|
|
56e51f |
diff -up ./plugins/sudoers/auth/pam.c.krb5ccname ./plugins/sudoers/auth/pam.c
|
|
|
56e51f |
--- ./plugins/sudoers/auth/pam.c.krb5ccname 2019-10-28 13:27:38.000000000 +0100
|
|
|
56e51f |
+++ ./plugins/sudoers/auth/pam.c 2021-12-06 11:14:15.580226222 +0100
|
|
|
56e51f |
@@ -119,10 +119,10 @@ conv_filter_init(void)
|
|
|
56e51f |
|
|
|
56e51f |
/*
|
|
|
56e51f |
* Messages from PAM account management when trusted mode is enabled:
|
|
|
56e51f |
- * 1 Last successful login for %s: %s
|
|
|
56e51f |
- * 2 Last successful login for %s: %s on %s
|
|
|
56e51f |
- * 3 Last unsuccessful login for %s: %s
|
|
|
56e51f |
- * 4 Last unsuccessful login for %s: %s on %s
|
|
|
56e51f |
+ * 1 Last successful login for %s: %s
|
|
|
56e51f |
+ * 2 Last successful login for %s: %s on %s
|
|
|
56e51f |
+ * 3 Last unsuccessful login for %s: %s
|
|
|
56e51f |
+ * 4 Last unsuccessful login for %s: %s on %s
|
|
|
56e51f |
*/
|
|
|
56e51f |
if ((catd = catopen("pam_comsec", NL_CAT_LOCALE)) != -1) {
|
|
|
56e51f |
maxfilters += 4;
|
|
|
56e51f |
@@ -290,6 +290,7 @@ sudo_pam_init_quiet(struct passwd *pw, s
|
|
|
56e51f |
int
|
|
|
56e51f |
sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
|
|
|
56e51f |
{
|
|
|
56e51f |
+ const char *envccname;
|
|
|
56e51f |
const char *s;
|
|
|
56e51f |
int *pam_status = (int *) auth->data;
|
|
|
56e51f |
debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH)
|
|
|
56e51f |
@@ -298,8 +299,27 @@ sudo_pam_verify(struct passwd *pw, char
|
|
|
56e51f |
getpass_error = false; /* set by converse if user presses ^C */
|
|
|
56e51f |
conv_callback = callback; /* passed to conversation function */
|
|
|
56e51f |
|
|
|
56e51f |
+ /* Set KRB5CCNAME from the user environment if not set to propagate this
|
|
|
56e51f |
+ * information to PAM modules that may use it to authentication. */
|
|
|
56e51f |
+ envccname = sudo_getenv("KRB5CCNAME");
|
|
|
56e51f |
+ if (envccname == NULL && user_ccname != NULL) {
|
|
|
56e51f |
+ if (sudo_setenv("KRB5CCNAME", user_ccname, true) != 0) {
|
|
|
56e51f |
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
|
|
|
56e51f |
+ "unable to set KRB5CCNAME");
|
|
|
56e51f |
+ debug_return_int(AUTH_FAILURE);
|
|
|
56e51f |
+ }
|
|
|
56e51f |
+ }
|
|
|
56e51f |
+
|
|
|
56e51f |
/* PAM_SILENT prevents the authentication service from generating output. */
|
|
|
56e51f |
*pam_status = pam_authenticate(pamh, PAM_SILENT);
|
|
|
56e51f |
+
|
|
|
56e51f |
+ /* Restore KRB5CCNAME to its original value. */
|
|
|
56e51f |
+ if (envccname == NULL && sudo_unsetenv("KRB5CCNAME") != 0) {
|
|
|
56e51f |
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
|
|
|
56e51f |
+ "unable to restore KRB5CCNAME");
|
|
|
56e51f |
+ debug_return_int(AUTH_FAILURE);
|
|
|
56e51f |
+ }
|
|
|
56e51f |
+
|
|
|
56e51f |
if (getpass_error) {
|
|
|
56e51f |
/* error or ^C from tgetpass() */
|
|
|
56e51f |
debug_return_int(AUTH_INTR);
|