NOTICE: This package has been removed from pkgsrc

./wip/kstart, Run a process with Kerberos credentials



Branch: CURRENT, Version: 3.16, Package name: kstart-3.16, Maintainer: jakllsch

k5start acquires Kerberos credentials and runs a command
with those credentials. If the Kerberos credentials are
obtained from a keytab, k5start can be configured to
wake up every so often and renew the obtained credentials.
It can also optionally run a command every time
credentials are obtained (for example, you could run
afslog when credentials are obtained).


Required to build:
[devel/gmake]

Master sites:

SHA1: cd04209b260cad72b0798f7dade2fe94a6fd6eda
RMD160: 49a529f7932dd9de6c2bdc516afe35b174e136f0
Filesize: 250.262 KB



CVS history:


   2010-04-15 22:35:31 by Jonathan Kollasch | Files touched by this commit (4) | Package removed
Log message:
kstart has been imported into pkgsrc/security.
   2010-02-05 22:52:31 by Jonathan Kollasch | Files touched by this commit (2)
Log message:
Update to kstart-2.16

changes since 2.15:

 Add the -L option to k5start and krenew, saying to log messages
 to syslog as well as standard output or standard error.

 Correctly set the ticket cache path in k5start when the -k option
 was not given, fixing a NULL pointer dereference when the -o, -g,
 or -m options were given without -k. Thanks, Garrett Wollman.

 Allow the argument to -k to start with FILE: and strip off that
 prefix to form the ticket cache name. -k still forces its argument
 to be a file-based cache, however; FILE: is the only cache type
 designator supported. Use the KRB5CCNAME environment variable for
 other ticket cache types.

 k5start and krenew now say, in -h output, if they will attempt to
 create a new AFS PAG for commands run in combination with -t
 (enabled by --enable-setpag), allowing one to determine whether
 that support was compiled in.

 Include the proper header for signal handling functions, fixing
 a build problem on Solaris 9. Thanks, Tim Bishop.

 Avoid Heimdal functions marked as deprecated. Also fix the test
 suite to pass with Heimdal user space.

 Update to rra-c-util 2.2:

 * Add GCC function attributes alloc_size, malloc, and nonnull.
 * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).

changes since 2.14:

 k5start and krenew now catch SIGALRM and immediately refresh the
 ticket cache upon receiving it, even if the ticket isn't expired.

 Add the -i option to krenew, which says to keep running even if
 there is an error renewing the ticket cache. This is useful if
 the ticket cache renewed by krenew may expire and then later be
 renewed (such as with a manual kinit) and krenew is expected to
 wake up again and process the new ticket cache.

 Re-run aklog even if the ticket is still valid when -H is used in
 combination with -t. We don't check whether the token is valid,
 so it's safer to always re-run aklog. We may be setting a token
 in a new PAG using an existing ticket cache.

 Fail with an error rather than a segfault if MIT Kerberos is unable
 to determine a default local realm for an unqualified principal.
 Based on a patch from Jason Funk.

 Add example krenew-agent script, which runs krenew for a given
 ticket cache if it isn't already running. Contributed by Tim
 Skirvin.

 Correctly declare message_fatal_cleanup extern, fixing compilation
 problems on some platforms (particularly Mac OS X).

 Document that the -b flag to all programs also changes directories
 to / and any paths should therefore be absolute.

 Add support for the old Heimdal krb5_get_error_string interface.
 Thanks, Chaskiel Grundman.

 Fix some timing issues with the test suite that caused spurious
 failures on fast systems and try to make it more robust in the
 face of different process scheduling. This probably still isn't
 perfect.

 k4start is now built optionally based on whether Kerberos v4
 libraries are available, removing the need for --disable-k4start
 if no Kerberos v4 libraries are present. The option is still
 supported to explicitly disable building k4start even if Kerberos
 v4 libraries are found.

 Enable Automake silent rules. For a quieter build, pass the
 --enable-silent-rules option to configure or build with make V=0.

 Update to rra-c-util 2.0:

 * Redo build system for kafs replacement library and add tests.
 * Add --with-libkafs-include and --with-libkafs-lib configure
 options.
 * Add --with-afs-include and --with-afs-lib configure options.
 * Sanity-check the results of krb5-config before proceeding.
 * Fall back on manual probing if krb5-config results don't work.
 * Add --with-krb5-include and --with-krb5-lib configure options.
 * Add --with-krb4-include and --with-krb4-lib configure options.
 * Don't break if the user clobbers CPPFLAGS at build time.
 * Provide a proper bool type with Sun Studio 12 on Solaris 10.
 * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
 * Add strlcpy, strlcat, and setenv replacements.
 * Fix open call parameters in daemon portability test.
 * Update portable and util test suite for C TAP Harness 1.1.

 Update to C TAP Harness 1.1:

 * Rewrite of all test cases to use the new TAP library support.
 * Much improved and simplified builddir != srcdir test suite support.
 * Support running a single test with tests/runtests -o.
 * Summarize results at the end of test executions.
 * Correctly handle completely skipped tests, like docs/pod.
 * Better reporting of fatal errors in the test suite.
 * Consume all output from a test case before closing its descriptor.
 * Support aspell for spelling tests and skip them by default.
   2009-01-25 02:12:11 by Jonathan Kollasch | Files touched by this commit (1)
Log message:
 - enable setpag
 - adjust afslog comment to be more appropriate and less rantful
 - default to the afslog provided by pkgsrc/security/heimdal
   rather than one in /usr/local
   2008-09-14 20:23:43 by Jonathan Kollasch | Files touched by this commit (2) | Package updated
Log message:
Update kstart to 3.14.

changes for 3.14:
  Add -F and -P options to k5start to force the tickets to not be forwardable
or proxiable, regardless of library defaults. This can be necessary if one's
krb5.conf defaults to forwardable or proxiable tickets but service principals
aren't allowed to get such tickets. 

changes for 3.13:
  As of this release, k4start should be considered frozen. I will still fix bugs
where possible, but it is no longer tested before releases and new features
added to k5start and krenew will not be added to k4start.

