+
+Tue Apr 25 21:23:28 1995 Chris Provenzano (proven@mit.edu)
+
+ * forward.c (rd_and_store_for_creds()) : Rewritten to use
+ auth_context and the new krb5_rd_creds().
+ * forward.c (get_for_creds()) : New function replacing
+ krb5_get_for_creds() and uses auth_context and new
+ krb5_mk_creds() routine.
+ * kcmd.c (kcmd()): Use new get_for_creds() routine.
+ * krlogind.c (recvauth()): Use new rd_and_store_for_creds() routine.
+
Sat Apr 22 00:42:22 1995 Theodore Y. Ts'o (tytso@dcl)
* rlogind (main, doit): The variable krb5_override_default_realm
rlogin testing changes from ian@cygnus.com.
-> Fri Mar 24 15:04:25 1995 Ian Lance Taylor <ian@cygnus.com>
+Fri Apr 21 17:13:48 1995 Mark Eichin <eichin@cygnus.com>
+
+ More changes from ian@cygnus.com to support testing.
+
+Fri Apr 21 14:07:15 1995 Mark Eichin <eichin@cygnus.com>
+
+ Added Ian's changes with minor tweaks. These are used by the testsuite.
+
+Fri Apr 07 15:46:54 1995 Chris Provenzano (proven@mit.edu)
+
+ * configure.in, krlogind.c, krsh.c, krshd.c, login.c, logutil.c.
+ A bunch of patches from Ezra to get BSD to work on
+ The Alpha that looked reasonable.
+
+Mon Mar 27 07:56:26 1995 Chris Provenzano (proven@mit.edu)
+
+ * krcp.c (send_auth()): Use new calling convention for krb5_rd_req().
+
+ * krshd.c (recvauth()): Use new calling convention for
+ krb5_compat_recvauth().
+
+ * krlogind.c (recvauth()): Use new calling convention for
+ krb5_compat_recvauth().
+
+Fri Mar 24 15:04:25 1995 Ian Lance Taylor <ian@cygnus.com>
* krlogind.c (srvtab): New global variable.
(krb5_override_default_realm): Declare.
(recvauth): Pass srvtab to krb5_compat_recvauth.
* krlogind.M: Document -S, -M, and -L.
-Fri Apr 21 17:13:48 1995 Mark Eichin <eichin@cygnus.com>
-
- More changes from ian@cygnus.com to support testing.
-
-> Fri Mar 24 15:04:25 1995 Ian Lance Taylor <ian@cygnus.com>
+Fri Mar 24 15:04:25 1995 Ian Lance Taylor <ian@cygnus.com>
* krcp.c (forcenet): New global vraiable.
(main): Accept -D and -N arguments. Pass Kerberos realm to remote
kprogdir/rcp if it exists.
* krshd.M: Document -P.
-Fri Apr 21 14:07:15 1995 Mark Eichin <eichin@cygnus.com>
-
- Added Ian's changes with minor tweaks. These are used by the testsuite.
-
-> Thu Mar 23 18:18:31 1995 Ian Lance Taylor <ian@cygnus.com>
+Thu Mar 23 18:18:31 1995 Ian Lance Taylor <ian@cygnus.com>
* krshd.c (ARGSTR): Add S:M:A to KERBEROS version.
(srvtab): New global variable.
* krcp.c (main): Pass 0 for anyport to kcmd.
* krlogin.c (main): Pass 0 for anyport to kcmd.
-Mon Mar 27 07:56:26 1995 Chris Provenzano (proven@mit.edu)
-
- * krcp.c (send_auth()): Use new calling convention for krb5_rd_req().
-
- * krshd.c (recvauth()): Use new calling convention for
- krb5_compat_recvauth().
-
- * krlogind.c (recvauth()): Use new calling convention for
- krb5_compat_recvauth().
-
Thu Mar 23 23:23:25 1995 Theodore Y. Ts'o <tytso@dcl>
* Makefile.in (krshd): Move $(K4LIB) after $(KLIB) so that if
AC_FUNC_CHECK(setresuid,AC_DEFINE(HAVE_SETRESUID))
AC_FUNC_CHECK(waitpid,AC_DEFINE(HAVE_WAITPID))
AC_FUNC_CHECK(setsid,AC_DEFINE(HAVE_SETSID))
+AC_FUNC_CHECK(ttyname,AC_DEFINE(HAVE_TTYNAME))
AC_FUNC_CHECK(line_push,AC_DEFINE(HAVE_LINE_PUSH))
AC_FUNC_CHECK(ptsname,AC_DEFINE(HAVE_PTSNAME))
AC_FUNC_CHECK(grantpt,AC_DEFINE(HAVE_GRANTPT))
+AC_FUNC_CHECK(openpty,AC_DEFINE(HAVE_OPENPTY))
+AC_FUNC_CHECK(setlogin,AC_DEFINE(HAVE_SETLOGIN))
+AC_FUNC_CHECK(logwtmp,AC_DEFINE(HAVE_LOGWTMP))
AC_HAVE_HEADERS(sys/filio.h sys/sockio.h unistd.h stdlib.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h)
AC_REPLACE_FUNCS(getdtablesize)
CHECK_SIGNALS
#include <pwd.h>
#include <netdb.h>
-#include "krb5.h"
+#include "k5-int.h"
/* Decode, decrypt and store the forwarded creds in the local ccache. */
krb5_error_code
-rd_and_store_for_creds(context, inbuf, ticket, lusername)
- krb5_context context;
- krb5_data *inbuf;
- krb5_ticket *ticket;
- char *lusername;
+rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername)
+ krb5_context context;
+ krb5_auth_context * auth_context;
+ krb5_data *inbuf;
+ krb5_ticket *ticket;
+ char *lusername;
{
- krb5_encrypt_block eblock;
- krb5_creds creds;
+ krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
krb5_ccache ccache = NULL;
struct passwd *pwd;
- if (retval = krb5_rd_cred(inbuf, ticket->enc_part2->session,
- &creds, 0, 0)) {
- return(retval);
- }
-
- if (!(pwd = (struct passwd *) getpwnam(lusername))) {
+ if (!(pwd = (struct passwd *) getpwnam(lusername)))
return -1;
- }
+
+ if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
+ return(retval);
/* Set the KRB5CCNAME ENV variable to keep sessions
* seperate. Use the process id of this process which is
sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
setenv("KRB5CCNAME", ccname, 0);
- if (retval = krb5_cc_resolve(context, ccname, &ccache)) {
- return(retval);
+ if (retval = krb5_cc_resolve(context, ccname, &ccache))
+ goto cleanup;
+
+ if (retval = krb5_cc_initialize(context, ccache, ticket->enc_part2->client))
+ goto cleanup;
+
+ if (retval = krb5_cc_store_cred(context, ccache, *creds))
+ goto cleanup;
+
+ retval = chown(ccname+5, pwd->pw_uid, -1);
+
+cleanup:
+ krb5_free_creds(context, *creds);
+ return retval;
+}
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif
+
+#define KRB5_DEFAULT_LIFE 60*60*8 /* 8 hours */
+/* helper function: convert flags to necessary KDC options */
+#define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
+
+/* Get a TGT for use at the remote host */
+krb5_error_code
+get_for_creds(context, auth_context, rhost, client, forwardable, out_buf)
+ krb5_context context;
+ krb5_auth_context * auth_context;
+ char *rhost;
+ krb5_principal client;
+ int forwardable; /* Should forwarded TGT also be forwardable? */
+ krb5_data *out_buf;
+{
+ krb5_replay_data replaydata;
+ krb5_data * scratch;
+ struct hostent *hp;
+ krb5_address **addrs;
+ krb5_error_code retval;
+ krb5_creds tgt, creds, *pcreds;
+ krb5_ccache cc;
+ krb5_flags kdcoptions;
+ krb5_timestamp now;
+ char *remote_host = 0;
+ char **hrealms = 0;
+ int i;
+
+ memset((char *)&creds, 0, sizeof(creds));
+
+ if (!rhost || !(hp = gethostbyname(rhost)))
+ return KRB5_ERR_BAD_HOSTNAME;
+
+ remote_host = (char *) malloc(strlen(hp->h_name)+1);
+ if (!remote_host) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ strcpy(remote_host, hp->h_name);
+
+ if (retval = krb5_get_host_realm(context, remote_host, &hrealms))
+ goto errout;
+ if (!hrealms[0]) {
+ retval = KRB5_ERR_HOST_REALM_UNKNOWN;
+ goto errout;
}
- if (retval = krb5_cc_initialize(context, ccache,
- ticket->enc_part2->client)) {
- return(retval);
+ /* Count elements */
+ for(i = 0; hp->h_addr_list[i]; i++);
+
+ addrs = (krb5_address **) malloc ((i + 1)*sizeof(*addrs));
+ if (!addrs) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ memset(addrs, 0, (i+1)*sizeof(*addrs));
+
+ for(i = 0; hp->h_addr_list[i]; i++) {
+ addrs[i] = (krb5_address *) malloc(sizeof(krb5_address));
+ if (!addrs[i]) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ addrs[i]->addrtype = hp->h_addrtype;
+ addrs[i]->length = hp->h_length;
+ addrs[i]->contents = (unsigned char *)malloc(addrs[i]->length);
+ if (!addrs[i]->contents) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ memcpy ((char *)addrs[i]->contents, hp->h_addr_list[i],
+ addrs[i]->length);
}
+ addrs[i] = 0;
- if (retval = krb5_cc_store_cred(context, ccache, &creds)) {
- return(retval);
+ if (retval = krb5_copy_principal(context, client, &creds.client))
+ goto errout;
+
+ if (retval = krb5_build_principal_ext(context, &creds.server,
+ strlen(hrealms[0]),
+ hrealms[0],
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0))
+ goto errout;
+
+ creds.times.starttime = 0;
+ if (retval = krb5_timeofday(context, &now))
+ goto errout;
+
+ creds.times.endtime = now + KRB5_DEFAULT_LIFE;
+ creds.times.renew_till = 0;
+
+ if (retval = krb5_cc_default(context, &cc))
+ goto errout;
+
+ /* fetch tgt directly from cache */
+ retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
+ &creds, &tgt);
+ krb5_cc_close(context, cc);
+
+ if (retval)
+ goto errout;
+
+ /* tgt->client must be equal to creds.client */
+ if (!krb5_principal_compare(context, tgt.client, creds.client)) {
+ retval = KRB5_PRINC_NOMATCH;
+ goto errout;
}
- if (retval = chown(ccname+5, pwd->pw_uid, -1)) {
- return(retval);
+ if (!tgt.ticket.length) {
+ retval = KRB5_NO_TKT_SUPPLIED;
+ goto errout;
+ }
+
+ if (!(tgt.ticket_flags & TKT_FLG_FORWARDABLE)) {
+ retval = KRB5_TKT_NOT_FORWARDABLE;
+ goto errout;
}
+ kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
+
+ if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
+ kdcoptions &= ~(KDC_OPT_FORWARDABLE);
+
+ if (retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds))
+ goto errout;
+
+ retval = krb5_mk_1cred(context, auth_context, pcreds,
+ &scratch, &replaydata);
+ krb5_free_creds(context, pcreds);
+ *out_buf = *scratch;
+ krb5_xfree(scratch);
+
+errout:
+ if (remote_host)
+ free(remote_host);
+ if (hrealms)
+ krb5_xfree(hrealms);
+ if (addrs)
+ krb5_free_addresses(context, addrs);
+ krb5_free_cred_contents(context, &creds);
return retval;
}
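Review bot: `addrs` is declared at L170 without an initialiser, yet `errout` at L297 passes it to krb5_free_addresses unconditionally, so any failure before the malloc at L204 (the remote_host malloc failing, krb5_get_host_realm failing, or an unknown realm at L194) frees an indeterminate pointer; declare it `krb5_address **addrs = NULL;`. The result of krb5_mk_1cred at L286 is never examined before `*out_buf = *scratch;`, so a failed encode dereferences whatever `scratch` happens to hold; add `if (retval) goto errout;` immediately after `krb5_free_creds(context, pcreds);`. The TGT fetched by krb5_cc_retrieve_cred at L254, session key included, is never released with krb5_free_cred_contents, and `hrealms` is released with plain krb5_xfree at L296 rather than the realm-list free (presumably krb5_free_host_realm), so the realm strings leak on every call. In rd_and_store_for_creds the cache resolved at L133 and initialised at L136 is never closed, and the cleanup at L145 frees only `*creds` while the array returned by krb5_rd_cred is dropped. Some lines of these functions appear to be omitted from this view, so the cleanup paths should be checked against the full file.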
#include "krb5.h"
#include "defines.h"
-
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 64
-#endif
-
-extern errno;
-#define START_PORT 5120 /* arbitrary */
+
+#define START_PORT 5120 /* arbitrary */
char *default_service = "host";
extern krb5_cksumtype krb5_kdc_req_sumtype;
extern krb5_context bsd_context;
+
+
kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
cred, seqno, server_seqno, laddr, faddr, authopts, anyport)
int *sock;
status = -1;
goto bad2;
}
-
+
status = krb5_cc_default(bsd_context, &cc);
if (status) goto bad2;
authopts &= (~OPTS_FORWARD_CREDS);
authopts &= (~OPTS_FORWARDABLE_CREDS);
+ if (krb5_auth_con_init(bsd_context, &auth_context))
+ goto bad2;
+
+ if (krb5_auth_con_setflags(bsd_context, auth_context,
+ KRB5_AUTH_CONTEXT_RET_TIME))
+ goto bad2;
+
+ /* Only need local address for mk_cred() to send to krlogind */
+ if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, s,
+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))
+ goto bad2;
+
/* call Kerberos library routine to obtain an authenticator,
pass it over the socket to the server, and obtain mutual
authentication. */
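Review bot: The two new guards at L330 and L333 `goto bad2` without assigning `status`, unlike every other failure path visible here (L321 sets `status = -1`, L326 and L338 store the call result), so a failing krb5_auth_con_init or krb5_auth_con_setflags reaches bad2 with `status` still holding the 0 left by krb5_cc_default and kcmd presumably reports success to its caller. Write them as `if (status = krb5_auth_con_init(bsd_context, &auth_context)) goto bad2;` and `if (status = krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2;`. Whether `auth_context` is released on the bad2 path is not visible in this hunk; kcmd begins at L318 and its body continues beyond these lines.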
(void) write(s, locuser, strlen(locuser)+1);
if (options & OPTS_FORWARD_CREDS) { /* Forward credentials */
- if (status = krb5_get_for_creds(bsd_context,
- krb5_kdc_req_sumtype,
+ if (status = get_for_creds(bsd_context, auth_context,
hp->h_name,
ret_cred->client,
- &ret_cred->keyblock,
/* Forwardable TGT? */
options & OPTS_FORWARDABLE_CREDS,
&outbuf)) {
fprintf(stderr, "kcmd: Error getting forwarded creds\n");
goto bad2;
}
-
+
/* Send forwarded credentials */
if (status = krb5_write_message(bsd_context, (krb5_pointer)&s, &outbuf))
goto bad2;
int i,ptynum;
struct stat stb;
+#ifdef HAVE_OPENPTY
+ int slavefd;
+
+ if(openpty(fd, &slavefd, slave, (struct termios *) 0,
+ (struct winsize *) 0)) return 1;
+ return 0;
+#else
+
*fd = open("/dev/ptmx", O_RDWR|O_NDELAY); /* Solaris, IRIX */
if (*fd < 0) *fd = open("/dev/ptc", O_RDWR|O_NDELAY); /* AIX */
if (*fd < 0) *fd = open("/dev/pty", O_RDWR|O_NDELAY); /* sysvimp */
if (grantpt(*fd) || unlockpt(*fd)) return 1;
#endif
+#ifdef HAVE_TTYNAME
+ p = ttyname(*fd);
+#else
#ifdef HAVE_PTSNAME
p = ptsname(*fd);
#else
- p = ttyname(*fd);
+ /* XXX If we don't have either what do we do */
+#endif
#endif
if (p) {
strcpy(slave, p);
}
return 1;
}
+#endif /* HAVE_OPENPTY */
}
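Review bot: The new `#ifdef HAVE_TTYNAME` block at L379 makes ttyname() take precedence over ptsname(), inverting the original preference at L382-L385: ptsname() is the call that maps a pty master descriptor to its slave device name, whereas ttyname() on the master yields the master's own name or fails, and because configure now probes for ttyname (L80) the ptsname branch becomes dead on any system that has both. Keep ptsname first, with `#ifdef HAVE_PTSNAME` / `p = ptsname(*fd);` / `#else` falling back to `p = ttyname(*fd);`. In the openpty branch at L369 `slavefd` is opened and never closed, so the slave descriptor leaks out of getpty and is inherited by whatever the caller forks; if the caller reopens the slave by name, `close(slavefd);` before returning 0. The enclosing function begins before L364, and the `#endif` at L378 appears to close a conditional that starts outside this view, so the nesting with L394 should be confirmed against the full file.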
char krb_vers[KRB_SENDAUTH_VLEN + 1];
int len;
krb5_principal server;
- krb5_address peeraddr;
krb5_data inbuf;
char v4_instance[INST_SZ]; /* V4 Instance */
char v4_version[9];
exit(1);
}
-#ifdef unicos61
-#define SIZEOF_INADDR SIZEOF_in_addr
-#else
-#define SIZEOF_INADDR sizeof(struct in_addr)
-#endif
-
- peeraddr.addrtype = peersin.sin_family;
- peeraddr.length = SIZEOF_INADDR;
- peeraddr.contents = (krb5_octet *)&peersin.sin_addr;
-
if (status = krb5_sname_to_principal(bsd_context, NULL, "host",
KRB5_NT_SRV_HST, &server)) {
syslog(LOG_ERR, "parse server name %s: %s", "host",
if (status = krb5_auth_con_init(bsd_context, &auth_context))
return status;
- krb5_auth_con_setaddrs(bsd_context, auth_context, NULL, &peeraddr);
+ /* Only need remote address for rd_cred() to verify client */
+ if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR))
+ return status;
if (status = krb5_compat_recvauth(bsd_context, &auth_context, &netf,
"KCMDV0.1",
fatal(netf, "Error reading message");
if (inbuf.length) { /* Forwarding being done, read creds */
- if (status = rd_and_store_for_creds(bsd_context, &inbuf, ticket,
- lusername))
+ if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR))
+ fatal(netf, "Can't generate full address for client");
+
+ if (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
+ ticket, lusername))
fatal(netf, "Can't get forwarded credentials");
}
return 0;
#include "krb5.h"
#include "com_err.h"
#include "defines.h"
+#include "ext-proto.h"
#endif /* KERBEROS */
/*
if (port) {
/* Place entry into wtmp */
sprintf(ttyn,"krsh%1d",getpid());
- logwtmp(ttyn,locuser,hostname,1);
+ logwtmp(ttyn,locuser,hostname);
}
/* We are simply execing a program over rshd : log entry into wtmp,
as kexe(pid), then finish out the session right after that.
Syslog should have the information as to what was exec'd */
else {
- logwtmp(ttyn,locuser,hostname,1);
+ logwtmp(ttyn,locuser,hostname);
}
#ifdef CRAY
"Shell process completed.");
#endif
/* Finish session in wmtp */
- logwtmp(ttyn,"","",0);
+ logwtmp(ttyn,"","");
exit(0);
}
#ifdef SETPGRP_TWOARG
as kexe(pid), then finish out the session right after that.
Syslog should have the information as to what was exec'd */
else {
- logwtmp(ttyn,"","",0);
+ logwtmp(ttyn,"","");
}
if (*pwd->pw_shell == '\0')
exit(1);
signout_please:
- logwtmp(ttyn,"","",0);
+ logwtmp(ttyn,"","");
exit(1);
}
#endif
wait(0);
- logwtmp(ttyn,"","",0);
+ logwtmp(ttyn,"","");
syslog(LOG_INFO ,"Shell process completed.");
exit(0);
}
}
if (inbuf.length) { /* Forwarding being done, read creds */
- if (status = rd_and_store_for_creds(bsd_context, &inbuf, ticket, locuser)) {
+ if (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
+ ticket, locuser)) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
#include <ttyent.h>
#endif
#include <syslog.h>
+#include <stdio.h>
#include <grp.h>
#include <pwd.h>
#include <setjmp.h>
-#include <stdio.h>
#include <string.h>
#ifdef HAVE_SHADOW
#ifdef OQUOTA
quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0);
#endif
+#ifdef HAVE_SETLOGIN
+ if (setlogin(pwd->pw_name) < 0)
+ syslog(LOG_ERR, "setlogin() failure %d",errno);
+#endif
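Review bot: setlogin() at L510 succeeds only for a session leader (on BSD it fails with EPERM otherwise), and no setsid() is visible before it in this hunk; if login.c establishes the session elsewhere that is fine, but if it does not, the syslog line fires on every login and getlogin() keeps reporting the daemon's name rather than the user's. Confirm the ordering and record it in a comment, e.g. `/* Must follow setsid(): setlogin() requires a session leader. */`. The bare `%d` errno value is also hard to read in the log; `syslog(LOG_ERR, "setlogin() failure: %s", strerror(errno));` is clearer, assuming <errno.h> and <string.h> are already included above this view.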
+
#ifdef __SCO__
/* this is necessary when C2 mode is enabled, but not otherwise */
setluid((uid_t) pwd->pw_uid);
void update_wtmp(ent)
struct utmp *ent;
{
-#ifndef HAVE_SETUTENT
struct utmp ut;
struct stat statb;
int fd;
-#endif /* !HAVE_SETUTENT */
#ifdef HAVE_SETUTXENT
struct utmpx utx;
#ifdef HAVE_UPDWTMP
updwtmp(WTMP_FILE, ent);
#else /* HAVE_UPDWTMP */
-#ifdef HAVE_SETUTENT
- utmpname(WTMP_FILE);
- setutent();
- pututline(ent);
- endutent();
-#else /* HAVE_SETUTENT */
if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) >= 0) {
if (!fstat(fd, &statb)) {
(void)strncpy(ut.ut_host, ent->ut_host, sizeof(ut.ut_host));
#endif
(void)time(&ut.ut_time);
-#ifdef HAVE_GETUTENT
+#if defined(HAVE_GETUTENT) && defined(USER_PROCESS)
if (ent->ut_name) {
if (!ut.ut_pid)
ut.ut_pid = getpid();
}
(void)close(fd);
}
-#endif /* HAVE_SETUTENT */
#endif /* HAVE_UPDWTMP */
}
-void logwtmp(tty, locuser, host, loggingin)
+#ifndef HAVE_LOGWTMP
+void logwtmp(tty, locuser, host)
char *tty;
char *locuser;
char *host;
- int loggingin;
{
struct utmp ut;
char *tmpx;
char utmp_id[5];
+ /* Will be empty for logout */
+ int loggingin = locuser[0];
+
+
#ifndef NO_UT_HOST
strncpy(ut.ut_host, host, sizeof(ut.ut_host));
#endif
update_wtmp(&ut);
}
+#endif
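Review bot: `int loggingin = locuser[0];` at L564 replaces the explicit flag with the convention that only an empty name means logout, but the contract is stated nowhere and a NULL `locuser` now dereferences; guard it as `int loggingin = (locuser != NULL && locuser[0] != '\0');` and document the rule above the function, e.g. `/* An empty locuser records a logout; a non-empty one records a login. */`. The visible callers in krshd.c (L449-L484) pass either a user name or "", so this is defensive, but the function now doubles as a stand-in for the system logwtmp (L553) and should tolerate the same inputs. Lines between L566 and L567 appear to be omitted from this view, so the initialisation of `ut` could not be checked.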