#
315151 |
|
12-Mar-2017 |
des |
MFH (r314598): load default options before requesting ticket
PR: 213909
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
297755 |
|
09-Apr-2016 |
pfg |
libpam: replace 0 with NULL for pointers.
Found with devel/coccinelle.
Reviewed by: des
|
#
241844 |
|
22-Oct-2012 |
eadler |
remove duplicate semicolons where possible.
Approved by: cperciva MFC after: 1 week
|
#
239099 |
|
06-Aug-2012 |
dim |
Fix two instances in pam_krb5(8), where the variable 'princ_name' could be used uninitialized.
Found by: clang 3.2 Reviewed by: des MFC after: 1 week
|
#
239062 |
|
05-Aug-2012 |
dfr |
Add an option for pam_krb5 to allow it to authenticate users which don't have a local account.
PR: 76678 Submitted by: daved at tamu.edu MFC after: 2 weeks
|
#
233406 |
|
23-Mar-2012 |
stas |
- Avoid using deprecated heimdal functions in pam_krb5.
|
#
207555 |
|
03-May-2010 |
mm |
Code indent according to style(9).
PR: bin/146186 Submitted by: myself Approved by: delphij (mentor) MFC after: 2 weeks
|
#
207553 |
|
03-May-2010 |
mm |
Implement the no_user_check option to pam_krb5.
This option is available in the Linux implementation of pam_krb5 and allows to authorize a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g Active Directory) via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186 Submitted by: myself Approved by: deplhij (mentor) MFC after: 2 weeks
|
#
174837 |
|
21-Dec-2007 |
des |
Adjust for OpenPAM Hydrangea.
|
#
147810 |
|
07-Jul-2005 |
kensmith |
This is sort of an MFS. Peter made these changes to the RELENG_* branches but missed HEAD. This patch extends his a little bit, setting it up via the Makefiles so that adding _FREEFALL_CONFIG to /etc/make.conf is the only thing needed to cluster-ize things (current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches: > Add the freebsd.org custer's source modifications under #ifdefs to aid > keeping things in sync. For ksu: > * install suid-root by default > * don't fall back to asking for a unix password (ie: be pure kerberos) > * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days Approved by: re (dwhite)
|
#
140747 |
|
24-Jan-2005 |
rwatson |
When "no_ccache" is set as an argument to the pam_krb5 module, don't copy the acquired TGT from the in-memory cache to the on-disk cache at login. This was documented but un-implemented behavior.
MFC after: 1 week PR: bin/64464 Reported and tested by: Eric van Gyzen <vangyzen at stat dot duke dot edu>
|
#
140667 |
|
23-Jan-2005 |
rwatson |
The final argument to verify_krb_v5_tgt() is the debug flag, not the ticket forwardable flag, so key generation of debugging output to "debug" rather than "forwardable".
Update copyright.
MFC after: 3 days
|
#
125650 |
|
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
#
123454 |
|
11-Dec-2003 |
des |
More strict aliasing fixes.
Submitted by: Andreas Hauser <andy-freebsd@splashground.de>
|
#
115470 |
|
31-May-2003 |
des |
Update copyright dates.
|
#
115465 |
|
31-May-2003 |
des |
Remove all instances of pam_std_option()
|
#
111985 |
|
08-Mar-2003 |
markm |
Comment-only assistance to lint to kill warnings.
|
#
110275 |
|
03-Feb-2003 |
des |
In pam_sm_acct_mgmt(), retrieve the cached credentials before trying to initialize the context. This way, a failure to initialize the context is not fatal unless we actually have work to do - because if we don't, we return PAM_SUCCESS without even trying to initialize the context.
|
#
110274 |
|
03-Feb-2003 |
des |
Whitespace cleanup
|
#
110056 |
|
29-Jan-2003 |
nectar |
Do not return inappropriate error codes in pam_sm_setcred.
|
#
109069 |
|
10-Jan-2003 |
nectar |
About September 2001, I consulted with all the previous authors of pam_krb5 to consolidate the copyright texts. The semi-official pam_krb5 module has been distributed with this new license text ever since, but I'm just now getting around to updating the text here.
|
#
106864 |
|
13-Nov-2002 |
nectar |
The pam_krb5 module stored a reference to a krb5_ccache structure as PAM module state (created in pam_sm_authenticate and referenced later in pam_sm_setcred and pam_sm_acct_mgmt). However, the krb5_ccache structure shares some data members with the krb5_context structure that was used in its creation. Since a new krb5_context is created and destroyed at each PAM entry point, this inevitably caused the krb5_ccache structure to reference free'd memory.
Now instead of storing a pointer to the krb5_ccache structure, we store the name of the cache (e.g. `MEMORY:0x123CACHE') in pam_sm_authenticate, and resolve the name in the other entry points.
This bug was uncovered by phkmalloc's free'd memory scrubbing.
Approved by: re (jhb)
|
#
106862 |
|
13-Nov-2002 |
nectar |
Use `krb5_get_err_text' instead of `error_message' so that instead of e.g.
Unknown error: -1765328378
we get
Client not found in Kerberos database
Another way to accomplish this would have been to leave `error_message' alone, but to explicitly load the Kerberos com_err error tables. However, I don't really like the idea of a PAM module dorking with global tables.
Approved by: re (jhb)
|
#
96444 |
|
12-May-2002 |
des |
Don't declare krb5_mcc_ops, it's already declared in <krb5.h>
|
#
94564 |
|
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate - PAM_RETURN -> return since OpenPAM already logs the return value. - make PAM_LOG use openpam_log() - make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT - remove dummy functions since OpenPAM handles missing service functions - fix various warnings
Sponsored by: DARPA, NAI Labs
|
#
93984 |
|
06-Apr-2002 |
des |
Aggressive cleanup of warnings + authtok-related code in preparation for PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
|
#
91752 |
|
06-Mar-2002 |
roam |
Unbreak the pam_krb5 build: cast a couple of const pointers to normal char *. A better fix might be some const'ifying of the Heimdal code, but this will do to fix the build for the present.
Approved by: des
|
#
90229 |
|
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
#
89760 |
|
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have warnings that are hard to fix or that I've been asked to leave alone.
|
#
85485 |
|
25-Oct-2001 |
sobomax |
Don't put an extra space after password prompts, because it violates POLA, makes FreeBSD inconsistent with previous releases and "other unices" as well as with some internal password-asking services (e.g. ftp) within the same release.
|
#
84218 |
|
30-Sep-2001 |
dillon |
Add __FBSDID()s to libpam
|
#
81477 |
|
10-Aug-2001 |
markm |
Clean up this module very extensively. Fix the logging, the coding standards and the option handling. This module is now much more easy to maintain as a part of the FreeBSD tree.
|