diff --git a/.cvsignore b/.cvsignore
index e69de29..b55ff38 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -0,0 +1 @@
+krb5-1.2.1.tar
diff --git a/eklogin.xinetd b/eklogin.xinetd
new file mode 100644
index 0000000..d05b161
--- /dev/null
+++ b/eklogin.xinetd
@@ -0,0 +1,13 @@
+# default: off
+# description: The encrypting kerberized rlogin server accepts rlogin sessions \
+# authenticated and encrypted with Kerberos 5.
+service eklogin
+{
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/kerberos/sbin/klogind
+ server_args = -e -5
+ disable = yes
+}
diff --git a/gssftp.xinetd b/gssftp.xinetd
new file mode 100644
index 0000000..3f9f73e
--- /dev/null
+++ b/gssftp.xinetd
@@ -0,0 +1,14 @@
+# default: off
+# description: The kerberized FTP server accepts FTP connections \
+# that can be authenticated with Kerberos 5.
+service ftp
+{
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/kerberos/sbin/ftpd
+ server_args = -l -a
+ log_on_failure += USERID
+ disable = yes
+}
diff --git a/kadm5.acl b/kadm5.acl
new file mode 100644
index 0000000..dc93eb0
--- /dev/null
+++ b/kadm5.acl
@@ -0,0 +1 @@
+*/admin@EXAMPLE.COM *
diff --git a/kadmind.init b/kadmind.init
new file mode 100755
index 0000000..dc826cd
--- /dev/null
+++ b/kadmind.init
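Review bot: The single ACL line in kadm5.acl, `*/admin@EXAMPLE.COM *`, gives every kadmin privilege to any principal with an `admin` instance, and the realm is a placeholder that has to be edited before the entry matches anything real. krb5.spec in this commit installs the file as `%config(noreplace)`, so whatever the administrator does with this template persists across upgrades. If the ACL parser in this release accepts comment lines (to be confirmed), a leading comment such as `# Replace EXAMPLE.COM with your realm; narrow the trailing * to the permissions each admin principal actually needs.` would make both points visible in the file itself.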
@@ -0,0 +1,79 @@
+#!/bin/sh
+#
+# kadmind Start and stop the Kerberos 5 administrative server.
+#
+# chkconfig: - 35 65
+# description: Kerberos 5 is a trusted third-party authentication system. \
+# This script starts and stops the Kerberos 5 administrative \
+# server, which should only be run on the master server for a \
+# realm.
+# processname: kadmind
+#
+
+# Get config.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] && exit 0
+
+# Source function library.
+. /etc/init.d/functions
+
+RETVAL=0
+
+# Sheel functions to cut down on useless shell instances.
+start() {
+ if [ ! -f /var/kerberos/krb5kdc/principal ] ; then
+ exit 0
+ fi
+ if [ -f /var/kerberos/krb5kdc/kpropd.acl ] ; then
+ exit 0
+ else
+ if [ ! -f /var/kerberos/krb5kdc/kadm5.keytab ] ; then
+ echo "Extracting kadm5 Service Keys"
+ /usr/kerberos/sbin/kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw" && success || fail
+ echo
+ fi
+ fi
+ echo -n "Starting Kerberos 5 Admin Server"
+ daemon /usr/kerberos/sbin/kadmind
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && touch /var/lock/subsys/kadmin
+}
+stop() {
+ echo -n "Stopping Kerberos 5 Admin Server"
+ killproc kadmind
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && rm -f /var/lock/subsys/kadmin
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ status)
+ status kadmind
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/kadmin ] ; then
+ stop
+ start
+ fi
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|condrestart|restart}"
+ RETVAL=1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/kdc.conf b/kdc.conf
new file mode 100644
index 0000000..07adeb6
--- /dev/null
+++ b/kdc.conf
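Review bot: In start(), the keytab extraction ends with `&& success || fail`, but the Red Hat function library sourced above defines `failure`, not `fail`, as far as I know, so a failed `ktadd` would produce a command-not-found error instead of the status marker, and kadmind is started afterwards whether or not kadm5.keytab was written. I would use `&& success || failure` and return from start() with a non-zero RETVAL when the keytab is still missing after the attempt. Separately, `[ ${NETWORKING} = "no" ]` is unquoted, so an unset NETWORKING turns the test into a syntax error rather than a clean false; `[ "${NETWORKING}" = "no" ] && exit 0` avoids that. The same unquoted test appears in kpropd.init, krb524d.init and krb5kdc.init in this commit.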
@@ -0,0 +1,10 @@
+[kdcdefaults]
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+ dict_file = /usr/dict/words
+ admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+
+[realms]
+ EXAMPLE.COM = {
+ master_key_type = des-cbc-crc
+ supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
+ }
diff --git a/kdcrotate b/kdcrotate
new file mode 100644
index 0000000..35bd894
--- /dev/null
+++ b/kdcrotate
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# kdcrotate This shell script rotates the list of KDCs in /etc/krb5.conf
+#
+# Author: Based on SysV Init in RHS Linux by Damien Neil
+# Written by Nalin Dahyabhai
+#
+# chkconfig: 345 99 01
+#
+# description: Rotate the list of KDCs listed in /etc/krb5.conf
+#
+
+PATH=/sbin:$PATH
+
+# Only run in runlevels where we're 'enabled', which should only be 345.
+if [ "$1" != "start" ] ; then
+ exit 0
+fi
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+action "Rotating KDC list" "awk ' /^[[:space:]]*kdc[[:space:]]*=/ { \\
+ if(length(firstkdc) == 0) { \\
+ firstkdc = \$0; \\
+ } else { \\
+ if(length(kdclist) > 0) { \\
+ kdclist = kdclist ORS; \\
+ } \\
+ kdclist = kdclist \$0; \\
+ } \\
+ next; \\
+ } \\
+ { \\
+ if(length(kdclist) > 0) { \\
+ NEWCONFIG = NEWCONFIG kdclist ORS; \\
+ } \\
+ if(length(firstkdc) > 0) { \\
+ NEWCONFIG = NEWCONFIG firstkdc ORS; \\
+ } \\
+ firstkdc = \"\"; \\
+ kdclist = \"\"; \\
+ NEWCONFIG = NEWCONFIG \$0 ORS; \\
+ } \\
+ END {printf \"%s\", NEWCONFIG > \"/etc/krb5.conf\"}' /etc/krb5.conf"
diff --git a/klogin.xinetd b/klogin.xinetd
new file mode 100644
index 0000000..aa229a4
--- /dev/null
+++ b/klogin.xinetd
@@ -0,0 +1,13 @@
+# default: off
+# description: The kerberized rlogin server accepts BSD-style rlogin sessions, \
+# but uses Kerberos 5 authentication.
+service klogin
+{
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/kerberos/sbin/klogind
+ server_args = -5
+ disable = yes
+}
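Review bot: `master_key_type = des-cbc-crc` protects the whole principal database with a single-DES key, and `supported_enctypes` lists `des-cbc-crc:normal` first, so every new principal also receives a single-DES key. The same list already names `des3-cbc-sha1`, which suggests this build supports it; if it is also accepted as a master key type here (to be confirmed against the 1.2.1 documentation), the template should default to it and keep the DES entries only for the `v4` and `afs3` salts that need them. A comment above the realm block stating which entries exist purely for Kerberos IV and AFS compatibility would help administrators trim the list.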
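Review bot: The awk program in kdcrotate writes its result from the END block with `> "/etc/krb5.conf"`, the same file it has just read, so the client configuration is truncated and rewritten in place on every boot. If awk is interrupted or the write fails part-way (full filesystem, power loss during boot), the host is left with an empty or partial krb5.conf and Kerberos logins stop working. It would be safer to let awk print to standard output, redirect that into a temporary file created in /etc, and `mv` it over /etc/krb5.conf only when awk exited successfully and the result is non-empty. Mode and owner of the original should be copied onto the temporary file before the rename so they are not changed by it.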
diff --git a/kpropd.init b/kpropd.init
new file mode 100755
index 0000000..185996a
--- /dev/null
+++ b/kpropd.init
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# kpropd.init Start and stop the Kerberos 5 propagation client.
+#
+# chkconfig: - 35 65
+# description: Kerberos 5 is a trusted third-party authentication system. \
+# This script starts and stops the service that allows this \
+# KDC to receive updates from your master KDC.
+# processname: kpropd
+#
+
+# Get config.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] && exit 0
+
+# Source function library.
+. /etc/init.d/functions
+
+RETVAL=0
+
+# Sheel functions to cut down on useless shell instances.
+start() {
+ if [ ! -f /var/kerberos/krb5kdc/principal ] ; then
+ exit 0
+ fi
+ if [ ! -f /var/kerberos/krb5kdc/kpropd.acl ] ; then
+ exit 0
+ fi
+ echo -n "Starting Kerberos 5 Propagation Server:"
+ daemon /usr/kerberos/sbin/kpropd -S
+ RETVAL=$?
+ [ $RETVAL = 0 ] && touch /var/lock/subsys/kprop
+}
+stop() {
+ echo -n "Stopping Kerberos 5 Propagation Server:"
+ killproc kpropd
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && rm -f /var/lock/subsys/kprop
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ status)
+ status kpropd
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/kprop ] ; then
+ stop
+ start
+ fi
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|condrestart}"
+ RETVAL=1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/krb5-1.2.1-passive.patch b/krb5-1.2.1-passive.patch
new file mode 100644
index 0000000..e5cc528
--- /dev/null
+++ b/krb5-1.2.1-passive.patch
@@ -0,0 +1,29 @@
+--- krb5-1.2.1/src/appl/gssftp/ftp/main.c.passive Thu Jun 29 22:27:07 2000
++++ krb5-1.2.1/src/appl/gssftp/ftp/main.c Wed Aug 16 13:15:08 2000
+@@ -178,7 +178,7 @@
+ cpend = 0; /* no pending replies */
+ proxy = 0; /* proxy not active */
+ #ifndef NO_PASSIVE_MODE
+- passivemode = 0; /* passive mode not active */
++ passivemode = 1; /* passive mode active by default */
+ #endif
+ crflag = 1; /* strip c.r. on ascii gets */
+ sendport = -1; /* not using ports */
+--- krb5-1.2.1/src/appl/gssftp/ftp/ftp.M.passive Wed Aug 16 13:15:26 2000
++++ krb5-1.2.1/src/appl/gssftp/ftp/ftp.M Wed Aug 16 13:17:19 2000
+@@ -619,10 +619,11 @@
+ will forward a copy of the user's Kerberos tickets to the remote host.
+ .TP
+ .B passive
+-Toggle passive data transfer mode. In passive mode, the client initiates
+-the data connection by listening on the data port. Passive mode may
+-be necessary for operation from behind firewalls which do not permit
+-incoming connections.
++Toggle passive data transfer mode off. In passive mode, the client initiates
++the data connection by connecting to the data port. Passive mode is
++often necessary for operation from behind firewalls which do not permit
++incoming connections, but may need to be disabled if you connect to an
++FTP server which does not support passive operation.
+ .TP
+ .B private
+ Set the protection level on data transfers to ``private''. Data
diff --git a/krb5-telnet.xinetd b/krb5-telnet.xinetd
new file mode 100644
index 0000000..341ef3a
--- /dev/null
+++ b/krb5-telnet.xinetd
@@ -0,0 +1,13 @@
+# default: off
+# description: The kerberized telnet server accepts normal telnet sessions, \
+# but can also use Kerberos 5 authentication.
+service telnet
+{
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/kerberos/sbin/telnetd
+ log_on_failure += USERID
+ disable = yes
+}
diff --git a/krb5.conf b/krb5.conf
new file mode 100644
index 0000000..caf341d
--- /dev/null
+++ b/krb5.conf
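Review bot: The `service telnet` entry in krb5-telnet.xinetd passes no `server_args`, so once an administrator sets `disable = no`, telnetd will, as far as I can tell from its defaults, also accept ordinary password logins over an unencrypted session, which is what the description means by "normal telnet sessions". For a package whose stated purpose is to eliminate cleartext passwords, I would add `server_args = -a valid` so that only clients presenting valid Kerberos authentication are admitted, and say so in the description comment. The entry ships disabled, so this only takes effect from the moment someone enables it.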
@@ -0,0 +1,31 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ ticket_lifetime = 24000
+ default_realm = EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com:88
+ admin_server = kerberos.example.com:749
+ default_domain = example.com
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
+[kdc]
+ profile = /var/kerberos/krb5kdc/kdc.conf
+
+[pam]
+ debug = false
+ ticket_lifetime = 36000
+ renew_lifetime = 36000
+ forwardable = true
+ krb4_convert = false
diff --git a/krb5.csh b/krb5.csh
new file mode 100755
index 0000000..04ef510
--- /dev/null
+++ b/krb5.csh
@@ -0,0 +1,8 @@
+if ( /usr/kerberos/bin !~ "${path}" ) then
+ set path = ( /usr/kerberos/bin $path )
+endif
+if ( /usr/kerberos/sbin !~ "${path}" ) then
+ if ( `id -u` == 0 ) then
+ set path = ( /usr/kerberos/sbin $path )
+ endif
+endif
diff --git a/krb5.sh b/krb5.sh
new file mode 100755
index 0000000..eb94fd9
--- /dev/null
+++ b/krb5.sh
@@ -0,0 +1,8 @@
+if ! echo ${PATH} | grep -q /usr/kerberos/bin ; then
+ PATH=/usr/kerberos/bin:${PATH}
+fi
+if ! echo ${PATH} | grep -q /usr/kerberos/sbin ; then
+ if [ `id -u` = 0 ] ; then
+ PATH=/usr/kerberos/sbin:${PATH}
+ fi
+fi
diff --git a/krb5.spec b/krb5.spec
new file mode 100644
index 0000000..785adb1
--- /dev/null
+++ b/krb5.spec
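Review bot: In krb5.sh the membership test `echo ${PATH} | grep -q /usr/kerberos/bin` is an unanchored substring match with unquoted expansions, so any PATH entry that merely contains that string suppresses the addition. This file is sourced by every login shell, root's included, and it places the Kerberos directories ahead of the system ones, so I would match whole entries instead: `case ":${PATH}:" in *:/usr/kerberos/bin:*) ;; *) PATH=/usr/kerberos/bin:${PATH} ;; esac`, and likewise for the sbin branch. The 7 January 2000 changelog entry in krb5.spec says the directory was moved to the end of PATH, which does not match the prepend here; the entry may simply be stale, but one of the two should be corrected.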
@@ -0,0 +1,603 @@
+%define prefix %{_prefix}/kerberos
+
+Summary: The Kerberos network authentication system.
+Name: krb5
+Version: 1.2.1
+Release: 8
+Source0: krb5-%{version}.tar
+Source1: kpropd.init
+Source2: krb524d.init
+Source3: kadmind.init
+Source4: krb5kdc.init
+Source5: krb5.conf
+Source6: krb5.sh
+Source7: krb5.csh
+Source8: kdcrotate
+Source9: kdc.conf
+Source10: kadm5.acl
+Source11: krsh
+Source12: krlogin
+Source13: eklogin.xinetd
+Source14: klogin.xinetd
+Source15: kshell.xinetd
+Source16: krb5-telnet.xinetd
+Source17: gssftp.xinetd
+Source18: krb5server.init
+Patch0: krb5-1.1-db.patch
+Patch1: krb5-1.1.1-tiocgltc.patch
+Patch2: krb5-1.1.1-libpty.patch
+Patch3: krb5-1.1.1-fixinfo.patch
+Patch4: krb5-1.1.1-manpages.patch
+Patch5: krb5-1.1.1-netkitr.patch
+Patch6: krb5-1.2-rlogind.patch
+Patch7: krb5-1.2-ksu.patch
+Patch8: krb5-1.2-ksu.options.patch
+Patch9: krb5-1.2-ksu.man.patch
+Patch10: krb5-1.2-quiet.patch
+Patch11: krb5-1.1.1-brokenrev.patch
+Patch12: krb5-1.2-spelling.patch
+Patch13: krb5-1.2.1-term.patch
+Patch14: krb5-1.2.1-passive.patch
+Copyright: MIT, freely distributable.
+URL: http://web.mit.edu/kerberos/www/
+Group: System Environment/Libraries
+BuildRoot: %{_tmppath}/%{name}-root
+Prereq: grep, info, sh-utils, /sbin/install-info
+BuildPrereq: e2fsprogs-devel, gzip, rsh, tcl, texinfo, tar
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords.
+
+%package devel
+Summary: Development files needed for compiling Kerberos 5 programs.
+Group: Development/Libraries
+Requires: %{name}-libs = %{version}
+
+%description devel
+Kerberos is a network authentication system. The krb5-devel package
+contains the header files and libraries needed for compiling Kerberos
+5 programs. If you want to develop Kerberos-aware programs, you'll
+need to install this package.
+
+%package libs
+Summary: The shared libraries used by Kerberos 5.
+Group: System Environment/Libraries
+Prereq: grep, /sbin/ldconfig, sh-utils
+
+%description libs
+Kerberos is a network authentication system. The krb5-libs package
+contains the shared libraries needed by Kerberos 5. If you're using
+Kerberos, you'll need to install this package.
+
+%package server
+Group: System Environment/Daemons
+Summary: The server programs for Kerberos 5.
+Requires: %{name}-libs = %{version}, %{name}-workstation = %{version}
+Prereq: grep, /sbin/install-info, /bin/sh, sh-utils, /etc/init.d
+
+%description server
+Kerberos is a network authentication system. The krb5-server package
+contains the programs that must be installed on a Kerberos 5 server.
+If you're installing a Kerberos 5 server, you need to install this
+package (in other words, most people should NOT install this
+package).
+
+%package workstation
+Summary: Kerberos 5 programs for use on workstations.
+Group: System Environment/Base
+Requires: %{name}-libs = %{version}
+Prereq: grep, /sbin/install-info, /bin/sh, sh-utils
+
+%description workstation
+Kerberos is a network authentication system. The krb5-workstation
+package contains the basic Kerberos programs (kinit, klist, kdestroy,
+kpasswd) as well as kerberized versions of Telnet and FTP. If your
+network uses Kerberos, this package should be installed on every
+workstation.
+
+%changelog
+* Wed Aug 16 2000 Nalin Dahyabhai
+- fix summaries and descriptions
+- switched the default transfer protocol from PORT to PASV as proposed on
+ bugzilla (#16134), and to match the regular ftp package's behavior
+
+* Wed Jul 19 2000 Jeff Johnson
+- rebuild to compress man pages.
+
+* Sat Jul 15 2000 Bill Nottingham
+- move initscript back
+
+* Fri Jul 14 2000 Nalin Dahyabhai
+- disable servers by default to keep linuxconf from thinking they need to be
+ started when they don't
+
+* Thu Jul 13 2000 Prospector
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai
+- change cleanup code in post to not tickle chkconfig
+- add grep as a Prereq: for -libs
+
+* Thu Jul 6 2000 Nalin Dahyabhai
+- move condrestarts to postun
+- make xinetd configs noreplace
+- add descriptions to xinetd configs
+- add /etc/init.d as a prereq for the -server package
+- patch to properly truncate $TERM in krlogind
+
+* Fri Jun 30 2000 Nalin Dahyabhai
+- update to 1.2.1
+- back out Tom Yu's patch, which is a big chunk of the 1.2 -> 1.2.1 update
+- start using the official source tarball instead of its contents
+
+* Thu Jun 29 2000 Nalin Dahyabhai
+- Tom Yu's patch to fix compatibility between 1.2 kadmin and 1.1.1 kadmind
+- pull out 6.2 options in the spec file (sonames changing in 1.2 means it's not
+ compatible with other stuff in 6.2, so no need)
+
+* Wed Jun 28 2000 Nalin Dahyabhai
+- tweak graceful start/stop logic in post and preun
+
+* Mon Jun 26 2000 Nalin Dahyabhai
+- update to the 1.2 release
+- ditch a lot of our patches which went upstream
+- enable use of DNS to look up things at build-time
+- disable use of DNS to look up things at run-time in default krb5.conf
+- change ownership of the convert-config-files script to root.root
+- compress PS docs
+- fix some typos in the kinit man page
+- run condrestart in server post, and shut down in preun
+
+* Mon Jun 19 2000 Nalin Dahyabhai
+- only remove old krb5server init script links if the init script is there
+
+* Sat Jun 17 2000 Nalin Dahyabhai
+- disable kshell and eklogin by default
+
+* Thu Jun 15 2000 Nalin Dahyabhai
+- patch mkdir/rmdir problem in ftpcmd.y
+- add condrestart option to init script
+- split the server init script into three pieces and add one for kpropd
+
+* Wed Jun 14 2000 Nalin Dahyabhai
+- make sure workstation servers are all disabled by default
+- clean up krb5server init script
+
+* Fri Jun 9 2000 Nalin Dahyabhai
+- apply second set of buffer overflow fixes from Tom Yu
+- fix from Dirk Husung for a bug in buffer cleanups in the test suite
+- work around possibly broken rev binary in running test suite
+- move default realm configs from /var/kerberos to %{_var}/kerberos
+
+* Tue Jun 6 2000 Nalin Dahyabhai
+- make ksu and v4rcp owned by root
+
+* Sat Jun 3 2000 Nalin Dahyabhai
+- use %%{_infodir} to better comply with FHS
+- move .so files to -devel subpackage
+- tweak xinetd config files (bugs #11833, #11835, #11836, #11840)
+- fix package descriptions again
+
+* Wed May 24 2000 Nalin Dahyabhai
+- change a LINE_MAX to 1024, fix from Ken Raeburn
+- add fix for login vulnerability in case anyone rebuilds without krb4 compat
+- add tweaks for byte-swapping macros in krb.h, also from Ken
+- add xinetd config files
+- make rsh and rlogin quieter
+- build with debug to fix credential forwarding
+- add rsh as a build-time req because the configure scripts look for it to
+ determine paths
+
+* Wed May 17 2000 Nalin Dahyabhai
+- fix config_subpackage logic
+
+* Tue May 16 2000 Nalin Dahyabhai
+- remove setuid bit on v4rcp and ksu
+- apply patches from Jeffrey Schiller to fix overruns Chris Evans found
+- reintroduce configs subpackage for use in the errata
+- add PreReq: sh-utils
+
+* Mon May 15 2000 Nalin Dahyabhai
+- fix double-free in the kdc (patch merged into MIT tree)
+- include convert-config-files script as a documentation file
+
+* Wed May 03 2000 Nalin Dahyabhai
+- patch ksu man page because the -C option never works
+- add access() checks and disable debug mode in ksu
+- modify default ksu build arguments to specify more directories in CMD_PATH
+ and to use getusershell()
+
+* Wed May 03 2000 Bill Nottingham
+- fix configure stuff for ia64
+
+* Mon Apr 10 2000 Nalin Dahyabhai
+- add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653)
+- change Requires: for/in subpackages to include %{version}
+
+* Wed Apr 05 2000 Nalin Dahyabhai
+- add man pages for kerberos(1), kvno(1), .k5login(5)
+- add kvno to -workstation
+
+* Mon Apr 03 2000 Nalin Dahyabhai
+- Merge krb5-configs back into krb5-libs. The krb5.conf file is marked as
+ a %%config file anyway.
+- Make krb5.conf a noreplace config file.
+
+* Thu Mar 30 2000 Nalin Dahyabhai
+- Make klogind pass a clean environment to children, like NetKit's rlogind does.
+
+* Wed Mar 08 2000 Nalin Dahyabhai
+- Don't enable the server by default.
+- Compress info pages.
+- Add defaults for the PAM module to krb5.conf
+
+* Mon Mar 06 2000 Nalin Dahyabhai
+- Correct copyright: it's exportable now, provided the proper paperwork is
+ filed with the government.
+
+* Fri Mar 03 2000 Nalin Dahyabhai
+- apply Mike Friedman's patch to fix format string problems
+- don't strip off argv[0] when invoking regular rsh/rlogin
+
+* Thu Mar 02 2000 Nalin Dahyabhai
+- run kadmin.local correctly at startup
+
+* Mon Feb 28 2000 Nalin Dahyabhai
+- pass absolute path to kadm5.keytab if/when extracting keys at startup
+
+* Sat Feb 19 2000 Nalin Dahyabhai
+- fix info page insertions
+
+* Wed Feb 9 2000 Nalin Dahyabhai
+- tweak server init script to automatically extract kadm5 keys if
+ /var/kerberos/krb5kdc/kadm5.keytab doesn't exist yet
+- adjust package descriptions
+
+* Thu Feb 3 2000 Nalin Dahyabhai
+- fix for potentially gzipped man pages
+
+* Fri Jan 21 2000 Nalin Dahyabhai
+- fix comments in krb5-configs
+
+* Fri Jan 7 2000 Nalin Dahyabhai
+- move /usr/kerberos/bin to end of PATH
+
+* Tue Dec 28 1999 Nalin Dahyabhai
+- install kadmin header files
+
+* Tue Dec 21 1999 Nalin Dahyabhai
+- patch around TIOCGTLC defined on alpha and remove warnings from libpty.h
+- add installation of info docs
+- remove krb4 compat patch because it doesn't fix workstation-side servers
+
+* Mon Dec 20 1999 Nalin Dahyabhai
+- remove hesiod dependency at build-time
+
+* Sun Dec 19 1999 Nalin Dahyabhai
+- rebuild on 1.1.1
+
+* Thu Oct 7 1999 Nalin Dahyabhai
+- clean up init script for server, verify that it works [jlkatz]
+- clean up rotation script so that rc likes it better
+- add clean stanza
+
+* Mon Oct 4 1999 Nalin Dahyabhai
+- backed out ncurses and makeshlib patches
+- update for krb5-1.1
+- add KDC rotation to rc.boot, based on ideas from Michael's C version
+
+* Mon Sep 26 1999 Nalin Dahyabhai
+- added -lncurses to telnet and telnetd makefiles
+
+* Mon Jul 5 1999 Nalin Dahyabhai
+- added krb5.csh and krb5.sh to /etc/profile.d
+
+* Mon Jun 22 1999 Nalin Dahyabhai
+- broke out configuration files
+
+* Mon Jun 14 1999 Nalin Dahyabhai
+- fixed server package so that it works now
+
+* Sat May 15 1999 Nalin Dahyabhai
+- started changelog
+- updated existing 1.0.5 RPM from Eos Linux to krb5 1.0.6
+- added --force to makeinfo commands to skip errors during build
+
+%prep
+%setup -q -c
+gzip -dc krb5-%{version}.src.tar.gz | tar -xf - -C ..
+gzip -dc krb5-%{version}.crypto.tar.gz | tar -xf - -C ..
+gzip -dc krb5-%{version}.doc.tar.gz | tar -xf - -C ..
+%patch0 -p0 -b .db
+%patch1 -p0 -b .tciogltc
+%patch2 -p0 -b .libpty
+%patch3 -p0 -b .fixinfo
+%patch4 -p0 -b .manpages
+%patch5 -p0 -b .netkitr
+%patch6 -p1 -b .rlogind
+%patch7 -p1 -b .ksu
+%patch8 -p1 -b .ksu-options
+%patch9 -p1 -b .ksu-man
+%patch10 -p1 -b .quiet
+%patch11 -p1 -b .brokenrev
+%patch12 -p1 -b .spelling
+%patch13 -p1 -b .term
+%patch14 -p1 -b .passive
+find . -type f -name "*.fixinfo" -exec rm -fv "{}" ";"
+gzip doc/*.ps
+
+%build
+cd src
+libtoolize --copy --force
+cp config.{guess,sub} config
+
+# Can't use %%configure because we don't use the default mandir.
+LDCOMBINE_TAIL="-lc"; export LDCOMBINE_TAIL
+./configure \
+ --with-cc=%{__cc} --with-ccopts="-ggdb" \
+ --enable-shared --enable-static \
+ --prefix=%{prefix} \
+ --infodir=%{_infodir} \
+ --localstatedir=%{_var}/kerberos \
+ --with-krb4 \
+ --enable-dns --enable-dns-for-kdc --enable-dns-for-realm \
+ --with-netlib=-lresolv \
+ --with-tcl=%{_prefix} \
+ %{_target_platform}
+make
+
+# Run the test suite.
+# make check TMPDIR=%{_tmppath}
+
+%install
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+
+# Our shell scripts.
+mkdir -p $RPM_BUILD_ROOT%{prefix}/bin
+install -m 755 $RPM_SOURCE_DIR/{krsh,krlogin} $RPM_BUILD_ROOT/%{prefix}/bin/
+
+# Extra headers.
+mkdir -p $RPM_BUILD_ROOT%{prefix}/include
+(cd src/include
+ find kadm5 krb5 gssrpc gssapi -name "*.h" | \
+ cpio -pdm $RPM_BUILD_ROOT/%{prefix}/include )
+sed 's^k5-int^krb5/kdb^g' < $RPM_BUILD_ROOT/%{prefix}/include/kadm5/admin.h \
+ > $RPM_BUILD_ROOT/%{prefix}/include/kadm5/admin.h2 &&\
+mv $RPM_BUILD_ROOT/%{prefix}/include/kadm5/admin.h2 \
+ $RPM_BUILD_ROOT/%{prefix}/include/kadm5/admin.h
+find $RPM_BUILD_ROOT/%{prefix}/include -type d | xargs chmod 755
+find $RPM_BUILD_ROOT/%{prefix}/include -type f | xargs chmod 644
+
+# Info docs.
+mkdir -p $RPM_BUILD_ROOT%{_infodir}
+install -m 644 doc/*.info* $RPM_BUILD_ROOT%{_infodir}/
+gzip $RPM_BUILD_ROOT%{_infodir}/*.info*
+
+# KDC config files.
+mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
+install -m 644 $RPM_SOURCE_DIR/kdc.conf $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
+install -m 644 $RPM_SOURCE_DIR/kadm5.acl $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
+
+# Client config files and scripts.
+mkdir -p $RPM_BUILD_ROOT/etc/profile.d
+install -m 644 $RPM_SOURCE_DIR/krb5.conf $RPM_BUILD_ROOT/etc/krb5.conf
+install -m 755 $RPM_SOURCE_DIR/krb5.{sh,csh} $RPM_BUILD_ROOT/etc/profile.d/
+
+# KDC init script.
+mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -m 755 $RPM_SOURCE_DIR/krb5kdc.init $RPM_BUILD_ROOT/etc/rc.d/init.d/krb5kdc
+install -m 755 $RPM_SOURCE_DIR/kadmind.init $RPM_BUILD_ROOT/etc/rc.d/init.d/kadmin
+install -m 755 $RPM_SOURCE_DIR/kpropd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/kprop
+install -m 755 $RPM_SOURCE_DIR/krb524d.init $RPM_BUILD_ROOT/etc/rc.d/init.d/krb524
+install -m 755 $RPM_SOURCE_DIR/kdcrotate $RPM_BUILD_ROOT/etc/rc.d/init.d/
+
+# The rest of the binaries and libraries and docs.
+cd src
+make prefix=$RPM_BUILD_ROOT%{prefix} \
+ localstatedir=$RPM_BUILD_ROOT%{_var}/kerberos \
+ infodir=$RPM_BUILD_ROOT%{_infodir} install
+
+# Fixup strange shared library permissions.
+chmod 755 $RPM_BUILD_ROOT%{prefix}/lib/*.so*
+
+# Xinetd configuration files.
+mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d/
+for xinetd in eklogin klogin kshell krb5-telnet gssftp ; do
+ install -m 644 $RPM_SOURCE_DIR/${xinetd}.xinetd \
+ $RPM_BUILD_ROOT/etc/xinetd.d/${xinetd}
+done
+
+# Trim off useless info.
+strip $RPM_BUILD_ROOT%{prefix}/bin/* $RPM_BUILD_ROOT%{prefix}/sbin/* || :
+strip -g $RPM_BUILD_ROOT%{prefix}/lib/lib* || :
+
+%post libs
+grep -q %{prefix}/lib /etc/ld.so.conf || echo %{prefix}/lib >> /etc/ld.so.conf
+/sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+%post server
+# Remove the init script for older servers.
+[ -x /etc/rc.d/init.d/krb5server ] && /sbin/chkconfig --del krb5server
+# Install the new ones.
+/sbin/chkconfig --add krb5kdc
+/sbin/chkconfig --add kadmin
+/sbin/chkconfig --add krb524
+/sbin/chkconfig --add kprop
+# Install info pages.
+/sbin/install-info %{_infodir}/krb425.info.gz %{_infodir}/dir
+/sbin/install-info %{_infodir}/krb5-admin.info.gz %{_infodir}/dir
+/sbin/install-info %{_infodir}/krb5-install.info.gz %{_infodir}/dir
+
+%preun server
+if [ "$1" = "0" ] ; then
+ /sbin/chkconfig --del krb5kdc
+ /sbin/chkconfig --del kadmin
+ /sbin/chkconfig --del krb524
+ /sbin/chkconfig --del kprop
+ /sbin/service krb5kdc stop > /dev/null 2>&1 || :
+ /sbin/service kadmin stop > /dev/null 2>&1 || :
+ /sbin/service krb524 stop > /dev/null 2>&1 || :
+ /sbin/service kprop stop > /dev/null 2>&1 || :
+ /sbin/install-info --delete %{_infodir}/krb425.info.gz %{_infodir}/dir
+ /sbin/install-info --delete %{_infodir}/krb5-admin.info.gz %{_infodir}/dir
+ /sbin/install-info --delete %{_infodir}/krb5-install.info.gz %{_infodir}/dir
+fi
+
+%postun server
+if [ "$1" -ge 1 ] ; then
+ /sbin/service krb5kdc condrestart > /dev/null 2>&1 || :
+ /sbin/service kadmin condrestart > /dev/null 2>&1 || :
+ /sbin/service krb524 condrestart > /dev/null 2>&1 || :
+ /sbin/service kprop condrestart > /dev/null 2>&1 || :
+fi
+
+%post workstation
+/sbin/install-info %{_infodir}/krb5-user.info %{_infodir}/dir
+/sbin/service xinetd reload > /dev/null 2>&1 || :
+
+%preun workstation
+if [ "$1" = "0" ] ; then
+ /sbin/install-info --delete %{_infodir}/krb5-user.info %{_infodir}/dir
+fi
+
+%postun workstation
+/sbin/service xinetd reload > /dev/null 2>&1 || :
+
+%files workstation
+%defattr(-,root,root)
+
+%config /etc/profile.d/krb5.sh
+%config /etc/profile.d/krb5.csh
+
+%config(noreplace) /etc/xinetd.d/*
+
+%doc doc/user*.html doc/user*.ps.gz src/config-files/services.append
+%attr(0755,root,root) %doc src/config-files/convert-config-files
+%{_infodir}/krb5-user.info*
+%{prefix}/bin/ftp
+%{prefix}/man/man1/ftp.1*
+%{prefix}/bin/gss-client
+%{prefix}/bin/kdestroy
+%{prefix}/man/man1/kdestroy.1*
+%{prefix}/man/man1/kerberos.1*
+%{prefix}/bin/kinit
+%{prefix}/man/man1/kinit.1*
+%{prefix}/bin/klist
+%{prefix}/man/man1/klist.1*
+%{prefix}/bin/kpasswd
+%{prefix}/bin/krb524init
+%{prefix}/sbin/kadmin
+%{prefix}/man/man8/kadmin.8*
+%{prefix}/sbin/ktutil
+%{prefix}/man/man8/ktutil.8*
+%attr(0755,root,root) %{prefix}/bin/ksu
+%{prefix}/man/man1/ksu.1*
+%{prefix}/bin/kvno
+%{prefix}/man/man1/kvno.1*
+%{prefix}/bin/rcp
+%{prefix}/man/man1/rcp.1*
+%{prefix}/bin/krlogin
+%{prefix}/bin/rlogin
+%{prefix}/man/man1/rlogin.1*
+%{prefix}/bin/krsh
+%{prefix}/bin/rsh
+%{prefix}/man/man1/rsh.1*
+%{prefix}/bin/telnet
+%{prefix}/man/man1/telnet.1*
+%{prefix}/man/man1/tmac.doc*
+%attr(0755,root,root) %{prefix}/bin/v4rcp
+%{prefix}/man/man1/v4rcp.1*
+%{prefix}/bin/v5passwd
+%{prefix}/man/man1/v5passwd.1*
+%{prefix}/bin/sim_client
+%{prefix}/bin/uuclient
+%{prefix}/sbin/login.krb5
+%{prefix}/man/man8/login.krb5.8*
+%{prefix}/sbin/ftpd
+%{prefix}/man/man8/ftpd.8*
+%{prefix}/sbin/gss-server
+%{prefix}/sbin/klogind
+%{prefix}/man/man8/klogind.8*
+%{prefix}/sbin/kshd
+%{prefix}/man/man8/kshd.8*
+%{prefix}/sbin/telnetd
+%{prefix}/man/man8/telnetd.8*
+%{prefix}/sbin/uuserver
+%{prefix}/man/man5/.k5login.5*
+%{prefix}/man/man5/krb5.conf.5*
+
+%files server
+%defattr(-,root,root)
+
+%config /etc/rc.d/init.d/krb5kdc
+%config /etc/rc.d/init.d/kadmin
+%config /etc/rc.d/init.d/krb524
+%config /etc/rc.d/init.d/kprop
+
+%doc doc/admin*.ps.gz doc/admin*.html
+%doc doc/krb425*.ps.gz doc/krb425*.html
+%doc doc/install*.ps.gz doc/install*.html
+
+%{_infodir}/krb5-admin.info*
+%{_infodir}/krb5-install.info*
+%{_infodir}/krb425.info*
+
+%dir %{_var}/kerberos/krb5kdc
+%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
+%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl
+
+%{prefix}/man/man5/kdc.conf.5*
+%{prefix}/sbin/kadmin.local
+%{prefix}/man/man8/kadmin.local.8*
+%{prefix}/sbin/kadmind
+%{prefix}/man/man8/kadmind.8*
+%{prefix}/sbin/kadmind4
+%{prefix}/sbin/kdb5_util
+%{prefix}/man/man8/kdb5_util.8*
+%{prefix}/sbin/kprop
+%{prefix}/man/man8/kprop.8*
+%{prefix}/sbin/kpropd
+%{prefix}/man/man8/kpropd.8*
+%{prefix}/sbin/krb5-send-pr
+%{prefix}/man/man1/krb5-send-pr.1*
+%{prefix}/sbin/krb524d
+%{prefix}/sbin/krb5kdc
+%{prefix}/man/man8/krb5kdc.8*
+%{prefix}/sbin/sim_server
+%{prefix}/sbin/v5passwdd
+# This is here for people who want to test their server, and also
+# included in devel package for similar reasons.
+%{prefix}/bin/sclient
+%{prefix}/man/man1/sclient.1*
+%{prefix}/sbin/sserver
+%{prefix}/man/man8/sserver.8*
+
+%files libs
+%defattr(-,root,root)
+%{prefix}/lib/lib*.so.*.*
+%config /etc/rc.d/init.d/kdcrotate
+%config(noreplace) /etc/krb5.conf
+
+%files devel
+%defattr(-,root,root)
+%doc doc/api
+%doc doc/implement
+%doc doc/kadm5
+%doc doc/kadmin
+%doc doc/krb5-protocol
+%doc doc/rpc
+%{prefix}/include
+%{prefix}/lib/lib*.a
+%{prefix}/lib/lib*.so
+%{prefix}/bin/sclient
+%{prefix}/man/man1/sclient.1*
+%{prefix}/sbin/sserver
+%{prefix}/man/man8/sserver.8*
+
+%clean
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
diff --git a/krb524d.init b/krb524d.init
new file mode 100755
index 0000000..985544b
--- /dev/null
+++ b/krb524d.init
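Review bot: In `%files server`, `%dir %{_var}/kerberos/krb5kdc` is packaged with whatever mode `mkdir -p` gave it in `%install`, which under a typical build umask is 0755. The init scripts in this commit expect the principal database and kadm5.keytab in that directory, so an explicit `%attr(0700,root,root) %dir %{_var}/kerberos/krb5kdc` would stop other local users from listing or entering it, rather than relying on each file's own mode; this assumes nothing unprivileged needs to read kdc.conf from there, which should be checked. Also worth a comment in `%build`: the `make check` line is commented out, so the package is built without running the upstream test suite.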
@@ -0,0 +1,69 @@
+#!/bin/sh
+#
+# krb524 Start and stop the krb524 service.
+#
+# chkconfig: - 35 65
+# description: Kerberos 5 is a trusted third-party authentication system. \
+# This script starts and stops krb524d, which converts \
+# Kerberos 5 credentials to Kerberos IV credentials.
+# processname: krb524d
+#
+
+# Get config.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] && exit 0
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+RETVAL=0
+
+# Sheel functions to cut down on useless shell instances.
+start() {
+ if [ ! -f /var/kerberos/krb5kdc/principal ] ; then
+ exit 0
+ fi
+ echo -n "Starting Kerberos 5-to-4 Server:"
+ daemon /usr/kerberos/sbin/krb524d -m
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && touch /var/lock/subsys/krb524
+}
+stop() {
+ echo -n "Stopping Kerberos 5-to-4 Server:"
+ killproc krb524d
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && rm -f /var/lock/subsys/krb524
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ status)
+ status krb524d
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/krb524 ] ; then
+ stop
+ start
+ fi
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|condrestart}"
+ RETVAL=1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/krb5kdc.init b/krb5kdc.init
new file mode 100755
index 0000000..855c748
--- /dev/null
+++ b/krb5kdc.init
@@ -0,0 +1,69 @@
+#!/bin/sh
+#
+# krb5kdc Start and stop the Kerberos 5 servers.
+#
+# chkconfig: - 35 65
+# description: Kerberos 5 is a trusted third-party authentication system. \
+# This script starts and stops the server that Kerberos IV and 5 \
+# clients need to connect to in order to obtain credentials.
+# processname: krb5kdc
+#
+
+# Get config.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] && exit 0
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+RETVAL=0
+
+# Sheel functions to cut down on useless shell instances.
+start() {
+ if [ ! -f /var/kerberos/krb5kdc/principal ] ; then
+ exit 0
+ fi
+ echo -n "Starting Kerberos 5 KDC:"
+ daemon /usr/kerberos/sbin/krb5kdc
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && touch /var/lock/subsys/krb5kdc
+}
+stop() {
+ echo -n "Stopping Kerberos 5 KDC:"
+ killproc krb5kdc
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && rm -f /var/lock/subsys/krb5kdc
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ status)
+ status krb5kdc
+ ;;
+ condrestart)
+ if [ -f /var/lock/subsys/krb5kdc ] ; then
+ stop
+ start
+ fi
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|condrestart}"
+ RETVAL=1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/krlogin b/krlogin
new file mode 100644
index 0000000..9822523
--- /dev/null
+++ b/krlogin
@@ -0,0 +1 @@
+/usr/kerberos/bin/rlogin -x $*
diff --git a/krsh b/krsh
new file mode 100644
index 0000000..9b4b6dc
--- /dev/null
+++ b/krsh
@@ -0,0 +1 @@
+/usr/kerberos/bin/rsh -x $*
diff --git a/kshell.xinetd b/kshell.xinetd
new file mode 100644
index 0000000..95bd598
--- /dev/null
+++ b/kshell.xinetd
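Review bot: krlogin is a single line, `/usr/kerberos/bin/rlogin -x $*`, with no `#!/bin/sh` line and an unquoted `$*`, so every argument is re-split on whitespace and glob-expanded locally before rlogin sees it. krsh, added next in this commit, has the same form, and there it matters more, because a remote command passed as one quoted argument is broken apart and any wildcard in it is expanded on the local machine instead of the remote one. Both wrappers should begin with `#!/bin/sh` and run `exec /usr/kerberos/bin/rlogin -x "$@"` (respectively `exec /usr/kerberos/bin/rsh -x "$@"`).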
@@ -0,0 +1,13 @@
+# default: off
+# description: The kerberized rshell server accepts rshell commands \
+# authenticated and encrypted with Kerberos 5.
+service kshell
+{
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/kerberos/sbin/kshd
+ server_args = -e -5
+ disable = yes
+}
diff --git a/sources b/sources
index e69de29..efdc7b4 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+a20d10cd42e0fdd0a3c825e0a1e2e08a krb5-1.2.1.tar