File pam_krb5.spec of Package pam_krb5

#
# spec file for package pam_krb5 (Version 2.3.1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild


Name:           pam_krb5
BuildRequires:  krb5-client krb5-devel krb5-server openssl-devel pam-devel
%define       PAM_RELEASE 1
License:        BSD 3-Clause; LGPL v2.0 or later
Group:          Productivity/Networking/Security
Provides:       pam_krb
AutoReqProv:    on
Version:        2.3.1
Release:        42
Summary:        PAM Module for Kerberos Authentication
Url:            http://sourceforge.net/projects/pam-krb5/
Source:         pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
Source2:        pam_krb5-po.tar.gz
Patch1:         pam_krb5-2.2.0-0.5-configure_ac.dif
Patch3:         pam_krb5-2.3.1-log-choise.dif
Patch4:         pam_krb5-po-Makevars.dif
Patch5:         pam_krb5-LINGUAS.dif
Patch6:         pam_krb5-2.3.1-post.dif
Patch7:         bug-425861_pam_krb5-2.3.1-ccacheperms.patch
Patch8:         pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
Patch9:         pam_krb5-2.3.1-switch-perms-on-refresh.dif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
This PAM module supports authentication against a Kerberos KDC. It also
supports updating your Kerberos password.



Authors:
--------
    Balazs Gal <balsa@rit.bme.hu>
    Nalin Dahyabhai <nalin@redhat.com>

%prep
%setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
%setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE}
%patch1
%patch3 -p1
%patch4 -p1
%patch5
%patch6
%patch7 -p1
%patch8 -p1
%patch9 -p1

%build
%{suse_update_config -f}
autoreconf --verbose --force --install
CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE "         \
./configure --libdir=/%_lib/     \
            --prefix=/usr        \
            --mandir=%{_mandir}  \
            --with-os-distribution="openSUSE" 
make %{?jobs:-j%jobs}
make -C po update-po
make check

%install
make install DESTDIR=$RPM_BUILD_ROOT
ln -sf pam_krb5.so $RPM_BUILD_ROOT/%_lib/security/pam_krb5afs.so
rm -f $RPM_BUILD_ROOT/%_lib/security/*.la
# Create filelist with translations
%{find_lang} pam_krb5

%clean
rm -rf $RPM_BUILD_ROOT

%files -f pam_krb5.lang
%defattr(444,root,root,755)
%doc TODO README* COPYING* ChangeLog AUTHORS NEWS
%attr(555,root,root) /%{_lib}/security/pam_krb5.so
%attr(555,root,root) /%{_lib}/security/pam_krb5afs.so
%dir /%{_lib}/security/pam_krb5
%attr(755,root,root) /%{_lib}/security/pam_krb5/pam_krb5_storetmp
%attr(444,root,root) %_mandir/man*/*.*
%attr(755,root,root) /usr/bin/afs5log

