The NetBSD Project

CVS log for src/lib/libpam/modules/pam_krb5/pam_krb5.c

[BACK] Up to [cvs.NetBSD.org] / src / lib / libpam / modules / pam_krb5

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.26.18.2 / (download) - annotate - [select for diffs], Mon Oct 2 13:09:01 2023 UTC (4 months, 3 weeks ago) by martin
Branch: netbsd-8
Changes since 1.26.18.1: +5 -3 lines
Diff to previous 1.26.18.1 (colored) to branchpoint 1.26 (colored) next main 1.27 (colored)

Pull up following revision(s) (requested by riastradh in ticket #1898):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

Revision 1.26.28.2 / (download) - annotate - [select for diffs], Mon Oct 2 13:07:12 2023 UTC (4 months, 3 weeks ago) by martin
Branch: netbsd-9
Changes since 1.26.28.1: +5 -3 lines
Diff to previous 1.26.28.1 (colored) to branchpoint 1.26 (colored) next main 1.27 (colored)

Pull up following revision(s) (requested by riastradh in ticket #1734):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

Revision 1.30.2.2 / (download) - annotate - [select for diffs], Mon Oct 2 13:05:41 2023 UTC (4 months, 3 weeks ago) by martin
Branch: netbsd-10
CVS Tags: netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1
Changes since 1.30.2.1: +5 -3 lines
Diff to previous 1.30.2.1 (colored) to branchpoint 1.30 (colored) next main 1.31 (colored)

Pull up following revision(s) (requested by riastradh in ticket #380):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

Revision 1.32 / (download) - annotate - [select for diffs], Thu Sep 28 02:31:04 2023 UTC (5 months ago) by riastradh
Branch: MAIN
CVS Tags: HEAD
Changes since 1.31: +5 -3 lines
Diff to previous 1.31 (colored)

pam_krb5: Fix PR lib/57631.

Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing.  Evidently we need automatic
tests for this pam business.

XXX pullup-10
XXX pullup-9
XXX pullup-8

Revision 1.26.18.1 / (download) - annotate - [select for diffs], Wed Jun 21 22:04:13 2023 UTC (8 months, 1 week ago) by martin
Branch: netbsd-8
Changes since 1.26: +96 -39 lines
Diff to previous 1.26 (colored)

Pull up following revision(s) (requested by riastradh in ticket #1844):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.26.28.1 / (download) - annotate - [select for diffs], Wed Jun 21 22:00:57 2023 UTC (8 months, 1 week ago) by martin
Branch: netbsd-9
Changes since 1.26: +96 -39 lines
Diff to previous 1.26 (colored)

Pull up following revision(s) (requested by riastradh in ticket #1652):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.30.2.1 / (download) - annotate - [select for diffs], Wed Jun 21 21:54:12 2023 UTC (8 months, 1 week ago) by martin
Branch: netbsd-10
Changes since 1.30: +97 -40 lines
Diff to previous 1.30 (colored)

Pull up following revision(s) (requested by riastradh in ticket #206):

	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.31 / (download) - annotate - [select for diffs], Tue Jun 20 22:17:18 2023 UTC (8 months, 1 week ago) by riastradh
Branch: MAIN
Changes since 1.30: +97 -40 lines
Diff to previous 1.30 (colored)

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:

- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

Revision 1.30 / (download) - annotate - [select for diffs], Sun Jan 16 10:52:18 2022 UTC (2 years, 1 month ago) by rillig
Branch: MAIN
CVS Tags: netbsd-10-base
Branch point for: netbsd-10
Changes since 1.29: +3 -3 lines
Diff to previous 1.29 (colored)

libpam: remove stray semicolon

No binary change.

Revision 1.29 / (download) - annotate - [select for diffs], Fri Jun 12 01:20:32 2020 UTC (3 years, 8 months ago) by fox
Branch: MAIN
CVS Tags: cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x
Changes since 1.28: +4 -5 lines
Diff to previous 1.28 (colored)

lib/libpam: Fix the possible -Werror=stringop-truncation

Replace strncpy(3) with the safer strlcpy(3) and adjust the code.

Error was reported when build.sh was run with MKLIBCSANITIZER=yes flag.

