Date:      Wed, 26 May 2004 21:52:09 +0200 (CEST)
From:      thn@saeab.se
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/67231: [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf
Message-ID:  <200405261952.i4QJq9FP000570@scatcat.thn.saeab.se>
Resent-Message-ID: <200405262000.i4QK0jjk013180@freefall.freebsd.org>


>Number:         67231
>Category:       bin
>Synopsis:       [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 26 13:00:45 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Nyström
>Release:        FreeBSD 5.2.1-RELEASE-p7 i386
>Organization:
Sv. Aktuell Elektronik AB
>Environment:
System: FreeBSD home.thn.saeab.se 5.2.1-RELEASE-p7 FreeBSD 5.2.1-RELEASE-p7 #0: Tue May 25 23:00:03 CEST 2004 root@home.thn.saeab.se:/home/obj/src/5/src/sys/THN.HOME i386

>Description:
The pam_krb5 module has no way of saying that the retrieved ticket should
be without addresses. That parameter could be set in /etc/krb5.conf
but pam_krb5 doesn't honor the default flags from that file.

>How-To-Repeat:
Login using pam_krb5 and try to get tickets without addresses.
The result can be checked with 'klist -v'.
A ticket without addresses is needed if the ticket should be used
across a firewall.

>Fix:
Changed file:
__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.18 2003/05/31 17:19:03 des Exp $");

--- pam.diff begins here ---
--- pam_krb5.c.original	Wed May 26 19:42:17 2004
+++ pam_krb5.c	Wed May 26 20:54:48 2004
@@ -137,11 +137,6 @@
 
 	krb5_get_init_creds_opt_init(&opts);
 
-	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
-		krb5_get_init_creds_opt_set_forwardable(&opts, 1);
-
-	PAM_LOG("Credentials initialised");
-
 	krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
 	if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
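Review bot: this hunk only moves the PAM_OPT_FORWARDABLE handling and its log line (they reappear after the principal is known in the next hunk), but between krb5_get_init_creds_opt_init(&opts) and that new location opts now carries only the library defaults; confirm that nothing in between, including the krb5_cc_register() error path shown here, consumes opts, so that no behaviour changes on those paths. The log text also changes from "Credentials initialised" to "Credentials flags initialised", which anyone matching on the old string in debug logs will want to know.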
@@ -183,6 +178,14 @@
 	}
 
 	PAM_LOG("Got principal: %s", princ_name);
+
+	krb5_get_init_creds_opt_set_default_flags(pam_context, "login",
+					    princ->realm, &opts);
+
+	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
+		krb5_get_init_creds_opt_set_forwardable(&opts, 1);
+
+	PAM_LOG("Credentials flags initialised");
 
 	/* Get password */
 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
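Review bot: the appname passed to krb5_get_init_creds_opt_set_default_flags() is the bare literal "login", and that literal is what tells administrators which [appdefaults] block of krb5.conf the module consults, so the pam_krb5(8) man page should be updated with this change; it should also say that the explicit forwardable option in pam.conf, checked right after, still overrides the krb5.conf default but, since the branch only ever calls krb5_get_init_creds_opt_set_forwardable(&opts, 1), cannot switch a forwardable default off. Minor: princ->realm reaches into the principal structure, whereas the krb5_principal_get_realm(pam_context, princ) accessor keeps the module independent of Heimdal's struct layout.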
--- pam.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
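A way to set the krb5.conf defaults this PR is about and to check the result the way the How-To-Repeat section suggests, as an added example that is not part of the PR or of the FreeBSD sources. It assumes Heimdal's [appdefaults] key names and Heimdal's "klist -v" output format; the klist listings embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the PR. With the patch applied, pam_krb5 reads the
# "login" block of [appdefaults] for the realm of the principal logging in,
# so a site that needs addressless tickets (to use them across a firewall)
# would put this in /etc/krb5.conf (Heimdal key names assumed):
#
#   [appdefaults]
#           login = {
#                   no-addresses = true
#                   forwardable = true
#           }
#
# An explicit forwardable option in pam.conf still overrides this default.

# Constructed "klist -v" output: one addressless TGT (the patched behaviour).
SAMPLE_ADDRESSLESS='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: thn@EXAMPLE.ORG
    Cache version: 4

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: thn@EXAMPLE.ORG
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless'

# Constructed listing where the TGT is bound to the host address (the
# behaviour the PR complains about), followed by a service ticket.
SAMPLE_WITH_ADDRESSES='Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: thn@EXAMPLE.ORG
Ticket flags: pre-authent, initial
Addresses: IPv4:192.0.2.10

Server: host/home.example.org@EXAMPLE.ORG
Client: thn@EXAMPLE.ORG
Addresses: IPv4:192.0.2.10'

# ticket_is_addressless SERVER  < "klist -v" output
# Exit 0 if the ticket for SERVER has no addresses, 1 if it carries addresses
# (or lacks an Addresses: line), 2 if the listing has no ticket for SERVER.
ticket_is_addressless() {
    awk -v want="$1" '
        /^Server: /    { srv = $2; addr = "" }      # start of a ticket record
        /^Addresses: / { addr = $2 }                # first address, or "addressless"
        /^$/ && srv == want { found = 1; exit }     # wanted record is complete
        END {
            if (!found && srv != want) exit 2
            exit (addr == "addressless") ? 0 : 1
        }'
}

# On a real host, after a pam_krb5 login:  klist -v | ticket_is_addressless krbtgt/REALM@REALM
printf '%s\n' "$SAMPLE_ADDRESSLESS" | ticket_is_addressless 'krbtgt/EXAMPLE.ORG@EXAMPLE.ORG' \
    && echo "TGT is addressless" || echo "TGT carries addresses or is missing"
```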


