From schwim@whatmore.Stanford.EDU Tue Mar 17 22:29:11 1998 Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA19330 for ; Tue, 17 Mar 1998 22:29:11 -0500 Received: from whatmore.Stanford.EDU by MIT.EDU with SMTP id AA13000; Tue, 17 Mar 98 22:29:41 EST Received: (from schwim@localhost) by whatmore.Stanford.EDU (8.8.8/8.8.8) id TAA01037; Tue, 17 Mar 1998 19:29:08 -0800 (PST) Message-Id: <199803180329.TAA01037@whatmore.Stanford.EDU> Date: Tue, 17 Mar 1998 19:29:08 -0800 (PST) From: Larry Schwimmer To: krb5-bugs@MIT.EDU Cc: schwim@leland.Stanford.EDU Subject: PATCH: appl/bsd/krlogind.c >Number: 563 >Category: krb5-appl >Synopsis: non-kerberos support for krlogind >Confidential: no >Severity: non-critical >Priority: low >Responsible: krb5-unassigned >State: open >Class: change-request >Submitter-Id: unknown >Arrival-Date: Tue Mar 17 22:30:01 EST 1998 >Last-Modified: Fri Sep 14 11:36:38 EDT 2001 >Originator: Larry Schwimmer >Organization: >Release: 1.0.5 >Environment: ALL >Description: The krb4 klogind supported the krb4 eklogin, krb4 klogin, and (non-kerberos) rlogin protocols. The krb5 klogind supports krb4/krb5 eklogin and krb4/krb5 klogin but not non-kerberos rlogin. Some hosts still require both kerberos and non-kerberos rlogin, and the upgrade breaks the non-kerberos functionality. The code comments correctly mentions: Actually, these sources may not work without the KERBEROS #defined. However, the usage still mentions the non-kerberos invocation. It turns out to be fairly easy to add the support back in. While we're encouraging campus sites to turn off non-kerberos services, this is not always possible for some hosts. While it is possible to use the vendor rlogind, using the kerberos one provides source code access and quicker response times to security issues. The support is therefore useful. The kshd.c patch was much simpler. Providing a patch for krlogind.c is a bit tricky since there are several issues with krlogind.c that I needed to deal with: 1. Support for non-kerberos rlogin. 2. Backward compatibility with the krb4 klogind 3. Support for login.krb/login.krb5. 4. Terminal baud rate information passing under HP-UX. 5. Support for IRIX. I tried to seperate out just the first three items listed above in the patch below. The patch adds the following support: * If invoked as "rlogind" or "klogind -r", klogind will act as the non-kerberos rlogind. * If KRB5_KRB4_COMPAT is defined, invoking klogind as "eklogind" or "klogind" will have klogind support krb4. * Fix code to work properly if USE_LOGIN_F is not defined (and the define commented out in the source). This provides support for login.krb/login.krb5 derivants. It is a bit ironic that the comment in the USE_LOGIN_F mentions HP-UX since it is HP-UX where USE_LOGIN_F causes the most problems; -f/-F is intended to specify a local login, which rlogin decidedly is not. Having USE_LOGIN_F defined disables passing of the baud rate to login; the result is 300 baud, which is extremely painful to use. * Prevent small buffer overflow (about 8 bytes) in rusername strcpy. >How-To-Repeat: Install the krb5 klogind as rlogind for and have the appropriate login protocol entry in inetd.conf. The daemon does not work. >Fix: --- krlogind.c.orig Fri Feb 6 19:41:17 1998 +++ krlogind.c Tue Mar 17 17:25:54 1998 @@ -50,13 +50,14 @@ * inetd, or by the name of the daemon. If command-line arguments are * present, they take priority. The options are: * -k means trust krb4 or krb5 -* -5 means trust krb5 -* -4 means trust krb4 + * -5 means trust krb5 + * -4 means trust krb4 * -p and -P means prompt for password. * If the -P option is passed, then the password is verified in * addition to all other checks. If -p is not passed with -k or -r, * and both checks fail, then login permission is denied. * - -e means use encryption. + * -r means act as non-kerberos rlogind * * If no command-line arguments are present, then the presence of the * letters kKrRexpP in the program-name before "logind" determine the @@ -83,8 +84,7 @@ */ /* - * This is usually done in the Makefile. Actually, these sources may - * not work without the KERBEROS #defined. + * This is usually done in the Makefile. * * #define KERBEROS */ @@ -246,7 +246,7 @@ krb5_keytab keytab = NULL; -#define ARGSTR "k54ciepPD:S:M:L:?" +#define ARGSTR "k54cierpPD:S:M:L:?" #else /* !KERBEROS */ #define ARGSTR "rpPD:?" #define (*des_read) read @@ -301,7 +301,7 @@ krb5_error_code recvauth(); /* There are two authentication related masks: - * auth_ok and auth_sent. +* auth_ok and auth_sent. * The auth_ok mask is the oring of authentication systems any one * of which can be used. * The auth_sent mask is the oring of one or more authentication/authorization @@ -311,7 +311,7 @@ #define AUTH_KRB4 (0x1) #define AUTH_KRB5 (0x2) int auth_ok = 0, auth_sent = 0; -int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0; +int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0, no_kerberos = 0; int checksum_required = 0, checksum_ignored = 0; int main(argc, argv) @@ -330,7 +330,20 @@ #endif progname = *argv; - + + if (strcmp(progname, "eklogind") == 0) { + do_encrypt = 1; +#ifdef KRB5_KRB4_COMPAT + auth_ok |= AUTH_KRB4; + } else if (strcmp(progname, "klogind") == 0) { + auth_ok |= AUTH_KRB4; +#endif + } else if (strcmp(progname, "rlogind") == 0) { + no_kerberos = 1; + des_read = &read; + des_write = &write; + } + pty_init(); #ifndef LOG_NDELAY @@ -344,11 +357,13 @@ #endif /* 4.2 syslog */ #ifdef KERBEROS - status = krb5_init_context(&bsd_context); - if (status) { + if (!no_kerberos) { + status = krb5_init_context(&bsd_context); + if (status) { syslog(LOG_ERR, "Error initializing krb5: %s", error_message(status)); exit(1); + } } #endif @@ -411,6 +426,11 @@ case 'L': login_program = optarg; break; + case 'r': + no_kerberos = 1; + des_read = &read; + des_write = &write; + break; case '?': default: usage(); @@ -556,30 +576,33 @@ fatal(f, "Permission denied - Malformed from address\n"); #ifdef KERBEROS - + if (!no_kerberos) { /* setup des buffers */ - desinbuf.data = des_inbuf; - desoutbuf.data = des_outpkt+4; /* Set up des buffers */ - -#else /* !KERBEROS */ + desinbuf.data = des_inbuf; + desoutbuf.data = des_outpkt+4; /* Set up des buffers */ + } else +#endif /* KERBEROS */ if (fromp->sin_port >= IPPORT_RESERVED || fromp->sin_port < IPPORT_RESERVED/2) fatal(f, "Permission denied - Connection from bad port"); -#endif /* KERBEROS */ /* Set global netf to f now : we may need to drop everything in do_krb_login. */ netf = f; #if defined(KERBEROS) - /* All validation, and authorization goes through do_krb_login() */ - do_krb_login(rhost_name); -#else - getstr(f, rusername, sizeof(rusername), "remuser"); - getstr(f, lusername, sizeof(lusername), "locuser"); - getstr(f, term, sizeof(term), "Terminal