Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) X-RT-Original-Encoding: iso-8859-1 Content-Length: 9153 From djm@web.us.uu.net Wed May 24 17:13:49 2000 Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA03182 for ; Wed, 24 May 2000 17:13:49 -0400 (EDT) Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP id AA27130; Wed, 24 May 00 17:13:41 EDT Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP (peer crosschecked as: dagger.web.us.uu.net [208.211.134.28]) id RAA22632; Wed, 24 May 2000 17:13:43 -0400 (EDT) Received: by dagger.web.us.uu.net id RAA14712; Wed, 24 May 2000 17:13:43 -0400 Message-Id: Date: Wed, 24 May 2000 17:13:43 -0400 From: djm@web.us.uu.net (David J. MacKenzie) Reply-To: djm@web.us.uu.net To: krb5-bugs@MIT.EDU Cc: Subject: patch to support BSD/OS authentication system X-Send-Pr-Version: 3.99 >Number: 857 >Category: krb5-appl >Synopsis: The BSDI login authentication system isn't supported >Confidential: no >Severity: non-critical >Priority: medium >Responsible: krb5-unassigned >State: open >Class: change-request >Submitter-Id: unknown >Arrival-Date: Wed May 24 17:14:00 EDT 2000 >Last-Modified: >Originator: David MacKenzie >Organization: UUNET Technologies >Release: krb5-1.1.1 >Environment: System: BSD/OS robby.web.us.uu.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #1: Mon May 8 23:23:57 EDT 2000 root@robby.web.us.uu.net:/usr/src/bsdi/sys/compile/SERVER+NFS i386 Architecture: i686 >Description: BSDI has a PAM-like system for selecting authentication mechanisms for login, su, etc. krb5 needs a patch in order to work with it. >How-To-Repeat: Install krb5 and login on a BSDI system. >Fix: This patch is from Chris Ross . Index: src/appl/bsd/forward.c --- src/appl/bsd/forward.c 2000/03/27 22:36:22 1.1 +++ src/appl/bsd/forward.c 2000/03/29 01:16:53 1.2 
@@ -24,6 +24,10 @@ #include #include #include +#ifdef LOGIN_WONT_RECREATE_CC +#include +#include +#endif #include "k5-int.h" @@ -39,12 +43,26 @@ krb5_creds ** creds; krb5_error_code retval; char ccname[35]; +#ifdef LOGIN_WONT_RECREATE_CC + struct passwd *pwd; + krb5_data *user = krb5_princ_name(context, + ticket->enc_part2->client); + char *username; +#endif *ccache = NULL; if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) return(retval); +#ifdef LOGIN_WONT_RECREATE_CC + /* If we're gonna fail malloc(), fail it now before we set anything */ + /* in the environment. */ + username = (char *)malloc(user->length + 1); + if (username == NULL) + return(KRB5_CC_NOMEM); +#endif + /* Set the KRB5CCNAME ENV variable to keep sessions * seperate. Use the process id of this process which is * the rlogind or rshd. Set the environment variable as well. @@ -53,6 +71,25 @@ sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid()); setenv("KRB5CCNAME", ccname, 0); +#ifdef LOGIN_WONT_RECREATE_CC + /* If we're running a login that isn't the kerberos V5 login, it + * presumedly won't know how to destroy and recreate [as the user] + * the credentials cache. We will solve this by seteuid'ing here + * so that it's created by the "right" user to start with. + * + * XXX - it's created as the user who's in the ticket. If this + * is not the user who's being logged in, we're screwed. This needs + * to be fixed, but I'm not sure how to fix it... + */ + memmove(username, user->data, user->length); + username[user->length] = '\0'; + pwd = getpwnam(username); + free(username); + if (pwd) { + seteuid(pwd->pw_uid); + } +#endif + if (retval = krb5_cc_resolve(context, ccname, ccache)) goto cleanup; 
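Review bot: The return value of `seteuid(pwd->pw_uid)` is ignored, so if the switch fails the credentials cache resolved on the following lines is still created under the daemon's current effective uid (root when this runs inside rshd/rlogind) with no indication that anything went wrong, and the cleanup branch later resets the uid as though the switch had succeeded. Fail closed instead: `if (seteuid(pwd->pw_uid) < 0) { retval = errno; goto cleanup; }` (errno values are usable as krb5_error_code elsewhere in this tree; confirm `<errno.h>` is already included, the header names in this hunk have been stripped). The owner lookup also keys off `getpwnam()` of the principal's first component only, with instance and realm dropped, which the XXX comment above half-acknowledges; the daemon's own user mapping is `krb5_aname_to_localname()` on the full principal, and using it here would keep the two consistent. The enclosing function continues past the end of this hunk.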
@@ -63,6 +100,11 @@ goto cleanup; cleanup: +#ifdef LOGIN_WONT_RECREATE_CC + if (pwd) { + seteuid(getuid()); + } +#endif krb5_free_creds(context, *creds); return retval; } Index: src/appl/bsd/krshd.c --- src/appl/bsd/krshd.c 2000/03/27 22:36:23 1.1 +++ src/appl/bsd/krshd.c 2000/05/20 17:54:52 1.5 @@ -142,6 +142,10 @@ #include #endif /* CRAY */ +#ifdef __bsdi__ +#include +#endif /* __bsdi__ */ + #include #ifdef POSIX_TERMIOS @@ -567,7 +571,9 @@ #endif wait(0); +#ifndef KRSH_NO_WTMP pty_logwtmp(ttyn,"",""); +#endif syslog(LOG_INFO ,"Daemon terminated via signal %d.", signumber); if (ccache) krb5_cc_destroy(bsd_context, ccache); @@ -607,6 +613,9 @@ int packet_level; /* Packet classification level */ long packet_compart; /* Packet compartments */ #endif /* CRAY */ +#ifdef __bsdi__ + login_cap_t *lc; +#endif int s; struct hostent *hp; @@ -907,6 +916,7 @@ #endif /* !NO_UDB */ #endif /*CRAY*/ +#ifndef KRSH_NO_WTMP /* Setup wtmp entry : we do it here so that if this is a CRAY the Process Id is correct and we have not lost our trusted privileges. */ @@ -921,6 +931,7 @@ else { pty_logwtmp(ttyn,locuser,sane_host); } +#endif #ifdef CRAY 
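Review bot: `seteuid(getuid())` in the cleanup path is unchecked and restores the real uid rather than the effective uid that was in force before the switch; if it fails, the caller carries on believing it has its original privileges while still running as the ticket's user. Record `uid_t saved_euid = geteuid();` before the `seteuid(pwd->pw_uid)` in the preceding hunk and restore with `if (seteuid(saved_euid) < 0 && retval == 0) retval = errno;` so the failure is visible to the caller. The `if (pwd)` guard also relies on `pwd` having been assigned on every path that reaches `cleanup:`; that holds for the code in this patch, but `pwd` is an uninitialized pointer if a future early `goto cleanup` is added above the `getpwnam()` call, so initialize it to NULL at its declaration. The enclosing function starts before this hunk.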
@@ -1053,6 +1064,34 @@ } #endif /*CRAY*/ +#ifdef __bsdi__ + /* + * Stuff specific to BSD/OS's login authentication/approval mechanism + */ + lc = login_getclass(pwd->pw_class); + if (lc == NULL) { + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: unknown class. cmd='%.80s'", + remuser, hostname, locuser, cmdbuf); + error("Unable to get login class for user.\n"); + goto signout_please; + } + + /* Set up everything so the shell knows who we are... */ + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL)) { + error("Unable to set user context.\n"); + goto signout_please; + } + /* + * XXX - this will output an error if it fails, which will get messed + * up by the rsh communications channel. Not sure how to fix this... + */ + if (auth_approve(lc, pwd->pw_name, "rsh") <= 0) { + error("Approval failure.\n"); + goto signout_please; + } +#endif + if (chdir(pwd->pw_dir) < 0) { if(chdir("/") < 0) { error("No remote directory.\n"); @@ -1304,7 +1343,9 @@ "Shell process completed."); #endif /* Finish session in wmtp */ +#ifndef KRSH_NO_WTMP pty_logwtmp(ttyn,"",""); +#endif if (ccache) krb5_cc_destroy(bsd_context, ccache); exit(0); @@ -1337,12 +1378,14 @@ (void) close(pv[1]); } +#ifndef KRSH_NO_WTMP /* We are simply execing a program over rshd : log entry into wtmp, as kexe(pid), then finish out the session right after that. Syslog should have the information as to what was exec'd */ else { pty_logwtmp(ttyn,"",""); } +#endif if (*pwd->pw_shell == '\0') pwd->pw_shell = "/bin/sh"; @@ -1501,7 +1545,9 @@ if (ccache) krb5_cc_destroy(bsd_context, ccache); ccache = NULL; +#ifndef KRSH_NO_WTMP pty_logwtmp(ttyn,"",""); +#endif exit(1); } Index: src/appl/telnet/libtelnet/forward.c --- src/appl/telnet/libtelnet/forward.c 2000/03/27 22:36:25 1.1 +++ src/appl/telnet/libtelnet/forward.c 2000/03/29 01:16:53 1.2 @@ -26,6 +26,10 @@ #if defined(KERBEROS) || defined(KRB5) #include #include +#ifdef LOGIN_WONT_RECREATE_CC +#include +#include +#endif #include "k5-int.h" 
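Review bot: The approval check runs after `setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL)`, so a user that `auth_approve` rejects has already had the full login context applied to this process, and if BSD/OS's LOGIN_SETALL includes the set-user step (as it does in other BSD login_cap implementations) root has been dropped before the `goto signout_please` path and before whatever setgid/initgroups/setuid sequence krshd performs further down. Call `auth_approve(lc, pwd->pw_name, "rsh")` first, then `setusercontext`, and if root is still required afterwards pass `LOGIN_SETALL & ~LOGIN_SETUSER` and leave the uid switch to the existing code; I cannot see from this hunk where krshd drops privileges, so confirm the ordering against it. The `setusercontext` failure is also not logged, unlike the unknown-class case just above it; add a matching `syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: setusercontext failed. cmd='%.80s'", remuser, hostname, locuser, cmdbuf);` before the `error()` call. The enclosing function extends beyond both ends of this hunk.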
@@ -44,13 +48,46 @@ char ccname[35]; krb5_ccache ccache = NULL; char *tty; +#ifdef LOGIN_WONT_RECREATE_CC + struct passwd *pwd; + krb5_data *user = krb5_princ_name(context, + ticket->enc_part2->client); + char *username; +#endif if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) return(retval); +#ifdef LOGIN_WONT_RECREATE_CC + /* If we're gonna fail malloc(), fail it now before we set anything */ + /* in the environment. */ + username = (char *)malloc(user->length + 1); + if (username == NULL) + return(KRB5_CC_NOMEM); +#endif + sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid()); setenv(KRB5_ENV_CCNAME, ccname, 1); +#ifdef LOGIN_WONT_RECREATE_CC + /* If we're running a login that isn't the kerberos V5 login, it + * presumedly won't know how to destroy and recreate [as the user] + * the credentials cache. We will solve this by seteuid'ing here + * so that it's created by the "right" user to start with. + * + * XXX - it's created as the user who's in the ticket. If this + * is not the user who's being logged in, we're screwed. This needs + * to be fixed, but I'm not sure how to fix it... + */ + memmove(username, user->data, user->length); + username[user->length] = '\0'; + pwd = getpwnam(username); + free(username); + if (pwd) { + seteuid(pwd->pw_uid); + } +#endif + if (retval = krb5_cc_resolve(context, ccname, &ccache)) goto cleanup; @@ -61,6 +98,11 @@ goto cleanup; cleanup: +#ifdef LOGIN_WONT_RECREATE_CC + if (pwd) { + seteuid(getuid()); + } +#endif krb5_free_creds(context, *creds); return retval; } >Audit-Trail: >Unformatted:
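Review bot: This block is a line-for-line copy of the one added to src/appl/bsd/forward.c in the same patch, including its unchecked `seteuid(pwd->pw_uid)` and the XXX about the cache being created as whichever local account `getpwnam()` returns for the principal's first component; two copies of privilege-switching code are twice the surface to get wrong when one of them is fixed later. Move the lookup-and-switch into a shared helper (or at least resolve the owner with `krb5_aname_to_localname()` on `ticket->enc_part2->client`, which applies the daemon's realm and instance rules rather than a bare `getpwnam()`), and treat a failed switch as an error: `if (seteuid(pwd->pw_uid) < 0) { retval = errno; goto cleanup; }`. Note that with cross-realm clients the local account sharing the principal's name can belong to a different person, who would then own and be able to read the forwarded tickets written into this cache. The enclosing function continues past the end of this hunk.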