From: Tom Yu Date: Wed, 17 Feb 1999 22:26:33 +0000 (+0000) Subject: * klogind.M: Document things a little better, including new X-Git-Tag: krb5-1.1-beta1~358 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0e4ead54c1994ccc90fa3829b7bff6cc1d2284d0;p=krb5.git * klogind.M: Document things a little better, including new options controlling hostname manipulation. * krlogind.c: Make use of pty_make_sane_hostname() for purposes of manipulating hostname to pass to login. Also unconditionally syslog IP address and full hostname of remote host. Add command line options to control such behavior. * configure.in: Add arpa/nameser.h to CHECK_HEADERS. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11176 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index fdea771fd..08eb74d77 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,15 @@ +Wed Feb 17 17:24:11 1999 Tom Yu + + * klogind.M: Document things a little better, including new + options controlling hostname manipulation. + + * krlogind.c: Make use of pty_make_sane_hostname() for purposes of + manipulating hostname to pass to login. Also unconditionally + syslog IP address and full hostname of remote host. Add command + line options to control such behavior. + + * configure.in: Add arpa/nameser.h to CHECK_HEADERS. + Wed Jan 20 21:42:41 1999 Tom Yu * login.c (main): Call setluid(). diff --git a/src/appl/bsd/configure.in b/src/appl/bsd/configure.in index 15db24fe6..f96f9909f 100644 --- a/src/appl/bsd/configure.in +++ b/src/appl/bsd/configure.in @@ -64,7 +64,7 @@ dnl AC_VFORK AC_TYPE_MODE_T AC_CHECK_FUNCS(isatty inet_aton gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes) -AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h) +AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h arpa/nameser.h) AC_HEADER_STDARG AC_REPLACE_FUNCS(getdtablesize) KRB5_SIGTYPE diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M index 1cc7ee404..10211b38e 100644 --- a/src/appl/bsd/klogind.M +++ b/src/appl/bsd/klogind.M @@ -10,7 +10,11 @@ klogind \- remote login server .SH SYNOPSIS .B klogind [ -.B \-kr54cpPe +.B \-kr54cpPesI +] +[ +.B \-u +.I utmp_hostname_length ] .SH DESCRIPTION .I Klogind @@ -127,6 +131,21 @@ The screen or window size of the terminal is requested from the client, and window size changes from the client are propagated to the pseudo terminal. +.PP +.I Klogind +supports the following options to control the form of the hostname +passed to the login program: + +.IP \fB-u\ utmp_hostname_length\fP +Set the maximum length of hostname passed to login to +\fIutmp_hostname_length\fP bytes, including terminating nul. + +.IP \fB-I\fP +Always pass a numeric IP address to login. + +.IP \fB-s\fP +Don't strip the local domain off hostnames. + .PP .I Klogind supports three options which are used for testing diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index f43389719..b57b5a746 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -260,7 +260,7 @@ krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; -#define ARGSTR "k54ciepPD:S:M:L:f?" +#define ARGSTR "k54ciepPD:S:M:L:fu:Is?" #else /* !KERBEROS */ #define ARGSTR "rpPD:f?" #endif /* KERBEROS */ @@ -286,11 +286,20 @@ char *login_program = LOGIN_PROGRAM; #define UT_NAMESIZE sizeof(((struct utmp *)0)->ut_name) #endif +#if HAVE_ARPA_NAMESER_H +#include +#endif + +#ifndef MAXDNAME +#define MAXDNAME 256 /*per the rfc*/ +#endif + char lusername[UT_NAMESIZE+1]; char rusername[UT_NAMESIZE+1]; char *krusername = 0; char term[64]; -char rhost_name[128]; +char rhost_name[MAXDNAME]; +char rhost_addra[16]; krb5_principal client; int do_inband = 0; @@ -327,6 +336,10 @@ int auth_ok = 0, auth_sent = 0; int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0; int checksum_required = 0, checksum_ignored = 0; +int stripdomain = 1; +int maxhostlen = 0; +int always_ip = 0; + int main(argc, argv) int argc; char **argv; @@ -428,6 +441,15 @@ int main(argc, argv) case 'f': do_fork = 1; break; + case 'u': + maxhostlen = atoi(optarg); + break; + case 