1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385
|
User-Visible pam-afs-session Changes
pam-afs-session 2.5 (2011-07-25)
Reset the SIGCHLD handler while spawning an external aklog program so
that the application SIGCHLD handler isn't invoked when aklog exits.
This unfortunately still means that there's a race condition that can
cause children to be incorrectly handled if they exit while aklog is
running, if the application's SIGCHLD handler is required. There is
unfortunately no good general solution to this other than building
against Heimdal and using the libkafs interface to obtain tokens
instead of an external program.
Default to nopag on Mac OS X, since the operating system doesn't have
PAG support.
Fix error handling when krb5_appdefault_string returns without setting
the result string. Fixes a possible segfault during configuration
parsing on Mac OS X 10.7.
Update to rra-c-util 3.7:
* Fail during configure if AFS headers are required and not found.
* Add notices to all files copied over from rra-c-util.
* Include strings.h for additional POSIX functions where found.
* Fix detection of whether PAM uses const on FreeBSD.
pam-afs-session 2.4 (2011-06-08)
Fix a memory allocation and initialization bug in the previous release
that could result in a free of unallocated memory.
pam-afs-session 2.3 (2011-06-07)
If there is no KRB5CCNAME environment variable set in the PAM
environment but there is one set in the regular environment, still run
aklog and use the KRB5CCNAME from the general environment. This
provides correct behavior in cases such as password-less sudo with the
KRB5CCNAME environment variable preserved.
Update to rra-c-util 3.6:
* Fix compilation error with --without-krb5.
* Update flags for make warnings to GCC 4.6.1.
Update to C TAP Harness 1.7:
* Add a more complete usage message and a -h command-line flag.
pam-afs-session 2.2 (2011-03-03)
Stop returning PAM_IGNORE from pam_setcred if AFS is not available or
if we're deleting credentials but the PAM module is configured not to
delete tokens. Instead, return PAM_SUCCESS. This fixes problems with
the Linux PAM library where returning PAM_IGNORE would cause
pam_setcred to fail even if other modules succeeded.
When using libkafs, close the ticket cache after obtaining tokens.
Fixes a memory leak.
Fix the error return statuses for pam_setcred. Previously, on error,
it was returning PAM_SESSION_ERR, which is a return status that's only
supposed to be used for pam_open_session and pam_close_session.
Instead, return PAM_USER_UNKNOWN or PAM_CRED_ERR as appropriate.
Update to rra-c-util 3.2:
* Check if the string being duplicated is NULL in strndup replacement.
pam-afs-session 2.1 (2011-01-23)
The program setting can now include arguments to pass to the program
to run to obtain tokens, separated by commas (or spaces or tabs if
your PAM configuration syntax supports it). If program is set in
krb5.conf, additional options can be specified separated by spaces.
As a side effect, program paths containing spaces or commas will no
longer work correctly since the text after the space or comma will be
interpreted as an argument. Please let me know if this was a feature
that you were using.
Fix compilation of the pam_syslog and pam_vsyslog replacement
functions for platforms whose PAM libraries lack those functions.
Fix compilation of the embedded kafs layer for Mac OS X 10.6 and
hopefully fix detection of whether AFS is present. Thanks, Andy
Cobaugh.
Fix broken GCC attribute markers that may have caused compilation
problems with any non-GCC compiler.
Add a replacement for strndup if the system C library doesn't provide
the function (such as on Mac OS X).
Document that "nopag" should be added to the configuration on Mac OS X
where PAGs are not supported.
Update to rra-c-util 3.1:
* Include supplemental libraries in manual Kerberos library probes.
* Avoid warnings when probing for ibm_svc/krb5_svc.h.
pam-afs-session 2.0 (2010-12-29)
If there is no PAG, create a new one and obtain tokens in pam_setcred
and pam_open_session even if the module has already run. This works
around destruction of the PAG on Linux by keyring initialization
modules, which can otherwise be hard to avoid due to the ordering
between the auth and session stacks. This support uses the
VIOC_GETPAG AFS system call if it is available and falls back on
analyzing the supplemental group list if it is not.
Add untested support for the ioctl AFS system call methods on Mac OS X
and Solaris 11 to the included kafs library, which is used if neither
libkafs nor libkopenafs is available.
Avoid returning an uninitialized value from pam_open_session when
notokens is set. Thanks, Ian Ward Comfort.
pam_close_session now removes the module data indicating that tokens
were already obtained so that opening another session using the same
PAM handle will work correctly.
pam-afs-session is now built using Automake and Libtool to bring it
more in line with other software packages. This means that it now
relies on Libtool to know how to generate a loadable module rather
than hand-configured linker rules. This may improve portability on
some platforms and may hurt it on other platforms.
