From: Sam Hartman Date: Sun, 21 Apr 1996 07:06:50 +0000 (+0000) Subject: * Remove documentation of how krlogind gets its command line options X-Git-Tag: krb5-1.0-beta6~188 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=dfb72e73bd4ef7c5f2f40a4073a37471af7dd71b;p=krb5.git * Remove documentation of how krlogind gets its command line options from its name, because it doesn't any more. Same for kshd. * Document and implement -i option to ignore checksums. Restore default mode to accept and process checksums if provided. * Bring back the warning about only using -c with Kerberos5. The documentation (both install.texi and the man pages) clearly state that the -c option shouldnot be used in conjunction with Kerberos4, so warn users if they try. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7849 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index 2f3e2b6c2..5258ed76c 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,16 @@ +Sun Apr 21 00:30:28 1996 Sam Hartman + + * krshd.c krlogind.c: Implement -i. Rewrite error message having + to do with checksums. + + * krshd.Mkrlogind.M : Document -i, remove documentation about + taking options from name of daemon. Clean up checksum + documentation. + + * krlogind.c (do_krb_login): Fix up error messages for checksums. + Configuration errors are presented for situations where -c and -i + are used together, or where -4 and -c are used together. + Thu Apr 18 19:48:47 1996 Sam Hartman * Makefile.in: Fix spaces by converting to tabs. diff --git a/src/appl/bsd/krlogind.M b/src/appl/bsd/krlogind.M index 295617efb..8322e7be9 100644 --- a/src/appl/bsd/krlogind.M +++ b/src/appl/bsd/krlogind.M 
@@ -42,9 +42,7 @@ login.krb5 or /bin/login, according to the definition of DO_NOT_USE_K_LOGIN. .PP The configuration of \fIkrlogind\fP is done -either by command-line arguments passed by -inetd, or by the name of the daemon. If command-line arguments are -present, they take priority. The options are: +by command line arguments passed by inetd. The options are: .IP \fB\-5\fP 10 Allow Kerberos5 authentication with the \fI.k5login\fP access control file to be trusted. If this authentication system is used by the client and the 
@@ -78,16 +76,37 @@ to all other checks. .IP \fB\-e\fP Create an encrypted session. -.IP \fB\-c\fP -Require Kerberos5 clients to present a cryptographic checksum of -initial connection information like the name of the user that the -client is trying to access in the initial authenticator. This -checksum provides additionl security by preventing an attacker from -changing the initial connection information. To benefit from this -security, only Kerberos5 should be trusted; Kerberos4 and rhosts -authentication do not include this checksum. If this options is +.IP \fB\-c\fP +Require Kerberos5 clients to present a cryptographic +checksum of initial connection information like the name of the user +that the client is trying to access in the initial authenticator. +This checksum provides additionl security by preventing an attacker +from changing the initial connection information. To benefit from +this security, only Kerberos5 should be trusted; Kerberos4 and rhosts +authentication do not include this checksum. If this option is specified, older Kerberos5 clients that do not send a checksum in the -authenticator will not be able to authenticate to this server. +authenticator will not be able to authenticate to this server. This +option is mutually exclusive with the \fB-i\fP option. + + If neither the \fB-c\fP or \fB-i\fP options are specified,then +checksums are validated if presented. Since it is difficult to remove +a checksum from an authenticator without making the authenticator +invalid, this default mode is almost as significant of a security +improvement as \fB-c\fP if new clients are used. It has the additional +advantage of backwards compatability with some clients. +Unfortunately, clients before Kerberos V5, Beta5, generate invalid +checksums; if these clients are used, the \fB-i\fP option must be +used. + +.IP \fB\-i\fP +Ignore authenticator checksums if provided. 
This option +ignore authenticator checksusm presented by current Kerberos clients +to protect initial connection information; it is the opposite of +\fB-c\fP. This option is provided because some older +clients--particularly clients predating the release of Kerberos V5 +Beta5 (May 1995)--present bogus checksums that prevent Kerberos +authentication from succeeding in the default mode. + .PP If the diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index fd0a2afc0..26fb2cd21 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -239,7 +239,7 @@ krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; -#define ARGSTR "rk54cepPD:S:M:L:?" +#define ARGSTR "rk54ciepPD:S:M:L:?" #else /* !KERBEROS */ #define ARGSTR "rpPD:?" #define (*des_read) read @@ -306,7 +306,7 @@ krb5_error_code recvauth(); #define AUTH_RHOSTS (0x4) int auth_ok = 0, auth_sent = 0; int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0; -int checksum_required = 0; +int checksum_required = 0, checksum_ignored = 0; int main(argc, argv) int argc; @@ -365,6 +365,10 @@ pty_init(); case 'c': checksum_required = 1; break; + case 'i': + checksum_ignored = 1; + break; + #ifdef KRB5_KRB4_COMPAT case '4': auth_ok |= AUTH_KRB4; @@ -465,6 +469,11 @@ pty_init(); syslog(LOG_CRIT, "No authentication systems were enabled; all connections will be refused."); fatal(fd, "All authentication systems disabled; connection refused."); } + + if (checksum_required&&checksum_ignored) { + syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation."); + fatal(fd, "Configuration error: mutually exclusive options specified"); + } doit(fd, &from); return 0; 
@@ -1112,11 +1121,12 @@ do_krb_login(host) if (checksum_required && !valid_checksum) { if (auth_sent & AUTH_KRB5) { - syslog(LOG_WARNING, "Client did not supply required checksum."); + syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected."); fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized."); } else { - syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums."); + syslog(LOG_WARNING, + "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections."); } } if (auth_ok&auth_sent) /* This should be bitwise.*/ @@ -1447,7 +1457,7 @@ recvauth(valid_checksum) getstr(netf, lusername, sizeof (lusername), "locuser"); getstr(netf, term, sizeof(term), "Terminal type"); - if ((auth_sys == KRB5_RECVAUTH_V5) && checksum_required) { + if ((auth_sys == KRB5_RECVAUTH_V5) && !checksum_ignored) { if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context, &authenticator))) diff --git a/src/appl/bsd/krshd.M b/src/appl/bsd/krshd.M index afa517690..9b263ec0d 100644 --- a/src/appl/bsd/krshd.M +++ b/src/appl/bsd/krshd.M @@ -42,10 +42,9 @@ shell inherits the network connections established by .IR krshd . -\fIKrshd\fP can be configured either by command-line arguments passed -by \fIinetd(8)\fP, -or by the name of the daemon. If command-line arguments are present, they -take priority. The options are: +\fIKrshd\fP can be configured by command-line arguments passed +by \fIinetd(8)\fP. + The options are: .IP \fB\-5\fP 10 Allow Kerberos5 authentication with the \fI.k5login\fP access control file 
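Review bot: In the `do_krb_login` hunk of krlogind.c, the `else` arm under `if (checksum_required && !valid_checksum)` only logs and then falls through to the `auth_ok&auth_sent` test, so a server started with `-c` can still accept a checksum-less login from any non-Kerberos5 system enabled in `auth_ok`. The new message calls this a configuration error but logs it at `LOG_WARNING`, while the `-c`/`-i` conflict added in `main` uses `LOG_CRIT` and `fatal()`; it also names only Kerberos V4, although the arm is taken whenever `auth_sent` lacks `AUTH_KRB5`. I would raise the priority to `LOG_CRIT` and add a comment such as `/* -c is not enforced for non-V5 authentication: log and continue */` so the fall-through is visibly deliberate. The same arm appears in the `doit` hunk of krshd.c (`@@ -1012,11 +1026,12`). Both functions continue outside their hunks.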
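Review bot: The condition changed in the `recvauth` hunk of krlogind.c (`@@ -1447,7`) now decides the server's default checksum behaviour, and nothing at the test says so. With `!checksum_ignored` the authenticator is fetched for every Kerberos5 client unless `-i` was given, where before it was fetched only under `-c`. A comment above the `if`, for example `/* Examine the authenticator checksum unless -i was given; -c only makes a missing one fatal in do_krb_login(). */`, would tie the code to the man-page text. The body of the `if` lies outside the hunk, so how a bad checksum is handled in the default mode cannot be checked from here.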
@@ -70,16 +69,37 @@ Trust the remote hostname as an authentication system using the Require the client to encrypt the connection. Only Kerberos5 clients support encryption. -.IP \fB\-c\fP -Require Kerberos5 clients to present a cryptographic checksum of -initial connection information like the name of the user that the -client is trying to access in the initial authenticator. This -checksum provides additionl security by preventing an attacker from -changing the initial connection information. To benefit from this -security, only Kerberos5 should be trusted; Kerberos4 and rhosts +.IP \fB\-c\fP +Require Kerberos5 clients to present a cryptographic +checksum of initial connection information like the name of the user +that the client is trying to access in the initial authenticator. +This checksum provides additionl security by preventing an attacker +from changing the initial connection information. To benefit from +this security, only Kerberos5 should be trusted; Kerberos4 and rhosts authentication do not include this checksum. If this option is specified, older Kerberos5 clients that do not send a checksum in the -authenticator will not be able to authenticate to this server. +authenticator will not be able to authenticate to this server. This +option is mutually exclusive with the \fB-i\fP option. + + If neither the \fB-c\fP or \fB-i\fP options are specified,then +checksums are validated if presented. Since it is difficult to remove +a checksum from an authenticator without making the authenticator +invalid, this default mode is almost as significant of a security +improvement as \fB-c\fP if new clients are used. It has the additional +advantage of backwards compatability with some clients. +Unfortunately, clients before Kerberos V5, Beta5, generate invalid +checksums; if these clients are used, the \fB-i\fP option must be +used. + +.IP \fB\-i\fP +Ignore authenticator checksums if provided. 
This option +ignore authenticator checksusm presented by current Kerberos clients +to protect initial connection information; it is the opposite of +\fB-c\fP. This option is provided because some older +clients--particularly clients predating the release of Kerberos V5 +Beta5 (May 1995)--present bogus checksums that prevent Kerberos +authentication from succeeding in the default mode. + .PP If the \fB\-r\fP or \fB\-R\fP options are used, the client must diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 3acbedb49..7445f3980 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -155,7 +155,7 @@ char copyright[] = #include "com_err.h" #include "loginpaths.h" -#define ARGSTR "rek54cD:S:M:AP:?L:" +#define ARGSTR "rek54ciD:S:M:AP:?L:" #define RSHD_BUFSIZ 5120 @@ -206,7 +206,7 @@ int netf; #define AUTH_KRB5 (0x2) #define AUTH_RHOSTS (0x4) int auth_ok = 0, auth_sent = 0; -int checksum_required = 0; +int checksum_required = 0, checksum_ignored = 1; char *progname; #define MAX_PROG_NAME 10 @@ -302,6 +302,10 @@ int main(argc, argv) case 'c': checksum_required = 1; break; + case 'i': + checksum_ignored = 1; + break; + #ifdef KRB5_KRB4_COMPAT case '4': auth_ok |= AUTH_KRB4; @@ -408,6 +412,11 @@ int main(argc, argv) fd = 0; } + + if (checksum_required&&checksum_ignored) { + syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation."); + fatal(fd, "Configuration error: mutually exclusive options specified"); + } if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, sizeof (on)) < 0) @@ -420,6 +429,11 @@ int main(argc, argv) sizeof (linger)) < 0) syslog(LOG_WARNING , "setsockopt (SO_LINGER): %m"); #endif + if (checksum_required&&checksum_ignored) { + syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation."); + fatal(fd, "Configuration error: mutually exclusive options specified"); + } + doit(dup(fd), &from); return 0; } 
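Review bot: In the `@@ -206,7` hunk of krshd.c, `checksum_ignored` is initialised to `1`, whereas krlogind.c initialises it to `0` and krshd.M documents validate-if-presented as the default. With this initialiser the new `case 'i'` changes nothing, and any start with `-c` meets the `checksum_required&&checksum_ignored` test added later in `main` and ends in `fatal()`, so krshd cannot be run with required checksums. The line should read `int checksum_required = 0, checksum_ignored = 0;`. No hunk in this file reads `checksum_ignored` outside that conflict test, unlike the `recvauth` change in krlogind.c, so it is worth confirming that krshd's authenticator check actually consults the flag.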
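Review bot: The `-c`/`-i` conflict test is added twice in krshd.c `main`, once in the `@@ -408,6` hunk before the `setsockopt` calls and again in the `@@ -420,6` hunk just before `doit(dup(fd), &from)`. Assuming `fatal()` does not return, the second copy can never fire once the first has, and the two `syslog` strings will drift apart if only one is edited later. Keep a single copy, and consider placing it where krlogind.c has it, directly before the call to `doit`. `main` starts and ends outside both hunks.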
@@ -1012,11 +1026,12 @@ void doit(f, fromp) if (checksum_required && !valid_checksum) { if (auth_sent & AUTH_KRB5) { - syslog(LOG_WARNING, "Client did not supply required checksum."); + syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected."); error( "You are using an old Kerberos5 without initial connection support; only newer clients are authorized."); goto signout_please; } else { - syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums."); + syslog(LOG_WARNING, + "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections."); } } if (require_encrypt&&(!do_encrypt)) {