pam-krb5 3.9 released (patch for AIX NAS library)
Markus Moeller
huaraz at moeller.plus.com
Tue Dec 25 14:06:36 EST 2007
"Russ Allbery" <rra at stanford.edu> wrote in message
news:87wsr24qw7.fsf at windlord.stanford.edu...
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>
>> find attached a patch which allows to compile pam-krb5 against IBM's NAS
>> libraries (which are based on MIT 1.4.x). Unfortunately IBM doesn't seem
>> to export the profile calls, so I included them into options.c. I didn't
>> update configure.in yet. I only changed in configure the KRB5EXTRA
>> statement
>> - KRB5EXTRA="-lk5crypto -lcom_err"
>> + KRB5EXTRA="-lk5profile -lksvc"
>
> Is there some specific function I should look for in ksvc to see whether
> or not I need that library? (What function wasn't found without it?)
>
It is for the error_message replacement:

    /* Replacement for com_err's error_message(), built on krb5_svc_get_msg() */
    const char *KRB5_CALLCONV error_message(long code) {
        char *msg = NULL;
        krb5_svc_get_msg(code, &msg);
        return msg;
    }

It also has com_err in it.
>> diff -w -B -r -u -N pam-krb5-3.9/api-auth.c pam-krb5-3.9-aix/api-auth.c
>> --- pam-krb5-3.9/api-auth.c 2007-12-25 14:37:27.000000000 +0000
>> +++ pam-krb5-3.9-aix/api-auth.c 2007-12-05 15:41:50.000000000 +0000
>> @@ -27,6 +27,9 @@
>> # include <pam/pam_modules.h>
>> #endif
>> #include <stdio.h>
>> +#ifdef _AIX
>> +extern int snprintf(char *__restrict__, size_t, const char
>> *__restrict__, ...);
>> +#endif
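Review bot: the hand-written snprintf prototype under #ifdef _AIX, placed right after #include <stdio.h>, papers over a missing feature-test macro instead of fixing it. A local extern declaration has to be repeated in every file that calls snprintf and can drift from the system header's prototype; it would be cleaner to have configure define the macro that makes <stdio.h> declare snprintf on AIX and drop these three lines from api-auth.c.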
>
> Why was this needed? Do I maybe need to add the Autoconf logic to define
> _ALL_SOURCE instead so that I can get the native AIX prototype? I was
> hoping AIX wouldn't need that by now.
>
If I didn't define snprintf I got warnings and it is defined in stdio.h as
follows:

    #if (_XOPEN_SOURCE >= 500) || defined(_ISOC99_SOURCE)
    extern int snprintf(char *__restrict__, size_t, const char *__restrict__, ...);
    #endif /* _XOPEN_SOURCE >= 500 */

So I guess _ALL_SOURCE will define it.
>> --- pam-krb5-3.9/options.c 2007-11-13 00:20:39.000000000 +0000
>> +++ pam-krb5-3.9-aix/options.c 2007-12-13 13:34:05.000000000 +0000
>
> [...]
>
>> +void KRB5_CALLCONV
>> +krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
>> +{
>> + opt->flags = 0;
>> +}
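Review bot: krb5_verify_init_creds_opt_init is defined here under the library's own name with no guard visible in this hunk, so on any platform whose libkrb5 does export it the build gets a duplicate or shadowing definition. Wrap the definition in a configure-time check for the function (for example #ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT) so it is compiled only where the library lacks it, and add a comment saying why the fallback exists.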
>
> AIX provides the functions for verifying initial creds and the struct, but
> doesn't provide the initialization function?
>
Not that I know. Here is a list of calls which seem to be available.

dump -T libkrb5.a | grep "krb5_.*init_creds"
[346] 0x2000812c 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_keytab
[349] 0x20008174 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_tkt_life
[350] 0x20008180 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_renew_life
[352] 0x20008198 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_salt
[353] 0x200081a4 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_preauth_list
[354] 0x200081b0 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_address_list
[355] 0x200081bc 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_etype_list
[356] 0x200081c8 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_proxiable
[357] 0x200081d4 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_set_forwardable
[358] 0x200081e0 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_opt_init
[359] 0x200081ec 0x0002 0x02 0x0a 0x1 0x0000 krb5_get_init_creds_password
[425] 0x20008714 0x0002 0x02 0x0a 0x1 0x0000 krb5_verify_init_creds

>> + if (realmstr) {
>> + names[2] = realmstr;
>> + names[3] = option;
>> + names[4] = 0;
>> + retval = profile_get_values(profile, names, &nameval);
>> + if (retval == 0 && nameval && nameval[0]) {
>> + *ret_value = strdup(nameval[0]);
>> + goto goodbye;
>> + }
>> + }
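Review bot: the result of strdup(nameval[0]) is stored in *ret_value and the code jumps to goodbye without checking it, so an allocation failure leaves *ret_value NULL while retval still reports success. Check the pointer before the goto and set retval to ENOMEM on failure; it is also worth confirming that the goodbye path frees nameval, since that is not visible in this hunk.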
>
> Hm, the functions like profile_get_values are internal Kerberos library
> functions. They're exported on AIX? I'm leery of calling them directly,
> since they're supposed to be internal and could therefore disappear again.
>
Yes, the whole appdefault_get function is not exported, so I copied it from
the MIT sources, and since it is internal I didn't have access to the context
structure, which is why I had to exclude a check of context->magic.
But the profile I could get with krb5_get_profile.
+/*MM
+ * context structure is only available internally
+ * for the moment ignore test
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+ profile = context->profile;
+*/
+ if (!context)
+ return KV5M_CONTEXT;
+ krb5_get_profile(context, &profile);
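Review bot: the return value of krb5_get_profile(context, &profile) on the last added line is ignored, so a failure leaves profile unset for the lookups that follow. Capture and return it, e.g. retval = krb5_get_profile(context, &profile); if (retval) return retval; With the context->magic test commented out, only a NULL context is rejected, which deserves a sentence in the comment block rather than just "for the moment ignore test".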
> Thank you very much for the patch and the detective work. It sounds like
> that implementation of Kerberos is substantially different than MIT's. I
> wonder why it varies so heavily.
>
It is mainly the same as MIT; only some internal functions are not exported.
Markus
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>