From djm@web.us.uu.net Wed May 24 17:13:49 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA03182
for <bugs@RT-11.MIT.EDU>; Wed, 24 May 2000 17:13:49 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA27130; Wed, 24 May 00 17:13:41 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id RAA22632; Wed, 24 May 2000 17:13:43 -0400 (EDT)
Received: by dagger.web.us.uu.net
id RAA14712; Wed, 24 May 2000 17:13:43 -0400
Message-Id: <RAA14712.200005242113@dagger.web.us.uu.net>
Date: Wed, 24 May 2000 17:13:43 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc:
Subject: patch to support BSD/OS authentication system
X-Send-Pr-Version: 3.99
Architecture: i686
mechanisms for login, su, etc.
krb5 needs a patch in order to work with it.
This patch is from Chris Ross <cross@uu.net>.
Index: src/appl/bsd/forward.c
--- src/appl/bsd/forward.c 2000/03/27 22:36:22 1.1
+++ src/appl/bsd/forward.c 2000/03/29 01:16:53 1.2
@@ -24,6 +24,10 @@
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
+#ifdef LOGIN_WONT_RECREATE_CC
+#include <pwd.h>
+#include <syslog.h>
+#endif
#include "k5-int.h"
@@ -39,12 +43,26 @@
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
+#ifdef LOGIN_WONT_RECREATE_CC
+ struct passwd *pwd;
+ krb5_data *user = krb5_princ_name(context,
+ ticket->enc_part2->client);
+ char *username;
+#endif
*ccache = NULL;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're gonna fail malloc(), fail it now before we set anything */
+ /* in the environment. */
+ username = (char *)malloc(user->length + 1);
+ if (username == NULL)
+ return(KRB5_CC_NOMEM);
+#endif
+
/* Set the KRB5CCNAME ENV variable to keep sessions
* seperate. Use the process id of this process which is
* the rlogind or rshd. Set the environment variable as well.
@@ -53,6 +71,25 @@
sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
setenv("KRB5CCNAME", ccname, 0);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're running a login that isn't the kerberos V5 login, it
+ * presumedly won't know how to destroy and recreate [as the user]
+ * the credentials cache. We will solve this by seteuid'ing here
+ * so that it's created by the "right" user to start with.
+ *
+ * XXX - it's created as the user who's in the ticket. If this
+ * is not the user who's being logged in, we're screwed. This needs
+ * to be fixed, but I'm not sure how to fix it...
+ */
+ memmove(username, user->data, user->length);
+ username[user->length] = '\0';
+ pwd = getpwnam(username);
+ free(username);
+ if (pwd) {
+ seteuid(pwd->pw_uid);
+ }
+#endif
+
if (retval = krb5_cc_resolve(context, ccname, ccache))
goto cleanup;
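Review bot: The return value of `seteuid(pwd->pw_uid)` is never checked, so when the call fails the credentials cache that `krb5_cc_resolve` goes on to create is silently owned by the daemon's own identity instead of the user's; the restoring `seteuid(getuid())` in the next hunk has the same gap, and so do the identical hunks in src/appl/telnet/libtelnet/forward.c and the repeat of this whole patch further down the page. A minimal fix is `if (pwd && seteuid(pwd->pw_uid) < 0) { retval = errno; goto cleanup; }`, with the cleanup branch likewise checking its `seteuid`. Separately, the account is chosen by handing the first principal component (the `krb5_princ_name` initializer in the previous hunk) straight to `getpwnam`, so a principal with a second component or from another realm maps to a local account that was never authorised for it — the XXX comment records this, but the mapping should go through `krb5_aname_to_localname`/`krb5_kuserok` against the user actually being logged in before any uid switch happens. The enclosing function's signature lies outside this hunk.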
@@ -63,6 +100,11 @@
goto cleanup;
cleanup:
+#ifdef LOGIN_WONT_RECREATE_CC
+ if (pwd) {
+ seteuid(getuid());
+ }
+#endif
krb5_free_creds(context, *creds);
return retval;
}
Index: src/appl/bsd/krshd.c
--- src/appl/bsd/krshd.c 2000/03/27 22:36:23 1.1
+++ src/appl/bsd/krshd.c 2000/05/20 17:54:52 1.5
@@ -142,6 +142,10 @@
#include <path.h>
#endif /* CRAY */
+#ifdef __bsdi__
+#include <login_cap.h>
+#endif /* __bsdi__ */
+
#include <syslog.h>
#ifdef POSIX_TERMIOS
@@ -567,7 +571,9 @@
#endif
wait(0);
+#ifndef KRSH_NO_WTMP
pty_logwtmp(ttyn,"","");
+#endif
syslog(LOG_INFO ,"Daemon terminated via signal %d.", signumber);
if (ccache)
krb5_cc_destroy(bsd_context, ccache);
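Review bot: `KRSH_NO_WTMP` is introduced here without a comment saying what it is for, and defining it drops every wtmp record the daemon writes — session start in the @@ -907/@@ -921 hunks, session end here and in the @@ -1304, @@ -1337 and @@ -1501 hunks — which removes the login-accounting record administrators rely on when auditing remote sessions. Add a comment at this first guard, e.g. `/* KRSH_NO_WTMP: suppress wtmp accounting for rsh sessions (<document why here>) */`, or describe the macro in the build configuration so the loss is a deliberate choice. The repeated copy of this patch lower on the page carries the same undocumented guards. The enclosing function starts outside this hunk.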
@@ -607,6 +613,9 @@
int packet_level; /* Packet classification level */
long packet_compart; /* Packet compartments */
#endif /* CRAY */
+#ifdef __bsdi__
+ login_cap_t *lc;
+#endif
int s;
struct hostent *hp;
@@ -907,6 +916,7 @@
#endif /* !NO_UDB */
#endif /*CRAY*/
+#ifndef KRSH_NO_WTMP
/* Setup wtmp entry : we do it here so that if this is a CRAY
the Process Id is correct and we have not lost our trusted
privileges. */
@@ -921,6 +931,7 @@
else {
pty_logwtmp(ttyn,locuser,sane_host);
}
+#endif
#ifdef CRAY
@@ -1053,6 +1064,34 @@
}
#endif /*CRAY*/
+#ifdef __bsdi__
+ /*
+ * Stuff specific to BSD/OS's login authentication/approval mechanism
+ */
+ lc = login_getclass(pwd->pw_class);
+ if (lc == NULL) {
+ syslog(LOG_INFO|LOG_AUTH,
+ "%s@%s as %s: unknown class. cmd='%.80s'",
+ remuser, hostname, locuser, cmdbuf);
+ error("Unable to get login class for user.\n");
+ goto signout_please;
+ }
+
+ /* Set up everything so the shell knows who we are... */
+ if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL)) {
+ error("Unable to set user context.\n");
+ goto signout_please;
+ }
+ /*
+ * XXX - this will output an error if it fails, which will get messed
+ * up by the rsh communications channel. Not sure how to fix this...
+ */
+ if (auth_approve(lc, pwd->pw_name, "rsh") <= 0) {
+ error("Approval failure.\n");
+ goto signout_please;
+ }
+#endif
+
if (chdir(pwd->pw_dir) < 0) {
if(chdir("/") < 0) {
error("No remote directory.\n");
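Review bot: `auth_approve` runs only after `setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL)` has already applied the user's login context, so a user the approval step rejects has still had the process reconfigured for them before `goto signout_please` (a label outside this hunk) executes — and if `LOGIN_SETALL` includes the uid switch on BSD/OS, as it presumably does, the sign-out path then runs without the daemon's privileges; the approval decision should be taken before the context is applied. `lc` is also never released with `login_close(lc)` on either the success or the failure paths. The same block appears again in the repeated copy of the patch further down the page. The enclosing function begins and ends outside this hunk.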
@@ -1304,7 +1343,9 @@
"Shell process completed.");
#endif
/* Finish session in wmtp */
+#ifndef KRSH_NO_WTMP
pty_logwtmp(ttyn,"","");
+#endif
if (ccache)
krb5_cc_destroy(bsd_context, ccache);
exit(0);
@@ -1337,12 +1378,14 @@
(void) close(pv[1]);
}
+#ifndef KRSH_NO_WTMP
/* We are simply execing a program over rshd : log entry into wtmp,
as kexe(pid), then finish out the session right after that.
Syslog should have the information as to what was exec'd */
else {
pty_logwtmp(ttyn,"","");
}
+#endif
if (*pwd->pw_shell == '\0')
pwd->pw_shell = "/bin/sh";
@@ -1501,7 +1545,9 @@
if (ccache)
krb5_cc_destroy(bsd_context, ccache);
ccache = NULL;
+#ifndef KRSH_NO_WTMP
pty_logwtmp(ttyn,"","");
+#endif
exit(1);
}
Index: src/appl/telnet/libtelnet/forward.c
--- src/appl/telnet/libtelnet/forward.c 2000/03/27 22:36:25 1.1
+++ src/appl/telnet/libtelnet/forward.c 2000/03/29 01:16:53 1.2
@@ -26,6 +26,10 @@
#if defined(KERBEROS) || defined(KRB5)
#include <stdio.h>
#include <netdb.h>
+#ifdef LOGIN_WONT_RECREATE_CC
+#include <sys/types.h>
+#include <pwd.h>
+#endif
#include "k5-int.h"
@@ -44,13 +48,46 @@
char ccname[35];
krb5_ccache ccache = NULL;
char *tty;
+#ifdef LOGIN_WONT_RECREATE_CC
+ struct passwd *pwd;
+ krb5_data *user = krb5_princ_name(context,
+ ticket->enc_part2->client);
+ char *username;
+#endif
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're gonna fail malloc(), fail it now before we set anything */
+ /* in the environment. */
+ username = (char *)malloc(user->length + 1);
+ if (username == NULL)
+ return(KRB5_CC_NOMEM);
+#endif
+
sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
setenv(KRB5_ENV_CCNAME, ccname, 1);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're running a login that isn't the kerberos V5 login, it
+ * presumedly won't know how to destroy and recreate [as the user]
+ * the credentials cache. We will solve this by seteuid'ing here
+ * so that it's created by the "right" user to start with.
+ *
+ * XXX - it's created as the user who's in the ticket. If this
+ * is not the user who's being logged in, we're screwed. This needs
+ * to be fixed, but I'm not sure how to fix it...
+ */
+ memmove(username, user->data, user->length);
+ username[user->length] = '\0';
+ pwd = getpwnam(username);
+ free(username);
+ if (pwd) {
+ seteuid(pwd->pw_uid);
+ }
+#endif
+
if (retval = krb5_cc_resolve(context, ccname, &ccache))
goto cleanup;
@@ -61,6 +98,11 @@
goto cleanup;
cleanup:
+#ifdef LOGIN_WONT_RECREATE_CC
+ if (pwd) {
+ seteuid(getuid());
+ }
+#endif
krb5_free_creds(context, *creds);
return retval;
}
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA03182
for <bugs@RT-11.MIT.EDU>; Wed, 24 May 2000 17:13:49 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA27130; Wed, 24 May 00 17:13:41 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id RAA22632; Wed, 24 May 2000 17:13:43 -0400 (EDT)
Received: by dagger.web.us.uu.net
id RAA14712; Wed, 24 May 2000 17:13:43 -0400
Message-Id: <RAA14712.200005242113@dagger.web.us.uu.net>
Date: Wed, 24 May 2000 17:13:43 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc:
Subject: patch to support BSD/OS authentication system
X-Send-Pr-Version: 3.99
>Number: 857
>Category: krb5-appl
>Synopsis: The BSDI login authentication system isn't supported
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed May 24 17:14:00 EDT 2000
>Last-Modified:
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Category: krb5-appl
>Synopsis: The BSDI login authentication system isn't supported
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed May 24 17:14:00 EDT 2000
>Last-Modified:
>Originator: David MacKenzie
>Organization:
>Release: krb5-1.1.1
>Environment:
System: BSD/OS robby.web.us.uu.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #1: Mon May 8 23:23:57 EDT 2000 root@robby.web.us.uu.net:/usr/src/bsdi/sys/compile/SERVER+NFS i386
>Environment:
Architecture: i686
>Description:
BSDI has a PAM-like system for selecting authentication mechanisms for login, su, etc.
krb5 needs a patch in order to work with it.
>How-To-Repeat:
Install krb5 and login on a BSDI system.
>Fix:
This patch is from Chris Ross <cross@uu.net>.
Index: src/appl/bsd/forward.c
--- src/appl/bsd/forward.c 2000/03/27 22:36:22 1.1
+++ src/appl/bsd/forward.c 2000/03/29 01:16:53 1.2
@@ -24,6 +24,10 @@
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
+#ifdef LOGIN_WONT_RECREATE_CC
+#include <pwd.h>
+#include <syslog.h>
+#endif
#include "k5-int.h"
@@ -39,12 +43,26 @@
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
+#ifdef LOGIN_WONT_RECREATE_CC
+ struct passwd *pwd;
+ krb5_data *user = krb5_princ_name(context,
+ ticket->enc_part2->client);
+ char *username;
+#endif
*ccache = NULL;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're gonna fail malloc(), fail it now before we set anything */
+ /* in the environment. */
+ username = (char *)malloc(user->length + 1);
+ if (username == NULL)
+ return(KRB5_CC_NOMEM);
+#endif
+
/* Set the KRB5CCNAME ENV variable to keep sessions
* seperate. Use the process id of this process which is
* the rlogind or rshd. Set the environment variable as well.
@@ -53,6 +71,25 @@
sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
setenv("KRB5CCNAME", ccname, 0);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're running a login that isn't the kerberos V5 login, it
+ * presumedly won't know how to destroy and recreate [as the user]
+ * the credentials cache. We will solve this by seteuid'ing here
+ * so that it's created by the "right" user to start with.
+ *
+ * XXX - it's created as the user who's in the ticket. If this
+ * is not the user who's being logged in, we're screwed. This needs
+ * to be fixed, but I'm not sure how to fix it...
+ */
+ memmove(username, user->data, user->length);
+ username[user->length] = '\0';
+ pwd = getpwnam(username);
+ free(username);
+ if (pwd) {
+ seteuid(pwd->pw_uid);
+ }
+#endif
+
if (retval = krb5_cc_resolve(context, ccname, ccache))
goto cleanup;
@@ -63,6 +100,11 @@
goto cleanup;
cleanup:
+#ifdef LOGIN_WONT_RECREATE_CC
+ if (pwd) {
+ seteuid(getuid());
+ }
+#endif
krb5_free_creds(context, *creds);
return retval;
}
Index: src/appl/bsd/krshd.c
--- src/appl/bsd/krshd.c 2000/03/27 22:36:23 1.1
+++ src/appl/bsd/krshd.c 2000/05/20 17:54:52 1.5
@@ -142,6 +142,10 @@
#include <path.h>
#endif /* CRAY */
+#ifdef __bsdi__
+#include <login_cap.h>
+#endif /* __bsdi__ */
+
#include <syslog.h>
#ifdef POSIX_TERMIOS
@@ -567,7 +571,9 @@
#endif
wait(0);
+#ifndef KRSH_NO_WTMP
pty_logwtmp(ttyn,"","");
+#endif
syslog(LOG_INFO ,"Daemon terminated via signal %d.", signumber);
if (ccache)
krb5_cc_destroy(bsd_context, ccache);
@@ -607,6 +613,9 @@
int packet_level; /* Packet classification level */
long packet_compart; /* Packet compartments */
#endif /* CRAY */
+#ifdef __bsdi__
+ login_cap_t *lc;
+#endif
int s;
struct hostent *hp;
@@ -907,6 +916,7 @@
#endif /* !NO_UDB */
#endif /*CRAY*/
+#ifndef KRSH_NO_WTMP
/* Setup wtmp entry : we do it here so that if this is a CRAY
the Process Id is correct and we have not lost our trusted
privileges. */
@@ -921,6 +931,7 @@
else {
pty_logwtmp(ttyn,locuser,sane_host);
}
+#endif
#ifdef CRAY
@@ -1053,6 +1064,34 @@
}
#endif /*CRAY*/
+#ifdef __bsdi__
+ /*
+ * Stuff specific to BSD/OS's login authentication/approval mechanism
+ */
+ lc = login_getclass(pwd->pw_class);
+ if (lc == NULL) {
+ syslog(LOG_INFO|LOG_AUTH,
+ "%s@%s as %s: unknown class. cmd='%.80s'",
+ remuser, hostname, locuser, cmdbuf);
+ error("Unable to get login class for user.\n");
+ goto signout_please;
+ }
+
+ /* Set up everything so the shell knows who we are... */
+ if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL)) {
+ error("Unable to set user context.\n");
+ goto signout_please;
+ }
+ /*
+ * XXX - this will output an error if it fails, which will get messed
+ * up by the rsh communications channel. Not sure how to fix this...
+ */
+ if (auth_approve(lc, pwd->pw_name, "rsh") <= 0) {
+ error("Approval failure.\n");
+ goto signout_please;
+ }
+#endif
+
if (chdir(pwd->pw_dir) < 0) {
if(chdir("/") < 0) {
error("No remote directory.\n");
@@ -1304,7 +1343,9 @@
"Shell process completed.");
#endif
/* Finish session in wmtp */
+#ifndef KRSH_NO_WTMP
pty_logwtmp(ttyn,"","");
+#endif
if (ccache)
krb5_cc_destroy(bsd_context, ccache);
exit(0);
@@ -1337,12 +1378,14 @@
(void) close(pv[1]);
}
+#ifndef KRSH_NO_WTMP
/* We are simply execing a program over rshd : log entry into wtmp,
as kexe(pid), then finish out the session right after that.
Syslog should have the information as to what was exec'd */
else {
pty_logwtmp(ttyn,"","");
}
+#endif
if (*pwd->pw_shell == '\0')
pwd->pw_shell = "/bin/sh";
@@ -1501,7 +1545,9 @@
if (ccache)
krb5_cc_destroy(bsd_context, ccache);
ccache = NULL;
+#ifndef KRSH_NO_WTMP
pty_logwtmp(ttyn,"","");
+#endif
exit(1);
}
Index: src/appl/telnet/libtelnet/forward.c
--- src/appl/telnet/libtelnet/forward.c 2000/03/27 22:36:25 1.1
+++ src/appl/telnet/libtelnet/forward.c 2000/03/29 01:16:53 1.2
@@ -26,6 +26,10 @@
#if defined(KERBEROS) || defined(KRB5)
#include <stdio.h>
#include <netdb.h>
+#ifdef LOGIN_WONT_RECREATE_CC
+#include <sys/types.h>
+#include <pwd.h>
+#endif
#include "k5-int.h"
@@ -44,13 +48,46 @@
char ccname[35];
krb5_ccache ccache = NULL;
char *tty;
+#ifdef LOGIN_WONT_RECREATE_CC
+ struct passwd *pwd;
+ krb5_data *user = krb5_princ_name(context,
+ ticket->enc_part2->client);
+ char *username;
+#endif
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're gonna fail malloc(), fail it now before we set anything */
+ /* in the environment. */
+ username = (char *)malloc(user->length + 1);
+ if (username == NULL)
+ return(KRB5_CC_NOMEM);
+#endif
+
sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
setenv(KRB5_ENV_CCNAME, ccname, 1);
+#ifdef LOGIN_WONT_RECREATE_CC
+ /* If we're running a login that isn't the kerberos V5 login, it
+ * presumedly won't know how to destroy and recreate [as the user]
+ * the credentials cache. We will solve this by seteuid'ing here
+ * so that it's created by the "right" user to start with.
+ *
+ * XXX - it's created as the user who's in the ticket. If this
+ * is not the user who's being logged in, we're screwed. This needs
+ * to be fixed, but I'm not sure how to fix it...
+ */
+ memmove(username, user->data, user->length);
+ username[user->length] = '\0';
+ pwd = getpwnam(username);
+ free(username);
+ if (pwd) {
+ seteuid(pwd->pw_uid);
+ }
+#endif
+
if (retval = krb5_cc_resolve(context, ccname, &ccache))
goto cleanup;
@@ -61,6 +98,11 @@
goto cleanup;
cleanup:
+#ifdef LOGIN_WONT_RECREATE_CC
+ if (pwd) {
+ seteuid(getuid());
+ }
+#endif
krb5_free_creds(context, *creds);
return retval;
}
>Audit-Trail:
>Unformatted:
>Unformatted: