
Brand new MIT KRB5 beta.

Cy Schubert 2004-01-26 04:13:21 +00:00
parent 76a7e4739b
commit 6c8e7e98c6
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=99158
32 changed files with 1015 additions and 1 deletions

2
MOVED

@ -163,7 +163,7 @@ biology/gaussian||2003-01-31|deleted maintain is hard and gray in license
graphics/xine_dvdnav_plugin||2003-02-01|integrated into graphics/libxine
devel/ossp-mm||2003-02-01|accidental dupe of devel/mm
archivers/linux_rar||2003-02-03|FreeBSD/i386 binary is available
security/krb5-beta||2003-08-07|deleted: no longer in beta, MIT KRB5 1.3 released
security/krb5-beta||2004-01-25|resurrected: brand new MIT KRB5 1.3.2 beta
security/pam_krb5||2003-02-12|resurrected: required when MIT KRB5 used in place of base system KRB5
deskutils/gnucash|finance/gnucash|2003-02-05|new category
x11-toolkits/crux||2003-02-07|deleted: added to GNOME 2.2 desktop


@ -137,6 +137,7 @@
SUBDIR += knocker
SUBDIR += krb4
SUBDIR += krb5
SUBDIR += krb5-beta
SUBDIR += kripp
SUBDIR += kssh
SUBDIR += l0pht-watch

157
security/krb5-beta/Makefile Normal file

@ -0,0 +1,157 @@
# Ports collection Makefile for: MIT Kerberos V
# Date created: 6/5/1998
# Whom: nectar@FreeBSD.org
#
# $FreeBSD$
#
PORTNAME= krb5
PORTVERSION= 1.3.2.b1
CATEGORIES= security
# USE_TARBALL tells the port that the user has fetched the source
# directly from MIT or crypto-publish.org (CRYTPO-PUBLISH).
USE_KRB5_TARBALL?= MIT
.if defined(USE_KRB5_TARBALL) && ${USE_KRB5_TARBALL} == "CRYPTO-PUBLISH"
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/
EXTRACT_SUFX= .tar.gz
.else
MASTER_SITES= http://web.mit.edu/kerberos/www/dist/krb5/${PORTVERSION:C/\.[0-9]*\.b[0-9]$//}/
EXTRACT_SUFX= .tar
.endif
DISTNAME= ${PORTNAME}-${PORTVERSION:S/.b/-beta/}
MAINTAINER= cy@FreeBSD.org
COMMENT= An authentication system developed at MIT, successor to Kerberos IV
BUILD_DEPENDS= gm4:${PORTSDIR}/devel/m4
KERBEROSV_URL= http://web.mit.edu/network/kerberos-form.html
USE_REINPLACE= yes
USE_GMAKE= yes
USE_PERL5_BUILD= yes
INSTALLS_SHLIB= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS?= --enable-shared
CONFIGURE_ENV= INSTALL="${INSTALL}" YACC=/usr/bin/yacc \
CFLAGS="${CFLAGS}"
MAKE_ARGS= INSTALL="${INSTALL}"
KRB5_KRB4_COMPAT?= NO
.if !defined(KRB5_KRB4_COMPAT) || ${KRB5_KRB4_COMPAT} == "NO"
CONFIGURE_ARGS+= --without-krb4
PLIST_SUB+= KRB4="@comment "
.else
PLIST_SUB+= KRB4=""
.endif
.if defined(KRB5_HOME)
PREFIX= ${KRB5_HOME}
.endif
INFO_FILES= krb425.info krb5-admin.info krb5-admin.info-1 \
krb5-admin.info-2 krb5-admin.info-3 krb5-install.info \
krb5-install.info-1 krb5-install.info-2 krb5-user.info
MAN1= krb5-send-pr.1 kpasswd.1 v5passwd.1 klist.1 kinit.1 \
kdestroy.1 ksu.1 sclient.1 rsh.1 rcp.1 rlogin.1 \
ftp.1 telnet.1 kerberos.1 kvno.1 compile_et.1
.if defined(KRB5_KRB4_COMPAT) && ${KRB5_KRB4_COMPAT} != "NO"
MAN1+= v4rcp.1
.endif
MAN5= kdc.conf.5 krb5.conf.5 .k5login.5
MAN8= krb5kdc.8 kadmin.8 kadmin.local.8 kdb5_util.8 \
ktutil.8 kadmind.8 kprop.8 kpropd.8 sserver.8 \
kshd.8 klogind.8 login.krb5.8 ftpd.8 telnetd.8 \
k5srvutil.8
WRKSRC= ${WRKDIR}/${DISTNAME}/src
WANT_HTML?= YES
HTML_DOC_DIR= ${WRKDIR}/${DISTNAME}/doc
HTML_DOCS= admin.html user-guide.html install.html
HTML_OUTDIRS= krb5-admin krb5-install
.include <bsd.port.pre.mk>
.if defined(USE_KRB5_TARBALL) && ${USE_KRB5_TARBALL} == "MIT"
post-extract:
@${TAR} -C ${WRKDIR} -xzf ${WRKDIR}/${DISTNAME}.tar.gz
@${RM} ${WRKDIR}/${DISTNAME}.tar.gz ${WRKDIR}/${DISTNAME}.tar.gz.asc
.if !defined(EXTRACT_PRESERVE_OWNERSHIP)
@if [ `id -u` = 0 ]; then \
${CHMOD} -R ug-s,go-w ${WRKDIR}/${DISTNAME}; \
${CHOWN} -R 0:0 ${WRKDIR}/${DISTNAME}; \
fi
.endif
.endif
post-patch:
.if ${OSVERSION} >= 500000
@${REINPLACE_CMD} -e '1s,^#!\/usr\/athena,#!${LOCALBASE},' \
${WRKSRC}/../doc/man2html
.else
@${REINPLACE_CMD} -e '1s,^#!\/usr\/athena,#!\/usr,' \
${WRKSRC}/../doc/man2html
.endif
pre-build:
.if !defined(KRB5_KRB4_COMPAT)
@${ECHO} "------------------------------------------------------"
@${ECHO} "Set KRB5_KRB4_COMPAT=NO if you do not want to build "
@${ECHO} "the KerberosIV compatibility libraries. "
@${ECHO} "------------------------------------------------------"
.endif
post-build:
@(cd ${WRKSRC}/../doc && \
${MAKE} ${INFO_FILES})
.if defined(WANT_HTML) && ${WANT_HTML} == "YES"
@(cd ${WRKSRC}/../doc && \
${MAKE} ${HTML_DOCS})
.endif
post-install:
# html documentation
.if defined(WANT_HTML) && ${WANT_HTML} == "YES"
@${MKDIR} ${PREFIX}/share/doc/krb5
for html in ${HTML_DOC_DIR}/*.html; do \
${INSTALL_MAN} $${html} ${PREFIX}/share/doc/krb5; \
${ECHO_CMD} share/doc/krb5/`${BASENAME} $${html}` >> ${TMPPLIST}; \
done
.for htmldir in ${HTML_OUTDIRS}
@${MKDIR} ${PREFIX}/share/doc/krb5/${htmldir}
for html in ${HTML_DOC_DIR}/${htmldir}/*; do \
${INSTALL_MAN} $${html} ${PREFIX}/share/doc/krb5/${htmldir}; \
${ECHO_CMD} share/doc/krb5/${htmldir}/`${BASENAME} $${html}` >> ${TMPPLIST}; \
done
${ECHO_CMD} @dirrm share/doc/krb5/${htmldir} >> ${TMPPLIST}
.endfor
.endif
${ECHO_CMD} @dirrm share/doc/krb5 >> ${TMPPLIST}
# handle info files
.for info in ${INFO_FILES}
${INSTALL_MAN} ${WRKSRC}/../doc/${info} ${PREFIX}/info/${info}
.endfor
.for info in ${INFO_FILES:M*.info}
install-info ${PREFIX}/info/${info} ${PREFIX}/info/dir
.endfor
# fixup packing list (no libs without version numbers in aout case)
.if ${PORTOBJFORMAT} == "aout"
${ECHO_MSG} "Fixing packing list for a.out"
${MV} ${TMPPLIST} ${TMPPLIST}.new
${GREP} -v '\.so$$' ${TMPPLIST}.new > ${TMPPLIST}
${RM} ${TMPPLIST}.new
.endif
@${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR}/README.FreeBSD > ${PREFIX}/share/doc/krb5/README.FreeBSD
@${CHMOD} 444 ${PREFIX}/share/doc/krb5/README.FreeBSD
@${ECHO} "------------------------------------------------------"
@${ECHO} "This port of MIT Kerberos 5 includes remote login "
@${ECHO} "daemons (telnetd and klogind). These daemons default "
@${ECHO} "to using the system login program (/usr/bin/login). "
@${ECHO} "Please see the file "
@${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD"
@${ECHO} "for more information. "
@${ECHO} "------------------------------------------------------"
.include <bsd.port.post.mk>
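Review bot: The `post-extract` target deletes `${DISTNAME}.tar.gz.asc` without ever checking it, so the only integrity control on a Kerberos distribution fetched over plain `http://` is the single MD5 that distinfo records for the outer `.tar`. If the port cannot depend on a PGP tool, a comment above the `${RM}` line such as `# inner .tar.gz.asc is not verified; integrity rests on the distinfo checksum of the outer .tar` would make that trust decision explicit. Separately, the `.if !defined(KRB5_KRB4_COMPAT)` test in `pre-build` can never be true because `KRB5_KRB4_COMPAT?= NO` is assigned earlier in the file, and since that default leaves the compatibility libraries out, the banner text would be wrong even if it were shown. The header comment also names `USE_TARBALL` and `CRYTPO-PUBLISH` where the code uses `USE_KRB5_TARBALL` and `CRYPTO-PUBLISH`.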


@ -0,0 +1 @@
MD5 (krb5-1.3.2-beta1.tar) = b457d2c6cc43a3220469dec4b7f66d48


@ -0,0 +1,32 @@
The MIT KRB5 port provides its own login program at
${PREFIX}/sbin/login.krb5. However, login.krb5 does not make use of
the FreeBSD login.conf and login.access files that provide a means of
setting up and controlling sessions under FreeBSD. To overcome this,
the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
interactive login password authentication instead of the login.krb5
program provided by MIT KRB5. The FreeBSD /usr/bin/login program does
not have support for Kerberos V password authentication,
e.g. authentication at the console. The pam_krb5 port must be used to
provide Kerberos V password authentication.
For more information about pam_krb5, please see pam(8) and pam_krb5(8).
If you wish to use login.krb5 that is provided by the MIT KRB5 port,
the arguments "-L ${PREFIX}/sbin/login.krb5" must be
specified as arguments to klogind and KRB5 telnetd, e.g.
klogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -L ${PREFIX}/sbin/login.krb5
eklogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
telnet stream tcp nowait root ${PREFIX}/sbin/telnetd telnetd -a none -L ${PREFIX}/sbin/login.krb5
Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
of the FreeBSD provided /usr/bin/login for local tty logins,
"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
default:\
:cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
:if=/etc/issue:\
:lo=${PREFIX}/sbin/login.krb5:
It is recommended that the FreeBSD /usr/bin/login be used with the
pam_krb5 port instead of the MIT KRB5 provided login.krb5.


@ -0,0 +1,13 @@
--- ../doc/admin.texinfo Fri Feb 6 21:40:56 1998
+++ admin.texinfo Fri Jun 19 15:13:45 1998
@@ -5,6 +5,10 @@
@c guide
@setfilename krb5-admin.info
@settitle Kerberos V5 System Administrator's Guide
+@dircategory Kerberos V5
+@direntry
+* Admin Guide: (krb5-admin). Kerberos V5 System Admin's Guide
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,13 @@
--- ../doc/user-guide.texinfo Fri Feb 6 21:40:58 1998
+++ user-guide.texinfo Fri Jun 19 15:13:45 1998
@@ -3,6 +3,10 @@
@c guide
@setfilename krb5-user.info
@settitle Kerberos V5 UNIX User's Guide
+@dircategory Kerberos V5
+@direntry
+* User's Guide: (krb5-user). Kerberos V5 UNIX User's Guide
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,13 @@
--- ../doc/install.texinfo Fri Feb 6 21:40:56 1998
+++ install.texinfo Fri Jun 19 15:13:45 1998
@@ -5,6 +5,10 @@
@c guide
@setfilename krb5-install.info
@settitle Kerberos V5 Installation Guide
+@dircategory Kerberos V5
+@direntry
+* Installation Guide: (krb5-install). Kerberos V5 Installation Guide
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,13 @@
--- ../doc/krb425.texinfo Fri Feb 6 21:40:57 1998
+++ krb425.texinfo Fri Jun 19 15:13:45 1998
@@ -5,6 +5,10 @@
@c guide
@setfilename krb425.info
@settitle Upgrading to Kerberos V5 from Kerberos V4
+@dircategory Kerberos V5
+@direntry
+* Upgrading from V4 to V5: (krb425). Upgrading from Kerberos V4 to V5
+@end direntry
@c @setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,28 @@
--- appl/gssftp/ftpd/ftpd.c.orig Wed Jan 9 14:26:51 2002
+++ appl/gssftp/ftpd/ftpd.c Thu Jan 10 19:00:13 2002
@@ -487,7 +487,13 @@
#ifndef LOG_DAEMON
#define LOG_DAEMON 0
#endif
- openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_DAEMON);
+
+#ifndef LOG_FTP
+#define FACILITY LOG_DAEMON
+#else
+#define FACILITY LOG_FTP
+#endif
+ openlog("ftpd", LOG_PID | LOG_NDELAY, FACILITY);
addrlen = sizeof (his_addr);
if (getpeername(0, (struct sockaddr *)&his_addr, &addrlen) < 0) {
@@ -2312,6 +2318,10 @@
if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum),
&kdata.session,&ctrl_addr, &his_addr)) == -1) {
secure_error("ADAT: krb_mk_safe failed");
+ return(0);
+ }
+ if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
+ secure_error("ADAT: reply too long");
return(0);
}
if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
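Review bot: The second hunk inserts a `length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3` check directly above an identical check that already appears as the trailing context line, so after patching the test runs twice and the second copy can never fire. That suggests the bounds check is already present in the source being patched and this hunk was carried over from an older version of the port; dropping it would leave only the `LOG_FTP` facility change. In the first hunk the macro name `FACILITY` is very generic for a file-scope define; something like `FTPD_LOG_FACILITY` is less likely to collide. Both hunks sit inside functions whose start and end are outside the visible lines.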


@ -0,0 +1,19 @@
*** appl/gssftp/ftpd/logwtmp.c.ORIG Fri Feb 6 19:41:25 1998
--- appl/gssftp/ftpd/logwtmp.c Tue Jun 30 19:46:01 1998
***************
*** 66,72 ****
struct stat buf;
time_t time();
! if (fd < 0 && (fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) < 0)
return;
if (fstat(fd, &buf) == 0) {
(void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));
--- 66,72 ----
struct stat buf;
time_t time();
! if (fd < 0 && (fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0)
return;
if (fstat(fd, &buf) == 0) {
(void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));


@ -0,0 +1,12 @@
--- appl/bsd/Makefile.in.orig Wed Feb 28 14:06:43 2001
+++ appl/bsd/Makefile.in Mon Dec 31 21:52:45 2001
@@ -31,8 +31,8 @@
-DUCB_RSH=\"$(UCB_RSH)\" -DUCB_RCP=\"$(UCB_RCP)\"
DEFINES = $(RSH) $(BSD) $(RPROGS) -DKERBEROS \
- -DLOGIN_PROGRAM=\"$(SERVER_BINDIR)/login.krb5\" -DKPROGDIR=\"$(CLIENT_BINDIR)\" \
+ -DLOGIN_PROGRAM=\"/usr/bin/login\" -DKPROGDIR=\"$(CLIENT_BINDIR)\" \
-DHEIMDAL_FRIENDLY
all:: rsh rcp rlogin kshd klogind login.krb5 $(V4RCP)


@ -0,0 +1,35 @@
--- appl/bsd/klogind.M.orig Wed Feb 28 14:06:43 2001
+++ appl/bsd/klogind.M Mon Dec 31 21:22:27 2001
@@ -14,7 +14,7 @@
.B \-kr54cpPef
]
[[ \fB\-w\fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP ]] ]
-[ \fB\-D\fP \fIport\fP ]
+[ \fB\-D\fP \fIport\fP ] [\fB\-L\fP \fIloginpath\fP]
.SH DESCRIPTION
.I Klogind
is the server for the
@@ -107,6 +108,10 @@
Beta5 (May 1995)--present bogus checksums that prevent Kerberos
authentication from succeeding in the default mode.
+.IP \fB\-L\ loginpath\fP
+Specify pathname to an alternative login program. Default: /usr/bin/login.
+KRB5_HOME/sbin/login.krb5 may be specified.
+
.PP
If the
@@ -157,12 +162,6 @@
.IP \fB\-M\ realm\fP
Set the Kerberos realm to use.
-
-.IP \fB\-L\ login\fP
-Set the login program to use. This option only has an effect if
-DO_NOT_USE_K_LOGIN was not defined when
-.I klogind
-was compiled.
.IP \fB\-D\ port\fP
Run in standalone mode, listening on \fBport\fP. The daemon will exit


@ -0,0 +1,23 @@
--- appl/gssftp/ftp/ftp_var.h.orig Tue Jun 17 02:37:40 2003
+++ appl/gssftp/ftp/ftp_var.h Sat Aug 30 05:30:44 2003
@@ -33,6 +33,10 @@
* @(#)ftp_var.h 5.9 (Berkeley) 6/1/90
*/
+#if defined(__FreeBSD_cc_version) && __FreeBSD_cc_version > 500000
+#undef __BSD_VISIBLE
+#endif
+
#ifdef _WIN32
#include <windows.h>
#include <winsock2.h>
@@ -57,9 +61,7 @@
typedef void (*sig_t)(int);
typedef void sigtype;
#else
-#define sig_t my_sig_t
#define sigtype krb5_sigtype
-typedef sigtype (*sig_t)();
#endif
/*


@ -0,0 +1,11 @@
--- appl/telnet/telnetd/Makefile.in.orig Wed Feb 28 14:06:51 2001
+++ appl/telnet/telnetd/Makefile.in Mon Dec 31 21:51:19 2001
@@ -24,7 +24,7 @@
# @(#)Makefile.generic 5.5 (Berkeley) 3/1/91
#
-AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
+AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=\"/usr/bin/login\"
OTHERDEFS=-DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
LOCALINCLUDES=-I.. -I$(srcdir)/..
DEFINES = $(AUTH_DEF) $(OTHERDEFS)


@ -0,0 +1,22 @@
--- appl/telnet/telnetd/telnetd.8.orig Wed Feb 28 14:06:51 2001
+++ appl/telnet/telnetd/telnetd.8 Mon Dec 31 21:16:55 2001
@@ -43,7 +43,7 @@
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
[\fB\-S\fP \fItos\fP] [\fB\-U\fP] [\fB\-X\fP \fIauthtype\fP]
[\fB\-w\fP [\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]]
-[\fB\-debug\fP [\fIport\fP]]
+[\fB\-debug\fP] [\fB\-L\fP \fIloginpath\fP] [\fIport\fP]
.SH DESCRIPTION
The
.B telnetd
@@ -221,6 +221,10 @@
in response to a
.SM DO TIMING-MARK)
for kludge linemode support.
+.TP
+\fB\-L\fP \fIloginpath\fP
+Specify pathname to an alternative login program. Default: /usr/bin/login.
+KRB5_HOME/sbin/login.krb5 may be specified.
.TP
.B \-l
Specifies line mode. Tries to force clients to use line-at-a-time


@ -0,0 +1,38 @@
--- appl/telnet/telnetd/utility.c.orig Wed Jan 9 14:26:59 2002
+++ appl/telnet/telnetd/utility.c Fri Jan 11 13:10:33 2002
@@ -408,18 +408,25 @@
int
netwrite(const char *buf, size_t len)
{
- size_t remain;
+ int remaining, copied;
+
+ remaining = BUFSIZ - (nfrontp - netobuf);
+ while (len > 0) {
+ /* Free up enough space if the room is too low*/
+ if ((len > BUFSIZ ? BUFSIZ : len) > remaining) {
+ netflush();
+ remaining = BUFSIZ - (nfrontp - netobuf);
+ }
- remain = sizeof(netobuf) - (nfrontp - netobuf);
- if (remain < len) {
- netflush();
- remain = sizeof(netobuf) - (nfrontp - netobuf);
+ /* Copy out as much as will fit */
+ copied = remaining > len ? len : remaining;
+ memmove(nfrontp, buf, copied);
+ nfrontp += copied;
+ len -= copied;
+ remaining -= copied;
+ buf += copied;
}
- if (remain < len)
- return 0;
- memcpy(nfrontp, buf, len);
- nfrontp += len;
- return len;
+ return copied;
}
/*
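Review bot: `netwrite()` now returns `copied`, which is the size of the last chunk rather than the number of bytes queued, and which is never assigned when `len` is 0, so the return value is indeterminate in that case. Saving the request size before the loop (`size_t total = len;`) and ending with `return (int)total;` restores the old contract of returning `len` on success. The loop also makes no progress if `netflush()` returns without freeing space, because `copied` is then 0 and `len` never shrinks; the removed code returned 0 in that situation instead of spinning. `remaining` and `copied` are `int` while `len` is `size_t`, so the comparisons are mixed-sign, and the bound changed from `sizeof(netobuf)` to `BUFSIZ`, which is only safe if `netobuf` is at least `BUFSIZ` bytes (its declaration is not in the hunk).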


@ -0,0 +1,195 @@
--- clients/ksu/main.c.orig Wed Aug 14 12:14:49 2002
+++ clients/ksu/main.c Tue Jul 29 18:46:00 2003
@@ -32,6 +32,10 @@
#include <signal.h>
#include <grp.h>
+#ifdef LOGIN_CAP
+#include <login_cap.h>
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -61,7 +65,7 @@
ill specified arguments to commands */
void usage (){
- fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
+ fprintf(stderr, "Usage: %s [target user] [-m] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
}
/* for Ultrix and friends ... */
@@ -77,6 +81,7 @@
int argc;
char ** argv;
{
+ int asme = 0;
int hp =0;
int some_rest_copy = 0;
int all_rest_copy = 0;
@@ -91,6 +96,7 @@
char * cc_target_tag = NULL;
char * target_user = NULL;
char * source_user;
+ char * source_shell;
krb5_ccache cc_source = NULL;
const char * cc_source_tag = NULL;
@@ -117,6 +123,11 @@
krb5_principal kdc_server;
krb5_boolean zero_password;
char * dir_of_cc_target;
+
+#ifdef LOGIN_CAP
+ login_cap_t *lc;
+ int setwhat;
+#endif
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -181,7 +192,7 @@
com_err (prog_name, errno, "while setting euid to source user");
exit (1);
}
- while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
+ while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkmql:e:")) != -1)){
switch (option) {
case 'r':
options.opt |= KDC_OPT_RENEWABLE;
@@ -227,6 +238,9 @@
errflg++;
}
break;
+ case 'm':
+ asme = 1;
+ break;
case 'n':
if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
com_err(prog_name, retval, "when parsing name %s", optarg);
@@ -341,6 +355,7 @@
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
+ source_shell = xstrdup(pwd->pw_shell);
source_uid = pwd->pw_uid;
source_gid = pwd->pw_gid;
@@ -672,43 +687,64 @@
/* get the shell of the user, this will be the shell used by su */
target_pwd = getpwnam(target_user);
- if (target_pwd->pw_shell)
- shell = xstrdup(target_pwd->pw_shell);
- else {
- shell = _DEF_CSH; /* default is cshell */
+ if (asme) {
+ if (source_shell && *source_shell) {
+ shell = strdup(source_shell);
+ } else {
+ shell = _DEF_CSH;
+ }
+ } else {
+ if (target_pwd->pw_shell)
+ shell = strdup(target_pwd->pw_shell);
+ else {
+ shell = _DEF_CSH; /* default is cshell */
+ }
}
#ifdef HAVE_GETUSERSHELL
/* insist that the target login uses a standard shell (root is omited) */
- if (!standard_shell(target_pwd->pw_shell) && source_uid) {
- fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
+ if (asme) {
+ if (!standard_shell(pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ } else {
+ if (!standard_shell(target_pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
}
#endif /* HAVE_GETUSERSHELL */
- if (target_pwd->pw_uid){
-
- if(set_env_var("USER", target_pwd->pw_name)){
+ if (!asme) {
+ if (target_pwd->pw_uid){
+ if (set_env_var("USER", target_pwd->pw_name)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+ if (set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
sweep_up(ksu_context, cc_target);
exit(1);
- }
- }
-
- if(set_env_var( "HOME", target_pwd->pw_dir)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ }
- if(set_env_var( "SHELL", shell)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ if (set_env_var( "SHELL", shell)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+#ifdef LOGIN_CAP
+ lc = login_getpwclass(pwd);
+#endif
/* set the cc env name to target */
@@ -718,7 +754,19 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
-
+
+#ifdef LOGIN_CAP
+ setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
+ setwhat |= LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV;
+ /*
+ * Don't touch resource/priority settings if -m has been
+ * used or -l and -c hasn't, and we're not su'ing to root.
+ */
+ if (target_pwd->pw_uid)
+ setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
+ if (setusercontext(lc, target_pwd, target_pwd->pw_uid, setwhat) < 0)
+ err(1, "setusercontext");
+#else
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -759,6 +807,7 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
+#endif
if (access( cc_target_tag_tmp, R_OK | W_OK )){
com_err(prog_name, errno,
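Review bot: In the `-m` path the shell check reads `pwd->pw_shell`, and the LOGIN_CAP block calls `login_getpwclass(pwd)`, after `target_pwd = getpwnam(target_user)` has run; `pwd` is the source user's entry (it feeds `source_user` and `source_shell`), and if it came from an earlier getpw* call its static storage may already have been overwritten with the target's entry. Using the saved copy, `standard_shell(source_shell)`, avoids that, and the class lookup should name the entry it is meant to describe, presumably `login_getpwclass(target_pwd)` since the result is passed to `setusercontext()` together with `target_pwd`. The new failure path `err(1, "setusercontext")` skips `sweep_up(ksu_context, cc_target)`, unlike the neighbouring error exits, so the target credential cache is left behind; it should follow the same pattern of `sweep_up(...)` then `exit(1)`. The comment above `setwhat &= ~(...)` mentions `-m`, `-l` and `-c`, but the condition tests only `target_pwd->pw_uid`. `main()` begins and ends outside these hunks.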


@ -0,0 +1,14 @@
*** include/syslog.h.ORIG Fri Feb 6 19:42:12 1998
--- include/syslog.h Tue Jun 30 19:46:02 1998
***************
*** 34,39 ****
--- 34,42 ----
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
+ #if (defined(BSD) && (BSD >= 199306))
+ #define LOG_FTP (11<<3) /* ftp daemon */
+ #endif
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */


@ -0,0 +1,15 @@
*** clients/ksu/Makefile.in.ORIG Sun Aug 2 16:51:18 1998
--- clients/ksu/Makefile.in Sun Aug 2 16:53:48 1998
***************
*** 3,7 ****
mydir=ksu
BUILDTOP=$(REL)$(U)$(S)$(U)
! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
--- 3,7 ----
mydir=ksu
BUILDTOP=$(REL)$(U)$(S)$(U)
! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"'
CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)


@ -0,0 +1,11 @@
--- ../doc/Makefile.orig Fri Sep 20 10:35:27 2002
+++ ../doc/Makefile Tue Jul 29 18:53:08 2003
@@ -1,7 +1,7 @@
SRCDIR=../src
DVI=texi2dvi
DVIPS=dvips -o "$@"
-INFO=makeinfo
+INFO=makeinfo --no-validate
HTML=makeinfo --html
RM=rm -f
TAR=tar -chvf


@ -0,0 +1,50 @@
--- util/pty/getpty.c.orig Wed Jan 9 14:28:37 2002
+++ util/pty/getpty.c Thu Jan 10 21:30:40 2002
@@ -24,13 +24,26 @@
#include "libpty.h"
#include "pty-int.h"
+#ifdef __FreeBSD__
+#define PTYCHARS1 "pqrsPQRS"
+#define PTYCHARS2 "0123456789abcdefghijklmnopqrstuv"
+#endif
+
+#ifndef PTYCHARS1
+#define PTYCHARS1 "pqrstuvwxyzPQRST"
+#endif
+
+#ifndef PTYCHARS2
+#define PTYCHARS2 "0123456789abcdef"
+#endif
+
long
ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt)
{
+ int ptynum;
+ char *cp1, *cp2;
#if !defined(HAVE__GETPTY) && !defined(HAVE_OPENPTY)
- char *cp;
char *p;
- int i,ptynum;
struct stat stb;
char slavebuf[1024];
#endif
@@ -115,14 +128,14 @@
strncpy(slave, slavebuf, slavelength);
return 0;
} else {
- for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
+ for (cp1 = PTYCHARS1; *cp1 != '\0'; cp1++) {
sprintf(slavebuf,"/dev/ptyXX");
- slavebuf[sizeof("/dev/pty") - 1] = *cp;
+ slavebuf[sizeof("/dev/pty") - 1] = *cp1;
slavebuf[sizeof("/dev/ptyp") - 1] = '0';
if (stat(slavebuf, &stb) < 0)
break;
- for (i = 0; i < 16; i++) {
- slavebuf[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
+ for (cp2 = PTYCHARS2; *cp2 != '\0'; cp2++) {
+ slavebuf[sizeof("/dev/ptyp") - 1] = *cp2;
*fd = open(slavebuf, O_RDWR);
if (*fd < 0) continue;
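Review bot: `ptynum`, `cp1` and `cp2` are now declared ahead of the `#if !defined(HAVE__GETPTY) && !defined(HAVE_OPENPTY)` guard, while the declarations they replace were inside it, so builds that take the `_getpty`/`openpty` route may get unused-variable warnings. Keeping them inside the guard next to `char *p;` preserves the old scoping, and since they only walk the `PTYCHARS1`/`PTYCHARS2` string literals they can be declared `const char *cp1, *cp2;`. The function body continues beyond both hunks, so whether the fallback loop is compiled on the platforms this port targets cannot be confirmed from here.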


@ -0,0 +1,77 @@
--- appl/bsd/login.c.orig Tue May 27 21:06:25 2003
+++ appl/bsd/login.c Tue Jul 29 20:52:25 2003
@@ -1342,19 +1342,6 @@
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
}
- /* Policy: If local password is good, user is good.
- We really can't trust the Kerberos password,
- because somebody on the net could spoof the
- Kerberos server (not easy, but possible).
- Some sites might want to use it anyways, in
- which case they should change this line
- to:
- if (kpass_ok)
- */
-
- if (lpass_ok)
- break;
-
if (got_v5_tickets) {
retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
NULL, &xtra_creds,
@@ -1378,6 +1365,9 @@
}
#endif /* KRB4_GET_TICKETS */
+ if (lpass_ok)
+ break;
+
bad_login:
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
@@ -1667,21 +1657,23 @@
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
- if ((retval = krb5_cc_default(kcontext, &ccache))) {
+ if ((retval = krb5_cc_default(kcontext, &ccache)))
com_err(argv[0], retval, "while getting default ccache");
- } else if ((retval = krb5_cc_initialize(kcontext, ccache, me))) {
- com_err(argv[0], retval, "when initializing cache");
- } else if ((retval = krb5_cc_store_cred(kcontext, ccache,
- &my_creds))) {
- com_err(argv[0], retval, "while storing credentials");
- } else if (xtra_creds &&
- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
- ccache))) {
- com_err(argv[0], retval, "while storing credentials");
+ else {
+ if (retval = krb5_cc_initialize(kcontext, ccache, me))
+ com_err(argv[0], retval, "when initializing cache");
+ else {
+ if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds))
+ com_err(argv[0], retval, "while storing credentials");
+ else {
+ if (xtra_creds &&
+ (retval = krb5_cc_copy_creds(kcontext, xtra_creds, ccache))) {
+ com_err(argv[0], retval, "while storing credentials");
+ krb5_cc_destroy(kcontext, xtra_creds);
+ }
+ }
+ }
}
-
- if (xtra_creds)
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
@@ -1762,6 +1754,7 @@
if (ccname)
setenv("KRB5CCNAME", ccname, 1);
+ krb5_cc_set_default_name(kcontext, ccname);
setenv("HOME", pwd->pw_dir, 1);
setenv("PATH", LPATH, 1);
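Review bot: After the reshaped credential-cache block, `krb5_cc_destroy(kcontext, xtra_creds)` runs only when `krb5_cc_copy_creds()` fails, whereas the removed lines destroyed `xtra_creds` whenever it was non-NULL. On the success path, and when `krb5_cc_default`, `krb5_cc_initialize` or `krb5_cc_store_cred` fails, the extra credential cache is now left alive; re-adding `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);` after the outer `else` block restores the cleanup. In the last hunk `krb5_cc_set_default_name(kcontext, ccname)` is placed after an unbraced `if (ccname)`, so it runs even when `ccname` is NULL and its return value is ignored; if that is intended, a short comment saying so would help. The enclosing function starts and ends outside these hunks.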


@ -0,0 +1,10 @@
--- appl/telnet/telnet/Makefile.in.orig Sat Dec 18 10:47:05 1999
+++ appl/telnet/telnet/Makefile.in Sat Dec 18 10:47:13 1999
@@ -58,7 +58,6 @@
$(INSTALL_DATA) $(srcdir)/$$f.1 \
${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
- $(INSTALL_DATA) $(srcdir)/tmac.doc ${DESTDIR}$(CLIENT_MANDIR)/tmac.doc
authenc.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET)
commands.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET)


@ -0,0 +1,10 @@
--- config/pre.in.orig Tue May 27 21:06:28 2003
+++ config/pre.in Wed Aug 6 11:11:54 2003
@@ -152,6 +152,7 @@
INSTALL=@INSTALL@
INSTALL_STRIP=
INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+INSTALL_SCRIPT=@INSTALL_SCRIPT@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root


@ -0,0 +1,19 @@
--- config/shlib.conf.orig Sun Mar 2 23:09:45 2003
+++ config/shlib.conf Tue Jul 29 18:16:43 2003
@@ -179,14 +179,15 @@
PICFLAGS=-fpic
if test "x$objformat" = "xelf" ; then
SHLIBVEXT='.so.$(LIBMAJOR)'
+ LDCOMBINE='cc -shared -Wl,-soname,lib$(LIB)$(SHLIBVEXT)'
RPATH_FLAG='-Wl,-rpath -Wl,'
else
+ LDCOMBINE='ld -Bshareable'
RPATH_FLAG=-R
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
fi
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
SHLIBEXT=.so
- LDCOMBINE='ld -Bshareable'
SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
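Review bot: The ELF branch sets `LDCOMBINE='cc -shared -Wl,-soname,lib$(LIB)$(SHLIBVEXT)'` with a literal `cc`, so a build that selects another compiler through `CC` links its shared libraries with a different driver than it compiled with. `CC_LINK_SHARED` a few lines below already uses `$(CC)`; `LDCOMBINE='$(CC) -shared -Wl,-soname,lib$(LIB)$(SHLIBVEXT)'` would be consistent with it. The `if`/`else` shown is part of a larger block that starts outside the hunk.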


@ -0,0 +1,11 @@
--- kadmin/cli/Makefile.in.orig Fri Feb 7 13:41:20 2003
+++ kadmin/cli/Makefile.in Tue Aug 5 16:32:02 2003
@@ -21,7 +21,7 @@
install::
$(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
- $(INSTALL_PROGRAM) $(srcdir)/k5srvutil.sh ${DESTDIR}$(ADMIN_BINDIR)/k5srvutil
+ $(INSTALL_SCRIPT) $(srcdir)/k5srvutil.sh ${DESTDIR}$(ADMIN_BINDIR)/k5srvutil
$(INSTALL_DATA) $(srcdir)/k5srvutil.M ${DESTDIR}$(ADMIN_MANDIR)/k5srvutil.8
$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8
$(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8


@ -0,0 +1,12 @@
--- lib/krb5/krb/srv_rcache.c 1999-09-24 17:19:48.000000000 -0400
+++ lib/krb5/krb/srv_rcache.c 2003-02-03 19:29:32.000000000 -0500
@@ -48,6 +48,9 @@
unsigned long uid = geteuid();
#endif
+ if (piece == NULL)
+ return ENOMEM;
+
rcache = (krb5_rcache) malloc(sizeof(*rcache));
if (!rcache)
return ENOMEM;


@ -0,0 +1,14 @@
--- lib/krb5/os/hst_realm.c.orig Tue Oct 15 15:51:50 2002
+++ lib/krb5/os/hst_realm.c Sat Jan 24 20:11:05 2004
@@ -438,9 +438,11 @@
return EAFNOSUPPORT;
case EAI_MEMORY:
return ENOMEM;
+#ifdef EAI_NODATA
#if EAI_NODATA != EAI_NONAME
case EAI_NODATA:
return KRB5_EAI_NODATA;
+#endif
#endif
case EAI_NONAME:
return KRB5_EAI_NONAME;


@ -0,0 +1,13 @@
--- lib/krb5/os/locate_kdc.c.orig Mon Jun 9 14:27:56 2003
+++ lib/krb5/os/locate_kdc.c Sun Jan 25 13:28:01 2004
@@ -185,8 +185,10 @@
#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
#endif
+#ifdef EAI_NODATA
#if EAI_NODATA != EAI_NONAME
case EAI_NODATA:
+#endif
#endif
case EAI_NONAME:
/* Name not known or no address data, but no error. Do


@ -0,0 +1,24 @@
Kerberos V5 is an authentication system developed at MIT.
WWW: http://web.mit.edu/kerberos/www/
Abridged from the User Guide:
Under Kerberos, a client sends a request for a ticket to the
Key Distribution Center (KDC). The KDC creates a ticket-granting
ticket (TGT) for the client, encrypts it using the client's
password as the key, and sends the encrypted TGT back to the
client. The client then attempts to decrypt the TGT, using
its password. If the client successfully decrypts the TGT, it
keeps the decrypted TGT, which indicates proof of the client's
identity. The TGT permits the client to obtain additional tickets,
which give permission for specific services.
Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the internet, it
provides a layer of security that is not dependent on which side of a
firewall either client is on.
The Kerberos V5 package is designed to be easy to use. Most of the
commands are nearly identical to UNIX network programs you are already
used to. Kerberos V5 is a single-sign-on system, which means that you
have to type your password only once per session, and Kerberos does
the authenticating and encrypting transparently.
Jacques Vidrine <n@nectar.com>


@ -0,0 +1,108 @@
@unexec install-info --delete %D/info/krb425.info %D/info/dir
@unexec install-info --delete %D/info/krb5-admin.info %D/info/dir
@unexec install-info --delete %D/info/krb5-install.info %D/info/dir
@unexec install-info --delete %D/info/krb5-user.info %D/info/dir
bin/compile_et
bin/ftp
bin/gss-client
bin/kdestroy
bin/kinit
bin/klist
bin/kpasswd
bin/krb5-config
%%KRB4%%bin/krb524init
bin/ksu
bin/kvno
bin/rcp
bin/rlogin
bin/rsh
bin/sclient
bin/sim_client
bin/telnet
bin/uuclient
%%KRB4%%bin/v4rcp
bin/v5passwd
include/com_err.h
include/gssapi/gssapi.h
include/gssapi/gssapi_generic.h
include/gssapi/gssapi_krb5.h
%%KRB4%%include/kerberosIV/des.h
%%KRB4%%include/kerberosIV/kadm_err.h
%%KRB4%%include/kerberosIV/krb.h
%%KRB4%%include/kerberosIV/krb_err.h
%%KRB4%%include/kerberosIV/mit-copyright.h
include/krb5.h
include/profile.h
info/krb425.info
info/krb5-admin.info
info/krb5-admin.info-1
info/krb5-admin.info-2
info/krb5-admin.info-3
info/krb5-install.info
info/krb5-install.info-1
info/krb5-install.info-2
info/krb5-user.info
lib/libcom_err.a
lib/libcom_err.so
lib/libcom_err.so.3
lib/libdes425.a
lib/libdes425.so
lib/libdes425.so.3
lib/libgssapi_krb5.a
lib/libgssapi_krb5.so
lib/libgssapi_krb5.so.2
lib/libgssrpc.a
lib/libgssrpc.so
lib/libgssrpc.so.3
lib/libk5crypto.a
lib/libk5crypto.so
lib/libk5crypto.so.3
lib/libkadm5clnt.a
lib/libkadm5clnt.so
lib/libkadm5clnt.so.5
lib/libkadm5srv.a
lib/libkadm5srv.so
lib/libkadm5srv.so.5
lib/libkdb5.a
lib/libkdb5.so
lib/libkdb5.so.4
%%KRB4%%lib/libkrb4.a
%%KRB4%%lib/libkrb4.so
%%KRB4%%lib/libkrb4.so.2
lib/libkrb5.a
lib/libkrb5.so
lib/libkrb5.so.3
sbin/ftpd
sbin/gss-server
sbin/k5srvutil
sbin/kadmin
sbin/kadmin.local
sbin/kadmind
%%KRB4%%sbin/kadmind4
sbin/kdb5_util
sbin/klogind
sbin/kprop
sbin/kpropd
sbin/krb5-send-pr
%%KRB4%%sbin/krb524d
sbin/krb5kdc
sbin/kshd
sbin/ktutil
sbin/login.krb5
sbin/sim_server
sbin/sserver
sbin/telnetd
sbin/uuserver
sbin/v5passwdd
share/doc/krb5/README.FreeBSD
share/et/et_c.awk
share/et/et_h.awk
share/gnats/mit
@dirrm include/gssapi
@dirrm include/kerberosIV
@dirrm share/et
@dirrm share/gnats
@exec install-info %D/info/krb425.info %D/info/dir
@exec install-info %D/info/krb5-admin.info %D/info/dir
@exec install-info %D/info/krb5-install.info %D/info/dir
@exec install-info %D/info/krb5-user.info %D/info/dir