Reviewed by: kamil@, christos@

Revision 1.26.26.1 / (download) - annotate - [select for diffs], Wed Apr 8 14:07:15 2020 UTC (3 years, 10 months ago) by martin
Branch: phil-wifi
Changes since 1.26: +25 -10 lines
Diff to previous 1.26 (colored) next main 1.27 (colored)

Merge changes from current as of 20200406

Revision 1.28 / (download) - annotate - [select for diffs], Fri Feb 7 23:28:59 2020 UTC (4 years ago) by christos
Branch: MAIN
CVS Tags: phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, is-mlppp-base, is-mlppp
Changes since 1.27: +2 -3 lines
Diff to previous 1.27 (colored)

there is no potential overflow anymore (thanks Kamil)

Revision 1.27 / (download) - annotate - [select for diffs], Fri Feb 7 22:13:35 2020 UTC (4 years ago) by christos
Branch: MAIN
Changes since 1.26: +25 -9 lines
Diff to previous 1.26 (colored)

stop using sprintf and check for buffer overflow.

Revision 1.25.10.1 / (download) - annotate - [select for diffs], Wed Aug 20 00:02:19 2014 UTC (9 years, 6 months ago) by tls
Branch: tls-maxphys
Changes since 1.25: +6 -6 lines
Diff to previous 1.25 (colored) next main 1.26 (colored)

Rebase to HEAD as of a few days ago.

Revision 1.25.4.1 / (download) - annotate - [select for diffs], Thu May 22 11:36:58 2014 UTC (9 years, 9 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.25: +6 -6 lines
Diff to previous 1.25 (colored) next main 1.26 (colored)

sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs.  ("Protocol error: too many arguments")

Revision 1.26 / (download) - annotate - [select for diffs], Sat Dec 28 18:04:03 2013 UTC (10 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, phil-wifi-base, phil-wifi-20191119, phil-wifi-20190609, pgoyette-localcount-base, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, pgoyette-localcount, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-9-base, netbsd-9-3-RELEASE, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, matt-nb8-mediatek-base, matt-nb8-mediatek, localcount-20160914, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Branch point for: phil-wifi, netbsd-9, netbsd-8
Changes since 1.25: +6 -6 lines
Diff to previous 1.25 (colored)

avoid using freed pointers and non-format strings

Revision 1.25 / (download) - annotate - [select for diffs], Mon Apr 25 22:22:25 2011 UTC (12 years, 10 months ago) by christos
Branch: MAIN
CVS Tags: yamt-pagecache-tag8, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, cherry-xenmp-base, cherry-xenmp, agc-symver-base, agc-symver
Branch point for: yamt-pagecache, tls-maxphys
Changes since 1.24: +63 -113 lines
Diff to previous 1.24 (colored)

- make log_krb5 varyadic
- centralize error handling to one function
- check for NULL context

Revision 1.24 / (download) - annotate - [select for diffs], Sun Apr 24 18:48:04 2011 UTC (12 years, 10 months ago) by elric
Branch: MAIN
Changes since 1.23: +148 -73 lines
Diff to previous 1.23 (colored)

Remove use of functions marked as deprecated in Heimdal.

Revision 1.23 / (download) - annotate - [select for diffs], Sat Apr 2 10:22:09 2011 UTC (12 years, 11 months ago) by mbalmer
Branch: MAIN
Changes since 1.22: +3 -3 lines
Diff to previous 1.22 (colored)

Fix misplaced parenthesis, from henning.petersen@t-online.de, thanks.

Revision 1.21.12.1 / (download) - annotate - [select for diffs], Wed May 13 19:18:35 2009 UTC (14 years, 9 months ago) by jym
Branch: jym-xensuspend
Changes since 1.21: +3 -3 lines
Diff to previous 1.21 (colored) next main 1.22 (colored)

Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html

Revision 1.22 / (download) - annotate - [select for diffs], Sun Mar 8 19:38:03 2009 UTC (14 years, 11 months ago) by christos
Branch: MAIN
CVS Tags: matt-premerge-20091211, matt-mips64-premerge-20101231, jym-xensuspend-nbase, jym-xensuspend-base, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2
Changes since 1.21: +3 -3 lines
Diff to previous 1.21 (colored)

consistency in password prompt setting code (and with ssh)

Revision 1.20.4.1 / (download) - annotate - [select for diffs], Sun Mar 23 00:40:28 2008 UTC (15 years, 11 months ago) by matt
Branch: matt-armv6
Changes since 1.20: +5 -5 lines
Diff to previous 1.20 (colored) next main 1.21 (colored)

sync with HEAD

Revision 1.21 / (download) - annotate - [select for diffs], Sun Jan 27 01:23:20 2008 UTC (16 years, 1 month ago) by christos
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-pf42-base, yamt-pf42, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, mjf-devfs2-base, mjf-devfs2, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, matt-armv6-nbase, keiichi-mipv6-base, keiichi-mipv6, hpcarm-cleanup-nbase, hpcarm-cleanup-base
Branch point for: jym-xensuspend
Changes since 1.20: +5 -5 lines
Diff to previous 1.20 (colored)

Fix compilation

Revision 1.20 / (download) - annotate - [select for diffs], Sat Mar 10 18:30:45 2007 UTC (16 years, 11 months ago) by christos
Branch: MAIN
CVS Tags: matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf
Branch point for: matt-armv6
Changes since 1.19: +3 -3 lines
Diff to previous 1.19 (colored)

off by one, reported by jukka salmi.

