$(OUTPRE)main.$(OBJEXT) $(OUTPRE)radix.$(OBJEXT) \
$(OUTPRE)ruserpass.$(OBJEXT) $(OUTPRE)secure.$(OBJEXT)
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@
-
-#
-# We cannot have @KRB4_INCLUDES@ under Windows, since we do not use
-# configure, so we redefine LOCALINCLUDES not to have that.
-#
-
-##WIN32##LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
all-unix:: ftp
all-windows:: $(OUTPRE)ftp.exe
ftp: $(OBJS) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB4COMPAT_LIBS)
+ $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB5_BASE_LIBS)
$(OUTPRE)ftp.exe: $(OBJS) $(GLIB) $(KLIB)
link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib advapi32.lib $(SCLIB)
.B \-g
Disables file name globbing.
.TP
-\fB\-k\fP \fIrealm\fP
-When using Kerberos v4 authentication, gets tickets in
-.IR realm .
-.TP
.B \-f
Causes credentials to be forwarded to the remote host.
.TP
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <sys/socket.h>
#include <netdb.h>
-#endif
#include <sys/time.h>
#include <sys/file.h>
#ifdef HAVE_SYS_SELECT_H
#include <k5-platform.h>
-#ifdef KRB5_KRB4_COMPAT
-#include <krb.h>
-
-KTEXT_ST ticket;
-CREDENTIALS cred;
-Key_schedule schedule;
-MSG_DAT msg_data;
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
#include <gssapi/gssapi.h>
/* need to include the krb5 file, because we're doing manual fallback
int length;
if (auth_type && clevel != PROT_C) {
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0)
- if ((length = clevel == PROT_P ?
- krb_mk_priv((unsigned char *)cmd, (unsigned char *)out,
- strlen(cmd), schedule,
- &cred.session, &myctladdr, &hisctladdr)
- : krb_mk_safe((unsigned char *)cmd, (unsigned char *)out,
- strlen(cmd), &cred.session,
- &myctladdr, &hisctladdr)) == -1) {
- fprintf(stderr, "krb_mk_%s failed for KERBEROS_V4\n",
- clevel == PROT_P ? "priv" : "safe");
- return(0);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
/* secure_command (based on level) */
if (strcmp(auth_type, "GSSAPI") == 0) {
code, radix_error(kerror), obuf);
n = '5';
}
-#ifdef KRB5_KRB4_COMPAT
- else if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if (safe)
- kerror = krb_rd_safe((unsigned char *)ibuf,
- (unsigned int) len,
- &cred.session,
- &hisctladdr,
- &myctladdr, &msg_data);
- else
- kerror = krb_rd_priv((unsigned char *)ibuf,
- (unsigned int) len,
- schedule, &cred.session,
- &hisctladdr, &myctladdr,
- &msg_data);
- if (kerror != KSUCCESS) {
- printf("%d reply %s! (krb_rd_%s: %s)\n", code,
- safe ? "modified" : "garbled",
- safe ? "safe" : "priv",
- krb_get_err_text(kerror));
- n = '5';
- } else {
- if (debug) printf("%c:", safe ? 'S' : 'P');
- if(msg_data.app_length < sizeof(ibuf) - 2) {
- memmove(ibuf, msg_data.app_data,
- msg_data.app_length);
- memcpy(&ibuf[msg_data.app_length], "\r\n",
- 3);
- } else {
- printf("Message too long!");
- }
- continue;
- }
- }
-#endif
#ifdef GSSAPI
else if (strcmp(auth_type, "GSSAPI") == 0) {
gss_buffer_desc xmit_buf, msg_buf;
char *authtype;
int clvl;
int dlvl;
-#ifdef KRB5_KRB4_COMPAT
- C_Block session;
- Key_schedule schedule;
-#endif /* KRB5_KRB4_COMPAT */
} proxstruct, tmpstruct;
struct comvars *ip, *op;
clevel = PROT_C;
if (!dlevel)
dlevel = PROT_C;
-#ifdef KRB5_KRB4_COMPAT
- memcpy(ip->session, cred.session, sizeof(cred.session));
- memcpy(cred.session, op->session, sizeof(cred.session));
- memcpy(ip->schedule, schedule, sizeof(schedule));
- memcpy(schedule, op->schedule, sizeof(schedule));
-#endif /* KRB5_KRB4_COMPAT */
(void) signal(SIGINT, oldintr);
if (abrtflag) {
abrtflag = 0;
return(new);
}
-#ifdef KRB5_KRB4_COMPAT
-char realm[REALM_SZ + 1];
-#endif /* KRB5_KRB4_COMPAT */
-
#ifdef GSSAPI
static const struct {
gss_OID mech_type;
int do_auth()
{
int oldverbose = verbose;
-#ifdef KRB5_KRB4_COMPAT
- char *service, inst[INST_SZ];
- KRB4_32 cksum, checksum = getpid();
-#endif /* KRB5_KRB4_COMPAT */
-#if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI)
+#ifdef GSSAPI
u_char out_buf[FTP_BUFSIZ];
int i;
-#endif /* KRB5_KRB4_COMPAT */
+#endif /* GSSAPI */
if (auth_type) return(1); /* auth already succeeded */
}
}
#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- if (command("AUTH %s", "KERBEROS_V4") == CONTINUE) {
- if (verbose)
- printf("%s accepted as authentication type\n", "KERBEROS_V4");
-
- strncpy(inst, (char *) krb_get_phost(hostname), sizeof(inst) - 1);
- inst[sizeof(inst) - 1] = '\0';
- if (realm[0] == '\0')
- strncpy(realm, (char *) krb_realmofhost(hostname), sizeof(realm) - 1);
- realm[sizeof(realm) - 1] = '\0';
- if ((kerror = krb_mk_req(&ticket, service = "ftp",
- inst, realm, checksum))
- && (kerror != KDC_PR_UNKNOWN ||
- (kerror = krb_mk_req(&ticket, service = "rcmd",
- inst, realm, checksum))))
- fprintf(stderr, "Kerberos V4 krb_mk_req failed: %s\n",
- krb_get_err_text(kerror));
- else if ((kerror = krb_get_cred(service, inst, realm, &cred)))
