From 523261f2712d3aca57284de11379cd986507f390 Mon Sep 17 00:00:00 2001
From: Ryan Steinmetz
Date: Mon, 31 Oct 2011 23:21:02 +0000
Subject: [PATCH] New port: security/pam_krb5-rh

The pam_krb5 module allows PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC. This module includes many configurable options and provides functionality and features that other pam_krb5 modules do not provide.

WWW: https://fedorahosted.org/pam_krb5/
---
 security/Makefile | 1 +
 security/pam_krb5-rh/Makefile | 51 ++++++++++++++
 security/pam_krb5-rh/distinfo | 2 +
 security/pam_krb5-rh/files/patch-src__acct.c | 10 +++
 .../pam_krb5-rh/files/patch-src__kuserok.c | 10 +++
 .../pam_krb5-rh/files/patch-src__storetmp.c | 10 +++
 security/pam_krb5-rh/files/patch-src__v5.c | 70 +++++++++++++++++++
 security/pam_krb5-rh/pkg-descr | 7 ++
 security/pam_krb5-rh/pkg-plist | 49 +++++++++++++
 9 files changed, 210 insertions(+)
 create mode 100644 security/pam_krb5-rh/Makefile
 create mode 100644 security/pam_krb5-rh/distinfo
 create mode 100644 security/pam_krb5-rh/files/patch-src__acct.c
 create mode 100644 security/pam_krb5-rh/files/patch-src__kuserok.c
 create mode 100644 security/pam_krb5-rh/files/patch-src__storetmp.c
 create mode 100644 security/pam_krb5-rh/files/patch-src__v5.c
 create mode 100644 security/pam_krb5-rh/pkg-descr
 create mode 100644 security/pam_krb5-rh/pkg-plist

diff --git a/security/Makefile b/security/Makefile
index 64f051206972..70c51c2e0add 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -572,6 +572,7 @@
 SUBDIR += pam_jail
 SUBDIR += pam_kde
 SUBDIR += pam_krb5
+ SUBDIR += pam_krb5-rh
 SUBDIR += pam_ldap
 SUBDIR += pam_mkhomedir
 SUBDIR += pam_p11
diff --git a/security/pam_krb5-rh/Makefile b/security/pam_krb5-rh/Makefile
new file mode 100644
index 000000000000..c91a4142e2df
--- /dev/null
+++ b/security/pam_krb5-rh/Makefile
@@ -0,0 +1,51 @@
+# New ports collection makefile for: pam_krb5
+# Date created: 18 October 2011
+# Whom: Ryan Steinmetz
+#
+# $FreeBSD$
+#
+
+PORTNAME= pam_krb5
+DISTVERSION= 2.3.13-1
+CATEGORIES= security
+MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ \
+ http://people.rit.edu/rpsfa/distfiles/
+PKGNAMESUFFIX= -rh
+
+MAINTAINER= zi@FreeBSD.org
+COMMENT= The Red Hat Pluggable Authentication Module for Kerberos 5
+
+LICENSE= LGPL21 BSD
+LICENSE_COMB= dual
+
+CONFLICTS= pam_krb5-4.*
+
+USE_ICONV= yes
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+=--with-libiconv-prefix=${LOCALBASE} --without-afs \
+ --with-libintl-prefix=${LOCALBASE} --with-krb4=no \
+ --without-keyutils
+LDFLAGS= -L${LOCALBASE}/lib
+
+MAN5= pam_krb5.5
+MAN8= pam_krb5.8 pam_krb5_storetmp.8
+
+.if defined(WITHOUT_NLS)
+PLIST_SUB+= NLS="@comment "
+CONFIGURE_ARGS+=--disable-nls
+.else
+PLIST_SUB+= NLS=""
+LDFLAGS+= -lintl
+USE_GETTEXT= yes
+.endif
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|libdir)/security|libdir)|g' ${WRKSRC}/src/Makefile.in
+ @${REINPLACE_CMD} -e 's|/lib64/security|${LOCALBASE}/lib|g' \
+ ${WRKSRC}/src/*.8
+ @${REINPLACE_CMD} -e 's|-ldl||g' ${WRKSRC}/tests/tools/Makefile.in
+ @${REINPLACE_CMD} -e 's|PAM_BAD_ITEM|PAM_SYMBOL_ERR|g' ${WRKSRC}/src/conv.c
+ @${REINPLACE_CMD} -e 's|PAM_AUTHTOK_RECOVER_ERR|PAM_AUTHTOK_RECOVERY_ERR|g' \
+ ${WRKSRC}/src/password.c
+
+.include
diff --git a/security/pam_krb5-rh/distinfo b/security/pam_krb5-rh/distinfo
new file mode 100644
index 000000000000..54fc02854c4e
--- /dev/null
+++ b/security/pam_krb5-rh/distinfo
@@ -0,0 +1,2 @@
+SHA256 (pam_krb5-2.3.13-1.tar.gz) = bc5b45afcb5951edc0c4b98a3342d96a3b59cedd4234560b6d1450ebe990195f
+SIZE (pam_krb5-2.3.13-1.tar.gz) = 566365
diff --git a/security/pam_krb5-rh/files/patch-src__acct.c b/security/pam_krb5-rh/files/patch-src__acct.c
new file mode 100644
index 000000000000..9ee36b600c47
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__acct.c
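Review bot: The two `${REINPLACE_CMD}` lines in post-patch that rewrite `PAM_BAD_ITEM` in `src/conv.c` and `PAM_AUTHTOK_RECOVER_ERR` in `src/password.c` change which PAM error a module path returns, yet a sed substitution does nothing and reports nothing if a later upstream tarball moves or renames those uses, so a version bump could quietly build with the wrong constants. Expressing the two as `files/patch-src__conv.c` and `files/patch-src__password.c`, like the four include patches this port already ships, turns a non-applying change into a hard error at patch time. If `PAM_SYMBOL_ERR` was chosen only because OpenPAM has no `PAM_BAD_ITEM`, a one-line comment above the substitution saying so (`# OpenPAM lacks PAM_BAD_ITEM; PAM_SYMBOL_ERR is the closest match`) would spare the next maintainer the archaeology. The `-ldl` and `/lib64/security` rewrites are pure path/link fixes and are fine as seds.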
@@ -0,0 +1,10 @@
+--- ./src/acct.c.orig 2011-07-29 15:31:01.000000000 -0400
++++ ./src/acct.c 2011-10-18 11:49:37.000000000 -0400
+@@ -38,7 +38,6 @@
+ 
+ #ifdef HAVE_SECURITY_PAM_MODULES_H
+ #define PAM_SM_ACCT_MGMT
+-#include
+ #endif
+ 
+ #include
diff --git a/security/pam_krb5-rh/files/patch-src__kuserok.c b/security/pam_krb5-rh/files/patch-src__kuserok.c
new file mode 100644
index 000000000000..d59f45186619
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__kuserok.c
@@ -0,0 +1,10 @@
+--- ./src/kuserok.c.orig 2011-07-29 15:31:01.000000000 -0400
++++ ./src/kuserok.c 2011-10-18 11:46:19.000000000 -0400
+@@ -36,6 +36,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
diff --git a/security/pam_krb5-rh/files/patch-src__storetmp.c b/security/pam_krb5-rh/files/patch-src__storetmp.c
new file mode 100644
index 000000000000..ae7894a30a11
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__storetmp.c
@@ -0,0 +1,10 @@
+--- ./src/storetmp.c.orig 2011-10-18 11:47:04.000000000 -0400
++++ ./src/storetmp.c 2011-10-18 11:47:16.000000000 -0400
+@@ -36,6 +36,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
diff --git a/security/pam_krb5-rh/files/patch-src__v5.c b/security/pam_krb5-rh/files/patch-src__v5.c
new file mode 100644
index 000000000000..ec9fa8296269
--- /dev/null
+++ b/security/pam_krb5-rh/files/patch-src__v5.c
@@ -0,0 +1,70 @@
+--- ./src/v5.c.orig 2011-07-29 15:31:01.000000000 -0400
++++ ./src/v5.c 2011-10-24 09:25:15.000000000 -0400
+@@ -1350,6 +1350,9 @@
+ krb5_creds tmpcreds;
+ krb5_ccache ccache;
+ krb5_get_init_creds_opt *tmp_gicopts;
++ krb5_timestamp sec;
++ const char *e = NULL;
++ char *p;
+ 
+ /* In case we already have creds, get rid of them. */
+ krb5_free_cred_contents(ctx, creds);
+@@ -1393,23 +1396,50 @@
+ memset(&service_principal, 0, sizeof(service_principal));
+ if (krb5_parse_name(ctx, realm_service,
+ &service_principal) == 0) {
+- if (options->debug) {
+- debug("attempting to read existing credentials "
+- "from %s", krb5_cc_default_name(ctx));
+- }
+ memset(&ccache, 0, sizeof(ccache));
+ /* In case we're setuid/setgid, switch to the caller's
+ * permissions. */
+ saved_perms = _pam_krb5_switch_perms();
++
++ e = getenv("KRB5CCNAME");
++ if (e) {
++ p = strndup(e, 128);
++ if (p == NULL) {
++ memset(&e, 0, sizeof(e));
++ if (options->debug)
++ debug("malloc: out of memory");
++ return ENOMEM;
++ }
++ if ((strnlen(p, 128) > 96) || strnlen(p, 128) <= 0) {
++ memset(&e, 0, sizeof(e));
++ if (options->debug)
++ debug("KRB5CCNAME is too long or too short, aborting");
++ return PAM_SYSTEM_ERR;
++ }
++ if (strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '='))
++ krb5_cc_set_default_name(ctx, p);
++ else {
++ if (options->debug)
++ debug("KRB5CCNAME does not start with FILE:");
++ }
++ memset(&e, 0, sizeof(e));
++ }
++ if (options->debug) {
++ debug("attempting to read existing credentials "
++ "from %s", krb5_cc_default_name(ctx));
++ }
+ if ((saved_perms != NULL) &&
+ (krb5_cc_default(ctx, &ccache) == 0)) {
++ krb5_timeofday (ctx, &sec);
+ tmpcreds.client = userinfo->principal_name;
+ tmpcreds.server = service_principal;
+ i = krb5_cc_retrieve_cred(ctx, ccache, 0,
+ &tmpcreds, creds);
+- /* FIXME: check if the creds are expired?
+- * What's the right error code if we check, and
+- * they are? */
++ if ((i == 0) && creds->times.endtime < sec) {
++ if (options->debug)
++ warn("Credentials expired");
++ i = KRB5_KPASSWD_AUTHERROR;
++ }
+ memset(&tmpcreds, 0, sizeof(tmpcreds));
+ krb5_cc_close(ctx, ccache);
+ /* In case we're setuid/setgid, restore the
diff --git a/security/pam_krb5-rh/pkg-descr b/security/pam_krb5-rh/pkg-descr
new file mode 100644
index 000000000000..6aa41b6cccdc
--- /dev/null
+++ b/security/pam_krb5-rh/pkg-descr
@@ -0,0 +1,7 @@
+The pam_krb5 module allows PAM-aware applications to authenticate
+users by performing an AS exchange with a Kerberos KDC.
+
+This module includes many configurable options and provides functionality
+and features that other pam_krb5 modules do not provide.
+
+WWW: https://fedorahosted.org/pam_krb5/
diff --git a/security/pam_krb5-rh/pkg-plist b/security/pam_krb5-rh/pkg-plist
new file mode 100644
index 000000000000..70c618007345
--- /dev/null
+++ b/security/pam_krb5-rh/pkg-plist
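Review bot: The new `return ENOMEM;` and `return PAM_SYSTEM_ERR;` exits inside the `getenv("KRB5CCNAME")` block run after `saved_perms = _pam_krb5_switch_perms();` but before the restore that the trailing comment (`/* In case we're setuid/setgid, restore the`) refers to, so on those paths a setuid caller is left at the switched uid/gid and `service_principal` is never released; the strndup'd `p` is also never freed on any path. The least invasive fix is to hoist the whole KRB5CCNAME validation above the `_pam_krb5_switch_perms()` call and `free(p)` right after `krb5_cc_set_default_name(ctx, p)`, which copies the name in both MIT and Heimdal (worth confirming against the krb5 this port links). The three `memset(&e, 0, sizeof(e))` calls zero the local pointer variable, not the environment string, so they scrub nothing and should be dropped rather than read as secret hygiene. `krb5_timeofday(ctx, &sec)` is unchecked and `sec` has no initialiser, so if it fails `creds->times.endtime < sec` compares against an indeterminate value; `if (krb5_timeofday(ctx, &sec) != 0) sec = 0;` keeps the expiry test defined, and `KRB5KRB_AP_ERR_TKT_EXPIRED` describes the expired case better than the kpasswd-protocol code `KRB5_KPASSWD_AUTHERROR`. The enclosing function starts before and ends after this hunk.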
@@ -0,0 +1,49 @@
+lib/pam_krb5/pam_krb5_storetmp
+lib/pam_krb5.so
+lib/pam_krb5.la
+@dirrm lib/pam_krb5
+%%NLS%%share/locale/as/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/bn_IN/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ca/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/cs/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/da/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/de/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/el/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/es/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/fa/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/fr/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/gu/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/hi/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/hu/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/it/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ja/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/kn/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ko/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ml/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/mr/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ms/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/nl/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/or/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/pa/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/pl/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/pt_BR/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ro/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ru/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/sr/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/sr@latin/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/sv/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/ta/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/te/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/uk/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/zh_CN/LC_MESSAGES/pam_krb5.mo
+%%NLS%%share/locale/zh_TW/LC_MESSAGES/pam_krb5.mo
+%%NLS%%@dirrmtry share/locale/as/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/bn_IN/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/mr/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/sr@latin/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/te/LC_MESSAGES
+%%NLS%%@dirrmtry share/locale/as
+%%NLS%%@dirrmtry share/locale/bn_IN
+%%NLS%%@dirrmtry share/locale/mr
+%%NLS%%@dirrmtry share/locale/sr@latin
+%%NLS%%@dirrmtry share/locale/te