summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormarkm <markm@FreeBSD.org>2003-03-08 10:33:20 +0000
committermarkm <markm@FreeBSD.org>2003-03-08 10:33:20 +0000
commit9981c003b18c8cd85651783b293372e0a89d2115 (patch)
tree5761042659f0fabf1588f83541c2ec513d4ee17b
parent171598b3126c1d83f428465d8e8c6e53ba9ef3d0 (diff)
downloadFreeBSD-src-9981c003b18c8cd85651783b293372e0a89d2115.zip
FreeBSD-src-9981c003b18c8cd85651783b293372e0a89d2115.tar.gz
KerberosIV de-orbit burn continues. Remove the KerberosIV PAM module.
-rw-r--r--lib/libpam/Makefile.inc3
-rw-r--r--lib/libpam/modules/modules.inc3
-rw-r--r--lib/libpam/modules/pam_kerberosIV/Makefile35
-rw-r--r--lib/libpam/modules/pam_kerberosIV/klogin.c206
-rw-r--r--lib/libpam/modules/pam_kerberosIV/klogin.h5
-rw-r--r--lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.865
-rw-r--r--lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c137
7 files changed, 0 insertions, 454 deletions
diff --git a/lib/libpam/Makefile.inc b/lib/libpam/Makefile.inc
index 5a1794f..e61e062e 100644
--- a/lib/libpam/Makefile.inc
+++ b/lib/libpam/Makefile.inc
@@ -27,9 +27,6 @@
SHLIB_MAJOR= 2
.if !defined(NOCRYPT) && !defined(NO_OPENSSL)
-.if defined(MAKE_KERBEROS4)
-DISTRIBUTION+= krb4
-.endif
.if defined(MAKE_KERBEROS5)
DISTRIBUTION+= krb5
.endif
diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc
index 355b609..471200e 100644
--- a/lib/libpam/modules/modules.inc
+++ b/lib/libpam/modules/modules.inc
@@ -7,9 +7,6 @@ MODULES += pam_exec
MODULES += pam_ftp
MODULES += pam_ftpusers
MODULES += pam_group
-.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
-MODULES += pam_kerberosIV
-.endif
.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
MODULES += pam_krb5
MODULES += pam_ksu
diff --git a/lib/libpam/modules/pam_kerberosIV/Makefile b/lib/libpam/modules/pam_kerberosIV/Makefile
deleted file mode 100644
index a64aa51..0000000
--- a/lib/libpam/modules/pam_kerberosIV/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 1998 Juniper Networks, Inc.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-
-LIB= pam_kerberosIV
-SRCS= pam_kerberosIV.c klogin.c
-NO_WERROR= yes
-CFLAGS+= -DKERBEROS
-DPADD= ${LIBKRB} ${LIBCRYPTO} ${LIBCOM_ERR}
-LDADD= -lkrb -lcrypto -lcom_err
-MAN= pam_kerberosIV.8
-
-.include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.c b/lib/libpam/modules/pam_kerberosIV/klogin.c
deleted file mode 100644
index 0743e86..0000000
--- a/lib/libpam/modules/pam_kerberosIV/klogin.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/*-
- * Copyright (c) 1990, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#ifndef lint
-static const char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 4/2/94";
-#endif /* not lint */
-
-#ifdef KERBEROS
-#include <sys/param.h>
-#include <sys/syslog.h>
-#include <openssl/des.h>
-#include <krb.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "klogin.h"
-
-#define INITIAL_TICKET "krbtgt"
-#define VERIFY_SERVICE "rcmd"
-
-extern int notickets;
-extern char *krbtkfile_env;
-
-/*
- * Attempt to log the user in using Kerberos authentication
- *
- * return 0 on success (will be logged in)
- * 1 if Kerberos failed (try local password in login)
- */
-int
-klogin(struct passwd *pw, char *instance, char *localhost, const char *password)
-{
- int kerror;
- char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
- char tkt_location[MAXPATHLEN];
- extern int noticketsdontcomplain;
-
-#ifdef KLOGIN_PARANOID
- AUTH_DAT authdata;
- KTEXT_ST ticket;
- struct hostent *hp;
- unsigned long faddr;
-
- noticketsdontcomplain = 0; /* enable warning message */
-#endif
-
- /*
- * Root logins don't use Kerberos.
