| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Add symbols found in the port but not in base. This requires replacing
a shared libkrb5profile.so with libkrb5profile.a (with -fPIC so it can
be used by shared libraries). We do this by making libkrb5profile
INTERNALLIB.
Base currently has libkrb5profile in a shared library. The patch moves
those functions to the various "consumer" libraries as the port does.
Symbols that should be in the other libraries are in libkrb5profile.so.
This is causing some ports issues.
PR: 291695
Reported by: michaelo, markj, Chris Inacio <inacio@andrew.cmu.edu>
Tested by: michaelo
Fixes: ae07a5805b19
Reviewed by: michaelo (previous version)
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D54323
|
* Always install the manual page as pam_krb5(8) regardless of which
version we're using.
* Regenerate it using pod2mdoc instead of pod2man so it doesn't claim
to be part of “User Contributed Perl Documentation”.
* Put the correct section number in the header and footer.
* Don't cross-reference non-existent pam(7) manual page.
Reviewed by: cperciva
Differential Revision: https://reviews.freebsd.org/D53885
|
These are user-facing manpages, but were installed in the runtime-dev
package since the PAM modules use bsd.lib.mk. Use MANNODEV instead of
MAN to put them in the base runtime package instead.
Fixes: 031e711647c3 ("packages: Install development manpages in the -dev package")
MFC after: 3 days
Reviewed by: bapt
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53601
|
GCC doesn't recognise
-Wno-error=incompatible-pointer-types-discards-qualifiers.
Remove it and just fix the error instead: our pam_message does not have
a const msg member.
Reviewed by: cy, emaste
Differential Revision: https://reviews.freebsd.org/D51575
|
Rename krb5 and krb5-lib to kerberos and kerberos-lib to match the
existing Heimdal package names. Since it's not possible to build or
install both at the same time, and Heimdal will be removed anyway,
there's no benefit to using a different package name for MIT Kerberos
and doing so will create friction for pkgbase users.
Move a few things (e.g., headers) from kerberos to kerberos-lib.
Move the KDC to a new package, kerberos-kdc, so the client utilities
can be installed without the KDC. As most systems won't have the KDC
running, this saves a bit of disk space for jails/containers.
Remove a few instances of 'PACKAGE=' in target-specific Makefiles
where we can set that in the parent's Makefile.inc instead.
Revert 01c587521dd8 ("OCI: Attempt to fix "runtime" container")
which is no longer required.
The KDC init script is still installed in the 'rc' package for
compatibility with the security/krb5 port; we should fix this
at some point, possibly after Heimdal is removed.
Reviewed by: manu, kevans, des
Approved by: des (mentor), kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D51420
|
To build the man page one must run pod2man on
contrib/pam-krb5/docs/pam_krb5.pod and copy it to ${.CURDIR}.
|
The eyeire.org pam-krb5 supports MIT KRB5 and Heimdal. FreeBSD will use
it to implement pam_krb5 for MIT KRB5. The existing libpam pam_krb5
only supports Heimdal and therefore cannot be used with the MIT KRB5
import.
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D50696
|
These were reported by `mandoc -T lint ...` as warnings:
- unusual Xr order
- unusual Xr punctuation
Fixes made by script in https://github.com/Tarsnap/freebsd-doc-scripts
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1464
|
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
|
Remove /^\.\\"\s*\$FreeBSD\$$\n/
|
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D41300
|
The closing parenthesis was in the wrong location, so instead of assigning the return value to krbret and then comparing it to zero, we were assigning the result of the comparison to krbret and then comparing that to zero. This has no practical significance since the value is not used after the loop terminates.
PR: 229719
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D41299
|
Include a portion of the patch that was missed in 813847e49e35.
Reported by: markj
Fixes: 813847e49e35
MFC after: 1 day
|
An adversary on the network can log in via ssh as any user by spoofing
the KDC. When the machine has a keytab installed the keytab is used to
verify the service ticket. However, without a keytab there is no way
for pam_krb5 to verify the KDC's response and get a TGT with the
password.
