- extend PAM support to ksu: perform account and session management for the
target user - pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware network-facing services
This commit is contained in:
parent
d3b2b69619
commit
5ebd815122
@ -28,7 +28,15 @@ is pretty much always going to be there. At run-time, login's behavior
|
|||||||
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
|
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
|
||||||
false in the [login] section of /etc/krb5.conf.
|
false in the [login] section of /etc/krb5.conf.
|
||||||
|
|
||||||
When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
Modify ksu so that it performs account and session management for the
|
||||||
|
target user account, mimicking the action of regular su. The default
|
||||||
|
service name is "ksu", because on Fedora at least the configuration used
|
||||||
|
is determined by whether or not a login shell is being opened, and so
|
||||||
|
this may need to vary, too. At run-time, ksu's behavior can be reset to
|
||||||
|
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
|
||||||
|
section of /etc/krb5.conf.
|
||||||
|
|
||||||
|
When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
|
||||||
|
|
||||||
--- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500
|
--- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500
|
||||||
+++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400
|
+++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400
|
||||||
@ -76,7 +84,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
#ifdef KERBEROS
|
#ifdef KERBEROS
|
||||||
|
|
||||||
#if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
|
#if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
|
||||||
@@ -1151,11 +1148,49 @@ void doit(f, fromp)
|
@@ -1151,11 +1148,50 @@ void doit(f, fromp)
|
||||||
goto signout_please;
|
goto signout_please;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -88,6 +96,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ 0,
|
+ 0,
|
||||||
+ locuser,
|
+ locuser,
|
||||||
+ "",
|
+ "",
|
||||||
|
+ hostname,
|
||||||
+ do_encrypt ?
|
+ do_encrypt ?
|
||||||
+ EKSHELL_PAM_SERVICE :
|
+ EKSHELL_PAM_SERVICE :
|
||||||
+ KSHELL_PAM_SERVICE) != 0) {
|
+ KSHELL_PAM_SERVICE) != 0) {
|
||||||
@ -126,7 +135,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
/* Log access to account */
|
/* Log access to account */
|
||||||
pwd = (struct passwd *) getpwnam(locuser);
|
pwd = (struct passwd *) getpwnam(locuser);
|
||||||
if (pwd && (pwd->pw_uid == 0)) {
|
if (pwd && (pwd->pw_uid == 0)) {
|
||||||
@@ -1195,7 +1230,7 @@ void doit(f, fromp)
|
@@ -1195,7 +1231,7 @@ void doit(f, fromp)
|
||||||
|
|
||||||
(void) write(2, "", 1);
|
(void) write(2, "", 1);
|
||||||
|
|
||||||
@ -135,7 +144,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
if (port&&(pipe(pv) < 0)) {
|
if (port&&(pipe(pv) < 0)) {
|
||||||
error("Can't make pipe.\n");
|
error("Can't make pipe.\n");
|
||||||
goto signout_please;
|
goto signout_please;
|
||||||
@@ -1507,6 +1542,15 @@ void doit(f, fromp)
|
@@ -1507,6 +1543,15 @@ void doit(f, fromp)
|
||||||
|
|
||||||
environ = envinit;
|
environ = envinit;
|
||||||
|
|
||||||
@ -215,13 +224,14 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
#ifdef KRB5_GET_TICKETS
|
#ifdef KRB5_GET_TICKETS
|
||||||
{"krb5_get_tickets", &login_krb5_get_tickets},
|
{"krb5_get_tickets", &login_krb5_get_tickets},
|
||||||
#endif
|
#endif
|
||||||
@@ -1292,6 +1294,18 @@ int main(argc, argv)
|
@@ -1292,6 +1300,19 @@ int main(argc, argv)
|
||||||
if (!unix_needs_passwd())
|
if (!unix_needs_passwd())
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+#ifdef USE_PAM
|
+#ifdef USE_PAM
|
||||||
+ if (login_use_pam) {
|
+ if (login_use_pam) {
|
||||||
+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
|
+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
|
||||||
|
+ hostname,
|
||||||
+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
|
+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
|
||||||
+ break;
|
+ break;
|
||||||
+ } else {
|
+ } else {
|
||||||
@ -234,14 +244,14 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
/* we have several sets of code:
|
/* we have several sets of code:
|
||||||
1) get v5 tickets alone -DKRB5_GET_TICKETS
|
1) get v5 tickets alone -DKRB5_GET_TICKETS
|
||||||
2) get v4 tickets alone [** don't! only get them *with* v5 **]
|
2) get v4 tickets alone [** don't! only get them *with* v5 **]
|
||||||
@@ -1406,6 +1420,24 @@ int main(argc, argv)
|
@@ -1406,6 +1427,24 @@ int main(argc, argv)
|
||||||
/* committed to login -- turn off timeout */
|
/* committed to login -- turn off timeout */
|
||||||
(void) alarm((u_int) 0);
|
(void) alarm((u_int) 0);
|
||||||
|
|
||||||
+#ifdef USE_PAM
|
+#ifdef USE_PAM
|
||||||
+ if (login_use_pam) {
|
+ if (login_use_pam) {
|
||||||
+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
|
+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
|
||||||
+ ttyname(STDIN_FILENO)) != 0) {
|
+ hostname, ttyname(STDIN_FILENO)) != 0) {
|
||||||
+ printf("Login incorrect\n");
|
+ printf("Login incorrect\n");
|
||||||
+ sleepexit(1);
|
+ sleepexit(1);
|
||||||
+ }
|
+ }
|
||||||
@ -259,7 +269,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
/*
|
/*
|
||||||
* If valid so far and root is logging in, see if root logins on
|
* If valid so far and root is logging in, see if root logins on
|
||||||
* this terminal are permitted.
|
* this terminal are permitted.
|
||||||
@@ -1446,6 +1478,21 @@ int main(argc, argv)
|
@@ -1446,6 +1487,21 @@ int main(argc, argv)
|
||||||
sleepexit(0);
|
sleepexit(0);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@ -281,7 +291,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
|
|
||||||
if (chdir(pwd->pw_dir) < 0) {
|
if (chdir(pwd->pw_dir) < 0) {
|
||||||
printf("No directory %s!\n", pwd->pw_dir);
|
printf("No directory %s!\n", pwd->pw_dir);
|
||||||
@@ -1792,6 +1839,11 @@ int main(argc, argv)
|
@@ -1792,6 +1846,11 @@ int main(argc, argv)
|
||||||
}
|
}
|
||||||
#endif /* KRB5_GET_TICKETS */
|
#endif /* KRB5_GET_TICKETS */
|
||||||
|
|
||||||
@ -295,11 +305,11 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
if (pwd->pw_uid == 0)
|
if (pwd->pw_uid == 0)
|
||||||
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
|
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
|
||||||
+++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400
|
+++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400
|
||||||
@@ -0,0 +1,414 @@
|
@@ -0,0 +1,424 @@
|
||||||
+/*
|
+/*
|
||||||
+ * src/appl/bsd/pam.c
|
+ * src/appl/bsd/pam.c
|
||||||
+ *
|
+ *
|
||||||
+ * Copyright 2007 Red Hat, Inc.
|
+ * Copyright 2007,2009 Red Hat, Inc.
|
||||||
+ *
|
+ *
|
||||||
+ * All Rights Reserved.
|
+ * All Rights Reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -332,6 +342,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ * Convenience wrappers for using PAM.
|
+ * Convenience wrappers for using PAM.
|
||||||
+ */
|
+ */
|
||||||
+
|
+
|
||||||
|
+#include "autoconf.h"
|
||||||
+#ifdef USE_PAM
|
+#ifdef USE_PAM
|
||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
+#include <stdio.h>
|
+#include <stdio.h>
|
||||||
@ -549,6 +560,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+appl_pam_start(const char *service, int interactive,
|
+appl_pam_start(const char *service, int interactive,
|
||||||
+ const char *login_username,
|
+ const char *login_username,
|
||||||
+ const char *non_interactive_password,
|
+ const char *non_interactive_password,
|
||||||
|
+ const char *hostname,
|
||||||
+ const char *tty)
|
+ const char *tty)
|
||||||
+{
|
+{
|
||||||
+ static int exit_handler_registered;
|
+ static int exit_handler_registered;
|
||||||
@ -577,6 +589,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ ret = pam_start(service, login_username,
|
+ ret = pam_start(service, login_username,
|
||||||
+ &appl_pam_conv, &appl_pamh);
|
+ &appl_pam_conv, &appl_pamh);
|
||||||
+ if (ret == 0) {
|
+ if (ret == 0) {
|
||||||
|
+ if (hostname != NULL) {
|
||||||
|
+#ifdef DEBUG
|
||||||
|
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
|
||||||
|
+#endif
|
||||||
|
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
|
||||||
|
+ }
|
||||||
+ if (tty != NULL) {
|
+ if (tty != NULL) {
|
||||||
+#ifdef DEBUG
|
+#ifdef DEBUG
|
||||||
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
|
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
|
||||||
@ -602,11 +620,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+appl_pam_authenticate(const char *service, int interactive,
|
+appl_pam_authenticate(const char *service, int interactive,
|
||||||
+ const char *login_username,
|
+ const char *login_username,
|
||||||
+ const char *non_interactive_password,
|
+ const char *non_interactive_password,
|
||||||
|
+ const char *hostname,
|
||||||
+ const char *tty)
|
+ const char *tty)
|
||||||
+{
|
+{
|
||||||
+ int ret;
|
+ int ret;
|
||||||
+ ret = appl_pam_start(service, interactive, login_username,
|
+ ret = appl_pam_start(service, interactive, login_username,
|
||||||
+ non_interactive_password, tty);
|
+ non_interactive_password, hostname, tty);
|
||||||
+ if (ret == 0) {
|
+ if (ret == 0) {
|
||||||
+ ret = pam_authenticate(appl_pamh, 0);
|
+ ret = pam_authenticate(appl_pamh, 0);
|
||||||
+ }
|
+ }
|
||||||
@ -616,12 +635,13 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+appl_pam_acct_mgmt(const char *service, int interactive,
|
+appl_pam_acct_mgmt(const char *service, int interactive,
|
||||||
+ const char *login_username,
|
+ const char *login_username,
|
||||||
+ const char *non_interactive_password,
|
+ const char *non_interactive_password,
|
||||||
|
+ const char *hostname,
|
||||||
+ const char *tty)
|
+ const char *tty)
|
||||||
+{
|
+{
|
||||||
+ int ret;
|
+ int ret;
|
||||||
+ appl_pam_pwchange_required = 0;
|
+ appl_pam_pwchange_required = 0;
|
||||||
+ ret = appl_pam_start(service, interactive, login_username,
|
+ ret = appl_pam_start(service, interactive, login_username,
|
||||||
+ non_interactive_password, tty);
|
+ non_interactive_password, hostname, tty);
|
||||||
+ if (ret == 0) {
|
+ if (ret == 0) {
|
||||||
+#ifdef DEBUG
|
+#ifdef DEBUG
|
||||||
+ printf("Calling pam_acct_mgmt().\n");
|
+ printf("Calling pam_acct_mgmt().\n");
|
||||||
@ -712,11 +732,11 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+#endif
|
+#endif
|
||||||
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
|
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
|
||||||
+++ krb5-1.6.1/src/appl/bsd/pam.h 2007-06-22 14:27:05.000000000 -0400
|
+++ krb5-1.6.1/src/appl/bsd/pam.h 2007-06-22 14:27:05.000000000 -0400
|
||||||
@@ -0,0 +1,61 @@
|
@@ -0,0 +1,63 @@
|
||||||
+/*
|
+/*
|
||||||
+ * src/appl/bsd/pam.h
|
+ * src/appl/bsd/pam.h
|
||||||
+ *
|
+ *
|
||||||
+ * Copyright 2007 Red Hat, Inc.
|
+ * Copyright 2007,2009 Red Hat, Inc.
|
||||||
+ *
|
+ *
|
||||||
+ * All Rights Reserved.
|
+ * All Rights Reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -761,10 +781,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+int appl_pam_authenticate(const char *service, int interactive,
|
+int appl_pam_authenticate(const char *service, int interactive,
|
||||||
+ const char *local_username,
|
+ const char *local_username,
|
||||||
+ const char *non_interactive_password,
|
+ const char *non_interactive_password,
|
||||||
|
+ const char *hostname,
|
||||||
+ const char *tty);
|
+ const char *tty);
|
||||||
+int appl_pam_acct_mgmt(const char *service, int interactive,
|
+int appl_pam_acct_mgmt(const char *service, int interactive,
|
||||||
+ const char *local_username,
|
+ const char *local_username,
|
||||||
+ const char *non_interactive_password,
|
+ const char *non_interactive_password,
|
||||||
|
+ const char *hostname,
|
||||||
+ const char *tty);
|
+ const char *tty);
|
||||||
+int appl_pam_requires_chauthtok(void);
|
+int appl_pam_requires_chauthtok(void);
|
||||||
+int appl_pam_chauthtok(void);
|
+int appl_pam_chauthtok(void);
|
||||||
@ -825,7 +847,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
#include <setjmp.h>
|
#include <setjmp.h>
|
||||||
#ifndef POSIX_SETJMP
|
#ifndef POSIX_SETJMP
|
||||||
@@ -803,6 +807,16 @@
|
@@ -803,6 +806,21 @@
|
||||||
}
|
}
|
||||||
#endif /* KRB5_KRB4_COMPAT */
|
#endif /* KRB5_KRB4_COMPAT */
|
||||||
|
|
||||||
@ -833,16 +855,21 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ if (appl_pam_enabled(kcontext, "ftpd")) {
|
+ if (appl_pam_enabled(kcontext, "ftpd")) {
|
||||||
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
|
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
|
||||||
+ pw->pw_name, "",
|
+ pw->pw_name, "",
|
||||||
|
+ hostname,
|
||||||
+ FTP_PAM_SERVICE) != 0) {
|
+ FTP_PAM_SERVICE) != 0) {
|
||||||
+ reply(530, "Login incorrect.");
|
+ reply(530, "Login incorrect.");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
|
+ if (appl_pam_requires_chauthtok()) {
|
||||||
|
+ reply(530, "Password change required.");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
|
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
|
||||||
strncat(buf, "; Access denied.",
|
strncat(buf, "; Access denied.",
|
||||||
sizeof(buf) - strlen(buf) - 1);
|
sizeof(buf) - strlen(buf) - 1);
|
||||||
@@ -903,6 +916,10 @@ end_login()
|
@@ -903,6 +921,10 @@ end_login()
|
||||||
(void) krb5_seteuid((uid_t)0);
|
(void) krb5_seteuid((uid_t)0);
|
||||||
if (logged_in)
|
if (logged_in)
|
||||||
pty_logwtmp(ttyline, "", "");
|
pty_logwtmp(ttyline, "", "");
|
||||||
@ -853,7 +880,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
if (have_creds) {
|
if (have_creds) {
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
krb5_cc_destroy(kcontext, ccache);
|
krb5_cc_destroy(kcontext, ccache);
|
||||||
@@ -1073,9 +1090,17 @@ pass(passwd)
|
@@ -1073,9 +1095,18 @@ pass(passwd)
|
||||||
* kpass fails and the user has no local password
|
* kpass fails and the user has no local password
|
||||||
* kpass fails and the provided password doesn't match pw
|
* kpass fails and the provided password doesn't match pw
|
||||||
*/
|
*/
|
||||||
@ -865,6 +892,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ appl_pam_enabled(kcontext, "ftpd") ?
|
+ appl_pam_enabled(kcontext, "ftpd") ?
|
||||||
+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
|
+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
|
||||||
+ pw->pw_name, passwd,
|
+ pw->pw_name, passwd,
|
||||||
|
+ hostname,
|
||||||
+ FTP_PAM_SERVICE) != 0) :
|
+ FTP_PAM_SERVICE) != 0) :
|
||||||
+#endif
|
+#endif
|
||||||
+ (!kpass(pw->pw_name, passwd) &&
|
+ (!kpass(pw->pw_name, passwd) &&
|
||||||
@ -874,7 +902,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
pw = NULL;
|
pw = NULL;
|
||||||
sleep(5);
|
sleep(5);
|
||||||
if (++login_attempts >= 3) {
|
if (++login_attempts >= 3) {
|
||||||
@@ -1092,6 +1117,17 @@ pass(passwd)
|
@@ -1092,6 +1123,22 @@ pass(passwd)
|
||||||
}
|
}
|
||||||
login_attempts = 0; /* this time successful */
|
login_attempts = 0; /* this time successful */
|
||||||
|
|
||||||
@ -882,17 +910,22 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ if (appl_pam_enabled(kcontext, "ftpd")) {
|
+ if (appl_pam_enabled(kcontext, "ftpd")) {
|
||||||
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
|
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
|
||||||
+ pw->pw_name, passwd,
|
+ pw->pw_name, passwd,
|
||||||
|
+ hostname,
|
||||||
+ FTP_PAM_SERVICE) != 0) {
|
+ FTP_PAM_SERVICE) != 0) {
|
||||||
+ reply(530, "Login incorrect.");
|
+ reply(530, "Login incorrect.");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
|
+ if (appl_pam_requires_chauthtok()) {
|
||||||
|
+ reply(530, "Password change required.");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
login(passwd, 0);
|
login(passwd, 0);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -1110,6 +1146,18 @@ login(passwd, logincode)
|
@@ -1110,6 +1157,18 @@ login(passwd, logincode)
|
||||||
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
|
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@ -911,7 +944,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
|
|
||||||
(void) krb5_setegid((gid_t)pw->pw_gid);
|
(void) krb5_setegid((gid_t)pw->pw_gid);
|
||||||
(void) initgroups(pw->pw_name, pw->pw_gid);
|
(void) initgroups(pw->pw_name, pw->pw_gid);
|
||||||
@@ -2125,6 +2173,10 @@ dologout(status)
|
@@ -2125,6 +2194,10 @@ dologout(status)
|
||||||
dest_tkt();
|
dest_tkt();
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@ -955,7 +988,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
INSTALL_STRIP=
|
INSTALL_STRIP=
|
||||||
--- krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
|
--- krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
|
||||||
+++ krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
|
+++ krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
|
||||||
@@ -1823,3 +1823,82 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
@@ -1823,3 +1823,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||||
]))
|
]))
|
||||||
])dnl
|
])dnl
|
||||||
dnl
|
dnl
|
||||||
@ -975,6 +1008,8 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
|
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
|
||||||
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
|
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
|
||||||
+ withftppamservice="$withval",withftppamservice=gssftp)
|
+ withftppamservice="$withval",withftppamservice=gssftp)
|
||||||
|
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
|
||||||
|
+ withksupamservice="$withval",withksupamservice=ksu)
|
||||||
+old_LIBS="$LIBS"
|
+old_LIBS="$LIBS"
|
||||||
+if test "$withpam" != no ; then
|
+if test "$withpam" != no ; then
|
||||||
+ AC_MSG_RESULT([checking for PAM...])
|
+ AC_MSG_RESULT([checking for PAM...])
|
||||||
@ -1025,6 +1060,8 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
|
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
|
||||||
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
|
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
|
||||||
+ [Define to the name of the PAM service name to be used by ftpd.])
|
+ [Define to the name of the PAM service name to be used by ftpd.])
|
||||||
|
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
|
||||||
|
+ [Define to the name of the PAM service name to be used by ksu.])
|
||||||
+ PAM_LIBS="$LIBS"
|
+ PAM_LIBS="$LIBS"
|
||||||
+ NON_PAM_MAN=".\\\" "
|
+ NON_PAM_MAN=".\\\" "
|
||||||
+ PAM_MAN=
|
+ PAM_MAN=
|
||||||
@ -1038,3 +1075,151 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
|||||||
+AC_SUBST(PAM_MAN)
|
+AC_SUBST(PAM_MAN)
|
||||||
+AC_SUBST(NON_PAM_MAN)
|
+AC_SUBST(NON_PAM_MAN)
|
||||||
+])dnl
|
+])dnl
|
||||||
|
diff -up krb5-1.6.1/src/clients/ksu/Makefile.in krb5-1.6.1/src/clients/ksu/Makefile.in
|
||||||
|
--- krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-21 15:07:16.000000000 -0400
|
||||||
|
+++ krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-23 13:47:36.000000000 -0400
|
||||||
|
@@ -15,6 +15,7 @@ SRCS = \
|
||||||
|
$(srcdir)/ccache.c \
|
||||||
|
$(srcdir)/authorization.c \
|
||||||
|
$(srcdir)/main.c \
|
||||||
|
+ $(srcdir)/../../appl/bsd/pam.c \
|
||||||
|
$(srcdir)/heuristic.c \
|
||||||
|
$(srcdir)/xmalloc.c \
|
||||||
|
$(srcdir)/setenv.c
|
||||||
|
@@ -23,13 +24,17 @@ OBJS = \
|
||||||
|
ccache.o \
|
||||||
|
authorization.o \
|
||||||
|
main.o \
|
||||||
|
+ pam.o \
|
||||||
|
heuristic.o \
|
||||||
|
xmalloc.o @SETENVOBJ@
|
||||||
|
|
||||||
|
all:: ksu
|
||||||
|
|
||||||
|
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||||
|
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||||
|
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
|
||||||
|
+
|
||||||
|
+pam.o: $(srcdir)/../../appl/bsd/pam.c
|
||||||
|
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||||
|
|
||||||
|
clean::
|
||||||
|
$(RM) ksu
|
||||||
|
--- krb5-1.6.3/src/clients/ksu/main.c 2006-08-15 15:27:08.000000000 -0400
|
||||||
|
+++ krb5-1.6.3/src/clients/ksu/main.c 2009-04-23 18:39:03.000000000 -0400
|
||||||
|
@@ -25,6 +25,7 @@
|
||||||
|
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#include "autoconf.h"
|
||||||
|
#include "ksu.h"
|
||||||
|
#include "adm_proto.h"
|
||||||
|
#include <sys/types.h>
|
||||||
|
@@ -32,6 +33,11 @@
|
||||||
|
#include <signal.h>
|
||||||
|
#include <grp.h>
|
||||||
|
|
||||||
|
+#ifdef USE_PAM
|
||||||
|
+#include "../../appl/bsd/pam.h"
|
||||||
|
+int force_fork = 0;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* globals */
|
||||||
|
char * prog_name;
|
||||||
|
int auth_debug =0;
|
||||||
|
@@ -791,7 +797,24 @@
|
||||||
|
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if( keep_target_cache ) {
|
||||||
|
+#ifdef USE_PAM
|
||||||
|
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||||
|
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
|
||||||
|
+ NULL, ttyname(STDERR_FILENO)) != 0) {
|
||||||
|
+ fprintf(stderr, "Access denied for %s.\n", target_user);
|
||||||
|
+ sweep_up(ksu_context, cc_target);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ if (appl_pam_requires_chauthtok()) {
|
||||||
|
+ fprintf(stderr, "Password change required for %s.\n", target_user);
|
||||||
|
+ sweep_up(ksu_context, cc_target);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ force_fork++;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if( keep_target_cache && !force_fork ) {
|
||||||
|
execv(params[0], params);
|
||||||
|
com_err(prog_name, errno, "while trying to execv %s",
|
||||||
|
params[0]);
|
||||||
|
@@ -799,6 +822,33 @@
|
||||||
|
exit(1);
|
||||||
|
}else{
|
||||||
|
statusp = 1;
|
||||||
|
+
|
||||||
|
+#ifdef USE_PAM
|
||||||
|
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||||
|
+ if (appl_pam_session_open() != 0) {
|
||||||
|
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
|
||||||
|
+ sweep_up(ksu_context, cc_target);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+#ifdef DEBUG
|
||||||
|
+ if (auth_debug){
|
||||||
|
+ printf(" Opened PAM session.\n");
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+ if (appl_pam_cred_init()) {
|
||||||
|
+ fprintf(stderr, "Error initializing credentials for %s.\n",
|
||||||
|
+ target_user);
|
||||||
|
+ sweep_up(ksu_context, cc_target);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+#ifdef DEBUG
|
||||||
|
+ if (auth_debug){
|
||||||
|
+ printf(" Initialized PAM credentials.\n");
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
switch ((child_pid = fork())) {
|
||||||
|
default:
|
||||||
|
if (auth_debug){
|
||||||
|
@@ -822,15 +872,34 @@
|
||||||
|
if (ret_pid == -1) {
|
||||||
|
com_err(prog_name, errno, "while calling waitpid");
|
||||||
|
}
|
||||||
|
- sweep_up(ksu_context, cc_target);
|
||||||
|
+ if( !keep_target_cache ) {
|
||||||
|
+ sweep_up(ksu_context, cc_target);
|
||||||
|
+ }
|
||||||
|
exit (statusp);
|
||||||
|
case -1:
|
||||||
|
com_err(prog_name, errno, "while trying to fork.");
|
||||||
|
sweep_up(ksu_context, cc_target);
|
||||||
|
exit (1);
|
||||||
|
case 0:
|
||||||
|
+#ifdef USE_PAM
|
||||||
|
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||||
|
+ if (appl_pam_setenv() != 0) {
|
||||||
|
+ fprintf(stderr, "Error setting up environment for %s.\n",
|
||||||
|
+ target_user);
|
||||||
|
+ exit (1);
|
||||||
|
+ }
|
||||||
|
+#ifdef DEBUG
|
||||||
|
+ if (auth_debug){
|
||||||
|
+ printf(" Set up PAM environment.\n");
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
execv(params[0], params);
|
||||||
|
com_err(prog_name, errno, "while trying to execv %s", params[0]);
|
||||||
|
+ if( keep_target_cache ) {
|
||||||
|
+ sweep_up(ksu_context, cc_target);
|
||||||
|
+ }
|
||||||
|
exit (1);
|
||||||
|
}
|
||||||
|
}
|
||||||
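Review bot: `force_fork` is only declared inside the `#ifdef USE_PAM` block added near the top of clients/ksu/main.c (`int force_fork = 0;`), yet the new test `if( keep_target_cache && !force_fork ) {` sits after the matching `#endif`, so a build without USE_PAM fails on an undeclared identifier; move the declaration out of the conditional, e.g. `static int force_fork = 0;` alongside the other globals, or guard the `!force_fork` test under USE_PAM too. In the child branch (`case 0:`), a failing `appl_pam_setenv()` goes straight to `exit (1)` without the `if( keep_target_cache ) sweep_up(ksu_context, cc_target);` that the execv-failure path a few lines below performs, and since the parent now sweeps only when `!keep_target_cache`, the target cache is left behind in that case. Those child failure paths should also use `_exit()` rather than `exit()`: if appl_pam_start registers its teardown with atexit() (the `static int exit_handler_registered;` in pam.c suggests so), the child would otherwise run the parent's PAM session cleanup as well, which is worth confirming against pam.c. The new `appl_pam_acct_mgmt`/`appl_pam_session_open` calls come after whatever uid/gid switch main() performs earlier (the enclosing function starts outside the hunk); if the switch to target_user precedes this point, account and session modules run unprivileged and the ones that need root will fail or silently do nothing, so the ordering deserves a check. ksu also passes `NULL` as non_interactive_password where ftpd, krshd and login pass `""`; with interactive set to 1 that argument is presumably unused, but the conversation callback in pam.c is not in view, so verify it tolerates NULL.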
|
@ -44,6 +44,7 @@ Source25: krb5-trunk-manpaths.txt
|
|||||||
Source26: gssftp.pamd
|
Source26: gssftp.pamd
|
||||||
Source27: kshell.pamd
|
Source27: kshell.pamd
|
||||||
Source28: ekshell.pamd
|
Source28: ekshell.pamd
|
||||||
|
Source29: ksu.pamd
|
||||||
|
|
||||||
Patch3: krb5-1.3-netkit-rsh.patch
|
Patch3: krb5-1.3-netkit-rsh.patch
|
||||||
Patch4: krb5-1.3-rlogind-environ.patch
|
Patch4: krb5-1.3-rlogind-environ.patch
|
||||||
@ -227,6 +228,12 @@ to obtain initial credentials from a KDC using a private key and a
|
|||||||
certificate.
|
certificate.
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 23 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-104
|
||||||
|
- extend PAM support to ksu: perform account and session management for the
|
||||||
|
target user
|
||||||
|
- pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware
|
||||||
|
network-facing services
|
||||||
|
|
||||||
* Tue Apr 21 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-103
|
* Tue Apr 21 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-103
|
||||||
- fix a typo in a ksu error message (Marek Mahut)
|
- fix a typo in a ksu error message (Marek Mahut)
|
||||||
- "rev" works the way the test suite expects now, so don't disable tests
|
- "rev" works the way the test suite expects now, so don't disable tests
|
||||||
@ -1587,7 +1594,7 @@ done
|
|||||||
|
|
||||||
# PAM configuration files.
|
# PAM configuration files.
|
||||||
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
|
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
|
||||||
for pam in kshell ekshell gssftp ; do
|
for pam in kshell ekshell gssftp ksu ; do
|
||||||
install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \
|
install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \
|
||||||
$RPM_BUILD_ROOT/etc/pam.d/$pam
|
$RPM_BUILD_ROOT/etc/pam.d/$pam
|
||||||
done
|
done
|
||||||
|