Add --enable-kerb5-instance configure option to allow people using
Kerberos V authentication to use a custom instance. Adapted from a diff by Michael E Burr.
7
INSTALL
7
INSTALL
@@ -180,6 +180,13 @@ Special features/options:
|
||||
does not use the Kerberos cookie scheme. Will not work for
|
||||
Kerberos V older than version 1.1.
|
||||
|
||||
--enable-kerb5-instance=string
|
||||
By default, the user name is used as the principal name
|
||||
when authenticating via Kerberos V. If this option is
|
||||
enabled, the specified instance string will be appended to
|
||||
the user name (separated by a slash) when creating the
|
||||
principal name.
|
||||
|
||||
--with-ldap[=DIR]
|
||||
Enable LDAP support. If specified, DIR is the base directory
|
||||
containing the LDAP include and lib directories. Please see
|
||||
|
@@ -767,6 +767,10 @@
|
||||
/* The name of the sudoers plugin, including extension. */
|
||||
#undef SUDOERS_PLUGIN
|
||||
|
||||
/* An instance string to append to the username (separated by a slash) for
|
||||
Kerberos V authentication */
|
||||
#undef SUDO_KRB5_INSTANCE
|
||||
|
||||
/* The umask that the sudo-run prog should use. */
|
||||
#undef SUDO_UMASK
|
||||
|
||||
|
27
configure
27
configure
@@ -891,6 +891,7 @@ enable_sia
|
||||
enable_largefile
|
||||
with_pam_login
|
||||
enable_pam_session
|
||||
enable_kerb5_instance
|
||||
'
|
||||
ac_precious_vars='build_alias
|
||||
host_alias
|
||||
@@ -1547,6 +1548,8 @@ Optional Features:
|
||||
--disable-sia Disable SIA on Digital UNIX
|
||||
--disable-largefile omit support for large files
|
||||
--disable-pam-session Disable PAM session support
|
||||
--enable-kerb5-instance instance string to append to the username (separated
|
||||
by a slash)
|
||||
|
||||
Optional Packages:
|
||||
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
||||
@@ -18399,6 +18402,29 @@ done
|
||||
|
||||
fi
|
||||
LIBS="$_LIBS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use an instance name for Kerberos V" >&5
|
||||
$as_echo_n "checking whether to use an instance name for Kerberos V... " >&6; }
|
||||
# Check whether --enable-kerb5-instance was given.
|
||||
if test "${enable_kerb5_instance+set}" = set; then :
|
||||
enableval=$enable_kerb5_instance; case "$enableval" in
|
||||
yes) as_fn_error $? "\"must give --enable-kerb5-instance an argument.\"" "$LINENO" 5
|
||||
;;
|
||||
no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
;;
|
||||
*) cat >>confdefs.h <<EOF
|
||||
#define SUDO_KRB5_INSTANCE "$enableval"
|
||||
EOF
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $enableval" >&5
|
||||
$as_echo "$enableval" >&6; }
|
||||
;;
|
||||
esac
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if test ${with_AFS-'no'} = "yes"; then
|
||||
@@ -22126,5 +22152,6 @@ fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
13
configure.in
13
configure.in
@@ -2584,6 +2584,18 @@ if test ${with_kerb5-'no'} != "no"; then
|
||||
AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
|
||||
fi
|
||||
LIBS="$_LIBS"
|
||||
AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
|
||||
AC_ARG_ENABLE(kerb5-instance,
|
||||
[AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
|
||||
[ case "$enableval" in
|
||||
yes) AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
|
||||
;;
|
||||
no) AC_MSG_RESULT(no)
|
||||
;;
|
||||
*) SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
|
||||
AC_MSG_RESULT([$enableval])
|
||||
;;
|
||||
esac], AC_MSG_RESULT(no))
|
||||
fi
|
||||
|
||||
dnl
|
||||
@@ -3166,6 +3178,7 @@ AH_TEMPLATE(socklen_t, [Define to `unsigned int' if <sys/socket.h> doesn't defin
|
||||
AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
|
||||
AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
|
||||
AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
|
||||
AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication])
|
||||
|
||||
dnl
|
||||
dnl Bits to copy verbatim into config.h.in
|
||||
|
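Review bot: The `*)` arm of the new AC_ARG_ENABLE accepts any non-yes/no value, including the empty string from a bare `--enable-kerb5-instance=`, which then lands in config.h as `SUDO_KRB5_INSTANCE ""` and is only noticed at authentication time when the principal `user/` fails to parse. Rejecting it at configure time is cheap: add `"") AC_MSG_ERROR([must give --enable-kerb5-instance a non-empty argument.]) ;;` before the `*)` arm. A value containing a double quote or backslash is likewise passed to SUDO_DEFINE_UNQUOTED unescaped and would presumably produce a malformed string literal in config.h; I have not seen that macro's definition, so confirm whether it quotes its argument. The generated configure carries the same case statement, so the fix belongs here followed by a regeneration.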
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1999-2005, 2007-2008, 2010-2011
|
||||
* Copyright (c) 1999-2005, 2007-2008, 2010-2012
|
||||
* Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -70,6 +70,12 @@ static struct _sudo_krb5_data {
|
||||
} sudo_krb5_data = { NULL, NULL, NULL };
|
||||
typedef struct _sudo_krb5_data *sudo_krb5_datap;
|
||||
|
||||
#ifdef SUDO_KRB5_INSTANCE
|
||||
static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
|
||||
#else
|
||||
static const char *sudo_krb5_instance = NULL;
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
|
||||
static krb5_error_code
|
||||
krb5_get_init_creds_opt_alloc(krb5_context context,
|
||||
@@ -128,31 +134,33 @@ int
|
||||
sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
||||
{
|
||||
krb5_context sudo_context;
|
||||
krb5_ccache ccache;
|
||||
krb5_principal princ;
|
||||
krb5_error_code error;
|
||||
char cache_name[64];
|
||||
char cache_name[64], *pname = pw->pw_name;
|
||||
debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
|
||||
|
||||
auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
|
||||
|
||||
if (sudo_krb5_instance != NULL) {
|
||||
easprintf(&pname, "%s%s%s", pw->pw_name,
|
||||
sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
|
||||
}
|
||||
|
||||
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
|
||||
error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
|
||||
#else
|
||||
error = krb5_init_context(&(sudo_krb5_data.sudo_context));
|
||||
#endif
|
||||
if (error)
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
goto done;
|
||||
sudo_context = sudo_krb5_data.sudo_context;
|
||||
|
||||
if ((error = krb5_parse_name(sudo_context, pw->pw_name,
|
||||
&(sudo_krb5_data.princ)))) {
|
||||
error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
|
||||
if (error) {
|
||||
log_error(NO_EXIT|NO_MAIL,
|
||||
_("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
|
||||
_("%s: unable to parse '%s': %s"), auth->name, pname,
|
||||
error_message(error));
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
goto done;
|
||||
}
|
||||
princ = sudo_krb5_data.princ;
|
||||
|
||||
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
|
||||
(long) getpid());
|
||||
@@ -161,11 +169,13 @@ sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
|
||||
log_error(NO_EXIT|NO_MAIL,
|
||||
_("%s: unable to resolve ccache: %s"), auth->name,
|
||||
error_message(error));
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
goto done;
|
||||
}
|
||||
ccache = sudo_krb5_data.ccache;
|
||||
|
||||
debug_return_int(AUTH_SUCCESS);
|
||||
done:
|
||||
if (sudo_krb5_instance != NULL)
|
||||
efree(pname);
|
||||
debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
|
||||
}
|
||||
|
||||
#ifdef HAVE_KRB5_VERIFY_USER
|
||||
|
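Review bot: At the `done:` label the release of `pname` is keyed on `sudo_krb5_instance != NULL` rather than on whether `pname` was actually allocated by the `easprintf` earlier in sudo_krb5_init; tying the free to the allocation, `if (pname != pw->pw_name) efree(pname);`, keeps ownership visible at the point of release and stays correct if the way pname is built changes later. A comment on the new declaration would help readers, e.g. `/* principal to authenticate: pw_name, or heap "pw_name/instance" when SUDO_KRB5_INSTANCE is set (freed at done:) */`. Note that when an instance is configured the principal that must prove possession of credentials is `user/instance`, a different principal from `user`, and `pw->pw_name` is still handed to krb5_parse_name unchanged, so any `/` or `@` in the account name is interpreted by the parser as before (pre-existing, not introduced here). sudo_krb5_init spans both the @@ -128 and @@ -161 hunks, with the ccache resolution between them outside the shown lines.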