New port, Kerberos V 1.2.4-beta1.

svn path=/head/; revision=54500

security/krb5-beta/Makefile

@@ -0,0 +1,127 @@
+# Ports collection Makefile for:	MIT Kerberos V Beta
+# Date created:				2/10/2002
+# Whom:					cy@FreeBSD.org
+#
+# $FreeBSD$
+#
+
+PORTNAME=		krb5
+PORTVERSION=		1.2.4b1
+CATEGORIES=		security
+MASTER_SITES=		# manual download
+DISTNAME=		krb5-1.2.4-beta1
+
+MAINTAINER=		cy@FreeBSD.org
+
+BUILD_DEPENDS=		gm4:${PORTSDIR}/devel/m4
+
+KERBEROSV_URL=		http://web.mit.edu/network/kerberos-form.html
+USE_GMAKE=		yes
+INSTALLS_SHLIB=		yes
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS?=	--enable-shared --with-ccopts="${CFLAGS}"
+CONFIGURE_ENV=		INSTALL="${INSTALL}"
+MAKE_ARGS=		INSTALL="${INSTALL}"
+KRB5_KRB4_COMPAT?=	YES
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
+MASTER_SITES=          http://www.crypto-publish.org/dist/mit-kerberos5/
+.endif
+
+.if !defined(KRB5_KRB4_COMPAT) || ${KRB5_KRB4_COMPAT} == "NO"
+CONFIGURE_ARGS+=	--without-krb4
+.endif
+
+.if defined(KRB5_HOME)
+PREFIX=			${KRB5_HOME}
+.endif
+
+RESTRICTED=		"Crypto; export-controlled"
+# Set USA_RESIDENT appropriately in /etc/make.conf if you like
+
+INFO_FILES=		krb425.info krb5-admin.info krb5-admin.info-1 \
+			krb5-admin.info-2 krb5-admin.info-3 krb5-install.info \
+			krb5-install.info-1 krb5-install.info-2 krb5-user.info
+
+MAN1=			krb5-send-pr.1 kpasswd.1 v5passwd.1 klist.1 kinit.1 \
+			kdestroy.1 ksu.1 sclient.1 rsh.1 rcp.1 rlogin.1     \
+			v4rcp.1 ftp.1 telnet.1 kerberos.1 kvno.1
+MAN5=			kdc.conf.5 krb5.conf.5 .k5login.5
+MAN8=			krb5kdc.8 kadmin.8 kadmin.local.8 kdb5_util.8 \
+			ktutil.8 kadmind.8 kprop.8 kpropd.8 sserver.8 \
+			kshd.8 klogind.8 login.krb5.8 ftpd.8 telnetd.8
+
+WRKSRC=			${WRKDIR}/${DISTNAME}/src
+
+WANT_HTML?=		YES
+HTML_DOC_DIR=		${WRKDIR}/${DISTNAME}/doc
+HTML_DOCS=		admin.html install_foot.html user-guide.html          \
+			admin_foot.html install_toc.html user-guide_foot.html \
+			admin_toc.html krb425.html user-guide_toc.html        \
+			install.html krb425_toc.html
+
+.if !defined(USA_RESIDENT) || ${USA_RESIDENT} == "YES"
+do-fetch:
+	@if [ ! -f ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX} ]; then        \
+	${ECHO} "";							\
+	${ECHO} ">> Kerberos V contains encryption software and is";    \
+	${ECHO} "   export restricted.  If you are not a USA resident,";\
+	${ECHO} "   then you cannot obtain the Kerberos V sources from";\
+	${ECHO} "   within the United States.";                         \
+	${ECHO} "";							\
+	${ECHO} ">> The Kerberos V sources must be fetched manually.";  \
+	${ECHO} "   Please visit ${KERBEROSV_URL}";                     \
+	${ECHO} "   to download ${DISTNAME}${EXTRACT_SUFX} and place";  \
+	${ECHO} "   it in ${DISTDIR}.  Then run make again.";           \
+	${FALSE};							\
+	fi
+.endif
+
+pre-build:
+.if !defined(KRB5_KRB4_COMPAT)
+	@${ECHO} "------------------------------------------------------"
+	@${ECHO} "Set KRB5_KRB4_COMPAT=NO if you do not want to build   "
+	@${ECHO} "the KerberosIV compatibility libraries.               "
+	@${ECHO} "------------------------------------------------------"
+.endif
+
+post-build:
+	@(cd ${WRKSRC}/../doc && \
+	${MAKE} ${INFO_FILES})
+
+.include <bsd.port.pre.mk>
+
+post-install:
+# html documentation
+.if defined(WANT_HTML) && ${WANT_HTML} == "YES"
+	@${MKDIR} ${PREFIX}/share/doc/krb5
+.for html in ${HTML_DOCS}
+	${INSTALL_MAN} ${HTML_DOC_DIR}/${html} ${PREFIX}/share/doc/krb5
+.endfor
+.endif
+# handle info files
+.for info in ${INFO_FILES}
+	${INSTALL_MAN} ${WRKSRC}/../doc/${info} ${PREFIX}/info/${info}
+.endfor
+.for info in ${INFO_FILES:M*.info}
+	install-info ${PREFIX}/info/${info} ${PREFIX}/info/dir
+.endfor
+# fixup packing list (no libs without version numbers in aout case)
+.if ${PORTOBJFORMAT} == "aout"
+	${ECHO_MSG} "Fixing packing list for a.out"
+	${MV} ${TMPPLIST} ${TMPPLIST}.new
+	${GREP} -v '\.so$$' ${TMPPLIST}.new > ${TMPPLIST}
+	${RM} ${TMPPLIST}.new
+.endif
+	@${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR} > ${PREFIX}/share/doc/krb5/README.FreeBSD
+	@${CHMOD} 444 ${PREFIX}/share/doc/krb5/README.FreeBSD
+	@${ECHO} "------------------------------------------------------"
+	@${ECHO} "This port of MIT Kerberos 5 includes remote login     "
+	@${ECHO} "daemons (telnetd and klogind).  These daemons default "
+	@${ECHO} "to using the system login program (/usr/bin/login).   "
+	@${ECHO} "Please see the file                                   "
+	@${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD"
+	@${ECHO} "for more information.                                 "
+	@${ECHO} "------------------------------------------------------"
+
+.include <bsd.port.post.mk>

