* klogind.M: Document things a little better, including new

	options controlling hostname manipulation.

	* krlogind.c: Make use of pty_make_sane_hostname() for purposes of
	manipulating hostname to pass to login.  Also unconditionally
	syslog IP address and full hostname of remote host.  Add command
	line options to control such behavior.

	* configure.in: Add arpa/nameser.h to CHECK_HEADERS.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11176 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index fdea771fd4b1974c767e60f86a3572cc40ab44e5..08eb74d77275ecd74697b7a6cb4c57f703b3aedf 100644 (file)
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,15 @@
+Wed Feb 17 17:24:11 1999  Tom Yu  <tlyu@mit.edu>
+
+       * klogind.M: Document things a little better, including new
+       options controlling hostname manipulation.
+
+       * krlogind.c: Make use of pty_make_sane_hostname() for purposes of
+       manipulating hostname to pass to login.  Also unconditionally
+       syslog IP address and full hostname of remote host.  Add command
+       line options to control such behavior.
+
+       * configure.in: Add arpa/nameser.h to CHECK_HEADERS.
+
 Wed Jan 20 21:42:41 1999  Tom Yu  <tlyu@mit.edu>
 
        * login.c (main): Call setluid().

diff --git a/src/appl/bsd/configure.in b/src/appl/bsd/configure.in
index 15db24fe6d0ceeb1e2116163bc340bb1c5932b5d..f96f9909f17c3a4a7b776e8d8b2400d9c6e036c3 100644 (file)
--- a/src/appl/bsd/configure.in
+++ b/src/appl/bsd/configure.in
@@ -64,7 +64,7 @@ dnl
 AC_VFORK
 AC_TYPE_MODE_T
 AC_CHECK_FUNCS(isatty inet_aton gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes)
-AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h)
+AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h arpa/nameser.h)
 AC_HEADER_STDARG
 AC_REPLACE_FUNCS(getdtablesize)
 KRB5_SIGTYPE

diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M
index 1cc7ee404c72cd6543e75ea301cad5728ad1b493..10211b38e6862cd3f485bc1dc9df4c9e9af8f612 100644 (file)
--- a/src/appl/bsd/klogind.M
+++ b/src/appl/bsd/klogind.M
@@ -10,7 +10,11 @@ klogind \- remote login server
 .SH SYNOPSIS
 .B klogind
 [
-.B \-kr54cpPe
+.B \-kr54cpPesI
+]
+[
+.B \-u
+.I utmp_hostname_length
 ]
 .SH DESCRIPTION
 .I Klogind
@@ -127,6 +131,21 @@ The screen or
 window size of the terminal is requested from the client, and window
 size changes from the client are propagated to the pseudo terminal.
 
+.PP
+.I Klogind
+supports the following options to control the form of the hostname
+passed to the login program:
+
+.IP \fB-u\ utmp_hostname_length\fP
+Set the maximum length of hostname passed to login to
+\fIutmp_hostname_length\fP bytes, including terminating nul.
+
+.IP \fB-I\fP
+Always pass a numeric IP address to login.
+
+.IP \fB-s\fP
+Don't strip the local domain off hostnames.
+
 .PP
 .I Klogind
 supports three options which are used for testing

diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c
index f433897190f887077d56adc0ec3a1e68b4277c89..b57b5a746f1fe08d3e683d4c6b5ebed13faf4ad2 100644 (file)
--- a/src/appl/bsd/krlogind.c
+++ b/src/appl/bsd/krlogind.c
@@ -260,7 +260,7 @@ krb5_ccache ccache = NULL;
 
 krb5_keytab keytab = NULL;
 
-#define ARGSTR "k54ciepPD:S:M:L:f?"
+#define ARGSTR "k54ciepPD:S:M:L:fu:Is?"
 #else /* !KERBEROS */
 #define ARGSTR "rpPD:f?"
 #endif /* KERBEROS */
@@ -286,11 +286,20 @@ char *login_program = LOGIN_PROGRAM;
 #define        UT_NAMESIZE     sizeof(((struct utmp *)0)->ut_name)
 #endif
 
+#if HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+
+#ifndef MAXDNAME
+#define MAXDNAME 256 /*per the rfc*/
+#endif
+
 char           lusername[UT_NAMESIZE+1];
 char           rusername[UT_NAMESIZE+1];
 char            *krusername = 0;
 char           term[64];
-char            rhost_name[128];
+char            rhost_name[MAXDNAME];
+char           rhost_addra[16];
 krb5_principal  client;
 int            do_inband = 0;
 
@@ -327,6 +336,10 @@ int auth_ok = 0, auth_sent = 0;
 int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
 int checksum_required = 0, checksum_ignored = 0;
 