%changelog
* Fri Nov 21 2008 mc@suse.de
- update translations
* Wed Nov 05 2008 mc@suse.de
- update translations
* Wed Oct 29 2008 mc@suse.de
- use the upstream fix for
  pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
* Tue Oct 28 2008 mc@suse.de
- simplify switch permissions of refresh credentials
  (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
  add pam_krb5-2.3.1-switch-perms-on-refresh.dif)
* Fri Oct 24 2008 mc@suse.de
- write new ticket into shmem after password change if requested.
  (bnc#438181)
- update translations
* Mon Oct 06 2008 mc@suse.de
- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825)
  (bnc#425861)
* Thu Sep 04 2008 mc@suse.de
- if the realm name given to us is NULL, don't bother consulting
  the appdefaults
- check for the "debug" flag earlier
* Mon Sep 01 2008 mc@suse.de
- validate new fetched credentials
* Fri Jun 20 2008 mc@suse.de
- version 2.3.1
  * translations for messages!
  * added the ability to set up tokens in the rxk5 format
  * added the "token_strategy" option to control which methods we'll
  try to use for setting tokens
  * merge "null_afs" functionality from Jan Iven
  * when we're changing passwords, force at least one attempt to
  authenticate using the KDC, even in the pathological case where
  there's no previously-entered password and we were told not to ask
  for one (brc#400611)
* Fri Jun 06 2008 mc@suse.de
- update i18n files
* Fri May 09 2008 mc@suse.de
- update i18n files
* Mon Apr 14 2008 mc@suse.de
- update i18n files
* Thu Apr 10 2008 ro@suse.de
- added baselibs.conf file to build xxbit packages
  for multilib support
* Thu Mar 13 2008 mc@suse.de
- add i18n support
* Mon Feb 11 2008 mc@suse.de
- version 2.2.22
  * moved .k5login checks to a subprocess to avoid screwing with the
  parent process's tokens and PAG (fallout from #371761)
  * all options which took true/false before ("debug", "tokens", and
  so on) can now take service names
* Wed Nov 21 2007 mc@suse.de
- some bugfixes from upstream
* Fri Nov 09 2007 mc@suse.de
- version 2.2.21
  * fix permissions problems on keyring ccaches, so that users can write
  to them after we've set them up, and we can still do the cleanup
- remove pam_krb5-2.2.20-1-copy-cache-priv-fix.dif; fix is upstream
* Mon Nov 05 2007 mc@suse.de
- pam_krb5-2.2.20-1-copy-cache-priv-fix.dif
  fix permissions on the ccache in the non-file case
- pam_krb5-2.2.20-1-debug-log-choice.dif
  improve debug log
* Mon Oct 29 2007 mc@suse.de
- version 2.2.20
  * fixes for credential refreshing
- remove obsolete patch pam_krb5-2.2.19-fix-format-error.dif
  (fix is upstream)
* Fri Oct 26 2007 mc@suse.de
- version 2.2.19:
  * the "keytab" option can now be used to specify a custom location
  for a given service from within krb5.conf
  * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH
  if LOG_AUTHPRIV is not defined) instead of the application's default
  or LOG_USER
  * added the "pkinit_identity" option to provide a way to specify
  where the user's public-key credentials are, and "pkinit_flags" to
  specify arbitrary flags for libkrb5 (Heimdal only)
  * added the "preauth_options" option to provide a way to specify
  arbitrary preauthentication options to libkrb5 (MIT only)
  * added the "ccname_template" option to provide a way to specify
  where the user's credentials should be stored, so that KEYRING:
  credential caches can be deployed at will.
* Tue Aug 07 2007 mc@suse.de
- version 2.2.17:
  * corrected a typo in the pam_krb5(8) man page
  * clarified that the "tokens" flag should only be needed for
  applications which are not using PAM correctly
  * don't bother using a helper for creating v4 ticket files when we're
  just getting tokens
  * clean up the debug message which we emit when we do v5->v4
  principal name conversion
  * compilation fixes
  * let default "external" and "use_shmem" settings be specified at
  compile-time
  * correctly return a "unknown user" error when attempting to change
  a password for a user who has no corresponding principal (#235020)
  * don't bother using a helper for creating ccache files, which we're
  just going to delete, when we need to get tokens
* Mon Jul 16 2007 mc@suse.de
- version 2.2.14
  * treat a "client revoked" error as an "unknown principal" error
  * some small bugfixes
* Fri Jul 13 2007 mc@suse.de
- version 2.2.13
  * make it possible to have more than one ccache (and tktfile) at
  a time to work around apps which open a session, set the
  environment, and initialize creds (when we previously created
  a ccache, removing the one which was named in the environment)
* Mon Jul 02 2007 mc@suse.de
- version 2.2.12
  * add a "pwhelp" option.
  * Display the KDC error to users.
  * lots of bugfixes
* Thu Mar 15 2007 mc@suse.de
- drop privileges in _pam_krb5_sly_maybe_refresh when
  running in set uid and restore them on exit of this
