summaryrefslogtreecommitdiffstats
path: root/crypto/kerberosIV/appl/bsd
diff options
context:
space:
mode:
authorassar <assar@FreeBSD.org>2000-12-29 21:00:22 +0000
committerassar <assar@FreeBSD.org>2000-12-29 21:00:22 +0000
commit2aa51584a1bbbfd8d631a114c91b525674ec0175 (patch)
tree3be1655d8572aa7a94f884419466a6be1d5e9e35 /crypto/kerberosIV/appl/bsd
parent7e5f2377be4220b42ea18ddd0112a4a64320943a (diff)
downloadFreeBSD-src-2aa51584a1bbbfd8d631a114c91b525674ec0175.zip
FreeBSD-src-2aa51584a1bbbfd8d631a114c91b525674ec0175.tar.gz
import krb4-1.0.5
Diffstat (limited to 'crypto/kerberosIV/appl/bsd')
-rw-r--r--crypto/kerberosIV/appl/bsd/bsd_locl.h6
-rw-r--r--crypto/kerberosIV/appl/bsd/kcmd.c10
-rw-r--r--crypto/kerberosIV/appl/bsd/login.c34
-rw-r--r--crypto/kerberosIV/appl/bsd/rcmd_util.c20
-rw-r--r--crypto/kerberosIV/appl/bsd/rcp.c8
-rw-r--r--crypto/kerberosIV/appl/bsd/rlogin.c8
-rw-r--r--crypto/kerberosIV/appl/bsd/rlogind.c13
-rw-r--r--crypto/kerberosIV/appl/bsd/rsh.c16
-rw-r--r--crypto/kerberosIV/appl/bsd/rshd.c28
-rw-r--r--crypto/kerberosIV/appl/bsd/su.c57
10 files changed, 151 insertions, 49 deletions
diff --git a/crypto/kerberosIV/appl/bsd/bsd_locl.h b/crypto/kerberosIV/appl/bsd/bsd_locl.h
index e39bc36..f742d63 100644
--- a/crypto/kerberosIV/appl/bsd/bsd_locl.h
+++ b/crypto/kerberosIV/appl/bsd/bsd_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: bsd_locl.h,v 1.111 1999/12/02 16:58:28 joda Exp $ */
+/* $Id: bsd_locl.h,v 1.111.2.1 2000/06/23 02:34:20 assar Exp $ */
#define LOGALL
#define KERBEROS
@@ -395,3 +395,5 @@ void prepare_utmp (struct utmp *utmp, char *tty, char *username,
#endif
int do_osfc2_magic(uid_t);
+
+void paranoid_setuid (uid_t uid);
diff --git a/crypto/kerberosIV/appl/bsd/kcmd.c b/crypto/kerberosIV/appl/bsd/kcmd.c
index af20357..93b2b70 100644
--- a/crypto/kerberosIV/appl/bsd/kcmd.c
+++ b/crypto/kerberosIV/appl/bsd/kcmd.c
@@ -33,7 +33,7 @@
#include "bsd_locl.h"
-RCSID("$Id: kcmd.c,v 1.20 1998/07/13 13:54:07 assar Exp $");
+RCSID("$Id: kcmd.c,v 1.20.4.1 2000/10/10 12:55:55 assar Exp $");
#define START_PORT 5120 /* arbitrary */
@@ -185,6 +185,14 @@ kcmd(int *sock,
{
fd_set fds;
FD_ZERO(&fds);
+ if (s >= FD_SETSIZE || s2 >= FD_SETSIZE) {
+ warnx("file descriptor too large");
+ close(s);
+ close(s2);
+ status = -1;
+ goto bad;
+ }
+
FD_SET(s, &fds);
FD_SET(s2, &fds);
status = select(FD_SETSIZE, &fds, NULL, NULL, NULL);
diff --git a/crypto/kerberosIV/appl/bsd/login.c b/crypto/kerberosIV/appl/bsd/login.c
index 0d29ebe..f2f0873 100644
--- a/crypto/kerberosIV/appl/bsd/login.c
+++ b/crypto/kerberosIV/appl/bsd/login.c
@@ -45,7 +45,7 @@
#include <sys/capability.h>
#endif
-RCSID("$Id: login.c,v 1.125 1999/11/30 19:24:01 bg Exp $");
+RCSID("$Id: login.c,v 1.125.2.2 2000/06/23 02:33:07 assar Exp $");
#ifdef OTP
#include <otp.h>
@@ -596,22 +596,28 @@ main(int argc, char **argv)
