authorwollman <wollman@FreeBSD.org>1997-07-28 15:29:29 +0000
committerwollman <wollman@FreeBSD.org>1997-07-28 15:29:29 +0000
commitb759800f07914d4ca8768743bcf997d9a178dd71 (patch)
tree92474dfb22fa2c9fd9852d7e0ba7d3734118c5ad
parent5dff671c332b318cd16e7770c035202851ce93f9 (diff)
I hope Torsten doesn't mind me stepping on his toes a bit here...
Fix one serious bug in the RADIUS server's Kerberos interface, one minor nit in the build, and add one feature: - Properly validate the Kerberos ticket we obtained against an actual service so we know it wasn't forged. - Make sure the test programs are built knowing where the database is. - If the make variable KRB_INSTANCE is defined, it names the instance of each user to be used in validating their Kerberos password. (If this instance doesn't exist, the validation will fail.) This can be used for both access control and to keep separate one's login password from the less secure RADIUS mechanism (since exposure of the instance does not expose the null instance).
-rw-r--r--net/radius/files/patch-aa18
-rw-r--r--net/radius/files/patch-ad64
2 files changed, 74 insertions, 8 deletions
diff --git a/net/radius/files/patch-aa b/net/radius/files/patch-aa
index 94b0914..95bc814 100644
--- a/net/radius/files/patch-aa
+++ b/net/radius/files/patch-aa
@@ -1,6 +1,6 @@
diff -ru orig/Makefile ./Makefile
--- orig/Makefile Sun Sep 22 14:00:16 1996
-+++ Makefile Tue Jun 17 16:36:26 1997
++++ Makefile Mon Jul 28 11:07:04 1997
@@ -51,11 +51,11 @@
# Where the configuration files live.
RADDB = ./raddb
@@ -27,7 +27,7 @@ diff -ru orig/Makefile ./Makefile
# Define SRV to hold any combination of server names you'd like to override:
#SRV3 = -DDEFAULT_TACACS_SERVER=\"vms.dns.name\"
-@@ -110,17 +110,21 @@
+@@ -110,17 +110,22 @@
# radiusd -- the default
#
#--------------------------------------------------------------------------
@@ -45,14 +45,15 @@ diff -ru orig/Makefile ./Makefile
-#RADLIBS = /usr/kerberos/lib/libkrb.a /usr/kerberos/lib/libdes.a
-#INCS = -I/usr/kerberos/include
+.if defined(MAKE_EBONES)
-+DEFS = -DHAVE_SETVBUF -DM_KERB -DNOSHADOW $(MERIT) $(STUFF)
++DEFS = -DHAVE_SETVBUF -DM_KERB -DKRB_INSTANCE=\"$(KRB_INSTANCE)\" \
++ -DNOSHADOW $(MERIT) $(STUFF)
+RADLIBS = -lkrb -ldes
+INCS = -I/usr/include/kerberosIV
+.endif
#
# akerb
-@@ -219,12 +223,12 @@
+@@ -219,12 +224,12 @@
#
#--------------------------------------------------------------------------
@@ -71,7 +72,7 @@ diff -ru orig/Makefile ./Makefile
#
# Solaris 2.x
-@@ -304,14 +308,17 @@
+@@ -304,14 +309,17 @@
#
#--------------------------------------------------------------------------
@@ -84,7 +85,7 @@ diff -ru orig/Makefile ./Makefile
-#INSTALL = /usr/bin/install
-
+CC = cc
-+CFLAGS += -DRADIUS_DIR=\"${PREFIX}/lib/radius/db\" \
++CFLAGS += -DRADIUS_DIR=\"${RADDB_INSDIR}\" -DDEFAULT_DIR2=\"${RADDB_INSDIR}\" \
+ -DRADACCT_DIR=\"${PREFIX}/lib/radius/acct\" \
+ -DRADIUS_COMPRESS=\"/usr/bin/gzip\" \
+ $(DEFS) $(INCS)
@@ -97,7 +98,7 @@ diff -ru orig/Makefile ./Makefile
#
# AIX 3.2.5 (if using xlc(1) add -D_ALL_SOURCE to CFLAGS below)
#
-@@ -604,8 +611,6 @@
+@@ -604,8 +612,6 @@
$(MAN_INSDIR)/man5/clients.5
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/dictionary.5 \
$(MAN_INSDIR)/man5/dictionary.5
@@ -106,7 +107,7 @@ diff -ru orig/Makefile ./Makefile
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/radius.fsm.5 \
$(MAN_INSDIR)/man5/radius.fsm.5
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/users.5 \
-@@ -625,17 +630,17 @@
+@@ -625,17 +631,17 @@
/bin/mkdir -p $(RADDB_INSDIR) ;\
fi
$(INSTALL) $(M) 660 $(O) $(RADOWN) $(G) $(RADGRP) $(RADDB)/authfile \
@@ -130,3 +131,4 @@ diff -ru orig/Makefile ./Makefile
-if [ ! -d $(RADACCT_INSDIR) ] ;\
then \
/bin/mkdir -p $(RADACCT_INSDIR) ;\
+
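Review bot: The new `-DKRB_INSTANCE=\"$(KRB_INSTANCE)\"` in the MAKE_EBONES hunk silently expands to the empty string when the variable is not set on the make command line, which is the null instance and therefore the pre-change behaviour; that fallback is only documented in the commit message, not where an operator will look. Since a wrong instance makes every Kerberos validation fail, add a comment above the `.if defined(MAKE_EBONES)` block in the patched Makefile, e.g. `# KRB_INSTANCE: Kerberos instance validated for each user (unset = null instance, the previous behaviour)`. The `DEFAULT_DIR2` addition in the later CFLAGS hunk would benefit from the same one-line note explaining that it exists so the test programs find the database.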
diff --git a/net/radius/files/patch-ad b/net/radius/files/patch-ad
new file mode 100644
index 0000000..535bd0f
--- /dev/null
+++ b/net/radius/files/patch-ad
@@ -0,0 +1,64 @@
+diff -ru orig/src/rad.kerberos.c ./src/rad.kerberos.c
+--- orig/src/rad.kerberos.c Wed Sep 18 11:34:21 1996
++++ src/rad.kerberos.c Sat Jul 26 17:33:30 1997
+@@ -177,7 +177,8 @@
+ #if defined(M_KERB)
+ if (strcmp (authreq->direct_aatv->id, "MKERB") == 0)
+ {
+- krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
++ krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt",
++ realm,
+ DEFAULT_TKT_LIFE, mit_passwd_to_key,
+ NULL, passwd);
+ }
+@@ -192,6 +193,12 @@
+ }
+ #endif /* A_KERB */
+
++ /*
++ * XXX
++ * This can be spoofed fairly easily... Should attempt to authenticate
++ * to some service on this machine (e.g., radius.thishost@REALM)
++ * in order to ensure that the ticket we just got is really valid.
++ */
+ switch (krbval)
+ {
+ case INTK_OK:
+@@ -207,6 +214,37 @@
+ func, krbval);
+ break;
+ }
++#ifdef M_KERB
++ /*
++ * Ticket verification code based loosely on Berkeley klogin.c 8.3
++ */
++ if (krbreturn != EV_ACK) {
++ dest_tkt();
++ memset(passwd, 0, sizeof passwd);
++ } else {
++ struct sockaddr_in sin;
++ char host[MAXHOSTNAMELEN], *p;
++ AUTH_DAT authdata;
++ KTEXT_ST ticket;
++
++ krb_get_local_addr(&sin);
++ gethostname(host, sizeof host);
++ if ((p = strchr(host, '.')) != 0)
++ *p = '\0';
++ krbval = krb_mk_req(&ticket, "radius", host, realm, 33);
++ if (krbval == KSUCCESS) {
++ krbval = krb_rd_req(&ticket, "radius", host,
++ sin.sin_addr.s_addr, &authdata,
++ "");
++ }
++ if (krbval != KSUCCESS) {
++ logit(LOG_DAEMON, LOG_ERR,
++ "Kerberos error verifying ticket for %s: %s",
++ func, krb_err_txt[krbval]);
++ krbreturn = EV_NAK;
++ }
++ }
++#endif /* M_KERB */
+
+ dest_tkt (); /* destroy the ticket */
+ memset (passwd, 0, sizeof (passwd));
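Review bot: `krb_get_local_addr(&sin)` and `gethostname(host, sizeof host)` in the new M_KERB verification block are called without checking their results, so on failure `sin.sin_addr.s_addr` reaches `krb_rd_req` uninitialized and a truncated host name is not guaranteed NUL-terminated before `strchr` walks it. Since this block exists to reject forged tickets it should fail closed with `krbreturn = EV_NAK` when the local address or host name cannot be determined, assuming `krb_get_local_addr` follows the same KSUCCESS convention as the other krb_* calls here. The XXX comment added in the previous hunk ("Should attempt to authenticate to some service...") now contradicts this block for M_KERB; reword it to `/* XXX The M_KERB ticket is verified against the local "radius" service below; the A_KERB ticket is still taken on trust and could be spoofed. */`. The bare `33` passed to `krb_mk_req` is the checksum argument inherited from klogin.c and deserves a named constant or comment, and the `dest_tkt()`/`memset` pair in the `!= EV_ACK` branch repeats the two lines that follow the block unconditionally. The enclosing function starts and ends outside the hunk.
```c
	} else {
		struct sockaddr_in sin;
		char host[MAXHOSTNAMELEN], *p;
		AUTH_DAT authdata;
		KTEXT_ST ticket;

		/*
		 * Fail closed: without the local address and host name the
		 * ticket cannot be checked against the radius.<host> service.
		 */
		if (krb_get_local_addr(&sin) != KSUCCESS ||
		    gethostname(host, sizeof host) != 0) {
			logit(LOG_DAEMON, LOG_ERR,
			      "Cannot determine local host to verify ticket for %s",
			      func);
			krbreturn = EV_NAK;
		} else {
			host[sizeof host - 1] = '\0';
			if ((p = strchr(host, '.')) != 0)
				*p = '\0';
			/* … unchanged: krb_mk_req / krb_rd_req and error logging … */
		}
	}
```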