diff options
Diffstat (limited to 'crypto/heimdal/appl/rsh')
-rw-r--r-- | crypto/heimdal/appl/rsh/ChangeLog | 29 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/Makefile.in | 99 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rsh.1 | 35 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rsh.c | 121 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rsh_locl.h | 13 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rshd.8 | 48 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rshd.c | 147 |
7 files changed, 294 insertions, 198 deletions
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog index ddac74f..1f33245 100644 --- a/crypto/heimdal/appl/rsh/ChangeLog +++ b/crypto/heimdal/appl/rsh/ChangeLog @@ -1,3 +1,32 @@ +2003-04-16 Johan Danielsson <joda@pdc.kth.se> + + * rsh.c: use krb5_appdefault to get defaults for forward and + encrypt + + * rshd.c: use ARG_MAX + 1 + + * rshd.c (read_str): return allocated string + + * rsh_locl.h: set NCARGS to 8k if undefined + +2003-03-23 Assar Westerlund <assar@kth.se> + + * rsh.c (loop): only check errsock if it's valid + +2003-03-18 Love Love Hörnquist Åstrand <lha@it.su.se> + + * rshd.c: do krb5_afslog when compling with afs support + + * rsh_locl.h: always include kafs.h + +2002-11-22 Johan Danielsson <joda@pdc.kth.se> + + * rshd.8: clarify -x and kerberos 5 + +2002-11-01 Johan Danielsson <joda@pdc.kth.se> + + * rsh_locl.h: bump COMMAND_SZ to NCARGS+1 + 2002-09-04 Johan Danielsson <joda@pdc.kth.se> * rsh.c: free some memory diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in index c51a16e..cc8fda1 100644 --- a/crypto/heimdal/appl/rsh/Makefile.in +++ b/crypto/heimdal/appl/rsh/Makefile.in @@ -18,7 +18,7 @@ # $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ +# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $ SHELL = @SHELL@ srcdir = @srcdir@ @@ -114,6 +114,7 @@ LIB_roken = @LIB_roken@ LIB_security = @LIB_security@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ NROFF = @NROFF@ @@ -192,7 +193,7 @@ LIB_readline = @LIB_readline@ NROFF_MAN = groff -mandoc -Tascii -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) +LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) @KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ @KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la @@ -229,58 +230,38 @@ PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) am_rsh_OBJECTS = rsh.$(OBJEXT) common.$(OBJEXT) rsh_OBJECTS = $(am_rsh_OBJECTS) rsh_LDADD = $(LDADD) -@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES = \ -@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES = \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES = \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la -@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la -@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la +@DCE_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES = \ +@DCE_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ +@DCE_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ +@DCE_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la +@DCE_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = \ +@DCE_FALSE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la +@DCE_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES = \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la +@DCE_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES = \ +@DCE_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la \ +@DCE_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la rsh_LDFLAGS = am_rshd_OBJECTS = rshd.$(OBJEXT) common.$(OBJEXT) login_access.