security/krb5-beta/distinfo

@@ -0,0 +1 @@
+MD5 (krb5-1.2.4-beta1.tar.gz) = a58727b616cf8a5f88ebdb539f6e46a2

security/krb5-beta/files/README.FreeBSD

@@ -0,0 +1,32 @@
+The MIT KRB5 port provides its own login program at
+${PREFIX}/sbin/login.krb5.  However, login.krb5 does not make use of
+the FreeBSD login.conf and login.access files that provide a means of
+setting up and controlling sessions under FreeBSD.  To overcome this,
+the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
+interactive login password authentication instead of the login.krb5
+program provided by MIT KRB5.  The FreeBSD /usr/bin/login program does
+not have support for Kerberos V password authentication,
+e.g. authentication at the console.  The pam_krb5 port must be used to
+provide Kerberos V password authentication.
+
+For more information about pam_krb5, please see pam(8) and pam_krb5(8).
+
+If you wish to use login.krb5 that is provided by the MIT KRB5 port,
+the arguments "-L ${PREFIX}/sbin/login.krb5" must be
+specified as arguments to klogind and KRB5 telnetd, e.g.
+
+klogin	stream	tcp	nowait	root	${PREFIX}/sbin/klogind	klogind -k -c -L ${PREFIX}/sbin/login.krb5
+eklogin	stream	tcp	nowait	root	${PREFIX}/sbin/klogind	klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
+telnet	stream	tcp	nowait	root	${PREFIX}/sbin/telnetd	telnetd -a none -L ${PREFIX}/sbin/login.krb5
+
+Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
+of the FreeBSD provided /usr/bin/login for local tty logins,
+"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
+
+default:\
+	:cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
+	:if=/etc/issue:\
+	:lo=${PREFIX}/sbin/login.krb5:
+
+It is recommended that the FreeBSD /usr/bin/login be used with the
+pam_krb5 port instead of the MIT KRB5 provided login.krb5.

security/krb5-beta/files/patch-ac

@@ -0,0 +1,13 @@
+--- ../doc/admin.texinfo	Fri Feb  6 21:40:56 1998
++++ admin.texinfo	Fri Jun 19 15:13:45 1998
+@@ -5,6 +5,10 @@
+ @c guide
+ @setfilename krb5-admin.info
+ @settitle Kerberos V5 System Administrator's Guide
++@dircategory Kerberos V5
++@direntry
++* Admin Guide: (krb5-admin).            Kerberos V5 System Admin's Guide
++@end direntry
+ @setchapternewpage odd                  @c chapter begins on next odd page
+ @c @setchapternewpage on                   @c chapter begins on next page
+ @c @smallbook                              @c Format for 7" X 9.25" paper

security/krb5-beta/files/patch-ad

@@ -0,0 +1,13 @@
+--- ../doc/user-guide.texinfo	Fri Feb  6 21:40:58 1998
++++ user-guide.texinfo	Fri Jun 19 15:13:45 1998
+@@ -3,6 +3,10 @@
+ @c guide
+ @setfilename krb5-user.info
+ @settitle Kerberos V5 UNIX User's Guide
++@dircategory Kerberos V5
++@direntry
++* User's Guide: (krb5-user).             Kerberos V5 UNIX User's Guide
++@end direntry
+ @setchapternewpage odd                  @c chapter begins on next odd page
+ @c @setchapternewpage on                   @c chapter begins on next page
+ @c @smallbook                              @c Format for 7" X 9.25" paper

