diff options
author | Tom Yu <tlyu@mit.edu> | 1999-02-17 22:26:33 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 1999-02-17 22:26:33 +0000 |
commit | 0e4ead54c1994ccc90fa3829b7bff6cc1d2284d0 (patch) | |
tree | ee358651eac253f29176ff25ad9068890e8d3719 /src/appl/bsd/krlogind.c | |
parent | 8157e459fdae118c88e5c124d0a866378ced115a (diff) | |
download | krb5-0e4ead54c1994ccc90fa3829b7bff6cc1d2284d0.tar.gz krb5-0e4ead54c1994ccc90fa3829b7bff6cc1d2284d0.tar.xz krb5-0e4ead54c1994ccc90fa3829b7bff6cc1d2284d0.zip |
* klogind.M: Document things a little better, including new
options controlling hostname manipulation.
* krlogind.c: Make use of pty_make_sane_hostname() for purposes of
manipulating hostname to pass to login. Also unconditionally
syslog IP address and full hostname of remote host. Add command
line options to control such behavior.
* configure.in: Add arpa/nameser.h to CHECK_HEADERS.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11176 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/appl/bsd/krlogind.c')
-rw-r--r-- | src/appl/bsd/krlogind.c | 87 |
1 files changed, 57 insertions, 30 deletions
diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index f433897190..b57b5a746f 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -260,7 +260,7 @@ krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; -#define ARGSTR "k54ciepPD:S:M:L:f?" +#define ARGSTR "k54ciepPD:S:M:L:fu:Is?" #else /* !KERBEROS */ #define ARGSTR "rpPD:f?" #endif /* KERBEROS */ @@ -286,11 +286,20 @@ char *login_program = LOGIN_PROGRAM; #define UT_NAMESIZE sizeof(((struct utmp *)0)->ut_name) #endif +#if HAVE_ARPA_NAMESER_H +#include <arpa/nameser.h> +#endif + +#ifndef MAXDNAME +#define MAXDNAME 256 /*per the rfc*/ +#endif + char lusername[UT_NAMESIZE+1]; char rusername[UT_NAMESIZE+1]; char *krusername = 0; char term[64]; -char rhost_name[128]; +char rhost_name[MAXDNAME]; +char rhost_addra[16]; krb5_principal client; int do_inband = 0; @@ -327,6 +336,10 @@ int auth_ok = 0, auth_sent = 0; int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0; int checksum_required = 0, checksum_ignored = 0; +int stripdomain = 1; +int maxhostlen = 0; +int always_ip = 0; + int main(argc, argv) int argc; char **argv; @@ -428,6 +441,15 @@ int main(argc, argv) case 'f': do_fork = 1; break; + case 'u': + maxhostlen = atoi(optarg); + break; + case 'I': + always_ip = 1; + break; + case 's': + stripdomain = 0; + break; case '?': default: usage(); @@ -564,7 +586,9 @@ void doit(f, fromp) struct sigaction sa; #endif int retval; -int syncpipe[2]; + char *rhost_sane; + int syncpipe[2]; + netf = -1; if (setsockopt(f, SOL_SOCKET, SO_KEEPALIVE, (const char *) &on, sizeof (on)) < 0) @@ -601,18 +625,14 @@ int syncpipe[2]; fromp->sin_port = ntohs((u_short)fromp->sin_port); hp = gethostbyaddr((char *) &fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); - if (hp == 0) { - /* - * Only the name is used below. - */ - sprintf(rhost_name,"%s",inet_ntoa(fromp->sin_addr)); - } - - /* Save hostent information.... */ - else { + strncpy(rhost_addra, inet_ntoa(fromp->sin_addr), sizeof (rhost_addra)); + rhost_addra[sizeof (rhost_addra) -1] = '\0'; + if (hp != NULL) { + /* Save hostent information.... */ strncpy(rhost_name,hp->h_name,sizeof (rhost_name)); rhost_name[sizeof (rhost_name) - 1] = '\0'; - } + } else + rhost_name[0] = '\0'; if (fromp->sin_family != AF_INET) fatal(f, "Permission denied - Malformed from address\n"); @@ -629,7 +649,7 @@ int syncpipe[2]; #if defined(KERBEROS) /* All validation, and authorization goes through do_krb_login() */ - do_krb_login(rhost_name); + do_krb_login(rhost_addra, rhost_name); #else getstr(f, rusername, sizeof(rusername), "remuser"); getstr(f, lusername, sizeof(lusername), "locuser"); @@ -720,11 +740,13 @@ int syncpipe[2]; pwd = (struct passwd *) getpwnam(lusername); if (pwd && (pwd->pw_uid == 0)) { if (passwd_req) - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) forcing password access", - krusername ? krusername : "", rusername, rhost_name); + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s)) forcing password access", + krusername ? krusername : "", + rusername, rhost_addra, rhost_name); else - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) ", - krusername ? krusername : "", rusername, rhost_name); + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", + krusername ? krusername : "", + rusername, rhost_addra, rhost_name); } #ifdef KERBEROS #if defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) @@ -745,14 +767,14 @@ int syncpipe[2]; { if (passwd_req) syslog(LOG_NOTICE, - "login by %s (%s@%s) as %s forcing password access\n", + "login by %s (%s@%s (%s)) as %s forcing password access", krusername ? krusername : "", rusername, - rhost_name, lusername); + rhost_addra, rhost_name, lusername); else syslog(LOG_NOTICE, - "login by %s (%s@%s) as %s\n", + "login by %s (%s@%s (%s)) as %s", krusername ? krusername : "", rusername, - rhost_name, lusername); + rhost_addra, rhost_name, lusername); } #endif /* LOG_REMOTE_REALM || LOG_OTHER_USERS || LOG_ALL_LOGINS */ #endif /* KERBEROS */ @@ -775,15 +797,20 @@ int syncpipe[2]; *cp = '\0'; setenv("TERM",term, 1); } - + + retval = pty_make_sane_hostname(fromp, maxhostlen, + stripdomain, always_ip, + &rhost_sane); + if (retval) + fatalperror(2, "failed make_sane_hostname"); if (passwd_req) - execl(login_program, "login", "-p", "-h", rhost_name, + execl(login_program, "login", "-p", "-h", rhost_sane, lusername, 0); else - execl(login_program, "login", "-p", "-h", rhost_name, + execl(login_program, "login", "-p", "-h", rhost_sane, "-f", lusername, 0); #else /* USE_LOGIN_F */ - execl(login_program, "login", "-r", rhost_name, 0); + execl(login_program, "login", "-r", rhost_sane, 0); #endif /* USE_LOGIN_F */ fatalperror(2, login_program); @@ -1159,8 +1186,8 @@ void fatalperror(f, msg) #ifdef KERBEROS void -do_krb_login(host) - char *host; +do_krb_login(host_addr, hostname) + char *host_addr, *hostname; { krb5_error_code status; struct passwd *pwd; @@ -1178,8 +1205,8 @@ do_krb_login(host) krb5_free_ticket(bsd_context, ticket); if (status != 255) syslog(LOG_ERR, - "Authentication failed from %s: %s\n", - host,error_message(status)); + "Authentication failed from %s (%s): %s\n",host_addr, + hostname,error_message(status)); fatal(netf, "Kerberos authentication failed"); return; } |