
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-257-g43b50


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-257-g43b50bb
Date: Fri, 15 Mar 2013 01:24:19 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  43b50bb11e6aec4b92de64807967f1173eb4326b (commit)
       via  45025971e1124701e522260850eb28cba51822d7 (commit)
       via  9a5bd6a12d74c10ce9654f702c6cce947e344074 (commit)
      from  92a015531592b9bb4ec83ea572f2d2288fed34e9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=43b50bb11e6aec4b92de64807967f1173eb4326b


commit 43b50bb11e6aec4b92de64807967f1173eb4326b
Author: Mats Erik Andersson <address@hidden>
Date:   Fri Mar 15 01:14:04 2013 +0100

    rshd: Differentiate PAM services.

diff --git a/ChangeLog b/ChangeLog
index f8e9d6c..39256c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2013-03-15  Mats Erik Andersson  <address@hidden>
+
+       rshd: Differentiate PAM services.
+
+       * src/rshd.c (service) [WITH_PAM]: New variable.
+       (doc) [WITH_PAM && (KERBEROS || SHISHI)]:
+       Mention `krsh' in description.
+       (doit) [WITH_PAM && (KERBEROS || SHISHI)]:
+       Set PAM service type to "krsh" for kerberised action,
+       and "rsh" otherwise.
+       [WITH_PAM]: Pass `service' to pam_start() and to
+       pam_set_item(PAM_TTY).
+       (rsh_conv) [WITH_PAM]: Add _GL_UNUSED_PARAMETER to the
+       function parameter `data'.
+
 2013-03-14  Mats Erik Andersson  <address@hidden>
 
        rlogind: PAM support with libshishi.
diff --git a/src/rshd.c b/src/rshd.c
index 2684d03..5ed460e 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -303,9 +303,13 @@ parse_opt (int key, char *arg, struct argp_state *state 
_GL_UNUSED_PARAMETER)
 
 const char doc[] =
 #ifdef WITH_PAM
-                  "Remote shell server, using PAM service 'rsh'.";
+# if defined KERBEROS || defined SHISHI
+  "Remote shell server, using PAM services 'rsh' and 'krsh'.";
+# else
+  "Remote shell server, using PAM service 'rsh'.";
+# endif
 #else /* !WITH_PAM */
-                  "Remote shell server.";
+  "Remote shell server.";
 #endif
 static struct argp argp = { options, parse_opt, NULL, doc, NULL, NULL, NULL};
 
@@ -423,6 +427,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
 #if defined WITH_IRUSEROK_AF && !defined WITH_PAM
   void * fromaddrp;    /* Pointer to remote address.  */
 #endif
+#ifdef WITH_PAM
+  char *service;
+#endif
 
 #ifdef KERBEROS
   AUTH_DAT *kdata = (AUTH_DAT *) NULL;
@@ -1017,13 +1024,20 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
     }
 
 #ifdef WITH_PAM
-  pam_rc = pam_start ("rsh", locuser, &pam_conv, &pam_handle);
+# if defined KERBEROS || defined SHISHI
+  if (use_kerberos)
+    service = "krsh";
+  else
+# endif
+    service = "rsh";
+
+  pam_rc = pam_start (service, locuser, &pam_conv, &pam_handle);
   if (pam_rc == PAM_SUCCESS)
     pam_rc = pam_set_item (pam_handle, PAM_RHOST, hostname);
   if (pam_rc == PAM_SUCCESS)
     pam_rc = pam_set_item (pam_handle, PAM_RUSER, remuser);
   if (pam_rc == PAM_SUCCESS)
-    pam_rc = pam_set_item (pam_handle, PAM_TTY, "rsh");
+    pam_rc = pam_set_item (pam_handle, PAM_TTY, service);
   if (pam_rc != PAM_SUCCESS)
     {
       errorstr = "Try again.\n";
@@ -1782,7 +1796,8 @@ topdomain (const char *h)
  */
 static int
 rsh_conv (int num, const struct pam_message **pam_msg,
-           struct pam_response **pam_resp, void *data)
+           struct pam_response **pam_resp,
+           void *data _GL_UNUSED_PARAMETER)
 {
   struct pam_response *resp;
 

http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=45025971e1124701e522260850eb28cba51822d7


commit 45025971e1124701e522260850eb28cba51822d7
Author: Mats Erik Andersson <address@hidden>
Date:   Fri Mar 15 00:40:15 2013 +0100

    rlogind: PAM support with libshishi.

diff --git a/ChangeLog b/ChangeLog
index 9e460ce..f8e9d6c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,19 @@
 2013-03-14  Mats Erik Andersson  <address@hidden>
 
+       rlogind: PAM support with libshishi.
+
+       * src/rlogind.c (doc) [WITH_PAM && SHISHI]:
+       Mention `krlogin' in description.
+       (do_pam_check) [WITH_PAM]: New function,
+       refactored from previous code in do_rlogin().
+       (do_rlogin) [WITH_PAM]: Remove variable USER.
+       Replace code block by a call to do_pam_check()
+       for service `rlogin'.
+       (do_shishi_login) [SHISHI && WITH_PAM]:
+       Call do_pam_check() for service `krlogin'.
+
+2013-03-14  Mats Erik Andersson  <address@hidden>
+
        * src/rlogind.c (do_shishi_login) [SHISHI]:
        Do not free the static pointer PWD!
        Call getpwnam() for verification that local
diff --git a/src/rlogind.c b/src/rlogind.c
index c2e2abb..681d59e 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -21,9 +21,10 @@
 /*
  * PAM implementation by Mats Erik Andersson.
  *
- * The service name `rlogin' is regitered, and two modules
- * `auth' and `account' are called for confirmation.
- * These two modules suffice, since further verification
+ * The service names `rlogin' and `krlogin' are registered,
+ * the latter when Shishi support is included, and two
+ * facilities `auth' and `account' are used for confirmation.
+ * These two facilities suffice, since further verification
  * is completed by login(1), which continues where `rlogind'
  * hands off execution.
  *
@@ -55,10 +56,6 @@
  *
  */
 
-/*
- * TODO: Implement PAM also for Shishi/Kerberos.
- */
-
 #include <config.h>
 
 #include <signal.h>
@@ -294,6 +291,10 @@ char *topdomain (char *name, int max_dots);
 int do_shishi_login (int infd, struct auth_data *ad, const char **err_msg);
 #endif
 
+#ifdef WITH_PAM
+int do_pam_check (int infd, struct auth_data *ap, const char *service);
+#endif
+
 void
 rlogind_sigchld (int signo _GL_UNUSED_PARAMETER)
 {
@@ -413,7 +414,11 @@ check_host (struct sockaddr *sa, socklen_t len)
 
 const char doc[] =
 #ifdef WITH_PAM
+# ifdef SHISHI
+  "Remote login server, using PAM service 'rlogin' and 'krlogin'.";
+# else /* !SHISHI */
   "Remote login server, using PAM service 'rlogin'.";
+# endif
 #else /* !WITH_PAM */
   "Remote login server";
 #endif
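Review bot: The new help string at line 205 says `PAM service 'rlogin' and 'krlogin'` while listing two services; the rshd counterpart in the first commit uses the plural, so for consistency this should read `"Remote login server, using PAM services 'rlogin' and 'krlogin'."`.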
@@ -1254,9 +1259,6 @@ do_rlogin (int infd, struct auth_data *ap)
 {
   struct passwd *pwd;
   int rc;
-#ifdef WITH_PAM
-  char *user;
-#endif
 #if defined WITH_IRUSEROK_AF || defined WITH_IRUSEROK
   void *addrp;
 
@@ -1288,115 +1290,9 @@ do_rlogin (int infd, struct auth_data *ap)
     }
 
 #ifdef WITH_PAM
-  pam_rc = pam_start ("rlogin", ap->lusername, &pam_conv, &pam_handle);
-  if (pam_rc == PAM_SUCCESS)
-    pam_rc = pam_set_item (pam_handle, PAM_RHOST, ap->hostname);
-  if (pam_rc == PAM_SUCCESS)
-    pam_rc = pam_set_item (pam_handle, PAM_RUSER, ap->rusername);
-  if (pam_rc == PAM_SUCCESS)
-    pam_rc = pam_set_item (pam_handle, PAM_TTY, "rlogin");
-  if (pam_rc == PAM_SUCCESS)
-    pam_rc = pam_get_item (pam_handle, PAM_USER, (const void **) &user);
-  if (pam_rc != PAM_SUCCESS)
-    {
-      if (pam_handle)
-       pam_end (pam_handle, pam_rc);
-
-      /* Failed set-up is deemed serious.  Abort!  */
-      syslog (LOG_ERR | LOG_AUTH, "PAM set-up failed.");
-      fatal (infd, "Permission denied", 0);
-    }
-
-  pam_rc = pam_authenticate (pam_handle, PAM_SILENT);
-  if (pam_rc != PAM_SUCCESS)
-    {
-      switch (pam_rc)
-       {
-       case PAM_ABORT:
-         /* Serious enough to merit immediate abortion.  */
-         pam_end (pam_handle, pam_rc);
-         syslog (LOG_ERR | LOG_AUTH, "PAM authentication said PAM_ABORT.");
-         exit (EXIT_FAILURE);
-
-       case PAM_NEW_AUTHTOK_REQD:
-         pam_rc = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
-         if (pam_rc == PAM_SUCCESS)
-           pam_rc = pam_authenticate (pam_handle, PAM_SILENT);
-         break;
-
-       default:
-         break;                        /* Non-zero status.  */
-       }
-    }
-
-  if (pam_rc != PAM_SUCCESS)
-    {
-      syslog (LOG_NOTICE | LOG_AUTH,
-             "PAM authentication of '%s' from %s(%s): %s",
-             user, ap->hostname, ap->hostaddr,
-             pam_strerror (pam_handle, pam_rc));
-      pam_end (pam_handle, pam_rc);
-
-      return pam_rc;
-    }
-
-  pam_rc = pam_acct_mgmt (pam_handle, PAM_SILENT);
-  if (pam_rc != PAM_SUCCESS)
-    {
-      switch (pam_rc)
-       {
-       case PAM_NEW_AUTHTOK_REQD:
-         pam_rc = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
-         if (pam_rc == PAM_SUCCESS)
-           pam_rc = pam_acct_mgmt (pam_handle, PAM_SILENT);
-         break;
-
-       case PAM_ACCT_EXPIRED:
-       case PAM_AUTH_ERR:
-       case PAM_PERM_DENIED:
-       case PAM_USER_UNKNOWN:
-       default:
-         break;                        /* Non-zero status.  */
-       }
-    }
-
-  if (pam_rc != PAM_SUCCESS)
-    {
-      syslog (LOG_INFO | LOG_AUTH,
-             "PAM accounting of '%s' from %s(%s): %s",
-             user, ap->hostname, ap->hostaddr,
-             pam_strerror (pam_handle, pam_rc));
-      pam_end (pam_handle, pam_rc);
-
-      return pam_rc;
-    }
-
-  /* Renew client information, since the PAM stack may have
-   * mapped the request onto another identity.
-   */
-  pam_rc = pam_get_item (pam_handle, PAM_USER, (const void **) &user);
-  if (pam_rc != PAM_SUCCESS)
-    {
-      syslog (LOG_NOTICE | LOG_AUTH, "pam_get_item(PAM_USER): %s",
-             pam_strerror (pam_handle, pam_rc));
-      user = "<invalid>";
-    }
-
-  pwd = getpwnam (user);
-  free (ap->lusername);
-  ap->lusername = xstrdup (user);
-
-  if (pwd == NULL)
-    {
-      syslog (LOG_INFO | LOG_AUTH, "address@hidden as %s: unknown login.",
-             ap->rusername, ap->hostname, ap->lusername);
-      pam_rc = PAM_AUTH_ERR;           /* Non-zero status.  */
-    }
-
-  pam_end (pam_handle, pam_rc);                /* PAM access is complete.  */
-
-  if (pam_rc != PAM_SUCCESS)
-    return pam_rc;
+  rc = do_pam_check (infd, ap, "rlogin");
+  if (rc != PAM_SUCCESS)
+    return rc;
 #endif /* WITH_PAM */
 
 #if defined WITH_IRUSEROK_SA || defined WITH_IRUSEROK_AF \
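Review bot: do_rlogin's local `pwd` is no longer refreshed after the PAM stack runs: the removed block re-ran `getpwnam()` on the PAM_USER it obtained (old line 320) and stored the result in this function's `pwd`, whereas do_pam_check() keeps its own `pwd` and only rewrites `ap->lusername`. If `pwd` is used after line 338 (do_rlogin continues outside the hunk), it now describes the pre-PAM account, and the root check that ran earlier in this function was likewise applied to the pre-PAM name. Consider re-fetching after the call, `pwd = getpwnam (ap->lusername);` followed by a NULL check, or have do_pam_check() hand the mapped entry's status back to the caller.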
@@ -1716,7 +1612,7 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
            }
        }
     }
-#  endif
+#  endif /* ENCRYPTION */
 
   getstr (infd, &ad->lusername, NULL);         /* Acting user.  */
   getstr (infd, &ad->term, "TERM=");
@@ -1787,6 +1683,12 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
 
   shishi_ap_done (ad->ap);
 
+#  ifdef WITH_PAM
+  rc = do_pam_check (infd, ad, "krlogin");
+  if (rc != PAM_SUCCESS)
+    return rc;
+#  endif /* WITH_PAM */
+
   syslog (LOG_INFO | LOG_AUTH,
          "Kerberos V %slogin from %s on %s as `%s'.\n",
          encrypt_io ? "encrypted " : "",
@@ -2175,6 +2077,128 @@ fatal (int f, const char *msg, int syserr)
 }
 
 #ifdef WITH_PAM
+int
+do_pam_check (int infd, struct auth_data *ap, const char *service)
+{
+  char *user;
+  struct passwd *pwd;
+
+  pam_rc = pam_start (service, ap->lusername, &pam_conv, &pam_handle);
+  if (pam_rc == PAM_SUCCESS)
+    pam_rc = pam_set_item (pam_handle, PAM_RHOST, ap->hostname);
+  if (pam_rc == PAM_SUCCESS)
+    pam_rc = pam_set_item (pam_handle, PAM_RUSER, ap->rusername);
+  if (pam_rc == PAM_SUCCESS)
+    pam_rc = pam_set_item (pam_handle, PAM_TTY, service);
+  if (pam_rc == PAM_SUCCESS)
+    pam_rc = pam_get_item (pam_handle, PAM_USER, (const void **) &user);
+  if (pam_rc != PAM_SUCCESS)
+    {
+      if (pam_handle)
+       {
+         pam_end (pam_handle, pam_rc);
+         pam_handle = NULL;
+       }
+
+      /* Failed set-up is deemed serious.  Abort!  */
+      syslog (LOG_ERR | LOG_AUTH, "PAM set-up failed.");
+      fatal (infd, "Permission denied", 0);
+    }
+
+  pam_rc = pam_authenticate (pam_handle, PAM_SILENT);
+  if (pam_rc != PAM_SUCCESS)
+    {
+      switch (pam_rc)
+       {
+       case PAM_ABORT:
+         /* Serious enough to merit immediate abortion.  */
+         pam_end (pam_handle, pam_rc);
+         syslog (LOG_ERR | LOG_AUTH, "PAM authentication said PAM_ABORT.");
+         exit (EXIT_FAILURE);
+
+       case PAM_NEW_AUTHTOK_REQD:
+         pam_rc = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+         if (pam_rc == PAM_SUCCESS)
+           pam_rc = pam_authenticate (pam_handle, PAM_SILENT);
+         break;
+
+       default:
+         break;                        /* Non-zero status.  */
+       }
+    }
+
+  if (pam_rc != PAM_SUCCESS)
+    {
+      syslog (LOG_NOTICE | LOG_AUTH,
+             "PAM authentication of '%s' from %s(%s): %s",
+             user, ap->hostname, ap->hostaddr,
+             pam_strerror (pam_handle, pam_rc));
+      pam_end (pam_handle, pam_rc);
+      pam_handle = NULL;
+
+      return pam_rc;
+    }
+
+  pam_rc = pam_acct_mgmt (pam_handle, PAM_SILENT);
+  if (pam_rc != PAM_SUCCESS)
+    {
+      switch (pam_rc)
+       {
+       case PAM_NEW_AUTHTOK_REQD:
+         pam_rc = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+         if (pam_rc == PAM_SUCCESS)
+           pam_rc = pam_acct_mgmt (pam_handle, PAM_SILENT);
+         break;
+
+       case PAM_ACCT_EXPIRED:
+       case PAM_AUTH_ERR:
+       case PAM_PERM_DENIED:
+       case PAM_USER_UNKNOWN:
+       default:
+         break;                        /* Non-zero status.  */
+       }
+    }
+
+  if (pam_rc != PAM_SUCCESS)
+    {
+      syslog (LOG_INFO | LOG_AUTH,
+             "PAM accounting of '%s' from %s(%s): %s",
+             user, ap->hostname, ap->hostaddr,
+             pam_strerror (pam_handle, pam_rc));
+      pam_end (pam_handle, pam_rc);
+      pam_handle = NULL;
+
+      return pam_rc;
+    }
+
+  /* Renew client information, since the PAM stack may have
+   * mapped the request onto another identity.
+   */
+  pam_rc = pam_get_item (pam_handle, PAM_USER, (const void **) &user);
+  if (pam_rc != PAM_SUCCESS)
+    {
+      syslog (LOG_NOTICE | LOG_AUTH, "pam_get_item(PAM_USER): %s",
+             pam_strerror (pam_handle, pam_rc));
+      user = "<invalid>";
+    }
+
+  pwd = getpwnam (user);
+  free (ap->lusername);
+  ap->lusername = xstrdup (user);
+
+  if (pwd == NULL)
+    {
+      syslog (LOG_INFO | LOG_AUTH, "address@hidden as %s: unknown login.",
+             ap->rusername, ap->hostname, ap->lusername);
+      pam_rc = PAM_AUTH_ERR;           /* Non-zero status.  */
+    }
+
+  pam_end (pam_handle, pam_rc);                /* PAM access is complete.  */
+  pam_handle = NULL;
+
+  return pam_rc;
+}
+
 /* Call back function for passing user's information
  * to any PAM module requesting this information.
  */
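Review bot: After the PAM stack may have mapped the request onto another identity (line 466), do_pam_check() only verifies that the mapped name exists (line 478) and never applies the `allow_root` policy that do_rlogin enforces on the pre-PAM name (line 527 in the third commit), so a mapping onto uid 0 is not subject to that check. The `free (ap->lusername)` at line 475 also runs before `xstrdup (user)` at line 476; `user` points at PAM-owned storage that the common PAM implementations copy at `pam_start()`, but copying first costs nothing and removes the dependency on that detail. The rewritten tail below adds the root check, reporting it as PAM_PERM_DENIED so the caller's existing non-zero handling applies, and reorders the copy.
```c
  /* … unchanged: pam_start/pam_set_item set-up, pam_authenticate, pam_acct_mgmt, PAM_USER renewal … */
  pwd = getpwnam (user);
  {
    char *mapped = xstrdup (user);   /* Copy before releasing the old name.  */
    free (ap->lusername);
    ap->lusername = mapped;
  }

  if (pwd == NULL)
    {
      /* … unchanged: "unknown login" report, pam_rc = PAM_AUTH_ERR … */
    }
  else if (!allow_root && pwd->pw_uid == 0)
    {
      syslog (LOG_ERR | LOG_AUTH, "root logins are not permitted");
      pam_rc = PAM_PERM_DENIED;        /* Non-zero status.  */
    }

  pam_end (pam_handle, pam_rc);                /* PAM access is complete.  */
  pam_handle = NULL;

  return pam_rc;
```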

http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9a5bd6a12d74c10ce9654f702c6cce947e344074


commit 9a5bd6a12d74c10ce9654f702c6cce947e344074
Author: Mats Erik Andersson <address@hidden>
Date:   Thu Mar 14 19:23:07 2013 +0100

    rlogind: Additional user check.

diff --git a/ChangeLog b/ChangeLog
index b3fa23a..9e460ce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2013-03-14  Mats Erik Andersson  <address@hidden>
+
+       * src/rlogind.c (do_shishi_login) [SHISHI]:
+       Do not free the static pointer PWD!
+       Call getpwnam() for verification that local
+       user exists.  Add check to prevent root access
+       unless the flag `allow_root' is set.
+       Call shishi_ap_done() before sending a log report.
+
 2013-03-13  Guillem Jover  <address@hidden>
 
        Use standard suid-mode for install.
diff --git a/src/rlogind.c b/src/rlogind.c
index 3922fb4..c2e2abb 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -1283,7 +1283,7 @@ do_rlogin (int infd, struct auth_data *ap)
     }
   if (!allow_root && pwd->pw_uid == 0)
     {
-      syslog (LOG_ERR | LOG_AUTH, "root logins not permitted");
+      syslog (LOG_ERR | LOG_AUTH, "root logins are not permitted");
       fatal (infd, "Permission denied", 0);
     }
 
@@ -1726,30 +1726,23 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
   if ((rc != sizeof (int)) || error)
     {
       *err_msg = "Authentication exchange failed.";
-      free (pwd);
       free (cksum);
       return EXIT_FAILURE;
     }
 
-  /*
-     getpwnam crash !!!!
-
-     pwd = getpwnam (ad->lusername);
-     if (pwd == NULL)
-     {
-     *err_msg = "getpwnam failed";
-     syslog (LOG_ERR | LOG_AUTH, "getpwnam failed: %m");
-     return 1;
-     }
-
-     syslog (LOG_INFO | LOG_AUTH,
-     "%sKerberos V login from %s on %s\n",
-     (pwd->pw_uid == 0) ? "ROOT " : "",
-     ad->lusername, ad->hostname);
-
-   */
-
-  free (pwd);
+  pwd = getpwnam (ad->lusername);
+  if (pwd == NULL)
+    {
+      *err_msg = "getpwnam failed";
+      free (cksum);
+      syslog (LOG_ERR | LOG_AUTH, "getpwnam failed: %m");
+      return 1;
+    }
+  if (!allow_root && pwd->pw_uid == 0)
+    {
+      syslog (LOG_ERR | LOG_AUTH, "root logins are not permitted");
+      fatal (infd, "Permission denied", 0);
+    }
 
   /* verify checksum */
 
@@ -1767,7 +1760,8 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
   rc = shishi_checksum (ad->h, ad->enckey, 0, cksumtype, cksumdata,
                        strlen (cksumdata), &compcksum, &compcksumlen);
   if (rc != SHISHI_OK
-      || compcksumlen != cksumlen || memcmp (compcksum, cksum, cksumlen) != 0)
+      || compcksumlen != cksumlen
+      || memcmp (compcksum, cksum, cksumlen) != 0)
     {
       *err_msg = "Authentication exchange failed.";
       syslog (LOG_ERR, "checksum verify failed: %s", shishi_error (ad->h));
@@ -1777,7 +1771,6 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
     }
 
   free (cksum);
-
   free (compcksum);
 
   rc = shishi_authorized_p (ad->h, shishi_ap_tkt (ad->ap), ad->lusername);
@@ -1787,17 +1780,18 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
              "User address@hidden is not authorized to log in as: %s.",
              ad->rusername, ad->hostname, ad->lusername);
       shishi_ap_done (ad->ap);
-      rlogind_error (infd, 0, "Failed to get authorized as `%s'.\n", 
ad->lusername);
+      rlogind_error (infd, 0, "Failed to get authorized as `%s'.\n",
+                    ad->lusername);
       return rc;
     }
 
+  shishi_ap_done (ad->ap);
+
   syslog (LOG_INFO | LOG_AUTH,
          "Kerberos V %slogin from %s on %s as `%s'.\n",
          encrypt_io ? "encrypted " : "",
          ad->rusername, ad->hostname, ad->lusername);
 
-  shishi_ap_done (ad->ap);
-
   return SHISHI_OK;
 }
 # endif /* SHISHI */

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   38 +++++++
 src/rlogind.c |  310 ++++++++++++++++++++++++++++++---------------------------
 src/rshd.c    |   25 ++++-
 3 files changed, 222 insertions(+), 151 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


