* Remove documentation of how krlogind gets its command line options

from its name, because it doesn't any more.  Same for kshd.

* Document and implement -i option to ignore checksums.  Restore
default mode to accept and process checksums if provided.

* Bring back the warning about only using -c with Kerberos5.  The
documentation (both install.texi and the man pages) clearly state that
the -c option shouldnot be used in conjunction with Kerberos4, so warn
users if they try.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7849 dc483132-0cff-0310-8789-dd5450dbe970

5 files changed, 110 insertions, 33 deletions

diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index 2f3e2b6c2e..5258ed76ce 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,16 @@
+Sun Apr 21 00:30:28 1996  Sam Hartman  <hartmans@mit.edu>
+
+	* krshd.c krlogind.c: Implement -i.  Rewrite error message having
+ 	to do with checksums.
+
+	* krshd.Mkrlogind.M : Document -i, remove documentation about
+ 	taking options from name of daemon.  Clean up checksum
+ 	documentation.
+
+	* krlogind.c (do_krb_login): Fix up error messages for checksums.
+  	Configuration errors are presented for situations where -c and -i
+ 	are used together, or where -4 and -c are used together.
+
 Thu Apr 18 19:48:47 1996  Sam Hartman  <hartmans@mit.edu>
 
 	* Makefile.in: Fix spaces by converting to tabs.
diff --git a/src/appl/bsd/krlogind.M b/src/appl/bsd/krlogind.M
index 295617efbc..8322e7be99 100644
--- a/src/appl/bsd/krlogind.M
+++ b/src/appl/bsd/krlogind.M
@@ -42,9 +42,7 @@ login.krb5 or /bin/login, according to the definition of
 DO_NOT_USE_K_LOGIN.  
 .PP 
 The configuration of \fIkrlogind\fP is done
-either by command-line arguments passed by
-inetd, or by the name of the daemon. If command-line arguments are
-present, they  take priority. The options are:
+by command line arguments passed by inetd.  The options are:
 .IP \fB\-5\fP 10
 Allow Kerberos5 authentication with the \fI.k5login\fP access control file
 to be trusted.  If this authentication system is used by the client and the
@@ -78,16 +76,37 @@ to all other checks.
 .IP \fB\-e\fP
 Create an encrypted session. 
 
-.IP \fB\-c\fP
-Require Kerberos5 clients to present a cryptographic checksum of
-initial connection information like the name of the user that the
-client is trying to access in the initial authenticator.  This
-checksum provides additionl security by preventing an attacker from
-changing the initial connection information.  To benefit from this
-security, only Kerberos5 should be trusted; Kerberos4 and rhosts
-authentication do not include this checksum.  If this options is
+.IP \fB\-c\fP 
+Require Kerberos5 clients to present a cryptographic
+checksum of initial connection information like the name of the user
+that the client is trying to access in the initial authenticator.
+This checksum provides additionl security by preventing an attacker
+from changing the initial connection information.  To benefit from
+this security, only Kerberos5 should be trusted; Kerberos4 and rhosts
+authentication do not include this checksum.  If this option is
 specified, older Kerberos5 clients that do not send a checksum in the
-authenticator will not be able to authenticate to this server.
+authenticator will not be able to authenticate to this server.  This
+option is mutually exclusive with the \fB-i\fP option.
+
+	If neither the \fB-c\fP or \fB-i\fP options are specified,then
+checksums are validated if presented.  Since it is difficult to remove
+a checksum from an authenticator without making the authenticator
+invalid, this default mode is almost as significant of a security
+improvement as \fB-c\fP if new clients are used.  It has the additional
+advantage of backwards compatability with some clients.
+Unfortunately, clients before Kerberos V5, Beta5, generate invalid
+checksums; if these clients are used, the \fB-i\fP option must be
+used.
+
+.IP \fB\-i\fP 
+Ignore authenticator checksums if provided.  This option
+ignore authenticator checksusm presented by current Kerberos clients
+to protect initial connection information; it is the opposite of
+\fB-c\fP.  This option is provided because some older
+clients--particularly clients predating the release of Kerberos V5
+Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+authentication from succeeding in the default mode.
+
 
