* kshd.M: Resync manpage

	* krshd.c: Rework hostname logging.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11247 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index a2ea0c6cbc31f26d99ee1dbe182dcf00d2aba43d..fc892bac9faf31e64cebad44e170241c2c94ba98 100644 (file)
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,9 @@
+Mon Mar  8 19:21:23 1999  Tom Yu  <tlyu@mit.edu>
+
+       * kshd.M: Resync manpage.
+
+       * krshd.c: Rework hostname logging.
+
 Wed Feb 24 20:05:40 1999  Tom Yu  <tlyu@mit.edu>
 
        * klogind.M: Resync manpage.

diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index 7e0555f0040656385a472c712a9e0b819b262cdd..a29d17a07a5a8cc19175a8906561c74ade305289 100644 (file)
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -162,7 +162,15 @@ char copyright[] =
 Key_schedule v4_schedule;
 #endif
 
-#define ARGSTR "ek54ciD:S:M:AP:?L:"
+#if HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+
+#ifndef MAXDNAME
+#define MAXDNAME 256 /*per the rfc*/
+#endif
+
+#define ARGSTR "ek54ciD:S:M:AP:?L:w:"
 
 
 
@@ -180,6 +188,9 @@ int do_encrypt = 0;
 int anyport = 0;
 char *kprogdir = KPROGDIR;
 int netf;
+int maxhostlen = 0;
+int stripdomain = 1;
+int always_ip = 0;
 
 #else /* !KERBEROS */
 
@@ -351,8 +362,30 @@ int main(argc, argv)
        case 'D':
          debug_port = atoi(optarg);
          break;
-       case '?':
-       default:
+      case 'w':
+         if (!strcmp(optarg, "ip"))
+             always_ip = 1;
+         else {
+             char *cp;
+             cp = strchr(optarg, ',');
+             if (cp == NULL)
+                 maxhostlen = atoi(optarg);
+             else if (*(++cp)) {
+                 if (!strcmp(cp, "striplocal"))
+                     stripdomain = 1;
+                 else if (!strcmp(cp, "nostriplocal"))
+                     stripdomain = 0;
+                 else {
+                     usage();
+                     exit(1);
+                 }
+                 *(--cp) = '\0';
+                 maxhostlen = atoi(optarg);
+             }
+         }
+         break;
+      case '?':
+      default:
          usage();
          exit(1);
          break;
@@ -575,7 +608,9 @@ void doit(f, fromp)
     
     int s;
     struct hostent *hp;
-    char *hostname;
+    char hostname[MAXDNAME];
+    char *sane_host;
+    char hostaddra[16];
     short port;
     int pv[2], pw[2], px[2], cc;
     fd_set ready, readfrom;
@@ -731,16 +766,23 @@ void doit(f, fromp)
     dup2(f, 2);
     hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr),
                       fromp->sin_family);
-    if (hp){
-       hostname = malloc(strlen(hp->h_name) + 1);
-       strcpy(hostname,hp->h_name);
-    }
-    else {
-       hostname = malloc(strlen((char *)inet_ntoa(fromp->sin_addr)) + 1);
-       strcpy(hostname,(char *)inet_ntoa(fromp->sin_addr));
+    strncpy(hostaddra, inet_ntoa(fromp->sin_addr), sizeof (hostaddra));
+    hostaddra[sizeof (hostaddra) - 1] = '\0';
+    if (hp != NULL){
+       strncpy(hostname, hp->h_name, sizeof (hostname));
+       hostname[sizeof (hostname) - 1] = '\0';
     }
+    else
+       hostname[0] = '\0';
 
 #ifdef KERBEROS
+    status = pty_make_sane_hostname(fromp, maxhostlen,
+                                   stripdomain, always_ip, &sane_host);
+    if (status) {
+       error("failed make_sane_hostname: %s\n", error_message(status));
+       exit(1);
+    }
+
     if ((status = recvauth(f, fromaddr,&valid_checksum))) {
        error("Authentication failed: %s\n", error_message(status));
        exit(1);
@@ -771,8 +813,9 @@ void doit(f, fromp)
     pwd = getpwnam(locuser);
     if (pwd == (struct passwd *) 0 ) {
        syslog(LOG_ERR ,
-              "Principal %s (%s@%s) for local user %s has no account.\n",
-              kremuser, remuser, hostname, locuser); /* xxx sprintf buffer in syslog*/
+              "Principal %s (%s@%s (%s)) for local user %s has no account.\n",
+              kremuser, remuser, hostaddra, hostname,
+              locuser); /* xxx sprintf buffer in syslog*/
        error("Login incorrect.\n");
        exit(1);
     }
@@ -823,18 +866,18 @@ void doit(f, fromp)
     endudb();
     if (secflag) {
        if(getsysv(&sysv, sizeof(struct sysv)) != 0) {
-           loglogin(hostname, SLG_LLERR, 0, ue);
+           loglogin(sane_host, SLG_LLERR, 0, ue);
            error("Permission denied.\n");
            exit(1);
        }
        if ((packet_level != ue->ue_deflvl) ||
            ((packet_compart & ue->ue_comparts) != packet_compart )){
-           loglogin(hostname, SLG_LLERR, 0, ue);
+           loglogin(sane_host, SLG_LLERR, 0, ue);
            error("Permission denied.\n");
            exit(1);
        }
        if (ue->ue_disabled != 0) {
-           loglogin(hostname,SLG_LOCK,ue->ue_logfails,ue);
+           loglogin(sane_host,SLG_LOCK,ue->ue_logfails,ue);
            error("Permission denied.\n");
            exit(1);
        }
@@ -868,13 +911,13 @@ void doit(f, fromp)
     if (port) {
        /* Place entry into wtmp */
        sprintf(ttyn,"krsh%1d",getpid());
-       pty_logwtmp(ttyn,locuser,hostname);
+       pty_logwtmp(ttyn,locuser,sane_host);
     }
     /*      We are simply execing a program over rshd : log entry into wtmp,
            as kexe(pid), then finish out the session right after that.
            Syslog should have the information as to what was exec'd */
     else {
-       pty_logwtmp(ttyn,locuser,hostname);
+       pty_logwtmp(ttyn,locuser,sane_host);
     }
     
 #ifdef CRAY
@@ -887,7 +930,7 @@ void doit(f, fromp)
        if (getusrv(&usrv)){
            syslog(LOG_ERR,"Cannot getusrv");
            error("Permission denied.\n");
-           loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue);
+           loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue);
            goto signout_please;
        }
        /*
@@ -896,12 +939,12 @@ void doit(f, fromp)
        if((ue->ue_valcat & TFM_TRUSTED) ||
           (sysv.sy_oldtfm &&
            ((ue->ue_comparts & TRUSTED_SUBJECT) == TRUSTED_SUBJECT))) {
-           loglogin(hostname, SLG_TRSUB, ue->ue_logfails,ue);
+           loglogin(sane_host, SLG_TRSUB, ue->ue_logfails,ue);
            error("Permission denied.\n");
            goto signout_please;
        }
        
-       loglogin(hostname, SLG_OKLOG, ue->ue_logfails,ue);
+       loglogin(sane_host, SLG_OKLOG, ue->ue_logfails,ue);
        
        /*      Setup usrv structure with user udb info and 
                packet_level and packet_compart. */
@@ -986,7 +1029,7 @@ void doit(f, fromp)
            }
        }
        if (nal_error) {
-           loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue);
+           loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue);
            error("Permission denied.\n");
            goto signout_please;
        }
@@ -996,7 +1039,7 @@ void doit(f, fromp)
        sethost(paddr);
        
