Add --enable-kerb5-instance configure option to allow people using
Kerberos V authentication to use a custom instance. Adapted from a diff by Michael E Burr.
This commit is contained in:
Todd C. Miller
7
INSTALL
7
INSTALL
@@ -180,6 +180,13 @@ Special features/options:
|
|||||||
does not use the Kerberos cookie scheme. Will not work for
|
does not use the Kerberos cookie scheme. Will not work for
|
||||||
Kerberos V older than version 1.1.
|
Kerberos V older than version 1.1.
|
||||||
|
|
||||||
|
--enable-kerb5-instance=string
|
||||||
|
By default, the user name is used as the principal name
|
||||||
|
when authenticating via Kerberos V. If this option is
|
||||||
|
enabled, the specified instance string will be appended to
|
||||||
|
the user name (separated by a slash) when creating the
|
||||||
|
principal name.
|
||||||
|
|
||||||
--with-ldap[=DIR]
|
--with-ldap[=DIR]
|
||||||
Enable LDAP support. If specified, DIR is the base directory
|
Enable LDAP support. If specified, DIR is the base directory
|
||||||
containing the LDAP include and lib directories. Please see
|
containing the LDAP include and lib directories. Please see
|
||||||
|
|||||||
@@ -767,6 +767,10 @@
|
|||||||
/* The name of the sudoers plugin, including extension. */
|
/* The name of the sudoers plugin, including extension. */
|
||||||
#undef SUDOERS_PLUGIN
|
#undef SUDOERS_PLUGIN
|
||||||
|
|
||||||
|
/* An instance string to append to the username (separated by a slash) for
|
||||||
|
Kerberos V authentication */
|
||||||
|
#undef SUDO_KRB5_INSTANCE
|
||||||
|
|
||||||
/* The umask that the sudo-run prog should use. */
|
/* The umask that the sudo-run prog should use. */
|
||||||
#undef SUDO_UMASK
|
#undef SUDO_UMASK
|
||||||
|
|
||||||
|
|||||||
27
configure
vendored
27
configure
vendored
@@ -891,6 +891,7 @@ enable_sia
|
|||||||
enable_largefile
|
enable_largefile
|
||||||
with_pam_login
|
with_pam_login
|
||||||
enable_pam_session
|
enable_pam_session
|
||||||
|
enable_kerb5_instance
|
||||||
'
|
'
|
||||||
ac_precious_vars='build_alias
|
ac_precious_vars='build_alias
|
||||||
host_alias
|
host_alias
|
||||||
@@ -1547,6 +1548,8 @@ Optional Features:
|
|||||||
--disable-sia Disable SIA on Digital UNIX
|
--disable-sia Disable SIA on Digital UNIX
|
||||||
--disable-largefile omit support for large files
|
--disable-largefile omit support for large files
|
||||||
--disable-pam-session Disable PAM session support
|
--disable-pam-session Disable PAM session support
|
||||||
|
--enable-kerb5-instance instance string to append to the username (separated
|
||||||
|
by a slash)
|
||||||
|
|
||||||
Optional Packages:
|
Optional Packages:
|
||||||
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
||||||
@@ -18399,6 +18402,29 @@ done
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
LIBS="$_LIBS"
|
LIBS="$_LIBS"
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use an instance name for Kerberos V" >&5