- fprintf(stderr, "Kerberos V4 krb_get_cred failed: %s\n",
- krb_get_err_text(kerror));
- else {
- key_sched(cred.session, schedule);
- reply_parse = "ADAT=";
- oldverbose = verbose;
- verbose = 0;
- i = ticket.length;
- if ((kerror = radix_encode(ticket.dat, out_buf, &i, 0)))
- fprintf(stderr, "Base 64 encoding failed: %s\n",
- radix_error(kerror));
- else if (command("ADAT %s", out_buf) != COMPLETE)
- fprintf(stderr, "Kerberos V4 authentication failed\n");
- else if (!reply_parse)
- fprintf(stderr,
- "No authentication data received from server\n");
- else if ((kerror = radix_encode((unsigned char *)reply_parse, out_buf, &i, 1)))
- fprintf(stderr, "Base 64 decoding failed: %s\n",
- radix_error(kerror));
- else if ((kerror = krb_rd_safe(out_buf, (unsigned )i,
- &cred.session,
- &hisctladdr, &myctladdr,
- &msg_data)))
- fprintf(stderr, "Kerberos V4 krb_rd_safe failed: %s\n",
- krb_get_err_text(kerror));
- else {
- /* fetch the (modified) checksum */
- (void) memcpy(&cksum, msg_data.app_data, sizeof(cksum));
- if (ntohl(cksum) == checksum + 1) {
- verbose = oldverbose;
- if (verbose)
- printf("Kerberos V4 authentication succeeded\n");
- reply_parse = NULL;
- auth_type = "KERBEROS_V4";
- return(1);
- } else fprintf(stderr,
- "Kerberos V4 mutual authentication failed\n");
- }
- verbose = oldverbose;
- reply_parse = NULL;
- }
- } else fprintf(stderr, "%s rejected as an authentication type\n",
- "KERBEROS_V4");
-#endif /* KRB5_KRB4_COMPAT */
/* Other auth types go here ... */
#include <signal.h>
#include "ftp_var.h"
#ifndef _WIN32
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <sys/socket.h>
#include <netdb.h>
-#endif
#include <sys/ioctl.h>
#include <sys/types.h>
#include <pwd.h>
sigtype intr (int), lostpeer (int);
extern char *home;
char *getlogin();
-#ifdef KRB5_KRB4_COMPAT
-#include <krb.h>
-struct servent staticsp;
-extern char realm[];
-#endif /* KRB5_KRB4_COMPAT */
static void cmdscanner (int);
static char *slurpstring (void);
fprintf(stderr, "ftp: ftp/tcp: unknown service\n");
exit(1);
}
-#ifdef KRB5_KRB4_COMPAT
-/* GDM need to static sp so that the information is not lost
- when kerberos calls getservbyname */
- memcpy(&staticsp,sp,sizeof(struct servent));
- sp = &staticsp;
-#endif /* KRB5_KRB4_COMPAT */
doglob = 1;
interactive = 1;
autoauth = 1;
debug++;
break;
-#ifdef KRB5_KRB4_COMPAT
- case 'k':
- if (*++cp != '\0')
- strncpy(realm, ++cp, REALM_SZ);
- else if (argc > 1) {
- argc--, argv++;
- strncpy(realm, *argv, REALM_SZ);
- }
- else
- fprintf(stderr, "ftp: -k expects arguments\n");
- goto nextopt;
-#endif
-
case 'v':
verbose++;
break;
#include <secure.h> /* stuff which is specific to client or server */
-#ifdef KRB5_KRB4_COMPAT
-#include <krb.h>
-
-CRED_DECL
-extern KTEXT_ST ticket;
-extern MSG_DAT msg_data;
-extern Key_schedule schedule;
-#endif /* KRB5_KRB4_COMPAT */
-
#ifdef _WIN32
#undef ERROR
#endif
static unsigned int smaxqueue; /* Maximum allowed to queue before
flush buffer. < smaxbuf by fudgefactor */
-#ifdef KRB5_KRB4_COMPAT
-#define KRB4_FUDGE_FACTOR 32 /* Amount of growth
- * from cleartext to ciphertext.
- * krb_mk_priv adds this # bytes.
- * Must be defined for each auth type.
- */
-#endif /* KRB5_KRB4_COMPAT */
-
-#ifdef KRB5_KRB4_COMPAT
-/* XXX - The following must be redefined if KERBEROS_V4 is not used
- * but some other auth type is. They must have the same properties. */
-#define looping_write krb_net_write
-#define looping_read krb_net_read
-#endif
-
/* perhaps use these in general, certainly use them for GSSAPI */
#ifndef looping_write
smaxbuf = maxbuf;
smaxqueue = maxbuf;
-#ifdef KRB5_KRB4_COMPAT
- /* For KRB4 - we know the fudge factor to be 32 */
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- smaxqueue = smaxbuf - KRB4_FUDGE_FACTOR;
- }
-#endif
#ifdef GSSAPI
if (strcmp(auth_type, "GSSAPI") == 0) {
OM_uint32 maj_stat, min_stat, mlen;
buffer lengths required */
/* Other auth types go here ... */
-#ifdef KRB5_KRB4_COMPAT
- if (bufsize < nbyte + fudge) {
- if (outbuf?
- (outbuf = realloc(outbuf, (unsigned) (nbyte + fudge))):
- (outbuf = malloc((unsigned) (nbyte + fudge)))) {
- bufsize = nbyte + fudge;
- } else {
- bufsize = 0;
- secure_error("%s (in malloc of PROT buffer)",
- strerror(errno));
- return(ERR);
- }
- }
-
- if (strcmp(auth_type, "KERBEROS_V4") == 0)
- if ((length = dlevel == PROT_P ?
- krb_mk_priv(buf, (unsigned char *) outbuf, nbyte, schedule,
- SESSION, &myaddr, &hisaddr)
- : krb_mk_safe(buf, (unsigned char *) outbuf, nbyte, SESSION,
- &myaddr, &hisaddr)) == -1) {
- secure_error("krb_mk_%s failed for KERBEROS_V4",
- dlevel == PROT_P ? "priv" : "safe");
- return(ERR);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(auth_type, "GSSAPI") == 0) {
gss_buffer_desc in_buf, out_buf;
return(ERR);
}
/* Other auth types go here ... */
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if ((kerror = dlevel == PROT_P ?
