From: Todd C. Miller Date: Sun, 13 Nov 2011 14:12:43 +0000 (-0500) Subject: Remove the old Kerberos IV support X-Git-Tag: SUDO_1_8_4~158^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c86561e502b2da5f2c5e85a73fab11592c6ff9aa;p=sudo Remove the old Kerberos IV support --- diff --git a/INSTALL b/INSTALL index 5ddbd2dff..6f25c6f00 100644 --- a/INSTALL +++ b/INSTALL @@ -173,12 +173,6 @@ Special features/options: DIR is the base directory containing the compiled FWTK package (or at least the library and header files). - --with-kerb4[=DIR] - Enable Kerberos IV support. If specified, DIR is the base - directory containing the Kerberos IV include and lib dirs. - This uses Kerberos passphrases for authentication but does - not use the Kerberos cookie scheme. - --with-kerb5[=DIR] Enable Kerberos V support. If specified, DIR is the base directory containing the Kerberos V include and lib dirs. diff --git a/MANIFEST b/MANIFEST index 07d70ae89..d44a59c5e 100644 --- a/MANIFEST +++ b/MANIFEST @@ -134,7 +134,6 @@ plugins/sudoers/auth/aix_auth.c plugins/sudoers/auth/bsdauth.c plugins/sudoers/auth/dce.c plugins/sudoers/auth/fwtk.c -plugins/sudoers/auth/kerb4.c plugins/sudoers/auth/kerb5.c plugins/sudoers/auth/pam.c plugins/sudoers/auth/passwd.c diff --git a/config.h.in b/config.h.in index ecad06b17..8f428591b 100644 --- a/config.h.in +++ b/config.h.in @@ -241,9 +241,6 @@ shadow enabled) */ #undef HAVE_ISSECURE -/* Define to 1 if you use Kerberos IV. */ -#undef HAVE_KERB4 - /* Define to 1 if you use Kerberos V. */ #undef HAVE_KERB5 diff --git a/configure b/configure index a133ca690..beee5a2d0 100755 --- a/configure +++ b/configure @@ -803,7 +803,6 @@ with_opie with_long_otp_prompt with_SecurID with_fwtk -with_kerb4 with_kerb5 with_aixauth with_pam 
@@ -1571,7 +1570,6 @@ Optional Packages: --with-long-otp-prompt use a two line OTP (skey/opie) prompt --with-SecurID[=DIR] enable SecurID support --with-fwtk[=DIR] enable FWTK AuthSRV support - --with-kerb4[=DIR] enable Kerberos IV support --with-kerb5[=DIR] enable Kerberos V support --with-aixauth enable AIX general authentication support --with-pam enable PAM support @@ -4062,21 +4060,6 @@ fi -# Check whether --with-kerb4 was given. -if test "${with_kerb4+set}" = set; then : - withval=$with_kerb4; case $with_kerb4 in - no) ;; - *) { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to try kerberos IV authentication" >&5 -$as_echo_n "checking whether to try kerberos IV authentication... " >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - AUTH_REG="$AUTH_REG kerb4" - ;; -esac -fi - - - # Check whether --with-kerb5 was given. if test "${with_kerb5+set}" = set; then : withval=$with_kerb5; case $with_kerb5 in 
@@ -18196,309 +18179,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then done fi -if test ${with_kerb4-'no'} != "no"; then - $as_echo "#define HAVE_KERB4 1" >>confdefs.h - - O_LDFLAGS="$LDFLAGS" - if test "$with_kerb4" = "yes"; then - found=no - O_CPPFLAGS="$CPPFLAGS" - for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do - CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - found=yes; break -fi -rm -f conftest.err conftest.i conftest.$ac_ext - done - test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS" - else - - if test X"$with_rpath" = X"yes"; then - case "$host" in - *-*-hpux*) LDFLAGS="${LDFLAGS} -L${with_kerb4}/lib -Wl,+b,${with_kerb4}/lib" - ;; - *) LDFLAGS="${LDFLAGS} -L${with_kerb4}/lib -Wl,-R${with_kerb4}/lib" - ;; - esac - else - LDFLAGS="${LDFLAGS} -L${with_kerb4}/lib" - fi - if test X"$blibpath" != X"" -a "LDFLAGS" = "SUDO_LDFLAGS"; then - blibpath_add="${blibpath_add}:${with_kerb4}/lib" - fi - - - if test X"$with_rpath" = X"yes"; then - case "$host" in - *-*-hpux*) SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -L${with_kerb4}/lib -Wl,+b,${with_kerb4}/lib" - ;; - *) SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -L${with_kerb4}/lib -Wl,-R${with_kerb4}/lib" - ;; - esac - else - SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -L${with_kerb4}/lib" - fi - if test X"$blibpath" != X"" -a "SUDOERS_LDFLAGS" = "SUDO_LDFLAGS"; then - blibpath_add="${blibpath_add}:${with_kerb4}/lib" - fi - - CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include" - ac_fn_c_check_header_mongrel "$LINENO" "krb.h" "ac_cv_header_krb_h" "$ac_includes_default" -if test "x$ac_cv_header_krb_h" = xyes; then : - found=yes -else - found=no -fi - - - fi - if test X"$found" = X"no"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&5 
-$as_echo "$as_me: WARNING: Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&2;} - fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for des_cbc_encrypt in -ldes" >&5 -$as_echo_n "checking for des_cbc_encrypt in -ldes... " >&6; } -if ${ac_cv_lib_des_des_cbc_encrypt+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldes $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char des_cbc_encrypt (); -int -main () -{ -return des_cbc_encrypt (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_des_des_cbc_encrypt=yes -else - ac_cv_lib_des_des_cbc_encrypt=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_des_des_cbc_encrypt" >&5 -$as_echo "$ac_cv_lib_des_des_cbc_encrypt" >&6; } -if test "x$ac_cv_lib_des_des_cbc_encrypt" = xyes; then : - K4LIBS="-ldes" -else - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for des_cbc_encrypt in -ldes425" >&5 -$as_echo_n "checking for des_cbc_encrypt in -ldes425... " >&6; } -if ${ac_cv_lib_des425_des_cbc_encrypt+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldes425 $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char des_cbc_encrypt (); -int -main () -{ -return des_cbc_encrypt (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_des425_des_cbc_encrypt=yes -else - ac_cv_lib_des425_des_cbc_encrypt=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_des425_des_cbc_encrypt" >&5 -$as_echo "$ac_cv_lib_des425_des_cbc_encrypt" >&6; } -if test "x$ac_cv_lib_des425_des_cbc_encrypt" = xyes; then : - K4LIBS="-ldes425" -else - K4LIBS="" -fi - - -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using KTH Kerberos IV" >&5 -$as_echo_n "checking whether we are using KTH Kerberos IV... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -const char *tmp = krb4_version; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - K4LIBS="${K4LIBS} -lcom_err" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lroken" >&5 -$as_echo_n "checking for main in -lroken... " >&6; } -if ${ac_cv_lib_roken_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lroken $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_roken_main=yes -else - ac_cv_lib_roken_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_roken_main" >&5 -$as_echo "$ac_cv_lib_roken_main" >&6; } -if test "x$ac_cv_lib_roken_main" = xyes; then : - K4LIBS="${K4LIBS} -lroken" -fi - - -else - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - - -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - as_ac_Lib=`$as_echo "ac_cv_lib_krb_main$K4LIBS" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lkrb" >&5 -$as_echo_n "checking for main in -lkrb... " >&6; } -if eval \${$as_ac_Lib+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lkrb $K4LIBS $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval "$as_ac_Lib=yes" -else - eval "$as_ac_Lib=no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -eval ac_res=\$$as_ac_Lib - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : - K4LIBS="-lkrb $K4LIBS" -else - - as_ac_Lib=`$as_echo "ac_cv_lib_krb4_main$K4LIBS" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lkrb4" >&5 -$as_echo_n "checking for main in -lkrb4... " >&6; } -if eval \${$as_ac_Lib+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lkrb4 $K4LIBS $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval "$as_ac_Lib=yes" -else - eval "$as_ac_Lib=no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -eval ac_res=\$$as_ac_Lib - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : - K4LIBS="-lkrb4 $K4LIBS" -else - K4LIBS="-lkrb $K4LIBS" - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS" >&5 -$as_echo "$as_me: WARNING: Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS" >&2;} - -fi - - -fi - - LDFLAGS="$O_LDFLAGS" - SUDOERS_LIBS="${SUDOERS_LIBS} $K4LIBS" - AUTH_OBJS="$AUTH_OBJS kerb4.lo" -fi - if test ${with_kerb5-'no'} != "no"; then # Extract the first word of "krb5-config", so it can be a program name with args. set dummy krb5-config; ac_word=$2 @@ -22487,6 +22167,5 @@ fi - diff --git a/configure.in b/configure.in index a5f38120b..0e41dd37c 100644 --- a/configure.in +++ b/configure.in @@ -402,15 +402,6 @@ AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV su ;; esac]) -AC_ARG_WITH(kerb4, [AS_HELP_STRING([--with-kerb4[[=DIR]]], [enable Kerberos IV support])], -[case $with_kerb4 in - no) ;; - *) AC_MSG_CHECKING(whether to try kerberos IV authentication) - AC_MSG_RESULT(yes) - AUTH_REG="$AUTH_REG kerb4" - ;; -esac]) - AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])], [case $with_kerb5 in no) ;; 
@@ -2517,65 +2508,6 @@ if test -z "${AUTH_EXCL}" -a -n "$AUTH_DEF"; then done fi -dnl -dnl Kerberos IV -dnl -if test ${with_kerb4-'no'} != "no"; then - AC_DEFINE(HAVE_KERB4) - dnl - dnl Use the specified directory, if any, else search for correct inc dir - dnl - O_LDFLAGS="$LDFLAGS" - if test "$with_kerb4" = "yes"; then - found=no - O_CPPFLAGS="$CPPFLAGS" - for dir in "" "kerberosIV/" "krb4/" "kerberos4/" "kerberosv4/"; do - CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}" - AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[#include ]])], [found=yes; break]) - done - test X"$found" = X"no" && CPPFLAGS="$O_CPPFLAGS" - else - SUDO_APPEND_LIBPATH(LDFLAGS, [${with_kerb4}/lib]) - SUDO_APPEND_LIBPATH(SUDOERS_LDFLAGS, [${with_kerb4}/lib]) - CPPFLAGS="$CPPFLAGS -I${with_kerb4}/include" - AC_CHECK_HEADER([krb.h], [found=yes], [found=no]) - fi - if test X"$found" = X"no"; then - AC_MSG_WARN([Unable to locate Kerberos IV include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS]) - fi - - dnl - dnl Check for -ldes vs. 