security/krb5-beta/files/patch-ae

@@ -0,0 +1,13 @@
+--- ../doc/install.texinfo	Fri Feb  6 21:40:56 1998
++++ install.texinfo	Fri Jun 19 15:13:45 1998
+@@ -5,6 +5,10 @@
+ @c guide
+ @setfilename krb5-install.info
+ @settitle Kerberos V5 Installation Guide
++@dircategory Kerberos V5
++@direntry
++* Installation Guide: (krb5-install).    Kerberos V5 Installation Guide
++@end direntry
+ @setchapternewpage odd                  @c chapter begins on next odd page
+ @c @setchapternewpage on                   @c chapter begins on next page
+ @c @smallbook                              @c Format for 7" X 9.25" paper

security/krb5-beta/files/patch-af

@@ -0,0 +1,13 @@
+--- ../doc/krb425.texinfo	Fri Feb  6 21:40:57 1998
++++ krb425.texinfo	Fri Jun 19 15:13:45 1998
+@@ -5,6 +5,10 @@
+ @c guide
+ @setfilename krb425.info
+ @settitle Upgrading to Kerberos V5 from Kerberos V4
++@dircategory Kerberos V5
++@direntry
++* Upgrading from V4 to V5: (krb425).     Upgrading from Kerberos V4 to V5
++@end direntry
+ @setchapternewpage odd                  @c chapter begins on next odd page
+ @c @setchapternewpage on                   @c chapter begins on next page
+ @c @smallbook                              @c Format for 7" X 9.25" paper

security/krb5-beta/files/patch-ai

@@ -0,0 +1,28 @@
+--- appl/gssftp/ftpd/ftpd.c.orig	Wed Jan  9 14:26:51 2002
++++ appl/gssftp/ftpd/ftpd.c	Thu Jan 10 19:00:13 2002
+@@ -487,7 +487,13 @@
+ #ifndef LOG_DAEMON
+ #define LOG_DAEMON 0
+ #endif
+-	openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_DAEMON);
++
++#ifndef LOG_FTP
++#define FACILITY	LOG_DAEMON
++#else
++#define FACILITY	LOG_FTP
++#endif
++	openlog("ftpd", LOG_PID | LOG_NDELAY, FACILITY);
+ 
+ 	addrlen = sizeof (his_addr);
+ 	if (getpeername(0, (struct sockaddr *)&his_addr, &addrlen) < 0) {
+@@ -2312,6 +2318,10 @@
+ 		if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum),
+ 					  &kdata.session,&ctrl_addr, &his_addr)) == -1) {
+ 			secure_error("ADAT: krb_mk_safe failed");
++			return(0);
++		}
++		if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
++			secure_error("ADAT: reply too long");
+ 			return(0);
+ 		}
+ 		if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {

security/krb5-beta/files/patch-aj

@@ -0,0 +1,19 @@
+*** appl/gssftp/ftpd/logwtmp.c.ORIG	Fri Feb  6 19:41:25 1998
+--- appl/gssftp/ftpd/logwtmp.c	Tue Jun 30 19:46:01 1998
+***************
+*** 66,72 ****
+  	struct stat buf;
+  	time_t time();
+  
+! 	if (fd < 0 && (fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) < 0)
+  		return;
+  	if (fstat(fd, &buf) == 0) {
+  		(void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));
+--- 66,72 ----
+  	struct stat buf;
+  	time_t time();
+  
+! 	if (fd < 0 && (fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0)
+  		return;
+  	if (fstat(fd, &buf) == 0) {
+  		(void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));

security/krb5-beta/files/patch-appl::bsd::Makefile.in

@@ -0,0 +1,11 @@
+--- appl/bsd/Makefile.in.orig	Wed Feb 28 14:06:43 2001
++++ appl/bsd/Makefile.in	Mon Dec 31 21:52:45 2001
+@@ -28,7 +28,7 @@
+ 	-DUCB_RSH=\"$(UCB_RSH)\" -DUCB_RCP=\"$(UCB_RCP)\"
+ 
+ DEFINES = $(RSH) $(BSD) $(RPROGS) \
+-	-DLOGIN_PROGRAM=\"$(SERVER_BINDIR)/login.krb5\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
++	-DLOGIN_PROGRAM=\"/usr/bin/login\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
+ 
+ all:: rsh rcp rlogin kshd klogind login.krb5 $(V4RCP)
+ 