- krb_rd_priv(ucbuf, length, schedule, SESSION,
- &hisaddr, &myaddr, &msg_data)
- : krb_rd_safe(ucbuf, length, SESSION,
- &hisaddr, &myaddr, &msg_data))) {
- secure_error("krb_rd_%s failed for KERBEROS_V4 (%s)",
- dlevel == PROT_P ? "priv" : "safe",
- krb_get_err_text(kerror));
- return(ERR);
- }
- memmove(ucbuf, msg_data.app_data, msg_data.app_length);
- nin = bufp = msg_data.app_length;
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(auth_type, "GSSAPI") == 0) {
gss_buffer_desc xmit_buf, msg_buf;
OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \
secure.o $(LIBOBJS) $(SETENVOBJ)
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
all:: ftpd
-ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB4COMPAT_LIBS)
+ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS)
generate-files-mac: ftpcmd.c
unsigned char *ucbuf;
static int kerror; /* XXX needed for all auth types */
-#ifdef KRB5_KRB4_COMPAT
-extern struct sockaddr_in his_addr, ctrl_addr;
-#include <krb.h>
-extern AUTH_DAT kdata;
-extern Key_schedule schedule;
-extern MSG_DAT msg_data;
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
if (debug) syslog(LOG_DEBUG, "getline got %d from %s <%s>\n",
len, cs, mic?"MIC":"ENC");
clevel = mic ? PROT_S : PROT_P;
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if ((kerror = mic ?
- krb_rd_safe((unsigned char *)out, len, &kdata.session,
- &his_addr, &ctrl_addr, &msg_data)
- : krb_rd_priv((unsigned char *)out, len, schedule,
- &kdata.session, &his_addr, &ctrl_addr, &msg_data))
- != KSUCCESS) {
- reply(535, "%s! (%s)",
- mic ? "MIC command modified" : "ENC command garbled",
- krb_get_err_text(kerror));
- syslog(LOG_ERR,"%s failed: %s",
- mic ? "MIC krb_rd_safe" : "ENC krb_rd_priv",
- krb_get_err_text(kerror));
- *s = '\0';
- return(s);
- }
- (void) memcpy(s, msg_data.app_data, msg_data.app_length);
- (void) memcpy(s+msg_data.app_length, "\r\n", 3);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
/* we know this is a MIC or ENC already, and out/len already has the bits */
if (strcmp(auth_type, "GSSAPI") == 0) {
}
}
-#if defined KRB5_KRB4_COMPAT || defined GSSAPI /* or other auth types */
+#ifdef GSSAPI /* or other auth types */
else { /* !auth_type */
if ( (!(strncmp(s, "ENC", 3))) || (!(strncmp(s, "MIC", 3)))
#ifndef NOCONFIDENTIAL
return(s);
}
}
-#endif /* KRB5_KRB4_COMPAT || GSSAPI */
+#endif GSSAPI
if (debug) {
if (!strncmp(s, "PASS ", 5) && !guest)
file to use. The default value is normally set by
.IR /etc/krb5.conf .
.TP
-\fB\-s\fP \fIsrvtab\fP
-Sets the name of the
-.I srvtab
-file to use for Kerberos V4 authentication. The default value is normally
-.IR /etc/srvtab .
-.TP
\fB\-w \fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]}
Controls the form of the remote hostname passed to login(1).
Specifying \fBip\fP results in the numeric IP address always being
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <sys/socket.h>
-#endif
#include <sys/wait.h>
#include <sys/file.h>
#include <netinet/in.h>
#define sigsetjmp(j,s) setjmp(j)
#define siglongjmp longjmp
#endif
-#ifndef KRB5_KRB4_COMPAT
-/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */
#include <netdb.h>
-#endif
#include <errno.h>
#include <syslog.h>
#include <unistd.h>
#include <k5-util.h>
#include "port-sockets.h"
-#ifdef KRB5_KRB4_COMPAT
-#include <krb5.h>
-#include <krb.h>
-
-AUTH_DAT kdata;
-KTEXT_ST ticket;
-MSG_DAT msg_data;
-Key_schedule schedule;
-char *keyfile;
-static char *krb4_services[] = { "ftp", "rcmd", NULL };
-#endif /* KRB5_KRB4_COMPAT */
-
#ifdef GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
char *auth_type; /* Authentication succeeded? If so, what type? */
static char *temp_auth_type;
-int authorized; /* Auth succeeded and was accepted by krb4 or gssapi */
+int authorized; /* Auth succeeded and was accepted by gssapi */
int have_creds; /* User has credentials on disk */
/*
int addrlen, c, on = 1, tos, port = -1;
extern char *optarg;
extern int optopt;
-#ifdef KRB5_KRB4_COMPAT
- char *option_string = "AaCcdElp:r:s:T:t:U:u:vw:";
-#else /* !KRB5_KRB4_COMPAT */
char *option_string = "AaCcdElp:r:T:t:U:u:vw:";
-#endif /* KRB5_KRB4_COMPAT */
ftpusers = _PATH_FTPUSERS_DEFAULT;
-#ifdef KRB5_KRB4_COMPAT
- keyfile = KEYFILE;
-#endif /* KRB5_KRB4_COMPAT */
debug = 0;
#ifdef SETPROCTITLE
/*
setenv("KRB_CONF", optarg, 1);
break;
-#ifdef KRB5_KRB4_COMPAT
- case 's':
- keyfile = optarg;
- break;
-#endif /* KRB5_KRB4_COMPAT */
-
case 't':
timeout = atoi(optarg);
if (maxtimeout < timeout)
authorized ? "" : " not",
name);
}
-#ifdef KRB5_KRB4_COMPAT
- else
-#endif /* KRB5_KRB4_COMPAT */
#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- if (auth_type && strcmp(auth_type, "KERBEROS_V4") == 0) {
- int len;
-
- authorized = kuserok(&kdata,name) == 0;
- len = sizeof("Kerberos user .@ is not authorized as "
- "; Password required.")