  function. This enables us to refresh the ticket
  after screen un-lock.
  [#124611]
* Mon Sep 25 2006 mc@suse.de
- version 2.2.11
- remove two patches which are upstream now
  - pam_krb5-2.2.10-0-oldauthtok.dif
  - pam_krb5-2.2.10-0-testfix.dif
- make use of --with-os-distribution
* Thu Sep 14 2006 mc@suse.de
- fix pam_set_item call for AUTHTOK and OLDAUTHTOK
- fix testcase
- if the server returns an error message during password-changing,
  let the user see it
- add the "debug_sensitive" option, which actually logs passwords
- add the "no_subsequent_prompt" option, to force the module to
  always answer a libkrb5 prompt with the PAM_AUTHTOK value
* Tue Sep 12 2006 mc@suse.de
- version 2.2.10
  * log text for server-supplied error code along with the
  failure information.
  * rework the prompting bits so that it makes more correct use of
  the initial_prompt/use_first_pass flags and correctly disables
  use of the callback for arbitrary prompts
  * give the caller a way to specify which prompter callback we
  should use.
  * track whether or not we want to let libkrb5 ask for information
  via the callbacks.
  * and more fixes
* Thu Jul 27 2006 mc@suse.de
- version 2.2.9
  * look for krb5/krb5.h in preference to krb5.h (new in
  MIT Kerberos 1.5)
  * if the default principal in the ccache doesn't match the
  userinfo structure, update the userinfo structure.
  * always use the name of the v5 principal when saving
  credentials, especially for the "external" case where
  it may not be the value we originally guessed
  * be more careful about other ways which our prompting
  callback can try to break us
  * go back to overwriting the template, to avoid uncontrolled
  growth in the filename.
  * build the new ccache name by appending the mkstemp template
  instead of assuming the previous file ended with one
  * and more fixes.
- remove pam_krb5-2.2.3-1-prompter-segfault.dif it is upstream now
* Wed Jun 28 2006 mc@suse.de
- update to version 2.2.8
  * fix reporting of the reasons for password change failures
  * add "krb4_use_as_req" to completely disallow any attempts to get
  v4 credentials
  * do 524 conversion for the "external" cases, too
- remove obsolete patches
* Fri Apr 21 2006 mc@suse.de
- fix segfault in prompter [#165972]
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Jan 17 2006 mc@suse.de
- add two patches from upstream
  * pam_krb5-upstreamfix-password-handling.dif
  * pam_krb5-upstreamfix-testcase.dif
- build with more than one job
* Fri Jan 13 2006 mc@suse.de
- set /usr/bin/afs5log executable
* Wed Jan 11 2006 mc@suse.de
- add -fstack-protector to CFLAGS
* Tue Dec 20 2005 mc@suse.de
- update to version 2.2.3
- remove pam_krb5-2.2.0-0.5-NULL-fix.dif; patch is now upstream
* Fri Dec 02 2005 mc@suse.de
- update to version 2.2.2
  * don't leak the keytab file descriptor
  * actually check for AFS support first, so that the
  ioctl-only support case will work properly.
* Mon Nov 14 2005 uli@suse.de
- no afs_syscall on ARM
* Mon Nov 14 2005 mc@suse.de
- update to version 2.2.0-2
- remove obsolete patch (debug_false is upstream now)
* Mon Oct 10 2005 mc@suse.de
- update to current CVS version
- drop some patches (they are upstream now)
- fix NULL problem
* Wed Aug 17 2005 mc@suse.de
- got official fix for the authtok problem
  [#104051]
* Mon Aug 15 2005 mc@suse.de
- fix the behavior of password changing if use_authtok
  is not present [#104051]
* Wed Jun 29 2005 mc@suse.de
- fix change password
* Fri Jun 10 2005 mc@suse.de
- set default for debug to false [#87005]
* Thu Apr 07 2005 mc@suse.de
- switch to version 2.2.0-0.5
* Tue Feb 22 2005 nadvornik@suse.cz
- fixed parsing of time values
* Mon Feb 21 2005 mc@suse.de
- add pam_krb5-use-krb5_afslog.dif [#51047]
* Tue Jan 18 2005 okir@suse.de
- updated to latest pam_krb5 snapshot from sourceforge CVS
* Tue Jan 11 2005 ro@suse.de
- re-added afs module (added krbafs to neededforbuild)
* Mon Nov 22 2004 ro@suse.de
- remove afs for the moment, mit-kerberos does not have support
* Wed Apr 28 2004 ro@suse.de
- added -fno-strict-aliasing
* Fri Jan 16 2004 kukuk@suse.de
- Add pam-devel to neededforbuild
* Sun Jan 11 2004 adrian@suse.de
- build as user
* Wed Jul 16 2003 nadvornik@suse.cz
- replaced by different implementation of pam_krb5
- afs support
* Fri Jun 20 2003 okir@suse.de
- fix build problem with latest heimdal
- another fix for passwd updates (#20284)
* Wed Jun 18 2003 ro@suse.de
- use kerberos-devel-packages in neededforbuild
* Tue Apr 15 2003 ro@suse.de
- fixed neededforbuild
* Wed Aug 28 2002 okir@suse.de
- Security fix (#18463): unbecome_user did not properly reassert
  original privilege, and the caller didn't check the return value.
* Wed Jul 31 2002 okir@suse.de
- suse_update_config now updates the right files
* Wed Jul 24 2002 okir@suse.de
- fixed passwd(1) support; updated README
* Tue Jul 23 2002 okir@suse.de
- initial packaging