if (pwd->pw_change || pwd->pw_expire)
gettimeofday(&tp, (struct timezone *)NULL);
- if (pwd->pw_change)
+ if (pwd->pw_change) {
+ time_t t;
+
if (tp.tv_sec >= pwd->pw_change) {
printf("Sorry -- your password has expired.\n");
changepass=1;
} else if (pwd->pw_change - tp.tv_sec <
- 2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
+ 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) {
+ t = pwd->pw_change;
printf("Warning: your password expires on %s",
- ctime(&pwd->pw_change));
+ ctime(&t));
+ }
if (pwd->pw_expire)
if (tp.tv_sec >= pwd->pw_expire) {
printf("Sorry -- your account has expired.\n");
sleepexit(1);
} else if (pwd->pw_expire - tp.tv_sec <
- 2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
+ 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) {
+ t = pwd->pw_expire;
printf("Warning: your account expires on %s",
- ctime(&pwd->pw_expire));
+ ctime(&t));
+ }
#endif /* defined(HAVE_PASSWD_CHANGE) && defined(HAVE_PASSWD_EXPIRE) */
/* Nothing else left to fail -- really log in. */
@@ -788,6 +794,11 @@ main(int argc, char **argv)
if(!rootlogin)
exit(1);
}
+ if (uid != 0 && setuid(0) != -1) {
+ syslog(LOG_ALERT | LOG_AUTH,
+ "Failed to drop privileges for user %d", uid);
+ errx(1, "Sorry");
+ }
}
@@ -953,6 +964,7 @@ dolastlog(int quiet)
#if defined(HAVE_LASTLOG_H) || defined(HAVE_LOGIN_H)
struct lastlog ll;
int fd;
+ time_t t;
if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), SEEK_SET);
@@ -966,8 +978,8 @@ dolastlog(int quiet)
sleepexit(1);
}
if (!quiet) {
- printf("Last login: %.*s ",
- 24-5, ctime(&ll.ll_time));
+ t = ll.ll_time;
+ printf("Last login: %.*s ", 24-5, ctime(&t));
if (*ll.ll_host != '\0') {
printf("from %.*s\n",
(int)sizeof(ll.ll_host),
@@ -983,8 +995,8 @@ dolastlog(int quiet)
if (!quiet) {
if (read(fd, &ll, sizeof(ll)) == sizeof(ll) &&
ll.ll_time != 0) {
- printf("Last login: %.*s ",
- 24-5, ctime(&ll.ll_time));
+ t = ll.ll_time;
+ printf("Last login: %.*s ", 24-5, ctime(&t));
if (*ll.ll_host != '\0')
printf("from %.*s\n",
(int)sizeof(ll.ll_host),
@@ -998,7 +1010,7 @@ dolastlog(int quiet)
}
#endif /* SYSV_SHADOW */
memset(&ll, 0, sizeof(ll));
- time(&ll.ll_time);
+ ll.ll_time = time(NULL);
strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
if (hostname)
strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
diff --git a/crypto/kerberosIV/appl/bsd/rcmd_util.c b/crypto/kerberosIV/appl/bsd/rcmd_util.c
index 1dfb46d..cd431e3 100644
--- a/crypto/kerberosIV/appl/bsd/rcmd_util.c
+++ b/crypto/kerberosIV/appl/bsd/rcmd_util.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "bsd_locl.h"
-RCSID("$Id: rcmd_util.c,v 1.19 1999/12/02 16:58:28 joda Exp $");
+RCSID("$Id: rcmd_util.c,v 1.19.2.1 2000/06/23 02:34:48 assar Exp $");
int
get_login_port(int kerberos, int encryption)
@@ -245,3 +245,19 @@ warning(const char *fmt, ...)
