Skip Menu |
 

Download (untitled) / with headers
text/plain 10.8KiB
From schwim@whatmore.Stanford.EDU Tue Mar 17 22:29:11 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA19330 for <bugs@RT-11.MIT.EDU>; Tue, 17 Mar 1998 22:29:11 -0500
Received: from whatmore.Stanford.EDU by MIT.EDU with SMTP
id AA13000; Tue, 17 Mar 98 22:29:41 EST
Received: (from schwim@localhost)
by whatmore.Stanford.EDU (8.8.8/8.8.8) id TAA01037;
Tue, 17 Mar 1998 19:29:08 -0800 (PST)
Message-Id: <199803180329.TAA01037@whatmore.Stanford.EDU>
Date: Tue, 17 Mar 1998 19:29:08 -0800 (PST)
From: Larry Schwimmer <schwim@whatmore.Stanford.EDU>
To: krb5-bugs@MIT.EDU
Cc: schwim@leland.Stanford.EDU
Subject: PATCH: appl/bsd/krlogind.c

Show quoted text
>Number: 563
>Category: krb5-appl
>Synopsis: non-kerberos support for krlogind
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Tue Mar 17 22:30:01 EST 1998
>Last-Modified: Fri Sep 14 11:36:38 EDT 2001
>Originator: Larry Schwimmer
>Organization:
>Release: 1.0.5
>Environment:
ALL
Show quoted text
>Description:

The krb4 klogind supported the krb4 eklogin, krb4 klogin,
and (non-kerberos) rlogin protocols. The krb5 klogind supports
krb4/krb5 eklogin and krb4/krb5 klogin but not non-kerberos rlogin.
Some hosts still require both kerberos and non-kerberos rlogin, and
the upgrade breaks the non-kerberos functionality.

The code comments correctly mentions:

Actually, these sources may not work without the KERBEROS #defined.

However, the usage still mentions the non-kerberos invocation.

It turns out to be fairly easy to add the support back in.
While we're encouraging campus sites to turn off non-kerberos
services, this is not always possible for some hosts. While it is
possible to use the vendor rlogind, using the kerberos one provides
source code access and quicker response times to security issues.
The support is therefore useful.

The kshd.c patch was much simpler. Providing a patch for
krlogind.c is a bit tricky since there are several issues with
krlogind.c that I needed to deal with:

1. Support for non-kerberos rlogin.
2. Backward compatibility with the krb4 klogind
3. Support for login.krb/login.krb5.
4. Terminal baud rate information passing under HP-UX.
5. Support for IRIX.

I tried to seperate out just the first three items listed above in the
patch below.

The patch adds the following support:

* If invoked as "rlogind" or "klogind -r", klogind will act as the
non-kerberos rlogind.

* If KRB5_KRB4_COMPAT is defined, invoking klogind as "eklogind"
or "klogind" will have klogind support krb4.

* Fix code to work properly if USE_LOGIN_F is not defined (and
the define commented out in the source). This provides support
for login.krb/login.krb5 derivants.

It is a bit ironic that the comment in the USE_LOGIN_F mentions
HP-UX since it is HP-UX where USE_LOGIN_F causes the most problems;
-f/-F is intended to specify a local login, which rlogin decidedly
is not. Having USE_LOGIN_F defined disables passing of the baud
rate to login; the result is 300 baud, which is extremely painful to
use.

* Prevent small buffer overflow (about 8 bytes) in rusername strcpy.

Show quoted text
>How-To-Repeat:

Install the krb5 klogind as rlogind for and have the
appropriate login protocol entry in inetd.conf. The daemon does not
work.

Show quoted text
>Fix:

--- krlogind.c.orig Fri Feb 6 19:41:17 1998
+++ krlogind.c Tue Mar 17 17:25:54 1998
@@ -50,13 +50,14 @@
* inetd, or by the name of the daemon. If command-line arguments are
* present, they take priority. The options are:
* -k means trust krb4 or krb5
-* -5 means trust krb5
-* -4 means trust krb4
+ * -5 means trust krb5
+ * -4 means trust krb4
* -p and -P means prompt for password.
* If the -P option is passed, then the password is verified in
* addition to all other checks. If -p is not passed with -k or -r,
* and both checks fail, then login permission is denied.
* - -e means use encryption.
+ * -r means act as non-kerberos rlogind
*
* If no command-line arguments are present, then the presence of the
* letters kKrRexpP in the program-name before "logind" determine the
@@ -83,8 +84,7 @@
*/

/*
- * This is usually done in the Makefile. Actually, these sources may
- * not work without the KERBEROS #defined.
+ * This is usually done in the Makefile.
*
* #define KERBEROS
*/
@@ -246,7 +246,7 @@

krb5_keytab keytab = NULL;

-#define ARGSTR "k54ciepPD:S:M:L:?"
+#define ARGSTR "k54cierpPD:S:M:L:?"
#else /* !KERBEROS */
#define ARGSTR "rpPD:?"
#define (*des_read) read
@@ -301,7 +301,7 @@
krb5_error_code recvauth();

/* There are two authentication related masks:
- * auth_ok and auth_sent.
+* auth_ok and auth_sent.
* The auth_ok mask is the oring of authentication systems any one
* of which can be used.
* The auth_sent mask is the oring of one or more authentication/authorization
@@ -311,7 +311,7 @@
#define AUTH_KRB4 (0x1)
#define AUTH_KRB5 (0x2)
int auth_ok = 0, auth_sent = 0;
-int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
+int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0, no_kerberos = 0;
int checksum_required = 0, checksum_ignored = 0;

int main(argc, argv)
@@ -330,7 +330,20 @@
#endif

progname = *argv;
-
+
+ if (strcmp(progname, "eklogind") == 0) {
+ do_encrypt = 1;
+#ifdef KRB5_KRB4_COMPAT
+ auth_ok |= AUTH_KRB4;
+ } else if (strcmp(progname, "klogind") == 0) {
+ auth_ok |= AUTH_KRB4;
+#endif
+ } else if (strcmp(progname, "rlogind") == 0) {
+ no_kerberos = 1;
+ des_read = &read;
+ des_write = &write;
+ }
+
pty_init();

#ifndef LOG_NDELAY
@@ -344,11 +357,13 @@
#endif /* 4.2 syslog */

#ifdef KERBEROS
- status = krb5_init_context(&bsd_context);
- if (status) {
+ if (!no_kerberos) {
+ status = krb5_init_context(&bsd_context);
+ if (status) {
syslog(LOG_ERR, "Error initializing krb5: %s",
error_message(status));
exit(1);
+ }
}
#endif

@@ -411,6 +426,11 @@
case 'L':
login_program = optarg;
break;
+ case 'r':
+ no_kerberos = 1;
+ des_read = &read;
+ des_write = &write;
+ break;
case '?':
default:
usage();
@@ -556,30 +576,33 @@
fatal(f, "Permission denied - Malformed from address\n");

#ifdef KERBEROS
-
+ if (!no_kerberos) {
/* setup des buffers */
- desinbuf.data = des_inbuf;
- desoutbuf.data = des_outpkt+4; /* Set up des buffers */
-
-#else /* !KERBEROS */
+ desinbuf.data = des_inbuf;
+ desoutbuf.data = des_outpkt+4; /* Set up des buffers */
+ } else
+#endif /* KERBEROS */
if (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < IPPORT_RESERVED/2)
fatal(f, "Permission denied - Connection from bad port");
-#endif /* KERBEROS */

/* Set global netf to f now : we may need to drop everything
in do_krb_login. */
netf = f;

#if defined(KERBEROS)
- /* All validation, and authorization goes through do_krb_login() */
- do_krb_login(rhost_name);
-#else
- getstr(f, rusername, sizeof(rusername), "remuser");
- getstr(f, lusername, sizeof(lusername), "locuser");
- getstr(f, term, sizeof(term), "Terminal type");
-#endif
-
+ if (!no_kerberos) {
+ /* All validation, and authorization goes through do_krb_login() */
+ do_krb_login(rhost_name);
+ } else {
+#endif /* KERBEROS */
+ getstr(f, rusername, sizeof(rusername), "remuser");
+ getstr(f, lusername, sizeof(lusername), "locuser");
+ getstr(f, term, sizeof(term), "Terminal type");
+#if defined(KERBEROS)
+ }
+#endif /* KERBEROS */
+
write(f, "", 1);
if ((retval = pty_getpty(&p,line, sizeof(line)))) {
com_err(progname, retval, "while getting master pty");
@@ -708,27 +731,32 @@
}
#endif