-ldes425 - dnl - AC_CHECK_LIB(des, des_cbc_encrypt, [K4LIBS="-ldes"], [ - AC_CHECK_LIB(des425, des_cbc_encrypt, [K4LIBS="-ldes425"], [K4LIBS=""]) - ]) - dnl - dnl Try to determine whether we have KTH or MIT/CNS Kerberos IV - dnl - AC_MSG_CHECKING(whether we are using KTH Kerberos IV) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[const char *tmp = krb4_version;]])], [ - AC_MSG_RESULT(yes) - K4LIBS="${K4LIBS} -lcom_err" - AC_CHECK_LIB(roken, main, [K4LIBS="${K4LIBS} -lroken"]) - ], [ - AC_MSG_RESULT(no) - ] - ) - dnl - dnl The actual Kerberos IV lib might be -lkrb or -lkrb4 - dnl - AC_CHECK_LIB(krb, main, [K4LIBS="-lkrb $K4LIBS"], [ - AC_CHECK_LIB(krb4, main, [K4LIBS="-lkrb4 $K4LIBS"], - [K4LIBS="-lkrb $K4LIBS"] - [AC_MSG_WARN([Unable to locate Kerberos IV libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDOERS_LDFLAGS and possibly add Kerberos libs to SUDOERS_LIBS])] - , [$K4LIBS]) - ], [$K4LIBS]) - LDFLAGS="$O_LDFLAGS" - SUDOERS_LIBS="${SUDOERS_LIBS} $K4LIBS" - AUTH_OBJS="$AUTH_OBJS kerb4.lo" -fi - dnl dnl Kerberos V dnl There is an easy way and a hard way... @@ -3166,7 +3098,6 @@ AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.]) AH_TEMPLATE(HAVE_IN6_ADDR, [Define to 1 if contains struct in6_addr.]) AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)]) AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)]) -AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.]) AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.]) AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.]) AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.]) diff --git a/doc/TROUBLESHOOTING b/doc/TROUBLESHOOTING index d1cd7289f..7ff528424 100644 
--- a/doc/TROUBLESHOOTING +++ b/doc/TROUBLESHOOTING @@ -121,9 +121,6 @@ A) Sudo removes the following "dangerous" environment variables _RLD_* SHLIB_PATH (HP-UX only) LIBPATH (AIX only) - KRB_CONF (kerb4 only) - KRBCONFDIR (kerb4 only) - KRBTKFILE (kerb4 only) KRB5_CONFIG (kerb5 only) VAR_ACE (SecurID only) USR_ACE (SecurID only) diff --git a/mkdep.pl b/mkdep.pl index 77f309fc8..e4828da24 100755 --- a/mkdep.pl +++ b/mkdep.pl @@ -54,7 +54,7 @@ sub mkdep { $makefile =~ s:\@SUDO_OBJS\@:preload.o selinux.o sesh.o sudo_noexec.lo:; $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo:; # XXX - fill in AUTH_OBJS from contents of the auth dir instead - $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb4.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid.lo securid5.lo sia.lo:; + $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid.lo securid5.lo sia.lo:; $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mktemp.lo nanosleep.lo setenv.lo siglist.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo unsetenv.lo utimes.lo globtest.o fnm_test.o:; # Parse OBJS lines diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index ccdcb5412..8ef0e5be0 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in 
@@ -523,13 +523,6 @@ iolog_path.lo: $(srcdir)/iolog_path.c $(top_builddir)/config.h \
 $(incdir)/gettext.h
 $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/iolog_path.c
 iolog_path.o: iolog_path.lo
-kerb4.lo: $(authdir)/kerb4.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
- $(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
- $(incdir)/alloc.h $(incdir)/list.h $(incdir)/fileops.h \
- $(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
- $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
- $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/kerb4.c
 kerb5.lo: $(authdir)/kerb5.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
 $(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
 $(incdir)/alloc.h $(incdir)/list.h $(incdir)/fileops.h \
diff --git a/plugins/sudoers/auth/kerb4.c b/plugins/sudoers/auth/kerb4.c
deleted file mode 100644
index dd4e9c99c..000000000
--- a/plugins/sudoers/auth/kerb4.c
+++ /dev/null
@@ -1,104 +0,0 @@ -/* - * Copyright (c) 1999-2005, 2007, 2010-2011 - * Todd C. Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * Sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F39502-99-1-0512. 
