From: Cy Schubert
Subject: RE: svn commit: r467768 - head/security/sudo
Date: Thu, 19 Apr 2018 08:31:24 -0700
To: Renato Botelho, "ports-committers@freebsd.org", "svn-ports-all@freebsd.org", "svn-ports-head@freebsd.org"
Message-Id: <20180419153120.1EDF7C2E@spqr.komquats.com>

You can already use sudo with Kerberos through pam.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.
Also, this old phone only supports top post. Apologies.

Cy Schubert or
The need of the many outweighs the greed of the few.
---

-----Original Message-----
From: Renato Botelho
Sent: 19/04/2018 06:11
To: ports-committers@freebsd.org; svn-ports-all@freebsd.org; svn-ports-head@freebsd.org
Subject: svn commit: r467768 - head/security/sudo

Author: garga
Date: Thu Apr 19 13:11:34 2018
New Revision: 467768
URL: https://svnweb.freebsd.org/changeset/ports/467768

Log:
  - Add new options to security/sudo to make it possible to build it with
    kerberos support.
  - Bump PORTREVISION

  PR: 225498
  Submitted by: Cullum Smith
  Sponsored by: Rubicon Communications, LLC (Netgate)

Modified:
  head/security/sudo/Makefile

Modified: head/security/sudo/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- head/security/sudo/Makefile Thu Apr 19 13:09:58 2018 (r467767) +++ head/security/sudo/Makefile Thu Apr 19 13:11:34 2018 (r467768) @@ -3,6 +3,7 @@ =20 PORTNAME=3D sudo PORTVERSION=3D 1.8.22 +PORTREVISION=3D 1 CATEGORIES=3D security MASTER_SITES=3D SUDO =20 @@ -28,8 +29,9 @@ CONFIGURE_ARGS=3D --sysconfdir=3D${PREFIX}/etc \ --with-long-otp-prompt =20 OPTIONS_DEFINE=3D LDAP INSULTS DISABLE_ROOT_SUDO DISABLE_AUTH NOARGS_SHELL= \ - AUDIT OPIE NLS SSSD DOCS EXAMPLES -OPTIONS_DEFAULT=3D AUDIT + AUDIT OPIE PAM NLS SSSD DOCS EXAMPLES +OPTIONS_RADIO=3D KERBEROS +OPTIONS_DEFAULT=3D AUDIT PAM OPTIONS_SUB=3D yes =20 INSULTS_DESC=3D Enable insults on failures 
@@ -37,9 +39,13 @@ DISABLE_ROOT_SUDO_DESC=3D Do not allow root to run sudo DISABLE_AUTH_DESC=3D Do not require authentication by default NOARGS_SHELL_DESC=3D Run a shell if no arguments are given AUDIT_DESC=3D Enable BSM audit support +KERBEROS_DESC=3D Enable Kerberos 5 authentication (no PAM support) OPIE_DESC=3D Enable one-time passwords (no PAM support) SSSD_DESC=3D Enable SSSD backend support. =20 +PAM_PREVENTS=3D OPIE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT +PAM_PREVENTS_MSG=3D PAM cannot be combined with any other authentication p= lugin + LOGFAC?=3D authpriv CONFIGURE_ARGS+=3D --with-logfac=3D${LOGFAC} =20 @@ -67,10 +73,24 @@ DISABLE_ROOT_SUDO_CONFIGURE_ON=3D --disable-root-sudo DISABLE_AUTH_CONFIGURE_ON=3D --disable-authentication NOARGS_SHELL_CONFIGURE_ENABLE=3D noargs-shell AUDIT_CONFIGURE_WITH=3D bsm-audit +PAM_CONFIGURE_ON=3D --with-pam OPIE_CONFIGURE_ON=3D --with-opie -OPIE_CONFIGURE_OFF=3D --with-pam SSSD_CONFIGURE_ON=3D --with-sssd SSSD_RUN_DEPENDS=3D sssd:security/sssd + +OPTIONS_RADIO_KERBEROS=3D GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT +GSSAPI_BASE_USES=3D gssapi +GSSAPI_BASE_CONFIGURE_ON=3D --with-kerb5=3D${GSSAPIBASEDIR} ${GSSAPI_CONFI= GURE_ARGS} +GSSAPI_HEIMDAL_USES=3D gssapi:heimdal +GSSAPI_HEIMDAL_CONFIGURE_ON=3D --with-kerb5=3D${GSSAPIBASEDIR} ${GSSAPI_CO= NFIGURE_ARGS} +GSSAPI_MIT_USES=3D gssapi:mit +GSSAPI_MIT_CONFIGURE_ON=3D --with-kerb5=3D${GSSAPIBASEDIR} ${GSSAPI_CONFIG= URE_ARGS} +# This is intentionally not an option. +# SUDO_KERB5_INSTANCE is an optional instance string that will be appended= to kerberos +# principals when to perform authentication. Common choices are "admin" an= d "sudo". +.if defined(SUDO_KERB5_INSTANCE) +CONFIGURE_ARGS+=3D --enable-kerb5-instance=3D"${SUDO_KERB5_INSTANCE}" +.endif =20 .include =20
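Review bot: In the @@ -28,8 +29,9 @@ hunk, PAM becomes a plain OPTIONS_DEFINE toggle and KERBEROS an OPTIONS_RADIO group, so nothing stops a configuration with PAM off, OPIE off and no GSSAPI_* choice selected. Before this change that case still received --with-pam through OPIE_CONFIGURE_OFF; now no authentication flag reaches configure at all and the backend is whatever configure picks on its own. Either express the PAM knob in the same form as the existing AUDIT_CONFIGURE_WITH line, so that the off state passes an explicit --without-pam, or state in the option descriptions which backend a build with everything off ends up using.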
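Review bot: In the @@ -37,9 +39,13 @@ hunk, PAM_PREVENTS lists OPIE while the previous hunk adds PAM to OPTIONS_DEFAULT, so a saved configuration that has OPIE enabled picks up the new PAM default and stops at PAM_PREVENTS_MSG until PAM is switched off by hand. The commit log only mentions the Kerberos options; the behaviour change for OPIE users should be called out there or in an UPDATING entry. Note also that only PAM is made exclusive: OPIE and a GSSAPI_* choice can still be selected together, and if that combination is not meant to be supported it needs its own PREVENTS line.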
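Review bot: At the end of the @@ -67,10 +73,24 @@ hunk, the .if defined(SUDO_KERB5_INSTANCE) block appends --enable-kerb5-instance whenever the variable is set, even when none of GSSAPI_BASE, GSSAPI_HEIMDAL or GSSAPI_MIT is selected and no --with-kerb5 is passed. Gate it on one of the GSSAPI_* options being enabled, or fail early with a clear message when the variable is set without Kerberos. The comment above it also needs a grammar fix ("when to perform authentication" should read "when performing authentication"), and since this knob changes which principal sudo authenticates against it deserves a mention somewhere users will see it, such as pkg-message, not only in a Makefile comment.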