New port: security/pam_krb5-rh

The pam_krb5 module allows PAM-aware applications to authenticate
users by performing an AS exchange with a Kerberos KDC.

This module includes many configurable options and provides functionality
and features that other pam_krb5 modules do not provide.

WWW: https://fedorahosted.org/pam_krb5/
This commit is contained in:
Ryan Steinmetz 2011-10-31 23:21:02 +00:00
parent 0f64a7859c
commit 523261f271
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=284809
9 changed files with 210 additions and 0 deletions


@ -572,6 +572,7 @@
SUBDIR += pam_jail
SUBDIR += pam_kde
SUBDIR += pam_krb5
SUBDIR += pam_krb5-rh
SUBDIR += pam_ldap
SUBDIR += pam_mkhomedir
SUBDIR += pam_p11


@ -0,0 +1,51 @@
# New ports collection makefile for: pam_krb5
# Date created: 18 October 2011
# Whom: Ryan Steinmetz <zi@FreeBSD.org>
#
# $FreeBSD$
#
PORTNAME= pam_krb5
DISTVERSION= 2.3.13-1
CATEGORIES= security
MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ \
http://people.rit.edu/rpsfa/distfiles/
PKGNAMESUFFIX= -rh
MAINTAINER= zi@FreeBSD.org
COMMENT= The Red Hat Pluggable Authentication Module for Kerberos 5
LICENSE= LGPL21 BSD
LICENSE_COMB= dual
CONFLICTS= pam_krb5-4.*
USE_ICONV= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS+=--with-libiconv-prefix=${LOCALBASE} --without-afs \
--with-libintl-prefix=${LOCALBASE} --with-krb4=no \
--without-keyutils
LDFLAGS= -L${LOCALBASE}/lib
MAN5= pam_krb5.5
MAN8= pam_krb5.8 pam_krb5_storetmp.8
.if defined(WITHOUT_NLS)
PLIST_SUB+= NLS="@comment "
CONFIGURE_ARGS+=--disable-nls
.else
PLIST_SUB+= NLS=""
LDFLAGS+= -lintl
USE_GETTEXT= yes
.endif
post-patch:
@${REINPLACE_CMD} -e 's|libdir)/security|libdir)|g' ${WRKSRC}/src/Makefile.in
@${REINPLACE_CMD} -e 's|/lib64/security|${LOCALBASE}/lib|g' \
${WRKSRC}/src/*.8
@${REINPLACE_CMD} -e 's|-ldl||g' ${WRKSRC}/tests/tools/Makefile.in
@${REINPLACE_CMD} -e 's|PAM_BAD_ITEM|PAM_SYMBOL_ERR|g' ${WRKSRC}/src/conv.c
@${REINPLACE_CMD} -e 's|PAM_AUTHTOK_RECOVER_ERR|PAM_AUTHTOK_RECOVERY_ERR|g' \
${WRKSRC}/src/password.c
.include <bsd.port.mk>
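Review bot: Nothing in this Makefile records which Kerberos library the module is built against; the only hint is `LDFLAGS= -L${LOCALBASE}/lib`, which lets configure silently pick up a ports Kerberos in ${LOCALBASE} when one happens to be installed, instead of the base-system libraries, with no dependency recorded in the package. If the base Kerberos is intended, a comment above `GNU_CONFIGURE= yes` saying so (and whatever configure knob pins it) makes that explicit; if a ports Kerberos is intended, it needs a LIB_DEPENDS so the package metadata matches the binary. `CONFLICTS= pam_krb5-4.*` only covers the other pam_krb5 port, not the library choice, and I can't tell from the port alone which was meant. The plain-http mirror in MASTER_SITES is acceptable only because distinfo pins a SHA256 for the tarball, which is worth stating in a comment next to it.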


@ -0,0 +1,2 @@
SHA256 (pam_krb5-2.3.13-1.tar.gz) = bc5b45afcb5951edc0c4b98a3342d96a3b59cedd4234560b6d1450ebe990195f
SIZE (pam_krb5-2.3.13-1.tar.gz) = 566365


@ -0,0 +1,10 @@
--- ./src/acct.c.orig 2011-07-29 15:31:01.000000000 -0400
+++ ./src/acct.c 2011-10-18 11:49:37.000000000 -0400
@@ -38,7 +38,6 @@
#ifdef HAVE_SECURITY_PAM_MODULES_H
#define PAM_SM_ACCT_MGMT
-#include <security/pam_modules.h>
#endif
#include <errno.h>
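Review bot: Dropping `#include <security/pam_modules.h>` while keeping the `#define PAM_SM_ACCT_MGMT` just above it leaves the define with nothing to act on, and a reader of the patch cannot tell why the include is wrong on FreeBSD. Presumably the header is either pulled in by a later project include or clashes with OpenPAM's copy, but the patch does not say; a one-line rationale in the commit message or beside the post-patch rules in the port Makefile, stating whichever reason actually applies, would record it. The rest of acct.c, including any other include of that header, is outside the hunk.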


@ -0,0 +1,10 @@
--- ./src/kuserok.c.orig 2011-07-29 15:31:01.000000000 -0400
+++ ./src/kuserok.c 2011-10-18 11:46:19.000000000 -0400
@@ -36,6 +36,7 @@
#include <sys/select.h>
#include <sys/stat.h>
#include <sys/wait.h>
+#include <sys/signal.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
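Review bot: The added `#include <sys/signal.h>` uses the non-standard spelling; the POSIX header is `<signal.h>`, which is what portable code should include, so the line would better read `#include <signal.h>`. The identical one-line addition appears in the storetmp.c patch and should be changed the same way. The include block being patched begins before the hunk.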


@ -0,0 +1,10 @@
--- ./src/storetmp.c.orig 2011-10-18 11:47:04.000000000 -0400
+++ ./src/storetmp.c 2011-10-18 11:47:16.000000000 -0400
@@ -36,6 +36,7 @@
#include <sys/select.h>
#include <sys/stat.h>
#include <sys/wait.h>
+#include <sys/signal.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>


@ -0,0 +1,70 @@
--- ./src/v5.c.orig 2011-07-29 15:31:01.000000000 -0400
+++ ./src/v5.c 2011-10-24 09:25:15.000000000 -0400
@@ -1350,6 +1350,9 @@
krb5_creds tmpcreds;
krb5_ccache ccache;
krb5_get_init_creds_opt *tmp_gicopts;
+ krb5_timestamp sec;
+ const char *e = NULL;
+ char *p;
/* In case we already have creds, get rid of them. */
krb5_free_cred_contents(ctx, creds);
@@ -1393,23 +1396,50 @@
memset(&service_principal, 0, sizeof(service_principal));
if (krb5_parse_name(ctx, realm_service,
&service_principal) == 0) {
- if (options->debug) {
- debug("attempting to read existing credentials "
- "from %s", krb5_cc_default_name(ctx));
- }
memset(&ccache, 0, sizeof(ccache));
/* In case we're setuid/setgid, switch to the caller's
* permissions. */
saved_perms = _pam_krb5_switch_perms();
+
+ e = getenv("KRB5CCNAME");
+ if (e) {
+ p = strndup(e, 128);
+ if (p == NULL) {
+ memset(&e, 0, sizeof(e));
+ if (options->debug)
+ debug("malloc: out of memory");
+ return ENOMEM;
+ }
+ if ((strnlen(p, 128) > 96) || strnlen(p, 128) <= 0) {
+ memset(&e, 0, sizeof(e));
+ if (options->debug)
+ debug("KRB5CCNAME is too long or too short, aborting");
+ return PAM_SYSTEM_ERR;
+ }
+ if (strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '='))
+ krb5_cc_set_default_name(ctx, p);
+ else {
+ if (options->debug)
+ debug("KRB5CCNAME does not start with FILE:");
+ }
+ memset(&e, 0, sizeof(e));
+ }
+ if (options->debug) {
+ debug("attempting to read existing credentials "
+ "from %s", krb5_cc_default_name(ctx));
+ }
if ((saved_perms != NULL) &&
(krb5_cc_default(ctx, &ccache) == 0)) {
+ krb5_timeofday (ctx, &sec);
tmpcreds.client = userinfo->principal_name;
tmpcreds.server = service_principal;
i = krb5_cc_retrieve_cred(ctx, ccache, 0,
&tmpcreds, creds);
- /* FIXME: check if the creds are expired?
- * What's the right error code if we check, and
- * they are? */
+ if ((i == 0) && creds->times.endtime < sec) {
+ if (options->debug)
+ warn("Credentials expired");
+ i = KRB5_KPASSWD_AUTHERROR;
+ }
memset(&tmpcreds, 0, sizeof(tmpcreds));
krb5_cc_close(ctx, ccache);
/* In case we're setuid/setgid, restore the
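Review bot: The two early returns added after `saved_perms = _pam_krb5_switch_perms();` (the ENOMEM and PAM_SYSTEM_ERR paths) skip the permission restore the original code does further down, so if _pam_krb5_switch_perms() really switches effective ids as its comment suggests, a too-long KRB5CCNAME or a failed strndup leaves the module running with the caller's permissions for the rest of the transaction; they also leak `service_principal`, and `p` is never freed on any path (the `memset(&e, 0, sizeof(e))` lines zero the pointer variable, not the string). Validating the variable before the switch and freeing `p` on every path avoids both, assuming krb5_cc_set_default_name copies its argument (MIT and Heimdal both do, as far as I know). The new code also returns an errno value and a PAM code from a path that otherwise yields krb5 error codes (`i = KRB5_KPASSWD_AUTHERROR`), so whichever namespace this function's callers compare against should be used here too. The enclosing function starts and ends outside the hunk.
```c
		memset(&ccache, 0, sizeof(ccache));
		/* Validate KRB5CCNAME before switching permissions so that an
		 * early return cannot leave the caller's ids in effect. */
		e = getenv("KRB5CCNAME");
		if (e != NULL) {
			p = strndup(e, 128);
			if (p == NULL) {
				if (options->debug)
					debug("malloc: out of memory");
				krb5_free_principal(ctx, service_principal);
				return ENOMEM;
			}
			if (strnlen(p, 128) > 96 || p[0] == '\0') {
				if (options->debug)
					debug("KRB5CCNAME is too long or too short, aborting");
				free(p);
				krb5_free_principal(ctx, service_principal);
				return PAM_SYSTEM_ERR;
			}
			if (strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '='))
				krb5_cc_set_default_name(ctx, p);
			else if (options->debug)
				debug("KRB5CCNAME does not start with FILE:");
			free(p);
		}
		/* In case we're setuid/setgid, switch to the caller's
		 * permissions. */
		saved_perms = _pam_krb5_switch_perms();
		/* ... unchanged: debug message, cache lookup and expiry check ... */
```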


@ -0,0 +1,7 @@
The pam_krb5 module allows PAM-aware applications to authenticate
users by performing an AS exchange with a Kerberos KDC.
This module includes many configurable options and provides functionality
and features that other pam_krb5 modules do not provide.
WWW: https://fedorahosted.org/pam_krb5/


@ -0,0 +1,49 @@
lib/pam_krb5/pam_krb5_storetmp
lib/pam_krb5.so
lib/pam_krb5.la
@dirrm lib/pam_krb5
%%NLS%%share/locale/as/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/bn_IN/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ca/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/cs/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/da/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/de/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/el/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/es/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/fa/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/fr/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/gu/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/hi/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/hu/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/it/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ja/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/kn/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ko/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ml/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/mr/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ms/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/nl/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/or/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/pa/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/pl/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/pt_BR/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ro/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ru/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/sr/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/sr@latin/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/sv/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/ta/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/te/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/uk/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/zh_CN/LC_MESSAGES/pam_krb5.mo
%%NLS%%share/locale/zh_TW/LC_MESSAGES/pam_krb5.mo
%%NLS%%@dirrmtry share/locale/as/LC_MESSAGES
%%NLS%%@dirrmtry share/locale/bn_IN/LC_MESSAGES
%%NLS%%@dirrmtry share/locale/mr/LC_MESSAGES
%%NLS%%@dirrmtry share/locale/sr@latin/LC_MESSAGES
%%NLS%%@dirrmtry share/locale/te/LC_MESSAGES
%%NLS%%@dirrmtry share/locale/as
%%NLS%%@dirrmtry share/locale/bn_IN
%%NLS%%@dirrmtry share/locale/mr
%%NLS%%@dirrmtry share/locale/sr@latin
%%NLS%%@dirrmtry share/locale/te