Diffstat (limited to 'src')
-rw-r--r-- | src/appl/bsd/ChangeLog | 11 | ||||
-rw-r--r-- | src/appl/bsd/kcmd.c | 16 | ||||
-rw-r--r-- | src/appl/bsd/krlogind.c | 37 | ||||
-rw-r--r-- | src/appl/bsd/krshd.c | 10 |
4 files changed, 35 insertions, 39 deletions
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index 527407bf16..d786903a65 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,14 @@ +Thu Apr 11 00:22:51 1996 Richard Basch <basch@lehman.com> + + * kcmd.c: Cleaned up whitespace and removed commented & unused cruft + + * krlogind.c, krshd.c: Allow the recvauth routine to find any key + in the keytab for which the user is trying to login. The host may + be known as many names. Additionally, for krlogind, clean up the + error handling for bad authentication (potential null dereference + and a misleading message because of the wrong authentication system + being used) + Sun Apr 7 22:46:07 1996 Ezra Peisach <epeisach@kangaroo.mit.edu> * krshd.c: Add an option -L to pass certain environment variables diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c index d343054b9c..c446541b76 100644 --- a/src/appl/bsd/kcmd.c +++ b/src/appl/bsd/kcmd.c @@ -66,8 +66,6 @@ char *default_service = "host"; extern krb5_context bsd_context; -krb5_enctype bsd_ktypes[] = { ENCTYPE_DES_CBC_CRC , 0 }; - kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, cred, seqno, server_seqno, laddr, faddr, authopts, anyport) @@ -109,15 +107,16 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, krb5_auth_context auth_context = NULL; char *cksumbuf; krb5_data cksumdat; + if ((cksumbuf = malloc(strlen(cmd)+strlen(remuser)+64)) == 0 ) { - fprintf(stderr, "Unable to allocate memory for checksum buffer.\n"); - return(-1); + fprintf(stderr, "Unable to allocate memory for checksum buffer.\n"); + return(-1); } -sprintf(cksumbuf, "%u:", ntohs(rport)); + sprintf(cksumbuf, "%u:", ntohs(rport)); strcat(cksumbuf, cmd); strcat(cksumbuf, remuser); cksumdat.data = cksumbuf; - cksumdat.length = strlen(cksumbuf); + cksumdat.length = strlen(cksumbuf); pid = getpid(); hp = gethostbyname(*ahost); 
@@ -144,7 +143,7 @@ sprintf(cksumbuf, "%u:", ntohs(rport)); fprintf(stderr,"kcmd: no memory\n"); return(-1); } - status = krb5_sname_to_principal(bsd_context, host_save,service, + status = krb5_sname_to_principal(bsd_context, host_save, service, KRB5_NT_SRV_HST, &get_cred->server); if (status) { fprintf(stderr, "kcmd: krb5_sname_to_principal failed: %s\n", @@ -278,9 +277,6 @@ sprintf(cksumbuf, "%u:", ntohs(rport)); if (status = krb5_cc_default(bsd_context, &cc)) goto bad2; -/* if (krb5_set_default_tgs_ktypes(bsd_context, bsd_ktypes)) */ -/* goto bad2; */ - if (status = krb5_cc_get_principal(bsd_context, cc, &get_cred->client)) { (void) krb5_cc_close(bsd_context, cc); goto bad2; diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index 5de2f5faad..d78ab6fbc2 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -1062,7 +1062,7 @@ do_krb_login(host) { krb5_error_code status; struct passwd *pwd; - char *msg_fail; + char *msg_fail = NULL; int valid_checksum; 
@@ -1127,23 +1127,28 @@ int valid_checksum; syslog(LOG_WARNING, "Client did not supply required checksum."); fatal(netf, "You are using an old Kerberos5 without initial connection support; only newer clients are authorized."); + } + else { + syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums."); + } } - else { - syslog(LOG_WARNING, "Checksums are only required for v5 clients; other clients cannot produce initial authenticator checksums."); - } - } - if -(auth_ok&auth_sent) /* This should be bitwise.*/ + if (auth_ok&auth_sent) /* This should be bitwise.*/ return; if (ticket) krb5_free_ticket(bsd_context, ticket); - msg_fail = (char *) malloc( strlen(krusername) + strlen(lusername) + 80 ); + if (krusername) + msg_fail = (char *)malloc(strlen(krusername) + strlen(lusername) + 80); if (!msg_fail) - fatal(netf, "User is not authorized to login to specified account"); - sprintf(msg_fail, "User %s is not authorized to login to account %s", - krusername, lusername); + fatal(netf, "User is not authorized to login to specified account"); + + if (auth_sent) + sprintf(msg_fail, "Access denied because of improper credentials"); + else + sprintf(msg_fail, "User %s is not authorized to login to account %s", + krusername, lusername); + fatal(netf, msg_fail); /* NOTREACHED */ } @@ -1472,7 +1477,6 @@ recvauth(valid_checksum) struct sockaddr_in peersin, laddr; char krb_vers[KRB_SENDAUTH_VLEN + 1]; int len; - krb5_principal server; krb5_data inbuf; char v4_instance[INST_SZ]; /* V4 Instance */ char v4_version[9]; @@ -1489,13 +1493,6 @@ recvauth(valid_checksum) exit(1); } - if (status = krb5_sname_to_principal(bsd_context, NULL, "host", - KRB5_NT_SRV_HST, &server)) { - syslog(LOG_ERR, "parse server name %s: %s", "host", - error_message(status)); - exit(1); - } - strcpy(v4_instance, "*"); if (status = krb5_auth_con_init(bsd_context, &auth_context)) 
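Review bot: In the do_krb_login hunk the `if (!msg_fail)` fallback runs before the `auth_sent` test, so when `krusername` is NULL the client still receives "User is not authorized to login to specified account" instead of the new "Access denied because of improper credentials" text; a NULL `krusername` is presumably the failed-authentication case the new message was meant for. Testing `auth_sent` first with the constant string, `if (auth_sent) fatal(netf, "Access denied because of improper credentials");`, placed ahead of the allocation, fixes that and removes the `sprintf` of a constant into a heap buffer. The remaining path still relies on `fatal()` never returning (otherwise `sprintf` writes through a NULL `msg_fail`) and calls `strlen(lusername)` without a NULL check, which deserves a one-line comment. The function begins above this hunk, so where `krusername` and `lusername` are assigned is not visible here.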
@@ -1508,7 +1505,7 @@ recvauth(valid_checksum) if (status = krb5_compat_recvauth(bsd_context, &auth_context, &netf, "KCMDV0.1", - server, /* Specify daemon principal */ + NULL, /* Specify daemon principal */ 0, /* no flags */ keytab, /* normally NULL to use v5srvtab */ diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 867319700d..e4073bfdd1 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -1696,7 +1696,6 @@ recvauth(netf, peersin, valid_checksum) struct sockaddr_in laddr; char krb_vers[KRB_SENDAUTH_VLEN + 1]; int len; - krb5_principal server; krb5_data inbuf; char v4_instance[INST_SZ]; /* V4 Instance */ char v4_version[9]; @@ -1715,13 +1714,6 @@ krb5_authenticator *authenticator; #define SIZEOF_INADDR sizeof(struct in_addr) #endif - if (status = krb5_sname_to_principal(bsd_context, NULL, "host", - KRB5_NT_SRV_HST, &server)) { - syslog(LOG_ERR, "parse server name %s: %s", "host", - error_message(status)); - exit(1); - } - strcpy(v4_instance, "*"); if (status = krb5_auth_con_init(bsd_context, &auth_context)) @@ -1733,7 +1725,7 @@ krb5_authenticator *authenticator; status = krb5_compat_recvauth(bsd_context, &auth_context, &netf, "KCMDV0.1", - server, /* Specify daemon principal */ + NULL, /* Specify daemon principal */ 0, /* no flags */ keytab, /* normally NULL to use v5srvtab */ 0, /* v4_opts */ |
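Review bot: Passing `NULL` as the server principal to `krb5_compat_recvauth` in krlogind.c recvauth (and in the matching krshd.c recvauth hunk) means a ticket for any principal in the keytab is accepted, not only `host/...`, and the retained comment `/* Specify daemon principal */` no longer describes the argument. If the keytab can hold keys for other services, a ticket issued for one of those would presumably authenticate to rlogin/rsh as well. I would change the comment to `NULL, /* accept any principal present in the keytab */` and either document that the keytab used by these daemons must contain only host keys or check the service name of the ticket's server principal after the call returns. Both function bodies start and end outside these hunks, so a later check may already exist.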