From 1f83fab4c719ab79882a004619a41c5073d61140 Mon Sep 17 00:00:00 2001 
From: Nalin Dahyabhai
Date: Fri, 19 Mar 2010 21:15:33 +0000
Subject: [PATCH] - remove the krb5-appl bits (the -workstation-clients and -workstation-servers subpackages) now that krb5-appl is its own package
---
 eklogin.xinetd | 13 -
 ekrb5-telnet.xinetd | 14 -
 ekshell.pamd | 15 -
 gssftp.pamd | 13 -
 gssftp.xinetd | 14 -
 klogin.xinetd | 12 -
 krb5-1.2.1-passive.patch | 32 -
 krb5-1.3-ftp-glob.patch | 273 -------
 krb5-1.3-netkit-rsh.patch | 16 -
 krb5-1.4.1-telnet-environ.patch | 164 -----
 krb5-1.6.3-ftp_fdleak.patch | 67 --
 krb5-1.6.3-ftp_glob_runique.patch | 14 -
 krb5-1.7-rcp-markus.patch | 25 -
 krb5-1.7-sizeof.patch | 33 -
 krb5-appl-1.0-io.patch | 251 -------
 krb5-appl-1.0-largefile.patch | 276 -------
 krb5-appl-1.0-manpaths.patch | 107 ---
 krb5-appl-1.0-manpaths.txt | 4 -
 krb5-appl-1.0-pam.patch | 1066 --------------------------
 krb5-appl-1.0-rlogind-environ.patch | 53 --
 krb5-telnet.xinetd | 13 -
 krb5-trunk-ftp_mget_case.patch | 19 -
 krb5.csh | 6 -
 krb5.sh | 6 -
 krb5.spec | 249 +------
 krlogin | 2 -
 krsh | 2 -
 kshell.pamd | 15 -
 kshell.xinetd | 13 -
 sources | 2 -
 30 files changed, 10 insertions(+), 2779 deletions(-)
 delete mode 100644 eklogin.xinetd
 delete mode 100644 ekrb5-telnet.xinetd
 delete mode 100644 ekshell.pamd
 delete mode 100644 gssftp.pamd
 delete mode 100644 gssftp.xinetd
 delete mode 100644 klogin.xinetd
 delete mode 100644 krb5-1.2.1-passive.patch
 delete mode 100644 krb5-1.3-ftp-glob.patch
 delete mode 100644 krb5-1.3-netkit-rsh.patch
 delete mode 100644 krb5-1.4.1-telnet-environ.patch
 delete mode 100644 krb5-1.6.3-ftp_fdleak.patch
 delete mode 100644 krb5-1.6.3-ftp_glob_runique.patch
 delete mode 100644 krb5-1.7-rcp-markus.patch
 delete mode 100644 krb5-1.7-sizeof.patch
 delete mode 100644 krb5-appl-1.0-io.patch
 delete mode 100644 krb5-appl-1.0-largefile.patch
 delete mode 100644 krb5-appl-1.0-manpaths.patch
 delete mode 100644 krb5-appl-1.0-manpaths.txt
 delete mode 100644 krb5-appl-1.0-pam.patch
 delete mode 100644 krb5-appl-1.0-rlogind-environ.patch
 delete mode 100644 krb5-telnet.xinetd
 delete mode 100644 krb5-trunk-ftp_mget_case.patch
 delete mode 100755 krb5.csh
 delete mode 100755 krb5.sh
 delete mode 100644 krlogin
 delete mode 100644 krsh
 delete mode 100644 kshell.pamd
 delete mode 100644 kshell.xinetd
diff --git a/eklogin.xinetd b/eklogin.xinetd
deleted file mode 100644
index 285cd9a..0000000
--- a/eklogin.xinetd
+++ /dev/null
@@ -1,13 +0,0 @@
-# default: off
-# description: The encrypting kerberized rlogin server accepts rlogin sessions \
-# authenticated and encrypted with Kerberos 5.
-service eklogin
-{
- flags = REUSE
- socket_type = stream
- wait = no
- user = root
- server = /usr/kerberos/sbin/klogind
- server_args = -e
- disable = yes
-}
diff --git a/ekrb5-telnet.xinetd b/ekrb5-telnet.xinetd
deleted file mode 100644
index b377341..0000000
--- a/ekrb5-telnet.xinetd
+++ /dev/null
@@ -1,14 +0,0 @@
-# default: off
-# description: The kerberized telnet server accepts only telnet sessions, \
-# which use Kerberos 5 authentication and encryption.
-service telnet
-{
- flags = REUSE
- socket_type = stream
- wait = no
- user = root
- server = /usr/kerberos/sbin/telnetd
- server_args = -e
- log_on_failure += USERID
- disable = yes
-}
diff --git a/ekshell.pamd b/ekshell.pamd
deleted file mode 100644
index 5b67b05..0000000
--- a/ekshell.pamd
+++ /dev/null
@@ -1,15 +0,0 @@
-#%PAM-1.0
-# For root login to succeed here with pam_securetty, "ekshell" must be
-# listed in /etc/securetty.
-auth required pam_nologin.so
-auth required pam_securetty.so
-auth required pam_env.so
-auth required pam_rhosts.so
-account include system-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session optional pam_keyinit.so force revoke
-session include system-auth
-# pam_selinux.so open should only be called for sessions to be executed in the user context
-session required pam_loginuid.so
-session required pam_selinux.so open
diff --git a/gssftp.pamd b/gssftp.pamd
deleted file mode 100644
index 442dfa7..0000000
--- a/gssftp.pamd
+++ /dev/null
@@ -1,13 +0,0 @@
-#%PAM-1.0
-auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
-auth required pam_shells.so
-auth include system-auth
-account required pam_nologin.so
-account include system-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session optional pam_keyinit.so force revoke
-session include system-auth
-# pam_selinux.so open should only be called for sessions to be executed in the user context
-session required pam_loginuid.so
-session required pam_selinux.so open
diff --git a/gssftp.xinetd b/gssftp.xinetd
deleted file mode 100644
index 3f9f73e..0000000
--- a/gssftp.xinetd
+++ /dev/null
@@ -1,14 +0,0 @@
-# default: off
-# description: The kerberized FTP server accepts FTP connections \
-# that can be authenticated with Kerberos 5.
-service ftp
-{
- flags = REUSE
- socket_type = stream
- wait = no
- user = root
- server = /usr/kerberos/sbin/ftpd
- server_args = -l -a
- log_on_failure += USERID
- disable = yes
-}
diff --git a/klogin.xinetd b/klogin.xinetd
deleted file mode 100644
index 941b431..0000000
--- a/klogin.xinetd
+++ /dev/null
@@ -1,12 +0,0 @@
-# default: off
-# description: The kerberized rlogin server accepts BSD-style rlogin sessions, \
-# but uses Kerberos 5 authentication.
-service klogin
-{
- flags = REUSE
- socket_type = stream
- wait = no
- user = root
- server = /usr/kerberos/sbin/klogind
- disable = yes
-}
diff --git a/krb5-1.2.1-passive.patch b/krb5-1.2.1-passive.patch
deleted file mode 100644
index 8983d42..0000000
--- a/krb5-1.2.1-passive.patch
+++ /dev/null
@@ -1,32 +0,0 @@ -We set all of the FTP clients to passive mode by default. Or at least that's -the intention. - ---- krb5-1.2.1/src/appl/gssftp/ftp/main.c.passive Thu Jun 29 22:27:07 2000 -+++ krb5-1.2.1/src/appl/gssftp/ftp/main.c Wed Aug 16 13:15:08 2000 -@@ -178,7 +178,7 @@ - cpend = 0; /* no pending replies */ - proxy = 0; /* proxy not active */ - #ifndef NO_PASSIVE_MODE -- passivemode = 0; /* passive mode not active */ -+ passivemode = 1; /* passive mode active by default */ - #endif - crflag = 1; /* strip c.r. on ascii gets */ - sendport = -1; /* not using ports */ ---- krb5-1.2.1/src/appl/gssftp/ftp/ftp.M.passive Wed Aug 16 13:15:26 2000 -+++ krb5-1.2.1/src/appl/gssftp/ftp/ftp.M Wed Aug 16 13:17:19 2000 -@@ -619,10 +619,11 @@ - will forward a copy of the user's Kerberos tickets to the remote host. - .TP - .B passive --Toggle passive data transfer mode. In passive mode, the client initiates --the data connection by listening on the data port. Passive mode may --be necessary for operation from behind firewalls which do not permit --incoming connections. -+Toggle passive data transfer mode off. In passive mode, the client initiates -+the data connection by connecting to the data port. Passive mode is -+often necessary for operation from behind firewalls which do not permit -+incoming connections, but may need to be disabled if you connect to an -+FTP server which does not support passive operation. - .TP - .B private - Set the protection level on data transfers to ``private''. Data diff --git a/krb5-1.3-ftp-glob.patch b/krb5-1.3-ftp-glob.patch deleted file mode 100644 index 1da3abf..0000000 --- a/krb5-1.3-ftp-glob.patch +++ /dev/null 
@@ -1,273 +0,0 @@ ---- krb5-1.3/src/appl/gssftp/ftp/cmds.c -+++ krb5-1.3/src/appl/gssftp/ftp/cmds.c -@@ -99,6 +99,62 @@ - static void quote1 (char *, int, char **); - static char *dotrans (char *); - static char *domap (char *); -+static int checkglob(const char *filename, const char *pattern); -+ -+/* -+ * pipeprotect: protect against "special" local filenames by prepending -+ * "./". Special local filenames are "-" and any "filename" which begins -+ * with either "|" or "/". -+ */ -+static char *pipeprotect(char *name) -+{ -+ static char nu[MAXPATHLEN]; -+ if ((name == NULL) || -+ ((strcmp(name, "-") != 0) && (*name != '|') && (*name != '/'))) { -+ return name; -+ } -+ strcpy(nu, "."); -+ if (*name != '/') strcat(nu, "/"); -+ if (strlen(nu) + strlen(name) >= sizeof(nu)) { -+ return NULL; -+ } -+ strcat(nu, name); -+ return nu; -+} -+ -+/* -+ * Look for embedded ".." in a pathname and change it to "!!", printing -+ * a warning. -+ */ -+static char *pathprotect(char *name) -+{ -+ int gotdots=0, i, len; -+ -+ /* Convert null terminator to trailing / to catch a trailing ".." */ -+ len = strlen(name)+1; -+ name[len-1] = '/'; -+ -+ /* -+ * State machine loop. gotdots is < 0 if not looking at dots, -+ * 0 if we just saw a / and thus might start getting dots, -+ * and the count of dots seen so far if we have seen some. -+ */ -+ for (i=0; i=0) gotdots++; -+ else if (name[i]=='/' && gotdots<0) gotdots=0; -+ else if (name[i]=='/' && gotdots==2) { -+ printf("Warning: embedded .. in %.*s (changing to !!)\n", -+ len-1, name); -+ name[i-1] = '!'; -+ name[i-2] = '!'; -+ gotdots = 0; -+ } -+ else if (name[i]=='/') gotdots = 0; -+ else gotdots = -1; -+ } -+ name[len-1] = '\0'; -+ return name; -+} - - /* - * `Another' gets another argument, and stores the new argc and argv. -@@ -844,7 +900,15 @@ - - if (argc == 2) { - argc++; -- argv[2] = argv[1]; -+ /* -+ * Protect the user from accidentally retrieving special -+ * local names. 
-+ */ -+ argv[2] = pipeprotect(argv[1]); -+ if (!argv[2]) { -+ code = -1; -+ return 0; -+ } - loc++; - } - if (argc < 2 && !another(&argc, &argv, "remote-file")) -@@ -1016,8 +1080,19 @@ - if (mapflag) { - tp = domap(tp); - } -- recvrequest("RETR", tp, cp, "w", -- tp != cp || !interactive, 1); -+ -+ /* Reject embedded ".." */ -+ tp = pathprotect(tp); -+ -+ /* Prepend ./ to "-" or "!*" or leading "/" */ -+ tp = pipeprotect(tp); -+ if (tp == NULL) { -+ /* hmm... how best to handle this? */ -+ mflag = 0; -+ } else { -+ recvrequest("RETR", tp, cp, "w", -+ tp != cp || !interactive, 1); -+ } - if (!mflag && fromatty) { - ointer = interactive; - interactive = 1; -@@ -1045,8 +1120,8 @@ - static char buf[MAXPATHLEN]; - static FILE *ftemp = NULL; - static char **args; -- int oldverbose, oldhash; -- char *cp, *rmode; -+ int oldverbose, oldhash, badglob = 0; -+ char *cp; - - if (!mflag) { - if (!doglob) { -@@ -1075,23 +1150,46 @@ - return (NULL); - } - #else -- (void) strncpy(temp, _PATH_TMP, sizeof(temp) - 1); -- temp[sizeof(temp) - 1] = '\0'; -- (void) mktemp(temp); -+ int fd; -+ mode_t oldumask; -+ (void) strcpy(temp, _PATH_TMP); -+ -+ /* libc 5.2.18 creates with mode 0666, which is dumb */ -+ oldumask = umask(077); -+ fd = mkstemp(temp); -+ umask(oldumask); -+ -+ if (fd<0) { -+ printf("Error creating temporary file, oops\n"); -+ return NULL; -+ } -+ close(fd); - #endif /* !_WIN32 */ - oldverbose = verbose, verbose = 0; - oldhash = hash, hash = 0; - if (doswitch) { - pswitch(!proxy); - } -- for (rmode = "w"; *++argv != NULL; rmode = "a") -- recvrequest ("NLST", temp, *argv, rmode, 0, 0); -+ -+ while (*++argv != NULL) { -+ recvrequest ("NLST", temp, *argv, "a", 0, 0); -+ if (!checkglob(temp, *argv)) { -+ badglob = 1; -+ break; -+ } -+ } -+ - if (doswitch) { - pswitch(!proxy); - } - verbose = oldverbose; hash = oldhash; - ftemp = fopen(temp, "r"); - (void) unlink(temp); -+ if (badglob) { -+ printf("Refusing to handle insecure file list\n"); -+ fclose(ftemp); -+ return NULL; -+ 
} - #ifdef _WIN32 - free(temp); - temp = NULL; -@@ -1110,6 +1208,105 @@ - return (buf); - } - -+/* -+ * Check whether given pattern matches `..' -+ * We assume only a glob pattern starting with a dot will match -+ * dot entries on the server. -+ */ -+static int -+isdotdotglob(const char *pattern) -+{ -+ int havedot = 0; -+ char c; -+ -+ if (*pattern++ != '.') -+ return 0; -+ while ((c = *pattern++) != '\0' && c != '/') { -+ if (c == '*' || c == '?') -+ continue; -+ if (c == '.' && havedot++) -+ return 0; -+ } -+ return 1; -+} -+ -+/* -+ * This function makes sure the list of globbed files returned from -+ * the server doesn't contain anything dangerous such as -+ * /home//.forward, or ../.forward, -+ * or |mail foe@doe = MAXPATHLEN) { -+ printf("Incredible pattern: %s\n", pattern); -+ return 0; -+ } -+ dotdot[nrslash++] = isdotdotglob(sp); -+ } -+ -+ fp = fopen(filename, "r"); -+ if (fp == NULL) { -+ perror("fopen"); -+ return 0; -+ } -+ -+ while (okay && fgets(buffer, sizeof(buffer), fp) != NULL) { -+ char *sp; -+ -+ if ((sp = strchr(buffer, '\n')) != 0) { -+ *sp = '\0'; -+ } else { -+ printf("Extremely long filename from server: %s", -+ buffer); -+ okay = 0; -+ break; -+ } -+ if (buffer[0] == '|' -+ || (buffer[0] != '/' && initial) -+ || (buffer[0] == '/' && !initial)) -+ okay = 0; -+ for (sp = buffer, nr = 0; sp; sp = strchr(sp, '/'), nr++) { -+ while (*sp == '/') -+ sp++; -+ if (sp[0] == '.' && !strncmp(sp, "../", 3) -+ && (nr >= nrslash || !dotdot[nr])) -+ okay = 0; -+ } -+ } -+ -+ if (!okay) -+ printf("Filename provided by server " -+ "doesn't match pattern `%s': %s\n", pattern, buffer); -+ -+ fclose(fp); -+ return okay; -+} -+ - static char * - onoff(bool) - int bool; diff --git a/krb5-1.3-netkit-rsh.patch b/krb5-1.3-netkit-rsh.patch deleted file mode 100644 index 6c044d3..0000000 --- a/krb5-1.3-netkit-rsh.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -We ship netkit rsh, which isn't smart enough to deal with the oddball case -where argv[0] is an option flag. - ---- krb5-1.3/src/appl/bsd/krsh.c -+++ krb5-1.3/src/appl/bsd/krsh.c -@@ -616,8 +616,10 @@ - else - host = argv[0]; - -+#ifdef BERKELEY_RSH - if (!strcmp(host, "rsh")) - argv++; -+#endif - - fprintf(stderr,"trying normal rsh (%s)\n", - UCB_RSH); diff --git a/krb5-1.4.1-telnet-environ.patch b/krb5-1.4.1-telnet-environ.patch deleted file mode 100644 index 05da88b..0000000 --- a/krb5-1.4.1-telnet-environ.patch +++ /dev/null 
@@ -1,164 +0,0 @@ -Port of fixes originally made to the NetKit telnet client. - -Previous behavior: - Well-defined or exported variables are sent to the server on initial connect. - The "environ list" command prints "*" before these variable names. - Other variables are sent to the server if it requests them. - The "environ list" command prints " " before these variable names. -New behavior: - Well-defined variables are sent to the server on initial connect. - The "environ list" command prints "*" before these variable names. - Exported variables are sent to the server on initial connect. - The "environ list" command prints "+" before these variable names. - Other variables are NOT sent to the server. - The "environ list" command prints " " before these variable names. - -diff -uNr krb5-1.4.1/src/appl/telnet/telnet/authenc.c krb5-1.4.1/src/appl/telnet/telnet/authenc.c ---- krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2002-11-15 15:21:34.000000000 -0500 -+++ krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2005-06-29 21:06:39.000000000 -0400 -@@ -83,13 +83,6 @@ - } - - char * --telnet_getenv(val) -- char *val; --{ -- return((char *)env_getvalue((unsigned char *)val)); --} -- -- char * - telnet_gets(tprompt, result, length, echo) - char *tprompt; - char *result; -diff -uNr krb5-1.4.1/src/appl/telnet/telnet/commands.c krb5-1.4.1/src/appl/telnet/telnet/commands.c ---- krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-04-07 17:17:26.000000000 -0400 -+++ krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-06-29 21:11:34.000000000 -0400 -@@ -1889,8 +1889,9 @@ - register struct env_lst *ep; - - for (ep = envlisthead.next; ep; ep = ep->next) { -- printf("%c %-20s %s\r\n", ep->export ? '*' : ' ', -- ep->var, ep->value); -+ printf("%c %-20s %s\r\n", -+ " +*"[(ep->welldefined ? 
2 : (ep->export > 0))], -+ ep->var, ep->value); - } - } - -@@ -1914,13 +1915,15 @@ - } - - unsigned char * --env_getvalue(var) -+env_getvalue(var, export_only) - unsigned char *var; -+ int export_only; - { - register struct env_lst *ep; - - if ((ep = env_find(var))) -- return(ep->value); -+ if (ep->export || !export_only) -+ return(ep->value); - return(NULL); - } - -diff -uNr krb5-1.4.1/src/appl/telnet/telnet/externs.h krb5-1.4.1/src/appl/telnet/telnet/externs.h ---- krb5-1.4.1/src/appl/telnet/telnet/externs.h 2003-04-23 23:27:56.000000000 -0400 -+++ krb5-1.4.1/src/appl/telnet/telnet/externs.h 2005-06-29 21:05:16.000000000 -0400 -@@ -347,7 +347,7 @@ - - extern unsigned char - *env_default (int, int), -- *env_getvalue (unsigned char *); -+ *env_getvalue (unsigned char *, int); - - extern int - env_is_exported (unsigned char *); -diff -uNr krb5-1.4.1/src/appl/telnet/telnet/telnet.c krb5-1.4.1/src/appl/telnet/telnet/telnet.c ---- krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:13:29.000000000 -0400 -+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:09:13.000000000 -0400 -@@ -552,7 +552,7 @@ - #endif - - case TELOPT_XDISPLOC: /* X Display location */ -- if (env_getvalue((unsigned char *)"DISPLAY") && -+ if (env_getvalue((unsigned char *)"DISPLAY", 0) && - env_is_exported((unsigned char *)"DISPLAY")) - new_state_ok = 1; - break; -@@ -813,7 +813,7 @@ - resettermname = 0; - if (tnamep && tnamep != unknown) - free(tnamep); -- if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) && -+ if ((tname = (char *)env_getvalue((unsigned char *)"TERM", 0)) && - (setupterm(tname, 1, &err) == 0)) { - tnamep = mklist(termbuf, tname); - } else { -@@ -988,7 +988,7 @@ - unsigned char temp[50], *dp; - int len; - -- if (((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) || -+ if (((dp = env_getvalue((unsigned char *)"DISPLAY", 0)) == NULL) || - (! 
env_is_exported((unsigned char *)"DISPLAY"))) { - /* - * Something happened, we no longer have a DISPLAY -@@ -1669,7 +1669,7 @@ - env_opt_add(ep); - return; - } -- vp = env_getvalue(ep); -+ vp = env_getvalue(ep, 1); - elen = 2 * (vp ? strlen((char *)vp) : 0) + - 2 * strlen((char *)ep) + 6; - if ((opt_replyend - opt_replyp) < elen) -@@ -2327,7 +2327,7 @@ - send_will(TELOPT_LINEMODE, 1); - send_will(TELOPT_NEW_ENVIRON, 1); - send_do(TELOPT_STATUS, 1); -- if (env_getvalue((unsigned char *)"DISPLAY") && -+ if (env_getvalue((unsigned char *)"DISPLAY", 0) && - env_is_exported((unsigned char *)"DISPLAY")) - send_will(TELOPT_XDISPLOC, 1); - if (eight) ---- krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:09.000000000 -0400 -+++ krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:13.000000000 -0400 -@@ -67,14 +67,6 @@ - } - - char * --telnet_getenv(val) -- char *val; --{ -- extern char *getenv(); -- return(getenv(val)); --} -- -- char * - telnet_gets(prompt, result, length, echo) - char *prompt; - char *result; ---- krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:26:55.000000000 -0400 -+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:29:05.000000000 -0400 -@@ -401,7 +401,7 @@ - .I variable - to have a value of - .IR value . --Any variables defined by this command are automatically exported. The -+Variables defined by this command are not automatically exported. The - .I value - may be enclosed in single or double quotes so that tabs and spaces may - be included. -@@ -423,8 +423,8 @@ - .TP - .B list - List the current set of environment variables. Those marked with a \&* --will be sent automatically; other variables will only be sent if --explicitly requested. -+will be sent automatically; those marked with a \&+ will be sent if the -+other end requests their values, and other variables will not be sent. - .TP - .B \&? - Prints out help information for the 
diff --git a/krb5-1.6.3-ftp_fdleak.patch b/krb5-1.6.3-ftp_fdleak.patch deleted file mode 100644 index 7a9272b..0000000 --- a/krb5-1.6.3-ftp_fdleak.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -Don't open a new socket without closing a possibly already-open one. RT#5597. -diff -uNr krb5/src/appl/gssftp/ftp/ftp.c krb5/src/appl/gssftp/ftp/ftp.c ---- krb5/src/appl/gssftp/ftp/ftp.c -+++ krb5/src/appl/gssftp/ftp/ftp.c -@@ -196,7 +196,7 @@ char * - hookup(char* host, int port) - { - register struct hostent *hp = 0; -- int s; -+ int s, t; - socklen_t len; - #ifdef IP_TOS - #ifdef IPTOS_LOWDELAY -@@ -274,8 +274,13 @@ hookup(char* host, int port) - } - #endif - #endif -+#ifndef _WIN32 -+ t = dup(s); -+#else -+ t = s; -+#endif - cin = FDOPEN_SOCKET(s, "r"); -- cout = FDOPEN_SOCKET(s, "w"); -+ cout = FDOPEN_SOCKET(t, "w"); - if (cin == NULL || cout == NULL) { - fprintf(stderr, "ftp: fdopen failed.\n"); - if (cin) { -@@ -1448,6 +1453,8 @@ - int a1,a2,a3,a4,p1,p2; - - if (passivemode) { -+ if (data != INVALID_SOCKET) -+ (void) closesocket(data); - data = socket(AF_INET, SOCK_STREAM, 0); - if (data == INVALID_SOCKET) { - PERROR_SOCKET("ftp: socket"); -@@ -2366,4 +2371,16 @@ FILE* fdopen_socket(SOCKET s, char* mode - - return f; - } -+#else -+/* Non-Win32 case takes the address of the variable so that we can "take -+ * ownership" of the descriptor number. 
*/ -+FILE* fdopen_socket(int *s, char* mode) -+{ -+ FILE *fp; -+ fp = fdopen(*s, mode); -+ if (fp) { -+ *s = INVALID_SOCKET; -+ } -+ return fp; -+} - #endif /* _WIN32 */ -diff -up krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h ---- krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h 2007-08-03 00:53:35.000000000 -0400 -+++ krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h 2007-08-03 00:53:39.000000000 -0400 -@@ -48,7 +48,8 @@ FILE* fdopen_socket(SOCKET s, char* mode - #define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0) - #else - #define FCLOSE_SOCKET(f) fclose(f) --#define FDOPEN_SOCKET(s, mode) fdopen(s, mode) -+FILE* fdopen_socket(int *s, char* mode); -+#define FDOPEN_SOCKET(s, mode) fdopen_socket(&s, mode) - #define SOCKETNO(fd) (fd) - #define PERROR_SOCKET(str) perror(str) - #endif diff --git a/krb5-1.6.3-ftp_glob_runique.patch b/krb5-1.6.3-ftp_glob_runique.patch deleted file mode 100644 index c4614a1..0000000 --- a/krb5-1.6.3-ftp_glob_runique.patch +++ /dev/null @@ -1,14 +0,0 @@ -Fix mget when runique is enabled and the globbing patch has been applied. -diff -up krb5/src/appl/gssftp/ftp/ftp.c krb5/src/appl/gssftp/ftp/ftp.c ---- krb5/src/appl/gssftp/ftp/ftp.c -+++ krb5/src/appl/gssftp/ftp/ftp.c -@@ -1188,7 +1188,8 @@ void recvrequest(char *cmd, char *volati - return; - } - } -- else if (runique && (local = gunique(local)) == NULL) { -+ else if (runique && strcmp(cmd, "NLST") && -+ (local = gunique(local)) == NULL) { - (void) signal(SIGINT, oldintr); - code = -1; - return; diff --git a/krb5-1.7-rcp-markus.patch b/krb5-1.7-rcp-markus.patch deleted file mode 100644 index b060df2..0000000 --- a/krb5-1.7-rcp-markus.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp. - -diff -up krb5-1.7/src/appl/bsd/krcp.c krb5-1.7/src/appl/bsd/krcp.c ---- krb5-1.7/src/appl/bsd/krcp.c 2009-06-04 14:27:20.000000000 -0400 -+++ krb5-1.7/src/appl/bsd/krcp.c 2009-06-04 14:27:20.000000000 -0400 -@@ -1038,6 +1038,10 @@ void sink(argc, argv) - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') - SCREWUP("size not delimited"); -+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ error("error: unexpected filename: %s", cp); -+ exit(1); -+ } - if (targisdir) { - if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf)) - SCREWUP("target name too long"); -@@ -1051,6 +1055,8 @@ void sink(argc, argv) - nambuf[sizeof(nambuf) - 1] = '\0'; - exists = stat(nambuf, &stb) == 0; - if (cmdbuf[0] == 'D') { -+ if (!iamrecursive) -+ SCREWUP("received directory without -r"); - if (exists) { - if ((stb.st_mode&S_IFMT) != S_IFDIR) { - errno = ENOTDIR; diff --git a/krb5-1.7-sizeof.patch b/krb5-1.7-sizeof.patch deleted file mode 100644 index fc85901..0000000 --- a/krb5-1.7-sizeof.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -Surely "buf[strlen(buf)] = '\0'" doesn't do what we intend. RT#6521 - -diff -up krb5-1.7/src/appl/gssftp/ftp/ftp.c krb5-1.7/src/appl/gssftp/ftp/ftp.c ---- krb5-1.7/src/appl/gssftp/ftp/ftp.c 2009-06-22 16:03:48.000000000 -0400 -+++ krb5-1.7/src/appl/gssftp/ftp/ftp.c 2009-06-22 16:06:28.000000000 -0400 -@@ -1663,21 +1663,21 @@ void pswitch(int flag) - ip->ntflg = ntflag; - ntflag = op->ntflg; - (void) strncpy(ip->nti, ntin, sizeof(ip->nti) - 1); -- (ip->nti)[strlen(ip->nti)] = '\0'; -+ (ip->nti)[sizeof(ip->nti) - 1] = '\0'; - (void) strncpy(ntin, op->nti, sizeof(ntin) - 1); - ntin[sizeof(ntin) - 1] = '\0'; - (void) strncpy(ip->nto, ntout, sizeof(ip->nto) - 1); -- (ip->nto)[strlen(ip->nto)] = '\0'; -+ (ip->nto)[sizeof(ip->nto) - 1] = '\0'; - (void) strncpy(ntout, op->nto, sizeof(ntout) - 1); - ntout[sizeof(ntout) - 1] = '\0'; - ip->mapflg = mapflag; - mapflag = op->mapflg; -- (void) strncpy(ip->mi, mapin, MAXPATHLEN - 1); -- (ip->mi)[strlen(ip->mi)] = '\0'; -+ (void) strncpy(ip->mi, mapin, sizeof(ip->mi) - 1); -+ (ip->mi)[sizeof(ip->mi) - 1] = '\0'; - (void) strncpy(mapin, op->mi, sizeof(mapin) - 1); - mapin[sizeof(mapin) - 1] = '\0'; -- (void) strncpy(ip->mo, mapout, MAXPATHLEN - 1); -- (ip->mo)[strlen(ip->mo)] = '\0'; -+ (void) strncpy(ip->mo, mapout, sizeof(ip->mo) - 1); -+ (ip->mo)[sizeof(ip->mo) - 1] = '\0'; - (void) strncpy(mapout, op->mo, sizeof(mapout) - 1); - mapout[sizeof(mapout) - 1] = '\0'; - ip->authtype = auth_type; diff --git a/krb5-appl-1.0-io.patch b/krb5-appl-1.0-io.patch deleted file mode 100644 index 1bfe217..0000000 --- a/krb5-appl-1.0-io.patch +++ /dev/null 
@@ -1,251 +0,0 @@ -We can get stuck if a write is going to block because both ends are writing and -neither end is reading. This is a port of a patch which aims to solve that -problem, but for now it's incomplete because we don't handle partial writes. A -proper non-blocking implementation would require a bit more work. - -diff -up krb5-appl-1.0/bsd/defines.h.io krb5-appl-1.0/bsd/defines.h ---- krb5-appl-1.0/bsd/defines.h.io 2009-11-16 05:27:04.000000000 -0500 -+++ krb5-appl-1.0/bsd/defines.h 2010-03-05 11:00:06.000000000 -0500 -@@ -36,6 +36,7 @@ extern int kcmd (int *sock, char **ahost - enum kcmd_proto *protonum /* input and output */ - ); - -+extern int rcmd_stream_has_unsent_data (void); - extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary); - extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary); - extern int getport (int * /* portnum */, int * /* addrfamily */); -diff -up krb5-appl-1.0/bsd/kcmd.c.io krb5-appl-1.0/bsd/kcmd.c ---- krb5-appl-1.0/bsd/kcmd.c.io 2009-11-16 05:27:04.000000000 -0500 -+++ krb5-appl-1.0/bsd/kcmd.c 2010-03-05 11:00:06.000000000 -0500 -@@ -767,6 +767,11 @@ void rcmd_stream_init_normal() - output = twrite; - } - -+int rcmd_stream_has_unsent_data (void) -+{ -+ return (nstored > 0); -+} -+ - void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client, - protonum) - krb5_keyblock *in_keyblock; -@@ -927,7 +932,8 @@ static int v5_des_read(fd, buf, len, sec - cc = full_read(fd, &c, 1); - /* we should check for non-blocking here, but we'd have - to make it save partial reads as well. 
*/ -- if (cc <= 0) return cc; /* read error */ -+ if (cc == 0) return nreturned; /* EOF */ -+ if (cc < 0) return cc; /* read error */ - if (cc == 1) { - if (c == 0 || !do_lencheck) break; - } -diff -up krb5-appl-1.0/bsd/krsh.c.io krb5-appl-1.0/bsd/krsh.c ---- krb5-appl-1.0/bsd/krsh.c.io 2010-03-05 11:00:05.000000000 -0500 -+++ krb5-appl-1.0/bsd/krsh.c 2010-03-05 11:00:06.000000000 -0500 -@@ -117,10 +117,11 @@ main(argc, argv0) - char **argv0; - { - int rem, pid = 0; -- char *host=0, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0; -+ char *host=0, **ap, buf[PIPE_BUF], *args, **argv = argv0, *user = 0; - register int cc; - struct passwd *pwd; - fd_set readfrom, ready; -+ fd_set writeto, ready_wr; - int one = 1; - struct servent *sp; - struct servent defaultservent; -@@ -510,9 +511,14 @@ main(argc, argv0) - FD_ZERO(&readfrom); - FD_SET(rfd2, &readfrom); - FD_SET(rem, &readfrom); -+ FD_ZERO(&writeto); - do { -+ int max_fd; -+ max_fd = (rfd2 > rem) ? rfd2 : rem; -+ max_fd = (max_fd > 2) ? max_fd : 2; - ready = readfrom; -- if (select(((rfd2 > rem) ? 
rfd2 : rem) + 1, &ready, 0, 0, 0) < 0) { -+ ready_wr = writeto; -+ if (select(max_fd + 1, &ready, &ready_wr, 0, 0) < 0) { - if (errno != EINTR) { - perror("select"); - exit(1); -@@ -520,22 +526,38 @@ main(argc, argv0) - continue; - } - if (FD_ISSET(rfd2, &ready)) { -- errno = 0; -- cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1); -- if (cc <= 0) { -- if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) -- FD_CLR(rfd2, &readfrom); -- } else -- (void) write(2, buf, (unsigned) cc); -+ FD_SET(2, &writeto); -+ } -+ if (FD_ISSET(2, &ready_wr)) { -+ do { -+ errno = 0; -+ cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1); -+ if (cc <= 0) { -+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) { -+ FD_CLR(rfd2, &readfrom); -+ break; -+ } -+ } else -+ (void) write(2, buf, (unsigned) cc); -+ } while (rcmd_stream_has_unsent_data()); -+ FD_CLR(2, &writeto); - } - if (FD_ISSET(rem, &ready)) { -- errno = 0; -- cc = rcmd_stream_read(rem, buf, sizeof buf, 0); -- if (cc <= 0) { -- if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) -- FD_CLR(rem, &readfrom); -- } else -- (void) write(1, buf, (unsigned) cc); -+ FD_SET(1, &writeto); -+ } -+ if (FD_ISSET(1, &ready_wr)) { -+ do { -+ errno = 0; -+ cc = rcmd_stream_read(rem, buf, sizeof buf, 0); -+ if (cc <= 0) { -+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) { -+ FD_CLR(rem, &readfrom); -+ break; -+ } -+ } else -+ (void) write(1, buf, (unsigned) cc); -+ } while (rcmd_stream_has_unsent_data()); -+ FD_CLR(1, &writeto); - } - } while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom)); - if (nflag == 0) -diff -up krb5-appl-1.0/bsd/krshd.c.io krb5-appl-1.0/bsd/krshd.c ---- krb5-appl-1.0/bsd/krshd.c.io 2010-03-05 11:00:05.000000000 -0500 -+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 11:00:06.000000000 -0500 -@@ -585,7 +585,8 @@ void doit(f, fromp) - short port; - int pv[2], pw[2], px[2], cc; - fd_set ready, readfrom; -- char buf[RCMD_BUFSIZ], sig; -+ fd_set ready_wr, writeto; -+ char buf[PIPE_BUF], sig; - struct sockaddr_storage localaddr; - #ifdef 
POSIX_SIGNALS - struct sigaction sa; -@@ -1216,6 +1217,10 @@ void doit(f, fromp) - if (pw[0] > maxfd) - maxfd = pw[0]; - -+ if (px[1] > maxfd) -+ maxfd = px[1]; -+ FD_ZERO(&writeto); -+ - /* read from f, write to px[1] -- child stdin */ - /* read from s, signal child */ - /* read from pv[0], write to s -- child stderr */ -@@ -1223,36 +1228,47 @@ void doit(f, fromp) - - do { - ready = readfrom; -- if (select(maxfd + 1, &ready, (fd_set *)0, -+ ready_wr = writeto; -+ if (select(maxfd + 1, &ready, &ready_wr, - (fd_set *)0, (struct timeval *)0) < 0) { - if (errno == EINTR) { - continue; - } else { - break; -- } -+ } - } - - if (port&&FD_ISSET(pv[0], &ready)) { -+ FD_SET(s, &writeto); -+ FD_CLR(pv[0], &readfrom); -+ } -+ if (port&&FD_ISSET(s, &ready_wr)) { - /* read from the child stderr, write to the net */ - errno = 0; - cc = read(pv[0], buf, sizeof (buf)); -- if (cc <= 0) { -+ if ((cc <= 0) || -+ (rcmd_stream_write(s, buf, (unsigned) cc, 1) != cc)) { - shutdown(s, 1+1); -- FD_CLR(pv[0], &readfrom); - } else { -- (void) rcmd_stream_write(s, buf, (unsigned) cc, 1); -+ FD_SET(pv[0], &readfrom); - } -+ FD_CLR(s, &writeto); - } - if (FD_ISSET(pw[0], &ready)) { -+ FD_SET(f, &writeto); -+ FD_CLR(pw[0], &readfrom); -+ } -+ if (FD_ISSET(f, &ready_wr)) { - /* read from the child stdout, write to the net */ - errno = 0; - cc = read(pw[0], buf, sizeof (buf)); -- if (cc <= 0) { -+ if ((cc <= 0) || -+ (rcmd_stream_write(f, buf, (unsigned) cc, 0) != cc)) { - shutdown(f, 1+1); -- FD_CLR(pw[0], &readfrom); - } else { -- (void) rcmd_stream_write(f, buf, (unsigned) cc, 0); -+ FD_SET(pw[0], &readfrom); - } -+ FD_CLR(f, &writeto); - } - if (port&&FD_ISSET(s, &ready)) { - /* read from the alternate channel, signal the child */ -@@ -1270,12 +1286,15 @@ void doit(f, fromp) - } - } - if (FD_ISSET(f, &ready)) { -+ FD_SET(px[1], &writeto); -+ FD_CLR(f, &readfrom); -+ } -+ if (FD_ISSET(px[1], &ready_wr)) { - /* read from the net, write to child stdin */ - errno = 0; - cc = rcmd_stream_read(f, 
buf, sizeof(buf), 0); - if (cc <= 0) { - (void) close(px[1]); -- FD_CLR(f, &readfrom); - } else { - int wcc; - wcc = write(px[1], buf, (unsigned) cc); -@@ -1283,17 +1302,22 @@ void doit(f, fromp) - /* pipe closed, don't read any more */ - /* might check for EPIPE */ - (void) close(px[1]); -- FD_CLR(f, &readfrom); -- } else if (wcc != cc) { -- syslog(LOG_INFO, "only wrote %d/%d to child", -- wcc, cc); -+ } else { -+ if (wcc != cc) -+ syslog(LOG_INFO, "only wrote %d/%d to child", -+ wcc, cc); -+ FD_SET(f, &readfrom); - } - } -+ FD_CLR(px[1], &writeto); - } - } while ((port&&FD_ISSET(s, &readfrom)) || - FD_ISSET(f, &readfrom) || - (port&&FD_ISSET(pv[0], &readfrom) )|| -- FD_ISSET(pw[0], &readfrom)); -+ FD_ISSET(pw[0], &readfrom) || -+ (port&&FD_ISSET(s, &writeto)) || -+ FD_ISSET(f, &writeto) || -+ FD_ISSET(px[1], &writeto)); - ignore_signals(); - #ifdef KERBEROS - syslog(LOG_INFO , diff --git a/krb5-appl-1.0-largefile.patch b/krb5-appl-1.0-largefile.patch deleted file mode 100644 index be50103..0000000 --- a/krb5-appl-1.0-largefile.patch +++ /dev/null 
@@ -1,276 +0,0 @@ -* Turn on large file support in gssftp and rcp (and the rest of the bsd - applications) using AC_SYS_LARGEFILE. -* The size of off_t might now be greater than that of an int or a long, so - if we have a "long long" type, assume that format specifiers for it work - correctly and that we can cast off_t values to long long for displaying - and logging. -* Check for fseeko(), which takes an off_t, and if we find it, use it - instead of fseek(), which takes a long and might not handle the full - range of values. -RT#6524 - -diff -up krb5-appl-1.0/bsd/krcp.c.largefile krb5-appl-1.0/bsd/krcp.c ---- krb5-appl-1.0/bsd/krcp.c.largefile 2010-03-05 11:06:23.000000000 -0500 -+++ krb5-appl-1.0/bsd/krcp.c 2010-03-05 11:06:24.000000000 -0500 -@@ -748,8 +748,13 @@ void source(argc, argv) - continue; - } - } -+#ifdef HAVE_LONG_LONG_INT -+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n", -+ (int) stb.st_mode&07777, (long long) stb.st_size, last); -+#else - (void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n", - (int) stb.st_mode&07777, (long ) stb.st_size, last); -+#endif - (void) rcmd_stream_write(rem, buf, strlen(buf), 0); - if (response() < 0) { - (void) close(f); -diff -up krb5-appl-1.0/configure.ac.largefile krb5-appl-1.0/configure.ac ---- krb5-appl-1.0/configure.ac.largefile 2010-03-05 11:06:23.000000000 -0500 -+++ krb5-appl-1.0/configure.ac 2010-03-05 11:06:24.000000000 -0500 -@@ -103,6 +103,10 @@ case $host in - ;; - esac - -+AC_SYS_LARGEFILE -+AC_FUNC_FSEEKO -+AC_TYPE_LONG_LONG_INT -+AC_TYPE_UNSIGNED_LONG_LONG_INT - AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname getusershell getutmp) - AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg) - AC_CHECK_FUNCS(line_push logwtmp openpty ptsname revoke rmufile rresvport_af) -diff -up krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile krb5-appl-1.0/gssftp/ftpd/ftpcmd.y ---- krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile 2009-11-05 15:15:06.000000000 -0500 -+++ 
krb5-appl-1.0/gssftp/ftpd/ftpcmd.y 2010-03-05 11:06:24.000000000 -0500 -@@ -1499,12 +1499,20 @@ char *filename; - (stbuf.st_mode&S_IFMT) != S_IFREG) - reply(550, "%s: not a plain file.", filename); - else -+#ifdef HAVE_LONG_LONG_INT -+ reply(213, "%llu", (long long) stbuf.st_size); -+#else - reply(213, "%lu", (long) stbuf.st_size); -+#endif - break;} - case TYPE_A: { - FILE *fin; - register int c; -+#ifdef HAVE_LONG_LONG_INT -+ register long long count; -+#else - register long count; -+#endif - struct stat stbuf; - fin = fopen(filename, "r"); - if (fin == NULL) { -@@ -1526,7 +1534,11 @@ char *filename; - } - (void) fclose(fin); - -+#ifdef HAVE_LONG_LONG_INT -+ reply(213, "%lld", count); -+#else - reply(213, "%ld", count); -+#endif - break;} - default: - reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]); -diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile krb5-appl-1.0/gssftp/ftpd/ftpd.c ---- krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile 2010-03-05 11:06:23.000000000 -0500 -+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 11:06:24.000000000 -0500 -@@ -1205,8 +1205,13 @@ retrieve(cmd, name) - done: - (*closefunc)(fin); - if (logging > 2 && !cmd) { -+#ifdef HAVE_UNSIGNED_LONG_LONG_INT -+ syslog(LOG_NOTICE, "get: %llu bytes transferred", -+ (unsigned long long) byte_count); -+#else - syslog(LOG_NOTICE, "get: %lu bytes transferred", - (unsigned long) byte_count); -+#endif - } - } - -@@ -1252,7 +1257,7 @@ store_file(name, fmode, unique) - * because we are changing from reading to - * writing. 
- */ -- if (fseek(fout, 0L, L_INCR) < 0) { -+ if (FSEEK(fout, 0L, L_INCR) < 0) { - perror_reply(550, name); - goto done; - } -@@ -1277,8 +1282,13 @@ store_file(name, fmode, unique) - done: - (*closefunc)(fout); - if (logging > 2) { -+#ifdef HAVE_UNSIGNED_LONG_LONG_INT -+ syslog(LOG_NOTICE, "put: %llu bytes transferred", -+ (unsigned long long) byte_count); -+#else - syslog(LOG_NOTICE, "put: %lu bytes transferred", - (unsigned long) byte_count); -+#endif - } - } - -@@ -1341,8 +1351,13 @@ dataconn(name, size, fmode) - byte_count = 0; - if (size != (off_t) -1) - /* cast size to long in case sizeof(off_t) > sizeof(long) */ -+#ifdef HAVE_LONG_LONG_INT -+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)", -+ (long long)size); -+#else - (void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)", - (long)size); -+#endif - else - sizebuf[0] = '\0'; - if (pdata >= 0) { -@@ -2063,6 +2078,15 @@ myoob(sig) - siglongjmp(urgcatch, 1); - } - if (strcmp(cp, "STAT") == 0) { -+#ifdef HAVE_LONG_LONG_INT -+ if (file_size != (off_t) -1) -+ reply(213, "Status: %llu of %llu bytes transferred", -+ (unsigned long long) byte_count, -+ (unsigned long long) file_size); -+ else -+ reply(213, "Status: %llu bytes transferred", -+ (unsigned long long) byte_count); -+#else - if (file_size != (off_t) -1) - reply(213, "Status: %lu of %lu bytes transferred", - (unsigned long) byte_count, -@@ -2070,6 +2094,7 @@ myoob(sig) - else - reply(213, "Status: %lu bytes transferred", - (unsigned long) byte_count); -+#endif - } - } - -diff -up krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile krb5-appl-1.0/gssftp/ftpd/ftpd_var.h ---- krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile 2009-11-05 15:15:06.000000000 -0500 -+++ krb5-appl-1.0/gssftp/ftpd/ftpd_var.h 2010-03-05 11:06:24.000000000 -0500 -@@ -41,6 +41,12 @@ - char *radix_error (int); - int radix_encode (unsigned char *, unsigned char *, size_t *, int); - -+#ifdef HAVE_FSEEKO -+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence) -+#else 
-+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence) -+#endif -+ - /* ftpd.c */ - void ack(char *); - int auth_data(unsigned char *); -diff -up krb5-appl-1.0/gssftp/ftp/ftp.c.largefile krb5-appl-1.0/gssftp/ftp/ftp.c ---- krb5-appl-1.0/gssftp/ftp/ftp.c.largefile 2010-03-05 11:06:24.000000000 -0500 -+++ krb5-appl-1.0/gssftp/ftp/ftp.c 2010-03-05 11:06:24.000000000 -0500 -@@ -156,7 +156,11 @@ void user_gss_error (OM_uint32, OM_uint3 - - static void proxtrans (char *, char *, char *); - static int initconn (void); -+#ifdef HAVE_LONG_LONG_INT -+static void ptransfer (char *, long long, struct timeval *, struct timeval *); -+#else - static void ptransfer (char *, long, struct timeval *, struct timeval *); -+#endif - static void abort_remote (FILE *); - static void tvsub (struct timeval *, struct timeval *, struct timeval *); - static char *gunique (char *); -@@ -787,7 +791,11 @@ void sendrequest(char *cmd, char *local, - FILE *volatile fin, *volatile dout = 0; - int (*volatile closefunc)(); - volatile sig_t oldintr, oldintp; -+#ifdef HAVE_LONG_LONG_INT -+ volatile long long bytes = 0, hashbytes = HASHBYTES; -+#else - volatile long bytes = 0, hashbytes = HASHBYTES; -+#endif - char *volatile lmode; - char buf[FTP_BUFSIZ], *bufp; - -@@ -884,7 +892,7 @@ void sendrequest(char *cmd, char *local, - - if (restart_point && - (strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) { -- if (fseek(fin, (long) restart_point, 0) < 0) { -+ if (FSEEK(fin, restart_point, 0) < 0) { - fprintf(stderr, "local: %s: %s\n", local, - strerror(errno)); - restart_point = 0; -@@ -1279,7 +1287,7 @@ void recvrequest(char *cmd, char *volati - if (restart_point) { - register int i, n, ch; - -- if (fseek(fout, 0L, L_SET) < 0) -+ if (FSEEK(fout, 0L, L_SET) < 0) - goto done; - n = restart_point; - for (i = 0; i++ < n;) { -@@ -1288,7 +1296,7 @@ void recvrequest(char *cmd, char *volati - if (ch == '\n') - i++; - } -- if (fseek(fout, 0L, L_INCR) < 0) { -+ if (FSEEK(fout, 0L, L_INCR) < 0) { - 
 done:
- fprintf(stderr, "local: %s: %s\n", local,
- strerror(errno));
-@@ -1553,8 +1561,13 @@ dataconn(char *lmode)
- return (FDOPEN_SOCKET(data, lmode));
- }
-
-+#ifdef HAVE_LONG_LONG_INT
-+static void ptransfer(char *direction, long long bytes,
-+ struct timeval *t0, struct timeval *t1)
-+#else
- static void ptransfer(char *direction, long bytes,
- struct timeval *t0, struct timeval *t1)
-+#endif
- {
- struct timeval td;
- float s, kbs;
-@@ -1564,8 +1577,13 @@ static void ptransfer(char *direction, l
- s = td.tv_sec + (td.tv_usec / 1000000.);
- #define nz(x) ((x) == 0 ? 1 : (x))
- kbs = (bytes / nz(s))/1024.0;
-+#ifdef HAVE_LONG_LONG_INT
-+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
-+ bytes, direction, s, kbs);
-+#else
- printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
- bytes, direction, s, kbs);
-+#endif
- }
- }
-
-diff -up krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile krb5-appl-1.0/gssftp/ftp/ftp_var.h
---- krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile 2010-03-05 11:06:24.000000000 -0500
-+++ krb5-appl-1.0/gssftp/ftp/ftp_var.h 2010-03-05 11:06:24.000000000 -0500
-@@ -46,12 +46,18 @@ FILE* fdopen_socket(SOCKET s, char* mode
- #define FDOPEN_SOCKET(s, mode) fdopen_socket(s, mode)
- #define SOCKETNO(fd) _get_osfhandle(fd)
- #define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0)
-+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
- #else
- #define FCLOSE_SOCKET(f) fclose(f)
- FILE* fdopen_socket(int *s, char* mode);
- #define FDOPEN_SOCKET(s, mode) fdopen_socket(&s, mode)
- #define SOCKETNO(fd) (fd)
- #define PERROR_SOCKET(str) perror(str)
-+#ifdef HAVE_FSEEKO
-+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
-+#else
-+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
-+#endif
- #endif
-
- #ifdef _WIN32
diff --git a/krb5-appl-1.0-manpaths.patch b/krb5-appl-1.0-manpaths.patch
deleted file mode 100644
index 0820c69..0000000
--- a/krb5-appl-1.0-manpaths.patch
+++ /dev/null
@@ -1,107 +0,0 @@ -Change the absolute paths included in the man pages so that the correct -values can be dropped in by config.status. After applying this patch, -these files should be renamed to their ".in" counterparts, and then the -configure scripts should be rebuilt. Originally RT#6525 - -diff -up krb5-appl-1.0/aclocal.m4.manpaths krb5-appl-1.0/aclocal.m4 ---- krb5-appl-1.0/aclocal.m4.manpaths 2010-03-05 10:55:58.000000000 -0500 -+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:55:58.000000000 -0500 -@@ -565,3 +565,24 @@ AC_SUBST(PAM_LIBS) - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ -+mansysconfdir=$sysconfdir -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` -+mansbindir=$sbindir -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlocalstatedir=$localstatedir -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlibexecdir=$libexecdir -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` -+AC_SUBST(mansysconfdir) -+AC_SUBST(mansbindir) -+AC_SUBST(manlocalstatedir) -+AC_SUBST(manlibexecdir) -+AC_CONFIG_FILES($1) -+]) -diff -up krb5-appl-1.0/bsd/klogind.M.manpaths krb5-appl-1.0/bsd/klogind.M ---- krb5-appl-1.0/bsd/klogind.M.manpaths 2008-12-15 15:29:01.000000000 -0500 -+++ krb5-appl-1.0/bsd/klogind.M 2010-03-05 10:55:58.000000000 -0500 -@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when - the port indicated in /etc/inetd.conf. 
A typical /etc/inetd.conf - configuration line for \fIklogind\fP might be: - --klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c -+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c - - When a service request is received, the following protocol is initiated: - -diff -up krb5-appl-1.0/bsd/kshd.M.manpaths krb5-appl-1.0/bsd/kshd.M ---- krb5-appl-1.0/bsd/kshd.M.manpaths 2006-06-12 14:19:26.000000000 -0400 -+++ krb5-appl-1.0/bsd/kshd.M 2010-03-05 10:55:58.000000000 -0500 -@@ -8,7 +8,7 @@ - .SH NAME - kshd \- kerberized remote shell server - .SH SYNOPSIS --.B /usr/local/sbin/kshd -+.B @mansbindir@/kshd - [ - .B \-kr45ec - ] -@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe - on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIkrshd\fP might be: - --kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c -+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c - - When a service request is received, the following protocol is initiated: - -diff -up krb5-appl-1.0/configure.ac.manpaths krb5-appl-1.0/configure.ac ---- krb5-appl-1.0/configure.ac.manpaths 2010-03-05 10:55:58.000000000 -0500 -+++ krb5-appl-1.0/configure.ac 2010-03-05 10:55:58.000000000 -0500 -@@ -412,6 +412,13 @@ else - fi - AC_SUBST(HAVE_RUNTEST) - -+V5_AC_OUTPUT_MANPAGE([ -+ gssftp/ftpd/ftpd.M -+ bsd/klogind.M -+ bsd/kshd.M -+ telnet/telnetd/telnetd.8 -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. 
 bsd libmissing libpty
- gssftp gssftp/ftp gssftp/ftpd
- telnet telnet/libtelnet telnet/telnet telnet/telnetd
-diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths krb5-appl-1.0/gssftp/ftpd/ftpd.M
---- krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths 2009-01-28 00:42:11.000000000 -0500
-+++ krb5-appl-1.0/gssftp/ftpd/ftpd.M 2010-03-05 10:55:58.000000000 -0500
-@@ -35,7 +35,7 @@
- .SH NAME
- ftpd \- DARPA Internet File Transfer Protocol server
- .SH SYNOPSIS
--.B ftpd
-+.B @mansbindir@/ftpd
- [\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
- [\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
- [\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
-diff -up krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths krb5-appl-1.0/telnet/telnetd/telnetd.8
---- krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths 2004-11-15 16:25:41.000000000 -0500
-+++ krb5-appl-1.0/telnet/telnetd/telnetd.8 2010-03-05 10:55:58.000000000 -0500
-@@ -37,7 +37,7 @@ telnetd \-
- .SM DARPA TELNET
- protocol server
- .SH SYNOPSIS
--.B /usr/libexec/telnetd
-+.B @mansbindir@/telnetd
- [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
- [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
- [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
diff --git a/krb5-appl-1.0-manpaths.txt b/krb5-appl-1.0-manpaths.txt
deleted file mode 100644
index add3f53..0000000
--- a/krb5-appl-1.0-manpaths.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-bsd/klogind.M
-bsd/kshd.M
-telnet/telnetd/telnetd.8
-gssftp/ftpd/ftpd.M
diff --git a/krb5-appl-1.0-pam.patch b/krb5-appl-1.0-pam.patch
deleted file mode 100644
index cc38621..0000000
--- a/krb5-appl-1.0-pam.patch
+++ /dev/null
@@ -1,1066 +0,0 @@ -Modify krshd so that it performs PAM account and session management. It -must now always fork so that it can always clean up the session. The -PAM session is opened and credentials initialized after any forwarded -credentials are stored to disk and before access to the user's home -directory is attempted. The default service name is "kshell" or -"ekshell", depending on whether or not encryption is in use, to avoid a -dependency or conflict on the plain rsh server's configuration file. At -run-time, krshd's behavior can be reset to the earlier, non-PAM behavior -by setting "use_pam" to false in the [rshd] section of /etc/krb5.conf. - -Modify ftpd so that authentication with a plaintext password goes -through PAM, and it performs PAM account and session management. The -PAM session is opened and credentials initialized after any forwarded -credentials are stored to disk. The default service name is "gssftp", -mainly to avoid conflicts with other FTP servers' configuration files. -At run-time, krshd's behavior can be reset to the earlier, non-PAM -behavior by setting "use_pam" to false in the [ftpd] section of -/etc/krb5.conf. - -Modify login so that instead of directly obtaining v5 credentials -or running aklog, it calls PAM for authentication if strong -authentication hasn't already been performed, so that it performs -account management using PAM (prompting for a password change if need -be), and that it performs session management. The PAM session is opened -and credentials initialized after any forwarded credentials are stored -to disk. The default service name is "login", because its configuration -is pretty much always going to be there. At run-time, login's behavior -can be reset to the earlier, non-PAM behavior by setting "use_pam" to -false in the [login] section of /etc/krb5.conf. - -When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam. -Originally filed as RT#5939. 
- -diff -up krb5-appl-1.0/aclocal.m4.pam krb5-appl-1.0/aclocal.m4 ---- krb5-appl-1.0/aclocal.m4.pam 2009-11-21 15:29:19.000000000 -0500 -+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:48:50.000000000 -0500 -@@ -486,3 +486,82 @@ AC_DEFUN([KRB5_AC_LIBUTIL], - UTIL_LIB=-lutil])dnl - AC_SUBST(UTIL_LIB) - ])dnl -+dnl -+dnl Use PAM instead of local crypt() compare for checking local passwords, -+dnl and perform PAM account, session management, and password-changing where -+dnl appropriate. -+dnl -+AC_DEFUN(KRB5_WITH_PAM,[ -+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], -+ withpam="$withval",withpam=auto) -+AC_ARG_WITH(pam-login-service,[AC_HELP_STRING(--with-login-service,[PAM service name for login ["login"]])], -+ withloginpamservice="$withval",withloginpamservice=login) -+AC_ARG_WITH(pam-kshell-service,[AC_HELP_STRING(--with-kshell-service,[PAM service name for unencrypted rsh ["kshell"]])], -+ withkshellpamservice="$withval",withkshellpamservice=kshell) -+AC_ARG_WITH(pam-ekshell-service,[AC_HELP_STRING(--with-ekshell-service,[PAM service name for encrypted rsh ["ekshell"]])], -+ withekshellpamservice="$withval",withekshellpamservice=ekshell) -+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])], -+ withftppamservice="$withval",withftppamservice=gssftp) -+old_LIBS="$LIBS" -+if test "$withpam" != no ; then -+ AC_MSG_RESULT([checking for PAM...]) -+ PAM_LIBS= -+ -+ AC_CHECK_HEADERS(security/pam_appl.h) -+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then -+ if test "$withpam" = auto ; then -+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) -+ withpam=no -+ else -+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) -+ fi -+ fi -+ -+ LIBS= -+ unset ac_cv_func_pam_start -+ AC_CHECK_FUNCS(putenv pam_start) -+ if test "x$ac_cv_func_pam_start" = xno ; then -+ unset ac_cv_func_pam_start -+ AC_CHECK_LIB(dl,dlopen) -+ AC_CHECK_FUNCS(pam_start) -+ if test "x$ac_cv_func_pam_start" = xno 
; then -+ AC_CHECK_LIB(pam,pam_start) -+ unset ac_cv_func_pam_start -+ unset ac_cv_func_pam_getenvlist -+ AC_CHECK_FUNCS(pam_start pam_getenvlist) -+ if test "x$ac_cv_func_pam_start" = xyes ; then -+ PAM_LIBS="$LIBS" -+ else -+ if test "$withpam" = auto ; then -+ AC_MSG_RESULT([Unable to locate libpam.]) -+ withpam=no -+ else -+ AC_MSG_ERROR([Unable to locate libpam.]) -+ fi -+ fi -+ fi -+ fi -+ if test "$withpam" != no ; then -+ AC_MSG_NOTICE([building with PAM support]) -+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) -+ AC_DEFINE_UNQUOTED(LOGIN_PAM_SERVICE,"$withloginpamservice", -+ [Define to the name of the PAM service name to be used by login.]) -+ AC_DEFINE_UNQUOTED(KSHELL_PAM_SERVICE,"$withkshellpamservice", -+ [Define to the name of the PAM service name to be used by rshd for unencrypted sessions.]) -+ AC_DEFINE_UNQUOTED(EKSHELL_PAM_SERVICE,"$withekshellpamservice", -+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.]) -+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice", -+ [Define to the name of the PAM service name to be used by ftpd.]) -+ PAM_LIBS="$LIBS" -+ NON_PAM_MAN=".\\\" " -+ PAM_MAN= -+ else -+ PAM_MAN=".\\\" " -+ NON_PAM_MAN= -+ fi -+fi -+LIBS="$old_LIBS" -+AC_SUBST(PAM_LIBS) -+AC_SUBST(PAM_MAN) -+AC_SUBST(NON_PAM_MAN) -+])dnl -diff -up krb5-appl-1.0/bsd/krshd.c.pam krb5-appl-1.0/bsd/krshd.c ---- krb5-appl-1.0/bsd/krshd.c.pam 2009-11-16 05:27:04.000000000 -0500 -+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 10:48:50.000000000 -0500 -@@ -163,6 +163,10 @@ char copyright[] = - #include - #endif - -+#ifdef USE_PAM -+#include "pam.h" -+#endif -+ - #ifndef MAXDNAME - #define MAXDNAME 256 /*per the rfc*/ - #endif -@@ -183,6 +187,7 @@ void fatal(int, const char *); - - int require_encrypt = 0; - int do_encrypt = 0; -+int force_fork = 0; - int anyport = 0; - char *kprogdir = KPROGDIR; - int netf; -@@ -1032,14 +1037,6 @@ void doit(f, fromp) - } - #endif /*CRAY*/ - -- if (chdir(pwd->pw_dir) 
< 0) { -- if(chdir("/") < 0) { -- error("No remote directory.\n"); -- goto signout_please; -- } -- pwd->pw_dir = "/"; -- } -- - #ifdef KERBEROS - /* krb5_kuserok returns 1 if OK */ - if (!krb5_kuserok(bsd_context, client, locuser)){ -@@ -1069,11 +1066,51 @@ void doit(f, fromp) - goto signout_please; - } - -+#ifdef USE_PAM -+ if (appl_pam_enabled(bsd_context, "rshd")) { -+ if (appl_pam_acct_mgmt(do_encrypt ? -+ EKSHELL_PAM_SERVICE : -+ KSHELL_PAM_SERVICE, -+ 0, -+ locuser, -+ "", -+ hostname, -+ NULL, -+ do_encrypt ? -+ EKSHELL_PAM_SERVICE : -+ KSHELL_PAM_SERVICE) != 0) { -+ error("Login denied.\n"); -+ goto signout_please; -+ } -+ if (appl_pam_requires_chauthtok()) { -+ error("Password change required, but not possible over rsh.\n"); -+ goto signout_please; -+ } -+ force_fork = 1; -+ appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME")); -+ if (appl_pam_session_open() != 0) { -+ error("Login failure.\n"); -+ goto signout_please; -+ } -+ if (appl_pam_cred_init()) { -+ error("Login failure.\n"); -+ goto signout_please; -+ } -+ } else -+#endif - if (pwd->pw_uid && !access(NOLOGIN, F_OK)) { - error("Logins currently disabled.\n"); - goto signout_please; - } - -+ if (chdir(pwd->pw_dir) < 0) { -+ if (chdir("/") < 0) { -+ error("No remote directory.\n"); -+ goto signout_please; -+ } -+ pwd->pw_dir = "/"; -+ } -+ - /* Log access to account */ - pwd = (struct passwd *) getpwnam(locuser); - if (pwd && (pwd->pw_uid == 0)) { -@@ -1113,7 +1150,7 @@ void doit(f, fromp) - - (void) write(2, "", 1); - -- if (port||do_encrypt) { -+ if (port||do_encrypt||force_fork) { - if (port&&(pipe(pv) < 0)) { - error("Can't make pipe.\n"); - goto signout_please; -@@ -1418,6 +1455,15 @@ void doit(f, fromp) - - environ = envinit; - -+#ifdef USE_PAM -+ if (appl_pam_enabled(bsd_context, "rshd")) { -+ if (appl_pam_setenv() != 0) { -+ error("Login failure.\n"); -+ goto signout_please; -+ } -+ } -+#endif -+ - #ifdef KERBEROS - /* To make Kerberos rcp work correctly, we must ensure that we - invoke 
Kerberos rcp on this end, not normal rcp, even if the -diff -up krb5-appl-1.0/bsd/login.c.pam krb5-appl-1.0/bsd/login.c ---- krb5-appl-1.0/bsd/login.c.pam 2009-11-21 15:29:19.000000000 -0500 -+++ krb5-appl-1.0/bsd/login.c 2010-03-05 10:48:50.000000000 -0500 -@@ -148,6 +148,11 @@ typedef sigtype (*handler)(); - #define KRB5_ENV_CCNAME "KRB5CCNAME" - #endif /* KRB5_GET_TICKETS */ - -+#ifdef USE_PAM -+#include "pam.h" -+int login_use_pam = 1; -+#endif -+ - #ifndef __STDC__ - #ifndef volatile - #define volatile -@@ -293,6 +298,9 @@ static struct login_confs { - char *flagname; - int *flag; - } login_conf_set[] = { -+#ifdef USE_PAM -+ {USE_PAM_CONFIGURATION_KEYWORD, &login_use_pam}, -+#endif - #ifdef KRB5_GET_TICKETS - {"krb5_get_tickets", &login_krb5_get_tickets}, - {"krb_run_aklog", &login_krb_run_aklog}, -@@ -934,6 +942,21 @@ int main(argc, argv) - if (!unix_needs_passwd()) - break; - -+#ifdef USE_PAM -+ if (login_use_pam) { -+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "", -+ hostname, -+ NULL, -+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) { -+ break; -+ } else { -+ /* the goto target label is in a different nesting scope, but -+ * it's roughly where we want to land */ -+ goto bad_login; -+ } -+ } -+#endif -+ - #ifdef KRB5_GET_TICKETS - if (login_krb5_get_tickets) { - /* rename these to something more verbose */ -@@ -1021,6 +1044,24 @@ int main(argc, argv) - /* committed to login -- turn off timeout */ - (void) alarm((u_int) 0); - -+#ifdef USE_PAM -+ if (login_use_pam) { -+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "", -+ hostname, NULL, ttyname(STDIN_FILENO)) != 0) { -+ printf("Login incorrect\n"); -+ sleepexit(1); -+ } -+ if (appl_pam_requires_chauthtok()) { -+ if (appl_pam_chauthtok() != 0) { -+ printf("Failed to change password.\n"); -+ sleepexit(1); -+ } -+ } -+ } else { -+ /* the "else" here is the non-PAM behavior which continues until the -+ * next ifdef USE_PAM block, as of this writing more or less -+ * duplicating the work of 
pam_securetty and an OQUOTA check */ -+#endif - /* - * If valid so far and root is logging in, see if root logins on - * this terminal are permitted. -@@ -1061,6 +1102,21 @@ int main(argc, argv) - sleepexit(0); - } - #endif -+#ifdef USE_PAM -+ } -+#endif /* USE_PAM */ -+ -+#ifdef USE_PAM -+ if (login_use_pam) { -+ appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME")); -+ if (appl_pam_session_open() != 0) { -+ sleepexit(1); -+ } -+ if (appl_pam_cred_init() != 0) { -+ sleepexit(1); -+ } -+ } -+#endif /* USE_PAM */ - - if (chdir(pwd->pw_dir) < 0) { - printf("No directory %s!\n", pwd->pw_dir); -@@ -1343,6 +1399,11 @@ int main(argc, argv) - } - #endif /* KRB5_GET_TICKETS */ - -+#ifdef USE_PAM -+ if (login_use_pam) -+ appl_pam_setenv(); -+#endif -+ - if (tty[sizeof("tty")-1] == 'd') - syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); - if (pwd->pw_uid == 0) -diff -up krb5-appl-1.0/bsd/Makefile.in.pam krb5-appl-1.0/bsd/Makefile.in ---- krb5-appl-1.0/bsd/Makefile.in.pam 2009-11-05 15:10:37.000000000 -0500 -+++ krb5-appl-1.0/bsd/Makefile.in 2010-03-05 10:48:50.000000000 -0500 -@@ -3,11 +3,14 @@ BUILDTOP=$(REL).. 
- - LOGINLIBS=@LOGINLIBS@ - KRSHDLIBS=@KRSHDLIBS@ -+PAMOBJS=pam.o -+PAM_LIBS=@PAM_LIBS@ - - SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \ - $(srcdir)/forward.c $(srcdir)/login.c $(srcdir)/krshd.c \ - $(srcdir)/krlogind.c --OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o -+OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o \ -+ $(PAMOBJS) - - UCB_RLOGIN = @UCB_RLOGIN@ - UCB_RSH = @UCB_RSH@ -@@ -50,8 +53,8 @@ install:: - ) || exit 1; \ - done - --kshd: krshd.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB) -- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS) -+kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB) -+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(LIBS) - - klogind: krlogind.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB) - $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS) -@@ -68,8 +71,8 @@ install:: - # No program name transformation is done with login.krb5 since it is directly - # referenced by klogind. - # --login.krb5: login.o $(PTY_DEPLIB) $(MISSING_DEPLIB) -- $(CC_LINK) -o login.krb5 login.o $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(LIBS) -+login.krb5: login.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB) -+ $(CC_LINK) -o login.krb5 login.o $(PAMOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(PAM_LIBS) $(LIBS) - - install:: - $(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5 -diff -up krb5-appl-1.0/bsd/pam.c.pam krb5-appl-1.0/bsd/pam.c ---- krb5-appl-1.0/bsd/pam.c.pam 2010-03-05 10:48:50.000000000 -0500 -+++ krb5-appl-1.0/bsd/pam.c 2010-03-05 10:48:50.000000000 -0500 -@@ -0,0 +1,438 @@ -+/* -+ * src/appl/bsd/pam.c -+ * -+ * Copyright 2007,2009,2010 Red Hat, Inc. 
-+ * -+ * All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. -+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * Convenience wrappers for using PAM. 
-+ */ -+ -+#include "autoconf.h" -+#ifdef USE_PAM -+#include -+#include -+#include -+#include -+#include -+#include -+#include "pam.h" -+ -+#ifndef MAXPWSIZE -+#define MAXPWSIZE 128 -+#endif -+ -+#ifndef KRB5_ENV_CCNAME -+#define KRB5_ENV_CCNAME "KRB5CCNAME" -+#endif -+ -+static int appl_pam_started; -+static pid_t appl_pam_starter = -1; -+static int appl_pam_session_opened; -+static int appl_pam_creds_initialized; -+static int appl_pam_pwchange_required; -+static pam_handle_t *appl_pamh; -+static struct pam_conv appl_pam_conv; -+static char *appl_pam_user; -+struct appl_pam_non_interactive_args { -+ const char *user; -+ const char *password; -+}; -+ -+int -+appl_pam_enabled(krb5_context context, const char *section) -+{ -+ int enabled = 1; -+ profile_t profile = NULL; -+ if ((context != NULL) && (krb5_get_profile(context, &profile) == 0)) { -+ if (profile_get_boolean(profile, -+ section, -+ USE_PAM_CONFIGURATION_KEYWORD, -+ NULL, -+ enabled, &enabled) != 0) { -+ enabled = 1; -+ } -+ } -+ return enabled; -+} -+ -+void -+appl_pam_cleanup(void) -+{ -+ if (getpid() != appl_pam_starter) { -+ return; -+ } -+#ifdef DEBUG -+ printf("Called to clean up PAM.\n"); -+#endif -+ if (appl_pam_creds_initialized) { -+#ifdef DEBUG -+ printf("Deleting PAM credentials.\n"); -+#endif -+ pam_setcred(appl_pamh, PAM_DELETE_CRED); -+ appl_pam_creds_initialized = 0; -+ } -+ if (appl_pam_session_opened) { -+#ifdef DEBUG -+ printf("Closing PAM session.\n"); -+#endif -+ pam_close_session(appl_pamh, 0); -+ appl_pam_session_opened = 0; -+ } -+ appl_pam_pwchange_required = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Shutting down PAM.\n"); -+#endif -+ pam_end(appl_pamh, 0); -+ appl_pam_started = 0; -+ appl_pam_starter = -1; -+ free(appl_pam_user); -+ appl_pam_user = NULL; -+ } -+} -+static int -+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, -+ struct pam_response **presp, void *appdata_ptr) -+{ -+ const struct pam_message *message; -+ struct pam_response 
*resp; -+ int i, code; -+ char *pwstring, pwbuf[MAXPWSIZE]; -+ unsigned int pwsize; -+ resp = malloc(sizeof(struct pam_response) * num_msg); -+ if (resp == NULL) { -+ return PAM_BUF_ERR; -+ } -+ memset(resp, 0, sizeof(struct pam_response) * num_msg); -+ code = PAM_SUCCESS; -+ for (i = 0; i < num_msg; i++) { -+ message = &(msg[0][i]); /* XXX */ -+ message = msg[i]; /* XXX */ -+ pwstring = NULL; -+ switch (message->msg_style) { -+ case PAM_TEXT_INFO: -+ case PAM_ERROR_MSG: -+ printf("[%s]\n", message->msg ? message->msg : ""); -+ fflush(stdout); -+ resp[i].resp = NULL; -+ resp[i].resp_retcode = PAM_SUCCESS; -+ break; -+ case PAM_PROMPT_ECHO_ON: -+ case PAM_PROMPT_ECHO_OFF: -+ if (message->msg_style == PAM_PROMPT_ECHO_ON) { -+ if (fgets(pwbuf, sizeof(pwbuf), -+ stdin) != NULL) { -+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; -+ pwstring = pwbuf; -+ } -+ } else { -+ pwstring = getpass(message->msg ? -+ message->msg : -+ ""); -+ } -+ if ((pwstring != NULL) && (pwstring[0] != '\0')) { -+ pwsize = strlen(pwstring); -+ resp[i].resp = malloc(pwsize + 1); -+ if (resp[i].resp == NULL) { -+ resp[i].resp_retcode = PAM_BUF_ERR; -+ } else { -+ memcpy(resp[i].resp, pwstring, pwsize); -+ resp[i].resp[pwsize] = '\0'; -+ resp[i].resp_retcode = PAM_SUCCESS; -+ } -+ } else { -+ resp[i].resp_retcode = PAM_CONV_ERR; -+ code = PAM_CONV_ERR; -+ } -+ break; -+ default: -+ break; -+ } -+ } -+ *presp = resp; -+ return code; -+} -+static int -+appl_pam_non_interactive_converse(int num_msg, -+ const struct pam_message **msg, -+ struct pam_response **presp, -+ void *appdata_ptr) -+{ -+ const struct pam_message *message; -+ struct pam_response *resp; -+ int i, code; -+ unsigned int pwsize; -+ struct appl_pam_non_interactive_args *args; -+ const char *pwstring; -+ resp = malloc(sizeof(struct pam_response) * num_msg); -+ if (resp == NULL) { -+ return PAM_BUF_ERR; -+ } -+ args = appdata_ptr; -+ memset(resp, 0, sizeof(struct pam_response) * num_msg); -+ code = PAM_SUCCESS; -+ for (i = 0; i < num_msg; i++) 
{ -+ message = &((*msg)[i]); -+ message = msg[i]; -+ pwstring = NULL; -+ switch (message->msg_style) { -+ case PAM_TEXT_INFO: -+ case PAM_ERROR_MSG: -+ break; -+ case PAM_PROMPT_ECHO_ON: -+ case PAM_PROMPT_ECHO_OFF: -+ if (message->msg_style == PAM_PROMPT_ECHO_ON) { -+ /* assume "user" */ -+ pwstring = args->user; -+ } else { -+ /* assume "password" */ -+ pwstring = args->password; -+ } -+ if ((pwstring != NULL) && (pwstring[0] != '\0')) { -+ pwsize = strlen(pwstring); -+ resp[i].resp = malloc(pwsize + 1); -+ if (resp[i].resp == NULL) { -+ resp[i].resp_retcode = PAM_BUF_ERR; -+ } else { -+ memcpy(resp[i].resp, pwstring, pwsize); -+ resp[i].resp[pwsize] = '\0'; -+ resp[i].resp_retcode = PAM_SUCCESS; -+ } -+ } else { -+ resp[i].resp_retcode = PAM_CONV_ERR; -+ code = PAM_CONV_ERR; -+ } -+ break; -+ default: -+ break; -+ } -+ } -+ *presp = resp; -+ return code; -+} -+void -+appl_pam_set_forwarded_ccname(const char *ccname) -+{ -+ char *ccname2; -+ if (appl_pam_started && (ccname != NULL) && (strlen(ccname) > 0)) { -+ ccname2 = malloc(strlen(KRB5_ENV_CCNAME) + strlen(ccname) + 2); -+ if (ccname2 != NULL) { -+#ifdef DEBUG -+ printf("Setting %s to \"%s\" in PAM environment.\n", -+ KRB5_ENV_CCNAME, ccname); -+#endif -+ sprintf(ccname2, "%s=%s", KRB5_ENV_CCNAME, ccname); -+ pam_putenv(appl_pamh, ccname2); -+ } -+ } -+} -+static int -+appl_pam_start(const char *service, int interactive, -+ const char *login_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty) -+{ -+ static int exit_handler_registered; -+ static struct appl_pam_non_interactive_args args; -+ int ret = 0; -+ if (appl_pam_started && -+ (strcmp(login_username, appl_pam_user) != 0)) { -+ appl_pam_cleanup(); -+ appl_pam_user = NULL; -+ } -+ if (!appl_pam_started) { -+#ifdef DEBUG -+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", -+ service, login_username); -+#endif -+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); -+ appl_pam_conv.conv 
= interactive ? -+ &appl_pam_interactive_converse : -+ &appl_pam_non_interactive_converse; -+ memset(&args, 0, sizeof(args)); -+ args.user = strdup(login_username); -+ args.password = non_interactive_password ? -+ strdup(non_interactive_password) : -+ NULL; -+ appl_pam_conv.appdata_ptr = &args; -+ ret = pam_start(service, login_username, -+ &appl_pam_conv, &appl_pamh); -+ if (ret == 0) { -+ if (hostname != NULL) { -+#ifdef DEBUG -+ printf("Setting PAM_RHOST to \"%s\".\n", hostname); -+#endif -+ pam_set_item(appl_pamh, PAM_RHOST, hostname); -+ } -+ if (ruser != NULL) { -+#ifdef DEBUG -+ printf("Setting PAM_RUSER to \"%s\".\n", ruser); -+#endif -+ pam_set_item(appl_pamh, PAM_RUSER, ruser); -+ } -+ if (tty != NULL) { -+#ifdef DEBUG -+ printf("Setting PAM_TTY to \"%s\".\n", tty); -+#endif -+ pam_set_item(appl_pamh, PAM_TTY, tty); -+ } -+ if (!exit_handler_registered && -+ (atexit(appl_pam_cleanup) != 0)) { -+ pam_end(appl_pamh, 0); -+ appl_pamh = NULL; -+ ret = -1; -+ } else { -+ appl_pam_started = 1; -+ appl_pam_starter = getpid(); -+ appl_pam_user = strdup(login_username); -+ exit_handler_registered = 1; -+ } -+ } -+ } -+ return ret; -+} -+int -+appl_pam_authenticate(const char *service, int interactive, -+ const char *login_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty) -+{ -+ int ret; -+ ret = appl_pam_start(service, interactive, login_username, -+ non_interactive_password, hostname, ruser, tty); -+ if (ret == 0) { -+ ret = pam_authenticate(appl_pamh, 0); -+ } -+ return ret; -+} -+int -+appl_pam_acct_mgmt(const char *service, int interactive, -+ const char *login_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty) -+{ -+ int ret; -+ appl_pam_pwchange_required = 0; -+ ret = appl_pam_start(service, interactive, login_username, -+ non_interactive_password, hostname, ruser, tty); -+ if (ret == 0) { -+#ifdef DEBUG -+ printf("Calling 
pam_acct_mgmt().\n"); -+#endif -+ ret = pam_acct_mgmt(appl_pamh, 0); -+ switch (ret) { -+ case PAM_IGNORE: -+ ret = 0; -+ break; -+ case PAM_NEW_AUTHTOK_REQD: -+ appl_pam_pwchange_required = 1; -+ ret = 0; -+ break; -+ default: -+ break; -+ } -+ } -+ return ret; -+} -+int -+appl_pam_requires_chauthtok(void) -+{ -+ return appl_pam_pwchange_required; -+} -+int -+appl_pam_chauthtok(void) -+{ -+ int ret = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Changing PAM expired authentication token.\n"); -+#endif -+ ret = pam_chauthtok(appl_pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ } -+ return ret; -+} -+int -+appl_pam_session_open(void) -+{ -+ int ret = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Opening PAM session.\n"); -+#endif -+ ret = pam_open_session(appl_pamh, 0); -+ if (ret == 0) { -+ appl_pam_session_opened = 1; -+ } -+ } -+ return ret; -+} -+int -+appl_pam_setenv(void) -+{ -+ int ret = 0; -+#ifdef HAVE_PAM_GETENVLIST -+#ifdef HAVE_PUTENV -+ int i; -+ char **list; -+ if (appl_pam_started) { -+ list = pam_getenvlist(appl_pamh); -+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { -+#ifdef DEBUG -+ printf("Setting \"%s\" in environment.\n", list[i]); -+#endif -+ putenv(list[i]); -+ } -+ } -+#endif -+#endif -+ return ret; -+} -+int -+appl_pam_cred_init(void) -+{ -+ int ret = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Initializing PAM credentials.\n"); -+#endif -+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); -+ if (ret == 0) { -+ appl_pam_creds_initialized = 1; -+ } -+ } -+ return ret; -+} -+#endif -diff -up krb5-appl-1.0/bsd/pam.h.pam krb5-appl-1.0/bsd/pam.h ---- krb5-appl-1.0/bsd/pam.h.pam 2010-03-05 10:48:50.000000000 -0500 -+++ krb5-appl-1.0/bsd/pam.h 2010-03-05 10:48:50.000000000 -0500 -@@ -0,0 +1,65 @@ -+/* -+ * src/appl/bsd/pam.h -+ * -+ * Copyright 2007,2009 Red Hat, Inc. -+ * -+ * All Rights Reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. -+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * Convenience wrappers for using PAM. 
-+ */ -+ -+#include -+#ifdef HAVE_SECURITY_PAM_APPL_H -+#include -+#endif -+ -+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" -+ -+#ifdef USE_PAM -+int appl_pam_enabled(krb5_context context, const char *section); -+int appl_pam_authenticate(const char *service, int interactive, -+ const char *local_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty); -+int appl_pam_acct_mgmt(const char *service, int interactive, -+ const char *local_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty); -+int appl_pam_requires_chauthtok(void); -+int appl_pam_chauthtok(void); -+void appl_pam_set_forwarded_ccname(const char *ccname); -+int appl_pam_session_open(void); -+int appl_pam_setenv(void); -+int appl_pam_cred_init(void); -+void appl_pam_cleanup(void); -+#endif -diff -up krb5-appl-1.0/configure.ac.pam krb5-appl-1.0/configure.ac ---- krb5-appl-1.0/configure.ac.pam 2009-11-21 16:46:39.000000000 -0500 -+++ krb5-appl-1.0/configure.ac 2010-03-05 10:48:50.000000000 -0500 -@@ -156,6 +156,8 @@ AC_CHECK_FUNC(tgetent, , - [AC_MSG_ERROR([Could not find tgetent; are you missing a curses/ncurses library?])]) - LIBS="$old_LIBS" - -+KRB5_WITH_PAM -+ - # Make our operating system-specific security checks and definitions - # for libpty, login, and ftpd. The following code decides what - # streams modules will be pushed onto a pty. 
In particular, if -diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam krb5-appl-1.0/gssftp/ftpd/ftpd.c ---- krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam 2009-11-18 00:07:46.000000000 -0500 -+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 10:48:50.000000000 -0500 -@@ -69,6 +69,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40 - #ifdef HAVE_SHADOW - #include - #endif -+#ifdef USE_PAM -+#include "../../bsd/pam.h" -+#endif - #include - #include - #ifndef POSIX_SETJMP -@@ -743,6 +746,22 @@ user(name) - name); - } - #endif /* GSSAPI */ -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) { -+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, -+ name, "", -+ hostname, -+ NULL, -+ FTP_PAM_SERVICE) != 0) { -+ reply(530, "Login incorrect."); -+ return; -+ } -+ if (appl_pam_requires_chauthtok()) { -+ reply(530, "Password change required."); -+ return; -+ } -+ } -+#endif - - if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) { - strncat(buf, "; Access denied.", -@@ -843,6 +862,10 @@ end_login() - (void) krb5_seteuid((uid_t)0); - if (logged_in) - pty_logwtmp(ttyline, "", ""); -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) -+ appl_pam_cleanup(); -+#endif - if (have_creds) { - #ifdef GSSAPI - krb5_cc_destroy(kcontext, ccache); -@@ -951,9 +974,19 @@ pass(passwd) - * kpass fails and the user has no local password - * kpass fails and the provided password doesn't match pw - */ -- if (pw == NULL || (!kpass(pw->pw_name, passwd) && -- (want_creds || !*pw->pw_passwd || -- strcmp(xpasswd, pw->pw_passwd)))) { -+ if ((pw == NULL) || ( -+#ifdef USE_PAM -+ appl_pam_enabled(kcontext, "ftpd") ? 
-+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0, -+ pw->pw_name, passwd, -+ hostname, -+ NULL, -+ FTP_PAM_SERVICE) != 0) : -+#endif -+ (!kpass(pw->pw_name, passwd) && -+ (want_creds || -+ !*pw->pw_passwd || -+ strcmp(xpasswd, pw->pw_passwd))))) { - pw = NULL; - sleep(5); - if (++login_attempts >= 3) { -@@ -970,6 +1003,23 @@ pass(passwd) - } - login_attempts = 0; /* this time successful */ - -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) { -+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, -+ pw->pw_name, passwd, -+ hostname, -+ NULL, -+ FTP_PAM_SERVICE) != 0) { -+ reply(530, "Login incorrect."); -+ return; -+ } -+ if (appl_pam_requires_chauthtok()) { -+ reply(530, "Password change required."); -+ return; -+ } -+ } -+#endif -+ - login(passwd, 0); - return; - } -@@ -985,6 +1035,18 @@ login(passwd, logincode) - chown(ccname, pw->pw_uid, pw->pw_gid); - #endif - } -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) { -+ if (appl_pam_session_open() != 0) { -+ reply(550, "Can't open PAM session."); -+ goto bad; -+ } -+ if (appl_pam_cred_init() != 0) { -+ reply(550, "Can't establish PAM credentials."); -+ goto bad; -+ } -+ } -+#endif - - (void) krb5_setegid((gid_t)pw->pw_gid); - (void) initgroups(pw->pw_name, pw->pw_gid); -@@ -1966,6 +2028,10 @@ dologout(status) - krb5_cc_destroy(kcontext, ccache); - #endif - } -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) -+ appl_pam_cleanup(); -+#endif - /* beware of flushing buffers after a SIGPIPE */ - _exit(status); - } -diff -up krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam krb5-appl-1.0/gssftp/ftpd/Makefile.in ---- krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam 2009-07-20 13:21:24.000000000 -0400 -+++ krb5-appl-1.0/gssftp/ftpd/Makefile.in 2010-03-05 10:48:50.000000000 -0500 -@@ -6,22 +6,24 @@ PROG_LIBPATH=-L$(TOPLIBD) - PROG_RPATH=$(KRB5_LIBDIR) - - FTPD_LIBS=@FTPD_LIBS@ -+PAM_LIBS=@PAM_LIBS@ - - SRCS = $(srcdir)/ftpd.c ftpcmd.c $(srcdir)/popen.c \ - $(srcdir)/vers.c \ - $(srcdir)/../ftp/glob.c \ - 
$(srcdir)/../ftp/radix.c \ -- $(srcdir)/../ftp/secure.c -+ $(srcdir)/../ftp/secure.c \ -+ $(srcdir)/../../bsd/pam.c - - OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \ -- secure.o -+ secure.o pam.o - - LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) - - all:: ftpd - - ftpd: $(OBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB) -- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(PAM_LIBS) $(LIBS) - - generate-files-mac: ftpcmd.c - -@@ -61,4 +63,7 @@ ftpcmd.o: ftpcmd.c - popen.o: $(srcdir)/popen.c - vers.o: $(srcdir)/vers.c - -+pam.o: $(srcdir)/../../bsd/pam.c -+ $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/pam.c -+ - # NOPOSTFIX diff --git a/krb5-appl-1.0-rlogind-environ.patch b/krb5-appl-1.0-rlogind-environ.patch deleted file mode 100644 index 1034dcf..0000000 --- a/krb5-appl-1.0-rlogind-environ.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -Start with only TERM defined in the environment, like NetKit rlogind does, and -KRB5CCNAME, which we set ourselves. - -diff -up krb5-appl-1.0/bsd/krlogind.c.rlogind-environ krb5-appl-1.0/bsd/krlogind.c ---- krb5-appl-1.0/bsd/krlogind.c.rlogind-environ 2009-11-21 15:29:19.000000000 -0500 -+++ krb5-appl-1.0/bsd/krlogind.c 2010-03-05 11:07:34.000000000 -0500 -@@ -667,6 +667,9 @@ void doit(f, fromp) - #else - struct sgttyb b; - #endif /* POSIX_TERMIOS */ -+ char environ_term[sizeof(term) + 6], environ_ccname[sizeof(environ_term)]; -+ char *bare_environ[] = {environ_term, environ_ccname, NULL}; -+ - if ((retval = pty_open_slave(line, &t))) { - fatal(f, pty_error_message(retval)); - exit(1); -@@ -773,11 +776,15 @@ void doit(f, fromp) - /* use the vendors login, which has -p and -f. Tested on - * AIX 4.1.4 and HPUX 10 - */ -+ memset(environ_term, '\0', sizeof(environ_term)); -+ memset(environ_ccname, '\0', sizeof(environ_ccname)); -+ if (getenv("KRB5CCNAME") != NULL) -+ snprintf(environ_ccname, sizeof(environ_ccname) - 1, "KRB5CCNAME=%s", getenv("KRB5CCNAME")); - { - char *cp; -- if ((cp = strchr(term,'/'))) -+ snprintf(environ_term, sizeof(environ_term) - 1, "TERM=%s", term); -+ if ((cp = strchr(environ_term,'/'))) - *cp = '\0'; -- setenv("TERM",term, 1); - } - - retval = pty_make_sane_hostname((struct sockaddr *) fromp, maxhostlen, -@@ -786,13 +793,13 @@ void doit(f, fromp) - if (retval) - fatalperror(f, "failed make_sane_hostname"); - if (passwd_req) -- execl(login_program, "login", "-p", "-h", rhost_sane, -- lusername, (char *)NULL); -+ execle(login_program, "login", "-p", "-h", rhost_sane, -+ lusername, NULL, bare_environ); - else -- execl(login_program, "login", "-p", "-h", rhost_sane, -- "-f", lusername, (char *)NULL); -+ execle(login_program, "login", "-p", "-h", rhost_sane, -+ "-f", lusername, NULL, bare_environ); - #else /* USE_LOGIN_F */ -- execl(login_program, "login", "-r", rhost_sane, (char *)NULL); -+ execle(login_program, "login", "-r", 
rhost_sane, NULL, bare_environ); - #endif /* USE_LOGIN_F */ - syslog(LOG_ERR, "failed exec of %s: %s", - login_program, error_message(errno)); diff --git a/krb5-telnet.xinetd b/krb5-telnet.xinetd deleted file mode 100644 index 341ef3a..0000000 --- a/krb5-telnet.xinetd +++ /dev/null @@ -1,13 +0,0 @@ -# default: off -# description: The kerberized telnet server accepts normal telnet sessions, \ -# but can also use Kerberos 5 authentication. -service telnet -{ - flags = REUSE - socket_type = stream - wait = no - user = root - server = /usr/kerberos/sbin/telnetd - log_on_failure += USERID - disable = yes -} diff --git a/krb5-trunk-ftp_mget_case.patch b/krb5-trunk-ftp_mget_case.patch deleted file mode 100644 index 5076107..0000000 --- a/krb5-trunk-ftp_mget_case.patch +++ /dev/null @@ -1,19 +0,0 @@ -When "case" is enabled, we've been setting the target filename to the buffer -in which we'd store the lower-cased version of the name, even if we ended up -not generating a lower-cased version of the name, causing the client to store -the incoming data in whichever file whose name we'd last generated. ITS#5940. -diff -up src/appl/gssftp/ftp/cmds.c src/appl/gssftp/ftp/cmds.c ---- src/appl/gssftp/ftp/cmds.c 2008-04-16 10:36:13.000000000 -0400 -+++ src/appl/gssftp/ftp/cmds.c 2008-04-16 10:36:16.000000000 -0400 -@@ -1013,8 +1013,10 @@ void mget(argc, argv) - tp++; - tp2++; - } -+ tp = tmpbuf; -+ } else { -+ tp = cp; - } -- tp = tmpbuf; - } - if (ntflag) { - tp = dotrans(tp); diff --git a/krb5.csh b/krb5.csh deleted file mode 100755 index ed5e7c6..0000000 --- a/krb5.csh +++ /dev/null @@ -1,6 +0,0 @@ -if ( "${path}" !~ */usr/kerberos/bin* ) then - set path = ( /usr/kerberos/bin $path ) -endif -if ( "${path}" !~ */usr/kerberos/sbin* ) then - set path = ( /usr/kerberos/sbin $path ) -endif diff --git a/krb5.sh b/krb5.sh deleted file mode 100755 index 760c0b3..0000000 --- a/krb5.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -if ! echo ${PATH} | /bin/grep -q /usr/kerberos/bin ; then - PATH=/usr/kerberos/bin:${PATH} -fi -if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then - PATH=/usr/kerberos/sbin:${PATH} -fi diff --git a/krb5.spec b/krb5.spec index 9154f1e..d7bf34a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -2,8 +2,6 @@ %global WITH_OPENSSL 1 %global WITH_DIRSRV 1 -%global krb5prefix %{_prefix}/kerberos - # For consistency with regular login. %global login_pam_service remote 
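Review bot: Removing `%global krb5prefix %{_prefix}/kerberos` in this hunk means any `%{krb5prefix}` reference that survives in the parts of the spec not shown here would be left unexpanded as a literal path component rather than reported at parse time; the hunks below drop the uses in %install, the two %files workstation-* lists and %files libs, but the whole file is not visible, so a `grep -n krb5prefix krb5.spec` after applying is worth a look before the build. The `%global login_pam_service remote` line kept as context just below is in a similar position: its visible consumers, the `Requires: xinetd, /etc/pam.d/%{login_pam_service}` of the workstation-servers subpackage and the `--with-pam-login-service=%{login_pam_service}` in the krb5-appl %build block, are both deleted by this commit, so unless something else in the spec still references it, the global and its comment can go too.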
@@ -13,80 +11,46 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.8 -Release: 3%{?dist} +Release: 4%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar Source0: krb5-%{version}.tar.gz Source1: krb5-%{version}.tar.gz.asc -# Everything that needs a krb5-appl counterpart will have it with number + 100 -# until we get the package split done, else the telnet/ftp/rcmd stuff will just -# "vanish". -Source100: krb5-appl-%{appl_version}.tar.gz -Source101: krb5-appl-%{appl_version}.tar.gz.asc Source2: kpropd.init Source4: kadmind.init Source5: krb5kdc.init Source6: krb5.conf -Source7: krb5.sh -Source8: krb5.csh Source10: kdc.conf Source11: kadm5.acl -Source12: krsh -Source13: krlogin -Source14: eklogin.xinetd -Source15: klogin.xinetd -Source16: kshell.xinetd -Source17: krb5-telnet.xinetd -Source18: gssftp.xinetd Source19: krb5kdc.sysconfig Source20: kadmin.sysconfig -Source22: ekrb5-telnet.xinetd # The same source files we "check", generated with "krb5-tex-pdf.sh create" # and tarred up. 
Source23: krb5-%{version}-pdf.tar.gz Source24: krb5-tex-pdf.sh Source25: krb5-1.8-manpaths.txt -Source125: krb5-appl-1.0-manpaths.txt -Source26: gssftp.pamd -Source27: kshell.pamd -Source28: ekshell.pamd Source29: ksu.pamd Source30: kerberos-iv.portreserve Source31: kerberos-adm.portreserve Source32: krb5_prop.portreserve -Patch3: krb5-1.3-netkit-rsh.patch -Patch4: krb5-appl-1.0-rlogind-environ.patch Patch5: krb5-1.8-ksu-access.patch Patch6: krb5-1.8-ksu-path.patch -Patch11: krb5-1.2.1-passive.patch Patch12: krb5-1.7-ktany.patch -Patch14: krb5-1.3-ftp-glob.patch Patch16: krb5-1.7-buildconf.patch Patch23: krb5-1.3.1-dns.patch Patch29: krb5-1.8-kprop-mktemp.patch Patch30: krb5-1.3.4-send-pr-tempfile.patch -Patch33: krb5-appl-1.0-io.patch -Patch36: krb5-1.7-rcp-markus.patch Patch39: krb5-1.8-api.patch -Patch40: krb5-1.4.1-telnet-environ.patch Patch53: krb5-1.7-nodeplibs.patch Patch56: krb5-1.7-doublelog.patch -Patch57: krb5-appl-1.0-login_chdir.patch Patch58: krb5-1.8-key_exp.patch Patch59: krb5-1.8-kpasswd_tcp.patch Patch60: krb5-1.8-pam.patch -Patch160: krb5-appl-1.0-pam.patch Patch61: krb5-1.8-manpaths.patch -Patch161: krb5-appl-1.0-manpaths.patch Patch63: krb5-1.8-selinux-label.patch Patch70: krb5-trunk-kpasswd_tcp2.patch Patch71: krb5-1.8-dirsrv-accountlock.patch -Patch72: krb5-1.6.3-ftp_fdleak.patch -Patch73: krb5-1.6.3-ftp_glob_runique.patch -Patch79: krb5-trunk-ftp_mget_case.patch -Patch88: krb5-1.7-sizeof.patch -Patch89: krb5-appl-1.0-largefile.patch Patch95: krb5-1.8-opte.patch Patch96: krb5-1.8-exp_warn.patch Patch98: krb5-1.8-kpasswd_ccache.patch 
@@ -191,32 +155,6 @@ package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd). If your network uses Kerberos, this package should be installed on every workstation. -%package workstation-clients -Summary: Kerberos 5 clients for use on workstations -Group: System Environment/Base -Requires: %{name}-workstation = %{version}-%{release} - -%description workstation-clients -Kerberos is a network authentication system. The krb5-workstation-clients -package contains kerberized versions of Telnet, FTP, and rsh/rlogin -clients. If your network uses these services this package should be -installed on systems which expect to connect to servers which provide -these services. - -%package workstation-servers -Summary: Kerberos 5 servers for use on workstations -Group: System Environment/Base -Requires: %{name}-workstation = %{version}-%{release} -Requires(post): initscripts -Requires(postun): initscripts -Requires: xinetd, /etc/pam.d/%{login_pam_service} - -%description workstation-servers -Kerberos is a network authentication system. The krb5-workstation-servers -package contains kerberized versions of Telnet, FTP, and rsh/rlogin -servers. If your network uses Kerberos, this package should be -installed on systems which are meant provide these services. - %package pkinit-openssl Summary: The PKINIT module for Kerberos 5 Group: System Environment/Libraries 
@@ -229,65 +167,32 @@ to obtain initial credentials from a KDC using a private key and a certificate. %prep -%setup -q -a 23 -a 100 +%setup -q -a 23 ln -s NOTICE LICENSE %patch60 -p1 -b .pam -pushd krb5-appl-%{appl_version} -%patch160 -p1 -b .pam -popd %patch61 -p1 -b .manpaths -pushd krb5-appl-%{appl_version} -%patch161 -p1 -b .manpaths -popd %patch63 -p1 -b .selinux-label -pushd krb5-appl-%{appl_version} -%patch3 -p3 -b .netkit-rsh -%patch4 -p1 -b .rlogind-environ -popd %patch5 -p1 -b .ksu-access %patch6 -p1 -b .ksu-path -pushd krb5-appl-%{appl_version} -%patch11 -p3 -b .passive -popd %patch12 -p1 -b .ktany -pushd krb5-appl-%{appl_version} -%patch14 -p3 -b .ftp-glob -popd %patch16 -p1 -b .buildconf %patch23 -p1 -b .dns %patch29 -p1 -b .kprop-mktemp %patch30 -p1 -b .send-pr-tempfile -pushd krb5-appl-%{appl_version} -%patch33 -p1 -b .io -%patch36 -p3 -b .rcp-markus -popd %patch39 -p1 -b .api -pushd krb5-appl-%{appl_version} -%patch40 -p3 -b .telnet-environ -popd %patch53 -p1 -b .nodeplibs %patch56 -p1 -b .doublelog -pushd krb5-appl-%{appl_version} -%patch57 -p1 -b .login_chdir -popd %patch58 -p1 -b .key_exp %patch59 -p1 -b .kpasswd_tcp #%patch70 -p0 -b .kpasswd_tcp2 %patch71 -p1 -b .dirsrv-accountlock -pushd krb5-appl-%{appl_version} -%patch72 -p3 -b .ftp_fdleak -%patch73 -p3 -b .ftp_glob_runique -%patch79 -p2 -b .ftp_mget_case -%patch88 -p3 -b .sizeof -%patch89 -p1 -b .largefile -popd %patch95 -p1 -b .opte %patch96 -p1 -b .exp_warn -%patch98 -p1 -b .kpasswd-ccache +%patch98 -p0 -b .kpasswd-ccache %patch99 -p0 -b .kpasswd-ipv6 %patch100 -p0 -b .tktlifetime gzip doc/*.ps @@ -310,11 +215,6 @@ cat %{SOURCE25} | while read manpage ; do mv "$manpage" "$manpage".in done popd -pushd krb5-appl-%{appl_version} -cat %{SOURCE125} | while read manpage ; do - mv "$manpage" "$manpage".in -done -popd # Check that the PDFs we built earlier match this source tree, using the # "krb5-tex-pdf.sh" source file. 
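Review bot: The `-%patch98 -p1 -b .kpasswd-ccache` / `+%patch98 -p0 -b .kpasswd-ccache` change in this hunk alters the strip level for krb5-1.8-kpasswd_ccache.patch, yet that file does not appear among the files this commit touches, so %prep would fail to apply the patch at -p0 unless the upstream-derived replacement described in the changelog was committed separately. If it was, naming that commit in the changelog entry would make the -p0 change self-explanatory; if it was not, the new patch needs to land together with this spec change. The %changelog hunk at the end of the spec (`@@ -864,6 +628,13 @@`) also reads `with the on upstream uses`, presumably `with the one upstream uses`.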
@@ -342,11 +242,6 @@ autoheader autoconf popd -pushd krb5-appl-%{appl_version} -autoheader -autoconf -popd - %build pushd src # Work out the CFLAGS and CPPFLAGS which we intend to use. @@ -388,35 +283,12 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" make %{?_smp_mflags} popd -# The applications, too. Build everything position-independent. We only get -# away with this if our build dependencies drag an older krb5-devel onto the -# system. -pushd krb5-appl-%{appl_version} -CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIE -fno-strict-aliasing`" -LDFLAGS="-pie" -%configure \ - CFLAGS="$CFLAGS" \ - LDFLAGS="$LDFLAGS" \ - --bindir=%{krb5prefix}/bin \ - --mandir=%{krb5prefix}/man \ - --sbindir=%{krb5prefix}/sbin \ - --datadir=%{krb5prefix}/share \ - --with-pam \ - --with-pam-login-service=%{login_pam_service} -make %{?_smp_mflags} -popd - # Run the test suite. We can't actually do this in the build system. : make -C src check TMPDIR=%{_tmppath} %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT -# Shell scripts wrappers for Kerberized rsh and rlogin (source files). -mkdir -p $RPM_BUILD_ROOT%{krb5prefix}/{bin,man/man{1,5,8},sbin,share} -install -m 755 %{SOURCE12} $RPM_BUILD_ROOT/%{krb5prefix}/bin/ -install -m 755 %{SOURCE13} $RPM_BUILD_ROOT/%{krb5prefix}/bin/ - # Info docs. mkdir -p $RPM_BUILD_ROOT%{_infodir} install -m 644 doc/*.info* $RPM_BUILD_ROOT%{_infodir}/ 
@@ -434,15 +306,6 @@ install -pm 600 %{SOURCE11} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/ mkdir -p $RPM_BUILD_ROOT/etc install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf -# Login-time scriptlets (krb5.sh, krb5.csh) to fix the PATH variable. -mkdir -p $RPM_BUILD_ROOT/etc/profile.d -for subpackage in workstation-clients workstation-servers ; do - install -pm 644 %{SOURCE7} \ - $RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.sh - install -pm 644 %{SOURCE8} \ - $RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.csh -done - # Server init scripts (krb5kdc,kadmind,kpropd) and their sysconfig files. mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d for init in \ @@ -474,25 +337,10 @@ for portreserve in \ $RPM_BUILD_ROOT/etc/portreserve/`basename ${portreserve} .portreserve` done -# Xinetd configuration files. -mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d/ -for xinetd in \ - %{SOURCE14} \ - %{SOURCE15} \ - %{SOURCE16} \ - %{SOURCE17} \ - %{SOURCE18} \ - %{SOURCE22} ; do - install -pm 644 ${xinetd} \ - $RPM_BUILD_ROOT/etc/xinetd.d/`basename ${xinetd} .xinetd` -done # PAM configuration files. mkdir -p $RPM_BUILD_ROOT/etc/pam.d/ for pam in \ - %{SOURCE26} \ - %{SOURCE27} \ - %{SOURCE28} \ %{SOURCE29} ; do install -pm 644 ${pam} \ $RPM_BUILD_ROOT/etc/pam.d/`basename ${pam} .pamd` @@ -505,7 +353,6 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata # The rest of the binaries, headers, libraries, and docs. make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/examples install -make -C krb5-appl-%{appl_version} DESTDIR=$RPM_BUILD_ROOT install # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/ from the 
@@ -579,21 +426,6 @@ if [ "$2" -eq "0" ] ; then fi exit 0 -%triggerun workstation-servers -- krb5-workstation-servers < 1.6.3-100 -if [ "$2" -eq "0" ] ; then - /sbin/service krb524 stop > /dev/null 2>&1 || : - /sbin/chkconfig --del krb524 > /dev/null 2>&1 || : -fi -exit 0 - -%post workstation-servers -/sbin/service xinetd reload > /dev/null 2>&1 || : -exit 0 - -%postun workstation-servers -/sbin/service xinetd reload > /dev/null 2>&1 || : -exit 0 - %post workstation /sbin/install-info %{_infodir}/krb5-user.info %{_infodir}/dir exit 0 
@@ -643,73 +475,6 @@ exit 0 %{_datadir}/gnats/mit %{_mandir}/man1/krb5-send-pr.1* -%files workstation-clients -%defattr(-,root,root,-) -%docdir %{krb5prefix}/man -%attr(0755,root,root) %doc src/config-files/convert-config-files - -%config(noreplace) /etc/profile.d/krb5-workstation-clients.sh -%config(noreplace) /etc/profile.d/krb5-workstation-clients.csh - -%dir %{krb5prefix} -%dir %{krb5prefix}/bin -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man1 - -# Used by both clients and servers. -%{krb5prefix}/bin/rcp -%{krb5prefix}/man/man1/rcp.1* - -# Client network bits. -%{krb5prefix}/bin/ftp -%{krb5prefix}/man/man1/ftp.1* -%{krb5prefix}/bin/krlogin -%{krb5prefix}/bin/rlogin -%{krb5prefix}/man/man1/rlogin.1* -%{krb5prefix}/bin/krsh -%{krb5prefix}/bin/rsh -%{krb5prefix}/man/man1/rsh.1* -%{krb5prefix}/bin/telnet -%{krb5prefix}/man/man1/telnet.1* -%{krb5prefix}/man/man1/tmac.doc* - -%files workstation-servers -%defattr(-,root,root,-) -%docdir %{krb5prefix}/man - -%config(noreplace) /etc/profile.d/krb5-workstation-servers.sh -%config(noreplace) /etc/profile.d/krb5-workstation-servers.csh - -%dir %{krb5prefix} -%dir %{krb5prefix}/bin -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man1 -%dir %{krb5prefix}/man/man8 -%dir %{krb5prefix}/sbin - -# Used by both clients and servers. -%{krb5prefix}/bin/rcp -%{krb5prefix}/man/man1/rcp.1* - -%config(noreplace) /etc/xinetd.d/* -%config(noreplace) /etc/pam.d/kshell -%config(noreplace) /etc/pam.d/ekshell -%config(noreplace) /etc/pam.d/gssftp - -# Login is used by telnetd and klogind. -%{krb5prefix}/sbin/login.krb5 -%{krb5prefix}/man/man8/login.krb5.8* - -# Application servers. -%{krb5prefix}/sbin/ftpd -%{krb5prefix}/man/man8/ftpd.8* -%{krb5prefix}/sbin/klogind -%{krb5prefix}/man/man8/klogind.8* -%{krb5prefix}/sbin/kshd -%{krb5prefix}/man/man8/kshd.8* -%{krb5prefix}/sbin/telnetd -%{krb5prefix}/man/man8/telnetd.8* - %files server %defattr(-,root,root,-) %docdir %{_mandir} 
@@ -810,7 +575,6 @@ exit 0 %dir %{_libdir}/krb5/plugins/* %{_libdir}/krb5/plugins/preauth/encrypted_challenge.so %{_libdir}/krb5/plugins/kdb/db2.so -%{krb5prefix}/share %if %{WITH_OPENSSL} %files pkinit-openssl @@ -864,6 +628,13 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Mar 19 2010 Nalin Dahyabhai - 1.8-4 +- remove the krb5-appl bits (the -workstation-clients and -workstation-servers + subpackages) now that krb5-appl is its own package +- replace our patch for #563431 (kpasswd doesn't fall back to guessing your + principal name using your user name if you don't have a ccache) with the + on upstream uses + * Fri Mar 12 2010 Nalin Dahyabhai - 1.8-3 - add documentation for the ticket_lifetime option (#561174) diff --git a/krlogin b/krlogin deleted file mode 100644 index ed10d0d..0000000 --- a/krlogin +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -/usr/kerberos/bin/rlogin -x "$@" diff --git a/krsh b/krsh deleted file mode 100644 index ec52717..0000000 --- a/krsh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -/usr/kerberos/bin/rsh -x "$@" diff --git a/kshell.pamd b/kshell.pamd deleted file mode 100644 index 90aa311..0000000 --- a/kshell.pamd +++ /dev/null @@ -1,15 +0,0 @@ -#%PAM-1.0 -# For root login to succeed here with pam_securetty, "kshell" must be -# listed in /etc/securetty. -auth required pam_nologin.so -auth required pam_securetty.so -auth required pam_env.so -auth required pam_rhosts.so -account include system-auth -# pam_selinux.so close should be the first session rule -session required pam_selinux.so close -session optional pam_keyinit.so force revoke -session include system-auth -# pam_selinux.so open should only be called for sessions to be executed in the user context -session required pam_loginuid.so -session required pam_selinux.so open diff --git a/kshell.xinetd b/kshell.xinetd deleted file mode 100644 index 7bf0096..0000000 --- a/kshell.xinetd +++ /dev/null 
@@ -1,13 +0,0 @@
-# default: off
-# description: The kerberized rshell server accepts rshell commands \
-# authenticated and encrypted with Kerberos 5.
-service kshell
-{
- flags = REUSE
- socket_type = stream
- wait = no
- user = root
- server = /usr/kerberos/sbin/kshd
- server_args = -e
- disable = yes
-}
diff --git a/sources b/sources
index f69edfc..e9b1063 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,3 @@
 a3391a739009efa9734db720d34f4c07 krb5-1.8.tar.gz
 f923ec08f24df9e5a284be74895a6daa krb5-1.8.tar.gz.asc
-4ecf03dad0df7f2ded49f0cfd9786157 krb5-appl-1.0.tar.gz
-33056e617e2cbad7c8e8b732aa0fdd91 krb5-appl-1.0.tar.gz.asc
 32f8238d4553c44ecdc41205c3cb0333 krb5-1.8-pdf.tar.gz