The symbols exported by the PAM module are now limited to only the
public API on all platforms where Libtool supports limiting symbol
exports.
On Linux, if configured with a prefix of /usr (rather than /usr/local,
the default), the module will be installed into /lib/security (or
/lib32/security or /lib64/security if they exist) rather than
/usr/lib/security to match the default PAM configuration.
The module is now installed under $libdir/security, rather than a
lib32 or lib64 directory, except for the special case of /usr. To
install into another lib32 or lib64 directory, use the --libdir option
to configure.
Fix a configure error when built --without-krb5.
When debugging is enabled, log an exit status of PAM_IGNORE as ignore
rather than failure.
Update the embedded kafs code to rra-c-util 3.0, adding
--with-libkafs-include, --with-libkafs-lib, --with-afs-include, and
--with-afs-lib configure options for finer control. Remove obsolete
--with-afs-headers configure option (use --with-afs-include instead).
Add an initial test suite that tests basic functionality and some
options.
Update to rra-c-util 3.0:
* Add --with-krb5-include and --with-krb5-lib configure options.
* Don't break if the user clobbers CPPFLAGS at build time.
* Fall back on manual probing if krb5-config results don't work.
* Suppress error output from krb5-config probes.
* Search for krb5-config in /usr/kerberos/bin for Red Hat systems.
* Add support for the old Heimdal krb5_get_error_string interface.
* Handle the bundled Heimdal on OpenBSD without a separate libroken.
* Add portability to systems with a broken snprintf or vsnprintf.
* Update make warnings flags for gcc 4.4.
Update to C TAP Harness 1.6:
* Flush standard error before results in the C TAP library.
* Improve test failure output formatting in some edge cases.
pam-afs-session 1.7 (2008-07-10)
Return PAM_IGNORE instead of PAM_SUCCESS from all functions when AFS
isn't available, and when functions are skipped due to the
configuration. We would like to do this in pam_authenticate as well
(it would be much safer), but there is a bug in (at least) Linux PAM
0.99.7.1 (and probably earlier) that treats this as authentication
failure if the module is configured with [default=done].
Fix Autoconf syntax error when probing for libkrb5support. Thanks,
Mike Garrison.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb5. If krb5-config isn't
executable, don't use it. This allows one to force library probing by
setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
Set an explicit visibility of hidden for all internal functions at
compile time if gcc is used to permit better optimization. Hide all
functions except the official interfaces using a version script on
Linux. This protects against leaking symbols into the application
namespace and provides some mild optimization benefit.
Fix the probing of PAM headers for const on Mac OS X. This will
suppress some harmless compiler warnings there. Thanks, Markus
Moeller.
pam-afs-session 1.6 (2008-03-08)
Correctly check the exit status of aklog and don't think acquiring
tokens was successful when aklog failed. Thanks, Douglas Engert
and Chaskiel Grundman.
Build with _REENTRANT set for correct errno handling in threaded
applications on Solaris.
Build with Kerberos support by default if Kerberos libraries are
found. To disable Kerberos support, pass --without-krb5 to
configure. The option to specify the Kerberos library location is now
--with-krb5, not --with-kerberos.
Add support for AIX's bundled Kerberos. Thanks to Markus Moeller for
the porting information.
Define _ALL_SOURCE on AIX to get a prototype for vsnprintf.
Add compiler and linker flags for AIX. Thanks, Thomas Williams.
Try to determine whether the PAM headers use const in the prototypes
of such things as pam_get_item and adjust accordingly. This should
address compiler warnings on Solaris. Thanks, Markus Moeller.
Add additional documentation of interactions with the native pam_krb5
on Solaris to README. pam_afs_session needs to be run from the auth
group, not the session group, with at least some services when used
with the Solaris pam_krb5.
Document bad interactions with pam_keyinit on Linux in README.
Add example PAM configurations for Debian, Red Hat, and Solaris based
on Stanford's Linux configurations and a Solaris configuration from
Maciej Malek. Hopefully I didn't break anything while merging
examples.
pam-afs-session 1.5 (2007-09-30)
Free the results of pam_getenvlist and the command-line argument for
aklog properly.
Don't de-reference a NULL pointer if memory allocation fails while
parsing PAM options. Thanks, Jason D. McCormick.
Change lib to lib64 on x86_64 Linux to allow for the magical $ISA
parameter in Red Hat's PAM configuration. Hopefully this won't cause
problems elsewhere.
