does not use the Kerberos cookie scheme. Will not work for
Kerberos V older than version 1.1.
+ --enable-kerb5-instance=string
+ By default, the user name is used as the principal name
+ when authenticating via Kerberos V. If this option is
+ enabled, the specified instance string will be appended to
+ the user name (separated by a slash) when creating the
+ principal name.
+
--with-ldap[=DIR]
Enable LDAP support. If specified, DIR is the base directory
containing the LDAP include and lib directories. Please see
enable_largefile
with_pam_login
enable_pam_session
+enable_kerb5_instance
'
ac_precious_vars='build_alias
host_alias
--disable-sia Disable SIA on Digital UNIX
--disable-largefile omit support for large files
--disable-pam-session Disable PAM session support
+ --enable-kerb5-instance instance string to append to the username (separated
+ by a slash)
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
fi
LIBS="$_LIBS"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use an instance name for Kerberos V" >&5
+$as_echo_n "checking whether to use an instance name for Kerberos V... " >&6; }
+ # Check whether --enable-kerb5-instance was given.
+if test "${enable_kerb5_instance+set}" = set; then :
+ enableval=$enable_kerb5_instance; case "$enableval" in
+ yes) as_fn_error $? "\"must give --enable-kerb5-instance an argument.\"" "$LINENO" 5
+ ;;
+ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ ;;
+ *) cat >>confdefs.h <<EOF
+#define SUDO_KRB5_INSTANCE "$enableval"
+EOF
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enableval" >&5
+$as_echo "$enableval" >&6; }
+ ;;
+ esac
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
fi
if test ${with_AFS-'no'} = "yes"; then
+
AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
fi
LIBS="$_LIBS"
+ AC_MSG_CHECKING(whether to use an instance name for Kerberos V)
+ AC_ARG_ENABLE(kerb5-instance,
+ [AS_HELP_STRING([--enable-kerb5-instance], [instance string to append to the username (separated by a slash)])],
+ [ case "$enableval" in
+ yes) AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])
+ ;;
+ no) AC_MSG_RESULT(no)
+ ;;
+ *) SUDO_DEFINE_UNQUOTED(SUDO_KRB5_INSTANCE, "$enableval")
+ AC_MSG_RESULT([$enableval])
+ ;;
+ esac], AC_MSG_RESULT(no))
fi
dnl
AH_TEMPLATE(HAVE_STRUCT_UTMP_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmp'.])
AH_TEMPLATE(HAVE_STRUCT_UTMPX_UT_EXIT, [Define to 1 if `ut_exit' is a member of `struct utmpx'.])
AH_TEMPLATE(HAVE___FUNC__, [Define to 1 if the compiler supports the C99 __func__ variable.])
+AH_TEMPLATE(SUDO_KRB5_INSTANCE, [An instance string to append to the username (separated by a slash) for Kerberos V authentication])
dnl
dnl Bits to copy verbatim into config.h.in
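Review bot: The `*)` arm of the new AC_ARG_ENABLE case accepts an empty value, so `--enable-kerb5-instance=` (empty enableval) defines SUDO_KRB5_INSTANCE to `""`, which the C side then treats as a configured instance; the error arm should cover it too, e.g. `""|yes) AC_MSG_ERROR(["must give --enable-kerb5-instance an argument."])`. The value is also emitted verbatim into a C string literal via SUDO_DEFINE_UNQUOTED (the generated configure hunk above shows `#define SUDO_KRB5_INSTANCE "$enableval"`), so a value containing a double quote or backslash breaks the build instead of being rejected; an additional case arm that errors out on those characters would give a clearer diagnostic. The generated configure hunk inherits whatever is decided here, so it needs no separate fix.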
/*
- * Copyright (c) 1999-2005, 2007-2008, 2010-2011
+ * Copyright (c) 1999-2005, 2007-2008, 2010-2012
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
} sudo_krb5_data = { NULL, NULL, NULL };
typedef struct _sudo_krb5_data *sudo_krb5_datap;
+#ifdef SUDO_KRB5_INSTANCE
+static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
+#else
+static const char *sudo_krb5_instance = NULL;
+#endif
+
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
static krb5_error_code
krb5_get_init_creds_opt_alloc(krb5_context context,
sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
{
krb5_context sudo_context;
- krb5_ccache ccache;
- krb5_principal princ;
krb5_error_code error;
- char cache_name[64];
+ char cache_name[64], *pname = pw->pw_name;
debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
+ if (sudo_krb5_instance != NULL) {
+ easprintf(&pname, "%s%s%s", pw->pw_name,
+ sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
+ }
+
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
#else
error = krb5_init_context(&(sudo_krb5_data.sudo_context));
#endif
if (error)
- debug_return_int(AUTH_FAILURE);
+ goto done;
sudo_context = sudo_krb5_data.sudo_context;
- if ((error = krb5_parse_name(sudo_context, pw->pw_name,
- &(sudo_krb5_data.princ)))) {
+ error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
+ if (error) {
log_error(NO_EXIT|NO_MAIL,
- _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
+ _("%s: unable to parse '%s': %s"), auth->name, pname,
error_message(error));
- debug_return_int(AUTH_FAILURE);
+ goto done;
}
- princ = sudo_krb5_data.princ;
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
(long) getpid());
log_error(NO_EXIT|NO_MAIL,
_("%s: unable to resolve ccache: %s"), auth->name,
error_message(error));
- debug_return_int(AUTH_FAILURE);
+ goto done;
}
- ccache = sudo_krb5_data.ccache;
- debug_return_int(AUTH_SUCCESS);
+done:
+ if (sudo_krb5_instance != NULL)
+ efree(pname);
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
}
#ifdef HAVE_KRB5_VERIFY_USER
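Review bot: The guard `if (sudo_krb5_instance != NULL)` treats an empty instance string as a real one: SUDO_KRB5_INSTANCE is a compile-time literal, and if configure lets an empty value through (its `*)` arm appears to accept it), the principal becomes `user/` with an empty instance component rather than plain `user`. Tightening the guard to `if (sudo_krb5_instance != NULL && *sudo_krb5_instance != '\0')` and releasing the buffer at `done:` with `if (pname != pw->pw_name) efree(pname);` keeps the allocation decision and the free in step without repeating the condition in two places. A short comment on the new `sudo_krb5_instance` definition would also help readers, e.g. `/* Optional instance appended to pw_name (as name/instance) when building the Kerberos principal; NULL when not configured at build time. */`. The part of sudo_krb5_init between the parse and the ccache resolve lies outside the shown hunk.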