$(OBJEXT) rshd_OBJECTS = $(am_rshd_OBJECTS) rshd_LDADD = $(LDADD) -@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES = \ -@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES = \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la -@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES = \ -@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la -@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la -@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES = \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la \ -@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la +@DCE_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES = \ +@DCE_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ +@DCE_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ +@DCE_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la +@DCE_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = \ +@DCE_FALSE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la +@DCE_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES = \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \ +@DCE_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la +@DCE_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES = \ +@DCE_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la \ +@DCE_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la rshd_LDFLAGS = DEFS = @DEFS@ @@ -307,10 +288,10 @@ all: all-am .SUFFIXES: .SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) cd $(top_srcdir) && \ $(AUTOMAKE) --foreign appl/rsh/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status +Makefile: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.in $(top_builddir)/config.status cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) install-binPROGRAMS: $(bin_PROGRAMS) @@ -590,7 +571,9 @@ info: info-am info-am: -install-data-am: install-data-local install-man +install-data-am: install-man + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-exec-am: install-binPROGRAMS install-libexecPROGRAMS @$(NORMAL_INSTALL) @@ -621,10 +604,10 @@ uninstall-man: uninstall-man1 uninstall-man8 clean-libtool distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am info \ info-am install install-am install-binPROGRAMS install-data \ - install-data-am install-data-local install-exec install-exec-am \ - install-info install-info-am install-libexecPROGRAMS \ - install-man install-man1 install-man8 install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-data-am install-exec install-exec-am install-info \ + install-info-am install-libexecPROGRAMS install-man \ + install-man1 install-man8 install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool tags uninstall \ uninstall-am uninstall-binPROGRAMS uninstall-info-am \ @@ -755,7 +738,7 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans install-cat-mans: $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) -install-data-local: install-cat-mans +install-data-hook: install-cat-mans .et.h: $(COMPILE_ET) $< diff --git a/crypto/heimdal/appl/rsh/rsh.1 b/crypto/heimdal/appl/rsh/rsh.1 index 46652d8..82c1f6c 100644 --- a/crypto/heimdal/appl/rsh/rsh.1 +++ b/crypto/heimdal/appl/rsh/rsh.1 @@ -1,4 +1,35 @@ -.\" $Id: rsh.1,v 1.4 2002/09/04 13:01:52 joda Exp $ +.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: rsh.1,v 1.6 2003/04/16 19:57:25 lha Exp $ .\" .Dd September 4, 2002 .Dt RSH 1 @@ -158,7 +189,7 @@ selects protocol version 2, while .Ar O and .Ar 1 -selects version 1. Version 2 is beleived to be more secure, and is the +selects version 1. Version 2 is believed to be more secure, and is the default. Unless asked for a specific version, .Nm will try both. This behaviour may change in the future. diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c index 6ae9646..8af5096 100644 --- a/crypto/heimdal/appl/rsh/rsh.c +++ b/crypto/heimdal/appl/rsh/rsh.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "rsh_locl.h" -RCSID("$Id: rsh.c,v 1.68 2002/09/04 21:40:04 joda Exp $"); +RCSID("$Id: rsh.c,v 1.71 2003/04/16 20:37:20 joda Exp $"); enum auth_method auth_method; #if defined(KRB4) || defined(KRB5) @@ -87,7 +87,7 @@ loop (int s, int errsock) init_ivecs(1); #endif - if (s >= FD_SETSIZE || errsock >= FD_SETSIZE) + if (s >= FD_SETSIZE || (errsock != -1 && errsock >= FD_SETSIZE)) errx (1, "fd too large"); FD_ZERO(&real_readset); @@ -167,7 +167,8 @@ send_krb4_auth(int s, int status; size_t len; - status = krb_sendauth (do_encrypt ? KOPT_DO_MUTUAL : 0, + /* the normal default for krb4 should be to disable encryption */ + status = krb_sendauth ((do_encrypt == 1) ? KOPT_DO_MUTUAL : 0, s, &text, "rcmd", (char *)hostname, krb_realmofhost (hostname), getpid(), &msg, &cred, schedule, @@ -304,6 +305,14 @@ send_krb5_auth(int s, return 1; } + if(do_encrypt == -1) { + krb5_appdefault_boolean(context, NULL, + krb5_principal_get_realm(context, server), + "encrypt", + FALSE, + &do_encrypt); + } + cksum_data.length = asprintf ((char **)&cksum_data.data, "%u:%s%s%s", ntohs(socket_get_port(thataddr)), @@ -343,6 +352,19 @@ send_krb5_auth(int s, NULL, NULL); + /* do this while we have a principal */ + if(do_forward == -1 || do_forwardable == -1) { + krb5_const_realm realm = krb5_principal_get_realm(context, server); + if (do_forwardable == -1) + krb5_appdefault_boolean(context, NULL, realm, + "forwardable", FALSE, + &do_forwardable); + if (do_forward == -1) + krb5_appdefault_boolean(context, NULL, realm, + "forward", FALSE, + &do_forward); + } + krb5_free_principal(context, server); krb5_data_free(&cksum_data); @@ -625,13 +647,23 @@ construct_command (char **res, int argc, char **argv) } static char * -print_addr (const struct sockaddr_in *sin) +print_addr (const struct sockaddr *sa) { char addr_str[256]; char *res; - - inet_ntop (AF_INET, &sin->sin_addr, addr_str, sizeof(addr_str)); - res = strdup(addr_str); + const char *as = NULL; + + if(sa->sa_family == AF_INET) + as = inet_ntop (sa->sa_family, &((struct sockaddr_in*)sa)->sin_addr, + addr_str, sizeof(addr_str)); +#ifdef HAVE_INET6 + else if(sa->sa_family == AF_INET6) + as = inet_ntop (sa->sa_family, &((struct sockaddr_in6*)sa)->sin6_addr, + addr_str, sizeof(addr_str)); +#endif + if(as == NULL) + return NULL; + res = strdup(as); if (res == NULL) errx (1, "malloc: out of memory"); return res; @@ -640,7 +672,7 @@ print_addr (const struct sockaddr_in *sin) static int doit_broken (int argc, char **argv, - int optind, + int hostindex, struct addrinfo *ai, const char *remote_user, const char *local_user, @@ -652,14 +684,16 @@ doit_broken (int argc, struct addrinfo *a; if (connect (priv_socket1, ai->ai_addr, ai->ai_addrlen) < 0) { - if (ai->ai_next == NULL) - return 1; - + int save_errno = errno; + close(priv_socket1); close(priv_socket2); for (a = ai->ai_next; a != NULL; a = a->ai_next) { pid_t pid; + char *adr = print_addr(a->ai_addr); + if(adr == NULL) + continue; pid = fork(); if (pid < 0) @@ -667,25 +701,25 @@ doit_broken (int argc, else if(pid == 0) { char **new_argv; int i = 0; - struct sockaddr_in *sin = (struct sockaddr_in *)a->ai_addr; new_argv = malloc((argc + 2) * sizeof(*new_argv)); if (new_argv == NULL) errx (1, "malloc: out of memory"); new_argv[i] = argv[i]; ++i; - if (optind == i) - new_argv[i++] = print_addr (sin); + if (hostindex == i) + new_argv[i++] = adr; new_argv[i++] = "-K"; for(; i <= argc; ++i) new_argv[i] = argv[i - 1]; - if (optind > 1) - new_argv[optind + 1] = print_addr(sin); + if (hostindex > 1) + new_argv[hostindex + 1] = adr; new_argv[argc + 1] = NULL; execv(PATH_RSH, new_argv); err(1, "execv(%s)", PATH_RSH); } else { int status; + free(adr); while(waitpid(pid, &status, 0) < 0) ; @@ -693,12 +727,14 @@ doit_broken (int argc, return 0; } } + errno = save_errno; + warn("%s", argv[hostindex]); return 1; } else { int ret; ret = proto (priv_socket1, priv_socket2, - argv[optind], + argv[hostindex], local_user, remote_user, cmd, cmd_len, send_broken_auth); @@ -841,7 +877,7 @@ main(int argc, char **argv) { int priv_port1, priv_port2; int priv_socket1, priv_socket2; - int optind = 0; + int argindex = 0; int error; struct addrinfo hints, *ai; int ret = 1; @@ -867,11 +903,11 @@ main(int argc, char **argv) if (argc >= 2 && argv[1][0] != '-') { host = argv[host_index = 1]; - optind = 1; + argindex = 1; } if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) + &argindex)) usage (1); if (do_help) @@ -907,37 +943,12 @@ main(int argc, char **argv) else use_v5 = 0; } - - if (do_forwardable == -1) - do_forwardable = krb5_config_get_bool (context, NULL, - "libdefaults", - "forwardable", - NULL); - - if (do_forward == -1) - do_forward = krb5_config_get_bool (context, NULL, - "libdefaults", - "forward", - NULL); - else if (do_forward == 0) - do_forwardable = 0; - - if (do_forwardable) + + /* request for forwardable on the command line means