- + strlen(kdata.pname)
- + strlen(kdata.pinst)
- + strlen(kdata.prealm)
- + strlen(name);
- if (len >= sizeof(buf)) {
- syslog(LOG_ERR, "user: username too long");
- name = "[username too long]";
- }
- snprintf(buf, sizeof(buf),
- "Kerberos user %s%s%s@%s is%s authorized as %s",
- kdata.pname, *kdata.pinst ? "." : "",
- kdata.pinst, kdata.prealm,
- authorized ? "" : " not", name);
- }
-#endif /* KRB5_KRB4_COMPAT */
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
strncat(buf, "; Access denied.",
if (have_creds) {
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
-#endif
-#ifdef KRB5_KRB4_COMPAT
- dest_tkt();
#endif
have_creds = 0;
}
krb5_creds my_creds;
krb5_timestamp now;
#endif /* GSSAPI */
-#ifdef KRB5_KRB4_COMPAT
- char realm[REALM_SZ];
-#ifndef GSSAPI
- char **service;
- KTEXT_ST ticket;
- AUTH_DAT authdata;
- des_cblock key;
- char instance[INST_SZ];
- unsigned long faddr;
- struct hostent *hp;
-#endif /* GSSAPI */
-#endif /* KRB5_KRB4_COMPAT */
char ccname[MAXPATHLEN];
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
return(1);
}
-#endif /* GSSAPI */
-
-#ifdef KRB5_KRB4_COMPAT
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- goto nuke_ccache;
-
- snprintf(ccname, sizeof(ccname), "%s_ftpd%ld", TKT_ROOT,
- (long) getpid());
- krb_set_tkt_string(ccname);
-
- if (krb_get_pw_in_tkt(name, "", realm, "krbtgt", realm, 1, passwd))
- goto nuke_ccache;
-
-#ifndef GSSAPI
- /* Verify the ticket since we didn't verify the krb5 one. */
- strncpy(instance, krb_get_phost(hostname), sizeof(instance));
-
- if ((hp = gethostbyname(instance)) == NULL)
- goto nuke_ccache;
- memcpy((char *) &faddr, (char *)hp->h_addr, sizeof(faddr));
-
- for (service = krb4_services; *service; service++) {
- if (!read_service_key(*service, instance,
- realm, 0, keyfile, key)) {
- (void) memset(key, 0, sizeof(key));
- if (krb_mk_req(&ticket, *service,
- instance, realm, 33) ||
- krb_rd_req(&ticket, *service, instance,
- faddr, &authdata,keyfile) ||
- kuserok(&authdata, name)) {
- dest_tkt();
- goto nuke_ccache;
- } else
- break;
- }
- }
-
- if (!*service) {
- dest_tkt();
- goto nuke_ccache;
- }
-
- if (!want_creds) {
- dest_tkt();
- return(1);
- }
-#endif /* GSSAPI */
-#endif /* KRB5_KRB4_COMPAT */
-#if defined(GSSAPI) || defined(KRB5_KRB4_COMPAT)
have_creds = 1;
return(1);
-#endif /* GSSAPI || KRB5_KRB4_COMPAT */
+#endif /* GSSAPI */
nuke_ccache:
#ifdef GSSAPI
#ifdef GSSAPI
const char *ccname = krb5_cc_get_name(kcontext, ccache);
chown(ccname, pw->pw_uid, pw->pw_gid);
-#endif
-#ifdef KRB5_KRB4_COMPAT
- chown(tkt_string(), pw->pw_uid, pw->pw_gid);
#endif
}
if (n) snprintf(in, sizeof(in), "%d%c", n, cont_char);
else in[0] = '\0';
strncat(in, buf, sizeof (in) - strlen(in) - 1);
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if (clevel == PROT_P)
- length = krb_mk_priv((unsigned char *)in,
- (unsigned char *)out,
- strlen(in),
- schedule, &kdata.session,
- &ctrl_addr,
- &his_addr);
- else
- length = krb_mk_safe((unsigned char *)in,
- (unsigned char *)out,
- strlen(in),
- &kdata.session,
- &ctrl_addr,
- &his_addr);
- if (length == -1) {
- syslog(LOG_ERR,
- "krb_mk_%s failed for KERBEROS_V4",
- clevel == PROT_P ? "priv" : "safe");
- fputs(in,stdout);
- }
- } else
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
/* reply (based on level) */
if (strcmp(auth_type, "GSSAPI") == 0) {
if (have_creds) {
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
-#endif
-#ifdef KRB5_KRB4_COMPAT
- dest_tkt();
#endif
}
/* beware of flushing buffers after a SIGPIPE */
if (auth_type)
reply(534, "Authentication type already set to %s", auth_type);
else
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(atype, "KERBEROS_V4") == 0)
- reply(334, "Using authentication type %s; ADAT must follow",
- temp_auth_type = atype);
- else
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(atype, "GSSAPI") == 0)
reply(334, "Using authentication type %s; ADAT must follow",
char *adata;
{
int kerror, length;
-#ifdef KRB5_KRB4_COMPAT
- static char **service=NULL;
- char instance[INST_SZ];
- KRB4_32 cksum;
- char buf[FTP_BUFSIZ];
- u_char out_buf[sizeof(buf)];
-#endif /* KRB5_KRB4_COMPAT */
if (auth_type) {
reply(503, "Authentication already established");
reply(503, "Must identify AUTH type before ADAT");
return(0);
}
-#ifdef KRB5_KRB4_COMPAT
- if (strcmp(temp_auth_type, "KERBEROS_V4") == 0) {
- kerror = radix_encode(adata, out_buf, &length, 1);
- if (kerror) {
- reply(501, "Couldn't decode ADAT (%s)",
- radix_error(kerror));
- syslog(LOG_ERR, "Couldn't decode ADAT (%s)",
- radix_error(kerror));
- return(0);
- }
- (void) memcpy((char *)ticket.dat, (char *)out_buf, ticket.length = length);
- strlcpy(instance, "*", sizeof(instance));
-
- kerror = 255;
- for (service = krb4_services; *service; service++) {
- kerror = krb_rd_req(&ticket, *service, instance,
- his_addr.sin_addr.s_addr,
- &kdata, keyfile);
- /* Success */
- if(!kerror) break;
- }
- /* rd_req failed.... */
- if(kerror) {
- secure_error("ADAT: Kerberos V4 krb_rd_req: %s",
- krb_get_err_text(kerror));
- return(0);
- }
-
- /* add one to the (formerly) sealed checksum, and re-seal it */
- cksum = kdata.checksum + 1;
- cksum = htonl(cksum);
- key_sched(kdata.session,schedule);
- if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum),
- &kdata.session,&ctrl_addr, &his_addr)) == -1) {
- secure_error("ADAT: krb_mk_safe failed");
- return(0);
- }
