- Add OPTION to use Kerberos from the base system instead of requiring the port
- Add OPTION to apply a patch that allows one to specify the keytab location/SPN when using rlm_krb5 - Do not bump PORTREVISION
This commit is contained in:
Ryan Steinmetz
parent
ea762b7c07
commit
a82ac9635c
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=290129
@ -25,11 +25,8 @@ LICENSE= GPLv2
|
||||
|
||||
LIB_DEPENDS= gdbm.4:${PORTSDIR}/databases/gdbm
|
||||
|
||||
USE_GMAKE= yes
|
||||
|
||||
USE_BZIP2= yes
|
||||
|
||||
LOGDIR?= /var/log
|
||||
KRB5_CONFIG?= /usr/bin/krb5-config --libs
|
||||
|
||||
CONFLICTS= gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].* \
|
||||
freeradius-mysql-[0-9].* freeradius-[013-9].*
|
||||
@ -37,6 +34,7 @@ CONFLICTS= gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].* \
|
||||
USE_RC_SUBR= radiusd.sh
|
||||
USE_AUTOTOOLS= libltdl libtool autoconf
|
||||
USE_GMAKE= yes
|
||||
USE_BZIP2= yes
|
||||
USE_OPENSSL= yes
|
||||
MAKE_ARGS+= LDFLAGS="-L${LOCALBASE}/lib ${PTHREAD_LIBS}"
|
||||
CFLAGS+= -I${LOCALBASE}/include -L${LOCALBASE}/lib
|
||||
@ -47,6 +45,8 @@ PLIST_SUB= PORTVERSION=${DISTVERSION}
|
||||
OPTIONS= USER "Run as user freeradius, group freeradius" on \
|
||||
KERBEROS "With Kerberos support" off \
|
||||
HEIMDAL "With Heimdal Kerberos support" off \
|
||||
HEIMDAL_PORT "Use Heimdal Kerberos from ports" off \
|
||||
HEIMDAL_PATCH "Enhanced Heimdal support (specify SPN/keytab)" off \
|
||||
LDAP "With LDAP database support" off \
|
||||
MYSQL "With MySQL database support" off \
|
||||
PGSQL "With PostgreSQL database support" off \
|
||||
@ -86,20 +86,33 @@ WITH_KERBEROS= yes
|
||||
|
||||
.ifdef(WITH_KERBEROS)
|
||||
.ifdef(WITH_HEIMDAL)
|
||||
.ifdef(WITH_HEIMDAL_PORT)
|
||||
LIB_DEPENDS+= krb5.26:${PORTSDIR}/security/heimdal
|
||||
.endif
|
||||
CONFIGURE_ARGS+=--enable-heimdal-krb5
|
||||
.else
|
||||
LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
|
||||
.endif
|
||||
CONFIGURE_ARGS+=--with-rlm_krb5
|
||||
.if defined (WITH_HEIMDAL) && !defined(WITH_HEIMDAL_PORT)
|
||||
CONFIGURE_ARGS+=--with-rlm-krb5-lib-dir=/usr/lib
|
||||
CONFIGURE_ARGS+=--with-rlm-krb5-include-dir=/usr/include
|
||||
CONFIGURE_ENV+= KRB5LIBS="$$(${KRB5_CONFIG})"
|
||||
.else
|
||||
CONFIGURE_ARGS+=--with-rlm-krb5-lib-dir=${LOCALBASE}/lib
|
||||
CONFIGURE_ARGS+=--with-rlm-krb5-include-dir=${LOCALBASE}/include
|
||||
.endif
|
||||
PLIST_SUB+= KRB5=""
|
||||
.else
|
||||
CONFIGURE_ARGS+=--without-rlm_krb5
|
||||
PLIST_SUB+= KRB5="@comment "
|
||||
.endif
|
||||
|
||||
# Patch rlm_krb5.c to add Heimdal support for specifying keytab+SPN
|
||||
.ifdef(WITH_HEIMDAL_PATCH)
|
||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-src__modules__rlm_krb5__rlm_krb5.c
|
||||
.endif
|
||||
|
||||
.ifdef(WITH_LDAP)
|
||||
USE_OPENLDAP= YES
|
||||
CONFIGURE_ARGS+=--with-rlm_ldap
|
||||
@ -333,6 +346,12 @@ post-patch:
|
||||
@${FIND} -E ${WRKSRC}/raddb/certs \
|
||||
-regex '.*/(bootstrap|Makefile)\.(orig|bak)$$' \
|
||||
-delete
|
||||
# If we're using Heimdal from base, alter the LIBS variable
|
||||
.if defined(WITH_HEIMDAL) && !defined(WITH_HEIMDAL_PORT)
|
||||
@${REINPLACE_CMD} -e 's|LIBS|KRB5LIBS|g' ${WRKSRC}/src/modules/rlm_krb5/configure
|
||||
@${REINPLACE_CMD} -e 's|-lkrb5|$$(${KRB5_CONFIG})|g' \
|
||||
${WRKSRC}/src/modules/rlm_krb5/configure
|
||||
.endif
|
||||
# If DHCPis enabled, enable the DHCP dictionary
|
||||
.ifdef(WITH_DHCP)
|
||||
@${REINPLACE_CMD} -Ee 's:^#(.+ dictionary\.dhcp)$$:\1:g' \
|
||||
|
||||
@ -0,0 +1,131 @@
|
||||
--- ./src/modules/rlm_krb5/rlm_krb5.c.orig 2011-09-30 10:12:07.000000000 -0400
|
||||
+++ ./src/modules/rlm_krb5/rlm_krb5.c 2012-01-29 12:06:04.000000000 -0500
|
||||
@@ -322,16 +322,41 @@
|
||||
#else /* HEIMDAL_KRB5 */
|
||||
|
||||
/* validate user/pass, heimdal krb5 way */
|
||||
-static int krb5_auth(void *instance, REQUEST *request)
|
||||
+static int krb5_auth(rlm_krb5_t *instance, REQUEST *request)
