3 files changed, 468 insertions, 0 deletions

diff --git a/lib/libpam/modules/pam_krb5/Makefile b/lib/libpam/modules/pam_krb5/Makefile
index 1c2831facd50..ddd5c17ad259 100644
--- a/lib/libpam/modules/pam_krb5/Makefile
+++ b/lib/libpam/modules/pam_krb5/Makefile
@@ -23,6 +23,56 @@
 # SUCH DAMAGE.
 #
 
+.include <src.opts.mk>
+
+.if ${MK_MITKRB5} != "no"
+SRCDIR= ${SRCTOP}/contrib/pam-krb5
+.PATH:	${SRCDIR}/module \
+	${SRCDIR}/portable \
+	${SRCDIR}/pam-util \
+	${SRCDIR}
+
+PACKAGE=	krb5
+LIB=	pam_krb5
+LIBADD=	com_err krb5
+
+SRCS=	account.c \
+	alt-auth.c \
+	args.c \
+	auth.c \
+	cache.c \
+	context.c \
+	dummy.c \
+	fast.c \
+	krb5-extra.c \
+	logging.c \
+	pam-util_options.c \
+	module_options.c \
+	pam_syslog.c \
+	pam_vsyslog.c \
+	password.c \
+	prompting.c \
+	public.c \
+	setcred.c \
+	support.c \
+	vector.c
+
+CFLAGS=	-I${SRCDIR} \
+	-I${.CURDIR} \
+	-fno-strict-aliasing \
+	-Wno-error=incompatible-pointer-types-discards-qualifiers \
+	-DHAVE_CONFIG_H
+
+WARNS?=	3
+
+CLEANFILES=	pam-util_options.c module_options.c
+
+pam-util_options.c:	.PHONY
+	cp ${SRCDIR}/pam-util/options.c pam-util_options.c
+
+module_options.c:	.PHONY
+	cp ${SRCDIR}/module/options.c module_options.c
+.else
 PACKAGE=	kerberos
 
