Russ Allbery wrote:
Douglas E Engert <[EMAIL PROTECTED]> writes:
Package: libpam-krb5
Version: 2.3
Russ, Sam,
Downloaded pam-krb5-2.3 from ftp://ftp.eyrie.org/pub/software/kerberos
to test with Heimdal snapshot 20061002 on Ubuntu Edgy. I built from your
source, not the Debian source.
I had to make the following changes to get it to run and work with gdm
and gdm-screensaver.
compat_heimdal.c
o added #include <errno.h>
o pamk5_compat_store_realm renamed to pamk5_compat_set_realm
o added return 0;
These were already applied to my development copy and will be in the
upcoming release.
o The Heimdal prompter has the name parameter. According to
the ChangeLog2001 this was done in 2001-05-11
Hm, I'm surprised that nothing has caught this, even though there's a PAM
module in Debian now that's built against Heimdal. I would have thought
that there would be a type mismatch in building against Heimdal when the
prompter was assigned. But this change does appear to be correct.
In the PAM the user and password are gotten by pam_get_item. But with the
PKINIT you really need to get the PIN via the prompter. There are smartcard
readers that have a keypad on the reader, and the reader can be told to get
the pin and send it directly to the card, thus avoiding keyboard sniffers,
and caching of the pin. So using the prompter lets the next lower level
code handle the situation and can use the prompter to only prompt, or
prompt and read the PIN.
Ah, indeed, the Heimdal module was reporting a build warning, and the only
reason why this worked is that we normally don't use the prompter.
The nice thing about this change is that it makes MIT and Heimdal
identical, so I can remove the compat code entirely for this function.
context.c
o The use of the MIT error_message was replaced with the compat
version.
That's a general com_err function. Does Heimdal not provide it at all?
I got a compile error, that's why I changed it. It looks like error_message
is in the Heimdal code. I will look again at why it did not like it.
Its use in that one place was intentional since I'm reporting an error in
creating the context at all. That means that the context is going to be
NULL, and I didn't know if I could pass NULL in to krb5_get_err_text.
However, looking at the Heimdal source, it appears to do the right thing
with a NULL context, so I'll go ahead and make this change.
P.S. I got the PKINIT code in PAM working this afternoon too. There are some
questions about how the MIT code will handle PKINIT. I will send a note to
you, MIT, Heimdal and UMich on this tomorrow.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444