Dike out the Kerberos(IV) support on the grounds that better kerberos

support can be already obtained via PAM.

2 files changed, 14 insertions, 189 deletions

diff --git a/usr.bin/su/su.1 b/usr.bin/su/su.1
index 5024849..00ff324 100644
--- a/usr.bin/su/su.1
+++ b/usr.bin/su/su.1
@@ -42,27 +42,29 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl
-.Op Fl Kflm
+.Op Fl flm
 .Op Fl c Ar class 
 .Op Ar login Op Ar args
 .Sh DESCRIPTION
 .Nm Su
-requests the Kerberos password for
+requests the superuser password for
 .Ar login
-(or for
-.Dq Ar login Ns .root ,
-if no login is provided), and switches to
-that user and group ID after obtaining a Kerberos ticket granting ticket.
+(or if Kerberos PAMs are used for
+.Dq Ar login Ns .root
+or
+.Dq Ar login Ns /root
+as appropriate),
+and switches to that user ID.
 A shell is then executed.
 .Nm Su
 will resort to the local password file to find the password for
 .Ar login
-if there is a Kerberos error.
+if there is a PAM error.
 If
 .Nm
 is executed by root, no password is requested and a shell
-with the appropriate user ID is executed; no additional Kerberos tickets
-are obtained.
+with the appropriate user ID is executed;
+no additional PAM work is done.
 .Pp
 By default, the environment is unmodified with the exception of
 .Ev USER ,
@@ -76,7 +78,7 @@ are set to the target login's default values.
 .Ev USER
 is set to the target login, unless the target login has a user ID of 0,
 in which case it is unmodified.
-The invoked shell is the target login's.
+The invoked shell is the one belonging to the target login.
 This is the traditional behavior of
 .Nm .
 Resource limits and session priority applicable to the original user's
@@ -86,8 +88,6 @@ are also normally retained unless the target login as a user ID of 0.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl K
-Do not attempt to use Kerberos to authenticate the user.
 .It Fl f
 If the invoked shell is
 .Xr csh 1 ,
@@ -190,7 +190,8 @@ entries with service name
 .Xr group 5 ,
 .Xr login.conf 5 ,
 .Xr passwd 5 ,
-.Xr environ 7
+.Xr environ 7 ,
+.Xr pam 8
 .Sh ENVIRONMENT
 Environment variables used by
 .Nm :
diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c
index efd46b8..bbe93fc 100644
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@@ -88,20 +88,7 @@ static char **environ_pam;
 #endif
 #endif /* USE_PAM */
 
-#ifdef KERBEROS
-#include <openssl/des.h>
-#include <krb.h>
-#include <netdb.h>
-
-#define	ARGSTR	"-Kflmc:"
-
-static int kerberos(char *username, char *user, int uid, char *pword);
-static int koktologin(char *name, char *toname);
-
-int use_kerberos = 1;
-#else /* !KERBEROS */
 #define	ARGSTR	"-flmc:"
-#endif /* KERBEROS */
 
 char   *ontty __P((void));
 int	chshell __P((char *));
@@ -136,9 +123,6 @@ main(argc, argv)
 	char **g;
 	struct group *gr;
 #endif /* USE_PAM */
-#ifdef KERBEROS
-	char *k;
-#endif
 	char shellbuf[MAXPATHLEN];
 
 #ifdef WHEELSU
@@ -148,11 +132,6 @@ main(argc, argv)
 	user = "root";
 	while((ch = getopt(argc, argv, ARGSTR)) != -1) 
 		switch((char)ch) {
-#ifdef KERBEROS
-		case 'K':
-			use_kerberos = 0;
-			break;
-#endif
 		case 'f':
 			fastlogin = 1;
 			break;
@@ -194,11 +173,6 @@ main(argc, argv)
 
 	argv += optind;
 
-#ifdef KERBEROS
-	k = auth_getval("auth_list");
-	if (k && !strstr(k, "kerberos"))
-	    use_kerberos = 0;
-#endif
 	errno = 0;
 	prio = getpriority(PRIO_PROCESS, 0);
 	if (errno)
@@ -300,13 +274,6 @@ main(argc, argv)
 #endif /* WHEELSU */
 
 	if (ruid) {
-#ifdef KERBEROS
-		if (use_kerberos && koktologin(username, user)
-		    && !pwd->pw_uid) {
-			warnx("kerberos: not in %s's ACL.", user);
-			use_kerberos = 0;
-		}
-#endif
 		{
 			/*
 			 * Only allow those with pw_gid==0 or those listed in
@@ -351,9 +318,6 @@ main(argc, argv)
 			if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd)))
 #endif /* SKEY */
 			{
-#ifdef KERBEROS
-	    			if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p)))
-#endif
 				{
 					syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username, user, ontty());
 					errx(1, "Sorry");
@@ -464,9 +428,6 @@ main(argc, argv)
 	if (!asme) {
 		if (asthem) {
 			p = getenv("TERM");
-#ifdef KERBEROS
-			k = getenv("KRBTKFILE");
-#endif
 			environ = &cleanenv;
 
