From d986df5a8970205e144a07cad5ad9ee31a4a687b Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 15 Dec 2008 20:31:53 +0000
Subject: [PATCH] Remove krb4 support in gssftp and telnet

ticket: 6303
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21451 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/gssftp/ftp/Makefile.in | 11 +-
 src/appl/gssftp/ftp/ftp.M | 4 -
 src/appl/gssftp/ftp/ftp.c | 143 +----
 src/appl/gssftp/ftp/main.c | 27 -
 src/appl/gssftp/ftp/secure.c | 71 ---
 src/appl/gssftp/ftpd/Makefile.in | 6 +-
 src/appl/gssftp/ftpd/ftpcmd.y | 32 +-
 src/appl/gssftp/ftpd/ftpd.M | 6 -
 src/appl/gssftp/ftpd/ftpd.c | 266 +--------
 src/appl/telnet/configure.in | 12 -
 src/appl/telnet/libtelnet/Makefile.in | 12 +-
 src/appl/telnet/libtelnet/auth-proto.h | 9 -
 src/appl/telnet/libtelnet/auth.c | 18 -
 src/appl/telnet/libtelnet/kerberos.c | 744 ------------------------
 src/appl/telnet/telnet/Makefile.in | 4 +-
 src/appl/telnet/telnet/main.c | 11 +-
 src/appl/telnet/telnetd/Makefile.in | 6 +-
 17 files changed, 19 insertions(+), 1363 deletions(-)
 delete mode 100644 src/appl/telnet/libtelnet/kerberos.c

diff --git a/src/appl/gssftp/ftp/Makefile.in b/src/appl/gssftp/ftp/Makefile.in
index 949f0ba5d..7fe4a6da9 100644
--- a/src/appl/gssftp/ftp/Makefile.in
+++ b/src/appl/gssftp/ftp/Makefile.in
@@ -21,20 +21,13 @@ OBJS = $(OUTPRE)cmds.$(OBJEXT) $(OUTPRE)cmdtab.$(OBJEXT) \ $(OUTPRE)main.$(OBJEXT) $(OUTPRE)radix.$(OBJEXT) \ $(OUTPRE)ruserpass.$(OBJEXT) $(OUTPRE)secure.$(OBJEXT) -LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@ - -# -# We cannot have @KRB4_INCLUDES@ under Windows, since we do not use -# configure, so we redefine LOCALINCLUDES not to have that. -# - -##WIN32##LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) +LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) all-unix:: ftp all-windows:: $(OUTPRE)ftp.exe ftp: $(OBJS) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB4COMPAT_LIBS) + $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB5_BASE_LIBS) $(OUTPRE)ftp.exe: $(OBJS) $(GLIB) $(KLIB) link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib advapi32.lib $(SCLIB) diff --git a/src/appl/gssftp/ftp/ftp.M b/src/appl/gssftp/ftp/ftp.M index ce168813f..11bbc931e 100644 --- a/src/appl/gssftp/ftp/ftp.M +++ b/src/appl/gssftp/ftp/ftp.M @@ -94,10 +94,6 @@ Enables debugging. .B \-g Disables file name globbing. .TP -\fB\-k\fP \fIrealm\fP -When using Kerberos v4 authentication, gets tickets in -.IR realm . -.TP .B \-f Causes credentials to be forwarded to the remote host. .TP diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c index ababc5d59..3df233fcd 100644 --- a/src/appl/gssftp/ftp/ftp.c +++ b/src/appl/gssftp/ftp/ftp.c @@ -88,11 +88,8 @@ int gettimeofday(struct timeval *tv, void *tz); #include #include #include -#ifndef KRB5_KRB4_COMPAT -/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */ #include #include -#endif #include #include #ifdef HAVE_SYS_SELECT_H @@ -126,14 +123,6 @@ int gettimeofday(struct timeval *tv, void *tz); #include -#ifdef KRB5_KRB4_COMPAT -#include - -KTEXT_ST ticket; -CREDENTIALS cred; -Key_schedule schedule; -MSG_DAT msg_data; -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI #include /* need to include the krb5 file, because we're doing manual fallback 
@@ -438,20 +427,6 @@ static int secure_command(char* cmd) int length; if (auth_type && clevel != PROT_C) { -#ifdef KRB5_KRB4_COMPAT - if (strcmp(auth_type, "KERBEROS_V4") == 0) - if ((length = clevel == PROT_P ? - krb_mk_priv((unsigned char *)cmd, (unsigned char *)out, - strlen(cmd), schedule, - &cred.session, &myctladdr, &hisctladdr) - : krb_mk_safe((unsigned char *)cmd, (unsigned char *)out, - strlen(cmd), &cred.session, - &myctladdr, &hisctladdr)) == -1) { - fprintf(stderr, "krb_mk_%s failed for KERBEROS_V4\n", - clevel == PROT_P ? "priv" : "safe"); - return(0); - } -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI /* secure_command (based on level) */ if (strcmp(auth_type, "GSSAPI") == 0) { @@ -694,40 +669,6 @@ int getreply(int expecteof) code, radix_error(kerror), obuf); n = '5'; } -#ifdef KRB5_KRB4_COMPAT - else if (strcmp(auth_type, "KERBEROS_V4") == 0) { - if (safe) - kerror = krb_rd_safe((unsigned char *)ibuf, - (unsigned int) len, - &cred.session, - &hisctladdr, - &myctladdr, &msg_data); - else - kerror = krb_rd_priv((unsigned char *)ibuf, - (unsigned int) len, - schedule, &cred.session, - &hisctladdr, &myctladdr, - &msg_data); - if (kerror != KSUCCESS) { - printf("%d reply %s! (krb_rd_%s: %s)\n", code, - safe ? "modified" : "garbled", - safe ? "safe" : "priv", - krb_get_err_text(kerror)); - n = '5'; - } else { - if (debug) printf("%c:", safe ? 'S' : 'P'); - if(msg_data.app_length < sizeof(ibuf) - 2) { - memmove(ibuf, msg_data.app_data, - msg_data.app_length); - memcpy(&ibuf[msg_data.app_length], "\r\n", - 3); - } else { - printf("Message too long!"); - } - continue; - } - } -#endif #ifdef GSSAPI else if (strcmp(auth_type, "GSSAPI") == 0) { gss_buffer_desc xmit_buf, msg_buf; @@ -1664,10 +1605,6 @@ void pswitch(int flag) char *authtype; int clvl; int dlvl; -#ifdef KRB5_KRB4_COMPAT - C_Block session; - Key_schedule schedule; -#endif /* KRB5_KRB4_COMPAT */ } proxstruct, tmpstruct; struct comvars *ip, *op; 
@@ -1745,12 +1682,6 @@ void pswitch(int flag) clevel = PROT_C; if (!dlevel) dlevel = PROT_C; -#ifdef KRB5_KRB4_COMPAT - memcpy(ip->session, cred.session, sizeof(cred.session)); - memcpy(cred.session, op->session, sizeof(cred.session)); - memcpy(ip->schedule, schedule, sizeof(schedule)); - memcpy(schedule, op->schedule, sizeof(schedule)); -#endif /* KRB5_KRB4_COMPAT */ (void) signal(SIGINT, oldintr); if (abrtflag) { abrtflag = 0; @@ -1956,10 +1887,6 @@ gunique(char *local) return(new); } -#ifdef KRB5_KRB4_COMPAT -char realm[REALM_SZ + 1]; -#endif /* KRB5_KRB4_COMPAT */ - #ifdef GSSAPI static const struct { gss_OID mech_type; @@ -1974,14 +1901,10 @@ static const int n_gss_trials = sizeof(gss_trials)/sizeof(gss_trials[0]); int do_auth() { int oldverbose = verbose; -#ifdef KRB5_KRB4_COMPAT - char *service, inst[INST_SZ]; - KRB4_32 cksum, checksum = getpid(); -#endif /* KRB5_KRB4_COMPAT */ -#if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI) +#ifdef GSSAPI u_char out_buf[FTP_BUFSIZ]; int i; -#endif /* KRB5_KRB4_COMPAT */ +#endif /* GSSAPI */ if (auth_type) return(1); /* auth already succeeded */ 
@@ -2132,68 +2055,6 @@ int do_auth() } } #endif /* GSSAPI */ -#ifdef KRB5_KRB4_COMPAT - if (command("AUTH %s", "KERBEROS_V4") == CONTINUE) { - if (verbose) - printf("%s accepted as authentication type\n", "KERBEROS_V4"); - - strncpy(inst, (char *) krb_get_phost(hostname), sizeof(inst) - 1); - inst[sizeof(inst) - 1] = '\0'; - if (realm[0] == '\0') - strncpy(realm, (char *) krb_realmofhost(hostname), sizeof(realm) - 1); - realm[sizeof(realm) - 1] = '\0'; - if ((kerror = krb_mk_req(&ticket, service = "ftp", - inst, realm, checksum)) - && (kerror != KDC_PR_UNKNOWN || - (kerror = krb_mk_req(&ticket, service = "rcmd", - inst, realm, checksum)))) - fprintf(stderr, "Kerberos V4 krb_mk_req failed: %s\n", - krb_get_err_text(kerror)); - else if ((kerror = krb_get_cred(service, inst, realm, &cred))) - fprintf(stderr, "Kerberos V4 krb_get_cred failed: %s\n", - krb_get_err_text(kerror)); - else { - key_sched(cred.session, schedule); - reply_parse = "ADAT="; - oldverbose = verbose; - verbose = 0; - i = ticket.length; - if ((kerror = radix_encode(ticket.dat, out_buf, &i, 0))) - fprintf(stderr, "Base 64 encoding failed: %s\n", - radix_error(kerror)); - else if (command("ADAT %s", out_buf) != COMPLETE) - fprintf(stderr, "Kerberos V4 authentication failed\n"); - else if (!reply_parse) - fprintf(stderr, - "No authentication data received from server\n"); - else if ((kerror = radix_encode((unsigned char *)reply_parse, out_buf, &i, 1))) - fprintf(stderr, "Base 64 decoding failed: %s\n", - radix_error(kerror)); - else if ((kerror = krb_rd_safe(out_buf, (unsigned )i, - &cred.session, - &hisctladdr, &myctladdr, - &msg_data))) - fprintf(stderr, "Kerberos V4 krb_rd_safe failed: %s\n", - krb_get_err_text(kerror)); - else { - /* fetch the (modified) checksum */ - (void) memcpy(&cksum, msg_data.app_data, sizeof(cksum)); - if (ntohl(cksum) == checksum + 1) { - verbose = oldverbose; - if (verbose) - printf("Kerberos V4 authentication succeeded\n"); - reply_parse = NULL; - auth_type = 
"KERBEROS_V4"; - return(1); - } else fprintf(stderr, - "Kerberos V4 mutual authentication failed\n"); - } - verbose = oldverbose; - reply_parse = NULL; - } - } else fprintf(stderr, "%s rejected as an authentication type\n", - "KERBEROS_V4"); -#endif /* KRB5_KRB4_COMPAT */ /* Other auth types go here ... */ diff --git a/src/appl/gssftp/ftp/main.c b/src/appl/gssftp/ftp/main.c index 2e8c2cb8a..6ec5ee1a8 100644 --- a/src/appl/gssftp/ftp/main.c +++ b/src/appl/gssftp/ftp/main.c @@ -55,11 +55,8 @@ static char sccsid[] = "@(#)main.c 5.18 (Berkeley) 3/1/91"; #include #include "ftp_var.h" #ifndef _WIN32 -#ifndef KRB5_KRB4_COMPAT -/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */ #include #include -#endif #include #include #include @@ -90,11 +87,6 @@ uid_t getuid(); sigtype intr (int), lostpeer (int); extern char *home; char *getlogin(); -#ifdef KRB5_KRB4_COMPAT -#include -struct servent staticsp; -extern char realm[]; -#endif /* KRB5_KRB4_COMPAT */ static void cmdscanner (int); static char *slurpstring (void); @@ -126,12 +118,6 @@ main(argc, argv) fprintf(stderr, "ftp: ftp/tcp: unknown service\n"); exit(1); } -#ifdef KRB5_KRB4_COMPAT -/* GDM need to static sp so that the information is not lost - when kerberos calls getservbyname */ - memcpy(&staticsp,sp,sizeof(struct servent)); - sp = &staticsp; -#endif /* KRB5_KRB4_COMPAT */ doglob = 1; interactive = 1; autoauth = 1; @@ -148,19 +134,6 @@ main(argc, argv) debug++; break; -#ifdef KRB5_KRB4_COMPAT - case 'k': - if (*++cp != '\0') - strncpy(realm, ++cp, REALM_SZ); - else if (argc > 1) { - argc--, argv++; - strncpy(realm, *argv, REALM_SZ); - } - else - fprintf(stderr, "ftp: -k expects arguments\n"); - goto nextopt; -#endif - case 'v': verbose++; break; diff --git a/src/appl/gssftp/ftp/secure.c b/src/appl/gssftp/ftp/secure.c index b8b963774..3ed15ee97 100644 --- a/src/appl/gssftp/ftp/secure.c +++ b/src/appl/gssftp/ftp/secure.c 
@@ -13,15 +13,6 @@ extern gss_ctx_id_t gcontext; #include /* stuff which is specific to client or server */ -#ifdef KRB5_KRB4_COMPAT -#include - -CRED_DECL -extern KTEXT_ST ticket; -extern MSG_DAT msg_data; -extern Key_schedule schedule; -#endif /* KRB5_KRB4_COMPAT */ - #ifdef _WIN32 #undef ERROR #endif @@ -82,21 +73,6 @@ static unsigned int smaxbuf; /* Internal saved value of maxbuf static unsigned int smaxqueue; /* Maximum allowed to queue before flush buffer. < smaxbuf by fudgefactor */ -#ifdef KRB5_KRB4_COMPAT -#define KRB4_FUDGE_FACTOR 32 /* Amount of growth - * from cleartext to ciphertext. - * krb_mk_priv adds this # bytes. - * Must be defined for each auth type. - */ -#endif /* KRB5_KRB4_COMPAT */ - -#ifdef KRB5_KRB4_COMPAT -/* XXX - The following must be redefined if KERBEROS_V4 is not used - * but some other auth type is. They must have the same properties. */ -#define looping_write krb_net_write -#define looping_read krb_net_read -#endif - /* perhaps use these in general, certainly use them for GSSAPI */ #ifndef looping_write @@ -167,12 +143,6 @@ static int secure_determine_constants() smaxbuf = maxbuf; smaxqueue = maxbuf; -#ifdef KRB5_KRB4_COMPAT - /* For KRB4 - we know the fudge factor to be 32 */ - if (strcmp(auth_type, "KERBEROS_V4") == 0) { - smaxqueue = smaxbuf - KRB4_FUDGE_FACTOR; - } -#endif #ifdef GSSAPI if (strcmp(auth_type, "GSSAPI") == 0) { OM_uint32 maj_stat, min_stat, mlen; 
@@ -289,31 +259,6 @@ unsigned int nbyte; buffer lengths required */ /* Other auth types go here ... */ -#ifdef KRB5_KRB4_COMPAT - if (bufsize < nbyte + fudge) { - if (outbuf? - (outbuf = realloc(outbuf, (unsigned) (nbyte + fudge))): - (outbuf = malloc((unsigned) (nbyte + fudge)))) { - bufsize = nbyte + fudge; - } else { - bufsize = 0; - secure_error("%s (in malloc of PROT buffer)", - strerror(errno)); - return(ERR); - } - } - - if (strcmp(auth_type, "KERBEROS_V4") == 0) - if ((length = dlevel == PROT_P ? - krb_mk_priv(buf, (unsigned char *) outbuf, nbyte, schedule, - SESSION, &myaddr, &hisaddr) - : krb_mk_safe(buf, (unsigned char *) outbuf, nbyte, SESSION, - &myaddr, &hisaddr)) == -1) { - secure_error("krb_mk_%s failed for KERBEROS_V4", - dlevel == PROT_P ? "priv" : "safe"); - return(ERR); - } -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI if (strcmp(auth_type, "GSSAPI") == 0) { gss_buffer_desc in_buf, out_buf; @@ -392,22 +337,6 @@ int fd; return(ERR); } /* Other auth types go here ... */ -#ifdef KRB5_KRB4_COMPAT - if (strcmp(auth_type, "KERBEROS_V4") == 0) { - if ((kerror = dlevel == PROT_P ? - krb_rd_priv(ucbuf, length, schedule, SESSION, - &hisaddr, &myaddr, &msg_data) - : krb_rd_safe(ucbuf, length, SESSION, - &hisaddr, &myaddr, &msg_data))) { - secure_error("krb_rd_%s failed for KERBEROS_V4 (%s)", - dlevel == PROT_P ? "priv" : "safe", - krb_get_err_text(kerror)); - return(ERR); - } - memmove(ucbuf, msg_data.app_data, msg_data.app_length); - nin = bufp = msg_data.app_length; - } -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI if (strcmp(auth_type, "GSSAPI") == 0) { gss_buffer_desc xmit_buf, msg_buf; diff --git a/src/appl/gssftp/ftpd/Makefile.in b/src/appl/gssftp/ftpd/Makefile.in index f74f1ef56..3eba82e77 100644 --- a/src/appl/gssftp/ftpd/Makefile.in +++ b/src/appl/gssftp/ftpd/Makefile.in 
@@ -25,12 +25,12 @@ SRCS = $(srcdir)/ftpd.c ftpcmd.c $(srcdir)/popen.c \ OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \ secure.o $(LIBOBJS) $(SETENVOBJ) -LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@ +LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) all:: ftpd -ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB4COMPAT_LIBS) +ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) generate-files-mac: ftpcmd.c diff --git a/src/appl/gssftp/ftpd/ftpcmd.y b/src/appl/gssftp/ftpd/ftpcmd.y index 73655a4aa..a57b43587 100644 --- a/src/appl/gssftp/ftpd/ftpcmd.y +++ b/src/appl/gssftp/ftpd/ftpcmd.y @@ -76,13 +76,6 @@ unsigned int maxbuf, actualbuf; unsigned char *ucbuf; static int kerror; /* XXX needed for all auth types */ -#ifdef KRB5_KRB4_COMPAT -extern struct sockaddr_in his_addr, ctrl_addr; -#include -extern AUTH_DAT kdata; -extern Key_schedule schedule; -extern MSG_DAT msg_data; -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI #include #include 
@@ -1090,27 +1083,6 @@ ftpd_getline(s, n, iop) if (debug) syslog(LOG_DEBUG, "getline got %d from %s <%s>\n", len, cs, mic?"MIC":"ENC"); clevel = mic ? PROT_S : PROT_P; -#ifdef KRB5_KRB4_COMPAT - if (strcmp(auth_type, "KERBEROS_V4") == 0) { - if ((kerror = mic ? - krb_rd_safe((unsigned char *)out, len, &kdata.session, - &his_addr, &ctrl_addr, &msg_data) - : krb_rd_priv((unsigned char *)out, len, schedule, - &kdata.session, &his_addr, &ctrl_addr, &msg_data)) - != KSUCCESS) { - reply(535, "%s! (%s)", - mic ? "MIC command modified" : "ENC command garbled", - krb_get_err_text(kerror)); - syslog(LOG_ERR,"%s failed: %s", - mic ? "MIC krb_rd_safe" : "ENC krb_rd_priv", - krb_get_err_text(kerror)); - *s = '\0'; - return(s); - } - (void) memcpy(s, msg_data.app_data, msg_data.app_length); - (void) memcpy(s+msg_data.app_length, "\r\n", 3); - } -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI /* we know this is a MIC or ENC already, and out/len already has the bits */ if (strcmp(auth_type, "GSSAPI") == 0) { @@ -1158,7 +1130,7 @@ ftpd_getline(s, n, iop) } } -#if defined KRB5_KRB4_COMPAT || defined GSSAPI /* or other auth types */ +#ifdef GSSAPI /* or other auth types */ else { /* !auth_type */ if ( (!(strncmp(s, "ENC", 3))) || (!(strncmp(s, "MIC", 3))) #ifndef NOCONFIDENTIAL @@ -1170,7 +1142,7 @@ ftpd_getline(s, n, iop) return(s); } } -#endif /* KRB5_KRB4_COMPAT || GSSAPI */ +#endif GSSAPI if (debug) { if (!strncmp(s, "PASS ", 5) && !guest) diff --git a/src/appl/gssftp/ftpd/ftpd.M b/src/appl/gssftp/ftpd/ftpd.M index b26a4bd94..33fc1d9c7 100644 --- a/src/appl/gssftp/ftpd/ftpd.M +++ b/src/appl/gssftp/ftpd/ftpd.M 
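Review bot: The rewritten `#endif GSSAPI` in the `@@ -1170,7 +1142,7 @@` hunk of ftpd_getline leaves a bare token after `#endif`, which ISO C does not allow (GCC warns under -Wextra/-pedantic and stricter compilers reject it). It should be a comment, `#endif /* GSSAPI */`, matching the sibling `#ifdef GSSAPI /* or other auth types */` rewrite in the `@@ -1158` hunk. ftpd_getline starts and ends outside these hunks.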
@@ -128,12 +128,6 @@ Sets the name of the file to use. The default value is normally set by .IR /etc/krb5.conf . .TP -\fB\-s\fP \fIsrvtab\fP -Sets the name of the -.I srvtab -file to use for Kerberos V4 authentication. The default value is normally -.IR /etc/srvtab . -.TP \fB\-w \fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]} Controls the form of the remote hostname passed to login(1). Specifying \fBip\fP results in the numeric IP address always being diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c index 7522c50ce..69f7ac392 100644 --- a/src/appl/gssftp/ftpd/ftpd.c +++ b/src/appl/gssftp/ftpd/ftpd.c @@ -47,10 +47,7 @@ static char sccsid[] = "@(#)ftpd.c 5.40 (Berkeley) 7/2/91"; #include #include #include -#ifndef KRB5_KRB4_COMPAT -/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */ #include -#endif #include #include #include @@ -80,10 +77,7 @@ static char sccsid[] = "@(#)ftpd.c 5.40 (Berkeley) 7/2/91"; #define sigsetjmp(j,s) setjmp(j) #define siglongjmp longjmp #endif -#ifndef KRB5_KRB4_COMPAT -/* krb.h gets this, and Ultrix doesn't protect vs multiple inclusion */ #include -#endif #include #include #include @@ -129,18 +123,6 @@ extern int yyparse(void); #include #include "port-sockets.h" -#ifdef KRB5_KRB4_COMPAT -#include -#include - -AUTH_DAT kdata; -KTEXT_ST ticket; -MSG_DAT msg_data; -Key_schedule schedule; -char *keyfile; -static char *krb4_services[] = { "ftp", "rcmd", NULL }; -#endif /* KRB5_KRB4_COMPAT */ - #ifdef GSSAPI #include #include @@ -162,7 +144,7 @@ static void log_gss_error(int, OM_uint32, OM_uint32, const char *); char *auth_type; /* Authentication succeeded? If so, what type? */ static char *temp_auth_type; -int authorized; /* Auth succeeded and was accepted by krb4 or gssapi */ +int authorized; /* Auth succeeded and was accepted by gssapi */ int have_creds; /* User has credentials on disk */ /* 
@@ -294,16 +276,9 @@ main(argc, argv, envp) int addrlen, c, on = 1, tos, port = -1; extern char *optarg; extern int optopt; -#ifdef KRB5_KRB4_COMPAT - char *option_string = "AaCcdElp:r:s:T:t:U:u:vw:"; -#else /* !KRB5_KRB4_COMPAT */ char *option_string = "AaCcdElp:r:T:t:U:u:vw:"; -#endif /* KRB5_KRB4_COMPAT */ ftpusers = _PATH_FTPUSERS_DEFAULT; -#ifdef KRB5_KRB4_COMPAT - keyfile = KEYFILE; -#endif /* KRB5_KRB4_COMPAT */ debug = 0; #ifdef SETPROCTITLE /* @@ -363,12 +338,6 @@ main(argc, argv, envp) setenv("KRB_CONF", optarg, 1); break; -#ifdef KRB5_KRB4_COMPAT - case 's': - keyfile = optarg; - break; -#endif /* KRB5_KRB4_COMPAT */ - case 't': timeout = atoi(optarg); if (maxtimeout < timeout) @@ -779,32 +748,7 @@ user(name) authorized ? "" : " not", name); } -#ifdef KRB5_KRB4_COMPAT - else -#endif /* KRB5_KRB4_COMPAT */ #endif /* GSSAPI */ -#ifdef KRB5_KRB4_COMPAT - if (auth_type && strcmp(auth_type, "KERBEROS_V4") == 0) { - int len; - - authorized = kuserok(&kdata,name) == 0; - len = sizeof("Kerberos user .@ is not authorized as " - "; Password required.") - + strlen(kdata.pname) - + strlen(kdata.pinst) - + strlen(kdata.prealm) - + strlen(name); - if (len >= sizeof(buf)) { - syslog(LOG_ERR, "user: username too long"); - name = "[username too long]"; - } - snprintf(buf, sizeof(buf), - "Kerberos user %s%s%s@%s is%s authorized as %s", - kdata.pname, *kdata.pinst ? "." : "", - kdata.pinst, kdata.prealm, - authorized ? "" : " not", name); - } -#endif /* KRB5_KRB4_COMPAT */ if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) { strncat(buf, "; Access denied.", @@ -909,9 +853,6 @@ end_login() if (have_creds) { #ifdef GSSAPI krb5_cc_destroy(kcontext, ccache); -#endif -#ifdef KRB5_KRB4_COMPAT - dest_tkt(); #endif have_creds = 0; } 
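Review bot: The `-r` handler visible in the context of the `@@ -363,12 +338,6 @@` hunk still does `setenv("KRB_CONF", optarg, 1);` while the commit strips every other krb4 remnant from main(); KRB_CONF appears to be the Kerberos 4 configuration variable, and the krb5 library consults KRB5_CONFIG, so after this change `-r` may no longer have any effect. The ftpd.M context just before the removed `-s` entry mentions /etc/krb5.conf, which suggests the option is meant to point at the krb5 config file; if so, `setenv("KRB5_CONFIG", optarg, 1);` would do that, otherwise the option and its `r:` in `option_string` on the `@@ -294` hunk should go the same way as `-s`. This is inferred from the visible lines only; confirm against the `-r` description in ftpd.M before changing it. main() continues outside the hunk.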
@@ -929,18 +870,6 @@ char *name, *passwd; krb5_creds my_creds; krb5_timestamp now; #endif /* GSSAPI */ -#ifdef KRB5_KRB4_COMPAT - char realm[REALM_SZ]; -#ifndef GSSAPI - char **service; - KTEXT_ST ticket; - AUTH_DAT authdata; - des_cblock key; - char instance[INST_SZ]; - unsigned long faddr; - struct hostent *hp; -#endif /* GSSAPI */ -#endif /* KRB5_KRB4_COMPAT */ char ccname[MAXPATHLEN]; #ifdef GSSAPI @@ -983,59 +912,10 @@ char *name, *passwd; krb5_cc_destroy(kcontext, ccache); return(1); } -#endif /* GSSAPI */ - -#ifdef KRB5_KRB4_COMPAT - if (krb_get_lrealm(realm, 1) != KSUCCESS) - goto nuke_ccache; - - snprintf(ccname, sizeof(ccname), "%s_ftpd%ld", TKT_ROOT, - (long) getpid()); - krb_set_tkt_string(ccname); - - if (krb_get_pw_in_tkt(name, "", realm, "krbtgt", realm, 1, passwd)) - goto nuke_ccache; - -#ifndef GSSAPI - /* Verify the ticket since we didn't verify the krb5 one. */ - strncpy(instance, krb_get_phost(hostname), sizeof(instance)); - - if ((hp = gethostbyname(instance)) == NULL) - goto nuke_ccache; - memcpy((char *) &faddr, (char *)hp->h_addr, sizeof(faddr)); - - for (service = krb4_services; *service; service++) { - if (!read_service_key(*service, instance, - realm, 0, keyfile, key)) { - (void) memset(key, 0, sizeof(key)); - if (krb_mk_req(&ticket, *service, - instance, realm, 33) || - krb_rd_req(&ticket, *service, instance, - faddr, &authdata,keyfile) || - kuserok(&authdata, name)) { - dest_tkt(); - goto nuke_ccache; - } else - break; - } - } - - if (!*service) { - dest_tkt(); - goto nuke_ccache; - } - - if (!want_creds) { - dest_tkt(); - return(1); - } -#endif /* GSSAPI */ -#endif /* KRB5_KRB4_COMPAT */ -#if defined(GSSAPI) || defined(KRB5_KRB4_COMPAT) have_creds = 1; return(1); -#endif /* GSSAPI || KRB5_KRB4_COMPAT */ +#endif /* GSSAPI */ nuke_ccache: #ifdef GSSAPI 
@@ -1110,9 +990,6 @@ login(passwd, logincode) #ifdef GSSAPI const char *ccname = krb5_cc_get_name(kcontext, ccache); chown(ccname, pw->pw_uid, pw->pw_gid); -#endif -#ifdef KRB5_KRB4_COMPAT - chown(tkt_string(), pw->pw_uid, pw->pw_gid); #endif } @@ -1816,30 +1693,6 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5) if (n) snprintf(in, sizeof(in), "%d%c", n, cont_char); else in[0] = '\0'; strncat(in, buf, sizeof (in) - strlen(in) - 1); -#ifdef KRB5_KRB4_COMPAT - if (strcmp(auth_type, "KERBEROS_V4") == 0) { - if (clevel == PROT_P) - length = krb_mk_priv((unsigned char *)in, - (unsigned char *)out, - strlen(in), - schedule, &kdata.session, - &ctrl_addr, - &his_addr); - else - length = krb_mk_safe((unsigned char *)in, - (unsigned char *)out, - strlen(in), - &kdata.session, - &ctrl_addr, - &his_addr); - if (length == -1) { - syslog(LOG_ERR, - "krb_mk_%s failed for KERBEROS_V4", - clevel == PROT_P ? "priv" : "safe"); - fputs(in,stdout); - } - } else -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI /* reply (based on level) */ if (strcmp(auth_type, "GSSAPI") == 0) { @@ -2109,9 +1962,6 @@ dologout(status) if (have_creds) { #ifdef GSSAPI krb5_cc_destroy(kcontext, ccache); -#endif -#ifdef KRB5_KRB4_COMPAT - dest_tkt(); #endif } /* beware of flushing buffers after a SIGPIPE */ @@ -2272,12 +2122,6 @@ char *atype; if (auth_type) reply(534, "Authentication type already set to %s", auth_type); else -#ifdef KRB5_KRB4_COMPAT - if (strcmp(atype, "KERBEROS_V4") == 0) - reply(334, "Using authentication type %s; ADAT must follow", - temp_auth_type = atype); - else -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI if (strcmp(atype, "GSSAPI") == 0) reply(334, "Using authentication type %s; ADAT must follow", 
@@ -2293,13 +2137,6 @@ auth_data(adata) char *adata; { int kerror, length; -#ifdef KRB5_KRB4_COMPAT - static char **service=NULL; - char instance[INST_SZ]; - KRB4_32 cksum; - char buf[FTP_BUFSIZ]; - u_char out_buf[sizeof(buf)]; -#endif /* KRB5_KRB4_COMPAT */ if (auth_type) { reply(503, "Authentication already established"); 
@@ -2309,61 +2146,6 @@ char *adata; reply(503, "Must identify AUTH type before ADAT"); return(0); } -#ifdef KRB5_KRB4_COMPAT - if (strcmp(temp_auth_type, "KERBEROS_V4") == 0) { - kerror = radix_encode(adata, out_buf, &length, 1); - if (kerror) { - reply(501, "Couldn't decode ADAT (%s)", - radix_error(kerror)); - syslog(LOG_ERR, "Couldn't decode ADAT (%s)", - radix_error(kerror)); - return(0); - } - (void) memcpy((char *)ticket.dat, (char *)out_buf, ticket.length = length); - strlcpy(instance, "*", sizeof(instance)); - - kerror = 255; - for (service = krb4_services; *service; service++) { - kerror = krb_rd_req(&ticket, *service, instance, - his_addr.sin_addr.s_addr, - &kdata, keyfile); - /* Success */ - if(!kerror) break; - } - /* rd_req failed.... */ - if(kerror) { - secure_error("ADAT: Kerberos V4 krb_rd_req: %s", - krb_get_err_text(kerror)); - return(0); - } - - /* add one to the (formerly) sealed checksum, and re-seal it */ - cksum = kdata.checksum + 1; - cksum = htonl(cksum); - key_sched(kdata.session,schedule); - if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum), - &kdata.session,&ctrl_addr, &his_addr)) == -1) { - secure_error("ADAT: krb_mk_safe failed"); - return(0); - } - if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) { - secure_error("ADAT: reply too long"); - return(0); - } - - kerror = radix_encode(out_buf, buf, &length, 0); - if (kerror) { - secure_error("Couldn't encode ADAT reply (%s)", - radix_error(kerror)); - return(0); - } - reply(235, "ADAT=%s", buf); - /* Kerberos V4 authentication succeeded */ - auth_type = temp_auth_type; - temp_auth_type = NULL; - return(1); - } -#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI if (strcmp(temp_auth_type, "GSSAPI") == 0) { int replied = 0; 
@@ -2920,11 +2702,6 @@ ftpd_gss_convert_creds(name, creds) OM_uint32 major_status, minor_status; krb5_principal me; char ccname[MAXPATHLEN]; -#ifdef KRB5_KRB4_COMPAT - krb5_principal kpcserver; - krb5_creds increds, *v5creds; - CREDENTIALS v4creds; -#endif /* Set up ccache */ if (krb5_parse_name(kcontext, name, &me)) @@ -2942,48 +2719,9 @@ ftpd_gss_convert_creds(name, creds) if (major_status != GSS_S_COMPLETE) goto cleanup; -#ifdef KRB5_KRB4_COMPAT - /* Convert krb5 creds to krb4 */ - - if (krb5_build_principal_ext(kcontext, &kpcserver, - krb5_princ_realm(kcontext, me)->length, - krb5_princ_realm(kcontext, me)->data, - 6, "krbtgt", - krb5_princ_realm(kcontext, me)->length, - krb5_princ_realm(kcontext, me)->data, - 0)) - goto cleanup; - - memset((char *) &increds, 0, sizeof(increds)); - increds.client = me; - increds.server = kpcserver; - increds.times.endtime = 0; - increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - if (krb5_get_credentials(kcontext, 0, ccache, &increds, &v5creds)) - goto cleanup; - if (krb524_convert_creds_kdc(kcontext, v5creds, &v4creds)) - goto cleanup; - - snprintf(ccname, sizeof(ccname), "%s_ftpd%ld", - TKT_ROOT, (long) getpid()); - krb_set_tkt_string(ccname); - - if (in_tkt(v4creds.pname, v4creds.pinst) != KSUCCESS) - goto cleanup; - - if (krb_save_credentials(v4creds.service, v4creds.instance, - v4creds.realm, v4creds.session, - v4creds.lifetime, v4creds.kvno, - &(v4creds.ticket_st), v4creds.issue_date)) - goto cleanup_v4; -#endif /* KRB5_KRB4_COMPAT */ have_creds = 1; return; -#ifdef KRB5_KRB4_COMPAT -cleanup_v4: - dest_tkt(); -#endif cleanup: krb5_cc_destroy(kcontext, ccache); } diff --git a/src/appl/telnet/configure.in b/src/appl/telnet/configure.in index 7285696bc..fc91a5a82 100644 --- a/src/appl/telnet/configure.in +++ b/src/appl/telnet/configure.in 
@@ -18,12 +18,6 @@ fi dnl KRB5_NEED_PROTO([#include ],setenv) AC_C_CONST -if test "$KRB4_LIB" = ''; then - AC_MSG_RESULT(No Kerberos 4 authentication) -else - AC_MSG_RESULT(Kerberos 4 authentication enabled) - AC_DEFINE(KRB4,1,[Define if krb4 authentication is enabled]) -fi KRB5_BUILD_LIBRARY KRB5_BUILD_LIBOBJS dnl @@ -81,12 +75,6 @@ KRB5_NEED_PROTO([#include #include ],herror,1) dnl CHECK_SIGNALS -if test "$KRB4_LIB" = ''; then - AC_MSG_RESULT(No Kerberos 4 authentication) -else - AC_MSG_RESULT(Kerberos 4 authentication enabled) - AC_DEFINE(KRB4) -fi dnl KRB5_BUILD_PROGRAM dnl diff --git a/src/appl/telnet/libtelnet/Makefile.in b/src/appl/telnet/libtelnet/Makefile.in index 5d81f17cb..fbfedf695 100644 --- a/src/appl/telnet/libtelnet/Makefile.in +++ b/src/appl/telnet/libtelnet/Makefile.in @@ -25,7 +25,7 @@ BUILDTOP=$(REL)..$(S)..$(S).. # AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION -DKRB5 -DFORWARD \ -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN -LOCALINCLUDES=-I.. -I$(srcdir)/.. @KRB4_INCLUDES@ +LOCALINCLUDES=-I.. -I$(srcdir)/.. DEFINES = -DTELNET_BUFSIZE=65535 $(AUTH_DEF) LIBOBJS=@LIBOBJS@ @@ -42,7 +42,6 @@ SRCS= $(srcdir)/auth.c \ $(srcdir)/encrypt.c \ $(srcdir)/genget.c \ $(srcdir)/misc.c \ - $(srcdir)/kerberos.c \ $(srcdir)/kerberos5.c \ $(srcdir)/forward.c \ $(srcdir)/enc_des.c \ @@ -57,7 +56,7 @@ SRCS= $(srcdir)/auth.c \ $(srcdir)/strerror.c STLIBOBJS= auth.o encrypt.o genget.o \ - misc.o kerberos.o kerberos5.o forward.o enc_des.o \ + misc.o kerberos5.o forward.o enc_des.o \ $(LIBOBJS) getent.o $(SETENVOBJ) TELNET_H= $(srcdir)/../arpa/telnet.h @@ -73,10 +72,6 @@ auth.o: misc-proto.h encrypt.o: $(TELNET_H) encrypt.o: encrypt.h encrypt.o: misc.h -kerberos.o: $(TELNET_H) -kerberos.o: encrypt.h -kerberos.o: auth.h -kerberos.o: misc.h kerberos5.o: $(TELNET_H) kerberos5.o: encrypt.h kerberos5.o: auth.h 
@@ -105,9 +100,6 @@ genget.so genget.po $(OUTPRE)genget.$(OBJEXT): genget.c \ misc-proto.h misc.h misc.so misc.po $(OUTPRE)misc.$(OBJEXT): auth-proto.h \ auth.h enc-proto.h encrypt.h misc-proto.h misc.c misc.h -kerberos.so kerberos.po $(OUTPRE)kerberos.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5.h \ - kerberos.c kerberos5.so kerberos5.po $(OUTPRE)kerberos5.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ diff --git a/src/appl/telnet/libtelnet/auth-proto.h b/src/appl/telnet/libtelnet/auth-proto.h index 6b4957032..faf806fad 100644 --- a/src/appl/telnet/libtelnet/auth-proto.h +++ b/src/appl/telnet/libtelnet/auth-proto.h @@ -86,15 +86,6 @@ void auth_debug (int); void auth_printsub (unsigned char *, int, unsigned char *, unsigned int); -#ifdef KRB4 -int kerberos4_init (Authenticator *, int); -int kerberos4_send (Authenticator *); -void kerberos4_is (Authenticator *, unsigned char *, int); -void kerberos4_reply (Authenticator *, unsigned char *, int); -int kerberos4_status (Authenticator *, char *, int); -void kerberos4_printsub (unsigned char *, int, unsigned char *, unsigned int); -#endif - #ifdef KRB5 int kerberos5_init (Authenticator *, int); int kerberos5_send (Authenticator *); diff --git a/src/appl/telnet/libtelnet/auth.c b/src/appl/telnet/libtelnet/auth.c index 84dc5eb5c..1a1006605 100644 --- a/src/appl/telnet/libtelnet/auth.c +++ b/src/appl/telnet/libtelnet/auth.c 
@@ -141,24 +141,6 @@ Authenticator authenticators[] = { kerberos5_reply, kerberos5_status, kerberos5_printsub }, -#endif -#ifdef KRB4 -# ifdef ENCRYPTION - { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, - kerberos4_init, - kerberos4_send, - kerberos4_is, - kerberos4_reply, - kerberos4_status, - kerberos4_printsub }, -# endif /* ENCRYPTION */ - { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, - kerberos4_init, - kerberos4_send, - kerberos4_is, - kerberos4_reply, - kerberos4_status, - kerberos4_printsub }, #endif { 0, }, }; diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c deleted file mode 100644 index 925e9023e..000000000 --- a/src/appl/telnet/libtelnet/kerberos.c +++ /dev/null 
@@ -1,744 +0,0 @@
-/*-
- * Copyright (c) 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* based on @(#)kerberos.c 8.1 (Berkeley) 6/4/93 */
-
-/*
- * Copyright (C) 1990 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress.
not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#ifdef KRB4 -/* this code must be compiled in the krb5 tree. disgustingly, there - is code in here which declares structures which happen to mirror - the krb4 des structures. I didn't want to rototill this *completely* - so this is how it's going to work. --marc */ -#include -#include -#include -#include -#include -#include /* BSD wont include this in krb.h, so we do it here */ -#include -#ifdef __STDC__ -#include -#endif -#ifdef HAVE_STRING_H -#include -#else -#include -#endif - -#include "encrypt.h" -#include "auth.h" -#include "misc.h" - -extern int auth_debug_mode; -extern krb5_context telnet_context; - -int kerberos4_cksum (unsigned char *, int); - -static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_KERBEROS_V4, }; -#if 0 -static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, - TELQUAL_NAME, }; -#endif - -#define KRB_AUTH 0 /* Authentication data follows */ -#define KRB_REJECT 1 /* Rejected (reason might follow) */ -#define KRB_ACCEPT 2 /* Accepted */ -#define KRB_CHALLENGE 3 /* Challenge for mutual auth. */ -#define KRB_RESPONSE 4 /* Response for mutual auth. 
*/ - -#define KRB_SERVICE_NAME "rcmd" - -static KTEXT_ST auth; -static char name[ANAME_SZ]; -static AUTH_DAT adat = { 0 }; -#ifdef ENCRYPTION -static Block session_key = { 0 }; -static krb5_keyblock krbkey; -static Block challenge = { 0 }; -#endif /* ENCRYPTION */ - - static int -Data(ap, type, d, c) - Authenticator *ap; - int type; - const void *d; - int c; -{ - unsigned char *p = str_data + 4; - const unsigned char *cd = (const unsigned char *)d; - size_t spaceleft = sizeof(str_data) - 4; - if (c == -1) - c = strlen((const char *)cd); - - if (auth_debug_mode) { - printf("%s:%d: [%d] (%d)", - str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", - str_data[3], - type, c); - printd(d, c); - printf("\r\n"); - } - *p++ = ap->type; - *p++ = ap->way; - *p++ = type; - spaceleft -= 3; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) { - *p++ = IAC; - spaceleft--; - } - if ((--spaceleft < 4) && c) { - errno = ENOMEM; - return -1; - } - } - *p++ = IAC; - *p++ = SE; - if (str_data[3] == TELQUAL_IS) - printsub('>', &str_data[2], p - (&str_data[2])); - return(net_write(str_data, p - str_data)); -} - - int -kerberos4_init(ap, server) - Authenticator *ap; - int server; -{ - FILE *fp; - - if (server) { - str_data[3] = TELQUAL_REPLY; - if ((fp = fopen(KEYFILE, "r")) == NULL) - return(0); - fclose(fp); - } else { - str_data[3] = TELQUAL_IS; - } - - kerberos5_init(NULL, server); - - return(1); -} - -char dst_realm_buf[REALM_SZ], *dest_realm = NULL; -unsigned int dst_realm_sz = REALM_SZ; - - int -kerberos4_send(ap) - Authenticator *ap; -{ - KTEXT_ST kauth; - char instance[INST_SZ]; - char *realm; - char *krb_realmofhost(); - char *krb_get_phost(); - CREDENTIALS cred; - int r; -#ifdef ENCRYPTION - krb5_data data; - krb5_enc_data encdata; - krb5_error_code code; - krb5_keyblock rand_key; -#endif - - printf("[ Trying KERBEROS4 ... 
]\r\n"); - if (!UserNameRequested) { - if (auth_debug_mode) { - printf("Kerberos V4: no user name supplied\r\n"); - } - return(0); - } - - memset(instance, 0, sizeof(instance)); - - if ((realm = krb_get_phost(RemoteHostName))) - strncpy(instance, realm, sizeof(instance)); - - instance[sizeof(instance)-1] = '\0'; - - realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName); - - if (!realm) { - printf("Kerberos V4: no realm for %s\r\n", RemoteHostName); - return(0); - } - if ((r = krb_mk_req(&kauth, KRB_SERVICE_NAME, instance, realm, 0))) { - printf("mk_req failed: %s\r\n", krb_get_err_text(r)); - return(0); - } - if ((r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred))) { - printf("get_cred failed: %s\r\n", krb_get_err_text(r)); - return(0); - } - if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { - if (auth_debug_mode) - printf("Not enough room for user name\r\n"); - return(0); - } - if (auth_debug_mode) - printf("Sent %d bytes of authentication data\r\n", kauth.length); - if (!Data(ap, KRB_AUTH, (void *)kauth.dat, kauth.length)) { - if (auth_debug_mode) - printf("Not enough room for authentication data\r\n"); - return(0); - } -#ifdef ENCRYPTION - /* - * If we are doing mutual authentication, get set up to send - * the challenge, and verify it when the response comes back. 
- */ - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - register int i; - - data.data = cred.session; - data.length = 8; /* sizeof(cred.session) */; - - if ((code = krb5_c_random_seed(telnet_context, &data))) { - com_err("libtelnet", code, - "while seeding random number generator"); - return(0); - } - - if ((code = krb5_c_make_random_key(telnet_context, - ENCTYPE_DES_CBC_RAW, - &rand_key))) { - com_err("libtelnet", code, - "while creating random session key"); - return(0); - } - - /* the krb4 code uses ecb mode, but on a single block - with a zero ivec, ecb and cbc are the same */ - krbkey.enctype = ENCTYPE_DES_CBC_RAW; - krbkey.length = 8; - krbkey.contents = cred.session; - - encdata.ciphertext.data = rand_key.contents; - encdata.ciphertext.length = rand_key.length; - encdata.enctype = ENCTYPE_UNKNOWN; - - data.data = session_key; - data.length = 8; - - code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0, - &encdata, &data); - - krb5_free_keyblock_contents(telnet_context, &rand_key); - - if (code) { - com_err("libtelnet", code, "while encrypting random key"); - return(0); - } - - encdata.ciphertext.data = session_key; - encdata.ciphertext.length = 8; - encdata.enctype = ENCTYPE_UNKNOWN; - - data.data = challenge; - data.length = 8; - - code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0, - &encdata, &data); - - /* - * Increment the challenge by 1, and encrypt it for - * later comparison. 
- */ - for (i = 7; i >= 0; --i) { - register int x; - x = (unsigned int)challenge[i] + 1; - challenge[i] = x; /* ignore overflow */ - if (x < 256) /* if no overflow, all done */ - break; - } - - data.data = challenge; - data.length = 8; - - encdata.ciphertext.data = challenge; - encdata.ciphertext.length = 8; - encdata.enctype = ENCTYPE_UNKNOWN; - - if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0, - &data, &encdata))) { - com_err("libtelnet", code, "while encrypting random key"); - return(0); - } - } -#endif /* ENCRYPTION */ - - if (auth_debug_mode) { - printf("CK: %d:", kerberos4_cksum(kauth.dat, kauth.length)); - printd(kauth.dat, kauth.length); - printf("\r\n"); - printf("Sent Kerberos V4 credentials to server\r\n"); - } - return(1); -} - - void -kerberos4_is(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ -#ifdef ENCRYPTION - Session_Key skey; - Block datablock, tmpkey; - krb5_data kdata; - krb5_enc_data encdata; - krb5_error_code code; -#endif /* ENCRYPTION */ - char realm[REALM_SZ]; - char instance[INST_SZ]; - int r; - - if (cnt-- < 1) - return; - switch (*data++) { - case KRB_AUTH: - if (krb_get_lrealm(realm, 1) != KSUCCESS) { - Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1); - auth_finished(ap, AUTH_REJECT); - if (auth_debug_mode) - printf("No local realm\r\n"); - return; - } - memcpy((void *)auth.dat, (void *)data, auth.length = cnt); - if (auth_debug_mode) { - printf("Got %d bytes of authentication data\r\n", cnt); - printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length)); - printd(auth.dat, auth.length); - printf("\r\n"); - } - instance[0] = '*'; instance[1] = 0; - if ((r = krb_rd_req(&auth, KRB_SERVICE_NAME, - instance, 0, &adat, ""))) { - if (auth_debug_mode) - printf("Kerberos failed him as %s\r\n", name); - Data(ap, KRB_REJECT, (const void *)krb_get_err_text(r), -1); - auth_finished(ap, AUTH_REJECT); - return; - } -#ifdef ENCRYPTION - memcpy((void *)session_key, (void *)adat.session, sizeof(Block)); -#endif 
/* ENCRYPTION */ - krb_kntoln(&adat, name); - - if (UserNameRequested && !kuserok(&adat, UserNameRequested)) - Data(ap, KRB_ACCEPT, (void *)0, 0); - else - Data(ap, KRB_REJECT, - (void *)"user is not authorized", -1); - auth_finished(ap, AUTH_USER); - break; - - case KRB_CHALLENGE: -#ifndef ENCRYPTION - Data(ap, KRB_RESPONSE, (void *)0, 0); -#else /* ENCRYPTION */ - if (!VALIDKEY(session_key)) { - /* - * We don't have a valid session key, so just - * send back a response with an empty session - * key. - */ - Data(ap, KRB_RESPONSE, (void *)0, 0); - break; - } - - /* - * Initialize the random number generator since it's - * used later on by the encryption routine. - */ - - kdata.data = session_key; - kdata.length = 8; - - if ((code = krb5_c_random_seed(telnet_context, &kdata))) { - com_err("libtelnet", code, - "while seeding random number generator"); - return; - } - - memcpy((void *)datablock, (void *)data, sizeof(Block)); - /* - * Take the received encrypted challenge, and encrypt - * it again to get a unique session_key for the - * ENCRYPT option. - */ - krbkey.enctype = ENCTYPE_DES_CBC_RAW; - krbkey.length = 8; - krbkey.contents = session_key; - - kdata.data = datablock; - kdata.length = 8; - - encdata.ciphertext.data = tmpkey; - encdata.ciphertext.length = 8; - encdata.enctype = ENCTYPE_UNKNOWN; - - if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0, - &kdata, &encdata))) { - com_err("libtelnet", code, "while encrypting random key"); - return; - } - - skey.type = SK_DES; - skey.length = 8; - skey.data = tmpkey; - encrypt_session_key(&skey, 1); - /* - * Now decrypt the received encrypted challenge, - * increment by one, re-encrypt it and send it back. 
- */ - encdata.ciphertext.data = datablock; - encdata.ciphertext.length = 8; - encdata.enctype = ENCTYPE_UNKNOWN; - - kdata.data = challenge; - kdata.length = 8; - - if ((code = krb5_c_decrypt(telnet_context, &krbkey, 0, 0, - &encdata, &kdata))) { - com_err("libtelnet", code, "while decrypting challenge"); - return; - } - - for (r = 7; r >= 0; r--) { - register int t; - t = (unsigned int)challenge[r] + 1; - challenge[r] = t; /* ignore overflow */ - if (t < 256) /* if no overflow, all done */ - break; - } - - kdata.data = challenge; - kdata.length = 8; - - encdata.ciphertext.data = challenge; - encdata.ciphertext.length = 8; - encdata.enctype = ENCTYPE_UNKNOWN; - - if ((code = krb5_c_encrypt(telnet_context, &krbkey, 0, 0, - &kdata, &encdata))) { - com_err("libtelnet", code, "while decrypting challenge"); - return; - } - - Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge)); -#endif /* ENCRYPTION */ - break; - - default: - if (auth_debug_mode) - printf("Unknown Kerberos option %d\r\n", data[-1]); - Data(ap, KRB_REJECT, 0, 0); - break; - } -} - - void -kerberos4_reply(ap, data, cnt) - Authenticator *ap; - unsigned char *data; - int cnt; -{ -#ifdef ENCRYPTION - Session_Key skey; - krb5_data kdata; - krb5_enc_data encdata; - krb5_error_code code; - -#endif /* ENCRYPTION */ - - if (cnt-- < 1) - return; - switch (*data++) { - case KRB_REJECT: - if (cnt > 0) { - printf("[ Kerberos V4 refuses authentication because %.*s ]\r\n", - cnt, data); - } else - printf("[ Kerberos V4 refuses authentication ]\r\n"); - auth_send_retry(); - return; - case KRB_ACCEPT: - printf("[ Kerberos V4 accepts you ]\r\n"); - if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - /* - * Send over the encrypted challenge. 
- */ -#ifndef ENCRYPTION - Data(ap, KRB_CHALLENGE, (void *)0, 0); -#else /* ENCRYPTION */ - Data(ap, KRB_CHALLENGE, (void *)session_key, - sizeof(session_key)); - - kdata.data = session_key; - kdata.length = 8; - - encdata.ciphertext.data = session_key; - encdata.ciphertext.length = 8; - encdata.enctype = ENCTYPE_UNKNOWN; - - if ((code = krb5_c_encrypt(telnet_context, &krbkey, - 0, 0, &kdata, &encdata))) { - com_err("libtelnet", code, - "while encrypting session_key"); - return; - } - - skey.type = SK_DES; - skey.length = 8; - skey.data = session_key; - encrypt_session_key(&skey, 0); -#endif /* ENCRYPTION */ - return; - } - auth_finished(ap, AUTH_USER); - return; - case KRB_RESPONSE: -#ifdef ENCRYPTION - /* - * Verify that the response to the challenge is correct. - */ - if ((cnt != sizeof(Block)) || - (0 != memcmp((void *)data, (void *)challenge, - sizeof(challenge)))) - { -#endif /* ENCRYPTION */ - printf("[ Kerberos V4 challenge failed!!! ]\r\n"); - auth_send_retry(); - return; -#ifdef ENCRYPTION - } - printf("[ Kerberos V4 challenge successful ]\r\n"); - auth_finished(ap, AUTH_USER); -#endif /* ENCRYPTION */ - break; - default: - if (auth_debug_mode) - printf("Unknown Kerberos option %d\r\n", data[-1]); - return; - } -} - - int -kerberos4_status(ap, kname, level) - Authenticator *ap; - char *kname; - int level; -{ - if (level < AUTH_USER) - return(level); - - /* - * Always copy in UserNameRequested if the authentication - * is valid, because the higher level routines need it. 
- */ - if (UserNameRequested) { - /* the name buffer comes from telnetd/telnetd{-ktd}.c */ - strncpy(kname, UserNameRequested, 255); - kname[255] = '\0'; - } - - if (UserNameRequested && !kuserok(&adat, UserNameRequested)) { - return(AUTH_VALID); - } else - return(AUTH_USER); -} - -#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} -#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} - - void -kerberos4_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt; - unsigned int buflen; -{ - char lbuf[32]; - register int i; - - buf[buflen-1] = '\0'; /* make sure its NULL terminated */ - buflen -= 1; - - switch(data[3]) { - case KRB_REJECT: /* Rejected (reason might follow) */ - strncpy((char *)buf, " REJECT ", buflen); - goto common; - - case KRB_ACCEPT: /* Accepted (name might follow) */ - strncpy((char *)buf, " ACCEPT ", buflen); - common: - BUMP(buf, buflen); - if (cnt <= 4) - break; - ADDC(buf, buflen, '"'); - for (i = 4; i < cnt; i++) - ADDC(buf, buflen, data[i]); - ADDC(buf, buflen, '"'); - ADDC(buf, buflen, '\0'); - break; - - case KRB_AUTH: /* Authentication data follows */ - strncpy((char *)buf, " AUTH", buflen); - goto common2; - - case KRB_CHALLENGE: - strncpy((char *)buf, " CHALLENGE", buflen); - goto common2; - - case KRB_RESPONSE: - strncpy((char *)buf, " RESPONSE", buflen); - goto common2; - - default: - snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]); - strncpy((char *)buf, lbuf, buflen); - common2: - BUMP(buf, buflen); - for (i = 4; i < cnt; i++) { - snprintf(lbuf, sizeof(lbuf), " %d", data[i]); - strncpy((char *)buf, lbuf, buflen); - BUMP(buf, buflen); - } - break; - } -} - - int -kerberos4_cksum(d, n) - unsigned char *d; - int n; -{ - int ck = 0; - - /* - * A comment is probably needed here for those not - * well versed in the "C" language. Yes, this is - * supposed to be a "switch" with the body of the - * "switch" being a "while" statement. 
The whole - * purpose of the switch is to allow us to jump into - * the middle of the while() loop, and then not have - * to do any more switch()s. - * - * Some compilers will spit out a warning message - * about the loop not being entered at the top. - */ - switch (n&03) - while (n > 0) { - case 0: - ck ^= (int)*d++ << 24; - --n; - case 3: - ck ^= (int)*d++ << 16; - --n; - case 2: - ck ^= (int)*d++ << 8; - --n; - case 1: - ck ^= (int)*d++; - --n; - } - return(ck); -} -#else -#include -#include - -#endif - -#ifdef notdef - -prkey(msg, key) - char *msg; - unsigned char *key; -{ - register int i; - printf("%s:", msg); - for (i = 0; i < 8; i++) - printf(" %3d", key[i]); - printf("\r\n"); -} -#endif diff --git a/src/appl/telnet/telnet/Makefile.in b/src/appl/telnet/telnet/Makefile.in index e17d458cc..098649888 100644 --- a/src/appl/telnet/telnet/Makefile.in +++ b/src/appl/telnet/telnet/Makefile.in @@ -47,8 +47,8 @@ OBJS= authenc.o commands.o main.o network.o ring.o sys_bsd.o \ all:: telnet -telnet: $(OBJS) $(KRB4COMPAT_DEPLIBS) ../libtelnet/libtelnet.a - $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(KRB4COMPAT_LIBS) +telnet: $(OBJS) $(KRB5_BASE_DEPLIBS) ../libtelnet/libtelnet.a + $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(KRB5_BASE_LIBS) clean:: $(RM) telnet diff --git a/src/appl/telnet/telnet/main.c b/src/appl/telnet/telnet/main.c index 77832f912..c1dc2049a 100644 --- a/src/appl/telnet/telnet/main.c +++ b/src/appl/telnet/telnet/main.c @@ -235,14 +235,6 @@ main(argc, argv) #endif break; case 'k': -#if defined(AUTHENTICATION) && defined(KRB4) - { - extern char *dest_realm, dst_realm_buf[]; - extern unsigned int dst_realm_sz; - dest_realm = dst_realm_buf; - (void)strncpy(dest_realm, optarg, dst_realm_sz); - } -#endif #if defined(AUTHENTICATION) && defined(KRB5) { extern char *telnet_krb5_realm; 
@@ -250,8 +242,7 @@ main(argc, argv) telnet_krb5_realm = optarg; break; } -#endif -#if !defined(AUTHENTICATION) || (!defined(KRB4) && !defined(KRB5)) +#else fprintf(stderr, "%s: Warning: -k ignored, no Kerberos V4 support.\n", prompt); diff --git a/src/appl/telnet/telnetd/Makefile.in b/src/appl/telnet/telnetd/Makefile.in index a6107ff26..622aa2959 100644 --- a/src/appl/telnet/telnetd/Makefile.in +++ b/src/appl/telnet/telnetd/Makefile.in @@ -30,7 +30,7 @@ LOCALINCLUDES=-I.. -I$(srcdir)/.. DEFINES = -DTELNET_BUFSIZE=65535 $(AUTH_DEF) $(OTHERDEFS) ARPA_TELNET= $(srcdir)/../arpa/telnet.h -PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) +PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) LIBS= @TELNETD_LIBS@ @@ -60,8 +60,8 @@ OBJS= telnetd.o \ all:: telnetd -telnetd: $(OBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) ../libtelnet/libtelnet.a - $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) +telnetd: $(OBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) ../libtelnet/libtelnet.a + $(CC_LINK) -o $@ $(OBJS) ../libtelnet/libtelnet.a $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) clean:: $(RM) telnetd -- 2.26.2
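Review bot: The warning kept under the new `#else` in telnet/main.c still reads "-k ignored, no Kerberos V4 support.", but after this commit `-k` is only the Kerberos V5 realm option (the preceding hunk removes the KRB4 handling for it), so the message now points users at a feature the build no longer has. The `#else` branch is taken when AUTHENTICATION or KRB5 is not defined, so it should name the support that is actually missing: `"%s: Warning: -k ignored, no Kerberos V5 support.\n",`. It is also worth confirming that the telnet man page's description of `-k` no longer mentions Kerberos V4, as ftp.M was updated for gssftp in this same commit; that file is not in the diff. The enclosing `main()` begins and ends outside this hunk.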