Page MenuHomeFreeBSD
Differential D50696

pam_krb5: Stitch pam-krb5 plumbing into libpam
ClosedPublic
Actions

Authored by cy on Jun 5 2025, 5:58 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Oct 18, 11:17 AM
Unknown Object (File)
Sat, Oct 18, 12:53 AM
Unknown Object (File)
Wed, Oct 15, 6:18 AM
Unknown Object (File)
Tue, Oct 14, 11:56 AM
Unknown Object (File)
Tue, Oct 14, 11:56 AM
Unknown Object (File)
Tue, Oct 14, 11:56 AM
Unknown Object (File)
Tue, Oct 14, 11:56 AM
Unknown Object (File)
Tue, Oct 14, 11:56 AM
View All 69 Files
Subscribers
None

Details

Reviewers
imp
jhb
jrm
emaste
brooks
kevans
sjg
bapt
markj
fuz
des
Commits
rG3d79be24cf16: pam_krb5: Stitch pam-krb5 plumbing into libpam
Summary

The eyeire.org pam-krb5 supports MIT KRB5 and Heimdal. FreeBSD will use
it to implement pam_krb5 for MIT KRB5. The existing libpam pam_krb5
only supports Heimdal and therefore cannot be used with the MIT KRB5
import.

Sponsored by: The FreeBSD Foundation

Test Plan

Already running here

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

cy requested review of this revision.Jun 5 2025, 5:58 AM
cy created this revision.
jhb added inline comments.Jun 5 2025, 1:33 PM
lib/libpam/modules/pam_krb5/pam_krb5.c
63

Why is this diff here if you aren't using this file with MIT?

lib/libpam/modules/pam_ksu/pam_ksu.c
85 ↗(On Diff #156568)

I don't understand how this can work though as you are freeing the realm right away? Doesn't that mean you get a use after free below when you call krb5_build_principal_va? That is, should this be more like:

krb5_error_code rc;
va_list ap;
krb5_realm tem_realm = NULL;

if (realm == NULL) {
    rc = krb5_get_default_realm(context, &temp_realm);
    if (rc != 0)
        return (rc);
}

va_start(ap, realm);
rc = krb5_build_principal_va(...);
va_end(ap);
free(temp_realm);
return (rc);
91 ↗(On Diff #156568)

I don't understand this comment at all. The calling code does indeed call krb5_free_principal, and this function is only called with principal == NULL, so this seems like it would always fault immediately? Have you tested this case? It seems to me that this should be taking a pointer to principal just as in the KTH case, and then this code should indeed be calling the alloc version, and this whole comment should go away.

288 ↗(On Diff #156568)

Call to krb5_free_principal that the comment seems to claim doesn't exist.

cy added a comment.Jun 5 2025, 4:27 PM

I will regen this patch to exclude pam_ksu. This review and commit should only touch pam_krb5. A new review will be submitted for pam_ksu.

lib/libpam/modules/pam_ksu/pam_ksu.c
85 ↗(On Diff #156568)

I don't understand how this can work though as you are freeing the realm right away? Doesn't that mean you get a use after free below when you call krb5_build_principal_va? That is, should this be more like:

krb5_error_code rc;
va_list ap;
krb5_realm tem_realm = NULL;

if (realm == NULL) {
    rc = krb5_get_default_realm(context, &temp_realm);
    if (rc != 0)
        return (rc);
}

va_start(ap, realm);
rc = krb5_build_principal_va(...);
va_end(ap);
free(temp_realm);
return (rc);

You are correct. I can't say what I was thinking at the time (a year ago). Embarrassing.

85 ↗(On Diff #156568)

I don't understand how this can work though as you are freeing the realm right away? Doesn't that mean you get a use after free below when you call krb5_build_principal_va? That is, should this be more like:

krb5_error_code rc;
va_list ap;
krb5_realm tem_realm = NULL;

if (realm == NULL) {
    rc = krb5_get_default_realm(context, &temp_realm);
    if (rc != 0)
        return (rc);
}

va_start(ap, realm);
rc = krb5_build_principal_va(...);
va_end(ap);
free(temp_realm);
return (rc);
91 ↗(On Diff #156568)

The comment is correct. We are using krb5_build_principal_va() but it is deprecated in MIT. See https://web.mit.edu/kerberos/krb5-devel/doc/appdev/refs/api/krb5_build_principal_va.html, This is a mental note to me to use krb5_build_principal_alloc_va() instead. We have some time to replace the call. Just a reminder.

cy updated this revision to Diff 156586.Jun 5 2025, 4:30 PM

My mistake for including pam_ksu in this review/commit. My fault.

cy updated this revision to Diff 156805.Jun 10 2025, 8:23 PM

-U99999 version.

cy updated this revision to Diff 156895.Jun 12 2025, 2:43 PM

Updated patch based on a comment left by markj@ in another review.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 16 2025, 2:52 AM
Closed by commit rG3d79be24cf16: pam_krb5: Stitch pam-krb5 plumbing into libpam (authored by cy). · Explain Why
This revision was automatically updated to reflect the committed changes.
cy added a commit: rG3d79be24cf16: pam_krb5: Stitch pam-krb5 plumbing into libpam.

Revision Contents
Changeset List

PathSize
lib/
libpam/
modules/
pam_krb5/
52 lines
412 lines
3 lines

Diff 156586

View Options

lib/libpam/modules/pam_krb5/Makefile

Loading...
View Options

lib/libpam/modules/pam_krb5/config.h

Loading...
View Options

lib/libpam/modules/pam_krb5/pam_krb5.c

Loading...