 #ifdef USE_PAM
@@ -483,10 +444,6 @@ main(argc, argv)
 			setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV);
 			if (p)
 				(void)setenv("TERM", p, 1);
-#ifdef KERBEROS
-			if (k)
-				(void)setenv("KRBTKFILE", k, 1);
-#endif
 			if (chdir(pwd->pw_dir) < 0)
 				errx(1, "no directory");
 		}
@@ -596,136 +553,3 @@ ontty()
 		snprintf(buf, sizeof(buf), " on %s", p);
 	return (buf);
 }
-
-#ifdef KERBEROS
-int
-kerberos(username, user, uid, pword)
-	char *username, *user;
-	int uid;
-	char *pword;
-{
-	KTEXT_ST ticket;
-	AUTH_DAT authdata;
-	int kerno;
-	u_long faddr;
-	char lrealm[REALM_SZ], krbtkfile[MAXPATHLEN];
-	char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN];
-	char *krb_get_phost();
-	struct hostent *hp;
-
-	if (krb_get_lrealm(lrealm, 1) != KSUCCESS)
-		return (1);
-	(void)sprintf(krbtkfile, "%s_%s_%lu", TKT_ROOT, user,
-	    (unsigned long)getuid());
-
-	(void)setenv("KRBTKFILE", krbtkfile, 1);
-	(void)krb_set_tkt_string(krbtkfile);
-	/*
-	 * Set real as well as effective ID to 0 for the moment,
-	 * to make the kerberos library do the right thing.
-	 */
-	if (setuid(0) < 0) {
-		warn("setuid");
-		return (1);
-	}
-
-	/*
-	 * Little trick here -- if we are su'ing to root,
-	 * we need to get a ticket for "xxx.root", where xxx represents
-	 * the name of the person su'ing.  Otherwise (non-root case),
-	 * we need to get a ticket for "yyy.", where yyy represents
-	 * the name of the person being su'd to, and the instance is null
-	 *
-	 * We should have a way to set the ticket lifetime,
-	 * with a system default for root.
-	 */
-	kerno = krb_get_pw_in_tkt((uid == 0 ? username : user),
-		(uid == 0 ? "root" : ""), lrealm,
-	    	"krbtgt", lrealm, DEFAULT_TKT_LIFE, pword);
-
-	if (kerno != KSUCCESS) {
-		if (kerno == KDC_PR_UNKNOWN) {
-			warnx("kerberos: principal unknown: %s.%s@%s",
-				(uid == 0 ? username : user),
-				(uid == 0 ? "root" : ""), lrealm);
-			return (1);
-		}
-		warnx("kerberos: unable to su: %s", krb_err_txt[kerno]);
-		syslog(LOG_NOTICE,
-		    "BAD Kerberos SU: %s to %s%s: %s",
-		    username, user, ontty(), krb_err_txt[kerno]);
-		return (1);
-	}
-
-	if (chown(krbtkfile, uid, -1) < 0) {
-		warn("chown");
-		(void)unlink(krbtkfile);
-		return (1);
-	}
-
-	(void)setpriority(PRIO_PROCESS, 0, -2);
-
-	if (gethostname(hostname, sizeof(hostname)) == -1) {
-		warn("gethostname");
-		dest_tkt();
-		return (1);
-	}
-
-	(void)strncpy(savehost, krb_get_phost(hostname), sizeof(savehost));
-	savehost[sizeof(savehost) - 1] = '\0';
-
-	kerno = krb_mk_req(&ticket, "rcmd", savehost, lrealm, 33);
-
-	if (kerno == KDC_PR_UNKNOWN) {
-		warnx("Warning: TGT not verified.");
-		syslog(LOG_NOTICE,
-		    "%s to %s%s, TGT not verified (%s); %s.%s not registered?",
-		    username, user, ontty(), krb_err_txt[kerno],
-		    "rcmd", savehost);
-	} else if (kerno != KSUCCESS) {
-		warnx("Unable to use TGT: %s", krb_err_txt[kerno]);
-		syslog(LOG_NOTICE, "failed su: %s to %s%s: %s",
-		    username, user, ontty(), krb_err_txt[kerno]);
-		dest_tkt();
-		return (1);
-	} else {
-		if (!(hp = gethostbyname(hostname))) {
-			warnx("can't get addr of %s", hostname);
-			dest_tkt();
-			return (1);
-		}
-		memmove((char *)&faddr, (char *)hp->h_addr, sizeof(faddr));
-
-		if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr,
-		    &authdata, "")) != KSUCCESS) {
-			warnx("kerberos: unable to verify rcmd ticket: %s",
-			    krb_err_txt[kerno]);
-			syslog(LOG_NOTICE,
-			    "failed su: %s to %s%s: %s", username,
-			     user, ontty(), krb_err_txt[kerno]);
-			dest_tkt();
-			return (1);
-		}
-	}
-	return (0);
-}
-
-int
-koktologin(name, toname)
-	char *name, *toname;
-{
-	AUTH_DAT *kdata;
-	AUTH_DAT kdata_st;
-	char realm[REALM_SZ];
-
-	if (krb_get_lrealm(realm, 1) != KSUCCESS)
-		return (1);
-	kdata = &kdata_st;
-	memset((char *)kdata, 0, sizeof(*kdata));
-	(void)strncpy(kdata->pname, name, sizeof kdata->pname - 1);
-	(void)strncpy(kdata->pinst,
-	    ((strcmp(toname, "root") == 0) ? "root" : ""), sizeof kdata->pinst - 1);
-	(void)strncpy(kdata->prealm, realm, sizeof kdata->prealm - 1);
-	return (kuserok(kdata, toname));
-}
-#endif