#
296373 |
|
04-Mar-2016 |
marius |
- Copy stable/10@296371 to releng/10.3 in preparation for 10.3-RC1 builds. - Update newvers.sh to reflect RC1. - Update __FreeBSD_version to reflect 10.3. - Update default pkg(8) configuration to use the quarterly branch.
Approved by: re (implicit) |
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
233406 |
|
24-Mar-2012 |
stas |
- Avoid using deprecated heimdal functions in pam_krb5.
|
#
233294 |
|
22-Mar-2012 |
stas |
- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for a particular service. o kf(1) securily forwards ticket to another host through an authenticated and encrypted stream. o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now. o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM. o hxtool(1) is a certificate management tool to use with PKINIT. o string2key(1) maps a password into key. o kdigest(8) is a userland tool to access the KDC's digest interface. o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well.
- This is not a latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
|
#
204585 |
|
02-Mar-2010 |
uqs |
Always assign WARNS using ?=
- fix some nearby style bugs - include Makefile.inc where it makes sense and reduces duplication
Approved by: ed (co-mentor)
|
#
202522 |
|
17-Jan-2010 |
marcel |
Unbreak builds with _FREEFALL_CONFIG=yes, by forcing a lower WARNS level in that case.
|
#
201381 |
|
02-Jan-2010 |
ed |
Build lib/ with WARNS=6 by default.
Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and lower it when needed.
I'm setting WARNS?=0 for secure/. It seems secure/ includes the Makefile.inc provided by lib/. I'm not going to touch that directory. Most of the code there is contributed anyway.
|
#
178828 |
|
07-May-2008 |
dfr |
Fix conflicts after heimdal-1.1 import and add build infrastructure. Import all non-style changes made by heimdal to our own libgssapi.
|
#
147830 |
|
08-Jul-2005 |
kensmith |
Missed one piece of the cluster's quirk. Need to override WARNS because if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c no longer uses any of its parameters.
Pointy hat: kensmith Approved by: re (scottl)
|
#
147810 |
|
07-Jul-2005 |
kensmith |
This is sort of an MFS. Peter made these changes to the RELENG_* branches but missed HEAD. This patch extends his a little bit, setting it up via the Makefiles so that adding _FREEFALL_CONFIG to /etc/make.conf is the only thing needed to cluster-ize things (current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches: > Add the freebsd.org custer's source modifications under #ifdefs to aid > keeping things in sync. For ksu: > * install suid-root by default > * don't fall back to asking for a unix password (ie: be pure kerberos) > * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days Approved by: re (dwhite)
|
#
133196 |
|
06-Aug-2004 |
cperciva |
Join the 21st century: Cryptography is no longer an optional component of releases. The -DNOCRYPT build option still exists for anyone who really wants to build non-cryptographic binaries, but the "crypto" release distribution is now part of "base", and anyone installing from a release will get cryptographic binaries.
Approved by: re (scottl), markm Discussed on: freebsd-current, in late April 2004
|
#
125426 |
|
04-Feb-2004 |
ru |
This module doesn't use libgssapi (and it looks never did).
|
#
124675 |
|
18-Jan-2004 |
ru |
Deal better with the crypto version of the PAM library that goes on the release media -- only put what is different in the crypto version compared to the base version. This reduces PAM entries in /usr/lib in the "crypto" distribution to:
libpam.a libpam.so@ libpam.so.2 pam_krb5.so@ pam_krb5.so.2 pam_ksu.so@ pam_ksu.so.2 pam_ssh.so@ pam_ssh.so.2
The libpam.so* is still redundant (it is identical to the "base" version), but we can't set DISTRIBUTION differently for libpam.a and libpam.so.
(The removal of libpam.so* from the crypto distribution could be addressed by the release/scripts/crypto-make.sh script, but then we'd also need to remove redundant PAM headers, and I'm not sure this is worth a hassle.)
|
#
112044 |
|
09-Mar-2003 |
obrien |
style.Makefile(5) police (I've tried to keep to the spirit of the original formatting)
Reviewed by: des
|
#
94372 |
|
10-Apr-2002 |
ru |
Moved SHLIB_NAME definition into one place.
Approved by: des
|
#
94370 |
|
10-Apr-2002 |
ru |
Fix broken `checkdpadd'.
-lroken is an installable library, there's no need to give an explicit path to it. In any case, -L paths should be specified in LDFLAGS if needed.
Approved by: des
|
#
94027 |
|
07-Apr-2002 |
des |
Turn on NO_WERROR due to namespace pollution in krb5 headers.
|
#
91714 |
|
05-Mar-2002 |
des |
Switch to OpenPAM. Bump library version. Modules are now versioned, so applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
|
#
90315 |
|
06-Feb-2002 |
markm |
Remove NO_WERROR, now that WARNS=n is gone.
|
#
89760 |
|
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have warnings that are hard to fix or that I've been asked to leave alone.
|
#
81477 |
|
10-Aug-2001 |
markm |
Clean up this module very extensively. Fix the logging, the coding standards and the option handling. This module is now much more easy to maintain as a part of the FreeBSD tree.
|
#
77720 |
|
04-Jun-2001 |
markm |
Big module cleanup.
Move common stuff into Makefile.inc, and tidy up all the Makefiles as a result.
Build new modules.
Put a commented-out dependancy on libpam for the (shared) modules. I can't bring this in just yet, as the dependancy (modules->libpam) is reversed for the static case (libpam->modules).
|
#
76575 |
|
14-May-2001 |
markm |
Bring in a few useful PAM modules.
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff" if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise it fails.
pam_wheel silently succeeds if the user is a member of group "wheel" (or another nominated group), and fails otherwise.
There is an issue with kerberosIV and kerberos5 - if both are being built, then static linking fails with duplicate symbols. This will take a bit of work to sort out in the kerberii.
|