From 87eabfc4956695f794f94248d9bdcdf8a1fa74ec Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Wed, 31 Jan 1996 22:26:17 +0000
Subject: [PATCH] * krshd: Make sure KRB5CCNAME gets set for forward creds; code could be much cleaner. * forward.c: give caller handle to ccache so it can be destroyed. * krshd: destroy the ccache if it is non-null. * krlogind: Fix call, but don't destroy cache, as login.krb5 should do that any year now. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7422 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/bsd/ChangeLog | 31 +++++++++++++++++++++++++++++++
 src/appl/bsd/forward.c | 15 ++++++++-------
 src/appl/bsd/krlogind.c | 5 +++--
 src/appl/bsd/krshd.c | 41 ++++++++++++++++++++++++++++++++++-------
 src/appl/bsd/setenv.c | 2 +-
 5 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index 3014fcbed..02696fed1 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,34 @@
+Wed Jan 31 16:24:50 1996 Sam Hartman + + * krlogind.c (recvauth): Psas ccache to rd_and_store_for_creds + + * krshd.c (recvauth): Pass address of ccache to rd_and_store_for_creds + (ccache): new global variable. + (cleanup): Destroy ccache if we have one. + (doit): Destroy cache on normal terination. + + * forward.c (rd_and_store_for_creds): Take a pointer to a ccache; + we should provide the caller with a way of destroying forwarded + credentials. + +Tue Jan 30 17:56:49 1996 Sam Hartman + + * krshd.c (envinit): Expand to have space KRB5_CCNAME + (doit): Put krb5_ccname at the end of envinit; this is + handled differently that other variables, because TZ may or may not + beset, so our position cannot be fixed. + + + + + + done + + + + + Auto-saving...Use execle because AIX doesn't use envron for the initial environment. + Sat Jan 27 18:40:31 1996 Sam Hartman * kcmd.c (kcmd): We no longer need F_SETOWN as nothing in appl/bsd 
diff --git a/src/appl/bsd/forward.c b/src/appl/bsd/forward.c
index 5cdea1b78..8c74eb2e4 100644
--- a/src/appl/bsd/forward.c
+++ b/src/appl/bsd/forward.c
@@ -28,21 +28,22 @@
 /* Decode, decrypt and store the forwarded creds in the local ccache. */
 krb5_error_code
-rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername)
+rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
 krb5_context context;
 krb5_auth_context auth_context;
 krb5_data *inbuf;
 krb5_ticket *ticket;
 char *lusername;
+ krb5_ccache *ccache;
 {
 krb5_creds ** creds;
 krb5_error_code retval;
 char ccname[35];
- krb5_ccache ccache = NULL;
 struct passwd *pwd;
+ *ccache = NULL;
 if (!(pwd = (struct passwd *) getpwnam(lusername)))
- return -1;
+ return ENOENT;
 if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
 return(retval);
@@ -55,17 +56,17 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername)
 sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
 setenv("KRB5CCNAME", ccname, 0);
- if (retval = krb5_cc_resolve(context, ccname, &ccache))
+ if (retval = krb5_cc_resolve(context, ccname, ccache))
 goto cleanup;
- if (retval = krb5_cc_initialize(context, ccache, ticket->enc_part2->client))
+ if (retval = krb5_cc_initialize(context, *ccache, ticket->enc_part2->client))
 goto cleanup;
- if (retval = krb5_cc_store_cred(context, ccache, *creds))
+ if (retval = krb5_cc_store_cred(context, *ccache, *creds))
 goto cleanup;
 retval = chown(ccname+5, pwd->pw_uid, -1);
-
+
 cleanup:
 krb5_free_creds(context, *creds);
 return retval;
diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c
index 7b3848ead..c7680c3bc 100644
--- a/src/appl/bsd/krlogind.c
+++ b/src/appl/bsd/krlogind.c
@@ -238,6 +238,7 @@ krb5_encrypt_block eblock; /* eblock for encrypt/decrypt */
 krb5_authenticator *kdata;
 krb5_ticket *ticket = 0;
 krb5_context bsd_context;
+krb5_ccache ccache = NULL;
 krb5_keytab keytab = NULL; 
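Review bot: The error path of the `@@ -55` hunk leaves `*ccache` non-NULL once `krb5_cc_resolve` has succeeded but `krb5_cc_initialize`, `krb5_cc_store_cred` or the `chown` fails, and both callers in this patch (`fatal` in krlogind's recvauth, `exit(1)` in krshd's recvauth) exit without destroying it, so a cache file that `krb5_cc_initialize` may already have created under `/tmp` stays behind — still owned by the daemon's uid when `chown` is what failed. The `cleanup:` label should tear the cache down whenever `retval` is non-zero and hand NULL back, so callers only ever receive a fully initialised cache. The `chown` result is also stored straight into `retval`, so that failure surfaces as -1 rather than a code `error_message` can name; `retval = chown(ccname+5, pwd->pw_uid, -1) ? errno : 0;` keeps the real cause, in the same spirit as the `ENOENT` return the `@@ -28` hunk introduces. The closing brace of `rd_and_store_for_creds` lies outside the hunk.
```c
 cleanup:
    if (retval && *ccache) {
	/* Never hand a half-built cache back to the caller: remove the
	 * file if initialize created it and drop the handle. */
	krb5_cc_destroy(context, *ccache);
	*ccache = NULL;
    }
    krb5_free_creds(context, *creds);
    return retval;
```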
@@ -1464,7 +1465,7 @@ int default_realm(principal)
 krb5_error_code
 recvauth(valid_checksum)
-int *valid_checksum;
+ int *valid_checksum;
 {
 krb5_auth_context auth_context = NULL;
 krb5_error_code status;
@@ -1623,7 +1624,7 @@ krb5_xfree(chksumbuf);
 if ((inbuf.length) && /* Forwarding being done, read creds */
 (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
- ticket, lusername))) {
+ ticket, lusername, &ccache))) {
 fatal(netf, "Can't get forwarded credentials");
 }
 return 0;
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index f5f324ee0..6e264bdde 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -170,7 +170,7 @@ krb5_data desinbuf,desoutbuf;
 krb5_context bsd_context;
 char *srvtab = NULL;
 krb5_keytab keytab = NULL;
-
+krb5_ccache ccache = NULL;
 void fatal();
 int v5_des_read();
 int v5_des_write();
@@ -445,14 +445,14 @@ char path_rest[] = RPATH;
 #ifdef CRAY
 char *envinit[] =
-{homedir, shell, 0, username, "TZ=GMT0", tmpdir, term, 0};
+{homedir, shell, 0, username, "TZ=GMT0", tmpdir, term, 0,0};
 #define TZENV 4
 #define TMPDIRENV 5
 char *getenv();
 #else /* CRAY */
 #ifdef KERBEROS
 char *envinit[] =
-{homedir, shell, 0, username, term, 0, 0};
+{homedir, shell, 0, username, term, 0, 0, 0};
 #define TZENV 5
 #else /* KERBEROS */
 char *envinit[] =
@@ -1208,6 +1208,10 @@ if (require_encrypt&&(!do_encrypt)) {
 #endif
 /* Finish session in wmtp */
 pty_logwtmp(ttyn,"","");
+if (ccache)
+ krb5_cc_destroy(bsd_context, ccache);
+ ccache = NULL;
+
 exit(0);
 }
 #ifdef SETPGRP_TWOARG
@@ -1262,7 +1266,6 @@ if (require_encrypt&&(!do_encrypt)) {
 findtz++;
 }
 }
- environ = envinit;
 strncat(homedir, pwd->pw_dir, sizeof(homedir)-6);
 strncat(shell, pwd->pw_shell, sizeof(shell)-7);
 strncat(username, pwd->pw_name, sizeof(username)-6); 
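Review bot: In the `@@ -1208` hunk, `ccache = NULL;` is indented as though it belonged to the `if (ccache)` body but executes unconditionally, which reads as a bug even though it is harmless here; the same shape recurs at the `signout_please:` label in the `@@ -1321` hunk, and the `cleanup` hunk at `@@ -1392` never clears the global at all. `cleanup` appears to be a signal handler (its hunk context is `krb5_sigtype`, and the ChangeLog entry names it), so it can run between the `krb5_cc_destroy` call and the assignment in this hunk and destroy the same handle a second time; taking the global into a local before the call, `krb5_ccache cc = ccache; ccache = NULL; if (cc) krb5_cc_destroy(bsd_context, cc);`, in all three places closes that window and fixes the indentation at the same time. `krb5_cc_destroy` does file I/O and is not async-signal-safe, so the cleaner option is for the handler to set a flag and leave the destroy to the normal exit path, but that is a larger change than this commit. `doit` begins and ends outside this hunk.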
@@ -1273,12 +1276,31 @@ if (require_encrypt&&(!do_encrypt)) {
 }
 sprintf(path, "PATH=%s:%s", kprogdir, path_rest);
 envinit[PATHENV] = path;
+/* If we have KRB5CCNAME set, then copy into the
+ * child's environment. This can't really have
+ * a fixed position because tz may or may not be set.
+ */
+ if (getenv("KRB5CCNAME")) {
+ int i;
+ char *buf = (char *)malloc(strlen(getenv("KRB5CCNAME")) +strlen("KRB5CCNAME=")+1);
+ if (buf) {
+sprintf(buf, "KRB5CCNAME=%s",getenv("KRB5CCNAME"));
+
+for (i = 0; envinit[i]; i++);
+envinit[i] =buf;
+ }
+ /* If we do anything else, make sure there is space in the array.
+ */
+ }
+ environ = envinit;
+
 cp = strrchr(pwd->pw_shell, '/');
 if (cp) cp++;
 else cp = pwd->pw_shell;
-
+
 #ifdef KERBEROS
 /* To make Kerberos rcp work correctly, we must ensure that we invoke Kerberos rcp on this end, not normal rcp, even if the
@@ -1321,6 +1343,9 @@ if (require_encrypt&&(!do_encrypt)) {
 exit(1);
 signout_please:
+if (ccache)
+ krb5_cc_destroy(bsd_context, ccache);
+ ccache = NULL;
 pty_logwtmp(ttyn,"","");
 exit(1);
 }
@@ -1392,6 +1417,8 @@ krb5_sigtype
 pty_logwtmp(ttyn,"","");
 syslog(LOG_INFO ,"Shell process completed.");
+if (ccache)
+ krb5_cc_destroy(bsd_context, ccache);
 exit(0);
 }
@@ -1621,7 +1648,7 @@ krb5_error_code
 recvauth(netf, peersin, valid_checksum)
 int netf;
 struct sockaddr_in peersin;
-int *valid_checksum;
+ int *valid_checksum;
 {
 krb5_auth_context auth_context = NULL;
 krb5_error_code status;
@@ -1773,7 +1800,7 @@ krb5_xfree(chksumbuf);
 if (inbuf.length) { /* Forwarding being done, read creds */
 if (status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
- ticket, locuser)) {
+ ticket, locuser, &ccache)) {
 error("Can't get forwarded credentials: %s\n", error_message(status));
 exit(1);
diff --git a/src/appl/bsd/setenv.c b/src/appl/bsd/setenv.c
index 50405213c..96d4a1e9e 100644
--- a/src/appl/bsd/setenv.c
+++ b/src/appl/bsd/setenv.c 
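Review bot: The `@@ -1273` hunk exports whatever `getenv("KRB5CCNAME")` returns to the child, but `rd_and_store_for_creds` in forward.c calls `setenv("KRB5CCNAME", ccname, 0)`, which does not overwrite an inherited value, so if the daemon was started with `KRB5CCNAME` already set the child is pointed at that inherited cache rather than the one just created, and when no credentials were forwarded at all the daemon's own value is still passed through. Guarding on the `ccache` global (set only by a successful `rd_and_store_for_creds` call in this patch) and deriving the string from the handle with `krb5_cc_get_type`/`krb5_cc_get_name` ties the exported name to the cache actually created; passing 1 as the rewrite argument in forward.c would be the minimal alternative. The `for (i = 0; envinit[i]; i++);` scan also relies on the spare slot added to `envinit` in the `@@ -445` hunk with no bounds check, so an `i + 1 < sizeof(envinit)/sizeof(envinit[0])` test before the store keeps the terminating NULL intact if the array is reshaped later. `doit` continues outside the hunk.
```c
/* Export the cache only when this session created one, so a value
 * inherited from the daemon's own environment never reaches the child. */
if (ccache) {
    int i;
    const char *cc_type = krb5_cc_get_type(bsd_context, ccache);
    const char *cc_name = krb5_cc_get_name(bsd_context, ccache);
    char *buf = malloc(strlen("KRB5CCNAME=") + strlen(cc_type) + 1
		       + strlen(cc_name) + 1);
    if (buf) {
	sprintf(buf, "KRB5CCNAME=%s:%s", cc_type, cc_name);
	for (i = 0; envinit[i]; i++);
	/* keep the terminating NULL; envinit's size is fixed by its initializer */
	if (i + 1 < sizeof(envinit) / sizeof(envinit[0]))
	    envinit[i] = buf;
    }
}
environ = envinit;
/* … unchanged: shell name handling … */
```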
@@ -73,7 +73,7 @@ setenv(name, value, rewrite)
 if (!(environ[offset] = /* name + `=' + value */
 malloc((u_int)((int)(C - name) + l_value + 2))))
 return(-1);
- for (C = environ[offset]; (*C = *name++) && *C != '='; ++C);
+ for (C = environ[offset]; (*C = *name++) &&( *C != '='); ++C);
 for (*C++ = '='; *C++ = *value++;);
 return(0);
 }
-- 
2.26.2