security/krb5-beta/files/patch-appl::bsd::klogind.M

@@ -0,0 +1,34 @@
+--- appl/bsd/klogind.M.orig	Wed Feb 28 14:06:43 2001
++++ appl/bsd/klogind.M	Mon Dec 31 21:22:27 2001
+@@ -14,6 +14,7 @@
+ ]
+ [
+ [ \fB\-w\fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]] ]
++[\fB\-L\fP \fIloginpath\fP]
+ .SH DESCRIPTION
+ .I Klogind
+ is the server for the 
+@@ -107,6 +108,10 @@
+ Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+ authentication from succeeding in the default mode.
+ 
++.IP \fB\-L\ loginpath\fP
++Specify pathname to an alternative login program.  Default: /usr/bin/login.
++KRB5_HOME/sbin/login.krb5 may be specified.
++
+ 
+ .PP
+ If the
+@@ -157,12 +162,6 @@
+ 
+ .IP \fB\-M\ realm\fP
+ Set the Kerberos realm to use.
+-
+-.IP \fB\-L\ login\fP
+-Set the login program to use.  This option only has an effect if
+-DO_NOT_USE_K_LOGIN was not defined when
+-.I klogind
+-was compiled.
+ .SH DIAGNOSTICS
+ All diagnostic messages are returned on the connection
+ associated with the

security/krb5-beta/files/patch-appl::telnet::telnetd::Makefile.in

@@ -0,0 +1,11 @@
+--- appl/telnet/telnetd/Makefile.in.orig	Wed Feb 28 14:06:51 2001
++++ appl/telnet/telnetd/Makefile.in	Mon Dec 31 21:51:19 2001
+@@ -24,7 +24,7 @@
+ #	@(#)Makefile.generic	5.5 (Berkeley) 3/1/91
+ #
+ 
+-AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
++AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=\"/usr/bin/login\"
+ OTHERDEFS=-DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
+ LOCALINCLUDES=-I.. -I$(srcdir)/..
+ DEFINES = $(AUTH_DEF) $(OTHERDEFS)

security/krb5-beta/files/patch-appl::telnet::telnetd::telnetd.8

@@ -0,0 +1,22 @@
+--- appl/telnet/telnetd/telnetd.8.orig	Wed Feb 28 14:06:51 2001
++++ appl/telnet/telnetd/telnetd.8	Mon Dec 31 21:16:55 2001
+@@ -43,7 +43,7 @@
+ [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
+ [\fB\-S\fP \fItos\fP] [\fB\-U\fP] [\fB\-X\fP \fIauthtype\fP]
+ [\fB\-w\fP [\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]]
+-[\fB\-debug\fP [\fIport\fP]]
++[\fB\-debug\fP] [\fB\-L\fP \fIloginpath\fP] [\fIport\fP]
+ .SH DESCRIPTION
+ The
+ .B telnetd
+@@ -221,6 +221,10 @@
+ in response to a
+ .SM DO TIMING-MARK)
+ for kludge linemode support.
++.TP
++\fB\-L\fP \fIloginpath\fP
++Specify pathname to an alternative login program.  Default: /usr/bin/login.
++KRB5_HOME/sbin/login.krb5 may be specified.
+ .TP
+ .B \-l
+ Specifies line mode.  Tries to force clients to use line-at-a-time

security/krb5-beta/files/patch-appl::telnet::telnetd::utility.c

@@ -0,0 +1,38 @@
+--- appl/telnet/telnetd/utility.c.orig	Wed Jan  9 14:26:59 2002
++++ appl/telnet/telnetd/utility.c	Fri Jan 11 13:10:33 2002
+@@ -408,18 +408,25 @@
+ int
+ netwrite(const char *buf, size_t len)
+ {
+-	size_t remain;
++	int remaining, copied;
++	
++	remaining = BUFSIZ - (nfrontp - netobuf);
++	while (len > 0) {
++		/* Free up enough space if the room is too low*/
++		if ((len > BUFSIZ ? BUFSIZ : len) > remaining) {
++			netflush();
++			remaining = BUFSIZ - (nfrontp - netobuf);
++		}
+ 
+-	remain = sizeof(netobuf) - (nfrontp - netobuf);
+-	if (remain < len) {
+-		netflush();
+-		remain = sizeof(netobuf) - (nfrontp - netobuf);
++		/* Copy out as much as will fit */
++		copied = remaining > len ? len : remaining;
++		memmove(nfrontp, buf, copied);
++		nfrontp += copied;
++		len -= copied;
++		remaining -= copied;
++		buf += copied;
+ 	}
+-	if (remain < len)
+-		return 0;
+-	memcpy(nfrontp, buf, len);
+-	nfrontp += len;
+-	return len;
++	return copied;
+ }
+ 
+ /*

security/krb5-beta/files/patch-as

@@ -0,0 +1,199 @@
+--- clients/ksu/main.c.orig	Wed Feb 28 14:06:55 2001
++++ clients/ksu/main.c	Thu Sep  6 16:21:46 2001
+@@ -31,6 +31,10 @@
+ #include <sys/wait.h>
+ #include <signal.h>
+ 
++#ifdef LOGIN_CAP
++#include <login_cap.h>
++#endif
++
+ /* globals */
+ char * prog_name;
+ int auth_debug =0;     
+@@ -60,7 +64,7 @@
+    ill specified arguments to commands */        
+ 
+ void usage (){
+-	fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
++	fprintf(stderr, "Usage: %s [target user] [-m] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
+ }
+ 
+ /* for Ultrix and friends ... */
+@@ -76,6 +80,7 @@
+ 	int argc;
+ 	char ** argv;
+ { 
++int asme = 0;
+ int hp =0;
+ int some_rest_copy = 0;	
+ int all_rest_copy = 0;	
+@@ -90,6 +95,7 @@
+ char * cc_target_tag = NULL; 
+ char * target_user = NULL;
+ char * source_user;
++char * source_shell;
+ 
+ krb5_ccache cc_source = NULL;
+ const char * cc_source_tag = NULL; 
+@@ -118,6 +124,11 @@
+ char * dir_of_cc_target;     
+ char * dir_of_cc_source; 
+ 
++#ifdef LOGIN_CAP
++login_cap_t *lc;
++int setwhat;
++#endif
++
+     options.opt = KRB5_DEFAULT_OPTIONS;
+     options.lifetime = KRB5_DEFAULT_TKT_LIFE;
+     options.rlife =0; 
+@@ -181,7 +192,7 @@
+ 	com_err (prog_name, errno, "while setting euid to source user");
+ 	exit (1);
+     }
+-    while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
++    while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkmql:e:")) != -1)){
+ 	switch (option) {
+ 	case 'r':
+ 	    options.opt |= KDC_OPT_RENEWABLE;
+@@ -227,6 +238,9 @@
+ 		errflg++;
+ 	    }
+ 	    break;
++	case 'm':
++	    asme = 1;
++	    break;
+ 	case 'n': 
+ 	    if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
+ 		com_err(prog_name, retval, "when parsing name %s", optarg); 
+@@ -341,6 +355,7 @@
+ 
+ 	/* allocate space and copy the usernamane there */        
+ 	source_user = xstrdup(pwd->pw_name);
++	source_shell = xstrdup(pwd->pw_shell);
+ 	source_uid = pwd->pw_uid;
+ 	source_gid = pwd->pw_gid;
+ 
+@@ -668,43 +683,64 @@
+ 	/* get the shell of the user, this will be the shell used by su */      
+ 	target_pwd = getpwnam(target_user);
+ 
+-	if (target_pwd->pw_shell)
+-		shell = xstrdup(target_pwd->pw_shell);
+-	else {
+-		shell = _DEF_CSH;  /* default is cshell */   
+-    	}
++	if (asme) {
++		if (source_shell && *source_shell) {
++			shell = strdup(source_shell);
++		} else {
++			shell = _DEF_CSH;
++		}
++	} else {
++		if (target_pwd->pw_shell)
++			shell = strdup(target_pwd->pw_shell);
++		else {
++			shell = _DEF_CSH;  /* default is cshell */   
++		}
++	}
+ 
+ #ifdef HAVE_GETUSERSHELL
+ 
+       /* insist that the target login uses a standard shell (root is omited) */ 
+ 
+-       if (!standard_shell(target_pwd->pw_shell) && source_uid) {
+-	       fprintf(stderr, "ksu: permission denied (shell).\n");
+-	       sweep_up(ksu_context, cc_target);
+-	       exit(1);
++	if (asme) {
++		if (!standard_shell(pwd->pw_shell) && source_uid) {
++			fprintf(stderr, "ksu: permission denied (shell).\n");
++			sweep_up(ksu_context, cc_target);
++			exit(1);
++		}
++	} else {
++		if (!standard_shell(target_pwd->pw_shell) && source_uid) {
++			fprintf(stderr, "ksu: permission denied (shell).\n");
++			sweep_up(ksu_context, cc_target);
++			exit(1);
++		}
+ 	}
+ #endif /* HAVE_GETUSERSHELL */
+ 	
+-       if (target_pwd->pw_uid){
+-	
+-	      if(set_env_var("USER", target_pwd->pw_name)){
+-   		fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+-	        sweep_up(ksu_context, cc_target);
+-	        exit(1);
+-	      } 			
+-       }	
++	if (!asme) {
++		if (target_pwd->pw_uid){
++		      if (set_env_var("USER", target_pwd->pw_name)){
++			fprintf(stderr,"ksu: couldn't set environment variable USER\n");
++			sweep_up(ksu_context, cc_target);
++			exit(1);
++		      } 			
++		}
+ 
+-      if(set_env_var( "HOME", target_pwd->pw_dir)){
+-		fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+-	        sweep_up(ksu_context, cc_target);
+-	        exit(1);
+-      } 			
++		if (set_env_var( "HOME", target_pwd->pw_dir)){
++			fprintf(stderr,"ksu: couldn't set environment variable USER\n");
++			sweep_up(ksu_context, cc_target);
++			exit(1);
++		}
+ 
+-      if(set_env_var( "SHELL", shell)){
+-		fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+-	        sweep_up(ksu_context, cc_target);
+-	        exit(1);
+-      } 			
++		if (set_env_var( "SHELL", shell)){
++			fprintf(stderr,"ksu: couldn't set environment variable USER\n");
++			sweep_up(ksu_context, cc_target);
++			exit(1);
++		} 			
++	}
++
++#ifdef LOGIN_CAP
++	lc = login_getpwclass(pwd);
++#endif
+ 
+       /* set the cc env name to target */         	
+ 
+@@ -714,7 +750,18 @@
+ 	        sweep_up(ksu_context, cc_target);
+ 	        exit(1);
+       } 			
+-
++#ifdef LOGIN_CAP
++        setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
++	setwhat |= LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV;
++	/*
++	 * Don't touch resource/priority settings if -m has been
++	 * used or -l and -c hasn't, and we're not su'ing to root.
++	 */
++        if (target_pwd->pw_uid)
++		setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
++	if (setusercontext(lc, target_pwd, target_pwd->pw_uid, setwhat) < 0)
++		err(1, "setusercontext");
++#else
+    	/* set permissions */
+         if (setgid(target_pwd->pw_gid) < 0) {
+ 		   perror("ksu: setgid");
+@@ -754,7 +801,8 @@
+ 		   perror("ksu: setuid");
+ 	           sweep_up(ksu_context, cc_target);
+ 		   exit(1);
+-       }   
++       }
++#endif
+ 
+        if (access( cc_target_tag_tmp, R_OK | W_OK )){
+               com_err(prog_name, errno,

