KerberosIV de-orbit burn continues. Remove the KerberosIV PAM module.

7 files changed, 0 insertions, 454 deletions

diff --git a/lib/libpam/Makefile.inc b/lib/libpam/Makefile.inc
index 5a1794f..e61e062e 100644
--- a/lib/libpam/Makefile.inc
+++ b/lib/libpam/Makefile.inc
@@ -27,9 +27,6 @@
 SHLIB_MAJOR=	2
 
 .if !defined(NOCRYPT) && !defined(NO_OPENSSL)
-.if defined(MAKE_KERBEROS4) 
-DISTRIBUTION+=	krb4
-.endif
 .if defined(MAKE_KERBEROS5)
 DISTRIBUTION+=	krb5
 .endif
diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc
index 355b609..471200e 100644
--- a/lib/libpam/modules/modules.inc
+++ b/lib/libpam/modules/modules.inc
@@ -7,9 +7,6 @@ MODULES		+= pam_exec
 MODULES		+= pam_ftp
 MODULES		+= pam_ftpusers
 MODULES		+= pam_group
-.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
-MODULES		+= pam_kerberosIV
-.endif
 .if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL)
 MODULES		+= pam_krb5
 MODULES		+= pam_ksu
diff --git a/lib/libpam/modules/pam_kerberosIV/Makefile b/lib/libpam/modules/pam_kerberosIV/Makefile
deleted file mode 100644
index a64aa51..0000000
--- a/lib/libpam/modules/pam_kerberosIV/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 1998 Juniper Networks, Inc.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-
-LIB=		pam_kerberosIV
-SRCS=		pam_kerberosIV.c klogin.c
-NO_WERROR=	yes
-CFLAGS+=	-DKERBEROS
-DPADD=		${LIBKRB} ${LIBCRYPTO} ${LIBCOM_ERR}
-LDADD=		-lkrb -lcrypto -lcom_err
-MAN=		pam_kerberosIV.8
-
-.include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.c b/lib/libpam/modules/pam_kerberosIV/klogin.c
deleted file mode 100644
index 0743e86..0000000
--- a/lib/libpam/modules/pam_kerberosIV/klogin.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/*-
- * Copyright (c) 1990, 1993, 1994
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#ifndef lint
-static const char sccsid[] = "@(#)klogin.c	8.3 (Berkeley) 4/2/94";
-#endif /* not lint */
-
-#ifdef KERBEROS
-#include <sys/param.h>
-#include <sys/syslog.h>
-#include <openssl/des.h>
-#include <krb.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "klogin.h"
-
-#define	INITIAL_TICKET	"krbtgt"
-#define	VERIFY_SERVICE	"rcmd"
-
-extern int notickets;
-extern char *krbtkfile_env;
-
-/*
- * Attempt to log the user in using Kerberos authentication
- *
- * return 0 on success (will be logged in)
- *	  1 if Kerberos failed (try local password in login)
- */
-int
-klogin(struct passwd *pw, char *instance, char *localhost, const char *password)
-{
-	int kerror;
-	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
-	char tkt_location[MAXPATHLEN];
-	extern int noticketsdontcomplain;
-
-#ifdef	KLOGIN_PARANOID
-	AUTH_DAT authdata;
-	KTEXT_ST ticket;
-	struct hostent *hp;
-	unsigned long faddr;
-
-	noticketsdontcomplain = 0; /* enable warning message */
-#endif
-
-	/*
-	 * Root logins don't use Kerberos.
-	 * If we have a realm, try getting a ticket-granting ticket
-	 * and using it to authenticate.  Otherwise, return
-	 * failure so that we can try the normal passwd file
-	 * for a password.  If that's ok, log the user in
-	 * without issuing any tickets.
