User-Visible pam-afs-session Changes

pam-afs-session 1.8 (unreleased)

Fix a configure error when built --without-krb5.

When debugging is enabled, log an exit status of PAM_IGNORE as ignore rather than failure.

pam-afs-session 1.7 (2008-07-10)

Return PAM_IGNORE instead of PAM_SUCCESS from all functions when AFS isn't available, and when functions are skipped due to the configuration. We would like to do this in pam_authenticate as well (it would be much safer), but there is a bug in (at least) Linux PAM 0.99.7.1 (and probably earlier) that treats this as authentication failure if the module is configured with [default=done].

Fix Autoconf syntax error when probing for libkrb5support. Thanks, Mike Garrison.

If KRB5_CONFIG was explicitly set in the environment, don't use a different krb5-config based on --with-krb5. If krb5-config isn't executable, don't use it. This allows one to force library probing by setting KRB5_CONFIG to point to a nonexistent file.

Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work.

Set an explicit visibility of hidden for all internal functions at compile time if gcc is used to permit better optimization. Hide all functions except the official interfaces using a version script on Linux. This protects against leaking symbols into the application namespace and provides some mild optimization benefit.

Fix the probing of PAM headers for const on Mac OS X. This will suppress some harmless compiler warnings there. Thanks, Markus Moeller.

pam-afs-session 1.6 (2008-03-08)

Correctly check the exit status of aklog and don't think acquiring tokens was successful when aklog failed. Thanks, Douglas Engert and Chaskiel Grundman.

Build with _REENTRANT set for correct errno handling in threaded applications on Solaris.

Build with Kerberos support by default if Kerberos libraries are found. To disable Kerberos support, pass --without-krb5 to configure. The option to specify the Kerberos library location is now --with-krb5, not --with-kerberos.

Add support for AIX's bundled Kerberos. Thanks to Markus Moeller for the porting information.

Define _ALL_SOURCE on AIX to get a prototype for vsnprintf.

Add compiler and linker flags for AIX. Thanks, Thomas Williams.

Try to determine whether the PAM headers use const in the prototypes of such things as pam_get_item and adjust accordingly. This should address compiler warnings on Solaris. Thanks, Markus Moeller.

Add additional documentation of interactions with the native pam_krb5 on Solaris to README. pam_afs_session needs to be run from the auth group, not the session group, with at least some services when used with the Solaris pam_krb5.

Document bad interactions with pam_keyinit on Linux in README.

Add example PAM configurations for Debian, Red Hat, and Solaris based on Stanford's Linux configurations and a Solaris configuration from Maciej Malek. Hopefully I didn't break anything while merging examples.

pam-afs-session 1.5 (2007-09-30)

Free the results of pam_getenvlist and the command-line argument for aklog properly.

Don't de-reference a NULL pointer if memory allocation fails while parsing PAM options. Thanks, Jason D. McCormick.

Change lib to lib64 on x86_64 Linux to allow for the magical $ISA parameter in Red Hat's PAM configuration. Hopefully this won't cause problems elsewhere.

Fix linker determination when using gcc on HP-UX.

Add additional debugging output when acquiring or destroying tokens.

pam-afs-session 1.4 (2007-05-10)

Added the afs_cells configuration option which specifies the list of cells in which to get tokens.

Ported to HP-UX. HP-UX's PAM libraries do not support a separate environment used for the new session, so manipulate the regular environment instead. Thanks to Joe Buehler for the port.

Document using the module with Mac OS X, now that it's been confirmed to work with sshd on that platform.

Support DESTDIR for make install.

pam-afs-session 1.3 (2007-04-11)

Add a notokens configuration option which, when set, tells the module to only create a PAG and not to try to obtain tokens. Based on a patch from Jason McCormick.

When forking an external aklog, also close standard input and reopen it to /dev/null. Normal aklog programs won't try to read from standard input, but don't connect their standard input to any stray file descriptor inherited by the process just in case.

Make --with-kerberos and --without-libkafs work properly together.

Improve diagnostics around token acquisition. Thanks, Jeff Blaine.

pam-afs-session 1.2 (2007-03-24)

Add support for calling the Heimdal libkafs functions for obtaining AFS tokens rather than running an external aklog program. This support is the default if libkafs and the Kerberos v5 functions were found at build time and --with-kerberos was passed to configure.

When retain_after_close is set, don't destroy tokens on DELETE_CRED either. OpenSSH calls this when the session dies. Thanks to Thomas Kula for the patch.

Don't fail during configure if Kerberos libraries couldn't be found unless --with-kerberos was explicitly requested.

Produce better error messages when Kerberos operations fail.

Added --without-libkafs to force using the internal AFS syscall implementation and not link with libkafs or libkopenafs, even if the libraries are available.

Fix installation of the man page when building outside of the source directory.

pam-afs-session 1.1 (2006-12-18)

Add optional support for linking with the Kerberos libraries and obtaining configuration from the system krb5.conf file.

Add the kdestroy option which, if built with Kerberos support, removes the ticket cache after successfully running aklog.

Actually link with libkafs if we detect it at configure time.

Fix a bug in reporting unknown options.

pam-afs-session 1.0 (2006-12-06)

Add --with-afs-headers to configure so that the user doesn't have to know the right syntax for setting CPPFLAGS.

When using gcc, link with -fPIC as well as compiling with it per the gcc documentation.

Add additional configuration information for Solaris.

Link explicitly against the Kerberos libraries by default when linking with libkafs, only relying on transitive shared library dependencies when --enable-reduced-depends is passed to configure. This should not be necessary on any of the currently supported platforms but may make porting easier to systems with deficient shared library support.

Support building on Mac OS X. The resulting module isn't tested and may not work. Thanks, Sebastian Hagedorn.

pam-afs-session 0.3 (2006-11-28)

Compile in a default path to aklog if configure can find it on the path or if told the path with the --with-aklog option. In this case, program is now optional in the PAM configuration.

Use __func__ instead of __FUNCTION__ and provide a fallback for older versions of gcc and for systems that support neither. Should fix compilation issues with Sun's C compiler.

On platforms where we know the appropriate compiler flags, try to build the module so that symbols are resolved within the module in preference to any externally available symbols. Also add the hopefully correct compiler flags for Sun's C compiler.

pam-afs-session 0.2 (2006-11-17)

Add a man page.

Add a fallback implementation of the AFS system call for platforms that use syscall, and add the signal handler protection for the k_hasafs probe for those platforms. The PAM module should now build on Solaris without requiring libkafs or libkopenafs.

Add an always_aklog option saying to always run aklog even if the user doesn't appear to have a ticket cache.

Add an aklog_homedir option saying to pass -p <homedir> to aklog. This will obtain tokens in whatever AFS cells are required to access the user's home directory and can be used when something more complex than obtaining tokens in the local default cell is needed.

Reopen stdout and stderr to /dev/null before running aklog so that any error messages from aklog don't confuse the calling program.

Log a message if aklog fails, but return PAM_SUCCESS from the module whether aklog succeeded or not. If we fail, the user may be kicked out of their session even though AFS tokens may not be necessary and only obtained as a convenience. Obtaining a PAG is still required.
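The aklog handling described in the 0.2, 1.3, and 1.6 entries, sketched in C as an added example that is not code from pam-afs-session: the child's standard descriptors are pointed at /dev/null before exec, and success means a normal exit with status 0. The name run_helper is hypothetical, and /bin/sh stands in for aklog.

```c
/* Added example, not pam-afs-session source: run a helper such as aklog
 * with stdin/stdout/stderr on /dev/null and judge it by its exit status. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper name. Returns 0 only if the program exited with
 * status 0; -1 for fork/exec failure, non-zero exit, or death by signal. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: point fds 0-2 at /dev/null so the helper cannot read
         * from or write to descriptors inherited from the caller. */
        int fd = open("/dev/null", O_RDWR);
        if (fd < 0)
            _exit(126);
        if (dup2(fd, 0) < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0)
            _exit(126);
        if (fd > 2)
            close(fd);
        execv(path, argv);
        _exit(127);             /* exec failed */
    }
    /* Parent: retry waitpid if interrupted by a signal. */
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    /* A successful waitpid says nothing about the helper's result;
     * only a normal exit with status 0 counts as success. */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample commands standing in for aklog. */
    char *ok[] = { "sh", "-c", "exit 0", NULL };
    char *bad[] = { "sh", "-c", "exit 1", NULL };

    printf("ok=%d bad=%d\n", run_helper("/bin/sh", ok), run_helper("/bin/sh", bad));
    return 0;
}
```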

pam-afs-session 0.1 (2006-11-10)

Initial beta release.

Supports libkafs and libkopenafs in theory, but only the internal syscall layer has been tested. No man page yet, and the program to run to obtain tokens must be specified in the PAM options.