- if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
- secure_error("ADAT: reply too long");
- return(0);
- }
-
- kerror = radix_encode(out_buf, buf, &length, 0);
- if (kerror) {
- secure_error("Couldn't encode ADAT reply (%s)",
- radix_error(kerror));
- return(0);
- }
- reply(235, "ADAT=%s", buf);
- /* Kerberos V4 authentication succeeded */
- auth_type = temp_auth_type;
- temp_auth_type = NULL;
- return(1);
- }
-#endif /* KRB5_KRB4_COMPAT */
#ifdef GSSAPI
if (strcmp(temp_auth_type, "GSSAPI") == 0) {
int replied = 0;
OM_uint32 major_status, minor_status;
krb5_principal me;
char ccname[MAXPATHLEN];
-#ifdef KRB5_KRB4_COMPAT
- krb5_principal kpcserver;
- krb5_creds increds, *v5creds;
- CREDENTIALS v4creds;
-#endif
/* Set up ccache */
if (krb5_parse_name(kcontext, name, &me))
if (major_status != GSS_S_COMPLETE)
goto cleanup;
-#ifdef KRB5_KRB4_COMPAT
- /* Convert krb5 creds to krb4 */
-
- if (krb5_build_principal_ext(kcontext, &kpcserver,
- krb5_princ_realm(kcontext, me)->length,
- krb5_princ_realm(kcontext, me)->data,
- 6, "krbtgt",
- krb5_princ_realm(kcontext, me)->length,
- krb5_princ_realm(kcontext, me)->data,
- 0))
- goto cleanup;
-
- memset((char *) &increds, 0, sizeof(increds));
- increds.client = me;
- increds.server = kpcserver;
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- if (krb5_get_credentials(kcontext, 0, ccache, &increds, &v5creds))
- goto cleanup;
- if (krb524_convert_creds_kdc(kcontext, v5creds, &v4creds))
- goto cleanup;
-
- snprintf(ccname, sizeof(ccname), "%s_ftpd%ld",
- TKT_ROOT, (long) getpid());
- krb_set_tkt_string(ccname);
-
- if (in_tkt(v4creds.pname, v4creds.pinst) != KSUCCESS)
- goto cleanup;
-
- if (krb_save_credentials(v4creds.service, v4creds.instance,
- v4creds.realm, v4creds.session,
- v4creds.lifetime, v4creds.kvno,
- &(v4creds.ticket_st), v4creds.issue_date))
- goto cleanup_v4;
-#endif /* KRB5_KRB4_COMPAT */
have_creds = 1;
return;
-#ifdef KRB5_KRB4_COMPAT
-cleanup_v4:
- dest_tkt();
-#endif
cleanup:
krb5_cc_destroy(kcontext, ccache);
}
dnl
KRB5_NEED_PROTO([#include <stdlib.h>],setenv)
AC_C_CONST
-if test "$KRB4_LIB" = ''; then
- AC_MSG_RESULT(No Kerberos 4 authentication)
-else
- AC_MSG_RESULT(Kerberos 4 authentication enabled)
- AC_DEFINE(KRB4,1,[Define if krb4 authentication is enabled])
-fi
KRB5_BUILD_LIBRARY
KRB5_BUILD_LIBOBJS
dnl
#include <netdb.h>],herror,1)
dnl
CHECK_SIGNALS
-if test "$KRB4_LIB" = ''; then
- AC_MSG_RESULT(No Kerberos 4 authentication)
-else
- AC_MSG_RESULT(Kerberos 4 authentication enabled)
- AC_DEFINE(KRB4)
-fi
dnl
KRB5_BUILD_PROGRAM
dnl
#
AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION -DKRB5 -DFORWARD \
-UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
-LOCALINCLUDES=-I.. -I$(srcdir)/.. @KRB4_INCLUDES@
+LOCALINCLUDES=-I.. -I$(srcdir)/..
DEFINES = -DTELNET_BUFSIZE=65535 $(AUTH_DEF)
LIBOBJS=@LIBOBJS@
$(srcdir)/encrypt.c \
$(srcdir)/genget.c \
$(srcdir)/misc.c \
- $(srcdir)/kerberos.c \
$(srcdir)/kerberos5.c \
$(srcdir)/forward.c \
$(srcdir)/enc_des.c \
$(srcdir)/strerror.c
STLIBOBJS= auth.o encrypt.o genget.o \
- misc.o kerberos.o kerberos5.o forward.o enc_des.o \
+ misc.o kerberos5.o forward.o enc_des.o \
$(LIBOBJS) getent.o $(SETENVOBJ)
TELNET_H= $(srcdir)/../arpa/telnet.h
encrypt.o: $(TELNET_H)
encrypt.o: encrypt.h
encrypt.o: misc.h
-kerberos.o: $(TELNET_H)
-kerberos.o: encrypt.h
-kerberos.o: auth.h
-kerberos.o: misc.h
kerberos5.o: $(TELNET_H)
kerberos5.o: encrypt.h
kerberos5.o: auth.h
misc-proto.h misc.h
misc.so misc.po $(OUTPRE)misc.$(OBJEXT): auth-proto.h \
auth.h enc-proto.h encrypt.h misc-proto.h misc.c misc.h
-kerberos.so kerberos.po $(OUTPRE)kerberos.$(OBJEXT): \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \
- kerberos.c
kerberos5.so kerberos5.po $(OUTPRE)kerberos5.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
void auth_printsub (unsigned char *, int, unsigned char *, unsigned int);
-#ifdef KRB4
-int kerberos4_init (Authenticator *, int);
-int kerberos4_send (Authenticator *);
-void kerberos4_is (Authenticator *, unsigned char *, int);
-void kerberos4_reply (Authenticator *, unsigned char *, int);
-int kerberos4_status (Authenticator *, char *, int);
-void kerberos4_printsub (unsigned char *, int, unsigned char *, unsigned int);
-#endif
-
#ifdef KRB5
int kerberos5_init (Authenticator *, int);
int kerberos5_send (Authenticator *);
kerberos5_reply,
kerberos5_status,
kerberos5_printsub },
-#endif
-#ifdef KRB4
-# ifdef ENCRYPTION
- { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
- kerberos4_init,
- kerberos4_send,
- kerberos4_is,
- kerberos4_reply,
- kerberos4_status,
- kerberos4_printsub },
-# endif /* ENCRYPTION */
- { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
- kerberos4_init,
- kerberos4_send,
- kerberos4_is,
- kerberos4_reply,
- kerberos4_status,
- kerberos4_printsub },
#endif
{ 0, },
};
+++ /dev/null
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* based on @(#)kerberos.c 8.1 (Berkeley) 6/4/93 */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifdef KRB4
-/* this code must be compiled in the krb5 tree. disgustingly, there
- is code in here which declares structures which happen to mirror
- the krb4 des structures. I didn't want to rototill this *completely*
- so this is how it's going to work. --marc */
-#include <krb5.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <arpa/telnet.h>
-#include <stdio.h>
-#include <des.h> /* BSD wont include this in krb.h, so we do it here */