 LIB=	pam_krb5
@@ -35,4 +85,6 @@ WARNS?=	3
 
 LIBADD+=	krb5
 
+.endif
+
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_krb5/config.h b/lib/libpam/modules/pam_krb5/config.h
new file mode 100644
index 000000000000..75695eef66a1
--- /dev/null
+++ b/lib/libpam/modules/pam_krb5/config.h
@@ -0,0 +1,412 @@
+/* config.h.  Generated from config.h.in by configure.  */
+/* config.h.in.  Generated from configure.ac by autoheader.  */
+
+/* Define to 1 if you have the `asprintf' function. */
+#define HAVE_ASPRINTF 1
+
+/* Define to 1 if you have the declaration of `krb5_kt_free_entry', and to 0
+   if you don't. */
+#define HAVE_DECL_KRB5_KT_FREE_ENTRY 1
+
+/* Define to 1 if you have the declaration of `reallocarray', and to 0 if you
+   don't. */
+#define HAVE_DECL_REALLOCARRAY 1
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if you have the <et/com_err.h> header file. */
+/* #undef HAVE_ET_COM_ERR_H */
+
+/* Define to 1 if you have the `explicit_bzero' function. */
+#define HAVE_EXPLICIT_BZERO 1
+
+/* Define to 1 if you have the <hx509_err.h> header file. */
+/* #undef HAVE_HX509_ERR_H */
+
+/* Define to 1 if you have the <ibm_svc/krb5_svc.h> header file. */
+/* #undef HAVE_IBM_SVC_KRB5_SVC_H */
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the `issetugid' function. */
+#define HAVE_ISSETUGID 1
+
+/* Define to 1 if you have the <k5profile.h> header file. */
+/* #undef HAVE_K5PROFILE_H */
+
+/* Define to enable kadmin client features. */
+#define HAVE_KADM5CLNT 1
+
+/* Define to 1 if you have the `kadm5_init_krb5_context' function. */
+#define HAVE_KADM5_INIT_KRB5_CONTEXT 1
+
+/* Define to 1 if you have the `kadm5_init_with_skey_ctx' function. */
+/* #undef HAVE_KADM5_INIT_WITH_SKEY_CTX */
+
+/* Define to 1 if you have the <kadm5/kadm5_err.h> header file. */
+#define HAVE_KADM5_KADM5_ERR_H 1
+
+/* Define to 1 if you have the <kerberosv5/com_err.h> header file. */
+/* #undef HAVE_KERBEROSV5_COM_ERR_H */
+
+/* Define to 1 if you have the <kerberosv5/krb5.h> header file. */
+/* #undef HAVE_KERBEROSV5_KRB5_H */
+
+/* Define to enable Kerberos features. */
+#define HAVE_KRB5 1
+
+/* Define to 1 if you have the `krb5_appdefault_string' function. */
+#define HAVE_KRB5_APPDEFAULT_STRING 1
+
+/* Define to 1 if you have the `krb5_cc_get_full_name' function. */
+#define HAVE_KRB5_CC_GET_FULL_NAME 1
+
+/* Define to 1 if you have the `krb5_data_free' function. */
+/* #undef HAVE_KRB5_DATA_FREE */
+
+/* Define to 1 if you have the `krb5_free_default_realm' function. */
+#define HAVE_KRB5_FREE_DEFAULT_REALM 1
+
+/* Define to 1 if you have the `krb5_free_error_message' function. */
+#define HAVE_KRB5_FREE_ERROR_MESSAGE 1
+
+/* Define to 1 if you have the `krb5_free_string' function. */
+#define HAVE_KRB5_FREE_STRING 1
+
+/* Define to 1 if you have the `krb5_get_error_message' function. */
+#define HAVE_KRB5_GET_ERROR_MESSAGE 1
+
+/* Define to 1 if you have the `krb5_get_error_string' function. */
+/* #undef HAVE_KRB5_GET_ERROR_STRING */
+
+/* Define to 1 if you have the `krb5_get_err_txt' function. */
+/* #undef HAVE_KRB5_GET_ERR_TXT */
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_free' function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_FREE 1
+
+/* Define if krb5_get_init_creds_opt_free takes two arguments. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_2_ARGS 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_set_anonymous'
+   function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ANONYMOUS 1
+
+/* Define to 1 if you have the
+   `krb5_get_init_creds_opt_set_change_password_prompt' function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_set_default_flags'
+   function. */
+/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS */
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_set_fast_ccache_name'
+   function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_set_out_ccache'
+   function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_set_pa' function. */
+#define HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_set_pkinit' function.
+   */
+/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT */
+
+/* Define if krb5_get_init_creds_opt_set_pkinit takes 9 arguments. */
+/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT_9_ARGS */
+
+/* Define to 1 if you have the `krb5_get_profile' function. */
+/* #undef HAVE_KRB5_GET_PROFILE */
+
+/* Define to 1 if you have the `krb5_get_prompt_types' function. */
+#define HAVE_KRB5_GET_PROMPT_TYPES 1
+
+/* Define to 1 if you have the <krb5.h> header file. */
+#define HAVE_KRB5_H 1
+
+/* Define if your Kerberos implementation is Heimdal. */
+/* #undef HAVE_KRB5_HEIMDAL */
+
+/* Define to 1 if you have the `krb5_init_secure_context' function. */
+#define HAVE_KRB5_INIT_SECURE_CONTEXT 1
+
+/* Define to 1 if you have the <krb5/krb5.h> header file. */
+#define HAVE_KRB5_KRB5_H 1
+
+/* Define if your Kerberos implementation is MIT. */
+#define HAVE_KRB5_MIT 1
+
+/* Define to 1 if you have the `krb5_principal_get_realm' function. */
+/* #undef HAVE_KRB5_PRINCIPAL_GET_REALM */
+
+/* Define to 1 if you have the `krb5_principal_set_comp_string' function. */
+/* #undef HAVE_KRB5_PRINCIPAL_SET_COMP_STRING */
+
+/* Define to 1 if the system has the type `krb5_realm'. */
+/* #undef HAVE_KRB5_REALM */
+
+/* Define to 1 if you have the `krb5_set_password' function. */
+#define HAVE_KRB5_SET_PASSWORD 1
+
+/* Define to 1 if you have the `krb5_set_trace_filename' function. */
+#define HAVE_KRB5_SET_TRACE_FILENAME 1
+
+/* Define to 1 if you have the `krb5_svc_get_msg' function. */
+/* #undef HAVE_KRB5_SVC_GET_MSG */
+
+/* Define to 1 if you have the `krb5_verify_init_creds_opt_init' function. */
+#define HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT 1
+
+/* Define to 1 if you have the `krb5_xfree' function. */
+/* #undef HAVE_KRB5_XFREE */
+
+/* Define to 1 if the system has the type `long long int'. */
+#define HAVE_LONG_LONG_INT 1
+
+/* Define to 1 if you have the <minix/config.h> header file. */
+/* #undef HAVE_MINIX_CONFIG_H */
+
+/* Define to 1 if you have the `mkstemp' function. */
+#define HAVE_MKSTEMP 1
+
+/* Define to 1 if you have the `pam_getenv' function. */
+#define HAVE_PAM_GETENV 1
+
+/* Define to 1 if you have the `pam_getenvlist' function. */
+#define HAVE_PAM_GETENVLIST 1
+
+/* Define to 1 if you have the `pam_modutil_getpwnam' function. */
+/* #undef HAVE_PAM_MODUTIL_GETPWNAM */
+
+/* Define to 1 if you have the <pam/pam_appl.h> header file. */
+/* #undef HAVE_PAM_PAM_APPL_H */
+
+/* Define to 1 if you have the <pam/pam_ext.h> header file. */
+/* #undef HAVE_PAM_PAM_EXT_H */
+
+/* Define to 1 if you have the <pam/pam_modutil.h> header file. */
+/* #undef HAVE_PAM_PAM_MODUTIL_H */
+
+/* Define to 1 if you have the `pam_syslog' function. */
+/* #undef HAVE_PAM_SYSLOG */
+
+/* Define to 1 if you have the `pam_vsyslog' function. */
+/* #undef HAVE_PAM_VSYSLOG */
+
+/* Define to 1 if you have the <profile.h> header file. */
+/* #undef HAVE_PROFILE_H */
+
+/* Define to 1 if you have the `reallocarray' function. */
+#define HAVE_REALLOCARRAY 1
+
+/* Define to 1 if you have the `regcomp' function. */
+#define HAVE_REGCOMP 1
+
+/* Define to 1 if you have the <security/pam_appl.h> header file. */
+#define HAVE_SECURITY_PAM_APPL_H 1
+
+/* Define to 1 if you have the <security/pam_ext.h> header file. */
+/* #undef HAVE_SECURITY_PAM_EXT_H */
+
+/* Define to 1 if you have the <security/pam_modutil.h> header file. */
+/* #undef HAVE_SECURITY_PAM_MODUTIL_H */
+
+/* Define to 1 if the system has the type `ssize_t'. */
+#define HAVE_SSIZE_T 1
+
+/* Define to 1 if stdbool.h conforms to C99. */
+#define HAVE_STDBOOL_H 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdio.h> header file. */
+#define HAVE_STDIO_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strndup' function. */
+#define HAVE_STRNDUP 1
+
+/* Define to 1 if you have the <sys/bittypes.h> header file. */
+/* #undef HAVE_SYS_BITTYPES_H */
+
+/* Define to 1 if you have the <sys/select.h> header file. */
+#define HAVE_SYS_SELECT_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#define HAVE_SYS_TIME_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if the system has the type `unsigned long long int'. */
+#define HAVE_UNSIGNED_LONG_LONG_INT 1
+
+/* Define to 1 if you have the <wchar.h> header file. */
+#define HAVE_WCHAR_H 1
+
+/* Define to 1 if the system has the type `_Bool'. */
+#define HAVE__BOOL 1
+
+/* Define to the sub-directory where libtool stores uninstalled libraries. */
+#define LT_OBJDIR ".libs/"
+
+/* The name of the PAM module, used by the pam_vsyslog replacement. */
+#define MODULE_NAME "pam_krb5"
+
+/* Name of package */
+#define PACKAGE "pam-krb5"
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT "eagle@eyrie.org"
