From: Ken Raeburn Date: Fri, 8 Mar 2002 23:02:05 +0000 (+0000) Subject: (kcmd_connect): copy out correct remote address to caller X-Git-Tag: krb5-1.3-alpha1~838 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0e76dadc3a2619cb092ed75552d337347caedfd2;p=krb5.git (kcmd_connect): copy out correct remote address to caller git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14256 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/bsd/Makefile.in b/src/appl/bsd/Makefile.in index 92b4dc872..f596999c0 100644 --- a/src/appl/bsd/Makefile.in +++ b/src/appl/bsd/Makefile.in @@ -60,8 +60,8 @@ install:: ) || exit 1; \ done f=$(V4RCP); \ - if test -n "$$f" ; then $(INSTALL_SETUID) $$f \ - $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \ + if test -n "$$f" ; then $(INSTALL_PROGRAM) $$f \ + $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`.real; \ $(INSTALL_DATA) $(srcdir)/$$f.M \ ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \ fi diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c index f69cf0752..424854b8a 100644 --- a/src/appl/bsd/kcmd.c +++ b/src/appl/bsd/kcmd.c @@ -196,7 +196,6 @@ kcmd_connect (int *sp, int *addrfamilyp, struct sockaddr_in *sockinp, struct sockaddr_in *laddrp) { int s, aierr; - struct sockaddr_in sockin; struct addrinfo *ap, *ap2, aihints; char rport_buf[10]; GETSOCKNAME_ARG3_TYPE sin_len; @@ -282,7 +281,7 @@ connected: } *sp = s; - *sockinp = sockin; + *sockinp = *(struct sockaddr_in *) ap->ai_addr; return 0; } diff --git a/src/appl/bsd/krcp.c b/src/appl/bsd/krcp.c index 5ad6a25a1..c48ed80eb 100644 --- a/src/appl/bsd/krcp.c +++ b/src/appl/bsd/krcp.c @@ -47,6 +47,8 @@ char copyright[] = #include #include #include + +#include #include @@ -93,6 +95,7 @@ Key_schedule v4_schedule; CREDENTIALS v4_cred; KTEXT_ST v4_ticket; MSG_DAT v4_msg_data; +int v4_only; #endif void v4_send_auth(char *, char *), try_normal(char **); @@ -125,6 +128,7 @@ int forcenet; struct passwd *pwd; int userid; int port = 0; +static const char *me; struct buffer { unsigned int cnt; @@ -173,6 +177,12 @@ int main(argc, argv) } #endif + me = strrchr (argv[0], '/'); + if (me) + me++; + else + me = argv[0]; + pwd = getpwuid(userid = getuid()); if (pwd == 0) { fprintf(stderr, "who are you?\n"); @@ -244,6 +254,11 @@ int main(argc, argv) else usage (); goto next_arg; +#ifdef KRB5_KRB4_COMPAT + case '4': + v4_only = 1; + break; +#endif #endif /* KERBEROS */ /* The rest of these are not for users. */ case 'd': @@ -252,6 +267,7 @@ int main(argc, argv) case 'f': /* "from" */ iamremote = 1; + openlog (me, LOG_PID, LOG_DAEMON); rcmd_stream_init_normal(); #if defined(KERBEROS) if (encryptflag) @@ -264,6 +280,7 @@ int main(argc, argv) case 't': /* "to" */ iamremote = 1; + openlog (me, LOG_PID, LOG_DAEMON); rcmd_stream_init_normal(); #if defined(KERBEROS) if (encryptflag) @@ -425,6 +442,10 @@ int main(argc, argv) cmd, targ); host = thost; #ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT + if (v4_only) + goto try_krb4; +#endif authopts = AP_OPTS_MUTUAL_REQUIRED; status = kcmd(&sock, &host, port, @@ -449,6 +470,7 @@ int main(argc, argv) /* Don't fall back to less safe methods. */ exit (1); #ifdef KRB5_KRB4_COMPAT + try_krb4: fprintf(stderr, "Trying krb4 rcp...\n"); if (strncmp(buf, "-x rcp", 6) == 0) memcpy(buf, "rcp -x", 6); @@ -951,8 +973,11 @@ krb5_sigtype lostconn(signumber) int signumber; { + char *reason = signumber ? "signal" : "eof"; if (iamremote == 0) - fprintf(stderr, "rcp: lost connection\n"); + fprintf(stderr, "rcp: lost connection (%s)\n", reason); + else + syslog(LOG_ERR, "lost connection (%s)", reason); exit(1); } @@ -1251,8 +1276,14 @@ error(fmt, va_alist) void usage() { #ifdef KERBEROS +# ifdef KRB5_KRB4_COMPAT +# define POPT "[-PN | -PO | -4]" +# else +# define POPT "[-PN | -PO]" +# endif