| author | Cy Schubert <cy@FreeBSD.org> | 2025-04-17 02:13:41 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2025-05-27 16:20:06 +0000 |
| commit | 24f0b4ca2d565cdbb4fe7839ff28320706bf2386 (patch) | |
| tree | bc9ce87edb73f767f5580887d0fc8c643b9d7a49 /tests/data/scripts/alt-auth | |
pam-krb5: Import/add pam-krb5 from eyrie.org
vendor/pam-krb5/4.11 vendor/pam-krb5
From https://www.eyrie.org/~eagle/software/pam-krb5/:
pam-krb5 provides a Kerberos PAM module that supports authentication,
user ticket cache handling, simple authorization (via .k5login or
checking Kerberos principals against local usernames), and password
changing. It can be configured through either options in the PAM
configuration itself or through entries in the system krb5.conf file,
and it tries to work around PAM implementation flaws in commonly-used
PAM-enabled applications such as OpenSSH and xdm. It supports both
PKINIT and FAST to the extent that the underlying Kerberos libraries
support these features.
The reason for this import is to provide an MIT KRB5 compatible
pam_krb5 PAM module. The existing pam_krb5 in FreeBSD only works
with Heimdal.
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'tests/data/scripts/alt-auth')
| -rw-r--r-- | tests/data/scripts/alt-auth/basic | 19 |
| -rw-r--r-- | tests/data/scripts/alt-auth/basic-debug | 25 |
| -rw-r--r-- | tests/data/scripts/alt-auth/fail | 19 |
| -rw-r--r-- | tests/data/scripts/alt-auth/fail-debug | 28 |
| -rw-r--r-- | tests/data/scripts/alt-auth/fallback | 25 |
| -rw-r--r-- | tests/data/scripts/alt-auth/fallback-debug | 38 |
| -rw-r--r-- | tests/data/scripts/alt-auth/fallback-realm | 25 |
| -rw-r--r-- | tests/data/scripts/alt-auth/force | 19 |
| -rw-r--r-- | tests/data/scripts/alt-auth/force-fail-debug | 26 |
| -rw-r--r-- | tests/data/scripts/alt-auth/force-fallback | 25 |
| -rw-r--r-- | tests/data/scripts/alt-auth/only | 19 |
| -rw-r--r-- | tests/data/scripts/alt-auth/only-fail | 22 |
| -rw-r--r-- | tests/data/scripts/alt-auth/username-map | 19 |
| -rw-r--r-- | tests/data/scripts/alt-auth/username-map-prefix | 19 |
14 files changed, 328 insertions, 0 deletions
diff --git a/tests/data/scripts/alt-auth/basic b/tests/data/scripts/alt-auth/basic new file mode 100644 index 000000000000..92628e98cd8f --- /dev/null +++ b/tests/data/scripts/alt-auth/basic @@ -0,0 +1,19 @@ +# Test simplest case of alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%1 force_first_pass no_ccache + account = alt_auth_map=%1 no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + +[output] + INFO user %u authenticated as %1 diff --git a/tests/data/scripts/alt-auth/basic-debug b/tests/data/scripts/alt-auth/basic-debug new file mode 100644 index 000000000000..325a8117284c --- /dev/null +++ b/tests/data/scripts/alt-auth/basic-debug @@ -0,0 +1,25 @@ +# Test simplest case of alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%1 force_first_pass no_ccache debug + account = alt_auth_map=%1 no_ccache debug + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + +[output] + DEBUG pam_sm_authenticate: entry + DEBUG (user %u) mapping bogus-nonexistent-account to %1 + DEBUG (user %u) alternate authentication successful + INFO user %u authenticated as %1 + DEBUG pam_sm_authenticate: exit (success) + DEBUG pam_sm_acct_mgmt: entry + DEBUG pam_sm_acct_mgmt: exit (success) diff --git a/tests/data/scripts/alt-auth/fail b/tests/data/scripts/alt-auth/fail new file mode 100644 index 000000000000..ec2145f3098f --- /dev/null +++ b/tests/data/scripts/alt-auth/fail 
@@ -0,0 +1,19 @@ +# Test failure of alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=bogus force_first_pass no_ccache + account = alt_auth_map=bogus no_ccache + +[run] + authenticate = PAM_AUTHINFO_UNAVAIL + acct_mgmt = PAM_IGNORE + +[output] + NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost= diff --git a/tests/data/scripts/alt-auth/fail-debug b/tests/data/scripts/alt-auth/fail-debug new file mode 100644 index 000000000000..ae96bb148e6a --- /dev/null +++ b/tests/data/scripts/alt-auth/fail-debug @@ -0,0 +1,28 @@ +# Test failure of alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=bogus force_first_pass no_ccache debug + account = alt_auth_map=bogus no_ccache debug + +[run] + authenticate = PAM_AUTHINFO_UNAVAIL + acct_mgmt = PAM_IGNORE + +[output] + DEBUG pam_sm_authenticate: entry + DEBUG (user %u) mapping bogus-nonexistent-account to bogus@%2 + DEBUG /^\(user %u\) alternate authentication failed: / + DEBUG (user %u) attempting authentication as %u@%2 + DEBUG /^\(user %u\) krb5_get_init_creds_password: / + NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost= + DEBUG pam_sm_authenticate: exit (failure) + DEBUG pam_sm_acct_mgmt: entry + DEBUG skipping non-Kerberos login + DEBUG pam_sm_acct_mgmt: exit (ignore) diff --git a/tests/data/scripts/alt-auth/fallback b/tests/data/scripts/alt-auth/fallback new file mode 100644 index 000000000000..a0ee7a3d4292 --- /dev/null 
+++ b/tests/data/scripts/alt-auth/fallback @@ -0,0 +1,25 @@ +# Test alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%%s/unknown-user no_ccache + account = alt_auth_map=%%s/unknown-user no_ccache + session = no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + open_session = PAM_SUCCESS + close_session = PAM_SUCCESS + +[prompts] + echo_off = Password: |%p + +[output] + INFO user %u authenticated as %u diff --git a/tests/data/scripts/alt-auth/fallback-debug b/tests/data/scripts/alt-auth/fallback-debug new file mode 100644 index 000000000000..f63741a60a16 --- /dev/null +++ b/tests/data/scripts/alt-auth/fallback-debug 
@@ -0,0 +1,38 @@ +# Test alternative authentication principal with debug logging. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%%s/unknown-user no_ccache debug + account = alt_auth_map=%%s/unknown-user no_ccache debug + session = no_ccache debug + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + open_session = PAM_SUCCESS + close_session = PAM_SUCCESS + +[prompts] + echo_off = Password: |%p + +[output] + DEBUG pam_sm_authenticate: entry + DEBUG (user %u) mapping %u to %0/unknown-user@%2 + DEBUG /^\(user %u\) alternate authentication failed: / + DEBUG (user %u) attempting authentication as %u + DEBUG (user %u) mapped user %0/unknown-user@%2 does not match principal %u + INFO user %u authenticated as %u + DEBUG pam_sm_authenticate: exit (success) + DEBUG pam_sm_acct_mgmt: entry + DEBUG (user %u) mapped user %0/unknown-user@%2 does not match principal %u + DEBUG pam_sm_acct_mgmt: exit (success) + DEBUG pam_sm_open_session: entry + DEBUG pam_sm_open_session: exit (success) + DEBUG pam_sm_close_session: entry + DEBUG pam_sm_close_session: exit (success) diff --git a/tests/data/scripts/alt-auth/fallback-realm b/tests/data/scripts/alt-auth/fallback-realm new file mode 100644 index 000000000000..0eef10fd5056 --- /dev/null +++ b/tests/data/scripts/alt-auth/fallback-realm 
@@ -0,0 +1,25 @@ +# Test alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%%s@BOGUS.EXAMPLE.COM no_ccache + account = alt_auth_map=%%s@BOGUS.EXAMPLE.COM no_ccache + session = no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + open_session = PAM_SUCCESS + close_session = PAM_SUCCESS + +[prompts] + echo_off = Password: |%p + +[output] + INFO user %u authenticated as %u diff --git a/tests/data/scripts/alt-auth/force b/tests/data/scripts/alt-auth/force new file mode 100644 index 000000000000..4ad34f6f1fe4 --- /dev/null +++ b/tests/data/scripts/alt-auth/force @@ -0,0 +1,19 @@ +# Test forced alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%1 force_alt_auth force_first_pass no_ccache + account = alt_auth_map=%1 no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + +[output] + INFO user %u authenticated as %1 diff --git a/tests/data/scripts/alt-auth/force-fail-debug b/tests/data/scripts/alt-auth/force-fail-debug new file mode 100644 index 000000000000..cc077b1a4743 --- /dev/null +++ b/tests/data/scripts/alt-auth/force-fail-debug 
@@ -0,0 +1,26 @@ +# Test failure of forced authentication principal (no fallback). -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%1 force_alt_auth force_first_pass no_ccache debug + account = alt_auth_map=%1 no_ccache debug + +[run] + authenticate = PAM_AUTH_ERR + acct_mgmt = PAM_IGNORE + +[output] + DEBUG pam_sm_authenticate: entry + DEBUG (user %u) mapping bogus-nonexistent-account to %1 + DEBUG /^\(user %u\) alternate authentication failed: / + NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost= + DEBUG pam_sm_authenticate: exit (failure) + DEBUG pam_sm_acct_mgmt: entry + DEBUG skipping non-Kerberos login + DEBUG pam_sm_acct_mgmt: exit (ignore) diff --git a/tests/data/scripts/alt-auth/force-fallback b/tests/data/scripts/alt-auth/force-fallback new file mode 100644 index 000000000000..b93b04175ed5 --- /dev/null +++ b/tests/data/scripts/alt-auth/force-fallback @@ -0,0 +1,25 @@ +# Test forced alternative authentication with fallback. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%%s/unknown-user force_alt_auth no_ccache + account = alt_auth_map=%%s/unknown-user no_ccache + session = no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + open_session = PAM_SUCCESS + close_session = PAM_SUCCESS + +[prompts] + echo_off = Password: |%p + +[output] + INFO user %u authenticated as %u diff --git a/tests/data/scripts/alt-auth/only b/tests/data/scripts/alt-auth/only new file mode 100644 index 000000000000..7761fc7fd0ce --- /dev/null 
+++ b/tests/data/scripts/alt-auth/only @@ -0,0 +1,19 @@ +# Test required alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%1 only_alt_auth force_first_pass no_ccache + account = alt_auth_map=%1 no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + +[output] + INFO user %u authenticated as %1 diff --git a/tests/data/scripts/alt-auth/only-fail b/tests/data/scripts/alt-auth/only-fail new file mode 100644 index 000000000000..5c2831614928 --- /dev/null +++ b/tests/data/scripts/alt-auth/only-fail @@ -0,0 +1,22 @@ +# Test failure of required alternative authentication. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=bogus only_alt_auth no_ccache + account = alt_auth_map=bogus no_ccache + +[run] + authenticate = PAM_USER_UNKNOWN + acct_mgmt = PAM_IGNORE + +[prompts] + echo_off = Password: |%p + +[output] + NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost= diff --git a/tests/data/scripts/alt-auth/username-map b/tests/data/scripts/alt-auth/username-map new file mode 100644 index 000000000000..7f28a670344b --- /dev/null +++ b/tests/data/scripts/alt-auth/username-map 
@@ -0,0 +1,19 @@ +# Test username mapping of alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%%s@%2 force_first_pass no_ccache + account = alt_auth_map=%%s@%2 no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + +[output] + INFO user %u authenticated as %1 diff --git a/tests/data/scripts/alt-auth/username-map-prefix b/tests/data/scripts/alt-auth/username-map-prefix new file mode 100644 index 000000000000..5e83fc888d77 --- /dev/null +++ b/tests/data/scripts/alt-auth/username-map-prefix @@ -0,0 +1,19 @@ +# Test username mapping of alternative authentication principal. -*- conf -*- +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2010-2011 +# The Board of Trustees of the Leland Stanford Junior University +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + +[options] + auth = alt_auth_map=%3%%s@%2 force_first_pass no_ccache + account = alt_auth_map=%3%%s@%2 no_ccache + +[run] + authenticate = PAM_SUCCESS + acct_mgmt = PAM_SUCCESS + +[output] + INFO user %u authenticated as %1 |
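Review bot: `GPL-1+` in the `SPDX-License-Identifier: BSD-3-clause or GPL-1+` header of tests/data/scripts/alt-auth/basic (the same line is repeated in each of the other 13 new files) is not an identifier on the SPDX license list, so license scanners that parse this tag may reject or misclassify the files. The SPDX spelling would be `BSD-3-Clause OR GPL-1.0-or-later`; because this is a vendor import, it is better raised with upstream than patched on the vendor branch.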
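Review bot: tests/data/scripts/alt-auth/fail expects `authenticate = PAM_AUTHINFO_UNAVAIL` with no comment on why this differs from the `PAM_AUTH_ERR` expected in force-fail-debug and the `PAM_USER_UNKNOWN` expected in only-fail. The fail-debug output shows the module trying `%u@%2` after the mapped principal `bogus@%2` fails, so the returned code comes from that second attempt; a one-line comment above `[run]` saying so would stop a later reader from treating the three failure codes as interchangeable.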
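Review bot: tests/data/scripts/alt-auth/fallback-realm carries the same header comment as fallback ("Test alternative authentication principal.") even though `alt_auth_map=%%s@BOGUS.EXAMPLE.COM` exercises a different case, a mapping into another realm rather than to another instance. Suggest the header name that case, and that both files state they test fallback to the user's regular principal, which is what the `INFO user %u authenticated as %u` line checks.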
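Review bot: tests/data/scripts/alt-auth/only-fail asserts only the NOTICE line and `authenticate = PAM_USER_UNKNOWN`, so nothing in it shows that `only_alt_auth` prevented an attempt with the user's regular principal, which is what "required" in the header comment implies. fail-debug and force-fail-debug pin down the full log sequence for their cases; an only-fail-debug script with `debug` in `[options]` and an `[output]` section in which no `attempting authentication as` line follows the failed mapping would cover this path the same way.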
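Review bot: tests/data/scripts/alt-auth/username-map-prefix has the same header comment as username-map, and the `%3` in `alt_auth_map=%3%%s@%2` is not explained anywhere in the file. A short comment saying what the test harness substitutes for `%3`, and that the mapped result is expected to equal `%1` as the `[output]` line requires, would make the script readable without the harness source.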