+ /* Pass TERM to login's environment */
+ {
+ char *cp;
+
+ if ((cp = strchr(term,'/')))
+ *cp = '\0';
+ setenv("TERM",term, 1);
+ }
+
+ if (passwd_req)
+ execl(login_program, "login", "-p", "-h", rhost_name,
+ lusername, 0);
+ else if (no_kerberos)
+ execl(login_program, "login", "-r", rhost_name, 0);
+ else if (do_encrypt)
#ifdef USE_LOGIN_F
-/* use the vendors login, which has -p and -f. Tested on
- * AIX 4.1.4 and HPUX 10
- */
- {
- char *cp;
- if ((cp = strchr(term,'/')))
- *cp = '\0';
- setenv("TERM",term, 1);
- }
-
- if (passwd_req)
- execl(login_program, "login", "-p", "-h", rhost_name,
- lusername, 0);
- else
- execl(login_program, "login", "-p", "-h", rhost_name,
- "-f", lusername, 0);
-#else /* USE_LOGIN_F */
- execl(login_program, "login", "-r", rhost_name, 0);
+ execl(login_program, "login", "-h", rhost_name,
+ "-F", lusername, 0);
+#else
+ execl(login_program,
+ "login", "-h", rhost_name, "-e", lusername, 0);
#endif /* USE_LOGIN_F */
-
+ else
+ execl(login_program, "login", "-p", "-h", rhost_name,
+ "-f", lusername, 0);
+
fatalperror(2, login_program);
/*NOTREACHED*/
} /* if (pid == 0) */
@@ -740,7 +768,7 @@
** The master blocks here until it reads a byte.
*/

-(void) close(syncpipe[1]);
+ (void) close(syncpipe[1]);
if (read(syncpipe[0], &c, 1) != 1) {
/*
* Problems read failed ...
@@ -779,16 +807,20 @@


#if!defined(USE_LOGIN_F)
- /* Pass down rusername and lusername to login. */
- (void) write(p, rusername, strlen(rusername) +1);
- (void) write(p, lusername, strlen(lusername) +1);
+ if (no_kerberos) {
+ /* Pass down rusername and lusername to login. */
+ (void) write(p, rusername, strlen(rusername) +1);
+ (void) write(p, lusername, strlen(lusername) +1);
+ }
/* stuff term info down to login */
- if ((write(p, term, strlen(term)+1) != (int) strlen(term)+1)) {
+ if (do_encrypt || no_kerberos) {
+ if ((write(p, term, strlen(term)+1) != (int) strlen(term)+1)) {
/*
* Problems write failed ...
*/
sprintf(buferror,"Cannot write slave pty %s ",line);
fatalperror(f,buferror);
+ }
}

#endif
@@ -1332,7 +1364,7 @@
{
#ifdef KERBEROS
syslog(LOG_ERR,
- "usage: klogind [-ke45pP] [-D port] or [r/R][k/K][x/e][p/P]logind");
+ "usage: klogind [-ke45rpP] [-D port] or [r/R][k/K][x/e][p/P]logind");
#else
syslog(LOG_ERR,
"usage: rlogind [-rpP] [-D port] or [r/R][p/P]logind");
@@ -1519,7 +1551,7 @@
* Assume it to be the same as the first component of the
* principal's name.
*/
- strcpy(rusername, v4_kdata->pname);
+ strncpy(rusername, v4_kdata->pname, sizeof(rusername)-1);

status = krb5_425_conv_principal(bsd_context, v4_kdata->pname,
v4_kdata->pinst, v4_kdata->prealm,
Show quoted text
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Fri Sep 14 11:36:30 2001
Responsible-Changed-Why:

reformat/refile

Show quoted text
>Unformatted:
We probably want to discourage rhosts auth at this point.