The NetBSD Project

CVS log for src/lib/libpam/modules/pam_krb5/pam_krb5.c

[BACK] Up to [cvs.NetBSD.org] / src / lib / libpam / modules / pam_krb5

Request diff between arbitrary revisions


Keyword substitution: kv
Default branch: MAIN


Revision 1.26.18.2: download - view: text, markup, annotated - select for diffs
Mon Oct 2 13:09:01 2023 UTC (14 months ago) by martin
Branches: netbsd-8
CVS tags: netbsd-8-3-RELEASE
Diff to: previous 1.26.18.1: preferred, colored; branchpoint 1.26: preferred, colored; next MAIN 1.27: preferred, colored
Changes since revision 1.26.18.1: +5 -3 lines
Pull up following revision(s) (requested by riastradh in ticket #1898):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

Revision 1.26.28.2: download - view: text, markup, annotated - select for diffs
Mon Oct 2 13:07:12 2023 UTC (14 months ago) by martin
Branches: netbsd-9
CVS tags: netbsd-9-4-RELEASE
Diff to: previous 1.26.28.1: preferred, colored; branchpoint 1.26: preferred, colored; next MAIN 1.27: preferred, colored
Changes since revision 1.26.28.1: +5 -3 lines
Pull up following revision(s) (requested by riastradh in ticket #1734):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

Revision 1.30.2.2: download - view: text, markup, annotated - select for diffs
Mon Oct 2 13:05:41 2023 UTC (14 months ago) by martin
Branches: netbsd-10
CVS tags: netbsd-10-0-RELEASE, netbsd-10-0-RC6, netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1
Diff to: previous 1.30.2.1: preferred, colored; branchpoint 1.30: preferred, colored; next MAIN 1.31: preferred, colored
Changes since revision 1.30.2.1: +5 -3 lines
Pull up following revision(s) (requested by riastradh in ticket #380):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

Revision 1.32: download - view: text, markup, annotated - select for diffs
Thu Sep 28 02:31:04 2023 UTC (14 months, 1 week ago) by riastradh
Branches: MAIN
CVS tags: perseant-exfatfs-base-20240630, perseant-exfatfs-base, perseant-exfatfs, HEAD
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +5 -3 lines
pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

XXX pullup-10
XXX pullup-9
XXX pullup-8

Revision 1.26.18.1: download - view: text, markup, annotated - select for diffs
Wed Jun 21 22:04:13 2023 UTC (17 months, 2 weeks ago) by martin
Branches: netbsd-8
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +96 -39 lines
Pull up following revision(s) (requested by riastradh in ticket #1844):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.26.28.1: download - view: text, markup, annotated - select for diffs
Wed Jun 21 22:00:57 2023 UTC (17 months, 2 weeks ago) by martin
Branches: netbsd-9
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +96 -39 lines
Pull up following revision(s) (requested by riastradh in ticket #1652):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.30.2.1: download - view: text, markup, annotated - select for diffs
Wed Jun 21 21:54:12 2023 UTC (17 months, 2 weeks ago) by martin
Branches: netbsd-10
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +97 -40 lines
Pull up following revision(s) (requested by riastradh in ticket #206):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.31: download - view: text, markup, annotated - select for diffs
Tue Jun 20 22:17:18 2023 UTC (17 months, 2 weeks ago) by riastradh
Branches: MAIN
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +97 -40 lines
pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:

- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.30: download - view: text, markup, annotated - select for diffs
Sun Jan 16 10:52:18 2022 UTC (2 years, 10 months ago) by rillig
Branches: MAIN
CVS tags: netbsd-10-base
Branch point for: netbsd-10
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +3 -3 lines
libpam: remove stray semicolon

No binary change.

Revision 1.29: download - view: text, markup, annotated - select for diffs
Fri Jun 12 01:20:32 2020 UTC (4 years, 5 months ago) by fox
Branches: MAIN
CVS tags: cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +4 -5 lines
lib/libpam: Fix the possible -Werror=stringop-truncation

Replace strncpy(3) with the safer strlcpy(3) and adjust the code.

Error was reported when build.sh was run with MKLIBCSANITIZER=yes flag.

