D53884.diff

diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod
--- a/contrib/pam-krb5/docs/pam_krb5.pod
+++ b/contrib/pam-krb5/docs/pam_krb5.pod
@@ -57,12 +57,10 @@
local key and that the PAM module be running as a user that can read the
keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM
module at a different keytab with the I<keytab> option. If that keytab
-cannot be read or if no keys are found in it, the default (potentially
-insecure) behavior is to skip this check. If you want to instead fail
-authentication if the obtained tickets cannot be checked, set
-C<verify_ap_req_nofail> to true in the [libdefaults] section of
-F</etc/krb5.conf>. Note that this will affect applications other than
-this PAM module.
+cannot be read or if no keys are found in it, the default behavior is to
+fail authentication. If you want to skip this check, set the
+C<allow_kdc_spoof> option to true either in the [appdefaults] section of
+F</etc/krb5.conf> or in the PAM policy.
By default, whenever the user is authenticated, a basic authorization
check will also be done using krb5_kuserok(). The default behavior of
@@ -218,6 +216,11 @@
=over 4
+=item allow_kdc_spoof
+
+Allow authentication to succeed even if there is no host or service
+key available in a keytab to authenticate the Kerberos KDC's ticket.
+
=item alt_auth_map=<format>
[3.12] This functions similarly to the I<search_k5login> option. The
diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c
--- a/contrib/pam-krb5/module/auth.c
+++ b/contrib/pam-krb5/module/auth.c
@@ -696,6 +696,12 @@
if (cursor_valid)
krb5_kt_end_seq_get(c, keytab, &cursor);
}
+#ifdef __FreeBSD__
+ if (args->config->allow_kdc_spoof)
+ opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+ else
+ opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+#endif /* __FreeBSD__ */
retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts);
if (retval != 0)
putil_err_krb5(args, retval, "credential verification failed");
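Review bot: The `else` branch `opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;` only raises the flag bit, and if I recall the library semantics correctly (both Heimdal and MIT), that bit means "the `ap_req_nofail` member is authoritative" while the member itself is still zero from the option initialisation done earlier in the function, so the documented fail-closed default would most likely not be enforced and an unreadable or empty keytab would still be skipped. Replacing the four-line if/else with the public setter sets both fields and avoids poking the option struct's internals: `krb5_verify_init_creds_opt_set_ap_req_nofail(&opts, !args->config->allow_kdc_spoof);`. A short comment such as `/* Fail closed unless the admin explicitly opts into KDC spoofing. */` above it would also document why the default differs from upstream. The enclosing function starts and ends outside the hunk, so the initialisation of `opts` is inferred rather than visible here.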
diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h
--- a/contrib/pam-krb5/module/internal.h
+++ b/contrib/pam-krb5/module/internal.h
@@ -62,6 +62,9 @@
long minimum_uid; /* Ignore users below this UID. */
bool only_alt_auth; /* Alt principal must be used. */
bool search_k5login; /* Try password with each line of .k5login. */
+#ifdef __FreeBSD__
+ bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */
+#endif /* __FreeBSD__ */
/* Kerberos behavior. */
char *fast_ccache; /* Cache containing armor ticket. */
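Review bot: The new field's comment on `bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */` departs from the neighbouring entries: it is not separated from the declarator by whitespace and lacks the terminating period the other field comments carry. Suggest `bool allow_kdc_spoof; /* Allow auth even if the KDC cannot be verified. */` so the struct reads consistently.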
diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c
--- a/contrib/pam-krb5/module/options.c
+++ b/contrib/pam-krb5/module/options.c
@@ -30,6 +30,9 @@
#define K(name) (#name), offsetof(struct pam_config, name)
/* clang-format off */
static const struct option options[] = {
+#ifdef __FreeBSD__
+ { K(allow_kdc_spoof), true, BOOL (false) },
+#endif /* __FreeBSD__ */
{ K(alt_auth_map), true, STRING (NULL) },
{ K(anon_fast), true, BOOL (false) },
{ K(banner), true, STRING ("Kerberos") },