}
va_end(args);
}
+
+/*
+ * setuid but work-around Linux 2.2.15 bug with setuid and capabilities
+ */
+
+void
+paranoid_setuid (uid_t uid)
+{
+ if (setuid (uid) < 0)
+ err (1, "setuid");
+ if (uid != 0 && setuid (0) == 0) {
+ syslog(LOG_ALERT | LOG_AUTH,
+ "Failed to drop privileges for uid %u", (unsigned)uid);
+ err (1, "setuid");
+ }
+}
diff --git a/crypto/kerberosIV/appl/bsd/rcp.c b/crypto/kerberosIV/appl/bsd/rcp.c
index be87097..660be91 100644
--- a/crypto/kerberosIV/appl/bsd/rcp.c
+++ b/crypto/kerberosIV/appl/bsd/rcp.c
@@ -33,7 +33,7 @@
#include "bsd_locl.h"
-RCSID("$Id: rcp.c,v 1.52 1999/11/16 16:54:16 bg Exp $");
+RCSID("$Id: rcp.c,v 1.52.2.1 2000/06/23 02:35:16 assar Exp $");
/* Globals */
static char dst_realm_buf[REALM_SZ];
@@ -415,7 +415,7 @@ kerberos(char **host, char *bp, char *locuser, char *user)
int sock = -1, err;
if (use_kerberos) {
- setuid(getuid());
+ paranoid_setuid(getuid());
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
@@ -559,7 +559,7 @@ toremote(char *targ, int argc, char **argv)
if (response() < 0)
exit(1);
free(bp);
- setuid(userid);
+ paranoid_setuid(userid);
}
source(1, argv+i);
}
@@ -1002,7 +1002,7 @@ main(int argc, char **argv)
response();
if(do_osfc2_magic(pwd->pw_uid))
exit(1);
- setuid(userid);
+ paranoid_setuid(userid);
if (k_hasafs()) {
/* Sometimes we will need cell specific tokens
* to be able to read and write files, thus,
diff --git a/crypto/kerberosIV/appl/bsd/rlogin.c b/crypto/kerberosIV/appl/bsd/rlogin.c
index d057ede..60bed67 100644
--- a/crypto/kerberosIV/appl/bsd/rlogin.c
+++ b/crypto/kerberosIV/appl/bsd/rlogin.c
@@ -36,7 +36,7 @@
*/
#include "bsd_locl.h"
-RCSID("$Id: rlogin.c,v 1.67 1999/11/13 06:13:02 assar Exp $");
+RCSID("$Id: rlogin.c,v 1.67.2.2 2000/10/10 12:54:26 assar Exp $");
CREDENTIALS cred;
Key_schedule schedule;
@@ -241,6 +241,8 @@ reader(void)
rcvcnt = 0;
FD_ZERO (&readfds);
+ if (rem >= FD_SETSIZE)
+ errx (1, "fd too large");
FD_SET (rem, &readfds);
FD_ZERO (&exceptfds);
if (kludgep)
@@ -641,7 +643,7 @@ main(int argc, char **argv)
get_window_size(0, &winsize);
if (use_kerberos) {
- setuid(getuid());
+ paranoid_setuid(getuid());
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
@@ -703,7 +705,7 @@ main(int argc, char **argv)
#endif /* IP_TOS */
#endif /* HAVE_SETSOCKOPT */
- setuid(uid);
+ paranoid_setuid(uid);
doit();
return 0;
}
diff --git a/crypto/kerberosIV/appl/bsd/rlogind.c b/crypto/kerberosIV/appl/bsd/rlogind.c
index 927ffc5..eae2dd6 100644
--- a/crypto/kerberosIV/appl/bsd/rlogind.c
+++ b/crypto/kerberosIV/appl/bsd/rlogind.c
@@ -42,7 +42,7 @@
#include "bsd_locl.h"
-RCSID("$Id: rlogind.c,v 1.109 1999/11/25 05:27:38 assar Exp $");
+RCSID("$Id: rlogind.c,v 1.109.2.2 2000/06/23 02:37:06 assar Exp $");
extern int __check_rhosts_file;
@@ -257,7 +257,7 @@ rlogind_logout(const char *line)
ut.ut_exit.e_exit = 0;
#endif
#endif
- time(&ut.ut_time);
+ ut.ut_time = time(NULL);
fseek(fp, (long)-sizeof(struct utmp), SEEK_CUR);