  If the environment variable AKLOG is set, use its value as the path to the
aklog program to run when -t is given to k5start or krenew. If AKLOG is set,
always run that program unless -n was given in k4start. This environment
variable replaces the badly-named KINIT_PROG, although KINIT_PROG is still
supported for backward compatibility.

  Remove the restriction that -o, -g, and -m may not be used with -K or a
command. The MIT Kerberos libraries have removed the restriction about ticket
cache ownership and this now works properly. However, each authentication
changes the permissions, so reset the ownership and permissions whenever we
renew the cache. Thanks, Howard Wilkinson.

  Strip a leading FILE: or WRFILE: prefix from the ticket cache name when
changing the ownership or permissions. Based on a patch from Howard Wilkinson.

  Fix a portability problem with Heimdal introduced in the previous release
(Heimdal wants krb5_cc_copy_cache, not krb5_cc_copy_creds). Thanks, Jason White.

  Include a dummy object in libportable to avoid build failures on systems that
don't need any portability functions (such as Mac OS X).

changes for 3.12:
  krenew, when running a command, first copies the current ticket cache to a
private cache for that command so that it will be unaffected by later
destruction of the cache (such as by user logout). The private cache is
deleted when the command exits.

  Fix problems with command-line parsing in k4start and k5start that led to
treating a provided command as a principal in some situations. Allow for
getopt() implementations that don't strip the -- argument if it occurs after
the first non-option (such as on at least older Solaris).

  k5start now uses krb5_cc_destroy() rather than unlink to clean up the ticket
cache when necessary.

  Fix multiple problems with the libkafs and AFS system call checks on platforms
other than Linux that caused the libraries to leak into the global LIBS and
include checks done without the AFS include paths.

  Fix the ordering of LDFLAGS to avoid accidentally linking with the AFS com_err
library and ensure the AFS syscall layer is built with the right CPPFLAGS.

  If KRB5_CONFIG was explicitly set in the environment, don't use a different
krb5-config based on --with-krb4 or --with-krb5. If krb5-config isn't
executable, don't use it. This allows one to force library probing by setting
KRB5_CONFIG to point to a nonexistent file.

  Sanity-check the results of krb5-config before proceeding and error out in
configure if they don't work.

  Fix Autoconf syntax error when probing for libkrb5support.
Thanks, Mike Garrison.

changes for 3.11:
  Add a -c option to k4start, k5start, and krenew, which writes out the PID of
the child process when running a command. This is similar to -p, but writes out
the command PID rather than the PID of k4start, k5start, or krenew. Based on a
patch by Sascha Tandel.

  Add a -H option to krenew that works similarly to the -H option for k5start:
checking whether the remaining lifetime of the ticket is already long enough,
only renewing if it isn't, and exiting with a status indicating whether the
resulting ticket had a sufficiently long lifetime.
Based on a patch by Gautam Iyer.

  Add -o, -g, and -m options to k4start and k5start to set the owner, group,
and mode of the ticket cache after creation. These options cannot be used with
a specified command or with -K since, after making those changes, the Kerberos
library won't permit reading or writing to the ticket cache.
Based on a patch by Howard Wilkinson.

  Significantly update the AFS setpag support. The option to build with AFS
setpag support is now --enable-setpag. On most platforms, if libkafs is not
found, kstart uses an internal AFS system call implementation that doesn't
require linking with the AFS libraries. The AFS libraries are used only on
AIX and IRIX. On platforms other than Linux, pass --with-afs to configure to
specify the location of the AFS include files and libraries.

  Redo the build machinery for Kerberos v4 and Kerberos v5 libraries to take
advantage of portability improvements from other projects. kstart will now
hopefully build with AIX's Kerberos libraries and get more of the edge cases
right. Instead of --with-kerberos, use --with-krb5 to specify the path to the
Kerberos v5 libraries and --with-krb4 to specify the path to the Kerberos v4
libraries.

  After backgrounding, reauthenticate if necessary before writing out the PID
file in case we need tickets or tokens to write the file.

  Close the keytab after determining the principal with k5start -U.

  --enable-static is no longer supported. This is generally unnecessary and
complex to support in combination with other options.

  kstart now has a basic test suite, although not all functionality is tested
yet. See README and tests/data/README for information on how to enable the
tests that are there. 
   2008-05-24 17:34:08 by Tobias Nygren | Files touched by this commit (146)
Log message:
This commit brought to you by the automated whitespace police (pkglint)
   2007-04-23 19:22:51 by Jonathan Kollasch | Files touched by this commit (4) | Imported package
Log message:
k5start acquires Kerberos credentials and runs a command
with those credentials. If the Kerberos credentials are
obtained from a keytab, k5start can be configured to
wake up every so often and renew the obtained credentials.
It can also optionally run a command every time
credentials are obtained (for example, you could run
afslog when credentials are obtained).