- */ - -#include - -#include -#include -#include -#ifdef STDC_HEADERS -# include -# include -#else -# ifdef HAVE_STDLIB_H -# include -# endif -#endif /* STDC_HEADERS */ -#ifdef HAVE_STRING_H -# include -#endif /* HAVE_STRING_H */ -#ifdef HAVE_STRINGS_H -# include -#endif /* HAVE_STRING_H */ -#ifdef HAVE_UNISTD_H -# include -#endif /* HAVE_UNISTD_H */ -#include -#include - -#include "sudoers.h" -#include "sudo_auth.h" - -int -kerb4_init(struct passwd *pw, sudo_auth *auth) -{ - static char realm[REALM_SZ]; - debug_decl(kerb4_init, SUDO_DEBUG_AUTH) - - /* Don't try to verify root */ - if (pw->pw_uid == 0) - debug_return_int(AUTH_FAILURE); - - /* Get the local realm, or retrun failure (no krb.conf) */ - if (krb_get_lrealm(realm, 1) != KSUCCESS) - debug_return_int(AUTH_FAILURE); - - /* Stash a pointer to the realm (used in kerb4_verify) */ - auth->data = (void *) realm; - - debug_return_int(AUTH_SUCCESS); -} - -int -kerb4_verify(struct passwd *pw, char *pass, sudo_auth *auth) -{ - char tkfile[sizeof(_PATH_SUDO_TIMEDIR) + 4 + MAX_UID_T_LEN]; - char *realm = (char *) auth->data; - int error; - debug_decl(kerb4_verify, SUDO_DEBUG_AUTH) - - /* - * Set the ticket file to be in sudo sudo timedir so we don't - * wipe out other (real) kerberos tickets. - */ - (void) snprintf(tkfile, sizeof(tkfile), "%s/tkt%u", - _PATH_SUDO_TIMEDIR, (unsigned int) pw->pw_uid); - (void) krb_set_tkt_string(tkfile); - - /* Convert the password to a ticket given. */ - error = krb_get_pw_in_tkt(pw->pw_name, "", realm, "krbtgt", realm, - DEFAULT_TKT_LIFE, pass); - - switch (error) { - case INTK_OK: - dest_tkt(); /* we are done with the temp ticket */ - debug_return_int(AUTH_SUCCESS); - break; - case INTK_BADPW: - case KDC_PR_UNKNOWN: - break; - default: - (void) fprintf(stderr, "Warning: Kerberos error: %s\n", - krb_err_txt[error]); - } - - debug_return_int(AUTH_FAILURE); -} diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index 2b0d07eab..8125a8979 100644 
--- a/plugins/sudoers/auth/sudo_auth.c
+++ b/plugins/sudoers/auth/sudo_auth.c
@@ -82,9 +82,6 @@ static sudo_auth auth_switch[] = {
 #ifdef HAVE_DCE
 AUTH_ENTRY("dce", 0, NULL, NULL, dce_verify, NULL, NULL, NULL)
 #endif
-#ifdef HAVE_KERB4
- AUTH_ENTRY("kerb4", 0, kerb4_init, NULL, kerb4_verify, NULL, NULL, NULL)
-#endif
 #ifdef HAVE_KERB5
 AUTH_ENTRY("kerb5", 0, kerb5_init, kerb5_setup, kerb5_verify, kerb5_cleanup, NULL, NULL)
 #endif
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
index 995edb71a..45715c1d3 100644
--- a/plugins/sudoers/auth/sudo_auth.h
+++ b/plugins/sudoers/auth/sudo_auth.h
@@ -83,8 +83,6 @@ int rfc1938_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
 int rfc1938_verify(struct passwd *pw, char *pass, sudo_auth *auth);
 int afs_verify(struct passwd *pw, char *pass, sudo_auth *auth);
 int dce_verify(struct passwd *pw, char *pass, sudo_auth *auth);
-int kerb4_init(struct passwd *pw, sudo_auth *auth);
-int kerb4_verify(struct passwd *pw, char *pass, sudo_auth *auth);
 int kerb5_init(struct passwd *pw, sudo_auth *auth);
 int kerb5_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
 int kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth);
diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index f045a5193..482712f83 100644
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -131,11 +131,6 @@ static const char *initial_badenv_table[] = {
 #ifdef __APPLE__
 "DYLD_*",
 #endif
-#ifdef HAVE_KERB4
- "KRB_CONF*",
- "KRBCONFDIR",
- "KRBTKFILE",
-#endif /* HAVE_KERB4 */
 #ifdef HAVE_KERB5
 "KRB5_CONFIG*",
 "KRB5_KTNAME",