[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-125-g3da88


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-125-g3da88b2
Date: Mon, 09 Jul 2012 23:06:12 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  3da88b201d8397b2a7906a9ee8194fbfae247338 (commit)
       via  715707856daa622f5fc3076e0b7171f055c7ca42 (commit)
      from  4b48cb5f2bcf781b072b5b11c0a528f18d85a140 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=3da88b201d8397b2a7906a9ee8194fbfae247338


commit 3da88b201d8397b2a7906a9ee8194fbfae247338
Author: Mats Erik Andersson <address@hidden>
Date:   Sat Jul 7 14:49:44 2012 +0200

    rshd: PAM conversation matters.

diff --git a/ChangeLog b/ChangeLog
index 7a67e5a..9be716a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2012-07-07  Mats Erik Andersson  <address@hidden>
+
+       * src/rshd.c (doit) <PAM_NEW_AUTHTOK_REQD>:
+       When either pam_authenticate() or pam_acct_mgmt()
+       require token renewal, then call pam_chauthtok()
+       and repeat the previous call.
+       (rsh_conv) <PAM_PROMPT_ECHO_OFF>: Build a full
+       pam_response structure using an emtpy password,
+       instead of returning an empty pointer.  Make a
+       syslog notice showing the passed message string.
+
 2012-07-05  Mats Erik Andersson  <address@hidden>
 
        rsh, rshd: Functional Shishi code.  Tested on
diff --git a/src/rshd.c b/src/rshd.c
index 8623960..b6b1303 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -1000,6 +1000,14 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
        case PAM_ABORT:
          pam_end (pam_handle, pam_rc);
          exit (EXIT_FAILURE);
+       case PAM_NEW_AUTHTOK_REQD:
+         pam_rc = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+         if (pam_rc == PAM_SUCCESS)
+           {
+             pam_rc = pam_authenticate (pam_handle, PAM_SILENT);
+             if (pam_rc == PAM_SUCCESS)
+               break;
+           }
        default:
          errorstr = "Password incorrect.\n";
          goto fail;
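Review bot: The new PAM_NEW_AUTHTOK_REQD case runs pam_chauthtok() through rshd's own conversation function, and the rsh_conv hunk in this same commit answers every PAM_PROMPT_ECHO_OFF prompt with an empty string, so the only way this token change can succeed is if a module accepts an empty replacement password — an expired account would then end up with an empty token instead of being refused. Since rshd has no interactive channel to collect a new password, the safer handling is to treat an expired token as a failure and record it, e.g. `syslog (LOG_NOTICE | LOG_AUTH, "PAM authentication token expired.");` before `goto fail`, unless a specific non-interactive renewal module is the intended consumer, in which case a comment should say so. If the retry is kept, the drop from the failed `if` into `default:` is deliberate but unmarked and should carry `/* FALLTHROUGH */`. The switch this case belongs to begins outside the hunk.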
@@ -1012,6 +1020,13 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
       switch (pam_rc)
        {
        case PAM_NEW_AUTHTOK_REQD:
+         pam_rc = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+         if (pam_rc == PAM_SUCCESS)
+           {
+             pam_rc = pam_acct_mgmt (pam_handle, PAM_SILENT);
+             if (pam_rc == PAM_SUCCESS)
+               break;
+           }
        case PAM_AUTH_ERR:
          errorstr = "Password incorrect.\n";
          goto fail;
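Review bot: This PAM_NEW_AUTHTOK_REQD branch has the same weakness as the pam_authenticate() one: pam_chauthtok() is driven by a conversation that, per the rsh_conv hunk in this commit, only ever returns empty strings, so the sole outcome other than failure is a module accepting an empty new token; unless that is intended, reporting the expiry and failing is safer than attempting a password change over a non-interactive rsh session. The path from the failed `if` into `case PAM_AUTH_ERR:` is an unmarked fallthrough and should carry `/* FALLTHROUGH */` so readers and -Wimplicit-fallthrough know it is deliberate. `errorstr = "Password incorrect.\n"` is also what the remote user sees for an account-management failure, which is misleading for an expired or disabled account; a separate message would help operators debugging denied logins. The switch begins outside the hunk.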
@@ -1733,7 +1748,22 @@ rsh_conv (int num, const struct pam_message **pam_msg,
   switch ((*pam_msg)->msg_style)
     {
     case PAM_PROMPT_ECHO_OFF:  /* Return an empty password.  */
+      resp = (struct pam_response *) malloc (sizeof (*resp));
+      if (!resp)
+       return PAM_BUF_ERR;
+      resp->resp_retcode = 0;
+      resp->resp = strdup ("");
+      if (!resp->resp)
+       {
+         free (resp);
+         return PAM_BUF_ERR;
+       }
+      if (log_success)
+       syslog (LOG_NOTICE | LOG_AUTH, "PAM message \"%s\".",
+               (*pam_msg)->msg);
+      *pam_resp = resp;
       return PAM_SUCCESS;
+      break;
     case PAM_TEXT_INFO:                /* Not yet supported.  */
     case PAM_ERROR_MSG:                /* Likewise.  */
     case PAM_PROMPT_ECHO_ON:   /* Interactivity is not supported.  */
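Review bot: The PAM_PROMPT_ECHO_OFF case allocates a single `struct pam_response` and stores it in `*pam_resp`, but the conversation contract is that `*pam_resp` points to an array of `num` responses — the hunk header shows `rsh_conv (int num, ...)` while only `(*pam_msg)->msg_style`, the first message, is inspected. Any module that sends more than one message in a batch will read and free `num` entries from a one-element allocation. Allocate with `calloc (num, sizeof (*resp))`, fill every entry, and reject the whole batch with PAM_CONV_ERR if any message is not an echo-off prompt (a new `int i` local is needed). The `break;` after `return PAM_SUCCESS;` is unreachable and should go. The start of rsh_conv, including the declaration of `resp`, is outside the hunk.
```c
    case PAM_PROMPT_ECHO_OFF:	/* Answer every prompt with an empty password.  */
      resp = calloc (num, sizeof (*resp));
      if (!resp)
	return PAM_BUF_ERR;
      for (i = 0; i < num; i++)
	{
	  if (pam_msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
	    {
	      while (i-- > 0)
		free (resp[i].resp);
	      free (resp);
	      return PAM_CONV_ERR;
	    }
	  resp[i].resp_retcode = 0;
	  resp[i].resp = strdup ("");
	  if (!resp[i].resp)
	    {
	      while (i-- > 0)
		free (resp[i].resp);
	      free (resp);
	      return PAM_BUF_ERR;
	    }
	  if (log_success)
	    syslog (LOG_NOTICE | LOG_AUTH, "PAM message \"%s\".",
		    pam_msg[i]->msg);
	}
      *pam_resp = resp;
      return PAM_SUCCESS;
      /* … unchanged: PAM_TEXT_INFO, PAM_ERROR_MSG, PAM_PROMPT_ECHO_ON cases … */
```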

http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=715707856daa622f5fc3076e0b7171f055c7ca42


commit 715707856daa622f5fc3076e0b7171f055c7ca42
Author: Mats Erik Andersson <address@hidden>
Date:   Thu Jul 5 23:21:55 2012 +0200

    rsh, rshd: Verified Shishi support.

diff --git a/ChangeLog b/ChangeLog
index e15e17c..7a67e5a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,50 @@
+2012-07-05  Mats Erik Andersson  <address@hidden>
+
+       rsh, rshd: Functional Shishi code.  Tested on
+       32-bit system, with and without encryption,
+       but without PAM.
+
+       * src/rlogind.c (servername): New variable.
+       (options): New option `-S/--servername'.
+       (parse_opt) <'S'>: Implement `-S'.
+       (do_shishi_login): Add `servername' as additional
+       argument to get_auth().
+       * src/rsh.c (servername): New variable.
+       (options): New option `-S/--servername'.  Rephrase
+       explanation for `-v/--vacuous'.
+       (parse_opt) <'S'>: Implement `-S'.
+       (doit): Add `servername' as additional argument to
+       get_auth().  Apply ntohs() to PORT in calculating
+       CKSUMDATA.  Do not free CKSUM before use!
+       (doit) [WITH_IRUSEROK_AF && !WITH_PAM]: Calculate
+       FROMADDRP separately, not within nested conditionals.
+
+       * libinetutils/kcmd.c (kcmd) [SHISHI]: Let arguments
+       `laddr' and `faddr' be `struct sockaddr_storage *'.
+       New variables LEN and PORT, use `struct sockaddr_storage'
+       for SIN and FROM.  Modify resolver code to handle AF_INET
+       and AF_INET6.
+       * libinetutils/krcmd.c (krcmd) [SHISHI]: Produce error
+       message using shishi_strerror() at failures.
+       (krcmd_mutual) [SHISHI]: Use `struct sockaddr_storage'
+       for LADDR and FADDR.
+       * libinetutils/shishi.c (shishi_auth, get_auth): Return
+       meaningful error status, not `1' every time.
+       (shishi_auth) <ticket fetch failure>: Report Kerberos
+       principal name, not only host name of server.
+       (shishi_auth) <authentication response reading>: Store
+       int32 sized answer in an integer, not in a char!  Report
+       a failure in case authentication actually failed.
+       (get_auth): Add a further parameter `char *srvname'.
+       Call shishi_server_for_local_service() only if `srvname'
+       was NULL.  Otherwise, manually assemble the host's
+       principal name.
+       (get_auth) <authentication type failure>: Follow protocol
+       and send a response 0x01.
+       (get_auth) <protocol version failure>: Follow protocol
+       and send a response 0x02.
+       * libinetutils/shishi_def.h (get_auth): Update signature.
+
 2012-07-03  Mats Erik Andersson  <address@hidden>
 
        * libinetutils/kcmd.c (kcmd, getport)
diff --git a/libinetutils/kcmd.c b/libinetutils/kcmd.c
index 674d86e..c3f079e 100644
--- a/libinetutils/kcmd.c
+++ b/libinetutils/kcmd.c
@@ -101,8 +101,8 @@ kcmd (int *sock, char **ahost, unsigned short rport, char 
*locuser,
 int
 kcmd (Shishi ** h, int *sock, char **ahost, unsigned short rport, char 
*locuser,
       char **remuser, char *cmd, int *fd2p, char *service, char *realm,
-      Shishi_key ** key,
-      struct sockaddr_in *laddr, struct sockaddr_in *faddr, long authopts)
+      Shishi_key ** key, struct sockaddr_storage *laddr,
+      struct sockaddr_storage *faddr, long authopts)
 # endif
 {
   int s, timo = 1, pid;
@@ -111,7 +111,8 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
 # else
   long oldmask;
 # endif /* !HAVE_SIGACTION */
-  struct sockaddr_in sin, from;
+  struct sockaddr_storage sin, from;
+  socklen_t len;
   char c;
 
 # ifdef ATHENA_COMPAT
@@ -129,6 +130,9 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
 # endif
 
   pid = getpid ();
+
+  /* FIXME: Often the following rejects non-IPv4.
+   * This is dependent on system implementation.  */
   hp = gethostbyname (*ahost);
   if (hp == NULL)
     {
@@ -172,15 +176,30 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned 
short rport, char *locuser,
          return (-1);
        }
       fcntl (s, F_SETOWN, pid);
-      sin.sin_family = hp->h_addrtype;
+      sin.ss_family = hp->h_addrtype;
+      switch (hp->h_addrtype)
+       {
+       case AF_INET6:
+         len = sizeof (struct sockaddr_in6);
 #ifdef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN
-      sin.sin_len = sizeof (sin);
+         sin.ss_len = len;
 #endif
+         memcpy (&((struct sockaddr_in6 *) &sin)->sin6_addr,
+                 hp->h_addr, hp->h_length);
+         ((struct sockaddr_in6 *) &sin)->sin6_port = rport;
+         break;
+       case AF_INET:
+       default:
+         len = sizeof (struct sockaddr_in);
+#ifdef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN
+         sin.ss_len = len;
+#endif
+         memcpy (&((struct sockaddr_in *) &sin)->sin_addr,
+                 hp->h_addr, hp->h_length);
+         ((struct sockaddr_in *) &sin)->sin_port = rport;
+       }
 
-      memcpy (&sin.sin_addr, hp->h_addr, hp->h_length);
-      sin.sin_port = rport;
-
-      if (connect (s, (struct sockaddr *) &sin, sizeof (sin)) >= 0)
+      if (connect (s, (struct sockaddr *) &sin, len) >= 0)
        break;
       close (s);
       if (errno == EADDRINUSE)
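Review bot: `sin` is a `struct sockaddr_storage` that is never cleared before the switch fills in family, address and port, so for AF_INET6 `sin6_flowinfo` and `sin6_scope_id` (and `sin_zero` for AF_INET) hold whatever was on the stack when connect() sees them; a garbage scope id can make connect() fail or pick the wrong interface for link-local peers. Add `memset (&sin, 0, sizeof (sin));` before `sin.ss_family = hp->h_addrtype;` unless it is zeroed somewhere between the declaration and this loop, which the diff does not show. The `case AF_INET: default:` arm also copies `hp->h_length` bytes into `sin_addr` for any unknown family; checking `hp->h_length == sizeof (struct in_addr)` there (and `sizeof (struct in6_addr)` in the AF_INET6 arm) and failing otherwise would avoid writing a mis-sized address. The retry loop this switch sits in starts before the hunk.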
@@ -209,7 +228,6 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
          errno = oerrno;
          perror (NULL);
          hp->h_addr_list++;
-         memcpy (& sin.sin_addr, hp->h_addr_list, hp->h_length);
          fprintf (stderr, "Trying %s...\n",
                   inet_ntop (hp->h_addrtype, hp->h_addr_list[0],
                              addrstr, sizeof (addrstr)));
@@ -236,8 +254,10 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
   else
     {
       char num[8];
-      int s2 = getport (&lport), s3;
-      int len = sizeof (from);
+      int port, s2, s3;
+
+      s2 = getport (&lport);
+      len = sizeof (from);
 
       if (s2 < 0)
        {
@@ -263,8 +283,12 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
          goto bad;
        }
       *fd2p = s3;
-      from.sin_port = ntohs ((unsigned short) from.sin_port);
-      if (from.sin_family != AF_INET || from.sin_port >= IPPORT_RESERVED)
+      port = (from.ss_family == AF_INET6)
+            ? ntohs (((struct sockaddr_in6 *) &from)->sin6_port)
+            : ntohs (((struct sockaddr_in *) &from)->sin_port);
+
+      if (port >= IPPORT_RESERVED
+          || from.ss_family != AF_INET && from.ss_family != AF_INET6)
        {
          fprintf (stderr,
                   "kcmd(socket): protocol failure in circuit setup.\n");
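Review bot: The new condition mixes `||` and `&&` without parentheses — `port >= IPPORT_RESERVED || from.ss_family != AF_INET && from.ss_family != AF_INET6` — which precedence resolves as intended but which draws -Wparentheses and is easy to misread; write the family test as `(from.ss_family != AF_INET && from.ss_family != AF_INET6)` and perform it before the `port = ...` extraction, which currently reinterprets any non-AF_INET6 `from` as a `struct sockaddr_in`. More importantly, the accepted stderr connection is still only required to come from a reserved source port; nothing in this hunk compares `from` with the server address held in `sin`, so if that comparison is not made elsewhere, any host able to reach the listening socket from a port below 1024 can attach itself as the error channel. Comparing the peer address and logging a mismatch here would close that gap. The surrounding accept() logic begins before the hunk.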
@@ -287,7 +311,7 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
 
       *faddr = sin;
 
-      sin_len = sizeof (struct sockaddr_in);
+      sin_len = sizeof (*laddr);
       if (getsockname (s, (struct sockaddr *) laddr, &sin_len) < 0)
        {
          perror ("kcmd(getsockname)");
@@ -310,7 +334,7 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short 
rport, char *locuser,
 
       *faddr = sin;
 
-      sin_len = sizeof (struct sockaddr_in);
+      sin_len = sizeof (*laddr);
       if (getsockname (s, (struct sockaddr *) laddr, &sin_len) < 0)
        {
          perror ("kcmd(getsockname)");
diff --git a/libinetutils/krcmd.c b/libinetutils/krcmd.c
index d22caa5..08b3402 100644
--- a/libinetutils/krcmd.c
+++ b/libinetutils/krcmd.c
@@ -76,7 +76,7 @@
 # if defined SHISHI
 int kcmd (Shishi **, int *, char **, unsigned short, char *, char **,
          char *, int *, char *, char *, Shishi_key **,
-         struct sockaddr_in *, struct sockaddr_in *, long);
+         struct sockaddr_storage *, struct sockaddr_storage *, long);
 # else
 int kcmd (int *, char **, unsigned short, char *, char *, char *, int *,
          KTEXT, char *, char *, CREDENTIALS *, Key_schedule,
@@ -105,7 +105,7 @@ krcmd (Shishi ** h, char **ahost, unsigned short rport, 
char **remuser, char *cm
 
   if (err > SHISHI_OK)
     {
-      fprintf (stderr, "krcmd: %s\n", "error");
+      fprintf (stderr, "krcmd: error %d, %s\n", err, shishi_strerror (err));
       return (-1);
     }
   if (err < 0)
@@ -149,7 +149,7 @@ krcmd_mutual (Shishi ** h, char **ahost, unsigned short 
rport, char **remuser,
              char *cmd, int *fd2p, char *realm, Shishi_key ** key)
 {
   int sock = -1, err = 0;
-  struct sockaddr_in laddr, faddr;
+  struct sockaddr_storage laddr, faddr;
   long authopts = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
 
   err = kcmd (h, &sock, ahost, rport, NULL,    /* locuser not used */
diff --git a/libinetutils/shishi.c b/libinetutils/shishi.c
index bbe1ad6..25c54a0 100644
--- a/libinetutils/shishi.c
+++ b/libinetutils/shishi.c
@@ -57,7 +57,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
     {
       fprintf (stderr, "shishi_check_version() failed:\n"
               "Header file incompatible with shared library.\n");
-      return 1;
+      return SHISHI_INVALID_ARGUMENT;
     }
 
   rc = shishi_init (handle);
@@ -65,7 +65,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
     {
       fprintf (stderr,
               "error initializing shishi: %s\n", shishi_strerror (rc));
-      return 1;
+      return rc;
     }
 
   if (realm)
@@ -97,7 +97,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
       errormsg[100] = '\0';
 
       fprintf (stderr, "Error during server authentication : %s\n", errormsg);
-      return 1;
+      return SHISHI_VERIFY_FAILED;
     }
 
   if (verbose)
@@ -114,7 +114,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
   if (!tmpserver)
     {
       perror ("shishi_auth()");
-      return 1;
+      return SHISHI_TOO_SMALL_BUFFER;
     }
   strcpy (tmpserver, SERVICE);
   strcat (tmpserver, "/");
@@ -126,9 +126,9 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
   tkt = shishi_tkts_get (shishi_tkts_default (h), &hint);
   if (!tkt)
     {
+      fprintf (stderr, "cannot find ticket for \"%s\"\n", tmpserver);
       free (tmpserver);
-      fprintf (stderr, "cannot find ticket for \"%s\"\n", sname);
-      return 1;
+      return SHISHI_INVALID_TICKET;
     }
 
   free (tmpserver);
@@ -142,13 +142,14 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
   if (rc != SHISHI_OK)
     {
       fprintf (stderr, "cannot create authentication context\n");
-      return 1;
+      return rc;
     }
 
 
   /* checksum = port: terminal name */
 
-  snprintf (cksumdata, 100, "%u:%s%s", ntohs (port), cmd, *cname);
+  snprintf (cksumdata, sizeof (cksumdata) - 1,
+           "%u:%s%s", ntohs (port), cmd, *cname);
 
   /* add checksum to authenticator */
 
@@ -164,7 +165,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
       fprintf (stderr, "cannot build authentication request: %s\n",
               shishi_strerror (rc));
 
-      return 1;
+      return rc;
     }
 
   if (verbose)
@@ -184,9 +185,11 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
 
   write (sock, out, outlen);
 
-  /* read a respond from server - what ? */
+  /* read response from server - what ? */
 
-  read (sock, &auth, sizeof (int));
+  read (sock, &rc, sizeof (rc));
+  if (rc)
+    return SHISHI_APREP_VERIFY_FAILED;
 
   /* For mutual authentication, wait for server reply. */
 
@@ -216,7 +219,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
          else
            fprintf (stderr, "AP-REP verification error: %s\n",
                     shishi_strerror (rc));
-         return 1;
+         return rc;
        }
 
       /* The server is authenticated. */
@@ -228,7 +231,7 @@ shishi_auth (Shishi ** handle, int verbose, char **cname,
   if (verbose)
     printf ("User authenticated.\n");
 
-  return 0;
+  return SHISHI_OK;
 
 }
 
@@ -242,7 +245,7 @@ senderror (int s, char type, char *buf)
 int
 get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
          Shishi_key ** enckey, const char **err_msg, int *protoversion,
-         int *cksumtype, char **cksum, int *cksumlen)
+         int *cksumtype, char **cksum, int *cksumlen, char *srvname)
 {
   Shishi_key *key;
   char *out;
@@ -268,20 +271,32 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
     {
       *err_msg =
        "shishi_check_version() failed: header file incompatible with shared 
library.";
-      return 1;
+      return SHISHI_INVALID_ARGUMENT;
     }
 
   rc = shishi_init_server (handle);
   if (rc != SHISHI_OK)
     return rc;
 
-  servername = shishi_server_for_local_service (*handle, SERVICE);
+  if (srvname && *srvname)
+    {
+      servername = malloc (sizeof (SERVICE) + strlen (srvname) + 2);
+      if (!servername)
+       {
+         *err_msg = "Not enough memory";
+         return SHISHI_TOO_SMALL_BUFFER;
+       }
+      sprintf (servername, "%s/%s", SERVICE, srvname);
+    }
+  else
+    servername = shishi_server_for_local_service (*handle, SERVICE);
 
   key = shishi_hostkeys_for_server (*handle, servername);
+  free (servername);
   if (!key)
     {
       *err_msg = shishi_error (*handle);
-      return 1;
+      return SHISHI_INVALID_KEY;
     }
 
   /* Read Kerberos 5 sendauth message */
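Review bot: `sprintf (servername, "%s/%s", SERVICE, srvname);` writes into a buffer whose size was computed two lines earlier; the arithmetic is right (`sizeof (SERVICE)` already includes the terminator, so `+ 2` leaves one spare byte), but keeping the size in a named variable and writing `snprintf (servername, namelen, "%s/%s", SERVICE, srvname);` removes the need to re-verify it on every edit. In the `else` branch the result of `shishi_server_for_local_service()` is handed to `shishi_hostkeys_for_server()` and `free()` without a NULL check; if that call can fail, `*err_msg` should be set and the function should return before the key lookup. Since `srvname` is only read, the new parameter can be `const char *srvname` here and in the shishi_def.h prototype. The start of get_auth, including the declaration of `servername`, lies outside the hunk.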
@@ -289,7 +304,7 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (rc != sizeof (int))
     {
       *err_msg = "Error reading message size";
-      return 1;
+      return SHISHI_IO_ERROR;
     }
 
   buflen = ntohl (len);
@@ -297,14 +312,14 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (!buf)
     {
       *err_msg = "Not enough memory";
-      return 1;
+      return SHISHI_TOO_SMALL_BUFFER;
     }
 
   rc = read (infd, buf, buflen);
   if (rc != buflen)
     {
       *err_msg = "Error reading authentication message";
-      return 1;
+      return SHISHI_IO_ERROR;
     }
 
   len = strlen (krb5sendauth);
@@ -312,7 +327,9 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (rc)
     {
       *err_msg = "Invalid authentication type";
-      return 1;
+      /* Authentication type is wrong.  */
+      write (infd, "\001", 1);
+      return SHISHI_VERIFY_FAILED;
     }
 
   free (buf);
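Review bot: On the "Invalid authentication type" path the function returns before the `free (buf);` that the success path reaches, so the sendauth message buffer leaks; add `free (buf);` before `write (infd, "\001", 1);`. The hunk sends the one-byte rejection code that the sendauth exchange defines, but if this follows the MIT krb5_sendauth exchange the receiver also answers each accepted version string with a single zero byte; nothing shown between this hunk and the next writes one, so please confirm the client is not left waiting for it. The unchecked `write` is acceptable on an error path, but a `(void)` cast or a short comment would make that deliberate.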
@@ -322,21 +339,21 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (rc != sizeof (int))
     {
       *err_msg = "Error reading protocol message size";
-      return 1;
+      return SHISHI_IO_ERROR;
     }
   buflen = ntohl (len);
   buf = malloc (buflen);
   if (!buf)
     {
       *err_msg = "Not enough memory";
-      return 1;
+      return SHISHI_TOO_SMALL_BUFFER;
     }
 
   rc = read (infd, buf, buflen);
   if (rc != buflen)
     {
       *err_msg = "Error reading protocol message";
-      return 1;
+      return SHISHI_IO_ERROR;
     }
 
   len = strlen (krb5kcmd1);
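Review bot: `buflen = ntohl (len); buf = malloc (buflen);` takes the message length straight from an unauthenticated peer with no upper bound — get_auth runs before any Kerberos verification — so a client can send a multi-gigabyte length and make rshd attempt the allocation (or, if `buflen` is a signed int, pass a negative size). Cap it before allocating, e.g. `if (buflen == 0 || buflen > MAX_AUTH_MSG) { *err_msg = "Authentication message too large"; return SHISHI_TOO_SMALL_BUFFER; }` with a constant sized for the longest legitimate version string or AP-REQ. `rc = read (infd, buf, buflen); if (rc != buflen)` also treats a partial TCP read as a protocol error, and both error paths return without `free (buf)`; a small read-all loop plus `free (buf)` before those returns would fix both. The same three steps are repeated for the sendauth message above and the AP-REQ below, so the fix belongs in a static helper. The types of `len` and `buflen` are declared outside the hunk.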
@@ -348,7 +365,9 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
       if (rc)
        {
          *err_msg = "Protocol version not supported";
-         return 1;
+         /* Protocol version is wrong.  */
+         write (infd, "\002", 1);
+         return SHISHI_VERIFY_FAILED;
        }
       *protoversion = 2;
     }
@@ -367,7 +386,7 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (rc != sizeof (int))
     {
       *err_msg = "Error reading authentication request size";
-      return 1;
+      return SHISHI_IO_ERROR;
     }
 
   buflen = ntohl (len);
@@ -375,14 +394,14 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (!buf)
     {
       *err_msg = "Not enough memory";
-      return 1;
+      return SHISHI_TOO_SMALL_BUFFER;
     }
 
   rc = read (infd, buf, buflen);
   if (rc != buflen)
     {
       *err_msg = "Error reading authentication request";
-      return 1;
+      return SHISHI_IO_ERROR;
     }
 
   /* Create Authentication context */
@@ -393,7 +412,7 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
 
   /* Store request in context */
 
-  shishi_ap_req_der_set (*ap, buf, buflen);
+  rc = shishi_ap_req_der_set (*ap, buf, buflen);
   if (rc != SHISHI_OK)
     return rc;
 
@@ -424,11 +443,11 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   if (rc != SHISHI_OK)
     return rc;
 
-  /* User is authenticated. */
+  /* User is authenticated.  */
   error = 0;
   write (infd, &error, sizeof (int));
 
-  /* Authenticate ourself to client, if request */
+  /* Authenticate ourself to client, if requested.  */
 
   if (shishi_apreq_mutual_required_p (*handle, shishi_ap_req (*ap)))
     {
@@ -442,7 +461,7 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
        {
          *err_msg = "Error sending AP-REP";
          free (out);
-         return 1;
+         return SHISHI_IO_ERROR;
        }
 
       rc = write (infd, out, ntohl (outlen));
@@ -450,7 +469,7 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
        {
          *err_msg = "Error sending AP-REP";
          free (out);
-         return 1;
+         return SHISHI_IO_ERROR;
        }
 
       free (out);
@@ -467,7 +486,7 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
       if (tkt == NULL)
        {
          *err_msg = "Could not get tkt from AP-REQ";
-         return 1;
+         return SHISHI_INVALID_TICKET;
        }
 
       rc = shishi_encticketpart_get_key (*handle,
diff --git a/libinetutils/shishi_def.h b/libinetutils/shishi_def.h
index 868d72f..d574665 100644
--- a/libinetutils/shishi_def.h
+++ b/libinetutils/shishi_def.h
@@ -62,7 +62,7 @@ extern int shishi_auth (Shishi ** handle, int verbose, char 
**cname,
 extern int get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
                     Shishi_key ** enckey, const char **err_msg,
                     int *protoversion, int *cksumtype, char **cksum,
-                    int *cksumlen);
+                    int *cksumlen, char *srvname);
 
 extern int readenc (Shishi * h, int sock, char *buf, int *len,
                    shishi_ivector * iv, Shishi_key * enckey, int proto);
diff --git a/src/rlogind.c b/src/rlogind.c
index b3451ef..86cf17c 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -176,6 +176,7 @@ int keepalive = 1;
 
 #if defined KERBEROS || defined SHISHI
 int kerberos = 0;
+char *servername = NULL;
 
 # ifdef ENCRYPTION
 int encrypt_io = 0;
@@ -291,6 +292,8 @@ static struct argp_option options[] = {
 #if defined KERBEROS || defined SHISHI
   { "kerberos", 'k', NULL, 0,
     "use kerberos IV/V authentication" },
+  { "servername", 'S', "NAME", 0,
+    "set Kerberos server name, overriding canonical hostname" },
 #endif
 #if defined ENCRYPTION
   { "encrypt", 'x', NULL, 0,
@@ -354,6 +357,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
        kerberos = AUTH_KERBEROS_DEFAULT;
       break;
 
+    case 'S':
+      servername = arg;
+      break;
+
 # ifdef ENCRYPTION
     case 'x':
       encrypt_io = 1;
@@ -1185,10 +1192,10 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
 
 #  ifdef ENCRYPTION
   rc = get_auth (infd, &ad->h, &ad->ap, &ad->enckey, err_msg, &ad->protocol,
-                &cksumtype, &cksum, &cksumlen);
+                &cksumtype, &cksum, &cksumlen, servername);
 #  else
   rc = get_auth (infd, &ad->h, &ad->ap, NULL, err_msg, &ad->protocol,
-                &cksumtype, &cksum, &cksumlen);
+                &cksumtype, &cksum, &cksumlen, servername);
 #  endif
   if (rc != SHISHI_OK)
     return rc;
diff --git a/src/rshd.c b/src/rshd.c
index b76a421..8623960 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -194,6 +194,7 @@ int protocol;
 # define VERSION_SIZE  9
 # define SECURE_MESSAGE  "This rsh session is using DES encryption for all 
transmissions.\r\n"
 int doencrypt, use_kerberos, vacuous;
+char *servername = NULL;
 #else
 #endif /* KERBEROS || SHISHI */
 
@@ -214,7 +215,9 @@ static struct argp_option options[] = {
     "use kerberos authentication" },
   /* FIXME: Option name is misleading */
   { "vacuous", 'v', NULL, 0,
-    "require Kerberos authentication" },
+    "fail for non-Kerberos authentication" },
+  { "servername", 'S', "NAME", 0,
+    "set Kerberos server name, overriding canonical hostname" },
 #endif /* KERBEROS */
   { NULL }
 };
@@ -263,6 +266,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
       doencrypt = 1;
       break;
 # endif
+
+    case 'S':
+      servername = arg;
+      break;
 #endif /* KERBEROS || SHISHI */
 
     case 'L':
@@ -596,7 +603,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
 #endif
        if (port >= IPPORT_RESERVED || port < IPPORT_RESERVED / 2)
          {
-           syslog (LOG_ERR, "2nd port not reserved\n");
+           syslog (LOG_ERR, "Second port outside reserved range.");
            exit (EXIT_FAILURE);
          }
       /* Use the fromp structure that we already have available.
@@ -812,7 +819,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
       char *err_msg;
 
       rc = get_auth (STDIN_FILENO, &h, &ap, &enckey, &err_msg, &protocol,
-                    &cksumtype, &cksum, &cksumlen);
+                    &cksumtype, &cksum, &cksumlen, servername);
       if (rc != SHISHI_OK)
        {
          rshd_error ("Kerberos authentication failure: %s\n",
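Review bot: `char *err_msg;` is never initialised, and several get_auth() failure paths in this commit return a Shishi code without setting `*err_msg` (`shishi_init_server`, `shishi_ap_req_der_set` and the later verification steps all `return rc;` directly), so the `rshd_error ("Kerberos authentication failure: %s\n", ...)` that follows can print an uninitialised pointer. Initialise it and fall back to the library's text: `const char *err_msg = NULL;` and `rshd_error (..., err_msg ? err_msg : shishi_strerror (rc));`. Using `const char *` also matches get_auth's `const char **err_msg` parameter — passing `&err_msg` of type `char **` there is an incompatible-pointer-types warning. The rshd_error call continues past the end of the hunk.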
@@ -906,12 +913,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
       exit (EXIT_FAILURE);
 
     /* verify checksum */
-
-# if 1
     {
       unsigned short port;
 
-    /* Doesn't give socket port ? */
       socklen = sizeof (sock);
       if (getsockname (STDIN_FILENO, (struct sockaddr *)&sock, &socklen) < 0)
        {
@@ -923,15 +927,12 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
             ? ((struct sockaddr_in6 *) &sock)->sin6_port
             : ((struct sockaddr_in *) &sock)->sin_port;
 
-      snprintf (cksumdata, 100, "%u:%s%s", port, cmdbuf, locuser);
+      snprintf (cksumdata, 100, "%u:%s%s", ntohs (port), cmdbuf, locuser);
     }
-# else
-    snprintf (cksumdata, 100, "544:%s%s", cmdbuf, locuser);
-# endif
+
     rc = shishi_checksum (h, enckey, 0, cksumtype,
                          cksumdata, strlen (cksumdata),
                          &compcksum, &compcksumlen);
-    free (cksum);
     if (rc != SHISHI_OK
        || compcksumlen != cksumlen
        || memcmp (compcksum, cksum, cksumlen) != 0)
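Review bot: Removing `free (cksum);` fixes the use-before-free the ChangeLog describes, but the hunk does not show where `cksum` (or `compcksum`, returned by shishi_checksum) is released afterwards; both should be freed once the memcmp has run, on the failure path as well. `snprintf (cksumdata, 100, ...)` silently truncates, so for a long `cmdbuf` only the first ~90 bytes of the command are bound by the checksum and the remainder is accepted unverified; checking the return value and rejecting the request when it is `>= sizeof (cksumdata)` avoids that, and using `sizeof (cksumdata)` here keeps the bound identical to the client's in shishi.c (which this commit changes to `sizeof (cksumdata) - 1`, so the two sides currently disagree for commands near the limit). The declaration of `cksumdata` and the code that frees the checksums, if any, are outside the hunk.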
@@ -1052,6 +1053,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
     }
 #endif /* WITH_PAM */
 
+#if defined WITH_IRUSEROK_AF && !defined WITH_PAM
+    switch (fromp->sa_family)
+      {
+      case AF_INET6:
+       fromaddrp = (void *) &((struct sockaddr_in6 *) fromp)->sin6_addr;
+       break;
+      case AF_INET:
+      default:
+       fromaddrp = (void *) &((struct sockaddr_in *) fromp)->sin_addr;
+      }
+#endif
+
 #ifdef KERBEROS
   if (use_kerberos)
     {
@@ -1090,15 +1103,6 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
                      && (iruserok_sa ((void *) fromp, fromlen,
                                      pwd->pw_uid == 0, remuser, locuser)) < 0))
 # elif defined WITH_IRUSEROK_AF
-    switch (fromp->sa_family)
-      {
-      case AF_INET6:
-       fromaddrp = (void *) &((struct sockaddr_in6 *) fromp)->sin6_addr;
-       break;
-      case AF_INET:
-      default:
-       fromaddrp = (void *) &((struct sockaddr_in *) fromp)->sin_addr;
-      }
     if (errorstr || (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0'
                      && (iruserok_af (fromaddrp, pwd->pw_uid == 0,
                                      remuser, locuser, fromp->sa_family)) < 0))

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   58 ++++++++++++++++++++++++++++++
 libinetutils/kcmd.c       |   56 ++++++++++++++++++++--------
 libinetutils/krcmd.c      |    6 ++--
 libinetutils/shishi.c     |   87 +++++++++++++++++++++++++++-----------------
 libinetutils/shishi_def.h |    2 +-
 src/rlogind.c             |   11 +++++-
 src/rshd.c                |   74 ++++++++++++++++++++++++++++----------
 7 files changed, 218 insertions(+), 76 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