type"); -#endif - + if (!no_kerberos) { + /* All validation, and authorization goes through do_krb_login() */ + do_krb_login(rhost_name); + } else { +#endif /* KERBEROS */ + getstr(f, rusername, sizeof(rusername), "remuser"); + getstr(f, lusername, sizeof(lusername), "locuser"); + getstr(f, term, sizeof(term), "Terminal type"); +#if defined(KERBEROS) + } +#endif /* KERBEROS */ + write(f, "", 1); if ((retval = pty_getpty(&p,line, sizeof(line)))) { com_err(progname, retval, "while getting master pty"); @@ -708,27 +731,32 @@ } #endif + /* Pass TERM to login's environment */ + { + char *cp; + + if ((cp = strchr(term,'/'))) + *cp = '\0'; + setenv("TERM",term, 1); + } + + if (passwd_req) + execl(login_program, "login", "-p", "-h", rhost_name, + lusername, 0); + else if (no_kerberos) + execl(login_program, "login", "-r", rhost_name, 0); + else if (do_encrypt) #ifdef USE_LOGIN_F -/* use the vendors login, which has -p and -f. Tested on - * AIX 4.1.4 and HPUX 10 - */ - { - char *cp; - if ((cp = strchr(term,'/'))) - *cp = '\0'; - setenv("TERM",term, 1); - } - - if (passwd_req) - execl(login_program, "login", "-p", "-h", rhost_name, - lusername, 0); - else - execl(login_program, "login", "-p", "-h", rhost_name, - "-f", lusername, 0); -#else /* USE_LOGIN_F */ - execl(login_program, "login", "-r", rhost_name, 0); + execl(login_program, "login", "-h", rhost_name, + "-F", lusername, 0); +#else + execl(login_program, + "login", "-h", rhost_name, "-e", lusername, 0); #endif /* USE_LOGIN_F */ - + else + execl(login_program, "login", "-p", "-h", rhost_name, + "-f", lusername, 0); + fatalperror(2, login_program); /*NOTREACHED*/ } /* if (pid == 0) */ @@ -740,7 +768,7 @@ ** The master blocks here until it reads a byte. */ -(void) close(syncpipe[1]); + (void) close(syncpipe[1]); if (read(syncpipe[0], &c, 1) != 1) { /* * Problems read failed ... @@ -779,16 +807,20 @@ #if!defined(USE_LOGIN_F) - /* Pass down rusername and lusername to login. */ - (void) write(p, rusername, strlen(rusername) +1); - (void) write(p, lusername, strlen(lusername) +1); + if (no_kerberos) { + /* Pass down rusername and lusername to login. */ + (void) write(p, rusername, strlen(rusername) +1); + (void) write(p, lusername, strlen(lusername) +1); + } /* stuff term info down to login */ - if ((write(p, term, strlen(term)+1) != (int) strlen(term)+1)) { + if (do_encrypt || no_kerberos) { + if ((write(p, term, strlen(term)+1) != (int) strlen(term)+1)) { /* * Problems write failed ... */ sprintf(buferror,"Cannot write slave pty %s ",line); fatalperror(f,buferror); + } } #endif @@ -1332,7 +1364,7 @@ { #ifdef KERBEROS syslog(LOG_ERR, - "usage: klogind [-ke45pP] [-D port] or [r/R][k/K][x/e][p/P]logind"); + "usage: klogind [-ke45rpP] [-D port] or [r/R][k/K][x/e][p/P]logind"); #else syslog(LOG_ERR, "usage: rlogind [-rpP] [-D port] or [r/R][p/P]logind"); @@ -1519,7 +1551,7 @@ * Assume it to be the same as the first component of the * principal's name. */ - strcpy(rusername, v4_kdata->pname); + strncpy(rusername, v4_kdata->pname, sizeof(rusername)-1); status = krb5_425_conv_principal(bsd_context, v4_kdata->pname, v4_kdata->pinst, v4_kdata->prealm, >Audit-Trail: Responsible-Changed-From-To: gnats-admin->krb5-unassigned Responsible-Changed-By: raeburn Responsible-Changed-When: Fri Sep 14 11:36:30 2001 Responsible-Changed-Why: reformat/refile >Unformatted: