* klogind.M: Document things a little better, including new

	options controlling hostname manipulation.

	* krlogind.c: Make use of pty_make_sane_hostname() for purposes of
	manipulating hostname to pass to login.  Also unconditionally
	syslog IP address and full hostname of remote host.  Add command
	line options to control such behavior.

	* configure.in: Add arpa/nameser.h to CHECK_HEADERS.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11176 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 57 insertions, 30 deletions

diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c
index f433897190..b57b5a746f 100644
--- a/src/appl/bsd/krlogind.c
+++ b/src/appl/bsd/krlogind.c
@@ -260,7 +260,7 @@ krb5_ccache ccache = NULL;
 
 krb5_keytab keytab = NULL;
 
-#define ARGSTR	"k54ciepPD:S:M:L:f?"
+#define ARGSTR	"k54ciepPD:S:M:L:fu:Is?"
 #else /* !KERBEROS */
 #define ARGSTR	"rpPD:f?"
 #endif /* KERBEROS */
@@ -286,11 +286,20 @@ char *login_program = LOGIN_PROGRAM;
 #define	UT_NAMESIZE	sizeof(((struct utmp *)0)->ut_name)
 #endif
 
+#if HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+
+#ifndef MAXDNAME
+#define MAXDNAME 256 /*per the rfc*/
+#endif
+
 char		lusername[UT_NAMESIZE+1];
 char		rusername[UT_NAMESIZE+1];
 char            *krusername = 0;
 char		term[64];
-char            rhost_name[128];
+char            rhost_name[MAXDNAME];
+char		rhost_addra[16];
 krb5_principal  client;
 int		do_inband = 0;
 
@@ -327,6 +336,10 @@ int auth_ok = 0, auth_sent = 0;
 int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
 int checksum_required = 0, checksum_ignored = 0;
 
+int stripdomain = 1;
+int maxhostlen = 0;
+int always_ip = 0;
+
 int main(argc, argv)
      int argc;
      char **argv;
@@ -428,6 +441,15 @@ int main(argc, argv)
         case 'f':
 	  do_fork = 1;
 	  break;
+        case 'u':
+	  maxhostlen = atoi(optarg);
+	  break;
+        case 'I':
+	  always_ip = 1;
+	  break;
+        case 's':
+	  stripdomain = 0;
+	  break;
 	case '?':
 	default:
 	  usage();
@@ -564,7 +586,9 @@ void doit(f, fromp)
     struct sigaction sa;
 #endif
     int retval;
-int syncpipe[2];
+    char *rhost_sane;
+    int syncpipe[2];
+
     netf = -1;
     if (setsockopt(f, SOL_SOCKET, SO_KEEPALIVE,
 		   (const char *) &on, sizeof (on)) < 0)
@@ -601,18 +625,14 @@ int syncpipe[2];
     fromp->sin_port = ntohs((u_short)fromp->sin_port);
     hp = gethostbyaddr((char *) &fromp->sin_addr, sizeof (struct in_addr),
 		       fromp->sin_family);
-    if (hp == 0) {
-	/*
-	 * Only the name is used below.
-	 */
-	sprintf(rhost_name,"%s",inet_ntoa(fromp->sin_addr));
-    }
-    
-    /* Save hostent information.... */
-    else {
+    strncpy(rhost_addra, inet_ntoa(fromp->sin_addr), sizeof (rhost_addra));
+    rhost_addra[sizeof (rhost_addra) -1] = '\0';
+    if (hp != NULL) {
+	/* Save hostent information.... */
 	strncpy(rhost_name,hp->h_name,sizeof (rhost_name));
 	rhost_name[sizeof (rhost_name) - 1] = '\0';
-    }
+    } else
+	rhost_name[0] = '\0';
     
     if (fromp->sin_family != AF_INET)
       fatal(f, "Permission denied - Malformed from address\n");
@@ -629,7 +649,7 @@ int syncpipe[2];
     
 #if defined(KERBEROS)
     /* All validation, and authorization goes through do_krb_login() */
-    do_krb_login(rhost_name);
+    do_krb_login(rhost_addra, rhost_name);
 #else
     getstr(f, rusername, sizeof(rusername), "remuser");
     getstr(f, lusername, sizeof(lusername), "locuser");
@@ -720,11 +740,13 @@ int syncpipe[2];
 	pwd = (struct passwd *) getpwnam(lusername);
 	if (pwd && (pwd->pw_uid == 0)) {
 	    if (passwd_req)
-	      syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) forcing password access",
-		     krusername ? krusername : "", rusername, rhost_name);
+	      syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s)) forcing password access",
+		     krusername ? krusername : "",
+		     rusername, rhost_addra, rhost_name);
 	    else
-	      syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) ", 
-		     krusername ? krusername : "", rusername, rhost_name);
+	      syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", 
+		     krusername ? krusername : "",
+		     rusername, rhost_addra, rhost_name);
 	}
 #ifdef KERBEROS
 #if defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS)
@@ -745,14 +767,14 @@ int syncpipe[2];
 	{
 	    if (passwd_req)
 	      syslog(LOG_NOTICE,
-		     "login by %s (%s@%s) as %s forcing password access\n",
+		     "login by %s (%s@%s (%s)) as %s forcing password access",
 		     krusername ? krusername : "", rusername,
-		     rhost_name, lusername);
+		     rhost_addra, rhost_name, lusername);
 	    else 
 	      syslog(LOG_NOTICE,
-		     "login by %s (%s@%s) as %s\n",
+		     "login by %s (%s@%s (%s)) as %s",
 		     krusername ? krusername : "", rusername,
-		     rhost_name, lusername); 
+		     rhost_addra, rhost_name, lusername); 
 	}
 #endif /* LOG_REMOTE_REALM || LOG_OTHER_USERS || LOG_ALL_LOGINS */
 #endif /* KERBEROS */
@@ -775,15 +797,20 @@ int syncpipe[2];
             *cp = '\0';
         setenv("TERM",term, 1);
     }
- 
+
+    retval = pty_make_sane_hostname(fromp, maxhostlen,
+				    stripdomain, always_ip,
+				    &rhost_sane);
+    if (retval)
+        fatalperror(2, "failed make_sane_hostname");
     if (passwd_req)
-        execl(login_program, "login", "-p", "-h", rhost_name,
+        execl(login_program, "login", "-p", "-h", rhost_sane,
           lusername, 0);
     else
-        execl(login_program, "login", "-p", "-h", rhost_name,
+        execl(login_program, "login", "-p", "-h", rhost_sane,
              "-f", lusername, 0);
 #else /* USE_LOGIN_F */
-	execl(login_program, "login", "-r", rhost_name, 0);
+	execl(login_program, "login", "-r", rhost_sane, 0);
 #endif /* USE_LOGIN_F */
 	
 	fatalperror(2, login_program);
@@ -1159,8 +1186,8 @@ void fatalperror(f, msg)
 #ifdef KERBEROS
 
 void
-do_krb_login(host)
-     char *host;
+do_krb_login(host_addr, hostname)
+     char *host_addr, *hostname;
 {
     krb5_error_code status;
     struct passwd *pwd;
@@ -1178,8 +1205,8 @@ do_krb_login(host)
 	  krb5_free_ticket(bsd_context, ticket);
 	if (status != 255)
 	  syslog(LOG_ERR,
-		 "Authentication failed from %s: %s\n",
-		 host,error_message(status));
+		 "Authentication failed from %s (%s): %s\n",host_addr,
+		 hostname,error_message(status));
 	fatal(netf, "Kerberos authentication failed");
 	return;
     }