From c8f2a6b57b0d97f46136ffc04e30edf356de0531 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 9 Mar 1999 00:23:38 +0000 Subject: [PATCH] * kshd.M: Resync manpage * krshd.c: Rework hostname logging. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11247 dc483132-0cff-0310-8789-dd5450dbe970 --- src/appl/bsd/ChangeLog | 6 +++ src/appl/bsd/krshd.c | 116 ++++++++++++++++++++++++++++------------- src/appl/bsd/kshd.M | 14 +++++ 3 files changed, 100 insertions(+), 36 deletions(-) diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index a2ea0c6cb..fc892bac9 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,9 @@ +Mon Mar 8 19:21:23 1999 Tom Yu + + * kshd.M: Resync manpage. + + * krshd.c: Rework hostname logging. + Wed Feb 24 20:05:40 1999 Tom Yu * klogind.M: Resync manpage. diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 7e0555f00..a29d17a07 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -162,7 +162,15 @@ char copyright[] = Key_schedule v4_schedule; #endif -#define ARGSTR "ek54ciD:S:M:AP:?L:" +#if HAVE_ARPA_NAMESER_H +#include +#endif + +#ifndef MAXDNAME +#define MAXDNAME 256 /*per the rfc*/ +#endif + +#define ARGSTR "ek54ciD:S:M:AP:?L:w:" @@ -180,6 +188,9 @@ int do_encrypt = 0; int anyport = 0; char *kprogdir = KPROGDIR; int netf; +int maxhostlen = 0; +int stripdomain = 1; +int always_ip = 0; #else /* !KERBEROS */ @@ -351,8 +362,30 @@ int main(argc, argv) case 'D': debug_port = atoi(optarg); break; - case '?': - default: + case 'w': + if (!strcmp(optarg, "ip")) + always_ip = 1; + else { + char *cp; + cp = strchr(optarg, ','); + if (cp == NULL) + maxhostlen = atoi(optarg); + else if (*(++cp)) { + if (!strcmp(cp, "striplocal")) + stripdomain = 1; + else if (!strcmp(cp, "nostriplocal")) + stripdomain = 0; + else { + usage(); + exit(1); + } + *(--cp) = '\0'; + maxhostlen = atoi(optarg); + } + } + break; + case '?': + default: usage(); exit(1); break; 
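Review bot: The new `case 'w':` branch parses the length with `atoi(optarg)` and never checks that anything numeric was present, so `-w striplocal` (no comma) silently becomes maxhostlen 0, `-w 10,` (empty suffix) matches neither inner branch and leaves maxhostlen untouched, and a negative number is passed through to pty_make_sane_hostname() unchanged. Because this option bounds how much of an attacker-influenced reverse-DNS name reaches the utmp/wtmp and login records, a malformed value should be a usage error rather than a silently applied default. Parse the number with strtol(), require the numeric part to be fully consumed and non-negative (INT_MAX would need `<limits.h>`), and split off the `,striplocal`/`,nostriplocal` suffix before converting so a trailing comma is no longer special-cased into a no-op; an empty number still maps to 0 so `-w ,striplocal` keeps working. The option loop and main() continue outside the hunk.
```c
case 'w':
    if (!strcmp(optarg, "ip"))
        always_ip = 1;
    else {
        char *cp, *end;
        long n;

        cp = strchr(optarg, ',');
        if (cp != NULL) {
            *cp++ = '\0';
            if (!strcmp(cp, "striplocal"))
                stripdomain = 1;
            else if (!strcmp(cp, "nostriplocal"))
                stripdomain = 0;
            else {
                usage();
                exit(1);
            }
        }
        /* Reject non-numeric or negative lengths instead of quietly
           falling back to 0; an empty number still means "default". */
        end = optarg;
        n = *optarg ? strtol(optarg, &end, 10) : 0;
        if (*end != '\0' || n < 0 || n > INT_MAX) {
            usage();
            exit(1);
        }
        maxhostlen = (int) n;
    }
    break;
```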
@@ -575,7 +608,9 @@ void doit(f, fromp) int s; struct hostent *hp; - char *hostname; + char hostname[MAXDNAME]; + char *sane_host; + char hostaddra[16]; short port; int pv[2], pw[2], px[2], cc; fd_set ready, readfrom; @@ -731,16 +766,23 @@ void doit(f, fromp) dup2(f, 2); hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); - if (hp){ - hostname = malloc(strlen(hp->h_name) + 1); - strcpy(hostname,hp->h_name); - } - else { - hostname = malloc(strlen((char *)inet_ntoa(fromp->sin_addr)) + 1); - strcpy(hostname,(char *)inet_ntoa(fromp->sin_addr)); + strncpy(hostaddra, inet_ntoa(fromp->sin_addr), sizeof (hostaddra)); + hostaddra[sizeof (hostaddra) - 1] = '\0'; + if (hp != NULL){ + strncpy(hostname, hp->h_name, sizeof (hostname)); + hostname[sizeof (hostname) - 1] = '\0'; } + else + hostname[0] = '\0'; #ifdef KERBEROS + status = pty_make_sane_hostname(fromp, maxhostlen, + stripdomain, always_ip, &sane_host); + if (status) { + error("failed make_sane_hostname: %s\n", error_message(status)); + exit(1); + } + if ((status = recvauth(f, fromaddr,&valid_checksum))) { error("Authentication failed: %s\n", error_message(status)); exit(1); @@ -771,8 +813,9 @@ void doit(f, fromp) pwd = getpwnam(locuser); if (pwd == (struct passwd *) 0 ) { syslog(LOG_ERR , - "Principal %s (%s@%s) for local user %s has no account.\n", - kremuser, remuser, hostname, locuser); /* xxx sprintf buffer in syslog*/ + "Principal %s (%s@%s (%s)) for local user %s has no account.\n", + kremuser, remuser, hostaddra, hostname, + locuser); /* xxx sprintf buffer in syslog*/ error("Login incorrect.\n"); exit(1); } 
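Review bot: The name copied into `hostname` from `hp->h_name` is the raw PTR answer for the client address and nothing in this hunk confirms that it resolves back to `fromp->sin_addr`, yet that copy is what the later syslog lines and, in the non-Kerberos `#else` path, `ruserok()` consume; pty_make_sane_hostname() is handed the address and may do its own lookup, but the local copy is not covered by it as far as the diff shows. Whoever controls the in-addr.arpa zone for the client can therefore choose a name that appears in a target's .rhosts or hosts.equiv, or simply a misleading name for the audit log. Unless a forward check already exists earlier in doit() (outside the hunk), verify the name right after the gethostbyaddr() call and blank it on mismatch so only the numeric address is used; the sketch below assumes `h_addr_list` is available in this build's `struct hostent`. doit() continues on both sides of the hunk.
```c
    hostname[0] = '\0';
    if (hp != NULL) {
        strncpy(hostname, hp->h_name, sizeof (hostname));
        hostname[sizeof (hostname) - 1] = '\0';
        /* Trust the PTR name only if a forward lookup maps it back to
           the peer; otherwise fall back to the numeric address. */
        hp = gethostbyname(hostname);
        if (hp == NULL || hp->h_addrtype != AF_INET)
            hostname[0] = '\0';
        else {
            char **ap;
            for (ap = hp->h_addr_list; *ap != NULL; ap++)
                if (!memcmp(*ap, &fromp->sin_addr, sizeof (struct in_addr)))
                    break;
            if (*ap == NULL)
                hostname[0] = '\0';
        }
    }
    /* … unchanged: pty_make_sane_hostname / recvauth … */
```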
@@ -823,18 +866,18 @@ void doit(f, fromp) endudb(); if (secflag) { if(getsysv(&sysv, sizeof(struct sysv)) != 0) { - loglogin(hostname, SLG_LLERR, 0, ue); + loglogin(sane_host, SLG_LLERR, 0, ue); error("Permission denied.\n"); exit(1); } if ((packet_level != ue->ue_deflvl) || ((packet_compart & ue->ue_comparts) != packet_compart )){ - loglogin(hostname, SLG_LLERR, 0, ue); + loglogin(sane_host, SLG_LLERR, 0, ue); error("Permission denied.\n"); exit(1); } if (ue->ue_disabled != 0) { - loglogin(hostname,SLG_LOCK,ue->ue_logfails,ue); + loglogin(sane_host,SLG_LOCK,ue->ue_logfails,ue); error("Permission denied.\n"); exit(1); } @@ -868,13 +911,13 @@ void doit(f, fromp) if (port) { /* Place entry into wtmp */ sprintf(ttyn,"krsh%1d",getpid()); - pty_logwtmp(ttyn,locuser,hostname); + pty_logwtmp(ttyn,locuser,sane_host); } /* We are simply execing a program over rshd : log entry into wtmp, as kexe(pid), then finish out the session right after that. Syslog should have the information as to what was exec'd */ else { - pty_logwtmp(ttyn,locuser,hostname); + pty_logwtmp(ttyn,locuser,sane_host); } #ifdef CRAY @@ -887,7 +930,7 @@ void doit(f, fromp) if (getusrv(&usrv)){ syslog(LOG_ERR,"Cannot getusrv"); error("Permission denied.\n"); - loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue); + loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue); goto signout_please; } /* @@ -896,12 +939,12 @@ void doit(f, fromp) if((ue->ue_valcat & TFM_TRUSTED) || (sysv.sy_oldtfm && ((ue->ue_comparts & TRUSTED_SUBJECT) == TRUSTED_SUBJECT))) { - loglogin(hostname, SLG_TRSUB, ue->ue_logfails,ue); + loglogin(sane_host, SLG_TRSUB, ue->ue_logfails,ue); error("Permission denied.\n"); goto signout_please; } - loglogin(hostname, SLG_OKLOG, ue->ue_logfails,ue); + loglogin(sane_host, SLG_OKLOG, ue->ue_logfails,ue); /* Setup usrv structure with user udb info and packet_level and packet_compart. */ 
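Review bot: Every loglogin() and pty_logwtmp() call in these hunks now reads `sane_host`, but the earlier hunk declares it without an initializer and assigns it only inside `#ifdef KERBEROS` via pty_make_sane_hostname(); the `#else` ruserok() path later in doit() shows that non-Kerberos builds are still supported, so if any of these calls is compiled in such a build it hands an uninitialized pointer to the wtmp and login-failure records. Whether these calls are themselves inside a KERBEROS conditional is not visible in the hunk, so this may be moot, but it costs nothing to close: initialize the declaration, `char *sane_host = NULL;`, and give the non-Kerberos path an explicit value right after the gethostbyaddr() copy, `sane_host = hostname[0] ? hostname : hostaddra;`. doit() begins and ends outside these hunks.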
@@ -986,7 +1029,7 @@ void doit(f, fromp) } } if (nal_error) { - loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue); + loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue); error("Permission denied.\n"); goto signout_please; } @@ -996,7 +1039,7 @@ void doit(f, fromp) sethost(paddr); if (setusrv(&usrv) == -1) { - loglogin(hostname, SLG_LVERR, ue->ue_logfails,ue); + loglogin(sane_host, SLG_LVERR, ue->ue_logfails,ue); error("Permission denied.\n"); goto signout_please; } @@ -1023,8 +1066,8 @@ void doit(f, fromp) /* kuserok returns 0 if OK */ if (kuserok(v4_kdata, locuser)){ syslog(LOG_ERR , - "Principal %s (%s@%s) for local user %s failed kuserok.\n", - kremuser, remuser, hostname, locuser); + "Principal %s (%s@%s (%s)) for local user %s failed kuserok.\n", + kremuser, remuser, hostaddra, hostname, locuser); } else auth_sent |= AUTH_KRB4; } else @@ -1033,8 +1076,8 @@ void doit(f, fromp) /* krb5_kuserok returns 1 if OK */ if (!krb5_kuserok(bsd_context, client, locuser)){ syslog(LOG_ERR , - "Principal %s (%s@%s) for local user %s failed krb5_kuserok.\n", - kremuser, remuser, hostname, locuser); + "Principal %s (%s@%s (%s)) for local user %s failed krb5_kuserok.\n", + kremuser, remuser, hostaddra, hostname, locuser); } else auth_sent |= @@ -1044,7 +1087,8 @@ void doit(f, fromp) #else if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && - ruserok(hostname, pwd->pw_uid == 0, remuser, locuser) < 0) { + ruserok(hostname[0] ? hostname : hostaddra, + pwd->pw_uid == 0, remuser, locuser) < 0) { error("Permission denied.\n"); goto signout_please; } 
@@ -1082,11 +1126,11 @@ void doit(f, fromp) pwd = (struct passwd *) getpwnam(locuser); if (pwd && (pwd->pw_uid == 0)) { #ifdef LOG_CMD - syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s) as ROOT", - cmdbuf, kremuser, remuser, hostname); + syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as ROOT", + cmdbuf, kremuser, remuser, hostaddra, hostname); #else - syslog(LOG_NOTICE ,"Access as ROOT by principal %s (%s@%s)", - kremuser, remuser, hostname); + syslog(LOG_NOTICE ,"Access as ROOT by principal %s (%s@%s (%s))", + kremuser, remuser, hostaddra, hostname); #endif } #if defined(KERBEROS) && defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) @@ -1106,11 +1150,11 @@ void doit(f, fromp) #if defined(LOG_REMOTE_REALM) || defined(LOG_OTHER_USERS) || defined(LOG_ALL_LOGINS) { #ifdef LOG_CMD - syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s) as local user %s", - cmdbuf, kremuser, remuser, hostname, locuser); + syslog(LOG_NOTICE, "Executing %s for principal %s (%s@%s (%s)) as local user %s", + cmdbuf, kremuser, remuser, hostaddra, hostname, locuser); #else - syslog(LOG_NOTICE ,"Access as %s by principal %s (%s@%s)", - locuser, kremuser, remuser, hostname); + syslog(LOG_NOTICE ,"Access as %s by principal %s (%s@%s (%s))", + locuser, kremuser, remuser, hostaddra, hostname); #endif } #endif diff --git a/src/appl/bsd/kshd.M b/src/appl/bsd/kshd.M index df95c4db9..43d0f7c81 100644 --- a/src/appl/bsd/kshd.M +++ b/src/appl/bsd/kshd.M 
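Review bot: The "Executing … as ROOT" and "Access as …" records now interpolate `hostname`, which is the unfiltered PTR name (up to MAXDNAME bytes) chosen by whoever runs the client's reverse zone; if it carries newlines or escape sequences they land in the audit log as written, and how syslog(3) treats control characters varies by platform, so a forged or visually confusing log line is possible. Logging `hostaddra` alongside it is the right move; to keep the name harmless as well, scrub it once at the copy site, e.g. `for (cp = hostname; *cp; cp++) if (!isalnum((unsigned char)*cp) && *cp != '.' && *cp != '-') *cp = '?';`, so every later syslog() in doit() inherits a printable value. doit() continues outside the hunk.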
@@ -114,6 +114,20 @@ Don't allocate a reserved port for the stderr connection. .IP \fB\-P\ path\fP Use the argument to find the Kerberos binaries. Normally a compiled in argument is used. + +.TP +\fB\-w \fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]] +Controls the form of the remote hostname passed to login(1). +Specifying \fBip\fP results in the numeric IP address always being +passed to login(1). Specifying a number, \fImaxhostlen\fP, sets the +maximum length of the hostname passed to login(1) before it will be +passed as a numeric IP address. If \fImaxhostlen\fP is 0, then the +system default, as determined by the utmp or utmpx structures, is +used. The \fBnostriplocal\fP and \fBstriplocal\fP options, which must +be preceded by a comma, control whether or not the local host domain +is stripped from the remote hostname. By default, the equivalent of +\fBstriplocal\fP is in effect. + .SH DIAGNOSTICS Except for the last one listed below, all diagnostic messages -- 2.26.2