'I': + always_ip = 1; + break; + case 's': + stripdomain = 0; + break; case '?': default: usage(); @@ -564,7 +586,9 @@ void doit(f, fromp) struct sigaction sa; #endif int retval; -int syncpipe[2]; + char *rhost_sane; + int syncpipe[2]; + netf = -1; if (setsockopt(f, SOL_SOCKET, SO_KEEPALIVE, (const char *) &on, sizeof (on)) < 0) @@ -601,18 +625,14 @@ int syncpipe[2]; fromp->sin_port = ntohs((u_short)fromp->sin_port); hp = gethostbyaddr((char *) &fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); - if (hp == 0) { - /* - * Only the name is used below. - */ - sprintf(rhost_name,"%s",inet_ntoa(fromp->sin_addr)); - } - - /* Save hostent information.... */ - else { + strncpy(rhost_addra, inet_ntoa(fromp->sin_addr), sizeof (rhost_addra)); + rhost_addra[sizeof (rhost_addra) -1] = '\0'; + if (hp != NULL) { + /* Save hostent information.... */ strncpy(rhost_name,hp->h_name,sizeof (rhost_name)); rhost_name[sizeof (rhost_name) - 1] = '\0'; - } + } else + rhost_name[0] = '\0'; if (fromp->sin_family != AF_INET) fatal(f, "Permission denied - Malformed from address\n"); @@ -629,7 +649,7 @@ int syncpipe[2]; #if defined(KERBEROS) /* All validation, and authorization goes through do_krb_login() */ - do_krb_login(rhost_name); + do_krb_login(rhost_addra, rhost_name); #else getstr(f, rusername, sizeof(rusername), "remuser"); getstr(f, lusername, sizeof(lusername), "locuser"); @@ -720,11 +740,13 @@ int syncpipe[2]; pwd = (struct passwd *) getpwnam(lusername); if (pwd && (pwd->pw_uid == 0)) { if (passwd_req) - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) forcing password access", - krusername ? krusername : "", rusername, rhost_name); + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s)) forcing password access", + krusername ? krusername : "", + rusername, rhost_addra, rhost_name); else - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) ", - krusername ? krusername : "", rusername, rhost_name); + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", + krusername ? krusername : "", + rusername, rhost_addra, rhost_name); } #ifdef KERBEROS #if defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) @@ -745,14 +767,14 @@ int syncpipe[2]; { if (passwd_req) syslog(LOG_NOTICE, - "login by %s (%s@%s) as %s forcing password access\n", + "login by %s (%s@%s (%s)) as %s forcing password access", krusername ? krusername : "", rusername, - rhost_name, lusername); + rhost_addra, rhost_name, lusername); else syslog(LOG_NOTICE, - "login by %s (%s@%s) as %s\n", + "login by %s (%s@%s (%s)) as %s", krusername ? krusername : "", rusername, - rhost_name, lusername); + rhost_addra, rhost_name, lusername); } #endif /* LOG_REMOTE_REALM || LOG_OTHER_USERS || LOG_ALL_LOGINS */ #endif /* KERBEROS */ @@ -775,15 +797,20 @@ int syncpipe[2]; *cp = '\0'; setenv("TERM",term, 1); } - + + retval = pty_make_sane_hostname(fromp, maxhostlen, + stripdomain, always_ip, + &rhost_sane); + if (retval) + fatalperror(2, "failed make_sane_hostname"); if (passwd_req) - execl(login_program, "login", "-p", "-h", rhost_name, + execl(login_program, "login", "-p", "-h", rhost_sane, lusername, 0); else - execl(login_program, "login", "-p", "-h", rhost_name, + execl(login_program, "login", "-p", "-h", rhost_sane, "-f", lusername, 0); #else /* USE_LOGIN_F */ - execl(login_program, "login", "-r", rhost_name, 0); + execl(login_program, "login", "-r", rhost_sane, 0); #endif /* USE_LOGIN_F */ fatalperror(2, login_program); @@ -1159,8 +1186,8 @@ void fatalperror(f, msg) #ifdef KERBEROS void -do_krb_login(host) - char *host; +do_krb_login(host_addr, hostname) + char *host_addr, *hostname; { krb5_error_code status; struct passwd *pwd; @@ -1178,8 +1205,8 @@ do_krb_login(host) krb5_free_ticket(bsd_context, ticket); if (status != 255) syslog(LOG_ERR, - "Authentication failed from %s: %s\n", - host,error_message(status)); + "Authentication failed from %s (%s): %s\n",host_addr, + hostname,error_message(status)); fatal(netf, "Kerberos authentication failed"); return; }