security/krb5-beta/files/patch-at

@@ -0,0 +1,14 @@
+*** include/sys/syslog.h.ORIG	Fri Feb  6 19:42:12 1998
+--- include/sys/syslog.h	Tue Jun 30 19:46:02 1998
+***************
+*** 34,39 ****
+--- 34,42 ----
+  #define LOG_LPR		(6<<3)	/* line printer subsystem */
+  #define LOG_NEWS	(7<<3)	/* network news subsystem */
+  #define LOG_UUCP	(8<<3)	/* UUCP subsystem */
++ #if (defined(BSD) && (BSD >= 199306))
++ #define LOG_FTP		(11<<3) /* ftp daemon */
++ #endif
+  	/* other codes through 15 reserved for system use */
+  #define LOG_LOCAL0	(16<<3)	/* reserved for local use */
+  #define LOG_LOCAL1	(17<<3)	/* reserved for local use */

security/krb5-beta/files/patch-av

@@ -0,0 +1,15 @@
+*** clients/ksu/Makefile.in.ORIG	Sun Aug  2 16:51:18 1998
+--- clients/ksu/Makefile.in	Sun Aug  2 16:53:48 1998
+***************
+*** 3,7 ****
+  mydir=ksu
+  BUILDTOP=$(REL)$(U)$(S)$(U)
+! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+  CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
+  
+--- 3,7 ----
+  mydir=ksu
+  BUILDTOP=$(REL)$(U)$(S)$(U)
+! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"'
+  CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
+  

security/krb5-beta/files/patch-ax

@@ -0,0 +1,11 @@
+--- ../doc/Makefile.orig	Wed Jan 20 21:57:45 1999
++++ ../doc/Makefile	Wed Jan 20 21:59:19 1999
+@@ -1,7 +1,7 @@
+ SRCDIR=../src
+ DVI=texi2dvi
+ DVIPS=dvips -o "$@"
+-INFO=makeinfo
++INFO=makeinfo --no-validate
+ HTML=texi2html
+ RM=rm -f
+ TAR=tar -chvf

security/krb5-beta/files/patch-ay

@@ -0,0 +1,50 @@
+--- util/pty/getpty.c.orig	Wed Jan  9 14:28:37 2002
++++ util/pty/getpty.c	Thu Jan 10 21:30:40 2002
+@@ -24,13 +24,26 @@
+ #include "libpty.h"
+ #include "pty-int.h"
+ 
++#ifdef __FreeBSD__
++#define PTYCHARS1	"pqrsPQRS"
++#define PTYCHARS2	"0123456789abcdefghijklmnopqrstuv"
++#endif
++
++#ifndef PTYCHARS1
++#define PTYCHARS1	"pqrstuvwxyzPQRST"
++#endif
++
++#ifndef PTYCHARS2
++#define PTYCHARS2	"0123456789abcdef"
++#endif
++
+ long
+ ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt)
+ {
++    int ptynum;
++    char *cp1, *cp2;
+ #if !defined(HAVE__GETPTY) && !defined(HAVE_OPENPTY)
+-    char *cp;
+     char *p;
+-    int i,ptynum;
+     struct stat stb;
+     char slavebuf[1024];
+ #endif
+@@ -115,14 +128,14 @@
+ 	strncpy(slave, slavebuf, slavelength);
+ 	return 0;
+     } else {
+-    	for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
++    	for (cp1 = PTYCHARS1; *cp1 != '\0'; cp1++) {
+ 	    sprintf(slavebuf,"/dev/ptyXX");
+-	    slavebuf[sizeof("/dev/pty") - 1] = *cp;
++	    slavebuf[sizeof("/dev/pty") - 1] = *cp1;
+ 	    slavebuf[sizeof("/dev/ptyp") - 1] = '0';
+ 	    if (stat(slavebuf, &stb) < 0)
+ 		break;
+-	    for (i = 0; i < 16; i++) {
+-		slavebuf[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
++	    for (cp2 = PTYCHARS2; *cp2 != '\0'; cp2++) {
++		slavebuf[sizeof("/dev/ptyp") - 1] = *cp2;
+ 		*fd = open(slavebuf, O_RDWR);
+ 		if (*fd < 0) continue;
+ 

