author | Diego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com> | 2010-07-23 15:59:44 +0200 |
---|---|---|
committer | Diego Elio 'Flameeyes' Pettenò <flameeyes@gmail.com> | 2010-07-23 15:59:44 +0200 |
commit | 736f9b9f43c2468dd0cb5c5343cb8969d5492a4d (patch) | |
tree | 74950657d26fb7e78b254ca64e1acbbd69cca32d | |
parent | Improve handling of services and the session chain. (diff) | |
Add support for pam_krb5 module for Kerberos authentication.
This implements drop-in support for Kerberos (pam_krb5) in Gentoo systems;
if the kerberos USE flag has been enabled, it'll use pam_krb5 for login,
ignoring pam_unix, but no other module in the chain.
It requires Linux-PAM.
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | basic-conf | 32 | ||||
-rw-r--r-- | system-auth.in | 11 | ||||
-rw-r--r-- | system-session.inc | 12 |
4 files changed, 55 insertions, 4 deletions
@@ -44,6 +44,10 @@ ifeq "$(PAM_SSH)" "yes"
 PAMFLAGS += -DHAVE_PAM_SSH=1
 endif
+ifeq "$(KRB5)" "yes"
+PAMFLAGS += -DHAVE_KRB5=1
+endif
+
 ifeq "$(SHA512)" "yes"
 PAMFLAGS += -DWANT_SHA512=1
 endif
@@ -1,9 +1,19 @@
 // Only use_authtok (authentication token) when using cracklib or some other module
-// that checks for passwords.
+// that checks for passwords, or pam_krb5
+#define AUTHTOK use_authtok
+
 #if HAVE_CRACKLIB || HAVE_PASSWDQC
-# define AUTHTOK use_authtok
+# define PASSWORD_STRENGTH 1
+#endif
+
+#if HAVE_KRB5 && PASSWORD_STRENGTH
+# define KRB5_AUTHTOK AUTHTOK
+#endif
+
+#if HAVE_KRB5 || PASSWORD_STRENGTH
+# define UNIX_AUTHTOK AUTHTOK
 #else
-# define AUTHTOK
+# define UNIX_AUTHTOK AUTHTOK
 #endif
 // Define DEBUG to an empty string unless it was required by the user
@@ -18,3 +28,19 @@
 #ifndef LIKEAUTH
 #define LIKEAUTH
 #endif
+
+#define KRB5_PARAMS DEBUG ignore_root try_first_pass
+
+/* By using the extended Linux-PAM syntax for this, it is possible to
+ fine-tune the Kerberos handling so that it works out of hte box on
+ most desktop systems.
+
+ What this control operation does is ignore failures and errors from
+ Kerberos (falling back on local pam_unix auth), but if it's good,
+ it'll skip over the following module (pam_unix) with an accepted
+ status.
+
+ IMPORTANT! Make sure that the only thing that comes right after
+ pam_krb5 with KRB5_CONTROL is pam_unix!
+ */
+#define KRB5_CONTROL [success=1 default=ignore]
diff --git a/system-auth.in b/system-auth.in
index 941d925..85ea443 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -4,8 +4,14 @@ auth required pam_env.so DEBUG
 #if HAVE_PAM_SSH
 auth sufficient pam_ssh.so
 #endif
+#if HAVE_KRB5
+auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+#endif
 auth required pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
+#if HAVE_KRB5
+auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+#endif
 account required pam_unix.so DEBUG
 #if HAVE_CRACKLIB
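Review bot: The new `#if HAVE_KRB5 || PASSWORD_STRENGTH` block defines `UNIX_AUTHTOK` as `AUTHTOK` in both of its branches, so as rendered here the `#else` branch no longer yields the empty definition that the removed `# define AUTHTOK` gave a build with neither Kerberos nor a strength-checking module, and pam_unix's password line ends up with `use_authtok` although no earlier module supplies a token on such a build. Unless this is a loss in the page rendering, the else branch should read `# define UNIX_AUTHTOK` with no value, which also makes the conditional meaningful again. The `#if HAVE_KRB5 && PASSWORD_STRENGTH` test relies on an undefined `PASSWORD_STRENGTH` evaluating to 0, which cpp guarantees but a one-line comment such as `// PASSWORD_STRENGTH stays undefined (0) when no password checker is built in` would make explicit for the next reader.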
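Review bot: The comment documenting `KRB5_CONTROL` has a typo, `out of hte box` should be `out of the box`. Because `[success=1 default=ignore]` skips exactly one entry of the stack as it stands after preprocessing, the IMPORTANT paragraph is the only thing protecting every use site, and it would be clearer to say why, e.g. `Any #if-guarded line that lands between a KRB5_CONTROL pam_krb5.so entry and its pam_unix partner changes which module the success=1 jump skips.` The comment should also spell out that `default=ignore` covers every non-success return, so an unreachable KDC or a misconfigured realm silently degrades to pam_unix instead of surfacing as an error; that is the fallback the commit wants, but an administrator reading this file needs to know that Kerberos problems will not be visible at login.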
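Review bot: The second added `pam_krb5.so` entry is typed `auth` but sits directly in front of `account required pam_unix.so`, so as rendered pam_krb5 runs a second time in the auth stack after pam_unix, and its `success=1` jump has no following auth entry left to skip; how Linux-PAM treats a jump past the end of a stack should be checked rather than assumed. If Kerberos account handling was intended, which the commit message's "ignoring pam_unix" for login suggests, the line should read `account KRB5_CONTROL pam_krb5.so KRB5_PARAMS`; if the page merely rendered the type wrong, disregard this. The auth stack's first entry (`pam_env`) lies before this hunk, and the password stack change is in the next one.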
@@ -14,7 +20,10 @@ password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 D
 #if HAVE_PASSWDQC
 password required pam_passwdqc.so min=8,8,8,8,8 retry=3
 #endif
-password required pam_unix.so try_first_pass AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
+#if HAVE_KRB5
+password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+#endif
+password required pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
 #if HAVE_PAM_SSH
 session optional pam_ssh.so
diff --git a/system-session.inc b/system-session.inc
index 9d4aea1..2ba6964 100644
--- a/system-session.inc
+++ b/system-session.inc
@@ -7,7 +7,19 @@ session required pam_env.so DEBUG
 #if HAVE_MKTEMP
 session optional pam_mktemp.so
 #endif
+
+/* Only Linux-PAM supports session chain for pam_unix; but if it were
+ to not support it for whatever reason, still execute pam_krb5, with
+ sufficient level instead. */
 #if SUPPORT_UNIX_SESSION
+# if HAVE_KRB5
+session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
+# endif
 session required pam_unix.so DEBUG
+#else
+# if HAVE_KRB5
+session sufficient pam_krb5.so KRB5_PARAMS
+# endif
 #endif
+
 session optional pam_permit.so
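Review bot: The added `pam_krb5.so` entry is placed directly before `pam_unix.so`, which now takes `UNIX_AUTHTOK`; basic-conf in this same commit expands that to `use_authtok` whenever HAVE_KRB5 is set, so on a Kerberos build without cracklib or passwdqc pam_unix no longer prompts for the new password itself and depends on the preceding module having stored one. When KRB5_CONTROL ignores pam_krb5, for example for a local-only account, nothing in this hunk guarantees a token was left behind, so password changes for such accounts on such a build deserve a test before this ships. Separately, `KRB5_AUTHTOK` is defined in basic-conf but no line added in this commit uses it; if pam_krb5 is meant to consume the cracklib/passwdqc-checked password the entry should be `password KRB5_CONTROL pam_krb5.so KRB5_PARAMS KRB5_AUTHTOK`, otherwise the macro can be dropped.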
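Review bot: In the `#else` branch `session sufficient pam_krb5.so` has different short-circuit semantics from `KRB5_CONTROL`: `sufficient` ends the session stack on success when no earlier required entry has failed, so the following `session optional pam_permit.so` and anything the including file stacks after this include would not run for Kerberos users, whereas `[success=1 default=ignore]` skips exactly one entry. The commit message says Linux-PAM is required, so if the non-Linux-PAM branch is kept the new comment should record the difference, e.g. `'sufficient' stops the session stack on success, unlike KRB5_CONTROL which only skips pam_unix`. What pam_krb5 is expected to do in the session phase is not stated anywhere in this commit and would be worth one sentence in the same comment.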