-#include <krb.h>
-#ifdef __STDC__
-#include <stdlib.h>
-#endif
-#ifdef HAVE_STRING_H
-#include <string.h>
-#else
-#include <strings.h>
-#endif
-
-#include "encrypt.h"
-#include "auth.h"
-#include "misc.h"
-
-extern int auth_debug_mode;
-extern krb5_context telnet_context;
-
-int kerberos4_cksum (unsigned char *, int);
-
-static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
- AUTHTYPE_KERBEROS_V4, };
-#if 0
-static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
- TELQUAL_NAME, };
-#endif
-
-#define KRB_AUTH 0 /* Authentication data follows */
-#define KRB_REJECT 1 /* Rejected (reason might follow) */
-#define KRB_ACCEPT 2 /* Accepted */
-#define KRB_CHALLENGE 3 /* Challenge for mutual auth. */
-#define KRB_RESPONSE 4 /* Response for mutual auth. */
-
-#define KRB_SERVICE_NAME "rcmd"
-
-static KTEXT_ST auth;
-static char name[ANAME_SZ];
-static AUTH_DAT adat = { 0 };
-#ifdef ENCRYPTION
-static Block session_key = { 0 };
-static krb5_keyblock krbkey;
-static Block challenge = { 0 };
-#endif /* ENCRYPTION */
-
- static int
-Data(ap, type, d, c)
- Authenticator *ap;
- int type;
- const void *d;
- int c;
-{
- unsigned char *p = str_data + 4;
- const unsigned char *cd = (const unsigned char *)d;
- size_t spaceleft = sizeof(str_data) - 4;
- if (c == -1)
- c = strlen((const char *)cd);
-
- if (auth_debug_mode) {
- printf("%s:%d: [%d] (%d)",
- str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
- str_data[3],
- type, c);
- printd(d, c);
- printf("\r\n");
- }
- *p++ = ap->type;
- *p++ = ap->way;
- *p++ = type;
- spaceleft -= 3;
- while (c-- > 0) {
- if ((*p++ = *cd++) == IAC) {
- *p++ = IAC;
- spaceleft--;
- }
- if ((--spaceleft < 4) && c) {
- errno = ENOMEM;
- return -1;
- }
- }
- *p++ = IAC;
- *p++ = SE;
- if (str_data[3] == TELQUAL_IS)
- printsub('>', &str_data[2], p - (&str_data[2]));
- return(net_write(str_data, p - str_data));
-}
-
- int
-kerberos4_init(ap, server)
- Authenticator *ap;
- int server;
-{
- FILE *fp;
-
- if (server) {
- str_data[3] = TELQUAL_REPLY;
- if ((fp = fopen(KEYFILE, "r")) == NULL)
- return(0);
- fclose(fp);
- } else {
- str_data[3] = TELQUAL_IS;
- }
-
- kerberos5_init(NULL, server);
-
- return(1);
-}
-
-char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
-unsigned int dst_realm_sz = REALM_SZ;
-
- int
-kerberos4_send(ap)
- Authenticator *ap;
-{
- KTEXT_ST kauth;
- char instance[INST_SZ];
- char *realm;
- char *krb_realmofhost();
- char *krb_get_phost();
- CREDENTIALS cred;
- int r;
-#ifdef ENCRYPTION
- krb5_data data;
- krb5_enc_data encdata;
- krb5_error_code code;
- krb5_keyblock rand_key;
-#endif
-
- printf("[ Trying KERBEROS4 ... ]\r\n");
- if (!UserNameRequested) {
- if (auth_debug_mode) {
- printf("Kerberos V4: no user name supplied\r\n");
- }
- return(0);
- }
-
- memset(instance, 0, sizeof(instance));
-
- if ((realm = krb_get_phost(RemoteHostName)))
- strncpy(instance, realm, sizeof(instance));
-
- instance[sizeof(instance)-1] = '\0';
-
- realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
-
- if (!realm) {
- printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
- return(0);
- }
- if ((r = krb_mk_req(&kauth, KRB_SERVICE_NAME, instance, realm, 0))) {
- printf("mk_req failed: %s\r\n", krb_get_err_text(r));
- return(0);
- }
- if ((r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred))) {
- printf("get_cred failed: %s\r\n", krb_get_err_text(r));
- return(0);
- }
- if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
- if (auth_debug_mode)
- printf("Not enough room for user name\r\n");
- return(0);
- }
- if (auth_debug_mode)
- printf("Sent %d bytes of authentication data\r\n", kauth.length);
- if (!Data(ap, KRB_AUTH, (void *)kauth.dat, kauth.length)) {
- if (auth_debug_mode)
- printf("Not enough room for authentication data\r\n");
- return(0);
- }
-#ifdef ENCRYPTION
- /*
- * If we are doing mutual authentication, get set up to send
- * the challenge, and verify it when the response comes back.
- */
- if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
- register int i;
-
- data.data = cred.session;
- data.length = 8; /* sizeof(cred.session) */;
-
- if ((code = krb5_c_random_seed(telnet_context, &data))) {
- com_err("libtelnet", code,
- "while seeding random number generator");
- return(0);
- }
-
- if ((code = krb5_c_make_random_key(telnet_context,
- ENCTYPE_DES_CBC_RAW,
- &rand_key))) {
- com_err("libtelnet", code,
- "while creating random session key");
- return(0);
- }
-
- /* the krb4 code uses ecb mode, but on a single block
- with a zero ivec, ecb and cbc are the same */
- krbkey.enctype = ENCTYPE_DES_CBC_RAW;
- krbkey.length = 8;
- krbkey.contents = cred.session;
-
- encdata.ciphertext.data = rand_key.contents;
- encdata.ciphertext.length = rand_key.length;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- data.data = session_key;
- data.length = 8;
-
- code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0,
- &encdata, &data);
-
- krb5_free_keyblock_contents(telnet_context, &rand_key);
-
- if (code) {
- com_err("libtelnet", code, "while encrypting random key");
- return(0);
- }
-
- encdata.ciphertext.data = session_key;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- data.data = challenge;
- data.length = 8;
-
- code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0,
- &encdata, &data);
-
- /*
- * Increment the challenge by 1, and encrypt it for
- * later comparison.