we should + also forward */ + if (do_forwardable == 1) do_forward = 1; -#endif -#if defined(KRB4) || defined(KRB5) - if (do_encrypt == -1) { - /* we want to tell the -x flag from the default encryption - option */ -#ifdef KRB5 - /* the normal default for krb4 should be to disable encryption */ - if(!krb5_config_get_bool (context, NULL, - "libdefaults", - "encrypt", - NULL)) -#endif - do_encrypt = 0; - } + #endif #if defined(KRB4) && defined(KRB5) @@ -986,10 +997,10 @@ main(int argc, char **argv) #endif if (host == NULL) { - if (argc - optind < 1) + if (argc - argindex < 1) usage (1); else - host = argv[host_index = optind++]; + host = argv[host_index = argindex++]; } if((tmp = strchr(host, '@')) != NULL) { @@ -998,7 +1009,7 @@ main(int argc, char **argv) host = tmp; } - if (optind == argc) { + if (argindex == argc) { close (priv_socket1); close (priv_socket2); argv[0] = "rlogin"; @@ -1013,7 +1024,7 @@ main(int argc, char **argv) if (user == NULL) user = local_user; - cmd_len = construct_command(&cmd, argc - optind, argv + optind); + cmd_len = construct_command(&cmd, argc - argindex, argv + argindex); /* * Try all different authentication methods diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h index 0d54a3e..151a888 100644 --- a/crypto/heimdal/appl/rsh/rsh_locl.h +++ b/crypto/heimdal/appl/rsh/rsh_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: rsh_locl.h,v 1.28 2002/09/03 20:03:46 joda Exp $ */ +/* $Id: rsh_locl.h,v 1.33 2003/04/16 20:05:39 lha Exp $ */ #ifdef HAVE_CONFIG_H #include <config.h> @@ -78,6 +78,9 @@ #ifdef HAVE_NETDB_H #include <netdb.h> #endif +#ifdef HAVE_LIMITS_H +#include <limits.h> +#endif #include <errno.h> #ifdef HAVE_SYS_PARAM_H @@ -101,9 +104,7 @@ #include <krb5.h> #include <krb5-private.h> /* for _krb5_{get,put}_int */ #endif -#ifdef KRB4 #include <kafs.h> -#endif #ifndef _PATH_NOLOGIN #define _PATH_NOLOGIN "/etc/nologin" @@ -147,7 +148,9 @@ extern des_cblock iv; #define KCMD_NEW_VERSION "KCMDV0.2" #define USERNAME_SZ 16 -#define COMMAND_SZ 1024 +#ifndef ARG_MAX +#define ARG_MAX 8192 +#endif #define RSH_BUFSIZ (5 * 1024) /* MIT kcmd can't handle larger buffers */ diff --git a/crypto/heimdal/appl/rsh/rshd.8 b/crypto/heimdal/appl/rsh/rshd.8 index 22ad0fc..7c7a363 100644 --- a/crypto/heimdal/appl/rsh/rshd.8 +++ b/crypto/heimdal/appl/rsh/rshd.8 @@ -1,8 +1,37 @@ -.\" Things to fix: -.\" * remove Op from mandatory flags -.\" * use better macros for arguments (like .Pa for files) +.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.Dd July 31, 2001 +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: rshd.8,v 1.7 2003/04/16 19:58:42 lha Exp $ +.\" +.Dd November 22, 2002 .Dt RSHD 8 .Os HEIMDAL .Sh NAME @@ -25,9 +54,9 @@ service. Supported options are: .Fl n , .Fl -no-keepalive .Xc -Disables keep-alive messages. Keep-alives are packets sent a certain -interval to make sure that the client is still there, even when it -doesn't send any data. +Disables keep-alive messages. +Keep-alives are packets sent at certain intervals to make sure that the +client is still there, even when it doesn't send any data. .It Xo .Fl k , .Fl -kerberos @@ -43,7 +72,10 @@ configuration. .Fl -encrypt .Xc For Kerberos 4 this means that the connections are encrypted. Kerberos -5 will negotiate encryption inline. This option implies +5 can negotiate encryption even without this option, but if it's +present +.Nm +will deny unencrypted connections. This option implies .Fl k . .\".It Xo .\".Fl l , diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c index bec9bf4..c3c3d38 100644 --- a/crypto/heimdal/appl/rsh/rshd.c +++ b/crypto/heimdal/appl/rsh/rshd.