        if (setusrv(&usrv) == -1) {
-           loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue);
+           loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue);
            error("Permission denied.\n");
            goto signout_please;
        }
@@ -1023,8 +1066,8 @@ void doit(f, fromp)
            /* kuserok returns 0 if OK */
            if (kuserok(v4_kdata, locuser)){
                syslog(LOG_ERR ,
-                      "Principal %s (%s@%s) for local user %s failed kuserok.\n",
-                      kremuser, remuser, hostname, locuser);
+                      "Principal %s (%s@%s (%s)) for local user %s failed kuserok.\n",
+                      kremuser, remuser, hostaddra, hostname, locuser);
                }
            else auth_sent |= AUTH_KRB4;
        } else
@@ -1033,8 +1076,8 @@ void doit(f, fromp)
            /* krb5_kuserok returns 1 if OK */
            if (!krb5_kuserok(bsd_context, client, locuser)){
                syslog(LOG_ERR ,
-                      "Principal %s (%s@%s) for local user %s failed krb5_kuserok.\n",
-                      kremuser, remuser, hostname, locuser);
+                      "Principal %s (%s@%s (%s)) for local user %s failed krb5_kuserok.\n",
+                      kremuser, remuser, hostaddra, hostname, locuser);
            }
            else
                auth_sent |=
@@ -1044,7 +1087,8 @@ void doit(f, fromp)
        
 #else
     if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
-       ruserok(hostname, pwd->pw_uid == 0, remuser, locuser) < 0) {
+       ruserok(hostname[0] ? hostname : hostaddra,
+               pwd->pw_uid == 0, remuser, locuser) < 0) {
        error("Permission denied.\n");
        goto signout_please;
     }
@@ -1082,11 +1126,11 @@ void doit(f, fromp)
     pwd = (struct passwd *) getpwnam(locuser);
     if (pwd && (pwd->pw_uid == 0)) {
 #ifdef LOG_CMD
-       syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s) as ROOT", 
-              cmdbuf, kremuser, remuser, hostname);
+       syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as ROOT", 
+              cmdbuf, kremuser, remuser, hostaddra, hostname);
 #else
-       syslog(LOG_NOTICE ,"Access as ROOT by principal %s (%s@%s)",
-              kremuser, remuser, hostname);
+       syslog(LOG_NOTICE ,"Access as ROOT by principal %s (%s@%s (%s))",
+              kremuser, remuser, hostaddra, hostname);
 #endif
     }
 #if defined(KERBEROS) && defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS)
@@ -1106,11 +1150,11 @@ void doit(f, fromp)
 #if defined(LOG_REMOTE_REALM) || defined(LOG_OTHER_USERS) || defined(LOG_ALL_LOGINS)
       {
 #ifdef LOG_CMD
-         syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s) as local user %s", 
-                cmdbuf, kremuser, remuser, hostname, locuser);
+         syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as local user %s", 
+                cmdbuf, kremuser, remuser, hostaddra, hostname, locuser);
 #else
-         syslog(LOG_NOTICE ,"Access as %s by principal %s (%s@%s)",
-                locuser, kremuser, remuser, hostname);
+         syslog(LOG_NOTICE ,"Access as %s by principal %s (%s@%s (%s))",
+                locuser, kremuser, remuser, hostaddra, hostname);
 #endif
       }
 #endif

diff --git a/src/appl/bsd/kshd.M b/src/appl/bsd/kshd.M
index df95c4db9721274032f954a9fbe679b6640b72a8..43d0f7c81abe161b8ca21ee80e2e902ddc020f6f 100644 (file)
--- a/src/appl/bsd/kshd.M
+++ b/src/appl/bsd/kshd.M
@@ -114,6 +114,20 @@ Don't allocate a reserved port for the stderr connection.
 .IP \fB\-P\ path\fP
 Use the argument to find the Kerberos binaries.  Normally a compiled
 in argument is used.
+
+.TP
+\fB\-w \fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]
+Controls the form of the remote hostname passed to login(1).
+Specifying \fBip\fP results in the numeric IP address always being
+passed to login(1).  Specifying a number, \fImaxhostlen\fP, sets the
+maximum length of the hostname passed to login(1) before it will be
+passed as a numeric IP address.  If \fImaxhostlen\fP is 0, then the
+system default, as determined by the utmp or utmpx structures, is
+used.  The \fBnostriplocal\fP and \fBstriplocal\fP options, which must
+be preceded by a comma, control whether or not the local host domain
+is stripped from the remote hostname.  By default, the equivalent of
+\fBstriplocal\fP is in effect.
+
 .SH DIAGNOSTICS
 Except for the last one listed below,
 all diagnostic messages