Diffstat (limited to 'crypto/heimdal/lib/auth/pam')
-rw-r--r-- | crypto/heimdal/lib/auth/pam/Makefile.in | 194 | ||||
-rw-r--r-- | crypto/heimdal/lib/auth/pam/pam.c | 80 | ||||
-rw-r--r-- | crypto/heimdal/lib/auth/pam/pam.conf.add | 64 |
3 files changed, 156 insertions, 182 deletions
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.in b/crypto/heimdal/lib/auth/pam/Makefile.in index 37f8d22f1dd3..87759deb8d8b 100644 --- a/crypto/heimdal/lib/auth/pam/Makefile.in +++ b/crypto/heimdal/lib/auth/pam/Makefile.in @@ -1,6 +1,6 @@ -# Makefile.in generated automatically by automake 1.4 from Makefile.am +# Makefile.in generated automatically by automake 1.4a from Makefile.am -# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc. +# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -10,15 +10,6 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ - - -# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ - - -# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $ - - SHELL = @SHELL@ srcdir = @srcdir@ @@ -40,8 +31,6 @@ mandir = @mandir@ includedir = @includedir@ oldincludedir = /usr/include -DESTDIR = - pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ @@ -54,9 +43,10 @@ AUTOMAKE = @AUTOMAKE@ AUTOHEADER = @AUTOHEADER@ INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS) +INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_FLAG = transform = @program_transform_name@ NORMAL_INSTALL = : 
@@ -65,26 +55,39 @@ POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : + +@SET_MAKE@ host_alias = @host_alias@ host_triplet = @host@ -AFS_EXTRA_LD = @AFS_EXTRA_LD@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AMDEP = @AMDEP@ +AMTAR = @AMTAR@ +AS = @AS@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ CC = @CC@ +CPP = @CPP@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ DBLIB = @DBLIB@ +DEPDIR = @DEPDIR@ +DIR_des = @DIR_des@ +DIR_roken = @DIR_roken@ +DLLTOOL = @DLLTOOL@ EXEEXT = @EXEEXT@ EXTRA_LIB45 = @EXTRA_LIB45@ GROFF = @GROFF@ +INCLUDES_roken = @INCLUDES_roken@ INCLUDE_ = @INCLUDE_@ -LD = @LD@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBTOOL = @LIBTOOL@ LIB_ = @LIB_@ LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ +LIB_des = @LIB_des@ +LIB_des_appl = @LIB_des_appl@ LIB_kdb = @LIB_kdb@ LIB_otp = @LIB_otp@ LIB_roken = @LIB_roken@ 
@@ -92,31 +95,43 @@ LIB_security = @LIB_security@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ -MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@ -MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@ -MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NM = @NM@ NROFF = @NROFF@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ RANLIB = @RANLIB@ +STRIP = @STRIP@ VERSION = @VERSION@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ WFLAGS = @WFLAGS@ WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ YACC = @YACC@ +dpagaix_CFLAGS = @dpagaix_CFLAGS@ +dpagaix_LDADD = @dpagaix_LDADD@ +install_sh = @install_sh@ + +# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ + + +# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ + + +# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $ + AUTOMAKE_OPTIONS = foreign no-dependencies SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x -INCLUDES = -I$(top_builddir)/include +INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) AM_CFLAGS = $(WFLAGS) +CP = cp + COMPILE_ET = $(top_builddir)/lib/com_err/compile_et buildinclude = $(top_builddir)/include @@ -136,6 +151,7 @@ LIB_getsockopt = @LIB_getsockopt@ LIB_logout = @LIB_logout@ LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ +LIB_pidfile = @LIB_pidfile@ LIB_readline = @LIB_readline@ LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ @@ -144,6 +160,8 @@ LIB_socket = @LIB_socket@ LIB_syslog = @LIB_syslog@ LIB_tgetent = @LIB_tgetent@ +LIBS = @LIBS@ + HESIODLIB = @HESIODLIB@ HESIODINCLUDE = @HESIODINCLUDE@ INCLUDE_hesiod = @INCLUDE_hesiod@ 
@@ -152,26 +170,23 @@ LIB_hesiod = @LIB_hesiod@ INCLUDE_krb4 = @INCLUDE_krb4@ LIB_krb4 = @LIB_krb4@ +INCLUDE_openldap = @INCLUDE_openldap@ +LIB_openldap = @LIB_openldap@ + INCLUDE_readline = @INCLUDE_readline@ LEXLIB = @LEXLIB@ -cat1dir = $(mandir)/cat1 -cat3dir = $(mandir)/cat3 -cat5dir = $(mandir)/cat5 -cat8dir = $(mandir)/cat8 - -MANRX = \(.*\)\.\([0-9]\) -CATSUFFIX = @CATSUFFIX@ - NROFF_MAN = groff -mandoc -Tascii -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) +@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la +@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \ +@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la +@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la CHECK_LOCAL = $(PROGRAMS) +subdir = lib/auth/pam mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = ../../../include/config.h CONFIG_CLEAN_FILES = @@ -179,13 +194,14 @@ CFLAGS = @CFLAGS@ COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +DIST_SOURCES = +depcomp = DIST_COMMON = Makefile.am Makefile.in -DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: 
@@ -203,17 +219,16 @@ TAGS: distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir) -subdir = lib/auth/pam - distdir: $(DISTFILES) @for file in $(DISTFILES); do \ d=$(srcdir); \ if test -d $$d/$$file; then \ - cp -pr $$/$$file $(distdir)/$$file; \ + cp -pR $$d/$$file $(distdir) \ + || exit 1; \ else \ test -f $(distdir)/$$file \ - || ln $$d/$$file $(distdir)/$$file 2> /dev/null \ - || cp -p $$d/$$file $(distdir)/$$file || :; \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ fi; \ done $(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook @@ -242,7 +257,7 @@ uninstall: uninstall-am all-am: Makefile all-local all-redirect: all-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install + $(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install installdirs: @@ -255,6 +270,7 @@ distclean-generic: -rm -f config.cache config.log stamp-h stamp-h[0-9]* maintainer-clean-generic: + -rm -f Makefile.in mostlyclean-am: mostlyclean-generic mostlyclean: mostlyclean-am @@ -277,8 +293,8 @@ maintainer-clean: maintainer-clean-am .PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \ installcheck-am installcheck install-exec-am install-exec \ install-data-local install-data-am install-data install-am install \ -uninstall-am uninstall all-local all-redirect all-am all installdirs \ -mostlyclean-generic distclean-generic clean-generic \ +uninstall-am uninstall all-local all-redirect all-am all install-strip \ +installdirs mostlyclean-generic distclean-generic clean-generic \ maintainer-clean-generic clean mostlyclean distclean maintainer-clean @@ -287,7 +303,10 @@ install-suid-programs: for file in $$foo; do \ x=$(DESTDIR)$(bindir)/$$file; \ if chown 0:0 $$x && chmod u+s $$x; then :; else \ - chmod 0 $$x; fi; done + echo "*"; \ + echo "* Failed to install $$x setuid root"; \ + echo "*"; \ + fi; done install-exec-hook: install-suid-programs 
@@ -299,8 +318,8 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ) else file="$$f"; fi; \ if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ : ; else \ - echo " cp $$file $(buildinclude)/$$f"; \ - cp $$file $(buildinclude)/$$f; \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ fi ; \ done 
@@ -369,87 +388,8 @@ dist-cat8-mans: dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans -install-cat1-mans: - @ext=1;\ - foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat1dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat3-mans: - @ext=3;\ - foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat3dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat5-mans: - @ext=5;\ - foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat5dir); \ - for x in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat8-mans: - @ext=8;\ - foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done; \ - if test "$$foo"; then \ - $(mkinstalldirs) $(DESTDIR)$(cat8dir); \ - for x 
in $$foo; do \ - f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \ - if test -f "$(srcdir)/$$f"; then \ - b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ - echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\ - $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\ - fi; \ - done ;\ - fi - -install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans +install-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) install-data-local: install-cat-mans diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c index 1a385e0cf103..c207756898c1 100644 --- a/crypto/heimdal/lib/auth/pam/pam.c +++ b/crypto/heimdal/lib/auth/pam/pam.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include<config.h> -RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $"); +RCSID("$Id: pam.c,v 1.26 2000/10/04 20:22:15 bg Exp $"); #endif #include <stdio.h> @@ -60,12 +60,12 @@ RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $"); #endif static void -log_error(int level, const char *format, ...) +psyslog(int level, const char *format, ...) { va_list args; va_start(args, format); openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(level | LOG_AUTH, format, args); + vsyslog(level, format, args); va_end(args); closelog(); } @@ -115,7 +115,7 @@ parse_ctrl(int argc, const char **argv) break; if (j >= KRB4_CTRLS) - log_error(LOG_ALERT, "unrecognized option [%s]", *argv); + psyslog(LOG_ALERT, "unrecognized option [%s]", *argv); else ctrl_flags |= krb4_args[j].flag; } 
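Review bot: `psyslog()` still wraps every message in `openlog("pam_krb4", ...)` and `closelog()`, and syslog state is process-wide, so the application that loaded this module may find its own ident and facility changed for whatever it logs afterwards. Now that `LOG_AUTH` is no longer OR-ed into the priority, the facility comes only from that `openlog()` call; that is valid, but a short comment such as `/* facility is supplied by openlog() above */` would stop a later edit from dropping it. `pdeb()` in the `@@ -128,13 +128,13 @@` hunk follows the same open/log/close pattern. Where the platform's PAM library provides its own logging helper (Linux-PAM has `pam_syslog()`), using it would keep these authentication records attributable without touching the host's syslog settings.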
@@ -128,13 +128,13 @@ pdeb(const char *format, ...) if (ctrl_off(KRB4_DEBUG)) return; va_start(args, format); - openlog("pam_krb4", LOG_PID, LOG_AUTH); - vsyslog(LOG_DEBUG | LOG_AUTH, format, args); + openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH); + vsyslog(LOG_DEBUG, format, args); va_end(args); closelog(); } -#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid()) +#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid()) static void set_tkt_string(uid_t uid) @@ -182,9 +182,14 @@ verify_pass(pam_handle_t *pamh, old_euid = geteuid(); setreuid(0, 0); ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL); - if (setreuid(old_ruid, old_euid) != 0) + pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s", + name, inst, realm, krb_verify, + krb_get_err_text(ret)); + setreuid(old_ruid, old_euid); + if (getuid() != old_ruid || geteuid() != old_euid) { - log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid); + psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", + old_ruid, old_euid, __LINE__); exit(1); } @@ -220,7 +225,7 @@ krb4_auth(pam_handle_t *pamh, ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); if (ret != PAM_SUCCESS) { - log_error(LOG_ERR , "pam_get_item returned error to get-password"); + psyslog(LOG_ERR , "pam_get_item returned error to get-password"); return ret; } else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS) @@ -271,6 +276,8 @@ pam_sm_authenticate(pam_handle_t *pamh, struct passwd *pw; uid_t uid = -1; const char *name, *inst; + char realm[REALM_SZ]; + realm[0] = 0; parse_ctrl(argc, argv); ENTRY("pam_sm_authenticate"); 
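Review bot: The rewritten `ENTRY(func)` macro expands to a use of `flags`, which is not one of its arguments, so it compiles only inside functions that have a variable of that name in scope. A comment next to the definition, `/* ENTRY() expects an int named flags in the calling scope */`, would make that hidden dependency visible. Printing the bitmask as `0x%x` rather than `%d` would match the format used in the `pam_sm_setcred` default branch and read more easily in debug logs. The uid values are passed to `%d` without a cast; `(int)getuid()` and `(int)geteuid()` would avoid a mismatch on platforms where `uid_t` is not `int`.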
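Review bot: The privilege restore in `verify_pass` now discards the result of `setreuid(old_ruid, old_euid)` and relies only on the `getuid()`/`geteuid()` comparison, and the earlier `setreuid(0, 0)` before `krb_verify_user()` is not checked at all. Keeping both signals costs nothing: `if (setreuid(old_ruid, old_euid) != 0 || getuid() != old_ruid || geteuid() != old_euid)`, and adding `%m` to the alert message would record why the call failed. The new `pdeb()` call runs while the process is still uid 0; moving it below the restore would shorten the privileged window without losing any of the logged values. The same restore pattern is repeated in the `pam_sm_authenticate` hunk at `@@ -334,28 +339,44 @@`. The body of `verify_pass` starts and ends outside this hunk.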
@@ -316,11 +323,9 @@ pam_sm_authenticate(pam_handle_t *pamh, */ if (ret == PAM_SUCCESS && inst[0] != 0) { - char realm[REALM_SZ]; uid_t old_euid = geteuid(); uid_t old_ruid = getuid(); - realm[0] = 0; setreuid(0, 0); /* To read ticket file. */ if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS) ret = PAM_SERVICE_ERR; @@ -334,28 +339,44 @@ pam_sm_authenticate(pam_handle_t *pamh, if (ret != PAM_SUCCESS) { dest_tkt(); /* Passwd known, ok to kill ticket. */ - log_error(LOG_NOTICE, - "%s.%s@%s is not allowed to log in as %s", - name, inst, realm, user); + psyslog(LOG_NOTICE, + "%s.%s@%s is not allowed to log in as %s", + name, inst, realm, user); } - if (setreuid(old_ruid, old_euid) != 0) + setreuid(old_ruid, old_euid); + if (getuid() != old_ruid || geteuid() != old_euid) { - log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid); + psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", + old_ruid, old_euid, __LINE__); exit(1); } } if (ret == PAM_SUCCESS) - chown(tkt_string(), uid, -1); - - /* Sun dtlogin unlock screen does not call any other pam_* funcs. */ - if (ret == PAM_SUCCESS - && ctrl_on(KRB4_REAFSLOG) - && k_hasafs() - && (pw = getpwnam(user)) != 0) - krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir); + { + psyslog(LOG_INFO, + "%s.%s@%s authenticated as user %s", + name, inst, realm, user); + if (chown(tkt_string(), uid, -1) == -1) + { + dest_tkt(); + psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid); + exit(1); + } + } + /* + * Kludge alert!!! Sun dtlogin unlock screen fails to call + * pam_setcred(3) with PAM_REFRESH_CRED after a successful + * authentication attempt, sic. + * + * This hack is designed as a workaround to that problem. + */ + if (ctrl_on(KRB4_REAFSLOG)) + if (ret == PAM_SUCCESS) + pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv); + return ret; } 
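Review bot: The new `LOG_INFO` success line in the `@@ -334,28 +339,44 @@` hunk prints `realm`, but `realm` is only filled by `krb_get_tf_fullname()` inside the `inst[0] != 0` branch, so for a principal with an empty instance the audit record has the form `name.@ authenticated as user ...` with no realm. Formatting the principal conditionally, or logging an explicit placeholder when `realm[0] == 0`, would let a successful login be attributed from the log line alone. In the new `chown()` failure path, `"chown(%s, %d, -1) failed: %m"` would record the errno. Setting `ret = PAM_SERVICE_ERR` after `dest_tkt()` instead of calling `exit(1)` would also fail the login, but without terminating the application that loaded the module. The body of `pam_sm_authenticate` starts and ends outside this hunk.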
@@ -364,14 +385,13 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { parse_ctrl(argc, argv); ENTRY("pam_sm_setcred"); - pdeb("flags = 0x%x", flags); switch (flags & ~PAM_SILENT) { case 0: case PAM_ESTABLISH_CRED: if (k_hasafs()) k_setpag(); - /* Fill PAG with credentials below. */ + /* Fall through, fill PAG with credentials below. */ case PAM_REINITIALIZE_CRED: case PAM_REFRESH_CRED: if (k_hasafs()) @@ -393,7 +413,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) k_unlog(); break; default: - log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); + psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); break; } @@ -417,9 +437,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv) ENTRY("pam_sm_close_session"); /* This isn't really kosher, but it's handy. */ - dest_tkt(); - if (k_hasafs()) - k_unlog(); + pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv); return PAM_SUCCESS; } diff --git a/crypto/heimdal/lib/auth/pam/pam.conf.add b/crypto/heimdal/lib/auth/pam/pam.conf.add index 64a4915dbf48..7db3e3d85a30 100644 --- a/crypto/heimdal/lib/auth/pam/pam.conf.add +++ b/crypto/heimdal/lib/auth/pam/pam.conf.add @@ -32,36 +32,52 @@ To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch: # # Password management --------------------------------------------------------------------------- -To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches: +To enable PAM in /bin/login and xdm under Red Hat 6.? apply these patches: ---- /etc/pam.d/login~ Thu Jul 8 00:14:02 1999 -+++ /etc/pam.d/login Mon Aug 30 14:33:12 1999 +--- /etc/pam.d/login~ Tue Dec 7 12:01:35 1999 ++++ /etc/pam.d/login Wed May 31 16:27:55 2000 
@@ -1,9 +1,12 @@ #%PAM-1.0 +# Updated to work with kerberos -+auth sufficient /lib/security/pam_krb4.so - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so nullok use_authtok shadow -+session required /lib/security/pam_krb4.so - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so ---- /etc/pam.d/xdm~ Mon Jun 14 17:39:05 1999 -+++ /etc/pam.d/xdm Mon Aug 30 14:54:51 1999 -@@ -1,8 +1,10 @@ ++auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1 + auth required /lib/security/pam_securetty.so + auth required /lib/security/pam_pwdb.so shadow nullok + auth required /lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow ++session required /usr/athena/lib/pam_krb4.so.1.0.1 + session required /lib/security/pam_pwdb.so + session optional /lib/security/pam_console.so +--- /etc/pam.d/xdm~ Wed May 31 16:33:54 2000 ++++ /etc/pam.d/xdm Wed May 31 16:28:29 2000 +@@ -1,8 +1,11 @@ #%PAM-1.0 -+auth sufficient /lib/security/pam_krb4.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so shadow nullok use_authtok -+session required /lib/security/pam_krb4.so - session required /lib/security/pam_pwdb.so ++# Updated to work with kerberos ++auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1 + auth required /lib/security/pam_pwdb.so shadow nullok + auth required /lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password 
required /lib/security/pam_pwdb.so shadow nullok use_authtok ++session required /usr/athena/lib/pam_krb4.so.1.0.1 + session required /lib/security/pam_pwdb.so session optional /lib/security/pam_console.so +--- /etc/pam.d/gdm~ Wed May 31 16:33:54 2000 ++++ /etc/pam.d/gdm Wed May 31 16:34:28 2000 +@@ -1,8 +1,11 @@ + #%PAM-1.0 ++# Updated to work with kerberos ++auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1 + auth required /lib/security/pam_pwdb.so shadow nullok + auth required /lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password required /lib/security/pam_pwdb.so shadow nullok use_authtok ++session required /usr/athena/lib/pam_krb4.so.1.0.1 + session required /lib/security/pam_pwdb.so + session optional /lib/security/pam_console.so + -------------------------------------------------------------------------- This stuff may work under some other system. |
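Review bot: In all three sample stacks the added `auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1` line is the first `auth` entry, ahead of `pam_securetty.so` (login only) and `pam_nologin.so`. Under Linux-PAM a `sufficient` module that succeeds ends the auth stack immediately, so a login that authenticates through Kerberos would not reach the securetty and nologin checks listed after it. Placing the `pam_krb4` line after those `required` entries keeps them in force, and a sentence in the surrounding text explaining the ordering would help administrators who copy the patch verbatim. The module path also pins an exact library version (`.so.1.0.1`), so the samples will need editing whenever the installed module version changes.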