fprintf(stderr, - "Usage: \trcp [-PN | -PO] [-p] [-x] [-k realm] f1 f2; or:\n\trcp [-PN | -PO] [-r] [-p] [-x] [-k realm] f1 ... fn d2\n"); + "Usage:\trcp " POPT " [-p] [-x] [-k realm] f1 f2\n" + " or:\trcp " POPT " [-r] [-p] [-x] [-k realm] f1 ... fn d2\n"); #else fputs("usage: rcp [-p] f1 f2; or: rcp [-rp] f1 ... fn d2\n", stderr); #endif diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index 76d1f5397..dc3a556f3 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -300,8 +300,8 @@ char lusername[UT_NAMESIZE+1]; char rusername[UT_NAMESIZE+1]; char *krusername = 0; char term[64]; -char rhost_name[MAXDNAME]; -char rhost_addra[16]; +char rhost_name[NI_MAXHOST]; +char rhost_addra[NI_MAXHOST]; krb5_principal client; int do_inband = 0; @@ -322,7 +322,7 @@ extern int daemon(int, int); #define VHANG_LAST /* vhangup must occur on close, not open */ #endif -void fatal(int, const char *), fatalperror(int, const char *), doit(int, struct sockaddr_in *), usage(void), do_krb_login(char *, char *), getstr(int, char *, int, char *); +void fatal(int, const char *), fatalperror(int, const char *), doit(int, struct sockaddr *), usage(void), do_krb_login(char *, char *), getstr(int, char *, int, char *); void protocol(int, int); int princ_maps_to_lname(krb5_principal, char *), default_realm(krb5_principal); krb5_sigtype cleanup(int); @@ -353,7 +353,7 @@ int main(argc, argv) extern int opterr, optind; extern char * optarg; int on = 1, fromlen, ch; - struct sockaddr_in from; + struct sockaddr_storage from; int debug_port = 0; int fd; int do_fork = 0; @@ -542,7 +542,7 @@ int main(argc, argv) syslog(LOG_ERR, "fork: %s", error_message(errno)); case 0: (void) close(s); - doit(fd, &from); + doit(fd, (struct sockaddr *) &from); close(fd); exit(0); default: @@ -570,7 +570,7 @@ int main(argc, argv) fd = 0; } - doit(fd, &from); + doit(fd, (struct sockaddr *) &from); return 0; } @@ -593,7 +593,7 @@ int pid; /* child process id */ void doit(f, fromp) int f; - struct sockaddr_in *fromp; + struct sockaddr *fromp; { int p, t, on = 1; register struct hostent *hp; @@ -640,24 +640,28 @@ void doit(f, fromp) sa.sa_flags = 0; #endif - fromp->sin_port = ntohs((u_short)fromp->sin_port); + if (fromp->sa_family == AF_INET) + portnum = ntohs(((struct sockaddr_in *)fromp)->sin_port); +#ifdef KRB5_USE_INET6 + else if (fromp->sa_family == AF_INET6) + portnum = ntohs(((struct sockaddr_in6 *)fromp)->sin6_port); +#endif + else + fatal(f, "Permission denied - Malformed from address\n"); + + if (getnameinfo (fromp, socklen(fromp), rhost_name, sizeof(rhost_name), + 0, 0, 0)) + rhost_name[0] = 0; + if (getnameinfo (fromp, socklen(fromp), rhost_addra, sizeof(rhost_addra), + 0, 0, NI_NUMERICHOST)) + strcpy(rhost_addra, "??"); + hp = gethostbyaddr((char *) &fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); strncpy(rhost_addra, inet_ntoa(fromp->sin_addr), sizeof (rhost_addra)); - rhost_addra[sizeof (rhost_addra) -1] = '\0'; - if (hp != NULL) { - /* Save hostent information.... */ - strncpy(rhost_name,hp->h_name,sizeof (rhost_name)); - rhost_name[sizeof (rhost_name) - 1] = '\0'; - } else - rhost_name[0] = '\0'; - - if (fromp->sin_family != AF_INET) - fatal(f, "Permission denied - Malformed from address\n"); #ifndef KERBEROS - if (fromp->sin_port >= IPPORT_RESERVED || - fromp->sin_port < IPPORT_RESERVED/2) + if (portnum >= IPPORT_RESERVED || portnum < IPPORT_RESERVED/2) fatal(f, "Permission denied - Connection from bad port"); #endif /* KERBEROS */ @@ -816,7 +820,7 @@ void doit(f, fromp) setenv("TERM",term, 1); } - retval = pty_make_sane_hostname((struct sockaddr *) fromp, maxhostlen, + retval = pty_make_sane_hostname(fromp, maxhostlen, stripdomain, always_ip, &rhost_sane); if (retval) @@ -843,7 +847,7 @@ void doit(f, fromp) ** The master blocks here until it reads a byte. */ -(void) close(syncpipe[1]); + (void) close(syncpipe[1]); if (read(syncpipe[0], &c, 1) != 1) { /* * Problems read failed ... @@ -867,7 +871,7 @@ void doit(f, fromp) * will fail to work properly */ #endif /* KERBEROS */ - ioctl(f, FIONBIO, &on); + ioctl(f, FIONBIO, &on); ioctl(p, FIONBIO, &on); /* FIONBIO doesn't always work on ptys, use fcntl to set O_NDELAY? */ @@ -1382,7 +1386,10 @@ recvauth(valid_checksum) { krb5_auth_context auth_context = NULL; krb5_error_code status; + struct sockaddr_storage peer_addr, local_addr; +#if 0 struct sockaddr_in peersin, laddr; +#endif int len; krb5_data inbuf; char v4_instance[INST_SZ]; /* V4 Instance */ @@ -1394,12 +1401,12 @@ recvauth(valid_checksum) *valid_checksum = 0; len = sizeof(laddr); - if (getsockname(netf, (struct sockaddr *)&laddr, &len)) { + if (getsockname(netf, (struct sockaddr *)&local_addr, &len)) { exit(1); } - - len = sizeof(peersin); - if (getpeername(netf, (struct sockaddr *)&peersin, &len)) { + + len = sizeof(peer_addr); + if (getpeername(netf, (struct sockaddr *)&peer_addr, &len)) { syslog(LOG_ERR, "get peer name failed %d", netf); exit(1); } diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 6f7f447d9..3e047470d 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -216,7 +216,7 @@ int maxhostlen = 0; int stripdomain = 1; int always_ip = 0; -static krb5_error_code recvauth(int netfd, struct sockaddr_in peersin, +static krb5_error_code recvauth(int netfd, struct sockaddr *peersin, int *valid_checksum); #else /* !KERBEROS */ @@ -264,7 +264,7 @@ void error (char *fmt, ...) ; void usage(void), getstr(int, char *, int, char *), - doit(int, struct sockaddr_in *); + doit(int, struct sockaddr *); #ifndef HAVE_INITGROUPS int initgroups(char* name, gid_t basegid) { @@ -286,7 +286,7 @@ int main(argc, argv) struct linger linger; #endif int on = 1, fromlen; - struct sockaddr_in from; + struct sockaddr_storage from; extern int opterr, optind; extern char *optarg; int ch; @@ -492,7 +492,7 @@ int main(argc, argv) fatal(fd, "Configuration error: mutually exclusive options specified"); } - doit(dup(fd), &from); + doit(dup(fd), (struct sockaddr *) &from); return 0; } @@ -609,7 +609,7 @@ cleanup(signumber) void doit(f, fromp) int f; - struct sockaddr_in *fromp; + struct sockaddr *fromp; { char *cp; #ifdef KERBEROS @@ -817,7 +817,7 @@ void doit(f, fromp) exit(1); } - if ((status = recvauth(f, fromaddr,&valid_checksum))) { + if ((status = recvauth(f, fromaddr, &valid_checksum))) { error("Authentication failed: %s\n", error_message(status)); exit(1); } @@ -945,14 +945,11 @@ void doit(f, fromp) if (port) { /* Place entry into wtmp */ sprintf(ttyn,"krsh%ld",(long) (getpid() % 9999999)); - pty_logwtmp(ttyn,locuser,sane_host); - } - /* We are simply execing a program over rshd : log entry into wtmp, - as kexe(pid), then finish out the session right after that. - Syslog should have the information as to what was exec'd */ - else { - pty_logwtmp(ttyn,locuser,sane_host); } + /* else: We are simply execing a program over rshd : log entry into wtmp, + as kexe(pid), then finish out the session right after that. + Syslog should have the information as to what was exec'd */ + pty_logwtmp(ttyn,locuser,sane_host); #ifdef CRAY diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c index dee36247a..e2fd62d27 100644 --- a/src/appl/bsd/login.c +++ b/src/appl/bsd/login.c @@ -818,7 +818,8 @@ static int verify_krb_v4_tgt (realm) memcpy ((char *) &addr, (char *)hp->h_addr, sizeof (addr)); /* Do we have rcmd. keys? */ #if 0 /* Be paranoid. If srvtab exists, assume it must contain the - right key. */ + right key. The more paranoid mode also helps avoid a + possible DNS spoofing issue. */ have_keys = read_service_key (rcmd_str, phost, realm, 0, KEYFILE, key) ? 0 : 1; memset (key, 0, sizeof (key));