fwrite(&ut, sizeof(struct utmp), 1, fp);
fseek(fp, (long)0, SEEK_CUR);
@@ -297,7 +297,7 @@ logwtmp(const char *line, const char *name, const char *host)
else
ut.ut_type = DEAD_PROCESS;
#endif
- time(&ut.ut_time);
+ ut.ut_time = time(NULL);
if (write(fd, &ut, sizeof(struct utmp)) !=
sizeof(struct utmp))
ftruncate(fd, buf.st_size);
@@ -491,6 +491,13 @@ doit(int f, struct sockaddr_in *fromp)
execl(new_login, "login", "-p",
"-h", hostname, "-f", "--", lusername, 0);
+ } else if (use_kerberos) {
+ fprintf(stderr, "User `%s' is not authorized to login as `%s'!\n",
+ krb_unparse_name_long(kdata->pname,
+ kdata->pinst,
+ kdata->prealm),
+ lusername);
+ exit(1);
} else
execl(new_login, "login", "-p",
"-h", hostname, "--", lusername, 0);
diff --git a/crypto/kerberosIV/appl/bsd/rsh.c b/crypto/kerberosIV/appl/bsd/rsh.c
index 87fe1fe..a18f775 100644
--- a/crypto/kerberosIV/appl/bsd/rsh.c
+++ b/crypto/kerberosIV/appl/bsd/rsh.c
@@ -33,7 +33,7 @@
#include "bsd_locl.h"
-RCSID("$Id: rsh.c,v 1.43 1999/11/13 06:13:34 assar Exp $");
+RCSID("$Id: rsh.c,v 1.43.2.2 2000/10/10 12:53:50 assar Exp $");
CREDENTIALS cred;
Key_schedule schedule;
@@ -107,7 +107,10 @@ talk(int nflag, sigset_t omask, int pid, int rem)
goto done;
bp = buf;
- rewrite: FD_ZERO(&rembits);
+ rewrite:
+ FD_ZERO(&rembits);
+ if (rem >= FD_SETSIZE)
+ errx(1, "fd too large");
FD_SET(rem, &rembits);
if (select(rem + 1, 0, &rembits, 0, 0) < 0) {
if (errno != EINTR)
@@ -140,6 +143,8 @@ talk(int nflag, sigset_t omask, int pid, int rem)
if (sigprocmask(SIG_SETMASK, &omask, 0) != 0)
warn("sigprocmask");
FD_ZERO(&readfrom);
+ if (rem >= FD_SETSIZE || rfd2 >= FD_SETSIZE)
+ errx(1, "fd too large");
FD_SET(rem, &readfrom);
FD_SET(rfd2, &readfrom);
do {
@@ -253,7 +258,7 @@ main(int argc, char **argv)
/* if no further arguments, must have been called as rlogin. */
if (!argv[optind]) {
*argv = "rlogin";
- setuid(getuid());
+ paranoid_setuid (getuid ());
execv(_PATH_RLOGIN, argv);
err(1, "can't exec %s", _PATH_RLOGIN);
}
@@ -282,7 +287,7 @@ main(int argc, char **argv)
sv_port = get_shell_port(use_kerberos, doencrypt);
if (use_kerberos) {
- setuid(getuid());
+ paranoid_setuid(getuid());
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
@@ -342,7 +347,7 @@ main(int argc, char **argv)
}
#endif
- setuid(uid);
+ paranoid_setuid(uid);
{
sigset_t sigmsk;
sigemptyset(&sigmsk);
@@ -358,6 +363,7 @@ main(int argc, char **argv)
signal(SIGQUIT, sendsig);
if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
signal(SIGTERM, sendsig);
+ signal(SIGPIPE, SIG_IGN);
if (!nfork) {
pid = fork();
diff --git a/crypto/kerberosIV/appl/bsd/rshd.c b/crypto/kerberosIV/appl/bsd/rshd.c
index b750e72..496fa88 100644
--- a/crypto/kerberosIV/appl/bsd/rshd.c
+++ b/crypto/kerberosIV/appl/bsd/rshd.c
@@ -42,7 +42,7 @@
#include "bsd_locl.h"
-RCSID("$Id: rshd.c,v 1.60 1999/11/13 06:13:53 assar Exp $");
+RCSID("$Id: rshd.c,v 1.60.2.3 2000/10/18 20:39:12 assar Exp $");
extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */
extern int __check_rhosts_file;
@@ -200,6 +200,8 @@ doit(struct sockaddr_in *fromp)
char *cp, sig, buf[DES_RW_MAXWRITE];
char cmdbuf[NCARGS+1], locuser[16], remuser[16];
char remotehost[2 * MaxHostNameLen + 1];
+ uid_t uid;
+ char shell_path[MAXPATHLEN];
AUTH_DAT *kdata;
KTEXT ticket;
@@ -433,6 +435,11 @@ doit(struct sockaddr_in *fromp)
close(2);
close(pv[1]);
+ if (s >= FD_SETSIZE || pv[0] >= FD_SETSIZE) {
+ error ("fd too large\n");
+ exit (1);
+ }
+
FD_ZERO(&readfrom);
FD_SET(s, &readfrom);
FD_SET(pv[0], &readfrom);
@@ -441,6 +448,11 @@ doit(struct sockaddr_in *fromp)
else
nfd = s;
if (doencrypt) {
+ if (pv2[1] >= FD_SETSIZE || pv1[0] >= FD_SETSIZE) {
+ error ("fd too large\n");
+ exit (1);
+ }
+
FD_ZERO(&writeto);
FD_SET(pv2[1], &writeto);
FD_SET(pv1[0], &readfrom);
@@ -571,14 +583,16 @@ doit(struct sockaddr_in *fromp)
snprintf(path, sizeof(path), "PATH=%s:%s", BINDIR, _PATH_DEFPATH);
strlcat(shell, pwd->pw_shell, sizeof(shell));
+ strlcpy(shell_path, pwd->pw_shell, sizeof(shell_path));
strlcat(username, pwd->pw_name, sizeof(username));
+ uid = pwd->pw_uid;
cp = strrchr(pwd->pw_shell, '/');
if (cp)
cp++;
else
cp = pwd->pw_shell;
endpwent();
- if (log_success || pwd->pw_uid == 0) {
+ if (log_success || uid == 0) {
if (use_kerberos)
syslog(LOG_INFO|LOG_AUTH,
"Kerberos shell from %s on %s as %s, cmd='%.80s'",
@@ -591,12 +605,16 @@ doit(struct sockaddr_in *fromp)
remuser, remotehost, locuser, cmdbuf);
}
if (k_hasafs()) {
+ char cell[64];
+
if (new_pag)
k_setpag(); /* Put users process in an new pag */
- krb_afslog(0, 0);
+ if (k_afs_cell_of_file (homedir, cell, sizeof(cell)) == 0)
+ krb_afslog_uid_home (cell, NULL, uid, homedir);
+ krb_afslog_uid_home(NULL, NULL, uid, homedir);
}
- execle(pwd->pw_shell, cp, "-c", cmdbuf, 0, envinit);
- err(1, "%s", pwd->pw_shell);
+ execle(shell_path, cp, "-c", cmdbuf, 0, envinit);
+ err(1, "%s", shell_path);
}
/*
diff --git a/crypto/kerberosIV/appl/bsd/su.c b/crypto/kerberosIV/appl/bsd/su.c
index cb24591..7fc63ee 100644
--- a/crypto/kerberosIV/appl/bsd/su.c
+++ b/crypto/kerberosIV/appl/bsd/su.c
@@ -33,20 +33,20 @@
#include "bsd_locl.h"
-RCSID ("$Id: su.c,v 1.70 1999/11/13 06:14:11 assar Exp $");
+RCSID ("$Id: su.c,v 1.70.2.2 2000/12/07 14:04:19 assar Exp $");
#ifdef SYSV_SHADOW
#include "sysv_shadow.h"
#endif
-static int kerberos (char *username, char *user, int uid);
+static int kerberos (char *username, char *user, char *realm, int uid);
static int chshell (char *sh);
static char *ontty (void);
static int koktologin (char *name, char *realm, char *toname);
static int chshell (char *sh);
/* Handle '-' option after all the getopt options */
-#define ARGSTR "Kflmti:"
+#define ARGSTR "Kkflmti:r:"
int destroy_tickets = 0;
static int use_kerberos = 1;
@@ -63,15 +63,22 @@ main (int argc, char **argv)
enum { UNSET, YES, NO } iscsh = UNSET;
char *user, *shell, *avshell, *username, **np;
char shellbuf[MaxPathLen], avshellbuf[MaxPathLen];