- * If we have a realm, try getting a ticket-granting ticket
- * and using it to authenticate. Otherwise, return
- * failure so that we can try the normal passwd file
- * for a password. If that's ok, log the user in
- * without issuing any tickets.
- */
- if (strcmp(pw->pw_name, "root") == 0 ||
- krb_get_lrealm(realm, 0) != KSUCCESS)
- return (1);
-
- noticketsdontcomplain = 0; /* enable warning message */
-
- /*
- * get TGT for local realm
- * tickets are stored in a file named TKT_ROOT plus uid
- * except for user.root tickets.
- */
-
- if (strcmp(instance, "root") != 0)
- (void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
- else {
- (void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid);
- krbtkfile_env = tkt_location;
- }
- (void)krb_set_tkt_string(tkt_location);
-
- /*
- * Set real as well as effective ID to 0 for the moment,
- * to make the kerberos library do the right thing.
- */
- if (setuid(0) < 0) {
- warnx("setuid");
- return (1);
- }
- kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
- realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
-
- /*
- * If we got a TGT, get a local "rcmd" ticket and check it so as to
- * ensure that we are not talking to a bogus Kerberos server.
- *
- * There are 2 cases where we still allow a login:
- * 1: the VERIFY_SERVICE doesn't exist in the KDC
- * 2: local host has no srvtab, as (hopefully) indicated by a
- * return value of RD_AP_UNDEC from krb_rd_req().
- */
- if (kerror != INTK_OK) {
- if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
- syslog(LOG_ERR, "Kerberos intkt error: %s",
- krb_err_txt[kerror]);
- dest_tkt();
- }
- return (1);
- }
-
- if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
- syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
-
- (void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
- savehost[sizeof(savehost)-1] = NULL;
-
-#ifdef KLOGIN_PARANOID
- /*
- * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
- * still allow login with tickets, but log the error condition.
- */
-
- kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
- if (kerror == KDC_PR_UNKNOWN) {
- syslog(LOG_NOTICE,
- "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
- krb_err_txt[kerror], VERIFY_SERVICE, savehost);
- notickets = 0;
- return (0);
- }
-
- if (kerror != KSUCCESS) {
- warnx("unable to use TGT: (%s)", krb_err_txt[kerror]);
- syslog(LOG_NOTICE, "unable to use TGT: (%s)",
- krb_err_txt[kerror]);
- dest_tkt();
- return (1);
- }
-
- if (!(hp = gethostbyname(localhost))) {
- syslog(LOG_ERR, "couldn't get local host address");
- dest_tkt();
- return (1);
- }
-
- memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
-
- kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
- &authdata, "");
-
- if (kerror == KSUCCESS) {
- notickets = 0;
- return (0);
- }
-
- /* undecipherable: probably didn't have a srvtab on the local host */
- if (kerror == RD_AP_UNDEC) {
- syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
- dest_tkt();
- return (1);
- }
- /* failed for some other reason */
- warnx("unable to verify %s ticket: (%s)", VERIFY_SERVICE,
- krb_err_txt[kerror]);
- syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
- krb_err_txt[kerror]);
- dest_tkt();
- return (1);
-#else
- notickets = 0;
- return (0);
-#endif
-}
-#endif
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.h b/lib/libpam/modules/pam_kerberosIV/klogin.h
deleted file mode 100644
index e126a0b..0000000
--- a/lib/libpam/modules/pam_kerberosIV/klogin.h
+++ /dev/null
@@ -1,5 +0,0 @@
-/*
- * $FreeBSD$
- */
-
-int klogin(struct passwd *, char *, char *, const char *);
diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.8 b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.8
deleted file mode 100644
index d305603..0000000
--- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.8
+++ /dev/null
@@ -1,65 +0,0 @@
-.\" Copyright (c) 2003 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" Portions of this software were developed for the FreeBSD Project by
-.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
-.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
-.\" ("CBOSS"), as part of the DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd February 6, 2003
-.Dt PAM_KERBEROSIV 8
-.Os
-.Sh NAME
-.Nm pam_kerberosIV
-.Nd Kerberos IV PAM module
-.Sh SYNOPSIS
-.Op Ar service-name
-.Ar module-type
-.Ar control-flag
-.Pa pam_kerberosIV
-.Op Ar arguments
-.Sh DESCRIPTION
-The Kerberos IV service module for PAM implements user authentication
-by way of Kerberos IV.
-It provides no other services than authentication.
-.Sh SEE ALSO
-.Xr pam.conf 5 ,
-.Xr pam 8 ,
-.Xr pam_krb5 8
-.Sh AUTHORS
-The
-.Nm
-module was donated to the
-.Fx
-Project by Juniper Networks, Inc.
-This manual page was written by
-ThinkSec AS and NAI Labs, the Security Research Division of Network
-Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
-.Pq Dq CBOSS ,
-as part of the DARPA CHATS research program.
diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
deleted file mode 100644
index 40f5a72..0000000
--- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- * Copyright (c) 2002 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * Portions of this software were developed for the FreeBSD Project by
- * ThinkSec AS and NAI Labs, the Security Research Division of Network
- * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
- * ("CBOSS"), as part of the DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior written
- * permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <sys/param.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#define PAM_SM_AUTH
-#include <security/pam_appl.h>
-#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
-
-#include "klogin.h"
-
-/* Globals used by klogin.c */
-int notickets = 1;
-int noticketsdontcomplain = 1;
-char *krbtkfile_env;
-
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc __unused, const char *argv[] __unused)
-{
- int retval;
- const char *user;
- char *principal;
- char *instance;
- const char *password;
- char localhost[MAXHOSTNAMELEN + 1];
- struct passwd *pwd;
-
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS)
- return (retval);
-
- PAM_LOG("Got user: %s", user);
-
- retval = pam_get_authtok(pamh, PAM_AUTHTOK, &password, NULL);
- if (retval != PAM_SUCCESS)
- return (retval);
-
- PAM_LOG("Got password");
-
- if (gethostname(localhost, sizeof localhost - 1) == -1)
- return (PAM_SYSTEM_ERR);
-
- PAM_LOG("Got localhost: %s", localhost);
-
- principal = strdup(user);
- if (principal == NULL)
- return (PAM_BUF_ERR);
-
- instance = strchr(principal, '.');
- if (instance != NULL)
- *instance++ = '\0';
- else
- instance = strchr(principal, '\0');
-
- PAM_LOG("Got principal.instance: %s.%s", principal, instance);
-
- retval = PAM_AUTH_ERR;
- pwd = getpwnam(user);
- if (pwd != NULL) {
- if (klogin(pwd, instance, localhost, password) == 0) {
- if (notickets && !noticketsdontcomplain)
- PAM_VERBOSE_ERROR("Warning: no Kerberos tickets issued");
- /*
- * XXX - I think the ticket file isn't supposed to
- * be created until pam_sm_setcred() is called.
- */
- if (krbtkfile_env != NULL)
- setenv("KRBTKFILE", krbtkfile_env, 1);
- retval = PAM_SUCCESS;
- }
-
- PAM_LOG("Done klogin()");
-
- }
- /*
- * The PAM infrastructure will obliterate the cleartext
- * password before returning to the application.
- */
- free(principal);
-
- if (retval != PAM_SUCCESS)
- PAM_VERBOSE_ERROR("Kerberos IV refuses you");
-
- return (retval);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
- int argc __unused, const char *argv[] __unused)
-{
-
- return (PAM_SUCCESS);
-}
-
-PAM_MODULE_ENTRY("pam_kerberosIV");
OpenPOWER on IntegriCloud