diff options
author | nectar <nectar@FreeBSD.org> | 2002-08-30 21:23:27 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2002-08-30 21:23:27 +0000 |
commit | a77dba08ca7d8ad2f2dcd653974ac66df78cfa49 (patch) | |
tree | 6015f89700252fb05eb8fa267c46dba41913e9d8 /crypto/heimdal/appl/rsh/rshd.c | |
parent | 69a91bec14ec3ad49d1c8a82c40a796755f9e4a3 (diff) | |
download | FreeBSD-src-a77dba08ca7d8ad2f2dcd653974ac66df78cfa49.zip FreeBSD-src-a77dba08ca7d8ad2f2dcd653974ac66df78cfa49.tar.gz |
Import of Heimdal Kerberos from KTH repository circa 2002/08/29.
Diffstat (limited to 'crypto/heimdal/appl/rsh/rshd.c')
-rw-r--r-- | crypto/heimdal/appl/rsh/rshd.c | 131 |
1 files changed, 90 insertions, 41 deletions
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c index 850c6ac..fc2df7f 100644 --- a/crypto/heimdal/appl/rsh/rshd.c +++ b/crypto/heimdal/appl/rsh/rshd.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,24 +32,28 @@ */ #include "rsh_locl.h" -RCSID("$Id: rshd.c,v 1.44 2001/11/30 14:38:48 joda Exp $"); +RCSID("$Id: rshd.c,v 1.46 2002/02/18 20:02:14 joda Exp $"); int login_access( struct passwd *user, char *from); enum auth_method auth_method; +#ifdef KRB5 krb5_context context; krb5_keyblock *keyblock; krb5_crypto crypto; +#endif #ifdef KRB4 des_key_schedule schedule; des_cblock iv; #endif +#ifdef KRB5 krb5_ccache ccache, ccache2; int kerberos_status = 0; +#endif int do_encrypt = 0; @@ -60,15 +64,19 @@ static int do_inetd = 1; static char *port_str; static int do_rhosts = 1; static int do_kerberos = 0; +#define DO_KRB4 2 +#define DO_KRB5 4 static int do_vacuous = 0; static int do_log = 1; +#ifdef KRB4 static int do_newpag = 1; +#endif static int do_addr_verify = 0; static int do_keepalive = 1; static int do_version; static int do_help = 0; -#if defined(DCE) +#if defined(KRB5) && defined(DCE) int dfsk5ok = 0; int dfspag = 0; int dfsfwd = 0; @@ -214,6 +222,7 @@ recv_krb4_auth (int s, u_char *buf, #endif /* KRB4 */ +#ifdef KRB5 static int save_krb5_creds (int s, krb5_auth_context auth_context, @@ -413,6 +422,7 @@ recv_krb5_auth (int s, u_char *buf, return 0; } +#endif /* KRB5 */ static void loop (int from0, int to0, @@ -593,7 +603,7 @@ setup_environment (char ***env, const struct passwd *pwd) } static void -doit (int do_kerberos, int check_rhosts) +doit (void) { u_char buf[BUFSIZ]; u_char *p; @@ -621,7 +631,9 @@ doit (int do_kerberos, int check_rhosts) if (getpeername (s, thataddr, &thataddr_len) < 0) syslog_and_die ("getpeername: %m"); - if (!do_kerberos && !is_reserved(socket_get_port(thataddr))) + /* check for V4MAPPED addresses? */ + + if (do_kerberos == 0 && !is_reserved(socket_get_port(thataddr))) fatal(s, NULL, "Permission denied."); p = buf; @@ -637,7 +649,7 @@ doit (int do_kerberos, int check_rhosts) syslog_and_die ("non-digit in port number: %c", *p); } - if (!do_kerberos && !is_reserved(htons(port))) + if (do_kerberos == 0 && !is_reserved(htons(port))) fatal(s, NULL, "Permission denied."); if (port) { @@ -677,19 +689,23 @@ doit (int do_kerberos, int check_rhosts) syslog_and_die ("reading auth info: %m"); #ifdef KRB4 - if (recv_krb4_auth (s, buf, thisaddr, thataddr, + if ((do_kerberos & DO_KRB4) && + recv_krb4_auth (s, buf, thisaddr, thataddr, client_user, server_user, cmd) == 0) auth_method = AUTH_KRB4; else #endif /* KRB4 */ - if(recv_krb5_auth (s, buf, thisaddr, thataddr, +#ifdef KRB5 + if((do_kerberos & DO_KRB5) && + recv_krb5_auth (s, buf, thisaddr, thataddr, client_user, server_user, cmd) == 0) auth_method = AUTH_KRB5; else +#endif /* KRB5 */ syslog_and_die ("unrecognized auth protocol: %x %x %x %x", buf[0], buf[1], buf[2], buf[3]); } else { @@ -851,18 +867,22 @@ struct getargs args[] = { { "keepalive", 'n', arg_negative_flag, &do_keepalive }, { "inetd", 'i', arg_negative_flag, &do_inetd, "Not started from inetd" }, +#if defined(KRB4) || defined(KRB5) { "kerberos", 'k', arg_flag, &do_kerberos, "Implement kerberised services" }, { "encrypt", 'x', arg_flag, &do_encrypt, "Implement encrypted service" }, +#endif { "rhosts", 'l', arg_negative_flag, &do_rhosts, "Don't check users .rhosts" }, { "port", 'p', arg_string, &port_str, "Use this port", "port" }, { "vacuous", 'v', arg_flag, &do_vacuous, "Don't accept non-kerberised connections" }, +#ifdef KRB4 { NULL, 'P', arg_negative_flag, &do_newpag, "Don't put process in new PAG" }, +#endif /* compatibility flag: */ { NULL, 'L', arg_flag, &do_log }, { "version", 0, arg_flag, &do_version }, @@ -887,7 +907,7 @@ int main(int argc, char **argv) { int optind = 0; - int port = 0; + int on = 1; setprogname (argv[0]); roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH); @@ -904,50 +924,79 @@ main(int argc, char **argv) exit(0); } -#ifdef KRB5 - { - krb5_error_code ret; +#if defined(KRB4) || defined(KRB5) + if (do_encrypt) + do_kerberos = 1; - ret = krb5_init_context (&context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); - } + if(do_kerberos) + do_kerberos = DO_KRB4 | DO_KRB5; #endif - if(port_str) { - struct servent *s = roken_getservbyname (port_str, "tcp"); - - if (s) - port = s->s_port; - else { - char *ptr; + if (do_keepalive && + setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, + sizeof(on)) < 0) + syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); - port = strtol (port_str, &ptr, 10); - if (port == 0 && ptr == port_str) - syslog_and_die("Bad port `%s'", port_str); - port = htons(port); - } - } + /* set SO_LINGER? */ - if (do_encrypt) - do_kerberos = 1; +#ifdef KRB5 + if((do_kerberos & DO_KRB5) && krb5_init_context (&context) != 0) + do_kerberos &= ~DO_KRB5; +#endif if (!do_inetd) { - if (port == 0) { + int error; + struct addrinfo *ai = NULL, hints; + char portstr[NI_MAXSERV]; + + memset (&hints, 0, sizeof(hints)); + hints.ai_flags = AI_PASSIVE; + hints.ai_socktype = SOCK_STREAM; + hints.ai_family = PF_UNSPEC; + + if(port_str != NULL) { + error = getaddrinfo (NULL, port_str, &hints, &ai); + if (error) + errx (1, "getaddrinfo: %s", gai_strerror (error)); + } + if (ai == NULL) { +#if defined(KRB4) || defined(KRB5) if (do_kerberos) { - if (do_encrypt) - port = krb5_getportbyname (context, "ekshell", "tcp", 545); - else - port = krb5_getportbyname (context, "kshell", "tcp", 544); - } else { - port = krb5_getportbyname(context, "shell", "tcp", 514); - } + if (do_encrypt) { + error = getaddrinfo(NULL, "ekshell", &hints, &ai); + if(error == EAI_NONAME) { + snprintf(portstr, sizeof(portstr), "%d", 545); + error = getaddrinfo(NULL, portstr, &hints, &ai); + } + if(error) + errx (1, "getaddrinfo: %s", gai_strerror (error)); + } else { + error = getaddrinfo(NULL, "kshell", &hints, &ai); + if(error == EAI_NONAME) { + snprintf(portstr, sizeof(portstr), "%d", 544); + error = getaddrinfo(NULL, portstr, &hints, &ai); + } + if(error) + errx (1, "getaddrinfo: %s", gai_strerror (error)); + } + } else +#endif + { + error = getaddrinfo(NULL, "shell", &hints, &ai); + if(error == EAI_NONAME) { + snprintf(portstr, sizeof(portstr), "%d", 514); + error = getaddrinfo(NULL, portstr, &hints, &ai); + } + if(error) + errx (1, "getaddrinfo: %s", gai_strerror (error)); + } } - mini_inetd (port); + mini_inetd_addrinfo (ai); + freeaddrinfo(ai); } signal (SIGPIPE, SIG_IGN); - doit (do_kerberos, do_rhosts); + doit (); return 0; } |