+Sun Apr 21 00:30:28 1996 Sam Hartman <hartmans@mit.edu>
+
+ * krshd.c krlogind.c: Implement -i. Rewrite error message having
+ to do with checksums.
+
+ * krshd.Mkrlogind.M : Document -i, remove documentation about
+ taking options from name of daemon. Clean up checksum
+ documentation.
+
+ * krlogind.c (do_krb_login): Fix up error messages for checksums.
+ Configuration errors are presented for situations where -c and -i
+ are used together, or where -4 and -c are used together.
+
Thu Apr 18 19:48:47 1996 Sam Hartman <hartmans@mit.edu>
* Makefile.in: Fix spaces by converting to tabs.
DO_NOT_USE_K_LOGIN.
.PP
The configuration of \fIkrlogind\fP is done
-either by command-line arguments passed by
-inetd, or by the name of the daemon. If command-line arguments are
-present, they take priority. The options are:
+by command line arguments passed by inetd. The options are:
.IP \fB\-5\fP 10
Allow Kerberos5 authentication with the \fI.k5login\fP access control file
to be trusted. If this authentication system is used by the client and the
.IP \fB\-e\fP
Create an encrypted session.
-.IP \fB\-c\fP
-Require Kerberos5 clients to present a cryptographic checksum of
-initial connection information like the name of the user that the
-client is trying to access in the initial authenticator. This
-checksum provides additionl security by preventing an attacker from
-changing the initial connection information. To benefit from this
-security, only Kerberos5 should be trusted; Kerberos4 and rhosts
-authentication do not include this checksum. If this options is
+.IP \fB\-c\fP
+Require Kerberos5 clients to present a cryptographic
+checksum of initial connection information like the name of the user
+that the client is trying to access in the initial authenticator.
+This checksum provides additionl security by preventing an attacker
+from changing the initial connection information. To benefit from
+this security, only Kerberos5 should be trusted; Kerberos4 and rhosts
+authentication do not include this checksum. If this option is
specified, older Kerberos5 clients that do not send a checksum in the
-authenticator will not be able to authenticate to this server.
+authenticator will not be able to authenticate to this server. This
+option is mutually exclusive with the \fB-i\fP option.
+
+ If neither the \fB-c\fP or \fB-i\fP options are specified,then
+checksums are validated if presented. Since it is difficult to remove
+a checksum from an authenticator without making the authenticator
+invalid, this default mode is almost as significant of a security
+improvement as \fB-c\fP if new clients are used. It has the additional
+advantage of backwards compatability with some clients.
+Unfortunately, clients before Kerberos V5, Beta5, generate invalid
+checksums; if these clients are used, the \fB-i\fP option must be
+used.
+
+.IP \fB\-i\fP
+Ignore authenticator checksums if provided. This option
+ignore authenticator checksusm presented by current Kerberos clients
+to protect initial connection information; it is the opposite of
+\fB-c\fP. This option is provided because some older
+clients--particularly clients predating the release of Kerberos V5
+Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+authentication from succeeding in the default mode.
+
.PP
If the
krb5_keytab keytab = NULL;
-#define ARGSTR "rk54cepPD:S:M:L:?"
+#define ARGSTR "rk54ciepPD:S:M:L:?"
#else /* !KERBEROS */
#define ARGSTR "rpPD:?"
#define (*des_read) read
#define AUTH_RHOSTS (0x4)
int auth_ok = 0, auth_sent = 0;
int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
-int checksum_required = 0;
+int checksum_required = 0, checksum_ignored = 0;
int main(argc, argv)
int argc;
case 'c':
checksum_required = 1;
break;
+ case 'i':
+ checksum_ignored = 1;
+ break;
+
#ifdef KRB5_KRB4_COMPAT
case '4':
auth_ok |= AUTH_KRB4;
syslog(LOG_CRIT, "No authentication systems were enabled; all connections will be refused.");
fatal(fd, "All authentication systems disabled; connection refused.");
}
+
+ if (checksum_required&&checksum_ignored) {
+ syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
+ fatal(fd, "Configuration error: mutually exclusive options specified");
+ }
doit(fd, &from);
return 0;
if (checksum_required && !valid_checksum) {
if (auth_sent & AUTH_KRB5) {
- syslog(LOG_WARNING, "Client did not supply required checksum.");
+ syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
} else {
- syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
+ syslog(LOG_WARNING,
+ "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections.");
}
}
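Review bot: The else branch of the `checksum_required && !valid_checksum` test only logs at LOG_WARNING and then falls through to the `auth_ok&auth_sent` check, so a non-Kerberos5 client still appears to be accepted even though the new message calls this a configuration error. If -c is meant to fail closed, reject here as the Kerberos5 branch does, e.g. `fatal(netf, "Configuration error: -c requires Kerberos5-only authentication");`, or refuse the combination next to the -c/-i check before doit(). The same pattern is in the matching krshd.c hunk, where the else branch would need an `error(...)` call followed by `goto signout_please;`. The enclosing function starts and ends outside the hunk, so whether a later check rejects the connection cannot be seen from here.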
if (auth_ok&auth_sent) /* This should be bitwise.*/
getstr(netf, lusername, sizeof (lusername), "locuser");
getstr(netf, term, sizeof(term), "Terminal type");
- if ((auth_sys == KRB5_RECVAUTH_V5) && checksum_required) {
+ if ((auth_sys == KRB5_RECVAUTH_V5) && !checksum_ignored) {
if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context,
&authenticator)))
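Review bot: This condition now selects between three checksum modes using two independent flags, and nothing at the call site says so. A comment above the `if`, such as `/* Validate the authenticator checksum unless -i was given; -c additionally rejects clients that send none. */`, would make the default behaviour clear. The body of the `if` continues outside the hunk, so how an authenticator with no checksum is treated in the default mode cannot be confirmed from here. No corresponding change to the validation condition in krshd.c is visible on this page, which is worth checking because the ChangeLog says both daemons implement -i.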
by
.IR krshd .
-\fIKrshd\fP can be configured either by command-line arguments passed
-by \fIinetd(8)\fP,
-or by the name of the daemon. If command-line arguments are present, they
-take priority. The options are:
+\fIKrshd\fP can be configured by command-line arguments passed
+by \fIinetd(8)\fP.
+ The options are:
.IP \fB\-5\fP 10
Allow Kerberos5 authentication with the \fI.k5login\fP access control file
Require the client to encrypt the connection. Only Kerberos5 clients
support encryption.
-.IP \fB\-c\fP
-Require Kerberos5 clients to present a cryptographic checksum of
-initial connection information like the name of the user that the
-client is trying to access in the initial authenticator. This
-checksum provides additionl security by preventing an attacker from
-changing the initial connection information. To benefit from this
-security, only Kerberos5 should be trusted; Kerberos4 and rhosts
+.IP \fB\-c\fP
+Require Kerberos5 clients to present a cryptographic
+checksum of initial connection information like the name of the user
+that the client is trying to access in the initial authenticator.
+This checksum provides additionl security by preventing an attacker
+from changing the initial connection information. To benefit from
+this security, only Kerberos5 should be trusted; Kerberos4 and rhosts
authentication do not include this checksum. If this option is
specified, older Kerberos5 clients that do not send a checksum in the
-authenticator will not be able to authenticate to this server.
+authenticator will not be able to authenticate to this server. This
+option is mutually exclusive with the \fB-i\fP option.
+
+ If neither the \fB-c\fP or \fB-i\fP options are specified,then
+checksums are validated if presented. Since it is difficult to remove
+a checksum from an authenticator without making the authenticator
+invalid, this default mode is almost as significant of a security
+improvement as \fB-c\fP if new clients are used. It has the additional
+advantage of backwards compatability with some clients.
+Unfortunately, clients before Kerberos V5, Beta5, generate invalid
+checksums; if these clients are used, the \fB-i\fP option must be
+used.
+
+.IP \fB\-i\fP
+Ignore authenticator checksums if provided. This option
+ignore authenticator checksusm presented by current Kerberos clients
+to protect initial connection information; it is the opposite of
+\fB-c\fP. This option is provided because some older
+clients--particularly clients predating the release of Kerberos V5
+Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+authentication from succeeding in the default mode.
+
.PP
If the \fB\-r\fP or \fB\-R\fP options are used, the client must
#include "com_err.h"
#include "loginpaths.h"
-#define ARGSTR "rek54cD:S:M:AP:?L:"
+#define ARGSTR "rek54ciD:S:M:AP:?L:"
#define RSHD_BUFSIZ 5120
#define AUTH_KRB5 (0x2)
#define AUTH_RHOSTS (0x4)
int auth_ok = 0, auth_sent = 0;
-int checksum_required = 0;
+int checksum_required = 0, checksum_ignored = 1;
char *progname;
#define MAX_PROG_NAME 10
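Review bot: `checksum_ignored` is initialised to 1 here, while krlogind.c initialises it to 0, so in krshd the new `case 'i'` is a no-op and checksums look ignored by default. Together with the new `checksum_required&&checksum_ignored` test before doit(), any invocation with -c would hit the "mutually exclusive options" fatal() even though -i was never given. The man page text in this change describes the default as validating checksums when presented, which matches `int checksum_required = 0, checksum_ignored = 0;`.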
case 'c':
checksum_required = 1;
break;
+ case 'i':
+ checksum_ignored = 1;
+ break;
+
#ifdef KRB5_KRB4_COMPAT
case '4':
auth_ok |= AUTH_KRB4;
fd = 0;
}
+
+ if (checksum_required&&checksum_ignored) {
+ syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
+ fatal(fd, "Configuration error: mutually exclusive options specified");
+ }
if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
sizeof (on)) < 0)
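Review bot: The mutual-exclusion check added here is added again, verbatim, in the next hunk just before `doit(dup(fd), &from);`, so the same test appears to run twice on one path. Keep a single copy, preferably the later one so that it sits after all option and socket setup, and drop this block. Both copies call fatal(fd, ...), so the duplication looks harmless at runtime, but it invites the two drifting apart. The spacing in `checksum_required&&checksum_ignored` and `syslog( LOG_CRIT` also differs from the surrounding calls.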
sizeof (linger)) < 0)
syslog(LOG_WARNING , "setsockopt (SO_LINGER): %m");
#endif
+ if (checksum_required&&checksum_ignored) {
+ syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
+ fatal(fd, "Configuration error: mutually exclusive options specified");
+ }
+
doit(dup(fd), &from);
return 0;
}
if (checksum_required && !valid_checksum) {
if (auth_sent & AUTH_KRB5) {
- syslog(LOG_WARNING, "Client did not supply required checksum.");
+ syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
error( "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
goto signout_please;
} else {
- syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
+ syslog(LOG_WARNING,
+ "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections.");
}
}
if (require_encrypt&&(!do_encrypt)) {