+int stripdomain = 1;
+int maxhostlen = 0;
+int always_ip = 0;
+
 int main(argc, argv)
      int argc;
      char **argv;
@@ -428,6 +441,15 @@ int main(argc, argv)
         case 'f':
          do_fork = 1;
          break;
+        case 'u':
+         maxhostlen = atoi(optarg);
+         break;
+        case 'I':
+         always_ip = 1;
+         break;
+        case 's':
+         stripdomain = 0;
+         break;
        case '?':
        default:
          usage();
@@ -564,7 +586,9 @@ void doit(f, fromp)
     struct sigaction sa;
 #endif
     int retval;
-int syncpipe[2];
+    char *rhost_sane;
+    int syncpipe[2];
+
     netf = -1;
     if (setsockopt(f, SOL_SOCKET, SO_KEEPALIVE,
                   (const char *) &on, sizeof (on)) < 0)
@@ -601,18 +625,14 @@ int syncpipe[2];
     fromp->sin_port = ntohs((u_short)fromp->sin_port);
     hp = gethostbyaddr((char *) &fromp->sin_addr, sizeof (struct in_addr),
                       fromp->sin_family);
-    if (hp == 0) {
-       /*
-        * Only the name is used below.
-        */
-       sprintf(rhost_name,"%s",inet_ntoa(fromp->sin_addr));
-    }
-    
-    /* Save hostent information.... */
-    else {
+    strncpy(rhost_addra, inet_ntoa(fromp->sin_addr), sizeof (rhost_addra));
+    rhost_addra[sizeof (rhost_addra) -1] = '\0';
+    if (hp != NULL) {
+       /* Save hostent information.... */
        strncpy(rhost_name,hp->h_name,sizeof (rhost_name));
        rhost_name[sizeof (rhost_name) - 1] = '\0';
-    }
+    } else
+       rhost_name[0] = '\0';
     
     if (fromp->sin_family != AF_INET)
       fatal(f, "Permission denied - Malformed from address\n");
@@ -629,7 +649,7 @@ int syncpipe[2];
     
 #if defined(KERBEROS)
     /* All validation, and authorization goes through do_krb_login() */
-    do_krb_login(rhost_name);
+    do_krb_login(rhost_addra, rhost_name);
 #else
     getstr(f, rusername, sizeof(rusername), "remuser");
     getstr(f, lusername, sizeof(lusername), "locuser");
@@ -720,11 +740,13 @@ int syncpipe[2];
        pwd = (struct passwd *) getpwnam(lusername);
        if (pwd && (pwd->pw_uid == 0)) {
            if (passwd_req)
-             syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) forcing password access",
-                    krusername ? krusername : "", rusername, rhost_name);
+             syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s)) forcing password access",
+                    krusername ? krusername : "",
+                    rusername, rhost_addra, rhost_name);
            else
-             syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) ", 
-                    krusername ? krusername : "", rusername, rhost_name);
+             syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", 
+                    krusername ? krusername : "",
+                    rusername, rhost_addra, rhost_name);
        }
 #ifdef KERBEROS
 #if defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS)
@@ -745,14 +767,14 @@ int syncpipe[2];
        {
            if (passwd_req)
              syslog(LOG_NOTICE,
-                    "login by %s (%s@%s) as %s forcing password access\n",
+                    "login by %s (%s@%s (%s)) as %s forcing password access",
                     krusername ? krusername : "", rusername,
-                    rhost_name, lusername);
+                    rhost_addra, rhost_name, lusername);
            else 
              syslog(LOG_NOTICE,
-                    "login by %s (%s@%s) as %s\n",
+                    "login by %s (%s@%s (%s)) as %s",
                     krusername ? krusername : "", rusername,
-                    rhost_name, lusername); 
+                    rhost_addra, rhost_name, lusername); 
        }
 #endif /* LOG_REMOTE_REALM || LOG_OTHER_USERS || LOG_ALL_LOGINS */
 #endif /* KERBEROS */
@@ -775,15 +797,20 @@ int syncpipe[2];
             *cp = '\0';
         setenv("TERM",term, 1);
     }
- 
+
+    retval = pty_make_sane_hostname(fromp, maxhostlen,
+                                   stripdomain, always_ip,
+                                   &rhost_sane);
+    if (retval)
+        fatalperror(2, "failed make_sane_hostname");
     if (passwd_req)
-        execl(login_program, "login", "-p", "-h", rhost_name,
+        execl(login_program, "login", "-p", "-h", rhost_sane,
           lusername, 0);
     else
-        execl(login_program, "login", "-p", "-h", rhost_name,
+        execl(login_program, "login", "-p", "-h", rhost_sane,
              "-f", lusername, 0);
 #else /* USE_LOGIN_F */
-       execl(login_program, "login", "-r", rhost_name, 0);
+       execl(login_program, "login", "-r", rhost_sane, 0);
 #endif /* USE_LOGIN_F */
        
        fatalperror(2, login_program);
@@ -1159,8 +1186,8 @@ void fatalperror(f, msg)
 #ifdef KERBEROS
 
 void
-do_krb_login(host)
-     char *host;
+do_krb_login(host_addr, hostname)
+     char *host_addr, *hostname;
 {
     krb5_error_code status;
     struct passwd *pwd;
@@ -1178,8 +1205,8 @@ do_krb_login(host)
          krb5_free_ticket(bsd_context, ticket);
        if (status != 255)
          syslog(LOG_ERR,
-                "Authentication failed from %s: %s\n",
-                host,error_message(status));
+                "Authentication failed from %s (%s): %s\n",host_addr,
+                hostname,error_message(status));
        fatal(netf, "Kerberos authentication failed");
        return;
     }