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "rsh_locl.h" -RCSID("$Id: rshd.c,v 1.47 2002/09/03 20:03:26 joda Exp $"); +RCSID("$Id: rshd.c,v 1.51 2003/04/16 19:50:49 joda Exp $"); int login_access( struct passwd *user, char *from); @@ -68,9 +68,7 @@ static int do_kerberos = 0; #define DO_KRB5 4 static int do_vacuous = 0; static int do_log = 1; -#ifdef KRB4 static int do_newpag = 1; -#endif static int do_addr_verify = 0; static int do_keepalive = 1; static int do_version; @@ -100,7 +98,7 @@ syslog_and_die (const char *m, ...) static void fatal (int, const char*, const char *, ...) - __attribute__ ((format (printf, 3, 4))); + __attribute__ ((noreturn, format (printf, 3, 4))); static void fatal (int sock, const char *what, const char *m, ...) @@ -122,38 +120,41 @@ fatal (int sock, const char *what, const char *m, ...) exit (1); } -static void -read_str (int s, char *str, size_t sz, char *expl) +static char * +read_str (int s, size_t sz, char *expl) { - while (sz > 0) { - if (net_read (s, str, 1) != 1) - syslog_and_die ("read: %m"); - if (*str == '\0') - return; - --sz; - ++str; + char *str = malloc(sz); + char *p = str; + if(str == NULL) + fatal(s, NULL, "%s too long", expl); + while(p < str + sz) { + if(net_read(s, p, 1) != 1) + syslog_and_die("read: %m"); + if(*p == '\0') + return str; + p++; } - fatal (s, NULL, "%s too long", expl); + fatal(s, NULL, "%s too long", expl); } static int recv_bsd_auth (int s, u_char *buf, struct sockaddr_in *thisaddr, struct sockaddr_in *thataddr, - char *client_username, - char *server_username, - char *cmd) + char **client_username, + char **server_username, + char **cmd) { struct passwd *pwd; - - read_str (s, client_username, USERNAME_SZ, "local username"); - read_str (s, server_username, USERNAME_SZ, "remote username"); - read_str (s, cmd, COMMAND_SZ, "command"); - pwd = getpwnam(server_username); + + *client_username = read_str (s, USERNAME_SZ, "local username"); + *server_username = read_str (s, USERNAME_SZ, "remote username"); + *cmd = read_str (s, ARG_MAX + 1, "command"); + pwd = getpwnam(*server_username); if (pwd == NULL) fatal(s, NULL, "Login incorrect."); if (iruserok(thataddr->sin_addr.s_addr, pwd->pw_uid == 0, - client_username, server_username)) + *client_username, *server_username)) fatal(s, NULL, "Login incorrect."); return 0; } @@ -163,9 +164,9 @@ static int recv_krb4_auth (int s, u_char *buf, struct sockaddr *thisaddr, struct sockaddr *thataddr, - char *client_username, - char *server_username, - char *cmd) + char **client_username, + char **server_username, + char **cmd) { int status; int32_t options; @@ -202,18 +203,18 @@ recv_krb4_auth (int s, u_char *buf, if (strncmp (version, KCMD_OLD_VERSION, KRB_SENDAUTH_VLEN) != 0) syslog_and_die ("bad version: %s", version); - read_str (s, server_username, USERNAME_SZ, "remote username"); - if (kuserok (&auth, server_username) != 0) + *server_username = read_str (s, USERNAME_SZ, "remote username"); + if (kuserok (&auth, *server_username) != 0) fatal (s, NULL, "Permission denied."); - read_str (s, cmd, COMMAND_SZ, "command"); + *cmd = read_str (s, ARG_MAX + 1, "command"); syslog(LOG_INFO|LOG_AUTH, "kerberos v4 shell from %s on %s as %s, cmd '%.80s'", krb_unparse_name_long(auth.pname, auth.pinst, auth.prealm), inet_ntoa(((struct sockaddr_in *)thataddr)->sin_addr), - server_username, - cmd); + *server_username, + *cmd); memcpy (iv, auth.session, sizeof(iv)); @@ -249,6 +250,9 @@ save_krb5_creds (int s, krb5_cc_initialize(context,ccache,client); ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred); + if(ret != 0) + syslog(LOG_INFO|LOG_AUTH, + "reading creds: %s", krb5_get_err_text(context, ret)); krb5_data_free (&remote_cred); if (ret) return 0; @@ -299,9 +303,9 @@ static int recv_krb5_auth (int s, u_char *buf, struct sockaddr *thisaddr, struct sockaddr *thataddr, - char *client_username, - char *server_username, - char *cmd) + char **client_username, + char **server_username, + char **cmd) { u_int32_t len; krb5_auth_context auth_context = NULL; @@ -343,9 +347,9 @@ recv_krb5_auth (int s, u_char *buf, syslog_and_die ("krb5_recvauth: %s", krb5_get_err_text(context, status)); - read_str (s, server_username, USERNAME_SZ, "remote username"); - read_str (s, cmd, COMMAND_SZ, "command"); - read_str (s, client_username, COMMAND_SZ, "local username"); + *server_username = read_str (s, USERNAME_SZ, "remote username"); + *cmd = read_str (s, ARG_MAX + 1, "command"); + *client_username = read_str (s, ARG_MAX + 1, "local username"); if(protocol_version == 2) { status = krb5_auth_con_getremotesubkey(context, auth_context, @@ -370,8 +374,8 @@ recv_krb5_auth (int s, u_char *buf, cksum_data.length = asprintf ((char **)&cksum_data.data, "%u:%s%s", ntohs(socket_get_port (thisaddr)), - cmd, - server_username); + *cmd, + *server_username); status = krb5_verify_authenticator_checksum(context, auth_context, @@ -384,38 +388,38 @@ recv_krb5_auth (int s, u_char *buf, free (cksum_data.data); - if (strncmp (client_username, "-u ", 3) == 0) { + if (strncmp (*client_username, "-u ", 3) == 0) { do_unique_tkfile = 1; - memmove (client_username, client_username + 3, - strlen(client_username) - 2); + memmove (*client_username, *client_username + 3, + strlen(*client_username) - 2); } - if (strncmp (client_username, "-U ", 3) == 0) { + if (strncmp (*client_username, "-U ", 3) == 0) { char *end, *temp_tkfile; do_unique_tkfile = 1; - if (strncmp (server_username + 3, "FILE:", 5) == 0) { + if (strncmp (*client_username + 3, "FILE:", 5) == 0) { temp_tkfile = tkfile; } else { strcpy (tkfile, "FILE:"); temp_tkfile = tkfile + 5; } - end = strchr(client_username + 3,' '); - strncpy(temp_tkfile, client_username + 3, end - client_username - 3); - temp_tkfile[end - client_username - 3] = '\0'; - memmove (client_username, end +1, strlen(end+1)+1); + end = strchr(*client_username + 3,' '); + strncpy(temp_tkfile, *client_username + 3, end - *client_username - 3); + temp_tkfile[end - *client_username - 3] = '\0'; + memmove (*client_username, end + 1, strlen(end+1)+1); } kerberos_status = save_krb5_creds (s, auth_context, ticket->client); if(!krb5_kuserok (context, - ticket->client, - server_username)) + ticket->client, + *server_username)) fatal (s, NULL, "Permission denied."); - if (strncmp (cmd, "-x ", 3) == 0) { + if (strncmp (*cmd, "-x ", 3) == 0) { do_encrypt = 1; - memmove (cmd, cmd + 3, strlen(cmd) - 2); + memmove (*cmd, *cmd + 3, strlen(*cmd) - 2); } else { if(do_encrypt) fatal (s, NULL, "Encryption is required."); @@ -438,8 +442,8 @@ recv_krb5_auth (int s, u_char *buf, "kerberos v5 shell from %s on %s as %s, cmd '%.80s'", name, addr_str, - server_username, - cmd); + *server_username, + *cmd); free (name); } } @@ -649,8 +653,7 @@ doit (void) socklen_t thisaddr_len, thataddr_len; int port; int errsock = -1; - char client_user[COMMAND_SZ], server_user[USERNAME_SZ]; - char cmd[COMMAND_SZ]; + char *client_user, *server_user, *cmd; struct passwd *pwd; int s = STDIN_FILENO; char **env; @@ -724,18 +727,18 @@ doit (void) #ifdef KRB4 if ((do_kerberos & DO_KRB4) && recv_krb4_auth (s, buf, thisaddr, thataddr, - client_user, - server_user, - cmd) == 0) + &client_user, + &server_user, + &cmd) == 0) auth_method = AUTH_KRB4; else #endif /* KRB4 */ #ifdef KRB5 if((do_kerberos & DO_KRB5) && recv_krb5_auth (s, buf, thisaddr, thataddr, - client_user, - server_user, - cmd) == 0) + &client_user, + &server_user, + &cmd) == 0) auth_method = AUTH_KRB5; else #endif /* KRB5 */ @@ -745,9 +748,9 @@ doit (void) if(recv_bsd_auth (s, buf, (struct sockaddr_in *)thisaddr, (struct sockaddr_in *)thataddr, - client_user, - server_user, - cmd) == 0) { + &client_user, + &server_user, + &cmd) == 0) { auth_method = AUTH_BROKEN; if(do_vacuous) { printf("Remote host requires Kerberos authentication\n"); @@ -864,16 +867,17 @@ doit (void) fatal (s, "net_write", "write failed"); } -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) if(k_hasafs()) { char cell[64]; if(do_newpag) k_setpag(); +#ifdef KRB4 if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0) krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir); - krb_afslog_uid_home(NULL, NULL, pwd->pw_uid, pwd->pw_dir); +#endif #ifdef KRB5 /* XXX */ @@ -883,14 +887,17 @@ doit (void) status = krb5_cc_resolve (context, tkfile, &ccache); if (!status) { - krb5_afslog_uid_home(context,ccache,NULL,NULL, + if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0) + krb5_afslog_uid_home(context, ccache, cell, NULL, + pwd->pw_uid, pwd->pw_dir); + krb5_afslog_uid_home(context, ccache, NULL, NULL, pwd->pw_uid, pwd->pw_dir); krb5_cc_close (context, ccache); } } #endif /* KRB5 */ } -#endif /* KRB4 */ +#endif /* KRB5 || KRB4 */ execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env); err(1, "exec %s", pwd->pw_shell); } |