Fix linker determination when using gcc on HP-UX.
Add additional debugging output when acquiring or destroying tokens.
pam-afs-session 1.4 (2007-05-10)
Added the afs_cells configuration option which specifies the list of
cells in which to get tokens.
Ported to HP-UX. HP-UX's PAM libraries do not support a separate
environment used for the new session, so manipulate the regular
environment instead. Thanks to Joe Buehler for the port.
Document using the module with Mac OS X, now that it's been confirmed
to work with sshd on that platform.
Support DESTDIR for make install.
pam-afs-session 1.3 (2007-04-11)
Add a notokens configuration option which, when set, tells the module
to only create a PAG and not to try to obtain tokens. Based on a
patch from Jason McCormick.
When forking an external aklog, also close standard input and reopen
it to /dev/null. Normal aklog programs won't try to read from
standard input, but don't connect their standard input to any stray
file descriptor inherited by the process just in case.
Make --with-kerberos and --without-libkafs work properly together.
Improve diagnostics around token acquisition. Thanks, Jeff Blaine.
pam-afs-session 1.2 (2007-03-24)
Add support for calling the Heimdal libkafs functions for obtaining
AFS tokens rather than running an external aklog program. This
support is the default if libkafs and the Kerberos v5 functions were
found at build time and --with-kerberos was passed to configure.
When retain_after_close is set, don't destroy tokens on DELETE_CRED
either. OpenSSH calls this when the session dies. Thanks to Thomas
Kula for the patch.
Don't fail during configure if Kerberos libraries couldn't be found
unless --with-kerberos was explicitly requested.
Produce better error messages when Kerberos operations fail.
Added --without-libkafs to force using the internal AFS syscall
implementation and not link with libkafs or libkopenafs, even if the
libraries are available.
Fix installation of the man page when building outside of the source
directory.
pam-afs-session 1.1 (2006-12-18)
Add optional support for linking with the Kerberos libraries and
obtaining configuration from the system krb5.conf file.
Add the kdestroy option which, if built with Kerberos support, removes
the ticket cache after successfully running aklog.
Actually link with libkafs if we detect it at configure time.
Fix a bug in reporting unknown options.
pam-afs-session 1.0 (2006-12-06)
Add --with-afs-headers to configure so that the user doesn't have to
know the right syntax for setting CPPFLAGS.
When using gcc, link with -fPIC as well as compiling with it per the
gcc documentation.
Add additional configuration information for Solaris.
Link explicitly against the Kerberos libraries by default when linking
with libkafs, only relying on transitive shared library dependencies
when --enable-reduced-depends is passed to configure. This should not
be necessary on any of the currently supported platforms but may make
porting easier to systems with deficient shared library support.
Support building on Mac OS X. The resulting module isn't tested and
may not work. Thanks, Sebastian Hagedorn.
pam-afs-session 0.3 (2006-11-28)
Compile in a default path to aklog if configure can find it on the
path or if told the path with the --with-aklog option. In this case,
program is now optional in the PAM configuration.
Use __func__ instead of __FUNCTION__ and provide a fallback for older
versions of gcc and for systems that support neither. Should fix
compilation issues with Sun's C compiler.
On platforms where we know the appropriate compiler flags, try to
build the module so that symbols are resolved within the module in
preference to any externally available symbols. Also add the
hopefully correct compiler flags for Sun's C compiler.
pam-afs-session 0.2 (2006-11-17)
Add a man page.
Add a fallback implementation of the AFS system call for platforms
that use syscall, and add the signal handler protection for the
k_hasafs probe for those platforms. The PAM module should now build
on Solaris without requiring libkafs or libkopenafs.
Add an always_aklog option saying to always run aklog even if the user
doesn't appear to have a ticket cache.
Add an aklog_homedir option saying to pass -p <homedir> to aklog.
This will obtain tokens in whatever AFS cells are required to access
the user's home directory and can be used when something more complex
than obtaining tokens in the local default cell is needed.
Reopen stdout and stderr to /dev/null before running aklog so that any
error messages from aklog don't confuse the calling program.
Log a message if aklog fails, but return PAM_SUCCESS from the module
whether aklog succeeded or not. If we fail, the user may be kicked
out of their session even though AFS tokens may not be necessary and
only obtained as a convenience. Obtaining a PAG is still required.
pam-afs-session 0.1 (2006-11-10)
Initial beta release.
Supports libkafs and libkopenafs in theory, but only the internal
syscall layer has been tested. No man page yet, and the program to
run to obtain tokens must be specified in the PAM options.
|