- */
- for (i = 7; i >= 0; --i) {
- register int x;
- x = (unsigned int)challenge[i] + 1;
- challenge[i] = x; /* ignore overflow */
- if (x < 256) /* if no overflow, all done */
- break;
- }
-
- data.data = challenge;
- data.length = 8;
-
- encdata.ciphertext.data = challenge;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0,
- &data, &encdata))) {
- com_err("libtelnet", code, "while encrypting random key");
- return(0);
- }
- }
-#endif /* ENCRYPTION */
-
- if (auth_debug_mode) {
- printf("CK: %d:", kerberos4_cksum(kauth.dat, kauth.length));
- printd(kauth.dat, kauth.length);
- printf("\r\n");
- printf("Sent Kerberos V4 credentials to server\r\n");
- }
- return(1);
-}
-
- void
-kerberos4_is(ap, data, cnt)
- Authenticator *ap;
- unsigned char *data;
- int cnt;
-{
-#ifdef ENCRYPTION
- Session_Key skey;
- Block datablock, tmpkey;
- krb5_data kdata;
- krb5_enc_data encdata;
- krb5_error_code code;
-#endif /* ENCRYPTION */
- char realm[REALM_SZ];
- char instance[INST_SZ];
- int r;
-
- if (cnt-- < 1)
- return;
- switch (*data++) {
- case KRB_AUTH:
- if (krb_get_lrealm(realm, 1) != KSUCCESS) {
- Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
- auth_finished(ap, AUTH_REJECT);
- if (auth_debug_mode)
- printf("No local realm\r\n");
- return;
- }
- memcpy((void *)auth.dat, (void *)data, auth.length = cnt);
- if (auth_debug_mode) {
- printf("Got %d bytes of authentication data\r\n", cnt);
- printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
- printd(auth.dat, auth.length);
- printf("\r\n");
- }
- instance[0] = '*'; instance[1] = 0;
- if ((r = krb_rd_req(&auth, KRB_SERVICE_NAME,
- instance, 0, &adat, ""))) {
- if (auth_debug_mode)
- printf("Kerberos failed him as %s\r\n", name);
- Data(ap, KRB_REJECT, (const void *)krb_get_err_text(r), -1);
- auth_finished(ap, AUTH_REJECT);
- return;
- }
-#ifdef ENCRYPTION
- memcpy((void *)session_key, (void *)adat.session, sizeof(Block));
-#endif /* ENCRYPTION */
- krb_kntoln(&adat, name);
-
- if (UserNameRequested && !kuserok(&adat, UserNameRequested))
- Data(ap, KRB_ACCEPT, (void *)0, 0);
- else
- Data(ap, KRB_REJECT,
- (void *)"user is not authorized", -1);
- auth_finished(ap, AUTH_USER);
- break;
-
- case KRB_CHALLENGE:
-#ifndef ENCRYPTION
- Data(ap, KRB_RESPONSE, (void *)0, 0);
-#else /* ENCRYPTION */
- if (!VALIDKEY(session_key)) {
- /*
- * We don't have a valid session key, so just
- * send back a response with an empty session
- * key.
- */
- Data(ap, KRB_RESPONSE, (void *)0, 0);
- break;
- }
-
- /*
- * Initialize the random number generator since it's
- * used later on by the encryption routine.
- */
-
- kdata.data = session_key;
- kdata.length = 8;
-
- if ((code = krb5_c_random_seed(telnet_context, &kdata))) {
- com_err("libtelnet", code,
- "while seeding random number generator");
- return;
- }
-
- memcpy((void *)datablock, (void *)data, sizeof(Block));
- /*
- * Take the received encrypted challenge, and encrypt
- * it again to get a unique session_key for the
- * ENCRYPT option.
- */
- krbkey.enctype = ENCTYPE_DES_CBC_RAW;
- krbkey.length = 8;
- krbkey.contents = session_key;
-
- kdata.data = datablock;
- kdata.length = 8;
-
- encdata.ciphertext.data = tmpkey;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0,
- &kdata, &encdata))) {
- com_err("libtelnet", code, "while encrypting random key");
- return;
- }
-
- skey.type = SK_DES;
- skey.length = 8;
- skey.data = tmpkey;
- encrypt_session_key(&skey, 1);
- /*
- * Now decrypt the received encrypted challenge,
- * increment by one, re-encrypt it and send it back.
- */
- encdata.ciphertext.data = datablock;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- kdata.data = challenge;
- kdata.length = 8;
-
- if ((code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0,
- &encdata, &kdata))) {
- com_err("libtelnet", code, "while decrypting challenge");
- return;
- }
-
- for (r = 7; r >= 0; r--) {
- register int t;
- t = (unsigned int)challenge[r] + 1;
- challenge[r] = t; /* ignore overflow */
- if (t < 256) /* if no overflow, all done */
- break;
- }
-
- kdata.data = challenge;
- kdata.length = 8;
-
- encdata.ciphertext.data = challenge;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0,
- &kdata, &encdata))) {
- com_err("libtelnet", code, "while decrypting challenge");
- return;
- }
-
- Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
-#endif /* ENCRYPTION */
- break;
-
- default:
- if (auth_debug_mode)
- printf("Unknown Kerberos option %d\r\n", data[-1]);
- Data(ap, KRB_REJECT, 0, 0);
- break;
- }
-}
-
- void
-kerberos4_reply(ap, data, cnt)
- Authenticator *ap;
- unsigned char *data;
- int cnt;
-{
-#ifdef ENCRYPTION
- Session_Key skey;
- krb5_data kdata;
- krb5_enc_data encdata;
- krb5_error_code code;
-
-#endif /* ENCRYPTION */
-
- if (cnt-- < 1)
- return;
- switch (*data++) {
- case KRB_REJECT:
- if (cnt > 0) {
- printf("[ Kerberos V4 refuses authentication because %.*s ]\r\n",
- cnt, data);
- } else
- printf("[ Kerberos V4 refuses authentication ]\r\n");
- auth_send_retry();
- return;
- case KRB_ACCEPT:
- printf("[ Kerberos V4 accepts you ]\r\n");
- if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
- /*
- * Send over the encrypted challenge.
