From root@scatcat.thn.saeab.se  Wed May 26 12:52:28 2004
Return-Path: <root@scatcat.thn.saeab.se>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 80EB316A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 26 May 2004 12:52:28 -0700 (PDT)
Received: from mailfe04.swip.net (mailfe04.swip.net [212.247.154.97])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6E5A243D4C
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 26 May 2004 12:52:26 -0700 (PDT)
	(envelope-from root@scatcat.thn.saeab.se)
Received: from [213.100.92.163] (HELO scatcat.thn.saeab.se)
  by mailfe04.swip.net (CommuniGate Pro SMTP 4.2b4a)
  with ESMTP id 50563262; Wed, 26 May 2004 21:52:12 +0200
Received: from scatcat.thn.saeab.se (localhost [127.0.0.1])
	by scatcat.thn.saeab.se (8.12.11/8.12.11) with ESMTP id i4QJqASL000571;
	Wed, 26 May 2004 21:52:10 +0200 (CEST)
	(envelope-from root@scatcat.thn.saeab.se)
Received: (from root@localhost)
	by scatcat.thn.saeab.se (8.12.11/8.12.11/Submit) id i4QJq9FP000570;
	Wed, 26 May 2004 21:52:09 +0200 (CEST)
	(envelope-from root)
Message-Id: <200405261952.i4QJq9FP000570@scatcat.thn.saeab.se>
Date: Wed, 26 May 2004 21:52:09 +0200 (CEST)
From: thn@saeab.se
Reply-To: thn@saeab.se
To: FreeBSD-gnats-submit@freebsd.org
Cc: thn@saeab.se
Subject: [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         67231
>Category:       bin
>Synopsis:       [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 26 13:00:45 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Nyström
>Release:        FreeBSD 5.2.1-RELEASE-p7 i386
>Organization:
Sv. Aktuell Elektronik AB
>Environment:
System: FreeBSD home.thn.saeab.se 5.2.1-RELEASE-p7 FreeBSD 5.2.1-RELEASE-p7 #0: Tue May 25 23:00:03 CEST 2004 root@home.thn.saeab.se:/home/obj/src/5/src/sys/THN.HOME i386

>Description:
The pam_krb5 module has no way of requesting that the retrieved ticket be
issued without addresses. That parameter can be set in /etc/krb5.conf,
but pam_krb5 does not honor the default flags from that file.

>How-To-Repeat:
Log in using pam_krb5 and try to get tickets without addresses.
The result can be checked with 'klist -v'.
A ticket without addresses is needed if the ticket is to be used
across a firewall.
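As an added example, not part of the PR itself, this is the kind of /etc/krb5.conf fragment the patched module honors: the `login` application name matches the string the patch passes to krb5_get_init_creds_opt_set_default_flags(), and EXAMPLE.COM is a constructed placeholder realm.

```ini
# Constructed example /etc/krb5.conf fragment (not from the PR).
[libdefaults]
	# Placeholder realm for the example.
	default_realm = EXAMPLE.COM

[appdefaults]
	# Looked up by krb5_get_init_creds_opt_set_default_flags() for
	# appname "login". The module's own "forwardable" PAM option is
	# applied after these defaults and can still override "forwardable".
	login = {
		forwardable = true
		# Request an addressless TGT so it stays usable across a firewall.
		no-addresses = true
	}
```

After logging in through a PAM service that uses the patched module, `klist -v` should list the TGT without any client addresses, which is the check the How-To-Repeat section describes.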

>Fix:
Changed file:
__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.18 2003/05/31 17:19:03 des Exp $");

--- pam.diff begins here ---
--- pam_krb5.c.original	Wed May 26 19:42:17 2004
+++ pam_krb5.c	Wed May 26 20:54:48 2004
@@ -137,11 +137,6 @@
 
 	krb5_get_init_creds_opt_init(&opts);
 
-	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
-		krb5_get_init_creds_opt_set_forwardable(&opts, 1);
-
-	PAM_LOG("Credentials initialised");
-
 	krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
 	if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
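Review bot: dropping the forwardable handling and its log line here with no replacement in this hunk only works because the second hunk re-adds them after the new krb5_get_init_creds_opt_set_default_flags() call; that ordering is the whole point of the change, since the default-flags call sets forwardable (and the other flags) in opts from krb5.conf and would otherwise clobber an explicit PAM_OPT_FORWARDABLE. A short comment above `krb5_get_init_creds_opt_init(&opts);` saying that per-option flags are applied later, once the realm is known, would keep a future edit from moving the option back up here.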
@@ -183,6 +178,14 @@
 	}
 
 	PAM_LOG("Got principal: %s", princ_name);
+
+	krb5_get_init_creds_opt_set_default_flags(pam_context, "login",
+					    princ->realm, &opts);
+
+	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
+		krb5_get_init_creds_opt_set_forwardable(&opts, 1);
+
+	PAM_LOG("Credentials flags initialised");
 
 	/* Get password */
 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
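Review bot: the application name passed to krb5_get_init_creds_opt_set_default_flags() is hardcoded as "login", so only [appdefaults] entries under `login` (or realm-wide ones) are honoured regardless of which PAM service (sshd, su, ...) loaded the module; consider passing the PAM service name from pam_get_item(pamh, PAM_SERVICE, ...) instead, or at least documenting the fixed name in pam_krb5(8). The explicit forwardable option is correctly applied after the defaults so it still wins over krb5.conf, but note it can only turn forwardable on, never off, which is worth a sentence in the man page as well.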
--- pam.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
