@@ -0,0 +1,127 @@ +# Ports collection Makefile for: MIT Kerberos V Beta +# Date created: 2/10/2002 +# Whom: cy@FreeBSD.org +# +# $FreeBSD$ +# + +PORTNAME= krb5 +PORTVERSION= 1.2.4b1 +CATEGORIES= security +MASTER_SITES= # manual download +DISTNAME= krb5-1.2.4-beta1 + +MAINTAINER= cy@FreeBSD.org + +BUILD_DEPENDS= gm4:${PORTSDIR}/devel/m4 + +KERBEROSV_URL= http://web.mit.edu/network/kerberos-form.html +USE_GMAKE= yes +INSTALLS_SHLIB= yes +GNU_CONFIGURE= yes +CONFIGURE_ARGS?= --enable-shared --with-ccopts="${CFLAGS}" +CONFIGURE_ENV= INSTALL="${INSTALL}" +MAKE_ARGS= INSTALL="${INSTALL}" +KRB5_KRB4_COMPAT?= YES + +.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO" +MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/ +.endif + +.if !defined(KRB5_KRB4_COMPAT) || ${KRB5_KRB4_COMPAT} == "NO" +CONFIGURE_ARGS+= --without-krb4 +.endif + +.if defined(KRB5_HOME) +PREFIX= ${KRB5_HOME} +.endif + +RESTRICTED= "Crypto; export-controlled" +# Set USA_RESIDENT appropriately in /etc/make.conf if you like + +INFO_FILES= krb425.info krb5-admin.info krb5-admin.info-1 \ + krb5-admin.info-2 krb5-admin.info-3 krb5-install.info \ + krb5-install.info-1 krb5-install.info-2 krb5-user.info + +MAN1= krb5-send-pr.1 kpasswd.1 v5passwd.1 klist.1 kinit.1 \ + kdestroy.1 ksu.1 sclient.1 rsh.1 rcp.1 rlogin.1 \ + v4rcp.1 ftp.1 telnet.1 kerberos.1 kvno.1 +MAN5= kdc.conf.5 krb5.conf.5 .k5login.5 +MAN8= krb5kdc.8 kadmin.8 kadmin.local.8 kdb5_util.8 \ + ktutil.8 kadmind.8 kprop.8 kpropd.8 sserver.8 \ + kshd.8 klogind.8 login.krb5.8 ftpd.8 telnetd.8 + +WRKSRC= ${WRKDIR}/${DISTNAME}/src + +WANT_HTML?= YES +HTML_DOC_DIR= ${WRKDIR}/${DISTNAME}/doc +HTML_DOCS= admin.html install_foot.html user-guide.html \ + admin_foot.html install_toc.html user-guide_foot.html \ + admin_toc.html krb425.html user-guide_toc.html \ + install.html krb425_toc.html + +.if !defined(USA_RESIDENT) || ${USA_RESIDENT} == "YES" +do-fetch: + @if [ ! 
-f ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX} ]; then \ + ${ECHO} ""; \ + ${ECHO} ">> Kerberos V contains encryption software and is"; \ + ${ECHO} " export restricted. If you are not a USA resident,";\ + ${ECHO} " then you cannot obtain the Kerberos V sources from";\ + ${ECHO} " within the United States."; \ + ${ECHO} ""; \ + ${ECHO} ">> The Kerberos V sources must be fetched manually."; \ + ${ECHO} " Please visit ${KERBEROSV_URL}"; \ + ${ECHO} " to download ${DISTNAME}${EXTRACT_SUFX} and place"; \ + ${ECHO} " it in ${DISTDIR}. Then run make again."; \ + ${FALSE}; \ + fi +.endif + +pre-build: +.if !defined(KRB5_KRB4_COMPAT) + @${ECHO} "------------------------------------------------------" + @${ECHO} "Set KRB5_KRB4_COMPAT=NO if you do not want to build " + @${ECHO} "the KerberosIV compatibility libraries. " + @${ECHO} "------------------------------------------------------" +.endif + +post-build: + @(cd ${WRKSRC}/../doc && \ + ${MAKE} ${INFO_FILES}) + +.include <bsd.port.pre.mk> + +post-install: +# html documentation +.if defined(WANT_HTML) && ${WANT_HTML} == "YES" + @${MKDIR} ${PREFIX}/share/doc/krb5 +.for html in ${HTML_DOCS} + ${INSTALL_MAN} ${HTML_DOC_DIR}/${html} ${PREFIX}/share/doc/krb5 +.endfor +.endif +# handle info files +.for info in ${INFO_FILES} + ${INSTALL_MAN} ${WRKSRC}/../doc/${info} ${PREFIX}/info/${info} +.endfor +.for info in ${INFO_FILES:M*.info} + install-info ${PREFIX}/info/${info} ${PREFIX}/info/dir +.endfor +# fixup packing list (no libs without version numbers in aout case) +.if ${PORTOBJFORMAT} == "aout" + ${ECHO_MSG} "Fixing packing list for a.out" + ${MV} ${TMPPLIST} ${TMPPLIST}.new + ${GREP} -v '\.so$$' ${TMPPLIST}.new > ${TMPPLIST} + ${RM} ${TMPPLIST}.new +.endif + @${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR} > ${PREFIX}/share/doc/krb5/README.FreeBSD + @${CHMOD} 444 ${PREFIX}/share/doc/krb5/README.FreeBSD + @${ECHO} "------------------------------------------------------" + @${ECHO} "This port of MIT Kerberos 5 includes remote login " + 
@${ECHO} "daemons (telnetd and klogind). These daemons default " + @${ECHO} "to using the system login program (/usr/bin/login). " + @${ECHO} "Please see the file " + @${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD" + @${ECHO} "for more information. " + @${ECHO} "------------------------------------------------------" + +.include <bsd.port.post.mk> diff --git a/security/krb5-beta/distinfo b/security/krb5-beta/distinfo new file mode 100644 index 000000000000..225d61b0f06f --- /dev/null +++ b/security/krb5-beta/distinfo @@ -0,0 +1 @@ +MD5 (krb5-1.2.4-beta1.tar.gz) = a58727b616cf8a5f88ebdb539f6e46a2 diff --git a/security/krb5-beta/files/README.FreeBSD b/security/krb5-beta/files/README.FreeBSD new file mode 100644 index 000000000000..e888e689eb04 --- /dev/null +++ b/security/krb5-beta/files/README.FreeBSD 
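Review bot: In post-install, `${PREFIX}/share/doc/krb5` is created only inside the `WANT_HTML == "YES"` block, yet README.FreeBSD is redirected into that directory unconditionally, so a build with WANT_HTML=NO fails at the redirect unless the directory already exists; moving `@${MKDIR} ${PREFIX}/share/doc/krb5` above the `.if` fixes it. The sed expression on that line has no `g` flag, so README lines that mention `${PREFIX}` twice (the inetd.conf examples ending in `-L ${PREFIX}/sbin/login.krb5`) keep a literal `${PREFIX}` in the login path an administrator would copy; `s%...%...%g` covers both. As shown on this page the sed input operand is `${FILESDIR}` itself rather than a file under it, which is worth checking against the committed Makefile.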
@@ -0,0 +1,32 @@
+The MIT KRB5 port provides its own login program at
+${PREFIX}/sbin/login.krb5. However, login.krb5 does not make use of
+the FreeBSD login.conf and login.access files that provide a means of
+setting up and controlling sessions under FreeBSD. To overcome this,
+the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
+interactive login password authentication instead of the login.krb5
+program provided by MIT KRB5. The FreeBSD /usr/bin/login program does
+not have support for Kerberos V password authentication,
+e.g. authentication at the console. The pam_krb5 port must be used to
+provide Kerberos V password authentication.
+
+For more information about pam_krb5, please see pam(8) and pam_krb5(8).
+
+If you wish to use login.krb5 that is provided by the MIT KRB5 port,
+the arguments "-L ${PREFIX}/sbin/login.krb5" must be
+specified as arguments to klogind and KRB5 telnetd, e.g.
+
+klogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -L ${PREFIX}/sbin/login.krb5
+eklogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
+telnet stream tcp nowait root ${PREFIX}/sbin/telnetd telnetd -a none -L ${PREFIX}/sbin/login.krb5
+
+Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
+of the FreeBSD provided /usr/bin/login for local tty logins,
+"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
+
+default:\
+ :cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
+ :if=/etc/issue:\
+ :lo=${PREFIX}/sbin/login.krb5:
+
+It is recommended that the FreeBSD /usr/bin/login be used with the
+pam_krb5 port instead of the MIT KRB5 provided login.krb5.
diff --git a/security/krb5-beta/files/patch-ac b/security/krb5-beta/files/patch-ac
new file mode 100644
index 000000000000..8bca5437d964
--- /dev/null
+++ b/security/krb5-beta/files/patch-ac
@@ -0,0 +1,13 @@
+--- ../doc/admin.texinfo Fri Feb 6 21:40:56 1998
++++ admin.texinfo Fri Jun 19 15:13:45 1998
+@@ -5,6 +5,10 @@
+ @c guide
+ @setfilename krb5-admin.info
+ @settitle Kerberos V5 System Administrator's Guide
++@dircategory Kerberos V5
++@direntry
++* Admin Guide: (krb5-admin). Kerberos V5 System Admin's Guide
++@end direntry
+ @setchapternewpage odd @c chapter begins on next odd page
+ @c @setchapternewpage on @c chapter begins on next page
+ @c @smallbook @c Format for 7" X 9.25" paper
diff --git a/security/krb5-beta/files/patch-ad b/security/krb5-beta/files/patch-ad
new file mode 100644
index 000000000000..c8b6d3e99e91
--- /dev/null
+++ b/security/krb5-beta/files/patch-ad
@@ -0,0 +1,13 @@
+--- ../doc/user-guide.texinfo Fri Feb 6 21:40:58 1998
++++ user-guide.texinfo Fri Jun 19 15:13:45 1998
+@@ -3,6 +3,10 @@
+ @c guide
+ @setfilename krb5-user.info
+ @settitle Kerberos V5 UNIX User's Guide
++@dircategory Kerberos V5
++@direntry
++* User's Guide: (krb5-user). Kerberos V5 UNIX User's Guide
++@end direntry
+ @setchapternewpage odd @c chapter begins on next odd page
+ @c @setchapternewpage on @c chapter begins on next page
+ @c @smallbook @c Format for 7" X 9.25" paper
diff --git a/security/krb5-beta/files/patch-ae b/security/krb5-beta/files/patch-ae
new file mode 100644
index 000000000000..f5643b5aa04f
--- /dev/null
+++ b/security/krb5-beta/files/patch-ae
@@ -0,0 +1,13 @@
+--- ../doc/install.texinfo Fri Feb 6 21:40:56 1998
++++ install.texinfo Fri Jun 19 15:13:45 1998
+@@ -5,6 +5,10 @@
+ @c guide
+ @setfilename krb5-install.info
+ @settitle Kerberos V5 Installation Guide
++@dircategory Kerberos V5
++@direntry
++* Installation Guide: (krb5-install). Kerberos V5 Installation Guide
++@end direntry
+ @setchapternewpage odd @c chapter begins on next odd page
+ @c @setchapternewpage on @c chapter begins on next page
+ @c @smallbook @c Format for 7" X 9.25" paper
diff --git a/security/krb5-beta/files/patch-af b/security/krb5-beta/files/patch-af
new file mode 100644
index 000000000000..e054b18bbef5
--- /dev/null
+++ b/security/krb5-beta/files/patch-af
@@ -0,0 +1,13 @@
+--- ../doc/krb425.texinfo Fri Feb 6 21:40:57 1998
++++ krb425.texinfo Fri Jun 19 15:13:45 1998
+@@ -5,6 +5,10 @@
+ @c guide
+ @setfilename krb425.info
+ @settitle Upgrading to Kerberos V5 from Kerberos V4
++@dircategory Kerberos V5
++@direntry
++* Upgrading from V4 to V5: (krb425). Upgrading from Kerberos V4 to V5
++@end direntry
+ @setchapternewpage odd @c chapter begins on next odd page
+ @c @setchapternewpage on @c chapter begins on next page
+ @c @smallbook @c Format for 7" X 9.25" paper
diff --git a/security/krb5-beta/files/patch-ai b/security/krb5-beta/files/patch-ai
new file mode 100644
index 000000000000..f5b733194344
--- /dev/null
+++ b/security/krb5-beta/files/patch-ai
@@ -0,0 +1,28 @@
+--- appl/gssftp/ftpd/ftpd.c.orig Wed Jan 9 14:26:51 2002
++++ appl/gssftp/ftpd/ftpd.c Thu Jan 10 19:00:13 2002
+@@ -487,7 +487,13 @@
+ #ifndef LOG_DAEMON
+ #define LOG_DAEMON 0
+ #endif
+- openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_DAEMON);
++
++#ifndef LOG_FTP
++#define FACILITY LOG_DAEMON
++#else
++#define FACILITY LOG_FTP
++#endif
++ openlog("ftpd", LOG_PID | LOG_NDELAY, FACILITY);
+
+ addrlen = sizeof (his_addr);
+ if (getpeername(0, (struct sockaddr *)&his_addr, &addrlen) < 0) {
+@@ -2312,6 +2318,10 @@
+ if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum),
+ &kdata.session,&ctrl_addr, &his_addr)) == -1) {
+ secure_error("ADAT: krb_mk_safe failed");
++ return(0);
++ }
++ if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
++ secure_error("ADAT: reply too long");
+ return(0);
+ }
+ if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
diff --git a/security/krb5-beta/files/patch-aj b/security/krb5-beta/files/patch-aj
new file mode 100644
index 000000000000..c3bb8dfd6960
--- /dev/null
+++ b/security/krb5-beta/files/patch-aj
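Review bot: The second hunk of the embedded ftpd.c patch (files/patch-ai) adds an `if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3)` check directly in front of a context line that is the same check, so the patched source tests the ADAT reply length twice in a row. That suggests the bound already exists in this beta's ftpd.c and the hunk was carried over from the older port; dropping it keeps the length guard and leaves a single copy to maintain. The body of the existing `if` lies outside the hunk, so it should be confirmed there that the surviving branch also returns before the reply is encoded.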
@@ -0,0 +1,19 @@
+*** appl/gssftp/ftpd/logwtmp.c.ORIG Fri Feb 6 19:41:25 1998
+--- appl/gssftp/ftpd/logwtmp.c Tue Jun 30 19:46:01 1998
+***************
+*** 66,72 ****
+ struct stat buf;
+ time_t time();
+
+! if (fd < 0 && (fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) < 0)
+ return;
+ if (fstat(fd, &buf) == 0) {
+ (void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));
+--- 66,72 ----
+ struct stat buf;
+ time_t time();
+
+! if (fd < 0 && (fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0)
+ return;
+ if (fstat(fd, &buf) == 0) {
+ (void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));
diff --git a/security/krb5-beta/files/patch-appl::bsd::Makefile.in b/security/krb5-beta/files/patch-appl::bsd::Makefile.in
new file mode 100644
index 000000000000..603c399a287f
--- /dev/null
+++ b/security/krb5-beta/files/patch-appl::bsd::Makefile.in
@@ -0,0 +1,11 @@
+--- appl/bsd/Makefile.in.orig Wed Feb 28 14:06:43 2001
++++ appl/bsd/Makefile.in Mon Dec 31 21:52:45 2001
+@@ -28,7 +28,7 @@
+ -DUCB_RSH=\"$(UCB_RSH)\" -DUCB_RCP=\"$(UCB_RCP)\"
+
+ DEFINES = $(RSH) $(BSD) $(RPROGS) \
+- -DLOGIN_PROGRAM=\"$(SERVER_BINDIR)/login.krb5\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
++ -DLOGIN_PROGRAM=\"/usr/bin/login\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
+
+ all:: rsh rcp rlogin kshd klogind login.krb5 $(V4RCP)
+
diff --git a/security/krb5-beta/files/patch-appl::bsd::klogind.M b/security/krb5-beta/files/patch-appl::bsd::klogind.M
new file mode 100644
index 000000000000..1523c3d593df
--- /dev/null
+++ b/security/krb5-beta/files/patch-appl::bsd::klogind.M
@@ -0,0 +1,34 @@
+--- appl/bsd/klogind.M.orig Wed Feb 28 14:06:43 2001
++++ appl/bsd/klogind.M Mon Dec 31 21:22:27 2001
+@@ -14,6 +14,7 @@
+ ]
+ [
+ [ \fB\-w\fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]] ]
++[\fB\-L\fP \fIloginpath\fP]
+ .SH DESCRIPTION
+ .I Klogind
+ is the server for the
+@@ -107,6 +108,10 @@
+ Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+ authentication from succeeding in the default mode.
+
++.IP \fB\-L\ loginpath\fP
++Specify pathname to an alternative login program. Default: /usr/bin/login.
++KRB5_HOME/sbin/login.krb5 may be specified.
++
+
+ .PP
+ If the
+@@ -157,12 +162,6 @@
+
+ .IP \fB\-M\ realm\fP
+ Set the Kerberos realm to use.
+-
+-.IP \fB\-L\ login\fP
+-Set the login program to use. This option only has an effect if
+-DO_NOT_USE_K_LOGIN was not defined when
+-.I klogind
+-was compiled.
+ .SH DIAGNOSTICS
+ All diagnostic messages are returned on the connection
+ associated with the
diff --git a/security/krb5-beta/files/patch-appl::telnet::telnetd::Makefile.in b/security/krb5-beta/files/patch-appl::telnet::telnetd::Makefile.in
new file mode 100644
index 000000000000..cb5a0e26d49d
--- /dev/null
+++ b/security/krb5-beta/files/patch-appl::telnet::telnetd::Makefile.in
@@ -0,0 +1,11 @@
+--- appl/telnet/telnetd/Makefile.in.orig Wed Feb 28 14:06:51 2001
++++ appl/telnet/telnetd/Makefile.in Mon Dec 31 21:51:19 2001
+@@ -24,7 +24,7 @@
+ # @(#)Makefile.generic 5.5 (Berkeley) 3/1/91
+ #
+
+-AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
++AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=\"/usr/bin/login\"
+ OTHERDEFS=-DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
+ LOCALINCLUDES=-I.. -I$(srcdir)/..
+ DEFINES = $(AUTH_DEF) $(OTHERDEFS)
diff --git a/security/krb5-beta/files/patch-appl::telnet::telnetd::telnetd.8 b/security/krb5-beta/files/patch-appl::telnet::telnetd::telnetd.8
new file mode 100644
index 000000000000..951ee0d5692a
--- /dev/null
+++ b/security/krb5-beta/files/patch-appl::telnet::telnetd::telnetd.8
@@ -0,0 +1,22 @@
+--- appl/telnet/telnetd/telnetd.8.orig Wed Feb 28 14:06:51 2001
++++ appl/telnet/telnetd/telnetd.8 Mon Dec 31 21:16:55 2001
+@@ -43,7 +43,7 @@
+ [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
+ [\fB\-S\fP \fItos\fP] [\fB\-U\fP] [\fB\-X\fP \fIauthtype\fP]
+ [\fB\-w\fP [\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]]
+-[\fB\-debug\fP [\fIport\fP]]
++[\fB\-debug\fP] [\fB\-L\fP \fIloginpath\fP] [\fIport\fP]
+ .SH DESCRIPTION
+ The
+ .B telnetd
+@@ -221,6 +221,10 @@
+ in response to a
+ .SM DO TIMING-MARK)
+ for kludge linemode support.
++.TP
++\fB\-L\fP \fIloginpath\fP
++Specify pathname to an alternative login program. Default: /usr/bin/login.
++KRB5_HOME/sbin/login.krb5 may be specified.
+ .TP
+ .B \-l
+ Specifies line mode. Tries to force clients to use line-at-a-time
diff --git a/security/krb5-beta/files/patch-appl::telnet::telnetd::utility.c b/security/krb5-beta/files/patch-appl::telnet::telnetd::utility.c
new file mode 100644
index 000000000000..8bb656dc0673
--- /dev/null
+++ b/security/krb5-beta/files/patch-appl::telnet::telnetd::utility.c
@@ -0,0 +1,38 @@
+--- appl/telnet/telnetd/utility.c.orig Wed Jan 9 14:26:59 2002
++++ appl/telnet/telnetd/utility.c Fri Jan 11 13:10:33 2002
+@@ -408,18 +408,25 @@
+ int
+ netwrite(const char *buf, size_t len)
+ {
+- size_t remain;
++ int remaining, copied;
++
++ remaining = BUFSIZ - (nfrontp - netobuf);
++ while (len > 0) {
++ /* Free up enough space if the room is too low*/
++ if ((len > BUFSIZ ? BUFSIZ : len) > remaining) {
++ netflush();
++ remaining = BUFSIZ - (nfrontp - netobuf);
++ }
+
+- remain = sizeof(netobuf) - (nfrontp - netobuf);
+- if (remain < len) {
+- netflush();
+- remain = sizeof(netobuf) - (nfrontp - netobuf);
++ /* Copy out as much as will fit */
++ copied = remaining > len ? len : remaining;
++ memmove(nfrontp, buf, copied);
++ nfrontp += copied;
++ len -= copied;
++ remaining -= copied;
++ buf += copied;
+ }
+- if (remain < len)
+- return 0;
+- memcpy(nfrontp, buf, len);
+- nfrontp += len;
+- return len;
++ return copied;
+ }
+
+ /*
diff --git a/security/krb5-beta/files/patch-as b/security/krb5-beta/files/patch-as
new file mode 100644
index 000000000000..0b26c449fe11
--- /dev/null
+++ b/security/krb5-beta/files/patch-as
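Review bot: The rewritten netwrite() ends with `return copied;`, which is only the size of the last chunk and is never assigned when `len` is 0, so callers get a misleading or indeterminate count where the removed code returned `len`. Saving the request size up front (`size_t total = len;`) and ending with `return total;` keeps the old contract. The loop also has no exit when netflush() frees no room: `remaining` stays 0, `copied` becomes 0 and `len` never shrinks, whereas the removed code returned 0 in that case; a guard such as `if (remaining <= 0) return 0;` after the flush restores a bounded failure. `remaining` and `copied` are `int` while `len` is `size_t`, so the comparisons are mixed-sign, and the bound moved from `sizeof(netobuf)` to `BUFSIZ`, which is safe only if netobuf holds at least BUFSIZ bytes (its declaration is outside the hunk).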
@@ -0,0 +1,199 @@ +--- clients/ksu/main.c.orig Wed Feb 28 14:06:55 2001 ++++ clients/ksu/main.c Thu Sep 6 16:21:46 2001 +@@ -31,6 +31,10 @@ + #include <sys/wait.h> + #include <signal.h> + ++#ifdef LOGIN_CAP ++#include <login_cap.h> ++#endif ++ + /* globals */ + char * prog_name; + int auth_debug =0; +@@ -60,7 +64,7 @@ + ill specified arguments to commands */ + + void usage (){ +- fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name); ++ fprintf(stderr, "Usage: %s [target user] [-m] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name); + } + + /* for Ultrix and friends ... */ +@@ -76,6 +80,7 @@ + int argc; + char ** argv; + { ++int asme = 0; + int hp =0; + int some_rest_copy = 0; + int all_rest_copy = 0; +@@ -90,6 +95,7 @@ + char * cc_target_tag = NULL; + char * target_user = NULL; + char * source_user; ++char * source_shell; + + krb5_ccache cc_source = NULL; + const char * cc_source_tag = NULL; +@@ -118,6 +124,11 @@ + char * dir_of_cc_target; + char * dir_of_cc_source; + ++#ifdef LOGIN_CAP ++login_cap_t *lc; ++int setwhat; ++#endif ++ + options.opt = KRB5_DEFAULT_OPTIONS; + options.lifetime = KRB5_DEFAULT_TKT_LIFE; + options.rlife =0; +@@ -181,7 +192,7 @@ + com_err (prog_name, errno, "while setting euid to source user"); + exit (1); + } +- while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){ ++ while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkmql:e:")) != -1)){ + switch (option) { + case 'r': + options.opt |= KDC_OPT_RENEWABLE; +@@ -227,6 +238,9 @@ + errflg++; + } + break; ++ case 'm': ++ asme = 1; ++ break; + case 'n': + if ((retval = krb5_parse_name(ksu_context, optarg, &client))){ + com_err(prog_name, retval, "when parsing name %s", optarg); +@@ -341,6 +355,7 @@ 
+ + /* allocate space and copy the usernamane there */ + source_user = xstrdup(pwd->pw_name); ++ source_shell = xstrdup(pwd->pw_shell); + source_uid = pwd->pw_uid; + source_gid = pwd->pw_gid; + +@@ -668,43 +683,64 @@ + /* get the shell of the user, this will be the shell used by su */ + target_pwd = getpwnam(target_user); + +- if (target_pwd->pw_shell) +- shell = xstrdup(target_pwd->pw_shell); +- else { +- shell = _DEF_CSH; /* default is cshell */ +- } ++ if (asme) { ++ if (source_shell && *source_shell) { ++ shell = strdup(source_shell); ++ } else { ++ shell = _DEF_CSH; ++ } ++ } else { ++ if (target_pwd->pw_shell) ++ shell = strdup(target_pwd->pw_shell); ++ else { ++ shell = _DEF_CSH; /* default is cshell */ ++ } ++ } + + #ifdef HAVE_GETUSERSHELL + + /* insist that the target login uses a standard shell (root is omited) */ + +- if (!standard_shell(target_pwd->pw_shell) && source_uid) { +- fprintf(stderr, "ksu: permission denied (shell).\n"); +- sweep_up(ksu_context, cc_target); +- exit(1); ++ if (asme) { ++ if (!standard_shell(pwd->pw_shell) && source_uid) { ++ fprintf(stderr, "ksu: permission denied (shell).\n"); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ } else { ++ if (!standard_shell(target_pwd->pw_shell) && source_uid) { ++ fprintf(stderr, "ksu: permission denied (shell).\n"); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } + } + #endif /* HAVE_GETUSERSHELL */ + +- if (target_pwd->pw_uid){ +- +- if(set_env_var("USER", target_pwd->pw_name)){ +- fprintf(stderr,"ksu: couldn't set environment variable USER\n"); +- sweep_up(ksu_context, cc_target); +- exit(1); +- } +- } ++ if (!asme) { ++ if (target_pwd->pw_uid){ ++ if (set_env_var("USER", target_pwd->pw_name)){ ++ fprintf(stderr,"ksu: couldn't set environment variable USER\n"); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ } + +- if(set_env_var( "HOME", target_pwd->pw_dir)){ +- fprintf(stderr,"ksu: couldn't set environment variable USER\n"); +- sweep_up(ksu_context, cc_target); +- 
exit(1); +- } ++ if (set_env_var( "HOME", target_pwd->pw_dir)){ ++ fprintf(stderr,"ksu: couldn't set environment variable USER\n"); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } + +- if(set_env_var( "SHELL", shell)){ +- fprintf(stderr,"ksu: couldn't set environment variable USER\n"); +- sweep_up(ksu_context, cc_target); +- exit(1); +- } ++ if (set_env_var( "SHELL", shell)){ ++ fprintf(stderr,"ksu: couldn't set environment variable USER\n"); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ } ++ ++#ifdef LOGIN_CAP ++ lc = login_getpwclass(pwd); ++#endif + + /* set the cc env name to target */ + +@@ -714,7 +750,18 @@ + sweep_up(ksu_context, cc_target); + exit(1); + } +- ++#ifdef LOGIN_CAP ++ setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; ++ setwhat |= LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV; ++ /* ++ * Don't touch resource/priority settings if -m has been ++ * used or -l and -c hasn't, and we're not su'ing to root. ++ */ ++ if (target_pwd->pw_uid) ++ setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES); ++ if (setusercontext(lc, target_pwd, target_pwd->pw_uid, setwhat) < 0) ++ err(1, "setusercontext"); ++#else + /* set permissions */ + if (setgid(target_pwd->pw_gid) < 0) { + perror("ksu: setgid"); +@@ -754,7 +801,8 @@ + perror("ksu: setuid"); + sweep_up(ksu_context, cc_target); + exit(1); +- } ++ } ++#endif + + if (access( cc_target_tag_tmp, R_OK | W_OK )){ + com_err(prog_name, errno, diff --git a/security/krb5-beta/files/patch-at b/security/krb5-beta/files/patch-at new file mode 100644 index 000000000000..ef9ea4856f7a --- /dev/null +++ b/security/krb5-beta/files/patch-at 
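Review bot: The new LOGIN_CAP branch in the embedded ksu patch exits with `err(1, "setusercontext")` without calling `sweep_up(ksu_context, cc_target)`, unlike the other failure paths visible in this hunk, so a failed context switch would leave the target credential cache behind. Following the setgid/setuid pattern avoids that: `perror("ksu: setusercontext"); sweep_up(ksu_context, cc_target); exit(1);`. The `-m` path also evaluates `standard_shell(pwd->pw_shell)` and later `login_getpwclass(pwd)` after `getpwnam(target_user)` has run; passwd lookups commonly return shared static storage, so `pwd` may no longer describe the source user, and the copy already kept in `source_shell` could be used for the shell check instead. The comment above the `setwhat` mask mentions `-m`, `-l` and `-c`, but the condition tests only `target_pwd->pw_uid`, so either the comment or the test should be adjusted.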
@@ -0,0 +1,14 @@
+*** include/sys/syslog.h.ORIG Fri Feb 6 19:42:12 1998
+--- include/sys/syslog.h Tue Jun 30 19:46:02 1998
+***************
+*** 34,39 ****
+--- 34,42 ----
+ #define LOG_LPR (6<<3) /* line printer subsystem */
+ #define LOG_NEWS (7<<3) /* network news subsystem */
+ #define LOG_UUCP (8<<3) /* UUCP subsystem */
++ #if (defined(BSD) && (BSD >= 199306))
++ #define LOG_FTP (11<<3) /* ftp daemon */
++ #endif
+ /* other codes through 15 reserved for system use */
+ #define LOG_LOCAL0 (16<<3) /* reserved for local use */
+ #define LOG_LOCAL1 (17<<3) /* reserved for local use */
diff --git a/security/krb5-beta/files/patch-av b/security/krb5-beta/files/patch-av
new file mode 100644
index 000000000000..8363b8bb1e2d
--- /dev/null
+++ b/security/krb5-beta/files/patch-av
@@ -0,0 +1,15 @@
+*** clients/ksu/Makefile.in.ORIG Sun Aug 2 16:51:18 1998
+--- clients/ksu/Makefile.in Sun Aug 2 16:53:48 1998
+***************
+*** 3,7 ****
+ mydir=ksu
+ BUILDTOP=$(REL)$(U)$(S)$(U)
+! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+ CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
+
+--- 3,7 ----
+ mydir=ksu
+ BUILDTOP=$(REL)$(U)$(S)$(U)
+! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"'
+ CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
+
diff --git a/security/krb5-beta/files/patch-ax b/security/krb5-beta/files/patch-ax
new file mode 100644
index 000000000000..58cfe89d9294
--- /dev/null
+++ b/security/krb5-beta/files/patch-ax
@@ -0,0 +1,11 @@
+--- ../doc/Makefile.orig Wed Jan 20 21:57:45 1999
++++ ../doc/Makefile Wed Jan 20 21:59:19 1999
+@@ -1,7 +1,7 @@
+ SRCDIR=../src
+ DVI=texi2dvi
+ DVIPS=dvips -o "$@"
+-INFO=makeinfo
++INFO=makeinfo --no-validate
+ HTML=texi2html
+ RM=rm -f
+ TAR=tar -chvf
diff --git a/security/krb5-beta/files/patch-ay b/security/krb5-beta/files/patch-ay
new file mode 100644
index 000000000000..54c041e205f1
--- /dev/null
+++ b/security/krb5-beta/files/patch-ay
@@ -0,0 +1,50 @@
+--- util/pty/getpty.c.orig Wed Jan 9 14:28:37 2002
++++ util/pty/getpty.c Thu Jan 10 21:30:40 2002
+@@ -24,13 +24,26 @@
+ #include "libpty.h"
+ #include "pty-int.h"
+
++#ifdef __FreeBSD__
++#define PTYCHARS1 "pqrsPQRS"
++#define PTYCHARS2 "0123456789abcdefghijklmnopqrstuv"
++#endif
++
++#ifndef PTYCHARS1
++#define PTYCHARS1 "pqrstuvwxyzPQRST"
++#endif
++
++#ifndef PTYCHARS2
++#define PTYCHARS2 "0123456789abcdef"
++#endif
++
+ long
+ ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt)
+ {
++ int ptynum;
++ char *cp1, *cp2;
+ #if !defined(HAVE__GETPTY) && !defined(HAVE_OPENPTY)
+- char *cp;
+ char *p;
+- int i,ptynum;
+ struct stat stb;
+ char slavebuf[1024];
+ #endif
+@@ -115,14 +128,14 @@
+ strncpy(slave, slavebuf, slavelength);
+ return 0;
+ } else {
+- for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
++ for (cp1 = PTYCHARS1; *cp1 != '\0'; cp1++) {
+ sprintf(slavebuf,"/dev/ptyXX");
+- slavebuf[sizeof("/dev/pty") - 1] = *cp;
++ slavebuf[sizeof("/dev/pty") - 1] = *cp1;
+ slavebuf[sizeof("/dev/ptyp") - 1] = '0';
+ if (stat(slavebuf, &stb) < 0)
+ break;
+- for (i = 0; i < 16; i++) {
+- slavebuf[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
++ for (cp2 = PTYCHARS2; *cp2 != '\0'; cp2++) {
++ slavebuf[sizeof("/dev/ptyp") - 1] = *cp2;
+ *fd = open(slavebuf, O_RDWR);
+ if (*fd < 0) continue;
+
diff --git a/security/krb5-beta/files/patch-ba b/security/krb5-beta/files/patch-ba
new file mode 100644
index 000000000000..60d70466eff3
--- /dev/null
+++ b/security/krb5-beta/files/patch-ba
@@ -0,0 +1,81 @@ +--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999 ++++ appl/bsd/login.c Wed Oct 13 12:56:29 1999 +@@ -1303,19 +1304,6 @@ + setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET); + } + +- /* Policy: If local password is good, user is good. +- We really can't trust the Kerberos password, +- because somebody on the net could spoof the +- Kerberos server (not easy, but possible). +- Some sites might want to use it anyways, in +- which case they should change this line +- to: +- if (kpass_ok) +- */ +- +- if (lpass_ok) +- break; +- + if (got_v5_tickets) { + if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL, + NULL, &xtra_creds, +@@ -1338,6 +1326,9 @@ + } + #endif /* KRB4_GET_TICKETS */ + ++ if (lpass_ok) ++ break; ++ + bad_login: + setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET); + +@@ -1640,20 +1631,28 @@ + /* set up credential cache -- obeying KRB5_ENV_CCNAME + set earlier */ + /* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */ +- if (retval = krb5_cc_default(kcontext, &ccache)) { ++ retval = krb5_cc_default(kcontext, &ccache); ++ if (retval) + com_err(argv[0], retval, "while getting default ccache"); +- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) { +- com_err(argv[0], retval, "when initializing cache"); +- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) { +- com_err(argv[0], retval, "while storing credentials"); +- } else if (xtra_creds && +- (retval = krb5_cc_copy_creds(kcontext, xtra_creds, +- ccache))) { +- com_err(argv[0], retval, "while storing credentials"); ++ else { ++ retval = krb5_cc_initialize(kcontext, ccache, me); ++ if (retval) ++ com_err(argv[0], retval, "when initializing cache"); ++ else { ++ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds); ++ if (retval) ++ com_err(argv[0], retval, "while storing credentials"); ++ else { ++ if (xtra_creds) { ++ retval = krb5_cc_copy_creds(kcontext, xtra_creds, ++ ccache); ++ if (retval) ++ com_err(argv[0], retval, "while storing credentials"); ++ 
krb5_cc_destroy(kcontext, xtra_creds); ++ } ++ } ++ } + } +- +- if (xtra_creds) +- krb5_cc_destroy(kcontext, xtra_creds); + } else if (forwarded_v5_tickets && rewrite_ccache) { + if ((retval = krb5_cc_initialize (kcontext, ccache, me))) { + syslog(LOG_ERR, +@@ -1727,6 +1727,7 @@ + + if (ccname) + setenv("KRB5CCNAME", ccname, 1); ++ krb5_cc_set_default_name(kcontext, ccname); + + setenv("HOME", pwd->pw_dir, 1); + setenv("PATH", LPATH, 1); diff --git a/security/krb5-beta/files/patch-bb b/security/krb5-beta/files/patch-bb new file mode 100644 index 000000000000..6545ae682c53 --- /dev/null +++ b/security/krb5-beta/files/patch-bb @@ -0,0 +1,10 @@ +--- appl/telnet/telnet/Makefile.in.orig Sat Dec 18 10:47:05 1999 ++++ appl/telnet/telnet/Makefile.in Sat Dec 18 10:47:13 1999 +@@ -58,7 +58,6 @@ + $(INSTALL_DATA) $(srcdir)/$$f.1 \ + ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \ + done +- $(INSTALL_DATA) $(srcdir)/tmac.doc ${DESTDIR}$(CLIENT_MANDIR)/tmac.doc + + authenc.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET) + commands.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET) diff --git a/security/krb5-beta/pkg-comment b/security/krb5-beta/pkg-comment new file mode 100644 index 000000000000..339cc4cd5571 --- /dev/null +++ b/security/krb5-beta/pkg-comment @@ -0,0 +1 @@ +An authentication system developed at MIT, successor to Kerberos IV diff --git a/security/krb5-beta/pkg-descr b/security/krb5-beta/pkg-descr new file mode 100644 index 000000000000..376a48c52faf --- /dev/null +++ b/security/krb5-beta/pkg-descr 
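Review bot: The rewritten credential-cache block in the embedded login.c patch calls `krb5_cc_destroy(kcontext, xtra_creds)` only on the path where every earlier call succeeded, whereas the removed `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);` ran regardless, so a failure in krb5_cc_default, krb5_cc_initialize or krb5_cc_store_cred now leaves the extra credentials in place for the rest of the login. Keeping the unconditional destroy after the nested block restores the old cleanup. The earlier hunks move `if (lpass_ok) break;` below the Kerberos verification block and delete the policy comment that explained the ordering; a short comment at the new location stating why the local-password check is now reached only after verification would help, since the failure branches of that block are outside the hunk.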
@@ -0,0 +1,24 @@
+Kerberos V5 is an authentication system developed at MIT.
+WWW: http://web.mit.edu/kerberos/www/
+
+Abridged from the User Guide:
+ Under Kerberos, a client sends a request for a ticket to the
+ Key Distribution Center (KDC). The KDC creates a ticket-granting
+ ticket (TGT) for the client, encrypts it using the client's
+ password as the key, and sends the encrypted TGT back to the
+ client. The client then attempts to decrypt the TGT, using
+ its password. If the client successfully decrypts the TGT, it
+ keeps the decrypted TGT, which indicates proof of the client's
+ identity. The TGT permits the client to obtain additional tickets,
+ which give permission for specific services.
+ Since Kerberos negotiates authenticated, and optionally encrypted,
+ communications between two points anywhere on the internet, it
+ provides a layer of security that is not dependent on which side of a
+ firewall either client is on.
+ The Kerberos V5 package is designed to be easy to use. Most of the
+ commands are nearly identical to UNIX network programs you are already
+ used to. Kerberos V5 is a single-sign-on system, which means that you
+ have to type your password only once per session, and Kerberos does
+ the authenticating and encrypting transparently.
+
+Jacques Vidrine <n@nectar.com>
diff --git a/security/krb5-beta/pkg-plist b/security/krb5-beta/pkg-plist
new file mode 100644
index 000000000000..01977cd59d64
--- /dev/null
+++ b/security/krb5-beta/pkg-plist
@@ -0,0 +1,124 @@ +@unexec install-info --delete %D/info/krb425.info %D/info/dir +@unexec install-info --delete %D/info/krb5-admin.info %D/info/dir +@unexec install-info --delete %D/info/krb5-install.info %D/info/dir +@unexec install-info --delete %D/info/krb5-user.info %D/info/dir +bin/ftp +bin/gss-client +bin/kdestroy +bin/kinit +bin/klist +bin/kpasswd +bin/krb524init +bin/ksu +bin/kvno +bin/rcp +bin/rlogin +bin/rsh +bin/sclient +bin/sim_client +bin/telnet +bin/uuclient +bin/v4rcp +bin/v5passwd +include/com_err.h +include/gssapi/gssapi.h +include/gssapi/gssapi_generic.h +include/gssapi/gssapi_krb5.h +include/kerberosIV/des.h +include/kerberosIV/kadm.h +include/kerberosIV/krb.h +include/kerberosIV/krb_err.h +include/kerberosIV/mit-copyright.h +include/krb5.h +include/libpty.h +include/mit-sipb-copyright.h +include/port-sockets.h +include/profile.h +info/krb425.info +info/krb5-admin.info +info/krb5-admin.info-1 +info/krb5-admin.info-2 +info/krb5-admin.info-3 +info/krb5-install.info +info/krb5-install.info-1 +info/krb5-install.info-2 +info/krb5-user.info +lib/libcom_err.a +lib/libcom_err.so +lib/libcom_err.so.3 +lib/libdes425.a +lib/libdes425.so +lib/libdes425.so.3 +lib/libdyn.a +lib/libdyn.so +lib/libdyn.so.1 +lib/libgssapi_krb5.a +lib/libgssapi_krb5.so +lib/libgssapi_krb5.so.2 +lib/libgssrpc.a +lib/libgssrpc.so +lib/libgssrpc.so.3 +lib/libk5crypto.a +lib/libk5crypto.so +lib/libk5crypto.so.3 +lib/libkadm5clnt.a +lib/libkadm5clnt.so +lib/libkadm5clnt.so.5 +lib/libkadm5srv.a +lib/libkadm5srv.so +lib/libkadm5srv.so.5 +lib/libkdb5.a +lib/libkdb5.so +lib/libkdb5.so.3 +lib/libkrb4.a +lib/libkrb4.so +lib/libkrb4.so.2 +lib/libkrb5.a +lib/libkrb5.so +lib/libkrb5.so.3 +lib/libkrb524.a +lib/libpty.a +lib/libpty.so +lib/libpty.so.1 +lib/libss.a +sbin/ftpd +sbin/gss-server +sbin/kadmin +sbin/kadmin.local +sbin/kadmind +sbin/kadmind4 +sbin/kdb5_util +sbin/klogind +sbin/kprop +sbin/kpropd +sbin/krb5-send-pr +sbin/krb524d +sbin/krb5kdc +sbin/kshd +sbin/ktutil +sbin/login.krb5 
+sbin/sim_server +sbin/sserver +sbin/telnetd +sbin/uuserver +sbin/v5passwdd +share/doc/krb5/README.FreeBSD +share/doc/krb5/admin.html +share/doc/krb5/admin_foot.html +share/doc/krb5/admin_toc.html +share/doc/krb5/install.html +share/doc/krb5/install_foot.html +share/doc/krb5/install_toc.html +share/doc/krb5/krb425.html +share/doc/krb5/krb425_toc.html +share/doc/krb5/user-guide.html +share/doc/krb5/user-guide_foot.html +share/doc/krb5/user-guide_toc.html +share/gnats/mit +@dirrm include/gssapi +@dirrm include/kerberosIV +@dirrm share/doc/krb5 +@exec install-info %D/info/krb425.info %D/info/dir +@exec install-info %D/info/krb5-admin.info %D/info/dir +@exec install-info %D/info/krb5-install.info %D/info/dir +@exec install-info %D/info/krb5-user.info %D/info/dir |