Hello community,
here is the log from the commit of package pam_krb5
checked in at Thu Jul 5 01:17:14 CEST 2007.
--------
--- pam_krb5/pam_krb5.changes 2007-03-15 12:37:52.000000000 +0100
+++ /mounts/work_src_done/STABLE/pam_krb5/pam_krb5.changes 2007-07-02 10:39:45.684633000 +0200
@@ -1,0 +2,8 @@
+Mon Jul 2 10:09:34 CEST 2007 - mc@suse.de
+
+- version 2.2.12
+ * add a "pwhelp" option.
+ * Display the KDC error to users.
+ * lots of bugfixes
+
+-------------------------------------------------------------------
Old:
----
pam_krb5-2.2.11-1.tar.bz2
New:
----
pam_krb5-2.2.12-1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_krb5.spec ++++++
--- /var/tmp/diff_new_pack.C14671/_old 2007-07-05 01:16:10.000000000 +0200
+++ /var/tmp/diff_new_pack.C14671/_new 2007-07-05 01:16:10.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package pam_krb5 (Version 2.2.11)
+# spec file for package pam_krb5 (Version 2.2.12)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -13,12 +13,12 @@
Name: pam_krb5
BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel
%define PAM_RELEASE 1
-License: GNU General Public License (GPL)
+License: GPL v2 or later
Group: Productivity/Networking/Security
Provides: pam_krb
Autoreqprov: on
-Version: 2.2.11
-Release: 27
+Version: 2.2.12
+Release: 1
Summary: PAM Module for Kerberos Authentication
URL: http://sourceforge.net/projects/pam-krb5/
Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
@@ -47,7 +47,7 @@
%build
%{suse_update_config -f}
autoreconf --verbose --force --install
-CFLAGS="$RPM_OPT_FLAGS -fstack-protector " \
+CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \
./configure --libdir=/%_lib/ \
--prefix=/usr \
--mandir=%{_mandir} \
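Review bot: The new `CFLAGS` line drops `-fstack-protector` while adding `-D_GNU_SOURCE`, and neither the changelog entry nor the spec says why. For a PAM module that handles KDC replies and user input, the hardening flag should only go if `$RPM_OPT_FLAGS` already supplies it on every build target, which this page does not show. If it does, a comment such as `# -fstack-protector is provided by RPM_OPT_FLAGS` above the line would make that reviewable; otherwise keep both with `CFLAGS="$RPM_OPT_FLAGS -fstack-protector -D_GNU_SOURCE " \`. The %build section continues outside the hunk.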
@@ -66,7 +66,7 @@
%files
%defattr(444,root,root,755)
-%doc TODO README* COPYING* ChangeLog INSTALL AUTHORS NEWS
+%doc TODO README* COPYING* ChangeLog AUTHORS NEWS
%attr(555,root,root) /%{_lib}/security/pam_krb5.so
%attr(555,root,root) /%{_lib}/security/pam_krb5afs.so
%dir /%{_lib}/security/pam_krb5
@@ -75,6 +75,11 @@
%attr(755,root,root) /usr/bin/afs5log
%changelog
+* Mon Jul 02 2007 - mc@suse.de
+- version 2.2.12
+ * add a "pwhelp" option.
+ * Display the KDC error to users.
+ * lots of bugfixes
* Thu Mar 15 2007 - mc@suse.de
- drop privileges in _pam_krb5_sly_maybe_refresh when
running in set uid and restore them on exit of this
++++++ pam_krb5-2.2.0-0.5-configure_ac.dif ++++++
--- /var/tmp/diff_new_pack.C14671/_old 2007-07-05 01:16:10.000000000 +0200
+++ /var/tmp/diff_new_pack.C14671/_new 2007-07-05 01:16:10.000000000 +0200
@@ -1,6 +1,8 @@
---- configure.ac
-+++ configure.ac 2005/03/31 13:00:53
-@@ -42,14 +42,14 @@
+Index: configure.ac
+===================================================================
+--- configure.ac.orig
++++ configure.ac
+@@ -80,14 +80,14 @@ AC_SUBST(KRB5_BINDIR)
AC_CHECK_LIB(resolv,main)
KRB5_CFLAGS=`$KRB5_CONFIG --cflags krb5`
KRB5_LIBS=`$KRB5_CONFIG --libs krb5`
++++++ pam_krb5-2.2.0-2-noafsonarm.patch ++++++
--- /var/tmp/diff_new_pack.C14671/_old 2007-07-05 01:16:10.000000000 +0200
+++ /var/tmp/diff_new_pack.C14671/_new 2007-07-05 01:16:10.000000000 +0200
@@ -1,6 +1,8 @@
---- src/minikafs.c
+Index: src/minikafs.c
+===================================================================
+--- src/minikafs.c.orig
+++ src/minikafs.c
-@@ -178,7 +178,13 @@
+@@ -179,7 +179,13 @@ minikafs_ioctlcall(long function, long a
static int
minikafs_syscall(long function, long arg1, long arg2, long arg3, long arg4)
{
++++++ pam_krb5-2.2.11-1.tar.bz2 -> pam_krb5-2.2.12-1.tar.bz2 ++++++
++++ 16799 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/ChangeLog new/pam_krb5-2.2.12-1/ChangeLog
--- old/pam_krb5-2.2.11-1/ChangeLog 2006-09-25 10:09:07.000000000 +0200
+++ new/pam_krb5-2.2.12-1/ChangeLog 2007-06-25 10:20:55.000000000 +0200
@@ -1,3 +1,54 @@
+2007-06-24:
+ * src/password.c: display the right string.
+ * tests/run-tests: start to adjust for getting-prompts-changes-passwords
+ behavior.
+ * tests/config/kdc.conf.in: place the location of files in the right
+ part of the file
+
+2007-06-24:
+ * src/password.c(pam_sm_chauthtok): always display result_text for
+ the user's sake. Actually check that we opened the pwhelp file,
+ like Luke's original patch did.
+
+2007-06-24:
+ * tests/pwhelp.txt,tests/run-tests: add a test for the pwhelp option.
+
+2007-06-24:
+ * Makefile.am: don't use the gmake $(shell) option; use backticks.
+
+2007-06-24:
+ * src/options.c: add a "pwhelp" option.
+ * src/password.c(pam_sm_chauthtok): display the contents of the
+ pwhelp file before doing anything else when in the preliminary check
+ phase (#230465, Luke Howard).
+
+2007-06-24:
+ * src/prompter.c(_pam_krb5_always_fail_prompter,
+ _pam_krb5_previous_prompter): output the banner and name information
+ if it was given (#230450).
+
+2007-06-24:
+ * src/password.c(pam_sm_chauthtok): when returning, note whether
+ we are here for the preliminary check or the actual update in the
+ debug message (#230444, Luke Howard).
+
+2007-06-24:
+ * src/password.c(pam_sm_chauthtok): set v5_attempted to 1 for
+ correctness (#230446, Luke Howard, Pieter Krul).
+
+2007-06-24:
+ * src/options.c: don't pass in PAM handles when we don't actually use
+ them.
+
+2007-06-24:
+ * src/acct.c(pam_sm_acct_mgmt): return PAM_USER_UNKNOWN in event of
+ a client-revoked error (#230442, Luke Howard, Christian Bolz, Pieter
+ Krul)
+
+2007-06-24:
+ * src/stash.c(_pam_krb5_stash_shm_read_v5): correct an argument size
+ mismatch calling the logging function.
+
2006-09-21:
* src/auth.c(pam_sm_authenticate): try again to clean up the three
possible setups (pre-entered password, one for which we prompt directly,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/Makefile.am new/pam_krb5-2.2.12-1/Makefile.am
--- old/pam_krb5-2.2.11-1/Makefile.am 2006-06-30 10:32:07.000000000 +0200
+++ new/pam_krb5-2.2.12-1/Makefile.am 2007-06-25 10:20:55.000000000 +0200
@@ -6,8 +6,8 @@
VERSION=$(shell rpm -q --specfile $(top_srcdir)/pam_krb5.spec --qf '%{version}\n' | head -n1)
RELEASE=$(shell rpm -q --specfile $(top_srcdir)/pam_krb5.spec --qf '%{release}\n' | head -n1)
-CVSTAG=pam_krb5-$(shell echo $(VERSION) | tr . _)-$(shell echo $(RELEASE) | tr . _)
-distdir=$(PACKAGE)-$(VERSION)-$(RELEASE)
+CVSTAG=pam_krb5-$(shell rpm -q --specfile $(top_srcdir)/pam_krb5.spec --qf '%{version}-%{release}\n' | head -n1 | tr . _)
+distdir=$(shell rpm -q --specfile $(top_srcdir)/pam_krb5.spec | head -n1)
DISTCLEANFILES = tests/kdc/krb5cc_* tests/kdc/tkt*
tag:
@@ -16,8 +16,8 @@
force-tag:
cvs tag -cF $(CVSTAG)
-CVSROOT=$(shell test -d CVS && cat CVS/Root)
-REPOSITORY=$(shell test -d CVS && cat CVS/Repository)
+CVSROOT=$(shell test -d $(top_srcdir)/CVS && cat $(top_srcdir)/CVS/Root)
+REPOSITORY=$(shell test -d $(top_srcdir)/CVS && cat $(top_srcdir)/CVS/Repository)
ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
archive:
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/NEWS new/pam_krb5-2.2.12-1/NEWS
--- old/pam_krb5-2.2.11-1/NEWS 2006-09-25 10:09:07.000000000 +0200
+++ new/pam_krb5-2.2.12-1/NEWS 2007-06-25 10:20:55.000000000 +0200
@@ -1,3 +1,4 @@
+- 2.2.12: * add a "pwhelp" option. Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
our authentication callback simply failed to authenticate (#207410)
* fix setting of items for password-changing modules which get called
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/pam_krb5.spec new/pam_krb5-2.2.12-1/pam_krb5.spec
--- old/pam_krb5-2.2.11-1/pam_krb5.spec 2006-09-25 10:09:07.000000000 +0200
+++ new/pam_krb5-2.2.12-1/pam_krb5.spec 2007-06-25 10:20:55.000000000 +0200
@@ -1,6 +1,6 @@
Summary: A Pluggable Authentication Module for Kerberos 5.
Name: pam_krb5
-Version: 2.2.11
+Version: 2.2.12
Release: 1
Source0: pam_krb5-%{version}-%{release}.tar.gz
License: LGPL
@@ -45,8 +45,11 @@
%{_mandir}/man8/*
%doc README* COPYING* ChangeLog NEWS
-# $Id: pam_krb5.spec,v 1.159 2006/09/22 03:27:37 nalin Exp $
+# $Id: pam_krb5.spec,v 1.162 2007/06/25 04:01:21 nalin Exp $
%changelog
+* Sun Jun 24 2007 Nalin Dahyabhai - 2.2.12-1
+- update to 2.2.12
+
* Thu Sep 21 2006 Nalin Dahyabhai - 2.2.11-1
- update to 2.2.11
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/acct.c new/pam_krb5-2.2.12-1/src/acct.c
--- old/pam_krb5-2.2.11-1/src/acct.c 2006-09-25 10:09:07.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/acct.c 2007-06-25 10:20:56.000000000 +0200
@@ -62,7 +62,7 @@
#include "v5.h"
#include "v4.h"
-#ident "$Id: acct.c,v 1.21 2006/09/22 02:46:40 nalin Exp $"
+#ident "$Id: acct.c,v 1.22 2007/06/25 01:40:16 nalin Exp $"
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
@@ -195,12 +195,17 @@
case KRB5_REALM_CANT_RESOLVE:
notice("account checks fail for '%s': "
"can't resolve KDC addresses", user);
- return PAM_AUTHINFO_UNAVAIL;
+ retval = PAM_AUTHINFO_UNAVAIL;
break;
case KRB5_KDC_UNREACH:
notice("account checks fail for '%s': "
"KDCs are unreachable", user);
- return PAM_AUTHINFO_UNAVAIL;
+ retval = PAM_AUTHINFO_UNAVAIL;
+ break;
+ case KRB5KDC_ERR_CLIENT_REVOKED:
+ notice("account checks fail for '%s': "
+ "account is locked", user);
+ retval = PAM_USER_UNKNOWN;
break;
default:
notice("account checks fail for '%s': "
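Review bot: Mapping `KRB5KDC_ERR_CLIENT_REVOKED` to `PAM_USER_UNKNOWN` in the new case makes a locked principal look the same as a missing one to the PAM stack. Stacks that configure this module with `user_unknown=ignore` would then skip it and leave the decision to a later account module. If the intent is to deny a locked account, a denying code such as `retval = PAM_ACCT_EXPIRED;` or `retval = PAM_PERM_DENIED;` says so directly. If the mapping is deliberate (the ChangeLog ties it to #230442), a comment `/* locked principal: reported as unknown user, see #230442 */` above the `retval` line would record why. How `retval` is used after the switch is outside this hunk.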
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/options.c new/pam_krb5-2.2.12-1/src/options.c
--- old/pam_krb5-2.2.11-1/src/options.c 2006-09-14 11:30:58.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/options.c 2007-06-25 10:20:56.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2003,2004,2005,2006 Red Hat, Inc.
+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -65,12 +65,12 @@
#include "v5.h"
#include "xstr.h"
-#ident "$Id: options.c,v 1.29 2006/09/13 21:57:01 nalin Exp $"
+#ident "$Id: options.c,v 1.31 2007/06/25 02:55:16 nalin Exp $"
#define LIST_SEPARATORS " \t,"
static krb5_boolean
-option_b(pam_handle_t *pamh, int argc, PAM_KRB5_MAYBE_CONST char **argv,
+option_b(int argc, PAM_KRB5_MAYBE_CONST char **argv,
krb5_context ctx, const char *realm, const char *s)
{
int i;
@@ -111,7 +111,7 @@
return ret;
}
static char *
-option_s(pam_handle_t *pamh, int argc, PAM_KRB5_MAYBE_CONST char **argv,
+option_s(int argc, PAM_KRB5_MAYBE_CONST char **argv,
krb5_context ctx, const char *realm, const char *s,
const char *default_value)
{
@@ -139,7 +139,7 @@
#else
static long
#endif
-option_i(pam_handle_t *pamh, int argc, PAM_KRB5_MAYBE_CONST char **argv,
+option_i(int argc, PAM_KRB5_MAYBE_CONST char **argv,
krb5_context ctx, const char *realm, const char *s)
{
char *tmp, *p;
@@ -149,7 +149,7 @@
long i;
#endif
- tmp = option_s(pamh, argc, argv, ctx, realm, s, "");
+ tmp = option_s(argc, argv, ctx, realm, s, "");
#ifdef HAVE_STRTOLL
i = strtoll(tmp, &p, 10);
@@ -164,14 +164,14 @@
return i;
}
static krb5_deltat
-option_t(pam_handle_t *pamh, int argc, PAM_KRB5_MAYBE_CONST char **argv,
+option_t(int argc, PAM_KRB5_MAYBE_CONST char **argv,
krb5_context ctx, const char *realm, const char *s)
{
char *tmp, *p;
krb5_deltat d;
long i;
- tmp = option_s(pamh, argc, argv, ctx, realm, s, "");
+ tmp = option_s(argc, argv, ctx, realm, s, "");
i = strtol(tmp, &p, 10);
if ((p == NULL) || (p == tmp) || (*p != '\0')) {
@@ -186,13 +186,13 @@
return i;
}
static char **
-option_l(pam_handle_t *pamh, int argc, PAM_KRB5_MAYBE_CONST char **argv,
+option_l(int argc, PAM_KRB5_MAYBE_CONST char **argv,
krb5_context ctx, const char *realm, const char *s)
{
int i;
char *o, *p, *q, **list;
- o = option_s(pamh, argc, argv, ctx, realm, s, "");
+ o = option_s(argc, argv, ctx, realm, s, "");
list = malloc((strlen(o) + 1) * sizeof(char*));
if (list == NULL) {
return NULL;
@@ -245,7 +245,9 @@
memset(options, 0, sizeof(struct _pam_krb5_options));
service = NULL;
- _pam_krb5_get_item_text(pamh, PAM_SERVICE, &service);
+ if (pamh != NULL) {
+ _pam_krb5_get_item_text(pamh, PAM_SERVICE, &service);
+ }
for (i = 0; i < argc; i++) {
if (strncmp(argv[i], "realm=", 6) == 0) {
@@ -278,31 +280,31 @@
for (i = 0; i < argc; i++) {
if (strcmp(argv[i], "debug_parser") == 0) {
char *s, **l;
- i = option_b(pamh, argc, argv, ctx, options->realm,
+ i = option_b(argc, argv, ctx, options->realm,
"boolean_parameter_1");
debug("boolean_parameter_1 = %d", i);
- i = option_b(pamh, argc, argv, ctx, options->realm,
+ i = option_b(argc, argv, ctx, options->realm,
"boolean_parameter_2");
debug("boolean_parameter_2 = %d", i);
- i = option_b(pamh, argc, argv, ctx, options->realm,
+ i = option_b(argc, argv, ctx, options->realm,
"boolean_parameter_3");
debug("boolean_parameter_3 = %d", i);
- s = option_s(pamh, argc, argv,
+ s = option_s(argc, argv,
ctx, options->realm, "string_parameter_1",
"default_string_value");
debug("string_parameter_1 = '%s'", s ? s : "(null)");
free_s(s);
- s = option_s(pamh, argc, argv,
+ s = option_s(argc, argv,
ctx, options->realm, "string_parameter_2",
"default_string_value");
debug("string_parameter_2 = '%s'", s ? s : "(null)");
free_s(s);
- s = option_s(pamh, argc, argv,
+ s = option_s(argc, argv,
ctx, options->realm, "string_parameter_3",
"default_string_value");
debug("string_parameter_3 = '%s'", s ? s : "(null)");
free_s(s);
- l = option_l(pamh, argc, argv,
+ l = option_l(argc, argv,
ctx, options->realm, "list_parameter_1");
for (i = 0; (l != NULL) && (l[i] != NULL); i++) {
debug("list_parameter_1[%d] = '%s'", i, l[i]);
@@ -313,8 +315,7 @@
}
/* private option */
- options->debug = option_b(pamh, argc, argv,
- ctx, options->realm, "debug");
+ options->debug = option_b(argc, argv, ctx, options->realm, "debug");
if (options->debug == -1) {
options->debug = 0;
}
@@ -323,8 +324,7 @@
}
/* private option */
- options->debug_sensitive = option_b(pamh, argc, argv,
- ctx, options->realm,
+ options->debug_sensitive = option_b(argc, argv, ctx, options->realm,
"debug_sensitive");
if (options->debug_sensitive == -1) {
options->debug_sensitive = 0;
@@ -334,13 +334,13 @@
}
/* library options */
- options->addressless = option_b(pamh, argc, argv,
+ options->addressless = option_b(argc, argv,
ctx, options->realm, "addressless");
- options->forwardable = option_b(pamh, argc, argv,
+ options->forwardable = option_b(argc, argv,
ctx, options->realm, "forwardable");
- options->proxiable = option_b(pamh, argc, argv,
+ options->proxiable = option_b(argc, argv,
ctx, options->realm, "proxiable");
- options->renewable = option_b(pamh, argc, argv,
+ options->renewable = option_b(argc, argv,
ctx, options->realm, "renewable");
if (options->debug) {
debug("flags:%s%s%s%s%s%s%s%s",
@@ -356,7 +356,7 @@
#ifdef HAVE_AFS
/* private option */
- options->ignore_afs = option_b(pamh, argc, argv,
+ options->ignore_afs = option_b(argc, argv,
ctx, options->realm, "ignore_afs");
if (options->ignore_afs == -1) {
options->ignore_afs = 0;
@@ -369,12 +369,11 @@
}
/* private option */
- options->tokens = option_b(pamh, argc, argv,
- ctx, options->realm, "tokens");
+ options->tokens = option_b(argc, argv, ctx, options->realm, "tokens");
if (options->tokens != 1) {
options->tokens = 0;
if (service != NULL) {
- list = option_l(pamh, argc, argv, ctx, options->realm,
+ list = option_l(argc, argv, ctx, options->realm,
"tokens");
for (i = 0; (list != NULL) && (list[i] != NULL); i++) {
if (strcmp(list[i], service) == 0) {
@@ -397,7 +396,7 @@
#endif
/* private option */
- options->user_check = option_b(pamh, argc, argv,
+ options->user_check = option_b(argc, argv,
ctx, options->realm, "user_check");
if (options->user_check == -1) {
options->user_check = 1;
@@ -407,7 +406,7 @@
}
/* private option */
- options->use_authtok = option_b(pamh, argc, argv,
+ options->use_authtok = option_b(argc, argv,
ctx, options->realm, "use_authtok");
if (options->use_authtok == -1) {
options->use_authtok = 0;
@@ -417,7 +416,7 @@
}
/* private option */
- options->v4 = option_b(pamh, argc, argv,
+ options->v4 = option_b(argc, argv,
ctx, options->realm, "krb4_convert");
if (options->v4 == -1) {
/* default is to have this behavior disabled... */
@@ -431,7 +430,7 @@
}
/* private option */
- options->v4_use_524 = option_b(pamh, argc, argv,
+ options->v4_use_524 = option_b(argc, argv,
ctx, options->realm, "krb4_convert_524");
if (options->v4_use_524 == -1) {
/* default is to have this behavior enabled... */
@@ -445,7 +444,7 @@
}
/* private option */
- options->v4_use_as_req = option_b(pamh, argc, argv,
+ options->v4_use_as_req = option_b(argc, argv,
ctx, options->realm,
"krb4_use_as_req");
if (options->v4_use_as_req == -1) {
@@ -463,13 +462,13 @@
options->use_first_pass = 1;
options->use_second_pass = 1;
options->use_third_pass = 1;
- use_first_pass = option_b(pamh, argc, argv,
+ use_first_pass = option_b(argc, argv,
ctx, options->realm, "use_first_pass");
- try_first_pass = option_b(pamh, argc, argv,
+ try_first_pass = option_b(argc, argv,
ctx, options->realm, "try_first_pass");
- initial_prompt = option_b(pamh, argc, argv,
+ initial_prompt = option_b(argc, argv,
ctx, options->realm, "initial_prompt");
- subsequent_prompt = option_b(pamh, argc, argv,
+ subsequent_prompt = option_b(argc, argv,
ctx, options->realm, "subsequent_prompt");
if (initial_prompt != -1) {
options->use_second_pass = initial_prompt;
@@ -500,12 +499,12 @@
}
/* private option */
- options->use_shmem = option_b(pamh, argc, argv,
+ options->use_shmem = option_b(argc, argv,
ctx, options->realm, "use_shmem");
if (options->use_shmem != 1) {
options->use_shmem = 0;
if (service != NULL) {
- list = option_l(pamh, argc, argv, ctx, options->realm,
+ list = option_l(argc, argv, ctx, options->realm,
"use_shmem");
for (i = 0; (list != NULL) && (list[i] != NULL); i++) {
if (strcmp(list[i], service) == 0) {
@@ -524,12 +523,12 @@
}
/* private option */
- options->external = option_b(pamh, argc, argv,
+ options->external = option_b(argc, argv,
ctx, options->realm, "external");
if (options->external != 1) {
options->external = 0;
if (service != NULL) {
- list = option_l(pamh, argc, argv, ctx, options->realm,
+ list = option_l(argc, argv, ctx, options->realm,
"external");
for (i = 0; (list != NULL) && (list[i] != NULL); i++) {
if (strcmp(list[i], service) == 0) {
@@ -548,7 +547,7 @@
}
/* private option */
- options->existing_ticket = option_b(pamh, argc, argv,
+ options->existing_ticket = option_b(argc, argv,
ctx, options->realm,
"existing_ticket");
if (options->existing_ticket == -1) {
@@ -559,12 +558,12 @@
}
/* private option */
- options->validate = option_b(pamh, argc, argv,
+ options->validate = option_b(argc, argv,
ctx, options->realm, "validate");
if (options->validate != 1) {
options->validate = 0;
if (service != NULL) {
- list = option_l(pamh, argc, argv, ctx, options->realm,
+ list = option_l(argc, argv, ctx, options->realm,
"validate");
for (i = 0; (list != NULL) && (list[i] != NULL); i++) {
if (strcmp(list[i], service) == 0) {
@@ -579,7 +578,7 @@
debug("flag: validate");
}
- options->warn = option_b(pamh, argc, argv,
+ options->warn = option_b(argc, argv,
ctx, options->realm, "warn");
if (options->warn == -1) {
options->warn = 1;
@@ -589,8 +588,7 @@
}
/* private option */
- options->ticket_lifetime = option_t(pamh, argc, argv,
- ctx, options->realm,
+ options->ticket_lifetime = option_t(argc, argv, ctx, options->realm,
"ticket_lifetime");
if (options->ticket_lifetime < 0) {
options->ticket_lifetime = 0;
@@ -600,8 +598,7 @@
}
/* library option */
- options->renew_lifetime = option_t(pamh, argc, argv,
- ctx, options->realm,
+ options->renew_lifetime = option_t(argc, argv, ctx, options->realm,
"renew_lifetime");
if (options->renew_lifetime < 0) {
options->renew_lifetime = 0;
@@ -614,20 +611,20 @@
}
/* private option */
- options->minimum_uid = option_i(pamh, argc, argv,
+ options->minimum_uid = option_i(argc, argv,
ctx, options->realm, "minimum_uid");
if (options->debug && (options->minimum_uid != (uid_t) -1)) {
debug("minimum uid: %d", options->minimum_uid);
}
/* private options */
- options->banner = option_s(pamh, argc, argv,
+ options->banner = option_s(argc, argv,
ctx, options->realm, "banner",
"Kerberos 5");
if (options->debug && options->banner) {
debug("banner: %s", options->banner);
}
- options->ccache_dir = option_s(pamh, argc, argv,
+ options->ccache_dir = option_s(argc, argv,
ctx, options->realm, "ccache_dir",
DEFAULT_CCACHE_DIR);
if (strlen(options->ccache_dir) == 0) {
@@ -638,7 +635,7 @@
debug("ccache dir: %s", options->ccache_dir);
}
- options->keytab = option_s(pamh, argc, argv,
+ options->keytab = option_s(argc, argv,
ctx, options->realm, "keytab",
DEFAULT_KEYTAB_LOCATION);
if (strlen(options->keytab) == 0) {
@@ -649,7 +646,18 @@
debug("keytab: %s", options->keytab);
}
- options->hosts = option_l(pamh, argc, argv,
+ options->pwhelp = option_s(argc, argv,
+ ctx, options->realm, "pwhelp",
+ "");
+ if (strlen(options->pwhelp) == 0) {
+ xstrfree(options->pwhelp);
+ options->pwhelp = NULL;
+ }
+ if (options->debug && options->pwhelp) {
+ debug("pwhelp: %s", options->pwhelp);
+ }
+
+ options->hosts = option_l(argc, argv,
ctx, options->realm, "hosts");
if (options->hosts) {
int i;
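Review bot: `strlen(options->pwhelp)` is called on the value returned by `option_s()` without a NULL check, although the `debug_parser` code earlier in this file prints `s ? s : "(null)"` for the same function, which suggests a NULL return is possible. The body of `option_s()` is not on this page, so this needs confirming; a guard like `if ((options->pwhelp != NULL) && (strlen(options->pwhelp) == 0)) {` avoids the dereference. The empty string is released with `xstrfree()` here, while the cleanup hunk at `@@ -778,6 +783,8 @@` uses `free_s()` for the same field; picking one keeps the allocation and release pairing obvious. Since the path is later opened by whatever process is changing the password, the man page entry could state that the file should be writable only by the administrator.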
@@ -661,18 +669,16 @@
}
}
- options->ignore_unknown_principals = option_b(pamh, argc, argv, ctx,
+ options->ignore_unknown_principals = option_b(argc, argv, ctx,
options->realm,
"ignore_unknown_principals");
if (options->ignore_unknown_principals == -1) {
- options->ignore_unknown_principals = option_b(pamh, argc, argv,
- ctx,
+ options->ignore_unknown_principals = option_b(argc, argv, ctx,
options->realm,
"ignore_unknown_spn");
}
if (options->ignore_unknown_principals == -1) {
- options->ignore_unknown_principals = option_b(pamh, argc, argv,
- ctx,
+ options->ignore_unknown_principals = option_b(argc, argv, ctx,
options->realm,
"ignore_unknown_upn");
}
@@ -691,8 +697,7 @@
}
}
}
- list = option_l(pamh, argc, argv,
- ctx, options->realm, "afs_cells");
+ list = option_l(argc, argv, ctx, options->realm, "afs_cells");
if ((list != NULL) && (list[0] != NULL)) {
int i;
char *p;
@@ -738,7 +743,7 @@
}
}
- list = option_l(pamh, argc, argv, ctx, options->realm, "mappings");
+ list = option_l(argc, argv, ctx, options->realm, "mappings");
for (i = 0; (list != NULL) && (list[i] != NULL); i++) {
/* nothing */
}
@@ -778,6 +783,8 @@
options->ccache_dir = NULL;
free_s(options->keytab);
options->keytab = NULL;
+ free_s(options->pwhelp);
+ options->pwhelp = NULL;
free_s(options->realm);
options->realm = NULL;
free_l(options->hosts);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/options.h new/pam_krb5-2.2.12-1/src/options.h
--- old/pam_krb5-2.2.11-1/src/options.h 2006-09-14 11:30:58.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/options.h 2007-06-25 10:20:56.000000000 +0200
@@ -67,6 +67,7 @@
char *banner;
char *ccache_dir;
char *keytab;
+ char *pwhelp;
char *realm;
char **hosts;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/pam_krb5.5 new/pam_krb5-2.2.12-1/src/pam_krb5.5
--- old/pam_krb5-2.2.11-1/src/pam_krb5.5 2006-09-25 10:10:57.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/pam_krb5.5 2007-07-02 10:06:51.000000000 +0200
@@ -133,6 +133,10 @@
This directive is deprecated in favor of the \fBlibdefaults\fR
\fBproxiable\fR directive.
+.IP pwhelp=
+specifies the name of a text file whose contents will be displayed to
+clients who attempt to change their passwords. There is no default.
+
.IP renew_lifetime=\fI36000\fR
default renewable lifetime. This specifies how much time you have after
getting credentials to renew them.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/pam_krb5.5.in new/pam_krb5-2.2.12-1/src/pam_krb5.5.in
--- old/pam_krb5-2.2.11-1/src/pam_krb5.5.in 2006-09-14 11:30:58.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/pam_krb5.5.in 2007-06-25 10:20:56.000000000 +0200
@@ -133,6 +133,10 @@
This directive is deprecated in favor of the \fBlibdefaults\fR
\fBproxiable\fR directive.
+.IP pwhelp=
+specifies the name of a text file whose contents will be displayed to
+clients who attempt to change their passwords. There is no default.
+
.IP renew_lifetime=\fI36000\fR
default renewable lifetime. This specifies how much time you have after
getting credentials to renew them.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/pam_krb5.8 new/pam_krb5-2.2.12-1/src/pam_krb5.8
--- old/pam_krb5-2.2.11-1/src/pam_krb5.8 2006-09-25 10:10:57.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/pam_krb5.8 2007-07-02 10:06:51.000000000 +0200
@@ -153,6 +153,10 @@
option is deprecated in favor of the \fIproxiable\fR option in the
\fIlibdefaults\fR section of \fBkrb5.conf\fR(5).
+.IP pwhelp=
+specifies the name of a text file whose contents will be displayed to
+clients who attempt to change their passwords. There is no default.
+
.IP realm=\fIrealm\fR
overrides the default realm set in \fI/etc/krb5.conf\fR, which pam_krb5.so
will attempt to authenticate users to.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/pam_krb5.8.in new/pam_krb5-2.2.12-1/src/pam_krb5.8.in
--- old/pam_krb5-2.2.11-1/src/pam_krb5.8.in 2006-09-14 11:30:58.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/pam_krb5.8.in 2007-06-25 10:20:56.000000000 +0200
@@ -153,6 +153,10 @@
option is deprecated in favor of the \fIproxiable\fR option in the
\fIlibdefaults\fR section of \fBkrb5.conf\fR(5).
+.IP pwhelp=
+specifies the name of a text file whose contents will be displayed to
+clients who attempt to change their passwords. There is no default.
+
.IP realm=\fIrealm\fR
overrides the default realm set in \fI/etc/krb5.conf\fR, which pam_krb5.so
will attempt to authenticate users to.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/password.c new/pam_krb5-2.2.12-1/src/password.c
--- old/pam_krb5-2.2.11-1/src/password.c 2006-09-25 10:09:08.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/password.c 2007-06-25 10:20:56.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2003,2004,2005,2006 Red Hat, Inc.
+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -32,6 +32,9 @@
#include "../config.h"
+#include
+#include
+
#ifdef HAVE_SECURITY_PAM_APPL_H
#include
#endif
@@ -54,6 +57,7 @@
#endif
#endif
+#include "conv.h"
#include "init.h"
#include "initopts.h"
#include "items.h"
@@ -66,7 +70,7 @@
#include "v4.h"
#include "xstr.h"
-#ident "$Id: password.c,v 1.22 2006/09/22 02:47:34 nalin Exp $"
+#ident "$Id: password.c,v 1.27 2007/06/25 03:54:04 nalin Exp $"
int
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
@@ -81,6 +85,10 @@
krb5_get_init_creds_opt gic_options;
int tmp_result;
int i, retval;
+ char *pwhelp;
+ struct stat st;
+ FILE *fp;
+ struct pam_message message;
/* Initialize Kerberos. */
if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
@@ -150,6 +158,58 @@
if (flags & PAM_PRELIM_CHECK) {
retval = PAM_AUTH_ERR;
password = NULL;
+
+ /* Display password help text. */
+ if ((options->pwhelp != NULL) && (options->pwhelp[0] != '\0')) {
+ fp = fopen(options->pwhelp, "r");
+ if (fp != NULL) {
+ if (options->debug) {
+ debug("opened help file '%s'",
+ options->pwhelp);
+ }
+ if (fstat(fileno(fp), &st) != -1) {
+ pwhelp = malloc(st.st_size + 1);
+ if (pwhelp == NULL) {
+ memset(prompt, '\0',
+ sizeof(prompt));
+ i = fread(prompt, 1,
+ sizeof(prompt) -1,
+ fp);
+ pwhelp = prompt;
+ } else {
+ memset(pwhelp, '\0',
+ st.st_size + 1);
+ i = fread(pwhelp, 1,
+ st.st_size, fp);
+ if (options->debug) {
+ debug("read %d bytes",
+ (int) st.st_size);
+ }
+ }
+ } else {
+ memset(prompt, '\0', sizeof(prompt));
+ i = fread(prompt, 1,
+ sizeof(prompt) - 1, fp);
+ pwhelp = prompt;
+ }
+ if (i > 0) {
+ message.msg = pwhelp;
+ message.msg_style = PAM_TEXT_INFO;
+ _pam_krb5_conv_call(pamh, &message, 1,
+ NULL);
+ }
+ if (pwhelp != prompt) {
+ xstrfree(pwhelp);
+ }
+ fclose(fp);
+ } else {
+ if (options->debug) {
+ debug("failed to open help file '%s'",
+ options->pwhelp);
+ }
+ }
+ }
+
/* Obtain the current password. */
if (options->use_first_pass) {
/* Read the stored password. */
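Review bot: The size taken from `fstat()` feeds `malloc(st.st_size + 1)` without checking that the pwhelp path is a regular file or that the size is bounded. A mis-set option pointing at a very large or special file therefore makes the module allocate that much and push it through the PAM conversation in the process changing the password. I would gate the allocation with `if ((fstat(fileno(fp), &st) != -1) && S_ISREG(st.st_mode) && (st.st_size <= PWHELP_MAX_SIZE)) {`, where `PWHELP_MAX_SIZE` is a placeholder for a limit the project would define; everything else then falls through to the existing else-branch that reads into `prompt`. The line `debug("read %d bytes", (int) st.st_size);` reports the file size rather than the count `i` returned by `fread()`, and the result of `_pam_krb5_conv_call()` is dropped. pam_sm_chauthtok starts and ends outside this hunk.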
@@ -311,15 +371,15 @@
(char *) result_code_string.data,
result_string.length,
(char *) result_string.data);
- if ((result_string.length > 0) ||
- (result_code_string.length > 0)) {
- notice_user(pamh, "%s: %.*s (%.*s)",
- v5_passwd_error_message(result_code),
- result_code_string.length,
- result_code_string.data,
- result_string.length,
- result_string.data);
- }
+ }
+ if ((result_string.length > 0) ||
+ (result_code_string.length > 0)) {
+ notice_user(pamh, "%s: %.*s (%.*s)",
+ v5_passwd_error_message(result_code),
+ result_code_string.length,
+ result_code_string.data,
+ result_string.length,
+ result_string.data);
}
}
}
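Review bot: The relocated `notice_user()` call passes `result_code_string.length` and `result_string.length` as the `%.*s` precisions and the `.data` members as the strings without casts, whereas the `debug()` call just above casts the data to `(char *)`. `%.*s` expects an `int`, so if the length field is wider or unsigned in the Kerberos headers in use (not visible here) the variadic arguments are mismatched. Since the message is no longer confined to the preceding block, I would write `(int) result_string.length, (char *) result_string.data` and do the same for `result_code_string`. The strings come from the password-change reply, so it is also worth confirming that `notice_user()` copes with non-printable bytes. The enclosing block starts outside the hunk.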
@@ -337,6 +397,7 @@
password, &gic_options,
_pam_krb5_always_fail_prompter,
&stash->v5result);
+ stash->v5attempted = 1;
if ((i == PAM_SUCCESS) &&
((options->v4 == 1) || (options->v4_for_afs == 1))) {
v4_get_creds(ctx, pamh, stash, userinfo,
@@ -356,8 +417,10 @@
/* Clean up. */
if (options->debug) {
- debug("pam_chauthtok returning %d (%s)", retval,
- pam_strerror(pamh, retval));
+ debug("pam_chauthtok (%s) returning %d (%s)",
+ (flags & PAM_PRELIM_CHECK) ?
+ "preliminary check" : "updating authtok",
+ retval, pam_strerror(pamh, retval));
}
_pam_krb5_user_info_free(ctx, userinfo);
_pam_krb5_options_free(pamh, ctx, options);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/prompter.c new/pam_krb5-2.2.12-1/src/prompter.c
--- old/pam_krb5-2.2.11-1/src/prompter.c 2006-09-25 10:09:08.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/prompter.c 2007-06-25 10:20:56.000000000 +0200
@@ -51,7 +51,7 @@
#include "prompter.h"
#include "xstr.h"
-#ident "$Id: prompter.c,v 1.12 2006/09/22 02:55:37 nalin Exp $"
+#ident "$Id: prompter.c,v 1.13 2007/06/25 02:38:53 nalin Exp $"
void
_pam_krb5_maybe_free_responses(struct pam_response *responses, int n_responses)
@@ -101,6 +101,9 @@
krb5_error_code ret;
ret = 0;
+ if ((name != NULL) || (banner != NULL)) {
+ _pam_krb5_normal_prompter(context, data, name, banner, 0, NULL);
+ }
for (i = 0; i < num_prompts; i++) {
if (_pam_krb5_prompt_is_password(&prompts[i], pdata)) {
if (pdata->options->debug &&
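Review bot: The result of the added `_pam_krb5_normal_prompter(context, data, name, banner, 0, NULL)` call is discarded, so a failed conversation silently drops the name/banner text. The same applies to the identical addition in the next hunk, in the prompter that returns `KRB5_LIBOS_CANTREADPWD`. If that is deliberate, say so with a comment such as `/* Best effort: show name/banner even when no prompt follows; a display failure is not fatal. */`. The call also relies on the callee accepting a NULL `prompts` with a zero count, and on it tolerating either `name` or `banner` being NULL since the guard is `||`; neither is visible here and both are worth confirming. Both functions start and end outside their hunks.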
@@ -138,6 +141,9 @@
struct _pam_krb5_prompter_data *pdata = data;
int i;
+ if ((name != NULL) || (banner != NULL)) {
+ _pam_krb5_normal_prompter(context, data, name, banner, 0, NULL);
+ }
if (pdata->previous_password == NULL) {
return KRB5_LIBOS_CANTREADPWD;
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/src/stash.c new/pam_krb5-2.2.12-1/src/stash.c
--- old/pam_krb5-2.2.11-1/src/stash.c 2006-09-11 16:12:12.000000000 +0200
+++ new/pam_krb5-2.2.12-1/src/stash.c 2007-06-25 10:20:56.000000000 +0200
@@ -66,7 +66,7 @@
#include "v5.h"
#include "xstr.h"
-#ident "$Id: stash.c,v 1.28 2006/09/08 18:54:15 nalin Exp $"
+#ident "$Id: stash.c,v 1.29 2007/06/25 01:35:33 nalin Exp $"
static int
_pam_krb5_get_data_stash(pam_handle_t *pamh, const char *key,
@@ -112,7 +112,7 @@
/* Sanity checks. */
if (blob_size < sizeof(int) * 3) {
warn("saved creds too small: %d bytes, need at least %d bytes",
- blob_size, sizeof(int) * 3);
+ (int) blob_size, (int) (sizeof(int) * 3));
return;
}
blob_creds = blob;
@@ -120,7 +120,8 @@
blob_creds_size = ((int*)blob)[0];
if (blob_creds_size + sizeof(int) * 3 > blob_size) {
warn("saved creds too small: %d bytes, need %d bytes",
- blob_size, blob_creds_size + sizeof(int) * 3);
+ (int) blob_size,
+ (int) (blob_creds_size + sizeof(int) * 3));
return;
}
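Review bot: The second size check, `blob_creds_size + sizeof(int) * 3 > blob_size`, can be passed by a negative `blob_creds_size`. The value is read from the blob with `((int*)blob)[0]`, and if it is a signed `int` (its declaration is outside the hunk) the addition is done in `size_t`, so a small negative length such as -4 wraps to a small sum. The earlier check already guarantees `blob_size >= sizeof(int) * 3`, so the test can avoid the addition: `if ((blob_creds_size < 0) || ((size_t) blob_creds_size > blob_size - sizeof(int) * 3)) {`. The new `(int)` casts fix the format mismatch in `warn`, but they do not change what the check accepts. The function body continues outside the hunk.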
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/tests/config/kdc.conf.in new/pam_krb5-2.2.12-1/tests/config/kdc.conf.in
--- old/pam_krb5-2.2.11-1/tests/config/kdc.conf.in 2003-08-08 21:21:27.000000000 +0200
+++ new/pam_krb5-2.2.12-1/tests/config/kdc.conf.in 2007-06-25 10:20:56.000000000 +0200
@@ -1,12 +1,12 @@
[kdcdefaults]
- acl_file = @TESTDIR@/config/kadm5.acl
- admin_keytab = @TESTDIR@/kdc/kadm5.keytab
v4_mode = nopreauth
kdc_ports = 8800
- dict_file = /usr/share/dict/words
[realms]
EXAMPLE.COM = {
+ acl_file = @TESTDIR@/config/kadm5.acl
+ admin_keytab = @TESTDIR@/kdc/kadm5.keytab
+ dict_file = /usr/share/dict/words
database_name = @TESTDIR@/kdc/principal
key_stash_file = @TESTDIR@/kdc/stash_file
master_key_type = des-cbc-crc
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_krb5-2.2.11-1/tests/run-tests new/pam_krb5-2.2.12-1/tests/run-tests
--- old/pam_krb5-2.2.11-1/tests/run-tests 2006-09-25 10:09:08.000000000 +0200
+++ new/pam_krb5-2.2.12-1/tests/run-tests 2007-06-25 10:20:56.000000000 +0200
@@ -161,7 +161,7 @@
kadmin.local -q 'cpw -pw foo '$principal 2> /dev/null > /dev/null
kadmin.local -q 'modprinc -pwexpire now '$principal 2> /dev/null > /dev/null
settle
-run -auth -account $principal $pam_krb5 $flags -- foo
+run -auth -account $principal $pam_krb5 $flags -- foo bar bar
echo "";echo Succeed: correct password, do not warn about expiration.
kadmin.local -q 'cpw -pw foo '$principal 2> /dev/null > /dev/null
@@ -173,7 +173,7 @@
kadmin.local -q 'cpw -pw foo '$principal 2> /dev/null > /dev/null
kadmin.local -q 'modprinc -pwexpire now '$principal 2> /dev/null > /dev/null
settle
-run -auth -account -chauthtok -setcred -session $principal $pam_krb5 $flags no_warn -- foo foo bar bar
+run -auth -account -chauthtok -setcred -session $principal $pam_krb5 $flags no_warn -- foo bar bar bar baz baz
# Check password changing.
echo "";echo Resetting password to \"foo\".
@@ -248,5 +248,9 @@
kadmin.local -q 'cpw -pw foo '$principal 2> /dev/null > /dev/null
run -chauthtok $principal $pam_krb5 $flags banner="K3RB3R05 S" -- foo bar bar
+echo "";echo Password-change Help Text
+kadmin.local -q 'cpw -pw foo '$principal 2> /dev/null > /dev/null
+run -chauthtok $principal $pam_krb5 $flags pwhelp=$testdir/pwhelp.txt -- foo bar bar
+
# Stop the KDC.
kdcstop
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++