Revision 1.19 / (download) - annotate - [select for diffs], Sat Mar 10 17:47:21 2007 UTC (16 years, 11 months ago) by christos
Branch: MAIN
Changes since 1.18: +24 -2 lines
Diff to previous 1.18 (colored)

PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

Revision 1.6.2.4 / (download) - annotate - [select for diffs], Fri Jan 5 14:14:53 2007 UTC (17 years, 1 month ago) by tron
Branch: netbsd-3
Changes since 1.6.2.3: +74 -62 lines
Diff to previous 1.6.2.3 (colored) to branchpoint 1.6 (colored) next main 1.7 (colored)

Apply patch (request by ghen in ticket #1617):
Update OpenPAM to 20050616 ("Figwort") and add the pam_afslog(8)
authentication module.

Revision 1.18 / (download) - annotate - [select for diffs], Fri Nov 3 18:55:40 2006 UTC (17 years, 3 months ago) by christos
Branch: MAIN
CVS Tags: wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4
Changes since 1.17: +3 -3 lines
Diff to previous 1.17 (colored)

init the syslog data.

Revision 1.17 / (download) - annotate - [select for diffs], Fri Nov 3 18:04:20 2006 UTC (17 years, 3 months ago) by christos
Branch: MAIN
Changes since 1.16: +12 -6 lines
Diff to previous 1.16 (colored)

use the re-entrant syslog functions so that we don't depend on the syslog
settings of the calling program.

Revision 1.16 / (download) - annotate - [select for diffs], Thu May 25 15:27:35 2006 UTC (17 years, 9 months ago) by christos
Branch: MAIN
CVS Tags: abandoned-netbsd-4-base, abandoned-netbsd-4
Changes since 1.15: +3 -3 lines
Diff to previous 1.15 (colored)

Coverity CID 3783: Fix uninit variable.

Revision 1.15 / (download) - annotate - [select for diffs], Tue May 23 00:58:42 2006 UTC (17 years, 9 months ago) by christos
Branch: MAIN
Changes since 1.14: +6 -2 lines
Diff to previous 1.14 (colored)

Coverity CID 3677: Plug memory leak

Revision 1.14 / (download) - annotate - [select for diffs], Sun Mar 19 21:21:18 2006 UTC (17 years, 11 months ago) by christos
Branch: MAIN
Changes since 1.13: +6 -4 lines
Diff to previous 1.13 (colored)

Coverity CID 1909: Prevent memory leak.

Revision 1.13 / (download) - annotate - [select for diffs], Sun Mar 19 21:15:21 2006 UTC (17 years, 11 months ago) by christos
Branch: MAIN
Changes since 1.12: +3 -3 lines
Diff to previous 1.12 (colored)

Coverity CID 2480: Move variable initialization higher up to prevent
uninitialized access during error cleanup.

Revision 1.12 / (download) - annotate - [select for diffs], Sun Mar 19 21:11:28 2006 UTC (17 years, 11 months ago) by christos
Branch: MAIN
Changes since 1.11: +3 -3 lines
Diff to previous 1.11 (colored)

Coverity CID 2481: Move initialization of variable higher up to prevent
uninitialized access in error path.

Revision 1.11 / (download) - annotate - [select for diffs], Sun Mar 19 21:07:55 2006 UTC (17 years, 11 months ago) by christos
Branch: MAIN
Changes since 1.10: +2 -3 lines
Diff to previous 1.10 (colored)

Coverity CID 2595: Don't call cc_destroy after cc_close because cc_close
free's the second argument.

Revision 1.10 / (download) - annotate - [select for diffs], Tue Sep 27 14:38:19 2005 UTC (18 years, 5 months ago) by tsarna
Branch: MAIN
Changes since 1.9: +64 -57 lines
Diff to previous 1.9 (colored)

Implement PAM_REFRESH_CRED / PAM_REINITIALIZE_CRED
support in pam_sm_setcred()

With this and a suitably pam-aware screen locker (eg xscreensaver built
with PAM), you now get the nice Windows-style behavior of having
your tickets refreshed (and tokens, with pam_afslog) when you unlock
your screen.

