o use krb5_verify_user() if available instead of doing it by hand

 o use krb5_init_secure_context() if we have it
 o pass an encryption type of 0 to krb5_kt_read_service_key() instead of
   ENCTYPE_DES_CBC_MD5 to let kerberos choose.

diff --git a/auth/kerb5.c b/auth/kerb5.c
index b0a0ebde97bfe3e764cea8316b9e94ec953a62a2..0824b274791ce0a35e82ce12b7232def24660ae9 100644 (file)
--- a/auth/kerb5.c
+++ b/auth/kerb5.c
@@ -46,6 +46,9 @@
 #endif /* HAVE_UNISTD_H */
 #include <pwd.h>
 #include <krb5.h>
+#ifdef HAVE_HEIMDAL
+#include <com_err.h>
+#endif
 
 #include "sudo.h"
 #include "sudo_auth.h"
@@ -57,12 +60,13 @@ __unused static const char rcsid[] = "$Sudo$";
 #ifdef HAVE_HEIMDAL
 # define extract_name(c, p)            krb5_principal_get_comp_string(c, p, 1)
 # define krb5_free_data_contents(c, d) krb5_data_free(d)
-# define ENCTYPE_DES_CBC_MD5           ETYPE_DES_CBC_MD5       /* XXX */
 #else
 # define extract_name(c, p)            (krb5_princ_component(c, p, 1)->data)
 #endif
 
+#ifndef HAVE_KRB5_VERIFY_USER
 static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
+#endif
 static struct _sudo_krb5_data {
     krb5_context       sudo_context;
     krb5_principal     princ;
@@ -87,7 +91,12 @@ kerb5_init(pw, promptp, auth)
 
     auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
 
-    if ((error = krb5_init_context(&(sudo_krb5_data.sudo_context))))
+#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
+    error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
+#else
+    error = krb5_init_context(&(sudo_krb5_data.sudo_context));
+#endif
+    if (error)
        return(AUTH_FAILURE);
     sudo_context = sudo_krb5_data.sudo_context;
 
@@ -150,6 +159,26 @@ kerb5_init(pw, promptp, auth)
     return(AUTH_SUCCESS);
 }
 
+#ifdef HAVE_KRB5_VERIFY_USER
+int
+kerb5_verify(pw, pass, auth)
+    struct passwd *pw;
+    char *pass;
+    sudo_auth *auth;
+{
+    krb5_context       sudo_context;
+    krb5_principal     princ;
+    krb5_ccache                ccache;
+    krb5_error_code    error;
+
+    sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
+    princ = ((sudo_krb5_datap) auth->data)->princ;
+    ccache = ((sudo_krb5_datap) auth->data)->ccache;
+
+    error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
+    return (error ? AUTH_FAILURE : AUTH_SUCCESS);
+}
+#else
 int
 kerb5_verify(pw, pass, auth)
     struct passwd *pw;
@@ -195,6 +224,7 @@ kerb5_verify(pw, pass, auth)
     krb5_free_cred_contents(sudo_context, &creds);
     return (error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
+#endif
 
 int
 kerb5_cleanup(pw, auth)
@@ -220,6 +250,7 @@ kerb5_cleanup(pw, auth)
     return(AUTH_SUCCESS);
 }
 
+#ifndef HAVE_KRB5_VERIFY_USER
 /*
  * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
  *
@@ -269,7 +300,7 @@ verify_krb_v5_tgt(sudo_context, ccache, auth_name)
      * and enctype is currently ignored anyhow.)
      */
     if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
-                                        ENCTYPE_DES_CBC_MD5, &keyblock))) {
+                                        0, &keyblock))) {
        /* Keytab or service key does not exist. */
        log_error(NO_EXIT,
                  "%s: host service key not found: %s", auth_name,
@@ -302,3 +333,4 @@ cleanup:
                  error_message(error));
     return(error);
 }
+#endif

diff --git a/config.h.in b/config.h.in
index 5502a8491b023bee881ddedde25dd3b6db0160e5..ffe79a1cee8497e84192ceecc4f9089671d7a537 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -191,6 +191,12 @@
 /* Define to 1 if you use Kerberos V. */
 #undef HAVE_KERB5
 
+/* Define to 1 if you have the `krb5_init_secure_context' function. */
+#undef HAVE_KRB5_INIT_SECURE_CONTEXT
+
+/* Define to 1 if you have the `krb5_verify_user' function. */
+#undef HAVE_KRB5_VERIFY_USER
+
 /* Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not) */
 #undef HAVE_LBER_H
 

diff --git a/configure.in b/configure.in
index 579cf83e6d97c5641a0f08413aea53715fea3785..716ececbca3ae5d80b02767cbcf223ad6aa44bc5 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1897,6 +1897,8 @@ if test "$with_kerb5" = "yes"; then
        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
                AC_MSG_RESULT(yes)
                AC_DEFINE(HAVE_HEIMDAL)
+           ], [
+               AC_MSG_RESULT(no)
            ]
        )
     fi
@@ -1930,7 +1932,8 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then
     AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
            AC_MSG_RESULT(yes)
            AC_DEFINE(HAVE_HEIMDAL)
-           SUDO_LIBS="${SUDO_LIBS} -lkrb5 -ldes -lcom_err -lasn1"
+           # XXX - need to check whether -lcrypo is needed!
+           SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
            AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
        ], [
            AC_MSG_RESULT(no)
@@ -1942,6 +1945,10 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then
     else
        AUTH_OBJS="${AUTH_OBJS} kerb5.o"
     fi
+    _LIBS="$LIBS"
+    LIBS="${LIBS} ${SUDO_LIBS}"
+    AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
+    LIBS="$_LIBS"
 fi
 
 dnl