Subject: bin/1507: better SKEY and KERBEROS integration
To: None <gnats-bugs@gnats.netbsd.org>
From: Thorsten Lockert <tholo@SigmaSoft.COM>
List: netbsd-bugs
Date: 09/24/1995 17:54:37
>Number: 1507
>Category: bin
>Synopsis: better SKEY and KERBEROS integration
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Mon Sep 25 13:35:00 1995
>Last-Modified:
>Originator: Thorsten Lockert
>Organization:
SigmaSoft, Th. Lockert
>Release: September 20, 1995
>Environment:
System: NetBSD gandalf.sigmasoft.com 1.0A NetBSD 1.0A (GANDALF) #0: Thu Jul 6 14:32:54 PDT 1995 tholo@gandalf.sigmasoft.com:/usr/src/sys/arch/i386/compile/GANDALF i386
>Description:
Makefiles for binaries unconditionally compile with SKEY
included where appropriate even if SKEY is disabled in <bsd.own.mk>.
In addition, enabling KerberosIV support by enabling the
assignment to KERBEROS in <bsd.own.mk> has no effect on
parts of the source tree, and is partly broken elsewhere.
>How-To-Repeat:
Try to compile stuff with SKEY disabled in <bsd.own.mk>.
Try to compile stuff with KERBEROS enabled in <bsd.own.mk>.
>Fix:
Apply the following diffs. This will enable you to compile
binaries with or without SKEY support depending on setting
in <bsd.own.mk>, ditto for KerberosIV.
It will also conditionally compile domestic/des (as DES
support library for Kerberos) if that directory exists
and we are not compiling for an exportable system.
Note that if the Kerberos distribution from BSD4.4-Lite is
integrated, the DES library should be placed in domestic
as it is export controlled.
If compiling with KerberosIV support in an export controlled
environment, EXPORTABLE_SYSTEM should be defined so as to
disable encryption support in KerberosIV, if this is not
done the DES library is required.
With the exception of src/libexec/rlogind.c and
src/libexec/rshd.c, only makefiles are affected by
these patches.
*** src/Makefile.orig Sun Sep 24 15:18:32 1995
--- src/Makefile Sun Sep 24 17:41:15 1995
***************
*** 35,40 ****
--- 35,43 ----
(cd ${.CURDIR}/gnu/lib && ${MAKE} depend && ${MAKE} && ${MAKE} install)
.if exists(domestic)
(cd ${.CURDIR}/domestic/libcrypt && ${MAKE} depend && ${MAKE} && ${MAKE} install)
+ .if exists(domestic/des)
+ (cd ${.CURDIR}/domestic/des && ${MAKE} depend && ${MAKE} && ${MAKE} install)
+ .endif
.endif
.if exists(kerberosIV)
(cd ${.CURDIR}/kerberosIV && ${MAKE} depend && ${MAKE} && ${MAKE} install)
*** src/bin/rcp/Makefile.orig Sun Sep 24 15:20:10 1995
--- src/bin/rcp/Makefile Sun Sep 24 15:32:09 1995
***************
*** 7,18 ****
BINMODE=4555
#INSTALLFLAGS=-fschg
.if defined(KERBEROS)
.PATH: ${.CURDIR}/../../usr.bin/rlogin
SRCS+= krcmd.c kcmd.c
! CFLAGS+=-DKERBEROS -DCRYPT
! LDADD+= -lkrb -ldes
! DPADD+= ${LIBKRB} ${LIBDES}
.endif
.include <bsd.prog.mk>
--- 7,25 ----
BINMODE=4555
#INSTALLFLAGS=-fschg
+ .include <bsd.own.mk> # For KERBEROS
+
.if defined(KERBEROS)
.PATH: ${.CURDIR}/../../usr.bin/rlogin
SRCS+= krcmd.c kcmd.c
! CFLAGS+=-DKERBEROS
! LDADD+= -lkrb
! DPADD+= ${LIBKRB}
! .if !defined(EXPORTABLE_SYSTEM)
! CFLAGS+=-DCRYPT
! LDADD+= -ldes
! DPADD+= ${LIBDES}
! .endif
.endif
.include <bsd.prog.mk>
*** src/sbin/mount_nfs/Makefile.orig Sun Sep 24 16:19:23 1995
--- src/sbin/mount_nfs/Makefile Sun Sep 24 16:20:16 1995
***************
*** 9,18 ****
CFLAGS+= -DNFS -I${MOUNT}
.PATH: ${MOUNT}
.if defined(KERBEROS)
CFLAGS+=-DKERBEROS
! DPADD+= ${LIBKRB} ${LIBDES}
! LDADD+= -lkrb -ldes
.endif
.include <bsd.prog.mk>
--- 9,24 ----
CFLAGS+= -DNFS -I${MOUNT}
.PATH: ${MOUNT}
+ .include <bsd.own.mk> # For KERBEROS
+
.if defined(KERBEROS)
CFLAGS+=-DKERBEROS
! DPADD+= ${LIBKRB}
! LDADD+= -lkrb
! .if !defined(EXPORTABLE_SYSTEM)
! DPADD+= ${LIBDES}
! LDADD+= -ldes
! .endif
.endif
.include <bsd.prog.mk>
*** src/sbin/nfsd/Makefile.orig Sun Sep 24 16:21:35 1995
--- src/sbin/nfsd/Makefile Sun Sep 24 16:22:38 1995
***************
*** 4,7 ****
--- 4,19 ----
PROG= nfsd
MAN= nfsd.8
+ .include <bsd.own.mk> # For KERBEROS
+
+ .if defined(KERBEROS)
+ CFLAGS+=-DKERBEROS
+ LDADD+= -lkrb
+ DPADD+= ${LIBKRB}
+ .if !defined(EXPORTABLE_SYSTEM)
+ LDADD+= -ldes
+ DPADD+= ${LIBDES}
+ .endif
+ .endif
+
.include <bsd.prog.mk>
*** src/libexec/ftpd/Makefile.orig Sun Sep 24 16:53:02 1995
--- src/libexec/ftpd/Makefile Sun Sep 24 16:53:38 1995
***************
*** 2,21 ****
# @(#)Makefile 8.2 (Berkeley) 4/4/94
PROG= ftpd
! CFLAGS+=-DHASSETPROCTITLE -DSKEY
SRCS= ftpd.c ftpcmd.c logwtmp.c popen.c
MAN= ftpd.8
CLEANFILES+=ftpcmd.c y.tab.h
! .PATH: ${.CURDIR}/../../usr.bin/ftp ${.CURDIR}/../../usr.bin/login
! LDADD+= -lcrypt -lskey
! DPADD+= ${LIBCRYPT} ${LIBSKEY}
.if defined(KERBEROS)
SRCS+= klogin.c
CFLAGS+= -DKERBEROS
! LDADD+= -lkrb -ldes
! DPADD+= ${LIBKRB} ${LIBDES}
.endif
.include <bsd.prog.mk>
--- 2,34 ----
# @(#)Makefile 8.2 (Berkeley) 4/4/94
PROG= ftpd
! CFLAGS+=-DHASSETPROCTITLE
SRCS= ftpd.c ftpcmd.c logwtmp.c popen.c
MAN= ftpd.8
CLEANFILES+=ftpcmd.c y.tab.h
! .PATH: ${.CURDIR}/../../usr.bin/ftp
! LDADD+= -lcrypt
! DPADD+= ${LIBCRYPT}
!
! .include <bsd.own.mk>
!
! .if defined(SKEY)
! CFLAGS+=-DSKEY
! LDADD+= -lskey
! DPADD+= ${LIBSKEY}
! .endif
.if defined(KERBEROS)
SRCS+= klogin.c
+ .PATH: ${.CURDIR}/../../usr.bin/login
CFLAGS+= -DKERBEROS
! LDADD+= -lkrb
! DPADD+= ${LIBKRB}
! .if !defined(EXPORTABLE_SYSTEM)
! LDADD+= -ldes
! DPADD+= ${LIBDES}
! .endif
.endif
.include <bsd.prog.mk>
*** src/libexec/rlogind/Makefile.orig Thu Dec 22 04:05:30 1994
--- src/libexec/rlogind/Makefile Sun Sep 24 16:58:21 1995
***************
*** 1,9 ****
# from: @(#)Makefile 8.1 (Berkeley) 6/4/93
! # $Id: Makefile,v 1.5 1994/12/22 10:27:47 cgd Exp $
PROG= rlogind
MAN= rlogind.8
DPADD= ${LIBUTIL}
LDADD= -lutil
.include <bsd.prog.mk>
--- 1,25 ----
# from: @(#)Makefile 8.1 (Berkeley) 6/4/93
! # $Id: Makefile,v 1.4 1994/06/05 13:57:51 cgd Exp $
PROG= rlogind
+ SRCS= rlogind.c
MAN= rlogind.8
DPADD= ${LIBUTIL}
LDADD= -lutil
+
+ .include <bsd.own.mk> # For KERBEROS
+
+ .if defined(KERBEROS)
+ CFLAGS+=-DKERBEROS
+ DPADD+= ${LIBKRB}
+ LDADD+= -lkrb
+ .if !defined(EXPORTABLE_SYSTEM)
+ CFLAGS+=-DCRYPT
+ SRCS+= des_rw.c
+ DPADD+= ${LIBDES}
+ LDADD+= -ldes
+ .PATH: ${.CURDIR}/../../usr.bin/rlogin
+ .endif
+ .endif
.include <bsd.prog.mk>
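Review bot: The `$Id:` line on the new side goes backwards, from `1.5 1994/12/22` to `1.4 1994/06/05`, which suggests the diff was generated against a stale checkout of `src/libexec/rlogind/Makefile`; the RCS keyword line should not be part of this change. The `src/libexec/rshd/Makefile` hunk has the same reversion (`1.6` back to `1.5`). Regenerate both against current sources, or drop the `$Id` lines from the diff so `patch` does not reject on them.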
*** src/libexec/rlogind/rlogind.c.orig Mon Jun 6 03:10:16 1994
--- src/libexec/rlogind/rlogind.c Sun Sep 24 16:57:13 1995
***************
*** 78,84 ****
--- 78,99 ----
#define TIOCPKT_WINDOW 0x80
#endif
+ #ifdef KERBEROS
+ #include <kerberosIV/des.h>
+ #include <kerberosIV/krb.h>
+ #define SECURE_MESSAGE "This rlogin session is using DES encryption for all transmissions.\r\n"
+
+ AUTH_DAT *kdata;
+ KTEXT ticket;
+ u_char auth_buf[sizeof(AUTH_DAT)];
+ u_char tick_buf[sizeof(KTEXT_ST)];
+ Key_schedule schedule;
+ int doencrypt, retval, use_kerberos, vacuous;
+
+ #define ARGSTR "alnkvx"
+ #else
#define ARGSTR "aln"
+ #endif /* KERBEROS */
char *env[2];
#define NMAX 30
***************
*** 126,131 ****
--- 141,159 ----
case 'n':
keepalive = 0;
break;
+ #ifdef KERBEROS
+ case 'k':
+ use_kerberos = 1;
+ break;
+ case 'v':
+ vacuous = 1;
+ break;
+ #ifdef CRYPT
+ case 'x':
+ doencrypt = 1;
+ break;
+ #endif
+ #endif
case '?':
default:
usage();
***************
*** 134,139 ****
--- 162,173 ----
argc -= optind;
argv += optind;
+ #ifdef KERBEROS
+ if (use_kerberos && vacuous) {
+ usage();
+ fatal(STDERR_FILENO, "only one of -k and -v allowed", 0);
+ }
+ #endif
fromlen = sizeof (from);
if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
syslog(LOG_ERR,"Can't get peer name of remote host: %m");
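Review bot: The new check rejects `-k` together with `-v` but, unlike the rshd change in this same PR, does not reject `-x` without `-k`. With `doencrypt` set and `use_kerberos` clear, the later `des_write`/`des_read` paths run with a `schedule` that `do_krb_login` never initialised, so the session is neither plaintext nor properly encrypted. Add the same guard here under `#ifdef CRYPT`: `if (doencrypt && !use_kerberos) fatal(STDERR_FILENO, "-k is required for -x", 0);`. The enclosing `main` continues outside this hunk.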
***************
*** 173,178 ****
--- 207,216 ----
if (c != 0)
exit(1);
+ #ifdef KERBEROS
+ if (vacuous)
+ fatal(f, "Remote host requires Kerberos authentication", 0);
+ #endif
alarm(0);
fromp->sin_port = ntohs((u_short)fromp->sin_port);
***************
*** 183,188 ****
--- 221,237 ----
else
(void)strcpy(hostname, inet_ntoa(fromp->sin_addr));
+ #ifdef KERBEROS
+ if (use_kerberos) {
+ retval = do_krb_login(fromp);
+ if (retval == 0)
+ authenticated++;
+ else if (retval > 0)
+ fatal(f, krb_err_txt[retval], 0);
+ write(f, &c, 1);
+ confirmed = 1; /* we sent the null! */
+ } else
+ #endif
{
if (fromp->sin_family != AF_INET ||
fromp->sin_port >= IPPORT_RESERVED ||
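Review bot: A `retval` of -1 from `do_krb_login` ("valid authentication, no authorization" per its header comment) is neither logged nor fatal here: the code sends the confirmation byte and proceeds with `authenticated` unset, so, as far as this hunk shows, login(1) is later reached with a password prompt for the `lusername` that `kuserok` just refused. rshd's counterpart logs the refusal with the principal name under LOG_INFO|LOG_AUTH before denying; at minimum do the same here so refused principals appear in the audit trail, e.g. `else if (retval < 0) syslog(LOG_INFO|LOG_AUTH, "Kerberos login denied to %s.%s@%s as %s", kdata->pname, kdata->pinst, kdata->prealm, lusername);`. Whether the silent fall-back to password login is intended deserves a comment either way. The enclosing function continues outside this hunk.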
***************
*** 226,231 ****
--- 275,286 ----
write(f, "", 1);
confirmed = 1; /* we sent the null! */
}
+ #ifdef KERBEROS
+ #ifdef CRYPT
+ if (doencrypt)
+ (void) des_write(f, SECURE_MESSAGE, sizeof(SECURE_MESSAGE) - 1);
+ #endif
+ #endif
netf = f;
pid = forkpty(&master, line, NULL, &win);
***************
*** 240,245 ****
--- 295,307 ----
(void) close(f);
setup_term(0);
if (authenticated) {
+ #ifdef KERBEROS
+ if (use_kerberos && (pwd->pw_uid == 0))
+ syslog(LOG_INFO|LOG_AUTH,
+ "ROOT Kerberos login from %s.%s@%s on %s\n",
+ kdata->pname, kdata->pinst, kdata->prealm,
+ hostname);
+ #endif
execl(_PATH_LOGIN, "login", "-p",
"-h", hostname, "-f", lusername, (char *)NULL);
***************
*** 249,254 ****
--- 311,326 ----
fatal(STDERR_FILENO, _PATH_LOGIN, 1);
/*NOTREACHED*/
}
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ /*
+ * If encrypted, don't turn on NBIO or the des read/write
+ * routines will croak.
+ */
+
+ if (!doencrypt)
+ #endif
+ #endif
ioctl(f, FIONBIO, &on);
ioctl(master, FIONBIO, &on);
ioctl(master, TIOCPKT, &on);
***************
*** 355,360 ****
--- 427,439 ----
}
}
if (FD_ISSET(f, &ibits)) {
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt)
+ fcc = des_read(f, fibuf, sizeof(fibuf));
+ else
+ #endif
+ #endif
fcc = read(f, fibuf, sizeof(fibuf));
if (fcc < 0 && errno == EWOULDBLOCK)
fcc = 0;
***************
*** 401,406 ****
--- 480,490 ----
break;
else if (pibuf[0] == 0) {
pbp++, pcc--;
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (!doencrypt)
+ #endif
+ #endif
FD_SET(f, &obits); /* try write */
} else {
if (pkcontrol(pibuf[0])) {
***************
*** 411,416 ****
--- 495,507 ----
}
}
if ((FD_ISSET(f, &obits)) && pcc > 0) {
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt)
+ cc = des_write(f, pbp, pcc);
+ else
+ #endif
+ #endif
cc = write(f, pbp, pcc);
if (cc < 0 && errno == EWOULDBLOCK) {
/*
***************
*** 549,559 ****
--- 640,720 ----
environ = env;
}
+ #ifdef KERBEROS
+ #define VERSION_SIZE 9
+
+ /*
+ * Do the remote kerberos login to the named host with the
+ * given inet address
+ *
+ * Return 0 on valid authorization
+ * Return -1 on valid authentication, no authorization
+ * Return >0 for error conditions
+ */
+ int
+ do_krb_login(dest)
+ struct sockaddr_in *dest;
+ {
+ int rc;
+ char instance[INST_SZ], version[VERSION_SIZE];
+ long authopts = 0L; /* !mutual */
+ struct sockaddr_in faddr;
+
+ kdata = (AUTH_DAT *) auth_buf;
+ ticket = (KTEXT) tick_buf;
+
+ instance[0] = '*';
+ instance[1] = '\0';
+
+ #ifdef CRYPT
+ if (doencrypt) {
+ rc = sizeof(faddr);
+ if (getsockname(0, (struct sockaddr *)&faddr, &rc))
+ return (-1);
+ authopts = KOPT_DO_MUTUAL;
+ rc = krb_recvauth(
+ authopts, 0,
+ ticket, "rcmd",
+ instance, dest, &faddr,
+ kdata, "", schedule, version);
+ des_set_key(kdata->session, schedule);
+
+ } else
+ #endif
+ rc = krb_recvauth(
+ authopts, 0,
+ ticket, "rcmd",
+ instance, dest, (struct sockaddr_in *) 0,
+ kdata, "", (bit_64 *) 0, version);
+
+ if (rc != KSUCCESS)
+ return (rc);
+
+ getstr(lusername, sizeof(lusername), "locuser");
+ /* get the "cmd" in the rcmd protocol */
+ getstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type");
+
+ pwd = getpwnam(lusername);
+ if (pwd == NULL)
+ return (-1);
+
+ /* returns nonzero for no access */
+ if (kuserok(kdata, lusername) != 0)
+ return (-1);
+
+ return (0);
+
+ }
+ #endif /* KERBEROS */
void
usage()
{
+ #ifdef KERBEROS
+ syslog(LOG_ERR, "usage: rlogind [-aln] [-k | -v]");
+ #else
syslog(LOG_ERR, "usage: rlogind [-aln]");
+ #endif
}
/*
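Review bot: In the `doencrypt` branch of `do_krb_login`, `des_set_key(kdata->session, schedule)` runs before `rc` is compared with `KSUCCESS`, so on a failed `krb_recvauth` the key schedule is derived from whatever `kdata->session` happens to hold; move the `des_set_key` call below the `if (rc != KSUCCESS)` test (the `use_kerberos` block in rshd's `doit` has the same ordering). The comment `/* get the "cmd" in the rcmd protocol */` sits above the read of the terminal type and should describe that, e.g. `/* terminal type, as sent by the rlogin client */`. The KERBEROS variant of `usage()` lists `[-k | -v]` but not `-x`, which getopt accepts when CRYPT is defined; a CRYPT-conditional `"usage: rlogind [-aln] [-k | -v] [-x]"` would keep them in step.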
*** src/libexec/rshd/Makefile.orig Thu Dec 22 04:05:47 1994
--- src/libexec/rshd/Makefile Sun Sep 24 17:07:13 1995
***************
*** 1,7 ****
# from: @(#)Makefile 8.1 (Berkeley) 6/4/93
! # $Id: Makefile,v 1.6 1994/12/22 10:28:04 cgd Exp $
PROG= rshd
MAN= rshd.8
.include <bsd.prog.mk>
--- 1,23 ----
# from: @(#)Makefile 8.1 (Berkeley) 6/4/93
! # $Id: Makefile,v 1.5 1994/06/05 15:35:54 cgd Exp $
PROG= rshd
+ SRCS= rshd.c
MAN= rshd.8
+
+ .include <bsd.own.mk>
+
+ .if defined(KERBEROS)
+ CFLAGS+=-DKERBEROS
+ DPADD+= ${LIBKRB}
+ LDADD+= -lkrb
+ .if !defined(EXPORTABLE_SYSTEM)
+ CFLAGS+=-DCRYPT
+ SRCS+= des_rw.c
+ DPADD+= ${LIBDES}
+ LDADD+= -ldes
+ .PATH: ${.CURDIR}/../../usr.bin/rlogin
+ .endif
+ .endif
.include <bsd.prog.mk>
*** src/libexec/rshd/rshd.c.orig Sat Jan 21 03:10:27 1995
--- src/libexec/rshd/rshd.c Sun Sep 24 17:06:32 1995
***************
*** 82,88 ****
--- 82,100 ----
char *topdomain __P((char *));
void usage __P((void));
+ #ifdef KERBEROS
+ #include <kerberosIV/des.h>
+ #include <kerberosIV/krb.h>
+ #define VERSION_SIZE 9
+ #define SECURE_MESSAGE "This rsh session is using DES encryption for all transmissions.\r\n"
+ #define OPTIONS "alnkvxL"
+ char authbuf[sizeof(AUTH_DAT)];
+ char tickbuf[sizeof(KTEXT_ST)];
+ int doencrypt, use_kerberos, vacuous;
+ Key_schedule schedule;
+ #else
#define OPTIONS "alnL"
+ #endif
int
main(argc, argv)
***************
*** 108,113 ****
--- 120,140 ----
case 'n':
keepalive = 0;
break;
+ #ifdef KERBEROS
+ case 'k':
+ use_kerberos = 1;
+ break;
+
+ case 'v':
+ vacuous = 1;
+ break;
+
+ #ifdef CRYPT
+ case 'x':
+ doencrypt = 1;
+ break;
+ #endif
+ #endif
case 'L':
log_success = 1;
break;
***************
*** 120,125 ****
--- 147,164 ----
argc -= optind;
argv += optind;
+ #ifdef KERBEROS
+ if (use_kerberos && vacuous) {
+ syslog(LOG_ERR, "only one of -k and -v allowed");
+ exit(2);
+ }
+ #ifdef CRYPT
+ if (doencrypt && !use_kerberos) {
+ syslog(LOG_ERR, "-k is required for -x");
+ exit(2);
+ }
+ #endif
+ #endif
fromlen = sizeof (from);
if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
***************
*** 164,169 ****
--- 203,220 ----
char remotehost[2 * MAXHOSTNAMELEN + 1];
char hostnamebuf[2 * MAXHOSTNAMELEN + 1];
+ #ifdef KERBEROS
+ AUTH_DAT *kdata = (AUTH_DAT *) NULL;
+ KTEXT ticket = (KTEXT) NULL;
+ char instance[INST_SZ], version[VERSION_SIZE];
+ struct sockaddr_in fromaddr;
+ int rc;
+ long authopts;
+ int pv1[2], pv2[2];
+ fd_set wready, writeto;
+
+ fromaddr = *fromp;
+ #endif
(void) signal(SIGINT, SIG_DFL);
(void) signal(SIGQUIT, SIG_DFL);
***************
*** 210,215 ****
--- 261,269 ----
}
#endif
+ #ifdef KERBEROS
+ if (!use_kerberos)
+ #endif
if (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < IPPORT_RESERVED/2) {
syslog(LOG_NOTICE|LOG_AUTH,
***************
*** 242,247 ****
--- 296,304 ----
syslog(LOG_ERR, "can't get stderr port: %m");
exit(1);
}
+ #ifdef KERBEROS
+ if (!use_kerberos)
+ #endif
if (port >= IPPORT_RESERVED) {
syslog(LOG_ERR, "2nd port not reserved\n");
exit(1);
***************
*** 253,258 ****
--- 310,321 ----
}
}
+ #ifdef KERBEROS
+ if (vacuous) {
+ error("rshd: remote host requires Kerberos authentication\n");
+ exit(1);
+ }
+ #endif
#ifdef notdef
/* from inetd, socket is already on 0, 1, 2 */
***************
*** 271,276 ****
--- 334,342 ----
* address corresponds to the name.
*/
hostname = hp->h_name;
+ #ifdef KERBEROS
+ if (!use_kerberos)
+ #endif
if (check_all || local_domain(hp->h_name)) {
strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
remotehost[sizeof(remotehost) - 1] = 0;
***************
*** 310,315 ****
--- 376,417 ----
sizeof(hostnamebuf) - 1);
hostnamebuf[sizeof(hostnamebuf) - 1] = '\0';
+ #ifdef KERBEROS
+ if (use_kerberos) {
+ kdata = (AUTH_DAT *) authbuf;
+ ticket = (KTEXT) tickbuf;
+ authopts = 0L;
+ strcpy(instance, "*");
+ version[VERSION_SIZE - 1] = '\0';
+ #ifdef CRYPT
+ if (doencrypt) {
+ struct sockaddr_in local_addr;
+ rc = sizeof(local_addr);
+ if (getsockname(0, (struct sockaddr *)&local_addr,
+ &rc) < 0) {
+ syslog(LOG_ERR, "getsockname: %m");
+ error("rlogind: getsockname: %m");
+ exit(1);
+ }
+ authopts = KOPT_DO_MUTUAL;
+ rc = krb_recvauth(authopts, 0, ticket,
+ "rcmd", instance, &fromaddr,
+ &local_addr, kdata, "", schedule,
+ version);
+ des_set_key(kdata->session, schedule);
+ } else
+ #endif
+ rc = krb_recvauth(authopts, 0, ticket, "rcmd",
+ instance, &fromaddr,
+ (struct sockaddr_in *) 0,
+ kdata, "", (bit_64 *) 0, version);
+ if (rc != KSUCCESS) {
+ error("Kerberos authentication failure: %s\n",
+ krb_err_txt[rc]);
+ exit(1);
+ }
+ } else
+ #endif
getstr(remuser, sizeof(remuser), "remuser");
getstr(locuser, sizeof(locuser), "locuser");
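Review bot: The failure message on the `getsockname` path names the wrong daemon: `error("rlogind: getsockname: %m");` in rshd should read `error("rshd: getsockname: %m");`, matching the `"rshd: remote host requires Kerberos authentication\n"` text elsewhere in this file. `rc` also doubles as the `getsockname` length argument and the `krb_recvauth` result; a separate `int len = sizeof(local_addr);` would make the two uses distinct. `doit` begins and ends outside this hunk.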
***************
*** 335,340 ****
--- 437,455 ----
#endif
}
+ #ifdef KERBEROS
+ if (use_kerberos) {
+ if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') {
+ if (kuserok(kdata, locuser) != 0) {
+ syslog(LOG_INFO|LOG_AUTH,
+ "Kerberos rsh denied to %s.%s@%s",
+ kdata->pname, kdata->pinst, kdata->prealm);
+ error("Permission denied.\n");
+ exit(1);
+ }
+ }
+ } else
+ #endif
if (errorstr ||
pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
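Review bot: The `use_kerberos` branch consults `kuserok` only when the target account has a non-empty password field, so any principal whose ticket passes `krb_recvauth` obtains a shell as a local account with an empty `pw_passwd` without the principal-to-user check. This mirrors the shortcut the following `iruserok` condition takes for passwordless accounts, but the cases differ: the rhosts path is still gated by the reserved-port and hostname checks that the `if (!use_kerberos)` hunks above skip, whereas here the Kerberos identity is the only thing authenticating the peer. Drop the `pw_passwd` test and call `kuserok(kdata, locuser)` unconditionally in this branch, or document why an empty password should waive it. The enclosing `doit` continues outside this hunk.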
***************
*** 369,380 ****
--- 484,520 ----
error("Can't make pipe.\n");
exit(1);
}
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt) {
+ if (pipe(pv1) < 0) {
+ error("Can't make 2nd pipe.\n");
+ exit(1);
+ }
+ if (pipe(pv2) < 0) {
+ error("Can't make 3rd pipe.\n");
+ exit(1);
+ }
+ }
+ #endif
+ #endif
pid = fork();
if (pid == -1) {
error("Can't fork; try again.\n");
exit(1);
}
if (pid) {
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt) {
+ static char msg[] = SECURE_MESSAGE;
+ (void) close(pv1[1]);
+ (void) close(pv2[1]);
+ des_write(s, msg, sizeof(msg) - 1);
+
+ } else
+ #endif
+ #endif
{
(void) close(0);
(void) close(1);
***************
*** 389,405 ****
--- 529,575 ----
nfd = pv[0];
else
nfd = s;
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt) {
+ FD_ZERO(&writeto);
+ FD_SET(pv2[0], &writeto);
+ FD_SET(pv1[0], &readfrom);
+
+ nfd = MAX(nfd, pv2[0]);
+ nfd = MAX(nfd, pv1[0]);
+ } else
+ #endif
+ #endif
ioctl(pv[0], FIONBIO, (char *)&one);
/* should set s nbio! */
nfd++;
do {
ready = readfrom;
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt) {
+ wready = writeto;
+ if (select(nfd, &ready,
+ &wready, (fd_set *) 0,
+ (struct timeval *) 0) < 0)
+ break;
+ } else
+ #endif
+ #endif
if (select(nfd, &ready, (fd_set *)0,
(fd_set *)0, (struct timeval *)0) < 0)
break;
if (FD_ISSET(s, &ready)) {
int ret;
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt)
+ ret = des_read(s, &sig, 1);
+ else
+ #endif
+ #endif
ret = read(s, &sig, 1);
if (ret <= 0)
FD_CLR(s, &readfrom);
***************
*** 413,430 ****
--- 583,649 ----
shutdown(s, 1+1);
FD_CLR(pv[0], &readfrom);
} else {
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt)
+ (void)
+ des_write(s, buf, cc);
+ else
+ #endif
+ #endif
(void)
write(s, buf, cc);
}
}
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt && FD_ISSET(pv1[0], &ready)) {
+ errno = 0;
+ cc = read(pv1[0], buf, sizeof(buf));
+ if (cc <= 0) {
+ shutdown(pv1[0], 1+1);
+ FD_CLR(pv1[0], &readfrom);
+ } else
+ (void) des_write(STDOUT_FILENO,
+ buf, cc);
+ }
+
+ if (doencrypt && FD_ISSET(pv2[0], &wready)) {
+ errno = 0;
+ cc = des_read(STDIN_FILENO,
+ buf, sizeof(buf));
+ if (cc <= 0) {
+ shutdown(pv2[0], 1+1);
+ FD_CLR(pv2[0], &writeto);
+ } else
+ (void) write(pv2[0], buf, cc);
+ }
+ #endif
+ #endif
} while (FD_ISSET(s, &readfrom) ||
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ (doencrypt && FD_ISSET(pv1[0], &readfrom)) ||
+ #endif
+ #endif
FD_ISSET(pv[0], &readfrom));
exit(0);
}
setpgrp(0, getpid());
(void) close(s);
(void) close(pv[0]);
+ #ifdef CRYPT
+ #ifdef KERBEROS
+ if (doencrypt) {
+ close(pv1[0]); close(pv2[0]);
+ dup2(pv1[1], 1);
+ dup2(pv2[1], 0);
+ close(pv1[1]);
+ close(pv2[1]);
+ }
+ #endif
+ #endif
dup2(pv[1], 2);
close(pv[1]);
}
***************
*** 449,454 ****
--- 668,681 ----
cp = pwd->pw_shell;
endpwent();
if (log_success || pwd->pw_uid == 0) {
+ #ifdef KERBEROS
+ if (use_kerberos)
+ syslog(LOG_INFO|LOG_AUTH,
+ "Kerberos shell from %s.%s@%s on %s as %s, cmd='%.80s'",
+ kdata->pname, kdata->pinst, kdata->prealm,
+ hostname, locuser, cmdbuf);
+ else
+ #endif
syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
}
*** src/usr.bin/rlogin/Makefile.orig Sun Sep 24 17:16:21 1995
--- src/usr.bin/rlogin/Makefile Sun Sep 24 17:18:18 1995
***************
*** 3,14 ****
PROG= rlogin
SRCS= rlogin.c
- #SRCS+= krcmd.c kcmd.c des_rw.c
- #DPADD= ${LIBKRB} ${LIBDES}
- #CFLAGS+=-DKERBEROS -DCRYPT
- #LDADD= -lkrb -ldes
BINOWN= root
BINMODE=4555
#INSTALLFLAGS=-fschg
.include <bsd.prog.mk>
--- 3,25 ----
PROG= rlogin
SRCS= rlogin.c
BINOWN= root
BINMODE=4555
#INSTALLFLAGS=-fschg
+
+ .include <bsd.own.mk>
+
+ .if defined(KERBEROS)
+ CFLAGS+=-DKERBEROS
+ SRCS+= krcmd.c kcmd.c
+ LDADD+= -lkrb
+ DPADD+= ${LIBKRB}
+ .if !defined(EXPORTABLE_SYSTEM)
+ CFLAGS+=-DCRYPT
+ SRCS+= des_rw.c
+ LDADD= -ldes
+ DPADD= ${LIBDES}
+ .endif
+ .endif
.include <bsd.prog.mk>
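Review bot: Inside `.if !defined(EXPORTABLE_SYSTEM)`, `LDADD= -ldes` and `DPADD= ${LIBDES}` use plain assignment and so discard the `-lkrb` and `${LIBKRB}` added two lines earlier, leaving `krcmd.c`/`kcmd.c` with unresolved Kerberos symbols at link time in the CRYPT configuration. Every other Makefile in this PR (for example `src/usr.bin/rsh/Makefile`) uses `+=` at this point; change both lines to `LDADD+= -ldes` and `DPADD+= ${LIBDES}`.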
*** src/usr.bin/rsh/Makefile.orig Sun Sep 24 17:19:18 1995
--- src/usr.bin/rsh/Makefile Sun Sep 24 17:22:01 1995
***************
*** 5,10 ****
--- 5,25 ----
SRCS= rsh.c
BINOWN= root
BINMODE=4555
+
+ .include <bsd.own.mk> # For KERBEROS
+
+ .if defined(KERBEROS)
.PATH: ${.CURDIR}/../rlogin
+ CFLAGS+=-DKERBEROS
+ SRCS+= krcmd.c kcmd.c
+ LDADD+= -lkrb
+ DPADD+= ${LIBKRB}
+ .if !defined(EXPORTABLE_SYSTEM)
+ CFLAGS+=-DCRYPT
+ SRCS+= des_rw.c
+ LDADD+= -ldes
+ DPADD+= ${LIBDES}
+ .endif
+ .endif
.include <bsd.prog.mk>
*** src/usr.bin/su/Makefile.orig Sun Sep 24 17:25:38 1995
--- src/usr.bin/su/Makefile Sun Sep 24 17:24:27 1995
***************
*** 4,11 ****
PROG= su
BINOWN= root
BINMODE=4555
CFLAGS+=-DSKEY
! LDADD+= -lcrypt -lskey
! DPADD+= ${LIBCRYPT} ${LIBSKEY}
.include <bsd.prog.mk>
--- 4,28 ----
PROG= su
BINOWN= root
BINMODE=4555
+ LDADD+= -lcrypt
+ DPADD+= ${LIBCRYPT}
+
+ .include <bsd.own.mk>
+
+ .if defined(SKEY)
CFLAGS+=-DSKEY
! LDADD+= -lskey
! DPADD+= ${LIBSKEY}
! .endif
!
! .if defined(KERBEROS)
! CFLAGS+=-DKERBEROS
! LDADD+= -lkrb
! DPADD+= ${LIBKRB}
! .if !defined(EXPORTABLE_SYSTEM)
! LDADD+= -ldes
! DPADD+= ${LIBDES}
! .endif
! .endif
.include <bsd.prog.mk>
*** src/usr.bin/login/Makefile.orig Sun Sep 24 17:27:47 1995
--- src/usr.bin/login/Makefile Sun Sep 24 17:30:13 1995
***************
*** 3,22 ****
PROG= login
SRCS= login.c
! DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY}
! LDADD= -lutil -lcrypt -lskey
! CFLAGS+= -DSKEY
.if defined(KERBEROS5)
SRCS+= k5login.c
- DPADD+= ${LIBKRB5} ${LIBCRYPTO}
LDADD+= -lkrb5 -lcrypto
! CFLAGS+= -DKERBEROS5
.elif defined(KERBEROS)
- SRCS+= klogin.c
- DPADD+= ${LIBKRB} ${LIBDES}
- LDADD+= -lkrb -ldes
CFLAGS+= -DKERBEROS
.endif
BINOWN= root
--- 3,33 ----
PROG= login
SRCS= login.c
! LDADD= -lutil -lcrypt
! DPADD= ${LIBUTIL} ${LIBCRYPT}
!
! .include <bsd.own.mk> # For SKEY, KERBEROS and KERBEROS5
!
! .if defined(SKEY)
! CFLAGS+=-DSKEY
! LDADD+= -lskey
! DPADD+= ${LIBSKEY}
! .endif
.if defined(KERBEROS5)
+ CFLAGS+= -DKERBEROS5
SRCS+= k5login.c
LDADD+= -lkrb5 -lcrypto
! DPADD+= ${LIBKRB5} ${LIBCRYPTO}
.elif defined(KERBEROS)
CFLAGS+= -DKERBEROS
+ SRCS+= klogin.c
+ LDADD+= -lkrb
+ DPADD+= ${LIBKRB}
+ .if !defined(EXPORTABLE_SYSTEM)
+ LDADD+= -ldes
+ DPADD+= ${LIBDES}
+ .endif
.endif
BINOWN= root
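Review bot: The `src/usr.bin/login/Makefile` diff appears twice in this PR, here and again after the `src/usr.bin/lock/Makefile` hunk, with identical timestamps (`Sun Sep 24 17:27:47 1995` / `17:30:13 1995`) and identical content. `patch` will find the second copy already applied and either prompt to reverse it or reject it; drop the duplicate.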
*** src/usr.bin/lock/Makefile.orig Sun Sep 24 17:31:39 1995
--- src/usr.bin/lock/Makefile Sun Sep 24 17:32:11 1995
***************
*** 4,11 ****
PROG= lock
BINOWN= root
BINMODE=4555
CFLAGS+=-DSKEY
! LDADD+= -lcrypt -lskey
! DPADD+= ${LIBCRYPT} ${LIBSKEY}
.include <bsd.prog.mk>
--- 4,18 ----
PROG= lock
BINOWN= root
BINMODE=4555
+ LDADD+= -lcrypt
+ DPADD+= ${LIBCRYPT}
+
+ .include <bsd.own.mk>
+
+ .if defined(SKEY)
CFLAGS+=-DSKEY
! LDADD+= -lskey
! DPADD+= ${LIBSKEY}
! .endif
.include <bsd.prog.mk>
*** src/usr.bin/login/Makefile.orig Sun Sep 24 17:27:47 1995
--- src/usr.bin/login/Makefile Sun Sep 24 17:30:13 1995
***************
*** 3,22 ****
PROG= login
SRCS= login.c
! DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY}
! LDADD= -lutil -lcrypt -lskey
! CFLAGS+= -DSKEY
.if defined(KERBEROS5)
SRCS+= k5login.c
- DPADD+= ${LIBKRB5} ${LIBCRYPTO}
LDADD+= -lkrb5 -lcrypto
! CFLAGS+= -DKERBEROS5
.elif defined(KERBEROS)
- SRCS+= klogin.c
- DPADD+= ${LIBKRB} ${LIBDES}
- LDADD+= -lkrb -ldes
CFLAGS+= -DKERBEROS
.endif
BINOWN= root
--- 3,33 ----
PROG= login
SRCS= login.c
! LDADD= -lutil -lcrypt
! DPADD= ${LIBUTIL} ${LIBCRYPT}
!
! .include <bsd.own.mk> # For SKEY, KERBEROS and KERBEROS5
!
! .if defined(SKEY)
! CFLAGS+=-DSKEY
! LDADD+= -lskey
! DPADD+= ${LIBSKEY}
! .endif
.if defined(KERBEROS5)
+ CFLAGS+= -DKERBEROS5
SRCS+= k5login.c
LDADD+= -lkrb5 -lcrypto
! DPADD+= ${LIBKRB5} ${LIBCRYPTO}
.elif defined(KERBEROS)
CFLAGS+= -DKERBEROS
+ SRCS+= klogin.c
+ LDADD+= -lkrb
+ DPADD+= ${LIBKRB}
+ .if !defined(EXPORTABLE_SYSTEM)
+ LDADD+= -ldes
+ DPADD+= ${LIBDES}
+ .endif
.endif
BINOWN= root
*** src/domestic/Makefile.orig Sun Sep 24 15:18:56 1995
--- src/domestic/Makefile Sun Sep 24 17:43:14 1995
***************
*** 4,9 ****
# it outside of the US.
SUBDIR+= libcrypt
! SUBDIR+= bdes init ed
.include <bsd.subdir.mk>
--- 4,14 ----
# it outside of the US.
SUBDIR+= libcrypt
!
! .if exists(des)
! SUBDIR+= des
! .endif
!
! SUBDIR+= bdes init ed telnetd
.include <bsd.subdir.mk>
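Review bot: `telnetd` is appended to `SUBDIR` unconditionally, whereas `des` on the lines just above is guarded by `.if exists(des)`; if `domestic/telnetd` is absent from a given tree, the subdir build fails. The PR description does not mention telnetd either, so guard it the same way (`.if exists(telnetd)` / `SUBDIR+= telnetd` / `.endif`) or state in the description why it belongs to this change.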
>Audit-Trail:
>Unformatted: