From: Sam Hartman Date: Tue, 16 Apr 1996 18:19:13 +0000 (+0000) Subject: * Changes to not use streams on HPUX X-Git-Tag: krb5-1.0-beta6~200 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=1da7e425e03659a281674d7716a37754543f0634;p=krb5.git * Changes to not use streams on HPUX * Changes to abort the session if telnetd receives certain options such as environment or DISPLAY options before authentication and encryption is negotiated or not negotiated. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7818 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/telnet/telnetd/ChangeLog b/src/appl/telnet/telnetd/ChangeLog index 2c66434f8..2c7c36b63 100644 --- a/src/appl/telnet/telnetd/ChangeLog +++ b/src/appl/telnet/telnetd/ChangeLog @@ -1,3 +1,16 @@ +Tue Apr 16 12:23:02 1996 Sam Hartman + + * configure.in : Treat HPUX as if it doesn't have streams. + + * state.c (suboption): For certain options like environment and X + display, require authentication and encryption to be established + or not established before processing the option. + (sb_auth_complete): Fail and kill telnetd if authentication + negotiation is not complete. + + * ext.h: Define new global variable indicating whether encryption + wait has happened. + Thu Apr 11 21:44:39 1996 Richard Basch * sys_term.c (cleanup): Call the Kerberos 5 cleanup routine, also. diff --git a/src/appl/telnet/telnetd/configure.in b/src/appl/telnet/telnetd/configure.in index 9a4648b94..42a3c7ed8 100644 --- a/src/appl/telnet/telnetd/configure.in +++ b/src/appl/telnet/telnetd/configure.in 
@@ -29,12 +29,15 @@ dnl Make our operating system-specific security checks and definitions for dnl login. dnl case $krb5_cv_host in +*-*-hpux-*) + broken_streams=yes + ;; *-*-irix*) # Irix doesn't have a working granpt, and more over # you can't push anything onto a pty, so telnetd really # Really wants to treat it as if it doesn't have streams broken_streams=yes -;; + ;; esac if test -z "$broken_streams" ; then AC_FUNC_CHECK(grantpt,AC_DEFINE(STREAMSPTY)) diff --git a/src/appl/telnet/telnetd/ext.h b/src/appl/telnet/telnetd/ext.h index 2f577da49..37e2a1970 100644 --- a/src/appl/telnet/telnetd/ext.h +++ b/src/appl/telnet/telnetd/ext.h @@ -63,7 +63,7 @@ extern int require_SecurID; #if defined(AUTHENTICATION) extern int auth_level; #endif - +extern int auth_negotiated; /* Have we finished all authentication negotiation we plan to finish?*/ extern slcfun slctab[NSLC + 1]; /* slc mapping table */ extern char *terminaltype; diff --git a/src/appl/telnet/telnetd/state.c b/src/appl/telnet/telnetd/state.c index b61879297..0f19371ce 100644 --- a/src/appl/telnet/telnetd/state.c +++ b/src/appl/telnet/telnetd/state.c @@ -81,6 +81,17 @@ unsigned char *subsave; #define TS_DO 7 /* do " */ #define TS_DONT 8 /* dont " */ +static void sb_auth_complete() +{ + if (!auth_negotiated) { + static char *error = + "An environment option was sent before authentication negotiation completed.\r\nThis may create a security hazard. Connection dropped.\r\n"; + writenet(error, strlen(error)); + netflush(); + exit(1); + } +} + void telrcv() { @@ -1108,6 +1119,8 @@ suboption() if (his_state_is_wont(TELOPT_TSPEED)) /* Ignore if option disabled */ break; + sb_auth_complete(); + settimer(tspeedsubopt); if (SB_EOF() || SB_GET() != TELQUAL_IS) @@ -1131,6 +1144,7 @@ suboption() if (his_state_is_wont(TELOPT_TTYPE)) /* Ignore if option disabled */ break; +sb_auth_complete(); settimer(ttypesubopt); if (SB_EOF() || SB_GET() != TELQUAL_IS) { 
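Review bot: The new case pattern `*-*-hpux-*)` requires a hyphen after `hpux`, while the existing arm next to it is written `*-*-irix*)` with no trailing hyphen. Canonical host names for HP-UX normally put the OS version directly after the name (for example `hppa1.1-hp-hpux10.20`), so this arm would probably never match. In that case `broken_streams` stays empty and the `grantpt` check below can still define `STREAMSPTY`, which is what the commit set out to prevent. Suggest `*-*-hpux*)` to match the irix form.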
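Review bot: The comment on `auth_negotiated` mentions only authentication, but the ChangeLog entry in this same commit describes the variable as recording that the encryption wait has happened. Note also that the declaration sits outside the `#if defined(AUTHENTICATION)` block just above it. Suggest a comment that states what the flag tracks and who uses it, e.g. `/* Set by getterminaltype() once it has stopped waiting for authentication and encryption negotiation, whatever the outcome; tested by sb_auth_complete() in state.c */`. The definition of the variable is not part of this diff, so it is presumably allocated wherever the other ext.h globals are; worth confirming that it starts at 0.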
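Review bot: The message in `sb_auth_complete()` says "An environment option was sent", but the later hunks call the helper from the TELOPT_TSPEED, TELOPT_TTYPE and TELOPT_XDISPLOC cases as well, so it is wrong for three of the four call sites. Wording such as `"A terminal or environment option was sent before authentication negotiation completed.\r\n..."` would cover all of them. The drop also leaves no trace on the server, because the text goes only to the peer before `exit(1)`. A record such as `syslog(LOG_WARNING, "suboption received before authentication negotiation completed; dropping connection");` ahead of `writenet()` would let operators detect and count these events, assuming syslog is already available in state.c. Because `exit(1)` is called directly, it is also worth confirming that nothing handled by the `cleanup` routine in sys_term.c (named in the ChangeLog context) can already exist at this point.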
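Review bot: The added `sb_auth_complete();` in this TELOPT_TTYPE hunk starts at column 0, whereas the same call in the TELOPT_TSPEED hunk above appears indented with the case body. The calls added in the TELOPT_XDISPLOC and environment hunks further down are unindented too. A security gate that sits flush left inside an indented switch is easy to mistake for leftover debugging and to lose in a later cleanup. Suggest indenting each call to the level of the neighbouring `settimer(...)` or `c = SB_GET();` statement and adding a short comment such as `/* refuse client-supplied values until negotiation has finished */`. suboption() begins and ends outside these hunks.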
@@ -1250,6 +1264,7 @@ suboption() case TELOPT_XDISPLOC: { if (SB_EOF() || SB_GET() != TELQUAL_IS) return; +sb_auth_complete(); settimer(xdisplocsubopt); subpointer[SB_LEN()] = '\0'; (void)setenv("DISPLAY", (char *)subpointer, 1); @@ -1265,6 +1280,7 @@ suboption() if (SB_EOF()) return; +sb_auth_complete(); c = SB_GET(); if (c == TELQUAL_IS) { if (subchar == TELOPT_OLD_ENVIRON) diff --git a/src/appl/telnet/telnetd/telnetd.c b/src/appl/telnet/telnetd/telnetd.c index cbf76f855..1fd55e624 100644 --- a/src/appl/telnet/telnetd/telnetd.c +++ b/src/appl/telnet/telnetd/telnetd.c @@ -713,6 +713,9 @@ getterminaltype(name) } } #endif /* ENCRYPTION */ + /* Options like environment require authentication and encryption + negotiation to be completed.*/ + auth_negotiated = 1; if (his_state_is_will(TELOPT_TSPEED)) { static unsigned char sb[] = { IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
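Review bot: In the TELOPT_XDISPLOC case the new gate is the only check before the client's string reaches `setenv("DISPLAY", ...)`. The TELOPT_TSPEED and TELOPT_TTYPE cases test `his_state_is_wont(...)` first, but the visible lines of this case do not, so once `auth_negotiated` is set a DISPLAY value is accepted even if the option was never agreed. Suggest adding `if (his_state_is_wont(TELOPT_XDISPLOC)) break;` at the top of the case, as the other two cases do. In addition, `sb_auth_complete()` runs only after the `TELQUAL_IS` test here, so a premature XDISPLOC suboption with any other qualifier is ignored rather than dropped. That is harmless, but it differs from the environment hunk below, where the gate precedes `SB_GET()`; the rest of suboption() is outside the hunk.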
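Review bot: `auth_negotiated = 1;` is assigned unconditionally after the `#endif /* ENCRYPTION */`, so the flag records that getterminaltype() has stopped waiting, not that authentication succeeded or that encryption is on. That matches the commit message ("negotiated or not negotiated"), but the added comment reads as if a completed negotiation were required. Suggest `/* From here on client-supplied options (environment, DISPLAY, ...) are accepted: authentication and encryption negotiation has ended, successfully or not. */`. If a deployment needs those options to arrive only over an authenticated or encrypted session, that must be enforced separately, because this flag cannot express it. The start of the function is outside the hunk, so confirm that no earlier return path skips this assignment; if one does, every later suboption would terminate the session.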