- */
-#ifndef ENCRYPTION
- Data(ap, KRB_CHALLENGE, (void *)0, 0);
-#else /* ENCRYPTION */
- Data(ap, KRB_CHALLENGE, (void *)session_key,
- sizeof(session_key));
-
- kdata.data = session_key;
- kdata.length = 8;
-
- encdata.ciphertext.data = session_key;
- encdata.ciphertext.length = 8;
- encdata.enctype = ENCTYPE_UNKNOWN;
-
- if ((code = krb5_c_encrypt(telnet_context, &krbkey,
- 0, 0, &kdata, &encdata))) {
- com_err("libtelnet", code,
- "while encrypting session_key");
- return;
- }
-
- skey.type = SK_DES;
- skey.length = 8;
- skey.data = session_key;
- encrypt_session_key(&skey, 0);
-#endif /* ENCRYPTION */
- return;
- }
- auth_finished(ap, AUTH_USER);
- return;
- case KRB_RESPONSE:
-#ifdef ENCRYPTION
- /*
- * Verify that the response to the challenge is correct.
- */
- if ((cnt != sizeof(Block)) ||
- (0 != memcmp((void *)data, (void *)challenge,
- sizeof(challenge))))
- {
-#endif /* ENCRYPTION */
- printf("[ Kerberos V4 challenge failed!!! ]\r\n");
- auth_send_retry();
- return;
-#ifdef ENCRYPTION
- }
- printf("[ Kerberos V4 challenge successful ]\r\n");
- auth_finished(ap, AUTH_USER);
-#endif /* ENCRYPTION */
- break;
- default:
- if (auth_debug_mode)
- printf("Unknown Kerberos option %d\r\n", data[-1]);
- return;
- }
-}
-
- int
-kerberos4_status(ap, kname, level)
- Authenticator *ap;
- char *kname;
- int level;
-{
- if (level < AUTH_USER)
- return(level);
-
- /*
- * Always copy in UserNameRequested if the authentication
- * is valid, because the higher level routines need it.
- */
- if (UserNameRequested) {
- /* the name buffer comes from telnetd/telnetd{-ktd}.c */
- strncpy(kname, UserNameRequested, 255);
- kname[255] = '\0';
- }
-
- if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
- return(AUTH_VALID);
- } else
- return(AUTH_USER);
-}
-
-#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
-#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
-
- void
-kerberos4_printsub(data, cnt, buf, buflen)
- unsigned char *data, *buf;
- int cnt;
- unsigned int buflen;
-{
- char lbuf[32];
- register int i;
-
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
- buflen -= 1;
-
- switch(data[3]) {
- case KRB_REJECT: /* Rejected (reason might follow) */
- strncpy((char *)buf, " REJECT ", buflen);
- goto common;
-
- case KRB_ACCEPT: /* Accepted (name might follow) */
- strncpy((char *)buf, " ACCEPT ", buflen);
- common:
- BUMP(buf, buflen);
- if (cnt <= 4)
- break;
- ADDC(buf, buflen, '"');
- for (i = 4; i < cnt; i++)
- ADDC(buf, buflen, data[i]);
- ADDC(buf, buflen, '"');
- ADDC(buf, buflen, '\0');
- break;
-
- case KRB_AUTH: /* Authentication data follows */
- strncpy((char *)buf, " AUTH", buflen);
- goto common2;
-
- case KRB_CHALLENGE:
- strncpy((char *)buf, " CHALLENGE", buflen);
- goto common2;
-
- case KRB_RESPONSE:
- strncpy((char *)buf, " RESPONSE", buflen);
- goto common2;
-
- default:
- snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
- strncpy((char *)buf, lbuf, buflen);
- common2:
- BUMP(buf, buflen);
- for (i = 4; i < cnt; i++) {
- snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
- strncpy((char *)buf, lbuf, buflen);
- BUMP(buf, buflen);
- }
- break;
- }
-}
-
- int
-kerberos4_cksum(d, n)
- unsigned char *d;
- int n;
-{
- int ck = 0;
-
- /*
- * A comment is probably needed here for those not
- * well versed in the "C" language. Yes, this is
- * supposed to be a "switch" with the body of the
- * "switch" being a "while" statement. The whole
- * purpose of the switch is to allow us to jump into
- * the middle of the while() loop, and then not have
- * to do any more switch()s.
- *
- * Some compilers will spit out a warning message
- * about the loop not being entered at the top.
- */
- switch (n&03)
- while (n > 0) {
- case 0:
- ck ^= (int)*d++ << 24;
- --n;
- case 3:
- ck ^= (int)*d++ << 16;
- --n;
- case 2:
- ck ^= (int)*d++ << 8;
- --n;
- case 1:
- ck ^= (int)*d++;
- --n;
- }
- return(ck);
-}
-#else
-#include <krb5.h>
-#include <errno.h>
-
-#endif
-
-#ifdef notdef
-
-prkey(msg, key)
- char *msg;
- unsigned char *key;
-{
- register int i;
- printf("%s:", msg);
- for (i = 0; i < 8; i++)
- printf(" %3d", key[i]);
- printf("\r\n");
-}
-#endif
all:: telnet
-telnet: $(OBJS) $(KRB4COMPAT_DEPLIBS) ../libtelnet/libtelnet.a
- $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(KRB4COMPAT_LIBS)
+telnet: $(OBJS) $(KRB5_BASE_DEPLIBS) ../libtelnet/libtelnet.a
+ $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(KRB5_BASE_LIBS)
clean::
$(RM) telnet
#endif
break;
case 'k':
-#if defined(AUTHENTICATION) && defined(KRB4)
- {
- extern char *dest_realm, dst_realm_buf[];
- extern unsigned int dst_realm_sz;
- dest_realm = dst_realm_buf;
- (void)strncpy(dest_realm, optarg, dst_realm_sz);
- }
-#endif
#if defined(AUTHENTICATION) && defined(KRB5)
{
extern char *telnet_krb5_realm;
telnet_krb5_realm = optarg;
break;
}
-#endif
-#if !defined(AUTHENTICATION) || (!defined(KRB4) && !defined(KRB5))
+#else
fprintf(stderr,
"%s: Warning: -k ignored, no Kerberos V4 support.\n",
prompt);
DEFINES = -DTELNET_BUFSIZE=65535 $(AUTH_DEF) $(OTHERDEFS)
ARPA_TELNET= $(srcdir)/../arpa/telnet.h
-PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
+PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
LIBS= @TELNETD_LIBS@
all:: telnetd
-telnetd: $(OBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) ../libtelnet/libtelnet.a
- $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS)
+telnetd: $(OBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) ../libtelnet/libtelnet.a
+ $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS)
clean::
$(RM) telnetd
projects / krb5.git / commitdiff