Reviewed by: kamil@, christos@

Revision 1.26.26.1: download - view: text, markup, annotated - select for diffs
Wed Apr 8 14:07:15 2020 UTC (4 years, 7 months ago) by martin
Branches: phil-wifi
Diff to: previous 1.26: preferred, colored; next MAIN 1.27: preferred, colored
Changes since revision 1.26: +25 -10 lines
Merge changes from current as of 20200406

Revision 1.28: download - view: text, markup, annotated - select for diffs
Fri Feb 7 23:28:59 2020 UTC (4 years, 9 months ago) by christos
Branches: MAIN
CVS tags: phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, is-mlppp-base, is-mlppp
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +2 -3 lines
there is no potential overflow anymore (thanks Kamil)

Revision 1.27: download - view: text, markup, annotated - select for diffs
Fri Feb 7 22:13:35 2020 UTC (4 years, 9 months ago) by christos
Branches: MAIN
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +25 -9 lines
stop using sprintf and check for buffer overflow.

Revision 1.25.10.1: download - view: text, markup, annotated - select for diffs
Wed Aug 20 00:02:19 2014 UTC (10 years, 3 months ago) by tls
Branches: tls-maxphys
Diff to: previous 1.25: preferred, colored; next MAIN 1.26: preferred, colored
Changes since revision 1.25: +6 -6 lines
Rebase to HEAD as of a few days ago.

Revision 1.25.4.1: download - view: text, markup, annotated - select for diffs
Thu May 22 11:36:58 2014 UTC (10 years, 6 months ago) by yamt
Branches: yamt-pagecache
Diff to: previous 1.25: preferred, colored; next MAIN 1.26: preferred, colored
Changes since revision 1.25: +6 -6 lines
sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs.  ("Protocol error: too many arguments")

Revision 1.26: download - view: text, markup, annotated - select for diffs
Sat Dec 28 18:04:03 2013 UTC (10 years, 11 months ago) by christos
Branches: MAIN
CVS tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, phil-wifi-base, phil-wifi-20191119, phil-wifi-20190609, pgoyette-localcount-base, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, pgoyette-localcount, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-9-base, netbsd-9-3-RELEASE, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, matt-nb8-mediatek-base, matt-nb8-mediatek, localcount-20160914, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Branch point for: phil-wifi, netbsd-9, netbsd-8
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +6 -6 lines
avoid using freed pointers and non-format strings

Revision 1.25: download - view: text, markup, annotated - select for diffs
Mon Apr 25 22:22:25 2011 UTC (13 years, 7 months ago) by christos
Branches: MAIN
CVS tags: yamt-pagecache-tag8, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, cherry-xenmp-base, cherry-xenmp, agc-symver-base, agc-symver
Branch point for: yamt-pagecache, tls-maxphys
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +63 -113 lines
- make log_krb5 varyadic
- centralize error handling to one function
- check for NULL context

Revision 1.24: download - view: text, markup, annotated - select for diffs
Sun Apr 24 18:48:04 2011 UTC (13 years, 7 months ago) by elric
Branches: MAIN
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +148 -73 lines
Remove use of functions marked as deprecated in Heimdal.

Revision 1.23: download - view: text, markup, annotated - select for diffs
Sat Apr 2 10:22:09 2011 UTC (13 years, 8 months ago) by mbalmer
Branches: MAIN
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +3 -3 lines
Fix misplaced parenthesis, from henning.petersen@t-online.de, thanks.

Revision 1.21.12.1: download - view: text, markup, annotated - select for diffs
Wed May 13 19:18:35 2009 UTC (15 years, 6 months ago) by jym
Branches: jym-xensuspend
Diff to: previous 1.21: preferred, colored; next MAIN 1.22: preferred, colored
Changes since revision 1.21: +3 -3 lines
Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html

Revision 1.22: download - view: text, markup, annotated - select for diffs
Sun Mar 8 19:38:03 2009 UTC (15 years, 9 months ago) by christos
Branches: MAIN
CVS tags: matt-premerge-20091211, matt-mips64-premerge-20101231, jym-xensuspend-nbase, jym-xensuspend-base, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +3 -3 lines
consistency in password prompt setting code (and with ssh)

Revision 1.20.4.1: download - view: text, markup, annotated - select for diffs
Sun Mar 23 00:40:28 2008 UTC (16 years, 8 months ago) by matt
Branches: matt-armv6
Diff to: previous 1.20: preferred, colored; next MAIN 1.21: preferred, colored
Changes since revision 1.20: +5 -5 lines
sync with HEAD

Revision 1.21: download - view: text, markup, annotated - select for diffs
Sun Jan 27 01:23:20 2008 UTC (16 years, 10 months ago) by christos
Branches: MAIN
CVS tags: yamt-pf42-baseX, yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-pf42-base, yamt-pf42, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, mjf-devfs2-base, mjf-devfs2, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, matt-armv6-nbase, keiichi-mipv6-base, keiichi-mipv6, hpcarm-cleanup-nbase, hpcarm-cleanup-base
Branch point for: jym-xensuspend
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +5 -5 lines
Fix compilation

Revision 1.20: download - view: text, markup, annotated - select for diffs
Sat Mar 10 18:30:45 2007 UTC (17 years, 9 months ago) by christos
Branches: MAIN
CVS tags: matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf
Branch point for: matt-armv6
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +3 -3 lines
off by one, reported by jukka salmi.

