[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-201-gd4855
From: |
Mats Erik Andersson |
Subject: |
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-201-gd4855df |
Date: |
Thu, 08 Nov 2012 21:11:45 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".
The branch, master has been updated
via d4855dfde8f2feb7ba3124924fb546cdde3bdc20 (commit)
via 9f35cb2128ec0421a7029aa1caa8ce78838bd036 (commit)
from 302aa409c6b90039ee8e7a6afcd631f72c0cab20 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=d4855dfde8f2feb7ba3124924fb546cdde3bdc20
commit d4855dfde8f2feb7ba3124924fb546cdde3bdc20
Author: Mats Erik Andersson <address@hidden>
Date: Tue Nov 6 18:41:50 2012 +0100
rlogind: Force encrypted sessions.
diff --git a/ChangeLog b/ChangeLog
index ee503a0..78a09c3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,25 @@
+2012-10-06 Mats Erik Andersson <address@hidden>
+
+ rshd: Allow enforced encryption with libshishi,
+ rejecting other Kerberized sessions.
+
+ * src/rshd.c (uses_encryption) [SHISHI]: New variable.
+ (options) [(KERBEROS || SHISHI) && ENCRYPTION]:
+ Expose option `-x/--encrypt'.
+ (doit) [SHISHI] <client encrypts>: Set `uses_encryption'
+ instead of `doencrypt'. Fail connection request if
+ `doencrypt && !uses_encryption', otherwise proceed.
+ [SHISHI] <logging>: Refine message to indicate whether
+ encryption is in use.
+
+ * src/rlogind.c (do_krb_login) [SHISHI]: Initialize RC
+ as SHISHI_VERIFY_FAILED.
+ [KERBEROS]: Initialize RC as 1.
+
+ * src/rlogind.c (setup_utmp): Calculate offset
+ from PATH_DEV.
+ * telnetd/pty.c (setup_utmp): Likewise.
+
2012-10-05 Mats Erik Andersson <address@hidden>
rlogind: Buffer overflow, causing stalled and
diff --git a/src/rlogind.c b/src/rlogind.c
index 5e839ff..db77df2 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -1027,7 +1027,7 @@ setup_utmp (char *line, char *host)
{
char *ut_id = utmp_ptsid (line, "rl");
- utmp_init (line + sizeof ("/dev/") - 1, ".rlogin", ut_id, host);
+ utmp_init (line + sizeof (PATH_DEV) - 1, ".rlogin", ut_id, host);
}
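Review bot: The new offset `sizeof (PATH_DEV) - 1` is only correct if PATH_DEV is a string literal that ends in the separator, exactly as the old `"/dev/"` did; PATH_DEV's definition is not visible here, and if it is spelled `"/dev"` the utmp line would start with `/` and utmp_init would record a wrong entry. There is also still no check that `line` actually begins with PATH_DEV before the pointer is advanced past it. I would make the assumption explicit and defensive: `const char *ut_line = line; if (strncmp (line, PATH_DEV, sizeof (PATH_DEV) - 1) == 0) ut_line = line + sizeof (PATH_DEV) - 1;` and pass `ut_line` to utmp_init, with a comment `/* PATH_DEV must be a literal ending in '/' for this offset to be right.  */`.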
void
@@ -1258,14 +1258,18 @@ do_rlogin (int infd, struct auth_data *ap)
int
do_krb_login (int infd, struct auth_data *ap, const char **err_msg)
{
- int rc;
+# if defined SHISHI
+ int rc = SHISHI_VERIFY_FAILED;
+# else /* KERBEROS */
+ int rc = 1;
+# endif
*err_msg = NULL;
# if defined KRB5
if (kerberos == AUTH_KERBEROS_5)
rc = do_krb5_login (infd, ap, err_msg);
else
-# elif defined(SHISHI)
+# elif defined SHISHI
if (kerberos == AUTH_KERBEROS_SHISHI)
rc = do_shishi_login (infd, ap, err_msg);
else
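Review bot: The preset values of `rc` at the top of do_krb_login are what the function returns when `kerberos` matches none of the compiled-in branches, yet nothing in the hunk says so or says how the caller reads them; a reader seeing `1` beside `SHISHI_VERIFY_FAILED` will wonder whether both mean "failure". I would add, above the declaration, `/* Preset to a failure code so that an authentication type not compiled in, or not matching `kerberos', is rejected rather than returning an indeterminate RC.  */`. Presumably the caller treats any non-zero value as a failed login, which is worth confirming and stating in that comment. do_krb_login continues past the end of the hunk.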
diff --git a/src/rshd.c b/src/rshd.c
index 35d8588..f560132 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -198,7 +198,7 @@ Shishi_ap *ap;
Shishi_key *enckey;
shishi_ivector iv1, iv2, iv3, iv4;
shishi_ivector *ivtab[4];
-int protocol;
+int protocol, uses_encryption = 0;
# endif /* SHISHI */
# define VERSION_SIZE 9
# define SECURE_MESSAGE "This rsh session is using DES encryption for all
transmissions.\r\n"
@@ -230,6 +230,10 @@ static struct argp_option options[] = {
"fail for non-Kerberos authentication", GRP },
{ "server-principal", 'S', "NAME", 0,
"set Kerberos server name, overriding canonical hostname", GRP },
+# if defined ENCRYPTION
+ { "encrypt", 'x', NULL, 0,
+ "fail for non-encrypted, Kerberized sessions", GRP },
+# endif
# undef GRP
#endif /* KERBEROS */
{ NULL, 0, NULL, 0, NULL, 0 }
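Review bot: The help text for `-x` promises to "fail for non-encrypted, Kerberized sessions", but the only enforcement this commit adds (the `doencrypt && !uses_encryption` rejection in doit) lives in the SHISHI-only part of the file, while this option block is guarded by ENCRYPTION inside the section closed by `#endif /* KERBEROS */` and so is presumably exposed for a non-Shishi Kerberos build as well. If that build does not reject unencrypted sessions, the option silently over-promises, which matters because an administrator will treat it as a policy control. Either narrow the guard to `# if defined SHISHI && defined ENCRYPTION`, or confirm that the non-Shishi path enforces it too and say so in the help string.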
@@ -866,7 +870,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
{
int i;
- doencrypt = 1;
+ uses_encryption = 1;
ivtab[0] = &iv1;
ivtab[1] = &iv2;
@@ -961,6 +965,17 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t
fromlen)
exit (EXIT_FAILURE);
}
+ if (doencrypt && !uses_encryption)
+ {
+ syslog (LOG_INFO, "non-encrypted session denied");
+ free (compcksum);
+ shishi_ap_done (ap);
+ rshd_error ("Only encrypted sessions are allowed.\n");
+ exit (EXIT_FAILURE);
+ }
+ else
+ doencrypt = uses_encryption;
+
rc = shishi_authorized_p (h, shishi_ap_tkt (ap), locuser);
if (!rc)
{
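Review bot: The denial at `syslog (LOG_INFO, "non-encrypted session denied")` is logged without the LOG_AUTH facility and without the peer's identity, while the session log later in the same function uses `LOG_INFO | LOG_AUTH` and names the remote user, host and command; an operator filtering auth logs for policy violations will not see these rejections or know who triggered them. I would log it as `syslog (LOG_INFO | LOG_AUTH, "non-encrypted session from %s denied", <remote host>)`, using the same host string the later `cmd=` line reports. The `else` after `exit (EXIT_FAILURE)` is also redundant; a plain `doencrypt = uses_encryption;` following the block reads cleaner. doit begins and ends outside this hunk.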
@@ -1615,7 +1630,9 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t
fromlen)
syslog (LOG_INFO | LOG_AUTH,
"address@hidden as %s: cmd='%.80s'",
#ifdef SHISHI
- use_kerberos ? "Kerberized " : "",
+ !use_kerberos ? ""
+ : !doencrypt ? "Kerberized "
+ : "Kerberized and encrypted ",
#else
"",
#endif
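Review bot: `doencrypt` is now read unconditionally inside the SHISHI branch here (and tested in doit), while the `-x` option that sets it is compiled only under ENCRYPTION; if `doencrypt` itself is declared under ENCRYPTION, a SHISHI build without ENCRYPTION no longer compiles, which is worth confirming. As a matter of style, the three-way nested conditional inside the syslog argument list is hard to scan; a local such as `const char *how = !use_kerberos ? "" : doencrypt ? "Kerberized and encrypted " : "Kerberized ";` set just before the call keeps the format call readable. doit ends outside this hunk.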
diff --git a/telnetd/pty.c b/telnetd/pty.c
index 83fd373..0926142 100644
--- a/telnetd/pty.c
+++ b/telnetd/pty.c
@@ -32,7 +32,7 @@ void
setup_utmp (char *line, char *host)
{
char *ut_id = utmp_ptsid (line, "tn");
- utmp_init (line + sizeof ("/dev/") - 1, ".telnet", ut_id, host);
+ utmp_init (line + sizeof (PATH_DEV) - 1, ".telnet", ut_id, host);
}
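Review bot: As in rlogind, `sizeof (PATH_DEV) - 1` assumes PATH_DEV is a string literal ending in `/`, matching the old `"/dev/"`; PATH_DEV's definition is not visible here, and nothing verifies that `line` starts with it before the pointer is advanced, so a mismatch yields a wrong utmp line rather than an error. I would guard it: `const char *ut_line = line; if (strncmp (line, PATH_DEV, sizeof (PATH_DEV) - 1) == 0) ut_line = line + sizeof (PATH_DEV) - 1;` and pass `ut_line` to utmp_init, with a comment `/* PATH_DEV must be a literal ending in '/' for this offset to be right.  */`.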
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9f35cb2128ec0421a7029aa1caa8ce78838bd036
commit 9f35cb2128ec0421a7029aa1caa8ce78838bd036
Author: Mats Erik Andersson <address@hidden>
Date: Mon Nov 5 23:25:28 2012 +0100
rlogind: Buffer overflow with encryption.
diff --git a/ChangeLog b/ChangeLog
index dae5e07..ee503a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2012-10-05 Mats Erik Andersson <address@hidden>
+
+ rlogind: Buffer overflow, causing stalled and
+ incomplete login for encrypted connections.
+
+ * libinetutils/shishi_def.h (SHISHI_ENCRYPT_BUFLEN):
+ Rename from previous BUFLEN.
+ * libinetutils/shishi.c (readenc): Likewise, used
+ in calling memset() on `buf'.
+ * src/rlogind.c (do_shishi_login): Replace 100 by
+ sizeof(cksumdata) when calling snprintf(). Insert
+ `encrypted' in syslog message for encrypted exchange.
+ (BUFLEN): Define as SHISHI_ENCRYPT_BUFLEN, if possible,
+ otherwise fall back to existing value, or to 1024.
+ (protocol): Declare FIBUF of length BUFLEN, and DBUF
+ of length BUFLEN+1.
+
2012-10-02 Mats Erik Andersson <address@hidden>
* telnet/commands.c: Include <limits.h>. Needed
diff --git a/libinetutils/shishi.c b/libinetutils/shishi.c
index 90c79a8..21e375b 100644
--- a/libinetutils/shishi.c
+++ b/libinetutils/shishi.c
@@ -684,7 +684,7 @@ readenc (Shishi * h, int sock, char *buf, int *len,
shishi_ivector * iv,
val = sizeof (int);
}
- memset (buf, 0, BUFLEN);
+ memset (buf, 0, SHISHI_ENCRYPT_BUFLEN);
/* copy decrypted data to output */
memcpy (buf, out + val, outlen - val);
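Review bot: The memcpy at the end of the hunk copies `outlen - val` bytes into `buf`, but nothing in the hunk bounds that length by SHISHI_ENCRYPT_BUFLEN, the size the preceding memset now assumes for `buf`; `outlen` is presumably the length of the decrypted record received from the peer, so an oversized record, or `outlen < val` (which underflows to a huge size_t), would overrun the caller's buffer — the same class of bug this commit fixes in rlogind. Add, before the memset, `if (outlen < val || (size_t) (outlen - val) > SHISHI_ENCRYPT_BUFLEN) return <the error value readenc uses for a failed decrypt>;`. The assumption that every caller passes a buffer of at least SHISHI_ENCRYPT_BUFLEN bytes should be stated in a comment on the function, or better replaced by a buffer-length parameter. readenc begins before this hunk.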
diff --git a/libinetutils/shishi_def.h b/libinetutils/shishi_def.h
index 4970cd9..1f0d3d1 100644
--- a/libinetutils/shishi_def.h
+++ b/libinetutils/shishi_def.h
@@ -22,7 +22,7 @@
# include <netinet/in.h>
# define SERVICE "host"
-# define BUFLEN 1040
+# define SHISHI_ENCRYPT_BUFLEN 1040
struct shishi_iv
{
diff --git a/src/rlogind.c b/src/rlogind.c
index c169ef5..5e839ff 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -1574,7 +1574,7 @@ do_shishi_login (int infd, struct auth_data *ad, const
char **err_msg)
fatal (infd, "Can't get sockname", 1);
}
- snprintf (cksumdata, 100, "%u:%s%s",
+ snprintf (cksumdata, sizeof (cksumdata), "%u:%s%s",
(sock.ss_family == AF_INET6)
? ntohs (((struct sockaddr_in6 *) &sock)->sin6_port)
: ntohs (((struct sockaddr_in *) &sock)->sin_port),
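Review bot: Replacing `100` with `sizeof (cksumdata)` fixes the overrun, but the snprintf result is still discarded, so a port/host string longer than the buffer is silently truncated and the checksum is then computed over the wrong data, which can only surface as an unexplained verification failure. Check it: `int n = snprintf (...); if (n < 0 || (size_t) n >= sizeof (cksumdata)) fatal (infd, "Checksum data too long", 1);`, mirroring the `fatal` call visible two lines above. This assumes cksumdata is an array in this scope, as the ChangeLog implies; if it is a pointer, sizeof would be wrong. do_shishi_login begins and ends outside the hunk.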
@@ -1607,7 +1607,8 @@ do_shishi_login (int infd, struct auth_data *ad, const
char **err_msg)
}
syslog (LOG_INFO | LOG_AUTH,
- "Kerberos V login from %s on %s as `%s'.\n",
+ "Kerberos V %slogin from %s on %s as `%s'.\n",
+ encrypt_io ? "encrypted " : "",
ad->rusername, ad->hostname, ad->lusername);
shishi_ap_done (ad->ap);
@@ -1681,10 +1682,17 @@ char oobdata[] = { TIOCPKT_WINDOW }; /* May be
modified by protocol/control */
char oobdata_new[] = { 0377, 0377, 'o', 'o', TIOCPKT_WINDOW };
#endif
+#ifdef SHISHI_ENCRYPT_BUFLEN
+# undef BUFLEN
+# define BUFLEN SHISHI_ENCRYPT_BUFLEN
+#elif !defined BUFLEN
+# define BUFLEN 1024
+#endif
+
void
protocol (int f, int p, struct auth_data *ap)
{
- char fibuf[1024], *pbp = NULL, *fbp = NULL;
+ char fibuf[BUFLEN], *pbp = NULL, *fbp = NULL;
int pcc = 0, fcc = 0;
int cc, nfd, n;
char cntl;
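Review bot: The `#elif !defined BUFLEN` fallback means that, in a build without SHISHI_ENCRYPT_BUFLEN, `fibuf` is sized by whatever BUFLEN some earlier header happened to define, and silently shrinks below the 1024 bytes it has always had if that value is smaller, while in the SHISHI case the `#undef` silently discards that same definition; neither outcome is announced at compile time. I would drop the dependence on a pre-existing BUFLEN and guard the result, e.g. `#if BUFLEN < 1024` / `# error "BUFLEN too small for rlogind protocol buffers"` / `#endif` after the block. A comment that fibuf and dbuf must hold one SHISHI_ENCRYPT_BUFLEN record, since readenc zeroes and fills that many bytes, would explain the choice to the next maintainer. protocol() continues past the end of the hunk.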
@@ -1821,7 +1829,7 @@ protocol (int f, int p, struct auth_data *ap)
if (FD_ISSET (p, &ibits))
{
- char dbuf[1024 + 1];
+ char dbuf[BUFLEN + 1];
pcc = read (p, dbuf, sizeof dbuf);
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 39 +++++++++++++++++++++++++++++++++++++++
libinetutils/shishi.c | 2 +-
libinetutils/shishi_def.h | 2 +-
src/rlogind.c | 26 +++++++++++++++++++-------
src/rshd.c | 23 ++++++++++++++++++++---
telnetd/pty.c | 2 +-
6 files changed, 81 insertions(+), 13 deletions(-)
hooks/post-receive
--
GNU Inetutils