|
||||
{
|
||||
int r;
|
||||
- krb5_error_code ret;
|
||||
+ krb5_error_code ret, ret2;
|
||||
krb5_ccache id;
|
||||
krb5_principal userP;
|
||||
|
||||
krb5_context context = *((rlm_krb5_t *)instance)->context; /* copy data */
|
||||
const char *user, *pass;
|
||||
|
||||
+ /* arbitrary 64-byte limit on service names; I've never seen a
|
||||
+ service name this long, and hope never to. -srl */
|
||||
+ /* stolen from the above mit kerb stuff -- kula */
|
||||
+
|
||||
+ char service[64] = "host";
|
||||
+ char *servername = NULL;
|
||||
+ char *princ_name;
|
||||
+
|
||||
+ krb5_verify_opt krb_verify_options;
|
||||
+ krb5_keytab keytab;
|
||||
+
|
||||
+ if (instance->service_princ != NULL) {
|
||||
+ servername = strchr(instance->service_princ, '/');
|
||||
+ if (servername != NULL) {
|
||||
+ *servername = '\0';
|
||||
+ }
|
||||
+
|
||||
+ strncpy(service,instance->service_princ,sizeof(service));
|
||||
+ service[sizeof(service)-1] = '\0';
|
||||
+ if (servername != NULL) {
|
||||
+ *servername = '/';
|
||||
+ servername++;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We can only authenticate user requests which HAVE
|
||||
* a User-Name attribute.
|
||||
@@ -374,26 +399,70 @@
|
||||
/*
|
||||
* Heimdal krb5 verification
|
||||
*/
|
||||
- radlog(L_AUTH, "rlm_krb5: Parsed name is: %s@%s\n",
|
||||
- *userP->name.name_string.val,
|
||||
- userP->realm);
|
||||
+
|
||||
+
|
||||
+ /*
|
||||
+ * The following bit allows us to also log user/instance@REALM if someone
|
||||
+ * logs in using an instance
|
||||
+ */
|
||||
+
|
||||
+ ret = krb5_unparse_name(context, userP, &princ_name);
|
||||
+ if ( ret != 0 ) {
|
||||
+ radlog(L_AUTH, "rlm_krb5: krb5_unparse_name unparsable name\n");
|
||||
+ } else {
|
||||
+ radlog(L_AUTH, "rlm_krb5: Parsed name is: %s\n", princ_name);
|
||||
+ free(princ_name);
|
||||
+ }
|
||||
|
||||
krb5_cc_default(context, &id);
|
||||
|
||||
- ret = krb5_verify_user(context,
|
||||
- userP,
|
||||
- id,
|
||||
- pass, 1, "radius");
|
||||
+ /* Set up krb5_verify_user options */
|
||||
+ krb5_verify_opt_init(&krb_verify_options);
|
||||
|
||||
- if (ret == 0)
|
||||
- return RLM_MODULE_OK;
|
||||
+ krb5_verify_opt_set_ccache(&krb_verify_options, id);
|
||||
|
||||
- radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
|
||||
- error_message(ret),
|
||||
- *userP->name.name_string.val,
|
||||
- userP->realm);
|
||||
+ /*
|
||||
+ * Resolve keytab name. This allows us to use something other than
|
||||
+ * the default system keytab
|
||||
+ */
|
||||
|
||||
- return RLM_MODULE_REJECT;
|
||||
+ if (instance->keytab != NULL)
|
||||
+ {
|
||||
+ ret = krb5_kt_resolve(context, instance->keytab, &keytab);
|
||||
+
|
||||
+ if ( ret )
|
||||
+ {
|
||||
+ radlog(L_AUTH, "rlm_krb: unable to resolve keytab %s: %s",
|
||||
+ instance->keytab, error_message(ret));
|
||||
+ krb5_kt_close(context, keytab);
|
||||
+ return RLM_MODULE_REJECT;
|
||||
+ }
|
||||
+ krb5_verify_opt_set_keytab(&krb_verify_options, keytab);
|
||||
+ }
|
||||
+
|
||||
+ /* Verify aquired credentials against the keytab */
|
||||
+
|
||||
+ krb5_verify_opt_set_secure(&krb_verify_options, 1);
|
||||
+
|
||||
+ /* Allow us to use an arbitrary service name */
|
||||
+
|
||||
+ krb5_verify_opt_set_service(&krb_verify_options, service);
|
||||
+
|
||||
+ /* Verify the user, using the above set options */
|
||||
+ ret = krb5_verify_user_opt(context, userP, pass, &krb_verify_options);
|
||||
+
|
||||
+ /* We are done with the keytab, close it */
|
||||
+ ret2 = krb5_kt_close(context, keytab);
|
||||
+
|
||||
+ if (ret == 0)
|
||||
+ return RLM_MODULE_OK;
|
||||
+
|
||||
+ radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
|
||||
+ error_message(ret),
|
||||
+ *userP->name.name_string.val,
|
||||
+ userP->realm);
|
||||
+
|
||||
+ return RLM_MODULE_REJECT;
|
||||
}
|
||||
|
||||
#endif /* HEIMDAL_KRB5 */
|
||||
Loading…
Reference in New Issue
Block a user