Revision 1.19: download - view: text, markup, annotated - select for diffs
Sat Mar 10 17:47:21 2007 UTC (17 years, 9 months ago) by christos
Branches: MAIN
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +24 -2 lines
PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

Revision 1.6.2.4: download - view: text, markup, annotated - select for diffs
Fri Jan 5 14:14:53 2007 UTC (17 years, 11 months ago) by tron
Branches: netbsd-3
Diff to: previous 1.6.2.3: preferred, colored; branchpoint 1.6: preferred, colored; next MAIN 1.7: preferred, colored
Changes since revision 1.6.2.3: +74 -62 lines
Apply patch (request by ghen in ticket #1617):
Update OpenPAM to 20050616 ("Figwort") and add the pam_afslog(8)
authentication module.

Revision 1.18: download - view: text, markup, annotated - select for diffs
Fri Nov 3 18:55:40 2006 UTC (18 years, 1 month ago) by christos
Branches: MAIN
CVS tags: wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +3 -3 lines
init the syslog data.

Revision 1.17: download - view: text, markup, annotated - select for diffs
Fri Nov 3 18:04:20 2006 UTC (18 years, 1 month ago) by christos
Branches: MAIN
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +12 -6 lines
use the re-entrant syslog functions so that we don't depend on the syslog
settings of the calling program.

Revision 1.16: download - view: text, markup, annotated - select for diffs
Thu May 25 15:27:35 2006 UTC (18 years, 6 months ago) by christos
Branches: MAIN
CVS tags: abandoned-netbsd-4-base, abandoned-netbsd-4
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +3 -3 lines
Coverity CID 3783: Fix uninit variable.

Revision 1.15: download - view: text, markup, annotated - select for diffs
Tue May 23 00:58:42 2006 UTC (18 years, 6 months ago) by christos
Branches: MAIN
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +6 -2 lines
Coverity CID 3677: Plug memory leak

Revision 1.14: download - view: text, markup, annotated - select for diffs
Sun Mar 19 21:21:18 2006 UTC (18 years, 8 months ago) by christos
Branches: MAIN
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +6 -4 lines
Coverity CID 1909: Prevent memory leak.

Revision 1.13: download - view: text, markup, annotated - select for diffs
Sun Mar 19 21:15:21 2006 UTC (18 years, 8 months ago) by christos
Branches: MAIN
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +3 -3 lines
Coverity CID 2480: Move variable initialization higher up to prevent
uninitialized access during error cleanup.

Revision 1.12: download - view: text, markup, annotated - select for diffs
Sun Mar 19 21:11:28 2006 UTC (18 years, 8 months ago) by christos
Branches: MAIN
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +3 -3 lines
Coverity CID 2481: Move initialization of variable higher up to prevent
uninitialized access in error path.

Revision 1.11: download - view: text, markup, annotated - select for diffs
Sun Mar 19 21:07:55 2006 UTC (18 years, 8 months ago) by christos
Branches: MAIN
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +2 -3 lines
Coverity CID 2595: Don't call cc_destroy after cc_close because cc_close
free's the second argument.

Revision 1.10: download - view: text, markup, annotated - select for diffs
Tue Sep 27 14:38:19 2005 UTC (19 years, 2 months ago) by tsarna
Branches: MAIN
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +64 -57 lines
Implement PAM_REFRESH_CRED / PAM_REINITIALIZE_CRED
support in pam_sm_setcred()

With this and a suitably pam-aware screen locker (eg xscreensaver built
with PAM), you now get the nice Windows-style behavior of having
your tickets refreshed (and tokens, with pam_afslog) when you unlock
your screen.

Revision 1.6.2.3: download - view: text, markup, annotated - select for diffs
Mon Jul 11 11:29:04 2005 UTC (19 years, 4 months ago) by tron
Branches: netbsd-3
CVS tags: netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0
Diff to: previous 1.6.2.2: preferred, colored; branchpoint 1.6: preferred, colored
Changes since revision 1.6.2.2: +2 -1 lines
Pull up revision 1.9 (requested by lukem in ticket #539):
getpw*_r() may return 0 and set pwd==NULL

Revision 1.6.2.2: download - view: text, markup, annotated - select for diffs
Mon Jul 11 11:23:34 2005 UTC (19 years, 4 months ago) by tron
Branches: netbsd-3
Diff to: previous 1.6.2.1: preferred, colored; branchpoint 1.6: preferred, colored
Changes since revision 1.6.2.1: +2 -1 lines
Pull up revision 1.8 (requested by lukem in ticket #539):
check for pwd != in getpw*_r functions.

Revision 1.9: download - view: text, markup, annotated - select for diffs
Tue Apr 19 03:38:47 2005 UTC (19 years, 7 months ago) by lukem
Branches: MAIN
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +4 -3 lines
getpw*_r() may return 0 and set pwd==NULL

Revision 1.8: download - view: text, markup, annotated - select for diffs
Tue Apr 19 03:15:35 2005 UTC (19 years, 7 months ago) by christos
Branches: MAIN
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +4 -3 lines
check for pwd != in getpw*_r functions.

Revision 1.6.2.1: download - view: text, markup, annotated - select for diffs
Mon Apr 4 17:55:36 2005 UTC (19 years, 8 months ago) by tron
Branches: netbsd-3
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +10 -10 lines
Pull up revision 1.7 (requested by thorpej in ticket #96):
Use getpwnam_r().

Revision 1.7: download - view: text, markup, annotated - select for diffs
Thu Mar 31 15:11:54 2005 UTC (19 years, 8 months ago) by thorpej
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +10 -10 lines
Use getpwnam_r().

Revision 1.6: download - view: text, markup, annotated - select for diffs
Sat Feb 26 18:25:28 2005 UTC (19 years, 9 months ago) by thorpej
Branches: MAIN
CVS tags: netbsd-3-base
Branch point for: netbsd-3
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +20 -11 lines
Place some limits on the creds acquired for password change.  Other
minor cleanup inspired by passwd(1).

Revision 1.5: download - view: text, markup, annotated - select for diffs
Sat Feb 26 18:10:35 2005 UTC (19 years, 9 months ago) by thorpej
Branches: MAIN
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +11 -5 lines
Use the more familar princ@realm style of password prompt.

Revision 1.4: download - view: text, markup, annotated - select for diffs
Sat Feb 26 18:03:37 2005 UTC (19 years, 9 months ago) by thorpej
Branches: MAIN
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +11 -4 lines
Check for PAM_PRELIM_CHECK and simply do nothing.  (Did this even work
in FreeBSD?)

Revision 1.3: download - view: text, markup, annotated - select for diffs
Sat Feb 26 15:57:57 2005 UTC (19 years, 9 months ago) by thorpej
Branches: MAIN
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +10 -5 lines
Merge PAM20050226.

Revision 1.1.1.2 (vendor branch): download - view: text, markup, annotated - select for diffs
Sat Feb 26 15:49:27 2005 UTC (19 years, 9 months ago) by thorpej
Branches: FREEBSD
CVS tags: PAM20050226
Diff to: previous 1.1.1.1: preferred, colored
Changes since revision 1.1.1.1: +8 -3 lines
Import FreeBSD's PAM modules corresponding to the ones we currently
support as of today (20050226).  This brings in some fixes to a few
of the PAM modules.

Revision 1.2: download - view: text, markup, annotated - select for diffs
Sun Dec 12 08:18:45 2004 UTC (19 years, 11 months ago) by christos
Branches: MAIN
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +8 -2 lines
- NetBSD build glue
- Warning fixes
- RCSID's

Revision 1.1.1.1 (vendor branch): download - view: text, markup, annotated - select for diffs
Sun Dec 12 06:45:43 2004 UTC (19 years, 11 months ago) by christos
Branches: FREEBSD
CVS tags: PAM20041212
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +0 -0 lines
- Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do
  with them.
- Imported radius and ssh, although they will not work until we
  import libradius and re-structure our tree to install libssh.

Revision 1.1: download - view: text, markup, annotated - select for diffs
Sun Dec 12 06:45:43 2004 UTC (19 years, 11 months ago) by christos
Branches: MAIN
Initial revision

Diff request

This form allows you to request diffs between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

Log view options

CVSweb <webmaster@jp.NetBSD.org>