authenc.c (telnet_spin): Implemented the telnet spin function, which
works by calling the Scheduler with the tty_lockout flag set.
main.c (main): If the -x option is given, set the autologin,
wantencryption, and auth_enable_encrypt flag. They enable
authentication, enforcement of the encryption option, and a flag to
the auth layer to negotiate authentication with mandatory encryption
option.
telnet.c (telnet): If the wantencryption flag is set (because the user
has given the -x option), then we enforce that encryption must be
turned on. The user will not be able to type to the network stream
until encryption is enabled, and if encryption is refused, the client
will print an error message.
(Scheduler): If the tty_lockout flag is set, then don't process
keyboard read events. This prevents the user from typing over the
network until encryption is enabled.
utilities.c (printsub): Added print support for the authentication
must-encrypt option.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7662
dc483132-0cff-0310-8789-
dd5450dbe970
+Mon Mar 18 20:31:44 1996 Theodore Y. Ts'o <tytso@dcl>
+
+ * Makefile.in: Added flags to turn on the encryption option.
+
+ * authenc.c (telnet_spin): Implemented the telnet spin function,
+ which works by calling the Scheduler with the tty_lockout
+ flag set.
+
+ * main.c (main): If the -x option is given, set the autologin,
+ wantencryption, and auth_enable_encrypt flag. They enable
+ authentication, enforcement of the encryption option, and
+ a flag to the auth layer to negotiate authentication with
+ mandatory encryption option.
+
+ * telnet.c (telnet): If the wantencryption flag is set (because
+ the user has given the -x option, then we enforce that
+ encryption must be turned on. The user will not be able
+ to type to the network stream until encryption is enabled,
+ and if encryption is refused, the client will print an
+ error message.
+ (Scheduler): If the tty_lockout flag is set, then don't
+ process keyboard read events. This prevents the user from
+ typing over the network until encryption is enabled.
+
+ * utilities.c (printsub): Added print support for the
+ authentication must-encrypt option.
+
Sun Feb 25 20:32:57 1996 Sam Hartman <hartmans@tertius.mit.edu>
* configure.in: Check for arpa/nameser.h
# @(#)Makefile.generic 5.5 (Berkeley) 3/1/91
#
-AUTH_DEF=-DAUTHENTICATION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
+AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
OTHERDEFS=-DLINEMODE -DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
LOCALINCLUDES=-I.. -I$(srcdir)/..
CFLAGS = $(CCOPTS) $(AUTH_DEF) $(OTHERDEFS) $(DEFS) $(LOCALINCLUDES)
int
telnet_spin()
{
- return(-1);
+ extern int scheduler_lockout_tty;
+
+ scheduler_lockout_tty = 1;
+ Scheduler(0);
+ scheduler_lockout_tty = 0;
+
+ return 0;
}
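Review bot: The status of `Scheduler(0)` on L64 is thrown away and telnet_spin now always returns 0, so a caller polling it (the encryption wait loop added in telnet.c) cannot learn that the connection has died and keeps spinning until its own timeout; the stub it replaces at least signalled failure with -1. If Scheduler reports a process_rings error with a negative value, as the main loop's `schedValue == -1` handling elsewhere in telnet.c suggests, capture and propagate it: `int rc = 0;` before the lockout, `rc = Scheduler(0);` in place of the bare call, and `return rc < 0 ? -1 : 0;` at the end. The `extern int scheduler_lockout_tty;` on L61 would be better placed in a shared header than inside the function body. A one-line comment would help later readers: `/* One non-blocking scheduler pass with keyboard input suppressed, so nothing typed can reach the not-yet-encrypted link. */`.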
char *
localchars, /* we recognize interrupt/quit */
donelclchars, /* the user has set "localchars" */
showoptions,
+ wantencryption, /* User has requested encryption */
net, /* Network file descriptor */
tin, /* Terminal input file descriptor */
tout, /* Terminal output file descriptor */
#ifdef FORWARD
extern int forward_flags;
#endif /* FORWARD */
+#ifdef ENCRYPTION
+ extern int auth_enable_encrypt;
+#endif /* ENCRYPTION */
tninit(); /* Clear out things */
#if defined(CRAY) && !defined(__STDC__)
#ifdef ENCRYPTION
encrypt_auto(1);
decrypt_auto(1);
+ wantencryption = 1;
+ autologin = 1;
+ auth_enable_encrypt = 1;
#else
fprintf(stderr,
"%s: Warning: -x ignored, no ENCRYPT support.\n",
askedSGA = 0, /* We have talked about suppress go ahead */
#endif /* defined(TN3270) */
telnetport,
+ wantencryption = 0,
SYNCHing, /* we are in TELNET SYNCH mode */
flushout, /* flush output */
autoflush = 0, /* flush output when interrupting? */
char *prompt = 0;
+int scheduler_lockout_tty = 0;
+
cc_t escape;
cc_t rlogin;
#ifdef KLUDGELINEMODE
}
#endif /* defined(TN3270) && defined(unix) */
+ if (scheduler_lockout_tty) {
+ ttyin = ttyout = 0;
+ }
+
/* Call to system code to process rings */
returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
}
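Review bot: Zeroing `ttyout` together with `ttyin` on L110 does more than the stated purpose of the lockout (dropping keyboard reads): with `ttyout = 0` any data already queued for the terminal is also held back for the whole time the wait loop in telnet() spins, so the user sees nothing of the negotiation, only the final printf. If withholding terminal output is intentional (for instance so that no plaintext server output is displayed before encryption is up), record that in a comment, e.g. `/* tty lockout: ignore keyboard reads so nothing leaks onto the unencrypted link, and hold tty output until the lockout ends */`; if not, reduce it to `ttyin = 0;`. Scheduler begins before this hunk, so I could not check how `ttyin`/`ttyout` are computed above.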
#endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */
# if !defined(TN3270)
- if (telnetport) {
#if defined(AUTHENTICATION)
- if (autologin)
- send_will(TELOPT_AUTHENTICATION, 1);
+ if (autologin)
+ send_will(TELOPT_AUTHENTICATION, 1);
#endif
#ifdef ENCRYPTION
+ if (telnetport || wantencryption) {
send_do(TELOPT_ENCRYPT, 1);
send_will(TELOPT_ENCRYPT, 1);
+ }
#endif /* ENCRYPTION */
+ if (telnetport) {
send_do(TELOPT_SGA, 1);
send_will(TELOPT_TTYPE, 1);
send_will(TELOPT_NAWS, 1);
}
# endif /* !defined(TN3270) */
+#ifdef ENCRYPTION
+ /*
+ * Note: we assume a tie to the authentication option here. This
+ * is necessary so that authentication fails, we don't spin
+ * forever.
+ */
+ if (wantencryption) {
+ extern int auth_has_failed;
+ time_t timeout = time(0) + 60;
+
+ send_do(TELOPT_ENCRYPT, 1);
+ send_will(TELOPT_ENCRYPT, 1);
+ while (1) {
+ if (my_want_state_is_wont(TELOPT_AUTHENTICATION)) {
+ printf("Server refused to negotiation authentication, which is required\n");
+ printf("for encryption. Good bye.\n\r");
+ Exit(1);
+ }
+ if (auth_has_failed) {
+ printf("Authentication negotation has failed, which is required for\n");
+ printf("encryption. Good bye.\n\r");
+ Exit(1);
+ }
+ if (my_want_state_is_dont(TELOPT_ENCRYPT) ||
+ my_want_state_is_wont(TELOPT_ENCRYPT)) {
+ printf("Server refused to negotiate encryption. Good bye.\n\r");
+ Exit(1);
+ }
+ if (encrypt_is_encrypting())
+ break;
+ if (time(0) > timeout) {
+ printf("Encryption could not be enabled. Goodbye.\n\r");
+ Exit(1);
+ }
+ telnet_spin();
+ }
+ }
+#endif
+
+
# if !defined(TN3270)
for (;;) {
int schedValue;
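Review bot: The exit condition on L165 trusts `encrypt_is_encrypting()` alone; if that helper reports only the outbound state (as in the BSD encrypt.c this client derives from — please confirm), the loop can finish while inbound data still arrives in the clear, so the inbound (decrypt) state should be checked as well before `break`. The loop is also a 60-second busy-wait, since `telnet_spin()` on L171 does a non-blocking pass; a short bounded wait per iteration would avoid burning CPU while keeping the `time(0) > timeout` check effective. The user-facing strings have typos that should be fixed before release — L151 `"Server refused to negotiate authentication, which is required\n"` and L156 `"Authentication negotiation has failed, which is required for\n"` — and the endings mix `\n` with `\n\r` (the conventional order is `\r\n`). The explanatory comment on L139–L141 drops a word: `is necessary so that if authentication fails, we don't spin`. The `send_do`/`send_will` pair on L147–L148 repeats the sends already made on L127–L128 whenever wantencryption is set; harmless if `send_do(..., 1)` suppresses duplicates via its want-state check, otherwise it should be removed.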
fprintf(NetTrace, "(partial suboption??\?)");
break;
}
- fprintf(NetTrace, "%s|%s",
+ fprintf(NetTrace, "%s|%s%s",
((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
"CLIENT" : "SERVER",
((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
- "MUTUAL" : "ONE-WAY");
-
+ "MUTUAL" : "ONE-WAY",
+ ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
+ "|ENCRYPT" : "");
auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
fprintf(NetTrace, "%s", buf);
break;
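Review bot: The encrypt-flag suffix expression added on L191–L192 is repeated verbatim in the second printsub hunk (L206–L207); a small `static const char *auth_encrypt_label(int flags)` helper, or a shared macro, would keep the two trace formats from drifting apart. The empty string for the off case is fine as long as AUTH_ENCRYPT_MASK selects a single bit, which is worth stating next to the first use: `/* empty suffix == AUTH_ENCRYPT_OFF */`. printsub starts and ends outside both hunks.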
fprintf(NetTrace, "(partial suboption??\?)");
break;
}
- fprintf(NetTrace, "%s|%s ",
+ fprintf(NetTrace, "%s|%s%s ",
((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
"CLIENT" : "SERVER",
((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
- "MUTUAL" : "ONE-WAY");
+ "MUTUAL" : "ONE-WAY",
+ ((pointer[i] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
+ "|ENCRYPT" : "");
++i;
}
break;