 .PP
 If the
diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c
index fd0a2afc0c..26fb2cd216 100644
--- a/src/appl/bsd/krlogind.c
+++ b/src/appl/bsd/krlogind.c
@@ -239,7 +239,7 @@ krb5_ccache ccache = NULL;
 
 krb5_keytab keytab = NULL;
 
-#define ARGSTR	"rk54cepPD:S:M:L:?"
+#define ARGSTR	"rk54ciepPD:S:M:L:?"
 #else /* !KERBEROS */
 #define ARGSTR	"rpPD:?"
 #define (*des_read)  read
@@ -306,7 +306,7 @@ krb5_error_code recvauth();
 #define AUTH_RHOSTS (0x4)
 int auth_ok = 0, auth_sent = 0;
 int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
-int checksum_required = 0;
+int checksum_required = 0, checksum_ignored = 0;
 
 int main(argc, argv)
      int argc;
@@ -365,6 +365,10 @@ pty_init();
       case 'c':
 	checksum_required = 1;
 	break;
+      case 'i':
+	checksum_ignored = 1;
+	break;
+	
 #ifdef KRB5_KRB4_COMPAT
       case '4':
 	auth_ok |= AUTH_KRB4;
@@ -465,6 +469,11 @@ pty_init();
       syslog(LOG_CRIT, "No authentication systems were enabled; all connections will be refused.");
       fatal(fd, "All authentication systems disabled; connection refused.");
     }
+
+    if (checksum_required&&checksum_ignored) {
+      syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
+      fatal(fd, "Configuration error: mutually exclusive options specified");
+    }
     
     doit(fd, &from);
     return 0;
@@ -1112,11 +1121,12 @@ do_krb_login(host)
 
     if (checksum_required && !valid_checksum) {
 	if (auth_sent & AUTH_KRB5) {
-	    syslog(LOG_WARNING, "Client did not supply required checksum.");
+	    syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
 	
 	    fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
 	} else {
-	    syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
+	  syslog(LOG_WARNING,
+		 "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections.");
 	}
     }
     if (auth_ok&auth_sent) /* This should be bitwise.*/
@@ -1447,7 +1457,7 @@ recvauth(valid_checksum)
 
     getstr(netf, lusername, sizeof (lusername), "locuser");
     getstr(netf, term, sizeof(term), "Terminal type");
-    if ((auth_sys == KRB5_RECVAUTH_V5) && checksum_required) {
+    if ((auth_sys == KRB5_RECVAUTH_V5) && !checksum_ignored) {
       
       if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context,
 						   &authenticator)))
diff --git a/src/appl/bsd/krshd.M b/src/appl/bsd/krshd.M
index afa5176902..9b263ec0d9 100644
--- a/src/appl/bsd/krshd.M
+++ b/src/appl/bsd/krshd.M
@@ -42,10 +42,9 @@ shell inherits the network connections established
 by
 .IR krshd .
 
-\fIKrshd\fP can be configured either by command-line arguments passed
-by \fIinetd(8)\fP,  
-or by the name of the daemon. If command-line arguments are present, they 
-take priority.  The options are:
+\fIKrshd\fP can be configured  by command-line arguments passed
+by \fIinetd(8)\fP.
+ The options are:
 
 .IP \fB\-5\fP 10
 Allow Kerberos5 authentication with the \fI.k5login\fP access control file
@@ -70,16 +69,37 @@ Trust the remote hostname as an authentication system using the
 Require the client to encrypt the connection.  Only Kerberos5 clients
 support encryption.
 
