* Changes to abort the session if telnetd receives certain options
such as environment or DISPLAY options before authentication and
encryption is negotiated or not negotiated.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7818
dc483132-0cff-0310-8789-
dd5450dbe970
+Tue Apr 16 12:23:02 1996 Sam Hartman <hartmans@mit.edu>
+
+ * configure.in : Treat HPUX as if it doesn't have streams.
+
+ * state.c (suboption): For certain options like environment and X
+ display, require authentication and encryption to be established
+ or not established before processing the option.
+ (sb_auth_complete): Fail and kill telnetd if authentication
+ negotiation is not complete.
+
+ * ext.h: Define new global variable indicating whether encryption
+ wait has happened.
+
Thu Apr 11 21:44:39 1996 Richard Basch <basch@lehman.com>
* sys_term.c (cleanup): Call the Kerberos 5 cleanup routine, also.
dnl login.
dnl
case $krb5_cv_host in
+*-*-hpux-*)
+ broken_streams=yes
+ ;;
*-*-irix*)
# Irix doesn't have a working granpt, and more over
# you can't push anything onto a pty, so telnetd really
# Really wants to treat it as if it doesn't have streams
broken_streams=yes
-;;
+ ;;
esac
if test -z "$broken_streams" ; then
AC_FUNC_CHECK(grantpt,AC_DEFINE(STREAMSPTY))
#if defined(AUTHENTICATION)
extern int auth_level;
#endif
-
+extern int auth_negotiated; /* Have we finished all authentication negotiation we plan to finish?*/
extern slcfun slctab[NSLC + 1]; /* slc mapping table */
extern char *terminaltype;
#define TS_DO 7 /* do " */
#define TS_DONT 8 /* dont " */
+static void sb_auth_complete()
+{
+ if (!auth_negotiated) {
+ static char *error =
+ "An environment option was sent before authentication negotiation completed.\r\nThis may create a security hazard. Connection dropped.\r\n";
+ writenet(error, strlen(error));
+ netflush();
+ exit(1);
+ }
+}
+
void
telrcv()
{
if (his_state_is_wont(TELOPT_TSPEED)) /* Ignore if option disabled */
break;
+ sb_auth_complete();
+
settimer(tspeedsubopt);
if (SB_EOF() || SB_GET() != TELQUAL_IS)
if (his_state_is_wont(TELOPT_TTYPE)) /* Ignore if option disabled */
break;
+sb_auth_complete();
settimer(ttypesubopt);
if (SB_EOF() || SB_GET() != TELQUAL_IS) {
case TELOPT_XDISPLOC: {
if (SB_EOF() || SB_GET() != TELQUAL_IS)
return;
+sb_auth_complete();
settimer(xdisplocsubopt);
subpointer[SB_LEN()] = '\0';
(void)setenv("DISPLAY", (char *)subpointer, 1);
if (SB_EOF())
return;
+sb_auth_complete();
c = SB_GET();
if (c == TELQUAL_IS) {
if (subchar == TELOPT_OLD_ENVIRON)
}
}
#endif /* ENCRYPTION */
+ /* Options like environment require authentication and encryption
+ negotiation to be completed.*/
+ auth_negotiated = 1;
if (his_state_is_will(TELOPT_TSPEED)) {
static unsigned char sb[] =
{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
projects / krb5.git / commitdiff