diff options
Diffstat (limited to 'crypto/kerberosIV/lib/auth')
23 files changed, 0 insertions, 2454 deletions
diff --git a/crypto/kerberosIV/lib/auth/ChangeLog b/crypto/kerberosIV/lib/auth/ChangeLog deleted file mode 100644 index f9c948c..0000000 --- a/crypto/kerberosIV/lib/auth/ChangeLog +++ /dev/null @@ -1,65 +0,0 @@ -1999-11-15 Assar Westerlund <assar@sics.se> - - * */lib/Makefile.in: set LIBNAME. From Enrico Scholz - <Enrico.Scholz@informatik.tu-chemnitz.de> - -1999-10-17 Assar Westerlund <assar@sics.se> - - * afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4 - -1999-10-03 Assar Westerlund <assar@sics.se> - - * afskauthlib/verify.c (verify_krb5): update to new - krb524_convert_creds_kdc - -1999-09-28 Assar Westerlund <assar@sics.se> - - * sia/sia.c (doauth): use krb5_get_local_realms and - krb5_verify_user_lrealm - - * afskauthlib/verify.c (verify_krb5): remove krb5_kuserok. use - krb5_verify_user_lrealm - -1999-08-11 Johan Danielsson <joda@pdc.kth.se> - - * afskauthlib/verify.c: make this compile w/o krb4 - -1999-08-04 Assar Westerlund <assar@sics.se> - - * afskauthlib/verify.c: incorporate patches from Miroslav Ruda - <ruda@ics.muni.cz> - -Thu Apr 8 14:35:34 1999 Johan Danielsson <joda@hella.pdc.kth.se> - - * sia/sia.c: remove definition of KRB_VERIFY_USER (moved to - config.h) - - * sia/Makefile.am: make it build w/o krb4 - - * afskauthlib/verify.c: add krb5 support - - * afskauthlib/Makefile.am: build afskauthlib.so - -Wed Apr 7 14:06:22 1999 Johan Danielsson <joda@hella.pdc.kth.se> - - * sia/sia.c: make it compile w/o krb4 - - * sia/Makefile.am: make it compile w/o krb4 - -Thu Apr 1 18:09:23 1999 Johan Danielsson <joda@hella.pdc.kth.se> - - * sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h - -Sun Mar 21 14:08:30 1999 Johan Danielsson <joda@hella.pdc.kth.se> - - * sia/Makefile.in: add posix_getpw.c - - * sia/Makefile.am: makefile for sia - - * sia/posix_getpw.c: move from sia.c - - * sia/sia_locl.h: merge with krb5 version - - * sia/sia.c: merge with krb5 version - - * sia/sia5.c: remove unused variables diff --git a/crypto/kerberosIV/lib/auth/Makefile.am b/crypto/kerberosIV/lib/auth/Makefile.am deleted file mode 100644 index 0310dc3..0000000 --- a/crypto/kerberosIV/lib/auth/Makefile.am +++ /dev/null @@ -1,6 +0,0 @@ -# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -SUBDIRS = @LIB_AUTH_SUBDIRS@ -DIST_SUBDIRS = afskauthlib pam sia diff --git a/crypto/kerberosIV/lib/auth/Makefile.in b/crypto/kerberosIV/lib/auth/Makefile.in deleted file mode 100644 index 53fde5f..0000000 --- a/crypto/kerberosIV/lib/auth/Makefile.in +++ /dev/null @@ -1,55 +0,0 @@ -# -# $Id: Makefile.in,v 1.12 1998/03/15 05:58:10 assar Exp $ -# - -srcdir = @srcdir@ -VPATH = @srcdir@ - -SHELL = /bin/sh - -@SET_MAKE@ - -SUBDIRS = @LIB_AUTH_SUBDIRS@ - -all: - SUBDIRS='$(SUBDIRS)'; \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) all); done - -Wall: - make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" - -install: - SUBDIRS=$(SUBDIRS); \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) install); done - -uninstall: - SUBDIRS=$(SUBDIRS); \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done - -check: - SUBDIRS=$(SUBDIRS); \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) check); done - -clean: - SUBDIRS=$(SUBDIRS); \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) clean); done - -mostlyclean: clean - -distclean: - SUBDIRS=$(SUBDIRS); \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) distclean); done - rm -f Makefile *~ - -realclean: - SUBDIRS=$(SUBDIRS); \ - for i in $$SUBDIRS; \ - do (cd $$i && $(MAKE) $(MFLAGS) realclean); done - -.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am deleted file mode 100644 index 7dd6d52..0000000 --- a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am +++ /dev/null @@ -1,38 +0,0 @@ -# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) - -DEFS = @DEFS@ - -foodir = $(libdir) -foo_DATA = afskauthlib.so - -SUFFIXES += .c .o - -SRCS = verify.c -OBJS = verify.o - -CLEANFILES = $(foo_DATA) $(OBJS) so_locations - -afskauthlib.so: $(OBJS) - $(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L) - -.c.o: - $(COMPILE) -c $< - -if KRB4 -KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a -endif - -L = \ - $(KAFS) \ - $(top_builddir)/lib/krb5/.libs/libkrb5.a \ - $(top_builddir)/lib/asn1/.libs/libasn1.a \ - $(LIB_krb4) \ - $(top_builddir)/lib/des/.libs/libdes.a \ - $(top_builddir)/lib/roken/.libs/libroken.a \ - -lc - -$(OBJS): $(top_builddir)/include/config.h diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in deleted file mode 100644 index 5e073af..0000000 --- a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in +++ /dev/null @@ -1,87 +0,0 @@ -# -# $Id: Makefile.in,v 1.25.2.1 2000/06/23 03:20:05 assar Exp $ -# - -SHELL = /bin/sh - -srcdir = @srcdir@ -VPATH = @srcdir@ - -CC = @CC@ -LINK = @LINK@ -AR = ar -LN_S = @LN_S@ -RANLIB = @RANLIB@ -DEFS = @DEFS@ -CFLAGS = @CFLAGS@ $(WFLAGS) -WFLAGS = @WFLAGS@ - -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -MKINSTALLDIRS = @top_srcdir@/mkinstalldirs - -prefix = @prefix@ -exec_prefix = @exec_prefix@ -libdir = @libdir@ - -@lib_deps_yes@LIB_DEPS = -L../../kafs -lkafs \ -@lib_deps_yes@ -L../../krb -lkrb \ -@lib_deps_yes@ -L../../des -ldes \ -@lib_deps_yes@ -L../../roken -lroken \ -@lib_deps_yes@ -lc -@lib_deps_no@LIB_DEPS = - -PICFLAGS = @REAL_PICFLAGS@ -LDSHARED = @LDSHARED@ -SHLIBEXT = @REAL_SHLIBEXT@ -LD_FLAGS = @REAL_LD_FLAGS@ - -LIBNAME = afskauthlib -LIB = $(LIBNAME).$(SHLIBEXT) - -SOURCES = verify.c - -OBJECTS = verify.o - -all: $(LIB) - -Wall: - make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" - -.c.o: - $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< - -install: all - $(MKINSTALLDIRS) $(DESTDIR)$(libdir) - -if test "$(LIB)" != ""; then \ - $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -uninstall: - -if test "$(LIB)" != ""; then \ - rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -TAGS: $(SOURCES) - etags $(SOURCES) - -check: - -clean: - rm -f $(LIB) *.o - -mostlyclean: clean - -distclean: clean - rm -f Makefile *.tab.c *~ - -realclean: distclean - rm -f TAGS - -$(OBJECTS): ../../../include/config.h - -$(LIB): $(OBJECTS) - rm -f $@ - $(LDSHARED) $(CFLAGS) -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS) - -.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/README b/crypto/kerberosIV/lib/auth/afskauthlib/README deleted file mode 100644 index 6052a26..0000000 --- a/crypto/kerberosIV/lib/auth/afskauthlib/README +++ /dev/null @@ -1,25 +0,0 @@ - -IRIX ----- - -The IRIX support is a module that is compatible with Transarc's -`afskauthlib.so'. It should work with all programs that use this -library, this should include `login' and `xdm'. - -The interface is not very documented but it seems that you have to copy -`libkafs.so', `libkrb.so', and `libdes.so' to `/usr/lib', or build your -`afskauthlib.so' statically. - -The `afskauthlib.so' itself is able to reside in `/usr/vice/etc', -`/usr/afsws/lib', or the current directory (wherever that is). - -IRIX 6.4 and newer seems to have all programs (including `xdm' and -`login') in the N32 object format, whereas in older versions they were -O32. For it to work, the `afskauthlib.so' library has to be in the same -object format as the program that tries to load it. This might require -that you have to configure and build for O32 in addition to the default -N32. - -Appart from this it should "just work", there are no configuration -files. - diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c deleted file mode 100644 index 1c23119..0000000 --- a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c +++ /dev/null @@ -1,288 +0,0 @@ -/* - * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifdef HAVE_CONFIG_H -#include <config.h> -RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $"); -#endif -#include <unistd.h> -#include <sys/types.h> -#include <pwd.h> -#ifdef KRB5 -#include <krb5.h> -#endif -#ifdef KRB4 -#include <krb.h> -#include <kafs.h> -#endif -#include <roken.h> - -#ifdef KRB5 -static char krb5ccname[128]; -#endif -#ifdef KRB4 -static char krbtkfile[128]; -#endif - -/* - In some cases is afs_gettktstring called twice (once before - afs_verify and once after afs_verify). - In some cases (rlogin with access allowed via .rhosts) - afs_verify is not called! - So we can't rely on correct value in krbtkfile in some - cases! -*/ - -static int correct_tkfilename=0; -static int pag_set=0; - -#ifdef KRB4 -static void -set_krbtkfile(uid_t uid) -{ - snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid); - krb_set_tkt_string (krbtkfile); - correct_tkfilename = 1; -} -#endif - -/* XXX this has to be the default cache name, since the KRB5CCNAME - * environment variable isn't exported by login/xdm - */ - -#ifdef KRB5 -static void -set_krb5ccname(uid_t uid) -{ - snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid); -#ifdef KRB4 - snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid); -#endif - correct_tkfilename = 1; -} -#endif - -static void -set_spec_krbtkfile(void) -{ - int fd; -#ifdef KRB4 - snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT); - fd = mkstemp(krbtkfile); - close(fd); - unlink(krbtkfile); - krb_set_tkt_string (krbtkfile); -#endif -#ifdef KRB5 - snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX"); - fd=mkstemp(krb5ccname+5); - close(fd); - unlink(krb5ccname+5); -#endif -} - -#ifdef KRB5 -static int -verify_krb5(struct passwd *pwd, - char *password, - int32_t *exp, - int quiet) -{ - krb5_context context; - krb5_error_code ret; - krb5_ccache ccache; - krb5_principal principal; - - krb5_init_context(&context); - - ret = krb5_parse_name (context, pwd->pw_name, &principal); - if (ret) { - syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s", - krb5_get_err_text(context, ret)); - goto out; - } - - set_krb5ccname(pwd->pw_uid); - ret = krb5_cc_resolve(context, krb5ccname, &ccache); - if(ret) { - syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", - krb5_get_err_text(context, ret)); - goto out; - } - - ret = krb5_verify_user_lrealm(context, - principal, - ccache, - password, - TRUE, - NULL); - if(ret) { - syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", - krb5_get_err_text(context, ret)); - goto out; - } - - if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) { - syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", - krb5_get_err_text(context, errno)); - goto out; - } - -#ifdef KRB4 - if (krb5_config_get_bool(context, NULL, - "libdefaults", - "krb4_get_tickets", - NULL)) { - CREDENTIALS c; - krb5_creds mcred, cred; - krb5_realm realm; - - krb5_get_default_realm(context, &realm); - krb5_make_principal(context, &mcred.server, realm, - "krbtgt", - realm, - NULL); - free (realm); - ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); - if(ret == 0) { - ret = krb524_convert_creds_kdc(context, ccache, &cred, &c); - if(ret) - krb5_warn(context, ret, "converting creds"); - else { - set_krbtkfile(pwd->pw_uid); - tf_setup(&c, c.pname, c.pinst); - } - memset(&c, 0, sizeof(c)); - krb5_free_creds_contents(context, &cred); - } else - syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", - krb5_get_err_text(context, ret)); - - krb5_free_principal(context, mcred.server); - } - if (!pag_set && k_hasafs()) { - k_setpag(); - pag_set = 1; - krb5_afslog_uid_home(context, ccache, NULL, NULL, - pwd->pw_uid, pwd->pw_dir); - } -#endif -out: - if(ret && !quiet) - printf ("%s\n", krb5_get_err_text (context, ret)); - return ret; -} -#endif - -#ifdef KRB4 -static int -verify_krb4(struct passwd *pwd, - char *password, - int32_t *exp, - int quiet) -{ - int ret = 1; - char lrealm[REALM_SZ]; - - if (krb_get_lrealm (lrealm, 1) != KFAILURE) { - set_krbtkfile(pwd->pw_uid); - ret = krb_verify_user (pwd->pw_name, "", lrealm, password, - KRB_VERIFY_SECURE, NULL); - if (ret == KSUCCESS) { - if (!pag_set && k_hasafs()) { - k_setpag (); - pag_set = 1; - krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir); - } - } else if (!quiet) - printf ("%s\n", krb_get_err_text (ret)); - } - return ret; -} -#endif - -int -afs_verify(char *name, - char *password, - int32_t *exp, - int quiet) -{ - int ret = 1; - struct passwd *pwd = k_getpwnam (name); - - if(pwd == NULL) - return 1; - if (ret) - ret = unix_verify_user (name, password); -#ifdef KRB5 - if (ret) - ret = verify_krb5(pwd, password, exp, quiet); -#endif -#ifdef KRB4 - if(ret) - ret = verify_krb4(pwd, password, exp, quiet); -#endif - return ret; -} - -char * -afs_gettktstring (void) -{ - char *ptr; - struct passwd *pwd; - - if (!correct_tkfilename) { - ptr = getenv("LOGNAME"); - if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) { - set_krb5ccname(pwd->pw_uid); -#ifdef KRB4 - set_krbtkfile(pwd->pw_uid); - if (!pag_set && k_hasafs()) { - k_setpag(); - pag_set=1; - } -#endif - } else { - set_spec_krbtkfile(); - } - } -#ifdef KRB5 - setenv("KRB5CCNAME",krb5ccname,1); -#endif -#ifdef KRB4 - setenv("KRBTKFILE",krbtkfile,1); - return krbtkfile; -#else - return ""; -#endif -} diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.am b/crypto/kerberosIV/lib/auth/pam/Makefile.am deleted file mode 100644 index abde2d9..0000000 --- a/crypto/kerberosIV/lib/auth/pam/Makefile.am +++ /dev/null @@ -1,3 +0,0 @@ -# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ - -include $(top_srcdir)/Makefile.am.common diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.in b/crypto/kerberosIV/lib/auth/pam/Makefile.in deleted file mode 100644 index 4369532..0000000 --- a/crypto/kerberosIV/lib/auth/pam/Makefile.in +++ /dev/null @@ -1,87 +0,0 @@ -# -# $Id: Makefile.in,v 1.25.2.2 2000/12/07 16:44:11 assar Exp $ -# - -SHELL = /bin/sh - -srcdir = @srcdir@ -VPATH = @srcdir@ - -CC = @CC@ -LINK = @LINK@ -AR = ar -RANLIB = @RANLIB@ -DEFS = @DEFS@ -CFLAGS = @CFLAGS@ $(WFLAGS) -WFLAGS = @WFLAGS@ - -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -MKINSTALLDIRS = @top_srcdir@/mkinstalldirs - -prefix = @prefix@ -exec_prefix = @exec_prefix@ -libdir = @libdir@ - -PICFLAGS = @REAL_PICFLAGS@ -LDSHARED = @LDSHARED@ -SHLIBEXT = @REAL_SHLIBEXT@ -LD_FLAGS = @REAL_LD_FLAGS@ - -LIB_res_search = @LIB_res_search@ -LIB_dn_expand = @LIB_dn_expand@ - -@lib_deps_yes@LIB_DEPS = ../../kafs/libkafs_pic.a \ -@lib_deps_yes@ ../../krb/libkrb_pic.a ../../des/libdes_pic.a \ -@lib_deps_yes@ $(LIB_res_search) $(LIB_dn_expand) -lpam -lc -@lib_deps_no@LIB_DEPS = - -LIBNAME = pam_krb4 -LIB = $(LIBNAME).$(SHLIBEXT) - -SOURCES = pam.c - -OBJECTS = pam.o - -all: $(LIB) - -Wall: - make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" - -.c.o: - $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< - -install: all - $(MKINSTALLDIRS) $(DESTDIR)$(libdir) - -if test "$(LIB)" != ""; then \ - $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -uninstall: - -if test "$(LIB)" != ""; then \ - rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -TAGS: $(SOURCES) - etags $(SOURCES) - -check: - -clean: - rm -f $(LIB) *.o - -mostlyclean: clean - -distclean: clean - rm -f Makefile *.tab.c *~ - -realclean: distclean - rm -f TAGS - -$(OBJECTS): ../../../include/config.h - -$(LIB): $(OBJECTS) - rm -f $@ - $(LDSHARED) -Wl,-Bsymbolic -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS) - -.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/pam/README b/crypto/kerberosIV/lib/auth/pam/README deleted file mode 100644 index 2c45a53..0000000 --- a/crypto/kerberosIV/lib/auth/pam/README +++ /dev/null @@ -1,25 +0,0 @@ - -PAM ---- - -The PAM module was written more out of curiosity that anything else. It -has not been updated for quite a while, but it seems to mostly work on -both Linux and Solaris. - -To use this module you should: - - * Make sure `pam_krb4.so' is available in `/usr/athena/lib'. You - might actually want it on local disk, so `/lib/security' might be a - better place if `/usr/athena' is not local. - - * Look at `pam.conf.add' for examples of what to add to - `/etc/pam.conf'. - -There is currently no support for changing kerberos passwords. Use -kpasswd instead. - -See also Derrick J Brashear's `<shadow@dementia.org>' Kerberos PAM -module at -<ftp://ftp.dementia.org/pub/pam>. It has a lot more features, and it is -also more in line with other PAM modules. - diff --git a/crypto/kerberosIV/lib/auth/pam/pam.c b/crypto/kerberosIV/lib/auth/pam/pam.c deleted file mode 100644 index 22dfc74..0000000 --- a/crypto/kerberosIV/lib/auth/pam/pam.c +++ /dev/null @@ -1,443 +0,0 @@ -/* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifdef HAVE_CONFIG_H -#include<config.h> -RCSID("$Id: pam.c,v 1.22.2.2 2000/10/13 15:41:09 assar Exp $"); -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <pwd.h> -#include <unistd.h> -#include <sys/types.h> -#include <syslog.h> - -#include <security/pam_appl.h> -#include <security/pam_modules.h> -#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */ -#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR -#endif - -#include <netinet/in.h> -#include <krb.h> -#include <kafs.h> - -#if 0 -/* Debugging PAM modules is a royal pain, truss helps. */ -#define DEBUG(msg) (access(msg " at line", __LINE__)) -#endif - -static void -psyslog(int level, const char *format, ...) -{ - va_list args; - va_start(args, format); - openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(level, format, args); - va_end(args); - closelog(); -} - -enum { - KRB4_DEBUG, - KRB4_USE_FIRST_PASS, - KRB4_TRY_FIRST_PASS, - KRB4_IGNORE_ROOT, - KRB4_NO_VERIFY, - KRB4_REAFSLOG, - KRB4_CTRLS /* Number of ctrl arguments defined. */ -}; - -#define KRB4_DEFAULTS 0 - -static int ctrl_flags = KRB4_DEFAULTS; -#define ctrl_on(x) (krb4_args[x].flag & ctrl_flags) -#define ctrl_off(x) (!ctrl_on(x)) - -typedef struct -{ - const char *token; - unsigned int flag; -} krb4_ctrls_t; - -static krb4_ctrls_t krb4_args[KRB4_CTRLS] = -{ - /* KRB4_DEBUG */ { "debug", 0x01 }, - /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 }, - /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 }, - /* KRB4_IGNORE_ROOT */ { "ignore_root", 0x08 }, - /* KRB4_NO_VERIFY */ { "no_verify", 0x10 }, - /* KRB4_REAFSLOG */ { "reafslog", 0x20 }, -}; - -static void -parse_ctrl(int argc, const char **argv) -{ - int i, j; - - ctrl_flags = KRB4_DEFAULTS; - for (i = 0; i < argc; i++) - { - for (j = 0; j < KRB4_CTRLS; j++) - if (strcmp(argv[i], krb4_args[j].token) == 0) - break; - - if (j >= KRB4_CTRLS) - psyslog(LOG_ALERT, "unrecognized option [%s]", *argv); - else - ctrl_flags |= krb4_args[j].flag; - } -} - -static void -pdeb(const char *format, ...) -{ - va_list args; - if (ctrl_off(KRB4_DEBUG)) - return; - va_start(args, format); - openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_DEBUG, format, args); - va_end(args); - closelog(); -} - -#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid()) - -static void -set_tkt_string(uid_t uid) -{ - char buf[128]; - - snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid); - krb_set_tkt_string(buf); - -#if 0 - /* pam_set_data+pam_get_data are not guaranteed to work, grr. */ - pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup); - if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS) - { - pam_putenv(pamh, var); - } -#endif - - /* We don't want to inherit this variable. - * If we still do, it must have a sane value. */ - if (getenv("KRBTKFILE") != 0) - { - char *var = malloc(sizeof(buf)); - snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string()); - putenv(var); - /* free(var); XXX */ - } -} - -static int -verify_pass(pam_handle_t *pamh, - const char *name, - const char *inst, - const char *pass) -{ - char realm[REALM_SZ]; - int ret, krb_verify, old_euid, old_ruid; - - krb_get_lrealm(realm, 1); - if (ctrl_on(KRB4_NO_VERIFY)) - krb_verify = KRB_VERIFY_SECURE_FAIL; - else - krb_verify = KRB_VERIFY_SECURE; - old_ruid = getuid(); - old_euid = geteuid(); - setreuid(0, 0); - ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL); - pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s", - name, inst, realm, krb_verify, - krb_get_err_text(ret)); - setreuid(old_ruid, old_euid); - if (getuid() != old_ruid || geteuid() != old_euid) - { - psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", - old_ruid, old_euid, __LINE__); - exit(1); - } - - switch(ret) { - case KSUCCESS: - return PAM_SUCCESS; - case KDC_PR_UNKNOWN: - return PAM_USER_UNKNOWN; - case SKDC_CANT: - case SKDC_RETRY: - case RD_AP_TIME: - return PAM_AUTHINFO_UNAVAIL; - default: - return PAM_AUTH_ERR; - } -} - -static int -krb4_auth(pam_handle_t *pamh, - int flags, - const char *name, - const char *inst, - struct pam_conv *conv) -{ - struct pam_response *resp; - char prompt[128]; - struct pam_message msg, *pmsg = &msg; - int ret; - - if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS)) - { - char *pass = 0; - ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); - if (ret != PAM_SUCCESS) - { - psyslog(LOG_ERR , "pam_get_item returned error to get-password"); - return ret; - } - else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS) - return PAM_SUCCESS; - else if (ctrl_on(KRB4_USE_FIRST_PASS)) - return PAM_AUTHTOK_RECOVERY_ERR; /* Wrong password! */ - else - /* We tried the first password but it didn't work, cont. */; - } - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - if (*inst == 0) - snprintf(prompt, sizeof(prompt), "%s's Password: ", name); - else - snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst); - msg.msg = prompt; - - ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr); - if (ret != PAM_SUCCESS) - return ret; - - ret = verify_pass(pamh, name, inst, resp->resp); - if (ret == PAM_SUCCESS) - { - memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */ - free(resp->resp); - free(resp); - } - else - { - pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */ - /* free(resp->resp); XXX */ - /* free(resp); XXX */ - } - - return ret; -} - -int -pam_sm_authenticate(pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - char *user; - int ret; - struct pam_conv *conv; - struct passwd *pw; - uid_t uid = -1; - const char *name, *inst; - char realm[REALM_SZ]; - realm[0] = 0; - - parse_ctrl(argc, argv); - ENTRY("pam_sm_authenticate"); - - ret = pam_get_user(pamh, &user, "login: "); - if (ret != PAM_SUCCESS) - return ret; - - if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0) - return PAM_AUTHINFO_UNAVAIL; - - ret = pam_get_item(pamh, PAM_CONV, (void*)&conv); - if (ret != PAM_SUCCESS) - return ret; - - pw = getpwnam(user); - if (pw != 0) - { - uid = pw->pw_uid; - set_tkt_string(uid); - } - - if (strcmp(user, "root") == 0 && getuid() != 0) - { - pw = getpwuid(getuid()); - if (pw != 0) - { - name = strdup(pw->pw_name); - inst = "root"; - } - } - else - { - name = user; - inst = ""; - } - - ret = krb4_auth(pamh, flags, name, inst, conv); - - /* - * The realm was lost inside krb_verify_user() so we can't simply do - * a krb_kuserok() when inst != "". - */ - if (ret == PAM_SUCCESS && inst[0] != 0) - { - uid_t old_euid = geteuid(); - uid_t old_ruid = getuid(); - - setreuid(0, 0); /* To read ticket file. */ - if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS) - ret = PAM_SERVICE_ERR; - else if (krb_kuserok(name, inst, realm, user) != KSUCCESS) - { - setreuid(0, uid); /* To read ~/.klogin. */ - if (krb_kuserok(name, inst, realm, user) != KSUCCESS) - ret = PAM_PERM_DENIED; - } - - if (ret != PAM_SUCCESS) - { - dest_tkt(); /* Passwd known, ok to kill ticket. */ - psyslog(LOG_NOTICE, - "%s.