-	 */
-	if (strcmp(pw->pw_name, "root") == 0 ||
-	    krb_get_lrealm(realm, 0) != KSUCCESS)
-		return (1);
-
-	noticketsdontcomplain = 0; /* enable warning message */
-
-	/*
-	 * get TGT for local realm
-	 * tickets are stored in a file named TKT_ROOT plus uid
-	 * except for user.root tickets.
-	 */
-
-	if (strcmp(instance, "root") != 0)
-		(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
-	else {
-		(void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid);
-		krbtkfile_env = tkt_location;
-	}
-	(void)krb_set_tkt_string(tkt_location);
-
-	/*
-	 * Set real as well as effective ID to 0 for the moment,
-	 * to make the kerberos library do the right thing.
-	 */
-	if (setuid(0) < 0) {
-		warnx("setuid");
-		return (1);
-	}
-	kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
-		    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
-
-	/*
-	 * If we got a TGT, get a local "rcmd" ticket and check it so as to
-	 * ensure that we are not talking to a bogus Kerberos server.
-	 *
-	 * There are 2 cases where we still allow a login:
-	 *	1: the VERIFY_SERVICE doesn't exist in the KDC
-	 *	2: local host has no srvtab, as (hopefully) indicated by a
-	 *	   return value of RD_AP_UNDEC from krb_rd_req().
-	 */
-	if (kerror != INTK_OK) {
-		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
-			syslog(LOG_ERR, "Kerberos intkt error: %s",
-			    krb_err_txt[kerror]);
-			dest_tkt();
-		}
-		return (1);
-	}
-
-	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
-		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
-
-	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
-	savehost[sizeof(savehost)-1] = NULL;
-
-#ifdef KLOGIN_PARANOID
-	/*
-	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
-	 * still allow login with tickets, but log the error condition.
-	 */
-
-	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
-	if (kerror == KDC_PR_UNKNOWN) {
-		syslog(LOG_NOTICE,
-    		    "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
-		    krb_err_txt[kerror], VERIFY_SERVICE, savehost);
-		notickets = 0;
-		return (0);
-	}
-
-	if (kerror != KSUCCESS) {
-		warnx("unable to use TGT: (%s)", krb_err_txt[kerror]);
-		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
-		    krb_err_txt[kerror]);
-		dest_tkt();
-		return (1);
-	}
-
-	if (!(hp = gethostbyname(localhost))) {
-		syslog(LOG_ERR, "couldn't get local host address");
-		dest_tkt();
-		return (1);
-	}
-
-	memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
-
-	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
-	    &authdata, "");
-
-	if (kerror == KSUCCESS) {
-		notickets = 0;
-		return (0);
-	}
-
-	/* undecipherable: probably didn't have a srvtab on the local host */
-	if (kerror == RD_AP_UNDEC) {
-		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
-		dest_tkt();
-		return (1);
-	}
-	/* failed for some other reason */
-	warnx("unable to verify %s ticket: (%s)", VERIFY_SERVICE,
-	    krb_err_txt[kerror]);
-	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
-	    krb_err_txt[kerror]);
-	dest_tkt();
-	return (1);
-#else
-	notickets = 0;
-	return (0);
-#endif
-}
-#endif
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.h b/lib/libpam/modules/pam_kerberosIV/klogin.h
deleted file mode 100644
index e126a0b..0000000
--- a/lib/libpam/modules/pam_kerberosIV/klogin.h
+++ /dev/null
@@ -1,5 +0,0 @@
-/*
- * $FreeBSD$
- */
-
-int klogin(struct passwd *, char *, char *, const char *);
diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.8 b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.8
deleted file mode 100644
index d305603..0000000
--- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.8
+++ /dev/null
@@ -1,65 +0,0 @@
-.\" Copyright (c) 2003 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" Portions of this software were developed for the FreeBSD Project by
-.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
-.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
-.\" ("CBOSS"), as part of the DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote
-.\"    products derived from this software without specific prior written
-.\"    permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd February 6, 2003
-.Dt PAM_KERBEROSIV 8
-.Os
-.Sh NAME
-.Nm pam_kerberosIV
-.Nd Kerberos IV PAM module
-.Sh SYNOPSIS
-.Op Ar service-name
-.Ar module-type
-.Ar control-flag
-.Pa pam_kerberosIV
-.Op Ar arguments
-.Sh DESCRIPTION
-The Kerberos IV service module for PAM implements user authentication
-by way of Kerberos IV.