|
||||||
|
$as_echo_n "checking whether to use an instance name for Kerberos V... " >&6; }
|
||||||
|
# Check whether --enable-kerb5-instance was given.
|
||||||
|
if test "${enable_kerb5_instance+set}" = set; then :
|
||||||
|
enableval=$enable_kerb5_instance; case "$enableval" in
|
||||||
|
yes) as_fn_error $? "\"must give --enable-kerb5-instance an argument.\"" "$LINENO" 5
|
||||||
|
;;
|
||||||
|
no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||||
|
$as_echo "no" >&6; }
|
||||||
|
;;
|
||||||
|
*) cat >>confdefs.h <<EOF
|
||||||
|
#define SUDO_KRB5_INSTANCE "$enableval"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $enableval" >&5
|
||||||
|
$as_echo "$enableval" >&6; }
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||||
|
$as_echo "no" >&6; }
|
||||||
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test ${with_AFS-'no'} = "yes"; then
|
if test ${with_AFS-'no'} = "yes"; then
|
||||||
@@ -22126,5 +22152,6 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
13
configure.in
13
configure.in
@@ -2584,6 +2584,18 @@ if test ${with_kerb5-'no'} != "no"; then
|
|||||||
AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
|
AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
|
||||||
fi
|
fi
|
||||||
LIBS="$_LIBS"
|
LIBS="$_LIBS"
|
||||||
|
AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
|
||||||
|
AC_ARG_ENABLE(kerb5-instance,
|
||||||
|
[AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
|
||||||
|
[ case "$enableval" in
|
||||||
|
yes) AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
|
||||||
|
;;
|
||||||
|
no) AC_MSG_RESULT(no)
|
||||||
|
;;
|
||||||
|
*) SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
|
||||||
|
AC_MSG_RESULT([$enableval])
|
||||||
|
;;
|
||||||
|
esac], AC_MSG_RESULT(no))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dnl
|
dnl
|
||||||
@@ -3166,6 +3178,7 @@ AH_TEMPLATE(socklen_t, [Define to `unsigned int' if <sys/socket.h> doesn't defin
|
|||||||
AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
|
AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
|
||||||
AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
|
AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
|
||||||
AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
|
AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
|
||||||
|
AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication])
|
||||||
|
|
||||||
dnl
|
dnl
|
||||||
dnl Bits to copy verbatim into config.h.in
|
dnl Bits to copy verbatim into config.h.in
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1999-2005, 2007-2008, 2010-2011
|
* Copyright (c) 1999-2005, 2007-2008, 2010-2012
|
||||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
*
|
*
|
||||||
* Permission to use, copy, modify, and distribute this software for any
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
@@ -70,6 +70,12 @@ static struct _sudo_krb5_data {
|
|||||||
} sudo_krb5_data = { NULL, NULL, NULL };
|
} sudo_krb5_data = { NULL, NULL, NULL };
|
||||||
typedef struct _sudo_krb5_data *sudo_krb5_datap;
|
typedef struct _sudo_krb5_data *sudo_krb5_datap;
|
||||||
|
|
||||||
|
#ifdef SUDO_KRB5_INSTANCE
|
||||||
|
static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
|
||||||
|
#else
|
||||||
|
static const char *sudo_krb5_instance = NULL;
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
|
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
krb5_get_init_creds_opt_alloc(krb5_context context,
|
krb5_get_init_creds_opt_alloc(krb5_context context,
|
||||||
@@ -128,31 +134,33 @@ int
|
|||||||
sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
||||||
{
|
{
|
||||||
krb5_context sudo_context;
|
krb5_context sudo_context;
|
||||||
krb5_ccache ccache;
|
|
||||||
krb5_principal princ;
|
|
||||||
krb5_error_code error;
|
krb5_error_code error;
|
||||||
char cache_name[64];
|
char cache_name[64], *pname = pw->pw_name;
|
||||||
debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
|
debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
|
||||||
|
|
||||||
auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
|
auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
|
||||||
|
|
||||||
|
if (sudo_krb5_instance != NULL) {
|
||||||
|
easprintf(&pname, "%s%s%s", pw->pw_name,
|
||||||
|
sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
|
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
|
||||||
error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
|
error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
|
||||||
#else
|
#else
|
||||||
error = krb5_init_context(&(sudo_krb5_data.sudo_context));
|
error = krb5_init_context(&(sudo_krb5_data.sudo_context));
|
||||||
#endif
|
#endif
|
||||||
if (error)
|
if (error)
|
||||||
debug_return_int(AUTH_FAILURE);
|
goto done;
|
||||||
sudo_context = sudo_krb5_data.sudo_context;
|
sudo_context = sudo_krb5_data.sudo_context;
|
||||||
|
|
||||||
if ((error = krb5_parse_name(sudo_context, pw->pw_name,
|
error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
|
||||||
&(sudo_krb5_data.princ)))) {
|
if (error) {
|
||||||
log_error(NO_EXIT|NO_MAIL,
|
log_error(NO_EXIT|NO_MAIL,
|
||||||
_("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
|
_("%s: unable to parse '%s': %s"), auth->name, pname,
|
||||||
error_message(error));
|
error_message(error));
|
||||||
debug_return_int(AUTH_FAILURE);
|
goto done;
|
||||||
}
|
}
|
||||||
princ = sudo_krb5_data.princ;
|
|
||||||
|
|
||||||
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
|
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
|
||||||
(long) getpid());
|
(long) getpid());
|
||||||
@@ -161,11 +169,13 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
|||||||
log_error(NO_EXIT|NO_MAIL,
|
log_error(NO_EXIT|NO_MAIL,
|
||||||
_("%s: unable to resolve ccache: %s"), auth->name,
|
_("%s: unable to resolve ccache: %s"), auth->name,
|
||||||
error_message(error));
|
error_message(error));
|
||||||
debug_return_int(AUTH_FAILURE);
|
goto done;
|
||||||
}
|
}
|
||||||
ccache = sudo_krb5_data.ccache;
|
|
||||||
|
|
||||||
debug_return_int(AUTH_SUCCESS);
|
done:
|
||||||
|
if (sudo_krb5_instance != NULL)
|
||||||
|
efree(pname);
|
||||||
|
debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_KRB5_VERIFY_USER
|
#ifdef HAVE_KRB5_VERIFY_USER
|
||||||
|
|||||||
Reference in New Issue
Block a user