1 The standard upstream source builds the PAM modules against static
2 libraries, which means they contain non-PIC code. This isn't allowed by
3 Debian Policy and doesn't work on some supported platforms.
5 Two approaches for fixing this have been tried. One is to rebuild the
6 various object files that are part of the libraries PIC and then link with
7 those object files. The other, which this implements, is to link with the
8 object files used to create the libafsauthent and libafsrpc shared
9 libraries (which can't be shipped since they don't have a stable API or
10 correct SONAME). The latter means that the PAM modules must also be
11 linked with libpthread, but that's a feature since that means they'll work
12 with sshd built threaded.
14 Not submitted upstream yet. The call to rx_Init should be submitted
15 upstream and would probably be accepted. Upstream would probably prefer
16 to link the PAM modules against the shared libraries instead of accepting
17 this hack, but that approach is unsuitable for Debian until the shared
18 libraries are handled more consistently.
20 --- openafs-1.3.87.orig/src/pam/Makefile.in
21 +++ openafs-1.3.87/src/pam/Makefile.in
23 afs_pam_msg.o afs_message.o AFS_component_version_number.o
24 OBJS = $(SHOBJS) test_pam.o
25 INCLUDES=-I${TOP_OBJDIR}/src/config -I${TOP_INCDIR}
26 -CFLAGS = ${DEBUG} ${INCLUDES} ${PAM_CFLAGS}
27 +CFLAGS = ${DEBUG} ${INCLUDES} ${PAM_CFLAGS} ${MT_CFLAGS}
29 +# For Debian, we link directly with the object files that would have gone
30 +# into the libafsrpc and libafsauthent shared libraries. The shared libraries
31 +# themselves cannot be used because the interface isn't stable and they have
32 +# no SONAME, but this is the easiest way of getting PIC objects built with the
34 +SHLIB_OBJS := `ls ../shlibafsauthent/*.o | grep -v version_num` \
35 + `ls ../shlibafsrpc/*.o | grep -v version_num`
36 +KRB_SHLIB_OBJS := `ls ../shlibafsauthent/*.o | egrep -v 'version_num|ktc.o'` \
37 + `ls ../shlibafsrpc/*.o | grep -v version_num`
39 all: test_pam ${TOP_LIBDIR}/pam_afs.so.1 ${TOP_LIBDIR}/pam_afs.krb.so.1
42 ${CC} ${CFLAGS} -c ${srcdir}/afs_auth.c -o afs_auth.o
44 afs_auth_krb.o: afs_auth.c afs_pam_msg.h afs_message.h afs_util.h
45 - ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
46 + ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
48 afs_util.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
49 ${CC} ${CFLAGS} -c ${srcdir}/afs_util.c -o afs_util.o
52 afs_util_krb.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
53 ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_util.c -o afs_util_krb.o
55 +ktc.o: ${srcdir}/../auth/ktc.c
56 + ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/../auth/ktc.c
58 pam_afs.so.1: $(SHOBJS) afs_setcred.o afs_auth.o afs_util.o
60 case "$(SYS_NAME)" in \
62 afs_setcred.o afs_auth.o afs_util.o \
63 $(SHOBJS) $(LIBS) ;; \
65 - $(CC) $(LDFLAGS) -o $@ afs_setcred.o \
66 - afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
67 + $(CC) $(LDFLAGS) $(PAM_CFLAGS) -o $@ afs_setcred.o \
68 + afs_auth.o afs_util.o $(SHOBJS) $(SHLIB_OBJS) \
69 + $(MT_LIBS) -lpam -lresolv;;\
71 $(CC) $(LDFLAGS) -o $@ afs_setcred.o \
72 afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
74 echo No link line for system $(SYS_NAME). ;; \
77 -pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o
78 +pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o ktc.o
80 case "$(SYS_NAME)" in \
81 hp_ux* | ia64_hpux*) \
83 $(SHOBJS) $(LDFLAGS) $(KLIBS) ;; \
85 $(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
86 - afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
87 + afs_auth_krb.o afs_util_krb.o ktc.o $(SHOBJS) \
88 + $(KRB_SHLIB_OBJS) $(MT_LIBS) -lpam -lresolv;;\
90 $(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
91 afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
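Review bot: The new `SHLIB_OBJS` and `KRB_SHLIB_OBJS` values are backtick `ls` pipelines that only run when the link recipe executes, and neither `pam_afs.so.1` nor `pam_afs.krb.so.1` declares the `../shlibafsauthent` or `../shlibafsrpc` objects as prerequisites. If those directories are empty or not yet built (for instance under a parallel build), the substitution expands to nothing and the `$(CC)` link still runs; a shared object usually links with unresolved symbols, so the result would be an authentication module that fails only when it is loaded. Consider making the link itself fail, for example by adding `-Wl,-z,defs` to the two changed link lines or by testing that the list is non-empty before calling `$(CC)`. The `egrep -v 'version_num|ktc.o'` filter is also unanchored with an unescaped dot; `grep -v -e version_num -e '/ktc\.o$'` states the intent exactly. Both recipes start and end outside the visible lines.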
92 --- openafs-1.3.87.orig/src/pam/afs_setcred.c
93 +++ openafs-1.3.87/src/pam/afs_setcred.c
95 int refresh_token = 0;
96 int set_expires = 0; /* the default is to not to set the env variable */
100 struct pam_conv *pam_convp = NULL;
101 char my_password_buf[256];
102 char *cell_ptr = NULL;
107 + if ((code = rx_Init(0)) != 0) {
108 + pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
112 if (flags & PAM_REFRESH_CRED) {
114 auth_ok = !do_klog(user, password, "00:00:01", cell_ptr);
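Review bot: The added `rx_Init(0)` check shows only the `pam_afs_syslog` call; the rest of the `if` body is outside the visible lines, so confirm that a failed initialisation leaves the function with a PAM failure code and never reaches `do_klog`. The same block is added twice in afs_auth.c (the child branch and the `dont_fork` branch), and all three copies should fail closed in the same way; a small shared helper would keep them from drifting apart. If the call is needed because the module now links the pthread Rx objects, a short comment such as `/* initialise Rx before contacting the AFS servers; fail closed on error */` would record that. The enclosing function starts and ends outside this section.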
115 --- openafs-1.3.87.orig/src/pam/afs_auth.c
116 +++ openafs-1.3.87/src/pam/afs_auth.c
118 if (cpid <= 0) { /* The child process */
119 if (logmask && LOG_MASK(LOG_DEBUG))
120 syslog(LOG_DEBUG, "in child");
121 + if ((code = rx_Init(0)) != 0) {
122 + pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
125 if (refresh_token || set_token)
126 code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user, /* kerberos name */
129 pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
131 } else { /* dont_fork, used by httpd */
132 + if ((code = rx_Init(0)) != 0) {
133 + pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
136 if (logmask && LOG_MASK(LOG_DEBUG))
137 syslog(LOG_DEBUG, "dont_fork");
138 if (refresh_token || set_token)
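Review bot: In the `dont_fork` branch the new `rx_Init(0)` runs inside the calling application itself (the existing comment names httpd) rather than in a short-lived child as in the branch above, and nothing visible guards against it being called again on every authentication. If rx_Init creates sockets or threads, as the new libpthread link in the description suggests, those would persist in the server process; a comment stating whether repeated calls are safe, or a static guard flag around the call, would settle it. The call also sits before the debug `syslog` here but after it in the child branch; using one order keeps the two log sequences comparable. Both branches continue outside the visible lines.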
139 --- openafs-1.3.87.orig/Makefile.in
140 +++ openafs-1.3.87/Makefile.in
142 # pthread based user space RX library
143 shlibafsrpc: rx rxkad des
144 case ${SYS_NAME} in \
146 - echo Skipping shlibafsrpc for amd64_linux24 ;; \
147 alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
148 ${COMPILE_PART1} shlibafsrpc ${COMPILE_PART2} ;; \
152 shlibafsauthent: ubik auth kauth shlibafsrpc
153 case ${SYS_NAME} in \
155 - echo Skipping shlibafsauthent for amd64_linux24 ;; \
156 alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
157 ${COMPILE_PART1} shlibafsauthent ${COMPILE_PART2} ;; \