In order to make the MIT KRB5 port compatible with FreeBSD, the port

now makes use of login.conf and login.access.  This is performed by
using FreeBSD login(1) instead of MIT KRB5 login.krb5(8).

The MIT KRB5 login.krb5(8) can still be used by specifying "-L" in
the klogind and telnetd arguments in inetd.conf.  This is documented
in a new file called README.FreeBSD.

Reviewed by:	nectar

7 files changed, 123 insertions, 2 deletions

diff --git a/security/krb5/Makefile b/security/krb5/Makefile
index 7fac84161a4a..3a0bf189ab7f 100644
--- a/security/krb5/Makefile
+++ b/security/krb5/Makefile
@@ -7,11 +7,11 @@
 
 PORTNAME=		krb5
 PORTVERSION=		1.2.2
-PORTREVISION=		4
+PORTREVISION=		5
 CATEGORIES=		security
 MASTER_SITES=		# manual download
 
-MAINTAINER=		Cy.Schubert@uumail.gov.bc.ca
+MAINTAINER=		cy@FreeBSD.org
 
 BUILD_DEPENDS=		gm4:${PORTSDIR}/devel/m4
 
@@ -113,5 +113,15 @@ post-install:
 	${GREP} -v '\.so$$' ${TMPPLIST}.new > ${TMPPLIST}
 	${RM} ${TMPPLIST}.new
 .endif
+	@${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR} > ${PREFIX}/share/doc/krb5/README.FreeBSD
+	@${CHMOD} 444 ${PREFIX}/share/doc/krb5/README.FreeBSD
+	@${ECHO} "------------------------------------------------------"
+	@${ECHO} "This port of MIT Kerberos 5 includes remote login     "
+	@${ECHO} "daemons (telnetd and klogind).  These daemons default "
+	@${ECHO} "to using the system login program (/usr/bin/login).   "
+	@${ECHO} "Please see the file                                   "
+	@${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD"
+	@${ECHO} "for more information.                                 "
+	@${ECHO} "------------------------------------------------------"
 
