debian/0000775000000000000000000000000013415461656007203 5ustar debian/krb5-doc.doc-base.build0000664000000000000000000000046712272025331013277 0ustar Document: build Title: Building MIT Kerberos Author: MIT Abstract: Configuration and compilation instructions for MIT Kerberos. Section: System/Security Format: HTML Index: /usr/share/doc/krb5-doc/build/index.html Files: /usr/share/doc/krb5-doc/build/* Format: PDF Files: /usr/share/doc/krb5-doc/build.pdf.gz debian/krb5-kdc.postinst0000664000000000000000000000334312272025332012400 0ustar #! /bin/sh set -e if [ "configure" = "$1" ] || [ "reconfigure" = "$1" ] ; then . /usr/share/debconf/confmodule db_version 2.0 db_get krb5-config/default_realm || true KRB5LD_DEFAULT_REALM="$RET" if [ -z "$KRB5LD_DEFAULT_REALM" ] ; then KRB5LD_DEFAULT_REALM=EXAMPLE.COM fi export KRB5LD_DEFAULT_REALM db_get krb5-kdc/debconf DEBCONF="$RET" if [ ! -f /etc/krb5kdc/kdc.conf ] && [ $DEBCONF = "true" ] ; then sed -e "s/@MYREALM/$KRB5LD_DEFAULT_REALM/" \ /usr/share/krb5-kdc/kdc.conf.template > /etc/krb5kdc/kdc.conf fi if [ $DEBCONF = "true" ] ; then if [ -f "/etc/default/krb5-kdc" ] ; then . /etc/default/krb5-kdc fi cat <<'EOF' > /etc/default/krb5-kdc # Automatically generated. Only the value of DAEMON_ARGS will be preserved. # If you change anything in this file other than DAEMON_ARGS, first run # dpkg-reconfigure krb5-kdc and disable managing the KDC configuration with # debconf. Otherwise, changes will be overwritten. EOF if [ -n "$DAEMON_ARGS" ] ; then echo "DAEMON_ARGS=\"$DAEMON_ARGS\"" >> /etc/default/krb5-kdc fi fi db_stop fi # Only try to add the inetd line on an initial installation. Add it # commented out in a way that will not be automatically enabled, since the # Kerberos administrator should do that manually when ready. # # If update-inetd isn't available, don't bother, since it's just an example. 
if [ "configure" = "$1" ] && which update-inetd >/dev/null 2>&1 ; then if [ -z "$2" ] || [ x"$2" = x"" ] ; then update-inetd --add --group Kerberos \ '#krb5_prop\tstream\ttcp\tnowait\troot\t/usr/sbin/kpropd kpropd' fi fi #DEBHELPER# exit 0 debian/gbp.conf0000664000000000000000000000010712272025331010602 0ustar [DEFAULT] pristene-tar=True [git-import-orig] filter=doc/krb5-protocol debian/libkrb5-3.install0000664000000000000000000000003012272025332012241 0ustar usr/lib/*/libkrb5.so.3* debian/krb5-admin-server.links0000664000000000000000000000010412272025331013457 0ustar usr/share/man/man8/kadmin.8.gz usr/share/man/man8/kadmin.local.8.gz debian/libgssapi-krb5-2.symbols0000664000000000000000000002024312272025332013556 0ustar libgssapi_krb5.so.2 libgssapi-krb5-2 #MINVER# GSS_C_ATTR_LOCAL_LOGIN_USER@gssapi_krb5_2_MIT 1.9.1+dfsg GSS_C_INQ_SSPI_SESSION_KEY@gssapi_krb5_2_MIT 1.7+dfsg GSS_C_MA_AUTH_INIT@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_AUTH_INIT_ANON@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_AUTH_INIT_INIT@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_AUTH_TARG@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_AUTH_TARG_ANON@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_AUTH_TARG_INIT@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_CBINDINGS@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_COMPRESS@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_CONF_PROT@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_CTX_TRANS@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_DELEG_CRED@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_DEPRECATED@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_INTEG_PROT@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_ITOK_FRAMED@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_MECH_COMPOSITE@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_MECH_CONCRETE@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_MECH_GLUE@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_MECH_NEGO@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_MECH_PSEUDO@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_MIC@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_NOT_DFLT_MECH@gssapi_krb5_2_MIT 
1.9+dfsg~beta1 GSS_C_MA_NOT_MECH@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_OOS_DET@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_PFS@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_PROT_READY@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_REPLAY_DET@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_MA_WRAP@gssapi_krb5_2_MIT 1.9+dfsg~beta1 GSS_C_NT_ANONYMOUS@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_COMPOSITE_EXPORT@gssapi_krb5_2_MIT 1.11+dfsg GSS_C_NT_EXPORT_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_HOSTBASED_SERVICE@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_HOSTBASED_SERVICE_X@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_MACHINE_UID_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_STRING_UID_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_C_NT_USER_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 GSS_KRB5_NT_PRINCIPAL_NAME@gssapi_krb5_2_MIT 1.6.dfsg.2 HIDDEN@HIDDEN 1.6.dfsg.2 gss_accept_sec_context@gssapi_krb5_2_MIT 1.8+dfsg gss_acquire_cred@gssapi_krb5_2_MIT 1.10+dfsg~ gss_acquire_cred_from@gssapi_krb5_2_MIT 1.11+dfsg gss_acquire_cred_impersonate_name@gssapi_krb5_2_MIT 1.8+dfsg gss_acquire_cred_with_password@gssapi_krb5_2_MIT 1.10+dfsg~ gss_add_buffer_set_member@gssapi_krb5_2_MIT 1.7+dfsg gss_add_cred@gssapi_krb5_2_MIT 1.10+dfsg~ gss_add_cred_from@gssapi_krb5_2_MIT 1.11+dfsg gss_add_cred_impersonate_name@gssapi_krb5_2_MIT 1.8+dfsg gss_add_oid_set_member@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_authorize_localname@gssapi_krb5_2_MIT 1.9.1+dfsg gss_canonicalize_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_compare_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_complete_auth_token@gssapi_krb5_2_MIT 1.7+dfsg gss_context_time@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_create_empty_buffer_set@gssapi_krb5_2_MIT 1.7+dfsg gss_create_empty_oid_set@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_decapsulate_token@gssapi_krb5_2_MIT 1.9.1+dfsg gss_delete_name_attribute@gssapi_krb5_2_MIT 1.8+dfsg gss_delete_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_display_mech_attr@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_display_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_display_name_ext@gssapi_krb5_2_MIT 1.8+dfsg 
gss_display_status@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_duplicate_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_encapsulate_token@gssapi_krb5_2_MIT 1.9.1+dfsg gss_export_cred@gssapi_krb5_2_MIT 1.11+dfsg gss_export_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_export_name_composite@gssapi_krb5_2_MIT 1.8+dfsg gss_export_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_get_mic@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_get_mic_iov@gssapi_krb5_2_MIT 1.12~alpha1+dfsg gss_get_mic_iov_length@gssapi_krb5_2_MIT 1.12~alpha1+dfsg gss_get_name_attribute@gssapi_krb5_2_MIT 1.8+dfsg gss_import_cred@gssapi_krb5_2_MIT 1.11+dfsg gss_import_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_import_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_indicate_mechs@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_indicate_mechs_by_attrs@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_init_sec_context@gssapi_krb5_2_MIT 1.10+dfsg~ gss_inquire_attrs_for_mech@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_inquire_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_inquire_cred@gssapi_krb5_2_MIT 1.10+dfsg~ gss_inquire_cred_by_mech@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_inquire_cred_by_oid@gssapi_krb5_2_MIT 1.7+dfsg gss_inquire_mech_for_saslname@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_inquire_mechs_for_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_inquire_name@gssapi_krb5_2_MIT 1.8+dfsg gss_inquire_names_for_mech@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_inquire_saslname_for_mech@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_inquire_sec_context_by_oid@gssapi_krb5_2_MIT 1.7+dfsg gss_krb5_ccache_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_krb5_copy_ccache@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_krb5_export_lucid_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_krb5_free_lucid_sec_context@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_krb5_get_tkt_flags@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_krb5_import_cred@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_krb5_set_allowable_enctypes@gssapi_krb5_2_MIT 1.9.1 gss_krb5_set_cred_rcache@gssapi_krb5_2_MIT 1.7+dfsg gss_krb5int_make_seal_token_v3@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_krb5int_unseal_token_v3@gssapi_krb5_2_MIT 1.6.dfsg.2 
gss_localname@gssapi_krb5_2_MIT 1.9.1+dfsg gss_map_name_to_any@gssapi_krb5_2_MIT 1.8+dfsg gss_mech_iakerb@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_mech_krb5@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_mech_krb5_old@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_mech_krb5_wrong@gssapi_krb5_2_MIT 1.10.2+dfsg gss_mech_set_krb5@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_mech_set_krb5_both@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_mech_set_krb5_old@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_exported_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_krb5_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_krb5_principal@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_machine_uid_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_service_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_service_name_v2@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_string_uid_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_nt_user_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_oid_equal@gssapi_krb5_2_MIT 1.9.1+dfsg gss_oid_to_str@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_pname_to_uid@gssapi_krb5_2_MIT 1.9.1+dfsg gss_process_context_token@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_pseudo_random@gssapi_krb5_2_MIT 1.8+dfsg gss_release_any_name_mapping@gssapi_krb5_2_MIT 1.8+dfsg gss_release_buffer@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_release_buffer_set@gssapi_krb5_2_MIT 1.7+dfsg gss_release_cred@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_release_iov_buffer@gssapi_krb5_2_MIT 1.7+dfsg gss_release_name@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_release_oid@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_release_oid_set@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_seal@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_set_cred_option@gssapi_krb5_2_MIT 1.9+dfsg~beta1 gss_set_name_attribute@gssapi_krb5_2_MIT 1.8+dfsg gss_set_neg_mechs@gssapi_krb5_2_MIT 1.8+dfsg gss_set_sec_context_option@gssapi_krb5_2_MIT 1.7+dfsg gss_sign@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_store_cred@gssapi_krb5_2_MIT 1.8+dfsg gss_store_cred_into@gssapi_krb5_2_MIT 1.11+dfsg gss_str_to_oid@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_test_oid_set_member@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_unseal@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_unwrap@gssapi_krb5_2_MIT 1.6.dfsg.2 
gss_unwrap_aead@gssapi_krb5_2_MIT 1.7+dfsg gss_unwrap_iov@gssapi_krb5_2_MIT 1.7+dfsg gss_userok@gssapi_krb5_2_MIT 1.9.1+dfsg gss_verify@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_verify_mic@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_verify_mic_iov@gssapi_krb5_2_MIT 1.12~alpha1+dfsg gss_wrap@gssapi_krb5_2_MIT 1.6.dfsg.2 gss_wrap_aead@gssapi_krb5_2_MIT 1.7+dfsg gss_wrap_iov@gssapi_krb5_2_MIT 1.7+dfsg gss_wrap_iov_length@gssapi_krb5_2_MIT 1.7+dfsg gss_wrap_size_limit@gssapi_krb5_2_MIT 1.6.dfsg.2 gssapi_krb5_2_MIT@gssapi_krb5_2_MIT 1.6.dfsg.2 gsskrb5_extract_authtime_from_sec_context@gssapi_krb5_2_MIT 1.7+dfsg gsskrb5_extract_authz_data_from_sec_context@gssapi_krb5_2_MIT 1.7+dfsg gssspi_mech_invoke@gssapi_krb5_2_MIT 1.7+dfsg gssspi_set_cred_option@gssapi_krb5_2_MIT 1.7+dfsg krb5_gss_dbg_client_expcreds@gssapi_krb5_2_MIT 1.6.dfsg.2 krb5_gss_register_acceptor_identity@gssapi_krb5_2_MIT 1.6.dfsg.2 krb5_gss_use_kdc_context@gssapi_krb5_2_MIT 1.6.dfsg.2 debian/krb5-doc.doc-base.basic0000664000000000000000000000044312272025331013253 0ustar Document: basic Title: Kerberos Concepts Author: MIT Abstract: Basic concepts and introduction to Kerberos. 
Section: System/Security Format: HTML Index: /usr/share/doc/krb5-doc/basic/index.html Files: /usr/share/doc/krb5-doc/basic/* Format: PDF Files: /usr/share/doc/krb5-doc/basic.pdf.gz debian/libkadm5clnt-mit9.symbols0000664000000000000000000001446212271473454014053 0ustar libkadm5clnt_mit.so.9 libkadm5clnt-mit9 #MINVER# HIDDEN@HIDDEN 1.12~alpha1+dfsg _kadm5_check_handle@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg _kadm5_chpass_principal_util@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_chpass_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_chpass_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_chpass_principal_util@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_create_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_create_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_create_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_decrypt_key@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_delete_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_delete_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_destroy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_flush@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_free_config_params@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_free_key_data@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_free_name_list@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_free_policy_ent@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_free_principal_ent@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_free_strings@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_admin_service_name@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_config_params@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_policies@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_principals@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_privs@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_get_strings@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_init@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg 
kadm5_init_anonymous@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_init_iprop@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_init_krb5_context@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_init_with_creds@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_init_with_password@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_init_with_skey@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_lock@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_modify_policy@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_modify_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_purgekeys@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_randkey_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_randkey_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_rename_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_set_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_setkey_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_setkey_principal_3@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_setv4key_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5_unlock@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg kadm5clnt_mit_9_MIT@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_finish@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_get_boolean@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_get_deltat@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_get_int32@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_get_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_getvals@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_aprof_init@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_flags_to_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_free_key_data_contents@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_input_flag_to_string@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_keysalt_is_present@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_keysalt_iterate@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_klog_close@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_klog_init@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_klog_reopen@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_klog_syslog@kadm5clnt_mit_9_MIT 
1.12~alpha1+dfsg krb5_string_to_flags@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg krb5_string_to_keysalts@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_chpass3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_chpass_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_chrand3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_chrand_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_chrand_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_cpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_cprinc3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_cprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_dpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_dprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_generic_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_getprivs_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gpol_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gpols_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gpols_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gprinc_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gprincs_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_gprincs_ret@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_kadm5_policy_ent_rec@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_kadm5_principal_ent_rec@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_kadm5_ret_t@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_deltat@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_enctype@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_flags@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_int16@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_key_data_nocontents@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_key_salt_tuple@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_keyblock@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_kvno@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_octet@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_principal@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_salttype@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_timestamp@kadm5clnt_mit_9_MIT 
1.12~alpha1+dfsg xdr_krb5_tl_data@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_ui_2@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_krb5_ui_4@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_mpol_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_mprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_nullstring@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_nulltype@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_rprinc_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_setkey3_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_setkey_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_setv4key_arg@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg xdr_ui_4@kadm5clnt_mit_9_MIT 1.12~alpha1+dfsg debian/krb5-user.docs0000664000000000000000000000000712272025331011653 0ustar README debian/krb5-user.install0000664000000000000000000000065612272025331012403 0ustar usr/bin/kdestroy usr/share/man/man1/kdestroy.1 usr/bin/kinit usr/share/man/man1/kinit.1 usr/bin/klist usr/share/man/man1/klist.1 usr/bin/kpasswd usr/share/man/man1/kpasswd.1 usr/bin/ksu usr/share/man/man1/ksu.1 usr/bin/kvno usr/share/man/man1/kvno.1 usr/bin/k5srvutil usr/share/man/man1/k5srvutil.1 usr/bin/kadmin usr/share/man/man1/kadmin.1 usr/bin/ktutil usr/share/man/man1/ktutil.1 usr/bin/kswitch usr/share/man/man1/kswitch.1 debian/README.source0000664000000000000000000000421712272025331011350 0ustar This package is managed with git-dpm. If you are not familiar with git-dpm, then treat it as a standard quilt package stored in git with patches applied; it will become obvious the next time that git-dpm is used that cleanup is required and the appropriate cherry-picks can be made. Submitting Patch to the Maintainer: It's best to clone the git repository mentioned in debian/control and use the git format-patch command to generate patches. Attach these patches to bugs on the krb5 source package. Preparing a new Upstream version: You'll need two things to do this correctly. First, you'll need the upstream tarball. 
Secondly, you'll need a clone of the upstream git repository git://github.com/krb5/krb5.git . My workflow combines the process of making DFSG modifications with the process of handling the SCM issues. From within a git repository containing both the upstream tag for the release and the debian packaging: 1) Make sure there is a local upstream branch that descends from origin/upstream 2) debian/prepsource upstream_tarfile tag_from_subversion upstream/version_number This will update the upstream branch and create an upstream tag. 3) Use git archive to generate a tarball with dfsg modifications. 4) git dpm new-upstream that tarball. 5) git dpm checkout-patched && git rebase upstream_tag 6) git dpm update-patches Old repository: The packaging for krb-1.11 and later is in the repository pointed to by the VCS fields in the control file. The previous repository (based off upstream's testing git export, prior to their conversion to git) is at git.debian.org/git/pkg-k5-afs/debian-krb5.git . Old old repository: There's an old old repository at git://git.debian.org/git/pkg-k5-afs/krb5-debian-2011.git containing old packaging. If you want to merge or otherwise work across the boundary with that old repository then you may want to copy debian/source/grafts.old_repository to .git/info/grafts. Do not commit anything based on the old repositories to the new one. Ideally the commit hooks should stop you. -- Sam Hartman , Tue, 27 Dec 2011 06:11:15 -0500 -- Benjamin Kaduk , Fri 28 Oct 2013 15:55:54 -0400 debian/krb5-kdc.templates0000664000000000000000000000227712272025331012517 0ustar # These templates have been reviewed by the debian-l10n-english # team # # If modifications/additions/rewording are needed, please ask # for an advice to debian-l10n-english@lists.debian.org # # Even minor modifications require translation updates and such # changes should be coordinated with translators and reviewers.
Template: krb5-kdc/debconf Type: boolean Default: true _Description: Create the Kerberos KDC configuration automatically? The Kerberos Key Distribution Center (KDC) configuration files, in /etc/krb5kdc, may be created automatically. . By default, an example template will be copied into this directory with local parameters filled in. . Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes. Template: krb5-kdc/purge_data_too Type: boolean Default: false _Description: Should the KDC database be deleted? By default, removing this package will not delete the KDC database in /var/lib/krb5kdc/principal since this database cannot be recovered once it is deleted. . Choose this option if you wish to delete the KDC database now, deleting all of the user accounts and passwords in the KDC. debian/krb5-multidev.dirs.in0000664000000000000000000000015512272025331013150 0ustar usr/include/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 debian/NEWS0000664000000000000000000000461012272025331007665 0ustar krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low This version of MIT Kerberos disables DES and 56-bit RC4 by default. These encryption types are generally regarded as weak; defeating them is well within the expected resources of some attackers. However, some applications, such as OpenAFS or Kerberized NFS, still rely on DES. To re-enable DES support add allow_weak_crypto=true to the libdefaults section of /etc/krb5.conf -- Sam Hartman Fri, 08 Jan 2010 22:41:14 -0500 krb5 (1.6.dfsg.4~beta1-7) unstable; urgency=low * In response to MIT's 2006 announcement that Kerberos 4 is at end of life and no longer under development, this version of the krb5 package removes most support for krb4. In particular, krb4 headers are no longer included; applications with krb4 support cannot be built using libkrb5-dev. 
In addition, krb4 support has been removed from the KDC and user utilities. If you do not use Kerberos 4 and do not have krb4-config installed, you should notice no changes. However, if you do use Kerberos 4, you must transition away from Kerberos 4 before upgrading to this version. * Downgrading from this version to a previous version can be difficult because of library name changes. Please follow these instructions: - Get the libkrb53 and libkadm55 debs you want to downgrade to - dpkg --force-depends --remove libkrb5-3 libkrb5support0 libdes425-3 libgssapi-krb5-2 libgssrpc4 libkadm5clnt5 libkadm5srv5 libkdb5-4 libk5crypto3 - At this point your system has broken Kerberos libraries - dpkg -i libkrb53*deb libkadm55*deb (using the debs you got above) - aptitude -f install to fix any other packages that may be broken -- Sam Hartman Thu, 26 Feb 2009 21:12:41 -0500 krb5 (1.6.1-1) unstable; urgency=low * Note that in this version, the behavior for finding what realm a server lives in has changed. In particular, if there is no domain_realm entry in krb5.conf, a server will assume that its key lives in the default realm set in krb5.conf. Previous versions would strip the hostname from the domain of the server. So, if the server's key is not in the default realm, add a domain_realm mapping. Clients still use DNS as a heuristic in some cases.
-- Sam Hartman Wed, 25 Apr 2007 23:40:13 -0400 debian/krb5-multidev.links.in0000664000000000000000000000034212272025331013325 0ustar usr/lib/${DEB_HOST_MULTIARCH}/mit-krb5/libkadm5clnt_mit.so usr/lib/${DEB_HOST_MULTIARCH}/mit-krb5/libkadm5clnt.so usr/lib/${DEB_HOST_MULTIARCH}/mit-krb5/libkadm5srv_mit.so usr/lib/${DEB_HOST_MULTIARCH}/mit-krb5/libkadm5srv.so debian/krb5-multidev.install.in0000664000000000000000000000161312272025332013656 0ustar usr/lib/${DEB_HOST_MULTIARCH}/lib*.so usr/lib/${DEB_HOST_MULTIARCH}/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5-gssapi.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/gssrpc.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/kadm-client.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/kadm-server.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/kdb.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/krb5-gssapi.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/krb5.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/mit-krb5 usr/include/* usr/include/mit-krb5 debian/krb5-kdc.postrm0000664000000000000000000000133212272025331012034 0ustar #!/bin/sh set -e if [ $1 = "purge" ] ; then rm -f /etc/krb5kdc/kdc.conf 2>/dev/null || true rm -f /etc/default/krb5-kdc 2>/dev/null || true rm -f /etc/krb5kdc/kadm5.keytab 2>/dev/null || true rm -f /etc/krb5kdc/kadm5.acl 2>/dev/null || true rm -f /etc/krb5kdc/stash 2>/dev/null || true # Prompt for whether we should remove the database. if [ -d /var/lib/krb5kdc ] && [ -e /usr/share/debconf/confmodule ] ; then . 
/usr/share/debconf/confmodule db_version 2.0 db_input medium krb5-kdc/purge_data_too || true db_go || true db_get krb5-kdc/purge_data_too if [ "$RET" = true ] ; then rm -rf /var/lib/krb5kdc fi fi fi #DEBHELPER# debian/krb5-kdc.lintian-overrides0000664000000000000000000000004012272025331014141 0ustar krb5-kdc: non-standard-dir-perm debian/.git-dpm0000664000000000000000000000042712272025332010533 0ustar # see git-dpm(1) from git-dpm package beca90c378b55451f1d932f1e59fac06077700c9 beca90c378b55451f1d932f1e59fac06077700c9 f696745c10160c960a4dd7580aed7ed4eaeaae1b f696745c10160c960a4dd7580aed7ed4eaeaae1b krb5_1.12+dfsg.orig.tar.gz 47eb80f1c7429210295ed3d69abfd663b6af031f 11704009 debian/clean0000664000000000000000000000022512272025332010172 0ustar debian/krb5-kdc.dirs debian/krb5-multidev.dirs debian/krb5-multidev.links debian/krb5-multidev.install debian/libkrb5-3.dirs debian/libkrb5-dev.dirs debian/krb5-admin-server.postinst0000664000000000000000000000174612272025331014237 0ustar #! /bin/sh set -e if [ "configure" = "$1" ] || [ "reconfigure" = "$1" ] ; then . /usr/share/debconf/confmodule db_version 2.0 db_get krb5-kdc/debconf DEBCONF="$RET" if [ $DEBCONF = "true" ] ; then if [ -f "/etc/default/krb5-admin-server" ] ; then . /etc/default/krb5-admin-server fi cat <<'EOF' > /etc/default/krb5-admin-server # Automatically generated. If you change anything in this file other than the # values of RUN_KADMIND or DAEMON_ARGS, first run dpkg-reconfigure # krb5-admin-server and disable managing the kadmin configuration with # debconf. Otherwise, changes will be overwritten. 
EOF db_get krb5-admin-server/kadmind RUN_KADMIND="$RET" echo "RUN_KADMIND=$RUN_KADMIND" >> /etc/default/krb5-admin-server if [ -n "$DAEMON_ARGS" ] ; then echo "DAEMON_ARGS=\"$DAEMON_ARGS\"" \ >> /etc/default/krb5-admin-server fi fi db_stop fi #DEBHELPER# exit 0 debian/krb5-otp.install0000664000000000000000000000004712271473454012235 0ustar usr/lib/*/krb5/plugins/preauth/otp.so debian/libkrb5-3.dirs.in0000664000000000000000000000006012272025331012143 0ustar usr/lib/${DEB_HOST_MULTIARCH}/krb5/plugins/krb5 debian/krb5-kdc.init0000775000000000000000000000603012272025331011456 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: krb5-kdc # Required-Start: $local_fs $remote_fs $network $syslog # Required-Stop: $local_fs $remote_fs $network $syslog # X-Start-Before: $x-display-manager # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: MIT Kerberos KDC # Description: Starts, stops, or restarts the MIT Kerberos KDC. This # daemon responds to ticket requests from Kerberos # clients. ### END INIT INFO # Author: Sam Hartman # Author: Russ Allbery # # Based on the /etc/init.d/skeleton template as found in initscripts version # 2.86.ds1-15. PATH=/usr/sbin:/usr/bin:/sbin:/bin DESC="Kerberos KDC" NAME=krb5kdc DAEMON=/usr/sbin/$NAME DAEMON_ARGS="" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/krb5-kdc # Exit if the package is not installed. [ -x "$DAEMON" ] || exit 0 # Read configuration if it is present. [ -r /etc/default/krb5-kdc ] && . /etc/default/krb5-kdc # Get the setting of VERBOSE and other rcS variables. [ -f /etc/default/rcS ] && . /etc/default/rcS # Define LSB log functions (requires lsb-base >= 3.0-6). . 
/lib/lsb/init-functions # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started do_start_kdc() { start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON --name $NAME --test \ > /dev/null || return 1 start-stop-daemon --start --quiet --pidfile $PIDFILE --startas $DAEMON --name $NAME \ -- -P $PIDFILE $DAEMON_ARGS || return 2 } # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred do_stop_kdc() { start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 rm -f $PIDFILE return "$RETVAL" } case "$1" in start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" do_start_kdc case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop_kdc case "$?" in 0|1) [ "$VERBOSE" != no ] && log_progress_msg "krb524d" ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; restart|force-reload) log_daemon_msg "Restarting $DESC" "$NAME" do_stop_kdc case "$?" in 0|1) do_start_kdc case "$?" in 0) log_end_msg 0 ;; 1|2) log_end_msg 1 ;; esac ;; *) log_end_msg 1 ;; esac ;; status) status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $? 
;; *) echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2 exit 3 ;; esac : debian/libkrb5-dev.dirs.in0000664000000000000000000000014412272025331012562 0ustar usr/lib/${DEB_HOST_MULTIARCH} usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig usr/include usr/share/aclocal debian/libgssapi-krb5-2.install0000664000000000000000000000003712272025332013533 0ustar usr/lib/*/libgssapi_krb5.so.2* debian/libkadm5srv-mit9.install0000664000000000000000000000004012271473454013666 0ustar usr/lib/*/libkadm5srv_mit.so.9* debian/krb5-admin-server.init0000775000000000000000000000700212272025332013312 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: krb5-admin-server # Required-Start: $local_fs $remote_fs $network $syslog # Required-Stop: $local_fs $remote_fs $network $syslog # Should-Start: krb5-kdc # Should-Stop: krb5-kdc # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: MIT Kerberos KDC administrative daemon # Description: Starts, stops, or restarts the MIT Kerberos KDC # administrative daemon (kadmind). This daemon answers # requests from kadmin clients and allows administrators # to create, delete, and modify principals in the KDC # database. ### END INIT INFO # Author: Sam Hartman # Author: Russ Allbery # # Based on the /etc/init.d/skeleton template as found in initscripts version # 2.86.ds1-15. PATH=/usr/sbin:/usr/bin:/sbin:/bin DESC="Kerberos administrative servers" NAME=kadmind DAEMON=/usr/sbin/$NAME DAEMON_ARGS="" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/krb5-admin-server DEFAULT=/etc/default/krb5-admin-server # Exit if the package is not installed. [ -x "$DAEMON" ] || exit 0 # Read configuration if it is present. [ -r "$DEFAULT" ] && . "$DEFAULT" # Get the setting of VERBOSE and other rcS variables. [ -f /etc/default/rcS ] && . /etc/default/rcS # Define LSB log functions (requires lsb-base >= 3.0-6). . 
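/lib/lsb/init-functions

# Start kadmind unless it is already running.
#
# Globals:
#   PIDFILE, DAEMON, NAME (read); DAEMON_ARGS (read, split into words on purpose)
# Return
#   0 if daemon has been started
#   1 if daemon was already running
#   2 if daemon could not be started
do_start()
{
    # Dry run first: --test takes no action and fails when a matching process
    # already exists.
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --startas "$DAEMON" \
        --name "$NAME" --test > /dev/null || return 1
    # DAEMON_ARGS stays unquoted so that it expands to separate arguments;
    # every other expansion is quoted so it is always passed as one word.
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --startas "$DAEMON" \
        --name "$NAME" -- -P "$PIDFILE" $DAEMON_ARGS || return 2
}

# Stop kadmind and remove its pidfile.
#
# Return
#   0 if daemon has been stopped
#   1 if daemon was already stopped
#   2 if daemon could not be stopped
#   other if a failure occurred
do_stop()
{
    # TERM, wait up to 30 s, then KILL and wait up to 5 s.  --name is given
    # together with --pidfile, so a stale pidfile alone does not select an
    # unrelated process.
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
        --pidfile "$PIDFILE" --name "$NAME"
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    rm -f -- "$PIDFILE"
    return "$RETVAL"
}

case "$1" in
  start)
    # RUN_KADMIND=false disables the daemon; the variable is not assigned in
    # this part of the script (presumably it comes from a sourced file).
    if [ "$RUN_KADMIND" = false ] ; then
        if [ "$VERBOSE" != no ] ; then
            log_action_msg "Not starting $DESC per configuration"
        fi
        exit 0
    fi
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  restart|force-reload)
    # This exits before do_stop is reached, so with RUN_KADMIND=false an
    # already running kadmind is left as it is; use "stop" to end it.
    if [ "$RUN_KADMIND" = false ] ; then
        if [ "$VERBOSE" != no ] ; then
            log_action_msg "Not restarting $DESC per configuration"
        fi
        exit 0
    fi
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
          0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
          *) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
      *)
        log_end_msg 1
        ;;
    esac
    ;;
  status)
    status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
    exit 3
    ;;
esac

:
debian/libkrb5support0.install0000664000000000000000000000003712272025331013624 0ustar
usr/lib/*/libkrb5support.so.0*
debian/krb5-doc.doc-base.appdev0000664000000000000000000000051712272025331013453 0ustar
Document: appdev
Title: Kerberos Application Developer Guide
Author: MIT
Abstract: Application development guide and API reference for MIT Kerberos.
Section: System/Security
Format: HTML
Index: /usr/share/doc/krb5-doc/appdev/index.html
Files: /usr/share/doc/krb5-doc/appdev/*
Format: PDF
Files: /usr/share/doc/krb5-doc/appdev.pdf.gz
debian/krb5-admin-server.install0000664000000000000000000000025712272025332014017 0ustar
usr/sbin/kadmin.local
usr/share/man/man8/kadmin.local.8
usr/sbin/kadmind
usr/share/man/man8/kadmind.8
usr/sbin/kprop
usr/share/man/man8/kprop.8
usr/share/man/man5/kadm5.acl.5
debian/krb5-kdc-ldap.install0000664000000000000000000000021312272025331013071 0ustar
usr/sbin/kdb5_ldap_util
usr/share/man/man8/kdb5_ldap_util.8
usr/lib/*/krb5/*.so*
usr/lib/*/krb5/plugins/kdb/kldap.so
etc/insserv/overrides
debian/krb5-kdc.dirs.in0000664000000000000000000000017612272025331012063 0ustar
usr/lib/${DEB_HOST_MULTIARCH}/krb5/plugins/kdb
var/lib/krb5kdc
etc/krb5kdc
usr/share/doc/krb5-kdc/examples
usr/share/krb5-kdc
debian/krb5-kdc-ldap.docs0000664000000000000000000000014012272025331012352 0ustar
src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
debian/krb5-user.lintian-overrides0000664000000000000000000000003112272025332014359 0ustar
krb5-user: setuid-binary
debian/krb5-kdc.config0000664000000000000000000000040012272025331011750 0ustar
#!/bin/sh
set -e

. /usr/share/debconf/confmodule
db_version 2.0

db_input low krb5-kdc/debconf || true
db_go

db_get krb5-kdc/debconf
if [ x"$RET" = xtrue ] ; then
    if [ -f "/etc/default/krb5-kdc" ] ; then
        .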
/etc/default/krb5-kdc fi fi debian/README.Debian0000664000000000000000000000765612272025331011244 0ustar MIT Kerberos for Debian Kerberos Package Roadmap Most systems using Kerberos should install at least krb5-user, which contains the basic kinit, klist, and kdestroy binaries to manage user Kerberos credentials, as well as other basic utilities. In order to use Kerberos passwords for local authentication and obtain Kerberos credentials automatically when logging in, install and configure libpam-krb5. To log on to other systems using Kerberos authentication, most sites will find a Kerberos-enabled sshd the most convenient. Either the openssh-client and openssh-server packages version 1:4.2p1-2 or later (preferable) or openssh-krb5 (for older Debian releases) will work. See the ssh documentation for information on enabling GSSAPI authentication (which is how Kerberos authentication is done over the ssh protocol). Some sites will instead prefer to use Kerberos-enabled versions of the standard Unix login utilities (rsh, rlogin, telnet, ftp). The clients are available in the krb5-clients package and the servers are available in the krb5-rsh-server, krb5-telnetd, and krb5-ftpd packages. Please note that the telnetd and ftpd included in those packages do not use PAM (this is not supported upstream and may or may not ever be supported); they only support Kerberos and will not run other PAM modules. For more flexible login support, use Kerberos-enabled ssh instead. The krb5-kdc and krb5-admin-server packages are only needed and used on Kerberos KDCs, only one set of which is needed for each independently managed Kerberos realm. For more information on how to set up a Kerberos realm using the Debian packages, install krb5-kdc and then read /usr/share/doc/krb5-kdc/README.KDC. Documentation All Kerberos binaries and most configuration files have manual pages. For the info pages and reference manual, install krb5-doc. If you need additional information, see . 
Debian-Specific Information MIT distributes the Kerberos sources as a tarball and a PGP signature, tarred up into a single .tar file. In order to create the Debian original upstream source (.orig.tar.gz), I untarred the parent tarball, checked the PGP signature, and used the contained tarball as the upstream source. Since krb5-1.7, a separate "krb5-appl" tarball contains the kerberized client utilities (rlogin, rsh, etc.) with a similar nested-tarball scheme. MIT Kerberos is built against the libcom_err and libss provided by the e2fsprogs source package. It is built against the version of db included in src/util/db2 in the Kerberos sources. In the future, krb5-kdc may change to use db4, although doing so will make upgrades somewhat difficult. None of the sample clients and servers are installed. As a general rule, these are not useful unless you are doing development, and in such a situation you probably want to build them from source. Note that by default, no unencrypted services are enabled. That means, if you are using krb5-clients and the supporting server packages, you need to use rlogin -x to connect to a Debian system and if you use rsh or rcp without the -x option you will get an error that encryption is required. In this day and age, not encrypting network traffic is a good way to get attacked. If installed, krb5-rsh-server by default allows any user in the local realm whose principal matches a local account name to log on to that account. See the klogind and kshd man pages. If this isn't the behavior you want, one option is to create an empty .k5login file in the home directory of every user and then add principals to those files where it's appropriate. One way to do this for all newly created users is: touch /etc/skel/.k5login This will cause an empty .k5login file to be put in the home directory of newly created users. 
-- Russ Allbery , Fri Dec 2 21:05:05 2005 debian/kdc.conf0000664000000000000000000000113312272025331010573 0ustar [kdcdefaults] kdc_ports = 750,88 [realms] @MYREALM = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 default_principal_flags = +preauth } debian/prepsource0000775000000000000000000000102112272025332011275 0ustar #!/bin/sh set -e if [ $# -lt 2 ]; then echo Usage: $0 tarfile merge_tag upstream_tag exit 2 fi tarfile=$1 merge_tag=$2 upstream_tag=$3 dir=$( basename $(tar tzf $tarfile |head -1 ) ) tar xzf $tarfile rm -rf $dir/doc/krb5-protocol git add -f $dir tree=$( git write-tree --prefix=${dir}/ ) commit=$( echo "Merge in $merge_tag to upstream by unpacking $tarfile." | \ git commit-tree $tree -p upstream -p $( git rev-list -n1 $merge_tag ) ) git branch -f upstream $commit git tag $upstream_tag $commit git rm -q -r -f $dir debian/po/0000775000000000000000000000000012272025333007605 5ustar debian/po/ja.po0000664000000000000000000001205712272025332010543 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # msgid "" msgstr "" "Project-Id-Version: krb5 1.4.4-7\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2009-03-05 23:36+0900\n" "Last-Translator: TANAKA, Atushi \n" "Language-Team: Japanese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Kerberos レルムの設定" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "このパッケージは Kerberos のマスターサーバーを稼働させるのに必要な管理用の" "道具を含みます。" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "ただし、このパッケージをインストールするだけで自動的にKerberos のレルムが設定" "されるわけではありません。\"krb5_newrealm\" コマンドを実行することで、これを" "あとで行なえます。" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "/usr/share/doc/krb5-kdc/README.KDC と krb5-doc パッケージにある管理案内も読ん" "でください。" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Kerberos5 管理デーモン (kadmind) を起動しますか?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "kadmind は Kerberos データベースのプリンシパルの追加/変更/消去の要求に応じま" "す。" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "これは、パスワードの変更で使われる、kpasswd プログラムで必要とされます。普通" "の設定では、このデーモンはマスター KDC で稼働させるべきです。" #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Kerberos KDC の設定を自動的に作成しますか?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Kerberos Key Distribution Center (KDC) の /etc/krb5kdc にある設定ファイルは" "自動的に作成させることができます。" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "デフォルトでは、テンプレートがこのディレクトリにコピーされ、ローカルな" "パラメーターの値が与えられます。" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Kerberos の設定を管理するインフラが既にある場合、自動的に設定を変更させない" "ことを望むかもしれません。" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "KDC データベースを消去すべきですか?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "デフォルトでは、このパッケージを削除しても /var/lib/krb5kdc/principal の KDC " "データベースは消去されません。というのも、このデータベースは一旦削除されると" "復活不能だからです。" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." 
msgstr "" "もし、KDC データベースをすぐ消去し、KDC の全てのユーザのアカウントとパスワー" "ドを削除したい場合はこのオプションを選んでください。" debian/po/POTFILES.in0000664000000000000000000000014312272025332011357 0ustar [type: gettext/rfc822deb] krb5-admin-server.templates [type: gettext/rfc822deb] krb5-kdc.templates debian/po/gl.po0000664000000000000000000002633312272025332010555 0ustar # Galician translation of krb5's debconf templates. # This file is distributed under the same license as the krb5 package. # # Jacobo Tarrio , 2006, 2007. # marce villarino , 2009. msgid "" msgstr "" "Project-Id-Version: krb5\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2009-03-12 17:14-0700\n" "Last-Translator: marce villarino \n" "Language-Team: Galician \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 0.2\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Configuración dun reino Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Este paquete contén as ferramentas administrativas precisas para que " "funcione o servidor mestre de Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Porén, ao instalar este paquete non se configura automaticamente un " "reino Kerberos. Isto pódese facer despois executando a orde «krb5_newrealm" "»." #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Consulte tamén o ficheiro /usr/share/doc/krb5-kdc/README.KDC e a guía do " "administrador que hai no paquete krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Desexa executar o servizo de administración de Kerberos V5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind serve peticións para engadir/modificar/eliminar principais na base " "de datos Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Precisa del o programa kpasswd, que se emprega para cambiar os contrasinais. " "Coas configuracións estándar, este servizo debería estar a funcionar no KDC " "mestre." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Desexa crear automaticamente a configuración do KDC de Kerberos?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Pódense crear automaticamente os ficheiros de configuración do Centro de " "Distribución de Chaves de Kerberos (KDC) en /etc/krb5kdc." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." 
msgstr "" "Por omisión hase copiar un modelo de exemplo neste directorio preenchendo os " "parámetros locais." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Os administradores que xa teñan unha infraestrutura para xestionar a " "configuración de Kerberos poden ter que desactivar estas modificacións de " "configuración automáticas." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Desexa eliminar a base de datos do KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Por omisión, ao eliminar este paquete non se ha borrar a base de datos do " "KDC de /var/lib/krb5kdc/principal, xa que esta base de datos non se pode " "recuperar despois de borrala." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Escolla esta opción se quere borrar a base de datos do KDC agora, eliminando " "todas as contas de usuario e contrasinais do KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Modo de compatibilidade con Kerberos V4 a empregar:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." 
#~ msgstr "" #~ "Por defecto admítense as peticións Kerberos V4 desde os principais que " #~ "non precisan de preautenticación (\"nopreauth\"). Isto permite que os " #~ "servizos Kerberos V4 sigan a existir mentres se require que a maioría dos " #~ "usuarios empreguen clientes Kerberos V5 para obter os seus tiquets " #~ "iniciais. Eses tiquets logo pódense converter en tiquets Kerberos V4." #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "De xeito alternativo, pode cambiarse ao modo \"full\" (completo), o que " #~ "permite que os clientes Kerberos V4 obteñan tiquets iniciais incluso " #~ "cando se precisaría normalmente de preautenticación; ao modo \"disable" #~ "\" (desactivado), o que fai que se devolvan erros de versión do protocolo " #~ "aos clientes Kerberos V4, ou a \"none\" (ningún), o que indica ao KDC que " #~ "non resposte en absoluto ás peticións Kerberos V4." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "" #~ "¿Executar un servizo de conversións de tiquets Kerberos V5 a Kerberos V4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "O servizo krb524d convirte os tiquets Kerberos V5 a tiquets Kerberos V4 " #~ "para os programas, tales coma krb524init, que obteñen tiquets Kerberos V4 " #~ "por compatibilidade coas aplicacións antigas." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." 
#~ msgstr "" #~ "Recoméndase activar este servizo se se activa Kerberos V4, especialmente " #~ "se se establece a compatibilidade Kerberos V4 a \"nopreauth\"." #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "¿Deben purgarse os datos cos ficheiros dos paquetes?" #~ msgid "disable" #~ msgstr "desactivado" #~ msgid "full" #~ msgstr "completo" #~ msgid "nopreauth" #~ msgstr "nopreauth" #~ msgid "none" #~ msgstr "ningún" #~ msgid "" #~ "This package contains the administrative tools necessary to run on the " #~ "Kerberos master server. However, installing this package does not " #~ "automatically set up a Kerberos realm. Doing so requires entering " #~ "passwords and as such is not well-suited for package installation. To " #~ "create the realm, run the krb5_newrealm command. You may also wish to " #~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide " #~ "found in the krb5-doc package." #~ msgstr "" #~ "Este paquete contén as ferramentas administrativas necesarias para " #~ "executar no servidor mestre de Kerberos. Nembargantes, a instalación " #~ "deste paquete non configura automaticamente un reino Kerberos. Para " #~ "facelo hai que introducir contrasinais, e por iso non se axusta ben á " #~ "instalación do paquete. Para crear o reini execute o programa " #~ "krb5_newrealm. Tamén é importante que lea o ficheiro /usr/sare/doc/krb5-" #~ "kdc/README.KDC e a guía administrativa que se atopa no paquete krb5-doc." #~ msgid "" #~ "Don't forget to set up DNS information so your clients can find your KDC " #~ "and admin servers. Doing so is documented in the administration guide." #~ msgstr "" #~ "Non esqueza configurar a información do DNS para que os clientes poidan " #~ "atopar o KDC e o servidor administrativo. O xeito de o facer documéntase " #~ "na guía de administración." #~ msgid "" #~ "Kadmind serves requests to add/modify/remove principals in the Kerberos " #~ "database. 
It also must be running for the kpasswd program to be used to " #~ "change passwords. Normally, this daemon runs on the master KDC." #~ msgstr "" #~ "Kadmind serve peticións para engadir/modificar/eliminar principais na " #~ "base de datos Kerberos. Tamén ten que estar a funcionar para que o " #~ "programa kpasswd o empregue para cambiar contrasinais. Normalmente este " #~ "servizo funciona no KDC mestre." #~ msgid "" #~ "Many sites will wish to have this script automatically create Kerberos " #~ "KDC configuration files in /etc/krb5kdc. By default an example template " #~ "will be copied into this directory with local parameters filled in. Some " #~ "sites who already have infrastructure to manage their own Kerberos " #~ "configuration will wish to disable any automatic configuration changes." #~ msgstr "" #~ "En moitos sitios se ha querer que este script cree automaticamente os " #~ "ficheiros de configuración do KDC de Kerberos en /etc/krb5kdc. Por " #~ "defecto hase copiar un patrón de exemplo neste directorio cos parámetros " #~ "locais introducidos. Os sitios que xa teñan a infraestructura para " #~ "xestionar a súa propia configuración de Kerberos poden ter que desactivar " #~ "os cambios automáticos na configuración." #~ msgid "disable, full, nopreauth, none" #~ msgstr "desactivado, completo, nopreauth, ningún" #~ msgid "Run a krb524d?" #~ msgstr "¿Executar krb524d?" #~ msgid "" #~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 " #~ "tickets for the krb524init program. If you have Kerberos4 enabled at " #~ "all, then you probably want to run this program. Especially when " #~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you " #~ "have any Kerberos4 services." #~ msgstr "" #~ "Krb524d é un servizo que convirte os tiquets Kerberos5 en tiquets " #~ "Kerberos4 para o programa krb524init. Se ten Kerberos4 activado é " #~ "probable que queira executar este programa. 
Krb524d é importante se ten " #~ "servizos Kerberos4, especialmente se a compatibilidade con Kerberos4 é " #~ "nopreauth." debian/po/fi.po0000664000000000000000000001103712272025332010544 0ustar msgid "" msgstr "" "Project-Id-Version: krb5_1.6.dfsg.3~beta1-2\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2009-03-14 20:56+0200\n" "Last-Translator: Esko Arajärvi \n" "Language-Team: Finnish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Finnish\n" "X-Poedit-Country: FINLAND\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Kerberos-toimialueen asetus" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Tämä paketti sisältää Kerberos-isäntäpalvelimen pidossa tarvittavat " "ylläpitotyökalut." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Paketin asentaminen ei kuitenkaan automaattisesti aseta Kerberos-" "toimialuetta. Tämä voidaan tehdä myöhemmin ajamalla komento ”krb5_newrealm”." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Lue myös /usr/share/doc/krb5-kdc/README.KDC ja paketista krb5-doc löytyvä " "ylläpito-opas." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Ajetaanko Kerberos V5 -ylläpitotaustaohjelmaa (kadmind)?" #. Type: boolean #. 
Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind palvelee pyyntöjä lisätä, muuttaa tai poistaa käyttäjiä Kerberos-" "tietokannasta." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Salasanojen vaihtoon käytetty ohjelma kpasswd vaatii tämän. Normaaleissa " "asennuksissa taustaohjelmaa tulisi ajaa isäntä-KDC:llä." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Luodaanko Kerberos KDC -asetukset automaattisesti?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Kerberos-avainten jakokeskuksen (Kerberos Key Distribution Center, KDC) " "hakemistossa /etc/krb5kdc olevat asetustiedostot voidaan luoda " "automaattisesti." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Oletuksena mallitiedosto kopioidaan tähän hakemistoon ja siihen lisätään " "paikalliset parametrit." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Ylläpitäjät, joilla on jo järjestelmä Kerberos-asetustensa hallitsemiseen, " "saattavat haluta poistaa käytöstä tämän asetusten automaattisen muokkaamisen." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Tulisiko KDC-tietokanta poistaa?" #. Type: boolean #. 
Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Tämän paketin siivoaminen ei oletuksena poista hakemistossa /var/lib/krb5kdc/" "principal olevaa KDC-tietokantaa, koska tätä tietokantaa ei voida palauttaa " "kun se kerran on poistettu." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Valitse tämä vaihtoehto, jos KDC-tietokanta halutaan poistaa nyt. Tällöin " "poistetaan kaikki KDC:n käyttäjätunnukset ja salasanat." debian/po/it.po0000664000000000000000000001160512272025332010563 0ustar # Italian (it) translation of debconf templates for krb5 # Copyright (C) 2008 Software in the Public Interest # This file is distributed under the same license as the krb5 package. # Luca Monducci , 2008-2009. # msgid "" msgstr "" "Project-Id-Version: krb5 1.6.dfsg.3 italian debconf templates\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2009-03-10 21:41+0100\n" "Last-Translator: Luca Monducci \n" "Language-Team: Italian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Impostazione di un Realm Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Questo pacchetto contiene gli strumenti d'amministrazione necessari per " "l'esecuzione del server principale Kerberos." #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Comunque l'installazione di questo pacchetto non comporta la configurazione " "automatica di un realm Kerberos, che può essere fatta in seguito usando il " "comando \"krb5_newrealm\"." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Leggere anche il file /usr/share/doc/krb5-kdc/README.KDC e la guida per " "l'amministrazione, entrambi contenuti nel pacchetto krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Attivare il demone di amministrazione Kerberos V5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmin evade le richieste di inserimento/modifica/rimozione dei principal " "nel database Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Questo servizio è necessario per il programma kpasswd, usato per cambiare le " "password. Con la configurazione standard, questo demone viene eseguito sul " "KDC principale." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Creare automaticamente la configurazione del KDC Kerberos?" #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "I file di configurazione del KDC (Key Distribution Center) Kerberos, in /etc" "/krb5kdc, possono essere creati automaticamente." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Un modello d'esempio verrà copiato all'interno di quella directory con la " "parte relativa ai parametri locali già compilata." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Gli amministratori che hanno già un'infrastruttura per la gestione della " "configurazione di Kerberos potrebbero voler disabilitare le modifiche " "automatiche della configurazione." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Eliminare il database del KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Normalmente la rimozione di questo pacchetto non elimina il database del KDC " "in /var/lib/krb5kdc/principal poiché questo database non può essere " "ripristinato una volta cancellato." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Scegliere questa opzione se si desidera eliminare adesso il database del " "KDC, perdendo tutti gli account e le password degli utenti nel KDC." 
debian/po/vi.po0000664000000000000000000001257512272025332010574 0ustar # Vietnamese Translation for krb5. # Copyright © 2010 Free Software Foundation, Inc. # Clytie Siddall , 2005-2010. # msgid "" msgstr "" "Project-Id-Version: krb5 1.8.3+dfsg-2\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2010-10-27 15:10+1030\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: LocFactoryEditor 1.8\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Thiết lập một Địa hạt Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Gói này chứa các công cụ quản trị cần thiết để chạy trình phục vụ chủ " "Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Tuy nhiên, việc cài đặt gói này không phải tự động thiết lập một địa hạt " "(realm) Kerberos. Có thể làm đó về sau, bằng cách chạy câu lệnh « " "krb5_newrealm »." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Xem thêm tập tin Đọc Đi « /usr/share/doc/krb5-kdc/README.KDC » và sổ tay quản " "trị (administration guide) nằm trong gói tài liệu « krb5-doc »." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?"
msgstr "Chạy trình nền quản trị phiên bản 5 Kerberos (kadmind) không?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind phục vụ yêu cầu để thêm/sửa đổi/gỡ bỏ điều tiền gốc trong cơ sở dữ " "liệu Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Nó bị chương trình kpasswd cần thiết để thay đổi mật khẩu. Đối với thiết " "lập tiêu chuẩn, trình nền này nên chạy trên KDC chủ." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Tự động tạo cấu hình KDC Kerberos không?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Những tập tin cấu hình Trung tâm Phân phối Khoá Kerberos (KDC), trong thư " "mục « /etc/krb5kdc », cũng có thể được tự động tạo." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Mặc định là một mẫu thí dụ sẽ được sao chép vào thư mục này với các tham số " "cục bộ được điền sẵn." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Quản trị đã có nền tảng để quản lý cấu hình Kerberos thì có thể muốn tắt các " "thay đổi cấu hình tự động này." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?"
msgstr "Có nên xoá cơ sở dữ liệu KDC không?" # By default, purging this package will not delete the KDC database in /var/ # lib/krb5kdc/principal since this database cannot be recovered once it is # deleted. If you wish to delete your KDC database when this package is # purged, knowing that purging this package will then mean deleting all of # the user accounts and passwords in the KDC, enable this option. #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Mặc định là việc gỡ bỏ gói này sẽ không xoá cơ sở dữ liệu KDC trong « /var/" "lib/krb5kdc/principal », vì một khi xoá cơ sở dữ liệu này, không thể phục " "hồi lại." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Hãy bật tùy chọn này nếu bạn muốn xoá cơ sở dữ liệu KDC ngay bây giờ, thì " "cũng xoá mọi tài khoản và mật khẩu của người dùng trong KDC." debian/po/tr.po0000664000000000000000000001117012272025332010571 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the krb5 package. # Atila KOÇ , 2012. # msgid "" msgstr "" "Project-Id-Version: krb5\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2012-02-07 22:37+0200\n" "Last-Translator: Atila KOÇ \n" "Language-Team: Turkish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Bir Kerberos Bölgesi kuruluyor" #. Type: note #.
Description #: ../krb5-admin-server.templates:2001 msgid "This package contains the administrative tools required to run the Kerberos master server." msgstr "Bu paket Kerberos ana sunucusunu işletmek için gerekli yönetimsel araçları barındırır." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "However, installing this package does not automatically set up a Kerberos realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "Öte yandan, bu paketi yüklemek kendiliğinden bir Kerberos bölgesi kurmaz. Bu işlem \"krb5_newrealm\" komutu ile sonradan yapılabilir." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package." msgstr "Lütfen krb5-doc paketinde yer alan yönetim kılavuzunu ve /usr/share/doc/krb5-kdc/README.KDC dosyasını okuyunuz." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Kerberos V5 yönetimi artalan süreci (kadmind) çalıştırılsın mı?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Kadmind serves requests to add/modify/remove principals in the Kerberos database." msgstr "Kadmind Kerberos veritabanına yönelik özlük ekleme/düzenleme/kaldırma isteklerini yanıtlar." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should run on the master KDC." msgstr "Bunlara ek olarak kpasswd programının şifreleri değiştirebilmesi için de gereklidir. Sıradan kurulumlarda, bu artalan süreci ana KDC üzerinde çalışmalıdır." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Kerberos KDC yapılandırması kendiliğinden yaratılsın mı?" #. Type: boolean #.
Description #: ../krb5-kdc.templates:2001 msgid "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/krb5kdc, may be created automatically." msgstr "/etc/krb5kdc dizininde yer alan Kerberos Anahtar Dağıtım Merkezi (KDC) yapılandırma dosyaları kendiliğinden yaratılabilir." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "By default, an example template will be copied into this directory with local parameters filled in." msgstr "Öntanımlı olarak, yerel değerleri doldurulmuş halde örnek bir şablon bu dizine kaydedilecektir." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes." msgstr "Kerberos yapılandırmalarını yönetmek için altyapıları hazır olan yöneticiler, kendiliğinden yapılacak bu yapılandırma değişikliklerini atlayabilirler." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "KDC veritabanı silinsin mi?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "By default, removing this package will not delete the KDC database in /var/lib/krb5kdc/principal since this database cannot be recovered once it is deleted." msgstr "Öntanımlı olarak bu paketin kaldırılması /var/lib/krb5kdc/principal dizinindeki veritabanını kaldırmayacaktır. Çünkü bu veritabanı bir kez silindi mi bir daha kurtarılamaz." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Choose this option if you wish to delete the KDC database now, deleting all of the user accounts and passwords in the KDC." msgstr "Bu seçeneği KDC veritabanını şimdi silmek istiyorsanız seçin, bu durumda KDC'de yer alan tüm kullanıcı hesapları ve şifreler de silinecektir."
debian/po/nl.po0000664000000000000000000001153512272025332010562 0ustar # Dutch krb5 po-debconf translation, # Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the krb5 package. # Vincent Zweije , 2008. # Vincent Zweije , 2011. # msgid "" msgstr "" "Project-Id-Version: krb5 1.9+dfsg-1\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2011-05-22 17:40+0000\n" "Last-Translator: Vincent Zweije \n" "Language-Team: Debian-Dutch \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Aanmaken van een Kerberos autoriteitsgebied (realm)" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Dit pakket bevat de administratieve hulpmiddelen die nodig zijn om de " "Kerberos hoofd-server te draaien." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "De installatie van dit pakket maakt echter niet automatisch een Kerberos " "autoriteitsgebied (realm) aan. Dit kan later worden gedaan door het " "programma \"krb5_newrealm\" uit te voeren." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Lees alstublieft ook het bestand /usr/share/doc/krb5-kdc/README.KDC en de " "administratiehandleiding in pakket krb5-doc." #. Type: boolean #. 
Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "De Kerberos-V5 administratie-achtergronddienst (kadmind) starten?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind handelt aanvragen af om principals in de Kerberos database toe te " "voegen, te wijzigen of te verwijderen." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Het is vereist voor het programma kpasswd, dat wordt gebruikt voor het " "wijzigen van wachtwoorden. Gewoonlijk werkt deze achtergronddienst op de " "hoofd-KDC." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Kerberos KDC configuratie aanmaken met debconf?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "De configuratiebestanden van het Kerberos sleuteldistributiecentrum (Key " "Distribution Center, KDC), in /etc/krb5kdc, kunnen automatisch worden " "aangemaakt." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Standaard zal een sjabloon naar deze map worden gekopieerd, waarin de locale " "parameters al zijn ingevuld." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." 
msgstr "" "Beheerders die reeds infrastructuur hebben om hun Kerberos configuratie te " "beheren kunnen deze automatische configuratiewijzigingen uitschakelen." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Dient de KDC database te worden verwijderd?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Standaard zal het wissen (purge) van dit pakket de KDC database in /var/lib/" "krb5kdc/principal niet verwijderen, aangezien deze database niet kan worden " "hersteld als deze is verwijderd." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Accepteer deze optie indien u de KDC database nu wilt verwijderen, waarbij " "alle gebruikers en wachtwoorden verloren gaan." debian/po/eu.po0000664000000000000000000001600312272025332010555 0ustar # translation of krb5-eu.po to Euskara # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Piarres Beobide , 2007, 2008. msgid "" msgstr "" "Project-Id-Version: krb5-eu\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2008-05-22 15:38+0200\n" "Last-Translator: Piarres Beobide \n" "Language-Team: Euskara \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Kerberos eremu bat ezartzen" #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Pakete honek Kerberos zerbitzari nagusia abiarazteko lanabes " "administratiboak ditu." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Hala ere, pakete hau instalatzeak ez du Kerberos eremu bat automatikoki " "konfiguratzen. Hori beranduago egin daiteke \"krb5_newrealm\" komandoa " "erabiliaz." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Mesedez irakurri ere /usr/share/doc/krb5-kdc/README.KDC fitxategia eta krb5-" "doc paketean aurki daitekeen administrazio gidaliburua." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Kerberos 5 administrazio deabrua (kadmind) abiarazi?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind-ek Kerberos datu-baseko gehitze/eraldatze/ezabatze eskaera nagusiak " "zerbitzatzen ditu." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Hau pasahitzak aldatzeko erabiltzen den kpasswd programaren eskakizun bat " "da. Konfigurazio estandarrarekin, deabru hau KDC nagusian abiarazi behar da." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" 
msgstr "Kerberos KDC konfigurazioa automatikoki sortu?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Kerberos gako banaketa zentru (KDC) konfigurazio fitxategiak, automatikoki " "sortuko dira /etc/krb5kdc direktorioan." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Lehenespen bezala, parametro lokalak beterik dituen adibide txantiloi bat " "kopiatuko da direktorio horretan." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Kerberos konfigurazioa kudeatzeko azpiegitura duten kudeatzaileek " "konfigurazio aldaketa automatiko hauek ezgaitu nahi ditzakete." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "KDC datu-basea ezabatu egin behar al da?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Lehenespen bezala, pakete hu garbitzean ez da /var/lib/krb5kdc/principal-eko " "KDC datu-basea ezabatuko ezin bait da berreskuratu ezabatzen bada." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Aukera hau hautatu paketea garbitzean KDC datu-basea ezabatzea nahi baduzu, " "horrela KDC-an dauden erabiltzaile kontu eta pasahitz guztiak ezabatuko dira." 
#~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Erabiliko den Kerberos 4 bateragarritasun modua:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Lehenespen bezala, Kerberos 4 eskaerak onartzen dira aurreautentifikazioa " #~ "(\"nopreauth\") eskatzen ez duten nagusietatik onartzen dira. Honek " #~ "Kerberos 4 zerbitzuak egoteko aukera ematen du erabiltzaile gehienei " #~ "Kerberos 5 bezeroak eskatzen zaienean hasierako tiketak eskuratzeko. " #~ "Tiket horiek Kerberos 4 tiketak bihurtu daitezke." #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Bestela, modua \"full\" bezala ezarri daiteke Kerberos 4 bezeroei hasiera " #~ "tiketak eskuratzen uzteko nahiz arruntean aurreautentifikazioa eskatuko " #~ "zen; \"disable\" Kerberos 4 bezeroei protokolo errore bat itzultzeko; edo " #~ "\"none\" bezala ezarri KDC-al Kerberos 4 eskaerei ez erantzuteko." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "Kerberos 5-etik Kerberos 4-ra tiketak bihurtzeko deabrua abiarazi?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." 
#~ msgstr "" #~ "krb524d deabruak Kerberos 5 tiketak Kerberos 4-ra bihurtzen ditu " #~ "krb524init bezala aplikazioa zaharrekin bateragarritasuna mantentzeko " #~ "kerberos 4 tiketak eskuratzen dituzten programentzat." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Gomendagarria da deabrua gaitzea Kerberos 4 instalaturik badago bereiziki " #~ "\"nopreauth\" bateragarritasun modua ezarririk badago." debian/po/templates.pot0000664000000000000000000000622012272025332012326 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" #. Type: boolean #. 
Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." 
msgstr "" debian/po/de.po0000664000000000000000000002671512272025332010547 0ustar # Translation of krb5 debconf templates to German # Copyright (C): # Jens Nachtigall , 2005. # Helge Kreutzmann , 2007-2009. # This file is distributed under the same license as the krb5 package. # msgid "" msgstr "" "Project-Id-Version: krb5 1.6.dfsg.4~beta1-10\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2009-03-05 22:45+0100\n" "Last-Translator: Helge Kreutzmann \n" "Language-Team: de \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-15\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Einrichten des Kerberos-Realm" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Dieses Paket enthält die administrativen Werkzeuge, die zum Betrieb des " "Kerberos-Master-Servers benötigt werden." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Allerdings führt die Installation dieses Pakets nicht automatisch zur " "Einrichtung einer Kerberos-Realm. Dies kann später mit dem Befehl " "»krb5_newrealm« erfolgen." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Bitte lesen Sie auch die Datei /usr/share/doc/krb5-kdc/README.KDC und den " "administrativen Leitfaden im krb5-doc-Paket." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" 
msgstr "Soll der Kerberos V5-Administrations-Daemon (kadmind) laufen?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind bedient Anfragen, um Prinzipale in der Kerberos-Datenbank " "hinzuzufügen/zu verändern/zu entfernen." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Es wird vom Kpasswd-Programm benötigt, dass zum Ändern von Passwörtern " "verwendet wird. Im Normalfall sollte der Daemon auf dem Master-KDC laufen." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Die Kerberos-KDC-Konfiguration automatisch erstellen?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Die Konfigurationsdateien des »Kerberos Key Distribution Center« (KDC) in /etc/" "krb5kdc können automatisch erstellt werden." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Standardmäßig wird eine Beispielvorlage in dieses Verzeichnis kopiert, in " "der lokale Parameter eingetragen sind." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Administratoren, die bereits über eine Infrastruktur zur Verwaltung ihrer " "Kerberos-Konfiguration verfügen, möchten diese automatischen " "Konfigurationsänderungen eventuell deaktivieren." #. Type: boolean #. 
Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Soll die KDC-Datenbank gelöscht werden?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Standardmäßig wird während des Entfernens des Paketes die KDC-Datenbank in /" "var/lib/krb5kdc/principal nicht entfernt, da diese Datenbank nicht " "wiederhergestellt werden kann, nachdem sie gelöscht wurde." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Wählen Sie diese Option, falls Sie möchten, dass die KDC-Datenbank jetzt " "gelöscht werden soll. Dies löscht alle Benutzerkonten und Passwörter in dem " "KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Zu benutzender Kerberos V4-Kompatibilitäts-Modus:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Standardmäßig werden Kerberos V4-Anfragen von Prinzipalen erlaubt, die " #~ "keine vorherige Authentifizierung benötigen (»nopreauth«). Das ermöglicht " #~ "Kerberos V4-Dienste zu betreiben, während gleichzeitig die meisten " #~ "Benutzer Kerberos V5-Clients verwenden müssen, um ihr anfängliches Ticket " #~ "zu bekommen. Diese Tickets können in Kerberos V4-Tickets umgewandelt " #~ "werden. 
" #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Alternativ kann der Modus auch auf »full« gesetzt werden, wodurch Kerberos " #~ "V4-Clients anfängliche Tickets ohne vorherige Authentifizierung erhalten " #~ "können, selbst wenn prauth normalerweise nötig wäre. Eine weitere " #~ "Möglichkeit ist »disable«, wobei dann Protokollversionsfehler an alle " #~ "Kerberos V4-Clients gesandt werden und »none«, der den KDC anweist, auf " #~ "Kerberos V4-Anfragen überhaupt nicht zu reagieren." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "Einen Kerberos V5-auf-V4 Ticket-Konvertier-Daemon betreiben?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "Der Krb524d-Daemon konvertiert V5-Tickets in V4-Tickest für Programme wie " #~ "Krb524init, die Kerberos V4-Tickets zur Kompatibilität für ältere " #~ "Anwendungen besorgen." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Es wird empfohlen, diesen Daemon zu aktivieren, falls Kerberos V4 " #~ "aktiviert ist, insbesondere wenn Kerberos V4-Kompatibilität auf " #~ "»nopreauth« gesetzt ist." #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "" #~ "Sollen die Daten genauso wie die Paket-Dateien vollständig entfernt " #~ "werden?" 
#~ msgid "disable" #~ msgstr "deaktivieren" #~ msgid "full" #~ msgstr "komplett" #~ msgid "nopreauth" #~ msgstr "nopreauth" #~ msgid "none" #~ msgstr "keinen" #~ msgid "" #~ "This package contains the administrative tools necessary to run on the " #~ "Kerberos master server. However, installing this package does not " #~ "automatically set up a Kerberos realm. Doing so requires entering " #~ "passwords and as such is not well-suited for package installation. To " #~ "create the realm, run the krb5_newrealm command. You may also wish to " #~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide " #~ "found in the krb5-doc package." #~ msgstr "" #~ "Dieses Paket enthält die administrativen Werkzeuge, die für den Kerberos-" #~ "Masterserver benötigt werden. Die Installation dieses Pakets bedeutet " #~ "jedoch nicht, dass der Kerberos-Realm automatisch eingerichtet wird. Dazu " #~ "wäre die Eingabe von Passwörtern notwendig und deshalb ist dies nicht " #~ "sonderlich für die Paket-Installation geeignet. Um den Realm zu " #~ "erstellen, führen Sie bitte den Befehl »krb5_newrealm« aus. Lesen Sie " #~ "eventuell auch /usr/share/doc/krb5-kdc/README.KDC oder den " #~ "Administrations-Leitfaden, welcher im Paket krb5-doc zu finden ist." #~ msgid "" #~ "Don't forget to set up DNS information so your clients can find your KDC " #~ "and admin servers. Doing so is documented in the administration guide." #~ msgstr "" #~ "Vergessen Sie nicht DNS einzurichten, damit Ihre Clients auch Ihre KDC- " #~ "und Admin-Server finden. Wie Sie dazu vorgehen müssen, steht im " #~ "Administrations-Leitfaden." #~ msgid "" #~ "Kadmind serves requests to add/modify/remove principals in the Kerberos " #~ "database. It also must be running for the kpasswd program to be used to " #~ "change passwords. Normally, this daemon runs on the master KDC." 
#~ msgstr "" #~ "Kadmind beantwortet Anfragen um »Principals« in die Kerberos-Datenbank " #~ "einzufügen, zu verändern oder aus der Datenbank zu entfernen. Kadmind " #~ "muss laufen, damit das Programm kpasswd in der Lage ist, Passwörter zu " #~ "verändern. Normalerweise läuft dieser Daemon auf dem Master-KDC." #~ msgid "" #~ "Many sites will wish to have this script automatically create Kerberos " #~ "KDC configuration files in /etc/krb5kdc. By default an example template " #~ "will be copied into this directory with local parameters filled in. Some " #~ "sites who already have infrastructure to manage their own Kerberos " #~ "configuration will wish to disable any automatic configuration changes." #~ msgstr "" #~ "Viele Sites werden es bevorzugen, wenn dieses Skript automatisch die " #~ "Kerberos-KDC-Konfigurationsdateien in /etc/krb5kdc erstellt. " #~ "Standardmäßig wird eine Beispiel-Vorlage in dieses Verzeichnis kopiert " #~ "und mit lokalen Parametern ausgefüllt. Einige Sites, welche bereits die " #~ "Infrastruktur besitzen um Ihre eigene Kerberos-Konfiguration zu " #~ "verwalten, werden es bevorzugen, jede automatische Veränderung der " #~ "Konfiguration zu deaktivieren." #~ msgid "disable, full, nopreauth, none" #~ msgstr "deaktivieren, total, ohne vorherige Authenfizierung, keiner" #~ msgid "Run a krb524d?" #~ msgstr "Soll krb524d laufen?" #~ msgid "" #~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 " #~ "tickets for the krb524init program. If you have Kerberos4 enabled at " #~ "all, then you probably want to run this program. Especially when " #~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you " #~ "have any Kerberos4 services." #~ msgstr "" #~ "Krb524d ist ein Daemon, der Kerberos5-Tickets für das Programm krb524init " #~ "in Kerberos4-Tickets umwandelt. Haben Sie Kerberos4 aktiviert, dann " #~ "sollten Sie wahrscheinlich diesen Dienst laufen lassen. 
Insbesondere wenn " #~ "der Kerberos4-Kompatibilitäts-Modus auf »ohne vorherige Authentifizierung« " #~ "gesetzt ist, ist krb524d wichtig, wenn Sie irgendwelche Kerberos4-Dienste " #~ "haben." debian/po/es.po0000664000000000000000000002070112272025332010553 0ustar # krb5 po-debconf translation to Spanish # Copyright (C) 2006, 2008, 2009 Software in the Public Interest # This file is distributed under the same license as the krb5 package. # # Changes: # - Initial translation # Fernando Cerezal López , 2006 # # - Updates # Diego Lucio D'Onofrio , 2008 # Ignacio Mondino , 2008 # Francisco Javier Cuadrado , 2009 # # Traductores, si no conocen el formato PO, merece la pena leer la # documentación de gettext, especialmente las secciones dedicadas a este # formato, por ejemplo ejecutando: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Equipo de traducción al español, por favor lean antes de traducir # los siguientes documentos: # # - El proyecto de traducción de Debian al español # http://www.debian.org/intl/spanish/ # especialmente las notas y normas de traducción en # http://www.debian.org/intl/spanish/notas # # - La guía de traducción de po's de debconf: # /usr/share/doc/po-debconf/README-trans # o http://www.debian.org/intl/l10n/po-debconf/README-trans # msgid "" msgstr "" "Project-Id-Version: krb5 1.6.dfsg.4~beta1-10\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2009-03-09 18:12+0100\n" "Last-Translator: Francisco Javier Cuadrado \n" "Language-Team: Debian l10n Spanish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Configuración de un reino de Kerberos" #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Este paquete contiene las herramientas administrativas necesarias para " "ejecutar el servidor maestro Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Sin embargo, el instalar este paquete no configura automáticamente un reino " "de Kerberos. Esto se puede hacer más tarde ejecutando la orden " "«krb5_newrealm»." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Por favor, lea también el fichero «/usr/share/doc/krb5-kdc/README.KDC» y la " "guía de administración que se encuentra en el paquete krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "¿Desea ejecutar el demonio de administración de Kerberos V5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind sirve peticiones para agregar/modificar/quitar principales de la " "base de datos de Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "El programa kpasswd necesita esto para poder cambiar las contraseñas. Con la " "configuración estándar, este demonio debe ejecutarse en el KDC maestro." #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "¿Desea crear la configuración del KDC de Kerberos automáticamente?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Los archivos de configuración, ubicados en «/etc/krb5kdc», del centro de " "distribución de claves de Kerberos (KDC) se podrán crear automáticamente." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Por omisión, una plantilla de ejemplo se copiará en este directorio con los " "parámetros locales completados." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Los administradores que ya posean la infraestructura para manejar su " "configuración de Kerberos podrían querer deshabilitar estos cambios de " "configuración automáticos." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "¿Desea eliminar la base de datos de KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Por omisión, eliminar este paquete no borrará la base de datos KDC en «/var/" "lib/krb5kdc/principal», ya que esta base de datos no se puede recuperar una " "vez eliminada." #. Type: boolean #. 
Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Seleccione esta opción si desea eliminar la base de datos de KDC ahora, " "eliminando todas las cuentas de usuarios y contraseñas en KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Modo de compatibilidad con Kerberos V4 a utilizar:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Por omisión, se permiten las peticiones Kerberos V4 desde los principales " #~ "que no necesiten preautenticación («nopreauth»). Esto permite que los " #~ "servicios de Kerberos V4 existan mientras se solicita a la mayoría de los " #~ "usuarios que utilicen clientes Kerberos V5 para obtener sus «tickets» " #~ "iniciales. Estos «tickets» se pueden convertir entonces a «tickets» de " #~ "Kerberos V4." #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Alternativamente, el modo puede ser establecido como «full», permitiendo a " #~ "los clientes de Kerberos V4 conseguir «tickets» iniciales aún cuando " #~ "normalmente se requiera preautenticación; como «disable», devolviendo " #~ "errores de versión de protocolo a todos los clientes de Kerberos V4; o " #~ "como «none», lo cual ordenará a KDC no responder nada las peticiones de " #~ "Kerberos V4 de ninguna forma." 
#~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "" #~ "¿Desea ejecutar el demonio de conversión de «tickets» de Kerberos V5 a " #~ "Kerberos V4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "El demonio krb524d convierte los «tickets» de Kerberos V5 a «tickets» de " #~ "Kerberos V4 para que programas tales como krb524init obtengan «tickets» " #~ "Kerberos V4 compatibles con aplicaciones antiguas." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Es recomendable habilitar este demonio si Kerberos V4 está habilitado, " #~ "especialmente cuando la compatibilidad de Kerberos V4 está establecida " #~ "como «nopreauth»." debian/po/da.po0000664000000000000000000001124712272025332010535 0ustar # Danish translation krb5. # Copyright (C) 2010 krb5 & nedenstående oversættere. # This file is distributed under the same license as the krb5 package. # Claus Hindsgaul , 2006. # Joe Hansen , 2010. # msgid "" msgstr "" "Project-Id-Version: krb5\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2010-06-02 17:30+01:00\n" "Last-Translator: Joe Hansen \n" "Language-Team: Danish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Sætter et Kerberos-rige op" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." 
msgstr "" "Denne pakke indeholder de administrative værktøjer krævet til at køre " "Kerberos' masterserver." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Installation af denne pakke medfører dog ikke automatisk, at et " "Kerberos-rige bliver sat op. Dette kan gøres senere ved at køre kommandoen " "»krb5_newrealm«." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Læs venligst også filen /usr/share/doc/krb5-kdc/README.KDC og " "administrationsvejledningen, der kan ses i pakken krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Skal administrationsdæmonen Kerberos5 (kadmind) køres?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmindservere anmoder om at tilføje/ændre/fjerne vigtige ting i " "kerberosdatabasen." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Den er krævet af kpasswd-programmet, brugt til at ændre adgangskoder. " "Med standardopsætning, skal denne dæmon køre på master-KDC'en." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Opret automatisk Kerberos KDC-konfigurationen?" #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Konfigurationsfilerne for Kerberos Key Distribution Center (KDC) i /etc/" "krb5kdc, kan oprettes automatisk." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Som standard vil en eksempelskabelon blive kopieret ind i denne mappe med " "lokale parametre udfyldt." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Administratorer, som allerede har infrastruktur til håndtering af deres " "Kerberoskonfiguration, vil måske ønske at deaktivere disse automatiske " "konfigurationsændringer." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Skal KDC-databasen slettes?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Som udgangspunkt vil KDC-databasen i /var/lib/krb5kdc/principal ikke blive " "slettet, når pakken afinstalleres, da denne database ikke kan genskabes, når " "den er slettet." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Vælg denne indstilling hvis du ønsker at slette KDC-databasen nu, dermed " "slettes alle brugerkonti og adgangskoder i KDC'en." 
debian/po/sv.po0000664000000000000000000001664212272025332010605 0ustar # translation of krb5_1.6.dfsg.3-2_sv.po to swedish # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Martin Bagge , 2008. msgid "" msgstr "" "Project-Id-Version: krb5_1.6.dfsg.3-2_sv\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2009-03-05 15:55+0100\n" "Last-Translator: Martin Bagge \n" "Language-Team: swedish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" "X-Poedit-Language: swedish\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Ställer in ett Kerberos realm " #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Detta paket innehåller administrationsverktygen för att köra en huvudserver " "av Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Att bara installera paketet ger dock inte automatiskt en fix och färdig " "Kerberos realm. Detta kan göras vid ett senare tillfälle genom att köra " "\"krb5_newrealm\"." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Läs också /usr/share/doc/krb5-kdc/README.KDC och administrationsguiden i " "paketet 'krb5-doc'." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" 
msgstr "Vill du köra administrationstjänsten för Kerberos V5(kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind tar emot förfrågningar om att lägga till/ändra/ta bort innehåll i " "Kerberosdatabasen." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "kpasswd (används för att byta lösenord) behöver den. I standardutförandet så " "ska den köras på huvud-KDC." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Vill du skapa Kerberos KDC-konfigurationen automatiskt?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Konfigurationsfiler för Kerberos Key Distribution Center (KDC) kan skapas " "automatiskt i /etc/krb5kdc." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Standardutförandet är att kopiera lokala inställningar till en exempelfil " "kompieras som läggs i denna katalog." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Administratörer som redan har infrastruktur för att ta hand om Kerberos " "konfigurationsfiler kan stänga av denna automatiska körning." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Vill du radera KDC-databasen?" #. 
Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "I standardläget så tas bara paketfilerna bort och KDC-databasen i /var/lib/" "krb5kdc/principal lämnas kvar då den inte kan återskapas om den tas bort." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Välj detta alternativ om du vill ta bort KDC-databasen när paketet är " "borttaget. Alla användare och lösenord i KDC kommer då att tas bort." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Kompabilitetsläge för Kerberos v4-anslutningar:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Standardutförandet är att tillåta Kerberos v4-klienter som inte kräver " #~ "förautentisiering (\"nopreauth\"). Då kan en Kerberos v4-tjänster finnas " #~ "kvar men man kräver att de flesta användarna har en Kerberos v5-klient " #~ "som hämtar deras första biljett (eng: ticket), dessa kan sedan " #~ "konverteras till Kerberos v4." #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." 
#~ msgstr "" #~ "Du kan ange läget som \"full\" och därmed tillåta Kerberos v4-klienter att " #~ "skaffa sina biljetter även om förautentisiering skulle varit i bruk. " #~ "Eller vidare så kan läget ställas till \"avaktivera\", då sänds " #~ "felmeddelanden till Kerberos v4-klienterna, eller slutligen \"ingen\" som " #~ "anger att KDC inte ska svara alls på förfrågningar från Kerberos v4-" #~ "klienter." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "" #~ "Vill du köra en tjänst som konverterar mellan Kerberos v5 och Kerberos v4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "Tjänsten krb524 konverterar Kerberos v5-biljetter till Kerberos v4-" #~ "biljetter för äldre program som inte kan läsa Kerberos v5-biljetter." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Du bör aktivera tjänsten om Kerberos v4 är aktiverat, särskilt om " #~ "Kerberos v4-kompabilitet är satt till \"utan förautentisiering\"." #~ msgid "disable" #~ msgstr "avaktivera" #~ msgid "full" #~ msgstr "full" #, fuzzy #~ msgid "nopreauth" #~ msgstr "utan förautentisiering (eng: nopreauth)" #~ msgid "none" #~ msgstr "ingen" #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "Vill du göra dig av med både datafiler och paketfiler?" debian/po/pt_BR.po0000664000000000000000000001164612272025332011162 0ustar # krb5 Brazilian Portuguese translation # Copyright (C) 2008 THE krb5'S COPYRIGHT HOLDER # This file is distributed under the same license as the krb5 package. # Eder L. Marques , 2008, 2009. # Fernando Ike de Oliveira (fike) . 2013. 
# msgid "" msgstr "" "Project-Id-Version: krb5\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2013-08-04 13:54-0300\n" "Last-Translator: Fernando Ike de Oliveira (fike) \n" "Language-Team: Brazilian Portuguese \n" "Language: pt_BR\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Configurando um Realm Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Este pacote contém as ferramentas administrativas necessárias para executar " "o servidor mestre Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Contudo, instalar este pacote não configura automaticamente um realm " "Kerberos. Isto pode ser feito posteriormente executando o comando " "\"krb5_newrealm\"." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Por favor, leia também o arquivo /usr/share/doc/krb5-kdc/README.KDC e o guia " "de administração encontrado no pacote krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Executar o daemon de administração do Kerberos V5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." 
msgstr "" "O kadmind atende requisições para adicionar/modificar/remover \"principals\" " "no banco de dados do Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Ele é necessário para o programa kpasswd, usado para alterar senhas. Com " "configurações padrão, este daemon deveria ser executado no KDC mestre." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Criar a configuração do Kerberos KDC automaticamente?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Os arquivos de configuração do Centro de Distribuição de Chaves Kerberos " "(KDC -- \"Kerberos Key Distribution Center\"), em /etc/krb5kdc, podem ser " "criados automaticamente." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Por padrão, um modelo de exemplo será copiado para este diretório com os " "parâmetros locais preenchidos." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Administradores que já possuem infraestrutura para administrar suas " "configurações Kerberos podem desejar desabilitar estas mudanças automáticas " "de configuração." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "O banco de dados do KDC deve ser excluído?" #. Type: boolean #. 
Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Por padrão, remover este pacote não excluirá o banco de dados do KDC em /var/" "lib/krb5kdc/principal visto que este banco de dados não pode ser recuperado " "uma vez excluído." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Escolha esta opção se você deseja excluir o banco de dados do KDC agora, " "excluindo todas as contas de usuários e senhas do KDC." debian/po/fr.po0000664000000000000000000001773012272025332010563 0ustar # Translation of krb5 debconf templates to French # Copyright (C) 2005-2009 Debian French l10n team # This file is distributed under the same license as the krb5 package. # # Translators: # Christian Perrier , 2005, 2008, 2009, 2011. msgid "" msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-02-21 13:55-0500\n" "PO-Revision-Date: 2011-06-17 19:57+0200\n" "Last-Translator: Christian Perrier \n" "Language-Team: French \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.2\n" "Language: fr\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Configuration d'un royaume (« Realm ») Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Ce paquet contient les outils d'administration utiles pour un serveur maître " "Kerberos." #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Cependant, la simple installation de ce paquet ne suffit pas pour mettre en " "service automatiquement un royaume Kerberos. Pour créer le royaume, veuillez " "utiliser la commande « krb5_newrealm »." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Vous pouvez aussi consulter le fichier /usr/share/doc/krb5-kdc/README.KDC et " "le guide d'administration fourni dans le paquet krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Faut-il lancer le démon d'administration de Kerberos v5 (kadmind) ?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind répond aux requêtes d'ajout, modification et suppression des " "enregistrements dans la base de données de Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Il est également indispensable pour que le programme kpasswd puisse changer " "les " "mots de passe. Habituellement, ce démon doit être opérationnel sur le " "centre de distribution de clés Kerberos (KDC)." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "" "Faut-il créer la configuration du centre de distribution de clés Kerberos " "automatiquement ?" #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Les fichiers de configuration du centre de distribution de clés Kerberos " "(KDC : Key Distribution Center), " "situés dans /etc/krb5kdc, peuvent être créés automatiquement." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Par défaut, des fichiers d'exemples comportant des paramètres locaux seront " "placés dans ce répertoire." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Les administrateurs qui utilisent déjà une infrastructure de gestion de la " "configuration de Kerberos souhaiteront probablement désactiver toute " "modification automatique de la configuration." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Faut-il supprimer la base de données KDC ?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Par défaut, la suppression complète de ce paquet ne supprimera pas la base " "de données KDC dans /var/lib/krb5kdc/principal car cette base de données ne " "peut pas être récupérée une fois supprimée." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." 
msgstr "" "Choisissez cette option si vous souhaitez supprimer la base de données KDC " "maintenant, ce qui supprimera tous les comptes des utilisateurs ainsi que " "les mots de passe, sur le centre de distribution de clés Kerberos (KDC)." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Mode de compatibilité avec Kerberos v4 à utiliser :" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Par défaut, les requêtes Kerberos v4 sont autorisées pour les " #~ "enregistrements (« principals ») qui n'ont pas besoin de pré-" #~ "authentification (« nopreauth »). Cela permet que les services Kerberos v4 " #~ "fonctionnent mais la majorité des utilisateurs devront utiliser des " #~ "clients Kerberos v5 pour obtenir leurs tickets initiaux. Ces tickets " #~ "pourront ensuite être convertis en tickets Kerberos v4." #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Ce mode peut également être configuré comme complet (« full »), ce qui " #~ "permet aux clients Kerberos v4 d'obtenir leurs tickets initiaux même " #~ "lorsque la pré-authentification est requise. Un autre réglage possible " #~ "est de le désactiver (« disable ») ce qui renvoie une erreur de version de " #~ "protocole à tous les clients Kerberos v4, ou de désactiver totalement les " #~ "réponses aux requêtes Kerberos v4 (« none »)."
#~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "" #~ "Faut-il lancer un démon de conversion des tickets Kerberos v5 en Kerberos " #~ "v4 ?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "Krb524d est un démon qui permet de convertir les tickets Kerberos v5 en " #~ "tickets Kerberos v4 pour les programmes tels que krb524init, qui " #~ "obtiennent des tickets Kerberos v4 pour préserver la compatibilité avec " #~ "d'anciennes applications." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Ce démon est indispensable lorsque Kerberos4 est activé, notamment si le " #~ "mode de compatibilité est « pas de pré-authentification » (nopreauth)." debian/po/pl.po0000664000000000000000000001152512272025332010563 0ustar # Translation of krb5 debconf templates to Polish. # Copyright (C) 2009 # This file is distributed under the same license as the krb5 package. # # Michał Kułach , 2012. msgid "" msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2012-02-03 01:06+0100\n" "Last-Translator: Michał Kułach \n" "Language-Team: Polish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Language: pl\n" "X-Generator: Lokalize 1.2\n" "Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " "|| n%100>=20) ? 1 : 2);\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Konfigurowanie Kerberos Realm" #. Type: note #. 
Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Pakiet zawiera narzędzia administracyjne potrzebne do działania głównego " "serwera Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Zainstalowanie tego pakietu nie skonfiguruje jednak tzw. realm (dziedziny, " "domeny) systemu Kerberos w sposób " "automatyczny. Można to uczynić później, poleceniem \"krb5_newrealm\"." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Proszę również zapoznać się z plikiem /usr/share/doc/krb5-kdc/README.KDC oraz " "z przewodnikiem administracyjnym z pakietu krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Uruchomić demona administracyjnego Kerberos V5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind obsługuje żądania dodania/zmodyfikowania/usunięcia tzw. principal " "(użytkowników) w bazie danych Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Jest wymagany przez program kpasswd, używany do zmiany haseł. W standardowej " "konfiguracji demon powinien działać na głównym KDC." #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Utworzyć konfigurację Kerberos KDC automatycznie?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Pliki konfiguracyjne Kerberos Key Distribution Center (KDC), w /etc/krb5kdc, " "mogą zostać utworzone automatycznie." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Domyślnie, przykładowy szablon zostanie skopiowany do tego katalogu i " "wypełniony lokalnymi parametrami." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Administratorzy, którzy posiadają infrastrukturę do zarządzania swoją " "konfiguracją Kerberos, mogą chcieć wyłączyć automatyczną zmianę konfiguracji." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Czy baza danych KDC ma zostać usunięta?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Domyślnie, usunięcie tego pakietu nie usunie bazy danych KDC z " "/var/lib/krb5kdc/principal, ponieważ nie może ona zostać odzyskana po " "usunięciu." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." 
msgstr "" "Proszę wybrać \"tak\" aby skasować bazę danych KDC teraz, usuwając wszystkie " "konta i hasła użytkowników z KDC." debian/po/ca.po0000664000000000000000000001151312272025332010530 0ustar # krb5 po-debconf translation to Catalan # Copyright (C) 2006, 2008, 2009 Software in the Public Interest # This file is distributed under the same license as the PACKAGE package. # Innocent De Marchi , 2011. # msgid "" msgstr "" "Project-Id-Version: 1.6.dfsg.4~beta1-10\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2011-06-17 18:08+0100\n" "Last-Translator: Innocent De Marchi \n" "Language-Team: catalan \n" "X-Poedit-Language: Catalan\n" "X-Poedit-Country: SPAIN\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Configuració d'un regne Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "This package contains the administrative tools required to run the Kerberos master server." msgstr "Aquest paquet conté les eines administratives necessàries per executar el servidor principal de Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "However, installing this package does not automatically set up a Kerberos realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "No obstant això, amb la instal·lació d'aquest paquet no es configura automàticament un regne Kerberos. Això es pot fer més endavant mitjançant l'execució de l'ordre «krb5_newrealm»." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package." 
msgstr "Llegiu també el fitxer «/usr/share/doc/krb5-kdc/README.KDC» i la guia d'administració disponible en el paquet «krb5-doc»." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Voleu executar el dimoni d'administració de Kerberos V5 («kadmind»)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Kadmind serves requests to add/modify/remove principals in the Kerberos database." msgstr "Kadmind gestiona les peticions per afegir, modificar i esborrar els registres a la base de dades Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should run on the master KDC." msgstr "És necessari pel programa «kpasswd», que s'utilitza per canviar les contrasenyes. Amb les configuracions estàndard, aquest dimoni s'ha d'executar en el KDC principal" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Generar la configuració de Kerberos KDC de forma automàtica?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/krb5kdc, may be created automatically." msgstr "Els fitxer de configuració del «Kerberos Key Distribution Center» (KDC), a «/etc/krb5kdc», es poden generar automàticament." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "By default, an example template will be copied into this directory with local parameters filled in." msgstr "Per defecte, una plantilla d'exemple, amb els paràmetres locals emplenats, es copiarà en aquest directori." #. Type: boolean #. 
Description #: ../krb5-kdc.templates:2001 msgid "Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes." msgstr "Els administradors que ja tenen la infraestructura per administrar la configuració de Kerberos probablement voldran deshabilitar els canvis de la configuració automàtica." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Voleu esborrar la base de dades KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "By default, removing this package will not delete the KDC database in /var/lib/krb5kdc/principal since this database cannot be recovered once it is deleted." msgstr "Per defecte, la desinstal·lació d'aquest paquet no esborrarà la base de dades de KDC a «/var/lib/krb5kdc/principal», degut a que aquesta base de dades no es recuperable desprès d'esborrar-la." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Choose this option if you wish to delete the KDC database now, deleting all of the user accounts and passwords in the KDC." msgstr "Seleccioneu aquesta opció si desitja esborrar la base de dades KDC ara, esborrant tots els comptes d'usuari i contrasenyes en el KDC." debian/po/ru.po0000664000000000000000000002325112272025332010575 0ustar # Translation of krb5 to Russian # This file is distributed under the same license as the PACKAGE package. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER. # # Yuri Kozlov , 2006, 2007. # Alyoshin Sergey , 2007, 2008, 2009. 
msgid "" msgstr "" "Project-Id-Version: krb5_1.6.dfsg.4~beta1-10\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2009-03-09 00:11:57+0300\n" "Last-Translator: Alyoshin Sergey \n" "Language-Team: Russian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" "10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Настройка области Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Этот пакет содержит управляющие инструменты, требующиеся для работы мастер-" "сервера Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Однако при установке пакета не выполняется автоматическая настройка области " "Kerberos. Это может быть сделано позже с помощью команды \"krb5_newrealm\"." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Пожалуйста, прочтите также файл /usr/share/doc/krb5-kdc/README.KDC и " "руководство администратора из пакета krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Запускать службу администрирования Kerberos V5 (kadmind)?" #. Type: boolean #. 
Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind обслуживает запросы на добавление, изменение и/или удаление " "принципалов в базе данных Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Он требуется программе kpasswd, используемой для изменения паролей. При " "стандартной установке эта служба должна работать на главном KDC." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Создать конфигурацию Kerberos KDC автоматически?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Конфигурационные файлы центра распределения ключей Kerberos (KDC) в " "каталоге /etc/krb5kdc могут быть созданы автоматически." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "По умолчанию в этот каталог будет скопирован образец шаблона с заполненными " "локальными параметрами." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Администраторы, у которых уже есть инфраструктура, обслуживаемая их " "конфигурацией Kerberos, возможно, не захотят выполнять автоматическое " "изменение конфигурации." #. Type: boolean #. 
Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Удалить базу данных KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "По умолчанию, удаление данного пакета не приводит к удалению базы данных KDC " "в /var/lib/krb5kdc/principal, так как эта база данных не может быть " "восстановлена после удаления." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Выберите этот параметр, если хотите удалить базу данных KDC сейчас, при этом " "будут удалены все пользовательские учётные записи и пароли в KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Используемый режим совместимости с Kerberos V4:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "По умолчанию, запросы Kerberos V4 разрешены от принципалов, для которых " #~ "не требуется предварительная аутентификация (\"nopreauth\", \"без " #~ "предварительной аутентификации\"). Это позволяет существовать сервисам " #~ "Kerberos V4, но требует от большинства пользователей использования " #~ "клиента Kerberos V5 для получения начальных мандатов. Затем эти мандаты " #~ "могут быть преобразованы в мандаты Kerberos V4." 
#~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Кроме того, могут быть установлены режимы: \"full\" (\"полный\"), который " #~ "позволяет клиентам Kerberos V4 получить начальные мандаты, даже если " #~ "обычно требуется предварительная аутентификация; \"disable\" (\"отключён" #~ "\"), при котором всем клиентам Kerberos V4 возвращаются ошибки версии " #~ "протокола; \"none\" (\"никакой\"), при котором KDC вообще не отвечает на " #~ "запросы Kerberos V4." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "Запустить демон преобразования мандатов Kerberos V5 в Kerberos V4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "Демон krb524d преобразует мандаты Kerberos V5 в мандаты Kerberos V4 для " #~ "таких программ как krb524init, которая получает мандаты Kerberos V4 для " #~ "совместимости со старыми приложениями." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Рекомендуется включить этот демон, если работает Kerberos V4, особенно " #~ "если режим совместимости Kerberos V4 установлен в \"nopreauth\" (\"без " #~ "предварительной аутентификации\")." #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "Вычищать данные при удалении файлов пакета?" 
#~ msgid "disable" #~ msgstr "отключён" #~ msgid "full" #~ msgstr "полный" #~ msgid "nopreauth" #~ msgstr "без предварительной аутентификации" #~ msgid "none" #~ msgstr "никакой" debian/po/pt.po0000664000000000000000000002625312272025332010577 0ustar # Portuguese translation for krb5's debconf messages # Copyright (C) 2007 Miguel Figueiredo # This file is distributed under the same license as the krb5 package. # Miguel Figueiredo , 2007-2009. # msgid "" msgstr "" "Project-Id-Version: krb5 1.4.4-6\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2009-03-09 19:50+0000\n" "Last-Translator: Miguel Figueiredo \n" "Language-Team: Portuguese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Configurar um Reino Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Este pacote contém as ferramentas administrativas necessárias para correr o " "servidor mestre Kerberos." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "No entanto, instalar este pacote não configura automaticamente um reino " "Kerberos. Isto pode ser feito posteriormente ao correr o comando " "\"krb5_newrealm\"." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Por favor leia o ficheiro /usr/share/doc/krb5-kdc/README.KDC e o guia de " "administração que se encontra no pacote krb5-doc." #. 
Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Correr o daemon de administração (kadmind) do Kerberos V5?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "O Kadmind serve pedidos para acrescentar/modificar/remover conteúdos na base " "de dados do Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Isto é necessário para o programa kpasswd, utilizado para alterar palavras-" "passe. Com as configurações standard, este daemon deve correr no KDC mestre." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Criar automaticamente a configuração do KDC Kerberos?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Os ficheiros de configuração do Kerberos Key Distribution Center (KDC), em /" "etc/krb5kdc, podem ser criados automaticamente." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Por pré-definição, será copiado um exemplo de modelo para este directório " "com os parâmetros locais preenchidos." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." 
msgstr "" "Os administradores que já tenham uma infraestrutura para gerir a sua " "configuração do Kerberos podem desejar desabilitar estas mudanças de " "configuração automática." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Deve a base de dados KDC ser apagada?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Por pré-definição, remover este pacote não irá apagar a base de dados do KDC " "em /var/lib/krb5kdc/principal já que a base de dados não pode ser recuperada " "depois de apagada." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Escolha esta opção se deseja apagar agora a base de dados KDC, apagando " "todas as contas e palavras-passe de utilizadores no KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Modo de compatibilidade Kerberos V4 a utilizar:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Por pré-definição, os pedidos Kerberos V4 são permitidos a partir de " #~ "conteúdos que não necessitem de pré-autenticação (\"nopreauth\"). Isto " #~ "permite que existam serviços Kerberos V4 enquanto que requer que a " #~ "maioria dos utilizadores utilizem clientes Kerberos V5 para obter os seus " #~ "tickets iniciais. Estes tickets podem então ser convertidos para tickets " #~ "Kerberos V4." 
#~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Alternativamente, o modo pode ser definido para \"full\", permitindo a " #~ "clientes Kerberos V4 obter os tickets iniciais mesmo quando a pré-" #~ "autenticação seria normalmente necessária; para \"disable\", retornando " #~ "erros de versão de protocolo para todos os clientes Kerberos V4; ou para " #~ "\"none\", que diz ao KDC para não responder a nenhum pedido Kerberos V4." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "" #~ "Correr um daemon de conversão de tickets de Kerberos V5 para Kerberos V4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "O daemon krb524d converte tickets Kerberos V5 para tickets Kerberos V4 " #~ "para programas, tais como o krb524init, que obtém tickets Kerberos V4 " #~ "para compatibilidade com aplicativos antigos." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "É recomendado habilitar este daemon se o Kerberos V4 estiver habilitado, " #~ "especialmente quando a compatibilidade Kerberos V4 estiver definida para " #~ "\"nopreauth\"." #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "Devem os dados ser purgados assim como os ficheiros do pacote?" 
#~ msgid "disable" #~ msgstr "desabilitar" #~ msgid "full" #~ msgstr "total" #~ msgid "nopreauth" #~ msgstr "nopreauth" #~ msgid "none" #~ msgstr "nenhum" #~ msgid "" #~ "This package contains the administrative tools necessary to run on the " #~ "Kerberos master server. However, installing this package does not " #~ "automatically set up a Kerberos realm. Doing so requires entering " #~ "passwords and as such is not well-suited for package installation. To " #~ "create the realm, run the krb5_newrealm command. You may also wish to " #~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide " #~ "found in the krb5-doc package." #~ msgstr "" #~ "Este pacote contém ferramentas administrativas necessárias para correr no " #~ "servidor master de Kerberos. No entanto, instalar este pacote não " #~ "configura automaticamente um reino Kerberos. Fazê-lo necessita que sejam " #~ "introduzidas palavras-chaves e tal não é indicado para a instalação de " #~ "pacotes. Para criar o reino, corra o comando krb5_newrealm. Também " #~ "poderá querer ler /usr/share/doc/krb5-kdc/README.KDC e o guia de " #~ "administração que se encontra no pacote krb5-doc." #~ msgid "" #~ "Don't forget to set up DNS information so your clients can find your KDC " #~ "and admin servers. Doing so is documented in the administration guide." #~ msgstr "" #~ "Não se esqueça de configurar a informação de DNS para que os seus " #~ "clientes possam encontrar os servidores de administração e de KDC. Como " #~ "o fazer está documentado no guia de administração." #~ msgid "" #~ "Kadmind serves requests to add/modify/remove principals in the Kerberos " #~ "database. It also must be running for the kpasswd program to be used to " #~ "change passwords. Normally, this daemon runs on the master KDC." #~ msgstr "" #~ "O kadmind serve pedidos para acrescentar/modificar/remover principais na " #~ "base de dados Kerberos. 
Terá que estar a correr para que o programa " #~ "kpasswd possa ser usado para alterar palavras-chave. Normalmente este " #~ "daemon corre no KDC master." #~ msgid "" #~ "Many sites will wish to have this script automatically create Kerberos " #~ "KDC configuration files in /etc/krb5kdc. By default an example template " #~ "will be copied into this directory with local parameters filled in. Some " #~ "sites who already have infrastructure to manage their own Kerberos " #~ "configuration will wish to disable any automatic configuration changes." #~ msgstr "" #~ "Muitos sites irão querer ter este script a criar automaticamente os " #~ "ficheiros de configuração Kerberos KDC em /etc/krb5kdc. Por omissão, " #~ "será copiado um modelo de exemplo para este directório com os parâmetros " #~ "locais preenchidos. Alguns sites que já têm infra-estrutura para gerir a " #~ "sua própria configuração Kerberos irão querer desabilitar as alterações " #~ "automáticas de configuração." #~ msgid "disable, full, nopreauth, none" #~ msgstr "disable, full, nopreauth, none" #~ msgid "Run a krb524d?" #~ msgstr "Correr um krb524d?" #~ msgid "" #~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 " #~ "tickets for the krb524init program. If you have Kerberos4 enabled at " #~ "all, then you probably want to run this program. Especially when " #~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you " #~ "have any Kerberos4 services." #~ msgstr "" #~ "Krb524d é um daemon que converte tickets Kerberos5 para tickets Kerberos4 " #~ "para o programa krb524init. Se tem o Kerberos4 habilitado, então " #~ "provavelmente quererá correr este programa. Especialmente quando a " #~ "compatibilidade Kerberos4 está definida para nopreauth, krb524d é " #~ "importante se tem quaisquer serviços Kerberos4." 
debian/po/cs.po0000664000000000000000000002144512272025332010557 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: krb5\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2009-03-07 20:26+0100\n" "Last-Translator: Miroslav Kure \n" "Language-Team: Czech \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Nastavení Kerberovy říše" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Tento balík obsahuje nezbytné administrativní nástroje pro běh hlavního " "kerberovského serveru." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Pouhou instalací tohoto balíku se však Kerberova říše nenastaví. Pro " "vytvoření říše spusťte po instalaci příkaz „krb5_newrealm“." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package."
msgstr "" "Také je vhodné si přečíst soubor /usr/share/doc/krb5-kdc/README.KDC a " "příručku administrátora v balíku krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Spustit administrační daemon Kerbera v5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind obsluhuje požadavky na přidání/změnu/smazání záznamů v databázi " "Kerbera." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC." msgstr "" "Také je vyžadován programem kpasswd, který se používá pro změnu hesel. Tento " "daemon obvykle běží na hlavním KDC." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Vytvořit nastavení KDC automaticky?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Konfigurační soubory KDC (Kerberos Key Domain Controller) v /etc/krb5kdc " "mohou být vytvořeny automaticky." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "Standardně se do tohoto adresáře nakopíruje ukázková šablona s " "předvyplněnými lokálními údaji." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes."
msgstr "" "Administrátoři, kteří již disponují infrastrukturou pro správu konfigurace " "Kerbera, budou nejspíš chtít tyto automatické změny v konfiguraci zakázat." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Má se smazat KDC databáze?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "Ve výchozím nastavení se při odstranění balíku ze systému nesmaže KDC " "databáze ve /var/lib/krb5kdc/principal, protože ji po smazání nelze obnovit." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Chcete-li nyní smazat KDC databázi, tuto volbu povolte. Smazáním databáze se " "odstraní všechny uživatelské účty a všechna hesla v KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Režim zpětné kompatibility s Kerberem v4:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Ve výchozím nastavení jsou povoleny požadavky z Kerbera v4, které " #~ "nevyžadují předautentizaci („nopreauth“). To umožňuje, aby existovaly " #~ "služby Kerbera v4, ovšem vyžaduje, aby většina klientů používala pro " #~ "získání prvotního lístku klienta Kerbera v5. Tyto lístky pak mohou být " #~ "přeměněny na lístky Kerbera v4."
#~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Volitelně můžete zapnout plnou podporu („full“), což umožní klientům " #~ "Kerbera v4 získat prvotní lístky i když by normálně byla vyžadována " #~ "předautentizace. Možnost zakázat („disable“) bude všem klientům Kerbera " #~ "v4 vracet chyby o nepodporované verzi, režim žádný („none“) znamená, že " #~ "Kerberos nebude na tyto požadavky odpovídat vůbec." #~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "Spustit daemon pro konverzi lístků Kerbera v5 na lístky Kerbera v4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "Daemon krb524d převádí lístky z Kerbera5 na lístky Kerbera4 pro programy " #~ "typu krb524init, které vyžadují lístky Kerbera v4 pro zajištění " #~ "kompatibility se staršími aplikacemi." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Jestliže používáte aplikace pro Kerbera v4, doporučuje se povolit i " #~ "tohoto daemona, obzvláště pokud je kompatibilita s Kerberem v4 nastavena " #~ "na „nopreauth“." #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "Mají se při úplném odstranění balíku smazat i data?"
#~ msgid "disable" #~ msgstr "zakázat" #~ msgid "full" #~ msgstr "plný" #~ msgid "nopreauth" #~ msgstr "nopreauth" #~ msgid "none" #~ msgstr "žádný" #~ msgid "" #~ "Don't forget to set up DNS information so your clients can find your KDC " #~ "and admin servers. Doing so is documented in the administration guide." #~ msgstr "" #~ "Nezapomeňte nastavit DNS, aby klienti mohli najít váš KDC a " #~ "administrátorské servery. Vše je popsáno v příručce administrátora." #~ msgid "" #~ "Many sites will wish to have this script automatically create Kerberos " #~ "KDC configuration files in /etc/krb5kdc. By default an example template " #~ "will be copied into this directory with local parameters filled in. Some " #~ "sites who already have infrastructure to manage their own Kerberos " #~ "configuration will wish to disable any automatic configuration changes." #~ msgstr "" #~ "Mnoho správců bude chtít, aby za ně debconf provedl počáteční nastavení " #~ "kerberova KDC v /etc/krb5kdc. Standardně se do tohoto adresáře zkopíruje " #~ "šablona s předvyplněnými parametry. Některé servery, které již mají svou " #~ "vlastní infrastrukturu pro správu Kerbera, asi tuto automatickou " #~ "konfiguraci nepovolí, aby se jim nepřepsalo nastavení." debian/po/ro.po0000664000000000000000000002645212272025332010575 0ustar # translation of ro.po to Romanian # Romanian translation of krb5. # Copyright (C) 2006 THE krb5'S COPYRIGHT HOLDER # This file is distributed under the same license as the krb5 package. # # Stan Ioan-Eugen , 2006. # Eddy Petrișor , 2008, 2009. msgid "" msgstr "" "Project-Id-Version: ro\n" "Report-Msgid-Bugs-To: krb5@packages.debian.org\n" "POT-Creation-Date: 2009-03-12 15:40-0700\n" "PO-Revision-Date: 2009-03-12 01:34+0200\n" "Last-Translator: Eddy Petrișor \n" "Language-Team: Romanian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" "Plural-Forms: nplurals=3; plural=n==1 ?
0 : (n==0 || (n%100 > 0 && n%100 < " "20)) ? 1 : 2;\n" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "Setting up a Kerberos Realm" msgstr "Se configurează un Domeniu Kerberos" #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "This package contains the administrative tools required to run the Kerberos " "master server." msgstr "" "Acest pachet conține uneltele administrative necesare pentru a rula serverul " "principal Kerberos." # XRO: realm e „tărâm” sau „domeniu”? #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "However, installing this package does not automatically set up a Kerberos " "realm. This can be done later by running the \"krb5_newrealm\" command." msgstr "" "Totuși, prin instalarea acestui pachet nu se configurează automat un domeniu " "Kerberos. Aceasta se poate face mai târziu rulând comanda „krb5_newrealm”." #. Type: note #. Description #: ../krb5-admin-server.templates:2001 msgid "" "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the " "administration guide found in the krb5-doc package." msgstr "" "Citiți, de asemenea, fișierul /usr/share/doc/krb5-kdc/README.KDC și ghidul " "de administrare din pachetul krb5-doc." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "Run the Kerberos V5 administration daemon (kadmind)?" msgstr "Se rulează demonul de administrare Kerberos V5 (kadmind)?" #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "Kadmind serves requests to add/modify/remove principals in the Kerberos " "database." msgstr "" "Kadmind servește cereri de adăugare/modificare/ștergere de directori în " "baza de date Kerberos." #. Type: boolean #. Description #: ../krb5-admin-server.templates:3001 msgid "" "It is required by the kpasswd program, used to change passwords. With " "standard setups, this daemon should run on the master KDC."
msgstr "" "Este necesar programului kpasswd, program folosit pentru schimbarea " "parolelor. În configurațiile standard, acest serviciu ar trebui să ruleze pe " "KDC-ul principal." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "Create the Kerberos KDC configuration automatically?" msgstr "Se crează automat configurația Kerberos KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/" "krb5kdc, may be created automatically." msgstr "" "Fișierele de configurare ale centrului de distribuție de chei Kerberos " "(KDC), din /etc/krb5kdc, pot fi create automat." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "By default, an example template will be copied into this directory with " "local parameters filled in." msgstr "" "În mod implicit, un șablon-exemplu cu parametrii locali completați în el, va " "fi copiat în acest director." #. Type: boolean #. Description #: ../krb5-kdc.templates:2001 msgid "" "Administrators who already have infrastructure to manage their Kerberos " "configuration may wish to disable these automatic configuration changes." msgstr "" "Administratorii care dețin deja o infrastructură de management a " "configurației Kerberos, probabil că vor prefera să dezactiveze schimbările " "automate ale configurației." #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "Should the KDC database be deleted?" msgstr "Se șterge baza de date KDC?" #. Type: boolean #. Description #: ../krb5-kdc.templates:3001 msgid "" "By default, removing this package will not delete the KDC database in /var/" "lib/krb5kdc/principal since this database cannot be recovered once it is " "deleted." msgstr "" "În mod implicit, dacă se șterge acest pachet, nu se șterge și baza de date " "KDC din /var/lib/krb5kdc/principal deoarece, odată ștearsă, nu poate fi " "recuperată." #. Type: boolean #.
Description #: ../krb5-kdc.templates:3001 msgid "" "Choose this option if you wish to delete the KDC database now, deleting all " "of the user accounts and passwords in the KDC." msgstr "" "Alegeți această opțiune, dacă doriți să ștergeți baza de date KDC acum, " "ștergând astfel toate conturile utilizatorilor și toate parolele din KDC." #~ msgid "Kerberos V4 compatibility mode to use:" #~ msgstr "Modul de compatibilitate Kerberos V4 folosit:" #~ msgid "" #~ "By default, Kerberos V4 requests are allowed from principals that do not " #~ "require preauthentication (\"nopreauth\"). This allows Kerberos V4 " #~ "services to exist while requiring most users to use Kerberos V5 clients " #~ "to get their initial tickets. These tickets can then be converted to " #~ "Kerberos V4 tickets." #~ msgstr "" #~ "Implicit, cererile Kerberos4 sunt permise de la directori care nu " #~ "necesită preautentificare („nopreauth”). Acest lucru permite existența " #~ "serviciilor Kerberos4 în timp ce utilizatorii trebuie să folosească " #~ "clienți Kerberos5 pentru a obține tichete inițiale. Aceste tichete pot fi " #~ "convertite în tichete pentru Kerberos V4." #~ msgid "" #~ "Alternatively, the mode can be set to \"full\", allowing Kerberos V4 " #~ "clients to get initial tickets even when preauthentication would normally " #~ "be required; to \"disable\", returning protocol version errors to all " #~ "Kerberos V4 clients; or to \"none\", which tells the KDC to not respond " #~ "to Kerberos V4 requests at all." #~ msgstr "" #~ "Există și posibilitatea ca modul selectat să fie unul din următoarele: " #~ "„full”, astfel permițând clienților Kerberos V4 să obțină tichetele " #~ "inițiale chiar și atunci când, în mod normal, ar fi necesară " #~ "preautentificarea; „disable” face ca toți clienții Kerberos V4 să " #~ "primească erori de versiune de protocol; „none” va instrui KDC-ul să nu " #~ "răspundă deloc clienților Kerberos V4."
#~ msgid "Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?" #~ msgstr "" #~ "Se rulează un serviciu de conversie a tichetelor Kerberos V5 în tichete " #~ "Kerberos V4?" #~ msgid "" #~ "The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets " #~ "for programs, such as krb524init, that obtain Kerberos V4 tickets for " #~ "compatibility with old applications." #~ msgstr "" #~ "Serviciul krb524d convertește tichete Kerberos V5 în tichete Kerberos V4 " #~ "pentru programe precum krb524init, acestea obținând tichete Kerberos V4 " #~ "pentru compatibilitate cu aplicațiile vechi." #~ msgid "" #~ "It is recommended to enable that daemon if Kerberos V4 is enabled, " #~ "especially when Kerberos V4 compatibility is set to \"nopreauth\"." #~ msgstr "" #~ "Se recomandă activarea acestui serviciu, în condițiile în care Kerberos " #~ "V4 este activ, mai ales când modul de compatibilitate cu Kerberos V4 este " #~ "configurat ca fiind „nopreauth”." #~ msgid "Should the data be purged as well as the package files?" #~ msgstr "Să se șteargă atât datele cât și fișierele pachetului?" #~ msgid "" #~ "This package contains the administrative tools necessary to run on the " #~ "Kerberos master server. However, installing this package does not " #~ "automatically set up a Kerberos realm. Doing so requires entering " #~ "passwords and as such is not well-suited for package installation. To " #~ "create the realm, run the krb5_newrealm command. You may also wish to " #~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide " #~ "found in the krb5-doc package." #~ msgstr "" #~ "Acest pachet conține uneltele de administrare necesare rulării pe un " #~ "server master Kerberos. Totuși, instalând acest pachet nu se " #~ "configurează automat un domeniu Kerberos. Un asemenea lucru necesită " #~ "introducerea de parole operație care nu este potrivită la instalarea " #~ "pachetului. Pentru a crea domeniul, executați comanda krb5_newrealm.
" #~ "Veți dori probabil să citiți și /usr/share/doc/krb5-kdc/README.KDC și " #~ "ghidul de administrare din pachetul krb5-doc." #~ msgid "" #~ "Don't forget to set up DNS information so your clients can find your KDC " #~ "and admin servers. Doing so is documented in the administration guide." #~ msgstr "" #~ "Nu uitați să configurați informațiile pentru DNS astfel încât clienții să " #~ "poată gasi serverele și KDC-ul dumneavoastră. Acest lucru este " #~ "documentat în ghidul de administrare." #~ msgid "" #~ "Kadmind serves requests to add/modify/remove principals in the Kerberos " #~ "database. It also must be running for the kpasswd program to be used to " #~ "change passwords. Normally, this daemon runs on the master KDC." #~ msgstr "" #~ "Kadmind rezolvă cereri de adăugare/modificare/îndepărtare a directorilor " #~ "din baza de date Kerberos. Acesta trebuie să ruleze și pentru ca " #~ "programul kpasswd să poată fi folosit pentru a schimba parolele. În mod " #~ "normal, acest demon ruleaza pe serverul master KDC." #~ msgid "" #~ "Many sites will wish to have this script automatically create Kerberos " #~ "KDC configuration files in /etc/krb5kdc. By default an example template " #~ "will be copied into this directory with local parameters filled in. Some " #~ "sites who already have infrastructure to manage their own Kerberos " #~ "configuration will wish to disable any automatic configuration changes." #~ msgstr "" #~ "Multe situri vor dori ca acest script să creeze automat fișierele de " #~ "configurare Kerberos KDC în /etc/krb5kdc. Implicit un șablon va fi " #~ "copiat în acest director, cu parametrii locali completați. Unele situri " #~ "care au deja o infrastructură pentru a administra configurațiile Kerberos " #~ "vor dori să dezactiveze orice modificare automată a configurației." #~ msgid "disable, full, nopreauth, none" #~ msgstr "dezactivat, complet, fără preautentificare, nici unul" #~ msgid "Run a krb524d?"
#~ msgstr "Se rulează krb524d?" #~ msgid "" #~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 " #~ "tickets for the krb524init program. If you have Kerberos4 enabled at " #~ "all, then you probably want to run this program. Especially when " #~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you " #~ "have any Kerberos4 services." #~ msgstr "" #~ "Krb524d este un demon care convertește tichetele Kerberos5 în tichete " #~ "Kerberos4 pentru programul krb524init. Dacă aveți activat Kerberos4 " #~ "atunci probabil că veți dori să rulați acest program. Krb524 este " #~ "important dacă aveți servicii Kerberos4, în special dacă modulu de " #~ "compatibilitate Kerberos4 este fără preautentificare." debian/krb5-pkinit.install0000664000000000000000000000005212272025332012712 0ustar usr/lib/*/krb5/plugins/preauth/pkinit.so debian/libgssrpc4.symbols0000664000000000000000000001562512272025331012664 0ustar libgssrpc.so.4 libgssrpc4 #MINVER# HIDDEN@HIDDEN 1.6.dfsg.2 gssrpc_4_MIT@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_debug_gss@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_debug_gssapi@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_create_default@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_display_status@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_seal_seq@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_unseal_seq@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_unwrap_data@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_auth_gssapi_wrap_data@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authgss_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authgss_create_default@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authgss_get_private_data@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authgss_service@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authnone_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authunix_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_authunix_create_default@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_bindresvport@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_callrpc@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnt_broadcast@gssrpc_4_MIT
1.6.dfsg.2 gssrpc_clnt_create@gssrpc_4_MIT 1.9+dfsg gssrpc_clnt_pcreateerror@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnt_perrno@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnt_perror@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnt_spcreateerror@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnt_sperrno@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnt_sperror@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clntraw_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clnttcp_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clntudp_bufcreate@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_clntudp_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_get_myaddress@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_getrpcport@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_log_debug@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_log_hexdump@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_log_status@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_misc_debug_gss@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_misc_debug_gssapi@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_pmap_getmaps@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_pmap_getport@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_pmap_rmtcall@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_pmap_set@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_pmap_unset@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_registerrpc@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_rpc_createrr@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_auth_gss_creds@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_auth_gss_ops@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_auth_gssapi_ops@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_auth_none@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_auth_none_ops@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_debug_gss@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_debug_gssapi@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_fdset@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_fdset_init@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_getreq@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_getreqset@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_maxfd@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_register@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_run@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_sendreply@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svc_unregister@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gss_get_principal@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gss_set_log_badauth2_func@gssrpc_4_MIT 1.12~beta2+dfsg 
gssrpc_svcauth_gss_set_log_badauth_func@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gss_set_log_badverf_func@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gss_set_log_miscerr_func@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gss_set_svc_name@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gssapi_set_log_badauth2_func@gssrpc_4_MIT 1.12~beta2+dfsg gssrpc_svcauth_gssapi_set_log_badauth_func@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gssapi_set_log_badverf_func@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gssapi_set_log_miscerr_func@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gssapi_set_names@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcauth_gssapi_unset_names@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_auth@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_decode@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_noproc@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_noprog@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_progvers@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_systemerr@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcerr_weakauth@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcfd_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcraw_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svctcp_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcudp_bufcreate@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcudp_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_svcudp_enablecache@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_accepted_reply@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_array@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_authgssapi_creds@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_authgssapi_init_arg@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_authgssapi_init_res@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_authunix_parms@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_bool@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_bytes@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_callhdr@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_callmsg@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_char@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_des_block@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_enum@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_free@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_gss_buf@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_int32@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_int@gssrpc_4_MIT 1.6.dfsg.2 
gssrpc_xdr_long@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_netobj@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_opaque@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_opaque_auth@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_pmap@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_pmaplist@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_pointer@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_reference@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rejected_reply@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_replymsg@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rmtcall_args@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rmtcallres@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_buf@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_cred@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_data@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_init_args@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_init_res@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_unwrap_data@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_rpc_gss_wrap_data@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_short@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_sizeof@gssrpc_4_MIT 1.7dfsg~alpha1 gssrpc_xdr_string@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_u_char@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_u_int32@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_u_int@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_u_long@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_u_short@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_union@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_vector@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_void@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdr_wrapstring@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdralloc_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdralloc_getdata@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdralloc_release@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdrmem_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdrrec_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdrrec_endofrecord@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdrrec_eof@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdrrec_skiprecord@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xdrstdio_create@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xprt_register@gssrpc_4_MIT 1.6.dfsg.2 gssrpc_xprt_unregister@gssrpc_4_MIT 1.6.dfsg.2 debian/libkrad-dev.install0000664000000000000000000000005012271473454012750 0ustar 
usr/include/krad.h usr/lib/*/libkrad.so debian/patches/0000775000000000000000000000000013415442003010613 5ustar debian/patches/CVE-2014-4344.patch0000664000000000000000000000345112412233003013226 0ustar From 524688ce87a15fc75f87efc8c039ba4c7d5c197b Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 15 Jul 2014 12:56:01 -0400 Subject: [PATCH] Fix null deref in SPNEGO acceptor [CVE-2014-4344] When processing a continuation token, acc_ctx_cont was dereferencing the initial byte of the token without checking the length. This could result in a null dereference. CVE-2014-4344: In MIT krb5 1.5 and newer, an unauthenticated or partially authenticated remote attacker can cause a NULL dereference and application crash during a SPNEGO negotiation by sending an empty token as the second or later context token from initiator to acceptor. The attacker must provide at least one valid context token in the security context negotiation before sending the empty token. This can be done by an unauthenticated attacker by forcing SPNEGO to renegotiate the underlying mechanism, or by using IAKERB to wrap an unauthenticated AS-REQ as the first token. CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C [kaduk@mit.edu: CVE summary, CVSSv2 vector] ticket: 7970 (new) subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344] target_version: 1.12.2 tags: pullup --- src/lib/gssapi/spnego/spnego_mech.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- krb5-1.12+dfsg.orig/src/lib/gssapi/spnego/spnego_mech.c 2014-08-07 15:29:18.755531797 -0400 +++ krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c 2014-08-07 15:29:18.751531797 -0400 
@@ -1432,7 +1432,7 @@ ptr = bufstart = buf->value; #define REMAIN (buf->length - (ptr - bufstart)) - if (REMAIN > INT_MAX) + if (REMAIN == 0 || REMAIN > INT_MAX) return GSS_S_DEFECTIVE_TOKEN; /* debian/patches/CVE-2018-5729-CVE-2018-5730.patch0000664000000000000000000003341313415442003014650 0ustar From e1caf6fb74981da62039846931ebdffed71309d1 Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Fri, 12 Jan 2018 11:43:01 -0500 Subject: [PATCH] Fix flaws in LDAP DN checking KDB_TL_USER_INFO tl-data is intended to be internal to the LDAP KDB module, and not used in disk or wire principal entries. Prevent kadmin clients from sending KDB_TL_USER_INFO tl-data by giving it a type number less than 256 and filtering out type numbers less than 256 in kadm5_create_principal_3(). (We already filter out low type numbers in kadm5_modify_principal()). In the LDAP KDB module, if containerdn and linkdn are both specified in a put_principal operation, check both linkdn and the computed standalone_principal_dn for container membership. To that end, factor out the checks into helper functions and call them on all applicable client-influenced DNs. CVE-2018-5729: In MIT krb5 1.6 or later, an authenticated kadmin user with permission to add principals to an LDAP Kerberos database can cause a null dereference in kadmind, or circumvent a DN container check, by supplying tagged data intended to be internal to the database module. Thanks to Sharwan Ram and Pooja Anil for discovering the potential null dereference. CVE-2018-5730: In MIT krb5 1.6 or later, an authenticated kadmin user with permission to add principals to an LDAP Kerberos database can circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN. ticket: 8643 (new) tags: pullup target_version: 1.16-next target_version: 1.15-next --- src/lib/kadm5/srv/svr_principal.c | 7 + src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 +- .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 200 ++++++++++-------- src/tests/t_kdb.py | 11 + 4 files changed, 125 insertions(+), 95 deletions(-) diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 2420f2c2be..a59a65e8f6 100644 --- a/src/lib/kadm5/srv/svr_principal.c 
+++ b/src/lib/kadm5/srv/svr_principal.c @@ -411,6 +411,13 @@ kadm5_create_principal_3(void *server_handle, return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) return KADM5_BAD_MASK; + if (mask & KADM5_TL_DATA) { + for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; + tl_data_tail = tl_data_tail->tl_data_next) { + if (tl_data_tail->tl_data_type < 256) + return KADM5_BAD_TL_TYPE; + } + } /* * Check to see if the principal exists diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 535a1f309e..8b8420faa9 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -140,7 +140,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) -#define KDB_TL_USER_INFO 0x7ffe +#define KDB_TL_USER_INFO 0xff #define KDB_TL_PRINCTYPE 0x01 #define KDB_TL_PRINCCOUNT 0x02 diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 88a1704950..b7c9212cb2 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 
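Review bot: `#define KDB_TL_USER_INFO 0xff` in kdb_ldap.h is only safe because kadm5_create_principal_3() (the first hunk of this patch) and, per the commit message, kadm5_modify_principal() reject client-supplied tl-data types below 256, yet nothing at the definition records that dependency. Renumbering it above 255 later would silently let kadmin clients send this internal type again. Add a comment on the define, for example `/* Internal to the LDAP KDB module; must stay below 256 so kadm5 rejects it from clients. */`. Consider also giving the bare `256` in the new loop a name, so both filters share one threshold.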
@@ -486,6 +486,107 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, return 0; } +static krb5_error_code +check_dn_in_container(krb5_context context, const char *dn, + char *const *subtrees, unsigned int ntrees) +{ + unsigned int i; + size_t dnlen = strlen(dn), stlen; + + for (i = 0; i < ntrees; i++) { + if (subtrees[i] == NULL || *subtrees[i] == '\0') + return 0; + stlen = strlen(subtrees[i]); + if (dnlen >= stlen && + strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 && + (dnlen == stlen || dn[dnlen - stlen - 1] == ',')) + return 0; + } + + krb5_set_error_message(context, EINVAL, _("DN is out of the realm subtree")); + return EINVAL; +} + +static krb5_error_code +check_dn_exists(krb5_context context, + krb5_ldap_server_handle *ldap_server_handle, + const char *dn, krb5_boolean nonkrb_only) +{ + krb5_error_code st = 0, tempst; + krb5_ldap_context *ldap_context = context->dal_handle->db_context; + LDAP *ld = ldap_server_handle->ldap_handle; + LDAPMessage *result = NULL, *ent; + char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; + char **values; + + LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); + if (st != LDAP_SUCCESS) + return set_ldap_error(context, st, OP_SEARCH); + + ent = ldap_first_entry(ld, result); + CHECK_NULL(ent); + + values = ldap_get_values(ld, ent, "krbticketpolicyreference"); + if (values != NULL) + ldap_value_free(values); + + values = ldap_get_values(ld, ent, "krbprincipalname"); + if (values != NULL) { + ldap_value_free(values); + if (nonkrb_only) { + st = EINVAL; + krb5_set_error_message(context, st, _("ldap object is already kerberized")); + goto cleanup; + } + } + +cleanup: + ldap_msgfree(result); + return st; +} + +static krb5_error_code +validate_xargs(krb5_context context, + krb5_ldap_server_handle *ldap_server_handle, + const xargs_t *xargs, const char *standalone_dn, + char *const *subtrees, unsigned int ntrees) +{ + krb5_error_code st; + + if (xargs->dn != NULL) { + /* The 
supplied dn must be within a realm container. */ + st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); + if (st) + return st; + /* The supplied dn must exist without Kerberos attributes. */ + st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE); + if (st) + return st; + } + + if (xargs->linkdn != NULL) { + /* The supplied linkdn must be within a realm container. */ + st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees); + if (st) + return st; + /* The supplied linkdn must exist. */ + st = check_dn_exists(context, ldap_server_handle, xargs->linkdn, + FALSE); + if (st) + return st; + } + + if (xargs->containerdn != NULL && standalone_dn != NULL) { + /* standalone_dn (likely composed using containerdn) must be within a + * container. */ + st = check_dn_in_container(context, standalone_dn, subtrees, ntrees); + if (st) + return st; + } + + return 0; +} + krb5_error_code krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) @@ -496,11 +597,11 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, LDAPMessage *result=NULL, *ent=NULL; char *user=NULL, *subtree=NULL, *principal_dn=NULL; - char **values=NULL, *strval[10]={NULL}, errbuf[1024]; + char *strval[10]={NULL}, errbuf[1024]; char *filtuser=NULL; struct berval **bersecretkey=NULL; LDAPMod **mods=NULL; krb5_boolean create_standalone_prinicipal=FALSE; - krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; + krb5_boolean establish_links=FALSE; char *standalone_principal_dn=NULL; krb5_tl_data *tl_data=NULL; krb5_key_data **keys=NULL; 
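Review bot: check_dn_in_container() decides containment on raw strings (`strcasecmp` on the tail of `dn`, then a test that the preceding byte is `,`), so the result depends on `dn` and the configured subtree being written in the same textual form. Different spacing around separators would reject a DN that really is inside the container. A `,` that is part of an escaped attribute value is also not told apart from one that separates RDNs. Consider comparing parsed DNs instead, for example by splitting both sides with `ldap_str2dn()` and matching the trailing RDNs. At minimum, state the assumption above the function: `/* Textual suffix match; assumes dn and subtrees[] are in the same normalized string form. */`.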
@@ -698,26 +763,8 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, * any of the subtrees */ if (xargs.dn_from_kbd == TRUE) { - /* make sure the DN falls in the subtree */ unsigned int tre=0, ntrees=0; - int dnlen=0, subtreelen=0; char **subtreelist=NULL; - char *dn=NULL; - krb5_boolean outofsubtree=TRUE; - - if (xargs.dn != NULL) { - dn = xargs.dn; - } else if (xargs.linkdn != NULL) { - dn = xargs.linkdn; - } else if (standalone_principal_dn != NULL) { - /* - * Even though the standalone_principal_dn is constructed - * within this function, there is the containerdn input - * from the user that can become part of the it. - */ - dn = standalone_principal_dn; - } - /* get the current subtree list */ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) goto cleanup; 
@@ -722,85 +805,14 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) goto cleanup; - for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { - outofsubtree = FALSE; - break; - } - } - } - for (tre=0; tre < ntrees; ++tre) { free(subtreelist[tre]); } - if (outofsubtree == TRUE) { - st = EINVAL; - krb5_set_error_message(context, st, - _("DN is out of the realm subtree")); + st = validate_xargs(context, ldap_server_handle, &xargs, + standalone_principal_dn, subtreelist, ntrees); + if (st) goto cleanup; - } - - /* - * dn value will be set either by dn, linkdn or the standalone_principal_dn - * In the first 2 cases, the dn should be existing and in the last case we - * are supposed to create the ldap object. so the below should not be - * executed for the last case. - */ - - if (standalone_principal_dn == NULL) { - /* - * If the ldap object is missing, this results in an error. - */ - - /* - * Search for krbprincipalname attribute here. - * This is to find if a kerberos identity is already present - * on the ldap object, in which case adding a kerberos identity - * on the ldap object should result in an error. 
- */ - char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; - - LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); - if (st == LDAP_SUCCESS) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - krb_identity_exists = TRUE; - ldap_value_free(values); - } - } - ldap_msgfree(result); - } else { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - } - } - - /* - * If xargs.dn is set then the request is to add a - * kerberos principal on a ldap object, but if - * there is one already on the ldap object this - * should result in an error. - */ - - if (xargs.dn != NULL && krb_identity_exists == TRUE) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - _("ldap object is already kerberized")); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; } if (xargs.linkdn != NULL) { diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py index 217f2cdc3b..6e563b1032 100755 --- a/src/tests/t_kdb.py +++ b/src/tests/t_kdb.py @@ -146,6 +146,13 @@ def ldap_add(dn, objectclass, attrs=[]): out = realm.run_kadminl('ank -randkey -x dn=cn=krb5 princ1') if 'DN is out of the realm subtree' not in out: fail('Unexpected kadmin.local output for out-of-realm dn') +# Check that the DN container check is a hierarchy test, not a simple +# suffix match (CVE-2018-5730). We expect this operation to fail +# either way (because "xcn" isn't a valid DN tag) but the container +# check should happen before the DN is parsed. +out = realm.run_kadminl('ank -randkey -x dn=xcn=t1,cn=krb5 princ1') +if 'DN is out of the realm subtree' not in out: + fail('Invalid DN tag') out = realm.run_kadminl('ank -randkey -x dn=cn=t2,cn=krb5 princ1') if 'Principal "princ1@KRBTEST.COM" created.\n' not in out: fail('Unexpected kadmin.local output for specified dn') 
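Review bot: As this hunk reads, the unchanged loop `for (tre=0; tre < ntrees; ++tre) { free(subtreelist[tre]); }` still runs before the added `validate_xargs(..., subtreelist, ntrees)` call, so check_dn_in_container() would dereference and `strlen()` subtree strings that have already been freed. In the removed code the containment loop read `subtreelist[tre]` before the free loop, whereas the replacement call sits after it. Call validate_xargs() first, keep its status, free the elements, and only then branch to `cleanup`, so the strings are released on both the success and failure paths. krb5_ldap_put_principal() starts and ends outside the hunk, so whether `subtreelist` itself is released at `cleanup:` cannot be seen here.

```c
        /* ... unchanged: krb5_get_subtree_info() call and its error check ... */
        st = validate_xargs(context, ldap_server_handle, &xargs,
                            standalone_principal_dn, subtreelist, ntrees);
        /* Release the subtree strings only after validation has read them. */
        for (tre=0; tre < ntrees; ++tre) {
            free(subtreelist[tre]);
        }
        if (st)
            goto cleanup;
```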
@@ -182,6 +188,11 @@ def ldap_add(dn, objectclass, attrs=[]): out = realm.run_kadminl('modprinc -x containerdn=cn=t2,cn=krb5 princ3') if 'containerdn option not supported' not in out: fail('Unexpected kadmin.local output trying to reset containerdn') +# Verify that containerdn is checked when linkdn is also supplied +# (CVE-2018-5730). +realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', + '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1, + expected_msg='DN is out of the realm subtree') # Create and modify a ticket policy. kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour', debian/patches/CVE-2014-9421.patch0000664000000000000000000000352412465221527013250 0ustar From a197e92349a4aa2141b5dff12e9dd44c2a2166e3 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 27 Dec 2014 14:16:13 -0500 Subject: [PATCH] Fix kadm5/gssrpc XDR double free [CVE-2014-9421] [MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free partial deserialization results upon failure to deserialize. This responsibility belongs to the callers, svctcp_getargs() and svcudp_getargs(); doing it in the unwrap function results in freeing the results twice. In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers we are freeing, as other XDR functions such as xdr_bytes() and xdr_string(). ticket: 8056 (new) target_version: 1.13.1 tags: pullup --- src/lib/kadm5/kadm_rpc_xdr.c | 2 ++ src/lib/rpc/auth_gssapi_misc.c | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 42ac783..975f94c 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -320,6 +320,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) free(tl); tl = tl2; } + *tl_data_head = NULL; break; case XDR_ENCODE: 
@@ -1096,6 +1097,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) case XDR_FREE: if(*objp != NULL) krb5_free_principal(context, *objp); + *objp = NULL; break; } return TRUE; diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c index 53bdb98..a05ea19 100644 --- a/src/lib/rpc/auth_gssapi_misc.c +++ b/src/lib/rpc/auth_gssapi_misc.c @@ -322,7 +322,6 @@ bool_t auth_gssapi_unwrap_data( if (! (*xdr_func)(&temp_xdrs, xdr_ptr)) { PRINTF(("gssapi_unwrap_data: deserializing arguments failed\n")); gss_release_buffer(minor, &out_buf); - xdr_free(xdr_func, xdr_ptr); XDR_DESTROY(&temp_xdrs); return FALSE; } debian/patches/CVE-2014-4343.patch0000664000000000000000000000545012412233003013226 0ustar From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001 
From: David Woodhouse Date: Tue, 15 Jul 2014 12:54:15 -0400 Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343] In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the pointer sc->internal_mech became an alias into sc->mech_set->elements, which should be considered constant for the duration of the SPNEGO context. So don't free it. CVE-2014-4343: In MIT krb5 releases 1.10 and newer, an unauthenticated remote attacker with the ability to spoof packets appearing to be from a GSSAPI acceptor can cause a double-free condition in GSSAPI initiators (clients) which are using the SPNEGO mechanism, by returning a different underlying mechanism than was proposed by the initiator. At this stage of the negotiation, the acceptor is unauthenticated, and the acceptor's response could be spoofed by an attacker with the ability to inject traffic to the initiator. Historically, some double-free vulnerabilities can be translated into remote code execution, though the necessary exploits must be tailored to the individual application and are usually quite complicated. Double-frees can also be exploited to cause an application crash, for a denial of service. However, most GSSAPI client applications are not vulnerable, as the SPNEGO mechanism is not used by default (when GSS_C_NO_OID is passed as the mech_type argument to gss_init_sec_context()). The most common use of SPNEGO is for HTTP-Negotiate, used in web browsers and other web clients. Most such clients are believed to not offer HTTP-Negotiate by default, instead requiring a whitelist of sites for which it may be used to be configured. If the whitelist is configured to only allow HTTP-Negotiate over TLS connections ("https://"), a successful attacker must also spoof the web server's SSL certificate, due to the way the WWW-Authenticate header is sent in a 401 (Unauthorized) response message. Unfortunately, many instructions for enabling HTTP-Negotiate in common web browsers do not include a TLS requirement. 
CVSSv2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C [kaduk@mit.edu: CVE summary and CVSSv2 vector] ticket: 7969 (new) target_version: 1.12.2 tags: pullup --- src/lib/gssapi/spnego/spnego_mech.c | 1 - 1 file changed, 1 deletion(-) Index: krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- krb5-1.12+dfsg.orig/src/lib/gssapi/spnego/spnego_mech.c 2014-08-07 15:29:11.639531607 -0400 +++ krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c 2014-08-07 15:29:11.631531606 -0400 @@ -787,7 +787,6 @@ OM_uint32 tmpmin; size_t i; - generic_gss_release_oid(&tmpmin, &sc->internal_mech); gss_delete_sec_context(&tmpmin, &sc->ctx_handle, GSS_C_NO_BUFFER); debian/patches/CVE-2014-4345.patch0000664000000000000000000000521312412233003013225 0ustar From 81c332e29f10887c6b9deb065f81ba259f4c7e03 Mon Sep 17 00:00:00 2001 
From: Tomas Kuthan Date: Fri, 1 Aug 2014 15:25:50 +0200 Subject: [PATCH] Fix LDAP key data segmentation [CVE-2014-4345] For principal entries having keys with multiple kvnos (due to use of -keepold), the LDAP KDB module makes an attempt to store all the keys having the same kvno into a single krbPrincipalKey attribute value. There is a fencepost error in the loop, causing currkvno to be set to the just-processed value instead of the next kvno. As a result, the second and all following groups of multiple keys by kvno are each stored in two krbPrincipalKey attribute values. Fix the loop to use the correct kvno value. CVE-2014-4345: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overrun) by performing multiple cpw -keepold operations. An off-by-one error while copying key information to the new database entry results in keys sharing a common kvno being written to different array buckets, in an array whose size is determined by the number of kvnos present. After sufficient iterations, the extra writes extend past the end of the (NULL-terminated) array. The NULL terminator is always written after the end of the loop, so no out-of-bounds data is read, it is only written. Historically, it has been possible to convert an out-of-bounds write into remote code execution in some cases, though the necessary exploits must be tailored to the individual application and are usually quite complicated. Depending on the allocated length of the array, an out-of-bounds write may also cause a segmentation fault and/or application crash. 
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C [ghudson@mit.edu: clarified commit message] [kaduk@mit.edu: CVE summary, CVSSv2 vector] ticket: 7980 (new) target_version: 1.12.2 tags: pullup --- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: krb5-1.12+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c =================================================================== --- krb5-1.12+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2014-08-08 14:58:43.701796377 -0400 +++ krb5-1.12+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2014-08-08 14:58:43.693796376 -0400 @@ -443,7 +443,8 @@ j++; last = i + 1; - currkvno = key_data[i].key_data_kvno; + if (i < n_key_data - 1) + currkvno = key_data[i + 1].key_data_kvno; } } ret[num_versions] = NULL; debian/patches/CVE-2014-4341-4342.patch0000664000000000000000000001321012412233003013607 0ustar From fb99962cbd063ac04c9a9d2cc7c75eab73f3533d Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Thu, 19 Jun 2014 13:49:16 -0400 Subject: [PATCH] Handle invalid RFC 1964 tokens [CVE-2014-4341...] Detect the following cases which would otherwise cause invalid memory accesses and/or integer underflow: * An RFC 1964 token being processed by an RFC 4121-only context [CVE-2014-4342] * A header with fewer than 22 bytes after the token ID or an incomplete checksum [CVE-2014-4341 CVE-2014-4342] * A ciphertext shorter than the confounder [CVE-2014-4341] * A declared padding length longer than the plaintext [CVE-2014-4341] If we detect a bad pad byte, continue on to compute the checksum to avoid creating a padding oracle, but treat the checksum as invalid even if it compares equal. CVE-2014-4341: In MIT krb5, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C CVE-2014-4342: In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when reading beyond the end of a buffer or by causing a null pointer dereference. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVE summaries, CVSS] ticket: 7949 (new) subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] taget_version: 1.12.2 tags: pullup --- src/lib/gssapi/krb5/k5unseal.c | 41 +++++++++++++++++++++++++++++++-------- src/lib/gssapi/krb5/k5unsealiov.c | 9 ++++++++- 2 files changed, 41 insertions(+), 9 deletions(-) diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 30c12b9..0573958 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c 
@@ -74,6 +74,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, int conflen = 0; int signalg; int sealalg; + int bad_pad = 0; gss_buffer_desc token; krb5_checksum cksum; krb5_checksum md5cksum; @@ -86,6 +87,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, krb5_ui_4 seqnum; OM_uint32 retval; size_t sumlen; + size_t padlen; krb5_keyusage sign_usage = KG_USAGE_SIGN; if (toktype == KG_TOK_SEAL_MSG) { @@ -93,18 +95,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, message_buffer->value = NULL; } - /* get the sign and seal algorithms */ - - signalg = ptr[0] + (ptr[1]<<8); - sealalg = ptr[2] + (ptr[3]<<8); - /* Sanity checks */ - if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) { + if (ctx->seq == NULL) { + /* ctx was established using a newer enctype, and cannot process RFC + * 1964 tokens. */ + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + + if ((bodysize < 22) || (ptr[4] != 0xff) || (ptr[5] != 0xff)) { *minor_status = 0; return GSS_S_DEFECTIVE_TOKEN; } + signalg = ptr[0] + (ptr[1]<<8); + sealalg = ptr[2] + (ptr[3]<<8); + if ((toktype != KG_TOK_SEAL_MSG) && (sealalg != 0xffff)) { *minor_status = 0; @@ -153,6 +160,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, return GSS_S_DEFECTIVE_TOKEN; } + if ((size_t)bodysize < 14 + cksum_len) { + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + /* get the token parameters */ if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction, 
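Review bot: The new length guards in kg_unseal_v1() use bare numbers, `bodysize < 22` and `(size_t)bodysize < 14 + cksum_len`, so a reader has to reconstruct the token layout to confirm the bounds are right. The `14` matches the `ptr+14` checksum pointer passed to kg_get_seq_num() in the same hunk, and `22` is presumably that fixed part plus the shortest checksum. Document both at the checks, for example `/* 14 bytes precede the checksum (algorithm ids, filler, sequence number); 22 adds the minimum checksum length. */`, or give them named constants. The same `22` is added to `token_wrapper_len` in the k5unsealiov.c hunk of this patch and should share the constant. kg_unseal_v1() begins and ends outside these hunks.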
@@ -207,7 +219,20 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, plainlen = tmsglen; conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype); - token.length = tmsglen - conflen - plain[tmsglen-1]; + if (tmsglen < conflen) { + if (sealalg != 0xffff) + xfree(plain); + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + padlen = plain[tmsglen - 1]; + if (tmsglen - conflen < padlen) { + /* Don't error out yet, to avoid padding oracle attacks. We will + * treat this as a checksum failure later on. */ + padlen = 0; + bad_pad = 1; + } + token.length = tmsglen - conflen - padlen; if (token.length) { if ((token.value = (void *) gssalloc_malloc(token.length)) == NULL) { @@ -403,7 +428,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, /* compare the computed checksum against the transmitted checksum */ - if (code) { + if (code || bad_pad) { if (toktype == KG_TOK_SEAL_MSG) gssalloc_free(token.value); *minor_status = 0; diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index f7828b8..b654c66 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -69,7 +69,14 @@ kg_unseal_v1_iov(krb5_context context, return GSS_S_DEFECTIVE_TOKEN; } - if (header->buffer.length < token_wrapper_len + 14) { + if (ctx->seq == NULL) { + /* ctx was established using a newer enctype, and cannot process RFC + * 1964 tokens. */ + *minor_status = 0; + return GSS_S_DEFECTIVE_TOKEN; + } + + if (header->buffer.length < token_wrapper_len + 22) { *minor_status = 0; return GSS_S_DEFECTIVE_TOKEN; } -- 2.0.3 debian/patches/Use-TAILQ-macros-instead-of-CIRCLEQ-in-libdb2.patch0000664000000000000000000001333612412233003021371 0ustar From c7bb9278ad12c9278f316479af56f9e952f4d650 Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Mon, 17 Feb 2014 00:18:41 -0500 Subject: [PATCH] Use TAILQ macros instead of CIRCLEQ in libdb2 The optimizer in gcc 4.8.1 (but not the current gcc head revision) breaks the queue.h CIRCLEQ macros, apparently due to an overzealous strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code instead. (cherry picked from commit 26d874412983c4c9979a9f5e7bec51834ad4cda5) ticket: 7860 version_fixed: 1.12.2 status: resolved --- src/plugins/kdb/db2/libdb2/mpool/mpool.c | 43 +++++++++++++++----------------- src/plugins/kdb/db2/libdb2/mpool/mpool.h | 8 +++--- 2 files changed, 24 insertions(+), 27 deletions(-) Index: gss-infinite-loop/src/plugins/kdb/db2/libdb2/mpool/mpool.c =================================================================== --- gss-infinite-loop.orig/src/plugins/kdb/db2/libdb2/mpool/mpool.c 2014-07-30 21:02:43.442581194 -0400 +++ gss-infinite-loop/src/plugins/kdb/db2/libdb2/mpool/mpool.c 2014-07-30 21:02:43.442581194 -0400 @@ -81,9 +81,9 @@ /* Allocate and initialize the MPOOL cookie. */ if ((mp = (MPOOL *)calloc(1, sizeof(MPOOL))) == NULL) return (NULL); - CIRCLEQ_INIT(&mp->lqh); + TAILQ_INIT(&mp->lqh); for (entry = 0; entry < HASHSIZE; ++entry) - CIRCLEQ_INIT(&mp->hqh[entry]); + TAILQ_INIT(&mp->hqh[entry]); mp->maxcache = maxcache; mp->npages = sb.st_size / pagesize; mp->pagesize = pagesize; @@ -143,8 +143,8 @@ bp->flags = MPOOL_PINNED | MPOOL_INUSE; head = &mp->hqh[HASHKEY(bp->pgno)]; - CIRCLEQ_INSERT_HEAD(head, bp, hq); - CIRCLEQ_INSERT_TAIL(&mp->lqh, bp, q); + TAILQ_INSERT_HEAD(head, bp, hq); + TAILQ_INSERT_TAIL(&mp->lqh, bp, q); return (bp->page); } @@ -168,8 +168,8 @@ /* Remove from the hash and lru queues. */ head = &mp->hqh[HASHKEY(bp->pgno)]; - CIRCLEQ_REMOVE(head, bp, hq); - CIRCLEQ_REMOVE(&mp->lqh, bp, q); + TAILQ_REMOVE(head, bp, hq); + TAILQ_REMOVE(&mp->lqh, bp, q); free(bp); return (RET_SUCCESS); 
@@ -208,10 +208,10 @@ * of the lru chain. */ head = &mp->hqh[HASHKEY(bp->pgno)]; - CIRCLEQ_REMOVE(head, bp, hq); - CIRCLEQ_INSERT_HEAD(head, bp, hq); - CIRCLEQ_REMOVE(&mp->lqh, bp, q); - CIRCLEQ_INSERT_TAIL(&mp->lqh, bp, q); + TAILQ_REMOVE(head, bp, hq); + TAILQ_INSERT_HEAD(head, bp, hq); + TAILQ_REMOVE(&mp->lqh, bp, q); + TAILQ_INSERT_TAIL(&mp->lqh, bp, q); /* Return a pinned page. */ bp->flags |= MPOOL_PINNED; @@ -261,8 +261,8 @@ * of the lru chain. */ head = &mp->hqh[HASHKEY(bp->pgno)]; - CIRCLEQ_INSERT_HEAD(head, bp, hq); - CIRCLEQ_INSERT_TAIL(&mp->lqh, bp, q); + TAILQ_INSERT_HEAD(head, bp, hq); + TAILQ_INSERT_TAIL(&mp->lqh, bp, q); /* Run through the user's filter. */ if (mp->pgin != NULL) @@ -311,8 +311,8 @@ BKT *bp; /* Free up any space allocated to the lru pages. */ - while ((bp = mp->lqh.cqh_first) != (void *)&mp->lqh) { - CIRCLEQ_REMOVE(&mp->lqh, mp->lqh.cqh_first, q); + while ((bp = mp->lqh.tqh_first) != NULL) { + TAILQ_REMOVE(&mp->lqh, mp->lqh.tqh_first, q); free(bp); } @@ -332,8 +332,7 @@ BKT *bp; /* Walk the lru chain, flushing any dirty pages to disk. */ - for (bp = mp->lqh.cqh_first; - bp != (void *)&mp->lqh; bp = bp->q.cqe_next) + for (bp = mp->lqh.tqh_first; bp != NULL; bp = bp->q.tqe_next) if (bp->flags & MPOOL_DIRTY && mpool_write(mp, bp) == RET_ERROR) return (RET_ERROR); @@ -363,8 +362,7 @@ * off any lists. If we don't find anything we grow the cache anyway. * The cache never shrinks. */ - for (bp = mp->lqh.cqh_first; - bp != (void *)&mp->lqh; bp = bp->q.cqe_next) + for (bp = mp->lqh.tqh_first; bp != NULL; bp = bp->q.tqe_next) if (!(bp->flags & MPOOL_PINNED)) { /* Flush if dirty. */ if (bp->flags & MPOOL_DIRTY && @@ -375,8 +373,8 @@ #endif /* Remove from the hash and lru queues. */ head = &mp->hqh[HASHKEY(bp->pgno)]; - CIRCLEQ_REMOVE(head, bp, hq); - CIRCLEQ_REMOVE(&mp->lqh, bp, q); + TAILQ_REMOVE(head, bp, hq); + TAILQ_REMOVE(&mp->lqh, bp, q); #if defined(DEBUG) && !defined(DEBUG_IDX0SPLIT) { void *spage; spage = bp->page; 
@@ -450,7 +448,7 @@ BKT *bp; head = &mp->hqh[HASHKEY(pgno)]; - for (bp = head->cqh_first; bp != (void *)head; bp = bp->hq.cqe_next) + for (bp = head->tqh_first; bp != NULL; bp = bp->hq.tqe_next) if ((bp->pgno == pgno) && (bp->flags & MPOOL_INUSE)) { #ifdef STATISTICS ++mp->cachehit; @@ -494,8 +492,7 @@ sep = ""; cnt = 0; - for (bp = mp->lqh.cqh_first; - bp != (void *)&mp->lqh; bp = bp->q.cqe_next) { + for (bp = mp->lqh.tqh_first; bp != NULL; bp = bp->q.tqe_next) { (void)fprintf(stderr, "%s%d", sep, bp->pgno); if (bp->flags & MPOOL_DIRTY) (void)fprintf(stderr, "d"); Index: gss-infinite-loop/src/plugins/kdb/db2/libdb2/mpool/mpool.h =================================================================== --- gss-infinite-loop.orig/src/plugins/kdb/db2/libdb2/mpool/mpool.h 2014-07-30 21:02:43.442581194 -0400 +++ gss-infinite-loop/src/plugins/kdb/db2/libdb2/mpool/mpool.h 2014-07-30 21:02:43.442581194 -0400 @@ -47,8 +47,8 @@ /* The BKT structures are the elements of the queues. */ typedef struct _bkt { - CIRCLEQ_ENTRY(_bkt) hq; /* hash queue */ - CIRCLEQ_ENTRY(_bkt) q; /* lru queue */ + TAILQ_ENTRY(_bkt) hq; /* hash queue */ + TAILQ_ENTRY(_bkt) q; /* lru queue */ void *page; /* page */ db_pgno_t pgno; /* page number */ @@ -59,9 +59,9 @@ } BKT; typedef struct MPOOL { - CIRCLEQ_HEAD(_lqh, _bkt) lqh; /* lru queue head */ + TAILQ_HEAD(_lqh, _bkt) lqh; /* lru queue head */ /* hash queue array */ - CIRCLEQ_HEAD(_hqh, _bkt) hqh[HASHSIZE]; + TAILQ_HEAD(_hqh, _bkt) hqh[HASHSIZE]; db_pgno_t curcache; /* current number of cached pages */ db_pgno_t maxcache; /* max number of cached pages */ db_pgno_t npages; /* number of pages in the file */ debian/patches/CVE-2014-5353.patch0000664000000000000000000000520012465221515013236 0ustar From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Fri, 5 Dec 2014 14:01:39 -0500 Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353] In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns successfully with no results, return KRB5_KDB_NOENTRY instead of returning success with a zeroed-out policy object. This fixes a null dereference when an admin attempts to use an LDAP ticket policy name as a password policy name. CVE-2014-5353: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause a NULL dereference by attempting to use a named ticket policy object as a password policy for a principal. The attacker needs to be authenticated as a user who has the elevated privilege for setting password policy by adding or modifying principals. Queries to LDAP scoped to the krbPwdPolicy object class will correctly not return entries of other classes, such as ticket policy objects, but may return success with no returned elements if an object with the requested DN exists in a different object class. In this case, the routine to retrieve a password policy returned success with a password policy object that consisted entirely of zeroed memory. In particular, accesses to the policy name will dereference a NULL pointer. KDC operation does not access the policy name field, but most kadmin operations involving the principal with incorrect password policy will trigger the crash. Thanks to Patrik Kis for reporting this problem. CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C [kaduk@mit.edu: CVE description and CVSS score] ticket: 8051 (new) target_version: 1.13.1 tags: pullup --- src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c index 522773e..6779f51 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c @@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes); ent=ldap_first_entry(ld, result); - if (ent != NULL) { - if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0) - goto cleanup; + if (ent == NULL) { + st = KRB5_KDB_NOENTRY; + goto cleanup; } + st = populate_policy(context, ld, ent, pol_name, *policy); cleanup: ldap_msgfree(result); debian/patches/CVE-2015-8629.patch0000664000000000000000000000272113415155004013250 0ustar From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 8 Jan 2016 12:45:25 -0500 Subject: [PATCH] Verify decoded kadmin C strings [CVE-2015-8629] In xdr_nullstring(), check that the decoded string is terminated with a zero byte and does not contain any internal zero bytes. CVE-2015-8629: In all versions of MIT krb5, an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database. CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C ticket: 8341 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup --- src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 2bef858631..ba67084105 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c 
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) return FALSE; } } - return (xdr_opaque(xdrs, *objp, size)); + if (!xdr_opaque(xdrs, *objp, size)) + return FALSE; + /* Check that the unmarshalled bytes are a C string. */ + if ((*objp)[size - 1] != '\0') + return FALSE; + if (memchr(*objp, '\0', size - 1) != NULL) + return FALSE; + return TRUE; case XDR_ENCODE: if (size != 0) debian/patches/CVE-2017-11368-1.patch0000664000000000000000000000735213415162041013466 0ustar From ffb35baac6981f9e8914f8f3bffd37f284b85970 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 13 Jul 2017 12:14:20 -0400 Subject: [PATCH] Prevent KDC unset status assertion failures Assign status values if S4U2Self padata fails to decode, if an S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request uses an evidence ticket which does not match the canonicalized request server principal name. Reported by Samuel Cabrero. If a status value is not assigned during KDC processing, default to "UNKNOWN_REASON" rather than failing an assertion. This change will prevent future denial of service bugs due to similar mistakes, and will allow us to omit assigning status values for unlikely errors such as small memory allocation failures. CVE-2017-11368: In MIT krb5 1.7 and later, an authenticated attacker can cause an assertion failure in krb5kdc by sending an invalid S4U2Self or S4U2Proxy request. CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C ticket: 8599 (new) target_version: 1.15-next target_version: 1.14-next tags: pullup --- src/kdc/do_as_req.c | 4 ++-- src/kdc/do_tgs_req.c | 3 ++- src/kdc/kdc_util.c | 10 ++++++++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 2d3ad134d0..9b256c8764 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c 
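Review bot: Both checks added to xdr_nullstring index with `size - 1`, which is only safe when size is non-zero at that point. The guard that would establish this is not visible in the hunk (the decode branch starts above it), so once it is confirmed I would add `/* size is non-zero here; the zero-length case returned above. */` before the first check. Returning FALSE after xdr_opaque() has filled the buffer also leaves *objp pointing at it; if that buffer was allocated by this call (the allocation is above the hunk), confirm that callers release it on failure.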
@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) did_log = 1; egress: - if (errcode != 0) - assert (state->status != 0); + if (errcode != 0 && state->status == NULL) + state->status = "UNKNOWN_REASON"; au_state->status = state->status; au_state->reply = &state->reply; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index cdc79ad2f1..d8d67199b9 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, free(reply.enc_part.ciphertext.data); cleanup: - assert(status != NULL); + if (status == NULL) + status = "UNKNOWN_REASON"; if (reply_key) krb5_free_keyblock(kdc_context, reply_key); if (errcode) diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 778a629e52..b710aefe4c 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm, req_data.data = (char *)pa_data->contents; code = decode_krb5_pa_for_user(&req_data, &for_user); - if (code) + if (code) { + *status = "DECODE_PA_FOR_USER"; return code; + } code = verify_for_user_checksum(kdc_context, tgs_session, for_user); if (code) { @@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context, req_data.data = (char *)pa_data->contents; code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user); - if (code) + if (code) { + *status = "DECODE_PA_S4U_X509_USER"; return code; + } code = verify_s4u_x509_user_checksum(context, tgs_subkey ? tgs_subkey : @@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, * that is validated previously in validate_tgs_request(). */ if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) { + *status = "INVALID_S4U2PROXY_OPTIONS"; return KRB5KDC_ERR_BADOPTION; } 
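Review bot: The fallback literal `"UNKNOWN_REASON"` is written out twice, in finish_process_as_req (do_as_req.c) and in process_tgs_req (do_tgs_req.c); a single macro in a shared KDC header, for example `#define KDC_STATUS_UNKNOWN "UNKNOWN_REASON"`, would keep the two logged values from drifting apart. With the assertions gone, an error path that forgets to assign a status is visible only as this string in the log, so I would add at both sites `/* No status was assigned on this error path; log a generic reason instead of aborting. */`. Both functions start outside their hunks.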
@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, if (!krb5_principal_compare(kdc_context, server->princ, /* after canon */ server_princ)) { + *status = "EVIDENCE_TICKET_MISMATCH"; return KRB5KDC_ERR_SERVER_NOMATCH; } debian/patches/debian-local/0000775000000000000000000000000012272025333013130 5ustar debian/patches/debian-local/0006-gssapi-never-unload-mechanisms.patch0000664000000000000000000000244012271473454022556 0ustar From c365e88d5f3803edd8e268816441618e0cd9b23f Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Fri, 29 Mar 2013 17:18:40 -0400 Subject: gssapi: never unload mechanisms It turns out that many GSSAPI mechanisms link to the main gss-api library creating a circular reference. Depending on how the linker breaks the cycle at process exit time, the linker may unload the GSS library after unloading the mechanisms. The explicit dlclose from the GSS library tends to cause a libdl assertion failure at that point. So, never unload plugins. They are refcounted, so dlopen handles will not leak, although obviously the memory from the plugin is never reclaimed. ticket: 7135 Patch-Category: debian-local --- src/lib/gssapi/mechglue/g_initialize.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c index 48a825e..0c37063 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -489,8 +489,6 @@ releaseMechInfo(gss_mech_info *pCf) memset(cf->mech, 0, sizeof(*cf->mech)); free(cf->mech); } - if (cf->dl_handle != NULL) - krb5int_close_plugin(cf->dl_handle); if (cf->int_mech_type != GSS_C_NO_OID) generic_gss_release_oid(&minor_status, &cf->int_mech_type); debian/patches/debian-local/0005-debian-install-ldap-library-in-subdirectory.patch0000664000000000000000000000321512272025332025121 0ustar From 71596b8ff1e249e4d22fc47d7341400783ee6c97 Mon Sep 17 00:00:00 2001 
From: Sam Hartman Date: Mon, 26 Dec 2011 18:12:39 -0500 Subject: debian: install ldap library in subdirectory Debian received a request to install the internal ldap library not in the main lib directory. We are changing SHLIB_DIRS from the default that upstream sets in the makefile includes; assign unconditionally the full value. Patch-Category: debian-local --- src/plugins/kdb/ldap/Makefile.in | 1 + src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 + 2 files changed, 2 insertions(+) diff --git a/src/plugins/kdb/ldap/Makefile.in b/src/plugins/kdb/ldap/Makefile.in index 3dd4ba6..9aaad52 100644 --- a/src/plugins/kdb/ldap/Makefile.in +++ b/src/plugins/kdb/ldap/Makefile.in @@ -20,6 +20,7 @@ SHLIB_EXPDEPS = \ $(TOPLIBD)/libkrb5$(SHLIBEXT) \ $(TOPLIBD)/lib$(SUPPORT_LIBNAME)$(SHLIBEXT) SHLIB_EXPLIBS= -lkdb_ldap $(GSSRPC_LIBS) -lkrb5 -lcom_err -lk5crypto -lkrb5support $(LIBS) +SHLIB_DIRS=-L$(TOPLIBD) -Wl,-rpath,$(KRB5_LIBDIR)/krb5 SRCS= $(srcdir)/ldap_exp.c diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in index b9ea339..11d11a4 100644 --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in @@ -2,6 +2,7 @@ mydir=plugins$(S)kdb$(S)ldap$(S)ldap_util BUILDTOP=$(REL)..$(S)..$(S)..$(S).. DEFINES = -DKDB4_DISABLE LOCALINCLUDES = -I. -I$(srcdir)/../libkdb_ldap -I$(top_srcdir)/lib/kdb +PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) -Wl,-rpath,$(KRB5_LIBDIR)/krb5 #KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) KDB_DEP_LIB=$(DL_LIB) -lkdb_ldap $(THREAD_LINKOPTS) debian/patches/debian-local/0003-debian-suppress-usr-lib-in-krb5-config.patch0000664000000000000000000000272612272025332023726 0ustar From 8dda16f845aad709968e9321c21b231852339420 Mon Sep 17 00:00:00 2001 
From: Sam Hartman Date: Mon, 26 Dec 2011 18:19:53 -0500 Subject: debian: suppress /usr/lib in krb5-config Handel multi-arch suppressions Patch-Category: debian-local --- src/build-tools/krb5-config.in | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in index f6184da..637bad7 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -138,6 +138,7 @@ if test -n "$do_help"; then echo " [--defktname] Show built-in default keytab name" echo " [--defcktname] Show built-in default client keytab name" echo " [--cflags] Compile time CFLAGS" + echo " [--deps] Include dependent libraries" echo " [--libs] List libraries required to link [LIBRARIES]" echo "Libraries:" echo " krb5 Kerberos 5 application" @@ -209,11 +210,14 @@ fi if test -n "$do_libs"; then # Assumes /usr/lib is the standard library directory everywhere... - if test "$libdir" = /usr/lib; then - libdirarg= - else - libdirarg="-L$libdir" - fi + case $libdir in + /usr/lib*) + libdirarg= + ;; + *) + libdirarg="-L$libdir" + ;; + esac # Ugly gross hack for our build tree lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \ -e 's/\$(PURE)//' \ debian/patches/debian-local/0007-Add-substpdf-target.patch0000664000000000000000000000266112271473454020360 0ustar From 33695fd1a2e20dc1e1d2de2f14d9352cc2f6fbe4 Mon Sep 17 00:00:00 2001 From: Ben Kaduk Date: Fri, 29 Mar 2013 20:53:37 -0400 Subject: Add substpdf target Akin to substhtml, so that we can build PDF documents without overwriting the upstream-provided versions and causing debian/rules clean to not return to the original state. Patch-Category: debian-local --- src/doc/Makefile.in | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in index a6bb7c5..e7a249a 100644 --- a/src/doc/Makefile.in +++ b/src/doc/Makefile.in 
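Review bot: The pattern `/usr/lib*)` in the new `case $libdir in` block of krb5-config.in matches more than the standard and multi-arch directories: any path that merely begins with that string, such as a libexec directory or a sibling prefix, also gets an empty libdirarg and loses its -L flag. If only /usr/lib and its subdirectories are meant, `/usr/lib | /usr/lib/*)` says that exactly, with further alternatives added for any other system directories the package supports. The first hunk adds a `--deps` line to the help text, but the option parsing is outside the hunks, so confirm the option is actually accepted.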
@@ -85,6 +85,21 @@ pdf: $(PDFDIR) rm -f *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla \ ) +substpdf: rst_composite + $(SPHINX_BUILD) -t pathsubs -b latex -q rst_composite pdf_subst + mv pdf_subst/Makefile pdf_subst/GMakefile + (cd pdf_subst && \ + for i in $(PDFDOCS); do \ + texfile=`echo $${i}.tex` && \ + idxfile=`echo $${i}.idx` && \ + pdflatex $(LATEXOPTS) $$texfile && \ + pdflatex $(LATEXOPTS) $$texfile && \ + makeindex -s python.ist $$idxfile || true; \ + pdflatex $(LATEXOPTS) $$texfile && \ + pdflatex $(LATEXOPTS) $$texfile; done && \ + rm -f *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla \ + ) + # Use doxygen to generate API documentation, translate it into RST # format, and then create a composite of $(docsrc)'s RST and the # generated files in rst_composite. Used by the html and substhtml targets. debian/patches/debian-local/0004-debian-osconf.hin-path-changes.patch0000664000000000000000000000157612271473454022401 0ustar From b7209c18dafe5a1c408b7c957ecff6c5135029ce Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 26 Dec 2011 18:20:11 -0500 Subject: debian: osconf.hin path changes Patch-Category: debian-local --- src/include/osconf.hin | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/include/osconf.hin b/src/include/osconf.hin index 90ab86d..83339f0 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -117,8 +117,8 @@ * krb5 slave support follows */ -#define KPROP_DEFAULT_FILE KDC_DIR "/slave_datatrans" -#define KPROPD_DEFAULT_FILE KDC_DIR "/from_master" +#define KPROP_DEFAULT_FILE "/var/lib/krb5kdc/slave_datatrans" +#define KPROPD_DEFAULT_FILE "/var/lib/krb5kdc/from_master" #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util" #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop" #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE debian/patches/debian-local/0002-Debian-HURD-compatibility.patch0000664000000000000000000000576412271473454021347 0ustar 
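Review bot: In the new substpdf recipe the `|| true` after makeindex applies to the whole `&&` chain before it, so a failure of either of the first two pdflatex runs is swallowed too and the loop carries on with the next pair. If only a missing index should be tolerated, group that one command: `{ makeindex -s python.ist $$idxfile || true; } && \`. The recipe appears to mirror the existing pdf target, of which only the tail is visible as leading context, so the same may apply there.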
From 6100afdbc5e688a6c859a8995c7120aa69f52195 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 26 Dec 2011 18:11:42 -0500 Subject: Debian: HURD compatibility HURD has no MAXPATHLEN or MAXHOSTLEN. Patch-Category: debian-local --- src/include/k5-int.h | 3 +++ src/kadmin/ktutil/ktutil_funcs.c | 4 ++++ src/lib/gssapi/spnego/spnego_mech.c | 3 +++ src/lib/krb5/os/sn2princ.c | 4 ++++ src/plugins/kdb/db2/libdb2/include/db-int.h | 4 ++++ src/tests/resolve/resolve.c | 4 ++++ 6 files changed, 22 insertions(+) diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 623f09e..ea3b7e3 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -549,6 +549,9 @@ extern char *strdup (const char *); #ifdef HAVE_SYS_PARAM_H #include /* MAXPATHLEN */ #endif +#ifndef MAXPATHLEN +# define MAXPATHLEN 4096 +#endif #ifdef HAVE_SYS_FILE_H #include /* prototypes for file-related diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c index 20a348c..b8b61ce 100644 --- a/src/kadmin/ktutil/ktutil_funcs.c +++ b/src/kadmin/ktutil/ktutil_funcs.c @@ -33,6 +33,10 @@ #include #include +#ifndef MAXPATHLEN +# define MAXPATHLEN 4096 +#endif + /* * Free a kt_list */ diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c index 24c3440..af0978d 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -69,6 +69,9 @@ #include "gssapiP_spnego.h" #include +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 64 +#endif #undef g_token_size #undef g_verify_token_header diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c index 86a0762..b3a1e98 100644 --- a/src/lib/krb5/os/sn2princ.c +++ b/src/lib/krb5/os/sn2princ.c 
@@ -60,6 +60,10 @@ maybe_use_reverse_dns (krb5_context context, int defalt) } +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 256 +#endif + krb5_error_code KRB5_CALLCONV krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, krb5_principal *ret_princ) { diff --git a/src/plugins/kdb/db2/libdb2/include/db-int.h b/src/plugins/kdb/db2/libdb2/include/db-int.h index 8329ee3..6efa363 100644 --- a/src/plugins/kdb/db2/libdb2/include/db-int.h +++ b/src/plugins/kdb/db2/libdb2/include/db-int.h @@ -280,4 +280,8 @@ void __dbpanic __P((DB *dbp)); #ifndef O_BINARY #define O_BINARY 0 /* Needed for Win32 compiles */ #endif + +#ifndef MAXPATHLEN +# define MAXPATHLEN 4096 +#endif #endif /* _DB_INT_H_ */ diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c index 7339d21..38f7253 100644 --- a/src/tests/resolve/resolve.c +++ b/src/tests/resolve/resolve.c @@ -73,6 +73,10 @@ char *strchr(); #include #include +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 256 +#endif + int main(argc, argv) int argc; debian/patches/debian-local/0009-.gbp.conf.patch0000664000000000000000000000075012271473454016325 0ustar From beca90c378b55451f1d932f1e59fac06077700c9 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Sat, 11 Jan 2014 17:29:18 -0500 Subject: .gbp.conf Include pristine-tar configuration in .gbp.conf Patch-Category: debian-local --- .gbp.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gbp.conf diff --git a/.gbp.conf b/.gbp.conf new file mode 100644 index 0000000..6723fcc --- /dev/null +++ b/.gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +pristine-tar=True debian/patches/0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch0000664000000000000000000001140412620645663021637 0ustar From 5651adc61b31dcad69a35be5ef631586cd33ff87 Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Wed, 4 Nov 2015 21:28:28 -0500 Subject: Fix IAKERB context export/import [CVE-2015-2698] The patches for CVE-2015-2696 contained a regression in the newly added IAKERB iakerb_gss_export_sec_context() function, which could cause it to corrupt memory. Fix the regression by properly dereferencing the context_handle pointer before casting it. Also, the patches did not implement an IAKERB gss_import_sec_context() function, under the erroneous belief than an exported IAKERB context would be tagged as a krb5 context. Implement it now to allow IAKERB contexts to be successfully exported and imported after establishment. CVE-2015-2698: In any MIT krb5 release with the patches for CVE-2015-2696 applied, an application which calls gss_export_sec_context() may experience memory corruption if the context was established using the IAKERB mechanism. Historically, some vulnerabilities of this nature can be translated into remote code execution, though the necessary exploits must be tailored to the individual application and are usually quite complicated. CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C ticket: 8273 (new) target_version: 1.14 tags: pullup (cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27) Patch-Category: upstream --- src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++ src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++------- 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index b14788d..1ae40c9 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h 
@@ -1393,6 +1393,11 @@ OM_uint32 KRB5_CALLCONV iakerb_gss_export_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, gss_buffer_t interprocess_token); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_import_sec_context(OM_uint32 *minor_status, + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle); #endif /* LEAN_CLIENT */ OM_uint32 KRB5_CALLCONV diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 61a6922..4931f86 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = { NULL, #else iakerb_gss_export_sec_context, - NULL, + iakerb_gss_import_sec_context, #endif krb5_gss_inquire_cred_by_mech, krb5_gss_inquire_names_for_mech, diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index e25862d..32a341e 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, gss_buffer_t interprocess_token) { OM_uint32 maj; - iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; /* We don't currently support exporting partially established contexts. */ if (!ctx->established) 
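Review bot: The prototype added to gssapiP_krb5.h declares the second parameter of iakerb_gss_import_sec_context as `const gss_buffer_t interprocess_token`, while the definition added in iakerb.c takes plain `gss_buffer_t interprocess_token`. Assuming gss_buffer_t is the usual pointer typedef, the qualifier sits on the parameter itself and the two declarations are compatible, but they should read the same. I would change the definition to `const gss_buffer_t interprocess_token,` so it matches the header.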
@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, return maj; } -/* - * Until we implement partial context exports, there are no IAKERB exported - * context tokens, only tokens for the underlying krb5 context. So we do not - * need to implement an iakerb_gss_import_sec_context() yet; it would be - * unreachable except via a manually constructed token. - */ +OM_uint32 KRB5_CALLCONV +iakerb_gss_import_sec_context(OM_uint32 *minor_status, + gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle) +{ + OM_uint32 maj, tmpmin; + krb5_error_code code; + gss_ctx_id_t gssc; + krb5_gss_ctx_id_t kctx; + iakerb_ctx_id_t ctx; + + maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc); + if (maj != GSS_S_COMPLETE) + return maj; + kctx = (krb5_gss_ctx_id_t)gssc; + + if (!kctx->established) { + /* We don't currently support importing partially established + * contexts. */ + krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); + return GSS_S_FAILURE; + } + code = iakerb_alloc_context(&ctx, kctx->initiate); + if (code != 0) { + krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); + *minor_status = code; + return GSS_S_FAILURE; + } + + ctx->gssc = gssc; + ctx->established = 1; + *context_handle = (gss_ctx_id_t)ctx; + return GSS_S_COMPLETE; +} #endif /* LEAN_CLIENT */ OM_uint32 KRB5_CALLCONV debian/patches/CVE-2016-3119.patch0000664000000000000000000000302213415160014013226 0ustar From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001 
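Review bot: In the new iakerb_gss_import_sec_context the `!kctx->established` branch returns GSS_S_FAILURE without assigning *minor_status, whereas the allocation-failure branch just below sets `*minor_status = code;`. The caller therefore gets a failure together with whatever krb5_gss_import_sec_context() left in the minor status, presumably its success value. Assign it explicitly before that return, for example `*minor_status = 0;` or a specific error code if the project has one for unsupported tokens, or add a comment stating that the inherited value is intended.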
From: Greg Hudson Date: Mon, 14 Mar 2016 17:26:34 -0400 Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119] In the LDAP KDB module's process_db_args(), strtok_r() may return NULL if there is an empty string in the db_args array. Check for this case and avoid dereferencing a null pointer. CVE-2016-3119: In MIT krb5 1.6 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying an empty DB argument to the modify_principal command, if kadmind is configured to use the LDAP KDB module. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND ticket: 8383 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup --- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 6e591e1974..79c4cf05cc 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs, if (db_args) { for (i=0; db_args[i]; ++i) { arg = strtok_r(db_args[i], "=", &arg_val); + arg = (arg != NULL) ? arg : ""; if (strcmp(arg, TKTPOLICY_ARG) == 0) { dptr = &xargs->tktpolicydn; } else { debian/patches/0008-autoreconf.patch0000664000000000000000000007304312271473454014412 0ustar From 4631a3de8bfe35e0388c56bd205defdf4024cb56 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Sat, 8 Jun 2013 21:59:56 -0400 Subject: autoreconf --- src/configure | 284 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 146 insertions(+), 138 deletions(-) diff --git a/src/configure b/src/configure index 91f7e13..47e371d 100755 --- a/src/configure +++ b/src/configure 
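Review bot: The line `arg = (arg != NULL) ? arg : "";` added to process_db_args has no comment saying when strtok_r() returns NULL, and what the substitution achieves depends on the else branch, which continues outside the hunk. After confirming that branch rejects the empty name, I would add above the line `/* strtok_r() returns NULL for an empty db_args entry; use "" so it is handled as an unrecognised argument. */`. The same strtok_r() call also writes arg_val, so check that the code after the hunk does not rely on its value for an empty entry.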
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Kerberos 5 1.12. +# Generated by GNU Autoconf 2.69 for Kerberos 5 1.12. # # Report bugs to . # @@ -9,9 +9,7 @@ # # # -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software -# Foundation, Inc. +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation @@ -140,6 +138,31 @@ export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH +# Use a proper internal environment variable to ensure we don't fall + # into an infinite loop, continuously re-executing ourselves. + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then + _as_can_reexec=no; export _as_can_reexec; + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +as_fn_exit 255 + fi + # We don't want this to propagate to other subprocesses. + { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh 
@@ -173,7 +196,8 @@ if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi -test x\$exitcode = x0 || exit 1" +test x\$exitcode = x0 || exit 1 +test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && @@ -218,21 +242,25 @@ IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : - # We cannot yet assume a decent shell, so we have to provide a - # neutralization value for shells without unset; and this also - # works around shells that cannot unset nonexistent variables. - # Preserve -v and -x to the replacement shell. - BASH_ENV=/dev/null - ENV=/dev/null - (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV - export CONFIG_SHELL - case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; - esac - exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} + export CONFIG_SHELL + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +exit 255 fi if test x$as_have_required = xno; then : 
@@ -335,6 +363,14 @@ $as_echo X"$as_dir" | } # as_fn_mkdir_p + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take @@ -456,6 +492,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have + # already done that, so ensure we don't try to do so again and fall + # in an infinite loop. This has already happened in practice. + _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). @@ -490,16 +530,16 @@ if (echo >conf$$.file) 2>/dev/null; then # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. + # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -p' + as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null 
@@ -511,28 +551,8 @@ else as_mkdir_p=false fi -if test -x / >/dev/null 2>&1; then - as_test_x='test -x' -else - if ls -dL / >/dev/null 2>&1; then - as_ls_L_option=L - else - as_ls_L_option= - fi - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then - test -d "$1/."; - else - case $1 in #( - -*)set "./$1";; - esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -fi -as_executable_p=$as_test_x +as_test_x='test -x' +as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" @@ -1344,8 +1364,6 @@ target=$target_alias if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe - $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. - If a cross compiler is detected then cross compile mode will be used" >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi @@ -1643,9 +1661,9 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF Kerberos 5 configure 1.12 -generated by GNU Autoconf 2.68 +generated by GNU Autoconf 2.69 -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. @@ -1800,7 +1818,7 @@ $as_echo "$ac_try_echo"; } >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext + test -x conftest$ac_exeext }; then : ac_retval=0 else 
@@ -2165,7 +2183,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by Kerberos 5 $as_me 1.12, which was -generated by GNU Autoconf 2.68. Invocation command line was +generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2586,7 +2604,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2626,7 +2644,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2679,7 +2697,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2720,7 +2738,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue 
@@ -2778,7 +2796,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -2822,7 +2840,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3268,8 +3286,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include -#include -#include +struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); @@ -3382,7 +3399,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3426,7 +3443,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CXX="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -3847,7 +3864,7 @@ do for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue + as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in @@ -3913,7 +3930,7 @@ do for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue + as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in @@ -4707,7 +4724,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_compile_et="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4912,11 +4929,11 @@ else int main () { -/* FIXME: Include the comments suggested by Paul. */ + #ifndef __cplusplus - /* Ultrix mips cc rejects this. */ + /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; - const charset cs; + const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; @@ -4933,8 +4950,9 @@ main () ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; - { /* SCO 3.2v4 cc rejects this. */ - char *t; + { /* SCO 3.2v4 cc rejects this sort of thing. */ + char tx; + char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; 
@@ -4950,10 +4968,10 @@ main () iptr p = 0; ++p; } - { /* AIX XL C 1.02.0.0 rejects this saying + { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; }; - struct s *b; b->j = 5; + struct s { int j; const int *ap[3]; } bx; + struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; @@ -5803,7 +5821,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_acx_pthread_config="yes" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5978,7 +5996,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_PTHREAD_CC="cc_r" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6976,7 +6994,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -7016,7 +7034,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7067,7 +7085,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ARCHIVE="ar cqv" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7105,7 +7123,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ARADD="ar cruv" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7164,7 +7182,7 @@ case $as_dir/ in #(( # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. 
@@ -7236,7 +7254,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AR="ar" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7277,7 +7295,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_PERL="perl" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7680,7 +7698,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_MSGFMT="msgfmt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7888,7 +7906,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -8601,7 +8619,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_LEX="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -8633,7 +8651,8 @@ a { ECHO; } b { REJECT; } c { yymore (); } d { yyless (1); } -e { yyless (input () != 0); } +e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ + yyless ((input () != 0)); } f { unput (yytext[0]); } . { BEGIN INITIAL; } %% @@ -8752,11 +8771,11 @@ else int main () { -/* FIXME: Include the comments suggested by Paul. */ + #ifndef __cplusplus - /* Ultrix mips cc rejects this. */ + /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; - const charset cs; + const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; @@ -8773,8 +8792,9 @@ main () ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; - { /* SCO 3.2v4 cc rejects this. */ - char *t; + { /* SCO 3.2v4 cc rejects this sort of thing. */ + char tx; + char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; @@ -8790,10 +8810,10 @@ main () iptr p = 0; ++p; } - { /* AIX XL C 1.02.0.0 rejects this saying + { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; }; - struct s *b; b->j = 5; + struct s { int j; const int *ap[3]; } bx; + struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; @@ -10955,7 +10975,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_SH="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -10996,7 +11016,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_SH5="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11037,7 +11057,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_BASH="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11139,7 +11159,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_DIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11180,7 +11200,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_NSLOOKUP="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -11224,7 +11244,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_YACC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11273,7 +11293,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_have_RUNTEST="runtest" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11310,7 +11330,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_have_PERL="perl" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11362,7 +11382,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PERL_PATH="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -11402,7 +11422,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_EXPECT="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11485,7 +11505,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RUNTEST="runtest" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11522,7 +11542,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_PERL="perl" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12114,7 +12134,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_PYTHON="python" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 
@@ -12761,7 +12781,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_GROFF="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -13385,16 +13405,16 @@ if (echo >conf$$.file) 2>/dev/null; then # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -p'. + # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -p' + as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi else - as_ln_s='cp -p' + as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -13454,28 +13474,16 @@ else as_mkdir_p=false fi -if test -x / >/dev/null 2>&1; then - as_test_x='test -x' -else - if ls -dL / >/dev/null 2>&1; then - as_ls_L_option=L - else - as_ls_L_option= - fi - as_test_x=' - eval sh -c '\'' - if test -d "$1"; then - test -d "$1/."; - else - case $1 in #( - -*)set "./$1";; - esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( - ???[sx]*):;;*)false;;esac;fi - '\'' sh - ' -fi -as_executable_p=$as_test_x + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +as_test_x='test -x' +as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" 
@@ -13497,7 +13505,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # values after options handling. ac_log=" This file was extended by Kerberos 5 $as_me 1.12, which was -generated by GNU Autoconf 2.68. Invocation command line was +generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS @@ -13563,10 +13571,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ Kerberos 5 config.status 1.12 -configured by $0, generated by GNU Autoconf 2.68, +configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" -Copyright (C) 2010 Free Software Foundation, Inc. +Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." @@ -13656,7 +13664,7 @@ fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then - set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' debian/patches/CVE-2014-9423.patch0000664000000000000000000000626312465221537013256 0ustar From 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Mon, 29 Dec 2014 13:17:56 -0500 Subject: [PATCH] Fix gssrpc data leakage [CVE-2014-9423] [MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy bytes from the union context into the handle field we send to the client. We do not use this handle field, so just supply a fixed string of "xxxx". In gss_union_ctx_id_struct, remove the unused "interposer" field which was causing part of the union context to remain uninitialized. ticket: 8058 (new) target_version: 1.13.1 tags: pullup --- src/lib/gssapi/mechglue/mglueP.h | 1 - src/lib/rpc/svc_auth_gss.c | 25 ++----------------------- 2 files changed, 2 insertions(+), 24 deletions(-) Index: krb5-1.12.1+dfsg/src/lib/gssapi/mechglue/mglueP.h =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/mechglue/mglueP.h 2015-02-06 15:14:51.671253535 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/mechglue/mglueP.h 2015-02-06 15:14:51.667253505 -0500 @@ -25,7 +25,6 @@ */ typedef struct gss_union_ctx_id_struct { struct gss_union_ctx_id_struct *loopback; - struct gss_union_ctx_id_struct *interposer; gss_OID mech_type; gss_ctx_id_t internal_ctx_id; } gss_union_ctx_id_desc, *gss_union_ctx_id_t; Index: krb5-1.12.1+dfsg/src/lib/rpc/svc_auth_gss.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/rpc/svc_auth_gss.c 2015-02-06 15:14:51.671253535 -0500 +++ krb5-1.12.1+dfsg/src/lib/rpc/svc_auth_gss.c 2015-02-06 15:14:51.667253505 -0500 @@ -68,16 +68,6 @@ extern SVCAUTH svc_auth_none; -/* - * from mit-krb5-1.2.1 mechglue/mglueP.h: - * Array of context IDs typed by mechanism OID - */ -typedef struct gss_union_ctx_id_t { - gss_OID mech_type; - gss_ctx_id_t internal_ctx_id; -} gss_union_ctx_id_desc, *gss_union_ctx_id_t; - - static auth_gssapi_log_badauth_func log_badauth = NULL; static caddr_t log_badauth_data = NULL; static auth_gssapi_log_badauth2_func log_badauth2 = NULL; 
@@ -242,16 +232,8 @@ gd->ctx = GSS_C_NO_CONTEXT; goto errout; } - /* - * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers, - * one to the mechanism oid, one to the internal_ctx_id - */ - if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) { - fprintf(stderr, "svcauth_gss_accept_context: out of memory\n"); - goto errout; - } - memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc)); - gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc); + gr->gr_ctx.value = "xxxx"; + gr->gr_ctx.length = 4; /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */ gr->gr_win = sizeof(gd->seqmask) * 8; @@ -523,8 +505,6 @@ if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) { gss_release_buffer(&min_stat, &gr.gr_token); - mem_free(gr.gr_ctx.value, - sizeof(gss_union_ctx_id_desc)); ret_freegc (AUTH_FAILED); } *no_dispatch = TRUE; @@ -534,7 +514,6 @@ gss_release_buffer(&min_stat, &gr.gr_token); gss_release_buffer(&min_stat, &gd->checksum); - mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc)); if (!call_stat) ret_freegc (AUTH_FAILED); debian/patches/0033-Fix-build_principal-memory-bug-CVE-2015-2697.patch0000664000000000000000000000413312620645650021604 0ustar From 8ab3d571e2ef808f0167ddcee34334d7653b914b Mon Sep 17 00:00:00 2001 
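Review bot: The placeholder handle assigned in the `@@ -242` hunk of svc_auth_gss.c is a bare string literal with a hand-counted length, and nothing at the assignment says that `gr_ctx.value` is no longer heap-owned. The two later hunks drop the matching `mem_free(gr.gr_ctx.value, ...)` calls, but any other release of that buffer outside these hunks (not visible here) would now receive a pointer to static data, so that should be checked. I would put a comment above the assignment, e.g. `/* Handle is unused by this server; send a constant so no context bytes leak. Static storage: never free. */`. The enclosing function starts and ends outside the hunk.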
From: Greg Hudson Date: Fri, 25 Sep 2015 12:51:47 -0400 Subject: Fix build_principal memory bug [CVE-2015-2697] In build_principal_va(), use k5memdup0() instead of strdup() to make a copy of the realm, to ensure that we allocate the correct number of bytes and do not read past the end of the input string. This bug affects krb5_build_principal(), krb5_build_principal_va(), and krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not affected. CVE-2015-2697: In MIT krb5 1.7 and later, an authenticated attacker may be able to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte. If the KDC attempts to find a referral to answer the request, it constructs a principal name for lookup using krb5_build_principal() with the requested realm. Due to a bug in this function, the null byte causes only one byte be allocated for the realm field of the constructed principal, far less than its length. Subsequent operations on the lookup principal may cause a read beyond the end of the mapped memory region, causing the KDC process to crash. CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C ticket: 8252 (new) target_version: 1.14 tags: pullup (cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789) (cherry picked from commit fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0) Patch-Category: upstream --- src/lib/krb5/krb/bld_princ.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c index 3dbe356..442cbf5 100644 --- a/src/lib/krb5/krb/bld_princ.c +++ b/src/lib/krb5/krb/bld_princ.c 
@@ -41,10 +41,8 @@ build_principal_va(krb5_context context, krb5_principal princ, data = malloc(size * sizeof(krb5_data)); if (!data) { retval = ENOMEM; } - if (!retval) { - r = strdup(realm); - if (!r) { retval = ENOMEM; } - } + if (!retval) + r = k5memdup0(realm, rlen, &retval); while (!retval && (component = va_arg(ap, char *))) { if (count == size) { debian/patches/0032-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch0000664000000000000000000006573512620645641021542 0ustar From 515ddf7c62b5944e550728ee8bab284b852f8995 Mon Sep 17 00:00:00 2001 
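Review bot: The new `k5memdup0(realm, rlen, &retval)` call in build_principal_va() has no comment saying why a length-based copy is needed, so a later cleanup could turn it back into `strdup()` and bring back the short allocation. A one-line comment above it would do: `/* realm may contain NUL bytes; copy rlen bytes so the allocation matches the realm length. */`. `rlen` is assigned outside this hunk, so I am assuming it is the same length later recorded for the principal's realm; that should be confirmed. The diffstat lists only bld_princ.c, so a regression test that builds a principal from a realm beginning with a NUL byte would be a useful addition.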
From: Nicolas Williams Date: Mon, 14 Sep 2015 12:28:36 -0400 Subject: Fix IAKERB context aliasing bugs [CVE-2015-2696] The IAKERB mechanism currently replaces its context handle with the krb5 mechanism handle upon establishment, under the assumption that most GSS functions are only called after context establishment. This assumption is incorrect, and can lead to aliasing violations for some programs. Maintain the IAKERB context structure after context establishment and add new IAKERB entry points to refer to it with that type. Add initiate and established flags to the IAKERB context structure for use in gss_inquire_context() prior to context establishment. CVE-2015-2696: In MIT krb5 1.9 and later, applications which call gss_inquire_context() on a partially-established IAKERB context can cause the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. Java server applications using the native JGSS provider are vulnerable to this bug. A carefully crafted IAKERB packet might allow the gss_inquire_context() call to succeed with attacker-determined results, but applications should not make access control decisions based on gss_inquire_context() results prior to context establishment. CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C [ghudson@mit.edu: several bugfixes, style changes, and edge-case behavior changes; commit message and CVE description] ticket: 8244 target_version: 1.14 tags: pullup (cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a) (cherry picked from commit ebea85358bc72ec20c53130d83acb93f95853b76) Patch-Category: upstream --- src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- 3 files changed, 529 insertions(+), 41 deletions(-) diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 42d16ad..b14788d 100644 
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -618,6 +618,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext ); #endif /* LEAN_CLIENT */ +OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid +(OM_uint32*, /* minor_status */ + const gss_ctx_id_t, + /* context_handle */ + const gss_OID, /* desired_object */ + gss_buffer_set_t* /* data_set */ +); + +OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option +(OM_uint32*, /* minor_status */ + gss_ctx_id_t*, /* context_handle */ + const gss_OID, /* desired_object */ + const gss_buffer_t/* value */ +); + OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token (OM_uint32*, /* minor_status */ gss_ctx_id_t, /* context_handle */ 
@@ -1298,6 +1313,105 @@ OM_uint32 KRB5_CALLCONV krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, gss_cred_id_t *cred_handle); +OM_uint32 KRB5_CALLCONV +iakerb_gss_process_context_token(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t token_buffer); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + OM_uint32 *time_rec); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_inquire_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_name_t *src_name, + gss_name_t *targ_name, OM_uint32 *lifetime_rec, + gss_OID *mech_type, OM_uint32 *ctx_flags, + int *locally_initiated, int *opened); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_buffer_t message_buffer, + gss_buffer_t message_token); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_iov_buffer_desc *iov, + int iov_count); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_qop_t qop_req, + gss_iov_buffer_desc *iov, int iov_count); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_buffer_t msg_buffer, gss_buffer_t token_buffer, + gss_qop_t *qop_state); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t *qop_state, gss_iov_buffer_desc *iov, + int iov_count); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int conf_req_flag, gss_qop_t qop_req, + gss_buffer_t input_message_buffer, int *conf_state, + gss_buffer_t output_message_buffer); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int conf_req_flag, gss_qop_t qop_req, int *conf_state, + gss_iov_buffer_desc 
*iov, int iov_count); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, int conf_req_flag, + gss_qop_t qop_req, int *conf_state, + gss_iov_buffer_desc *iov, int iov_count); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, int *conf_state, + gss_qop_t *qop_state); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int *conf_state, gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, int iov_count); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, int conf_req_flag, + gss_qop_t qop_req, OM_uint32 req_output_size, + OM_uint32 *max_input_size); + +#ifndef LEAN_CLIENT +OM_uint32 KRB5_CALLCONV +iakerb_gss_export_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t interprocess_token); +#endif /* LEAN_CLIENT */ + +OM_uint32 KRB5_CALLCONV +iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, + const gss_buffer_t value); + +OM_uint32 KRB5_CALLCONV +iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int prf_key, const gss_buffer_t prf_in, + ssize_t desired_output_len, gss_buffer_t prf_out); + /* Magic string to identify exported krb5 GSS credentials. Increment this if * the format changes. */ #define CRED_EXPORT_MAGIC "K5C1" diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 088219a..61a6922 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c 
@@ -345,7 +345,7 @@ static struct { } }; -static OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, const gss_ctx_id_t context_handle, const gss_OID desired_object, @@ -459,7 +459,7 @@ static struct { }; #endif -static OM_uint32 KRB5_CALLCONV +OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option (OM_uint32 *minor_status, gss_ctx_id_t *context_handle, const gss_OID desired_object, 
@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = { krb5_gss_get_mic_iov_length, }; +/* Functions which use security contexts or acquire creds are IAKERB-specific; + * other functions can borrow from the krb5 mech. */ +static struct gss_config iakerb_mechanism = { + { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, + NULL, + iakerb_gss_acquire_cred, + krb5_gss_release_cred, + iakerb_gss_init_sec_context, +#ifdef LEAN_CLIENT + NULL, +#else + iakerb_gss_accept_sec_context, +#endif + iakerb_gss_process_context_token, + iakerb_gss_delete_sec_context, + iakerb_gss_context_time, + iakerb_gss_get_mic, + iakerb_gss_verify_mic, +#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) + NULL, +#else + iakerb_gss_wrap, +#endif +#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) + NULL, +#else + iakerb_gss_unwrap, +#endif + krb5_gss_display_status, + krb5_gss_indicate_mechs, + krb5_gss_compare_name, + krb5_gss_display_name, + krb5_gss_import_name, + krb5_gss_release_name, + krb5_gss_inquire_cred, + NULL, /* add_cred */ +#ifdef LEAN_CLIENT + NULL, + NULL, +#else + iakerb_gss_export_sec_context, + NULL, +#endif + krb5_gss_inquire_cred_by_mech, + krb5_gss_inquire_names_for_mech, + iakerb_gss_inquire_context, + krb5_gss_internal_release_oid, + iakerb_gss_wrap_size_limit, + krb5_gss_localname, + krb5_gss_authorize_localname, + krb5_gss_export_name, + krb5_gss_duplicate_name, + krb5_gss_store_cred, + iakerb_gss_inquire_sec_context_by_oid, + krb5_gss_inquire_cred_by_oid, + iakerb_gss_set_sec_context_option, + krb5_gssspi_set_cred_option, + krb5_gssspi_mech_invoke, + NULL, /* wrap_aead */ + NULL, /* unwrap_aead */ + iakerb_gss_wrap_iov, + iakerb_gss_unwrap_iov, + iakerb_gss_wrap_iov_length, + NULL, /* complete_auth_token */ + NULL, /* acquire_cred_impersonate_name */ + NULL, /* add_cred_impersonate_name */ + NULL, /* display_name_ext */ + krb5_gss_inquire_name, + krb5_gss_get_name_attribute, + krb5_gss_set_name_attribute, + 
krb5_gss_delete_name_attribute, + krb5_gss_export_name_composite, + krb5_gss_map_name_to_any, + krb5_gss_release_any_name_mapping, + iakerb_gss_pseudo_random, + NULL, /* set_neg_mechs */ + krb5_gss_inquire_saslname_for_mech, + krb5_gss_inquire_mech_for_saslname, + krb5_gss_inquire_attrs_for_mech, + krb5_gss_acquire_cred_from, + krb5_gss_store_cred_into, + iakerb_gss_acquire_cred_with_password, + krb5_gss_export_cred, + krb5_gss_import_cred, + NULL, /* import_sec_context_by_mech */ + NULL, /* import_name_by_mech */ + NULL, /* import_cred_by_mech */ + iakerb_gss_get_mic_iov, + iakerb_gss_verify_mic_iov, + iakerb_gss_get_mic_iov_length, +}; + #ifdef _GSS_STATIC_LINK #include "mglueP.h" static int gss_iakerbmechglue_init(void) { struct gss_mech_config mech_iakerb; - struct gss_config iakerb_mechanism = krb5_mechanism; - - /* IAKERB mechanism mirrors krb5, but with different context SPIs */ - iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context; - iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context; - iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context; - iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred; - iakerb_mechanism.gssspi_acquire_cred_with_password - = iakerb_gss_acquire_cred_with_password; memset(&mech_iakerb, 0, sizeof(mech_iakerb)); mech_iakerb.mech = &iakerb_mechanism; diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index f30de32..4662bd9 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec { gss_ctx_id_t gssc; krb5_data conv; /* conversation for checksumming */ unsigned int count; /* number of round trips */ + int initiate; + int established; krb5_get_init_creds_opt *gic_opts; }; 
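Review bot: The new `iakerb_mechanism` table in gssapi_krb5.c is filled positionally, and several of its `NULL` slots carry no label (the entry right after the OID, the ones in the `LEAN_CLIENT` and `IOV_SHIM_EXERCISE*` branches, and the one following `iakerb_gss_export_sec_context`), while later ones do (`/* add_cred */`, `/* wrap_aead */`). The table exists to keep every context-taking entry point on an `iakerb_` function, so an entry shifted by one slot would quietly route a call to a function that expects a different handle type. I would label every slot the same way, for example `NULL, /* import_sec_context */`; that name is inferred from position and should be confirmed against the `struct gss_config` definition, which is not visible here.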
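Review bot: The two fields added to `struct _iakerb_ctx_id_rec` in the `@@ -47` hunk of iakerb.c have no comments, unlike `conv` and `count` directly above them. Going by how the later hunks set them, I would write `int initiate; /* nonzero if created by init_sec_context */` and `int established; /* nonzero once the inner krb5 exchange has completed */`.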
@@ -695,7 +697,7 @@ cleanup: * Allocate and initialise an IAKERB context */ static krb5_error_code -iakerb_alloc_context(iakerb_ctx_id_t *pctx) +iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate) { iakerb_ctx_id_t ctx; krb5_error_code code; @@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx) ctx->magic = KG_IAKERB_CONTEXT; ctx->state = IAKERB_AS_REQ; ctx->count = 0; + ctx->initiate = initiate; + ctx->established = 0; code = krb5_gss_init_context(&ctx->k5c); if (code != 0) @@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, gss_buffer_t output_token) { - OM_uint32 major_status = GSS_S_COMPLETE; + iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; if (output_token != GSS_C_NO_BUFFER) { output_token->length = 0; @@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, } *minor_status = 0; + *context_handle = GSS_C_NO_CONTEXT; + iakerb_release_context(iakerb_ctx); - if (*context_handle != GSS_C_NO_CONTEXT) { - iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; - - if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) { - iakerb_release_context(iakerb_ctx); - *context_handle = GSS_C_NO_CONTEXT; - } else { - assert(iakerb_ctx->magic == KG_CONTEXT); - - major_status = krb5_gss_delete_sec_context(minor_status, - context_handle, - output_token); - } - } - - return major_status; + return GSS_S_COMPLETE; } static krb5_boolean @@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); if (initialContextToken) { - code = iakerb_alloc_context(&ctx); + code = iakerb_alloc_context(&ctx, 0); if (code != 0) goto cleanup; 
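Review bot: `iakerb_gss_delete_sec_context` now passes `*context_handle` to `iakerb_release_context()` unconditionally, where the removed code first tested `*context_handle != GSS_C_NO_CONTEXT`. That is safe only if `iakerb_release_context()` returns early on a NULL argument, which these hunks do not show. If it does not, keep a guard such as `if (iakerb_ctx != NULL) iakerb_release_context(iakerb_ctx);`. The function's signature sits in the preceding hunk and its body is split across the two.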
@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, time_rec, delegated_cred_handle, &exts); - if (major_status == GSS_S_COMPLETE) { - *context_handle = ctx->gssc; - ctx->gssc = NULL; - iakerb_release_context(ctx); - } + if (major_status == GSS_S_COMPLETE) + ctx->established = 1; if (mech_type != NULL) *mech_type = (gss_OID)gss_mech_krb5; } @@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); if (initialContextToken) { - code = iakerb_alloc_context(&ctx); + code = iakerb_alloc_context(&ctx, 1); if (code != 0) { *minor_status = code; goto cleanup; @@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, ret_flags, time_rec, &exts); - if (major_status == GSS_S_COMPLETE) { - *context_handle = ctx->gssc; - ctx->gssc = GSS_C_NO_CONTEXT; - iakerb_release_context(ctx); - } + if (major_status == GSS_S_COMPLETE) + ctx->established = 1; if (actual_mech_type != NULL) *actual_mech_type = (gss_OID)gss_mech_krb5; } else { 
@@ -1010,3 +995,309 @@ cleanup: return major_status; } + +OM_uint32 KRB5_CALLCONV +iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, int *conf_state, + gss_qop_t *qop_state) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer, + output_message_buffer, conf_state, qop_state); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int conf_req_flag, gss_qop_t qop_req, + gss_buffer_t input_message_buffer, int *conf_state, + gss_buffer_t output_message_buffer) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req, + input_message_buffer, conf_state, + output_message_buffer); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_process_context_token(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t token_buffer) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_DEFECTIVE_TOKEN; + + return krb5_gss_process_context_token(minor_status, ctx->gssc, + token_buffer); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + OM_uint32 *time_rec) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_context_time(minor_status, ctx->gssc, time_rec); +} + +#ifndef LEAN_CLIENT + +OM_uint32 KRB5_CALLCONV +iakerb_gss_export_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t interprocess_token) +{ + OM_uint32 maj; + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + /* We don't currently 
support exporting partially established contexts. */ + if (!ctx->established) + return GSS_S_UNAVAILABLE; + + maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc, + interprocess_token); + if (ctx->gssc == GSS_C_NO_CONTEXT) { + iakerb_release_context(ctx); + *context_handle = GSS_C_NO_CONTEXT; + } + return maj; +} + +/* + * Until we implement partial context exports, there are no SPNEGO exported + * context tokens, only tokens for the underlying krb5 context. So we do not + * need to implement an iakerb_gss_import_sec_context() yet; it would be + * unreachable except via a manually constructed token. + */ + +#endif /* LEAN_CLIENT */ + +OM_uint32 KRB5_CALLCONV +iakerb_gss_inquire_context(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_name_t *src_name, + gss_name_t *targ_name, OM_uint32 *lifetime_rec, + gss_OID *mech_type, OM_uint32 *ctx_flags, + int *initiate, int *opened) +{ + OM_uint32 ret; + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (src_name != NULL) + *src_name = GSS_C_NO_NAME; + if (targ_name != NULL) + *targ_name = GSS_C_NO_NAME; + if (lifetime_rec != NULL) + *lifetime_rec = 0; + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_iakerb; + if (ctx_flags != NULL) + *ctx_flags = 0; + if (initiate != NULL) + *initiate = ctx->initiate; + if (opened != NULL) + *opened = ctx->established; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_COMPLETE; + + ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name, + targ_name, lifetime_rec, mech_type, + ctx_flags, initiate, opened); + + if (!ctx->established) { + /* Report IAKERB as the mech OID until the context is established. */ + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_iakerb; + + /* We don't support exporting partially-established contexts. 
*/ + if (ctx_flags != NULL) + *ctx_flags &= ~GSS_C_TRANS_FLAG; + } + + return ret; +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, int conf_req_flag, + gss_qop_t qop_req, OM_uint32 req_output_size, + OM_uint32 *max_input_size) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag, + qop_req, req_output_size, max_input_size); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_buffer_t message_buffer, + gss_buffer_t message_token) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer, + message_token); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_buffer_t msg_buffer, gss_buffer_t token_buffer, + gss_qop_t *qop_state) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer, + token_buffer, qop_state); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_UNAVAILABLE; + + return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc, + desired_object, data_set); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + iakerb_ctx_id_t ctx = 
(iakerb_ctx_id_t)*context_handle; + + if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_UNAVAILABLE; + + return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc, + desired_object, value); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int conf_req_flag, gss_qop_t qop_req, int *conf_state, + gss_iov_buffer_desc *iov, int iov_count) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req, + conf_state, iov, iov_count); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int *conf_state, gss_qop_t *qop_state, + gss_iov_buffer_desc *iov, int iov_count) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state, + iov, iov_count); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, int conf_req_flag, + gss_qop_t qop_req, int *conf_state, + gss_iov_buffer_desc *iov, int iov_count) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag, + qop_req, conf_state, iov, iov_count); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + int prf_key, const gss_buffer_t prf_in, + ssize_t desired_output_len, gss_buffer_t prf_out) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in, + desired_output_len, prf_out); +} + +OM_uint32 KRB5_CALLCONV 
+iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_iov_buffer_desc *iov, + int iov_count) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov, + iov_count); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t *qop_state, gss_iov_buffer_desc *iov, + int iov_count) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov, + iov_count); +} + +OM_uint32 KRB5_CALLCONV +iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_qop_t qop_req, + gss_iov_buffer_desc *iov, int iov_count) +{ + iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; + + if (ctx->gssc == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; + + return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov, + iov_count); +} debian/patches/CVE-2016-3120.patch0000664000000000000000000000354713415160137013240 0ustar From 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 Mon Sep 17 00:00:00 2001 
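Review bot: `iakerb_gss_export_sec_context` casts the wrong value. Its `context_handle` parameter is a `gss_ctx_id_t *`, so `(iakerb_ctx_id_t)context_handle` treats the caller's pointer variable as the context record, and the `ctx->established` and `&ctx->gssc` accesses that follow touch memory that is not an IAKERB context. The line should dereference first, `iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;`, as `iakerb_gss_set_sec_context_option` and `iakerb_gss_delete_sec_context` already do for their pointer-typed handles. The series file later on this page lists `0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch`, which presumably carries this correction, so this patch should not be shipped without it.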
From: Greg Hudson Date: Tue, 19 Jul 2016 11:00:28 -0400 Subject: [PATCH] Fix S4U2Self KDC crash when anon is restricted In validate_as_request(), when enforcing restrict_anonymous_to_tgt, use client.princ instead of request->client; the latter is NULL when validating S4U2Self requests. CVE-2016-3120: In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc to dereference a null pointer if the restrict_anonymous_to_tgt option is set to true, by making an S4U2Self request. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C ticket: 8458 (new) target_version: 1.14-next target_version: 1.13-next --- src/kdc/kdc_util.c | 2 +- src/tests/t_pkinit.py | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 776e130e55..29f9dbbf07 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -739,7 +739,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, return(KDC_ERR_MUST_USE_USER2USER); } - if (check_anon(kdc_active_realm, request->client, request->server) != 0) { + if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; return(KDC_ERR_POLICY); } diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py index b66c458dff..f0214b6529 100755 --- a/src/tests/t_pkinit.py +++ b/src/tests/t_pkinit.py @@ -93,6 +93,11 @@ if 'KDC policy rejects request' not in out: fail('Wrong error for restricted anonymous PKINIT') +# Regression test for #8458: S4U2Self requests crash the KDC if +# anonymous is restricted. +realm.kinit(realm.host_princ, flags=['-k']) +realm.run([kvno, '-U', 'user', realm.host_princ]) + # Go back to a normal KDC and disable anonymous PKINIT. realm.stop_kdc() realm.start_kdc() debian/patches/0031-Prevent-requires_preauth-bypass-CVE-2015-2694.patch0000664000000000000000000000735412620645610022145 0ustar From 8159057a3dfa382ffd6c1cceaab436011e92f435 Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Tue, 24 Mar 2015 12:02:37 -0400 Subject: Prevent requires_preauth bypass [CVE-2015-2694] In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until the request is successfully verified. In the PKINIT kdcpreauth module, don't respond with code 0 on empty input or an unconfigured realm. Together these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated. CVE-2015-2694: In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C (cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604) ticket: 8160 version_fixed: 1.13.2 status: resolved (cherry picked from commit df8afc60d970a7176a55ffe7ce21cfd57ba423cd) patch-category: upstream --- src/plugins/preauth/otp/main.c | 10 +++++++--- src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c index bf9c6a8..7941b4a 100644 --- a/src/plugins/preauth/otp/main.c +++ b/src/plugins/preauth/otp/main.c @@ -42,6 +42,7 @@ static krb5_preauthtype otp_pa_type_list[] = struct request_state { krb5_kdcpreauth_verify_respond_fn respond; void *arg; + krb5_enc_tkt_part *enc_tkt_reply; }; static krb5_error_code @@ -159,6 +160,9 @@ on_response(void *data, krb5_error_code retval, otp_response response) if (retval == 0 && response != otp_response_success) retval = KRB5_PREAUTH_FAILED; + if (retval == 0) + rs.enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + rs.respond(rs.arg, retval, NULL, NULL, NULL); } 
@@ -263,8 +267,6 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_data d, plaintext; char *config; - enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - /* Get the FAST armor key. */ armor_key = cb->fast_armor(context, rock); if (armor_key == NULL) { @@ -298,12 +300,14 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, goto error; } - /* Create the request state. */ + /* Create the request state. Save the response callback, and the + * enc_tkt_reply pointer so we can set the TKT_FLG_PRE_AUTH flag later. */ rs = k5alloc(sizeof(struct request_state), &retval); if (rs == NULL) goto error; rs->arg = arg; rs->respond = respond; + rs->enc_tkt_reply = enc_tkt_reply; /* Get the principal's OTP configuration string. */ retval = cb->get_string(context, rock, "otp", &config); diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 1179216..279415a 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -306,7 +306,7 @@ pkinit_server_verify_padata(krb5_context context, pkiDebug("pkinit_verify_padata: entered!\n"); if (data == NULL || data->length <= 0 || data->contents == NULL) { - (*respond)(arg, 0, NULL, NULL, NULL); + (*respond)(arg, EINVAL, NULL, NULL, NULL); return; } @@ -318,7 +318,7 @@ pkinit_server_verify_padata(krb5_context context, plgctx = pkinit_find_realm_context(context, moddata, request->server); if (plgctx == NULL) { - (*respond)(arg, 0, NULL, NULL, NULL); + (*respond)(arg, EINVAL, NULL, NULL, NULL); return; } debian/patches/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch0000664000000000000000000001056112620645576021506 0ustar From 200a429df2c47467eb3a0973eb7594a475cc18fe Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Tue, 9 Dec 2014 12:37:44 -0500 Subject: Fix krb5_read_message handling [CVE-2014-5355] In recvauth_common, do not use strcmp against the data fields of krb5_data objects populated by krb5_read_message(), as there is no guarantee that they are C strings. Instead, create an expected krb5_data value and use data_eq(). In the sample user-to-user server application, check that the received client principal name is null-terminated before using it with printf and krb5_parse_name. CVE-2014-5355: In MIT krb5, when a server process uses the krb5_recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example user-to-user server application (uuserver) is similarly vulnerable to a zero-length or non-null-terminated principal name string. The krb5_recvauth function reads two version strings from the client using krb5_read_message(), which produces a krb5_data structure containing a length and a pointer to an octet sequence. krb5_recvauth assumes that the data pointer is a valid C string and passes it to strcmp() to verify the versions. If the client sends an empty octet sequence, the data pointer will be NULL and strcmp() will dereference a NULL pointer, causing the process to crash. If the client sends a non-null-terminated octet sequence, strcmp() will read beyond the end of the allocated storage, possibly causing the process to crash. uuserver similarly uses krb5_read_message() to read a client principal name, and then passes it to printf() and krb5_parse_name() without verifying that it is a valid C string. The krb5_recvauth function is used by kpropd and the Kerberized versions of the BSD rlogin and rsh daemons. 
These daemons are usually run out of inetd or in a mode which forks before processing incoming connections, so a process crash will generally not result in a complete denial of service. Thanks to Tim Uglow for discovering this issue. CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVSS score] ticket: 8050 (new) target_version: 1.13.1 tags: pullup (cherry picked from commit 102bb6ebf20f9174130c85c3b052ae104e5073ec) Patch-Category: upstream --- src/appl/user_user/server.c | 4 +++- src/lib/krb5/krb/recvauth.c | 9 ++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/appl/user_user/server.c b/src/appl/user_user/server.c index dbff68e..b136c72 100644 --- a/src/appl/user_user/server.c +++ b/src/appl/user_user/server.c @@ -113,8 +113,10 @@ int main(argc, argv) } #endif + /* principal name must be sent null-terminated. */ retval = krb5_read_message(context, (krb5_pointer) &sock, &pname_data); - if (retval) { + if (retval || pname_data.length == 0 || + pname_data.data[pname_data.length - 1] != '\0') { com_err ("uu-server", retval, "reading pname"); return 2; } diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c index da836283..5adc6dd 100644 --- a/src/lib/krb5/krb/recvauth.c +++ b/src/lib/krb5/krb/recvauth.c @@ -59,6 +59,7 @@ recvauth_common(krb5_context context, krb5_rcache rcache = 0; krb5_octet response; krb5_data null_server; + krb5_data d; int need_error_free = 0; int local_rcache = 0, local_authcon = 0; @@ -77,7 +78,8 @@ recvauth_common(krb5_context context, */ if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); - if (strcmp(inbuf.data, sendauth_version)) { + d = make_data((char *)sendauth_version, strlen(sendauth_version) + 1); + if (!data_eq(inbuf, d)) { problem = KRB5_SENDAUTH_BADAUTHVERS; response = 1; } 
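Review bot: In the uuserver check, the two new conditions share the error path of a failed read. An empty or unterminated principal name therefore reaches `com_err ("uu-server", retval, "reading pname")` with `retval == 0`, and the log shows no error code for input that was rejected. Setting a code first, e.g. `if (!retval) retval = EINVAL;` ahead of the `com_err` call, or using a distinct message for the malformed case, would let an operator tell a transport failure from a malformed name. `main` begins and continues outside the hunk.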
@@ -93,8 +95,9 @@ recvauth_common(krb5_context context, */ if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); - if (appl_version && strcmp(inbuf.data, appl_version)) { - if (!problem) { + if (appl_version != NULL && !problem) { + d = make_data(appl_version, strlen(appl_version) + 1); + if (!data_eq(inbuf, d)) { problem = KRB5_SENDAUTH_BADAPPLVERS; response = 2; } debian/patches/0001-ticket-new.patch0000664000000000000000000000166212272025332014273 0ustar From dd9889002709128e0096d5fd4e36509b05e000b8 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 26 Dec 2011 18:05:13 -0500 Subject: =?UTF-8?q?ticket:=20new=0Asubject:=20fix=20ksu=20environment=20va?= =?UTF-8?q?riable=20handling?= Fix error messages from ksu patch-name: ksu-fix-env-errors --- src/clients/ksu/ksu.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h index f2c0811..cbc4a57 100644 --- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -55,8 +55,12 @@ #define CHUNK 3 #define CACHE_MODE 0600 -#define MAX_CMD 2048 /* this is temp, should use realloc instead, - as done in most of the code */ +#define MAX_CMD 2048 /* this is temp, should use realloc instead, + as done in most of the code */ + +#ifndef MAXPATHLEN +# define MAXPATHLEN 4096 +#endif extern int optind; debian/patches/0036-Fix-SPNEGO-context-import.patch0000664000000000000000000000421312620645703016744 0ustar From 2767f63e5d4d35c16d8a2e4863d15341f9ac0a9b Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Wed, 4 Nov 2015 21:29:10 -0500 Subject: Fix SPNEGO context import The patches for CVE-2015-2695 did not implement a SPNEGO gss_import_sec_context() function, under the erroneous belief than an exported SPNEGO context would be tagged with the underlying context mechanism. Implement it now to allow SPNEGO contexts to be successfully exported and imported after establishment. ticket: 8273 (cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d) Patch-Category: upstream --- src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) Index: krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- krb5-1.12+dfsg.orig/src/lib/gssapi/spnego/spnego_mech.c 2015-11-11 09:08:01.168866504 -0500 +++ krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c 2015-11-11 09:08:01.168866504 -0500 
@@ -2188,12 +2188,33 @@ const gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle) { - /* - * Until we implement partial context exports, there are no SPNEGO - * exported context tokens, only tokens for underlying mechs. So just - * return an error for now. - */ - return GSS_S_UNAVAILABLE; + OM_uint32 ret, tmpmin; + gss_ctx_id_t mctx; + spnego_gss_ctx_id_t sc; + int initiate, opened; + + ret = gss_import_sec_context(minor_status, interprocess_token, &mctx); + if (ret != GSS_S_COMPLETE) + return ret; + + ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL, + &initiate, &opened); + if (ret != GSS_S_COMPLETE || !opened) { + /* We don't currently support importing partially established + * contexts. */ + (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER); + return GSS_S_FAILURE; + } + + sc = create_spnego_ctx(initiate); + if (sc == NULL) { + (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER); + return GSS_S_FAILURE; + } + sc->ctx_handle = mctx; + sc->opened = 1; + *context_handle = (gss_ctx_id_t)sc; + return GSS_S_COMPLETE; } #endif /* LEAN_CLIENT */ debian/patches/CVE-2015-8630.patch0000664000000000000000000000543613415155014013247 0ustar From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001 
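Review bot: The two failure returns added after `gss_import_sec_context()` succeeds leave `*minor_status` holding the value from that successful call. They also replace whatever `gss_inquire_context()` reported with a bare `GSS_S_FAILURE`, so a caller cannot tell an unestablished imported context from an allocation failure. Consider setting the minor code on each path, for example `*minor_status = ENOMEM;` before the return that follows a NULL result from `create_spnego_ctx()`, and returning `ret` when the inquire call itself failed. The function's signature starts outside the hunk.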
From: Greg Hudson Date: Fri, 8 Jan 2016 12:52:28 -0500 Subject: [PATCH] Check for null kadm5 policy name [CVE-2015-8630] In kadm5_create_principal_3() and kadm5_modify_principal(), check for entry->policy being null when KADM5_POLICY is included in the mask. CVE-2015-8630: In MIT krb5 1.12 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C ticket: 8342 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup --- src/lib/kadm5/srv/svr_principal.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 5b95fa3e13..1d4365c836 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle, /* * Argument sanity checking, and opening up the DB */ + if (entry == NULL) + return EINVAL; if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || @@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle, return KADM5_BAD_MASK; if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0) return KADM5_BAD_MASK; + if((mask & KADM5_POLICY) && entry->policy == NULL) + return KADM5_BAD_MASK; if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) return KADM5_BAD_MASK; - if (entry == NULL) - return EINVAL; /* * Check to see if the principal exists 
@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle, krb5_clear_error_message(handle->context); + if(entry == NULL) + return EINVAL; if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) || (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) || (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || @@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle, return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) return KADM5_BAD_MASK; + if((mask & KADM5_POLICY) && entry->policy == NULL) + return KADM5_BAD_MASK; if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) return KADM5_BAD_MASK; - if(entry == (kadm5_principal_ent_t) NULL) - return EINVAL; if (mask & KADM5_TL_DATA) { tl_data_orig = entry->tl_data; while (tl_data_orig) { debian/patches/0034-Fix-two-IAKERB-comments.patch0000664000000000000000000000303612620645656016355 0ustar From 0874247af914192102c97c49941772b24ec5136c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 27 Oct 2015 00:44:24 -0400 Subject: Fix two IAKERB comments The comment explaining why there is no iakerb_gss_import_sec_context() erroneously referenced SPNEGO instead of IAKERB (noticed by Ben Kaduk). The comment above iakerb_gss_delete_sec_context() is out of date after the last commit. (cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d) Patch-Category: upstream --- src/lib/gssapi/krb5/iakerb.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index 4662bd9..e25862d 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -727,10 +727,6 @@ cleanup: return code; } -/* - * Delete an IAKERB context. This can also accept Kerberos context - * handles. The heuristic is similar to SPNEGO's delete_sec_context. - */ OM_uint32 KRB5_CALLCONV iakerb_gss_delete_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle, 
@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, } /* - * Until we implement partial context exports, there are no SPNEGO exported + * Until we implement partial context exports, there are no IAKERB exported * context tokens, only tokens for the underlying krb5 context. So we do not * need to implement an iakerb_gss_import_sec_context() yet; it would be * unreachable except via a manually constructed token. debian/patches/series0000664000000000000000000000261113415424530012035 0ustar 0001-ticket-new.patch debian-local/0002-Debian-HURD-compatibility.patch debian-local/0003-debian-suppress-usr-lib-in-krb5-config.patch debian-local/0004-debian-osconf.hin-path-changes.patch debian-local/0005-debian-install-ldap-library-in-subdirectory.patch debian-local/0006-gssapi-never-unload-mechanisms.patch debian-local/0007-Add-substpdf-target.patch 0008-autoreconf.patch debian-local/0009-.gbp.conf.patch avoid_mechglue_recursive_calls_new_symbols Use-TAILQ-macros-instead-of-CIRCLEQ-in-libdb2.patch CVE-2014-4341-4342.patch CVE-2014-4343.patch CVE-2014-4344.patch CVE-2014-4345.patch CVE-2014-5351.patch CVE-2014-5352.patch CVE-2014-5353.patch CVE-2014-5354.patch CVE-2014-9421.patch CVE-2014-9422.patch CVE-2014-9423.patch 0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch 0031-Prevent-requires_preauth-bypass-CVE-2015-2694.patch 0031-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch 0032-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch 0033-Fix-build_principal-memory-bug-CVE-2015-2697.patch 0034-Fix-two-IAKERB-comments.patch 0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch 0036-Fix-SPNEGO-context-import.patch upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch CVE-2015-8629.patch CVE-2015-8630.patch CVE-2015-8631.patch CVE-2016-3119.patch CVE-2016-3120.patch CVE-2017-11368-1.patch CVE-2017-11368-2.patch CVE-2017-11462.patch CVE-2018-5729-CVE-2018-5730.patch 
debian/patches/0031-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch0000664000000000000000000003741612620645630021567 0ustar From 7c363c0667d2d17e9e434f6eaa506b89ca56ffac Mon Sep 17 00:00:00 2001 
From: Nicolas Williams Date: Mon, 14 Sep 2015 12:27:52 -0400 Subject: Fix SPNEGO context aliasing bugs [CVE-2015-2695] The SPNEGO mechanism currently replaces its context handle with the mechanism context handle upon establishment, under the assumption that most GSS functions are only called after context establishment. This assumption is incorrect, and can lead to aliasing violations for some programs. Maintain the SPNEGO context structure after context establishment and refer to it in all GSS methods. Add initiate and opened flags to the SPNEGO context structure for use in gss_inquire_context() prior to context establishment. CVE-2015-2695: In MIT krb5 1.5 and later, applications which call gss_inquire_context() on a partially-established SPNEGO context can cause the GSS-API library to read from a pointer using the wrong type, generally causing a process crash. This bug may go unnoticed, because the most common SPNEGO authentication scenario establishes the context after just one call to gss_accept_sec_context(). Java server applications using the native JGSS provider are vulnerable to this bug. A carefully crafted SPNEGO packet might allow the gss_inquire_context() call to succeed with attacker-determined results, but applications should not make access control decisions based on gss_inquire_context() results prior to context establishment. 
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C [ghudson@mit.edu: several bugfixes, style changes, and edge-case behavior changes; commit message and CVE description] ticket: 8244 target_version: 1.14 tags: pullup (cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d) (cherry picked from commit b813d5811432faed844a2dfd3daecde914978f2c) Patch-Category: upstream --- src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- 2 files changed, 192 insertions(+), 64 deletions(-) Index: krb5-1.12+dfsg/src/lib/gssapi/spnego/gssapiP_spnego.h =================================================================== --- krb5-1.12+dfsg.orig/src/lib/gssapi/spnego/gssapiP_spnego.h 2015-11-11 09:07:15.090380006 -0500 +++ krb5-1.12+dfsg/src/lib/gssapi/spnego/gssapiP_spnego.h 2015-11-11 09:07:15.082380267 -0500 @@ -102,6 +102,8 @@ int firstpass; int mech_complete; int nego_done; + int initiate; + int opened; OM_uint32 ctx_flags; gss_name_t internal_name; gss_OID actual_mech; Index: krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- krb5-1.12+dfsg.orig/src/lib/gssapi/spnego/spnego_mech.c 2015-11-11 09:07:15.090380006 -0500 +++ krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c 2015-11-11 09:07:15.082380267 -0500 @@ -108,7 +108,7 @@ gss_cred_usage_t, gss_OID_set *); static void release_spnego_ctx(spnego_gss_ctx_id_t *); static void check_spnego_options(spnego_gss_ctx_id_t); -static spnego_gss_ctx_id_t create_spnego_ctx(void); +static spnego_gss_ctx_id_t create_spnego_ctx(int); static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); 
@@ -440,7 +440,7 @@ } static spnego_gss_ctx_id_t -create_spnego_ctx(void) +create_spnego_ctx(int initiate) { spnego_gss_ctx_id_t spnego_ctx = NULL; spnego_ctx = (spnego_gss_ctx_id_t) @@ -463,6 +463,8 @@ spnego_ctx->mic_rcvd = 0; spnego_ctx->mech_complete = 0; spnego_ctx->nego_done = 0; + spnego_ctx->opened = 0; + spnego_ctx->initiate = initiate; spnego_ctx->internal_name = GSS_C_NO_NAME; spnego_ctx->actual_mech = GSS_C_NO_OID; @@ -595,7 +597,7 @@ OM_uint32 ret; spnego_gss_ctx_id_t sc = NULL; - sc = create_spnego_ctx(); + sc = create_spnego_ctx(1); if (sc == NULL) return GSS_S_FAILURE; @@ -612,10 +614,7 @@ ret = GSS_S_FAILURE; goto cleanup; } - /* - * The actual context is not yet determined, set the output - * context handle to refer to the spnego context itself. - */ + sc->ctx_handle = GSS_C_NO_CONTEXT; *ctx = (gss_ctx_id_t)sc; sc = NULL; @@ -1043,16 +1042,11 @@ } gss_release_buffer(&tmpmin, &mechtok_out); if (ret == GSS_S_COMPLETE) { - /* - * Now, switch the output context to refer to the - * negotiated mechanism's context. - */ - *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle; + spnego_ctx->opened = 1; if (actual_mech != NULL) *actual_mech = spnego_ctx->actual_mech; if (ret_flags != NULL) *ret_flags = spnego_ctx->ctx_flags; - release_spnego_ctx(&spnego_ctx); } else if (ret != GSS_S_CONTINUE_NEEDED) { if (spnego_ctx != NULL) { gss_delete_sec_context(&tmpmin, @@ -1296,7 +1290,7 @@ if (ret != GSS_S_COMPLETE) goto cleanup; - sc = create_spnego_ctx(); + sc = create_spnego_ctx(0); if (sc == NULL) { ret = GSS_S_FAILURE; goto cleanup; @@ -1378,7 +1372,7 @@ gss_release_buffer(&tmpmin, &sc->DER_mechTypes); assert(mech_wanted != GSS_C_NO_OID); } else - sc = create_spnego_ctx(); + sc = create_spnego_ctx(0); if (sc == NULL) { ret = GSS_S_FAILURE; *return_token = NO_TOKEN_SEND; 
@@ -1761,13 +1755,12 @@ ret = GSS_S_FAILURE; } if (ret == GSS_S_COMPLETE) { - *context_handle = (gss_ctx_id_t)sc->ctx_handle; + sc->opened = 1; if (sc->internal_name != GSS_C_NO_NAME && src_name != NULL) { *src_name = sc->internal_name; sc->internal_name = GSS_C_NO_NAME; } - release_spnego_ctx(&sc); } else if (ret != GSS_S_CONTINUE_NEEDED) { if (sc != NULL) { gss_delete_sec_context(&tmpmin, &sc->ctx_handle, @@ -2060,8 +2053,13 @@ gss_qop_t *qop_state) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_unwrap(minor_status, - context_handle, + sc->ctx_handle, input_message_buffer, output_message_buffer, conf_state, @@ -2081,8 +2079,13 @@ gss_buffer_t output_message_buffer) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_wrap(minor_status, - context_handle, + sc->ctx_handle, conf_req_flag, qop_req, input_message_buffer, @@ -2099,8 +2102,14 @@ const gss_buffer_t token_buffer) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + /* SPNEGO doesn't have its own context tokens. */ + if (!sc->opened) + return (GSS_S_DEFECTIVE_TOKEN); + ret = gss_process_context_token(minor_status, - context_handle, + sc->ctx_handle, token_buffer); return (ret); @@ -2124,19 +2133,9 @@ if (*ctx == NULL) return (GSS_S_COMPLETE); - /* - * If this is still an SPNEGO mech, release it locally. - */ - if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) { - (void) gss_delete_sec_context(minor_status, - &(*ctx)->ctx_handle, - output_token); - (void) release_spnego_ctx(ctx); - } else { - ret = gss_delete_sec_context(minor_status, - context_handle, - output_token); - } + (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle, + output_token); + (void) release_spnego_ctx(ctx); return (ret); } 
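Review bot: In the gss_unwrap wrapper, `sc` is dereferenced for `sc->ctx_handle` straight after the cast, with no check that the handle is non-NULL. The same pattern appears in nearly every other wrapper hunk of this patch (wrap, context_time, wrap_size_limit, get_mic, verify_mic, the AEAD and IOV variants, complete_auth_token, pseudo_random, inquire_context). Only the gss_set_sec_context_option hunk tests `sc == NULL`. If the mechglue can ever pass an empty handle to these entry points, which cannot be seen from here, the guard should be `if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) return (GSS_S_NO_CONTEXT);`. The function bodies start outside the hunks.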
@@ -2148,8 +2147,13 @@ OM_uint32 *time_rec) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_context_time(minor_status, - context_handle, + sc->ctx_handle, time_rec); return (ret); } @@ -2161,9 +2165,20 @@ gss_buffer_t interprocess_token) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle; + + /* We don't currently support exporting partially established + * contexts. */ + if (!sc->opened) + return GSS_S_UNAVAILABLE; + ret = gss_export_sec_context(minor_status, - context_handle, + &sc->ctx_handle, interprocess_token); + if (sc->ctx_handle == GSS_C_NO_CONTEXT) { + release_spnego_ctx(&sc); + *context_handle = GSS_C_NO_CONTEXT; + } return (ret); } @@ -2173,11 +2188,12 @@ const gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle) { - OM_uint32 ret; - ret = gss_import_sec_context(minor_status, - interprocess_token, - context_handle); - return (ret); + /* + * Until we implement partial context exports, there are no SPNEGO + * exported context tokens, only tokens for underlying mechs. So just + * return an error for now. + */ + return GSS_S_UNAVAILABLE; } #endif /* LEAN_CLIENT */ 
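Review bot: Import now fails unconditionally with `GSS_S_UNAVAILABLE`, while the export hunk just above still succeeds for an opened context. The two are consistent only if the token written by export is always routed to the underlying mechanism's import function. That routing is decided in the mechglue, outside this patch. If the mechglue labels the exported token with the SPNEGO OID, a context exported after this change could not be imported again. Please confirm with an export/import round trip on an established SPNEGO context, and extend the new comment to say which layer is expected to handle the import.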
@@ -2194,16 +2210,48 @@ int *opened) { OM_uint32 ret = GSS_S_COMPLETE; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (src_name != NULL) + *src_name = GSS_C_NO_NAME; + if (targ_name != NULL) + *targ_name = GSS_C_NO_NAME; + if (lifetime_rec != NULL) + *lifetime_rec = 0; + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_spnego; + if (ctx_flags != NULL) + *ctx_flags = 0; + if (locally_initiated != NULL) + *locally_initiated = sc->initiate; + if (opened != NULL) + *opened = sc->opened; + + if (sc->ctx_handle != GSS_C_NO_CONTEXT) { + ret = gss_inquire_context(minor_status, sc->ctx_handle, + src_name, targ_name, lifetime_rec, + mech_type, ctx_flags, NULL, NULL); + } - ret = gss_inquire_context(minor_status, - context_handle, - src_name, - targ_name, - lifetime_rec, - mech_type, - ctx_flags, - locally_initiated, - opened); + if (!sc->opened) { + /* + * We are still doing SPNEGO negotiation, so report SPNEGO as + * the OID. After negotiation is complete we will report the + * underlying mechanism OID. + */ + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_spnego; + + /* + * Remove flags we don't support with partially-established + * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add + * support for exporting partial SPNEGO contexts.) + */ + if (ctx_flags != NULL) { + *ctx_flags &= ~GSS_C_PROT_READY_FLAG; + *ctx_flags &= ~GSS_C_TRANS_FLAG; + } + } return (ret); } @@ -2218,8 +2266,13 @@ OM_uint32 *max_input_size) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_wrap_size_limit(minor_status, - context_handle, + sc->ctx_handle, conf_req_flag, qop_req, req_output_size, 
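Review bot: The name, lifetime and flag outputs are forwarded from the mechanism context even while `sc->opened` is 0; the `!sc->opened` branch overrides only `mech_type` and two flag bits. The commit message says callers must not base access-control decisions on gss_inquire_context() results before establishment, but nothing at the call site records that. I would add a comment above the inner call such as `/* Until sc->opened is set, these values come from a partially established mech context and must not be treated as final. */`. `mech_type` is also set to `gss_mech_spnego` twice, once in the defaults and once in the `!sc->opened` branch; a short comment that the second assignment overrides what the inner call wrote would make the intent clear. The function starts outside the hunk.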
@@ -2236,8 +2289,13 @@ gss_buffer_t message_token) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_get_mic(minor_status, - context_handle, + sc->ctx_handle, qop_req, message_buffer, message_token); @@ -2253,8 +2311,13 @@ gss_qop_t *qop_state) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_verify_mic(minor_status, - context_handle, + sc->ctx_handle, msg_buffer, token_buffer, qop_state); @@ -2269,8 +2332,14 @@ gss_buffer_set_t *data_set) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + /* There are no SPNEGO-specific OIDs for this function. */ + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_UNAVAILABLE); + ret = gss_inquire_sec_context_by_oid(minor_status, - context_handle, + sc->ctx_handle, desired_object, data_set); return (ret); @@ -2339,8 +2408,15 @@ const gss_buffer_t value) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle; + + /* There are no SPNEGO-specific OIDs for this function, and we cannot + * construct an empty SPNEGO context with it. */ + if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_UNAVAILABLE); + ret = gss_set_sec_context_option(minor_status, - context_handle, + &sc->ctx_handle, desired_object, value); return (ret); @@ -2357,8 +2433,13 @@ gss_buffer_t output_message_buffer) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_wrap_aead(minor_status, - context_handle, + sc->ctx_handle, conf_req_flag, qop_req, input_assoc_buffer, 
@@ -2379,8 +2460,13 @@ gss_qop_t *qop_state) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_unwrap_aead(minor_status, - context_handle, + sc->ctx_handle, input_message_buffer, input_assoc_buffer, output_payload_buffer, @@ -2399,8 +2485,13 @@ int iov_count) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_wrap_iov(minor_status, - context_handle, + sc->ctx_handle, conf_req_flag, qop_req, conf_state, @@ -2418,8 +2509,13 @@ int iov_count) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_unwrap_iov(minor_status, - context_handle, + sc->ctx_handle, conf_state, qop_state, iov, @@ -2437,8 +2533,13 @@ int iov_count) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_wrap_iov_length(minor_status, - context_handle, + sc->ctx_handle, conf_req_flag, qop_req, conf_state, @@ -2455,8 +2556,13 @@ gss_buffer_t input_message_buffer) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_UNAVAILABLE); + ret = gss_complete_auth_token(minor_status, - context_handle, + sc->ctx_handle, input_message_buffer); return (ret); } @@ -2708,8 +2814,13 @@ gss_buffer_t prf_out) { OM_uint32 ret; + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + ret = gss_pseudo_random(minor_status, - context, + sc->ctx_handle, prf_key, prf_in, desired_output_len, 
@@ -2850,7 +2961,12 @@ gss_qop_t qop_req, gss_iov_buffer_desc *iov, int iov_count) { - return gss_get_mic_iov(minor_status, context_handle, qop_req, iov, + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + + return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov, iov_count); } @@ -2859,7 +2975,12 @@ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count) { - return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov, + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + + return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov, iov_count); } @@ -2868,7 +2989,12 @@ gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, int iov_count) { - return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov, + spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; + + if (sc->ctx_handle == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); + + return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov, iov_count); } debian/patches/CVE-2014-5352.patch0000664000000000000000000002324112465221511013236 0ustar From 82dc33da50338ac84c7b4102dc6513d897d0506a Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Wed, 5 Nov 2014 11:58:04 -0500 Subject: [PATCH] Fix gss_process_context_token() [CVE-2014-5352] [MITKRB5-SA-2015-001] The krb5 gss_process_context_token() should not actually delete the context; that leaves the caller with a dangling pointer and no way to know that it is invalid. Instead, mark the context as terminated, and check for terminated contexts in the GSS functions which expect established contexts. Also add checks in export_sec_context and pseudo_random, and adjust t_prf.c for the pseudo_random check. ticket: 8055 (new) target_version: 1.13.1 tags: pullup --- src/lib/gssapi/krb5/context_time.c | 2 +- src/lib/gssapi/krb5/export_sec_context.c | 5 +++++ src/lib/gssapi/krb5/gssapiP_krb5.h | 1 + src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- src/lib/gssapi/krb5/inq_context.c | 2 +- src/lib/gssapi/krb5/k5seal.c | 2 +- src/lib/gssapi/krb5/k5sealiov.c | 2 +- src/lib/gssapi/krb5/k5unseal.c | 2 +- src/lib/gssapi/krb5/k5unsealiov.c | 2 +- src/lib/gssapi/krb5/lucid_context.c | 5 +++++ src/lib/gssapi/krb5/prf.c | 4 ++++ src/lib/gssapi/krb5/process_context_token.c | 17 ++++++++++++----- src/lib/gssapi/krb5/wrap_size_limit.c | 2 +- src/tests/gssapi/t_prf.c | 1 + 14 files changed, 36 insertions(+), 13 deletions(-) Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/context_time.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/context_time.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/context_time.c 2015-02-06 15:13:33.074677477 -0500 
@@ -40,7 +40,7 @@ ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/export_sec_context.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/export_sec_context.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/export_sec_context.c 2015-02-06 15:13:33.074677477 -0500 @@ -45,6 +45,11 @@ *minor_status = 0; ctx = (krb5_gss_ctx_id_t) *context_handle; + if (ctx->terminated) { + *minor_status = KG_CTX_INCOMPLETE; + return (GSS_S_NO_CONTEXT); + } + context = ctx->k5_context; kret = krb5_gss_ser_init(context); if (kret) Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-02-06 15:13:33.074677477 -0500 @@ -204,6 +204,7 @@ unsigned int established : 1; unsigned int have_acceptor_subkey : 1; unsigned int seed_init : 1; /* XXX tested but never actually set */ + unsigned int terminated : 1; OM_uint32 gss_flags; unsigned char seed[16]; krb5_gss_name_t here; Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/gssapi_krb5.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/gssapi_krb5.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/gssapi_krb5.c 2015-02-06 15:13:33.074677477 -0500 
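Review bot: The condition `ctx->terminated || !ctx->established` is written out by hand here in context_time.c and again in the gssapi_krb5.c, inq_context.c, k5seal.c, k5sealiov.c, k5unseal.c, k5unsealiov.c, lucid_context.c, prf.c, process_context_token.c and wrap_size_limit.c hunks. The lucid_context.c and prf.c hunks add the whole check where there was none before, which suggests an entry point can easily be left without it. A single helper next to the new bit-field in gssapiP_krb5.h, for instance `#define kg_ctx_usable(ctx) ((ctx)->established && !(ctx)->terminated)`, would keep the rule in one place and make a missing check easier to spot in review.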
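Review bot: The new guard in export_sec_context.c tests only `ctx->terminated`, while every other entry point touched by this patch tests `ctx->terminated || !ctx->established`. If the difference is deliberate, for example because exporting a context that is not yet established has to stay possible, it should be stated, e.g. `/* Only terminated contexts are refused here; established is intentionally not checked. */`. If it is not deliberate, the condition should match the others. The function starts and ends outside the hunk.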
@@ -369,7 +369,7 @@ ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (!ctx->established) + if (ctx->terminated || !ctx->established) return GSS_S_NO_CONTEXT; for (i = 0; i < sizeof(krb5_gss_inquire_sec_context_by_oid_ops)/ Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/inq_context.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/inq_context.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/inq_context.c 2015-02-06 15:13:33.074677477 -0500 @@ -105,7 +105,7 @@ ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5seal.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/k5seal.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5seal.c 2015-02-06 15:13:33.074677477 -0500 @@ -342,7 +342,7 @@ ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5sealiov.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/k5sealiov.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5sealiov.c 2015-02-06 15:13:33.074677477 -0500 
@@ -284,7 +284,7 @@ } ctx = (krb5_gss_ctx_id_rec *)context_handle; - if (!ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5unseal.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/k5unseal.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5unseal.c 2015-02-06 15:13:33.074677477 -0500 @@ -492,7 +492,7 @@ ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5unsealiov.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/k5unsealiov.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/k5unsealiov.c 2015-02-06 15:13:33.074677477 -0500 @@ -628,7 +628,7 @@ OM_uint32 code; ctx = (krb5_gss_ctx_id_rec *)context_handle; - if (!ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/lucid_context.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/lucid_context.c 2015-02-06 15:13:33.078677506 -0500 
@@ -75,6 +75,11 @@ *minor_status = 0; *data_set = GSS_C_NO_BUFFER_SET; + if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } + retval = generic_gss_oid_decompose(minor_status, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/prf.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/prf.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/prf.c 2015-02-06 15:13:33.078677506 -0500 @@ -60,6 +60,10 @@ ns.data = NULL; ctx = (krb5_gss_ctx_id_t)context; + if (ctx->terminated || !ctx->established) { + *minor_status = KG_CTX_INCOMPLETE; + return GSS_S_NO_CONTEXT; + } switch (prf_key) { case GSS_C_PRF_KEY_FULL: Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/process_context_token.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/process_context_token.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/process_context_token.c 2015-02-06 15:13:33.078677506 -0500 @@ -39,11 +39,18 @@ ctx = (krb5_gss_ctx_id_t) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } + /* We only support context deletion tokens for now, and RFC 4121 does not + * define a context deletion token. */ + if (ctx->proto) { + *minor_status = 0; + return(GSS_S_DEFECTIVE_TOKEN); + } + /* "unseal" the token */ if (GSS_ERROR(majerr = kg_unseal(minor_status, context_handle, 
@@ -52,8 +59,8 @@ KG_TOK_DEL_CTX))) return(majerr); - /* that's it. delete the context */ - - return(krb5_gss_delete_sec_context(minor_status, &context_handle, - GSS_C_NO_BUFFER)); + /* Mark the context as terminated, but do not delete it (as that would + * leave the caller with a dangling context handle). */ + ctx->terminated = 1; + return(GSS_S_COMPLETE); } Index: krb5-1.12.1+dfsg/src/lib/gssapi/krb5/wrap_size_limit.c =================================================================== --- krb5-1.12.1+dfsg.orig/src/lib/gssapi/krb5/wrap_size_limit.c 2015-02-06 15:13:33.082677536 -0500 +++ krb5-1.12.1+dfsg/src/lib/gssapi/krb5/wrap_size_limit.c 2015-02-06 15:13:33.078677506 -0500 @@ -95,7 +95,7 @@ } ctx = (krb5_gss_ctx_id_rec *) context_handle; - if (! ctx->established) { + if (ctx->terminated || !ctx->established) { *minor_status = KG_CTX_INCOMPLETE; return(GSS_S_NO_CONTEXT); } debian/patches/CVE-2017-11462.patch0000664000000000000000000003614713415177440013340 0ustar From 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Fri, 14 Jul 2017 13:02:46 -0400 Subject: [PATCH] Preserve GSS context on init/accept failure After gss_init_sec_context() or gss_accept_sec_context() has created a context, don't delete the mechglue context on failures from subsequent calls, even if the mechanism deletes the mech-specific context (which is allowed by RFC 2744 but not preferred). Check for union contexts with no mechanism context in each GSS function which accepts a gss_ctx_id_t. CVE-2017-11462: RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error. This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers. For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them. All versions of MIT krb5 prior to this change may delete acceptor contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through 1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on error. 
ticket: 8598 (new) target_version: 1.15-next target_version: 1.14-next tags: pullup --- .../gssapi/mechglue/g_accept_sec_context.c | 22 +++++++++++++------ .../gssapi/mechglue/g_complete_auth_token.c | 2 ++ src/lib/gssapi/mechglue/g_context_time.c | 2 ++ .../gssapi/mechglue/g_delete_sec_context.c | 14 +++++++----- src/lib/gssapi/mechglue/g_exp_sec_context.c | 2 ++ src/lib/gssapi/mechglue/g_init_sec_context.c | 19 +++++++++------- src/lib/gssapi/mechglue/g_inq_context.c | 2 ++ src/lib/gssapi/mechglue/g_prf.c | 2 ++ src/lib/gssapi/mechglue/g_process_context.c | 2 ++ src/lib/gssapi/mechglue/g_seal.c | 4 ++++ src/lib/gssapi/mechglue/g_sign.c | 2 ++ src/lib/gssapi/mechglue/g_unseal.c | 2 ++ src/lib/gssapi/mechglue/g_unwrap_aead.c | 2 ++ src/lib/gssapi/mechglue/g_unwrap_iov.c | 4 ++++ src/lib/gssapi/mechglue/g_verify.c | 2 ++ src/lib/gssapi/mechglue/g_wrap_aead.c | 2 ++ src/lib/gssapi/mechglue/g_wrap_iov.c | 8 +++++++ 17 files changed, 72 insertions(+), 21 deletions(-) diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c index ddaf87412e..f28e2b14a9 100644 --- a/src/lib/gssapi/mechglue/g_accept_sec_context.c +++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c @@ -185,6 +185,8 @@ gss_cred_id_t * d_cred; } else { union_ctx_id = (gss_union_ctx_id_t)*context_handle; selected_mech = union_ctx_id->mech_type; + if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); } /* Now create a new context if we didn't get one. */ @@ -203,9 +205,6 @@ gss_cred_id_t * d_cred; free(union_ctx_id); return (status); } - - /* set the new context handle to caller's data */ - *context_handle = (gss_ctx_id_t)union_ctx_id; } /* 
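Review bot: The `internal_ctx_id == GSS_C_NO_CONTEXT` test added in this g_accept_sec_context.c hunk is repeated by hand in every other mechglue file in the patch (g_complete_auth_token.c, g_context_time.c, g_exp_sec_context.c, g_init_sec_context.c, g_inq_context.c, g_prf.c, g_process_context.c, g_seal.c, g_sign.c, g_unseal.c, g_unwrap_aead.c, g_unwrap_iov.c, g_verify.c). After this change a union context with no mechanism context can legitimately exist after a failed call. Any entry point that casts to `gss_union_ctx_id_t` and is not in the diffstat would still hand an empty mechanism context to the mech, so the list is worth auditing against all such functions. A shared inline check would keep the rule in one place. The early returns also leave `*minor_status` untouched within the hunks; whether it is initialised earlier in each function is outside what is shown.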
@@ -243,8 +242,10 @@ gss_cred_id_t * d_cred; d_cred ? &tmp_d_cred : NULL); /* If there's more work to do, keep going... */ - if (status == GSS_S_CONTINUE_NEEDED) + if (status == GSS_S_CONTINUE_NEEDED) { + *context_handle = (gss_ctx_id_t)union_ctx_id; return GSS_S_CONTINUE_NEEDED; + } /* if the call failed, return with failure */ if (status != GSS_S_COMPLETE) { @@ -330,14 +331,22 @@ gss_cred_id_t * d_cred; *mech_type = gssint_get_public_oid(actual_mech); if (ret_flags != NULL) *ret_flags = temp_ret_flags; - return (status); + *context_handle = (gss_ctx_id_t)union_ctx_id; + return GSS_S_COMPLETE; } else { status = GSS_S_BAD_MECH; } error_out: - if (union_ctx_id) { + /* + * RFC 2744 5.1 requires that we not create a context on a failed first + * call to accept, and recommends that on a failed subsequent call we + * make the caller responsible for calling gss_delete_sec_context. + * Even if the mech deleted its context, keep the union context around + * for the caller to delete. + */ + if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) { if (union_ctx_id->mech_type) { if (union_ctx_id->mech_type->elements) free(union_ctx_id->mech_type->elements); @@ -350,7 +359,6 @@ gss_cred_id_t * d_cred; GSS_C_NO_BUFFER); } free(union_ctx_id); - *context_handle = GSS_C_NO_CONTEXT; } if (src_name) diff --git a/src/lib/gssapi/mechglue/g_complete_auth_token.c b/src/lib/gssapi/mechglue/g_complete_auth_token.c index 9181551301..4bcb47e84b 100644 --- a/src/lib/gssapi/mechglue/g_complete_auth_token.c +++ b/src/lib/gssapi/mechglue/g_complete_auth_token.c @@ -52,6 +52,8 @@ gss_complete_auth_token (OM_uint32 *minor_status, */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; mech = gssint_get_mechanism (ctx->mech_type); if (mech != NULL) { diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c index 2ff8d0996e..c947e7646c 100644 --- a/src/lib/gssapi/mechglue/g_context_time.c 
+++ b/src/lib/gssapi/mechglue/g_context_time.c @@ -58,6 +58,8 @@ OM_uint32 * time_rec; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c index 4bf0dec5ce..574ff02944 100644 --- a/src/lib/gssapi/mechglue/g_delete_sec_context.c +++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c @@ -87,12 +87,14 @@ gss_buffer_t output_token; if (GSSINT_CHK_LOOP(ctx)) return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - status = gssint_delete_internal_sec_context(minor_status, - ctx->mech_type, - &ctx->internal_ctx_id, - output_token); - if (status) - return status; + if (ctx->internal_ctx_id != GSS_C_NO_CONTEXT) { + status = gssint_delete_internal_sec_context(minor_status, + ctx->mech_type, + &ctx->internal_ctx_id, + output_token); + if (status) + return status; + } /* now free up the space for the union context structure */ free(ctx->mech_type->elements); diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c index b63745299f..1d7990b1ca 100644 --- a/src/lib/gssapi/mechglue/g_exp_sec_context.c +++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c @@ -95,6 +95,8 @@ gss_buffer_t interprocess_token; */ ctx = (gss_union_ctx_id_t) *context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (!mech) return GSS_S_BAD_MECH; diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c index 9f154b8936..e2df1ce261 100644 --- a/src/lib/gssapi/mechglue/g_init_sec_context.c +++ b/src/lib/gssapi/mechglue/g_init_sec_context.c 
@@ -192,8 +192,13 @@ OM_uint32 * time_rec; /* copy the supplied context handle */ union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT; - } else + } else { union_ctx_id = (gss_union_ctx_id_t)*context_handle; + if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) { + status = GSS_S_NO_CONTEXT; + goto end; + } + } /* * get the appropriate cred handle from the union cred struct. @@ -224,12 +229,13 @@ OM_uint32 * time_rec; if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) { /* - * the spec says (the preferred) method is to delete all - * context info on the first call to init, and on all - * subsequent calls make the caller responsible for - * calling gss_delete_sec_context + * RFC 2744 5.19 requires that we not create a context on a failed + * first call to init, and recommends that on a failed subsequent call + * we make the caller responsible for calling gss_delete_sec_context. + * Even if the mech deleted its context, keep the union context around + * for the caller to delete. */ map_error(minor_status, mech); if (*context_handle == GSS_C_NO_CONTEXT) { free(union_ctx_id->mech_type->elements); free(union_ctx_id->mech_type); diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c index 6f1c71eede..6c0d98dd33 100644 --- a/src/lib/gssapi/mechglue/g_inq_context.c +++ b/src/lib/gssapi/mechglue/g_inq_context.c @@ -104,6 +104,8 @@ gss_inquire_context( */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (!mech || !mech->gss_inquire_context || !mech->gss_display_name || diff --git a/src/lib/gssapi/mechglue/g_prf.c b/src/lib/gssapi/mechglue/g_prf.c index fcca3e44c4..9e168adfe0 100644 --- a/src/lib/gssapi/mechglue/g_prf.c +++ b/src/lib/gssapi/mechglue/g_prf.c 
@@ -59,6 +59,8 @@ gss_pseudo_random (OM_uint32 *minor_status, */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; mech = gssint_get_mechanism (ctx->mech_type); if (mech != NULL) { diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c index bc260aeb10..3968b5d9c6 100644 --- a/src/lib/gssapi/mechglue/g_process_context.c +++ b/src/lib/gssapi/mechglue/g_process_context.c @@ -61,6 +61,8 @@ gss_buffer_t token_buffer; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c index f17241c908..3db1ee095b 100644 --- a/src/lib/gssapi/mechglue/g_seal.c +++ b/src/lib/gssapi/mechglue/g_seal.c @@ -92,6 +92,8 @@ gss_wrap( OM_uint32 *minor_status, */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { @@ -226,6 +228,8 @@ gss_wrap_size_limit(OM_uint32 *minor_status, */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (!mech) diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c index 86d641aa2e..03fbd8c01f 100644 --- a/src/lib/gssapi/mechglue/g_sign.c +++ b/src/lib/gssapi/mechglue/g_sign.c @@ -94,6 +94,8 @@ gss_buffer_t msg_token; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c index 3e8053c6e9..c208635b67 100644 --- a/src/lib/gssapi/mechglue/g_unseal.c 
+++ b/src/lib/gssapi/mechglue/g_unseal.c @@ -76,6 +76,8 @@ gss_qop_t * qop_state; * call it. */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c index e78bff2d32..0682bd8998 100644 --- a/src/lib/gssapi/mechglue/g_unwrap_aead.c +++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c @@ -186,6 +186,8 @@ gss_qop_t *qop_state; * call it. */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (!mech) diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c index c0dd314b1b..599be2c7b2 100644 --- a/src/lib/gssapi/mechglue/g_unwrap_iov.c +++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c @@ -89,6 +89,8 @@ int iov_count; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { @@ -128,6 +130,8 @@ gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, /* Select the approprate underlying mechanism routine and call it. */ ctx = (gss_union_ctx_id_t)context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; mech = gssint_get_mechanism(ctx->mech_type); if (mech == NULL) return GSS_S_BAD_MECH; diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c index 1578ae1110..8996fce8d5 100644 --- a/src/lib/gssapi/mechglue/g_verify.c +++ b/src/lib/gssapi/mechglue/g_verify.c @@ -65,6 +65,8 @@ gss_qop_t * qop_state; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { 
diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c index 96cdf3ce6a..7fe3b7b35b 100644 --- a/src/lib/gssapi/mechglue/g_wrap_aead.c +++ b/src/lib/gssapi/mechglue/g_wrap_aead.c @@ -256,6 +256,8 @@ gss_buffer_t output_message_buffer; * call it. */ ctx = (gss_union_ctx_id_t)context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (!mech) return (GSS_S_BAD_MECH); diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c index 40cd98fc91..14447c4ee1 100644 --- a/src/lib/gssapi/mechglue/g_wrap_iov.c +++ b/src/lib/gssapi/mechglue/g_wrap_iov.c @@ -93,6 +93,8 @@ int iov_count; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { @@ -151,6 +153,8 @@ int iov_count; */ ctx = (gss_union_ctx_id_t) context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return (GSS_S_NO_CONTEXT); mech = gssint_get_mechanism (ctx->mech_type); if (mech) { @@ -190,6 +194,8 @@ gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, /* Select the approprate underlying mechanism routine and call it. */ ctx = (gss_union_ctx_id_t)context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; mech = gssint_get_mechanism(ctx->mech_type); if (mech == NULL) return GSS_S_BAD_MECH; @@ -215,6 +221,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, /* Select the approprate underlying mechanism routine and call it. */ ctx = (gss_union_ctx_id_t)context_handle; + if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) + return GSS_S_NO_CONTEXT; mech = gssint_get_mechanism(ctx->mech_type); if (mech == NULL) return GSS_S_BAD_MECH; debian/patches/CVE-2014-5351.patch0000664000000000000000000000670612465221470013250 0ustar 
From af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Thu, 21 Aug 2014 13:52:07 -0400 Subject: [PATCH] Return only new keys in randkey [CVE-2014-5351] In kadmind's randkey operation, if a client specifies the keepold flag, do not include the preserved old keys in the response. CVE-2014-5351: An authenticated remote attacker can retrieve the current keys for a service principal when generating a new set of keys for that principal. The attacker needs to be authenticated as a user who has the elevated privilege for randomizing the keys of other principals. Normally, when a Kerberos administrator randomizes the keys of a service principal, kadmind returns only the new keys. This prevents an administrator who lacks legitimate privileged access to a service from forging tickets to authenticate to that service. If the "keepold" flag to the kadmin randkey RPC operation is true, kadmind retains the old keys in the KDC database as intended, but also unexpectedly returns the old keys to the client, which exposes the service to ticket forgery attacks from the administrator. A mitigating factor is that legitimate clients of the affected service will start failing to authenticate to the service once they begin to receive service tickets encrypted in the new keys. The affected service will be unable to decrypt the newly issued tickets, possibly alerting the legitimate administrator of the affected service. CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C [tlyu@mit.edu: CVE description and CVSS score] ticket: 8018 (new) target_version: 1.13 tags: pullup --- src/lib/kadm5/srv/svr_principal.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) Index: krb5-1.12+dfsg/src/lib/kadm5/srv/svr_principal.c =================================================================== --- krb5-1.12+dfsg.orig/src/lib/kadm5/srv/svr_principal.c 2015-02-06 15:25:26.392092142 -0500 +++ krb5-1.12+dfsg/src/lib/kadm5/srv/svr_principal.c 2015-02-06 15:25:26.388092109 -0500 
@@ -344,6 +344,20 @@ *passptr = NULL; } +/* Return the number of keys with the newest kvno. Assumes that all key data + * with the newest kvno are at the front of the key data array. */ +static int +count_new_keys(int n_key_data, krb5_key_data *key_data) +{ + int n; + + for (n = 1; n < n_key_data; n++) { + if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno) + return n; + } + return n_key_data; +} + kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t entry, long mask, @@ -1593,7 +1607,7 @@ osa_princ_ent_rec adb; krb5_int32 now; kadm5_policy_ent_rec pol; - int ret, last_pwd; + int ret, last_pwd, n_new_keys; krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; @@ -1681,8 +1695,9 @@ kdb->fail_auth_count = 0; if (keyblocks) { - ret = decrypt_key_data(handle->context, - kdb->n_key_data, kdb->key_data, + /* Return only the new keys added by krb5_dbe_crk. */ + n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data); + ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data, keyblocks, n_keys); if (ret) goto done; debian/patches/upstream/0000775000000000000000000000000013014725027012460 5ustar debian/patches/upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch0000664000000000000000000000577213014725027024063 0ustar From cb96ca52a3354e5a0ea52e12495ff375de54f9b7 Mon Sep 17 00:00:00 2001 
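Review bot: The header comment on count_new_keys does not say what the function returns for short arrays, and the ordering it depends on is stated only as an assumption. When `n_key_data` is 0, 1 or negative the loop never runs and the function returns `n_key_data` unchanged, which then goes straight to decrypt_key_data as the key count. I would extend the comment with `Returns n_key_data unchanged if it is less than 2.` and name the producer of the newest-kvno-first ordering (the call-site comment points at krb5_dbe_crk). If the array were ever ordered differently, the returned prefix would no longer be limited to the new keys. The caller's body runs outside both of its hunks.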
From: Simo Sorce Date: Wed, 30 Mar 2016 13:00:19 -0400 Subject: [PATCH] Add SPNEGO special case for NTLMSSP+MechListMIC MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer needs to implement specifically for the NTLMSSP mechanism. This is required for compatibility with Windows services. ticket: 8423 (new) --- src/lib/gssapi/spnego/spnego_mech.c | 48 +++++++++++++++++++++++++++++++++---- 1 file changed, 43 insertions(+), 5 deletions(-) Index: krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- krb5-1.12+dfsg.orig/src/lib/gssapi/spnego/spnego_mech.c +++ krb5-1.12+dfsg/src/lib/gssapi/spnego/spnego_mech.c 
@@ -473,6 +473,45 @@ return (spnego_ctx); } +/* iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) Microsoft(311) + * security(2) mechanisms(2) NTLM(10) */ +static const gss_OID_desc gss_mech_ntlmssp_oid = + { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" }; + +/* iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) samba(7165) + * gssntlmssp(655) controls(1) ntlmssp_reset_crypto(3) */ +static const gss_OID_desc ntlmssp_reset_crypto_oid = + { 11, "\x2B\x06\x01\x04\x01\xB7\x7D\x85\x0F\x01\x03" }; + +/* + * MS-SPNG section 3.3.5.1 warns that the NTLM mechanism requires special + * handling of the crypto state to interop with Windows. If the mechanism for + * sc is SPNEGO, invoke a mechanism-specific operation on the context to reset + * the RC4 state after producing or verifying a MIC. Ignore a result of + * GSS_S_UNAVAILABLE for compatibility with older versions of the mechanism + * that do not support this functionality. + */ +static OM_uint32 +ntlmssp_reset_crypto_state(OM_uint32 *minor_status, spnego_gss_ctx_id_t sc, + OM_uint32 verify) +{ + OM_uint32 major, minor; + gss_buffer_desc value; + + if (!g_OID_equal(sc->internal_mech, &gss_mech_ntlmssp_oid)) + return GSS_S_COMPLETE; + + value.length = sizeof(verify); + value.value = &verify; + major = gss_set_sec_context_option(&minor, &sc->ctx_handle, + (gss_OID)&ntlmssp_reset_crypto_oid, + &value); + if (major == GSS_S_UNAVAILABLE) + return GSS_S_COMPLETE; + *minor_status = minor; + return major; +} + /* * Both initiator and acceptor call here to verify and/or create mechListMIC, * and to consistency-check the MIC state. handle_mic is invoked only if the @@ -554,6 +593,8 @@ ret = gss_verify_mic(minor_status, sc->ctx_handle, &sc->DER_mechTypes, mic_in, &qop_state); + if (ret == GSS_S_COMPLETE) + ret = ntlmssp_reset_crypto_state(minor_status, sc, 1); if (ret != GSS_S_COMPLETE) { *negState = REJECT; *tokflag = ERROR_TOKEN_SEND; 
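Review bot: The block comment above ntlmssp_reset_crypto_state says "If the mechanism for sc is SPNEGO", but the function returns early unless `sc->internal_mech` equals `gss_mech_ntlmssp_oid`, so the comment names a different condition from the one tested. I would reword that sentence to start `If the negotiated mechanism for sc is NTLMSSP, invoke a mechanism-specific operation ...`. The comment could also state that `verify` is handed to the mechanism as the option value, 1 after gss_verify_mic and 0 after the MIC is produced, as the two call sites in this patch do. `*minor_status` is written only when the option call returns something other than GSS_S_UNAVAILABLE, which deserves a word in the comment too.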
@@ -568,6 +609,8 @@ GSS_C_QOP_DEFAULT, &sc->DER_mechTypes, &tmpmic); + if (ret == GSS_S_COMPLETE) + ret = ntlmssp_reset_crypto_state(minor_status, sc, 0); if (ret != GSS_S_COMPLETE) { gss_release_buffer(&tmpmin, &tmpmic); *tokflag = NO_TOKEN_SEND; debian/patches/avoid_mechglue_recursive_calls_new_symbols0000664000000000000000000000232712412233003021375 0ustar Index: krb5/src/lib/gssapi/mechglue/g_initialize.c =================================================================== --- krb5.orig/src/lib/gssapi/mechglue/g_initialize.c 2014-06-04 15:24:20.491589000 -0400 +++ krb5/src/lib/gssapi/mechglue/g_initialize.c 2014-06-04 15:28:14.392939775 -0400 @@ -678,11 +678,11 @@ GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_inquire_mech_for_saslname); /* RFC 5587 */ GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_inquire_attrs_for_mech); - GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_acquire_cred_from); - GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_store_cred_into); + GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_acquire_cred_from); + GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_store_cred_into); GSS_ADD_DYNAMIC_METHOD(dl, mech, gssspi_acquire_cred_with_password); - GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_export_cred); - GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_import_cred); + GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_export_cred); + GSS_ADD_DYNAMIC_METHOD_NOLOOP(dl, mech, gss_import_cred); GSS_ADD_DYNAMIC_METHOD(dl, mech, gssspi_import_sec_context_by_mech); GSS_ADD_DYNAMIC_METHOD(dl, mech, gssspi_import_name_by_mech); GSS_ADD_DYNAMIC_METHOD(dl, mech, gssspi_import_cred_by_mech); debian/patches/CVE-2014-9422.patch0000664000000000000000000000310012465221533013234 0ustar From 6609658db0799053fbef0d7d0aa2f1fd68ef32d8 Mon Sep 17 00:00:00 2001 
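Review bot: The g_initialize.c patch carries no description, so the reason `gss_acquire_cred_from`, `gss_store_cred_into`, `gss_export_cred` and `gss_import_cred` move to `GSS_ADD_DYNAMIC_METHOD_NOLOOP` has to be guessed from the patch file name. The neighbouring `gssspi_acquire_cred_with_password` and `gssspi_import_*_by_mech` entries stay on `GSS_ADD_DYNAMIC_METHOD`, and nothing in the hunk says whether that is deliberate. A short patch header stating which recursive call is being avoided and why the `gssspi_*` entries are excluded would let a later rebase verify the list. The macro definitions are outside the hunk, so the difference between the two forms cannot be checked here.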
From: Greg Hudson Date: Mon, 29 Dec 2014 13:27:42 -0500 Subject: [PATCH] Fix kadmind server validation [CVE-2014-9422] [MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use data_eq_string() instead of strncmp() to check components of the server principal, so that we don't erroneously match left substrings of "kadmin", "history", or the realm. ticket: 8057 (new) target_version: 1.13.1 tags: pullup --- src/kadmin/server/kadm_rpc_svc.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index 3837931..f4d2a7c 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -4,7 +4,7 @@ * */ -#include +#include #include #include /* for gss_nt_krb5_name */ #include @@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp) c1 = krb5_princ_component(kctx, princ, 0); c2 = krb5_princ_component(kctx, princ, 1); realm = krb5_princ_realm(kctx, princ); - if (strncmp(handle->params.realm, realm->data, realm->length) == 0 - && strncmp("kadmin", c1->data, c1->length) == 0) { - - if (strncmp("history", c2->data, c2->length) == 0) - goto fail_princ; - else - success = 1; - } + success = data_eq_string(*realm, handle->params.realm) && + data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history"); fail_princ: if (!success) { debian/patches/CVE-2014-5354.patch0000664000000000000000000001242012465221521013236 0ustar From 877ad027ca2103f3ac2f581451fdd347a76b8981 Mon Sep 17 00:00:00 2001 
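Review bot: The new `success = data_eq_string(*realm, handle->params.realm) && ...` expression in check_rpcsec_auth has no comment saying why whole-component comparison is required; the reason is given only in the commit message. A one-line comment above it, such as `/* Compare whole components; a length-bounded strncmp() also accepts left substrings. */`, would keep a later cleanup from reintroducing a prefix compare. The `fail_princ:` label now follows the assignment directly with no `goto` left in the hunk. The function starts outside the hunk, so whether an earlier `goto fail_princ` still uses the label cannot be confirmed here.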
From: Ben Kaduk Date: Wed, 19 Nov 2014 12:04:46 -0500 Subject: [PATCH] Support keyless principals in LDAP [CVE-2014-5354] Operations like "kadmin -q 'addprinc -nokey foo'" or "kadmin -q 'purgekeys -all foo'" result in principal entries with no keys present, so krb5_encode_krbsecretkey() would just return NULL, which then got unconditionally dereferenced in krb5_add_ber_mem_ldap_mod(). Apply some fixes to krb5_encode_krbsecretkey() to handle zero-key principals better, correct the test for an allocation failure, and slightly restructure the cleanup handler to be shorter and more appropriate for the usage. Once it no longer short-circuits when n_key_data is zero, it will produce an array of length two with both entries NULL, which is treated as an empty list by the LDAP library, the correct behavior for a keyless principal. However, attributes with empty values are only handled by the LDAP library for Modify operations, not Add operations (which only get a sequence of Attribute, with no operation field). Therefore, only add an empty krbprincipalkey to the modlist when we will be performing a Modify, and not when we will be performing an Add, which is conditional on the (misspelled) create_standalone_prinicipal boolean. CVE-2014-5354: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause a NULL dereference by inserting into the database a principal entry which contains no long-term keys. In order for the LDAP KDC backend to translate a principal entry from the database abstraction layer into the form expected by the LDAP schema, the principal's keys are encoded into a NULL-terminated array of length-value entries to be stored in the LDAP database. However, the subroutine which produced this array did not correctly handle the case where no keys were present, returning NULL instead of an empty array, and the array was unconditionally dereferenced while adding to the list of LDAP operations to perform. 
Versions of MIT krb5 prior to 1.12 did not expose a way for principal entries to have no long-term key material, and therefore are not vulnerable. CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:OF/RC:C ticket: 8041 (new) tags: pullup target_version: 1.13.1 subject: kadmind with ldap backend crashes when putting keyless entries (cherry picked from commit 04038bf3633c4b909b5ded3072dc88c8c419bf16) Some of the "other fixes" to krb5_encode_krbsecretkey() do not apply on the 1.12 branch. The patch needed to be modified slightly to account for the absence of commit 1825455ede7e61ab934b16262fb5b12b78a52f1a on the 1.12 branch upon which this branch is based. The tests added to exercise this fuctionality do pass, even with the modified form of the commit. Patch-category: upstream --- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 23 ++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index e2320ab..c9a3ecf 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -412,7 +412,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, int i, j, last; krb5_error_code err = 0; - if (n_key_data <= 0) + if (n_key_data < 0) return NULL; /* Find the number of key versions */ @@ -425,6 +425,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, err = ENOMEM; goto cleanup; } + if (n_key_data == 0) + return ret; for (i = 0, last = 0, j = 0, currkvno = key_data[0].key_data_kvno; i < n_key_data; i++) { krb5_data *code; if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { 
@@ -453,9 +455,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, if (err != 0) { if (ret != NULL) { - for (i = 0; i <= num_versions; i++) - if (ret[i] != NULL) - free (ret[i]); + for (i = 0; ret[i] != NULL; i++) + free (ret[i]); free (ret); ret = NULL; } @@ -1028,9 +1029,19 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, bersecretkey = krb5_encode_krbsecretkey (entry->key_data, entry->n_key_data, mkvno); - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) + if (bersecretkey == NULL) { + st = ENOMEM; goto cleanup; + } + /* An empty list of bervals is only accepted for modify operations, + * not add operations. */ + if (bersecretkey[0] != NULL || !create_standalone_prinicipal) { + st = krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, + bersecretkey); + if (st != 0) + goto cleanup; + } if (!(entry->mask & KADM5_PRINCIPAL)) { memset(strval, 0, sizeof(strval)); debian/patches/CVE-2015-8631.patch0000664000000000000000000005444313415157315013260 0ustar From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001 
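Review bot: In krb5_ldap_put_principal the new `if (bersecretkey == NULL) { st = ENOMEM; goto cleanup; }` reports every NULL return as an allocation failure. krb5_encode_krbsecretkey also returns NULL for `n_key_data < 0` and, through its cleanup block, for any non-zero `err`, so an encoding error would surface to the administrator as out-of-memory. If the encoder's interface has to stay as it is on this branch, at least note it at the check, e.g. `/* NULL also covers a negative key count or an encoding error. */`. The skipped-add path (`bersecretkey[0] == NULL` with `create_standalone_prinicipal` set) leaves the empty array allocated, so confirm the function's cleanup frees `bersecretkey` there. Both functions continue outside their hunks.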
From: Greg Hudson Date: Fri, 8 Jan 2016 13:16:54 -0500 Subject: [PATCH] Fix leaks in kadmin server stubs [CVE-2015-8631] In each kadmind server stub, initialize the client_name and server_name variables, and release them in the cleanup handler. Many of the stubs will otherwise leak the client and server name if krb5_unparse_name() fails. Also make sure to free the prime_arg variables in rename_principal_2_svc(), or we can leak the first one if unparsing the second one fails. Discovered by Simo Sorce. CVE-2015-8631: In all versions of MIT krb5, an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory. CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C ticket: 8343 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup --- src/kadmin/server/server_stubs.c | 151 ++++++++++++++++--------------- 1 file changed, 77 insertions(+), 74 deletions(-) diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index 1879dc67ef..6ac797e288 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; @@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); free_server_handle(handle); return &ret; } 
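Review bot: In create_principal_2_svc `free(prime_arg);` stays above `exit_func:` and `char *prime_arg;` stays uninitialized, while rename_principal_2_svc in the same patch switches to `char *prime_arg1 = NULL, *prime_arg2 = NULL;` and frees both below the label. The other stubs changed here (create_principal3_2_svc, delete_principal_2_svc, modify_principal_2_svc, the chpass, setkey and chrand variants, purgekeys_2_svc, get_strings_2_svc) keep the older shape. For the stubs that own `prime_arg`, using `char *prime_arg = NULL;` and moving `free(prime_arg);` under `exit_func:` would give every stub one cleanup sequence. A later early `goto exit_func` could then not leak the unparsed name. Stubs that show no `free(prime_arg)` in their hunk, such as get_princs_2_svc, presumably do not own it and should be left alone. The stub bodies run outside the hunks, so this rests on the visible declarations and cleanup lines only.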
@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; @@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); free_server_handle(handle); return &ret; } @@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) } free(prime_arg); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); free_server_handle(handle); return &ret; } @@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; 
@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -570,10 +572,9 @@ generic_ret * rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) { static generic_ret ret; - char *prime_arg1, - *prime_arg2; - gss_buffer_desc client_name, - service_name; + char *prime_arg1 = NULL, *prime_arg2 = NULL; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; @@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } +exit_func: free(prime_arg1); free(prime_arg2); gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) { static gprinc_ret ret; char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } 
@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) { static gprincs_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } 
@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } 
@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) krb5_keyblock *k; int nkeys; char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) krb5_keyblock *k; int nkeys; char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; 
@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); } +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); } +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); } +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } 
@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) static gpol_ret ret; kadm5_ret_t ret2; char *prime_arg, *funcname; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_principal_ent_rec caller_ent; kadm5_server_handle_t handle; @@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); } +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; @@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) { static gpols_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); } +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1541,7 +1542,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) { static getprivs_ret ret; - gss_buffer_desc client_name, service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; 
@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg, *funcname; - gss_buffer_desc client_name, service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; @@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) { static gstrings_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; @@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) { static generic_ret ret; char *prime_arg; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; OM_uint32 minor_stat; kadm5_server_handle_t handle; const char *errmsg = NULL; 
@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } free(prime_arg); +exit_func: gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); -exit_func: free_server_handle(handle); return &ret; } @@ -1754,8 +1757,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) { static generic_ret ret; - gss_buffer_desc client_name, - service_name; + gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; kadm5_server_handle_t handle; OM_uint32 minor_stat; const char *errmsg = NULL; @@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) rqstp->rq_cred.oa_flavor); if (errmsg != NULL) krb5_free_error_message(NULL, errmsg); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); return(&ret); } debian/patches/CVE-2017-11368-2.patch0000664000000000000000000003066513415175242013501 0ustar From d265f16b71058b0cb0546a3993c941975a48b70f Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 17 Jul 2017 13:11:54 -0400 Subject: [PATCH] Simplify KDC status assignment Omit assigning status values for very unlikely error cases. Remove the "UNKNOWN_REASON" fallback for validate_as_request() and validate_tgs_request() as that fallback is now applied globally. --- src/kdc/do_as_req.c | 51 ++++++++++--------------------------------- src/kdc/do_tgs_req.c | 52 ++++++++++---------------------------------- 2 files changed, 24 insertions(+), 79 deletions(-) diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 9b256c8764..5d49e80362 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c 
@@ -219,10 +219,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply.ticket = &state->ticket_reply; state->reply_encpart.session = &state->session_key; if ((errcode = fetch_last_req_info(state->client, - &state->reply_encpart.last_req))) { - state->status = "FETCH_LAST_REQ"; + &state->reply_encpart.last_req))) goto egress; - } state->reply_encpart.nonce = state->request->nonce; state->reply_encpart.key_exp = get_key_exp(state->client); state->reply_encpart.flags = state->enc_tkt_reply.flags; @@ -278,27 +276,21 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock, &state->ticket_reply); - if (errcode) { - state->status = "ENCRYPTING_TICKET"; + if (errcode) goto egress; - } errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply, &au_state->tkt_out_id); - if (errcode) { - state->status = "GENERATE_TICKET_ID"; + if (errcode) goto egress; - } state->ticket_reply.enc_part.kvno = server_key->key_data_kvno; errcode = kdc_fast_response_handle_padata(state->rstate, state->request, &state->reply, state->client_keyblock.enctype); - if (errcode) { - state->status = "fast response handling"; + if (errcode) goto egress; - } /* now encode/encrypt the response */ @@ -306,10 +298,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock, &as_encrypting_key); - if (errcode) { - state->status = "generating reply key"; + if (errcode) goto egress; - } errcode = return_enc_padata(kdc_context, state->req_pkt, state->request, as_encrypting_key, state->server, &state->reply_encpart, FALSE); 
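Review bot: Dropping `state->status = "FETCH_LAST_REQ"` here, along with the other per-step strings removed in finish_process_as_req and process_as_req ("ENCRYPTING_TICKET", "GENERATE_TICKET_ID", "ENCODE_KDC_REP" and so on), leaves `errcode` as the only thing that tells these failures apart. If the status string is what reaches the KDC log line, as the description's "UNKNOWN_REASON" fallback suggests, any log parsing or alerting keyed on the old strings stops matching once this patch is applied. That deserves a line in the package changelog so operators can adjust their rules. Both functions begin and end outside these hunks.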
@@ -326,10 +316,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) &state->reply, &response); if (client_key != NULL) state->reply.enc_part.kvno = client_key->key_data_kvno; - if (errcode) { - state->status = "ENCODE_KDC_REP"; + if (errcode) goto egress; - } /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ @@ -519,7 +507,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; - state->status = "Finding req_body"; goto errout; } errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL, @@ -532,10 +519,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* Not a FAST request; copy the encoded request body. */ errcode = krb5_copy_data(kdc_context, &encoded_req_body, &state->inner_body); - if (errcode) { - state->status = "storing req body"; + if (errcode) goto errout; - } } au_state->request = state->request; state->rock.request = state->request; @@ -549,10 +534,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_unparse_name(kdc_context, state->request->client, - &state->cname))) { - state->status = "UNPARSING_CLIENT"; + &state->cname))) goto errout; - } limit_string(state->cname); /* @@ -611,10 +594,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_unparse_name(kdc_context, state->request->server, - &state->sname))) { - state->status = "UNPARSING_SERVER"; + &state->sname))) goto errout; - } limit_string(state->sname); s_flags = 0; setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK); 
@@ -636,18 +617,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) { - state->status = "TIMEOFDAY"; + if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) goto errout; - } state->authtime = state->kdc_time; /* for audit_as_request() */ if ((errcode = validate_as_request(kdc_active_realm, state->request, *state->client, *state->server, state->kdc_time, &state->status, &state->e_data))) { - if (!state->status) - state->status = "UNKNOWN_REASON"; errcode += ERROR_TABLE_BASE_krb5; goto errout; } @@ -667,10 +644,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_c_make_random_key(kdc_context, useenctype, - &state->session_key))) { - state->status = "RANDOM_KEY_FAILED"; + &state->session_key))) goto errout; - } /* * Canonicalization is only effective if we are issuing a TGT @@ -761,10 +746,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->request->client = NULL; errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(), &state->request->client); - if (errcode) { - state->status = "Copying anonymous principal"; + if (errcode) goto errout; - } state->enc_tkt_reply.client = state->request->client; setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH); } diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index d8d67199b9..84445ed904 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -188,15 +188,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, if (!header_ticket) { errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */ - status="UNEXPECTED NULL in header_ticket"; goto cleanup; } errcode = kau_make_tkt_id(kdc_context, header_ticket, &au_state->tkt_in_id); - if (errcode) { - status = "GENERATE_TICKET_ID"; + if (errcode) goto cleanup; - } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; 
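Review bot: With `if (!state->status) state->status = "UNKNOWN_REASON";` removed after `validate_as_request()` in the `@@ -636,18 +617,14 @@` hunk, `state->status` can be NULL at `goto errout` whenever the validator returns an error without filling it in. The description says the fallback is now applied globally, but that code is not in this diff, so the patch is only safe on top of the change that adds it, presumably an earlier patch in the same CVE-2017-11368 series. The order in the patch series should be checked, and a comment at the call such as `/* status may be NULL here; the logging path supplies the fallback */` would record the dependency. The `validate_tgs_request()` hunk in do_tgs_req.c (`@@ -248,16 +245,12 @@`) depends on the same fallback, and process_as_req continues outside the hunk.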
@@ -248,16 +245,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { - status = "TIME_OF_DAY"; + if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) goto cleanup; - } if ((retval = validate_tgs_request(kdc_active_realm, request, *server, header_ticket, kdc_time, &status, &e_data))) { - if (!status) - status = "UNKNOWN_REASON"; if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION) au_state->violation = PROT_CONSTRAINT; errcode = retval + ERROR_TABLE_BASE_krb5; @@ -324,7 +317,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx], &au_state->evid_tkt_id); if (retval) { - status = "GENERATE_TICKET_ID"; errcode = retval; goto cleanup; } @@ -715,10 +707,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, &ticket_reply); if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) krb5_free_keyblock_contents(kdc_context, &encrypting_key); - if (errcode) { - status = "TKT_ENCRYPT"; + if (errcode) goto cleanup; - } ticket_reply.enc_part.kvno = ticket_kvno; /* Start assembling the response */ au_state->stage = ENCR_REP; @@ -732,10 +722,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, s4u_x509_user, &reply, &reply_encpart); - if (errcode) { - status = "KDC_RETURN_S4U2SELF_PADATA"; + if (errcode) au_state->status = status; - } kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); if (errcode) goto cleanup; 
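Review bot: In the `@@ -732,10 +722,8 @@` hunk, `au_state->status = status;` now copies whatever `status` held before the preceding call failed, because the assignment of "KDC_RETURN_S4U2SELF_PADATA" was dropped. If nothing set it earlier, the `kau_s4u2self()` audit event that follows is emitted with a NULL or stale status. The global fallback mentioned in the description is not visible here, so it cannot be confirmed that it runs before this audit call. Either keep a value at this site, e.g. `au_state->status = status ? status : "UNKNOWN_REASON";`, or confirm that audit modules tolerate NULL. process_tgs_req continues outside the hunk.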
@@ -772,16 +760,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, header_ticket->enc_part2->session->enctype; errcode = kdc_fast_response_handle_padata(state, request, &reply, subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype); - if (errcode !=0 ) { - status = "Preparing FAST padata"; + if (errcode) goto cleanup; - } errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); - if (errcode) { - status = "generating reply key"; + if (errcode) goto cleanup; - } errcode = return_enc_padata(kdc_context, pkt, request, reply_key, server, &reply_encpart, is_referral && @@ -793,10 +777,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id); - if (errcode) { - status = "GENERATE_TICKET_ID"; + if (errcode) goto cleanup; - } if (kdc_fast_hide_client(state)) reply.client = (krb5_principal)krb5_anonymous_principal(); @@ -804,11 +786,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, subkey ? 1 : 0, reply_key, &reply, response); - if (errcode) { - status = "ENCODE_KDC_REP"; - } else { + if (!errcode) status = "ISSUE"; - } memset(ticket_reply.enc_part.ciphertext.data, 0, ticket_reply.enc_part.ciphertext.length); @@ -1045,7 +1024,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype, status); if (retval != 0) - goto cleanup; + return retval; } if (useenctype == 0) { useenctype = select_session_keytype(kdc_active_realm, server, 
@@ -1055,17 +1034,10 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, if (useenctype == 0) { /* unsupported ktype */ *status = "BAD_ENCRYPTION_TYPE"; - retval = KRB5KDC_ERR_ETYPE_NOSUPP; - goto cleanup; - } - retval = krb5_c_make_random_key(kdc_context, useenctype, skey); - if (retval != 0) { - /* random key failed */ - *status = "RANDOM_KEY_FAILED"; - goto cleanup; + return KRB5KDC_ERR_ETYPE_NOSUPP; } -cleanup: - return retval; + + return krb5_c_make_random_key(kdc_context, useenctype, skey); } /* debian/krb5-admin-server.postrm0000664000000000000000000000015212272025331013666 0ustar #! /bin/sh set -e case "$1" in purge) rm -f /etc/default/krb5-admin-server ;; esac #DEBHELPER# debian/copyright0000664000000000000000000015361312272025332011132 0ustar This package was debianized by Sam Hartman on Thu, 19 Oct 2000 16:05:06 -0400. It was downloaded from: Upstream Maintainers: MIT Kerberos Team The doc/krb5-protocol directory has been removed from the upstream source package because it does not comply with the Debian Free Software Guidelines. Copyright: Copyright (C) 1985-2013 by the Massachusetts Institute of Technology. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Downloading of this software may constitute an export of cryptographic software from the United States of America that is subject to the United States Export Administration Regulations (EAR), 15 CFR 730-774. Additional laws or regulations may apply. It is the responsibility of the person or entity contemplating export to comply with all applicable export laws and regulations, including obtaining any required license from the U.S. government. The U.S. government prohibits export of encryption source code to certain countries and individuals, including, but not limited to, the countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and nationals of those countries. Documentation components of this software distribution are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. (http://creativecommons.org/licenses/by-sa/3.0/) Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, FundsXpress, and others. Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT. "Commercial use" means use of a name in a product or other for-profit manner. 
It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given). ====================================================================== The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in "kadmin/create", "kadmin/dbutil", "kadmin/passwd", "kadmin/server", "lib/kadm5", and portions of "lib/rpc": Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON. OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. 
This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. ====================================================================== Portions contributed by Matt Crawford "crawdad@fnal.gov" were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy. ====================================================================== Portions of "src/lib/crypto" have the following copyright: Copyright (C) 1998 by the FundsXpress, INC. All rights reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of FundsXpress. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. FundsXpress makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
====================================================================== The implementation of the AES encryption algorithm in "src/lib/crypto/builtin/aes" has the following copyright: Copyright (C) 2001, Dr Brian Gladman "brg@gladman.uk.net", Worcester, UK. All rights reserved. LICENSE TERMS The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; 3. the copyright holder's name is not used to endorse products built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose. ====================================================================== Portions contributed by Red Hat, including the pre-authentication plug-in framework and the NSS crypto implementation, contain the following copyright: Copyright (C) 2006 Red Hat, Inc. Portions copyright (C) 2006 Massachusetts Institute of Technology All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
* Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== The bundled verto source code is subject to the following license: Copyright 2011 Red Hat, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ====================================================================== The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in "src/lib/gssapi", including the following files: lib/gssapi/generic/gssapi_err_generic.et lib/gssapi/mechglue/g_accept_sec_context.c lib/gssapi/mechglue/g_acquire_cred.c lib/gssapi/mechglue/g_canon_name.c lib/gssapi/mechglue/g_compare_name.c lib/gssapi/mechglue/g_context_time.c lib/gssapi/mechglue/g_delete_sec_context.c lib/gssapi/mechglue/g_dsp_name.c lib/gssapi/mechglue/g_dsp_status.c lib/gssapi/mechglue/g_dup_name.c lib/gssapi/mechglue/g_exp_sec_context.c lib/gssapi/mechglue/g_export_name.c lib/gssapi/mechglue/g_glue.c lib/gssapi/mechglue/g_imp_name.c lib/gssapi/mechglue/g_imp_sec_context.c lib/gssapi/mechglue/g_init_sec_context.c lib/gssapi/mechglue/g_initialize.c lib/gssapi/mechglue/g_inquire_context.c lib/gssapi/mechglue/g_inquire_cred.c lib/gssapi/mechglue/g_inquire_names.c lib/gssapi/mechglue/g_process_context.c lib/gssapi/mechglue/g_rel_buffer.c lib/gssapi/mechglue/g_rel_cred.c lib/gssapi/mechglue/g_rel_name.c lib/gssapi/mechglue/g_rel_oid_set.c lib/gssapi/mechglue/g_seal.c lib/gssapi/mechglue/g_sign.c lib/gssapi/mechglue/g_store_cred.c lib/gssapi/mechglue/g_unseal.c lib/gssapi/mechglue/g_userok.c lib/gssapi/mechglue/g_utils.c lib/gssapi/mechglue/g_verify.c lib/gssapi/mechglue/gssd_pname_to_uid.c lib/gssapi/mechglue/mglueP.h lib/gssapi/mechglue/oid_ops.c lib/gssapi/spnego/gssapiP_spnego.h lib/gssapi/spnego/spnego_mech.c and the initial implementation of incremental propagation, including the following new or changed files: include/iprop_hdr.h kadmin/server/ipropd_svc.c lib/kdb/iprop.x lib/kdb/kdb_convert.c lib/kdb/kdb_log.c lib/kdb/kdb_log.h lib/krb5/error_tables/kdb5_err.et 
slave/kpropd_rpc.c slave/kproplog.c are subject to the following license: Copyright (C) 2004 Sun Microsystems, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ====================================================================== Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice: Copyright (C) 1983 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. 
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license: Copyright (C) 2004-2005, Novell, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The copyright holder's name is not used to endorse or promote products derived from this software without specific prior written permission. 
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== Portions funded by Sandia National Laboratory and developed by the University of Michigan's Center for Information Technology Integration, including the PKINIT implementation, are subject to the following license: COPYRIGHT (C) 2006-2007 THE REGENTS OF THE UNIVERSITY OF MICHIGAN ALL RIGHTS RESERVED Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works for any purpose, so long as the name of The University of Michigan is not used in any advertising or publicity pertaining to the use of distribution of this software without specific, written prior authorization. If the above copyright notice or any other identification of the University of Michigan is included in any copy of any portion of this software, then the disclaimer below must also be included. THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ====================================================================== The pkcs11.h file included in the PKINIT code has the following license: Copyright 2006 g10 Code GmbH Copyright 2006 Andreas Jellinghaus This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved. This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ====================================================================== Portions contributed by Apple Inc. are subject to the following license: Copyright 2004-2008 Apple Inc. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. ====================================================================== The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice: The OpenLDAP Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. ====================================================================== Marked test programs in src/lib/krb5/krb have the following copyright: Copyright (C) 2006 Kungliga Tekniska Högskola (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc have the following copyright and permission notice: Copyright (C) 2010, Oracle America, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the "Oracle America, Inc." nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== Copyright (C) 2006,2007,2009 NTT (Nippon Telegraph and Telephone Corporation). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
====================================================================== Copyright 2000 by Carnegie Mellon University All Rights Reserved Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ====================================================================== Copyright (C) 2002 Naval Research Laboratory (NRL/CCS) Permission to use, copy, modify and distribute this software and its documentation is hereby granted, provided that both the copyright notice and this permission notice appear in all copies of the software, derivative works or modified versions, and any portions thereof. NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. ====================================================================== Portions extracted from Internet RFCs have the following copyright notice: Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. 
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. ====================================================================== Copyright (C) 1991, 1992, 1994 by Cygnus Support. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Cygnus Support makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ====================================================================== Copyright (C) 2006 Secure Endpoints Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ====================================================================== Portions of the implementation of the Fortuna-like PRNG are subject to the following notice: Copyright (C) 2005 Marko Kreen All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (C) 1994 by the University of Southern California EXPORT OF THIS SOFTWARE from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. 
WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute this software and its documentation in source and binary forms is hereby granted, provided that any documentation or other materials related to such distribution or use acknowledge that the software was developed by the University of Southern California. DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not limitation, the University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. The University of Southern California shall not be held liable for any liability nor for any direct, indirect, or consequential damages with respect to any claim by the user or distributor of the ksu software. ====================================================================== Copyright (C) 1995 The President and Fellows of Harvard University This code is derived from software contributed to Harvard by Jeremy Rassen. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== Copyright (C) 2008 by the Massachusetts Institute of Technology. Copyright 1995 by Richard P. Basch. All Rights Reserved. Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Richard P. Basch, Lehman Brothers and M.I.T. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 
====================================================================== The following notice applies to "src/lib/krb5/krb/strptime.c" and "src/include/k5-queue.h". Copyright (C) 1997, 1998 The NetBSD Foundation, Inc. All rights reserved. This code was contributed to The NetBSD Foundation by Klaus Klein. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the NetBSD Foundation, Inc. and its contributors. 4. Neither the name of The NetBSD Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
====================================================================== The following notice applies to Unicode library files in "src/lib/krb5/unicode": Copyright 1997, 1998, 1999 Computing Research Labs, New Mexico State University Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ====================================================================== The following notice applies to "src/util/support/strlcpy.c": Copyright (C) 1998 Todd C. Miller "Todd.Miller@courtesan.com" Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ====================================================================== The following notice applies to "src/util/profile/argv_parse.c" and "src/util/profile/argv_parse.h": Copyright 1999 by Theodore Ts'o. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't it sick that the U.S. culture of lawsuit-happy lawyers requires this kind of disclaimer?) ====================================================================== The following notice applies to SWIG-generated code in "src/util/profile/profile_tcl.c": Copyright (C) 1999-2000, The University of Chicago This file may be freely redistributed without license or fee provided this copyright message remains intact. ====================================================================== The following notice applies to portions of "src/lib/rpc" and "src/include/gssrpc": Copyright (C) 2000 The Regents of the University of Michigan. All rights reserved. Copyright (C) 2000 Dug Song "dugsong@UMICH.EDU". All rights reserved, all wrongs reversed.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== Implementations of the MD4 algorithm are subject to the following notice: Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD4 Message Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. 
MD4 Message Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. ====================================================================== Implementations of the MD5 algorithm are subject to the following notice: Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message- Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. ====================================================================== The following notice applies to "src/lib/crypto/crypto_tests/t_mddriver.c": Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights reserved. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. 
====================================================================== Portions of "src/lib/krb5" are subject to the following notice: Copyright (C) 1994 CyberSAFE Corporation. Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. Neither M.I.T., the Open Computing Security Group, nor CyberSAFE Corporation make any representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ====================================================================== Portions contributed by PADL Software are subject to the following license: Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of PADL Software nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ====================================================================== The bundled libev source code is subject to the following license: All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Alternatively, the contents of this package may be used under the terms of the GNU General Public License ("GPL") version 2 or any later version, in which case the provisions of the GPL are applicable instead of the above. If you wish to allow the use of your version of this package only under the terms of the GPL and not to allow others to use your version of this file under the BSD license, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL in this and the other files of this package. If you do not delete the provisions above, a recipient may use your version of this file under either the BSD or the GPL. On Debian systems, the complete text of the GNU General Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'. 
debian/libkrb5-dev.install0000664000000000000000000000006512272025332012665 0ustar usr/bin/krb5-config usr/share/man/man1/krb5-config.1 debian/krb5-kdc.docs0000664000000000000000000000004712272025331011442 0ustar debian/README.KDC debian/README.Debian debian/krb5_newrealm0000775000000000000000000000317312272025332011655 0ustar #!/bin/sh -e cat </etc/krb5kdc/kadm5.acl # This file Is the access control list for krb5 administration. # When this file is edited run /etc/init.d/krb5-admin-server restart to activate # One common way to set up Kerberos administration is to allow any principal # ending in /admin is given full administrative rights. # To enable this, uncomment the following line: # */admin * EOF fi cat < Wed, 09 Jan 2019 14:01:22 -0200 krb5 (1.12+dfsg-2ubuntu5.3) trusty; urgency=medium * d/p/upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch: Cherry-pick from upstream to add SPNEGO special case for NTLMSSP+MechListMIC. LP: #1643708. -- Steve Langasek Mon, 21 Nov 2016 18:14:47 -0800 krb5 (1.12+dfsg-2ubuntu5.2) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via incorrect null bytes - d/p/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch: properly handle null bytes in src/appl/user_user/server.c, src/lib/krb5/krb/recvauth.c. - CVE-2014-5355 * SECURITY UPDATE: preauthentication requirement bypass in kdcpreauth - d/p/0031-Prevent-requires_preauth-bypass-CVE-2015-2694.patch: improve logic in src/plugins/preauth/otp/main.c, src/plugins/preauth/pkinit/pkinit_srv.c. - CVE-2015-2694 * SECURITY UPDATE: SPNEGO context aliasing bugs - d/p/0031-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch: improve logic in src/lib/gssapi/spnego/gssapiP_spnego.h, src/lib/gssapi/spnego/spnego_mech.c. - d/p/0036-Fix-SPNEGO-context-import.patch: fix SPNEGO context import in src/lib/gssapi/spnego/spnego_mech.c.
- CVE-2015-2695 * SECURITY UPDATE: IAKERB context aliasing bugs - d/p/0032-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch: improve logic in src/lib/gssapi/krb5/gssapiP_krb5.h, src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c. - d/p/0034-Fix-two-IAKERB-comments.patch: fix comments in src/lib/gssapi/krb5/iakerb.c. - CVE-2015-2696 * SECURITY UPDATE: KDC crash via invalid string processing - d/p/0033-Fix-build_principal-memory-bug-CVE-2015-2697.patch: use k5memdup0() instead of strdup() in src/lib/krb5/krb/bld_princ.c. - CVE-2015-2697 * SECURITY UPDATE: memory corruption in IAKERB context export/import - d/p/0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch: dereference the context_handle pointer before casting it and implement an IAKERB gss_import_sec_context() function in src/lib/gssapi/krb5/gssapiP_krb5.h, src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c. - CVE-2015-2698 -- Marc Deslauriers Wed, 11 Nov 2015 09:08:08 -0500 krb5 (1.12+dfsg-2ubuntu5.1) trusty-security; urgency=medium * SECURITY UPDATE: ticket forging via old keys - debian/patches/CVE-2014-5321.patch: return only new keys in src/lib/kadm5/srv/svr_principal.c. - CVE-2014-5321 * SECURITY UPDATE: use-after-free and double-free memory access violations - debian/patches/CVE-2014-5352.patch: properly handle context deletion in src/lib/gssapi/krb5/context_time.c, src/lib/gssapi/krb5/export_sec_context.c, src/lib/gssapi/krb5/gssapiP_krb5.h, src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/inq_context.c, src/lib/gssapi/krb5/k5seal.c, src/lib/gssapi/krb5/k5sealiov.c, src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c, src/lib/gssapi/krb5/lucid_context.c, src/lib/gssapi/krb5/prf.c, src/lib/gssapi/krb5/process_context_token.c, src/lib/gssapi/krb5/wrap_size_limit.c.
- CVE-2014-5352 * SECURITY UPDATE: denial of service via LDAP query with no results - debian/patches/CVE-2014-5353.patch: properly handle policy name in src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c. - CVE-2014-5353 * SECURITY UPDATE: denial of service via database entry for a keyless principal - debian/patches/CVE-2014-5354.patch: support keyless principals in src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. - CVE-2014-5354 * SECURITY UPDATE: denial of service or code execution in kadmind XDR data processing - debian/patches/CVE-2014-9421.patch: fix double free in src/lib/kadm5/kadm_rpc_xdr.c, src/lib/rpc/auth_gssapi_misc.c. - CVE-2014-9421 * SECURITY UPDATE: impersonation attack via two-component server principals - debian/patches/CVE-2014-9422.patch: fix kadmind server validation in src/kadmin/server/kadm_rpc_svc.c. - CVE-2014-9422 * SECURITY UPDATE: gssrpc data leakage - debian/patches/CVE-2014-9423.patch: fix leakage in src/lib/gssapi/mechglue/mglueP.h, src/lib/rpc/svc_auth_gss.c. - CVE-2014-9423 -- Marc Deslauriers Fri, 06 Feb 2015 15:26:22 -0500 krb5 (1.12+dfsg-2ubuntu5) trusty; urgency=low * Use ADD_METHOD_NOLOOP rather than ADD_METHOD for new GSS-API entry points, avoids infinite recursive loop when a mechanism doesn't provide an entry point and does include calls back into the mechglue (LP: #1326500) * Make libkadm5srv-mit8 be arch: any multi-arch: same to work around upgrade bug (LP: #1334052) * Use tailq macros to work around GCC 4.8 optimizer bug and prevent infinite loop for database propagation (LP: #1347147) -- Sam Hartman Wed, 30 Jul 2014 21:06:49 -0400 krb5 (1.12+dfsg-2ubuntu4.2) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via invalid tokens - debian/patches/CVE-2014-4341-4342.patch: handle invalid tokens in src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c. 
- CVE-2014-4341 - CVE-2014-4342 * SECURITY UPDATE: denial of service via double-free in SPNEGO - debian/patches/CVE-2014-4343.patch: fix double-free in src/lib/gssapi/spnego/spnego_mech.c. - CVE-2014-4343 * SECURITY UPDATE: denial of service via null deref in SPNEGO acceptor - debian/patches/CVE-2014-4344.patch: validate REMAIN in src/lib/gssapi/spnego/spnego_mech.c. - CVE-2014-4344 * SECURITY UPDATE: denial of service and possible code execution in kadmind with LDAP backend - debian/patches/CVE-2014-4345.patch: fix off-by-one in src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c - CVE-2014-4345 -- Marc Deslauriers Fri, 08 Aug 2014 14:58:49 -0400 krb5 (1.12+dfsg-2ubuntu4) trusty; urgency=low * Add transitional libkadm5srv-mit8 package to help libapt calculating the upgrade (LP: #1304403) to trusty. This transitional package can be dropped once trusty is released. -- Michael Vogt Wed, 09 Apr 2014 11:11:43 +0200 krb5 (1.12+dfsg-2ubuntu3) trusty; urgency=medium * Add missing versioned Replaces: libkadm5srv-mit8 to the libkdb5-7 package. Fixes upgrades from trusty. (LP: #1304403) -- Martin Pitt Tue, 08 Apr 2014 18:04:14 +0200 krb5 (1.12+dfsg-2ubuntu2) trusty; urgency=medium * debian/rules: force -O2 to work around build failure with -O3. -- Adam Conrad Mon, 17 Feb 2014 08:50:33 +0000 krb5 (1.12+dfsg-2ubuntu1) trusty; urgency=low * Merge from Debian unstable. Remaining changes: - Add alternate dependency on libverto-libevent1 as that's the package ABI name in ubuntu. -- Timo Aaltonen Tue, 04 Feb 2014 14:29:23 +0200 krb5 (1.12+dfsg-2) unstable; urgency=low * Split out libkrad-dev into its own package, Closes: #735323 -- Sam Hartman Mon, 27 Jan 2014 09:29:42 -0500 krb5 (1.12+dfsg-1) experimental; urgency=low [ Benjamin Kaduk ] * New upstream release (closes: #730085, #728845, #637662, #729291). * Update HURD compatibility patch (closes: #729191). * Move pkgconfig files to krb5-multidev and avoid conflicts with heimdal (closes: #730267). 
-- Benjamin Kaduk Mon, 02 Dec 2013 12:25:43 -0500 krb5 (1.12~alpha1+dfsg-1) experimental; urgency=low [ Benjamin Kaduk ] * New upstream release, Closes: #694988, #697954 * Build-depend on python-lxml, Closes: #725596 * Remove Debian versions from symbols * Add myself to uploaders [ Sam Hartman ] * Build-depend on libverto-dev 0.2.4 to get verto_set_flags -- Benjamin Kaduk Mon, 28 Oct 2013 16:12:52 -0400 krb5 (1.11.3+dfsg-3+nmu1) unstable; urgency=high * Non-maintainer upload by the Security Team. * Add python-lxml build dependency (closes: #725596). * Fix cve-2013-1417: KDC daemon crash condition (closes: #730085). * Fix cve-2013-1418: null pointer dereference issue (closes: #728845). -- Michael Gilbert Sat, 16 Nov 2013 23:40:00 +0000 krb5 (1.11.3+dfsg-3ubuntu2) trusty; urgency=low * Add alternate dependency on libverto-libevent1 as that's the package ABI name in ubuntu. -- Dmitrijs Ledkovs Sun, 10 Nov 2013 02:20:12 +0000 krb5 (1.11.3+dfsg-3ubuntu1) trusty; urgency=low * Add build dependency on python-lxml. Closes: #725596. -- Matthias Klose Wed, 23 Oct 2013 18:47:25 +0200 krb5 (1.11.3+dfsg-3) unstable; urgency=low [ Benjamin Kaduk ] * Update config.sub and config.guess, patch from upstream, Closes: #717840 * Update Brazillian Portugese Translation, thanks Fernando Ike, Closes: #719726 * Bump the version of the gssrpc_clnt_create symbol. The routine itself was changed in a backwards-compatible way, but callers from the kadm5 libraries were changed to rely on the new behavior, Closes: #718275 * Add symbols files for the kadm5 libraries. 
The KADM5 API version number was increased for the 1.11 release but the corresponding library sonames were not, so we must indicate the behavior change ourself, Closes: #716772 [ Sam Hartman ] * krb5-kdc depends on libverto-libev1, work around for #652699 * Remove krb5-kdc conflict since it's more than one release cycle old * Add Benjamin Kaduk to uploaders -- Sam Hartman Sun, 25 Aug 2013 16:48:53 -0400 krb5 (1.11.3+dfsg-2) experimental; urgency=low * Run autoreconf to update configure based on aclocal patch -- Sam Hartman Sat, 08 Jun 2013 22:00:50 -0400 krb5 (1.11.3+dfsg-1) experimental; urgency=low * New upstream version - Turns out 1.11.2+dfsg didn't include the pingpong fix, but this does , Closes: # -- Sam Hartman Fri, 07 Jun 2013 21:31:03 -0400 krb5 (1.11.2+dfsg-2) experimental; urgency=low * Import upstream's patch to not warn or error on variadic macros, Closes: #709824 -- Benjamin Kaduk Sat, 25 May 2013 16:06:48 -0400 krb5 (1.11.2+dfsg-1) experimental; urgency=low * New upstream version, Closes: #697662 - By not depending on texinfo, we avoid FTBFSing from its changes, Closes: #708711 * Fix "usage of keytabs gives "Generic preauthentication failure while getting initial credentials"" via upstream change to prefer keys in the keytab (Closes: #698534) * Fixed upstream "kerberos password policy attributes missing from kerberos.schema" (Closes: #655381) * Remove arch-dep and arch-indep dependency in rules (Closes: #708973) -- Sam Hartman Thu, 23 May 2013 21:56:23 -0400 krb5 (1.10.1+dfsg-5) unstable; urgency=low * Import workaround for getaddrinfo bug from upstream. Described in upstream's RT 7124, addresses the main concern of #697662 * Correct CVE number for CVE-2012-1016 in changelog and patches, Closes: #703457 -- Benjamin Kaduk Mon, 25 Mar 2013 11:50:07 -0400 krb5 (1.10.1+dfsg-4+nmu1) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fix cve-2012-1016: null pointer dereference when handling a draft9 request (closes: #702633).
-- Michael Gilbert Fri, 15 Mar 2013 04:15:27 +0000 krb5 (1.10.1+dfsg-4) unstable; urgency=high * KDC null pointer dereference with PKINIT, CVE-2013-1415 -- Benjamin Kaduk Fri, 15 Feb 2013 16:07:53 -0500 krb5 (1.10.1+dfsg-3) unstable; urgency=low * Kadmind crash only triggered by admin users, cve-2012-1013, Closes: #687647 * Don't unload GSS-API plugins to avoid crashing applications that use GSS-API on systems with plugins installed, Closes: #693741 -- Sam Hartman Mon, 19 Nov 2012 17:35:04 -0500 krb5 (1.10.1+dfsg-2) unstable; urgency=high * MITKRB5-SA-2012-001 [CVE-2012-1014 CVE-2012-1015] KDC frees uninitialized pointers * Break libgssglue1 << 0.2-2 for multiarch, Closes: #680612 * Don't free caller's principal in verify_init_creds, Closes: #512410 -- Sam Hartman Tue, 31 Jul 2012 08:20:09 -0400 krb5 (1.10.1+dfsg-1) unstable; urgency=low * New Upstream Version - Set display_name in gss_get_name_attribute, Closes: #658514 * Fix use counts on preauthentication, Closes: #670457 * Fix kadmin access controls, Closes: #670918 * Accept NMU with longer hostname, Closes: #657027 * Fix history from old databases, Closes: #660869 * Fix gcc 4.6.2 may be used uninitialized warnings/errors, Closes: #672075 * Check all keys in keytab for verifying credentials, Possibly fixes: #669127 * Avoid multi-arch libpath in krb5-config, Closes: #642229 * Debconf translations: - Turkish debconf Translation, Thanks Atila KOC, Closes: #659072 - Polish, thanks Michal/ Kul/ach, Closes: #658437 -- Sam Hartman Thu, 10 May 2012 16:32:13 -0400 krb5 (1.10+dfsg~beta1-2.1) unstable; urgency=low * Non-maintainer upload. * Apply patch from Svante Signell to fix FTBFS on hurd-i386, Closes: #657027. 
-- Samuel Thibault Thu, 26 Apr 2012 00:52:37 +0200 krb5 (1.10+dfsg~beta1-2) unstable; urgency=low * Oops, actually fix build flags, Closes: #655248 -- Sam Hartman Fri, 13 Jan 2012 17:39:34 -0500 krb5 (1.10+dfsg~beta1-1) unstable; urgency=low * New Upstream version * Fix hardening flags and pre-dpkg-buildflags support, Closes: #655248 * Update some symbols files for enhanced functions in 1.10 -- Sam Hartman Fri, 13 Jan 2012 17:11:39 -0500 krb5 (1.10+dfsg~alpha2-1) unstable; urgency=low * New upstream Version -- Sam Hartman Tue, 27 Dec 2011 06:02:35 -0500 krb5 (1.10+dfsg~alpha1-7) unstable; urgency=high * Merge in github/krb5-1-10 branch up through 12/16/2010: many new upstream changes * Includes fix for MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling [CVE-2011-1530] , Closes: #651226 -- Sam Hartman Fri, 16 Dec 2011 15:30:18 -0500 krb5 (1.10+dfsg~alpha1-6) unstable; urgency=low * Fix segfault with unknown hostnames in krb5_sname_to_principal, Closes: #650671 * Indicate that this library breaks libsmbclient versions that depend on krb5_locate_kdc, Closes: #650603, #650611 -- Sam Hartman Thu, 01 Dec 2011 19:34:41 -0500 krb5 (1.10+dfsg~alpha1-5) unstable; urgency=low * Add texinfo back to build depends: policy has been subverted by the evil forces of wishful thinking and forward progress * Conflict: with libkrb53 again. The transition is over and we no longer need that package. 
-- Sam Hartman Wed, 30 Nov 2011 09:09:55 -0500 krb5 (1.10+dfsg~alpha1-4) unstable; urgency=low * Add kadmind and krb5kdc pidfiles, Closes: #550781 * Respect locale in time display, Closes: #138430 * Status action for init scripts, Thanks Yukio Shiiya, Closes: #645363, #645364 * Fix dependencies for krb5-kdc * Add dpkg-buildflags support * Initial build-arch and build-indep support: currently build-indep depends on build-arch but that's OK as a starting point -- Sam Hartman Tue, 29 Nov 2011 20:34:03 -0500 krb5 (1.10+dfsg~alpha1-3) unstable; urgency=low * Build depend on pkg-config -- Sam Hartman Tue, 29 Nov 2011 17:35:48 -0500 krb5 (1.10+dfsg~alpha1-2) unstable; urgency=low * LDAP plugin depends on ldap library for parallel builds -- Sam Hartman Tue, 29 Nov 2011 17:35:30 -0500 krb5 (1.10+dfsg~alpha1-1) unstable; urgency=low * New upstream release - mit-krb5-sa-2011-006, Closes: #646367 - Install k5login.5 not just .k5login.5, Closes: #623068 - Fixes LDAP file descriptor leak, Closes: #561176 * Updated translations: - French, Thanks Christian Perrier, Closes: #630827 - Catalan, Thanks Innocent De Marchi, Closes: #632208 * Update to krb5-1-10 branch of 2011-11-28 -- Sam Hartman Tue, 29 Nov 2011 13:05:17 -0500 krb5 (1.9.1+dfsg-3) unstable; urgency=low * New function gss_localname from trunk -- Sam Hartman Wed, 21 Sep 2011 16:53:47 -0400 krb5 (1.9.1+dfsg-2) unstable; urgency=low * Revert incorrect Danish translations * Multiarch support, Thanks Steve Langasek, Closes: #634121 * Use linux-any in debian/control instead of explicit exclusions, Closes: #634311 * Apply upstream r24977 in order to fix problems where a name exists for v6 but not v4, Closes: #532536 * Apply upstream tickets 6916 and 6917 to fi x referrals behavior with old KDCs, Closes: #631106 -- Sam Hartman Tue, 09 Aug 2011 11:52:04 -0400 krb5 (1.9.1+dfsg-1) unstable; urgency=low * New upstream version * Fix g_make_token_header when no token type is passed * Support absolute paths for GSS-API mechanisms * Add 
gss_authorize_localname, gss_userok, gss_pname_to_uid * Fix gss_acquire_cred handling with empty mech set; fix accept_sec_context handling in this case too * Permit importing anonymous name with empty buffer * New Translations: - Dutch: Thanks Vincent Zweije, Closes: #624173 - Danish, Thanks Joe Dalton, Closes: #626530 * Fix kadmin free of null pointer on change password, Closes: #622681 -- Sam Hartman Thu, 02 Jun 2011 10:57:10 -0400 krb5 (1.9+dfsg-2) unstable; urgency=low * In the interest of testing other GSS-API mechanisms it is desirable to install the gss-server and gss-client application. These are useful to people developing new GSS-API mechanisms within Debian. -- Sam Hartman Wed, 04 May 2011 16:07:42 -0400 krb5 (1.9+dfsg-1) unstable; urgency=low * New upstream version * Pull in krb5 1.9 branch as of 03/16/2011 - Include updates in 1.8.3+dfsg-4, 1.8.3+dfsg-5, 1.8.3+dfsg-6 - Include fixes for trace logging * Since Debian does not and will not ever build with edirectory support, remove documentation of edirectory commands from the man page. Closes: #580502 * Includes IPv6 support for kadmind, Closes: #595796 * Upstream 1.9 supports hooks for password change and synchronization, Closes: #588968 * LDAP now supports stash creation after db creation, Closes: #484808 * Krb5 1.9 supports including files from krb5.conf, Closes: #429692 -- Sam Hartman Thu, 17 Mar 2011 20:54:04 -0400 krb5 (1.9+dfsg~beta2-1) experimental; urgency=low * New upstream release * Fix default location of kpropd.acl in kpropd.M (LP: #688464) * Ignore PACs without a server signature generated by OS X Open Directory rather than failing authentication, Closes: #604925 * New exported API: krb5_tkt_creds_get -- Sam Hartman Fri, 10 Dec 2010 14:30:35 -0500 krb5 (1.9+dfsg~beta1-1) experimental; urgency=low * New upstream release * No longer use symbols files for libkadm5 and libkdb5: these libraries change very rapidly and tend to change soname each major release.
Symbols files will be introduced if they make sense again. * Update symbols for libkrb5-3: note that several internal functions have disappeared. These functions were not part of the public ABI which remains stable * Update library package names based on soname changes -- Sam Hartman Sun, 21 Nov 2010 17:31:55 -0500 krb5 (1.8.3+dfsg-6) unstable; urgency=low * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517 * Updated Danish debconf translations, thanks Joe Dalton, Closes: #584282 -- Sam Hartman Wed, 16 Mar 2011 10:10:55 -0400 krb5 (1.8.3+dfsg-5) unstable; urgency=low * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282, Closes: #613487 * Fix delegation of credentials against Windows servers; significant interoperability issue, Closes: #611906 * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes: #616429 * Don't fail authentication when PAC verification fails; support hmac- md5 checksums even for non-RC4 keys, Closes: #616728 -- Sam Hartman Sun, 06 Mar 2011 18:08:35 -0500 krb5 (1.8.3+dfsg-4) unstable; urgency=medium * Ignore PACs without a server signature generated by OS X Open Directory rather than failing authentication, Closes: #604925 -- Sam Hartman Tue, 14 Dec 2010 11:53:26 -0500 krb5 (1.8.3+dfsg-3) unstable; urgency=emergency * MITKRB5-SA-2010-007 * CVE-2010-1324: An unauthenticated attacker can inject arbitrary content into an existing GSS connection that appears to be integrity protected from the legitimate peer under some circumstances * GSS applications may accept a PAC produced by an attacker as if it were signed by a KDC * CVE-2010-1323: attackers have a 1/256 chance of being able to produce krb_safe messages that appear to be from legitimate remote sources. Other than use in KDC database copies this may not be a huge issue only because no one actually uses krb_safe messages. Similarly, an attacker can force clients to display challenge/response values of the attacker's choice. 
* CVE-2010-4020: An attacker may be able to generate what is accepted as a ad-signedpath or ad-kdc-issued checksum with 1/256 probability * New Vietnamese debconf translations, Thanks Clytie Siddall, Closes: #601533 * Update standards version to 3.9.1 (no changes required -- Sam Hartman Sat, 20 Nov 2010 14:50:54 -0500 krb5 (1.8.3+dfsg-2) unstable; urgency=high * MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in kdc_authdata.c leading to KDC crash, Closes: #599237 * Fix two memory leaks in krb5_get_init_creds path; one of these memory leaks is quite common for any application such as PAM or kinit that gets initial credentials, thanks Bastian Blank, Closes: #598032 * Install doc/CHANGES only in krb5-doc, not in all packages, saves several megabytes on most Debian systems, Closes: #599562 -- Sam Hartman Wed, 13 Oct 2010 10:41:19 -0400 krb5 (1.8.3+dfsg-1) unstable; urgency=low * New Upstream release; only change is version bump from beta1 to final * Bring back a libkrb53 oldlibs package. Note that this is technically a policy violation because it doesn't provide libdes425.so.3 or libkrb4.so.2 and thus provides a different ABI. However, some packages, such as postgres8.4 require the lenny version to be present for the squeeze transition, so we cannot force the removal of libkrb53's reverse dependencies. We can conflict or break with lenny packages that will not work with this libkrb53, but we may break out-of-archive packages without notice. 
Absent someone coming up with a patch to the modern libk5crypto-3 that allows it to work with the lenny libkrb53 (a weekend's worth of work proved this would be quite difficult), this is the best solution we've come up with, Closes: #596678 -- Sam Hartman Sun, 19 Sep 2010 14:59:46 -0400 krb5 (1.8.3+dfsg~beta1-2) unstable; urgency=low * Remove documentation that has moved to the krb5-appl package and is not shipped upstream from Debian diff -- Sam Hartman Tue, 10 Aug 2010 15:33:15 -0400 krb5 (1.8.3+dfsg~beta1-1) unstable; urgency=low * New Upstream version * Add breaks with libkrb53 because libdes425 cannot work with new libk5crypto3 (Closes: #557929) * You want this version: it fixes an incompatibility with how PACs are verified with Windows 2008 * As a result of libkrb53 breaks, we no longer get into problems with krb5int_hmac, Closes: #566988 * Note that libkdb5-4 breaks rather than conflicts libkadm5srv6, Closes: #565429 * Start kdc before x display managers, Closes: #588536 -- Sam Hartman Thu, 05 Aug 2010 12:15:50 -0400 krb5 (1.8.1+dfsg-5) unstable; urgency=low * Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO (LP: #551901) * krb5-admin-server starts after krb5-kdc, Closes: #583494 -- Sam Hartman Wed, 04 Aug 2010 16:10:02 -0400 krb5 (1.8.1+dfsg-4) unstable; urgency=low * fix prerm script (Closes: #577389), thanks Harald Dunkel -- Sam Hartman Thu, 20 May 2010 12:33:43 -0400 krb5 (1.8.1+dfsg-3) unstable; urgency=high * CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes: #582261 * Force use of bash for build, Closes: #581473 * Start slapd before krb5 when krb5-kdc-ldap installed, Closes: #582122 -- Sam Hartman Wed, 19 May 2010 16:37:36 -0400 krb5 (1.8.1+dfsg-2) unstable; urgency=high * Fix crash in renewal and validation, Thanks Joel Johnson for such a prompt bug report, Closes: #577490 -- Sam Hartman Mon, 12 Apr 2010 13:08:35 -0400 krb5 (1.8.1+dfsg-1) unstable; urgency=high * New upstream release * Fixes significant ABI 
incompatibility between Heimdal and MIT in the init_creds_step API; backward incompatible change in the meaning of the flags API. Since this was introduced in 1.8 and since no better solution was found, it's felt that getting 1.8.1 out everywhere that had 1.8 very promptly is the right approach. Otherwise software build against 1.8 will be broken in the future. * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT Kerberos and Microsoft Kerberos; resolve this incompatibility. As a result, mixing KDCs between 1.8 and 1.8.1 in the same realm may produce undesirable results for constrained delegation. Again, another reason to replace 1.8 with 1.8.1 as soon as possible. * Acknowledge security team upload, thanks for picking up the slack and sorry it was necessary -- Sam Hartman Sun, 11 Apr 2010 10:12:59 -0400 krb5 (1.8+dfsg-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash) via an invalid packet that triggers incorrect preparation of an error token. (Closes: 575740) * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703) -- Giuseppe Iuculano Fri, 09 Apr 2010 19:11:50 +0200 krb5 (1.8+dfsg-1) unstable; urgency=low * New upstream version * Include new upstream notice file in docs * Update symbols files * Include upstream ticket 6676: fix handling of cross-realm tickets issued by W2K8R2 * Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476 * New Brazilian Portuguese translations, Thanks Eder L. Marques, Closes: #574149 -- Sam Hartman Wed, 17 Mar 2010 15:51:54 -0400 krb5 (1.8+dfsg~alpha1-7) unstable; urgency=high * MITKRB5-SA-2010-001: Avoid an assertion failure leading to a denial of service in the KDC by doing better input validation. (CVE-2010-0283) * Update standards version to 3.8.4 (no changes required). 
-- Russ Allbery Tue, 16 Feb 2010 12:20:51 -0800 krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium * Import upstream fixes including: - A non-conformance with RFC 4120 that causes enc_padata to be included when the client may not support it - Weak crypto acts as a filter and does not reject if DES is included in krb5.conf, fixes Samba net ads join, Closes: #566977 * Medium urgency because of the samba bug fix. If the samba maintainers request the release team to bump to high I'd support that. * Update libkdb5 symbols for new upstream internal interface -- Sam Hartman Fri, 12 Feb 2010 12:24:26 -0500 krb5 (1.8+dfsg~alpha1-5) unstable; urgency=high [ Sam Hartman ] * New API to allow an application to enable weak crypto * Rename libkadm5clnt and libkadm5srv to libkadm5clnt_mit and libkadm5srv_mit in order to avoid conflicts with Heimdal packages. Sorry for the second trip through new, but we needed to coordinate with upstream on the ABI issues involved with this change. * Medium urgency in order to get a fix for openafs-krb5 weak crypto into testing sooner * Include fix for pam-krb5 segfault with wrong password; bump urgency to high. [ Russ Allbery ] * Change libkrb5-dbg to only depend on libkrb5-3, libk5crypto3, or libkrb5support0. All of the other packages for which it provides debugging symbols also depend on one of those packages and always will, so listing the disjunction of every library package is overkill. Remove from the Depends several obsolete library packages no longer included. * Drop obsolete Replaces for libkadm5srv-mit7 and libkadm5clnt-mit7. * Wrap krb5-multidev dependencies and description and shorten the short description. * Reformat NEWS.Debian to avoid using a bulleted list per devref. 
[ Sam Hartman ] * Link libkadm5{clnt,srv}.so specially so that the links work without libkrb5-dev installed -- Sam Hartman Fri, 22 Jan 2010 23:35:09 -0500 krb5 (1.8+dfsg~alpha1-4) unstable; urgency=high * Add replaces to deal with moving files from krb5-multidev to libkrb5-dev, Closes: #565217 * This is definitely the getting all the conflicts combinations right is tricky series of releases. Sorry about the wasted cycles. -- Sam Hartman Wed, 13 Jan 2010 19:00:37 -0500 krb5 (1.8+dfsg~alpha1-3) unstable; urgency=high * Move files to avoid overlap between heimdal-dev and krb5-multidev, Closes: #565132 -- Sam Hartman Wed, 13 Jan 2010 04:18:32 -0500 krb5 (1.8+dfsg~alpha1-2) unstable; urgency=high * While Kerberos 1.8 is not vulnerable to CVE-2009-4212 (the vulnerable code was removed during the 1.8 release process for code simplification and code size reasons), this is urgency high to get a version of Kerberos that fixes that integer underflow in the AES and RC4 code into testing. * For now, heimdal and MIT shared libraries for kadm5 will conflict; discussions of how to fix this are ongoing upstream, Closes: #564666 * New translations; sorry about missing them in the last upload - Vietnamese, Thanks Clytie Siddall, Closes: #548204 - Basque, Thanks Piarres Beobide, Closes: #534284 * Update standards version (no changes required) * Pull upstream changes made since alpha1 into the package. In particular this includes a fix to a bug where unkeyed checksums are accepted by the FAST KDC backend. That bug was introduced between 1.7 and 1.8 alpha1 so is only present in prior Debian packages of 1.8. See upstream tickets 6632 and 6633. 
-- Sam Hartman Tue, 12 Jan 2010 19:26:09 -0500 krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low * Include symlinks in libkrb5-dev too * New upstream release * Fix .so symlinks in krb5-multidev -- Sam Hartman Fri, 08 Jan 2010 22:41:23 -0500 krb5 (1.8+dfsg~aa+r23527-1) experimental; urgency=low * MIT krb5 trunk prior to 1.8 branch * Remove krb5-telnet, krb5-ftpd, krb5-clients, krb5-rsh-server, no longer provided upstream. These are provided now in a separate source distribution. * Bring back functions needed by Samba, Closes: #531635 * I know that the symbols revisions are generating lintian warnings; that will be cleaned up when upstream actually makes an alpha release * Implement krb5-multidev similar to heimdal-multidev so that packages can be built against both MIT Kerberos and Heimdal -- Sam Hartman Sun, 03 Jan 2010 17:54:04 -0500 krb5 (1.7+dfsg-4) unstable; urgency=high * cve-2009-3295, MIT-KRB5-SA-2009-003: KDC crash when failing to find the realm of a host., Thanks 2Jakob Haufe for the report to Debian -- Sam Hartman Mon, 28 Dec 2009 10:42:32 -0500 krb5 (1.7+dfsg-3) unstable; urgency=low * Fix typo in control file * Exclude usr/lib/krb5/plugins from dh_makeshlibs call to deal with behavior change in dh_makeshlibs, Closes: #558719 -- Sam Hartman Sun, 29 Nov 2009 23:24:01 -0500 krb5 (1.7+dfsg-2) unstable; urgency=low * Only picked up part of the upstream fix to #557979; upstream fully reverted to 1.6. 
-- Sam Hartman Sun, 29 Nov 2009 19:34:44 -0500 krb5 (1.7+dfsg-1) unstable; urgency=low * New upstream version, Closes: #554225 * Several fixes applied after the 1.7 release: - 6506: correctly handle keytab vs stash file - 6508: kadmind ACL parsing could reference uninitialized memory - 6509: kadmind can reference null pointer on ACL error - 6511: uninitialized memory passed to krb5_free_error in change password client path - 6514: none replay cache memory leak - 6515: profile library mutex performance improvements - 6541: memory leak in PAC verify code - 6542: Check for null characters in pkinit certs - 6543: login vs user order in ftpd sometimes wrong - 6551: Memory leak in spnego accept_sec_context error path * libkrb5-dev depends on libkadm5clnt6 (LP: #472080) * Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979, (LP: #489418) -- Sam Hartman Sun, 29 Nov 2009 17:29:26 -0500 krb5 (1.7dfsg~beta3-2) UNRELEASED; urgency=low * Update to policy 3.8.2 (no changes) -- Sam Hartman Sat, 20 Jun 2009 06:32:22 -0400 krb5 (1.7dfsg~beta3-1) unstable; urgency=low * New upstream release * Revert relaxation of Debian symbol versions introduced in 1.7dfsg~beta1-3 * Fix kproplog's manpage (LP: #374819) -- Sam Hartman Wed, 27 May 2009 21:15:41 -0400 krb5 (1.7dfsg~beta2-4) unstable; urgency=low * Upstream fixes to RT #6490, Closes: #528729 - Use MS usage 9 not 8 for tgs-rep encrypted in subkey - Do not use keyed checksum with RC4; WS2003 expects it to be encrypted in the subsession key, everyone else expects the session key. Note that a keyed checksum for RC4 would work against WS2008. 
* Patch from Marc Dequènes (Duck) for HURD portability, Closes: #528828 -- Sam Hartman Wed, 20 May 2009 08:57:53 -0400 krb5 (1.7dfsg~beta2-3) unstable; urgency=low * Use correct enctype identifier in lucid security context export, Closes: #528514 -- Sam Hartman Mon, 18 May 2009 14:59:46 -0400 krb5 (1.7dfsg~beta2-2) unstable; urgency=low * Apply upstream patch from ticket 6488 intended to fix gss_krb5_export_lucid_sec_context and thus NFS; hopefully fixes #528514 * Apply patch from ticket 6489 to fix UCS2 handling in RC4 string to key and PAC routines -- Sam Hartman Thu, 14 May 2009 16:21:48 -0400 krb5 (1.7dfsg~beta2-1) unstable; urgency=low * New Upstream release including FAST support for DES and 3DES. * Remove non-free content accidentally reintroduced in beta1, Closes: #528555 * Add strict dependency from libgssapi-krb5-2 to libkrb5-3 as discussed in #528514 -- Sam Hartman Wed, 13 May 2009 14:09:31 -0400 krb5 (1.7dfsg~beta1-4) unstable; urgency=low * When decrypting the TGS response fails with the subkey, try with the session key to work around Heimdal bug, Closes: #527353 -- Sam Hartman Thu, 07 May 2009 16:16:34 -0400 krb5 (1.7dfsg~beta1-3) unstable; urgency=low * Relax symbol versions of symbols that exist in krb5 1.6.dfsg.2 to 1.6.dfsg.2. No software currently in Debian uses the new functionality, and this will ease the transition because it allows krb5 to move independently of packages that are being rebuilt. This change will be reverted before the end of May, 2009. -- Sam Hartman Tue, 05 May 2009 09:01:17 -0400 krb5 (1.7dfsg~beta1-2) unstable; urgency=low * Upload to unstable with permission of release team; note that this upload will make anything that depends on libkrb53 uninstallable in unstable. The release team will make binary only NMUs to rebuild any such packages and they will depend on the new libraries. Packages built since 1.6.dfsg.4~beta1-9 entered unstable should not be affected.
* Upstream change: return PREAUTH_REQUIRED not PREAUTH_FAILED on unknown preauth type in the KDC. * Remove a bunch of patches applied upstream from debian/patches -- Sam Hartman Mon, 04 May 2009 16:19:09 -0400 krb5 (1.7dfsg~beta1-1) experimental; urgency=low * New upstream release - kadmin and related commands moved to /usr/bin, Closes: #477296 - Kadmin headers are Public: Closes: #191616 - KDC supports loopback address, Closes: #478425 -- Sam Hartman Wed, 22 Apr 2009 09:53:15 -0400 krb5 (1.7dfsg~alpha1-1) experimental; urgency=low * New upstream version -- Sam Hartman Sun, 05 Apr 2009 20:46:14 -0400 krb5 (1.6.dfsg.4~beta1-13) unstable; urgency=high * MITKRB5-SA-2009-001: Fix read-beyond-end-of-buffer DOS in SPNEGO, an SPNEGO null pointer dereference, and incorrect length validation in an ASN.1 decoder. (CVE-2009-0844, CVE-2009-0845, CVE-2009-0847) * MITKRB5-SA-2009-002: ASN.1 general time decoder can free uninitialized pointer. (CVE-2009-0846) * Add dependency on libkrb53 from libkrb5-dev. This should make it significantly more difficult for buildds to get out of sync. I don't think we can do better within the constraints of this transition, Closes: #522469 -- Sam Hartman Tue, 07 Apr 2009 14:58:31 -0400 krb5 (1.6.dfsg.4~beta1-12) unstable; urgency=low * Translation updates: - Romanian, thanks Eddy Petrișor. (Closes: #519660) - Finnish, thanks Esko Arajärvi. (Closes: #519741) - Russian, thanks Sergey Alyoshin. (Closes: #519744) - Spanish, thanks Francisco Javier Cuadrado. (Closes: #519808) -- Russ Allbery Fri, 27 Mar 2009 11:24:28 -0700 krb5 (1.6.dfsg.4~beta1-11) unstable; urgency=low * Upload from the partial-krb4 branch not the master branch so we don't break unstable. - Restore libkrb53 and libkadm55 * Resync the aes test files from upstream to fix a line ending problem and significantly shrink the debian diff -- Sam Hartman Fri, 13 Mar 2009 10:19:42 -0400 krb5 (1.6.dfsg.4~beta1-10) unstable; urgency=low * Add Homepage control field.
* Add ${misc:Depends} to dependencies for all packages. * Expand the packages that satisfy the libkrb5-dbg dependency. * Include a few more details about the differences between the various library packages in their long descriptions and fix some whitespace inconsistencies. Thanks, Gerfried Fuchs. (Closes: #519403) * Remove empty usr/include/kerberosIV directory in libkrb5-dev. * Use set -e instead of #!/bin/sh -e for all maintainer scripts. * Use which without a path to check for update-inetd. * Improve the leading comment in /etc/default/krb5-kdc. * Remove unnecessary section override for krb5-pkinit. * Update to debhelper compatibility level V7. - Use dh_lintian to install Lintian overrides. - Use dh_prep instead of dh_clean -k. * Update standards version to 3.8.1 (no changes required). * Fix superfluous space in the krb5-kdc debconf templates and unfuzzy translations. Thanks, Helge Kreutzmann. (Closes: #518403) * Translation updates: - French, thanks Christian Perrier. (Closes: #518221) - Japanese, thanks TANAKA Atushi. (Closes: #518345) - Swedish, thanks Martin Bagge. (Closes: #518347) - German, thanks Helge Kreutzmann. (Closes: #518402) - Czech, thanks Miroslav Kure. (Closes: #518993) - Portuguese, thanks Miguel Figueiredo. (Closes: #519000) - Italian, thanks Luca Monducci. (Closes: #519178) - Galician, thanks Marce Villarino. (Closes: #519481) -- Russ Allbery Thu, 12 Mar 2009 18:00:31 -0700 krb5 (1.6.dfsg.4~beta1-9) unstable; urgency=medium * Fix typo in downgrade instructions in NEWS file. * Fix override for libkadm55 * Upload to unstable. -- Sam Hartman Sun, 01 Mar 2009 15:33:58 -0500 krb5 (1.6.dfsg.4~beta1-8) experimental; urgency=low * Re-introduce libkrb53 and libkadm55 based on discussion on debian-devel; in this version, libkrb53 contains only libkrb4. Both libkrb53 and libkadm55 depend on the split library packages. 
These dependencies are unversioned; that means that before any symbols are added the shlibs files need to be repointed away from libkrb53 and libkadm55. Any version of the split library packages can satisfy the symbols needed by the libraries previously shipped in libkrb53. * Perform two builds; one without krb4 and one with krb4 for the only warnings; they will go away when the shlibs files are repointed. * Remove krb4 support from debconf and init scripts. * Remove the krb4 migration guide from doc-base * Fix up replaces in control file so that libraries that used to be in libkadm55 claim to replace libkadm55 * Only use parallel builds on the krb5 build; it breaks krb4 enabled builds. * Used versioned replaces; this seems to make it harder to get a system into a broken state if you remove the new packages, Closes: #517483 -- Sam Hartman Sat, 28 Feb 2009 00:42:51 -0500 krb5 (1.6.dfsg.4~beta1-7) experimental; urgency=low * Do not build krb4 support; this is being removed upstream with 1.7 and it is strongly desirable to examine the debian implications. * As a result, the libraries which were previously all in libkrb53 need to change package names as we are dropping some libraries. So, split out the libraries into lib- per policy. The old format was consistent with policy when it was written 8 years ago, and has lasted well. As a result, a significant number of new library packages are introduced. * Use dpkg-gensymbols support for .symbols files for better version tracking * Update to policy 3.8.0 - Support parallel= -- Sam Hartman Fri, 20 Feb 2009 16:57:43 -0500 krb5 (1.6.dfsg.4~beta1-6) unstable; urgency=low * In the krb5-install info pages, document the need to create an empty database on new slaves before the first database propagation to work around a bug in kdb5_util. This is a workaround for Bug#512670, which won't be fixed in time for the lenny release. 
-- Russ Allbery Sun, 01 Feb 2009 10:07:37 -0800 krb5 (1.6.dfsg.4~beta1-5) unstable; urgency=low * Correct the actions of krb5_newrealm in its man page. It doesn't create a keytab for kadmind since kadmind no longer needs one. Mention that it does create a stash file and that it starts the KDC and kadmind daemons. Thanks, David Medberry. (Closes: #504126) * Translation updates: - Spanish, thanks Ignacio Mondino. (Closes: #504766) -- Russ Allbery Mon, 29 Dec 2008 22:21:21 -0800 krb5 (1.6.dfsg.4~beta1-4) unstable; urgency=low [ Russ Allbery ] * Translation updates: - Swedish, thanks Martin Bagge. (Closes: #487669, #491774) - Italian, thanks Luca Monducci. (Closes: #493962) [ Sam Hartman ] * Translation Updates: - Dutch, Thanks Vincent Zweije, Closes: #495733 -- Sam Hartman Thu, 21 Aug 2008 10:41:41 -0400 krb5 (1.6.dfsg.4~beta1-3) unstable; urgency=low * Set length to 0 on no-salt ldap keys so they do not crash; upstream ticket 5545, Closes: #480523 * Swedish translations, thanks Martin Bagge, Closes: #487563 -- Sam Hartman Sun, 22 Jun 2008 23:00:37 -0400 krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low [ Russ Allbery ] * Translation updates: - Japanese, thanks TANAKA, Atushi. - Russian, thanks Sergey Alyoshin. (Closes: #485473) - Brazilian Portuguese, thanks Eder L. Marques. (Closes: #485613) - Romanian, thanks Eddy Petrișor. (Closes: #484996) [ Sam Hartman ] * Upload 1.6.4 beta 1 to unstable. As best I can tell evaluating the changes this is a strict improvement over 1.6.3 even though it is still a beta version. There is not an ABI change ; backing out would be relatively easy. * Patch from Bryan Kadzban to look inside spnego union_creds when looking for a specific mechanism cred. This allows spnego creds to be used when copying out to a ccache after delegation, Closes: #480434 * Ksu now calls krb5_verify_init_creds rather than using its own custom logic because that is correct and so it can take advantage of the following change.
* krb5_verify_init_creds uses the default realm if it gets a referral realm as input for server, Closes: #435427 * Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at the request of Moritz Muehlenhoff ; he was unsure that adding these flags on other platforms would be a good idea. I'd be happy to expand the list at the request of port maintainers, Closes: #484371 * Fix KDC purge code introduced in previous revision. -- Sam Hartman Mon, 16 Jun 2008 09:29:00 -0400 krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low [ Russ Allbery ] * Do not translate the Kerberos v4 modes. They are literal strings passed to the Kerberos KDC as arguments to the -4 option. Comment mentions of those strings in the debconf template so that translators know this. * Rather than prompting at installation time for whether the KDC database should be deleted on purge, prompt in prerm when the package is being removed for whether the database should be deleted. * Translation updates: - Galician, thanks Jacobo Tarrio. (Closes: #482324) - French, thanks Christian Perrier. (Closes: #482326) - Vietnamese, thanks Clytie Siddall. (Closes: #482362) - Basque, thanks Piarres Beobide. (Closes: #482376) - Czech, thanks Miroslav Kure. (Closes: #482428) - German, thanks Helge Kreutzmann. (Closes: #482366) - Spanish, thanks Diego D'Onofrio. - Finnish, thanks Esko Arajärvi. (Closes: #482682) - Portuguese, thanks Miguel Figueiredo. (Closes: #483049) [ Sam Hartman ] * Remove extra space in debian/rules so upstream configure scripts can work. * Upgrade to 1.6.4 beta 1. * Upstream includes several fixes to bugs that were assigned CVE numbers; upstream does not actually consider these security issues and no advisory was issued, but they are included here for the benefit of the security team in case anyone asks. 
Closes: #454974 - fix CVE-2007-5972: double fclose() in krb5_def_store_mkey() - fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3() - fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal() - fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs() - fix CVE-2007-5894: apparent uninit length in ftpd.c:reply() -- Sam Hartman Sat, 31 May 2008 10:53:21 -0400 krb5 (1.6.dfsg.3-2) unstable; urgency=low * kdc.conf was previously in krb5-doc, not uninstalled. Properly handle moving it to the krb5-kdc package. (Closes: #480452) * Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an RPATH in kdb5_ldap_util and the plugin to find the library. Drop the libkdb-ldap1 library package. This library isn't intended to be used by any software outside of the KDC plugin and utility. Thanks, Bastian Blank. (Closes: #479384) * Load defaults for debconf configuration of krb5-admin-server and krb5-kdc from the /etc/default files if they exist. Thanks, Bastian Blank. (Closes: #479404) * Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and /etc/default/krb5-kdc even if debconf configuration is enabled. * Don't require that a stash file be created in /etc/init.d/krb5-kdc. Stash files are optional. (Closes: #479457) * Error out instead of silently exiting if debconf's confmodule cannot be loaded. Given that we depend on debconf, if this fails, something serious went wrong and we shouldn't ignore it. * Use /bin/which instead of command -v to check for update-inetd. * Unconditionally remove kpropd's inetd.conf entry in the postrm of krb5-kdc rather than special-casing remove and deconfigure. * Add 256-bit AES and RC4 keys to the default kdc.conf, the first because it's the strongest enctype currently supported and the second for Windows compatibility. Improve the README.KDC enctype documentation.
* Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as documentation. Thanks, Bastian Blank. (Closes: #479239) -- Russ Allbery Fri, 09 May 2008 20:27:16 -0700 krb5 (1.6.dfsg.3-1) unstable; urgency=low * Final upstream 1.6.3 release. * Package the LDAP plugin for the KDC, which allows one to use an LDAP server to store the KDC database. Install the krb5-kdc-ldap package for the plugin. (Closes: #453113) * If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm so that the kdc.conf will at least be syntactically valid (but will still require editing). (Closes: #474741) * krb5-kdc explicitly depends on krb5-config since it relies on debconf variables set by that package. * Always stop krb524d on /etc/init.d/krb5-kdc stop even if the configuration has been changed to no longer run it. Thanks, Bastian Blank. (Closes: #477294) * Install the kdc.conf man page. (Closes: #477307) * krb5-kdc no longer depends on update-inetd and inet-superserver and instead just suggests openbsd-inetd | inet-superserver and conditionally adds the commented-out kpropd example if update-inetd is available. krb5-admin-server doesn't need inet-superserver at all. Thanks, Bastian Blank. (Closes: #477301) * Change the doc-base sections to System/Security. * Correctly mangle the version in the watch file. * Remove conflicts with packages already not present in oldstable. * Remove versioned build-dependencies satisfied by oldstable. * Remove versioned Replaces for versions older than oldstable. -- Russ Allbery Sun, 27 Apr 2008 20:39:36 -0700 krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC, malformed messages may result in NULL pointer use, double-frees, or exposure of information. (CVE-2008-0062, CVE-2008-0063) * MITKRB5-SA-2008-002: If the file descriptor limit is larger than FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an array overrun and memory corruption may result. 
(CVE-2008-0947) -- Russ Allbery Fri, 07 Mar 2008 18:53:59 -0800 krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low * Apply cross-build patch from Neil Williams. (Closes: #465294) * Document in comments that configuration management via debconf should be disabled before making manual changes to /etc/default/krb5-kdc and /etc/default/krb5-admin-server. (Closes: #443326) * Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind. Thanks, Dwayne Litzenberger. (Closes: #443331) * Don't stop the servers in runlevel S. This isn't a real runlevel and cannot be switched to, so the links are extraneous. * Use binary:Version instead of Source-Version in debian/control. * Depend on openbsd-inetd | inet-superserver instead of on update-inetd, since inetd implementations may provide their own update-inetd. * Improve quoting and formatting in the postinsts for krb5-kdc and krb5-admin-server. Error on failure to load debconf, since we do depend on it. Support reconfigure. * Fix file locations in the krb524 doc-base control file. * Add the info documentation to all doc-base control files. * Fix a variety of man page errors uncovered by man --warnings. * Wrap Depends and Conflicts fields in debian/control. * dpkg-dev now compresses duplicate relations, so no need for lintian overrides. * Add an override for the empty plugin directory in libkrb53. * Update standards version to 3.7.3 (no changes required). * Translation updates: - Finnish, thanks Esko Arajärvi. (Closes: #451146) - Dutch, thanks Vincent Zweije. (Closes: #460589) -- Russ Allbery Mon, 18 Feb 2008 20:53:08 -0800 krb5 (1.6.dfsg.3~beta1-2) unstable; urgency=low * Move pkinit into a new package krb5-pkinit. We don't want pkinit to always be installed because this pulls in an openssl dependency and most people don't need it. However we want the plugin available when needed, Closes: #444938 * I had hoped to wait for the upstream release, but that is being a bit slow. 
-- Sam Hartman Thu, 18 Oct 2007 17:03:27 -0400 krb5 (1.6.dfsg.3~beta1-1) unstable; urgency=low * New Upstream release - Fix krb5_set_default_tgs_enctypes, Closes: #413838 -- Sam Hartman Mon, 01 Oct 2007 21:21:59 -0400 krb5 (1.6.dfsg.1-7) unstable; urgency=emergency * mit-sa-2007-6: - CVE 2007-3999 rpc library buffer overflow - CVE 2007-uninitialized kadmin pointer -- Sam Hartman Tue, 04 Sep 2007 15:06:51 -0400 krb5 (1.6.dfsg.1-6) unstable; urgency=low * Don't depend on libkeyutils-dev on non-Linux architectures. Thanks, Petr Salinger. (Closes: #430215) * Restore support for the RUN_KADMIND setting as written by debconf. Thanks, Christoph Neerfeld. (Closes: #429535) * Wrap the build-depends line now that dpkg in oldstable supports this. * Update debconf templates and debian/control long package descriptions as suggested by the debian-l10n-english team as part of the Smith review project. Thanks to Christian Perrier for the coordination work. (Closes: #428195) * Debconf translation updates: - Galician, thanks Jacobo Tarrio. (Closes: #429511) - Portuguese, thanks Miguel Figueiredo. (Closes: #429592) - Basque, thanks Piarres Beobide. (Closes: #429637) - Japanese, thanks TANAKA, Atushi. (Closes: #429844) - Vietnamese, thanks Clytie Siddall. (Closes: #429907) - German, thanks Helge Kreutzmann. (Closes: #430561) - Czech, thanks Miroslav Kure. (Closes: #431203) - Russian, thanks Yuri Kozlov. (Closes: #431247) - French, thanks Christian Perrier. -- Russ Allbery Sun, 15 Jul 2007 20:58:07 -0700 krb5 (1.6.dfsg.1-5) unstable; urgency=emergency * MIT-SA-2007-4: The kadmin RPC library can free an uninitialized pointer or write past the end of a stack buffer. This may lead to execution of arbitrary code. (CVE-2007-2442, CVE-2007-2443) * MIT-SA-2007-5: kadmind is vulnerable to a stack buffer overflow that may lead to execution of arbitrary code. 
(CVE-2007-2798) -- Russ Allbery Wed, 13 Jun 2007 13:07:44 -0700 krb5 (1.6.dfsg.1-4) unstable; urgency=low * Make --deps switch to krb5-config include dependent libraries; otherwise do not, Closes: #422985 * Include copyright statement for remaining IETF draft, Closes: #393380 -- Sam Hartman Sun, 13 May 2007 16:28:56 -0400 krb5 (1.6.dfsg.1-3) unstable; urgency=low * Upstream bug #5552: krb5_get_init_creds needs to not dereference gic_opts if it is null. Instead, assume that it is default options, Closes: #422687 -- Sam Hartman Tue, 8 May 2007 14:46:55 -0400 krb5 (1.6.dfsg.1-2) unstable; urgency=low * Fix shlibdeps to reflect 1.6.dfsg.1 instead of 1.6.1 * Upload 1.6 to unstable -- Sam Hartman Thu, 3 May 2007 20:23:47 -0400 krb5 (1.6.dfsg.1-1) experimental; urgency=low * Oops, I failed to understand how the version numbers work. Since 1.6.1 is less than 1.6.dfsg, the version numbering is going to be a bit screwy for the 1.6 series. We will use 1.6.dfsg.1 for 1.6.1. * Update to update-inetd dependency, Closes: #420748 -- Sam Hartman Sun, 29 Apr 2007 08:59:28 -0400 krb5 (1.6.1.dfsg-1) experimental; urgency=low * Depend on keyutils-lib-dev so we consistently get keyring cache support * New Portuguese translation, thanks Miguel Figueiredo , Closes: #409318 * New Upstream release - Update shlibs for new API * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there. -- Sam Hartman Sat, 28 Apr 2007 16:21:03 -0400 krb5 (1.6.dfsg-1) experimental; urgency=low * New 1.6 release from upstream. 
* Update copyright -- Sam Hartman Thu, 1 Feb 2007 22:26:08 -0500 krb5 (1.6.dfsg~alpha1-1) experimental; urgency=low * New upstream release * Remove IETF RFCs, Closes: #393380 * Update copyright file based on new copyrights upstream -- Sam Hartman Wed, 22 Nov 2006 10:28:13 -0500 krb5 (1.4.4-8) unstable; urgency=emergency * MIT-SA-2007-1: telnet allows login as an arbitrary user when presented with a specially crafted username; CVE-2007-0956 * krb5_klog_syslog has a trivial buffer overflow that can be exploited by network data; CVE-2007-0957. The upstream patch is very intrusive because it fixes each call to syslog to have proper length checking as well as the actual krb5_klog_syslog internals to use vsnprintf rather than vsprintf. I have chosen to only include the change to krb5_klog_syslog for sarge. This is sufficient to fix the problem but is much smaller and less intrusive. (MIT-SA-2007-2) * MIT-SA-2007-3: The GSS-API library can cause a double free if applications treat certain errors decoding a message as errors that require freeing the output buffer. At least the gssapi rpc library does this, so kadmind is vulnerable. Fix the gssapi library because the spec allows applications to treat errors this way. CVE-2007-1216 * New Japanese translation, thanks TANAKA Atushi, Closes: #414382 -- Sam Hartman Sun, 11 Mar 2007 19:08:52 -0400 krb5 (1.4.4-7) unstable; urgency=low * Translation updates: - New Portuguese translation, thanks Rui Branco. (Closes: #409318) -- Russ Allbery Wed, 21 Feb 2007 15:23:08 -0800 krb5 (1.4.4-6) unstable; urgency=emergency * MIT-SA-2006-2: kadmind and rpc library call through function pointer to freed memory (CVE-2006-6143). Null out xp_auth unless it is associated with an rpcsec_gss connection. -- Sam Hartman Thu, 4 Jan 2007 16:07:02 -0500 krb5 (1.4.4-5) unstable; urgency=low * Translation updates: - New Spanish translation, thanks Fernando Cerezal.
(Closes: #402986) -- Russ Allbery Sun, 17 Dec 2006 17:18:05 -0800 krb5 (1.4.4-4) unstable; urgency=low * Remove the check for pthread_mutexattr_setrobust_np in the thread initialization code. This was only needed on Solaris 9 and has been removed upstream, and was causing FTBFS with glibc 2.5. Thanks, Martin Pitt. (Closes: #396166) * Translation updates: - New Romanian translation, thanks stan ioan-eugen. (Closes: #395347) -- Russ Allbery Sun, 5 Nov 2006 21:32:17 -0800 krb5 (1.4.4-3) unstable; urgency=low * Don't require the presence of debconf during the postrm. Thanks to Bill Allombert for the report. (Closes: #388784) * Fix uses of hyphens instead of minus signs in the man pages. -- Russ Allbery Fri, 22 Sep 2006 14:57:34 -0700 krb5 (1.4.4-2) unstable; urgency=low * Patch from Alejandro R. Sedeno to allow 32-bit and 64-bit krb4 ticket files to be used on the same system. Similar to a patch included in MIT Kerberos 1.5 but backported because of missing byte order macros. -- Sam Hartman Wed, 20 Sep 2006 22:51:59 -0400 krb5 (1.4.4-1) unstable; urgency=low * New upstream release. * Stop using --exec to start and stop services since then services will not be stopped properly during an upgrade. (Closes: #385039) * Rewrite the init scripts to include LSB information and to use the LSB logging functions. krb5-kdc and krb5-admin-server now depend on lsb-base (>= 3.0-6) for the LSB functions. -- Russ Allbery Fri, 1 Sep 2006 20:45:59 -0700 krb5 (1.4.4~beta1-1) unstable; urgency=low * New upstream version including several memory leak fixes * Install upstream changelog -- Sam Hartman Wed, 16 Aug 2006 16:45:56 -0400 krb5 (1.4.3-9) unstable; urgency=high * Add error checking to setuid, setreuid to avoid local privilege escalation ; fixes krb5-sa-2006-1, CVE-2006-3084, CVE-2006-3083 * Update standards version to 3.7.2 (no changes required). * Translation updates. - Russian, thanks Yuri Kozlov. 
(Closes: #380303) -- Sam Hartman Sun, 6 Aug 2006 17:12:40 -0400 krb5 (1.4.3-8) unstable; urgency=low * Defer seeding of the random number generator in kadmind until after forking and backgrounding, since otherwise blocking on /dev/random may block system startup. (Closes: #364308) * Update config.{guess,sub}. (Closes: #373727) * Better fix for error handling of a zero-length keytab. Thanks, Rainer Weikusat. -- Russ Allbery Sun, 16 Jul 2006 08:59:20 -0700 krb5 (1.4.3-7) unstable; urgency=low * Fix double free caused by a zero-length keytab. Thanks, Steve Langasek. (Closes: #344295) * Fix segfault in krb5_kuserok if the local name doesn't correspond to a local account. (Discovered in bug #354133.) * Build a separate libkrb5-dbg package containing the detached debugging information for libkrb53 and libkadm55. * Update debhelper compatibility level to V5 since the dh_strip behavior around debug packages changes in V5 and we should use the current interface from the beginning. * Translation updates. - Dutch, thanks Vincent Zweije. (Closes: #360444) - Galician, thanks Jacobo Tarrio. (Closes: #361809) -- Russ Allbery Sat, 15 Apr 2006 16:22:01 -0700 krb5 (1.4.3-6) unstable; urgency=low * Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is passed in. Fixes a segfault in racoon from ipsec-tools. Thanks, Daniel Kahn Gillmor. (Closes: #351877) * v5passwdd is gone, so remove the debconf template, the prompts, and the code to start and stop it from the init script. Thanks, Greg Folkert. * Fix incorrect option names in krb5.conf(5). Thanks, Martin v. Loewis. (Closes: #347643) * Translation updates. - Danish, thanks Claus Hindsgaul. (Closes: #350041) -- Russ Allbery Tue, 21 Feb 2006 23:25:34 -0800 krb5 (1.4.3-5) unstable; urgency=medium * Configure with --enable-shared --enable-static so that libkrb5-dev gets static libraries. 
* Fix double free in getting credentials, Closes: #344543 -- Sam Hartman Sun, 25 Dec 2005 21:59:47 -0500 krb5 (1.4.3-4) unstable; urgency=high * Fix problem when libpthreads is dynamically loaded into a program causing mutexes to sometimes be used and sometimes not be used. If the library starts out without threads support it will never start using threads support; doing anything else causes hangs. -- Sam Hartman Fri, 16 Dec 2005 18:16:53 -0500 krb5 (1.4.3-3) unstable; urgency=low * Additional internal pthread symbols have to be declared weak on Hurd. Thanks, Michael Banck. (Closes: #341608) * Build on GNU/kFreeBSD. Thanks, Petr Salinger. (Closes: #261712) * Change the default KDC enctype to 3DES to match upstream (the difference was probably a mismerge). * Remove /etc/default/krb5-admin-server on purge. (Closes: #333161) * Document the behavior of klogind and kshd if the user has no .k5login file. Remove vestigial .rhosts references. (Closes: #250966) * Document krb5-rsh-server authorization defaults in README.Debian. * Enable kinit -a to match the man page. (Closes: #232431) * Remove the patch to tightly bind libkrb4 to libdes425. This should no longer be necessary with symbol versioning. * Upstream has removed the file with questionable licensing, so the upstream tarball is no longer repacked. Remove the get-orig-source target in debian/rules and the notes in copyright and README.Debian. * Add a watch file. * Translation updates. - German, thanks jens. (Closes: #330925) -- Russ Allbery Sun, 4 Dec 2005 11:37:40 -0800 krb5 (1.4.3-2) unstable; urgency=low * Conflict with libauthen-krb5-perl (<< 1.4-5) because of krb5_init_ets. * Update uploader address. * Conflict with libapache-mod-auth-kerb because it accesses library internals in a way that breaks. -- Sam Hartman Wed, 30 Nov 2005 22:33:47 -0500 krb5 (1.4.3-1) experimental; urgency=low * New upstream release. * Install ac_check_krb5 for use by aclocal. 
-- Sam Hartman Sat, 19 Nov 2005 16:20:56 -0500 krb5 (1.4.2-1) UNRELEASED; urgency=low * New upstream version. (Closes: #293077) - kadmind4, v5passwdd, and v5passwd are no longer included. - Increase the libkrb53 shlibs version dependency. Programs linked against this version will not work with an older libkrb53. - Rebuild should fix link problems on powerpc. (Closes: #329709) * Re-enable optimization on m68k to stop hiding the toolchain problem. * Don't build crypto code -O3. It uncovers too many gcc bugs. * Fix compilation on Hurd. Thanks, Michael Banck. (Closes: #324305) * Always initialize the output token in gss_init_sec_context, even with an unknown mechanism. (Closes: #311977) * rcp should fall back to /usr/bin/netkit-rcp, not /usr/bin/rpc. * Add the missing shared library depends for libkadm55. * Use dh_install rather than dh_movefiles and enable --fail-missing to be sure to pick up any new upstream files. * Avoid test -a in maintainer scripts. * Expand and reformat the documentation and sample kdc.conf file. * Add a doc-base file for the krb425 migration guide. * Ignore lintian warnings about the library package names. We'll fix them the next time upstream changes SONAMEs. * Conflict with packages that used internal symbols not part of the public ABI * Use "MIT Kerberos" rather than krb5 in the krb5-doc short description. * Remove the saved patches that have been applied upstream or are no longer applied to the package, update the remaining patches, and move them into debian/patches. * Break out the other patches of interest for ease submitting them upstream. * Translation updates. - Vietnamese, thanks Clytie Siddall. (Closes: #319704) -- Russ Allbery Thu, 22 Sep 2005 17:08:58 -0700 krb5 (1.3.6-5) unstable; urgency=high * Disable optimization on m68k to attempt to work around a gcc 4.0 bug. 
-- Russ Allbery Sun, 14 Aug 2005 22:26:00 -0700 krb5 (1.3.6-4) unstable; urgency=high [ Russ Allbery ] * Fix a mistake in variable names that caused the package to be built without optimization. * Allow whitespace before comments in krb5.conf. Thanks, Jeremie Koenig. (Closes: #314609) * GCC 4.0 compile fixes, thanks Daniel Schepler. (Closes: #315618) * Avoid "say yes" in debconf templates. (Closes: #306883) * Update Czech translation, thanks Miroslav Kure. * Update French translation, thanks Christian Perrier. (Closes: #307748) * Update Portuguese (Brazil) translation, thanks André Luís Lopes. * New Vietnamese translation, thanks Clytie Siddall. (Closes: #312172) * Update standards version to 3.6.2 (no changes required). * DAK can now handle not repeating maintainers in uploaders. [ Sam Hartman ] * Fix double free in krb5_recvauth; critical because it is in the code path for kpropd and may allow arbitrary code execution. (CAN-2005-1689) * krb5_unparse_name overflows allocated storage by one byte on 0 element principal name. (CAN-2005-1175, VU#885830) * Do not free unallocated storage in the KDC's TCP request handling path. (CAN-2005-1174, VU#259798) -- Sam Hartman Tue, 12 Jul 2005 15:45:14 -0400 krb5 (1.3.6-3) unstable; urgency=low * krb5-kdc: Install a commented-out line for kpropd with update-inetd. Add dependency on netbase for update-inetd. (Closes: #293182) * krb5-kdc: Ask with debconf whether the user wishes to delete the KDC database on purge, modelled after how postgresql handles the same situation. (Closes: #289358) * Close leak in the arcfour crypto support. Thanks, fumihiko kakuma. (Closes: #244595) * krb5-config should never return -I/usr/include. (Closes: #165521) * Write manual pages for fakeka, krb524init, kadmind4, and v5passwdd. Backport from upstream the manual pages for krb5-config and krb524d. (Closes: #78953, #96437) * Fix paths in manual pages to match the Debian defaults. 
Fix service in the inetd.conf example in the kpropd man page to work with Debian /etc/services. (Closes: #157736) * Fix references to kerberos(1) in the rlogin and kinit man pages and include kerberos.1 in krb5-doc. (Closes: #154381, #154384) * Add more detailed information about each package to the extended descriptions. (Closes: #135517) * krb5-doc: Include info pages. (Closes: #292512) * krb5-doc: Fix two minor variable name problems in the texinfo docs. * Let dh_installdebconf set the debconf dependency. * Update standards version to 3.6.1. - Support noopt in DEB_BUILD_OPTIONS. - Let debhelper take care of calling ldconfig appropriately. - Remove calls to dh_undocumented. - Remove lintian overrides for links to the undocumented man page. - Install kdc.conf template in /usr/share/krb5-kdc rather than /usr/share/krb5 (policy 10.7.3 states the directory should be named after the package). - Symlink the kdc.conf template to /usr/share/doc/krb5-kdc/examples per policy 10.7.3 since it's also a useful example. * Update debhelper compatibility level to V4. - Remove all *.conffiles control files. They're no longer needed. * rules generally cleaned up. Commented out and unused debhelper programs removed as the set being run wasn't comprehensive anyway. Invocation order now matches the debhelper examples. * Removed (s) from copyright to make lintian happier. * Removed unnecessary lintian override for libkrb53. * Add lintian overrides for the duplicate dependencies on krb5 libraries. -- Russ Allbery Sat, 16 Apr 2005 14:12:08 -0700 krb5 (1.3.6-2) unstable; urgency=high * Package priority to standard * Fix buffer overflow in slc_add_reply in telnet.c (CAN-2005-0469) * Fix telnet.c env_opt_add buffer overflow (CAN-2005-0468) * Note that both of these vulnerabilities are client-side vulnerabilities that can be exploited only by a server. 
-- Sam Hartman Sun, 3 Apr 2005 23:49:08 -0400 krb5 (1.3.6-1) unstable; urgency=medium * New upstream version * Changing a password after the size of password history has been reduced may double free or write past end of an array; fix (CAN-2004-1189 / CERT VU#948033) * Conflict between krb5-kdc and kerberos4kth-kdc; also deals with krb5-admin-server conflict indirectly, Closes: #274763 -- Sam Hartman Sun, 2 Jan 2005 15:55:25 -0500 krb5 (1.3.5-1) unstable; urgency=low * New pt_br debconf translation, Closes: #278734 * New upstream version * Part of the fix to #261712: allow ftpd to build on gnu/bsd -- Sam Hartman Fri, 26 Nov 2004 18:44:02 -0500 krb5 (1.3.4-4) unstable; urgency=high * Fix what is hopefully the last remnant of the patch to gettextize the debconf without making the code consistent, thanks Thimo Neubauer, Closes: #271456 * Fix krb5_newrealm man page to better describe dependencies, thanks Rachel Elizabeth Dillon , Closes: #269685 -- Sam Hartman Mon, 13 Sep 2004 11:36:38 -0400 krb5 (1.3.4-3) unstable; urgency=high * Initial Czech translations thanks to Miroslav Kure, Closes: #264366 * Updated French debconf translation, thanks Martin Quinson, Closes: #264941 * KDC and clients double-free on error conditions (CAN-2004-0642, CERT VU#795632) * krb5_rd_cred() double-frees on error conditions (CAN-2004-0643, CERT VU#866472) * ASN.1 decoder in MIT Kerberos 5 releases krb5-1.3.4 and earlier allows unauthenticated remote attackers to induce infinite loop, causing denial of service, including in KDC code (CAN-2004-0644, CERT VU#550464) * Fix double free in krb524d handling of encrypted ticket contents (CAN-2004-0772) -- Sam Hartman Tue, 31 Aug 2004 13:04:51 -0400 krb5 (1.3.4-2) unstable; urgency=low * Fix doc-base files, Closes: #262916 -- Sam Hartman Wed, 4 Aug 2004 13:08:53 -0400 krb5 (1.3.4-1) unstable; urgency=low * New upstream version * Update krb5-doc to include pointers to the right html documents, Closes: #203321 * Patches to find res_search on amd64 and to 
include new Debian ports in shared library building, Closes: #261712 * Install default file for krb5-admin-server, Closes: #262428 * Patch from Russ Allbery to only prompt for a password once in krb4 when null is passed in to krb_get_in_pw_tkt, Closes: #262192 * New pt_br translation, thanks Andre Luis Lopes, Closes: #254115 * New French translation, thanks Christian Perrier, closes: #253685 -- Sam Hartman Sat, 31 Jul 2004 12:12:44 -0400 krb5 (1.3.3-2) unstable; urgency=high * Fix buffer overflow in krb5_aname_to_localname; potential remote root exploit in some fairly limited circumstances. You are not vulnerable unless you have enabled aname_to_lname rules in krb5.conf (CAN-2004-0523) * Fix kadmind template formatting, thanks Christian Perrier -- Sam Hartman Sat, 5 Jun 2004 16:57:44 -0400 krb5 (1.3.3-1) unstable; urgency=low * New upstream version * Gettextize my debconf templates, thanks Martin Quinson , Closes: #236176 * Don't remove /etc/krb5.conf on libkrb53 purge -- Sam Hartman Tue, 13 Apr 2004 20:04:37 -0400 krb5 (1.3.2-2) unstable; urgency=low * Don't check for /etc/krb5kdc/kadm5.keytab, Closes: #235966 * Fix dangling symlink, Closes: #203622 -- Sam Hartman Sun, 14 Mar 2004 20:46:27 -0500 krb5 (1.3.2-1) unstable; urgency=low * New Upstream Release, Closes: #223485 * Includes upstream patch to ignore unknown address families, Closes: #206851 * Include note that encrypted services are not enabled, Closes: #232115 * Up shlib deps because of new features in auth context -- Sam Hartman Sun, 29 Feb 2004 09:36:27 -0500 krb5 (1.3-3) unstable; urgency=low * Don't clear the key schedule so krb4 callers can use it, Closes: #203566 * Use alternatives system for rcp, Closes: #218392 -- Sam Hartman Tue, 3 Feb 2004 14:07:12 -0500 krb5 (1.3-2) unstable; urgency=low * Include patch to MIT Bug #1681, an incompatible change to etype_info2. This change will break clients between 1.3 beta1 and 1.3-1 talking to 1.3-2 KDCs, but is necessary because of a protocol bug. 
-- Sam Hartman Thu, 24 Jul 2003 13:32:33 -0400 krb5 (1.3-1) unstable; urgency=medium * New upstream version--finally 1.3 is released, Closes: #199573 * Don't depend on com_err in libcrypto, Closes: #201005 * Urgency is medium because the only code change is removing a single call to com_err and this package not being in testing is blocking other packages. The beta has been in unstable more than 10 days. * Update shlibs again to avoid long-term references to a beta in the archive -- Sam Hartman Sat, 19 Jul 2003 15:19:38 -0400 krb5 (1.2.99-1.3.beta5-1) unstable; urgency=low * New upstream version -- Sam Hartman Sat, 5 Jul 2003 21:29:44 -0400 krb5 (1.2.99-1.3.beta4-1) unstable; urgency=low * Fix rpath on generated binaries and in krb5-config, Closes: #198124 * Fix build-depends to require comerr-dev with correct shlibs, Closes: #197650 * New upstream version * Don't generate /etc/krb5kdc/kadm5.keytab as 1.3 does not require it except for kadmind4 -- Sam Hartman Fri, 20 Jun 2003 17:37:15 -0400 krb5 (1.2.99-1.3.beta3-4) unstable; urgency=low * Add replaces for libkadm55 on libkrb53 -- Sam Hartman Wed, 11 Jun 2003 16:41:16 -0400 krb5 (1.2.99-1.3.beta3-3) unstable; urgency=low * One more try at avoiding autoconf dependency -- Sam Hartman Wed, 11 Jun 2003 03:04:56 -0400 krb5 (1.2.99-1.3.beta3-2) unstable; urgency=low * Touch some more files to defeat autoheader -- Sam Hartman Tue, 10 Jun 2003 23:55:08 -0400 krb5 (1.2.99-1.3.beta3-1) unstable; urgency=low * Fix dh_makeshlibs call so dependencies are correct * New upstream version * Patch from Steve Langasek for versioned symbols; adapted to better fit the build system and to work for all libraries * This version builds with GCC 3.3, Closes: #195571 * Move the rest of the administration libraries into libkadm55 to reduce space required by libkrb53. 
* libkrb53 conflicts with current openafs-krb5 because of ABI changes in krb524 -- Sam Hartman Tue, 10 Jun 2003 20:56:33 -0400 krb5 (1.2.99-1.3.beta2-1) experimental; urgency=low * New upstream version * Include a patch from upstream CVS (post beta2) to fix renewable tickets. -- Sam Hartman Sun, 1 Jun 2003 00:30:35 -0400 krb5 (1.2.99-1.3.beta1-1) experimental; urgency=low * New upstream pre-release * Update copyright * Add db_stop calls to krb5-kdc.postinst and krb5-admin-server.postinst * Install a fakeka binary * Install libkrb524.a even though upstream does not * kdc defaults to no v4 support per upstream change. -- Sam Hartman Thu, 15 May 2003 11:37:10 -0400 krb5 (1.2.99-1.3.alpha3-1) experimental; urgency=low * New upstream pre-release - ftp no longer segfaults on wildcards, Closes: #175495 - Clock skew is returned on clock skew with preauth, Closes: #98855 - Preauthentication has been reworked to improve interoperability with older implementations and to comply with Kerberos Clarifications, Closes: #169014 - Typo in man page fixed, Closes: #127302 * Remove dangling symlink, Closes: #133244 * Depend on sufficiently new com_err and libss * Build the crypto library -O9 as it seems to help performance a lot. * Bump up shared library versions; all the public libraries have new functions -- Sam Hartman Mon, 12 May 2003 02:22:37 -0400 krb5 (1.2.7-3) unstable; urgency=high * Patch for CERT VU#623217 and VU#442569: Cryptographic weaknesses in Kerberos 4 - Add -X option to krb5kdc and krb524d. By default cross-realm is no longer supported for krb4 as it is a security hole. - Add protection to isolate krb5 keys from krb4 especially for the TGS key - Remove support for the MIT extension to krb4 to use 3DES keys as it is insecure. * Patch to various DOS issues where the KDC assumes principal names have certain components. Fixes CAN-2003-0072 * VU#516825: Additional errors in XDR that may lead to denial of service. 
* Fix template bug in v5passwd template, Closes: #172565 -- Sam Hartman Tue, 25 Mar 2003 08:03:00 -0500 krb5 (1.2.7-2) unstable; urgency=low * Remove declaration of errno from krb.h -- Sam Hartman Mon, 6 Jan 2003 15:38:20 -0500 krb5 (1.2.7-1) unstable; urgency=high * New upstream version * Still urgency high until the kadmin4 fix gets into testing * Don't declare errno so glibc will be happy; applying upstream as well, Closes: #168528 * Remove pidfile argument from start-stop-daemon call for restarting krb5kdc so it actually works, Closes: #174881 -- Sam Hartman Sun, 5 Jan 2003 18:00:55 -0500 krb5 (1.2.6-2) unstable; urgency=high * Security fix for buffer overflow in kadmind4 (mitsa-2002-2) * If bison is too good for yacc compatibility then we're too good for bison, Closes: #165655 * Include readme.debian if we're going to reference it, Closes: #166399 * Fix readme.debian comments to be correct -- Sam Hartman Sat, 26 Oct 2002 17:18:41 -0400 krb5 (1.2.6-1) unstable; urgency=low * New upstream version * Important: upstream has introduced a new way of handling AFS tickets within krb524d; long-term this may allow the use of ticket keys other than DES with AFS, but short-term this will break AFS because OpenAFS has not yet released servers that support the new mechanism. If you run AFS servers and don't want them to break, please look at README.debian * This includes a fix for 162794 as that is now in the upstream * For now, libkrb5-dev is going to be priority extra. 
If anyone complains I'll attempt to fight the comerr-dev dependency battle; honestly I think comerr-dev is common enough and on enough systems that it rates optional but the maintainer does not, Closes: #145165 * Fix restart to restart krb524d, Closes: #162477 -- Sam Hartman Sun, 6 Oct 2002 16:40:44 -0400 krb5 (1.2.5-3) unstable; urgency=high * Try to fix diversion handling for real this time, Closes: #155514 -- Sam Hartman Mon, 5 Aug 2002 13:40:53 -0400 krb5 (1.2.5-2) unstable; urgency=high * We are still installing a krb5.conf.template; don't as that is kerberos-configs's job. * The MIT KDC was not sending etype info padata; this could create a problem if you require preauth and have unusual salts; patch from upstream CVS * Add readme to krb5-user, Closes: #152670 * Fix typo in alternatives handling so man page symlinks are handled correctly, Closes: #152707 * Include XDR encoding patch for krb5-sa-2002-01; same patch as the woody security update -- Sam Hartman Sat, 3 Aug 2002 17:51:50 -0400 krb5 (1.2.5-1) unstable; urgency=low * New upstream version; not really any patches that will actually affect Debian at all, as we pulled them into 1.2.4 packages from upstream CVS * Stop shipping patches that upstream has accepted and released * Update included upstream PGP signature * Fix diversion handling; it was fairly broken in 1.2.4. All we divert now is rcp * Ftp should not be diverted, closes: #146171 * Fix overly small fixed length buffer in kuserok, closes: #145106 -- Sam Hartman Sun, 2 Jun 2002 19:22:39 -0400 krb5 (1.2.4-5) unstable; urgency=low * Pull up bugfix from 1.2.5 beta1 to src/lib/krb5/asn.1/asn1_get.c * This should be the last thing we need from 1.2.5; Debian has all the 1.2.5 changes besides the API reorg. I'm not checking an API reorg this close to woody release. 
-- Sam Hartman Fri, 12 Apr 2002 12:16:49 -0400 krb5 (1.2.4-4) unstable; urgency=low * Suggest rather than recommend krb5-user from libkrb53, closes: #140116 * Fix null pointer dereference in krb5 library; pull patch from 1.2.5 beta1 -- Sam Hartman Wed, 10 Apr 2002 14:19:49 -0400 krb5 (1.2.4-3) unstable; urgency=medium * Move from non-us to main -- Sam Hartman Sat, 16 Mar 2002 15:04:44 -0500 krb5 (1.2.4-2) unstable; urgency=low * Don't respect umask when writing out srvtabs; you always want them 0600 and if you don't you can chmod later, closes: #135988 * To work with Heimdal, accept encrypted creds in gss_accept_sec_context, closes: #135962 * Fix kadmin ACL bug. Targets (a cool but undocumented ACL feature) didn't work quite right. They do now. -- Sam Hartman Sun, 3 Mar 2002 18:53:40 -0500 krb5 (1.2.4-1) unstable; urgency=low * Don't check address in krb5_rd_cred; upstream patch also applied to their CVS, closes: #132226 * Patch from Ken Raeburn to improve over-the-wire errors from KDC, included because I happened to be testing it and it seemed to work * New upstream release -- Sam Hartman Fri, 1 Mar 2002 00:44:26 -0500 krb5 (1.2.3-2) unstable; urgency=low * We want to be able to use krb4 and libssl's libcrypto in the same program. To do this, we make libkrb4 bind libdes425 -Bsymbolic and we allow krb_mk_priv and krb_rd_priv to take null schedule arguments. 
-- Sam Hartman Tue, 15 Jan 2002 12:17:40 -0500 krb5 (1.2.3-1) unstable; urgency=low * New upstream version, closes: #110932 * Use alternatives for rsh, closes: #122710 * Major version of libkadm5 bumped; we no longer conflict with heimdal there -- Sam hartman Thu, 10 Jan 2002 06:59:13 -0500 krb5 (1.2.2-8) unstable; urgency=low * Oops, call htons around port numbers in kprop patch * Register with doc-base, closes: #100463 * Move krb5.conf and kdc.conf manpages into krb5-doc; krb5-doc now conflicts with heimdal-docs, closes: #121141 -- Sam Hartman Sun, 25 Nov 2001 23:47:35 -0500 krb5 (1.2.2-7) unstable; urgency=low * Forward only tickets we believe the remote side knows the enctype of, closes: #99320 * Start krb5-kdc and krb5-admin-server before RPC services, thanks Hein Roehrig, closes: #88604 * Install krb5.conf and kdc.conf man pages in krb5-user. This is not ideal but installing them in krb5-config won't work as they are implementation dependent, closes: #109522 * Install kprop manpage, thanks Steve Langasek, closes: #120040 * Fix FHS paths with kprop; store files in /var/lib/krb5kdc, thanks again Steve, closes: #120050 * Telnet help should open a connection to the host help not give you a usage message, thanks Graeme Mathieson for a patch which will be sent upstream, closes: #118730 * Fix kprop handling of service name. If we can't find what we are looking for in /etc/services default to the obvious correct answer; thanks Steve, will commit upstream, closes: #120010 -- Sam Hartman Sat, 24 Nov 2001 22:10:16 -0500 krb5 (1.2.2-6) unstable; urgency=high * Include telnetd security patch for ring buffer issue from upstream * Conflict with the right Heimdal libs, closes: #103872 -- Sam Hartman Wed, 1 Aug 2001 15:19:43 -0400 krb5 (1.2.2-5) unstable; urgency=low * Use krb5-config; remove our own krb5.conf handling.. Note this is the krb5-config package for /etc/krb5.conf, not the krb5-config library helper command. 
* * Conflict with kerberos4kth-services, closes: #93303 * Update config.guess and config.sub, closes: #97585 * Have telnetd depend on krb5-rsh-server. I suspect this will make people grumpy and we need a better fix. Really, Kerberized rlogin is better than telnetd from a security standpoint, so I'm OK with it for now. Closes: #96695 -- Sam Hartman Wed, 16 May 2001 17:44:47 -0400 krb5 (1.2.2-4) unstable; urgency=low * Fix shared libraries to build with gcc not ld to properly include -lgcc symbols, closes: #94407 -- Sam Hartman Fri, 20 Apr 2001 02:47:21 -0400 krb5 (1.2.2-3) unstable; urgency=high * Fix vulnerability with glob call. CERT claims that Linux is not vulnerable, but I believe the krb5 implementation is. The result of glob was copied into a fixed-sized buffer. This fixes that; closes: #93689 * Provide ftp-server not ftpd, closes: #93531 * Do not link kadm5clnt against kdb5. -- Sam Hartman Wed, 11 Apr 2001 19:50:17 -0400 krb5 (1.2.2-2) unstable; urgency=low * Work to provide an alternative for telnet and to be a telnet-client, closes: #87914 * libkrb5-dev depends on comerr-dev, closes: #87489 * Make clean target remove configure-stamp -- Sam Hartman Mon, 5 Mar 2001 08:25:17 -0500 krb5 (1.2.2-1) unstable; urgency=low * New Upstream version, Closes: #82546 * Depend on debconf, closes: #87490 * Fix debconf formatting issue, closes: #84447 * Create sample ACL file, closes: #84448 * Fix lintian warnings and override as appropriate * Upgrade to policy 3.5 moving stuff out of examples. -- Sam Hartman Fri, 2 Mar 2001 11:32:06 -0500 krb5 (1.2.1-9) unstable; urgency=low * Do not use TIOCGLTC anywhere * Build without TCL, closes: #81977 * Fix krb5-admin-server restart, closes: #81070 * With the new dpkg-source, files get diffed in the wrong order for us to prevent autoconf from getting run just by mangling things and making sure we change every configure script. So, touch every configure script in debian/rules. 
-- Sam Hartman Sat, 13 Jan 2001 19:27:37 -0500 krb5 (1.2.1-8) unstable; urgency=low * Use separate build directory because the source tree supports it and it works around failures in the upstream clean target, closes: #78954 * Make sure we modify all the configure scripts since we modify aclocal.m4 so that time stamps don't cause autoconf to be run. * Add bison and debhelper as build-depends, closes: #79643 * New maintainer address -- Sam Hartman Sat, 23 Dec 2000 16:20:24 -0500 krb5 (1.2.1-7) unstable; urgency=low * Do not conflict with libss.a * Upload to Debian (Closes: BUG#78499) -- Sam Hartman Mon, 4 Dec 2000 04:15:50 -0500 krb5 (1.2.1-6) unstable; urgency=low * Fix kpasswd manpage. * Split out libkadm5 to avoid Heimdal conflict * Conflict with kerberos4kth. * Remove runpaths from libs and executables. -- Sam Hartman Wed, 29 Nov 2000 12:18:22 -0500 krb5 (1.2.1-5) unstable; urgency=low * If libkrb53 was preconfigured, then krb5.conf could override explicit user input. -- Sam Hartman Sat, 25 Nov 2000 17:01:26 -0500 krb5 (1.2.1-4) unstable; urgency=low * Write init.d scripts for kdc and admin server. * Ask what admin programs to run and what krb4 mode to use. * Populate initial kdc.conf if needed. * New script (krb5_newrealm) to set up a Kerberos realm * Document KDC issues. * Make libkrb53.config work again so libkrb53 installs -- Sam Hartman Sat, 18 Nov 2000 17:22:16 -0500 krb5 (1.2.1-3) unstable; urgency=low * Add KDC packages * Install login.krb5 Sadly, it is needed to make forwarded credentials work. This is unfortunate; it is not a good login program. -- Sam Hartman Wed, 8 Nov 2000 16:10:13 -0500 krb5 (1.2.1-2) unstable; urgency=low * Add copyright and README.debian * Ship kadmin in krb5-user. * Add services to inetd.conf * Add support for generating krb5.conf -- Sam Hartman Thu, 2 Nov 2000 17:29:59 -0500 krb5 (1.2.1-1) unstable; urgency=low * Initial Release. 
-- Sam Hartman Thu, 19 Oct 2000 16:05:06 -0400 debian/control0000664000000000000000000004307112412233003010566 0ustar Source: krb5 Section: net Priority: standard Build-Depends: debhelper (>= 8.1.3), byacc | bison, comerr-dev, docbook-to-man, doxygen, libkeyutils-dev [linux-any], libldap2-dev, libncurses5-dev, libssl-dev, ss-dev, libverto-dev (>= 0.2.4), pkg-config build-depends-indep: python-cheetah, python-lxml, python-sphinx, doxygen-latex Standards-Version: 3.9.5 Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Sam Hartman Uploaders: Russ Allbery , Benjamin Kaduk Homepage: http://web.mit.edu/kerberos/ VCS-Git: git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git VCS-Browser: http://git.debian.org/?p=pkg-k5-afs/debian-krb5-2013.git Package: krb5-user Architecture: any Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}), krb5-config Conflicts: heimdal-clients Description: Basic programs to authenticate using MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the basic programs to authenticate to MIT Kerberos, change passwords, and talk to the admin server (to create and delete principals, list principals, etc.). Package: krb5-kdc Architecture: any Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}), libkadm5srv-mit9, krb5-config, krb5-user, lsb-base (>= 3.0-6), libverto-libev1 | libverto-libevent1 Suggests: openbsd-inetd | inet-superserver, krb5-admin-server, krb5-kdc-ldap (= ${binary:Version}) Description: MIT Kerberos key server (KDC) Kerberos is a system for authenticating users and services on a network. 
Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the Kerberos key server (KDC). The KDC manages all authentication credentials for a Kerberos realm, holds the master keys for the realm, and responds to authentication requests. This package should be installed on both master and slave KDCs. Package: krb5-kdc-ldap Architecture: any Priority: extra Depends: ${misc:Depends}, ${shlibs:Depends}, krb5-kdc (= ${binary:Version}) Description: MIT Kerberos key server (KDC) LDAP plugin Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the LDAP plugin for the Kerberos key server (KDC) and supporting utilities. This plugin allows the KDC data to be stored in an LDAP server rather than the default local database. It should be installed on both master and slave KDCs that use LDAP as a storage backend. Package: krb5-admin-server Architecture: any Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}), krb5-kdc (>= 1.10+dfsg~), lsb-base (>= 3.0-6) Description: MIT Kerberos master server (kadmind) Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . 
This package contains the Kerberos master server (kadmind), which handles account creations and deletions, password changes, and other administrative commands via the Kerberos admin protocol. It also contains the command used by the master KDC to propagate its database to slave KDCs. This package is generally only used on the master KDC for a Kerberos realm. Package: krb5-multidev Section: libdevel Architecture: any Depends: ${misc:Depends}, libkrb5-3 (= ${binary:Version}), libk5crypto3 (= ${binary:Version}), libgssapi-krb5-2 (= ${binary:Version}), libgssrpc4 (= ${binary:Version}), libkadm5srv-mit9 (= ${binary:Version}), libkadm5clnt-mit9 (= ${binary:Version}), comerr-dev, Priority: optional Suggests: krb5-doc Description: Development files for MIT Kerberos without Heimdal conflict Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . Most users wishing to build applications against MIT Kerberos should install libkrb5-dev. However, that package conflicts with heimdal-dev. This package installs libraries and headers in /usr/include/mit-krb5 and /usr/lib/mit-krb5 and can be installed along side heimdal-multidev, which provides the same facilities for Heimdal. Package: libkrb5-dev Section: libdevel Architecture: any Depends: ${misc:Depends}, krb5-multidev (= ${binary:Version}) Replaces: krb5-multidev (<< 1.8+dfsg~alpha1-3) Conflicts: heimdal-dev Priority: extra Suggests: krb5-doc Description: Headers and development libraries for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. 
That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the symlinks, headers, and development libraries needed to compile and link programs that use the Kerberos libraries. Package: libkrb5-dbg Architecture: any Depends: ${misc:Depends}, libkrb5-3 (= ${binary:Version}) | libk5crypto3 (= ${binary:Version}) | libkrb5support0 (= ${binary:Version}) Priority: extra Section: debug Multi-Arch: same Description: Debugging files for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the debugging information for the MIT Kerberos libraries. Install this package if you need to trace problems inside the MIT Kerberos libraries with a debugger. Package: krb5-pkinit Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}) Suggests: opensc Priority: extra Multi-Arch: same Description: PKINIT plugin for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains a plugin for the PKINIT protocol, which allows Kerberos tickets to be obtained using public-key credentials such as X.509 certificates or a smart card. This plugin can be used by the client libraries and the KDC. 
Package: krb5-otp Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libkrad0 (= ${binary:Version}) Priority: extra Multi-Arch: same Description: OTP plugin for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains a plugin for the OTP preauthentication method (RFC 6560), which allows Kerberos tickets to be obtained using One-Time Password authentication. This plugin is for use on the KDC; the client support is built in to libkrb5. Package: krb5-doc Architecture: all Priority: optional Conflicts: heimdal-docs Section: doc Depends: ${misc:Depends} Description: Documentation for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the installation, administrator, and user reference manuals for MIT Kerberos and the man pages for the MIT Kerberos configuration files. Package: libkrb5-3 Section: libs Breaks: sssd (<= 1.2.1-4.3), libsmbclient (<= 2:3.6.1-2) Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5support0 (= ${binary:Version}) Suggests: krb5-doc, krb5-user Conflicts: libkrb53 Recommends: krb5-locales Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. 
That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the runtime library for the main Kerberos v5 API used by applications and Kerberos clients. Package: libgssapi-krb5-2 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, libkrb5-3 (= ${binary:Version}) Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Breaks: libgssglue1 (<< 0.2-2) Description: MIT Kerberos runtime libraries - krb5 GSS-API Mechanism Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the runtime library for the MIT Kerberos implementation of GSS-API used by applications and Kerberos clients. Package: libgssrpc4 Section: libs Conflicts: libkadm55 Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries - GSS enabled ONCRPC Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains an RPC library used by the Kerberos administrative programs and potentially other applications. 
Package: libkadm5srv-mit9 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries - KDC and Admin Server Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the runtime library used by Kerberos administrative servers. Package: libkadm5srv-mit8 Section: oldlibs Priority: extra Architecture: any Multi-Arch: same Depends: libkadm5srv-mit9 Description: transitional dummy package for libkadm5srv-mit9 This transitional dummy package is safe to remove. Package: libkadm5clnt-mit9 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries - Administration Clients Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the runtime library used by clients of the Kerberos administration protocol. Package: libk5crypto3 Section: libs Breaks: libkrb5-3 (<= 1.8~aa), libgssapi-krb5-2 (<= 1.10+dfsg~alpha1) Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Conflicts: libkrb53 Description: MIT Kerberos runtime libraries - Crypto Library Kerberos is a system for authenticating users and services on a network. 
Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the runtime cryptography libraries used by applications and Kerberos clients. Package: libkdb5-7 Section: libs Breaks: libkadm5srv-mit8 (<< 1.11+dfsg~) Replaces: libkadm5srv-mit8 (<< 1.11+dfsg~) Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Suggests: krb5-doc, krb5-user Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries - Kerberos database Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the internal Kerberos database libraries. Package: libkrb5support0 Section: libs Conflicts: libkrb53 Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries - Support library Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains an internal runtime support library used by other Kerberos libraries. 
Package: libkrad0 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Description: MIT Kerberos runtime libraries - RADIUS library Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains the internal support library for RADIUS functionality. Package: krb5-gss-samples Section: net Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Priority: extra Description: MIT Kerberos GSS Sample applications Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains bgss-sample and gss-server, programs used to test GSS-API mechanisms. These programs are most commonly used in testing newly developed GSS-API mechanisms or in testing events between Kerberos or GSS implementations. Package: krb5-locales Section: localization Architecture: all Depends: ${misc:Depends}, ${shlibs:Depends}, Pre-Depends: ${misc:Pre-Depends} Multi-Arch: foreign Description: Internationalization support for MIT Kerberos Kerberos is a system for authenticating users and services on a network. Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). . This is the MIT reference implementation of Kerberos V5. . This package contains internationalized messages for MIT Kerberos. 
Package: libkrad-dev Section: libdevel Architecture: any Depends: ${misc:Depends}, libkrad0 (= ${binary:Version}), comerr-dev, libverto-dev (>= 0.2.4) Priority: extra Suggests: libkrb5-dev Replaces: libkrb5-dev (<< 1.12+dfsg-2) Breaks: krb5-multidev (<<1.12+dfsg-2), libkrb5-dev (<<1.12+dfsg-2) Description: MIT Kerberos RADIUS Library Development This package includes development headers for libkrad0, the MIT Kerberos RADIUS library. You should not use this RADIUS library in packages unrelated to MIT Kerberos. debian/rules0000775000000000000000000001640212300350722010245 0ustar
#!/usr/bin/make -f
# Based on sample debian/rules that uses debhelper.
# GNU copyright 1997 by Joey Hess.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

# This has to be exported to make some magic below work.
export DH_OPTIONS

# Recipes in this file are run with bash instead of make's default shell.
SHELL=/bin/bash
export SHELL

# Tell Autoconf the correct system types.  Needed for cross builds.
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
# Native build (build type equals host type): pass only --build and no cache
# file.  Cross build: pass --build and --host and name a <host-type>.cache
# file for configure.
ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
  SYSTEM = --build $(DEB_HOST_GNU_TYPE)
  CACHE =
else
  SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
  CACHE = --cache-file=$(DEB_HOST_GNU_TYPE).cache
endif
export DEB_HOST_MULTIARCH

# Fallback compiler flags.  FLAGS below uses CCOPTS only when dpkg-buildflags
# fails.  On that path _FORTIFY_SOURCE and the stack protector are added only
# for the two host types listed, so any other architecture would be built
# without them.
# NOTE(review): confirm that the dpkg-buildflags path supplies the intended
# hardening flags on every architecture this package is built for.
CCOPTS=-g
ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
  CCOPTS +=-O0
else
  CCOPTS +=-O2
endif

ifneq (,$(filter i486-linux-gnu x86_64-linux-gnu,$(DEB_HOST_GNU_TYPE)))
  CCOPTS +=-D_FORTIFY_SOURCE=2 -fstack-protector
endif

# Prefer the flags printed by dpkg-buildflags --export=configure; if that
# command fails, fall back to a CFLAGS assignment built from CCOPTS.
FLAGS=$(shell if res=`dpkg-buildflags --export=configure `; then echo $$res; else echo CFLAGS="'$(CCOPTS)'"; fi)
# Replace every -O3 in the collected flags with -O2.
FLAGS:=$(subst -O3,-O2,$(FLAGS))

# parallel=N in DEB_BUILD_OPTIONS becomes -jN for the main build.
ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
  NUMJOBS = -j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
endif

# The flags to pass to dh_install specifying the upstream files to exclude.
# We use --fail-missing to be sure we catch any new upstream files, so be
# sure to update this list if upstream adds any more files we don't want.
EXCLUDE = -Xtmac.doc -Xexamples/krb5 -Xgnats/mit -Xkrb5-send-pr \
    -Xsserver -Xsim_server -Xuuserver \
    -Xsclient -Xsim_client -Xuuclient

# Library packages that binary-arch strips one at a time (debug information
# goes to libkrb5-dbg) and runs dh_makeshlibs on.
LIB_PACKAGES = libkrb5-3 libgssapi-krb5-2 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libgssrpc4 \
    libkrb5support0 libk5crypto3 libkrad0

# We touch each configure and Autoconf-related file so that we do not attempt
# to use Autoconf.  The cache is used by the Emdebian project for cross
# compiles.
configure: configure-stamp
configure-stamp:
	dh_testdir
	mkdir -p build
# NOTE(review): the find output is piped to xargs without NUL delimiters, so
# this is only safe while no path under src/ contains whitespace.
	find src -name configure -print | xargs touch
	find src \( -name \*hin -o -name \*.h.in -o -name \*.stmp \) -print \
		| xargs touch
# Copy a configure cache for this host type into build/ when one exists.
	[ ! -f $(DEB_HOST_GNU_TYPE).cache ] \
		|| cp $(DEB_HOST_GNU_TYPE).cache build/
# $(FLAGS) is placed in front of the configure command, so its VAR=value
# pairs are set for that one invocation.  In --libdir, $$ yields a literal $
# and the backslash stops the shell from expanding it, so configure receives
# the text ${prefix} unexpanded.
	cd build && $(FLAGS) ../src/configure \
		--prefix=/usr --localstatedir=/etc --mandir=/usr/share/man \
		--with-system-et --with-system-ss --disable-rpath \
		--enable-shared --with-ldap --without-tcl \
		--with-system-verto \
		--libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
		$(SYSTEM) $(CACHE)
	touch configure-stamp

# Build the documentation in a separate directory, since otherwise we'll
# overwrite the info pages provided upstream and then debian/rules clean won't
# get back to a virgin copy of the package.
build: build-arch build-indep
build-arch: build-stamp
build-indep: build-indep-stamp

# Compile everything in build/, with -jN when NUMJOBS is set.
build-stamp: configure-stamp
	cd build && $(MAKE) $(NUMJOBS) all
	touch build-stamp

# Generate the HTML and PDF documentation.
build-indep-stamp: build-stamp
# NOTE(review): this runs a literal `make` rather than $(MAKE), unlike the
# other sub-make calls in this file.
	cd build/doc && make substhtml substpdf
# Replace four JavaScript files in the generated _static/ directory with
# symlinks to absolute paths under /usr/share/javascript, so the installed
# documentation presumably uses the system copies of these libraries instead
# of the ones written by the documentation build.
	ln -sf /usr/share/javascript/jquery/jquery.js build/doc/html_subst/_static/jquery.js
	ln -sf /usr/share/javascript/underscore/underscore.js build/doc/html_subst/_static/underscore.js
	ln -sf /usr/share/javascript/sphinxdoc/1.0/doctools.js build/doc/html_subst/_static/doctools.js
	ln -sf /usr/share/javascript/sphinxdoc/1.0/searchtools.js build/doc/html_subst/_static/searchtools.js
	touch build-indep-stamp

# The leading "-" makes make ignore a failure of the rm.
clean:
	dh_testdir
	-rm -rf build doc/tools/*.pyc doc/version.py
	dh_clean build-stamp configure-stamp build-indep-stamp

# Target-specific empty DH_OPTIONS, so the -i / -a value set by binary-indep /
# binary-arch does not carry into this prerequisite.
install: DH_OPTIONS=
install: build-arch
	dh_testdir
	dh_testroot
	dh_prep
# Generate the listed debhelper files from their .in templates.  The first
# ${DEB_HOST_MULTIARCH} is escaped and reaches sed as literal text to match;
# the second is expanded by make to the actual multiarch triplet.
	set -e; for file in krb5-kdc.dirs krb5-multidev.dirs krb5-multidev.links \
	    krb5-multidev.install libkrb5-3.dirs libkrb5-dev.dirs; \
	do \
	    sed -e"s,\$${DEB_HOST_MULTIARCH},${DEB_HOST_MULTIARCH},g" \
	        debian/$${file}.in > debian/$$file; \
	done
	dh_installdirs
	cd build && $(MAKE) install DESTDIR=`pwd`/../debian/tmp
	install -d $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/krb5 $(CURDIR)/debian/tmp/etc/insserv/overrides
	install -m644 debian/krb5-kdc-ldap.insserv-override debian/tmp/etc/insserv/overrides/krb5-kdc
# Move the libkdb_ldap files into the krb5/ subdirectory and drop the
# unversioned .so name there.
	mv $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libkdb_ldap* \
	    $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/
	rm -f $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/libkdb_ldap*.so
	install -m644 src/util/ac_check_krb5.m4 \
	    debian/libkrb5-dev/usr/share/aclocal
	dh_install --sourcedir=debian/tmp --fail-missing $(EXCLUDE)
# Re-point every *.so symlink in the mit-krb5 directory at ../<its current
# target>, i.e. one directory level up.
# NOTE(review): `read` is used without -r and $$linkname is unquoted, so this
# relies on the link names containing no backslashes or whitespace.
	set -e ; find debian/krb5-multidev/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5 -type l -name \*.so -print |\
	    while read linkname; do \
	    ln -s -f ../`readlink $$linkname` \
	        $$linkname; \
	    done
	rm debian/krb5-multidev/usr/include/mit-krb5/krad.h debian/krb5-multidev/usr/lib/*/mit-krb5/libkrad.so
# For each directory, recreate the mit-krb5 subdirectory layout inside
# libkrb5-dev and add one symlink per file or link, pointing at the absolute
# /usr/<dir>/mit-krb5/ path.
# NOTE(review): unlike the two loops above, this one does not start with
# set -e, so a failure in an early iteration does not stop the build.
	for dir in include lib/$(DEB_HOST_MULTIARCH) lib/$(DEB_HOST_MULTIARCH)/pkgconfig; do \
	    (cd debian/krb5-multidev/usr/$$dir/mit-krb5 && \
	    find . -type d -print ) | (cd debian/libkrb5-dev/usr/$$dir && \
	        xargs mkdir -p); \
	    (cd debian/krb5-multidev/usr/$$dir/mit-krb5 && find . \( -type f -o -type l \) -print ) | \
	        (cd debian/libkrb5-dev/usr/$$dir && xargs -I+ ln -s /usr/$$dir/mit-krb5/+ +) ; \
	    done
# however we will handle libkadm5{srv,clnt.so} in dh_link
# because they actually point to the current level not one level up
# (the {clnt,srv} brace expansion below needs bash, which SHELL selects)
	rm -f debian/krb5-multidev/usr/lib/$(DEB_HOST_MULTIARCH)/mit-krb5/libkadm5{clnt,srv}.so
	docbook-to-man debian/krb5_newrealm.sgml \
	    > debian/krb5-admin-server/usr/share/man/man8/krb5_newrealm.8
# krb5_newrealm is installed root-owned and executable (755); the kdc.conf
# template is installed root-owned and not executable (644).
	install -o root -g root -m 755 debian/krb5_newrealm \
	    debian/krb5-admin-server/usr/sbin
	install -o root -g root -m 644 debian/kdc.conf \
	    debian/krb5-kdc/usr/share/krb5-kdc/kdc.conf.template
	ln -s /usr/share/krb5-kdc/kdc.conf.template \
	    debian/krb5-kdc/usr/share/doc/krb5-kdc/examples/kdc.conf

# Build architecture-independent files here.
# Pass -i to all debhelper commands in this target to reduce clutter.
binary-indep: DH_OPTIONS=-i
binary-indep: build-indep install
	dh_testdir
	dh_testroot
	dh_installchangelogs -Xdoc/CHANGES
	dh_installchangelogs -pkrb5-doc -k doc/CHANGES
	dh_installdocs
	dh_installinfo
	dh_link
	dh_compress
	dh_fixperms
	dh_installdeb
	dh_gencontrol
	dh_md5sums
	dh_builddeb

# Build architecture-dependent files here.
# Pass -a to all debhelper commands in this target to reduce clutter.  Strip
# library packages separately and save the debug information for the
# libkrb5-dbg package.  This method strips the libraries in those packages
# twice, but that should be harmless and all other ways of doing this seem
# uglier.
binary-arch: DH_OPTIONS=-a
binary-arch: build-arch install
	dh_testdir
	dh_testroot
	dh_installchangelogs -Xdoc/CHANGES
	dh_installdocs
	dh_installdebconf
# The arguments after -- are passed on to update-rc.d.
	dh_installinit -- defaults 18 18
	dh_lintian
# DH_OPTIONS is emptied for these two calls so that each acts on the single
# package named with -p.  The -c4 after -- is handed to the symbols check;
# NOTE(review): that is presumably its strictest level - confirm.
	set -e ; for pkg in $(LIB_PACKAGES) ; do \
	    DH_OPTIONS="" dh_strip -p$$pkg --dbg-package=libkrb5-dbg; \
	    DH_OPTIONS="" dh_makeshlibs -p$$pkg -Xusr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins -- -c4 ; \
	done
	dh_strip
	dh_link
	dh_compress
	dh_fixperms
# The three chmod calls come after dh_fixperms, which normalises permissions
# and clears setuid/setgid bits, so these modes are what ends up in the
# packages.
# ksu is shipped with the setuid bit set.
# NOTE(review): the owner is presumably root at this point; treat ksu as
# privileged code and include it in setuid inventories and file-integrity
# monitoring.
	chmod u+s debian/krb5-user/usr/bin/ksu
# Restrict the two krb5kdc directories to their owner (mode 700).
	chmod 700 debian/krb5-kdc/var/lib/krb5kdc
	chmod 700 debian/krb5-kdc/etc/krb5kdc
	dh_installdeb
	dh_shlibdeps
	dh_gencontrol
	dh_md5sums
	dh_builddeb

binary: binary-indep binary-arch
.PHONY: build clean configure binary-indep binary-arch binary install
debian/krb5-gss-samples.docs0000664000000000000000000000003312272025332013133 0ustar src/appl/gss-sample/README debian/krb5-doc.install0000664000000000000000000000023212272025331012160 0ustar usr/share/man/man5/k5login.5 usr/share/man/man5/.k5login.5 usr/share/man/man5/k5identity* usr/share/man/man5/.k5identity.5 usr/share/man/man5/krb5.conf.5 debian/libgssrpc4.install0000664000000000000000000000003212272025332012625 0ustar usr/lib/*/libgssrpc.so.4* debian/libkrb5support0.symbols0000664000000000000000000001077412272025331013657 0ustar libkrb5support.so.0 libkrb5support0 #MINVER# HIDDEN@HIDDEN 1.7dfsg~beta2 k5_base64_decode@krb5support_0_MIT 1.12~alpha1+dfsg k5_base64_encode@krb5support_0_MIT 1.12~alpha1+dfsg k5_bcmp@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_add@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_add_fmt@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_add_len@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_data@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_init_dynamic@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_init_fixed@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_len@krb5support_0_MIT 1.12~alpha1+dfsg k5_buf_truncate@krb5support_0_MIT 1.12~alpha1+dfsg k5_clear_error@krb5support_0_MIT 1.12~alpha1+dfsg k5_free_buf@krb5support_0_MIT 1.12~alpha1+dfsg
k5_free_error@krb5support_0_MIT 1.12~alpha1+dfsg k5_get_error@krb5support_0_MIT 1.12~alpha1+dfsg k5_json_array_add@krb5support_0_MIT 1.11+dfsg k5_json_array_create@krb5support_0_MIT 1.11+dfsg k5_json_array_fmt@krb5support_0_MIT 1.12~alpha1+dfsg k5_json_array_get@krb5support_0_MIT 1.11+dfsg k5_json_array_length@krb5support_0_MIT 1.11+dfsg k5_json_array_set@krb5support_0_MIT 1.11+dfsg k5_json_bool_create@krb5support_0_MIT 1.11+dfsg k5_json_bool_value@krb5support_0_MIT 1.11+dfsg k5_json_decode@krb5support_0_MIT 1.11+dfsg k5_json_encode@krb5support_0_MIT 1.11+dfsg k5_json_get_tid@krb5support_0_MIT 1.11+dfsg k5_json_null_create@krb5support_0_MIT 1.11+dfsg k5_json_null_create_val@krb5support_0_MIT 1.12~alpha1+dfsg k5_json_number_create@krb5support_0_MIT 1.11+dfsg k5_json_number_value@krb5support_0_MIT 1.11+dfsg k5_json_object_count@krb5support_0_MIT 1.11+dfsg k5_json_object_create@krb5support_0_MIT 1.11+dfsg k5_json_object_get@krb5support_0_MIT 1.11+dfsg k5_json_object_iterate@krb5support_0_MIT 1.11+dfsg k5_json_object_set@krb5support_0_MIT 1.11+dfsg k5_json_release@krb5support_0_MIT 1.11+dfsg k5_json_retain@krb5support_0_MIT 1.11+dfsg k5_json_string_create@krb5support_0_MIT 1.11+dfsg k5_json_string_create_base64@krb5support_0_MIT 1.11+dfsg k5_json_string_create_len@krb5support_0_MIT 1.11+dfsg k5_json_string_unbase64@krb5support_0_MIT 1.11+dfsg k5_json_string_utf8@krb5support_0_MIT 1.11+dfsg k5_path_isabs@krb5support_0_MIT 1.10+dfsg~alpha1 k5_path_join@krb5support_0_MIT 1.10+dfsg~alpha1 k5_path_split@krb5support_0_MIT 1.10+dfsg~alpha1 k5_set_error@krb5support_0_MIT 1.12~alpha1+dfsg k5_set_error_fl@krb5support_0_MIT 1.12~alpha1+dfsg k5_set_error_info_callout_fn@krb5support_0_MIT 1.12~alpha1+dfsg k5_vset_error@krb5support_0_MIT 1.12~alpha1+dfsg k5_vset_error_fl@krb5support_0_MIT 1.12~alpha1+dfsg krb5int_close_plugin@krb5support_0_MIT 1.7dfsg~beta2 krb5int_close_plugin_dirs@krb5support_0_MIT 1.7dfsg~beta2 krb5int_free_plugin_dir_data@krb5support_0_MIT 1.7dfsg~beta2 
krb5int_free_plugin_dir_func@krb5support_0_MIT 1.7dfsg~beta2 krb5int_freeaddrinfo@krb5support_0_MIT 1.7dfsg~beta2 krb5int_gai_strerror@krb5support_0_MIT 1.7dfsg~beta2 krb5int_get_plugin_data@krb5support_0_MIT 1.7dfsg~beta2 krb5int_get_plugin_dir_data@krb5support_0_MIT 1.7dfsg~beta2 krb5int_get_plugin_dir_func@krb5support_0_MIT 1.7dfsg~beta2 krb5int_get_plugin_func@krb5support_0_MIT 1.7dfsg~beta2 krb5int_getaddrinfo@krb5support_0_MIT 1.7dfsg~beta2 krb5int_getnameinfo@krb5support_0_MIT 1.7dfsg~beta2 krb5int_getspecific@krb5support_0_MIT 1.7dfsg~beta2 krb5int_gmt_mktime@krb5support_0_MIT 1.7dfsg~beta2 krb5int_in6addr_any@krb5support_0_MIT 1.7dfsg~beta2 krb5int_key_delete@krb5support_0_MIT 1.7dfsg~beta2 krb5int_key_register@krb5support_0_MIT 1.7dfsg~beta2 krb5int_mutex_alloc@krb5support_0_MIT 1.7dfsg~beta2 krb5int_mutex_free@krb5support_0_MIT 1.7dfsg~beta2 krb5int_mutex_lock@krb5support_0_MIT 1.7dfsg~beta2 krb5int_mutex_unlock@krb5support_0_MIT 1.7dfsg~beta2 krb5int_open_plugin@krb5support_0_MIT 1.7dfsg~beta2 krb5int_open_plugin_dirs@krb5support_0_MIT 1.7dfsg~beta2 krb5int_pthread_loaded@krb5support_0_MIT 1.7dfsg~beta2 krb5int_setspecific@krb5support_0_MIT 1.7dfsg~beta2 krb5int_strlcat@krb5support_0_MIT 1.7dfsg~beta2 krb5int_strlcpy@krb5support_0_MIT 1.7dfsg~beta2 krb5int_ucs2lecs_to_utf8s@krb5support_0_MIT 1.7dfsg~beta2 krb5int_ucs4_to_utf8@krb5support_0_MIT 1.7dfsg~beta2 krb5int_utf8_lentab@krb5support_0_MIT 1.7dfsg~beta2 krb5int_utf8_mintab@krb5support_0_MIT 1.7dfsg~beta2 krb5int_utf8_next@krb5support_0_MIT 1.7dfsg~beta2 krb5int_utf8_to_ucs4@krb5support_0_MIT 1.7dfsg~beta2 krb5int_utf8cs_to_ucs2les@krb5support_0_MIT 1.7dfsg~beta2 krb5int_utf8s_to_ucs2les@krb5support_0_MIT 1.7dfsg~beta2 krb5int_zap@krb5support_0_MIT 1.8+dfsg~alpha1 krb5support_0_MIT@krb5support_0_MIT 1.7dfsg~beta2 debian/watch0000664000000000000000000000027112272025331010216 0ustar # debian/watch -- Rules for uscan to find new upstream versions. 
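version=3
# NOTE(review): upstream is fetched over plain http and nothing in this file
# verifies a signature.  The "-signed.tar" name suggests a signature travels
# inside the tarball; confirm it is checked before the tarball is imported.
opts=dversionmangle=s/\+dfsg// \
 http://web.mit.edu/kerberos/dist/ krb5/[\d.]+/krb5-([\d.]+)-signed.tar$
debian/libkrb5-3.docs0000664000000000000000000000003412272025332011527 0ustar README debian/README.Debian debian/compat0000664000000000000000000000000212272025332010364 0ustar 8 debian/krb5-kdc.install0000664000000000000000000000037412272025331012163 0ustar usr/sbin/kproplog usr/share/man/man8/kproplog.8 usr/sbin/kdb5_util usr/share/man/man8/kdb5_util.8 usr/sbin/kpropd usr/share/man/man8/kpropd.8 usr/sbin/krb5kdc usr/share/man/man8/krb5kdc.8 usr/share/man/man5/kdc.conf.5 usr/lib/*/krb5/plugins/kdb/db2.so debian/libkadm5clnt-mit9.install0000664000000000000000000000004112271473454014015 0ustar usr/lib/*/libkadm5clnt_mit.so.9* debian/krb5-kdc.prerm0000664000000000000000000000027112272025331011636 0ustar
#! /bin/sh
# prerm for krb5-kdc.  When called with "remove" as the first argument, asks
# update-inetd to remove the krb5_prop/kpropd entry, whether or not that
# entry is commented out.
set -e

if test "remove" = "$1"; then
    # update-inetd is optional, so skip the step when it is not installed.
    # command -v is the shell's own lookup and needs no external `which`.
    if command -v update-inetd >/dev/null 2>&1 ; then
        update-inetd --remove '#?krb5_prop.*/usr/sbin/kpropd'
    fi
fi

#DEBHELPER#

exit 0
debian/krb5-doc.docs0000664000000000000000000000044012272025332011444 0ustar debian/README.KDC README NOTICE build/doc/html_subst/*.html build/doc/html_subst/admin/ build/doc/html_subst/appdev/ build/doc/html_subst/basic/ build/doc/html_subst/build/ build/doc/html_subst/plugindev/ build/doc/html_subst/_static/ build/doc/html_subst/user/ build/doc/pdf_subst/*.pdf debian/krb5-locales.install0000664000000000000000000000002312272025332013034 0ustar usr/share/locale/* debian/libkdb-ldap1.install0000664000000000000000000000003312272025331012777 0ustar usr/lib/*/libkdb_ldap*so.* debian/libkrad0.install0000664000000000000000000000003012271473454012252 0ustar usr/lib/*/libkrad.so.0* debian/libkdb5-7.install0000664000000000000000000000002712272025331012234 0ustar usr/lib/*/libkdb5.so.* debian/krb5-admin-server.config0000664000000000000000000000070612272025331013614 0ustar #!/bin/sh set -e .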
/usr/share/debconf/confmodule
db_version 2.0

# Queue the krb5-admin-server/newrealm question at high priority.  The
# "|| true" keeps set -e from aborting the script when db_input returns
# non-zero (for example when the question is not shown).
db_input high krb5-admin-server/newrealm || true
db_go

# Only handle the kadmind question when krb5-kdc/debconf is "true".
db_get krb5-kdc/debconf
if [ x"$RET" = xtrue ] ; then
    if [ -f "/etc/default/krb5-admin-server" ] ; then
        # The defaults file is sourced, so everything in it runs as shell
        # code inside this script; only RUN_KADMIND is read afterwards.
        # NOTE(review): package configuration normally runs as root, so the
        # file should stay root-owned and not writable by other users.
        . /etc/default/krb5-admin-server
        # Seed the debconf answer from the value already in the file.
        if [ -n "$RUN_KADMIND" ] ; then
            db_set krb5-admin-server/kadmind "$RUN_KADMIND"
        fi
    fi
    db_input low krb5-admin-server/kadmind || true
    db_go
fi
debian/krb5-doc.doc-base.plugindev0000664000000000000000000000051512272025331014167 0ustar Document: plugindev Title: Kerberos Plugin Module Developer Guide Author: MIT Abstract: Plugin module development guide for MIT Kerberos. Section: System/Security Format: HTML Index: /usr/share/doc/krb5-doc/plugindev/index.html Files: /usr/share/doc/krb5-doc/plugindev/* Format: PDF Files: /usr/share/doc/krb5-doc/plugindev.pdf.gz debian/krb5-doc.doc-base.admin0000664000000000000000000000050412272025331013260 0ustar Document: admin Title: Kerberos Administration Guide Author: MIT Abstract: Administration and installation guide for MIT Kerberos Version 5. Section: System/Security Format: HTML Index: /usr/share/doc/krb5-doc/admin/index.html Files: /usr/share/doc/krb5-doc/admin/* Format: PDF Files: /usr/share/doc/krb5-doc/admin.pdf.gz debian/libkrb5-3.lintian-overrides0000664000000000000000000000007412272025331014240 0ustar libkrb5-3: package-contains-empty-directory */plugins/krb5/ debian/krb5-doc.doc-base.user0000664000000000000000000000042312272025331013146 0ustar Document: user Title: Kerberos User Guide Author: MIT Abstract: User's guide for MIT Kerberos.
Section: System/Security Format: HTML Index: /usr/share/doc/krb5-doc/user/index.html Files: /usr/share/doc/krb5-doc/user/* Format: PDF Files: /usr/share/doc/krb5-doc/user.pdf.gz debian/libkrb5-3.symbols0000664000000000000000000007134512272025332012304 0ustar libkrb5.so.3 libkrb5-3 #MINVER# HIDDEN@HIDDEN 1.6.dfsg.2 _krb5_conf_boolean@krb5_3_MIT 1.6.dfsg.2 decode_krb5_ad_kdcissued@krb5_3_MIT 1.8+dfsg decode_krb5_ad_signedpath@krb5_3_MIT 1.8+dfsg decode_krb5_ap_rep@krb5_3_MIT 1.6.dfsg.2 decode_krb5_ap_rep_enc_part@krb5_3_MIT 1.6.dfsg.2 decode_krb5_ap_req@krb5_3_MIT 1.6.dfsg.2 decode_krb5_as_rep@krb5_3_MIT 1.6.dfsg.2 decode_krb5_as_req@krb5_3_MIT 1.6.dfsg.2 decode_krb5_authdata@krb5_3_MIT 1.6.dfsg.2 decode_krb5_authenticator@krb5_3_MIT 1.6.dfsg.2 decode_krb5_cred@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_cred_part@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_data@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_kdc_rep_part@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_priv_part@krb5_3_MIT 1.6.dfsg.2 decode_krb5_enc_sam_response_enc_2@krb5_3_MIT 1.7dfsg decode_krb5_enc_tkt_part@krb5_3_MIT 1.6.dfsg.2 decode_krb5_encryption_key@krb5_3_MIT 1.6.dfsg.2 decode_krb5_error@krb5_3_MIT 1.6.dfsg.2 decode_krb5_etype_info2@krb5_3_MIT 1.7dfsg decode_krb5_etype_info@krb5_3_MIT 1.6.dfsg.2 decode_krb5_fast_req@krb5_3_MIT 1.7dfsg decode_krb5_fast_response@krb5_3_MIT 1.11+dfsg decode_krb5_iakerb_finished@krb5_3_MIT 1.9+dfsg~beta1 decode_krb5_iakerb_header@krb5_3_MIT 1.9+dfsg~beta1 decode_krb5_kdc_req_body@krb5_3_MIT 1.6.dfsg.2 decode_krb5_otp_tokeninfo@krb5_3_MIT 1.11+dfsg decode_krb5_pa_enc_ts@krb5_3_MIT 1.6.dfsg.2 decode_krb5_pa_for_user@krb5_3_MIT 1.7dfsg decode_krb5_pa_fx_fast_reply@krb5_3_MIT 1.11+dfsg decode_krb5_pa_fx_fast_request@krb5_3_MIT 1.7dfsg decode_krb5_pa_otp_challenge@krb5_3_MIT 1.11+dfsg decode_krb5_pa_otp_enc_req@krb5_3_MIT 1.11+dfsg decode_krb5_pa_otp_req@krb5_3_MIT 1.11+dfsg decode_krb5_pa_pac_req@krb5_3_MIT 1.7dfsg decode_krb5_pa_s4u_x509_user@krb5_3_MIT 1.8+dfsg 
decode_krb5_padata_sequence@krb5_3_MIT 1.6.dfsg.2 decode_krb5_priv@krb5_3_MIT 1.6.dfsg.2 decode_krb5_safe@krb5_3_MIT 1.6.dfsg.2 decode_krb5_sam_challenge_2@krb5_3_MIT 1.11+dfsg decode_krb5_sam_challenge_2_body@krb5_3_MIT 1.11+dfsg decode_krb5_sam_response_2@krb5_3_MIT 1.7dfsg decode_krb5_setpw_req@krb5_3_MIT 1.7dfsg decode_krb5_tgs_rep@krb5_3_MIT 1.6.dfsg.2 decode_krb5_tgs_req@krb5_3_MIT 1.6.dfsg.2 decode_krb5_ticket@krb5_3_MIT 1.6.dfsg.2 decode_krb5_typed_data@krb5_3_MIT 1.7dfsg encode_krb5_ad_kdcissued@krb5_3_MIT 1.8+dfsg encode_krb5_ad_signedpath@krb5_3_MIT 1.8+dfsg encode_krb5_ad_signedpath_data@krb5_3_MIT 1.8+dfsg encode_krb5_ap_rep@krb5_3_MIT 1.6.dfsg.2 encode_krb5_ap_rep_enc_part@krb5_3_MIT 1.6.dfsg.2 encode_krb5_ap_req@krb5_3_MIT 1.6.dfsg.2 encode_krb5_as_rep@krb5_3_MIT 1.6.dfsg.2 encode_krb5_as_req@krb5_3_MIT 1.6.dfsg.2 encode_krb5_authdata@krb5_3_MIT 1.6.dfsg.2 encode_krb5_authenticator@krb5_3_MIT 1.6.dfsg.2 encode_krb5_checksum@krb5_3_MIT 1.8+dfsg encode_krb5_cred@krb5_3_MIT 1.6.dfsg.2 encode_krb5_enc_cred_part@krb5_3_MIT 1.6.dfsg.2 encode_krb5_enc_data@krb5_3_MIT 1.6.dfsg.2 encode_krb5_enc_kdc_rep_part@krb5_3_MIT 1.6.dfsg.2 encode_krb5_enc_priv_part@krb5_3_MIT 1.6.dfsg.2 encode_krb5_enc_sam_response_enc_2@krb5_3_MIT 1.7dfsg encode_krb5_enc_tkt_part@krb5_3_MIT 1.6.dfsg.2 encode_krb5_encryption_key@krb5_3_MIT 1.6.dfsg.2 encode_krb5_error@krb5_3_MIT 1.6.dfsg.2 encode_krb5_etype_info2@krb5_3_MIT 1.6.dfsg.2 encode_krb5_etype_info@krb5_3_MIT 1.6.dfsg.2 encode_krb5_fast_response@krb5_3_MIT 1.7dfsg encode_krb5_iakerb_finished@krb5_3_MIT 1.9+dfsg~beta1 encode_krb5_iakerb_header@krb5_3_MIT 1.9+dfsg~beta1 encode_krb5_kdc_req_body@krb5_3_MIT 1.6.dfsg.2 encode_krb5_otp_tokeninfo@krb5_3_MIT 1.11+dfsg encode_krb5_pa_enc_ts@krb5_3_MIT 1.6.dfsg.2 encode_krb5_pa_for_user@krb5_3_MIT 1.7dfsg encode_krb5_pa_fx_fast_reply@krb5_3_MIT 1.7dfsg encode_krb5_pa_otp_challenge@krb5_3_MIT 1.11+dfsg encode_krb5_pa_otp_enc_req@krb5_3_MIT 1.11+dfsg encode_krb5_pa_otp_req@krb5_3_MIT 
1.11+dfsg encode_krb5_pa_s4u_x509_user@krb5_3_MIT 1.8+dfsg encode_krb5_padata_sequence@krb5_3_MIT 1.6.dfsg.2 encode_krb5_pkinit_supp_pub_info@krb5_3_MIT 1.10+dfsg~alpha1 encode_krb5_priv@krb5_3_MIT 1.6.dfsg.2 encode_krb5_s4u_userid@krb5_3_MIT 1.8+dfsg encode_krb5_safe@krb5_3_MIT 1.6.dfsg.2 encode_krb5_sam_challenge_2@krb5_3_MIT 1.9+dfsg~beta1 encode_krb5_sam_challenge_2_body@krb5_3_MIT 1.9+dfsg~beta1 encode_krb5_sam_response_2@krb5_3_MIT 1.7dfsg encode_krb5_sp80056a_other_info@krb5_3_MIT 1.10+dfsg~alpha1 encode_krb5_tgs_rep@krb5_3_MIT 1.6.dfsg.2 encode_krb5_tgs_req@krb5_3_MIT 1.6.dfsg.2 encode_krb5_ticket@krb5_3_MIT 1.6.dfsg.2 encode_krb5_typed_data@krb5_3_MIT 1.10+dfsg~alpha1 et_asn1_error_table@krb5_3_MIT 1.6.dfsg.2 et_k524_error_table@krb5_3_MIT 1.6.dfsg.2 et_kdb5_error_table@krb5_3_MIT 1.6.dfsg.2 et_krb5_error_table@krb5_3_MIT 1.6.dfsg.2 et_kv5m_error_table@krb5_3_MIT 1.6.dfsg.2 et_prof_error_table@krb5_3_MIT 1.6.dfsg.2 initialize_asn1_error_table@krb5_3_MIT 1.6.dfsg.2 initialize_k524_error_table@krb5_3_MIT 1.6.dfsg.2 initialize_k5e1_error_table@krb5_3_MIT 1.9+dfsg~beta1 initialize_kdb5_error_table@krb5_3_MIT 1.6.dfsg.2 initialize_krb5_error_table@krb5_3_MIT 1.6.dfsg.2 initialize_kv5m_error_table@krb5_3_MIT 1.6.dfsg.2 initialize_prof_error_table@krb5_3_MIT 1.6.dfsg.2 k5_build_conf_principals@krb5_3_MIT 1.12~alpha1+dfsg k5_ccselect_free_context@krb5_3_MIT 1.10+dfsg~alpha1 k5_etypes_contains@krb5_3_MIT 1.11+dfsg k5_expand_path_tokens@krb5_3_MIT 1.11+dfsg k5_expand_path_tokens_extra@krb5_3_MIT 1.11+dfsg k5_free_algorithm_identifier@krb5_3_MIT 1.11+dfsg k5_free_otp_tokeninfo@krb5_3_MIT 1.11+dfsg k5_free_pa_otp_challenge@krb5_3_MIT 1.11+dfsg k5_free_pa_otp_req@krb5_3_MIT 1.11+dfsg k5_free_serverlist@krb5_3_MIT 1.10+dfsg~alpha1 k5_hostrealm_free_context@krb5_3_MIT 1.12~alpha1+dfsg k5_init_trace@krb5_3_MIT 1.12~alpha1+dfsg k5_kt_get_principal@krb5_3_MIT 1.10+dfsg~alpha1 k5_localauth_free_context@krb5_3_MIT 1.12~alpha1+dfsg k5_locate_kdc@krb5_3_MIT 1.10+dfsg~alpha1 
k5_os_free_context@krb5_3_MIT 1.12~alpha1+dfsg k5_os_init_context@krb5_3_MIT 1.12~alpha1+dfsg k5_plugin_free_modules@krb5_3_MIT 1.9+dfsg~beta1 k5_plugin_load@krb5_3_MIT 1.9+dfsg~beta1 k5_plugin_load_all@krb5_3_MIT 1.9+dfsg~beta1 k5_plugin_register@krb5_3_MIT 1.9+dfsg~beta1 k5_plugin_register_dyn@krb5_3_MIT 1.10+dfsg~alpha1 krb524_convert_creds_kdc@krb5_3_MIT 1.6.dfsg.2 krb524_init_ets@krb5_3_MIT 1.6.dfsg.2 krb5_3_MIT@krb5_3_MIT 1.6.dfsg.2 krb5_425_conv_principal@krb5_3_MIT 1.6.dfsg.2 krb5_524_conv_principal@krb5_3_MIT 1.6.dfsg.2 krb5_524_convert_creds@krb5_3_MIT 1.6.dfsg.2 krb5_address_compare@krb5_3_MIT 1.6.dfsg.2 krb5_address_order@krb5_3_MIT 1.6.dfsg.2 krb5_address_search@krb5_3_MIT 1.6.dfsg.2 krb5_allow_weak_crypto@krb5_3_MIT 1.8+dfsg krb5_aname_to_localname@krb5_3_MIT 1.6.dfsg.2 krb5_anonymous_principal@krb5_3_MIT 1.8+dfsg krb5_anonymous_realm@krb5_3_MIT 1.8+dfsg krb5_appdefault_boolean@krb5_3_MIT 1.6.dfsg.2 krb5_appdefault_string@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_free@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_genaddrs@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_get_authdata_context@krb5_3_MIT 1.8+dfsg krb5_auth_con_get_checksum_func@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getaddrs@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getauthenticator@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getflags@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getivector@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getkey_k@krb5_3_MIT 1.8+dfsg krb5_auth_con_getlocalseqnumber@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getlocalsubkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getpermetypes@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getrcache@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getrecvsubkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getrecvsubkey_k@krb5_3_MIT 1.8+dfsg krb5_auth_con_getremoteseqnumber@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getremotesubkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getsendsubkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_getsendsubkey_k@krb5_3_MIT 1.8+dfsg krb5_auth_con_init@krb5_3_MIT 1.6.dfsg.2 
krb5_auth_con_initivector@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_set_authdata_context@krb5_3_MIT 1.8+dfsg krb5_auth_con_set_checksum_func@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_set_req_cksumtype@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_set_safe_cksumtype@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setaddrs@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setflags@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setivector@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setpermetypes@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setports@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setrcache@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setrecvsubkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setrecvsubkey_k@krb5_3_MIT 1.9+dfsg~beta1 krb5_auth_con_setsendsubkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_con_setsendsubkey_k@krb5_3_MIT 1.9+dfsg~beta1 krb5_auth_con_setuseruserkey@krb5_3_MIT 1.6.dfsg.2 krb5_auth_to_rep@krb5_3_MIT 1.6.dfsg.2 krb5_authdata_context_copy@krb5_3_MIT 1.8+dfsg krb5_authdata_context_free@krb5_3_MIT 1.8+dfsg krb5_authdata_context_init@krb5_3_MIT 1.8+dfsg krb5_authdata_delete_attribute@krb5_3_MIT 1.8+dfsg krb5_authdata_export_attributes@krb5_3_MIT 1.8+dfsg krb5_authdata_export_authdata@krb5_3_MIT 1.8+dfsg krb5_authdata_export_internal@krb5_3_MIT 1.8+dfsg krb5_authdata_free_internal@krb5_3_MIT 1.8+dfsg krb5_authdata_get_attribute@krb5_3_MIT 1.8+dfsg krb5_authdata_get_attribute_types@krb5_3_MIT 1.8+dfsg krb5_authdata_import_attributes@krb5_3_MIT 1.8+dfsg krb5_authdata_set_attribute@krb5_3_MIT 1.8+dfsg krb5_build_principal@krb5_3_MIT 1.6.dfsg.2 krb5_build_principal_alloc_va@krb5_3_MIT 1.7dfsg krb5_build_principal_ext@krb5_3_MIT 1.6.dfsg.2 krb5_build_principal_va@krb5_3_MIT 1.6.dfsg.2 krb5_cc_cache_match@krb5_3_MIT 1.10+dfsg~alpha1 krb5_cc_close@krb5_3_MIT 1.6.dfsg.2 krb5_cc_copy_creds@krb5_3_MIT 1.6.dfsg.2 krb5_cc_default@krb5_3_MIT 1.6.dfsg.2 krb5_cc_default_name@krb5_3_MIT 1.6.dfsg.2 krb5_cc_destroy@krb5_3_MIT 1.6.dfsg.2 krb5_cc_dfl_ops@krb5_3_MIT 1.6.dfsg.2 krb5_cc_dup@krb5_3_MIT 1.9+dfsg~beta1 krb5_cc_end_seq_get@krb5_3_MIT 1.6.dfsg.2 
krb5_cc_file_ops@krb5_3_MIT 1.6.dfsg.2 krb5_cc_gen_new@krb5_3_MIT 1.6.dfsg.2 krb5_cc_get_config@krb5_3_MIT 1.8+dfsg krb5_cc_get_full_name@krb5_3_MIT 1.10+dfsg~alpha1 krb5_cc_get_name@krb5_3_MIT 1.6.dfsg.2 krb5_cc_get_principal@krb5_3_MIT 1.6.dfsg.2 krb5_cc_get_type@krb5_3_MIT 1.6.dfsg.2 krb5_cc_initialize@krb5_3_MIT 1.6.dfsg.2 krb5_cc_move@krb5_3_MIT 1.11+dfsg krb5_cc_new_unique@krb5_3_MIT 1.6.dfsg.2 krb5_cc_next_cred@krb5_3_MIT 1.6.dfsg.2 krb5_cc_register@krb5_3_MIT 1.6.dfsg.2 krb5_cc_remove_cred@krb5_3_MIT 1.6.dfsg.2 krb5_cc_resolve@krb5_3_MIT 1.6.dfsg.2 krb5_cc_retrieve_cred@krb5_3_MIT 1.6.dfsg.2 krb5_cc_select@krb5_3_MIT 1.10+dfsg~alpha1 krb5_cc_set_config@krb5_3_MIT 1.8+dfsg krb5_cc_set_default_name@krb5_3_MIT 1.6.dfsg.2 krb5_cc_set_flags@krb5_3_MIT 1.6.dfsg.2 krb5_cc_start_seq_get@krb5_3_MIT 1.6.dfsg.2 krb5_cc_store_cred@krb5_3_MIT 1.6.dfsg.2 krb5_cc_support_switch@krb5_3_MIT 1.10+dfsg~alpha1 krb5_cc_switch@krb5_3_MIT 1.10+dfsg~alpha1 krb5_cccol_cursor_free@krb5_3_MIT 1.6.dfsg.2 krb5_cccol_cursor_new@krb5_3_MIT 1.6.dfsg.2 krb5_cccol_cursor_next@krb5_3_MIT 1.6.dfsg.2 krb5_cccol_have_content@krb5_3_MIT 1.11+dfsg krb5_change_cache@krb5_3_MIT 1.6.dfsg.2 krb5_change_password@krb5_3_MIT 1.6.dfsg.2 krb5_check_clockskew@krb5_3_MIT 1.10+dfsg~alpha1 krb5_check_transited_list@krb5_3_MIT 1.6.dfsg.2 krb5_chpw_message@krb5_3_MIT 1.11+dfsg krb5_chpw_result_code_string@krb5_3_MIT 1.6.dfsg.2 krb5_clear_error_message@krb5_3_MIT 1.6.dfsg.2 krb5_copy_addr@krb5_3_MIT 1.6.dfsg.2 krb5_copy_addresses@krb5_3_MIT 1.6.dfsg.2 krb5_copy_authdata@krb5_3_MIT 1.6.dfsg.2 krb5_copy_authenticator@krb5_3_MIT 1.6.dfsg.2 krb5_copy_checksum@krb5_3_MIT 1.6.dfsg.2 krb5_copy_context@krb5_3_MIT 1.6.dfsg.2 krb5_copy_creds@krb5_3_MIT 1.6.dfsg.2 krb5_copy_data@krb5_3_MIT 1.6.dfsg.2 krb5_copy_error_message@krb5_3_MIT 1.7dfsg krb5_copy_keyblock@krb5_3_MIT 1.6.dfsg.2 krb5_copy_keyblock_contents@krb5_3_MIT 1.6.dfsg.2 krb5_copy_principal@krb5_3_MIT 1.6.dfsg.2 krb5_copy_ticket@krb5_3_MIT 1.6.dfsg.2 
krb5_crypto_us_timeofday@krb5_3_MIT 1.6.dfsg.2 krb5_decode_authdata_container@krb5_3_MIT 1.7dfsg krb5_decode_ticket@krb5_3_MIT 1.6.dfsg.2 krb5_decrypt_tkt_part@krb5_3_MIT 1.6.dfsg.2 krb5_deltat_to_string@krb5_3_MIT 1.6.dfsg.2 krb5_encode_authdata_container@krb5_3_MIT 1.7dfsg krb5_encode_kdc_rep@krb5_3_MIT 1.6.dfsg.2 krb5_encrypt_helper@krb5_3_MIT 1.6.dfsg.2 krb5_encrypt_tkt_part@krb5_3_MIT 1.6.dfsg.2 krb5_externalize_data@krb5_3_MIT 1.6.dfsg.2 krb5_externalize_opaque@krb5_3_MIT 1.6.dfsg.2 krb5_fcc_ops@krb5_3_MIT 1.6.dfsg.2 krb5_find_authdata@krb5_3_MIT 1.10+dfsg~alpha1 krb5_find_serializer@krb5_3_MIT 1.6.dfsg.2 krb5_free_ad_kdcissued@krb5_3_MIT 1.8+dfsg krb5_free_ad_signedpath@krb5_3_MIT 1.8+dfsg krb5_free_address@krb5_3_MIT 1.6.dfsg.2 krb5_free_addresses@krb5_3_MIT 1.6.dfsg.2 krb5_free_ap_rep@krb5_3_MIT 1.6.dfsg.2 krb5_free_ap_rep_enc_part@krb5_3_MIT 1.6.dfsg.2 krb5_free_ap_req@krb5_3_MIT 1.6.dfsg.2 krb5_free_authdata@krb5_3_MIT 1.6.dfsg.2 krb5_free_authenticator@krb5_3_MIT 1.6.dfsg.2 krb5_free_authenticator_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_checksum@krb5_3_MIT 1.6.dfsg.2 krb5_free_checksum_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_config_files@krb5_3_MIT 1.6.dfsg.2 krb5_free_context@krb5_3_MIT 1.6.dfsg.2 krb5_free_cred@krb5_3_MIT 1.6.dfsg.2 krb5_free_cred_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_cred_enc_part@krb5_3_MIT 1.6.dfsg.2 krb5_free_creds@krb5_3_MIT 1.6.dfsg.2 krb5_free_data@krb5_3_MIT 1.6.dfsg.2 krb5_free_data_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_default_realm@krb5_3_MIT 1.6.dfsg.2 krb5_free_enc_data@krb5_3_MIT 1.7dfsg krb5_free_enc_kdc_rep_part@krb5_3_MIT 1.6.dfsg.2 krb5_free_enc_sam_response_enc_2@krb5_3_MIT 1.6.dfsg.2 krb5_free_enc_sam_response_enc_2_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_enc_tkt_part@krb5_3_MIT 1.6.dfsg.2 krb5_free_enctypes@krb5_3_MIT 1.12~alpha1+dfsg krb5_free_error@krb5_3_MIT 1.6.dfsg.2 krb5_free_error_message@krb5_3_MIT 1.6.dfsg.2 krb5_free_etype_info@krb5_3_MIT 1.6.dfsg.2 krb5_free_fast_armored_req@krb5_3_MIT 1.7dfsg 
krb5_free_fast_req@krb5_3_MIT 1.7dfsg krb5_free_fast_response@krb5_3_MIT 1.11+dfsg krb5_free_host_realm@krb5_3_MIT 1.6.dfsg.2 krb5_free_iakerb_finished@krb5_3_MIT 1.9+dfsg~beta1 krb5_free_iakerb_header@krb5_3_MIT 1.9+dfsg~beta1 krb5_free_kdc_rep@krb5_3_MIT 1.6.dfsg.2 krb5_free_kdc_req@krb5_3_MIT 1.6.dfsg.2 krb5_free_keyblock@krb5_3_MIT 1.6.dfsg.2 krb5_free_keyblock_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_keytab_entry_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_last_req@krb5_3_MIT 1.6.dfsg.2 krb5_free_octet_data@krb5_3_MIT 1.10+dfsg~alpha1 krb5_free_pa_data@krb5_3_MIT 1.6.dfsg.2 krb5_free_pa_enc_ts@krb5_3_MIT 1.6.dfsg.2 krb5_free_pa_for_user@krb5_3_MIT 1.7dfsg krb5_free_pa_pac_req@krb5_3_MIT 1.7dfsg krb5_free_pa_s4u_x509_user@krb5_3_MIT 1.8+dfsg krb5_free_principal@krb5_3_MIT 1.6.dfsg.2 krb5_free_priv@krb5_3_MIT 1.6.dfsg.2 krb5_free_priv_enc_part@krb5_3_MIT 1.6.dfsg.2 krb5_free_realm_tree@krb5_3_MIT 1.6.dfsg.2 krb5_free_safe@krb5_3_MIT 1.6.dfsg.2 krb5_free_sam_challenge_2@krb5_3_MIT 1.6.dfsg.2 krb5_free_sam_challenge_2_body@krb5_3_MIT 1.6.dfsg.2 krb5_free_sam_challenge_2_body_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_sam_challenge_2_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_sam_response_2@krb5_3_MIT 1.6.dfsg.2 krb5_free_sam_response_2_contents@krb5_3_MIT 1.6.dfsg.2 krb5_free_string@krb5_3_MIT 1.10+dfsg~alpha1 krb5_free_tgt_creds@krb5_3_MIT 1.6.dfsg.2 krb5_free_ticket@krb5_3_MIT 1.6.dfsg.2 krb5_free_tickets@krb5_3_MIT 1.6.dfsg.2 krb5_free_tkt_authent@krb5_3_MIT 1.6.dfsg.2 krb5_free_unparsed_name@krb5_3_MIT 1.6.dfsg.2 krb5_fwd_tgt_creds@krb5_3_MIT 1.6.dfsg.2 krb5_gen_portaddr@krb5_3_MIT 1.6.dfsg.2 krb5_gen_replay_name@krb5_3_MIT 1.6.dfsg.2 krb5_generate_seq_number@krb5_3_MIT 1.6.dfsg.2 krb5_generate_subkey@krb5_3_MIT 1.6.dfsg.2 krb5_get_cred_via_tkt@krb5_3_MIT 1.6.dfsg.2 krb5_get_credentials@krb5_3_MIT 1.10+dfsg~ krb5_get_credentials_for_proxy@krb5_3_MIT 1.8+dfsg krb5_get_credentials_for_user@krb5_3_MIT 1.8+dfsg krb5_get_credentials_renew@krb5_3_MIT 1.6.dfsg.2 
krb5_get_credentials_validate@krb5_3_MIT 1.6.dfsg.2 krb5_get_default_config_files@krb5_3_MIT 1.6.dfsg.2 krb5_get_default_in_tkt_ktypes@krb5_3_MIT 1.6.dfsg.2 krb5_get_default_realm@krb5_3_MIT 1.6.dfsg.2 krb5_get_error_message@krb5_3_MIT 1.6.dfsg.2 krb5_get_fallback_host_realm@krb5_3_MIT 1.7dfsg krb5_get_host_realm@krb5_3_MIT 1.6.dfsg.2 krb5_get_in_tkt_with_keytab@krb5_3_MIT 1.6.dfsg.2 krb5_get_in_tkt_with_password@krb5_3_MIT 1.6.dfsg.2 krb5_get_in_tkt_with_skey@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_keytab@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_alloc@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_free@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_free_pa@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_get_fast_flags@krb5_3_MIT 1.8+dfsg krb5_get_init_creds_opt_get_pa@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_init@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_address_list@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_anonymous@krb5_3_MIT 1.8+dfsg krb5_get_init_creds_opt_set_canonicalize@krb5_3_MIT 1.7dfsg krb5_get_init_creds_opt_set_change_password_prompt@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_etype_list@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_expire_callback@krb5_3_MIT 1.9+dfsg~beta1 krb5_get_init_creds_opt_set_fast_ccache@krb5_3_MIT 1.9+dfsg~beta1 krb5_get_init_creds_opt_set_fast_ccache_name@krb5_3_MIT 1.8+dfsg krb5_get_init_creds_opt_set_fast_flags@krb5_3_MIT 1.8+dfsg krb5_get_init_creds_opt_set_forwardable@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_in_ccache@krb5_3_MIT 1.11+dfsg krb5_get_init_creds_opt_set_out_ccache@krb5_3_MIT 1.8+dfsg krb5_get_init_creds_opt_set_pa@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_preauth_list@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_proxiable@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_renew_life@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_opt_set_responder@krb5_3_MIT 1.11+dfsg krb5_get_init_creds_opt_set_salt@krb5_3_MIT 1.6.dfsg.2 
krb5_get_init_creds_opt_set_tkt_life@krb5_3_MIT 1.6.dfsg.2 krb5_get_init_creds_password@krb5_3_MIT 1.6.dfsg.2 krb5_get_notification_message@krb5_3_MIT 1.6.dfsg.2 krb5_get_permitted_enctypes@krb5_3_MIT 1.6.dfsg.2 krb5_get_profile@krb5_3_MIT 1.6.dfsg.2 krb5_get_prompt_types@krb5_3_MIT 1.6.dfsg.2 krb5_get_realm_domain@krb5_3_MIT 1.6.dfsg.2 krb5_get_renewed_creds@krb5_3_MIT 1.6.dfsg.2 krb5_get_server_rcache@krb5_3_MIT 1.6.dfsg.2 krb5_get_tgs_ktypes@krb5_3_MIT 1.6.dfsg.2 krb5_get_time_offsets@krb5_3_MIT 1.6.dfsg.2 krb5_get_validated_creds@krb5_3_MIT 1.6.dfsg.2 krb5_init_context@krb5_3_MIT 1.6.dfsg.2 krb5_init_context_profile@krb5_3_MIT 1.10+dfsg~alpha1 krb5_init_creds_free@krb5_3_MIT 1.8+dfsg krb5_init_creds_get@krb5_3_MIT 1.8+dfsg krb5_init_creds_get_creds@krb5_3_MIT 1.8+dfsg krb5_init_creds_get_error@krb5_3_MIT 1.8+dfsg krb5_init_creds_get_times@krb5_3_MIT 1.8+dfsg krb5_init_creds_init@krb5_3_MIT 1.8+dfsg krb5_init_creds_set_keytab@krb5_3_MIT 1.8+dfsg krb5_init_creds_set_password@krb5_3_MIT 1.8+dfsg krb5_init_creds_set_service@krb5_3_MIT 1.8+dfsg krb5_init_creds_step@krb5_3_MIT 1.8.1+dfsg krb5_init_keyblock@krb5_3_MIT 1.6.dfsg.2 krb5_init_secure_context@krb5_3_MIT 1.6.dfsg.2 krb5_internalize_opaque@krb5_3_MIT 1.6.dfsg.2 krb5_is_config_principal@krb5_3_MIT 1.8+dfsg krb5_is_permitted_enctype@krb5_3_MIT 1.6.dfsg.2 krb5_is_referral_realm@krb5_3_MIT 1.6.dfsg.2 krb5_is_thread_safe@krb5_3_MIT 1.6.dfsg.2 krb5_kdc_rep_decrypt_proc@krb5_3_MIT 1.6.dfsg.2 krb5_kt_add_entry@krb5_3_MIT 1.6.dfsg.2 krb5_kt_client_default@krb5_3_MIT 1.11+dfsg krb5_kt_close@krb5_3_MIT 1.6.dfsg.2 krb5_kt_default@krb5_3_MIT 1.6.dfsg.2 krb5_kt_default_name@krb5_3_MIT 1.6.dfsg.2 krb5_kt_dfl_ops@krb5_3_MIT 1.6.dfsg.2 krb5_kt_dup@krb5_3_MIT 1.12~alpha1+dfsg krb5_kt_end_seq_get@krb5_3_MIT 1.6.dfsg.2 krb5_kt_free_entry@krb5_3_MIT 1.6.dfsg.2 krb5_kt_get_entry@krb5_3_MIT 1.6.dfsg.2 krb5_kt_get_name@krb5_3_MIT 1.6.dfsg.2 krb5_kt_get_type@krb5_3_MIT 1.6.dfsg.2 krb5_kt_have_content@krb5_3_MIT 1.11+dfsg 
krb5_kt_next_entry@krb5_3_MIT 1.6.dfsg.2 krb5_kt_read_service_key@krb5_3_MIT 1.6.dfsg.2 krb5_kt_register@krb5_3_MIT 1.6.dfsg.2 krb5_kt_remove_entry@krb5_3_MIT 1.6.dfsg.2 krb5_kt_resolve@krb5_3_MIT 1.6.dfsg.2 krb5_kt_start_seq_get@krb5_3_MIT 1.6.dfsg.2 krb5_ktf_ops@krb5_3_MIT 1.6.dfsg.2 krb5_ktf_writable_ops@krb5_3_MIT 1.6.dfsg.2 krb5_kts_ops@krb5_3_MIT 1.6.dfsg.2 krb5_kuserok@krb5_3_MIT 1.6.dfsg.2 krb5_lock_file@krb5_3_MIT 1.6.dfsg.2 krb5_make_authdata_kdc_issued@krb5_3_MIT 1.8+dfsg krb5_make_full_ipaddr@krb5_3_MIT 1.6.dfsg.2 krb5_make_fulladdr@krb5_3_MIT 1.6.dfsg.2 krb5_mcc_ops@krb5_3_MIT 1.6.dfsg.2 krb5_merge_authdata@krb5_3_MIT 1.7dfsg krb5_mk_1cred@krb5_3_MIT 1.6.dfsg.2 krb5_mk_error@krb5_3_MIT 1.6.dfsg.2 krb5_mk_ncred@krb5_3_MIT 1.6.dfsg.2 krb5_mk_priv@krb5_3_MIT 1.6.dfsg.2 krb5_mk_rep@krb5_3_MIT 1.7dfsg krb5_mk_rep_dce@krb5_3_MIT 1.7dfsg krb5_mk_req@krb5_3_MIT 1.7dfsg krb5_mk_req_extended@krb5_3_MIT 1.7dfsg krb5_mk_safe@krb5_3_MIT 1.6.dfsg.2 krb5_net_read@krb5_3_MIT 1.6.dfsg.2 krb5_net_write@krb5_3_MIT 1.6.dfsg.2 krb5_os_localaddr@krb5_3_MIT 1.6.dfsg.2 krb5_overridekeyname@krb5_3_MIT 1.6.dfsg.2 krb5_pac_add_buffer@krb5_3_MIT 1.7dfsg krb5_pac_free@krb5_3_MIT 1.7dfsg krb5_pac_get_buffer@krb5_3_MIT 1.7dfsg krb5_pac_get_types@krb5_3_MIT 1.7dfsg krb5_pac_init@krb5_3_MIT 1.7dfsg krb5_pac_parse@krb5_3_MIT 1.7dfsg krb5_pac_sign@krb5_3_MIT 1.10+dfsg~alpha1 krb5_pac_verify@krb5_3_MIT 1.7dfsg krb5_parse_name@krb5_3_MIT 1.6.dfsg.2 krb5_parse_name_flags@krb5_3_MIT 1.7dfsg krb5_principal2salt@krb5_3_MIT 1.6.dfsg.2 krb5_principal2salt_norealm@krb5_3_MIT 1.6.dfsg.2 krb5_principal_compare@krb5_3_MIT 1.6.dfsg.2 krb5_principal_compare_any_realm@krb5_3_MIT 1.7dfsg krb5_principal_compare_flags@krb5_3_MIT 1.7dfsg krb5_prompter_posix@krb5_3_MIT 1.6.dfsg.2 krb5_rc_close@krb5_3_MIT 1.6.dfsg.2 krb5_rc_default@krb5_3_MIT 1.6.dfsg.2 krb5_rc_default_name@krb5_3_MIT 1.6.dfsg.2 krb5_rc_default_type@krb5_3_MIT 1.6.dfsg.2 krb5_rc_destroy@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_close@krb5_3_MIT 
1.6.dfsg.2 krb5_rc_dfl_close_no_free@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_destroy@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_expunge@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_get_name@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_get_span@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_init@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_ops@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_recover@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_resolve@krb5_3_MIT 1.6.dfsg.2 krb5_rc_dfl_store@krb5_3_MIT 1.6.dfsg.2 krb5_rc_expunge@krb5_3_MIT 1.6.dfsg.2 krb5_rc_free_entry@krb5_3_MIT 1.6.dfsg.2 krb5_rc_get_lifespan@krb5_3_MIT 1.6.dfsg.2 krb5_rc_get_name@krb5_3_MIT 1.6.dfsg.2 krb5_rc_get_type@krb5_3_MIT 1.6.dfsg.2 krb5_rc_hash_message@krb5_3_MIT 1.7dfsg krb5_rc_initialize@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_close@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_creat@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_destroy@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_mark@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_move@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_open@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_read@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_size@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_sync@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_unmark@krb5_3_MIT 1.6.dfsg.2 krb5_rc_io_write@krb5_3_MIT 1.6.dfsg.2 krb5_rc_recover@krb5_3_MIT 1.6.dfsg.2 krb5_rc_recover_or_initialize@krb5_3_MIT 1.7dfsg krb5_rc_register_type@krb5_3_MIT 1.6.dfsg.2 krb5_rc_resolve@krb5_3_MIT 1.6.dfsg.2 krb5_rc_resolve_full@krb5_3_MIT 1.6.dfsg.2 krb5_rc_resolve_type@krb5_3_MIT 1.6.dfsg.2 krb5_rc_store@krb5_3_MIT 1.6.dfsg.2 krb5_rd_cred@krb5_3_MIT 1.6.dfsg.2 krb5_rd_error@krb5_3_MIT 1.6.dfsg.2 krb5_rd_priv@krb5_3_MIT 1.6.dfsg.2 krb5_rd_rep@krb5_3_MIT 1.6.dfsg.2 krb5_rd_rep_dce@krb5_3_MIT 1.7dfsg krb5_rd_req@krb5_3_MIT 1.6.dfsg.2 krb5_rd_req_decoded@krb5_3_MIT 1.6.dfsg.2 krb5_rd_req_decoded_anyflag@krb5_3_MIT 1.6.dfsg.2 krb5_rd_safe@krb5_3_MIT 1.6.dfsg.2 krb5_read_message@krb5_3_MIT 1.6.dfsg.2 krb5_read_password@krb5_3_MIT 1.6.dfsg.2 krb5_realm_compare@krb5_3_MIT 1.6.dfsg.2 krb5_recvauth@krb5_3_MIT 1.6.dfsg.2 krb5_recvauth_version@krb5_3_MIT 1.6.dfsg.2 
krb5_register_serializer@krb5_3_MIT 1.6.dfsg.2 krb5_responder_get_challenge@krb5_3_MIT 1.11+dfsg krb5_responder_list_questions@krb5_3_MIT 1.11+dfsg krb5_responder_otp_challenge_free@krb5_3_MIT 1.11+dfsg krb5_responder_otp_get_challenge@krb5_3_MIT 1.11+dfsg krb5_responder_otp_set_answer@krb5_3_MIT 1.11+dfsg krb5_responder_pkinit_challenge_free@krb5_3_MIT 1.12~alpha1+dfsg krb5_responder_pkinit_get_challenge@krb5_3_MIT 1.12~alpha1+dfsg krb5_responder_pkinit_set_answer@krb5_3_MIT 1.12~alpha1+dfsg krb5_responder_set_answer@krb5_3_MIT 1.11+dfsg krb5_salttype_to_string@krb5_3_MIT 1.6.dfsg.2 krb5_sendauth@krb5_3_MIT 1.6.dfsg.2 krb5_sendto_kdc@krb5_3_MIT 1.6.dfsg.2 krb5_ser_address_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_auth_context_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_authdata_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_authenticator_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_ccache_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_checksum_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_context_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_keyblock_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_keytab_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_pack_bytes@krb5_3_MIT 1.6.dfsg.2 krb5_ser_pack_int32@krb5_3_MIT 1.6.dfsg.2 krb5_ser_pack_int64@krb5_3_MIT 1.6.dfsg.2 krb5_ser_principal_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_rcache_init@krb5_3_MIT 1.6.dfsg.2 krb5_ser_unpack_bytes@krb5_3_MIT 1.6.dfsg.2 krb5_ser_unpack_int32@krb5_3_MIT 1.6.dfsg.2 krb5_ser_unpack_int64@krb5_3_MIT 1.6.dfsg.2 krb5_server_decrypt_ticket_keytab@krb5_3_MIT 1.6.dfsg.2 krb5_set_config_files@krb5_3_MIT 1.6.dfsg.2 krb5_set_debugging_time@krb5_3_MIT 1.6.dfsg.2 krb5_set_default_in_tkt_ktypes@krb5_3_MIT 1.6.dfsg.2 krb5_set_default_realm@krb5_3_MIT 1.6.dfsg.2 krb5_set_default_tgs_enctypes@krb5_3_MIT 1.6.dfsg.2 krb5_set_default_tgs_ktypes@krb5_3_MIT 1.6.dfsg.2 krb5_set_error_message@krb5_3_MIT 1.6.dfsg.2 krb5_set_error_message_fl@krb5_3_MIT 1.7dfsg krb5_set_password@krb5_3_MIT 1.6.dfsg.2 krb5_set_password_using_ccache@krb5_3_MIT 1.6.dfsg.2 krb5_set_principal_realm@krb5_3_MIT 1.6.dfsg.2 
krb5_set_real_time@krb5_3_MIT 1.6.dfsg.2 krb5_set_time_offsets@krb5_3_MIT 1.6.dfsg.2 krb5_set_trace_callback@krb5_3_MIT 1.10.2+dfsg krb5_set_trace_filename@krb5_3_MIT 1.10.2+dfsg krb5_size_opaque@krb5_3_MIT 1.6.dfsg.2 krb5_sname_match@krb5_3_MIT 1.10+dfsg~alpha1 krb5_sname_to_principal@krb5_3_MIT 1.6.dfsg.2 krb5_string_to_deltat@krb5_3_MIT 1.6.dfsg.2 krb5_string_to_salttype@krb5_3_MIT 1.6.dfsg.2 krb5_string_to_timestamp@krb5_3_MIT 1.6.dfsg.2 krb5_timeofday@krb5_3_MIT 1.6.dfsg.2 krb5_timestamp_to_sfstring@krb5_3_MIT 1.6.dfsg.2 krb5_timestamp_to_string@krb5_3_MIT 1.6.dfsg.2 krb5_tkt_creds_free@krb5_3_MIT 1.9+dfsg~beta1 krb5_tkt_creds_get@krb5_3_MIT 1.9+dfsg krb5_tkt_creds_get_creds@krb5_3_MIT 1.9+dfsg~beta1 krb5_tkt_creds_get_times@krb5_3_MIT 1.9+dfsg~beta1 krb5_tkt_creds_init@krb5_3_MIT 1.9+dfsg~beta1 krb5_tkt_creds_step@krb5_3_MIT 1.9+dfsg~beta1 krb5_unlock_file@krb5_3_MIT 1.6.dfsg.2 krb5_unpack_full_ipaddr@krb5_3_MIT 1.6.dfsg.2 krb5_unparse_name@krb5_3_MIT 1.6.dfsg.2 krb5_unparse_name_ext@krb5_3_MIT 1.6.dfsg.2 krb5_unparse_name_flags@krb5_3_MIT 1.7dfsg krb5_unparse_name_flags_ext@krb5_3_MIT 1.7dfsg krb5_us_timeofday@krb5_3_MIT 1.6.dfsg.2 krb5_use_natural_time@krb5_3_MIT 1.6.dfsg.2 krb5_verify_authdata_kdc_issued@krb5_3_MIT 1.8+dfsg krb5_verify_init_creds@krb5_3_MIT 1.6.dfsg.2 krb5_verify_init_creds_opt_init@krb5_3_MIT 1.6.dfsg.2 krb5_verify_init_creds_opt_set_ap_req_nofail@krb5_3_MIT 1.6.dfsg.2 krb5_vset_error_message@krb5_3_MIT 1.6.dfsg.2 krb5_walk_realm_tree@krb5_3_MIT 1.6.dfsg.2 krb5_write_message@krb5_3_MIT 1.6.dfsg.2 krb5int_accessor@krb5_3_MIT 1.6.dfsg.2 krb5int_cc_default@krb5_3_MIT 1.6.dfsg.2 krb5int_cleanup_library@krb5_3_MIT 1.6.dfsg.2 krb5int_copy_data_contents@krb5_3_MIT 1.11+dfsg krb5int_copy_data_contents_add0@krb5_3_MIT 1.7dfsg krb5int_find_pa_data@krb5_3_MIT 1.7dfsg krb5int_foreach_localaddr@krb5_3_MIT 1.6.dfsg.2 krb5int_free_data_list@krb5_3_MIT 1.8+dfsg krb5int_get_authdata_containee_types@krb5_3_MIT 1.8+dfsg krb5int_init_context_kdc@krb5_3_MIT 
1.6.dfsg.2 krb5int_initialize_library@krb5_3_MIT 1.6.dfsg.2 krb5int_parse_enctype_list@krb5_3_MIT 1.11+dfsg krb5int_random_string@krb5_3_MIT 1.12~alpha1+dfsg krb5int_tgtname@krb5_3_MIT 1.9+dfsg~beta1 krb5int_trace@krb5_3_MIT 1.9+dfsg~beta1 profile_abandon@krb5_3_MIT 1.6.dfsg.2 profile_add_relation@krb5_3_MIT 1.6.dfsg.2 profile_clear_relation@krb5_3_MIT 1.6.dfsg.2 profile_flush@krb5_3_MIT 1.6.dfsg.2 profile_free_list@krb5_3_MIT 1.6.dfsg.2 profile_get_boolean@krb5_3_MIT 1.6.dfsg.2 profile_get_integer@krb5_3_MIT 1.6.dfsg.2 profile_get_relation_names@krb5_3_MIT 1.6.dfsg.2 profile_get_string@krb5_3_MIT 1.6.dfsg.2 profile_get_subsection_names@krb5_3_MIT 1.6.dfsg.2 profile_get_values@krb5_3_MIT 1.6.dfsg.2 profile_init@krb5_3_MIT 1.6.dfsg.2 profile_init_path@krb5_3_MIT 1.6.dfsg.2 profile_iterator@krb5_3_MIT 1.6.dfsg.2 profile_iterator_create@krb5_3_MIT 1.6.dfsg.2 profile_iterator_free@krb5_3_MIT 1.6.dfsg.2 profile_release@krb5_3_MIT 1.6.dfsg.2 profile_release_string@krb5_3_MIT 1.6.dfsg.2 profile_rename_section@krb5_3_MIT 1.6.dfsg.2 profile_ser_externalize@krb5_3_MIT 1.6.dfsg.2 profile_ser_internalize@krb5_3_MIT 1.6.dfsg.2 profile_ser_size@krb5_3_MIT 1.6.dfsg.2 profile_update_relation@krb5_3_MIT 1.6.dfsg.2 debian/krb5-admin-server.templates0000664000000000000000000000215512272025331014345 0ustar # These templates have been reviewed by the debian-l10n-english # team # # If modifications/additions/rewording are needed, please ask # for an advice to debian-l10n-english@lists.debian.org # # Even minor modifications require translation updates and such # changes should be coordinated with translators and reviewers. Template: krb5-admin-server/newrealm Type: note _Description: Setting up a Kerberos Realm This package contains the administrative tools required to run the Kerberos master server. . However, installing this package does not automatically set up a Kerberos realm. This can be done later by running the "krb5_newrealm" command. . 
Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package. Template: krb5-admin-server/kadmind Type: boolean Default: true _Description: Run the Kerberos V5 administration daemon (kadmind)? Kadmind serves requests to add/modify/remove principals in the Kerberos database. . It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should run on the master KDC. debian/krb5-gss-samples.lintian-overrides0000664000000000000000000000017012272025331015642 0ustar krb5-gss-samples: binary-without-manpage usr/bin/gss-client krb5-gss-samples: binary-without-manpage usr/bin/gss-server debian/README.KDC0000664000000000000000000000547512272025331010460 0ustar Running a Debian Kerberos Realm You will want to install the krb5-kdc and krb5-admin-server on your master KDC and at least krb5-kdc on any slave KDCs you have. You may wish to install krb5-admin-server on slaves in case you need them to become the master KDC in a hurry, but in this case you may want to configure krb5-admin-server to not start unless started manually. Otherwise, clients may change their password on a slave server, a change that will then be overwritten silently later and may cause user confusion. (This can only happen if the client is misconfigured to use a slave server as the admin server, but sometimes this happens.) If you want to use the LDAP backend, also install the krb5-kdc-ldap package, which contains the kldap plugin. krb5-kdc adds a commented-out line for kpropd to /etc/inetd.conf. You will want to uncomment this on slave KDCs so that they can receive updates from the master, but leave it commented out on the master. You should look at the KDC configuration file (/etc/krb5kdc/kdc.conf) and adjust the parameters appropriately. 
If you expect to be using a lot of Kerberos4 services, you should either remove +preauth from the default principal flags or select full krb4 support when prompted by debconf. (You can run dpkg-reconfigure on krb5-kdc to see this prompt again.) If you remove +preauth from the flags, principals will by default not require preauthentication. This is less secure, since it exposes those principals to offline dictionary attacks, but this level of security is what people have been living with throughout the lifetime of Kerberos4. You can turn on requires_preauth for specific high-security principals in kadmin. If you simply select full krb4 support, then Kerberos5 clients will require preauthentication, but all principals will be accepted for Kerberos4. This has a similar vulnerability to dictionary attacks and cannot be overridden by setting requires_preauth selectively. By default, principals are created with most supported keys, including AES and 3DES keys. This means that if you ever decide at some point in the future that you no longer have any services using older, weaker enctypes, you can get the full security benefits of stronger encryption types by dropping the weaker ones from supported_enctypes in /etc/krb5kdc/kdc.conf. Note, however, that for some services, like AFS, you may need to create only single-DES keys. Single DES is one of the weaker enctypes referred to above, so limit such keys to the service principals that actually require them. You might do this with, for example: kadmin.local -e des-cbc-crc:normal -q "ktadd afs/ATHENA.MIT.EDU" Similarly, for old Java applications, you may need to create keys without AES enctypes, particularly if Java is using a ticket cache created by a different program. You will probably want to create /etc/krb5kdc/kadm5.acl to include a list of users who are authorized to run kadmin in your realm. The kadmind documentation provides examples. 
debian/libk5crypto3.install0000664000000000000000000000003412272025331013104 0ustar usr/lib/*/libk5crypto.so.3* debian/krb5_newrealm.sgml0000664000000000000000000000326012272025331012607 0ustar krb5_newrealm 8 krb5_newrealm Create a new Kerberos Realm krb5_newrealm Description This script attempts to create a Kerberos realm. It assumes that none of the realm components exists, except for the /etc/krb5.conf file. (Normally this file is automatically generated at package installation, but if you skipped the configuration step, you will need to manually generate this file before running krb5_newrealm.) It creates the database, initializes the stash file in /etc/krb5kdc/stash containing the master key for the database, starts the KDC and Kerberos admin server, and creates a stub /etc/krb5kdc/kadm5.acl file. debian/libkrad0.symbols0000664000000000000000000000231712271473454012306 0ustar libkrad.so.0 libkrad0 #MINVER# HIDDEN@HIDDEN 1.12~alpha1+dfsg krad_0_MIT@krad_0_MIT 1.12~alpha1+dfsg krad_attr_name2num@krad_0_MIT 1.12~alpha1+dfsg krad_attr_num2name@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_add@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_add_number@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_copy@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_del@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_free@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_get@krad_0_MIT 1.12~alpha1+dfsg krad_attrset_new@krad_0_MIT 1.12~alpha1+dfsg krad_client_free@krad_0_MIT 1.12~alpha1+dfsg krad_client_new@krad_0_MIT 1.12~alpha1+dfsg krad_client_send@krad_0_MIT 1.12~alpha1+dfsg krad_code_name2num@krad_0_MIT 1.12~alpha1+dfsg krad_code_num2name@krad_0_MIT 1.12~alpha1+dfsg krad_packet_bytes_needed@krad_0_MIT 1.12~alpha1+dfsg krad_packet_decode_request@krad_0_MIT 1.12~alpha1+dfsg krad_packet_decode_response@krad_0_MIT 1.12~alpha1+dfsg krad_packet_encode@krad_0_MIT 1.12~alpha1+dfsg krad_packet_free@krad_0_MIT 1.12~alpha1+dfsg krad_packet_get_attr@krad_0_MIT 1.12~alpha1+dfsg krad_packet_get_code@krad_0_MIT 1.12~alpha1+dfsg 
krad_packet_new_request@krad_0_MIT 1.12~alpha1+dfsg krad_packet_new_response@krad_0_MIT 1.12~alpha1+dfsg debian/krb5-gss-samples.install0000664000000000000000000000004612272025332013655 0ustar usr/bin/gss-* usr/sbin/gss-* usr/bin