--- libpam-krb5-3.13.orig/debian/docs +++ libpam-krb5-3.13/debian/docs @@ -0,0 +1,2 @@ +README +TODO --- libpam-krb5-3.13.orig/debian/watch +++ libpam-krb5-3.13/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://archives.eyrie.org/software/kerberos/pam-krb5-(.*)\.tar\.gz --- libpam-krb5-3.13.orig/debian/prerm +++ libpam-krb5-3.13/debian/prerm @@ -0,0 +1,20 @@ +#!/bin/sh + +set -e + +# pam-auth-update --remove removes the named profile from the active config. +# It arguably should be called during deconfigure as well, but deconfigure +# can happen in some cases during a dist-upgrade and we don't want to +# deconfigure all PAM modules in the middle of a dist-upgrade by accident. +# +# More importantly, with the current implementation, --remove also removes +# all local preferences for the named config (such as whether it's enabled +# or disabled), which we don't want to do on deconfigure. +# +# This may need to change later as pam-auth-update evolves. + +if [ "$1" = "remove" ] ; then + pam-auth-update --package --remove krb5 +fi + +#DEBHELPER# --- libpam-krb5-3.13.orig/debian/postinst +++ libpam-krb5-3.13/debian/postinst @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +pam-auth-update --package + +#DEBHELPER# --- libpam-krb5-3.13.orig/debian/compat +++ libpam-krb5-3.13/debian/compat @@ -0,0 +1 @@ +7 --- libpam-krb5-3.13.orig/debian/control +++ libpam-krb5-3.13/debian/control 
@@ -0,0 +1,21 @@ +Source: libpam-krb5 +Section: net +Priority: optional +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Russ Allbery +Uploaders: Sam Hartman +Standards-Version: 3.8.0 +Build-Depends: debhelper (>= 7), libkrb5-dev, libpam0g-dev +Homepage: http://www.eyrie.org/~eagle/software/pam-krb5/ +Vcs-Git: git://git.debian.org/git/pkg-k5-afs/pam-krb5.git +Vcs-Browser: http://git.debian.org/?p=pkg-k5-afs/pam-krb5.git + +Package: libpam-krb5 +Architecture: any +Depends: ${shlibs:Depends}, ${misc:DependS}, krb5-config, libpam-runtime (>= 1.0.1-6) +Conflicts: libpam-heimdal +Description: PAM module for MIT Kerberos + A Kerberos v5 PAM module build against the MIT Kerberos libraries. It + supports authenticating against a Kerberos v5 KDC, obtaining tickets and + populating an initial ticket cache, authorizing users via a ~/.k5login + file, and changing Kerberos v5 passwords. --- libpam-krb5-3.13.orig/debian/pam-auth-update +++ libpam-krb5-3.13/debian/pam-auth-update @@ -0,0 +1,20 @@ +Name: Kerberos authentication +Default: yes +Priority: 704 +Conflicts: krb5-openafs +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass +Auth-Initial: + [success=end default=ignore] pam_krb5.so minimum_uid=1000 +Account-Type: Additional +Account: + required pam_krb5.so minimum_uid=1000 +Password-Type: Primary +Password: + requisite pam_krb5.so use_authtok try_first_pass minimum_uid=1000 +Password-Initial: + requisite pam_krb5.so minimum_uid=1000 +Session-Type: Additional +Session: + optional pam_krb5.so minimum_uid=1000 --- libpam-krb5-3.13.orig/debian/README.Debian +++ libpam-krb5-3.13/debian/README.Debian 
@@ -0,0 +1,69 @@ +libpam-krb5 for Debian +---------------------- + +After installing this package, you must modify your PAM configuration +before you will be able to use Kerberos to authenticate. For a system +where user account authentication should be handled primarily through +Kerberos and password changes should be made against Kerberos, with +fallback to local authentication, the following basic configuration should +work. In /etc/pam.d/common-auth, put: + + auth sufficient pam_krb5.so minimum_uid=1000 + auth required pam_unix.so try_first_pass nullok_secure + +In /etc/pam.d/common-session: + + session optional pam_krb5.so minimum_uid=1000 + session required pam_unix.so + +In /etc/pam.d/common-account: + + account required pam_krb5.so minimum_uid=1000 + account required pam_unix.so + +(Note that the account function of pam_krb5.so will return ignore if the +user didn't log in via Kerberos, so this is will still allow access via a +local password. It will ensure that, if the user did log in via Kerberos, +their Kerberos authentication is checked against ~/.k5login if present.) + +Finally, in /etc/pam.d/common-password: + + password sufficient pam_krb5.so minimum_uid=1000 + password required pam_unix.so nullok obscure min=4 max=8 md5 + +Note the minimum_uid=1000 on all of these lines. This is optional, but +normally sites do not create a single root@example.com Kerberos principal +and use it for authentication to root accounts, and normally you don't +want to allow Kerberos authentication to system accounts. Also, trying to +do Kerberos authentication when the network is down may cause delays or +timeouts, and this way such authentication is never attempted for a root +login. On Debian systems, regular user accounts normally start at UID +1000; you may need to change this for local policy. + +This configuration will still require that users be listed in /etc/shadow, +since otherwise the pam_unix account module will fail. 
Normally, accounts +that should only use Kerberos authentication should be created with +adduser --disabled-password. If you don't want the accounts to be listed +in /etc/shadow at all (if, for example, you're using some other source +than files for your nsswitch configuration), you can mark the pam_krb5 +account module as sufficient rather than required so that pam_unix isn't +run. This will mean that you won't be able to disable accounts locally. + +If you regularly use ticket forwarding (such as with Kerberos rlogin or +ssh with GSSAPI support), you may wish to add the "forwardable" option to +the pam_krb5.so line in /etc/pam.d/common-auth or equivalently set +forwardable in /etc/krb5.conf (in either [libdefaults] for all Kerberos +applications or in a pam group in [appdefaults] just for the PAM module). + +This configuration assumes that one can generate a person's Kerberos +credential by appending the default realm to the local username. If this +is not the case for your system, make sure that every account for which +this is not the case has a .k5login file in their home directory listing +the Kerberos principals that should have access (or which is empty if none +should). Otherwise, someone will be able to access that account if they +know the password of the Kerberos principal in the default realm with the +same name. In this situation, you will probably also want to add the +"search_k5login" option to the pam_krb5.so line in /etc/pam.d/common-auth; +see the pam_krb5(5) man page for more information. + + -- Russ Allbery , Thu, 13 Nov 2008 10:29:10 -0800 --- libpam-krb5-3.13.orig/debian/rules +++ libpam-krb5-3.13/debian/rules 
@@ -0,0 +1,29 @@ +#!/usr/bin/make -f + +build: build-arch build-indep +build-arch: build-stamp +build-indep: +build-stamp: + dh build --before configure + dh_auto_configure -- --enable-reduced-depends --libdir=/lib + dh build --after configure + touch $@ + +install: install-stamp +install-stamp: + dh install --until dh_installdirs + install -m 644 debian/pam-auth-update \ + $(CURDIR)/debian/libpam-krb5/usr/share/pam-configs/krb5 + dh_installchangelogs NEWS + dh install --remaining + touch $@ + +binary: binary-arch binary-indep +binary-indep: +binary-arch: install-stamp + dh $@ + +%: + dh $@ + +.PHONY: binary binary-arch binary-indep build build-arch build-indep install --- libpam-krb5-3.13.orig/debian/changelog +++ libpam-krb5-3.13/debian/changelog 
@@ -0,0 +1,502 @@ +libpam-krb5 (3.13-2ubuntu2) karmic; urgency=low + + * No-change rebuild against libkrb5-3. + + -- Steve Langasek Mon, 08 Jun 2009 11:02:00 +0000 + +libpam-krb5 (3.13-2ubuntu1) jaunty; urgency=low + + * Merge from Debian unstable, remaining changes: + - debian/{pam-auth-update,postinst,prerm}, debian/rules, debian/dirs: + enable pam_krb5 by default using the new pam-auth-update support. + - debian/control: depend on libpam-runtime (>= 1.0.1-6) for the + above. + * Logging is now done with the LOG_AUTHPRIV facility. LP: #227531. + + -- Steve Langasek Wed, 04 Mar 2009 02:54:58 +0000 + +libpam-krb5 (3.13-2) unstable; urgency=low + + * Upload to unstable. + + -- Russ Allbery Tue, 17 Feb 2009 07:50:53 -0800 + +libpam-krb5 (3.13-1) experimental; urgency=high + + * New upstream release. + - SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore + user environment variables that specify the local keytab and + Kerberos configuration. Protects against a privilege escalation + vulnerability. + - SECURITY (CVE-2009-0361): Protect against applications calling + pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid + context. This API call is designed to reinitialize an existing + Kerberos ticket cache and therefore trusts the KRB5CCNAME + environment variable, but in a setuid context, this may allow + overwriting arbitrary files. + * Install the upstream NEWS file as an upstream changelog. + * Add ${misc:Depends} to the package dependencies. + * Improve wording for the GPL pointer. The package may be distributed + under any version of the GPL. + + -- Russ Allbery Wed, 11 Feb 2009 10:47:51 -0800 + +libpam-krb5 (3.12-1) experimental; urgency=low + + * New upstream release. + - New alt_auth_map, force_alt_auth, and only_alt_auth options to map + usernames to alternative Kerberos principals for authentication. + - Log to authpriv, not auth. + - Correctly log an exit status of ignore during debugging. + - Document ssh session requirement. 
(Closes: #492039) + - Document ignore handling with [] actions. (Closes: #492379) + * Update to debhelper compatibility mode V7. + - Use debhelper rule minimization except for configure. + - Let the upstream Makefile do the installation. + * Remove NEWS.Debian, only of interest in upgrades from sarge. + + -- Russ Allbery Thu, 13 Nov 2008 10:56:30 -0800 + +libpam-krb5 (3.11-4ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/libpam-krb5.{pam-auth-update,install,postinst,prerm}, + debian/rules, debian/dirs: enable pam_krb5 by default using the new + pam-auth-update support. LP: #275169. + - debian/control: depend on libpam-runtime (>= 1.0.1-4ubuntu1) for the + above. + + -- Marc Deslauriers Thu, 12 Feb 2009 03:55:42 +0000 + +libpam-krb5 (3.11-4) testing-security; urgency=high + + * SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore user + environment variables that specify the local keytab and Kerberos + configuration. Protects against a privilege escalation vulnerability. + * SECURITY (CVE-2009-0361): Protect against applications calling + pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid context. + This API call is designed to reinitialize an existing Kerberos ticket + cache and therefore trusts the KRB5CCNAME environment variable, but in + a setuid context, this may allow overwriting arbitrary files. + + -- Russ Allbery Thu, 29 Jan 2009 15:42:10 -0800 + +libpam-krb5 (3.11-3ubuntu1) jaunty; urgency=low + + * debian/libpam-krb5.{pam-auth-update,install,postinst,prerm}, + debian/rules, debian/dirs: enable pam_krb5 by default using the new + pam-auth-update support. LP: #275169. + * debian/control: depend on libpam-runtime (>= 1.0.1-4ubuntu1) for the + above. + + -- Steve Langasek Thu, 08 Jan 2009 09:42:55 +0000 + +libpam-krb5 (3.11-3) unstable; urgency=low + + * Fix segfault after detection of unsafe .k5login ownership when + search_k5login is set. Thanks, Andrew Deason. 
(Closes: #499479) + + -- Russ Allbery Thu, 18 Sep 2008 20:45:43 -0700 + +libpam-krb5 (3.11-2) unstable; urgency=low + + * Fix double-free of the cache data structure if cache creation fails + while opening a session or setting credentials. (LP: #257826) + + -- Russ Allbery Wed, 13 Aug 2008 23:36:54 -0700 + +libpam-krb5 (3.11-1) unstable; urgency=low + + * New upstream release. + - setcred, open_session, and acct_mgmt now return PAM_IGNORE instead + of PAM_SUCCESS for ignored users or non-Kerberos logins. + - New defer_pwchange option for fully correct expired password + handling. This is not the default because it will open security + holes in badly written applications. + - New force_pwchange option to force password change for expired + accounts during the authentication step even if the Kerberos library + doesn't support this. + - Warn if more than one of use_authtok, use_first_pass, and + try_first_pass are set and use the strongest. + - Remove workaround for older MIT Kerberos that improperly initialized + the credential option structure. The workaround was causing + problems for PKINIT with the current libraries (which fix this bug). + - Set explicit hidden visibility for all local symbols and further + restrict the visible symbols with a version script, removing leaks + of symbols into the application namespace. + * Install NEWS as the upstream changelog. Upstream no longer includes a + detailed CHANGES file. + * Rewrite and expand debian/copyright based on the upstream LICENSE + file. + * Add Vcs-Git and Vcs-Browser control fields. + * Update standards version to 3.8.0 (no changes required). + + -- Russ Allbery Thu, 10 Jul 2008 17:07:15 -0700 + +libpam-krb5 (3.10-1) unstable; urgency=low + + * New upstream release. + - If no_ccache is set, don't fail if we can't find module data. + - Better error handling when reading keytabs. 
+ * Document in README.Debian that accounts must still exist in + /etc/shadow when following the standard configuration and suggest an + alternate configuration when that isn't appropriate. Thanks, Raoul + Borenius. (Closes: #452592) + * No longer build-depend on comerr-dev, since the module no longer links + to it directly. + * Update standards version to 3.7.3 (no changes required). + + -- Russ Allbery Fri, 28 Dec 2007 21:56:26 -0800 + +libpam-krb5 (3.9-1) unstable; urgency=low + + * New upstream release. + - If use_authtok is set, fail if we retrieve a NULL password, since + that's how pam_cracklib rejects passwords. (Closes: #447306) + - Add clear_on_fail option to clear the password on failed password + change to force later password modules using use_authtok to fail. + - Fix parsing of the keytab PAM option. + - Return PAM_AUTHINFO_UNAVAIL when unable to resolve the realm. + - Additional debugging information in README. + * Add Homepage control field. + + -- Russ Allbery Mon, 12 Nov 2007 16:37:21 -0800 + +libpam-krb5 (3.8-1) unstable; urgency=low + + * New upstream release. + - Restore prompting for expired passwords. (Closes: #444740) + - Correctly handle a negative minimum UID setting. + + -- Russ Allbery Sun, 30 Sep 2007 11:52:41 -0700 + +libpam-krb5 (3.7-1) unstable; urgency=low + + * New upstream release. + - Read verification principal from keytab if given one explicitly. + - Don't store context data until after authentication has succeeded, + fixing behavior when stacking multiple invocations in different + realms. + - Use pam_modutil_getpwnam for better thread safety. + - Don't store PAM data unless saving a ticket cache. + - Restore safer linker flags, broken with the last release. + * Swap Sam and I as maintainer and uploaders. I'm now upstream and the + primary maintainer. + + -- Russ Allbery Sat, 29 Sep 2007 23:29:51 -0700 + +libpam-krb5 (3.6-1) unstable; urgency=low + + * New upstream release. 
+ - When search_k5login is enabled but the user doesn't exist locally, + fall back on standard Kerberos authentication instead of always + failing. Fix other error handling issues with search_k5login. This + fixes non-exploitable segfaults with unknown users. + - Clear ticket options when changing passwords. (Closes: #440050) + - Fix and document username canonicalization. (Closes: #437171) + - Add prompt_principal option. + + -- Russ Allbery Tue, 18 Sep 2007 19:43:18 -0700 + +libpam-krb5 (3.5-1) unstable; urgency=low + + * New upstream release. + - Fix compilation errors with Heimdal. (Closes: #413553) + - Document that ChallengeResponseAuthentication must be enabled in + sshd to prompt users to change expired passwords. (Closes: #411816) + - Support specifying a keytab other than the system keytab to use to + verify passwords. (Partly addresses #399002) + - New ticket_lifetime, banner, and expose_account config options. + - Honor PAM_SILENT where appropriate. + - Prefix the default cache type with FILE: to be explicit. + - If PAM_USER is set to a fully-qualified principal that the Kerberos + library can map to a local account name, reset PAM_USER to that + local account name after authentication. + - Return better PAM error codes for authentication failures. + - Fix various memory leaks and memory handling problems. + - Better error message handling with later Kerberos releases. + - Various improvements to debug logging. + * Update debhelper compatibility level to V5. + + -- Russ Allbery Tue, 10 Apr 2007 16:37:41 -0700 + +libpam-krb5 (2.6-1) unstable; urgency=low + + * New upstream release. + - Don't assume the return from pam_get_user will persist. + - Avoid a use of freed memory when debugging is enabled. + - Bind function calls within the PAM module where possible. + + -- Russ Allbery Wed, 29 Nov 2006 13:46:32 -0800 + +libpam-krb5 (2.5-1) unstable; urgency=low + + * New upstream release. + - Don't free the results of pam_get_item on password changes. 
Thanks, + Arne Nordmark. (Closes: #395041) + - Be more paranoid when checking authorization in pam_sm_acct_mgmt. + - Zero passwords before freeing them. + + -- Russ Allbery Fri, 3 Nov 2006 20:17:56 -0800 + +libpam-krb5 (2.4-1) unstable; urgency=low + + * New upstream release. + - Fix compilation with Heimdal. (Closes: #391276) + - Better error handling and several uninitialized variable fixes. + - Log when an unknown option is passed to the module. + + -- Russ Allbery Thu, 5 Oct 2006 16:34:48 -0700 + +libpam-krb5 (2.3-1) unstable; urgency=low + + * New upstream release. + - Fix prompting when the Kerberos library sends more than one prompt, + such as for changing an expired password. Thanks to Joachim Keltsch + for the analysis and an initial patch. (Closes: #385774) + - Add the retain_after_close option. + + -- Russ Allbery Sun, 3 Sep 2006 19:39:54 -0700 + +libpam-krb5 (2.2-1) unstable; urgency=low + + * New upstream release. + - Allow the default realm to be overridden in the PAM options. + - Use the realm when reading krb5.conf configuration. + + -- Russ Allbery Mon, 28 Aug 2006 16:39:31 -0700 + +libpam-krb5 (2.1-1) unstable; urgency=low + + * New upstream release. + - Strip off a FILE: prefix from the cache path before creating it in + case the user set ccache or ccache_dir with a cache type prefix. + * Upstream now uses Autoconf, so update the build rules accordingly. + * Upstream renamed CHANGES.old to CHANGES-old. + + -- Russ Allbery Sat, 26 Aug 2006 01:35:12 -0700 + +libpam-krb5 (2.0-1) unstable; urgency=low + + * New upstream release from a new upstream maintainer. + - Incorporated all Debian packages into the upstream release. + - Added new use_authtok, ignore_k5login, minimum_uid, and + renew_lifetime configuration options. (Closes: #360601, #355970) + - Support setting some options in krb5.conf. 
+ - Better support for password changing, including more correct saving + of passwords in the PAM stack, support for initial checks, and + better behavior as part of a password change stack. + - Fall back to the default ticket cache when reinitializing + credentials without a KRB5CCNAME setting. + - Understand the FILE: prefix to Kerberos ticket caches when + initializing the cache. (Closes: #381849) + - Improved support for the no_ccache option. + - Rewritten and significantly improved documentation. + - Use standard Kerberos library calls for ticket validation. + - Add a trailing nul to the password in the prompter function, + matching the behavior of the default Kerberos prompter. + - Extensive code, error status, memory, and namespace cleanup. + * Improve the package long description, removing the misleading caution + about use with network services. + * Update standards version to 3.7.2 (no changes required). + * Add build-arch and build-indep rulies just in case. + + -- Russ Allbery Fri, 11 Aug 2006 14:12:02 -0700 + +libpam-krb5 (1.2.0-3) unstable; urgency=low + + * Only call krb5_kuserok when the account to which we're authenticating + is a local account to allow use of pam_krb5 for application + authentication of users without local accounts. (Closes: #354133) + * Restructure the code to do user validation after obtaining their + initial tickets. This eliminates a lot of confusing special cases and + deferred checking and makes it easier to audit the code. + * Don't create the ticket cache until after successful authentication. + Otherwise, we leave files behind in /tmp. + * Document what principals libpam_krb5.so looks for in the system keytab + to do ticket validation. 
(Closes: #350556) + + -- Russ Allbery Wed, 8 Mar 2006 16:58:13 -0800 + +libpam-krb5 (1.2.0-2) unstable; urgency=low + + * Always use a disk cache for temporary storage of credentials and cope + with not having module-specific data during pam_sm_setcred by passing + the cache path in an environment variable. This is required to cope + with OpenSSH's technique (when using ChallengeResponseAuthentication) + of doing PAM authentication in a child process and then opening the + session in the parent. (Closes: #339734) + * Only initialize the ticket cache once no matter how many times setcred + is called. Saves duplicate work and works around a bug in xdm, which + calls setcred repeatedly and discards the environment set by the final + call. + * Don't assume we already have a context when changing passwords; passwd + doesn't work that way. (Closes: #344003) + * Fix the test for the new password. I don't think this would have + worked at all before. + * Improve debugging output for password changes. + * If search_k5login is specified but no .k5login is found, still check + the user with krb5_kuserok in case there are custom principal mappings + defined. + * Handle ignore_root in a cleaner fashion and add support for + ignore_root on password changes. + * Depend on krb5-config. (Closes: #342271) + * Document that ccache and ccache_dir must be specified as options to + the session module. (Closes: #341926) + * Document that pam_sm_authenticate and pam_sm_setcred also call + krb5_kuserok. + * Properly override the upstream CFLAGS so that debugging builds work. + * Don't ignore errors from make clean. + * Providing binary-indep in debian/rules is required by Policy even if + there are no arch-independent packages. Whoops. + + -- Russ Allbery Mon, 16 Jan 2006 18:11:57 -0800 + +libpam-krb5 (1.2.0-1) unstable; urgency=low + + * New upstream maintainer and version. + - Now supports reinitialization of credentials properly, allowing + programs such as xlock to refresh credentials. 
(Closes: #309345) + This currently only works with versions of xlock that try to refresh + credentials (xlockmore does not). + - Do not include the principal name in the prompt. This breaks some + SSH clients and isn't necessary. (Closes: #321319) + - New ignore_root option to skip this module for root authentication, + ameliorating pam_krb5 problems when the network is down. Partially + addresses #315622. + * Bug fixes to upstream version (all sent back to the maintainer): + - Succeed silently in account management if Kerberos wasn't used. + - Parse ccache_dir correctly. + - Bring the man page up to date. + - Link with -z defs to ensure all symbols were found. + * Readd the ccache option with a better implementation and allow for + randomization of the filename using mkstemp even if ccache is used. + * Add search_k5login option to allow authentication based on the + principals listed in ~/.k5login when the local account name doesn't + easily map to the Kerberos principal. + * Add specific configuration recommendations to README.Debian. + * Install upstream changelog now that there is one. + * Add a watch file. + * Update standards version to 3.6.2 (no changes required). + * Remove maintainer from uploaders; dak can handle this properly. + * Update uploader address. + * Remove unnecessary code from debian/rules. + + -- Russ Allbery Fri, 18 Nov 2005 14:48:57 -0800 + +libpam-krb5 (1.0-12) unstable; urgency=low + + * Revert the PAM_REINITIALIZE_CREDS change as it breaks sshd with + UsePAM. Add a source comment explaining the confusion about the + meaning of this flag. + + -- Russ Allbery Wed, 13 Apr 2005 16:01:45 -0700 + +libpam-krb5 (1.0-11) unstable; urgency=low + + * Return PAM_CRED_UNAVAIL to PAM_REINITIALIZE_CREDS as the apparently + most appropriate error message. (Closes: #191001) + * Remove reference to non-existant man page pam.conf(8) and change + pam(8) to pam(7). Thanks, Nik A. Melchior. 
(Closes: #271066) + * Include the user UID in the default ticket cache name so that rpc.gssd + and similar programs can find the ticket cache. Document the random + string in the default ticket cache name in the man page. Thanks, + Steinar H. Gunderson. (Closes: #295027) + * Really remove stray ex.doc-base.package file. + + -- Russ Allbery Wed, 13 Apr 2005 13:54:47 -0700 + +libpam-krb5 (1.0-10) unstable; urgency=low + + * Free authentication context used to prevent KDC spoofing, fixing a + file descriptor leak. Thanks, Martin Kögler. (Closes: #194542) + * Fix use_first_pass and try_first_pass for password changes and report + password change errors via the PAM conversation. Thanks, Martin Mares. + (Closes: #133461) + * Return PAM_USER_UNKNOWN and PAM_AUTHINFO_UNAVAIL where appropriate + when authenticating. Thanks, Roland Bauerschmidt. (Closes: #239399) + * Add missing includes to eliminate warnings. + * Update standards version to 3.6.1. + - Build with -g -O2 by default and support requesting no optimization. + * Simplified the build system. The copy of source files into a + subdirectory isn't needed since we don't apply patches at build time, + so the package can be built normally with a regular make invocation. + * Be sure not to pass -I/usr/include to the compiler. + * Updated the build system to debhelper 4. + - Removed unneeded call to dh_suidregister. + - Use dh_installman rather than dh_installmanpages. + * Flesh out the package description. + * Removed stray ex.doc-base.package file. + * Refer to /usr/share/common-licenses in debian/copyright for the GPL + and remove dh_make boilerplate language. + + -- Russ Allbery Mon, 6 Sep 2004 16:39:13 -0400 + +libpam-krb5 (1.0-9) unstable; urgency=high + + * Upload with no code changes in order to pick up symbol versions, + Closes: #260372 + * High urgency because we want this to make it into sarge. 
+ * Don't build-depend on libdb2-dev, Closes: #248517 + + -- Sam Hartman Wed, 18 Aug 2004 13:47:38 -0400 + +libpam-krb5 (1.0-8) unstable; urgency=low + + * Don't require user to exist in NSS, Closes: #141288 + * Conflict with libpam-heimdal, Closes: #146279 + * Fix pam_silent handling thanks to nocturne@permabit.com, Closes: #114475 + + -- Sam Hartman Sun, 4 Aug 2002 17:57:28 -0400 + +libpam-krb5 (1.0-7) unstable; urgency=low + + * Move fron non-us to main--second to last package of mine + + -- Sam Hartman Sat, 6 Apr 2002 20:55:14 -0500 + +libpam-krb5 (1.0-6) unstable; urgency=low + + * New version that supports sessions management. You may want to use + this to write out credentials at session managemment time, for example + so they can be used by openafs. + + -- Sam Hartman Sat, 12 May 2001 18:41:49 -0400 + +libpam-krb5 (1.0-5) unstable; urgency=low + + * Fix build-depends, closes: #80555 + + -- Sam Hartman Wed, 27 Dec 2000 17:02:18 -0500 + +libpam-krb5 (1.0-4) unstable; urgency=medium + + * Wildcard enctype matching so that you don't have to have a des-cbc-md5 + key. Previously, if you did not have a des-cbc-md5 key, it looks like + the code might not verify the ticket against the key, treating it as + if you had no local key and blindly trusted the KDC. In practice this + is not an issue with most Kerberos setups. + * Test against pam service keys like imap rather than just the host + service key. We still prefer host to service keys. + + -- Sam Hartman Tue, 19 Dec 2000 17:49:12 -0500 + +libpam-krb5 (1.0-3) unstable; urgency=low + + * Add code to destroy ccache on logout. + * Upload to Debian (Closes: BUG#79001) + + -- Sam Hartman Fri, 8 Dec 2000 13:46:06 -0500 + +libpam-krb5 (1.0-2) unstable; urgency=low + + * Release MIT Kerberos5 version of PAM module. + + -- Sam Hartman Thu, 30 Nov 2000 17:49:41 -0500 + +libpam-heimdal (1.0-1) unstable; urgency=low + + * Initial Release. 
+ + -- Brian May Fri, 17 Nov 2000 10:32:40 +1100 + --- libpam-krb5-3.13.orig/debian/copyright +++ libpam-krb5-3.13/debian/copyright 
@@ -0,0 +1,270 @@ +Original package by Brian May 2000-11-09 +Built for MIT Kerberos by Sam Hartman 2000-11-30 + +It was downloaded from: + + + +Upstream Authors: + + Russ Allbery + Andres Salomon + Frank Cusack + +Upstream Maintainer: + + Russ Allbery + +Debian packaging copyright: + + Copyright 2005, 2006, 2007, 2008 Russ Allbery + Copyright 2005, 2006, 2007, 2008 + Board of Trustees, Leland Stanford Jr. University + Copyright 2000, 2001, 2002, 2004 Sam Hartman + Copyright 2000 Brian May + + All files and modifications related to Debian packaging are covered + under the same license terms as the rest of the package. + +The pam-krb5 package as a whole is: + + Copyright (c) 2005, 2006, 2007, 2008 Russ Allbery + Copyright (c) 2005 Andres Salomon + Copyright (c) Frank Cusack, 1999-2000. + fcusack@fcusack.com + All rights reserved + +and covered under the following license: + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + + ALTERNATIVELY, this product may be distributed under the terms of + the GNU Public License, in which case the provisions of the GPL are + required INSTEAD OF the above restrictions. (This clause is + necessary due to a potential bad interaction between the GPL and + the restrictions contained in a BSD-style copyright.) 
+ + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +You can find the latest version of the GPL /usr/share/common-licenses/GPL +on Debian systems. You may distribute this package under any version of +the GPL that you choose. + +Collected copyright notices for the entire package: + + Copyright 2005, 2006, 2007, 2008 Russ Allbery + Copyright 2005, 2006, 2007, 2008 + Board of Trustees, Leland Stanford Jr. University + Copyright 2007, 2008 Markus Moeller + Copyright 1985-2005 Massachusetts Institute of Technology + Copyright 2005 Andres Salomon + Copyright 1999, 2000 Frank Cusack + Copyright 1997 The Regents of the University of Michigan + Copyright 1996 Derrick J. Brashear + Copyright 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, + 2002, 2003, 2004, 2005, 2006, 2007, 2008 + Free Software Foundation, Inc. + Copyright 1994 X Consortium + +The original version of this module was based on an earlier Kerberos v5 +PAM module by Naomaru Itoi: + + PAM-kerberos5 module Copyright notice. + Naomaru Itoi , June 24, 1997. 
+ + COPYRIGHT (c) 1997 + THE REGENTS OF THE UNIVERSITY OF MICHIGAN + ALL RIGHTS RESERVED + + PERMISSION IS GRANTED TO USE, COPY, CREATE DERIVATIVE WORKS AND + REDISTRIBUTE THIS SOFTWARE AND SUCH DERIVATIVE WORKS FOR ANY PURPOSE, + SO LONG AS THE NAME OF THE UNIVERSITY OF MICHIGAN IS NOT USED IN ANY + ADVERTISING OR PUBLICITY PERTAINING TO THE USE OR DISTRIBUTION OF THIS + SOFTWARE WITHOUT SPECIFIC, WRITTEN PRIOR AUTHORIZATION. IF THE ABOVE + COPYRIGHT NOTICE OR ANY OTHER IDENTIFICATION OF THE UNIVERSITY OF + MICHIGAN IS INCLUDED IN ANY COPY OF ANY PORTION OF THIS SOFTWARE, THEN + THE DISCLAIMER BELOW MUST ALSO BE INCLUDED. + + THE SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE + UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT + WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR + IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF + MERCHANTABITILY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF + THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR ANY DAMAGES, + INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, + WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH THE USE + OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE + POSSIBILITY OF SUCH DAMAGES. + + PAM-kerberos5 module is written based on PAM-kerberos4 module by + Derrick J. Brashear and kerberos5-1.0pl1 by M.I.T. kerberos team. + Permission to use, copy, modify, distribute this software is hereby + granted, as long as it is granted by Derrick J. Brashear and + M.I.T. kerberos team. + +This module was in turn based on a Kerberos v4 PAM module by Derrick J. +Brashear: + + Copyright (c) Derrick J. Brashear, 1996. All rights reserved + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. 
Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + + ALTERNATIVELY, this product may be distributed under the terms of + the GNU Public License, in which case the provisions of the GPL are + required INSTEAD OF the above restrictions. (This clause is + necessary due to a potential bad interaction between the GPL and + the restrictions contained in a BSD-style copyright.) + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +compat-aix.c is taken from the MIT Kerberos distribution and is covered by +the following copyright and license: + + Copyright (C) 1985-2005 by the Massachusetts Institute of Technology. + + All rights reserved. + + Export of this software from the United States of America may require + a specific license from the United States Government. 
It is the + responsibility of any person or organization contemplating export to + obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of M.I.T. not be used in advertising or publicity pertaining + to distribution of the software without specific, written prior + permission. Furthermore if you modify this software you must label + your software as modified software and not distribute it in such a + fashion that it might be confused with the original MIT software. + M.I.T. makes no representations about the suitability of this software + for any purpose. It is provided "as is" without express or implied + warranty. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + + Individual source code files are copyright MIT, Cygnus Support, + OpenVision, Oracle, Sun Soft, FundsXpress, and others. + + Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, + and Zephyr are trademarks of the Massachusetts Institute of Technology + (MIT). No commercial use of these trademarks may be made without + prior written permission of MIT. + + "Commercial use" means use of a name in a product or other for-profit + manner. It does NOT prevent a commercial firm from referring to the + MIT trademarks in order to convey information (although in doing so, + recognition of their trademark status should be given). 
+ +The file configure is generated by GNU Autoconf and is covered by the +following copyright and license: + + Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, + 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + +The files build-aux/config.guess and build-aux/config.sub are taken from +the Debian autotools-dev package and are covered by the following +copyright and license: + + Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1999, 2000, 2002, + 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2, or (at your option) any + later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + As a special exception to the GNU General Public License, if you + distribute this file as part of a program that contains a configuration + script generated by Autoconf, you may include it under the same + distribution terms that you use for the rest of that program. + +For the pam-krb5 distribution, the option described in the last paragraph +has been accepted and these files are distributed under the same terms as +the pam-krb5 package as a whole, as described at the top of this file. +You can find the GPL version 2 in /usr/share/common-licenses/GPL-2 on +Debian systems. 
+ +The file build-aux/install-sh is covered by the following copyright and +license: + + Copyright (C) 1994 X Consortium + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + + Except as contained in this notice, the name of the X Consortium shall + not be used in advertising or otherwise to promote the sale, use or + other dealings in this Software without prior written authorization + from the X Consortium. + + FSF changes to this file are in the public domain. --- libpam-krb5-3.13.orig/debian/dirs +++ libpam-krb5-3.13/debian/dirs @@ -0,0 +1 @@ +usr/share/pam-configs
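Review bot: in the 270-line copyright hunk (the one opening with "Original package by Brian May"), the line "It was downloaded from:" is followed only by blank lines as shown here, so the file records no upstream source location. Add the upstream URL under that line so the packaged tarball's origin can be verified. In the same hunk, "You can find the latest version of the GPL /usr/share/common-licenses/GPL" is missing "in" before the path. Several attribution lines end where an address would normally follow ("Naomaru Itoi , June 24, 1997."), so check that the contact details survived in the actual file. The spellings "MERCHANTABITILY" and "MERCHANTIBILITY" sit inside quoted upstream license texts and should stay verbatim if they match the upstream wording.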