security/krb5-beta/files/patch-ba

@@ -0,0 +1,81 @@
+--- appl/bsd/login.c.ORIG	Wed Oct 13 12:55:47 1999
++++ appl/bsd/login.c	Wed Oct 13 12:56:29 1999
+@@ -1303,19 +1304,6 @@
+ 		setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ 	    }
+ 
+-	    /* Policy: If local password is good, user is good.
+-	       We really can't trust the Kerberos password,
+-	       because somebody on the net could spoof the
+-	       Kerberos server (not easy, but possible).
+-	       Some sites might want to use it anyways, in
+-	       which case they should change this line
+-	       to:
+-	       if (kpass_ok)
+-	    */
+-
+-	    if (lpass_ok)
+-		break;
+-
+ 	    if (got_v5_tickets) {
+ 		if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
+ 						    NULL, &xtra_creds,
+@@ -1338,6 +1326,9 @@
+ 	    }
+ #endif /* KRB4_GET_TICKETS */
+ 
++	    if (lpass_ok)
++		break;
++
+ 	bad_login:
+ 	    setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
+ 
+@@ -1640,20 +1631,28 @@
+ 	/* set up credential cache -- obeying KRB5_ENV_CCNAME 
+ 	   set earlier */
+ 	/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
+-	if (retval = krb5_cc_default(kcontext, &ccache)) {
++	retval = krb5_cc_default(kcontext, &ccache);
++	if (retval)
+ 	    com_err(argv[0], retval, "while getting default ccache");
+-	} else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
+-	    com_err(argv[0], retval, "when initializing cache");
+-	} else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
+-	    com_err(argv[0], retval, "while storing credentials");
+-	} else if (xtra_creds &&
+-		   (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+-						ccache))) {
+-	    com_err(argv[0], retval, "while storing credentials");
++	else {
++	    retval = krb5_cc_initialize(kcontext, ccache, me);
++	    if (retval)
++		com_err(argv[0], retval, "when initializing cache");
++	    else {
++		retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
++		if (retval)
++		    com_err(argv[0], retval, "while storing credentials");
++		else  {
++		    if (xtra_creds) {
++			retval = krb5_cc_copy_creds(kcontext, xtra_creds,
++						ccache);
++			if (retval)
++			    com_err(argv[0], retval, "while storing credentials");
++			krb5_cc_destroy(kcontext, xtra_creds);
++		    }
++		}
++	    }
+ 	}
+-
+-	if (xtra_creds)
+-	    krb5_cc_destroy(kcontext, xtra_creds);
+     } else if (forwarded_v5_tickets && rewrite_ccache) {
+ 	if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
+ 	    syslog(LOG_ERR,
+@@ -1727,6 +1727,7 @@
+ 
+     if (ccname)
+ 	setenv("KRB5CCNAME", ccname, 1);
++    krb5_cc_set_default_name(kcontext, ccname);
+ 
+     setenv("HOME", pwd->pw_dir, 1);
+     setenv("PATH", LPATH, 1);

security/krb5-beta/files/patch-bb

@@ -0,0 +1,10 @@
+--- appl/telnet/telnet/Makefile.in.orig	Sat Dec 18 10:47:05 1999
++++ appl/telnet/telnet/Makefile.in	Sat Dec 18 10:47:13 1999
+@@ -58,7 +58,6 @@
+ 	  $(INSTALL_DATA) $(srcdir)/$$f.1 \
+ 		${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
+ 	done
+-	$(INSTALL_DATA) $(srcdir)/tmac.doc ${DESTDIR}$(CLIENT_MANDIR)/tmac.doc
+ 
+ authenc.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET)
+ commands.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET)

security/krb5-beta/pkg-comment

@@ -0,0 +1 @@
+An authentication system developed at MIT, successor to Kerberos IV