Revision 1.6.2.3 / (download) - annotate - [select for diffs], Mon Jul 11 11:29:04 2005 UTC (18 years, 7 months ago) by tron
Branch: netbsd-3
CVS Tags: netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0
Changes since 1.6.2.2: +2 -1 lines
Diff to previous 1.6.2.2 (colored) to branchpoint 1.6 (colored)

Pull up revision 1.9 (requested by lukem in ticket #539):
getpw*_r() may return 0 and set pwd==NULL

Revision 1.6.2.2 / (download) - annotate - [select for diffs], Mon Jul 11 11:23:34 2005 UTC (18 years, 7 months ago) by tron
Branch: netbsd-3
Changes since 1.6.2.1: +2 -1 lines
Diff to previous 1.6.2.1 (colored) to branchpoint 1.6 (colored)

Pull up revision 1.8 (requested by lukem in ticket #539):
check for pwd != in getpw*_r functions.

Revision 1.9 / (download) - annotate - [select for diffs], Tue Apr 19 03:38:47 2005 UTC (18 years, 10 months ago) by lukem
Branch: MAIN
Changes since 1.8: +4 -3 lines
Diff to previous 1.8 (colored)

getpw*_r() may return 0 and set pwd==NULL

Revision 1.8 / (download) - annotate - [select for diffs], Tue Apr 19 03:15:35 2005 UTC (18 years, 10 months ago) by christos
Branch: MAIN
Changes since 1.7: +4 -3 lines
Diff to previous 1.7 (colored)

check for pwd != in getpw*_r functions.

Revision 1.6.2.1 / (download) - annotate - [select for diffs], Mon Apr 4 17:55:36 2005 UTC (18 years, 10 months ago) by tron
Branch: netbsd-3
Changes since 1.6: +10 -10 lines
Diff to previous 1.6 (colored)

Pull up revision 1.7 (requested by thorpej in ticket #96):
Use getpwnam_r().

Revision 1.7 / (download) - annotate - [select for diffs], Thu Mar 31 15:11:54 2005 UTC (18 years, 11 months ago) by thorpej
Branch: MAIN
Changes since 1.6: +10 -10 lines
Diff to previous 1.6 (colored)

Use getpwnam_r().

Revision 1.6 / (download) - annotate - [select for diffs], Sat Feb 26 18:25:28 2005 UTC (19 years ago) by thorpej
Branch: MAIN
CVS Tags: netbsd-3-base
Branch point for: netbsd-3
Changes since 1.5: +20 -11 lines
Diff to previous 1.5 (colored)

Place some limits on the creds acquired for password change.  Other
minor cleanup inspired by passwd(1).

Revision 1.5 / (download) - annotate - [select for diffs], Sat Feb 26 18:10:35 2005 UTC (19 years ago) by thorpej
Branch: MAIN
Changes since 1.4: +11 -5 lines
Diff to previous 1.4 (colored)

Use the more familar princ@realm style of password prompt.

Revision 1.4 / (download) - annotate - [select for diffs], Sat Feb 26 18:03:37 2005 UTC (19 years ago) by thorpej
Branch: MAIN
Changes since 1.3: +11 -4 lines
Diff to previous 1.3 (colored)

Check for PAM_PRELIM_CHECK and simply do nothing.  (Did this even work
in FreeBSD?)

Revision 1.3 / (download) - annotate - [select for diffs], Sat Feb 26 15:57:57 2005 UTC (19 years ago) by thorpej
Branch: MAIN
Changes since 1.2: +10 -5 lines
Diff to previous 1.2 (colored)

Merge PAM20050226.

Revision 1.1.1.2 / (download) - annotate - [select for diffs] (vendor branch), Sat Feb 26 15:49:27 2005 UTC (19 years ago) by thorpej
Branch: FREEBSD
CVS Tags: PAM20050226
Changes since 1.1.1.1: +8 -3 lines
Diff to previous 1.1.1.1 (colored)

Import FreeBSD's PAM modules corresponding to the ones we currently
support as of today (20050226).  This brings in some fixes to a few
of the PAM modules.

Revision 1.2 / (download) - annotate - [select for diffs], Sun Dec 12 08:18:45 2004 UTC (19 years, 2 months ago) by christos
Branch: MAIN
Changes since 1.1: +8 -2 lines
Diff to previous 1.1 (colored)

- NetBSD build glue
- Warning fixes
- RCSID's

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Sun Dec 12 06:45:43 2004 UTC (19 years, 2 months ago) by christos
Branch: FREEBSD
CVS Tags: PAM20041212
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

- Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do
  with them.
- Imported radius and ssh, although they will not work until we
  import libradius and re-structure our tree to install libssh.

Revision 1.1 / (download) - annotate - [select for diffs], Sun Dec 12 06:45:43 2004 UTC (19 years, 2 months ago) by christos
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>