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "pam-krb5"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "pam-krb5 4.11"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "pam-krb5"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "4.11"
+
+/* Define to const if PAM uses const in pam_get_item, empty otherwise. */
+#define PAM_CONST const
+
+/* Define to const if PAM uses const in pam_strerror, empty otherwise. */
+#define PAM_STRERROR_CONST const
+
+/* Define to the full path to openssl for some tests. */
+#define PATH_OPENSSL "/usr/bin/openssl"
+
+/* The size of `long', as computed by sizeof. */
+#define SIZEOF_LONG 8
+
+/* Define to 1 if all of the C90 standard headers exist (not just the ones
+   required in a freestanding environment). This macro is provided for
+   backward compatibility; new code need not use it. */
+#define STDC_HEADERS 1
+
+/* Enable extensions on AIX 3, Interix.  */
+#ifndef _ALL_SOURCE
+# define _ALL_SOURCE 1
+#endif
+/* Enable general extensions on macOS.  */
+#ifndef _DARWIN_C_SOURCE
+# define _DARWIN_C_SOURCE 1
+#endif
+/* Enable general extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# define __EXTENSIONS__ 1
+#endif
+/* Enable GNU extensions on systems that have them.  */
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE 1
+#endif
+/* Enable X/Open compliant socket functions that do not require linking
+   with -lxnet on HP-UX 11.11.  */
+#ifndef _HPUX_ALT_XOPEN_SOCKET_API
+# define _HPUX_ALT_XOPEN_SOCKET_API 1
+#endif
+/* Identify the host operating system as Minix.
+   This macro does not affect the system headers' behavior.
+   A future release of Autoconf may stop defining this macro.  */
+#ifndef _MINIX
+/* # undef _MINIX */
+#endif
+/* Enable general extensions on NetBSD.
+   Enable NetBSD compatibility extensions on Minix.  */
+#ifndef _NETBSD_SOURCE
+# define _NETBSD_SOURCE 1
+#endif
+/* Enable OpenBSD compatibility extensions on NetBSD.
+   Oddly enough, this does nothing on OpenBSD.  */
+#ifndef _OPENBSD_SOURCE
+# define _OPENBSD_SOURCE 1
+#endif
+/* Define to 1 if needed for POSIX-compatible behavior.  */
+#ifndef _POSIX_SOURCE
+/* # undef _POSIX_SOURCE */
+#endif
+/* Define to 2 if needed for POSIX-compatible behavior.  */
+#ifndef _POSIX_1_SOURCE
+/* # undef _POSIX_1_SOURCE */
+#endif
+/* Enable POSIX-compatible threading on Solaris.  */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# define _POSIX_PTHREAD_SEMANTICS 1
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-5:2014.  */
+#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
+# define __STDC_WANT_IEC_60559_ATTRIBS_EXT__ 1
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-1:2014.  */
+#ifndef __STDC_WANT_IEC_60559_BFP_EXT__
+# define __STDC_WANT_IEC_60559_BFP_EXT__ 1
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-2:2015.  */
+#ifndef __STDC_WANT_IEC_60559_DFP_EXT__
+# define __STDC_WANT_IEC_60559_DFP_EXT__ 1
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-4:2015.  */
+#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__
+# define __STDC_WANT_IEC_60559_FUNCS_EXT__ 1
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-3:2015.  */
+#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__
+# define __STDC_WANT_IEC_60559_TYPES_EXT__ 1
+#endif
+/* Enable extensions specified by ISO/IEC TR 24731-2:2010.  */
+#ifndef __STDC_WANT_LIB_EXT2__
+# define __STDC_WANT_LIB_EXT2__ 1
+#endif
+/* Enable extensions specified by ISO/IEC 24747:2009.  */
+#ifndef __STDC_WANT_MATH_SPEC_FUNCS__
+# define __STDC_WANT_MATH_SPEC_FUNCS__ 1
+#endif
+/* Enable extensions on HP NonStop.  */
+#ifndef _TANDEM_SOURCE
+# define _TANDEM_SOURCE 1
+#endif
+/* Enable X/Open extensions.  Define to 500 only if necessary
+   to make mbstate_t available.  */
+#ifndef _XOPEN_SOURCE
+/* # undef _XOPEN_SOURCE */
+#endif
+
+
+/* Version number of package */
+#define VERSION "4.11"
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+/* #undef _FILE_OFFSET_BITS */
+
+/* Define for large files, on AIX-style hosts. */
+/* #undef _LARGE_FILES */
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c
index 5f448165b20a..e13c1b794d5b 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -60,6 +60,10 @@
 
 #include <krb5.h>
 #include <com_err.h>
+#ifdef MK_MITKRB5
+/* For MIT KRB5 only. */
+#include <k5-int.h>
+#endif
 
 #define	PAM_SM_AUTH
 #define	PAM_SM_ACCOUNT