From rt-comment at krbdev.mit.edu Mon Jun 1 18:39:34 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 1 Jun 2009 22:39:34 +0000 (UTC)
Subject: [krbdev.mit.edu #6506] SVN Commit

krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls back to the old stash file format. If the stash file was in keytab format, but didn't contain the desired master key, we would try to read a keytab file as a stash file. This could succeed or fail depending on byte order and other unpredictable factors. The upshot was that one of the libkadm5 unit tests (init 108) was getting a different error code on different platforms.

To fix this, only try the stash file format if we get KRB5_KEYTAB_BADVNO trying the keytab format. This requires reworking the error handling logic.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22397
Commit By: ghudson
Revision: 22397
Changed Files:
U trunk/src/lib/kdb/kdb_default.c


From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Tue, 2 Jun 2009 00:12:07 +0000 (UTC)
Subject: [krbdev.mit.edu #6507] kdb5_util update_princ_encryption uses latest mkey instead of active mkey

Another bug which Tom found, and I've investigated a little bit:

1. kdb5_util add_mkey -s
2. kdb5_util update_princ_encryption

The second command updates all of the principals to the new key even though it hasn't been activated with use_mkey yet.
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Sat, 6 Jun 2009 03:55:47 +0000 (UTC)
Subject: [krbdev.mit.edu #6508] SVN Commit

The variable sp is never initialized. If the first argument to the function is null, the code falls through to freeing sp if valid. However, sp is never set.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22402
Commit By: epeisach
Revision: 22402
Changed Files:
U trunk/src/lib/kadm5/srv/server_acl.c


From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Sat, 6 Jun 2009 13:46:08 +0000 (UTC)
Subject: [krbdev.mit.edu #6509] SVN Commit

In kadm5int_acl_parse_line, if you set up an ACL w/ restrictions (i.e. the four-argument ACL format) but have an error parsing the first few fields, acle is NULLed out and is then dereferenced. This adds a conditional and indents according to the krb5 C style...

http://src.mit.edu/fisheye/changelog/krb5/?cs=22403
Commit By: epeisach
Revision: 22403
Changed Files:
U trunk/src/lib/kadm5/srv/server_acl.c
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 8 Jun 2009 10:01:59 +0000 (UTC)
Subject: [krbdev.mit.edu #6510] SVN Commit

Add enough static linking support to run the test suite without shared libraries, to facilitate gcov and other kinds of instrumentation. The necessary changes include:

* Undo some of the changes which removed static linking support, and cannibalize the defunct krb5_force_static conditional block in aclocal.m4.
* Add --enable-static-only configure option.
* For plugins, use a different symbol name for static and dynamic builds, via a macro in k5plugin.h.
* Add build machinery for building static libraries for plugins (somewhat grotty due to the difference in names).
* Move plugin subdirs earlier in SUBDIRS in src/Makefile.in.
* Make the in-tree KDB5 plugins dependencies of libkdb5 in a static build (aclocal.m4 has to know what they are).
* In kdb5.c, cannibalize the broken _KDB5_STATIC_LINK support to allow "loading" of statically linked plugin libraries.

Preauth, authdata, locate, and GSSAPI plugins are not handled by this change, as they are not currently necessary to the test suite. Supporting GSSAPI plugins may be a bit tricky but the others should be straightforward if they become needed.

$(STLIBEXT) changes from .a-nobuild to .a in a normal shared build as a result of these changes (except on AIX where aclocal.m4 changes it). This does not seem to be important as we avoid selecting the static library for building via other means.
http://src.mit.edu/fisheye/changelog/krb5/?cs=22406
Commit By: ghudson
Revision: 22406
Changed Files:
U trunk/src/Makefile.in
U trunk/src/aclocal.m4
U trunk/src/config/libnover.in
U trunk/src/config/libpriv.in
U trunk/src/config/pre.in
U trunk/src/include/k5-plugin.h
U trunk/src/lib/kdb/kdb5.c
U trunk/src/plugins/authdata/greet/Makefile.in
U trunk/src/plugins/kdb/db2/Makefile.in
U trunk/src/plugins/kdb/db2/db2_exp.c
U trunk/src/plugins/kdb/ldap/Makefile.in
U trunk/src/plugins/kdb/ldap/ldap_exp.c
U trunk/src/plugins/locate/python/Makefile.in
U trunk/src/plugins/preauth/encrypted_challenge/Makefile.in
U trunk/src/plugins/preauth/pkinit/Makefile.in
U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
U trunk/src/plugins/preauth/pkinit/pkinit_srv.c
From: rt-comment at krbdev.mit.edu (pgp@psu.edu via RT)
Date: Tue, 9 Jun 2009 18:23:20 +0000 (UTC)
Subject: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP

Not a diff, but here are the two locations in 1.7 where the two |if| statements need switched around:

Location 1:

   941     /* The client's password must not be expired, unless the server is
   942        a KRB5_KDC_PWCHANGE_SERVICE. */
   943     if (client.pw_expiration && client.pw_expiration < kdc_time &&
   944         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
   945         *status = "CLIENT KEY EXPIRED";
   946 #ifdef KRBCONF_VAGUE_ERRORS
   947         return(KRB_ERR_GENERIC);
   948 #else
   949         return(KDC_ERR_KEY_EXP);
   950 #endif
   951     }
   952
   953     /* The client must not be expired */
   954     if (client.expiration && client.expiration < kdc_time) {
   955         *status = "CLIENT EXPIRED";
   956 #ifdef KRBCONF_VAGUE_ERRORS
   957         return(KRB_ERR_GENERIC);
   958 #else
   959         return(KDC_ERR_NAME_EXP);
   960 #endif
   961     }

Location 2:

  1873     /* The client's password must not be expired, unless the server is
  1874        a KRB5_KDC_PWCHANGE_SERVICE. */
  1875     if (client->pw_expiration && client->pw_expiration < kdc_time) {
  1876         *status = "CLIENT KEY EXPIRED";
  1877         return KDC_ERR_KEY_EXP;
  1878     }
  1879
  1880     /* The client must not be expired */
  1881     if (client->expiration && client->expiration < kdc_time) {
  1882         *status = "CLIENT EXPIRED";
  1883         return KDC_ERR_NAME_EXP;
  1884     }

-Phil
From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Wed, 10 Jun 2009 02:55:24 +0000 (UTC)
Subject: [krbdev.mit.edu #6511] SVN Commit

clang picked up on a path in which krberror is not set and passed as an argument to krb5_free_error(). Essentially if the clearresult length < 2 but everything decodes - you can hit this path...

http://src.mit.edu/fisheye/changelog/krb5/?cs=22409
Commit By: epeisach
Revision: 22409
Changed Files:
U trunk/src/lib/krb5/krb/chpw.c


From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Thu, 11 Jun 2009 17:01:16 +0000 (UTC)
Subject: [krbdev.mit.edu #6512] SVN Commit

krb5int_yarrow_final tests if the Yarrow_CTX* is valid (not NULL) - and if not - signals an error for return - but still invokes mem_zero (memset) with it as an argument. This will only happen in an out-of-memory situation.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22410
Commit By: epeisach
Revision: 22410
Changed Files:
U trunk/src/lib/crypto/yarrow/yarrow.c
From: rt-comment at krbdev.mit.edu (Ed Ravin via RT)
Date: Tue, 16 Jun 2009 22:08:45 +0000 (UTC)
Subject: [krbdev.mit.edu #6513] krb-1.7 kadmind not logging IP address of requests

Using NetBSD 5.0 on Intel. Upgraded from krb5-1.6.3 with patches to krb5-1.7. kadmind logging now looks like this:

    Jun 16 16:35:36 juggler.panix.com kadmind[14915](Notice): chpw request from for elr at PANIX.COM: success

Looked a little deeper - it's this code in src/kadmin/server/schpw.c that is kicking in:

    if (getnameinfo(ss2sa(&ss), salen,
                    addrbuf, sizeof(addrbuf), NULL, 0,
                    NI_NUMERICHOST | NI_NUMERICSERV) != 0)
        strlcpy(addrbuf, "", sizeof(addrbuf));

And the return code from getnameinfo was 4 (name resolution failure).

I'm confused by this code, which appears in several spots in krb5 - it seems to disable logging of source IP addresses of requests if there's a local resolution error? Why not just show the IP address and leave it at that?

My build process gave these flags to ./configure (same as what we used for previous versions):

    configflags="\
    --prefix=/pkg/$PRODUCT \
    --mandir=/pkg/$PRODUCT/man \
    CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2' \
    --sysconfdir=/etc/kerberosV \
    --localstatedir=/var \
    --libdir=/pkg/$PRODUCT/kerblib \
    --enable-shared \
    "

krb5-config info:

    -I/pkg/krb5-1.7/include -L/pkg/krb5-1.7/kerblib -R/pkg/krb5-1.7/kerblib -lkrb5 -lk5crypto -lcom_err -lresolv

Thanks,

-- Ed
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Wed, 17 Jun 2009 00:18:26 +0000 (UTC)
Subject: [krbdev.mit.edu #6513] krb-1.7 kadmind not logging IP address of requests

On Jun 16, 2009, at 18:08, Ed Ravin via RT wrote:
> Looked a little deeper - it's this code in src/kadmin/server/schpw.c
> that is kicking in:
>
>     if (getnameinfo(ss2sa(&ss), salen,
>                     addrbuf, sizeof(addrbuf), NULL, 0,
>                     NI_NUMERICHOST | NI_NUMERICSERV) != 0)
>         strlcpy(addrbuf, "", sizeof(addrbuf));
>
> And the return code from getnameinfo was 4 (name resolution failure).

Since NI_NUMERICHOST means to return the numeric form of the host address and not look up a name, and NI_NUMERICSERV means to do likewise for the service/port, this sounds like a bug. Though, when no buffer for the service name is supplied, it is kind of odd to be passing the NI_NUMERICSERV flag. However, "name resolution failure" is kind of a strange way to complain about it.

I just tried this little test program on my netbsd 5.0 system and it seems to work fine, printing out the address as "10.10.10.10":

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <stdio.h>

    /* A fixed IPv4 peer; 0x0a0a0a0a is 10.10.10.10 in either byte order. */
    struct sockaddr_in s = {
        .sin_len = sizeof(s),
        .sin_family = AF_INET,
        .sin_addr = { .s_addr = 0x0a0a0a0a },
        .sin_port = 47,
    };
    char addrbuf[NI_MAXHOST];

    int main ()
    {
        int r = getnameinfo((struct sockaddr*)&s, sizeof s,
                            addrbuf, sizeof(addrbuf), NULL, 0,
                            NI_NUMERICHOST | NI_NUMERICSERV);
        printf("retval=%d/%s addrbuf=%s\n", r, gai_strerror(r), addrbuf);
        return 0;
    }

Perhaps something else is amiss, like salen or ss.ss_len being incorrect and getnameinfo being picky? Or it's unhappy about some other field in a sockaddr_in6 structure?

> I'm confused by this code, which appears in several spots in krb5 - it
> seems to disable logging of source IP addresses of requests if there's
> a local resolution error? Why not just show the IP address and
> leave it
> at that?

We are, in fact, trying to do that.
-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium


From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT)
Date: Wed, 17 Jun 2009 17:51:32 +0000 (UTC)
Subject: [krbdev.mit.edu #6512] SVN Commit

In the previous patch I neglected a potential NULL deref in the call to krb5int_yarrow_cipher_final. Trivial fix.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22413
Commit By: epeisach
Revision: 22413
Changed Files:
U trunk/src/lib/crypto/yarrow/yarrow.c


From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 18 Jun 2009 21:56:50 +0000 (UTC)
Subject: [krbdev.mit.edu #6514] SVN Commit

The replay cache type implementations are responsible for freeing the main rcache structure when the cache handle is closed. The 'none' rcache type wasn't doing this, resulting in a small memory leak each time such a cache was opened and closed. Not a big deal for a server process servicing a single client, but it could accumulate (very, very slowly) for a long-running server.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22417
Commit By: raeburn
Revision: 22417
Changed Files:
_U trunk/
U trunk/src/lib/krb5/rcache/rc_none.c
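Returning to the getnameinfo() failure discussed in #6513 above: the following is an added example, not code from krb5's schpw.c, showing the same logging helper with salen derived from the family stored in the sockaddr_storage, which is the mismatch Ken suspects. It assumes a Linux/glibc-style getnameinfo(); KAME-derived stacks such as NetBSD's additionally compare salen with sa_len and return EAI_FAIL (4 on those systems) on mismatch, which would fit the return code Ed reports, but that reading is mine and not established on the page.

```c
/* Added example (not krb5 code): format a peer address numerically the way
 * schpw.c intends, but compute salen from the address family instead of
 * trusting a length that may be wrong. A bad salen makes getnameinfo() fail,
 * and the logged address silently becomes "", the symptom in #6513. */
#define _DEFAULT_SOURCE 1
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifndef NI_MAXHOST
#define NI_MAXHOST 1025
#endif

/* Socket length matching the family in ss; 0 for an unsupported family. */
socklen_t salen_for_family(const struct sockaddr_storage *ss)
{
    switch (ss->ss_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* Same contract as the schpw.c snippet: buf receives the numeric host
 * address, or "" when getnameinfo() fails. The status is returned so a
 * caller can log *why* the address is missing rather than dropping it. */
int format_peer(const struct sockaddr_storage *ss, socklen_t salen,
                char *buf, size_t buflen)
{
    int r = getnameinfo((const struct sockaddr *)ss, salen, buf, buflen,
                        NULL, 0, NI_NUMERICHOST);
    if (r != 0)
        buf[0] = '\0';
    return r;
}

/* Constructed peers for the demonstration; no real traffic is involved.
 * The union avoids aliasing problems when filling in the family structs. */
union peer {
    struct sockaddr_storage ss;
    struct sockaddr_in      in;
    struct sockaddr_in6     in6;
};

static union peer peer_v4(const char *ip, unsigned short port)
{
    union peer p;
    memset(&p, 0, sizeof(p));
    p.in.sin_family = AF_INET;
    p.in.sin_port = htons(port);
    inet_pton(AF_INET, ip, &p.in.sin_addr);
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
    p.in.sin_len = sizeof(struct sockaddr_in);   /* BSD stacks check this too */
#endif
    return p;
}

static union peer peer_v6(const char *ip, unsigned short port)
{
    union peer p;
    memset(&p, 0, sizeof(p));
    p.in6.sin6_family = AF_INET6;
    p.in6.sin6_port = htons(port);
    inet_pton(AF_INET6, ip, &p.in6.sin6_addr);
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
    p.in6.sin6_len = sizeof(struct sockaddr_in6);
#endif
    return p;
}

static char addrbuf[NI_MAXHOST];

/* Family-derived length for an IPv4 peer: yields "10.10.10.10". */
const char *demo_v4(void)
{
    union peer p = peer_v4("10.10.10.10", 464);
    format_peer(&p.ss, salen_for_family(&p.ss), addrbuf, sizeof(addrbuf));
    return addrbuf;
}

/* The same for an IPv6 peer: yields "2001:db8::1". */
const char *demo_v6(void)
{
    union peer p = peer_v6("2001:db8::1", 464);
    format_peer(&p.ss, salen_for_family(&p.ss), addrbuf, sizeof(addrbuf));
    return addrbuf;
}

/* salen one byte short of sizeof(struct sockaddr_in): getnameinfo() rejects
 * it (EAI_FAMILY on glibc), and the address that would be logged is "". */
int demo_short_salen(void)
{
    union peer p = peer_v4("10.10.10.10", 464);
    return format_peer(&p.ss, sizeof(struct sockaddr_in) - 1,
                       addrbuf, sizeof(addrbuf));
}
```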
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Thu, 18 Jun 2009 23:25:27 +0000 (UTC)
Subject: [krbdev.mit.edu #6515] SVN Commit

In profile_node_iterator we unlock a mutex in order to call profile_update_file_data, which wants to lock that mutex itself, and then when it returns we re-lock the mutex. (We don't use recursive mutexes, and I would continue to argue that we shouldn't.) On the Mac, when running multiple threads, it appears that this results in very poor performance, and much system and user CPU time is spent working with the locks. (Linux doesn't seem to suffer as much.)

So: Split profile_update_file_data into a locking wrapper, and an inner routine that does the real work but requires that the lock be held on entry. Call the latter from profile_node_iterator *without* unlocking first, and only unlock if there's an error. This doesn't move any significant amount of work into the locking region; it pretty much just joins locking regions that were disjoint for no good reason.

On my tests on an 8-core Mac, in a test program running gss_init_sec_context in a loop in 6 threads, this brought CPU usage per call down by 40%, and improved wall-clock time even more. Single-threaded performance improved very slightly, probably in the noise. Linux showed modest improvement (5% or less) in CPU usage in a 3-thread test on a 4-core system.

Similar tests with gss_accept_sec_context showed similar contention around the profile-library mutexes, but I haven't analyzed the performance changes there from this patch. More work is needed, but this will help.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22418
Commit By: raeburn
Revision: 22418
Changed Files:
U trunk/src/util/profile/prof_file.c
U trunk/src/util/profile/prof_int.h
U trunk/src/util/profile/prof_tree.c
From: rt-comment at krbdev.mit.edu (megacz@cs.berkeley.edu via RT)
Date: Sun, 21 Jun 2009 17:42:06 +0000 (UTC)
Subject: [krbdev.mit.edu #6516] Re: Reading kerberos-adm from DNS (PATCH)

The following message is a courtesy copy of an article that has been posted to gmane.comp.encryption.kerberos.general,gmane.comp.encryption.kerberos.devel as well.

It seems that this patch didn't wind up in the recent kerberos release. Do you think somebody could review it for inclusion soon, so that it has a chance of making it into the next release? If any changes need to be made, please let me know and I will make them.

Thanks!

- a

Ken Raeburn writes:

> Sure. :)
> At first glance it looks good, but I want to have a closer look
> before committing it (unless someone else gets to it first). Thanks
> for sending it in!
>
> Adam Megacz writes:
> > Hi, would it be possible for the Kerberos maintainers to consider the
> > patch below for inclusion in the main libkadm5 distribution?
> >
> > - a
> >
> > Adam Megacz writes:
> >> Ken Raeburn writes:
> >>>> I believe the future has already arrived. Current MIT code should
> >>>> be capable of finding and using records like this:
> >>>>
> >>>> spam% dig _kerberos-adm._tcp.umich.edu srv
> >>>
> >>> This is used for the password-changing service, but unfortunately the
> >>> RPC code used for the kadmin program still looks up admin_server, and
> >>> uses the first IP address found when looking up that hostname. No
> >>> DNS, one hostname, one address, no service-location plugin support,
> >>> no IPv6. These do need to be fixed....
> >>
> >> This should help.
> >>
> >> - a
> >>
> >>
> >> diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
> >> index bb87f88..48b1792 100644
> >> --- a/src/lib/kadm5/alt_prof.c
> >> +++ b/src/lib/kadm5/alt_prof.c
> >> @@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, > >> params.admin_server = strdup(params_in->admin_server); > >> if (params.admin_server) > >> params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> - } else if (aprofile && > >> - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { > >> - params.admin_server = svalue; > >> - params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> + } else if (aprofile) { > >> + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { > >> + params.admin_server = svalue; > >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> + } else { > >> + struct addrlist addrlist; > >> + int i; > >> + krb5_data drealm; > >> + drealm.data = (void*)params.realm; > >> + drealm.length = strlen(params.realm); > >> + if (!krb5int_locate_server(context, &drealm, &addrlist, 0, > >> + "admin_server", "_kerberos-adm", 1, > >> + DEFAULT_KPASSWD_PORT, 0, 0)) { > >> + for (i=0;i >> + struct addrinfo *a = addrlist.addrs[i]; > >> + if (a->ai_family == AF_INET) { > >> + params.admin_server = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr)); > >> + params.kadmind_port = ntohs(sa2sin (a->ai_addr)->sin_port); > >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> + params.mask |= KADM5_CONFIG_KADMIND_PORT; > >> + break; > >> + } > >> + } > >> + } > >> + } > >> } > >> if (params.mask & KADM5_CONFIG_ADMIN_SERVER) { > >> char *p; > >> > >> ________________________________________________ > >> Kerberos mailing list Kerberos at mit.edu > >> https://mailman.mit.edu/mailman/listinfo/kerberos > >> > > > > -- > > > > ________________________________________________ > > Kerberos mailing list Kerberos at mit.edu > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > > -- > From rt-comment at krbdev.mit.edu Mon Jun 22 16:54:49 2009 
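Review bot: the fallback loop accepts only the first AF_INET entry from krb5int_locate_server and then breaks, so an admin server published only with an IPv6 address is skipped, which is the "no IPv6" gap Ken's quoted comment was pointing at; in the same hunk the strdup() result is not checked before KADM5_CONFIG_ADMIN_SERVER is set in the mask, the addrlist is never released on any visible path, and DEFAULT_KPASSWD_PORT is passed as the default port for a _kerberos-adm lookup, which is worth confirming against the port kadmind actually listens on. Suggested shape: check `if (params.admin_server == NULL) break;` before setting the mask, and free the addrlist after the loop on both the found and not-found paths.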
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 22 Jun 2009 20:54:49 +0000 (UTC)
Subject: [krbdev.mit.edu #1019] v4 has its own random number generator

No longer relevant now that we have removed krb4.


From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Mon, 22 Jun 2009 21:01:18 +0000 (UTC)
Subject: [krbdev.mit.edu #1019] v4 has its own random number generator

I think it was also not true for a long time. As part of the yarrow integration I caused des425 to call into libk5crypto.


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Mon, 22 Jun 2009 21:07:55 +0000 (UTC)
Subject: [krbdev.mit.edu #3665] suggestion to use coverity to scan sources

We are now regularly using Coverity to scan the source tree.


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 23 Jun 2009 01:00:43 +0000 (UTC)
Subject: [krbdev.mit.edu #4693] Delay kadmind random number initialization until after fork

Just for reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364308


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 23 Jun 2009 01:04:21 +0000 (UTC)
Subject: [krbdev.mit.edu #3488] be a little less paranoid with PRNG seeding

Probably dealt with by #4693 (already fixed) and #1233 (in progress)
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Tue, 23 Jun 2009 01:07:39 +0000 (UTC)
Subject: [krbdev.mit.edu #920] Debian build can't find tcl

Modern versions of Debian appear to have no problem finding an installed copy of tcl when building krb5. Redundant instances of -I/usr/include or -L/usr/lib may occur, but that's a separate problem.


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Wed, 24 Jun 2009 17:45:28 +0000 (UTC)
Subject: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP

"pgp at psu.edu via RT" writes:

> Not a diff, but here are the two locations in 1.7 where the two |if|
> statements need switched around:

Thanks for the information, and sorry for the delay. Is it correct to assume that your excerpts are from src/kdc/kdc_util.c?

It's not completely clear why the KDC validation proceeds in the order it currently does. I will ask around to confirm that there is no good reason for the existing ordering.


From: rt-comment at krbdev.mit.edu (pgp@psu.edu via RT)
Date: Wed, 24 Jun 2009 18:02:11 +0000 (UTC)
Subject: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP

On 6/24/09 1:45 PM, Tom Yu via RT wrote:
> Thanks for the information, and sorry for the delay. Is it correct to
> assume that your excerpts are from src/kdc/kdc_util.c?

Correct.

> It's not completely clear why the KDC validation proceeds in the order
> it currently does. I will ask around to confirm that there is no good
> reason for the existing ordering.

OK. Thanks!

-Phil
From: Sharma at krbdev.mit.edu (Sharma@krbdev.mit.edu)
Date: Wed, 24 Jun 2009 19:34:12 +0000 (UTC)
Subject: [krbdev.mit.edu #6518] Krb documentation: Mapping Hostnames onto Kerberos Realms and Hostnames for KDCs

I came across some discrepancy in documentation and the krb source code related to hostname for kdc. The krb documentation mentions that one can create these CNAME records in DNS to locate the KRB KDC.

    kerberos     CNAME   daisy
    kerberos-1   CNAME   use-the-force-luke
    kerberos-2   CNAME   bunny-rabbit

I did not find any API call in krb source code (1.4, 1.5, 1.6 etc.) where anyone is trying to find KDC names using CNAME records. The default REALM TXT record works fine as well as new SRV records to locate the KDC names.

Can someone please look into the CNAME related krb documentation and source code together whether I missed something. I debugged the krb code extensively to locate the code to find KDC names using CNAME records. Anyway the SRV DNS records are a better way to program the KDC names.

I will try to create a bug in krb bug tracking system as I could not find a way to do so yet.

SHAMBHULAL SHARMA
Software Engineer
General Atomics
3550 General Atomics Court
San Diego, CA 92121-1122
Off 1-858-455-2557
sam.sharma at gat.com


From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 26 Jun 2009 02:43:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6428] SVN Commit

Check for principal expiration prior to checking for password expiration. Reported by Phil Pishioneri.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22422
Commit By: tlyu
Revision: 22422
Changed Files:
U trunk/src/kdc/kdc_util.c
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 26 Jun 2009 02:44:42 +0000 (UTC)
Subject: [krbdev.mit.edu #6428] SVN Commit

Add test case omitted in last commit.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22423
Commit By: tlyu
Revision: 22423
Changed Files:
A trunk/src/tests/dejagnu/krb-standalone/princexpire.exp
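To make the ordering question in #6428 concrete, here is an added example, not code from kdc_util.c: both check orders side by side over a constructed scenario, showing that a principal that is itself expired is reported as KDC_ERR_KEY_EXP under the 1.7 order (a code clients such as kinit answer with a password-change prompt) and as KDC_ERR_NAME_EXP after r22422. The error code values are those of RFC 4120; the entry struct and timestamps are constructed for the illustration, and the password-change-service exemption follows Location 1 above.

```c
/* Added illustration of the check ordering in #6428; not code from
 * kdc_util.c. Both orders are kept so their results can be compared. */
#include <stddef.h>
#include <stdbool.h>
#include <time.h>

/* Protocol error codes (RFC 4120, section 7.5.9). */
#define KDC_ERR_NAME_EXP 1    /* client's entry in database has expired */
#define KDC_ERR_KEY_EXP  23   /* password has expired; change password */

/* Only the fields of a database entry that these checks consult. */
struct kdb_entry {
    time_t expiration;        /* principal expiry; 0 means never */
    time_t pw_expiration;     /* password expiry; 0 means never */
    bool   pwchange_service;  /* server only: KRB5_KDB_PWCHANGE_SERVICE set */
};

/* 1.7 order: password expiry is reported before principal expiry, so an
 * expired principal with an old password is told to change its password. */
int validate_old(const struct kdb_entry *client, const struct kdb_entry *server,
                 time_t kdc_time, const char **status)
{
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !server->pwchange_service) {
        *status = "CLIENT KEY EXPIRED";
        return KDC_ERR_KEY_EXP;
    }
    if (client->expiration && client->expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        return KDC_ERR_NAME_EXP;
    }
    *status = NULL;
    return 0;
}

/* r22422 order: an expired principal is reported as such regardless of the
 * state of its password; the password check only runs for live principals. */
int validate_fixed(const struct kdb_entry *client, const struct kdb_entry *server,
                   time_t kdc_time, const char **status)
{
    if (client->expiration && client->expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        return KDC_ERR_NAME_EXP;
    }
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !server->pwchange_service) {
        *status = "CLIENT KEY EXPIRED";
        return KDC_ERR_KEY_EXP;
    }
    *status = NULL;
    return 0;
}

/* Constructed scenario: the KDC clock reads 1000; the principal expired at
 * 900 and its password at 950. */
static const time_t KDC_NOW = 1000;

/* Old order on the scenario above: KDC_ERR_KEY_EXP. */
int demo_old_both_expired(void)
{
    struct kdb_entry client = { 900, 950, false }, server = { 0, 0, false };
    const char *status;
    return validate_old(&client, &server, KDC_NOW, &status);
}

/* Fixed order on the same scenario: KDC_ERR_NAME_EXP. */
int demo_fixed_both_expired(void)
{
    struct kdb_entry client = { 900, 950, false }, server = { 0, 0, false };
    const char *status;
    return validate_fixed(&client, &server, KDC_NOW, &status);
}

/* Only the password is expired: both orders agree on KDC_ERR_KEY_EXP, except
 * when the server is the password-changing service, which must remain
 * reachable (result 0) or the user could never fix the expired password. */
int demo_fixed_pw_only(bool server_is_pwchange)
{
    struct kdb_entry client = { 0, 950, false };
    struct kdb_entry server = { 0, 0, server_is_pwchange };
    const char *status;
    return validate_fixed(&client, &server, KDC_NOW, &status);
}
```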
From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 26 Jun 2009 16:36:31 +0000 (UTC)
Subject: [krbdev.mit.edu #6518] Krb documentation: Mapping Hostnames onto Kerberos Realms and Hostnames for KDCs

"Sharma, Shambhulal via RT" writes:

> Can someone please look into the CNAME related krb documentation and
> source code together whether I missed something. I debugged the krb
> code extensively to locate the code to find KDC names using CNAME
> records. Anyway the SRV DNS records are a better way to program the
> KDC names.
>
> I will try to create a bug in krb bug tracking system as I could not
> find a way to do so yet.

Thanks; sending mail to krb5-bugs at mit.edu is sufficient to create a bug in the bug tracking system.

Do you have suggestions for how to update this documentation? The suggestion in the documentation of using CNAME records is to support the (obsolete) practice of listing hostname aliases in client configuration files. For example, client configuration such as:

    [realms]
        EXAMPLE.COM = {
            kdc = kerberos.example.com
            kdc = kerberos-1.example.com
        }

will allow site administrators to replace KDC hosts with ones having different canonical hostnames, as long as they update the CNAME records in DNS to reflect those changes. There is no explicit krb5 library code to handle CNAME records in this situation; the library calls getaddrinfo() (it formerly called gethostbyname() or similar) to look up the IP addresses, which would automatically handle CNAME records.

Deployment experience has largely been that it is useful to minimize the amount of explicit configuration on client hosts, so we no longer recommend explicitly listing KDC hostnames (or aliases) in client configuration files.

The documentation could probably make the above information more clear. What specific documentation changes do you think will best convey the rationale for using CNAME records?
From: rt-comment at krbdev.mit.edu (The RT System itself via RT)
Date: Fri, 26 Jun 2009 21:48:47 +0000 (UTC)
Subject: [krbdev.mit.edu #6520] struct utmp's ut_tv isn't always a struct timeval

Date: Fri, 26 Jun 2009 16:54:44 -0400
Message-Id: <200906262054.n5QKsiUD019592 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: struct utmp's ut_tv isn't always a struct timeval
From: nalin at redhat.com

>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: struct utmp's ut_tv isn't always a struct timeval
>Severity: non-critical
>Priority: medium
>Category: pty
>Class: sw-bug
>Release: 1.7
>Environment:
System: Linux blade.bos.redhat.com 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
On my x86_64 Fedora system using glibc, the ut_tv field of a utmp structure isn't a struct timeval (which would contain a pair of 64-bit time_t values), but is an anonymous structure which has a pair of int32_t values with the same names. Here's the snippet from :

    /* The ut_session and ut_tv fields must be the same size when compiled
       32- and 64-bit.  This allows data files and shared memory to be
       shared between 32- and 64-bit applications.  */
    #if __WORDSIZE == 64 && defined __WORDSIZE_COMPAT32
      int32_t ut_session;        /* Session ID, used for windowing.  */
      struct
      {
        int32_t tv_sec;          /* Seconds.  */
        int32_t tv_usec;         /* Microseconds.  */
      } ut_tv;                   /* Time entry was made.  */
    #else
      long int ut_session;       /* Session ID, used for windowing.  */
      struct timeval ut_tv;      /* Time entry was made.  */
    #endif

Passing the address of this ut_tv to gettimeofday() triggers a compiler warning.
>How-To-Repeat:
(Compiler warnings.)
>Fix:
This patch quiets the warnings for me. In update_utmp.c, it uses a temporary. In login.c, the variables involved don't appear to be used, so the code can just be removed.
Index: src/appl/libpty/update_utmp.c =================================================================== --- src/appl/libpty/update_utmp.c (revision 22423) +++ src/appl/libpty/update_utmp.c (working copy) @@ -291,6 +291,12 @@ * The ut_exit field seems to exist in utmp, but not utmpx. The files * utmp and wtmp seem to exist, but not utmpx, or wtmpx. * + * glibc: + * + * The ut_tv field of struct utmp/utmpx may be an anonymous structure + * containing 32-bit values on systems where time_t is 64 bits. Its + * fields have the same names, though. + * * libpty Implementation Decisions: * -------------------------------- * @@ -505,6 +511,8 @@ const char *line, const char *host, int flags) { PTY_STRUCT_UTMPX utx, *utxtmp, utx2; + struct timeval ut_tv; + time_t login_time; const char *cp; size_t len; char utmp_id[5]; @@ -577,10 +585,13 @@ utxtmp = best_utxent(&utx); #ifdef HAVE_SETUTXENT - if (gettimeofday(&utx.ut_tv, NULL)) + if (gettimeofday(&ut_tv, NULL)) return errno; + utx.ut_tv.tv_sec = ut_tv.tv_sec; + utx.ut_tv.tv_usec = ut_tv.tv_usec; #else - (void)time(&utx.ut_time); + (void)time(&login_time); + utx.ut_time = login_time; #endif /* * On what system is there not ut_host? Unix98 doesn't mandate Index: src/appl/bsd/login.c =================================================================== --- src/appl/bsd/login.c (revision 22423) +++ src/appl/bsd/login.c (working copy) @@ -719,7 +719,6 @@ char *domain, **envinit, *ttyn, *tty; char tbuf[MAXPATHLEN + 2]; char *ttyname(), *crypt(), *getpass(); - time_t login_time; int retval; int rewrite_ccache = 1; /*try to write out ccache*/ #ifdef KRB5_GET_TICKETS @@ -1071,9 +1070,6 @@ /* nothing else left to fail -- really log in */ { - struct utmp utmp; - - login_time = time(&utmp.ut_time); if ((retval = pty_update_utmp(PTY_USER_PROCESS, getpid(), username, ttyn, hostname, PTY_TTYSLOT_USABLE)) < 0) From rt-comment at krbdev.mit.edu Fri Jun 26 17:48:47 2009 
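Review bot: in the pty_update_utmp hunks, ut_tv and login_time are both declared unconditionally but each is used in only one arm of the #ifdef HAVE_SETUTXENT, so one of them is an unused variable in every build and will trade the old warning for a new one; declare each inside its own arm, e.g. put `struct timeval ut_tv;` under #ifdef HAVE_SETUTXENT and `time_t login_time;` under #else. The copies into utx.ut_tv.tv_sec/tv_usec also narrow a 64-bit time_t to int32_t on the glibc compat layout the report describes; that is the intent, but a one-line comment at the assignment would save the next reader the trip to the header.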
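Review bot: the login.c hunks drop login_time and the local struct utmp, which is fine only if nothing else in main() reads login_time after the removed assignment; the hunk shows just the declaration and the one assignment, so please confirm there are no other references. With the two lines gone, the bare `{ ... }` block around the pty_update_utmp call no longer scopes anything and can be removed as well.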
From: rt-comment at krbdev.mit.edu (The RT System itself via RT) Date: Fri, 26 Jun 2009 21:48:47 +0000 (UTC) Subject: [krbdev.mit.edu #6519] krb5_copy_error_message() calls krb5int_clear_error() incorrectly In-Reply-To: Message-ID: >From krb5-bugs-incoming-bounces at PCH.mit.edu Fri Jun 26 21:48:47 2009 Return-Path: X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id E93CECCEF8; Fri, 26 Jun 2009 21:48:46 +0000 (UTC) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n5QLmke1030478; Fri, 26 Jun 2009 17:48:46 -0400 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n5QLYRat027700 for ; Fri, 26 Jun 2009 17:34:27 -0400 Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id n5QLYNZE005933 for ; Fri, 26 Jun 2009 17:34:24 -0400 (EDT) Received: from mx1.redhat.com (localhost [127.0.0.1]) by mit.edu (Spam Firewall) with ESMTP id 7EBB91578BEA for ; Fri, 26 Jun 2009 17:34:23 -0400 (EDT) Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by mit.edu with ESMTP id B1Dq9PHFW5PgpBdu for ; Fri, 26 Jun 2009 17:34:23 -0400 (EDT) Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n5QLYNw6005448 for ; Fri, 26 Jun 2009 17:34:23 -0400 Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n5QLYMNR011620 for ; Fri, 26 Jun 2009 17:34:22 -0400 Received: from blade.bos.redhat.com (localhost.localdomain [127.0.0.1]) by blade.bos.redhat.com (8.14.3/8.14.2) with ESMTP id n5QLYMIa019356 for ; Fri, 26 Jun 2009 17:34:22 -0400 Received: (from nalin at localhost) by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id n5QLYMoW019352; Fri, 26 Jun 
2009 17:34:22 -0400 Date: Fri, 26 Jun 2009 17:34:22 -0400 Message-Id: <200906262134.n5QLYMoW019352 at blade.bos.redhat.com> To: krb5-bugs at mit.edu Subject: krb5_copy_error_message() calls krb5int_clear_error() incorrectly From: nalin at redhat.com X-send-pr-version: 3.99 X-Scanned-By: MIMEDefang 2.42 X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254 X-Spam-Score: 0.55 X-Spam-Flag: NO X-Mailman-Approved-At: Fri, 26 Jun 2009 17:48:44 -0400 X-BeenThere: krb5-bugs-incoming at mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Reply-To: nalin at redhat.com Sender: krb5-bugs-incoming-bounces at PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu >Submitter-Id: net >Originator: >Organization: >Confidential: no >Synopsis: krb5_copy_error_message() calls krb5int_clear_error() incorrectly >Severity: non-critical >Priority: medium >Category: krb5-libs >Class: sw-bug >Release: 1.7 >Environment: System: Linux blade.bos.redhat.com 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux Architecture: x86_64 >Description: When krb5_copy_error_message() calls krb5int_clear_error(), it passes it the entire destination context instead of the relevant field in the structure. >Fix: Here's the trivial fix: Index: src/lib/krb5/krb/kerrs.c =================================================================== --- src/lib/krb5/krb/kerrs.c (revision 22423) +++ src/lib/krb5/krb/kerrs.c (working copy) @@ -108,7 +108,7 @@ krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s", src_ctx->err.msg); } else { - krb5int_clear_error(dest_ctx); + krb5int_clear_error(&dest_ctx->err); } } From rt-comment at krbdev.mit.edu Fri Jun 26 17:48:47 2009 
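Review bot: the one-line fix is consistent with the `krb5int_set_error(&dest_ctx->err, ...)` call in the preceding branch, so both branches of krb5_copy_error_message() now operate on the same `err` member. Passing the whole context where a pointer to that member is expected would normally draw a pointer-type diagnostic, so it is worth checking why this compiled cleanly (whether krb5int_clear_error's prototype is visible in kerrs.c) and whether any other caller makes the same mistake.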
From: rt-comment at krbdev.mit.edu (The RT System itself via RT) Date: Fri, 26 Jun 2009 21:48:47 +0000 (UTC) Subject: [krbdev.mit.edu #6521] ftp.c makes questionable use of strlen() In-Reply-To: Message-ID: >From krb5-bugs-incoming-bounces at PCH.mit.edu Fri Jun 26 21:48:47 2009 Return-Path: X-Original-To: krb5-send-pr-nospam1 at krbdev.mit.edu Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id 1D14D5C00D; Fri, 26 Jun 2009 21:48:47 +0000 (UTC) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n5QLmlPY030481; Fri, 26 Jun 2009 17:48:47 -0400 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n5QKKkMv010668 for ; Fri, 26 Jun 2009 16:20:46 -0400 Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id n5QKKd55024646 for ; Fri, 26 Jun 2009 16:20:39 -0400 (EDT) Received: from mx1.redhat.com (localhost [127.0.0.1]) by mit.edu (Spam Firewall) with ESMTP id 7BA2C15775F9 for ; Fri, 26 Jun 2009 16:20:37 -0400 (EDT) Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by mit.edu with ESMTP id ozPCFFqKYAZFG1XK for ; Fri, 26 Jun 2009 16:20:37 -0400 (EDT) Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n5QKKaXV025776 for ; Fri, 26 Jun 2009 16:20:36 -0400 Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n5QKKaja000462 for ; Fri, 26 Jun 2009 16:20:36 -0400 Received: from blade.bos.redhat.com (localhost.localdomain [127.0.0.1]) by blade.bos.redhat.com (8.14.3/8.14.2) with ESMTP id n5QKKZ3D026285 for ; Fri, 26 Jun 2009 16:20:36 -0400 Received: (from nalin at localhost) by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id n5QKKZ8E026242; Fri, 26 Jun 2009 16:20:35 -0400 Date: Fri, 26 
Jun 2009 16:20:35 -0400 Message-Id: <200906262020.n5QKKZ8E026242 at blade.bos.redhat.com> To: krb5-bugs at mit.edu Subject: questionable use of strlen() in ftp.c From: Nalin Dahyabhai X-send-pr-version: 3.99 X-Scanned-By: MIMEDefang 2.42 X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254 X-Spam-Score: 0.00 X-Spam-Flag: NO X-Mailman-Approved-At: Fri, 26 Jun 2009 17:48:44 -0400 X-BeenThere: krb5-bugs-incoming at mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Reply-To: nalin at redhat.com Sender: krb5-bugs-incoming-bounces at PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu >Submitter-Id: net >Originator: >Organization: >Confidential: no >Synopsis: ftp.c makes questionable use of strlen() >Severity: non-critical >Priority: low >Category: krb5-appl >Class: sw-bug >Release: 1.7 >Environment: System: Linux blade.bos.redhat.com 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux Architecture: x86_64 >Description: Looking at the ftp sources, there's some odd use of strlen() where the intent appears to be to guard against having string buffers that aren't zero-terminated, but the code is instead writing a zero byte to a location which we know already has that value. >How-To-Repeat: (Haven't noticed any odd behavior.) >Fix: This patch fixes the instances where it looks like something based on the size of the destination buffer was intended: Index: src/appl/gssftp/ftp/ftp.c =================================================================== --- src/appl/gssftp/ftp/ftp.c (revision 22423) +++ src/appl/gssftp/ftp/ftp.c (working copy) 
@@ -1655,21 +1655,21 @@ ip->ntflg = ntflag; ntflag = op->ntflg; (void) strncpy(ip->nti, ntin, sizeof(ip->nti) - 1); - (ip->nti)[strlen(ip->nti)] = '\0'; + (ip->nti)[sizeof(ip->nti) - 1] = '\0'; (void) strncpy(ntin, op->nti, sizeof(ntin) - 1); ntin[sizeof(ntin) - 1] = '\0'; (void) strncpy(ip->nto, ntout, sizeof(ip->nto) - 1); - (ip->nto)[strlen(ip->nto)] = '\0'; + (ip->nto)[sizeof(ip->nto) - 1] = '\0'; (void) strncpy(ntout, op->nto, sizeof(ntout) - 1); ntout[sizeof(ntout) - 1] = '\0'; ip->mapflg = mapflag; mapflag = op->mapflg; - (void) strncpy(ip->mi, mapin, MAXPATHLEN - 1); - (ip->mi)[strlen(ip->mi)] = '\0'; + (void) strncpy(ip->mi, mapin, sizeof(ip->mi) - 1); + (ip->mi)[sizeof(ip->mi) - 1] = '\0'; (void) strncpy(mapin, op->mi, sizeof(mapin) - 1); mapin[sizeof(mapin) - 1] = '\0'; - (void) strncpy(ip->mo, mapout, MAXPATHLEN - 1); - (ip->mo)[strlen(ip->mo)] = '\0'; + (void) strncpy(ip->mo, mapout, sizeof(ip->mo) - 1); + (ip->mo)[sizeof(ip->mo) - 1] = '\0'; (void) strncpy(mapout, op->mo, sizeof(mapout) - 1); mapout[sizeof(mapout) - 1] = '\0'; ip->authtype = auth_type; From rt-comment at krbdev.mit.edu Fri Jun 26 18:05:48 2009 
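Review bot: the change is right, but the original line was worse than a no-op: `strncpy(ip->nti, ntin, sizeof(ip->nti) - 1)` leaves `ip->nti[sizeof(ip->nti) - 1]` untouched when `ntin` fills the buffer, so the old `(ip->nti)[strlen(ip->nti)] = '\0'` called strlen() on a possibly unterminated array and wrote through whatever index that over-read produced. Two things to confirm before applying: `ip->nti`, `ip->nto`, `ip->mi` and `ip->mo` must be declared as arrays (if any is a `char *`, `sizeof(ip->mi) - 1` becomes pointer size minus one and the copy silently truncates), and the `MAXPATHLEN - 1` to `sizeof(ip->mi) - 1` change is only behaviour-preserving if those members are sized exactly MAXPATHLEN.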
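As an added illustration of the point in this report (example code written for this page, not from the krb5 sources or the submitter): the old and patched idioms side by side, with a hypothetical 17-byte `nti` buffer and a constructed neighbouring field, showing where the NUL byte that `dst[strlen(dst)] = '\0'` relies on actually sits once the source string fills the buffer. The struct, its size, and the two input names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* NTBUF is a hypothetical buffer size standing in for ip->nti; the real
 * declaration is not shown on the page. */
#define NTBUF 17

/* A struct whose name buffer is followed by another field, so an unterminated
 * copy runs straight into the neighbour (constructed for this demo). */
struct ntinfo {
    char nti[NTBUF];
    char next[4];
};

/* Constructed inputs: one name longer than NTBUF-1, one that fits. */
static const char kLongName[]  = "0123456789abcdefghij";
static const char kShortName[] = "ascii";

/* Fill the struct with stale, non-zero bytes, as reused memory might hold. */
static void poison(struct ntinfo *ip)
{
    memset(ip->nti, 'X', sizeof(ip->nti));
    memcpy(ip->next, "ZZZ", 4);   /* neighbour happens to be NUL-terminated */
}

/* Offset of the first NUL byte anywhere in the struct: the byte that
 * dst[strlen(dst)] = '\0' would write to. Scanning the whole object with
 * memchr() is well defined; calling strlen() on an unterminated nti is not. */
static size_t first_nul_offset(const struct ntinfo *ip)
{
    const char *z = memchr(ip, '\0', sizeof(*ip));
    return z ? (size_t)(z - (const char *)ip) : sizeof(*ip);
}

/* Old ftp.c idiom: strncpy(dst, src, sizeof(dst) - 1); dst[strlen(dst)] = '\0';
 * Returns where the "terminator" would land; >= NTBUF means the buffer was
 * left unterminated and strlen() read past it. */
size_t first_nul_old(const char *src)
{
    struct ntinfo ip;
    poison(&ip);
    strncpy(ip.nti, src, sizeof(ip.nti) - 1);
    return first_nul_offset(&ip);
}

/* Patched idiom: strncpy(dst, src, sizeof(dst) - 1); dst[sizeof(dst) - 1] = '\0';
 * The last byte is forced to NUL, so the result is always <= NTBUF - 1. */
size_t first_nul_new(const char *src)
{
    struct ntinfo ip;
    poison(&ip);
    strncpy(ip.nti, src, sizeof(ip.nti) - 1);
    ip.nti[sizeof(ip.nti) - 1] = '\0';
    return first_nul_offset(&ip);
}

int main(void)
{
    printf("old idiom, long name:  first NUL at offset %zu (nti is %d bytes)\n",
           first_nul_old(kLongName), NTBUF);
    printf("old idiom, short name: first NUL at offset %zu\n",
           first_nul_old(kShortName));
    printf("new idiom, long name:  first NUL at offset %zu\n",
           first_nul_new(kLongName));
    return 0;
}
```

With the long name the old idiom leaves `nti` with no NUL at all, so the first zero byte is found in the neighbouring field: the "terminator" write lands outside the buffer on a byte that already holds zero, which is why the bug report saw no misbehaviour even though strlen() was reading past the array. The demo deliberately scans with memchr() instead of calling strlen() on the unterminated array, because that call is itself the undefined behaviour being fixed.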
From: rt-comment at krbdev.mit.edu (nalin@redhat.com via RT) Date: Fri, 26 Jun 2009 22:05:48 +0000 (UTC) Subject: [krbdev.mit.edu #5939] PAM support for rshd, login, ftpd, and ksu In-Reply-To: Message-ID:

Here's an updated version which should apply to 1.7 and the current trunk.

* It now sets PAM_RHOST and PAM_TTY when applicable, and performs account and session management in ksu.
* It passes the flag which signals that we're attempting to change an expired password when we attempt to change an expired password.
* It allows attempts to change an expired password when called from login, which by virtue of having a controlling terminal can actually interact with the user correctly.

--

Modify krshd so that it performs PAM account and session management. It must now always fork so that it can always clean up the session. The PAM session is opened and credentials initialized after any forwarded credentials are stored to disk and before access to the user's home directory is attempted. The default service name is "kshell" or "ekshell", depending on whether or not encryption is in use, to avoid a dependency or conflict on the plain rsh server's configuration file. At run-time, krshd's behavior can be reset to the earlier, non-PAM behavior by setting "use_pam" to false in the [rshd] section of /etc/krb5.conf.

Modify ftpd so that authentication with a plaintext password goes through PAM, and it performs PAM account and session management. The PAM session is opened and credentials initialized after any forwarded credentials are stored to disk. The default service name is "gssftp", mainly to avoid conflicts with other FTP servers' configuration files. At run-time, krshd's behavior can be reset to the earlier, non-PAM behavior by setting "use_pam" to false in the [ftpd] section of /etc/krb5.conf.
Modify login so that instead of directly obtaining v5 or v4 credentials or running aklog, it calls PAM for authentication if strong authentication hasn't already been performed, so that it performs account management using PAM (prompting for a password change if need be), and that it performs session management. The PAM session is opened and credentials initialized after any forwarded credentials are stored to disk. The default service name is "login", because its configuration is pretty much always going to be there. At run-time, login's behavior can be reset to the earlier, non-PAM behavior by setting "use_pam" to false in the [login] section of /etc/krb5.conf.

Modify ksu so that it performs account and session management for the target user account, mimicking the action of regular su. The default service name is "ksu", because on Fedora at least the configuration used is determined by whether or not a login shell is being opened, and so this may need to vary, too. At run-time, ksu's behavior can be reset to the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] section of /etc/krb5.conf.

When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.

diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
--- krb5-1.7/src/aclocal.m4 2009-02-18 19:38:17.000000000 -0500
+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:45:57.000000000 -0400
@@ -1771,3 +1771,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ ])) ])dnl dnl +dnl +dnl Use PAM instead of local crypt() compare for checking local passwords, +dnl and perform PAM account, session management, and password-changing where +dnl appropriate. +dnl +AC_DEFUN(KRB5_WITH_PAM,[ +AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], + withpam="$withval",withpam=auto) +AC_ARG_WITH(pam-login-service,[AC_HELP_STRING(--with-login-service,[PAM service name for login ["login"]])], + withloginpamservice="$withval",withloginpamservice=login) +AC_ARG_WITH(pam-kshell-service,[AC_HELP_STRING(--with-kshell-service,[PAM service name for unencrypted rsh ["kshell"]])], + withkshellpamservice="$withval",withkshellpamservice=kshell) +AC_ARG_WITH(pam-ekshell-service,[AC_HELP_STRING(--with-ekshell-service,[PAM service name for encrypted rsh ["ekshell"]])], + withekshellpamservice="$withval",withekshellpamservice=ekshell) +AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])], + withftppamservice="$withval",withftppamservice=gssftp) +AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], + withksupamservice="$withval",withksupamservice=ksu) +old_LIBS="$LIBS" +if test "$withpam" != no ; then + AC_MSG_RESULT([checking for PAM...]) + PAM_LIBS= + + AC_CHECK_HEADERS(security/pam_appl.h) + if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then + if test "$withpam" = auto ; then + AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) + withpam=no + else + AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) + fi + fi + + LIBS= + unset ac_cv_func_pam_start + AC_CHECK_FUNCS(putenv pam_start) + if test "x$ac_cv_func_pam_start" = xno ; then + unset ac_cv_func_pam_start + AC_CHECK_LIB(dl,dlopen) + AC_CHECK_FUNCS(pam_start) + if test "x$ac_cv_func_pam_start" = xno ; then + AC_CHECK_LIB(pam,pam_start) + unset ac_cv_func_pam_start + unset ac_cv_func_pam_getenvlist + 
AC_CHECK_FUNCS(pam_start pam_getenvlist) + if test "x$ac_cv_func_pam_start" = xyes ; then + PAM_LIBS="$LIBS" + else + if test "$withpam" = auto ; then + AC_MSG_RESULT([Unable to locate libpam.]) + withpam=no + else + AC_MSG_ERROR([Unable to locate libpam.]) + fi + fi + fi + fi + if test "$withpam" != no ; then + AC_MSG_NOTICE([building with PAM support]) + AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) + AC_DEFINE_UNQUOTED(LOGIN_PAM_SERVICE,"$withloginpamservice", + [Define to the name of the PAM service name to be used by login.]) + AC_DEFINE_UNQUOTED(KSHELL_PAM_SERVICE,"$withkshellpamservice", + [Define to the name of the PAM service name to be used by rshd for unencrypted sessions.]) + AC_DEFINE_UNQUOTED(EKSHELL_PAM_SERVICE,"$withekshellpamservice", + [Define to the name of the PAM service name to be used by rshd for encrypted sessions.]) + AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice", + [Define to the name of the PAM service name to be used by ftpd.]) + AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", + [Define to the name of the PAM service name to be used by ksu.]) + PAM_LIBS="$LIBS" + NON_PAM_MAN=".\\\" " + PAM_MAN= + else + PAM_MAN=".\\\" " + NON_PAM_MAN= + fi +fi +LIBS="$old_LIBS" +AC_SUBST(PAM_LIBS) +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in --- krb5-1.7/src/appl/bsd/configure.in 2008-12-15 15:29:01.000000000 -0500 +++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:45:57.000000000 -0400 @@ -24,6 +24,7 @@ AC_CHECK_LIB(odm,main, AC_CHECK_LIB(cfg,main, LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg" ))) +KRB5_WITH_PAM dnl dnl Make our operating system-specific security checks and definitions for dnl login. diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c --- krb5-1.7/src/appl/bsd/krshd.c 2009-04-15 16:07:15.000000000 -0400 +++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 13:45:57.000000000 -0400 
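Review bot: in the KRB5_WITH_PAM macro in aclocal.m4, `AC_CHECK_FUNCS(pam_start pam_getenvlist)` runs only in the innermost branch (after `AC_CHECK_LIB(pam,pam_start)`), so if pam_start is found by either of the two earlier probes, HAVE_PAM_GETENVLIST is never defined and the `#ifdef HAVE_PAM_GETENVLIST` body of appl_pam_setenv() in pam.c compiles to nothing, leaving the PAM environment unset; check for pam_getenvlist once, after whichever probe succeeded. Also, the AC_HELP_STRING texts advertise `--with-login-service`, `--with-kshell-service`, and so on, while the AC_ARG_WITH names are `pam-login-service`, `pam-kshell-service`, etc., so `configure --help` documents options that do not exist. Minor: when the header is missing and `withpam=auto`, the macro sets `withpam=no` but still runs the library probes below it.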
@@ -161,6 +161,10 @@ char copyright[] = #include #endif +#ifdef USE_PAM +#include "pam.h" +#endif + #ifndef MAXDNAME #define MAXDNAME 256 /*per the rfc*/ #endif @@ -181,6 +185,7 @@ void fatal(int, const char *); int require_encrypt = 0; int do_encrypt = 0; +int force_fork = 0; int anyport = 0; char *kprogdir = KPROGDIR; int netf; @@ -1030,14 +1035,6 @@ void doit(f, fromp) } #endif /*CRAY*/ - if (chdir(pwd->pw_dir) < 0) { - if(chdir("/") < 0) { - error("No remote directory.\n"); - goto signout_please; - } - pwd->pw_dir = "/"; - } - #ifdef KERBEROS /* krb5_kuserok returns 1 if OK */ if (!krb5_kuserok(bsd_context, client, locuser)){ @@ -1067,11 +1064,51 @@ void doit(f, fromp) goto signout_please; } +#ifdef USE_PAM + if (appl_pam_enabled(bsd_context, "rshd")) { + if (appl_pam_acct_mgmt(do_encrypt ? + EKSHELL_PAM_SERVICE : + KSHELL_PAM_SERVICE, + 0, + locuser, + "", + hostname, + NULL, + do_encrypt ? + EKSHELL_PAM_SERVICE : + KSHELL_PAM_SERVICE) != 0) { + error("Login denied.\n"); + goto signout_please; + } + if (appl_pam_requires_chauthtok()) { + error("Password change required, but not possible over rsh.\n"); + goto signout_please; + } + force_fork = 1; + appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME")); + if (appl_pam_session_open() != 0) { + error("Login failure.\n"); + goto signout_please; + } + if (appl_pam_cred_init()) { + error("Login failure.\n"); + goto signout_please; + } + } else +#endif if (pwd->pw_uid && !access(NOLOGIN, F_OK)) { error("Logins currently disabled.\n"); goto signout_please; } + if (chdir(pwd->pw_dir) < 0) { + if (chdir("/") < 0) { + error("No remote directory.\n"); + goto signout_please; + } + pwd->pw_dir = "/"; + } + /* Log access to account */ pwd = (struct passwd *) getpwnam(locuser); if (pwd && (pwd->pw_uid == 0)) { @@ -1111,7 +1148,7 @@ void doit(f, fromp) (void) write(2, "", 1); - if (port||do_encrypt) { + if (port||do_encrypt||force_fork) { if (port&&(pipe(pv) < 0)) { error("Can't make pipe.\n"); goto signout_please; 
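Review bot: in the krshd.c `@@ -1067,11 +1064,51 @@` hunk, the `} else` after `#endif` attaches the whole PAM block to `if (pwd->pw_uid && !access(NOLOGIN, F_OK))`, so with use_pam enabled the /etc/nologin check is skipped entirely; if that is intentional (delegating it to a PAM module) say so in the description, otherwise drop the `else`. The last argument of appl_pam_acct_mgmt() is the `tty` parameter, but the value passed is the service name (`EKSHELL_PAM_SERVICE` / `KSHELL_PAM_SERVICE`), so PAM_TTY ends up as "kshell" or "ekshell" rather than a tty name or NULL; the same pattern is used in ftpd.c, so it looks deliberate, but a comment explaining it would help. Moving `chdir(pwd->pw_dir)` below the PAM session open matches the description and is the right order for pam_mkhomedir-style modules.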
@@ -1416,6 +1453,15 @@ void doit(f, fromp) environ = envinit; +#ifdef USE_PAM + if (appl_pam_enabled(bsd_context, "rshd")) { + if (appl_pam_setenv() != 0) { + error("Login failure.\n"); + goto signout_please; + } + } +#endif + #ifdef KERBEROS /* To make Kerberos rcp work correctly, we must ensure that we invoke Kerberos rcp on this end, not normal rcp, even if the diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c --- krb5-1.7/src/appl/bsd/login.c 2008-12-15 15:29:01.000000000 -0500 +++ krb5-1.7/src/appl/bsd/login.c 2009-06-04 13:45:57.000000000 -0400 @@ -145,6 +145,11 @@ typedef sigtype (*handler)(); #include "osconf.h" #endif /* KRB5_GET_TICKETS */ +#ifdef USE_PAM +#include "pam.h" +int login_use_pam = 1; +#endif + #ifndef __STDC__ #ifndef volatile #define volatile @@ -294,6 +299,9 @@ static struct login_confs { char *flagname; int *flag; } login_conf_set[] = { +#ifdef USE_PAM + {USE_PAM_CONFIGURATION_KEYWORD, &login_use_pam}, +#endif #ifdef KRB5_GET_TICKETS {"krb5_get_tickets", &login_krb5_get_tickets}, {"krb_run_aklog", &login_krb_run_aklog}, @@ -933,6 +941,21 @@ int main(argc, argv) if (!unix_needs_passwd()) break; +#ifdef USE_PAM + if (login_use_pam) { + if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "", + hostname, + NULL, + ttyname(STDIN_FILENO)) == PAM_SUCCESS) { + break; + } else { + /* the goto target label is in a different nesting scope, but + * it's roughly where we want to land */ + goto bad_login; + } + } +#endif + #ifdef KRB5_GET_TICKETS if (login_krb5_get_tickets) { /* rename these to something more verbose */ 
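Review bot: in the krshd.c `@@ -1416,6 +1453,15 @@` hunk, the `appl_pam_setenv() != 0` check is dead code: appl_pam_setenv() in pam.c initializes `ret = 0` and never assigns it, so the `Login failure.` path cannot trigger, while the login.c caller ignores the return value altogether. Either make appl_pam_setenv() report putenv() failures (and check them in both callers) or drop the check. In the login.c authentication hunk, the `goto bad_login` out of the `#ifdef USE_PAM` block into a different nesting scope is acknowledged in the comment; having the PAM branch set a failure flag and fall through to the existing bad-login handling would avoid a jump that is easy to break in later edits.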
@@ -1020,6 +1043,24 @@ int main(argc, argv) /* committed to login -- turn off timeout */ (void) alarm((u_int) 0); +#ifdef USE_PAM + if (login_use_pam) { + if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "", + hostname, NULL, ttyname(STDIN_FILENO)) != 0) { + printf("Login incorrect\n"); + sleepexit(1); + } + if (appl_pam_requires_chauthtok()) { + if (appl_pam_chauthtok() != 0) { + printf("Failed to change password.\n"); + sleepexit(1); + } + } + } else { + /* the "else" here is the non-PAM behavior which continues until the + * next ifdef USE_PAM block, as of this writing more or less + * duplicating the work of pam_securetty and an OQUOTA check */ +#endif /* * If valid so far and root is logging in, see if root logins on * this terminal are permitted. @@ -1060,6 +1101,21 @@ int main(argc, argv) sleepexit(0); } #endif +#ifdef USE_PAM + } +#endif /* USE_PAM */ + +#ifdef USE_PAM + if (login_use_pam) { + appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME")); + if (appl_pam_session_open() != 0) { + sleepexit(1); + } + if (appl_pam_cred_init() != 0) { + sleepexit(1); + } + } +#endif /* USE_PAM */ if (chdir(pwd->pw_dir) < 0) { printf("No directory %s!\n", pwd->pw_dir); @@ -1347,6 +1403,11 @@ int main(argc, argv) } #endif /* KRB5_GET_TICKETS */ +#ifdef USE_PAM + if (login_use_pam) + appl_pam_setenv(); +#endif + if (tty[sizeof("tty")-1] == 'd') syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); if (pwd->pw_uid == 0) diff -up krb5-1.7/src/appl/bsd/Makefile.in krb5-1.7/src/appl/bsd/Makefile.in --- krb5-1.7/src/appl/bsd/Makefile.in 2009-01-05 15:27:53.000000000 -0500 +++ krb5-1.7/src/appl/bsd/Makefile.in 2009-06-04 13:45:57.000000000 -0400 
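Review bot: in the login.c `@@ -1020,6 +1043,24 @@` hunk, the `} else {` opened inside `#ifdef USE_PAM` is closed by a separate `#ifdef USE_PAM } #endif` some forty lines later, so brace balance depends on two preprocessor blocks staying in step; guarding the non-PAM securetty and quota checks with `if (!login_use_pam)` instead of an `else`, or moving them into a helper, would keep the function readable. In the session hunk, appl_pam_session_open() and appl_pam_cred_init() failures call sleepexit(1) with no message, unlike the `Login incorrect` and `Failed to change password.` paths above; a syslog() entry there would make a misconfigured PAM stack diagnosable.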
@@ -11,12 +11,13 @@ SETENVOBJ=@SETENVOBJ@ LOGINLIBS=@LOGINLIBS@ LIBOBJS=@LIBOBJS@ KRSHDLIBS=@KRSHDLIBS@ +PAMOBJS=pam.o SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \ $(srcdir)/forward.c $(srcdir)/login.c $(srcdir)/krshd.c \ $(srcdir)/krlogind.c OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o $(SETENVOBJ) login.o krshd.o \ - krlogind.o $(LIBOBJS) + krlogind.o $(LIBOBJS) $(PAMOBJS) UCB_RLOGIN = @UCB_RLOGIN@ UCB_RSH = @UCB_RSH@ @@ -53,8 +54,8 @@ install:: ) || exit 1; \ done -kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) - $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB) +kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) + $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(APPUTILS_LIB) klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB) @@ -71,8 +72,8 @@ install:: # No program name transformation is done with login.krb5 since it is directly # referenced by klogind. # -login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) +login.krb5: login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) install:: $(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5 diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c 
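Review bot: in the Makefile.in hunk, `PAMOBJS=pam.o` is unconditional, so pam.o is compiled and linked into kshd and login.krb5 even when configure disables PAM; that only works because pam.c wraps its whole body in `#ifdef USE_PAM`, yielding an object with no code, and `$(PAM_LIBS)` is then empty. Making PAMOBJS a configure substitution set alongside PAM_LIBS in KRB5_WITH_PAM would avoid building the stub, and klogind, which is left unchanged here, should be mentioned in the description as deliberately not PAM-aware.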
--- /dev/null 2009-06-04 10:34:55.169007373 -0400 +++ krb5-1.7/src/appl/bsd/pam.c 2009-06-04 13:45:57.000000000 -0400 
@@ -0,0 +1,433 @@ +/* + * src/appl/bsd/pam.c + * + * Copyright 2007,2009 Red Hat, Inc. + * + * All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of Red Hat, Inc. nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Convenience wrappers for using PAM. 
+ */ + +#include "autoconf.h" +#ifdef USE_PAM +#include +#include +#include +#include +#include +#include "k5-int.h" +#include "pam.h" + +#ifndef MAXPWSIZE +#define MAXPWSIZE 128 +#endif + +static int appl_pam_started; +static pid_t appl_pam_starter = -1; +static int appl_pam_session_opened; +static int appl_pam_creds_initialized; +static int appl_pam_pwchange_required; +static pam_handle_t *appl_pamh; +static struct pam_conv appl_pam_conv; +static char *appl_pam_user; +struct appl_pam_non_interactive_args { + const char *user; + const char *password; +}; + +int +appl_pam_enabled(krb5_context context, const char *section) +{ + int enabled = 1; + if ((context != NULL) && (context->profile != NULL)) { + if (profile_get_boolean(context->profile, + section, + USE_PAM_CONFIGURATION_KEYWORD, + NULL, + enabled, &enabled) != 0) { + enabled = 1; + } + } + return enabled; +} + +void +appl_pam_cleanup(void) +{ + if (getpid() != appl_pam_starter) { + return; + } +#ifdef DEBUG + printf("Called to clean up PAM.\n"); +#endif + if (appl_pam_creds_initialized) { +#ifdef DEBUG + printf("Deleting PAM credentials.\n"); +#endif + pam_setcred(appl_pamh, PAM_DELETE_CRED); + appl_pam_creds_initialized = 0; + } + if (appl_pam_session_opened) { +#ifdef DEBUG + printf("Closing PAM session.\n"); +#endif + pam_close_session(appl_pamh, 0); + appl_pam_session_opened = 0; + } + appl_pam_pwchange_required = 0; + if (appl_pam_started) { +#ifdef DEBUG + printf("Shutting down PAM.\n"); +#endif + pam_end(appl_pamh, 0); + appl_pam_started = 0; + appl_pam_starter = -1; + free(appl_pam_user); + appl_pam_user = NULL; + } +} +static int +appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, + struct pam_response **presp, void *appdata_ptr) +{ + const struct pam_message *message; + struct pam_response *resp; + int i, code; + char *pwstring, pwbuf[MAXPWSIZE]; + unsigned int pwsize; + resp = malloc(sizeof(struct pam_response) * num_msg); + if (resp == NULL) { + return PAM_BUF_ERR; + } + 
memset(resp, 0, sizeof(struct pam_response) * num_msg); + code = PAM_SUCCESS; + for (i = 0; i < num_msg; i++) { + message = &(msg[0][i]); /* XXX */ + message = msg[i]; /* XXX */ + pwstring = NULL; + switch (message->msg_style) { + case PAM_TEXT_INFO: + case PAM_ERROR_MSG: + printf("[%s]\n", message->msg ? message->msg : ""); + fflush(stdout); + resp[i].resp = NULL; + resp[i].resp_retcode = PAM_SUCCESS; + break; + case PAM_PROMPT_ECHO_ON: + case PAM_PROMPT_ECHO_OFF: + if (message->msg_style == PAM_PROMPT_ECHO_ON) { + if (fgets(pwbuf, sizeof(pwbuf), + stdin) != NULL) { + pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; + pwstring = pwbuf; + } + } else { + pwstring = getpass(message->msg ? + message->msg : + ""); + } + if ((pwstring != NULL) && (pwstring[0] != '\0')) { + pwsize = strlen(pwstring); + resp[i].resp = malloc(pwsize + 1); + if (resp[i].resp == NULL) { + resp[i].resp_retcode = PAM_BUF_ERR; + } else { + memcpy(resp[i].resp, pwstring, pwsize); + resp[i].resp[pwsize] = '\0'; + resp[i].resp_retcode = PAM_SUCCESS; + } + } else { + resp[i].resp_retcode = PAM_CONV_ERR; + code = PAM_CONV_ERR; + } + break; + default: + break; + } + } + *presp = resp; + return code; +} +static int +appl_pam_non_interactive_converse(int num_msg, + const struct pam_message **msg, + struct pam_response **presp, + void *appdata_ptr) +{ + const struct pam_message *message; + struct pam_response *resp; + int i, code; + unsigned int pwsize; + struct appl_pam_non_interactive_args *args; + const char *pwstring; + resp = malloc(sizeof(struct pam_response) * num_msg); + if (resp == NULL) { + return PAM_BUF_ERR; + } + args = appdata_ptr; + memset(resp, 0, sizeof(struct pam_response) * num_msg); + code = PAM_SUCCESS; + for (i = 0; i < num_msg; i++) { + message = &((*msg)[i]); + message = msg[i]; + pwstring = NULL; + switch (message->msg_style) { + case PAM_TEXT_INFO: + case PAM_ERROR_MSG: + break; + case PAM_PROMPT_ECHO_ON: + case PAM_PROMPT_ECHO_OFF: + if (message->msg_style == PAM_PROMPT_ECHO_ON) { + /* 
assume "user" */ + pwstring = args->user; + } else { + /* assume "password" */ + pwstring = args->password; + } + if ((pwstring != NULL) && (pwstring[0] != '\0')) { + pwsize = strlen(pwstring); + resp[i].resp = malloc(pwsize + 1); + if (resp[i].resp == NULL) { + resp[i].resp_retcode = PAM_BUF_ERR; + } else { + memcpy(resp[i].resp, pwstring, pwsize); + resp[i].resp[pwsize] = '\0'; + resp[i].resp_retcode = PAM_SUCCESS; + } + } else { + resp[i].resp_retcode = PAM_CONV_ERR; + code = PAM_CONV_ERR; + } + break; + default: + break; + } + } + *presp = resp; + return code; +} +void +appl_pam_set_forwarded_ccname(const char *ccname) +{ + char *ccname2; + if (appl_pam_started && (ccname != NULL) && (strlen(ccname) > 0)) { + ccname2 = malloc(strlen(KRB5_ENV_CCNAME) + strlen(ccname) + 2); + if (ccname2 != NULL) { +#ifdef DEBUG + printf("Setting %s to \"%s\" in PAM environment.\n", + KRB5_ENV_CCNAME, ccname); +#endif + sprintf(ccname2, "%s=%s", KRB5_ENV_CCNAME, ccname); + pam_putenv(appl_pamh, ccname2); + } + } +} +static int +appl_pam_start(const char *service, int interactive, + const char *login_username, + const char *non_interactive_password, + const char *hostname, + const char *ruser, + const char *tty) +{ + static int exit_handler_registered; + static struct appl_pam_non_interactive_args args; + int ret = 0; + if (appl_pam_started && + (strcmp(login_username, appl_pam_user) != 0)) { + appl_pam_cleanup(); + appl_pam_user = NULL; + } + if (!appl_pam_started) { +#ifdef DEBUG + printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", + service, login_username); +#endif + memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); + appl_pam_conv.conv = interactive ? + &appl_pam_interactive_converse : + &appl_pam_non_interactive_converse; + memset(&args, 0, sizeof(args)); + args.user = strdup(login_username); + args.password = non_interactive_password ? 
+ strdup(non_interactive_password) : + NULL; + appl_pam_conv.appdata_ptr = &args; + ret = pam_start(service, login_username, + &appl_pam_conv, &appl_pamh); + if (ret == 0) { + if (hostname != NULL) { +#ifdef DEBUG + printf("Setting PAM_RHOST to \"%s\".\n", hostname); +#endif + pam_set_item(appl_pamh, PAM_RHOST, hostname); + } + if (ruser != NULL) { +#ifdef DEBUG + printf("Setting PAM_RUSER to \"%s\".\n", ruser); +#endif + pam_set_item(appl_pamh, PAM_RUSER, ruser); + } + if (tty != NULL) { +#ifdef DEBUG + printf("Setting PAM_TTY to \"%s\".\n", tty); +#endif + pam_set_item(appl_pamh, PAM_TTY, tty); + } + if (!exit_handler_registered && + (atexit(appl_pam_cleanup) != 0)) { + pam_end(appl_pamh, 0); + appl_pamh = NULL; + ret = -1; + } else { + appl_pam_started = 1; + appl_pam_starter = getpid(); + appl_pam_user = strdup(login_username); + exit_handler_registered = 1; + } + } + } + return ret; +} +int +appl_pam_authenticate(const char *service, int interactive, + const char *login_username, + const char *non_interactive_password, + const char *hostname, + const char *ruser, + const char *tty) +{ + int ret; + ret = appl_pam_start(service, interactive, login_username, + non_interactive_password, hostname, ruser, tty); + if (ret == 0) { + ret = pam_authenticate(appl_pamh, 0); + } + return ret; +} +int +appl_pam_acct_mgmt(const char *service, int interactive, + const char *login_username, + const char *non_interactive_password, + const char *hostname, + const char *ruser, + const char *tty) +{ + int ret; + appl_pam_pwchange_required = 0; + ret = appl_pam_start(service, interactive, login_username, + non_interactive_password, hostname, ruser, tty); + if (ret == 0) { +#ifdef DEBUG + printf("Calling pam_acct_mgmt().\n"); +#endif + ret = pam_acct_mgmt(appl_pamh, 0); + switch (ret) { + case PAM_IGNORE: + ret = 0; + break; + case PAM_NEW_AUTHTOK_REQD: + appl_pam_pwchange_required = 1; + ret = 0; + break; + default: + break; + } + } + return ret; +} +int 
+appl_pam_requires_chauthtok(void) +{ + return appl_pam_pwchange_required; +} +int +appl_pam_chauthtok(void) +{ + int ret = 0; + if (appl_pam_started) { +#ifdef DEBUG + printf("Changing PAM expired authentication token.\n"); +#endif + ret = pam_chauthtok(appl_pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + } + return ret; +} +int +appl_pam_session_open(void) +{ + int ret = 0; + if (appl_pam_started) { +#ifdef DEBUG + printf("Opening PAM session.\n"); +#endif + ret = pam_open_session(appl_pamh, 0); + if (ret == 0) { + appl_pam_session_opened = 1; + } + } + return ret; +} +int +appl_pam_setenv(void) +{ + int ret = 0; +#ifdef HAVE_PAM_GETENVLIST +#ifdef HAVE_PUTENV + int i; + char **list; + if (appl_pam_started) { + list = pam_getenvlist(appl_pamh); + for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { +#ifdef DEBUG + printf("Setting \"%s\" in environment.\n", list[i]); +#endif + putenv(list[i]); + } + } +#endif +#endif + return ret; +} +int +appl_pam_cred_init(void) +{ + int ret = 0; + if (appl_pam_started) { +#ifdef DEBUG + printf("Initializing PAM credentials.\n"); +#endif + ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); + if (ret == 0) { + appl_pam_creds_initialized = 1; + } + } + return ret; +} +#endif diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h --- /dev/null 2009-06-04 10:34:55.169007373 -0400 +++ krb5-1.7/src/appl/bsd/pam.h 2009-06-04 13:45:57.000000000 -0400 
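Review bot: in pam.c, both conversation functions assign `message` twice in a row (`message = &(msg[0][i]); /* XXX */` then `message = msg[i]; /* XXX */`), so the first line is dead and the code silently picks the array-of-pointers layout; the two lines encode the known split between PAM implementations that pass an array of pointers and those that pass a pointer to an array, and it needs a configure-time decision rather than an XXX. Passwords are also kept longer than necessary: appl_pam_start() strdup()s `non_interactive_password` into the static `args` that is never freed or zeroed (a later appl_pam_start() for another user overwrites the pointer and leaks the previous copy), the interactive path leaves the cleartext in `pwbuf` and in getpass()'s static buffer, and the copies handed to libpam in `resp[i].resp` are made without wiping the source; memset() the local buffers after use and free+zero `args.password` in appl_pam_cleanup(). Minor: treating an empty response as PAM_CONV_ERR rejects empty answers a module may legitimately accept, and `resp` is not freed on the PAM_CONV_ERR return path.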
@@ -0,0 +1,65 @@ +/* + * src/appl/bsd/pam.h + * + * Copyright 2007,2009 Red Hat, Inc. + * + * All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of Red Hat, Inc. nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Convenience wrappers for using PAM. 
+ */ + +#include +#ifdef HAVE_SECURITY_PAM_APPL_H +#include +#endif + +#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" + +#ifdef USE_PAM +int appl_pam_enabled(krb5_context context, const char *section); +int appl_pam_authenticate(const char *service, int interactive, + const char *local_username, + const char *non_interactive_password, + const char *hostname, + const char *ruser, + const char *tty); +int appl_pam_acct_mgmt(const char *service, int interactive, + const char *local_username, + const char *non_interactive_password, + const char *hostname, + const char *ruser, + const char *tty); +int appl_pam_requires_chauthtok(void); +int appl_pam_chauthtok(void); +void appl_pam_set_forwarded_ccname(const char *ccname); +int appl_pam_session_open(void); +int appl_pam_setenv(void); +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in --- krb5-1.7/src/appl/gssftp/configure.in 2006-03-31 16:00:40.000000000 -0500 +++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:45:57.000000000 -0400 @@ -17,6 +17,7 @@ DECLARE_SYS_ERRLIST AC_REPLACE_FUNCS(getdtablesize) AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv) AC_CHECK_LIB(crypt,crypt) dnl +KRB5_WITH_PAM KRB5_AC_LIBUTIL dnl dnl copied from appl/bsd/configure.in diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd.c --- krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-01-28 00:42:11.000000000 -0500 +++ krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-06-04 13:45:57.000000000 -0400 @@ -67,6 +67,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40 #ifdef HAVE_SHADOW #include #endif +#ifdef USE_PAM +#include "../../bsd/pam.h" +#endif #include #include #ifndef POSIX_SETJMP 
@@ -745,6 +748,22 @@ user(name) name); } #endif /* GSSAPI */ +#ifdef USE_PAM + if (appl_pam_enabled(kcontext, "ftpd")) { + if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, + pw->pw_name, "", + hostname, + NULL, + FTP_PAM_SERVICE) != 0) { + reply(530, "Login incorrect."); + return; + } + if (appl_pam_requires_chauthtok()) { + reply(530, "Password change required."); + return; + } + } +#endif if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) { strncat(buf, "; Access denied.", @@ -846,6 +865,10 @@ end_login() (void) krb5_seteuid((uid_t)0); if (logged_in) pty_logwtmp(ttyline, "", ""); +#ifdef USE_PAM + if (appl_pam_enabled(kcontext, "ftpd")) + appl_pam_cleanup(); +#endif if (have_creds) { #ifdef GSSAPI krb5_cc_destroy(kcontext, ccache); @@ -954,9 +977,19 @@ pass(passwd) * kpass fails and the user has no local password * kpass fails and the provided password doesn't match pw */ - if (pw == NULL || (!kpass(pw->pw_name, passwd) && - (want_creds || !*pw->pw_passwd || - strcmp(xpasswd, pw->pw_passwd)))) { + if ((pw == NULL) || +#ifdef USE_PAM + appl_pam_enabled(kcontext, "ftpd") ? + (appl_pam_authenticate(FTP_PAM_SERVICE, 0, + pw->pw_name, passwd, + hostname, + NULL, + FTP_PAM_SERVICE) != 0) : +#endif + (!kpass(pw->pw_name, passwd) && + (want_creds || + !*pw->pw_passwd || + strcmp(xpasswd, pw->pw_passwd)))) { pw = NULL; sleep(5); if (++login_attempts >= 3) { @@ -973,6 +1006,23 @@ pass(passwd) } login_attempts = 0; /* this time successful */ +#ifdef USE_PAM + if (appl_pam_enabled(kcontext, "ftpd")) { + if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, + pw->pw_name, passwd, + hostname, + NULL, + FTP_PAM_SERVICE) != 0) { + reply(530, "Login incorrect."); + return; + } + if (appl_pam_requires_chauthtok()) { + reply(530, "Password change required."); + return; + } + } +#endif + login(passwd, 0); return; } 
@@ -988,6 +1038,18 @@ login(passwd, logincode) chown(ccname, pw->pw_uid, pw->pw_gid); #endif } +#ifdef USE_PAM + if (appl_pam_enabled(kcontext, "ftpd")) { + if (appl_pam_session_open() != 0) { + reply(550, "Can't open PAM session."); + goto bad; + } + if (appl_pam_cred_init() != 0) { + reply(550, "Can't establish PAM credentials."); + goto bad; + } + } +#endif (void) krb5_setegid((gid_t)pw->pw_gid); (void) initgroups(pw->pw_name, pw->pw_gid); @@ -1960,6 +2022,10 @@ dologout(status) krb5_cc_destroy(kcontext, ccache); #endif } +#ifdef USE_PAM + if (appl_pam_enabled(kcontext, "ftpd")) + appl_pam_cleanup(); +#endif /* beware of flushing buffers after a SIGPIPE */ _exit(status); } diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd/Makefile.in --- krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-01-05 15:27:53.000000000 -0500 +++ krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-06-04 13:45:57.000000000 -0400 @@ -14,23 +14,25 @@ SETENVOBJ=@SETENVOBJ@ LIBOBJS=@LIBOBJS@ COMERRLIB=$(BUILDTOP)/util/et/libcom_err.a FTPD_LIBS=@FTPD_LIBS@ +PAM_LIBS=@PAM_LIBS@ SRCS = $(srcdir)/ftpd.c ftpcmd.c $(srcdir)/popen.c \ $(srcdir)/vers.c \ $(srcdir)/../ftp/glob.c \ $(srcdir)/../ftp/radix.c \ $(srcdir)/../ftp/secure.c \ + $(srcdir)/../../bsd/pam.c \ $(srcdir)/../../bsd/getdtablesize.c $(SETENVSRC) OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \ - secure.o $(LIBOBJS) $(SETENVOBJ) + secure.o pam.o getdtablesize.o $(LIBOBJS) $(SETENVOBJ) LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) all:: ftpd ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) + $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) $(PAM_LIBS) generate-files-mac: ftpcmd.c 
@@ -62,6 +64,8 @@ secure.o: $(srcdir)/../ftp/secure.c getdtablesize.o: $(srcdir)/../../bsd/getdtablesize.c $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/getdtablesize.c +pam.o: $(srcdir)/../../bsd/pam.c + $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/pam.c setenv.o: $(srcdir)/../../bsd/setenv.c $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/setenv.c diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c --- krb5-1.7/src/clients/ksu/main.c 2008-12-01 12:09:59.000000000 -0500 +++ krb5-1.7/src/clients/ksu/main.c 2009-06-04 13:45:57.000000000 -0400 @@ -25,6 +25,7 @@ * KSU was writen by: Ari Medvinsky, ari at isi.edu */ +#include "autoconf.h" #include "ksu.h" #include "adm_proto.h" #include @@ -32,6 +33,11 @@ #include #include +#ifdef USE_PAM +#include "../../appl/bsd/pam.h" +int force_fork = 0; +#endif + /* globals */ char * prog_name; int auth_debug =0; @@ -791,7 +797,24 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } - if( keep_target_cache ) { +#ifdef USE_PAM + if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, + NULL, source_user, ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); + sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", target_user); + sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; + } +#endif + + if( keep_target_cache && !force_fork ) { execv(params[0], params); com_err(prog_name, errno, "while trying to execv %s", params[0]); 
@@ -799,6 +822,33 @@ main (argc, argv) exit(1); }else{ statusp = 1; + +#ifdef USE_PAM + if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_session_open() != 0) { + fprintf(stderr, "Error opening session for %s.\n", target_user); + sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG + if (auth_debug){ + printf(" Opened PAM session.\n"); + } +#endif + if (appl_pam_cred_init()) { + fprintf(stderr, "Error initializing credentials for %s.\n", + target_user); + sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG + if (auth_debug){ + printf(" Initialized PAM credentials.\n"); + } +#endif + } +#endif + switch ((child_pid = fork())) { default: if (auth_debug){ @@ -822,15 +872,34 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, "while calling waitpid"); } - sweep_up(ksu_context, cc_target); + if( !keep_target_cache ) { + sweep_up(ksu_context, cc_target); + } exit (statusp); case -1: com_err(prog_name, errno, "while trying to fork."); sweep_up(ksu_context, cc_target); exit (1); case 0: +#ifdef USE_PAM + if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_setenv() != 0) { + fprintf(stderr, "Error setting up environment for %s.\n", + target_user); + exit (1); + } +#ifdef DEBUG + if (auth_debug){ + printf(" Set up PAM environment.\n"); + } +#endif + } +#endif execv(params[0], params); com_err(prog_name, errno, "while trying to execv %s", params[0]); + if( keep_target_cache ) { + sweep_up(ksu_context, cc_target); + } exit (1); } } diff -up krb5-1.7/src/clients/ksu/Makefile.in krb5-1.7/src/clients/ksu/Makefile.in --- krb5-1.7/src/clients/ksu/Makefile.in 2009-01-05 15:27:53.000000000 -0500 +++ krb5-1.7/src/clients/ksu/Makefile.in 2009-06-04 13:45:57.000000000 -0400 @@ -15,6 +15,7 @@ SRCS = \ $(srcdir)/ccache.c \ $(srcdir)/authorization.c \ $(srcdir)/main.c \ + $(srcdir)/../../appl/bsd/pam.c \ $(srcdir)/heuristic.c \ $(srcdir)/xmalloc.c \ $(srcdir)/setenv.c 
@@ -23,13 +24,17 @@ OBJS = \ ccache.o \ authorization.o \ main.o \ + pam.o \ heuristic.o \ xmalloc.o @SETENVOBJ@ all:: ksu ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) + $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) + +pam.o: $(srcdir)/../../appl/bsd/pam.c + $(CC) $(ALL_CFLAGS) -c $< clean:: $(RM) ksu diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in --- krb5-1.7/src/config/pre.in 2009-04-15 16:06:35.000000000 -0400 +++ krb5-1.7/src/config/pre.in 2009-06-04 13:45:57.000000000 -0400 @@ -181,6 +181,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ LDARGS = @LDARGS@ LIBS = @LIBS@ +PAM_LIBS = @PAM_LIBS@ INSTALL=@INSTALL@ INSTALL_STRIP= diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in --- krb5-1.7/src/configure.in 2009-04-15 16:07:03.000000000 -0400 +++ krb5-1.7/src/configure.in 2009-06-04 13:45:57.000000000 -0400 @@ -1040,6 +1040,8 @@ fi dnl AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) +KRB5_WITH_PAM + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) V5_AC_OUTPUT_MAKEFILE(. From rt-comment at krbdev.mit.edu Fri Jun 26 18:45:24 2009 
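Review bot: in appl_pam_setenv (pam.c hunk) the array returned by pam_getenvlist() is never freed and ret is never assigned, so a NULL list (PAM not started, or allocation failure inside PAM) is reported as success. Each string is handed to putenv(3), which keeps the pointer in environ, so the strings must stay allocated, but the outer array is the caller's and should be released after the loop (`free(list);`), and the function should return non-zero when appl_pam_started is set and pam_getenvlist() returns NULL. The DEBUG printf also echoes the full name=value of every variable to stdout; printing only the name is enough to trace what was set.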
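Review bot: pam.h has no include guard, and it is pulled in from two different directories (appl/gssftp/ftpd and clients/ksu) via relative paths; add the usual `#ifndef APPL_PAM_H` guard. FTP_PAM_SERVICE and KSU_PAM_SERVICE, which every caller passes as the service name, are not defined in pam.h or in any hunk of this excerpt; whichever header defines them should be the one the callers include.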
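Review bot: the user() hunk in ftpd.c runs appl_pam_acct_mgmt() and answers with two distinguishable replies ("Login incorrect." versus "Password change required.") before any password has been presented, so an unauthenticated client can learn from USER alone whether an account exists and whether it is locked or expired; for the password path this is also pam_acct_mgmt before pam_authenticate, and pass() repeats the same checks after authentication anyway. The hunk further dereferences pw->pw_name with no null check in sight, while the pass() hunk guards the same call with (pw == NULL). Suggest gating the user()-time check on `authorized` (the GSSAPI case handled in the block just above) and using a single generic 530 reply there.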
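Review bot: operator-precedence bug in the pass() hunk of ftpd.c. `||` binds tighter than `?:`, so with USE_PAM defined the new condition parses as `((pw == NULL) || appl_pam_enabled(kcontext, "ftpd")) ? (appl_pam_authenticate(..., pw->pw_name, ...) != 0) : (!kpass(...) && ...)`. For an unknown user pw is NULL, the test is true, the ternary takes the PAM branch and pw->pw_name is dereferenced, whether or not use_pam is set in the profile; the pre-patch code short-circuited to the failure path in that case. Parenthesize the ternary so it is one operand of the `||`: `(pw == NULL) || (appl_pam_enabled(kcontext, "ftpd") ? (... != 0) : (!kpass(...) && ...))`. gcc -Wparentheses flags exactly this pattern. The comment block above the condition that enumerates the failure cases ("kpass fails and ...") should also gain a line for the PAM case.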
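Review bot: in the login() hunk of ftpd.c the session is opened and credentials established but appl_pam_setenv() is never called on this path, so anything a module exports with pam_putenv (a KRB5CCNAME pointing at a cache created in setcred, for example) never reaches ftpd's environment; if that is deliberate, say so in a comment next to the appl_pam_cred_init() call. The `goto bad` on failure also happens after ccname has been chown()ed to the user just above; make sure the bad: path removes that cache.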
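Review bot: the dologout() hunk in ftpd.c calls appl_pam_cleanup(), which runs module code (pam_close_session, pam_end) that is not async-signal-safe; the "beware of flushing buffers after a SIGPIPE" comment and the _exit() immediately below indicate dologout can be reached from a signal handler. This is the same caveat the existing krb5_cc_destroy() call carries, so it is not a regression, but it deserves a comment, and if a flag-and-return-to-main-loop structure exists for the signal case the PAM teardown belongs there.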
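Review bot: in ftpd/Makefile.in, getdtablesize.o is now listed explicitly in OBJS while gssftp/configure.in still has AC_REPLACE_FUNCS(getdtablesize) and OBJS still expands $(LIBOBJS); on a platform without getdtablesize() the same object is linked twice, and on one that has it the replacement is built regardless. Keep the LIBOBJS mechanism and drop the explicit getdtablesize.o, as the pre-patch line did. pam.o is compiled in unconditionally, which is fine only if pam.c is wrapped in #ifdef USE_PAM from top to bottom; the trailing #endif at the end of pam.c suggests it is, but the top of the file is not in this excerpt.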
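Review bot: build break in ksu/main.c. force_fork is declared inside `#ifdef USE_PAM` (`int force_fork = 0;`) but tested outside it in `if( keep_target_cache && !force_fork ) {`, so a build without PAM fails with an undeclared identifier. Declare it unconditionally, and make it static since nothing outside main.c uses it. Minor: ttyname(STDERR_FILENO) can return NULL and is passed straight through as the tty argument; confirm appl_pam_acct_mgmt() tolerates a NULL tty (it is not visible here).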
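Review bot: in the ksu hunk that opens the PAM session before fork(), both error exits after appl_pam_session_open() succeeds call sweep_up() and exit(1) without appl_pam_cleanup(), so a failing appl_pam_cred_init() leaves a session opened and never closed. Style: `if (appl_pam_cred_init())` is tested as truthy while the call just above uses `!= 0`; use one form.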
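Review bot: the waitpid() hunk in ksu/main.c never closes the PAM session. The parent path after waitpid() now does `if( !keep_target_cache ) { sweep_up(...); } exit (statusp);` and nothing in this hunk calls appl_pam_cleanup(), so the session opened with appl_pam_session_open() and the credentials established with appl_pam_cred_init() in the parent are neither closed (pam_close_session) nor deleted (PAM_DELETE_CRED); session-accounting modules see an open without a close, and any credential a module created persists. Call appl_pam_cleanup() after waitpid() returns, before exit(statusp), and also on the fork() failure path. In the child, the exit(1) after an appl_pam_setenv() failure skips the sweep_up() that the execv() failure path below it performs when keep_target_cache is set.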
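Review bot: portability nit in ksu/Makefile.in: `$(CC) $(ALL_CFLAGS) -c $<` uses `$<` in an explicit rule, which is a GNU make extension (POSIX only defines it in inference rules). The ftpd/Makefile.in rule added in this same patch spells out `$(srcdir)/../../bsd/pam.c`; do the same here.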
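Review bot: KRB5_WITH_PAM is invoked from both the top-level configure.in and gssftp/configure.in, but its definition is not part of this excerpt. Whatever defines it has to set PAM_LIBS (now substituted in config/pre.in and used by both link lines) and AC_DEFINE USE_PAM, HAVE_SECURITY_PAM_APPL_H and HAVE_PAM_GETENVLIST, which pam.h and pam.c test; ksu/main.c adds `#include "autoconf.h"` precisely to see those, so the macro must run before the top-level config header is generated. Worth a sentence in the commit message saying where the macro lives.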
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Fri, 26 Jun 2009 22:45:24 +0000 (UTC)
Subject: [krbdev.mit.edu #6522] bugs in generating kadmin service principal name from hostname
In-Reply-To:
Message-ID:

I think kadm5_get_admin_service_name should be using krb5_sname_to_principal. As the code is now, it doesn't follow the same logic for generating the host-based principal names for kadmin as we use for other host-based services. (You can argue that that logic in sn2princ is wrong, and we shouldn't be doing the DNS lookups, blah blah blah, but I think being inconsistent and wrong in two places is worse than being consistently wrong and doing it in one place.)

If there's a reason for it not to use krb5_sname_to_principal, it should probably at least force the hostname to lower-case when constructing the principal name. The only reason I can think of is consistency with Sun's behavior, but I would think we'd want that more globally, or more generally configurable, not just confined to kadmin.

From rt-comment at krbdev.mit.edu Fri Jun 26 19:01:00 2009
From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT)
Date: Fri, 26 Jun 2009 23:01:00 +0000 (UTC)
Subject: [krbdev.mit.edu #5916] Re: [krbdev.mit.edu #6516] Re: Reading kerberos-adm from DNS (PATCH)
In-Reply-To:
Message-ID:

On Jun 21, 2009, at 13:42, megacz at cs.berkeley.edu via RT wrote:
> It seems that this patch didn't wind up in the recent kerberos
> release. Do you think somebody could review it for inclusion soon, so
> that it has a chance of making it into the next release? If any
> changes need to be made, please let me know and I will make them.

Hi, Adam. I'm sorry it took so long to get back to this one. I've looked at the patch in more detail, and see some problems in using it with the current code:

First, a minor point, the source code you're patching has changed. There are now a macro and helper function used to fetch a string parameter from either the command-line data or supplied profile. That change probably doesn't need to be undone, it merely means the patch doesn't apply trivially.

Second, also a minor point, locate_server is going to check the profile referenced in the context. It should use a subset of the config files supplied in the profile argument passed in, and in the same order, so it shouldn't get wrong results if the profile search has already failed, but it is doing redundant work. That could be worked around a couple of ways -- supply an explicit profile to locate_server through yet another argument, or have it skip the use of the profile if the relevant string argument is instead a null pointer. I haven't checked to see if that will do something reasonable when invoking service-location plugins though, and that should be supported here as well. (Using locate_server will get that support, so it is the right way to go.) If it turns out to be difficult or ugly, we can probably just live with the redundant checks for now and not worry about it; locating the kadmin server is rarely something performance-critical.

Third, more serious: One of the changes in the kadmin code in recent years was to add support for using kadmin/serverhostname as an alternative service principal name. Logically, we should probably use the name presented in the SRV record, rather than having to go look the address up again in DNS. (Currently kadm5_get_admin_service_name does use DNS to get the canonical name, but we should keep that mistake localized to one place where we can fix it later when we've got solid name canonicalization support, and we should use the same process for getting the principal name whether we got the host name from the config file or from DNS. And, the CNAME processing done by gethostbyname is not necessarily going to give the same result that gethostbyaddr/getnameinfo will return for an address.)

This may get messier to fix than the others... I think we want all of the mechanisms that can be used to get a server address, including plugins (and the sample Python plugin), to supply a host name, probably in addition to the address, not instead of it. This will probably mean changing some of the internal interfaces. I'm uncertain whether that interface should permit a null pointer or empty string, and what that should mean -- should the library look up the address to get a name, or should it not fall back to host-based principal naming for that case? And a smart plugin could know that for the KDC case we don't care about the host name, and omit it. (Should it return a service principal name instead/too?)

Fourth, and related to ticket #5890, kadm5_get_admin_service_name will need tweaking for the DNS SRV usage, too; might as well fix the various problems at once. (Or fix 5890 first, designing the changes with the future SRV support in mind.)

Ken
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From rt-comment at krbdev.mit.edu Fri Jun 26 21:00:07 2009
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sat, 27 Jun 2009 01:00:07 +0000 (UTC)
Subject: [krbdev.mit.edu #6519] SVN Commit
In-Reply-To:
Message-ID:

In krb5_copy_error_message, pass correct pointer to krb5int_clear_error.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22424

Commit By: ghudson
Revision: 22424
Changed Files: U trunk/src/lib/krb5/krb/kerrs.c