security/krb5-beta/pkg-descr

@@ -0,0 +1,24 @@
+Kerberos V5 is an authentication system developed at MIT.  
+WWW: http://web.mit.edu/kerberos/www/
+
+Abridged from the User Guide:
+       Under Kerberos, a client sends a request for a ticket to the 
+   Key Distribution Center (KDC). The KDC creates a ticket-granting 
+   ticket (TGT) for the client, encrypts it using the client's 
+   password as the key, and sends the encrypted TGT back to the 
+   client. The client then attempts to decrypt the TGT, using
+   its password. If the client successfully decrypts the TGT, it 
+   keeps the decrypted TGT, which indicates proof of the client's 
+   identity. The TGT permits the client to obtain additional tickets, 
+   which give permission for specific services.
+       Since Kerberos negotiates authenticated, and optionally encrypted,   
+   communications between two points anywhere on the internet, it
+   provides a layer of security that is not dependent on which side of a
+   firewall either client is on.
+       The Kerberos V5 package is designed to be easy to use. Most of the  
+   commands are nearly identical to UNIX network programs you are already
+   used to. Kerberos V5 is a single-sign-on system, which means that you 
+   have to type your password only once per session, and Kerberos does   
+   the authenticating and encrypting transparently.  
+
+Jacques Vidrine <n@nectar.com>

security/krb5-beta/pkg-plist

@@ -0,0 +1,124 @@
+@unexec install-info --delete %D/info/krb425.info %D/info/dir
+@unexec install-info --delete %D/info/krb5-admin.info %D/info/dir
+@unexec install-info --delete %D/info/krb5-install.info %D/info/dir
+@unexec install-info --delete %D/info/krb5-user.info %D/info/dir
+bin/ftp
+bin/gss-client
+bin/kdestroy
+bin/kinit
+bin/klist
+bin/kpasswd
+bin/krb524init
+bin/ksu
+bin/kvno
+bin/rcp
+bin/rlogin
+bin/rsh
+bin/sclient
+bin/sim_client
+bin/telnet
+bin/uuclient
+bin/v4rcp
+bin/v5passwd
+include/com_err.h
+include/gssapi/gssapi.h
+include/gssapi/gssapi_generic.h
+include/gssapi/gssapi_krb5.h
+include/kerberosIV/des.h
+include/kerberosIV/kadm.h
+include/kerberosIV/krb.h
+include/kerberosIV/krb_err.h
+include/kerberosIV/mit-copyright.h
+include/krb5.h
+include/libpty.h
+include/mit-sipb-copyright.h
+include/port-sockets.h
+include/profile.h
+info/krb425.info
+info/krb5-admin.info
+info/krb5-admin.info-1
+info/krb5-admin.info-2
+info/krb5-admin.info-3
+info/krb5-install.info
+info/krb5-install.info-1
+info/krb5-install.info-2
+info/krb5-user.info
+lib/libcom_err.a
+lib/libcom_err.so
+lib/libcom_err.so.3
+lib/libdes425.a
+lib/libdes425.so
+lib/libdes425.so.3
+lib/libdyn.a
+lib/libdyn.so
+lib/libdyn.so.1
+lib/libgssapi_krb5.a
+lib/libgssapi_krb5.so
+lib/libgssapi_krb5.so.2
+lib/libgssrpc.a
+lib/libgssrpc.so
+lib/libgssrpc.so.3
+lib/libk5crypto.a
+lib/libk5crypto.so
+lib/libk5crypto.so.3
+lib/libkadm5clnt.a
+lib/libkadm5clnt.so
+lib/libkadm5clnt.so.5
+lib/libkadm5srv.a
+lib/libkadm5srv.so
+lib/libkadm5srv.so.5
+lib/libkdb5.a
+lib/libkdb5.so
+lib/libkdb5.so.3
+lib/libkrb4.a
+lib/libkrb4.so
+lib/libkrb4.so.2
+lib/libkrb5.a
+lib/libkrb5.so
+lib/libkrb5.so.3
+lib/libkrb524.a
+lib/libpty.a
+lib/libpty.so
+lib/libpty.so.1
+lib/libss.a
+sbin/ftpd
+sbin/gss-server
+sbin/kadmin
+sbin/kadmin.local
+sbin/kadmind
+sbin/kadmind4
+sbin/kdb5_util
+sbin/klogind
+sbin/kprop
+sbin/kpropd
+sbin/krb5-send-pr
+sbin/krb524d
+sbin/krb5kdc
+sbin/kshd
+sbin/ktutil
+sbin/login.krb5
+sbin/sim_server
+sbin/sserver
+sbin/telnetd
+sbin/uuserver
+sbin/v5passwdd
+share/doc/krb5/README.FreeBSD
+share/doc/krb5/admin.html
+share/doc/krb5/admin_foot.html
+share/doc/krb5/admin_toc.html
+share/doc/krb5/install.html
+share/doc/krb5/install_foot.html
+share/doc/krb5/install_toc.html
+share/doc/krb5/krb425.html
+share/doc/krb5/krb425_toc.html
+share/doc/krb5/user-guide.html
+share/doc/krb5/user-guide_foot.html
+share/doc/krb5/user-guide_toc.html
+share/gnats/mit
+@dirrm include/gssapi
+@dirrm include/kerberosIV
+@dirrm share/doc/krb5
+@exec install-info %D/info/krb425.info %D/info/dir
+@exec install-info %D/info/krb5-admin.info %D/info/dir
+@exec install-info %D/info/krb5-install.info %D/info/dir
+@exec install-info %D/info/krb5-user.info %D/info/dir