
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-264-g3e5d8


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-264-g3e5d87b
Date: Thu, 28 Mar 2013 19:06:49 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  3e5d87b25b4c314a184a44489a61e776712e46f1 (commit)
       via  1054aa73549072527357795e6ac6fd641cc86c98 (commit)
      from  2b21870677d919c10c7a3fee1adf5b9ef03887ec (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=3e5d87b25b4c314a184a44489a61e776712e46f1


commit 3e5d87b25b4c314a184a44489a61e776712e46f1
Author: Mats Erik Andersson <address@hidden>
Date:   Thu Mar 28 18:29:57 2013 +0100

    telnet: Specify realm with Kerberos5.

diff --git a/ChangeLog b/ChangeLog
index ee6f6e4..398c7a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,18 @@
 2013-03-28  Mats Erik Andersson  <address@hidden>
 
+       Let Telnet client override Kerberos5 realm.
+
+       * libtelnet/kerberos5.c (dest_realm): Rename from
+       previous `telnet_krb5_realm'.
+       * telnet/main.c (dest_realm) [KERBEROS || SHISHI]:
+       Expand scope from KRB4 to KERBEROS.
+       (argp_options) [KERBEROS || SHISHI] <-k/--realm>:
+       Likewise.
+       (parse_opt) [AUTHENTICATION && (KERBEROS || SHISHI)]
+       <case 'k'>: Likewise.
+
+2013-03-28  Mats Erik Andersson  <address@hidden>
+
        Partial adaptions to Kerberos5, sufficient
        to do some build and runtime testing, but
        without encryption.
diff --git a/libtelnet/kerberos5.c b/libtelnet/kerberos5.c
index 1813806..7b41ae5 100644
--- a/libtelnet/kerberos5.c
+++ b/libtelnet/kerberos5.c
@@ -76,7 +76,7 @@ static krb5_ticket *ticket = NULL;    /* telnet matches the 
AP_REQ and
 
 krb5_keyblock *session_key = 0;
 char *telnet_srvtab = NULL;
-char *telnet_krb5_realm = NULL;
+char *dest_realm = NULL;
 
 # define DEBUG(c) if (auth_debug_mode) printf c
 
@@ -224,18 +224,18 @@ kerberos5_send (TN_Authenticator * ap)
       return 0;
     }
 
-  if (telnet_krb5_realm)
+  if (dest_realm)
     {
       krb5_data rdata;
 
-      rdata.length = strlen (telnet_krb5_realm);
+      rdata.length = strlen (dest_realm);
       rdata.data = malloc (rdata.length + 1);
       if (rdata.data == NULL)
        {
          DEBUG (("telnet: Kerberos V5: could not allocate memory\r\n"));
          return 0;
        }
-      strcpy (rdata.data, telnet_krb5_realm);
+      strcpy (rdata.data, dest_realm);
       krb5_princ_set_realm (telnet_context, creds.server, &rdata);
     }
 
diff --git a/telnet/main.c b/telnet/main.c
index 912090b..cda8edc 100644
--- a/telnet/main.c
+++ b/telnet/main.c
@@ -112,7 +112,7 @@ enum {
   OPTION_NOASYNCNET
 };
 
-#if defined KRB4 || defined SHISHI
+#if defined KERBEROS || defined SHISHI
 extern char *dest_realm;
 #endif
 
@@ -165,7 +165,7 @@ static struct argp_option argp_options[] = {
     "Authentication and Kerberos options:", GRID },
   { "disable-auth", 'X', "ATYPE", 0,
     "disable type ATYPE authentication", GRID+1 },
-# if defined KRB4 || defined SHISHI
+# if defined KERBEROS || defined SHISHI
   { "realm", 'k', "REALM", 0,
     "obtain tickets for the remote host in REALM "
     "instead of the remote host's realm", GRID+1 },
@@ -263,7 +263,7 @@ parse_opt (int key, char *arg, struct argp_state *state 
_GL_UNUSED_PARAMETER)
 #endif
 
 #if defined AUTHENTICATION && \
-      ( defined KRB4 || defined SHISHI )
+      ( defined KERBEROS || defined SHISHI )
     case 'k':
       dest_realm = arg;
       break;

http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=1054aa73549072527357795e6ac6fd641cc86c98


commit 1054aa73549072527357795e6ac6fd641cc86c98
Author: Mats Erik Andersson <address@hidden>
Date:   Thu Mar 28 16:44:21 2013 +0100

    Partial adaptions to Kerberos5.

diff --git a/ChangeLog b/ChangeLog
index ea79052..ee6f6e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,40 @@
+2013-03-28  Mats Erik Andersson  <address@hidden>
+
+       Partial adaptions to Kerberos5, sufficient
+       to do some build and runtime testing, but
+       without encryption.
+
+       * configure.ac <KERBEROS_VERSION == krb5>:
+       Disable `rcp', `rlogin', and `rsh'.
+       * libinetutils/des_rw.c [ENCRYPTION && KRB4]:
+       Replace KERBEROS by KRB4 in guard.
+       * libinetutils/kcmd.c, libinetutils/krcmd.c:
+       Likewise.
+       * src/rlogind.c [KRB5 && HAVE_COM_ERR_H]:
+       Include <com_err.h>.
+       (do_krb5_login) [KRB5]: Insert prototype.
+       * src/rshd.c [KRB4]: Replace previous KERBEROS
+       by KRB4 throughout.
+       [KRB5 && HAVE_KRB5_H]: Include <krb5.h>.
+       [KRB5 && HAVE_COM_ERR_H]: Include <com_err.h>.
+       (doit) [KRB5]: New partial template code and
+       related variables for later refinement.
+       [KERBEROS]: Set FROMADDR using memcpy().
+       [ENCRYPTION && (KERBEROS || SHISHI)]: Call dup2()
+       with macros STDIN_FILENO and STDOUT_FILENO.
+
+       Replace obsolete interfaces.
+
+       * libtelnet/kerberos5.c (encryption_init)
+       [ENCRYPTION]: Call krb5_auth_con_getsendsubkey().
+       (kerberos5_is_auth): New variable VALID.
+       Call krb5_auth_con_getrecvsubkey().
+
+       * src/rlogind.c (do_shishi_login) [SHISHI]:
+       Test macro ENCRYPT_IO when calling syslog().
+
+       * configure.ac <rsh summary>: Use $rsh_BUILD.
+
 2013-03-22  Mats Erik Andersson  <address@hidden>
 
        Detection of Kerberos5.
diff --git a/configure.ac b/configure.ac
index 2cdb1ab..68579e3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -357,6 +357,11 @@ if test "$enable_encryption" = yes \
                        krb5/asn1.h krb5/crc-32.h krb5/ext-proto.h \
                        krb5/krb5.h krb5/los-proto.h])
       CPPFLAGS=$save_CPPFLAGS
+      # We have no support for krcmd() with Kerberos5.
+      # Encryption must be sorted out as a first step.
+      IU_DISABLE_TARGET(rcp)
+      IU_DISABLE_TARGET(rlogin)
+      IU_DISABLE_TARGET(rsh)
     fi
     ;;
   *)
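Review bot: The three IU_DISABLE_TARGET calls are placed inside the `if test "$enable_encryption" = yes` branch named in the hunk header, so rcp, rlogin and rsh appear to remain enabled for a krb5 build configured without encryption; yet kcmd.c and krcmd.c in this same commit are compiled only under `KRB4 || SHISHI`, so such a build would presumably have no krcmd() to link against. If that reading is right, the disabling belongs at the `KERBEROS_VERSION == krb5` level rather than under the encryption test, or the comment should state why it is encryption-specific. The enclosing case arm starts before this hunk.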
@@ -1026,7 +1031,7 @@ ${rcp_BUILD:+$KERBEROS_VERSION}
     rlogin         ${enable_rlogin}  \
 ${rlogin_BUILD:+$KERBEROS_VERSION}
     rsh            ${enable_rsh}  \
-${rshd_BUILD:+$KERBEROS_VERSION}
+${rsh_BUILD:+$KERBEROS_VERSION}
     talk           ${enable_talk}  \
 ${talk_BUILD:+$LIBCURSES}
     telnet         ${enable_telnet}  \
diff --git a/libinetutils/des_rw.c b/libinetutils/des_rw.c
index 464753e..9485f45 100644
--- a/libinetutils/des_rw.c
+++ b/libinetutils/des_rw.c
@@ -50,7 +50,7 @@
 #include <config.h>
 
 #ifdef ENCRYPTION
-# ifdef KERBEROS
+# ifdef KRB4
 #  include <sys/param.h>
 
 #  ifdef HAVE_KERBEROSIV_DES_H
@@ -208,5 +208,5 @@ des_write (fd, buf, len)
   write (fd, des_outbuf, roundup (len, 8));
   return (len);
 }
-# endif        /* KERBEROS */
+# endif        /* KRB4 */
 #endif /* CRYPT */
diff --git a/libinetutils/kcmd.c b/libinetutils/kcmd.c
index 0e280fe..325c92b 100644
--- a/libinetutils/kcmd.c
+++ b/libinetutils/kcmd.c
@@ -49,7 +49,7 @@
 
 #include <config.h>
 
-#if defined KERBEROS || defined SHISHI
+#if defined KRB4 || defined SHISHI
 
 # include <sys/param.h>
 # include <sys/file.h>
diff --git a/libinetutils/krcmd.c b/libinetutils/krcmd.c
index 4611273..76f28aa 100644
--- a/libinetutils/krcmd.c
+++ b/libinetutils/krcmd.c
@@ -49,7 +49,7 @@
 
 #include <config.h>
 
-#if defined KERBEROS || defined SHISHI
+#if defined KRB4 || defined SHISHI
 # include <sys/types.h>
 # ifdef ENCRYPTION
 #  include <sys/socket.h>
diff --git a/libtelnet/kerberos5.c b/libtelnet/kerberos5.c
index 3649c0c..1813806 100644
--- a/libtelnet/kerberos5.c
+++ b/libtelnet/kerberos5.c
@@ -154,7 +154,7 @@ encryption_init (krb5_creds * creds)
 {
   krb5_keyblock *newkey = 0;
 
-  krb5_auth_con_getlocalsubkey (telnet_context, auth_context, &newkey);
+  krb5_auth_con_getsendsubkey (telnet_context, auth_context, &newkey);
   if (session_key)
     {
       krb5_free_keyblock (telnet_context, session_key);
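Review bot: The return code of `krb5_auth_con_getsendsubkey` on the replaced line is discarded, as the old call's was; when it fails, `newkey` stays 0 and the rest of `encryption_init`, which continues past this hunk, carries on as if a subkey had been obtained. The same applies to `krb5_auth_con_getrecvsubkey` in the `kerberos5_is_auth` hunk further down. Capturing the code and returning the function's failure value, e.g. `if (krb5_auth_con_getsendsubkey (telnet_context, auth_context, &newkey)) return /* failure */;`, keeps a failed key lookup from being treated as success.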
@@ -547,6 +547,7 @@ kerberos5_is_auth (TN_Authenticator * ap, unsigned char 
*data, int cnt,
       char type_check[2];
       krb5_checksum *cksum = authenticator->checksum;
       krb5_keyblock *key;
+      krb5_boolean valid;
 
       type_check[0] = ap->type;
       type_check[1] = ap->way;
@@ -559,9 +560,12 @@ kerberos5_is_auth (TN_Authenticator * ap, unsigned char 
*data, int cnt,
          return 1;
        }
 
+#  if 1
+      /* XXX: Obsolete interface.  Remove after investigation.  */
       r = krb5_verify_checksum (telnet_context,
                                cksum->checksum_type, cksum,
                                &type_check, 2, key->contents, key->length);
+      krb5_free_keyblock (telnet_context, key);
 
       if (r)
        {
@@ -569,7 +573,24 @@ kerberos5_is_auth (TN_Authenticator * ap, unsigned char 
*data, int cnt,
                    "checksum verification failed: %s", error_message (r));
          return 1;
        }
+#else
+      /* Incomplete call!
+       *
+       * XXX: Establish replacement for the preceding call.
+       *      It is no longer present in all implementations.
+       */
+      r = krb5_c_verify_checksum (telnet_context, key,
+                                 /* usage */, /* data */,
+                                 cksum, &valid);
       krb5_free_keyblock (telnet_context, key);
+
+      if (r || !valid)
+       {
+         snprintf (errbuf, errbuflen,
+                   "checksum verification failed: %s", error_message (r));
+         return 1;
+       }
+#endif
     }
 
   krb5_free_authenticator (telnet_context, authenticator);
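Review bot: In the `#else` branch, `error_message (r)` is reported even when `r` is 0 and only `valid` is false, so a genuine checksum mismatch would be logged with the library's success text; the two failure cases need distinct messages once that branch is activated. Because the branch is dead under `#if 1`, the `krb5_boolean valid` introduced in the earlier hunk of this function is unused in the live build and will draw a warning; placing its declaration under the same `#if` or deferring it until the replacement call is complete avoids that. The function continues outside the hunk.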
@@ -594,7 +615,7 @@ kerberos5_is_auth (TN_Authenticator * ap, unsigned char 
*data, int cnt,
   auth_finished (ap, AUTH_USER);
 
   free (name);
-  krb5_auth_con_getremotesubkey (telnet_context, auth_context, &newkey);
+  krb5_auth_con_getrecvsubkey (telnet_context, auth_context, &newkey);
 
   if (session_key)
     {
diff --git a/src/rlogind.c b/src/rlogind.c
index 23e22fb..4772026 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -163,6 +163,9 @@
 #  ifdef HAVE_KRB5_H
 #   include <krb5.h>
 #  endif
+#  ifdef HAVE_COM_ERR_H
+#   include <com_err.h>
+#  endif
 #  ifdef HAVE_KERBEROSIV_KRB_H
 #   include <kerberosIV/krb.h>
 #  endif
@@ -243,10 +246,10 @@ char *servername = NULL;
 # ifdef ENCRYPTION
 int encrypt_io = 0;
 # endif        /* ENCRYPTION */
-#endif /* KERBEROS */
+#endif /* KERBEROS || SHISHI */
+
 int reverse_required = 0;
 int debug_level = 0;
-
 int numchildren;
 int netf;
 char line[1024];               /* FIXME */
@@ -287,6 +290,10 @@ void rlogind_error (int f, int syserr, const char *msg, 
...);
 int in_local_domain (char *hostname);
 char *topdomain (char *name, int max_dots);
 
+#ifdef KRB5
+int do_krb5_login (int infd, struct auth_data *ap, const char **err_msg);
+#endif
+
 #ifdef SHISHI
 int do_shishi_login (int infd, struct auth_data *ad, const char **err_msg);
 #endif
@@ -1707,7 +1714,7 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
 
   syslog (LOG_INFO | LOG_AUTH,
          "Kerberos V %slogin from %s on %s as `%s'.\n",
-         encrypt_io ? "encrypted " : "",
+         ENCRYPT_IO ? "encrypted " : "",
          ad->rusername, ad->hostname, ad->lusername);
 
   return SHISHI_OK;
diff --git a/src/rshd.c b/src/rshd.c
index 5ed460e..5e0b54a 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -149,14 +149,22 @@
 #ifdef HAVE_SECURITY_PAM_APPL_H
 # include <security/pam_appl.h>
 #endif
-#ifdef KERBEROS
+
+#ifdef KRB4
 # ifdef HAVE_KERBEROSIV_DES_H
 #  include <kerberosIV/des.h>
 # endif
 # ifdef HAVE_KERBEROSIV_KRB_H
 #  include <kerberosIV/krb.h>
 # endif
-#endif /* KERBEROS */
+#elif defined KRB5     /* !KRB4 */
+# ifdef HAVE_KRB5_H
+#  include <krb5.h>
+# endif
+# ifdef HAVE_COM_ERR_H
+#  include <com_err.h>
+# endif
+#endif /* KRB4 || KRB5 */
 
 #ifdef SHISHI
 # include <shishi.h>
@@ -188,10 +196,11 @@ static struct pam_conv pam_conv = { rsh_conv, NULL };
 #endif /* WITH_PAM */
 
 #if defined KERBEROS || defined SHISHI
-# ifdef KERBEROS
+# ifdef KRB4
 Key_schedule schedule;
 char authbuf[sizeof (AUTH_DAT)];
 char tickbuf[sizeof (KTEXT_ST)];
+# elif defined KRB5
 # elif defined(SHISHI)
 Shishi *h;
 Shishi_ap *ap;
@@ -235,7 +244,7 @@ static struct argp_option options[] = {
     "fail for non-encrypted, Kerberized sessions", GRP },
 # endif
 # undef GRP
-#endif /* KERBEROS */
+#endif /* KERBEROS || SHISHI */
   { NULL, 0, NULL, 0, NULL, 0 }
 };
 
@@ -432,15 +441,23 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
 #endif
 
 #ifdef KERBEROS
+# ifdef KRB4
   AUTH_DAT *kdata = (AUTH_DAT *) NULL;
   KTEXT ticket = (KTEXT) NULL;
   char instance[INST_SZ], version[VERSION_SIZE];
+# elif defined KRB5    /* !KRB4 */
+  krb5_context context;
+  krb5_auth_context auth_ctx;
+  krb5_authenticator *author;
+  krb5_principal client;
+  krb5_rcache rcache;
+  krb5_keytab keytab;
+  krb5_ticket *ticket;
+# endif /* KRB4 || KRB5 */
   struct sockaddr_in fromaddr;
   long authopts;
   int pv1[2], pv2[2];
   fd_set wready, writeto;
-
-  fromaddr = *fromp;
 #elif defined SHISHI /* !KERBEROS */
   int n;
   int pv1[2], pv2[2];
@@ -451,6 +468,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
   char *cksum = NULL;
 #endif /* KERBEROS || SHISHI */
 
+#ifdef KERBEROS
+  memcpy (&fromaddr, fromp, sizeof (fromaddr));
+#endif
+
 #ifdef HAVE_GETPWNAM_R
   pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX);
   if (pwbuflen <= 0)
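Review bot: The new `memcpy` copies `sizeof (fromaddr)` bytes from `fromp` without consulting `fromlen` or `fromp->sa_family`, so a shorter or non-IPv4 address would silently yield a garbage `fromaddr` that the Kerberos code later trusts. Unless the caller already guarantees an AF_INET address, a guard such as `if (fromlen < sizeof fromaddr || fromp->sa_family != AF_INET)` leading to `rshd_error ("Permission denied.\n")` before the copy would make that assumption explicit. doit starts before and ends after this hunk.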
@@ -800,7 +821,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
   else
     errorhost = hostname = addrstr;
 
-#ifdef KERBEROS
+#ifdef KRB4
   if (use_kerberos)
     {
       kdata = (AUTH_DAT *) authbuf;
@@ -840,7 +861,82 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
        }
     }
   else
-#elif defined (SHISHI) /* !KERBEROS */
+#elif defined KRB5
+  if (use_kerberos)
+    {
+      /* Set up context data.  */
+      rc = krb5_init_context (&context);
+      if (!rc)
+        rc = krb5_auth_con_init (context, &auth_ctx);
+      if (!rc)
+       rc = krb5_auth_con_genaddrs (context, auth_ctx, sockfd,
+                       KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR);
+      if (!rc)
+       rc = krb5_auth_con_getrcache (context, auth_ctx, &rcache);
+
+      if (!rc && !rcache)
+       {
+         krb5_principal server;
+
+         rc = krb5_sname_to_principal (context, 0, 0,
+                                       KRB5_NT_SRV_HST, &server);
+         if (!rc)
+           {
+             krb5_data *pdata;
+
+             pdata = krb5_princ_component (context, server, 0);
+
+             rc = krb5_get_server_rcache (context, pdata, &rcache);
+             krb5_free_principal (context, server);
+
+             if (!rc)
+               rc = krb5_auth_con_setrcache (context, auth_ctx, rcache);
+           }
+       }
+
+      if (rc)
+       {
+         syslog (LOG_ERR, "Error initializing krb5: %s",
+                 error_message (rc));
+         rshd_error ("Permission denied.\n");
+         exit (EXIT_FAILURE);
+       }
+
+# ifdef ENCRYPTION
+      if (doencrypt)
+       {
+         struct sockaddr_in local_addr;
+         rc = sizeof local_addr;
+         if (getsockname (STDIN_FILENO,
+                          (struct sockaddr *) &local_addr, &rc) < 0)
+           {
+             syslog (LOG_ERR, "getsockname: %m");
+             rshd_error ("rlogind: getsockname: %s", strerror (errno));
+             exit (EXIT_FAILURE);
+           }
+         authopts = KOPT_DO_MUTUAL;
+         rc = krb_recvauth (authopts, 0, ticket,
+                            "rcmd", instance, &fromaddr,
+                            &local_addr, kdata, "", schedule, version);
+         des_set_key (kdata->session, schedule);
+       }
+      else
+# endif /* ENCRYPTION */
+       rc = krb5_recvauth (context, &auth_ctx, &sockfd, "rcmd",
+                           0, 0, keytab, &ticket);
+
+      if (!rc)
+       rc = krb5_auth_con_getauthenticator (context, auth_ctx, &author);
+
+      if (!rc)
+       {
+         rshd_error ("Kerberos authentication failure: %s\n",
+                     error_message(rc));
+         exit (EXIT_FAILURE);
+       }
+    }
+  else
+#elif defined (SHISHI) /* !KRB4 && !KRB5 */
   if (use_kerberos)
     {
       int rc;
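Review bot: The `if (!rc)` that guards the "Kerberos authentication failure" report is inverted: it fires only when `krb5_recvauth` and `krb5_auth_con_getauthenticator` both succeeded, refusing a valid client, while a failing `krb5_recvauth` skips the report and leaves `ticket` unset for the later KRB5 code that dereferences it. That line should read `if (rc)`. `keytab` is also handed to `krb5_recvauth` without being resolved anywhere in this hunk (no `krb5_kt_default` or `krb5_kt_resolve`), so it is presumably still indeterminate at that point. Under ENCRYPTION the branch calls `krb_recvauth` with the KRB4-only `instance`, `kdata`, `schedule` and `version`, and with `ticket`, which here is a `krb5_ticket *`, so a KRB5 build with encryption cannot compile; an explicit `# error "KRB5 encryption not implemented"` in that arm would document the limitation the commit message mentions. doit starts before and ends after this hunk.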
@@ -1002,7 +1098,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
     shishi_ap_done (ap);
 
   }
-#endif /* SHISHI */
+#elif defined KRB5     /* !SHISHI */
+  if (use_kerberos)
+    {
+      remuser = getstr ("remuser");    /* The requesting user!  */
+
+      rc = krb5_copy_principal (context, ticket->enc_part2->client,
+                               &client);
+
+    }
+#endif /* KRB5 || SHISHI */
 
   /* Look up locuser in the passwd file.  The locuser has to be a
    * valid account on this system.
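Review bot: The result of `krb5_copy_principal` is stored in `rc` but never examined, so when the copy fails `client` keeps whatever it held before and the later `&& client` test in the kuserok hunk cannot tell that apart from a successful copy. A check such as `if (rc) { rshd_error ("Permission denied.\n"); exit (EXIT_FAILURE); }` immediately after the call closes that gap. The dereference of `ticket->enc_part2->client` also presumes the earlier `krb5_recvauth` succeeded, which the preceding hunk does not currently enforce. doit continues outside the hunk.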
@@ -1132,7 +1237,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
       }
 #endif
 
-#ifdef KERBEROS
+#ifdef KRB4
   if (use_kerberos)
     {
       if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0')
@@ -1147,6 +1252,21 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
        }
     }
   else
+#elif defined KRB5     /* !KRB4 */
+  if (use_kerberos)
+    {
+      if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && client)
+       {
+         if (krb5_kuserok (context, client, locuser) != 0)
+           {
+             syslog (LOG_INFO | LOG_AUTH, "Kerberos rsh denied to 
address@hidden",
+                     "kdata->pname", "kdata->pinst", "kdata->prealm");
+             rshd_error ("Permission denied.\n");
+             exit (EXIT_FAILURE);
+           }
+       }
+    }
+  else
 #elif defined(SHISHI) /* !KERBEROS */
   if (use_kerberos)
     {                          /*
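Review bot: The kuserok test is inverted: `krb5_kuserok` returns TRUE when the principal is authorized to log in as `locuser`, so `!= 0` denies exactly the authorized principals and admits every other one. The condition should be `if (!krb5_kuserok (context, client, locuser))`. The syslog arguments `"kdata->pname", "kdata->pinst", "kdata->prealm"` are string literals naming KRB4 fields, so the denial record would log those words rather than the rejected principal; `krb5_unparse_name` on `client` yields the text to log. The enclosing `if` chain continues outside the hunk.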
@@ -1487,8 +1607,8 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
        {
          close (pv1[0]);
          close (pv2[0]);
-         dup2 (pv1[1], 1);
-         dup2 (pv2[1], 0);
+         dup2 (pv1[1], STDOUT_FILENO);
+         dup2 (pv2[1], STDIN_FILENO);
          close (pv1[1]);
          close (pv2[1]);
        }
@@ -1636,14 +1756,14 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
   endpwent ();
   if (log_success || pwd->pw_uid == 0)
     {
-#ifdef KERBEROS
+#ifdef KRB4
       if (use_kerberos)
        syslog (LOG_INFO | LOG_AUTH,
                "Kerberos shell from address@hidden on %s as %s, cmd='%.80s'",
                kdata->pname, kdata->pinst, kdata->prealm,
                hostname, locuser, cmdbuf);
       else
-#endif /* KERBEROS */
+#endif /* KRB4 */
        syslog (LOG_INFO | LOG_AUTH,
                "address@hidden as %s: cmd='%.80s'",
 #ifdef SHISHI
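Review bot: With the guard narrowed to KRB4, a KRB5 build whose session was Kerberos-authenticated takes the generic `else` syslog branch, so the audit log no longer records that Kerberos was used or which principal was accepted. A parallel `#elif defined KRB5` arm that logs `client` (unparsed with `krb5_unparse_name`) together with `hostname`, `locuser` and `cmdbuf` would keep KRB5 sessions as visible in the log as KRB4 ones. This block is inside doit, which continues past the hunk.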

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog             |   50 +++++++++++++++++
 configure.ac          |    7 ++-
 libinetutils/des_rw.c |    4 +-
 libinetutils/kcmd.c   |    2 +-
 libinetutils/krcmd.c  |    2 +-
 libtelnet/kerberos5.c |   33 +++++++++--
 src/rlogind.c         |   13 +++-
 src/rshd.c            |  148 ++++++++++++++++++++++++++++++++++++++++++++-----
 telnet/main.c         |    6 +-
 9 files changed, 234 insertions(+), 31 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


