pam-krb5 3.9 released (patch for AIX NAS library)

Markus Moeller huaraz at moeller.plus.com
Tue Dec 25 14:06:36 EST 2007


"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87wsr24qw7.fsf at windlord.stanford.edu...
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>
>> find attached a patch which allows to compile pam-krb5 against IBM's NAS
>> libraries (which are based on MIT 1.4.x). Unfortunately IBM doesn't seem
>> to export the profile calls, so I included them into options.c. I didn't
>> update configure.in yet. I only changed in configure the KRB5EXTRA
>> statement
>> -  KRB5EXTRA="-lk5crypto -lcom_err"
>> +  KRB5EXTRA="-lk5profile -lksvc"
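Review bot: the KRB5EXTRA line is changed in the generated configure rather than in configure.in, and it replaces "-lk5crypto -lcom_err" outright instead of selecting "-lk5profile -lksvc" only when the NAS libraries are detected. As written the edit is lost on the next autoconf run and applies to every platform; move it into configure.in behind a probe for the NAS libraries and keep the existing value as the default.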
>
> Is there some specific function I should look for in ksvc to see whether
> or not I need that library?  (What function wasn't found without it?)
>

It is for the error_message replacement:

const char *KRB5_CALLCONV error_message(long code) {
 char *msg=NULL;
 krb5_svc_get_msg(code,&msg);
 return msg;
}

It also has com_err in it.

>> diff -w -B -r -u -N pam-krb5-3.9/api-auth.c pam-krb5-3.9-aix/api-auth.c
>> --- pam-krb5-3.9/api-auth.c 2007-12-25 14:37:27.000000000 +0000
>> +++ pam-krb5-3.9-aix/api-auth.c 2007-12-05 15:41:50.000000000 +0000
>> @@ -27,6 +27,9 @@
>>  # include <pam/pam_modules.h>
>>  #endif
>>  #include <stdio.h>
>> +#ifdef _AIX
>> +extern int snprintf(char *__restrict__, size_t, const char 
>> *__restrict__, ...);
>> +#endif
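Review bot: the hand-written "extern int snprintf(...)" under #ifdef _AIX in api-auth.c works around a prototype that the system stdio.h already provides behind a feature-test macro (the excerpt quoted later in this message guards it with _XOPEN_SOURCE >= 500 or _ISOC99_SOURCE). Have the build define the appropriate macro before any system header is included, so the native declaration is used and no platform-specific prototype has to be maintained in the source file.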
>
> Why was this needed?  Do I maybe need to add the Autoconf logic to define
> _ALL_SOURCE instead so that I can get the native AIX prototype?  I was
> hoping AIX wouldn't need that by now.
>

If I didn't define snprintf I got warnings and it is defined in stdio.h as
follows:

#if (_XOPEN_SOURCE >= 500) || defined(_ISOC99_SOURCE)
extern int      snprintf(char *__restrict__, size_t, const char *__restrict__, ...);
#endif /* _XOPEN_SOURCE >= 500 */

So I guess _ALL_SOURCE will define it.

>> --- pam-krb5-3.9/options.c 2007-11-13 00:20:39.000000000 +0000
>> +++ pam-krb5-3.9-aix/options.c 2007-12-13 13:34:05.000000000 +0000
>
> [...]
>
>> +void KRB5_CALLCONV
>> +krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
>> +{
>> +   opt->flags = 0;
>> +}
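Review bot: krb5_verify_init_creds_opt_init is defined in options.c under the library's own krb5_ name, and no guard is visible in the quoted lines, so any platform whose libkrb5 exports this function gets a duplicate definition at link time. Compile it only when a configure check reports the function missing from the library, and document in a comment that it is a fallback for libraries that ship the struct without the initializer.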
>
> AIX provides the functions for verifying initial creds and the struct, but
> doesn't provide the initialization function?
>

Not that I know. Here is a list of calls which seem to be available.

dump -T libkrb5.a | grep "krb5_.*init_creds"
[346]   0x2000812c   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_keytab
[349]   0x20008174   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_tkt_life
[350]   0x20008180   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_renew_life
[352]   0x20008198   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_salt
[353]   0x200081a4   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_preauth_list
[354]   0x200081b0   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_address_list
[355]   0x200081bc   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_etype_list
[356]   0x200081c8   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_proxiable
[357]   0x200081d4   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_set_forwardable
[358]   0x200081e0   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_init
[359]   0x200081ec   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_password
[425]   0x20008714   0x0002     0x02   0x0a    0x1          0x0000 krb5_verify_init_creds


>> +        if (realmstr) {
>> +                names[2] = realmstr;
>> +                names[3] = option;
>> +                names[4] = 0;
>> +                retval = profile_get_values(profile, names, &nameval);
>> +                if (retval == 0 && nameval && nameval[0]) {
>> +                        *ret_value = strdup(nameval[0]);
>> +                        goto goodbye;
>> +                }
>> +        }
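Review bot: the result of strdup(nameval[0]) is stored in *ret_value and control jumps to goodbye without a NULL check, so an allocation failure is returned to the caller as success with a NULL value. Check the strdup return and set retval to ENOMEM before the goto; also confirm that the goodbye path frees nameval, since that cleanup is not visible in this hunk.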
>
> Hm, the functions like profile_get_values are internal Kerberos library
> functions.  They're exported on AIX?  I'm leery of calling them directly,
> since they're supposed to be internal and could therefore disappear again.
>

Yes, the whole appdefault_get function is not exported, so I copied it from
the MIT sources, and since it is internal I didn't have access to the context
structure, which is why I had to exclude a check of context->magic.
But the profile I could get with krb5_get_profile.

+/*MM
+ * context structure is only available internally
+ * for the moment ignore test
+            if (!context || (context->magic != KV5M_CONTEXT))
+            return KV5M_CONTEXT;
+            profile = context->profile;
+*/
+            if (!context)
+            return KV5M_CONTEXT;
+            krb5_get_profile(context, &profile);
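Review bot: the return value of krb5_get_profile(context, &profile) is ignored, so profile may be used uninitialized if the call fails, and with the context->magic test commented out only a NULL context is rejected. Check and propagate the krb5_get_profile error code, and replace the commented-out block (including the MM marker) with a one-line comment stating that the context structure is opaque here and the magic check cannot be performed.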


> Thank you very much for the patch and the detective work.  It sounds like
> that implementation of Kerberos is substantially different than MIT's.  I
> wonder why it varies so heavily.
>

It is mainly the same as MIT, only some internal functions are not exported.

Markus

> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
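
The symbol check discussed in this thread, as an added example that is not part of the original message or of pam-krb5: it reads "dump -T" style output and reports which required calls are not exported and therefore need a local fallback. The sample input, the function names and the requirement list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find which required krb5 calls a
# library does not export, using `dump -T` style output on stdin.

# Constructed sample: three entries from the listing in this message; the
# second is split across two lines, as happens when mail wraps the output.
sample_dump() {
cat <<'EOF'
[358]   0x200081e0   0x0002     0x02   0x0a    0x1          0x0000 krb5_get_init_creds_opt_init
[359]   0x200081ec   0x0002     0x02   0x0a    0x1          0x0000
krb5_get_init_creds_password
[425]   0x20008714   0x0002     0x02   0x0a    0x1          0x0000 krb5_verify_init_creds
EOF
}

# exported_symbols: print one symbol name per line. An entry is a line that
# starts with [index]; the name is its 8th field, or the single word on the
# next line when the entry was wrapped after the 7th field.
exported_symbols() {
    awk '
        /^\[[0-9]+\]/ { if (NF >= 8) { print $NF; wrapped = 0 } else wrapped = 1; next }
        wrapped && NF == 1 { print $1 }
        { wrapped = 0 }
    ' | sort -u
}

# missing_symbols NAME...: print every NAME that is not exported. Whole-line
# matching (grep -x) matters: an export of krb5_verify_init_creds must not
# count as an export of krb5_verify_init_creds_opt_init, or the reverse.
missing_symbols() {
    syms=$(exported_symbols)
    for want in "$@"; do
        printf '%s\n' "$syms" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
    return 0
}

# Hypothetical requirement list, taken from the calls discussed in the thread.
sample_dump | missing_symbols \
    krb5_verify_init_creds \
    krb5_verify_init_creds_opt_init \
    krb5_get_init_creds_opt_init
```

On a real system, pipe the unfiltered output of dump -T libkrb5.a into missing_symbols instead of sample_dump.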