pam-krb5: Import/add pam-krb5 from eyeire.orgvendor/pam-krb5/4.11vendor/pam-krb5

From https://www.eyrie.org/~eagle/software/pam-krb5/:

pam-krb5 provides a Kerberos PAM module that supports authentication,
user ticket cache handling, simple authorization (via .k5login or
checking Kerberos principals against local usernames), and password
changing. It can be configured through either options in the PAM
configuration itself or through entries in the system krb5.conf file,
and it tries to work around PAM implementation flaws in commonly-used
PAM-enabled applications such as OpenSSH and xdm. It supports both
PKINIT and FAST to the extent that the underlying Kerberos libraries
support these features.

The reason for this import is to provide an MIT KRB5 compatible
pam_krb5 PAM module. The existing pam_krb5 in FreeBS only works
with Heimdal.

Sponsored by:	The FreeBSD Foundation

15 files changed, 323 insertions, 0 deletions

diff --git a/tests/data/scripts/password/authtok b/tests/data/scripts/password/authtok
new file mode 100644
index 000000000000..9f6a39935b2d
--- /dev/null
+++ b/tests/data/scripts/password/authtok
@@ -0,0 +1,21 @@
+# Test password change with new authtok set but not old.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/authtok-force b/tests/data/scripts/password/authtok-force
new file mode 100644
index 000000000000..3bc0b598521b
--- /dev/null
+++ b/tests/data/scripts/password/authtok-force
@@ -0,0 +1,18 @@
+# Test password change with new authtok set but not old.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok force_first_pass
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/authtok-too-long b/tests/data/scripts/password/authtok-too-long
new file mode 100644
index 000000000000..df81e24977b3
--- /dev/null
+++ b/tests/data/scripts/password/authtok-too-long
@@ -0,0 +1,17 @@
+# Test use_authtok with an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+
+[output]
diff --git a/tests/data/scripts/password/authtok-too-long-debug b/tests/data/scripts/password/authtok-too-long-debug
new file mode 100644
index 000000000000..cb38e8861102
--- /dev/null
+++ b/tests/data/scripts/password/authtok-too-long-debug
@@ -0,0 +1,23 @@
+# Test use_authtok with an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok debug
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+
+[output]
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+    DEBUG pam_sm_chauthtok: exit (failure)
diff --git a/tests/data/scripts/password/banner b/tests/data/scripts/password/banner
new file mode 100644
index 000000000000..98c899c26af5
--- /dev/null
+++ b/tests/data/scripts/password/banner
@@ -0,0 +1,23 @@
+# Test password change with a modified banner.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = banner=realm
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current realm password: |%p
+    echo_off = Enter new realm password: |%n
+    echo_off = Retype new realm password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/banner-expose b/tests/data/scripts/password/banner-expose
new file mode 100644
index 000000000000..595fa0380b22
--- /dev/null
+++ b/tests/data/scripts/password/banner-expose
@@ -0,0 +1,23 @@
+# Test password change with banner and expose_account.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = expose_account banner=realm
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current realm password for %0: |%p
+    echo_off = Enter new realm password for %0: |%n
+    echo_off = Retype new realm password for %0: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/basic b/tests/data/scripts/password/basic
new file mode 100644
index 000000000000..5cb68267ce26
--- /dev/null
+++ b/tests/data/scripts/password/basic
@@ -0,0 +1,20 @@
+# Test password change with prompting.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/basic-debug b/tests/data/scripts/password/basic-debug
new file mode 100644
index 000000000000..ca1c86b9c2c9
--- /dev/null
+++ b/tests/data/scripts/password/basic-debug
@@ -0,0 +1,28 @@
+# Test password change with prompting and debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = debug
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    INFO user %u changed Kerberos password
+    DEBUG pam_sm_chauthtok: exit (success)
diff --git a/tests/data/scripts/password/expose b/tests/data/scripts/password/expose
new file mode 100644
index 000000000000..a82c1bd0b78d
--- /dev/null
+++ b/tests/data/scripts/password/expose
@@ -0,0 +1,23 @@
+# Test password change with prompting and expose_account.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = expose_account
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password for %0: |%p
+    echo_off = Enter new Kerberos password for %0: |%n
+    echo_off = Retype new Kerberos password for %0: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/ignore b/tests/data/scripts/password/ignore
new file mode 100644
index 000000000000..023cf5656f67
--- /dev/null
+++ b/tests/data/scripts/password/ignore
@@ -0,0 +1,18 @@
+# Test password prompt saving for ignored users.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = ignore_root
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_IGNORE
+    chauthtok(UPDATE_AUTHTOK) = PAM_IGNORE
+
+[prompts]
+    echo_off = Enter new password: |%n
+    echo_off = Retype new password: |%n
+
+[output]
diff --git a/tests/data/scripts/password/no-banner b/tests/data/scripts/password/no-banner
new file mode 100644
index 000000000000..9cabbd8ec5f9
--- /dev/null
+++ b/tests/data/scripts/password/no-banner
@@ -0,0 +1,23 @@
+# Test password change with no identifying banner.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = banner=
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current password: |%p
+    echo_off = Enter new password: |%n
+    echo_off = Retype new password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/no-banner-expose b/tests/data/scripts/password/no-banner-expose
new file mode 100644
index 000000000000..3a5b944887bd
--- /dev/null
+++ b/tests/data/scripts/password/no-banner-expose
@@ -0,0 +1,23 @@
+# Test password change with no banner and expose_account.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = expose_account banner=
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current password for %0: |%p
+    echo_off = Enter new password for %0: |%n
+    echo_off = Retype new password for %0: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/prompt-principal b/tests/data/scripts/password/prompt-principal
new file mode 100644
index 000000000000..1e7274eb058e
--- /dev/null
+++ b/tests/data/scripts/password/prompt-principal
@@ -0,0 +1,24 @@
+# Test password change with prompting and prompt_principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = prompt_principal
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_on = Principal: |%u
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/too-long b/tests/data/scripts/password/too-long
new file mode 100644
index 000000000000..4dbabd5db11e
--- /dev/null
+++ b/tests/data/scripts/password/too-long
@@ -0,0 +1,15 @@
+# Test password change to an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+
+[output]
diff --git a/tests/data/scripts/password/too-long-debug b/tests/data/scripts/password/too-long-debug
new file mode 100644
index 000000000000..18b4ed608612
--- /dev/null
+++ b/tests/data/scripts/password/too-long-debug
@@ -0,0 +1,24 @@
+# Test password change to an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = debug
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+
+[output]
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+    DEBUG pam_sm_chauthtok: exit (failure)