If both the password _and_ the KDC are controlled by an adversary, the
adversary can provide a password that the adversary's spoofed KDC will
return a valid tgt for. Currently, without a keytab, pam_krb5 is
vulnerable to this attack.
Reported by: Taylor R Campbell <riastradh@netbsd.org> via emaste@
Reviewed by: so
Approved by: so
Security: FreeBSD-SA-23:04.pam_krb5
Security: CVE-2023-3326
|
This allows users to install or not kerberos related utilities
and libs.
Differential Revision: https://reviews.freebsd.org/D31801
|
Sponsored by: Dell EMC Isilon
Notes:
svn path=/head/; revision=325188
|
PR: 213909
Reported by: basarevych@gmail.com
MFC after: 1 week
Notes:
svn path=/head/; revision=314598
|
Found with devel/coccinelle.
Reviewed by: des
Notes:
svn path=/head/; revision=297755
|
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=291972
|
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796
Reviewed by: brooks imp
Notes:
svn path=/head/; revision=284345
|
Notes:
svn path=/projects/bmake/; revision=283595
|
Notes:
svn path=/projects/bmake/; revision=275341
|
Notes:
svn path=/projects/bmake/; revision=274694
|
Notes:
svn path=/projects/bmake/; revision=266219
|
Notes:
svn path=/projects/bmake/; revision=248169
|
Notes:
svn path=/projects/bmake/; revision=246868
|
Notes:
svn path=/projects/bmake/; revision=242788
|
Notes:
svn path=/projects/bmake/; revision=242545
|
Requested by: Simon Gerraty <sjg@juniper.net>
Notes:
svn path=/projects/bmake/; revision=239572
|
While here, reduce overlinking a bit
Notes:
svn path=/head/; revision=275024
|
Approved by: cperciva
MFC after: 1 week
Notes:
svn path=/head/; revision=241844
|
be used uninitialized.
Found by: clang 3.2
Reviewed by: des
MFC after: 1 week
Notes:
svn path=/head/; revision=239099
|
a local account.
PR: 76678
Submitted by: daved at tamu.edu
MFC after: 2 weeks
Notes:
svn path=/head/; revision=239062
|
Notes:
svn path=/head/; revision=233406
|
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securely forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into a key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some libraries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now requires sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not the latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
Notes:
svn path=/head/; revision=233294
|
Forgotten by: delphij
Notes:
svn path=/head/; revision=207561
|
PR: bin/146186
Submitted by: myself
Approved by: delphij (mentor)
MFC after: 2 weeks
Notes:
svn path=/head/; revision=207555
|
This option is available in the Linux implementation of pam_krb5
and allows authorizing a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g. Active Directory)
via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186
Submitted by: myself
Approved by: delphij (mentor)
MFC after: 2 weeks
Notes:
svn path=/head/; revision=207553
|
- fix some nearby style bugs
- include Makefile.inc where it makes sense and reduces duplication
Approved by: ed (co-mentor)
Notes:
svn path=/head/; revision=204585
|
level in that case.
Notes:
svn path=/head/; revision=202522
|
Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.
I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.
Notes:
svn path=/head/; revision=201381
|
all non-style changes made by heimdal to our own libgssapi.
Notes:
svn path=/head/; revision=178828
|
Notes:
svn path=/head/; revision=174837
|
if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c
no longer uses any of its parameters.
Pointy hat: kensmith
Approved by: re (scottl)
Notes:
svn path=/head/; revision=147830
|
branches but missed HEAD. This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches:
> Add the freebsd.org cluster's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days
Approved by: re (dwhite)
Notes:
svn path=/head/; revision=147810
|
copy the acquired TGT from the in-memory cache to the on-disk cache
at login. This was documented but un-implemented behavior.
MFC after: 1 week
PR: bin/64464
Reported and tested by: Eric van Gyzen <vangyzen at stat dot duke dot edu>
Notes:
svn path=/head/; revision=140747
|