Package: libpam-krb5
Version: 1.2.0-3
Severity: wishlist
Tags: patch
I added support for creation of renewable credentials (for use with
'kinit -R').
The patch adds the option "renewlifetime" to set the maximal renewable
time for the ticket. It uses krb5_deltat for setting the time,
but parse_args still lacks support for reading parameters consisting of
several words. So 'renewlifetime=62d' works, 'renewlifetime="2 hours
fortnight"' does not.
Maybe you want to include this feature.
Thanks,
Holger Mense
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.15.6-client
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages libpam-krb5 depends on:
ii krb5-config 1.6 Configuration files for Kerberos V
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libcomerr2 1.37-2sarge1 common error description library
ii libkrb53 1.3.6-2sarge2 MIT Kerberos runtime libraries
ii libpam0g 0.76-22 Pluggable Authentication Modules l
-- no debconf information
diff -Naur -x .project -x .cdtproject libpam-krb5.orig/pam_krb5.5
libpam-krb5/pam_krb5.5
--- libpam-krb5.orig/pam_krb5.5 2006-04-03 16:07:17.000000000 +0200
+++ libpam-krb5/pam_krb5.5 2006-04-03 16:34:53.000000000 +0200
@@ -101,6 +101,10 @@
.B forwardable
Obtain forwardable Kerberos credentials for the user.
.TP
+.B renewlifetime=<lifetime>
+Obtain renewable Kerberos credentials for the user, with a total life time of
+.IR lifetime .
+.TP
.B no_ccache
Do not save the obtained credentials in a credentials cache. This is a
useful option if the authentication module is used for services such
diff -Naur -x .project -x .cdtproject libpam-krb5.orig/pam_krb5.h
libpam-krb5/pam_krb5.h
--- libpam-krb5.orig/pam_krb5.h 2006-04-03 16:07:17.000000000 +0200
+++ libpam-krb5/pam_krb5.h 2006-04-03 16:13:33.000000000 +0200
@@ -21,6 +21,7 @@
int try_first_pass;
int use_first_pass;
int forwardable;
+ char *renewlifetime;
int reuse_ccache;
int no_ccache;
int ignore_root;
diff -Naur -x .project -x .cdtproject libpam-krb5.orig/support.c
libpam-krb5/support.c
--- libpam-krb5.orig/support.c 2006-04-03 16:07:17.000000000 +0200
+++ libpam-krb5/support.c 2006-04-03 16:18:15.000000000 +0200
@@ -27,6 +27,7 @@
int i;
memset(&pam_args, 0, sizeof(pam_args));
+ pam_args.renewlifetime = NULL;
for (i = 0; i < argc; i++) {
if (strcmp(argv[i], "debug") == 0)
pam_args.debug = 1;
@@ -36,6 +37,8 @@
pam_args.use_first_pass = 1;
else if (strcmp(argv[i], "forwardable") == 0)
pam_args.forwardable = 1;
+ else if (strncmp(argv[i], "renewlifetime=", 14) == 0)
+ pam_args.renewlifetime = (char *) &argv[i][14];
else if (strcmp(argv[i], "reuse_ccache") == 0)
pam_args.reuse_ccache = 1;
else if (strcmp(argv[i], "no_ccache") == 0)
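Review bot: The new `renewlifetime=` branch discards constness with `(char *) &argv[i][14]`. If argv here is PAM's `const char **` (its declaration is outside this hunk), the field in pam_krb5.h is better declared `const char *renewlifetime;`, so the assignment becomes `pam_args.renewlifetime = argv[i] + 14;` with no cast. The literal 14 has to be kept in sync with the prefix string by hand; `sizeof("renewlifetime=") - 1` ties the two together. An empty value (`renewlifetime=` with nothing after it) is stored as an empty string and is presumably only rejected later when the credentials are requested, so a comment such as `/* value is validated when the credentials are requested */` would help. The argument-parsing function starts and ends outside the hunk.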
@@ -181,6 +184,21 @@
if (pam_args.forwardable)
krb5_get_init_creds_opt_set_forwardable(&opts, 1);
+ if (pam_args.renewlifetime)
+ {
+ krb5_deltat rlife;
+ retval = krb5_string_to_deltat(pam_args.renewlifetime, &rlife);
+ if (retval != 0 || rlife == 0) {
+ dlog(ctx, "krb5_string_to_deltat(): %s",
error_message(retval));
+ retval = PAM_SERVICE_ERR;
+ goto done;
+ }
+ else
+ {
+ krb5_get_init_creds_opt_set_renew_life(&opts, rlife);
+ }
+ }
+
if (pam_args.ignore_root && strcmp("root", ctx->name) == 0) {
dlog(ctx, "ignoring root user login");
retval = PAM_SERVICE_ERR;
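Review bot: In the `retval != 0 || rlife == 0` check, the `rlife == 0` case logs `error_message(0)`, which gives no hint that the configured value was the problem, and a negative result is not rejected even though krb5_deltat is a signed type. I would test `rlife <= 0` and name the offending option in the message, e.g. `dlog(ctx, "invalid renewlifetime '%s': %s", pam_args.renewlifetime, retval ? error_message(retval) : "must be positive");`. A bad value makes every login through this module fail with PAM_SERVICE_ERR, so if dlog only writes when debugging is enabled (not visible here), the message should go through a path that always reaches the log. A short comment noting that the KDC's own policy still limits the renewable lifetime it grants would help administrators who configure a long value. The enclosing function starts and ends outside the hunk.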