+ char *realm = NULL;
set_progname (argv[0]);
+ if (getuid() == 0)
+ use_kerberos = 0;
+
asme = asthem = fastlogin = 0;
while ((ch = getopt (argc, argv, ARGSTR)) != -1)
switch ((char) ch) {
case 'K':
use_kerberos = 0;
break;
+ case 'k':
+ use_kerberos = 1;
+ break;
case 'f':
fastlogin = 1;
break;
@@ -89,10 +96,13 @@ main (int argc, char **argv)
case 'i':
root_inst = optarg;
break;
+ case 'r':
+ realm = optarg;
+ break;
case '?':
default:
fprintf (stderr,
- "usage: su [-Kflmt] [-i root-instance] [-] [login]\n");
+ "usage: su [-Kkflmt] [-i root-instance] [-r realm] [-] [login]\n");
exit (1);
}
/* Don't handle '-' option with getopt */
@@ -150,7 +160,7 @@ main (int argc, char **argv)
syslog (LOG_ALERT, "NIS attack, user %s has uid 0", user);
errx (1, "unknown login %s", user);
}
- if (!use_kerberos || kerberos (username, user, pwd->pw_uid)) {
+ if (!use_kerberos || kerberos (username, user, realm, pwd->pw_uid)) {
#ifndef PASSWD_FALLBACK
errx (1, "won't use /etc/passwd authentication");
#endif
@@ -225,12 +235,22 @@ main (int argc, char **argv)
if (setgid (pwd->pw_gid) < 0)
err (1, "setgid");
- if (initgroups (user, pwd->pw_gid))
- errx (1, "initgroups failed.");
+ if (initgroups (user, pwd->pw_gid)) {
+ if (errno == E2BIG) /* Member of too many groups! */
+ warn("initgroups failed.");
+ else
+ errx(1, "initgroups failed.");
+ }
if (setuid (pwd->pw_uid) < 0)
err (1, "setuid");
+ if (pwd->pw_uid != 0 && setuid(0) != -1) {
+ syslog(LOG_ALERT | LOG_AUTH,
+ "Failed to drop privileges for user %s", pwd->pw_name);
+ errx(1, "Sorry");
+ }
+
if (!asme) {
if (asthem) {
char *k = getenv ("KRBTKFILE");
@@ -321,19 +341,26 @@ ontty (void)
}
static int
-kerberos (char *username, char *user, int uid)
+kerberos (char *username, char *user, char *lrealm, int uid)
{
KTEXT_ST ticket;
AUTH_DAT authdata;
struct hostent *hp;
int kerno;
u_long faddr;
- char lrealm[REALM_SZ], krbtkfile[MaxPathLen];
+ char tmp_realm[REALM_SZ], krbtkfile[MaxPathLen];
char hostname[MaxHostNameLen], savehost[MaxHostNameLen];
+ int n;
+ int allowed = 0;
- if (krb_get_lrealm (lrealm, 1) != KSUCCESS)
- return (1);
- if (koktologin (username, lrealm, user) && !uid) {
+ if (lrealm != NULL) {
+ allowed = koktologin (username, lrealm, user) == 0;
+ } else {
+ for (n = 1; !allowed && krb_get_lrealm (tmp_realm, n) == KSUCCESS; ++n)
+ allowed = koktologin (username, tmp_realm, user) == 0;
+ lrealm = tmp_realm;
+ }
+ if (!allowed && !uid) {
#ifndef PASSWD_FALLBACK
warnx ("not in %s's ACL.", user);
#endif
@@ -416,7 +443,11 @@ kerberos (char *username, char *user, int uid)
}
strlcpy (savehost, krb_get_phost (hostname), sizeof (savehost));
- kerno = krb_mk_req (&ticket, "rcmd", savehost, lrealm, 33);
+ for (n = 1; krb_get_lrealm (tmp_realm, n) == KSUCCESS; ++n) {
+ kerno = krb_mk_req (&ticket, "rcmd", savehost, tmp_realm, 33);
+ if (kerno == 0)
+ break;
+ }
if (kerno == KDC_PR_UNKNOWN) {
warnx ("Warning: TGT not verified.");
OpenPOWER on IntegriCloud