-It provides no other services than authentication.
-.Sh SEE ALSO
-.Xr pam.conf 5 ,
-.Xr pam 8 ,
-.Xr pam_krb5 8
-.Sh AUTHORS
-The
-.Nm
-module was donated to the
-.Fx
-Project by Juniper Networks, Inc.
-This manual page was written by
-ThinkSec AS and NAI Labs, the Security Research Division of Network
-Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
-.Pq Dq CBOSS ,
-as part of the DARPA CHATS research program.
diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
deleted file mode 100644
index 40f5a72..0000000
--- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- * Copyright (c) 2002 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * Portions of this software were developed for the FreeBSD Project by
- * ThinkSec AS and NAI Labs, the Security Research Division of Network
- * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
- * ("CBOSS"), as part of the DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- *    products derived from this software without specific prior written
- *    permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <sys/param.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#define PAM_SM_AUTH
-#include <security/pam_appl.h>
-#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
-
-#include "klogin.h"
-
-/* Globals used by klogin.c */
-int	notickets = 1;
-int	noticketsdontcomplain = 1;
-char	*krbtkfile_env;
-
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags,
-    int argc __unused, const char *argv[] __unused)
-{
-	int retval;
-	const char *user;
-	char *principal;
-	char *instance;
-	const char *password;
-	char localhost[MAXHOSTNAMELEN + 1];
-	struct passwd *pwd;
-
-	retval = pam_get_user(pamh, &user, NULL);
-	if (retval != PAM_SUCCESS)
-		return (retval);
-
-	PAM_LOG("Got user: %s", user);
-
-	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &password, NULL);
-	if (retval != PAM_SUCCESS)
-		return (retval);
-
-	PAM_LOG("Got password");
-
-	if (gethostname(localhost, sizeof localhost - 1) == -1)
-		return (PAM_SYSTEM_ERR);
-
-	PAM_LOG("Got localhost: %s", localhost);
-
-	principal = strdup(user);
-	if (principal == NULL)
-		return (PAM_BUF_ERR);
-
-	instance = strchr(principal, '.');
-	if (instance != NULL)
-		*instance++ = '\0';
-	else
-		instance = strchr(principal, '\0');
-
-	PAM_LOG("Got principal.instance: %s.%s", principal, instance);
-
-	retval = PAM_AUTH_ERR;
-	pwd = getpwnam(user);
-	if (pwd != NULL) {
-		if (klogin(pwd, instance, localhost, password) == 0) {
-			if (notickets && !noticketsdontcomplain)
-				PAM_VERBOSE_ERROR("Warning: no Kerberos tickets issued");
-			/*
-			 * XXX - I think the ticket file isn't supposed to
-			 * be created until pam_sm_setcred() is called.
-			 */
-			if (krbtkfile_env != NULL)
-				setenv("KRBTKFILE", krbtkfile_env, 1);
-			retval = PAM_SUCCESS;
-		}
-
-		PAM_LOG("Done klogin()");
-
-	}
-	/*
-	 * The PAM infrastructure will obliterate the cleartext
-	 * password before returning to the application.
-	 */
-	free(principal);
-
-	if (retval != PAM_SUCCESS)
-		PAM_VERBOSE_ERROR("Kerberos IV refuses you");
-
-	return (retval);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
-    int argc __unused, const char *argv[] __unused)
-{
-
-	return (PAM_SUCCESS);
-}
-
-PAM_MODULE_ENTRY("pam_kerberosIV");