 .include <bsd.port.post.mk>
diff --git a/security/krb5/files/README.FreeBSD b/security/krb5/files/README.FreeBSD
new file mode 100644
index 000000000000..e888e689eb04
--- /dev/null
+++ b/security/krb5/files/README.FreeBSD
@@ -0,0 +1,32 @@
+The MIT KRB5 port provides its own login program at
+${PREFIX}/sbin/login.krb5.  However, login.krb5 does not make use of
+the FreeBSD login.conf and login.access files that provide a means of
+setting up and controlling sessions under FreeBSD.  To overcome this,
+the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
+interactive login password authentication instead of the login.krb5
+program provided by MIT KRB5.  The FreeBSD /usr/bin/login program does
+not have support for Kerberos V password authentication,
+e.g. authentication at the console.  The pam_krb5 port must be used to
+provide Kerberos V password authentication.
+
+For more information about pam_krb5, please see pam(8) and pam_krb5(8).
+
+If you wish to use login.krb5 that is provided by the MIT KRB5 port,
+the arguments "-L ${PREFIX}/sbin/login.krb5" must be
+specified as arguments to klogind and KRB5 telnetd, e.g.
+
+klogin	stream	tcp	nowait	root	${PREFIX}/sbin/klogind	klogind -k -c -L ${PREFIX}/sbin/login.krb5
+eklogin	stream	tcp	nowait	root	${PREFIX}/sbin/klogind	klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
+telnet	stream	tcp	nowait	root	${PREFIX}/sbin/telnetd	telnetd -a none -L ${PREFIX}/sbin/login.krb5
+
+Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
+of the FreeBSD provided /usr/bin/login for local tty logins,
+"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
+
+default:\
+	:cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
+	:if=/etc/issue:\
+	:lo=${PREFIX}/sbin/login.krb5:
+
+It is recommended that the FreeBSD /usr/bin/login be used with the
+pam_krb5 port instead of the MIT KRB5 provided login.krb5.
diff --git a/security/krb5/files/patch-appl::bsd::Makefile.in b/security/krb5/files/patch-appl::bsd::Makefile.in
new file mode 100644
index 000000000000..603c399a287f
--- /dev/null
+++ b/security/krb5/files/patch-appl::bsd::Makefile.in
@@ -0,0 +1,11 @@
+--- appl/bsd/Makefile.in.orig	Wed Feb 28 14:06:43 2001
++++ appl/bsd/Makefile.in	Mon Dec 31 21:52:45 2001
+@@ -28,7 +28,7 @@
+ 	-DUCB_RSH=\"$(UCB_RSH)\" -DUCB_RCP=\"$(UCB_RCP)\"
+ 
+ DEFINES = $(RSH) $(BSD) $(RPROGS) \
+-	-DLOGIN_PROGRAM=\"$(SERVER_BINDIR)/login.krb5\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
++	-DLOGIN_PROGRAM=\"/usr/bin/login\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
+ 
+ all:: rsh rcp rlogin kshd klogind login.krb5 $(V4RCP)
+ 
diff --git a/security/krb5/files/patch-appl::bsd::klogind.M b/security/krb5/files/patch-appl::bsd::klogind.M
new file mode 100644
index 000000000000..1523c3d593df
--- /dev/null
+++ b/security/krb5/files/patch-appl::bsd::klogind.M
@@ -0,0 +1,34 @@
+--- appl/bsd/klogind.M.orig	Wed Feb 28 14:06:43 2001
++++ appl/bsd/klogind.M	Mon Dec 31 21:22:27 2001
+@@ -14,6 +14,7 @@
+ ]
+ [
+ [ \fB\-w\fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]] ]
++[\fB\-L\fP \fIloginpath\fP]
+ .SH DESCRIPTION
+ .I Klogind
+ is the server for the 
+@@ -107,6 +108,10 @@
+ Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+ authentication from succeeding in the default mode.
+ 
++.IP \fB\-L\ loginpath\fP
++Specify pathname to an alternative login program.  Default: /usr/bin/login.
++KRB5_HOME/sbin/login.krb5 may be specified.
++
+ 
+ .PP
+ If the
+@@ -157,12 +162,6 @@
+ 
+ .IP \fB\-M\ realm\fP
+ Set the Kerberos realm to use.
+-
+-.IP \fB\-L\ login\fP
+-Set the login program to use.  This option only has an effect if
+-DO_NOT_USE_K_LOGIN was not defined when
+-.I klogind
+-was compiled.
+ .SH DIAGNOSTICS
+ All diagnostic messages are returned on the connection
+ associated with the
diff --git a/security/krb5/files/patch-appl::telnet::telnetd::Makefile.in b/security/krb5/files/patch-appl::telnet::telnetd::Makefile.in
new file mode 100644
index 000000000000..cb5a0e26d49d
--- /dev/null
+++ b/security/krb5/files/patch-appl::telnet::telnetd::Makefile.in
@@ -0,0 +1,11 @@
+--- appl/telnet/telnetd/Makefile.in.orig	Wed Feb 28 14:06:51 2001
++++ appl/telnet/telnetd/Makefile.in	Mon Dec 31 21:51:19 2001
+@@ -24,7 +24,7 @@
+ #	@(#)Makefile.generic	5.5 (Berkeley) 3/1/91
+ #
+ 
+-AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
++AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=\"/usr/bin/login\"
+ OTHERDEFS=-DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
+ LOCALINCLUDES=-I.. -I$(srcdir)/..
+ DEFINES = $(AUTH_DEF) $(OTHERDEFS)
diff --git a/security/krb5/files/patch-appl::telnet::telnetd::telnetd.8 b/security/krb5/files/patch-appl::telnet::telnetd::telnetd.8
new file mode 100644
index 000000000000..951ee0d5692a
--- /dev/null
+++ b/security/krb5/files/patch-appl::telnet::telnetd::telnetd.8
@@ -0,0 +1,22 @@
+--- appl/telnet/telnetd/telnetd.8.orig	Wed Feb 28 14:06:51 2001
++++ appl/telnet/telnetd/telnetd.8	Mon Dec 31 21:16:55 2001
+@@ -43,7 +43,7 @@
+ [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
+ [\fB\-S\fP \fItos\fP] [\fB\-U\fP] [\fB\-X\fP \fIauthtype\fP]
+ [\fB\-w\fP [\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]]
+-[\fB\-debug\fP [\fIport\fP]]
++[\fB\-debug\fP] [\fB\-L\fP \fIloginpath\fP] [\fIport\fP]
+ .SH DESCRIPTION
+ The
+ .B telnetd
+@@ -221,6 +221,10 @@
+ in response to a
+ .SM DO TIMING-MARK)
+ for kludge linemode support.
++.TP
++\fB\-L\fP \fIloginpath\fP
++Specify pathname to an alternative login program.  Default: /usr/bin/login.
++KRB5_HOME/sbin/login.krb5 may be specified.
+ .TP
+ .B \-l
+ Specifies line mode.  Tries to force clients to use line-at-a-time
diff --git a/security/krb5/pkg-plist b/security/krb5/pkg-plist
index df48394c37cf..5170610a1b3d 100644
--- a/security/krb5/pkg-plist
+++ b/security/krb5/pkg-plist
@@ -102,6 +102,7 @@ sbin/sserver
 sbin/telnetd
 sbin/uuserver
 sbin/v5passwdd
+share/doc/krb5/README.FreeBSD
 share/doc/krb5/admin.html
 share/doc/krb5/admin_foot.html
 share/doc/krb5/admin_toc.html