Date: Wed, 26 May 2004 21:52:09 +0200 (CEST) From: thn@saeab.se To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/67231: [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf Message-ID: <200405261952.i4QJq9FP000570@scatcat.thn.saeab.se> Resent-Message-ID: <200405262000.i4QK0jjk013180@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 67231 >Category: bin >Synopsis: [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed May 26 13:00:45 PDT 2004 >Closed-Date: >Last-Modified: >Originator: Thomas Nyström >Release: FreeBSD 5.2.1-RELEASE-p7 i386 >Organization: Sv. Aktuell Elektronik AB >Environment: System: FreeBSD home.thn.saeab.se 5.2.1-RELEASE-p7 FreeBSD 5.2.1-RELEASE-p7 #0: Tue May 25 23:00:03 CEST 2004 root@home.thn.saeab.se:/home/obj/src/5/src/sys/THN.HOME i386 >Description: The pam_krb5 module have no way of saying that retrieved ticket should be without addresses. That parameter could be set in /etc/krb5.conf but pam_krb5 doesn't honor the default flags from that file. >How-To-Repeat: Login using pam_krb5 and try to get tickets without addresses. The result can be checked with 'klist -v'. Ticket without addresses is needed if the ticket should be used across a firewall. >Fix: Changed file: __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.18 2003/05/31 17:19:03 des Exp $"); --- pam.diff begins here --- --- pam_krb5.c.original Wed May 26 19:42:17 2004 +++ pam_krb5.c Wed May 26 20:54:48 2004 @@ -137,11 +137,6 @@ krb5_get_init_creds_opt_init(&opts); - if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) - krb5_get_init_creds_opt_set_forwardable(&opts, 1); - - PAM_LOG("Credentials initialised"); - krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE); if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) { PAM_VERBOSE_ERROR("Kerberos 5 error"); @@ -183,6 +178,14 @@ } PAM_LOG("Got principal: %s", princ_name); + + krb5_get_init_creds_opt_set_default_flags(pam_context, "login", + princ->realm, &opts); + + if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) + krb5_get_init_creds_opt_set_forwardable(&opts, 1); + + PAM_LOG("Credentials flags initialised"); /* Get password */ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT); --- pam.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200405261952.i4QJq9FP000570>