+Wed Apr 17 13:46:57 1996 Theodore Y. Ts'o <tytso@mit.edu>
+
+ * configure.in (LOGINLIBS): Remove DECLARE_SYS_ERRLIST since it's
+ no longer necessary.
+
+ * krcp.c (verifydir, allocbuf, rsource, source, sink): Don't use
+ sys_errlist[]; just call error_message() instead, since we
+ depend on com_err anyway.
+
+ * krshd.c (recvauth):
+ * krlogind.c (recvauth): Don't actually check the checksum unless
+ it is required. Old (pre-beta 5) clients sent a checksum
+ of random garbage (such as their pid) which is impossible to
+ actually check on the server side. (Grad student stupidity
+ strikes again.)
+ (fatalperror): Don't use sys_errlist[] to get the right
+ error message; just depend on com_err instead, since we're
+ using it anyway.
+
+ * krshd.c (doit):
+ * krlogind.c (do_krb_login): Fix logic so that if checksums are
+ required, and the checksum is valid, don't syslog the
+ stupid warning message about "Checksums are only required
+ for v5 clients...."
+
+ * krcp.c, krshd.c, krlogind.c: Miscellaneous -Wall cleanups
+
+ * krlogind.c (getpty): Removed dead code.
+
Tue Apr 16 11:33:33 1996 Sam Hartman <hartmans@mit.edu>
- * krlogind.c kshd.c (main): Drop support for handling options in rlogind's name.
+ * krlogind.c kshd.c (main): Drop support for handling options in
+ rlogind's name.
Sun Apr 14 03:41:49 1996 Sam Hartman <hartmans@zygorthian-space-raiders.MIT.EDU>
AC_CHECK_HEADERS(sys/ptyvar.h utmp.h utmpx.h sys/time.h)
AC_HEADER_STDARG
AC_REPLACE_FUNCS(getdtablesize)
-DECLARE_SYS_ERRLIST
KRB5_SIGTYPE
CHECK_SIGNALS
CHECK_SETJMP
* rcp
*/
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
char *strsave();
#endif
int des_write(), des_read();
-void answer_auth();
+void usage(), sink(), source(), rsource(), verifydir(), answer_auth();
+int response(), hosteq(), okname(), susystem();
int encryptflag = 0;
#ifndef UCB_RCP
char *colon();
int errs;
krb5_sigtype lostconn();
-#ifdef NEED_SYS_ERRLIST
-extern char *sys_errlist[];
-#endif
int iamremote, targetshouldbedirectory;
int iamrecursive;
int pflag;
#define NULLBUF (struct buffer *) 0
#ifdef HAVE_STDARG_H
-int error KRB5_STDARG_P((char *fmt, ...));
+void error KRB5_STDARG_P((char *fmt, ...));
#else
/*VARARGS*/
-int error KRB5_STDARG_P((char *, va_list));
+void error KRB5_STDARG_P((char *, va_list));
#endif
#define ga() (void) des_write(rem, "", 1)
-
-main(argc, argv)
+int main(argc, argv)
int argc;
char **argv;
{
session_key = &cred->keyblock;
krb5_use_enctype(bsd_context, &eblock, session_key->enctype);
- if ( status = krb5_process_key(bsd_context, &eblock,
- session_key)){
+ if ((status = krb5_process_key(bsd_context, &eblock, session_key))) {
fprintf(stderr, "rcp: send_auth failed krb5_process_key: %s\n",
error_message(status));
exit(1);
session_key = &cred->keyblock;
krb5_use_enctype(bsd_context, &eblock, session_key->enctype);
- if ( status = krb5_process_key(bsd_context, &eblock,
- session_key)){
+ if ((status = krb5_process_key(bsd_context, &eblock, session_key))) {
fprintf(stderr, "rcp: send_auth failed krb5_process_key: %s\n",
error_message(status));
exit(1);
-verifydir(cp)
+void verifydir(cp)
char *cp;
{
struct stat stb;
return;
errno = ENOTDIR;
}
- error("rcp: %s: %s.\n", cp, sys_errlist[errno]);
+ error("rcp: %s: %s.\n", cp, error_message(errno));
exit(1);
}
-okname(cp0)
+int okname(cp0)
char *cp0;
{
register char *cp = cp0;
-susystem(s)
+int susystem(s)
char *s;
{
int status;
return (status);
}
-
-
-source(argc, argv)
+void source(argc, argv)
int argc;
char **argv;
{
for (x = 0; x < argc; x++) {
name = argv[x];
if ((f = open(name, 0)) < 0) {
- error("rcp: %s: %s\n", name, sys_errlist[errno]);
+ error("rcp: %s: %s\n", name, error_message(errno));
continue;
}
if (fstat(f, &stb) < 0)
if (readerr == 0)
ga();
else
- error("rcp: %s: %s\n", name, sys_errlist[readerr]);
+ error("rcp: %s: %s\n", name, error_message(readerr));
(void) response();
}
}
#include <dirent.h>
#endif
-rsource(name, statp)
+void rsource(name, statp)
char *name;
struct stat *statp;
{
char *bufv[1];
if (d == 0) {
- error("rcp: %s: %s\n", name, sys_errlist[errno]);
+ error("rcp: %s: %s\n", name, error_message(errno));
return;
}
last = strrchr(name, '/');
-response()
+int response()
{
char resp, c, rbuf[RCP_BUFSIZ], *cp = rbuf;
if (des_read(rem, &resp, 1) != 1)
* set the microsecond values; we don't want to take away
* functionality unnecessarily.
*/
-utimes(file, tvp)
+int utimes(file, tvp)
const char *file;
struct timeval *tvp;
{
#endif
-sink(argc, argv)
+void sink(argc, argv)
int argc;
char **argv;
{
setimes = 0;
if (utimes(nambuf, tv) < 0)
error("rcp: can't set times on %s: %s\n",
- nambuf, sys_errlist[errno]);
+ nambuf, error_message(errno));
}
continue;
}
if ((of = open(nambuf, O_WRONLY|O_CREAT, mode)) < 0) {
bad:
- error("rcp: %s: %s\n", nambuf, sys_errlist[errno]);
+ error("rcp: %s: %s\n", nambuf, error_message(errno));
continue;
}
if (exists && pflag) {
if (j == 0)
error("rcp: dropped connection");
else
- error("rcp: %s\n",
- sys_errlist[errno]);
+ error("rcp: %s\n", error_message(errno));
exit(1);
}
amt -= j;
write(of, bp->buf, count) != count)
wrerr++;
if (ftruncate(of, size))
- error("rcp: can't truncate %s: %s\n",
- nambuf, sys_errlist[errno]);
+ error("rcp: can't truncate %s: %s\n", nambuf, error_message(errno));
(void) close(of);
(void) response();
if (setimes) {
setimes = 0;
if (utimes(nambuf, tv) < 0)
error("rcp: can't set times on %s: %s\n",
- nambuf, sys_errlist[errno]);
+ nambuf, error_message(errno));
}
if (wrerr)
- error("rcp: %s: %s\n", nambuf, sys_errlist[errno]);
+ error("rcp: %s: %s\n", nambuf, error_message(errno));
else
ga();
}
int size;
if (fstat(fd, &stb) < 0) {
- error("rcp: fstat: %s\n", sys_errlist[errno]);
+ error("rcp: fstat: %s\n", error_message(errno));
return (NULLBUF);
}
#ifdef NOROUNDUP
-int
+void
#ifdef HAVE_STDARG_H
error(char *fmt, ...)
#else
-usage()
+void usage()
{
#ifdef KERBEROS
fprintf(stderr,
-hosteq(h1, h2)
+int hosteq(h1, h2)
char *h1, *h2;
{
struct hostent *h_ptr;
const char * filenames[2];
filenames[1] = NULL;
filenames[0] = config_file;
- if (status = krb5_set_config_files(bsd_context, filenames))
+ if ((status = krb5_set_config_files(bsd_context, filenames)))
exit(1);
}
memset ((char*)&creds, 0, sizeof(creds));
- if (status = krb5_read_message(bsd_context, (krb5_pointer)&rem,
- &pname_data))
+ if ((status = krb5_read_message(bsd_context, (krb5_pointer)&rem,
+ &pname_data)))
exit(1);
- if (status = krb5_read_message(bsd_context, (krb5_pointer) &rem,
- &creds.second_ticket))
+ if ((status = krb5_read_message(bsd_context, (krb5_pointer) &rem,
+ &creds.second_ticket)))
exit(1);
if (ccache_file == NULL) {
- if (status = krb5_cc_default(bsd_context, &cc))
+ if ((status = krb5_cc_default(bsd_context, &cc)))
exit(1);
} else {
- if (status = krb5_cc_resolve(bsd_context, ccache_file, &cc))
+ if ((status = krb5_cc_resolve(bsd_context, ccache_file, &cc)))
exit(1);
}
- if (status = krb5_cc_get_principal(bsd_context, cc, &creds.client))
+ if ((status = krb5_cc_get_principal(bsd_context, cc, &creds.client)))
exit(1);
- if (status = krb5_parse_name(bsd_context, pname_data.data, &creds.server))
+ if ((status = krb5_parse_name(bsd_context, pname_data.data,
+ &creds.server)) )
exit(1);
krb5_xfree(pname_data.data);
- if (status = krb5_get_credentials(bsd_context, KRB5_GC_USER_USER, cc,
- &creds, &new_creds))
+ if ((status = krb5_get_credentials(bsd_context, KRB5_GC_USER_USER, cc,
+ &creds, &new_creds)))
exit(1);
- if (status = krb5_mk_req_extended(bsd_context, &auth_context,
- AP_OPTS_USE_SESSION_KEY,
- NULL, new_creds, &msg))
+ if ((status = krb5_mk_req_extended(bsd_context, &auth_context,
+ AP_OPTS_USE_SESSION_KEY,
+ NULL, new_creds, &msg)))
exit(1);
- if (status = krb5_write_message(bsd_context, (krb5_pointer) &rem, &msg)) {
+ if ((status = krb5_write_message(bsd_context, (krb5_pointer) &rem,
+ &msg))) {
krb5_xfree(msg.data);
exit(1);
}
/* OK process key */
krb5_use_enctype(bsd_context, &eblock, session_key->enctype);
- if (status = krb5_process_key(bsd_context, &eblock, session_key))
+ if ((status = krb5_process_key(bsd_context, &eblock, session_key)))
exit(1);
return;
return(krb5_net_write(bsd_context, fd, buf, len));
desoutbuf.length = krb5_encrypt_size(len,eblock.crypto_entry);
- if (desoutbuf.length > sizeof(des_outbuf)){
+ if (desoutbuf.length > (int) sizeof(des_outbuf)){
return(-1);
}
if (( krb5_encrypt(bsd_context, (krb5_pointer)buf,
#define VHANG_LAST /* vhangup must occur on close, not open */
#endif
-void fatal(), fatalperror(), doit(), usage(), do_krb_login();
+void fatal(), fatalperror(), doit(), usage(), do_krb_login(), getstr();
+void protocol();
int princ_maps_to_lname(), default_realm();
krb5_sigtype cleanup();
+krb5_error_code recvauth();
/* There are two authentication related masks:
* auth_ok and auth_sent.
int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
int checksum_required = 0;
-main(argc, argv)
+int main(argc, argv)
int argc;
char **argv;
{
int debug_port = 0;
int fd;
#ifdef KERBEROS
-int valid_checksum;
krb5_error_code status;
#endif
break;
#endif
case 'S':
- if (status = krb5_kt_resolve(bsd_context, optarg, &keytab)) {
+ if ((status = krb5_kt_resolve(bsd_context, optarg, &keytab))) {
com_err(progname, status, "while resolving srvtab file %s",
optarg);
exit(2);
}
doit(fd, &from);
+ return 0;
}
int f;
struct sockaddr_in *fromp;
{
- int i, p, t, vfd, on = 1;
+ int p, t, on = 1;
register struct hostent *hp;
char c;
char buferror[255];
#endif
write(f, "", 1);
- if (retval = pty_getpty(&p,line, sizeof(line))) {
+ if ((retval = pty_getpty(&p,line, sizeof(line)))) {
com_err(progname, retval, "while getting master pty");
exit(2);
}
(void) ioctl(p, TIOCSWINSZ, &win);
#endif
-
-
-
-
#ifdef POSIX_SIGNALS
sa.sa_handler = cleanup;
(void) sigaction(SIGCHLD, &sa, (struct sigaction *)0);
#else
struct sgttyb b;
#endif /* POSIX_TERMIOS */
- if ( retval = pty_open_slave(line, &t)) {
+ if ((retval = pty_open_slave(line, &t))) {
fatal(f, error_message(retval));
exit(1);
}
dup2(t, 0), dup2(t, 1), dup2(t, 2);
if (t > 2)
close(t);
-
#if defined(sysvimp)
setcompat (COMPAT_CLRPGROUP | (getcompat() & ~COMPAT_BSDTTY));
(void) write(p, lusername, strlen(lusername) +1);
#endif
/* stuff term info down to login */
- if( write(p, term, strlen(term)+1) != strlen(term)+1 ){
+ if ((write(p, term, strlen(term)+1) != (int) strlen(term)+1)) {
/*
* Problems write failed ...
*/
* in the data stream. For now, we are only willing to handle
* window size changes.
*/
-control(pty, cp, n)
+int control(pty, cp, n)
int pty;
unsigned char *cp;
int n;
struct winsize w;
int pgrp;
- if (n < 4+sizeof (w) || cp[2] != 's' || cp[3] != 's')
+ if (n < (int) 4+sizeof (w) || cp[2] != 's' || cp[3] != 's')
return (0);
#ifdef TIOCSWINSZ
oobdata[0] &= ~TIOCPKT_WINDOW; /* we know he heard */
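Review bot: The cast added in `n < (int) 4+sizeof (w)` binds only to the literal 4, so the right-hand side is still a size_t and `n` is still converted to unsigned for the comparison. A negative `n` would therefore compare as a very large value and get past the length check. Parenthesise the whole bound so the comparison is done in signed arithmetic: `if (n < (int)(4 + sizeof(w)) || cp[2] != 's' || cp[3] != 's')`. The body of control() continues outside the hunk, and whether a caller can pass a negative count is not visible here.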
/*
* rlogin "protocol" machine.
*/
-protocol(f, p)
+void protocol(f, p)
int f, p;
{
unsigned char pibuf[1024], fibuf[1024], *pbp, *fbp;
char *msg;
{
char buf[512];
-#ifdef NEED_SYS_ERRLIST
- extern int sys_nerr;
- extern char *sys_errlist[];
-#endif
- if ((unsigned)errno < sys_nerr)
- (void) sprintf(buf, "%s: %s", msg, sys_errlist[errno]);
- else
- (void) sprintf(buf, "%s: Error %d", msg, errno);
+
+ (void) sprintf(buf, "%s: %s", msg, error_message(errno));
fatal(f, buf);
}
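Review bot: The replacement line `sprintf(buf, "%s: %s", msg, error_message(errno))` still writes into the 512-byte `buf` with no length limit, so a long `msg` or error string overruns the stack buffer before `fatal()` is called. Bounding each conversion keeps the result inside the buffer without depending on snprintf being available: `(void) sprintf(buf, "%.400s: %.100s", msg, error_message(errno));`. The function's signature and the callers that supply `msg` are outside the hunk, so how long the string can get in practice is unconfirmed.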
krb5_error_code status;
struct passwd *pwd;
char *msg_fail = NULL;
-int valid_checksum;
-
-
+ int valid_checksum;
if (getuid()) {
exit(1);
/* Check authentication. This can be either Kerberos V5, */
/* Kerberos V4, or host-based. */
- if (status = recvauth(&valid_checksum)) {
+ if ((status = recvauth(&valid_checksum))) {
if (ticket)
krb5_free_ticket(bsd_context, ticket);
if (status != 255)
}
}
- if (checksum_required) {
- if ((auth_sent&AUTH_KRB5)&&(!valid_checksum)) {
+ if (checksum_required && !valid_checksum) {
+ if (auth_sent & AUTH_KRB5) {
syslog(LOG_WARNING, "Client did not supply required checksum.");
fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
- }
- else {
+ } else {
syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
}
}
-getstr(fd, buf, cnt, err)
+void getstr(fd, buf, cnt, err)
int fd;
char *buf;
int cnt;
int nreturned = 0;
krb5_ui_4 net_len,rd_len;
int cc,retry;
+#if 0
unsigned char len_buf[4];
+#endif
if (!do_encrypt)
return(read(fd, buf, len));
}
#endif
net_len = krb5_encrypt_size(rd_len,eblock.crypto_entry);
- if (net_len < 0 || net_len > sizeof(des_inbuf)) {
+ /* note net_len is unsigned */
+ if (net_len > sizeof(des_inbuf)) {
/* XXX preposterous length, probably out of sync.
act as if pipe closed */
syslog(LOG_ERR,"Read size problem.");
}
#endif /* KERBEROS */
-
-
-getpty(fd,slave)
- int *fd;
- char *slave;
-{
- char c;
- char *p;
- int i,ptynum;
- struct stat stb;
-
-#ifdef HAVE_OPENPTY
- int slavefd;
-
- if(openpty(fd, &slavefd, slave, (struct termios *) 0,
- (struct winsize *) 0)) return 1;
- return 0;
-#else
-
- *fd = open("/dev/ptmx", O_RDWR|O_NDELAY); /* Solaris, IRIX */
- if (*fd < 0) *fd = open("/dev/ptc", O_RDWR|O_NDELAY); /* AIX */
- if (*fd < 0) *fd = open("/dev/pty", O_RDWR|O_NDELAY); /* sysvimp */
-
- if (*fd >= 0) {
-
-#ifdef HAVE_GRANTPT
- if (grantpt(*fd) || unlockpt(*fd)) return 1;
-#endif
-
-#ifdef HAVE_PTSNAME
- p = ptsname(*fd);
-#else
-#ifdef HAVE_TTYNAME
- p = ttyname(*fd);
-#else
- /* XXX If we don't have either what do we do */
-#endif
-#endif
- if (p) {
- strcpy(slave, p);
- return 0;
- }
-
- if (fstat(*fd, &stb) < 0) {
- close(*fd);
- return 1;
- }
- ptynum = (int)(stb.st_rdev&0xFF);
- sprintf(slave, "/dev/ttyp%x", ptynum);
- return 0;
-
- } else {
-
- for (c = 'p'; c <= 's'; c++) {
- sprintf(slave,"/dev/ptyXX");
- slave[strlen("/dev/pty")] = c;
- slave[strlen("/dev/ptyp")] = '0';
- if (stat(slave, &stb) < 0)
- break;
- for (i = 0; i < 16; i++) {
- slave[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
- *fd = open(slave, O_RDWR);
- if (*fd < 0) continue;
-
- /* got pty */
- slave[strlen("/dev/")] = 't';
- return 0;
- }
- }
- return 1;
- }
-#endif /* HAVE_OPENPTY */
-}
-
-
-
void usage()
{
#ifdef KERBEROS
realm_length = krb5_princ_realm(bsd_context, principal)->length;
- if (retval = krb5_get_default_realm(bsd_context, &def_realm)) {
+ if ((retval = krb5_get_default_realm(bsd_context, &def_realm))) {
return 0;
}
krb5_auth_context auth_context = NULL;
krb5_error_code status;
struct sockaddr_in peersin, laddr;
- char krb_vers[KRB_SENDAUTH_VLEN + 1];
int len;
krb5_data inbuf;
char v4_instance[INST_SZ]; /* V4 Instance */
char v4_version[9];
krb5_authenticator *authenticator;
-*valid_checksum = 0;
+
+ *valid_checksum = 0;
len = sizeof(laddr);
if (getsockname(netf, (struct sockaddr *)&laddr, &len)) {
exit(1);
strcpy(v4_instance, "*");
- if (status = krb5_auth_con_init(bsd_context, &auth_context))
+ if ((status = krb5_auth_con_init(bsd_context, &auth_context)))
return status;
/* Only need remote address for rd_cred() to verify client */
- if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
- KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR))
+ if ((status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)))
return status;
- if (status = krb5_compat_recvauth(bsd_context, &auth_context, &netf,
+ if ((status = krb5_compat_recvauth(bsd_context, &auth_context, &netf,
"KCMDV0.1",
NULL, /* Specify daemon principal */
0, /* no flags */
&ticket, /* return ticket */
&auth_sys, /* which authentication system*/
- &v4_kdata, v4_schedule, v4_version)) {
+ &v4_kdata, v4_schedule, v4_version))) {
if (auth_sys == KRB5_RECVAUTH_V5) {
/*
getstr(netf, lusername, sizeof (lusername), "locuser");
getstr(netf, term, sizeof(term), "Terminal type");
- if (auth_sys == KRB5_RECVAUTH_V5) {
+ if ((auth_sys == KRB5_RECVAUTH_V5) && checksum_required) {
- if(status = krb5_auth_con_getauthenticator(bsd_context, auth_context, &authenticator))
+ if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context,
+ &authenticator)))
return status;
if (authenticator->checksum) {
int adr_length = sizeof(adr);
char * chksumbuf = (char *) malloc(strlen(term)+strlen(lusername)+32);
if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0)
- return errno;
+ goto error_cleanup;
if (chksumbuf == 0)
- goto error_cleanup;
+ goto error_cleanup;
sprintf(chksumbuf,"%u:", ntohs(adr.sin_port));
strcat(chksumbuf,term);
strcat(chksumbuf,lusername);
- if ( status = krb5_verify_checksum(bsd_context,
- authenticator->checksum->checksum_type,
- authenticator->checksum,
- chksumbuf, strlen(chksumbuf),
- ticket->enc_part2->session->contents,
- ticket->enc_part2->session->length))
- goto error_cleanup;
-
- error_cleanup:
- krb5_xfree(chksumbuf);
+ status = krb5_verify_checksum(bsd_context,
+ authenticator->checksum->checksum_type,
+ authenticator->checksum,
+ chksumbuf, strlen(chksumbuf),
+ ticket->enc_part2->session->contents,
+ ticket->enc_part2->session->length);
+ error_cleanup:
+ if (chksumbuf)
+ krb5_xfree(chksumbuf);
if (status) {
krb5_free_authenticator(bsd_context, authenticator);
return status;
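Review bot: Both `goto error_cleanup` paths ahead of the verify call (the getsockname() failure and `chksumbuf == 0`) are taken while `status` is still 0 from the successful krb5_auth_con_getauthenticator() call, so `if (status)` does not fire and the function carries on as though verification had succeeded. The same pattern is in the krshd.c recvauth hunk, where the fall-through visibly reaches `*valid_checksum = 1;`. Here the line after the cleanup block is outside the hunk, so the same outcome is presumed rather than shown. Set an error before jumping, for example `status = errno;` ahead of the getsockname() goto and `status = ENOMEM;` ahead of the allocation-failure goto, so that a required checksum which could not be computed is rejected rather than accepted.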
/* Must be V5 */
- if (status = krb5_copy_principal(bsd_context, ticket->enc_part2->client,
- &client))
+ if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client,
+ &client)))
return status;
des_read = v5_des_read;
getstr(netf, rusername, sizeof(rusername), "remuser");
- if (status = krb5_unparse_name(bsd_context, client, &krusername))
+ if ((status = krb5_unparse_name(bsd_context, client, &krusername)))
return status;
/* Setup up eblock if encrypted login session */
if (do_encrypt) {
krb5_use_enctype(bsd_context, &eblock,
ticket->enc_part2->session->enctype);
- if (status = krb5_process_key(bsd_context, &eblock,
- ticket->enc_part2->session))
+ if ((status = krb5_process_key(bsd_context, &eblock,
+ ticket->enc_part2->session)))
fatal(netf, "Permission denied");
}
- if (status = krb5_read_message(bsd_context, (krb5_pointer)&netf, &inbuf))
+ if ((status = krb5_read_message(bsd_context, (krb5_pointer)&netf, &inbuf)))
fatal(netf, "Error reading message");
if ((inbuf.length) && /* Forwarding being done, read creds */
int nreturned = 0;
krb5_ui_4 net_len, rd_len;
int cc;
+#if 0
unsigned char len_buf[4];
+#endif
if (!do_encrypt)
return(read(fd, buf, len));
}
#endif
- if (net_len < 0 || net_len > sizeof(des_inbuf)) {
+ /* Note: net_len is unsigned */
+ if (net_len > sizeof(des_inbuf)) {
/* XXX preposterous length, probably out of sync.
act as if pipe closed */
return(0);
extern
#endif /* CRAY */
-
/*VARARGS1*/
-int error();
+void error();
+void usage(), getstr(), doit();
#ifdef __SCO__
/* sco has getgroups and setgroups but no initgroups */
#endif
-main(argc, argv)
+int main(argc, argv)
int argc;
char **argv;
{
break;
case 'S':
- if (status = krb5_kt_resolve(bsd_context, optarg, &keytab)) {
- com_err(progname, status, "while resolving srvtab file %s",
- optarg);
- exit(2);
+ if ((status = krb5_kt_resolve(bsd_context, optarg, &keytab))) {
+ com_err(progname, status, "while resolving srvtab file %s",
+ optarg);
+ exit(2);
}
break;
syslog(LOG_WARNING , "setsockopt (SO_LINGER): %m");
#endif
doit(dup(fd), &from);
+ return 0;
}
#ifdef CRAY
#define KRB5_RECVAUTH_V4 4
#define KRB5_RECVAUTH_V5 5
-doit(f, fromp)
+void doit(f, fromp)
int f;
struct sockaddr_in *fromp;
{
char *cp;
-
#ifdef KERBEROS
krb5_error_code status;
#endif
-
-int valid_checksum;
- int tmpint;
-
- int ioctlval, cnt;
- char *salt, *ttynm, *tty;
+ int valid_checksum;
+ int cnt;
register char *p;
char *crypt();
struct passwd *pwd;
char *path;
-
#ifdef CRAY
#ifndef NO_UDB
struct udb *ue;
int pv[2], pw[2], px[2], cc;
fd_set ready, readfrom;
char buf[RSHD_BUFSIZ], sig;
- int one = 1;
krb5_sigtype cleanup();
- int fd;
struct sockaddr_in fromaddr;
int non_privileged = 0;
#ifdef POSIX_SIGNALS
}
#ifdef KERBEROS
- if (status = recvauth(f, fromaddr,&valid_checksum)) {
+ if ((status = recvauth(f, fromaddr,&valid_checksum))) {
error("Authentication failed: %s\n", error_message(status));
exit(1);
}
if (ue->ue_minlvl > 0)
nal_error++;
/*
- /*
- * Address not in NAL, if EXEMPT_NAL is not
- * true, then even an unclassified user is
- * not allowed.
- */
- if (!EXEMPT_NAL)
+ * Address not in NAL, if EXEMPT_NAL is not
+ * true, then even an unclassified user is
+ * not allowed.
+ */
+ if (!EXEMPT_NAL)
nal_error++;
- else {
- usrv.sv_minlvl = 0;
- usrv.sv_maxlvl = 0;
- usrv.sv_valcmp = 0;
- usrv.sv_actcmp = 0;
- usrv.sv_actlvl = 0;
- }
+ else {
+ usrv.sv_minlvl = 0;
+ usrv.sv_maxlvl = 0;
+ usrv.sv_valcmp = 0;
+ usrv.sv_actcmp = 0;
+ usrv.sv_actlvl = 0;
+ }
}
if (nal_error) {
loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue);
kremuser, remuser, hostname, locuser);
}
else auth_sent |= AUTH_KRB4;
- }else
+ } else
#endif
- {
+ {
/* krb5_kuserok returns 1 if OK */
if (!krb5_kuserok(bsd_context, client, locuser)){
syslog(LOG_ERR ,
"Principal %s (%s@%s) for local user %s failed krb5_kuserok.\n",
kremuser, remuser, hostname, locuser);
}
-else auth_sent |= AUTH_KRB5;
+ else auth_sent |= AUTH_KRB5;
}
if (auth_ok&AUTH_RHOSTS) {
/* Cannot check .rhosts unless connection from privileged port */
if (!non_privileged) {
- if (ruserok(hostname, pwd->pw_uid == 0,
- remuser, locuser) < 0) {
- syslog(LOG_ERR ,
- "Principal %s (%s@%s) for local user %s failed ruserok.\n",
- kremuser, remuser, hostname, locuser);
-
-
+ if (ruserok(hostname, pwd->pw_uid == 0,
+ remuser, locuser) < 0) {
+ syslog(LOG_ERR ,
+ "Principal %s (%s@%s) for local user %s failed ruserok.\n",
+ kremuser, remuser, hostname, locuser);
+ } else auth_sent |=AUTH_RHOSTS;
}
- else auth_sent |=AUTH_RHOSTS;
- }
-}
+ }
#else
if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
ruserok(hostname, pwd->pw_uid == 0, remuser, locuser) < 0) {
#endif /* KERBEROS */
-if (checksum_required) {
- if ((auth_sent&AUTH_KRB5)&&(!valid_checksum)) {
- syslog(LOG_WARNING, "Client did not supply required checksum.");
-
- error( "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
-goto signout_please;
- }
-else {
- syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
- }
- }
-if (require_encrypt&&(!do_encrypt)) {
- error("You must use encryption.");
- goto signout_please;
-}
+ if (checksum_required && !valid_checksum) {
+ if (auth_sent & AUTH_KRB5) {
+ syslog(LOG_WARNING, "Client did not supply required checksum.");
+ error( "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
+ goto signout_please;
+ } else {
+ syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
+ }
+ }
+ if (require_encrypt&&(!do_encrypt)) {
+ error("You must use encryption.");
+ goto signout_please;
+ }
if (!(auth_ok&auth_sent)) {
error("Permission denied.");
goto signout_please;
/*VARARGS1*/
-error(fmt, a1, a2, a3)
+void error(fmt, a1, a2, a3)
char *fmt;
char *a1, *a2, *a3;
{
}
-
-getstr(fd, buf, cnt, err)
- char *buf;
- int cnt;
- char *err;
+void getstr(fd, buf, cnt, err)
+ int fd;
+ char *buf;
+ int cnt;
+ char *err;
{
char c;
-usage()
+void usage()
{
#ifdef KERBEROS
syslog(LOG_ERR, "usage: kshd [-rRkK] or [r/R][k/K]shd");
realm_length = krb5_princ_realm(bsd_context, principal)->length;
- if (retval = krb5_get_default_realm(bsd_context, &def_realm)) {
+ if ((retval = krb5_get_default_realm(bsd_context, &def_realm))) {
return 0;
}
getstr(netf, remuser, sizeof(locuser), "remuser");
- if (status = krb5_unparse_name(bsd_context, ticket->enc_part2->client,
- &kremuser))
+ if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client,
+ &kremuser)))
return status;
- if (status = krb5_copy_principal(bsd_context, ticket->enc_part2->client,
- &client))
+ if ((status = krb5_copy_principal(bsd_context, ticket->enc_part2->client,
+ &client)))
return status;
- if (status = krb5_auth_con_getauthenticator(bsd_context, auth_context, &authenticator))
+ if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context,
+ &authenticator)))
return status;
- if (authenticator->checksum) {
+ if (authenticator->checksum && checksum_required) {
struct sockaddr_in adr;
int adr_length = sizeof(adr);
- char * chksumbuf = (char *) malloc(strlen(cmdbuf)+strlen(locuser)+32);
+ char * chksumbuf = (char *) malloc(strlen(cmdbuf)+strlen(locuser)+32);
+
+ if (chksumbuf == 0)
+ goto error_cleanup;
if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0)
- return errno;
- if (chksumbuf == 0)
- goto error_cleanup;
-
- sprintf(chksumbuf,"%u:", ntohs(adr.sin_port));
- strcat(chksumbuf,cmdbuf);
- strcat(chksumbuf,locuser);
-
- if ( status = krb5_verify_checksum(bsd_context,
- authenticator->checksum->checksum_type,
- authenticator->checksum,
- chksumbuf, strlen(chksumbuf),
- ticket->enc_part2->session->contents,
- ticket->enc_part2->session->length))
- goto error_cleanup;
-
- error_cleanup:
-krb5_xfree(chksumbuf);
- if (status) {
- krb5_free_authenticator(bsd_context, authenticator);
- return status;
- }
+ goto error_cleanup;
+
+ sprintf(chksumbuf,"%u:", ntohs(adr.sin_port));
+ strcat(chksumbuf,cmdbuf);
+ strcat(chksumbuf,locuser);
+
+ status = krb5_verify_checksum(bsd_context,
+ authenticator->checksum->checksum_type,
+ authenticator->checksum,
+ chksumbuf, strlen(chksumbuf),
+ ticket->enc_part2->session->contents,
+ ticket->enc_part2->session->length);
+
+ error_cleanup:
+ if (chksumbuf)
+ krb5_xfree(chksumbuf);
+ if (status) {
+ krb5_free_authenticator(bsd_context, authenticator);
+ return status;
+ }
*valid_checksum = 1;
-}
+ }
krb5_free_authenticator(bsd_context, authenticator);
/* Setup eblock for encrypted sessions. */
krb5_use_enctype(bsd_context, &eblock, ticket->enc_part2->session->enctype);
- if (status = krb5_process_key(bsd_context, &eblock, ticket->enc_part2->session))
+ if ((status = krb5_process_key(bsd_context, &eblock,
+ ticket->enc_part2->session)))
fatal(netf, "Permission denied");
/* Null out the "session" because eblock.key references the session
* key here, and we do not want krb5_free_ticket() to destroy it. */
ticket->enc_part2->session = 0;
- if (status = krb5_read_message(bsd_context, (krb5_pointer)&netf, &inbuf)) {
+ if ((status = krb5_read_message(bsd_context, (krb5_pointer)&netf,
+ &inbuf))) {
error("Error reading message: %s\n", error_message(status));
exit(1);
}
if (inbuf.length) { /* Forwarding being done, read creds */
- if (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
- ticket, locuser, &ccache)) {
+ if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
+ ticket, locuser, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
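Review bot: The unchanged first line of this hunk, `getstr(netf, remuser, sizeof(locuser), "remuser");`, bounds the read into `remuser` with the size of a different buffer. The declarations are outside the hunk, so this is safe only if both are arrays of the same size. Assuming `remuser` is an array like `locuser`, `getstr(netf, remuser, sizeof(remuser), "remuser");` ties the bound to the destination and stays correct if either declaration changes later.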
(len_buf[2]<<8) |
len_buf[3]);
net_len = krb5_encrypt_size(rd_len, eblock.crypto_entry);
- if (net_len < 0 || net_len > sizeof(des_inbuf)) {
+ /* note: net_len is unsigned */
+ if (net_len > sizeof(des_inbuf)) {
/* XXX preposterous length, probably out of sync.
act as if pipe closed */
syslog(LOG_ERR,"Read size problem (rd_len=%d, net_len=%d)",
char *msg;
{
char buf[512];
+#ifndef POSIX_TERMIOS
int out = 1 ; /* Output queue of f */
+#endif
buf[0] = '\01'; /* error indicator */
(void) sprintf(buf + 1, "%s: %s.\r\n",progname, msg);