-.IP \fB\-c\fP
-Require Kerberos5 clients to present a cryptographic checksum of
-initial connection information like the name of the user that the
-client is trying to access in the initial authenticator.  This
-checksum provides additionl security by preventing an attacker from
-changing the initial connection information.  To benefit from this
-security, only Kerberos5 should be trusted; Kerberos4 and rhosts
+.IP \fB\-c\fP 
+Require Kerberos5 clients to present a cryptographic
+checksum of initial connection information like the name of the user
+that the client is trying to access in the initial authenticator.
+This checksum provides additionl security by preventing an attacker
+from changing the initial connection information.  To benefit from
+this security, only Kerberos5 should be trusted; Kerberos4 and rhosts
 authentication do not include this checksum.  If this option is
 specified, older Kerberos5 clients that do not send a checksum in the
-authenticator will not be able to authenticate to this server.
+authenticator will not be able to authenticate to this server.  This
+option is mutually exclusive with the \fB-i\fP option.
+
+	If neither the \fB-c\fP or \fB-i\fP options are specified,then
+checksums are validated if presented.  Since it is difficult to remove
+a checksum from an authenticator without making the authenticator
+invalid, this default mode is almost as significant of a security
+improvement as \fB-c\fP if new clients are used.  It has the additional
+advantage of backwards compatability with some clients.
+Unfortunately, clients before Kerberos V5, Beta5, generate invalid
+checksums; if these clients are used, the \fB-i\fP option must be
+used.
+
+.IP \fB\-i\fP 
+Ignore authenticator checksums if provided.  This option
+ignore authenticator checksusm presented by current Kerberos clients
+to protect initial connection information; it is the opposite of
+\fB-c\fP.  This option is provided because some older
+clients--particularly clients predating the release of Kerberos V5
+Beta5 (May 1995)--present bogus checksums that prevent Kerberos
+authentication from succeeding in the default mode.
+
 
 .PP
 If the \fB\-r\fP or \fB\-R\fP options are used, the client must
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index 3acbedb491..7445f3980d 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -155,7 +155,7 @@ char copyright[] =
 #include "com_err.h"
 #include "loginpaths.h"
 
-#define ARGSTR	"rek54cD:S:M:AP:?L:"
+#define ARGSTR	"rek54ciD:S:M:AP:?L:"
 
 
 #define RSHD_BUFSIZ 5120
@@ -206,7 +206,7 @@ int netf;
 #define AUTH_KRB5 (0x2)
 #define AUTH_RHOSTS (0x4)
 int auth_ok = 0, auth_sent = 0;
-int checksum_required = 0;
+int checksum_required = 0, checksum_ignored = 1;
 char *progname;
 
 #define MAX_PROG_NAME 10
@@ -302,6 +302,10 @@ int main(argc, argv)
       case 'c':
 	checksum_required = 1;
 	break;
+      case 'i':
+	checksum_ignored = 1;
+	break;
+	
 #ifdef KRB5_KRB4_COMPAT
       case '4':
 	auth_ok |= AUTH_KRB4;
@@ -408,6 +412,11 @@ int main(argc, argv)
 	
 	fd = 0;
     }
+
+    if (checksum_required&&checksum_ignored) {
+      syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
+      fatal(fd, "Configuration error: mutually exclusive options specified");
+    }
     
     if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
 		   sizeof (on)) < 0)
@@ -420,6 +429,11 @@ int main(argc, argv)
 		   sizeof (linger)) < 0)
       syslog(LOG_WARNING , "setsockopt (SO_LINGER): %m");
 #endif
+    if (checksum_required&&checksum_ignored) {
+      syslog( LOG_CRIT, "Checksums are required and ignored; these options are mutually exclusive--check the documentation.");
+      fatal(fd, "Configuration error: mutually exclusive options specified");
+    }
+
     doit(dup(fd), &from);
     return 0;
 }
@@ -1012,11 +1026,12 @@ void doit(f, fromp)
 
     if (checksum_required && !valid_checksum) {
 	if (auth_sent & AUTH_KRB5) {
-	    syslog(LOG_WARNING, "Client did not supply required checksum.");
+	    syslog(LOG_WARNING, "Client did not supply required checksum--connection rejected.");
 	    error( "You are using an old Kerberos5 without initial connection support; only newer clients are authorized.");
 	    goto signout_please;
 	} else {
-	    syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums.");
+	    syslog(LOG_WARNING,
+   "Configuration error: Requiring checksums with -c is inconsistent with allowing Kerberos V4 connections.");
 	}
     }
     if (require_encrypt&&(!do_encrypt)) {