Remove the old Kerberos IV support

Todd C. Miller
2011-11-13 09:12:43 -05:00
parent f190bcf94b
commit c86561e502
12 changed files with 1 additions and 525 deletions


@@ -173,12 +173,6 @@ Special features/options:
DIR is the base directory containing the compiled FWTK package
(or at least the library and header files).
--with-kerb4[=DIR]
Enable Kerberos IV support. If specified, DIR is the base
directory containing the Kerberos IV include and lib dirs.
This uses Kerberos passphrases for authentication but does
not use the Kerberos cookie scheme.
--with-kerb5[=DIR]
Enable Kerberos V support. If specified, DIR is the base
directory containing the Kerberos V include and lib dirs.


@@ -134,7 +134,6 @@ plugins/sudoers/auth/aix_auth.c
plugins/sudoers/auth/bsdauth.c
plugins/sudoers/auth/dce.c
plugins/sudoers/auth/fwtk.c
plugins/sudoers/auth/kerb4.c
plugins/sudoers/auth/kerb5.c
plugins/sudoers/auth/pam.c
plugins/sudoers/auth/passwd.c


@@ -241,9 +241,6 @@
shadow enabled) */
#undef HAVE_ISSECURE
/* Define to 1 if you use Kerberos IV. */
#undef HAVE_KERB4
/* Define to 1 if you use Kerberos V. */
#undef HAVE_KERB5

321
configure vendored

@@ -803,7 +803,6 @@ with_opie
with_long_otp_prompt
with_SecurID
with_fwtk
with_kerb4
with_kerb5
with_aixauth
with_pam
@@ -1571,7 +1570,6 @@ Optional Packages:
--with-long-otp-prompt use a two line OTP (skey/opie) prompt
--with-SecurID[=DIR] enable SecurID support
--with-fwtk[=DIR] enable FWTK AuthSRV support
--with-kerb4[=DIR] enable Kerberos IV support
--with-kerb5[=DIR] enable Kerberos V support
--with-aixauth enable AIX general authentication support
--with-pam enable PAM support
@@ -4062,21 +4060,6 @@ fi
# Check whether --with-kerb4 was given.
if test "${with_kerb4+set}" = set; then :
withval=$with_kerb4; case $with_kerb4 in
no) ;;
*) { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to try kerberos IV authentication" >&5
$as_echo_n "checking whether to try kerberos IV authentication... " >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
AUTH_REG="$AUTH_REG kerb4"
;;
esac
fi
# Check whether --with-kerb5 was given.
if test "${with_kerb5+set}" = set; then :
withval=$with_kerb5; case $with_kerb5 in
@@ -18196,309 +18179,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then
done
fi
if test ${with_kerb4-'no'} != "no"; then
$as_echo "#define HAVE_KERB4 1" >>confdefs.h
O_LDFLAGS="$LDFLAGS"
if test "$with_kerb4" = "yes"; then
found=no
O_CPPFLAGS="$CPPFLAGS"
for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do
CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <krb.h>
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_cpp "$LINENO"; then :
found=yes; break
fi
rm -f conftest.err conftest.i conftest.$ac_ext
done
test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS"
else
if test X"$with_rpath" = X"yes"; then
case "$host" in
*-*-hpux*) LDFLAGS="${LDFLAGS} -L${with_kerb4}/lib -Wl,+b,${with_kerb4}/lib"
;;
*) LDFLAGS="${LDFLAGS} -L${with_kerb4}/lib -Wl,-R${with_kerb4}/lib"
;;
esac
else
LDFLAGS="${LDFLAGS} -L${with_kerb4}/lib"
fi
if test X"$blibpath" != X"" -a "LDFLAGS" = "SUDO_LDFLAGS"; then
blibpath_add="${blibpath_add}:${with_kerb4}/lib"
fi
if test X"$with_rpath" = X"yes"; then
case "$host" in
*-*-hpux*) SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -L${with_kerb4}/lib -Wl,+b,${with_kerb4}/lib"
;;
*) SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -L${with_kerb4}/lib -Wl,-R${with_kerb4}/lib"
;;
esac
else
SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -L${with_kerb4}/lib"
fi
if test X"$blibpath" != X"" -a "SUDOERS_LDFLAGS" = "SUDO_LDFLAGS"; then
blibpath_add="${blibpath_add}:${with_kerb4}/lib"
fi
CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include"
ac_fn_c_check_header_mongrel "$LINENO" "krb.h" "ac_cv_header_krb_h" "$ac_includes_default"
if test "x$ac_cv_header_krb_h" = xyes; then :
found=yes
else
found=no
fi
fi
if test X"$found" = X"no"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&5
$as_echo "$as_me: WARNING: Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&2;}
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for des_cbc_encrypt in -ldes" >&5
$as_echo_n "checking for des_cbc_encrypt in -ldes... " >&6; }
if ${ac_cv_lib_des_des_cbc_encrypt+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-ldes $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char des_cbc_encrypt ();
int
main ()
{
return des_cbc_encrypt ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_des_des_cbc_encrypt=yes
else
ac_cv_lib_des_des_cbc_encrypt=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_des_des_cbc_encrypt" >&5
$as_echo "$ac_cv_lib_des_des_cbc_encrypt" >&6; }
if test "x$ac_cv_lib_des_des_cbc_encrypt" = xyes; then :
K4LIBS="-ldes"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for des_cbc_encrypt in -ldes425" >&5
$as_echo_n "checking for des_cbc_encrypt in -ldes425... " >&6; }
if ${ac_cv_lib_des425_des_cbc_encrypt+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-ldes425 $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char des_cbc_encrypt ();
int
main ()
{
return des_cbc_encrypt ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_des425_des_cbc_encrypt=yes
else
ac_cv_lib_des425_des_cbc_encrypt=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_des425_des_cbc_encrypt" >&5
$as_echo "$ac_cv_lib_des425_des_cbc_encrypt" >&6; }
if test "x$ac_cv_lib_des425_des_cbc_encrypt" = xyes; then :
K4LIBS="-ldes425"
else
K4LIBS=""
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using KTH Kerberos IV" >&5
$as_echo_n "checking whether we are using KTH Kerberos IV... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <krb.h>
int
main ()
{
const char *tmp = krb4_version;
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
K4LIBS="${K4LIBS} -lcom_err"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lroken" >&5
$as_echo_n "checking for main in -lroken... " >&6; }
if ${ac_cv_lib_roken_main+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lroken $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
return main ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_roken_main=yes
else
ac_cv_lib_roken_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_roken_main" >&5
$as_echo "$ac_cv_lib_roken_main" >&6; }
if test "x$ac_cv_lib_roken_main" = xyes; then :
K4LIBS="${K4LIBS} -lroken"
fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
as_ac_Lib=`$as_echo "ac_cv_lib_krb_main$K4LIBS" | $as_tr_sh`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lkrb" >&5
$as_echo_n "checking for main in -lkrb... " >&6; }
if eval \${$as_ac_Lib+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lkrb $K4LIBS $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
return main ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
eval "$as_ac_Lib=yes"
else
eval "$as_ac_Lib=no"
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
eval ac_res=\$$as_ac_Lib
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
K4LIBS="-lkrb $K4LIBS"
else
as_ac_Lib=`$as_echo "ac_cv_lib_krb4_main$K4LIBS" | $as_tr_sh`
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lkrb4" >&5
$as_echo_n "checking for main in -lkrb4... " >&6; }
if eval \${$as_ac_Lib+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lkrb4 $K4LIBS $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
return main ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
eval "$as_ac_Lib=yes"
else
eval "$as_ac_Lib=no"
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
eval ac_res=\$$as_ac_Lib
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
$as_echo "$ac_res" >&6; }
if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
K4LIBS="-lkrb4 $K4LIBS"
else
K4LIBS="-lkrb $K4LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS" >&5
$as_echo "$as_me: WARNING: Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS" >&2;}
fi
fi
LDFLAGS="$O_LDFLAGS"
SUDOERS_LIBS="${SUDOERS_LIBS} $K4LIBS"
AUTH_OBJS="$AUTH_OBJS kerb4.lo"
fi
if test ${with_kerb5-'no'} != "no"; then
# Extract the first word of "krb5-config", so it can be a program name with args.
set dummy krb5-config; ac_word=$2
@@ -22487,6 +22167,5 @@ fi


@@ -402,15 +402,6 @@ AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV su
;;
esac])
AC_ARG_WITH(kerb4, [AS_HELP_STRING([--with-kerb4[[=DIR]]], [enable Kerberos IV support])],
[case $with_kerb4 in
no) ;;
*) AC_MSG_CHECKING(whether to try kerberos IV authentication)
AC_MSG_RESULT(yes)
AUTH_REG="$AUTH_REG kerb4"
;;
esac])
AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
[case $with_kerb5 in
no) ;;
@@ -2517,65 +2508,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then
done
fi
dnl
dnl Kerberos IV
dnl
if test ${with_kerb4-'no'} != "no"; then
AC_DEFINE(HAVE_KERB4)
dnl
dnl Use the specified directory, if any, else search for correct inc dir
dnl
O_LDFLAGS="$LDFLAGS"
if test "$with_kerb4" = "yes"; then
found=no
O_CPPFLAGS="$CPPFLAGS"
for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do
CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]])], [found=yes; break])
done
test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS"
else
SUDO_APPEND_LIBPATH(LDFLAGS, [${with_kerb4}/lib])
SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb4}/lib])
CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include"
AC_CHECK_HEADER([krb.h], [found=yes], [found=no])
fi
if test X"$found" = X"no"; then
AC_MSG_WARN([Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
fi
dnl
dnl Check for -ldes vs. -ldes425
dnl
AC_CHECK_LIB(des, des_cbc_encrypt, [K4LIBS="-ldes"], [
AC_CHECK_LIB(des425, des_cbc_encrypt, [K4LIBS="-ldes425"], [K4LIBS=""])
])
dnl
dnl Try to determine whether we have KTH or MIT/CNS Kerberos IV
dnl
AC_MSG_CHECKING(whether we are using KTH Kerberos IV)
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb.h>]], [[const char *tmp = krb4_version;]])], [
AC_MSG_RESULT(yes)
K4LIBS="${K4LIBS} -lcom_err"
AC_CHECK_LIB(roken, main, [K4LIBS="${K4LIBS} -lroken"])
], [
AC_MSG_RESULT(no)
]
)
dnl
dnl The actual Kerberos IV lib might be -lkrb or -lkrb4
dnl
AC_CHECK_LIB(krb, main, [K4LIBS="-lkrb $K4LIBS"], [
AC_CHECK_LIB(krb4, main, [K4LIBS="-lkrb4 $K4LIBS"],
[K4LIBS="-lkrb $K4LIBS"]
[AC_MSG_WARN([Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS])]
, [$K4LIBS])
], [$K4LIBS])
LDFLAGS="$O_LDFLAGS"
SUDOERS_LIBS="${SUDOERS_LIBS} $K4LIBS"
AUTH_OBJS="$AUTH_OBJS kerb4.lo"
fi
dnl
dnl Kerberos V
dnl There is an easy way and a hard way...
@@ -3166,7 +3098,6 @@ AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.])
AH_TEMPLATE(HAVE_IN6_ADDR, [Define to 1 if <netinet/in.h> contains struct in6_addr.])
AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])
AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)])
AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])


@@ -121,9 +121,6 @@ A) Sudo removes the following "dangerous" environment variables
_RLD_*
SHLIB_PATH (HP-UX only)
LIBPATH (AIX only)
KRB_CONF (kerb4 only)
KRBCONFDIR (kerb4 only)
KRBTKFILE (kerb4 only)
KRB5_CONFIG (kerb5 only)
VAR_ACE (SecurID only)
USR_ACE (SecurID only)


@@ -54,7 +54,7 @@ sub mkdep {
$makefile =~ s:\@SUDO_OBJS\@:preload.o selinux.o sesh.o sudo_noexec.lo:;
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb4.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid.lo securid5.lo sia.lo:;
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid.lo securid5.lo sia.lo:;
$makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mktemp.lo nanosleep.lo setenv.lo siglist.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo unsetenv.lo utimes.lo globtest.o fnm_test.o:;
# Parse OBJS lines
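Review bot: The `@AUTH_OBJS@` substitution on the changed line is still a hand-maintained list of every auth backend object, so removing a backend only stays consistent if this line is edited by hand alongside the MANIFEST and Makefile changes, as this commit does for `kerb4.lo`. The `XXX` comment directly above already asks for the list to be filled in from the auth directory. Until that is done, a comment such as `# keep in sync with plugins/sudoers/auth/*.c and MANIFEST` above the substitution would make the coupling explicit for the next backend removal. The enclosing `sub mkdep` starts and ends outside this hunk.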


@@ -523,13 +523,6 @@ iolog_path.lo: $(srcdir)/iolog_path.c $(top_builddir)/config.h \
$(incdir)/gettext.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/iolog_path.c
iolog_path.o: iolog_path.lo
kerb4.lo: $(authdir)/kerb4.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
$(incdir)/alloc.h $(incdir)/list.h $(incdir)/fileops.h \
$(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/kerb4.c
kerb5.lo: $(authdir)/kerb5.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
$(incdir)/alloc.h $(incdir)/list.h $(incdir)/fileops.h \


@@ -1,104 +0,0 @@
/*
* Copyright (c) 1999-2005, 2007, 2010-2011
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
# include <string.h>
#endif /* HAVE_STRING_H */
#ifdef HAVE_STRINGS_H
# include <strings.h>
#endif /* HAVE_STRING_H */
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <pwd.h>
#include <krb.h>
#include "sudoers.h"
#include "sudo_auth.h"
int
kerb4_init(struct passwd *pw, sudo_auth *auth)
{
static char realm[REALM_SZ];
debug_decl(kerb4_init, SUDO_DEBUG_AUTH)
/* Don't try to verify root */
if (pw->pw_uid == 0)
debug_return_int(AUTH_FAILURE);
/* Get the local realm, or retrun failure (no krb.conf) */
if (krb_get_lrealm(realm, 1) != KSUCCESS)
debug_return_int(AUTH_FAILURE);
/* Stash a pointer to the realm (used in kerb4_verify) */
auth->data = (void *) realm;
debug_return_int(AUTH_SUCCESS);
}
int
kerb4_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
char tkfile[sizeof(_PATH_SUDO_TIMEDIR) + 4 + MAX_UID_T_LEN];
char *realm = (char *) auth->data;
int error;
debug_decl(kerb4_verify, SUDO_DEBUG_AUTH)
/*
* Set the ticket file to be in sudo sudo timedir so we don't
* wipe out other (real) kerberos tickets.
*/
(void) snprintf(tkfile, sizeof(tkfile), "%s/tkt%u",
_PATH_SUDO_TIMEDIR, (unsigned int) pw->pw_uid);
(void) krb_set_tkt_string(tkfile);
/* Convert the password to a ticket given. */
error = krb_get_pw_in_tkt(pw->pw_name, "", realm, "krbtgt", realm,
DEFAULT_TKT_LIFE, pass);
switch (error) {
case INTK_OK:
dest_tkt(); /* we are done with the temp ticket */
debug_return_int(AUTH_SUCCESS);
break;
case INTK_BADPW:
case KDC_PR_UNKNOWN:
break;
default:
(void) fprintf(stderr, "Warning: Kerberos error: %s\n",
krb_err_txt[error]);
}
debug_return_int(AUTH_FAILURE);
}


@@ -82,9 +82,6 @@ static sudo_auth auth_switch[] = {
#ifdef HAVE_DCE
AUTH_ENTRY("dce", 0, NULL, NULL, dce_verify, NULL, NULL, NULL)
#endif
#ifdef HAVE_KERB4
AUTH_ENTRY("kerb4", 0, kerb4_init, NULL, kerb4_verify, NULL, NULL, NULL)
#endif
#ifdef HAVE_KERB5
AUTH_ENTRY("kerb5", 0, kerb5_init, kerb5_setup, kerb5_verify, kerb5_cleanup, NULL, NULL)
#endif


@@ -83,8 +83,6 @@ int rfc1938_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
int rfc1938_verify(struct passwd *pw, char *pass, sudo_auth *auth);
int afs_verify(struct passwd *pw, char *pass, sudo_auth *auth);
int dce_verify(struct passwd *pw, char *pass, sudo_auth *auth);
int kerb4_init(struct passwd *pw, sudo_auth *auth);
int kerb4_verify(struct passwd *pw, char *pass, sudo_auth *auth);
int kerb5_init(struct passwd *pw, sudo_auth *auth);
int kerb5_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
int kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth);


@@ -131,11 +131,6 @@ static const char *initial_badenv_table[] = {
#ifdef __APPLE__
"DYLD_*",
#endif
#ifdef HAVE_KERB4
"KRB_CONF*",
"KRBCONFDIR",
"KRBTKFILE",
#endif /* HAVE_KERB4 */
#ifdef HAVE_KERB5
"KRB5_CONFIG*",
"KRB5_KTNAME",