Hello community,
here is the log from the commit of package pam_krb5
checked in at Wed Nov 21 22:40:47 CET 2007.
--------
--- pam_krb5/pam_krb5.changes 2007-11-09 12:02:07.000000000 +0100
+++ /mounts/work_src_done/STABLE/pam_krb5/pam_krb5.changes 2007-11-21 16:57:50.539277000 +0100
@@ -1,0 +2,5 @@
+Wed Nov 21 16:37:51 CET 2007 - mc@suse.de
+
+- some bugfixes from upstream
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_krb5.spec ++++++
--- /var/tmp/diff_new_pack.wC2775/_old 2007-11-21 22:40:19.000000000 +0100
+++ /var/tmp/diff_new_pack.wC2775/_new 2007-11-21 22:40:19.000000000 +0100
@@ -18,7 +18,7 @@
Provides: pam_krb
AutoReqProv: on
Version: 2.2.21
-Release: 1
+Release: 5
Summary: PAM Module for Kerberos Authentication
Url: http://sourceforge.net/projects/pam-krb5/
Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
@@ -73,6 +73,8 @@
%attr(444,root,root) %_mandir/man*/*.*
%attr(755,root,root) /usr/bin/afs5log
%changelog
+* Wed Nov 21 2007 - mc@suse.de
+- some bugfixes from upstream
* Fri Nov 09 2007 - mc@suse.de
- version 2.2.21
* fix permissions problems on keyring ccaches, so that users can write
++++++ pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif ++++++
--- /var/tmp/diff_new_pack.wC2775/_old 2007-11-21 22:40:19.000000000 +0100
+++ /var/tmp/diff_new_pack.wC2775/_new 2007-11-21 22:40:19.000000000 +0100
@@ -2,7 +2,7 @@
===================================================================
--- src/auth.c.orig
+++ src/auth.c
-@@ -436,9 +436,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+@@ -494,9 +494,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f
return pam_sm_open_session(pamh, flags, argc, argv);
}
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
++++++ pam_krb5-2.2.21-1.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_krb5-2.2.21-1/ChangeLog new/pam_krb5-2.2.21-1/ChangeLog
--- old/pam_krb5-2.2.21-1/ChangeLog 2007-11-09 11:51:00.000000000 +0100
+++ new/pam_krb5-2.2.21-1/ChangeLog 2007-11-21 16:35:27.000000000 +0100
@@ -1,3 +1,11 @@
+2007-11-09:
+ * src/auth.c: fetch tokens when "tokens" is enabled and we're not
+ configured to use krb4, instead of not doing anything like that
+ * src/auth.c(pam_sm_authenticate): fetch tokens (if we haven't
+ already) before checking the user's .k5login with krb5_kuserok()
+ * src/acct.c(pam_sm_acct_mgmt): fetch tokens before checking the
+ user's .k5login with krb5_kuserok()
+
2007-11-08:
* src/stash.c: if we're about to create a ccache with a name identical
to one which we've already created (and haven't since destroyed), try
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_krb5-2.2.21-1/NEWS new/pam_krb5-2.2.21-1/NEWS
--- old/pam_krb5-2.2.21-1/NEWS 2007-11-09 11:51:00.000000000 +0100
+++ new/pam_krb5-2.2.21-1/NEWS 2007-11-21 16:35:26.000000000 +0100
@@ -1,5 +1,7 @@
- 2.2.21: * fix permissions problems on keyring ccaches, so that users can write
to them after we've set them up, and we can still do the cleanup
+ * fix permission problems accessing .k5login files in home directories
+ which live in AFS (#371761)
- 2.2.20: * fixes for credential refreshing
* avoid running afoul of SELinux policy when attempting to get tokens
- 2.2.19: * the "keytab" option can now be used to specify a custom location
@@ -36,7 +38,7 @@
- 2.2.13: * make it possible to have more than one ccache (and tktfile) at a
time to work around apps which open a session, set the environment,
and initialize creds (when we previously created a ccache, removing
- the one which was named in the environment)
+ the one which was named in the environment) (#204939)
- 2.2.12: * add a "pwhelp" option. Display the KDC error to users.
- 2.2.11: * return success from our account management callback in cases where
our authentication callback simply failed to authenticate (#207410)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_krb5-2.2.21-1/pam_krb5.spec new/pam_krb5-2.2.21-1/pam_krb5.spec
--- old/pam_krb5-2.2.21-1/pam_krb5.spec 2007-11-09 11:51:00.000000000 +0100
+++ new/pam_krb5-2.2.21-1/pam_krb5.spec 2007-11-21 16:35:27.000000000 +0100
@@ -46,9 +46,12 @@
%{_mandir}/man8/*
%doc README* COPYING* ChangeLog NEWS
-# $Id: pam_krb5.spec,v 1.176 2007/11/08 23:19:51 nalin Exp $
+# $Id: pam_krb5.spec,v 1.177 2007/11/09 22:10:42 nalin Exp $
%changelog
-* Thu Nov 8 2007 Nalin Dahyabhai - 2.2.21-1
+* Fri Nov 9 2007 Nalin Dahyabhai - 2.2.21-1
+- make sure that we have tokens when checking the user's .k5login (#371761)
+
+* Thu Nov 8 2007 Nalin Dahyabhai
- set perms on the user's KEYRING: ccache so that the user can write to it
- suppress an error message if a KEYRING: ccache we're about to destroy has
already been revoked
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_krb5-2.2.21-1/src/acct.c new/pam_krb5-2.2.21-1/src/acct.c
--- old/pam_krb5-2.2.21-1/src/acct.c 2007-11-09 11:51:00.000000000 +0100
+++ new/pam_krb5-2.2.21-1/src/acct.c 2007-11-21 16:35:26.000000000 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 2003,2004,2005,2006 Red Hat, Inc.
+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -58,11 +58,12 @@
#include "options.h"
#include "prompter.h"
#include "stash.h"
+#include "tokens.h"
#include "userinfo.h"
#include "v5.h"
#include "v4.h"
-#ident "$Id: acct.c,v 1.24 2007/11/08 21:59:51 nalin Exp $"
+#ident "$Id: acct.c,v 1.25 2007/11/09 20:48:53 nalin Exp $"
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
@@ -225,11 +226,31 @@
/* If we got this far, check the target user's .k5login file. */
if ((retval == PAM_SUCCESS) && options->user_check) {
+ if ((options->ignore_afs == 0) && tokens_useful()) {
+ v5_save_for_tokens(ctx, stash, user, userinfo,
+ options, NULL);
+ if (stash->v4present) {
+ v4_save_for_tokens(ctx, stash, userinfo,
+ options, NULL);
+ }
+ tokens_obtain(ctx, stash, options, userinfo, 1);
+ }
if (krb5_kuserok(ctx, userinfo->principal_name, user) == 0) {
notice("account checks fail for '%s': user disallowed "
"by .k5login file for '%s'",
userinfo->unparsed_name, user);
retval = PAM_PERM_DENIED;
+ } else {
+ if (options->debug) {
+ debug("'%s' passes .k5login check for '%s'",
+ userinfo->unparsed_name, user);
+ }
+ }
+ if ((options->ignore_afs == 0) && tokens_useful()) {
+ if (stash->v4present) {
+ v4_destroy(ctx, stash, options);
+ }
+ v5_destroy(ctx, stash, options);
}
}
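Review bot: The results of `v5_save_for_tokens()` and `tokens_obtain()` are discarded in the block added ahead of `krb5_kuserok()`, so when token acquisition fails the .k5login authorization check still runs without the AFS access this change is meant to provide, and nothing is logged. If `tokens_obtain()` reports failure through its return value (its prototype is not visible here), I would capture it and log it, for example `debug("failed to obtain tokens before .k5login check for '%s'", user);`, so an unexpected allow or deny can be traced back to missing tokens. The same applies to the matching block in the last hunk of src/auth.c. Unlike that block, this one does not test `options->tokens`, and only the ccaches are destroyed afterwards; a short comment saying whether tokens obtained here are meant to remain after account management returns would help. pam_sm_acct_mgmt's body starts and ends outside the hunk.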
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_krb5-2.2.21-1/src/auth.c new/pam_krb5-2.2.21-1/src/auth.c
--- old/pam_krb5-2.2.21-1/src/auth.c 2007-11-09 11:51:00.000000000 +0100
+++ new/pam_krb5-2.2.21-1/src/auth.c 2007-11-21 16:35:26.000000000 +0100
@@ -43,6 +43,7 @@
#endif
#include
+#include
#include
#include
#include
@@ -70,7 +71,7 @@
#include "v4.h"
#include "xstr.h"
-#ident "$Id: auth.c,v 1.32 2007/11/08 21:59:51 nalin Exp $"
+#ident "$Id: auth.c,v 1.34 2007/11/09 20:48:53 nalin Exp $"
int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
@@ -252,7 +253,8 @@
}
if (stash->v4present &&
(options->ignore_afs == 0) &&
- (options->tokens == 1)) {
+ (options->tokens == 1) &&
+ tokens_useful()) {
v5_save_for_tokens(ctx, stash, user, userinfo,
options, NULL);
v4_save_for_tokens(ctx, stash, userinfo,
@@ -261,6 +263,16 @@
v4_destroy(ctx, stash, options);
v5_destroy(ctx, stash, options);
}
+ } else {
+ if ((retval == PAM_SUCCESS) &&
+ (options->ignore_afs == 0) &&
+ (options->tokens == 1) &&
+ tokens_useful()) {
+ v5_save_for_tokens(ctx, stash, user, userinfo,
+ options, NULL);
+ tokens_obtain(ctx, stash, options, userinfo, 1);
+ v5_destroy(ctx, stash, options);
+ }
}
}
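Review bot: The added `} else { if (...) { ... } }` nests an `if` as the only statement of the `else`; `} else if ((retval == PAM_SUCCESS) && (options->ignore_afs == 0) && (options->tokens == 1) && tokens_useful()) {` says the same with one level less nesting. The identical save/obtain/destroy sequence is added again in the hunks at -336 and -380, so a small static helper in auth.c called from all three places would keep the token handling from drifting between the copies. The `if` that this `else` belongs to starts outside the hunk, so the exact condition under which the v5-only path runs cannot be confirmed from here.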
@@ -327,7 +339,8 @@
}
if (stash->v4present &&
(options->ignore_afs == 0) &&
- (options->tokens == 1)) {
+ (options->tokens == 1) &&
+ tokens_useful()) {
v5_save_for_tokens(ctx, stash, user, userinfo,
options, NULL);
v4_save_for_tokens(ctx, stash, userinfo,
@@ -336,6 +349,16 @@
v4_destroy(ctx, stash, options);
v5_destroy(ctx, stash, options);
}
+ } else {
+ if ((retval == PAM_SUCCESS) &&
+ (options->ignore_afs == 0) &&
+ (options->tokens == 1) &&
+ tokens_useful()) {
+ v5_save_for_tokens(ctx, stash, user, userinfo,
+ options, NULL);
+ tokens_obtain(ctx, stash, options, userinfo, 1);
+ v5_destroy(ctx, stash, options);
+ }
}
}
@@ -371,7 +394,8 @@
}
if (stash->v4present &&
(options->ignore_afs == 0) &&
- (options->tokens == 1)) {
+ (options->tokens == 1) &&
+ tokens_useful()) {
v5_save_for_tokens(ctx, stash, user, userinfo,
options, NULL);
v4_save_for_tokens(ctx, stash, userinfo,
@@ -380,16 +404,50 @@
v4_destroy(ctx, stash, options);
v5_destroy(ctx, stash, options);
}
+ } else {
+ if ((retval == PAM_SUCCESS) &&
+ (options->ignore_afs == 0) &&
+ (options->tokens == 1) &&
+ tokens_useful()) {
+ v5_save_for_tokens(ctx, stash, user, userinfo,
+ options, NULL);
+ tokens_obtain(ctx, stash, options, userinfo, 1);
+ v5_destroy(ctx, stash, options);
+ }
}
}
/* If we got this far, check the target user's .k5login file. */
if ((retval == PAM_SUCCESS) && options->user_check) {
+ if ((options->tokens != 1) &&
+ (options->ignore_afs == 0) &&
+ tokens_useful()) {
+ v5_save_for_tokens(ctx, stash, user, userinfo,
+ options, NULL);
+ if (stash->v4present) {
+ v4_save_for_tokens(ctx, stash, userinfo,
+ options, NULL);
+ }
+ tokens_obtain(ctx, stash, options, userinfo, 1);
+ }
if (krb5_kuserok(ctx, userinfo->principal_name, user) == 0) {
notice("account checks fail for '%s': user disallowed "
"by .k5login file for '%s'",
userinfo->unparsed_name, user);
retval = PAM_PERM_DENIED;
+ } else {
+ if (options->debug) {
+ debug("'%s' passes .k5login check for '%s'",
+ userinfo->unparsed_name, user);
+ }
+ }
+ if ((options->tokens != 1) &&
+ (options->ignore_afs == 0) &&
+ tokens_useful()) {
+ if (stash->v4present) {
+ v4_destroy(ctx, stash, options);
+ }
+ v5_destroy(ctx, stash, options);
}
}
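Review bot: In the .k5login block, `options->tokens != 1` stands in for "tokens have not been fetched yet", but with `tokens == 1` the earlier fetches only run inside branches with their own guards (`stash->v4present`, or the new `else` paths), and the enclosing `if`s are outside the hunk. If authentication can succeed without passing through one of those branches, `krb5_kuserok()` would read .k5login without tokens even though they are enabled. A local flag set where `tokens_obtain()` is actually called, e.g. `int tokens_fetched = 0;` and then `if (!tokens_fetched && (options->ignore_afs == 0) && tokens_useful()) {`, would make the guard follow what happened rather than what was configured; the cleanup condition after the check would need the same treatment. pam_sm_authenticate's body starts and ends outside the hunk.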
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++