From 24f0b4ca2d565cdbb4fe7839ff28320706bf2386 Mon Sep 17 00:00:00 2001
From: Cy Schubert <cy@FreeBSD.org>
Date: Wed, 16 Apr 2025 19:13:41 -0700
Subject: pam-krb5: Import/add pam-krb5 from eyeire.org

From https://www.eyrie.org/~eagle/software/pam-krb5/:

pam-krb5 provides a Kerberos PAM module that supports authentication,
user ticket cache handling, simple authorization (via .k5login or
checking Kerberos principals against local usernames), and password
changing. It can be configured through either options in the PAM
configuration itself or through entries in the system krb5.conf file,
and it tries to work around PAM implementation flaws in commonly-used
PAM-enabled applications such as OpenSSH and xdm. It supports both
PKINIT and FAST to the extent that the underlying Kerberos libraries
support these features.

The reason for this import is to provide an MIT KRB5 compatible
pam_krb5 PAM module. The existing pam_krb5 in FreeBS only works
with Heimdal.

Sponsored by:	The FreeBSD Foundation
---
 tests/data/scripts/basic/force-first-debug | 32 ++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 tests/data/scripts/basic/force-first-debug

(limited to 'tests/data/scripts/basic/force-first-debug')

diff --git a/tests/data/scripts/basic/force-first-debug b/tests/data/scripts/basic/force-first-debug
new file mode 100644
index 000000000000..539345316183
--- /dev/null
+++ b/tests/data/scripts/basic/force-first-debug
@@ -0,0 +1,32 @@
+# Test force_first_pass without an authtok.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass no_ccache debug
+    account = no_ccache debug
+    session = no_ccache debug
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) no stored password
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
-- 
cgit v1.2.3