%s@%s is not allowed to log in as %s", - name, inst, realm, user); - } - - setreuid(old_ruid, old_euid); - if (getuid() != old_ruid || geteuid() != old_euid) - { - psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", - old_ruid, old_euid, __LINE__); - exit(1); - } - } - - if (ret == PAM_SUCCESS) - { - psyslog(LOG_INFO, - "%s.%s@%s authenticated as user %s", - name, inst, realm, user); - if (chown(tkt_string(), uid, -1) == -1) - { - dest_tkt(); - psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid); - exit(1); - } - } - - /* - * Kludge alert!!! Sun dtlogin unlock screen fails to call - * pam_setcred(3) with PAM_REFRESH_CRED after a successful - * authentication attempt, sic. - * - * This hack is designed as a workaround to that problem. - */ - if (ctrl_on(KRB4_REAFSLOG)) - if (ret == PAM_SUCCESS) - pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv); - - return ret; -} - -int -pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_setcred"); - - switch (flags & ~PAM_SILENT) { - case 0: - case PAM_ESTABLISH_CRED: - if (k_hasafs()) - k_setpag(); - /* Fall through, fill PAG with credentials below. */ - case PAM_REINITIALIZE_CRED: - case PAM_REFRESH_CRED: - if (k_hasafs()) - { - void *user = 0; - - if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS) - { - struct passwd *pw = getpwnam((char *)user); - if (pw != 0) - krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, - pw->pw_uid, pw->pw_dir); - } - } - break; - case PAM_DELETE_CRED: - dest_tkt(); - if (k_hasafs()) - k_unlog(); - break; - default: - psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); - break; - } - - return PAM_SUCCESS; -} - -int -pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_open_session"); - - return PAM_SUCCESS; -} - - -int -pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_close_session"); - - /* This isn't really kosher, but it's handy. */ - pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv); - - return PAM_SUCCESS; -} diff --git a/crypto/kerberosIV/lib/auth/pam/pam.conf.add b/crypto/kerberosIV/lib/auth/pam/pam.conf.add deleted file mode 100644 index 64a4915..0000000 --- a/crypto/kerberosIV/lib/auth/pam/pam.conf.add +++ /dev/null @@ -1,81 +0,0 @@ -To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch: - ---- /etc/pam.conf.DIST Mon Jul 20 15:37:46 1998 -+++ /etc/pam.conf Tue Feb 15 19:39:12 2000 -@@ -4,15 +4,19 @@ - # - # Authentication management - # -+login auth sufficient /usr/athena/lib/pam_krb4.so - login auth required /usr/lib/security/pam_unix.so.1 - login auth required /usr/lib/security/pam_dial_auth.so.1 - # - rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 - rlogin auth required /usr/lib/security/pam_unix.so.1 - # -+dtlogin auth sufficient /usr/athena/lib/pam_krb4.so - dtlogin auth required /usr/lib/security/pam_unix.so.1 - # - rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 -+# Reafslog is for dtlogin lock display -+other auth sufficient /usr/athena/lib/pam_krb4.so reafslog - other auth required /usr/lib/security/pam_unix.so.1 - # - # Account management -@@ -24,6 +28,8 @@ - # - # Session management - # -+dtlogin session required /usr/athena/lib/pam_krb4.so -+login session required /usr/athena/lib/pam_krb4.so - other session required /usr/lib/security/pam_unix.so.1 - # - # Password management ---------------------------------------------------------------------------- -To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches: - ---- /etc/pam.d/login~ Thu Jul 8 00:14:02 1999 -+++ /etc/pam.d/login Mon Aug 30 14:33:12 1999 -@@ -1,9 +1,12 @@ - #%PAM-1.0 -+# Updated to work with kerberos -+auth sufficient /lib/security/pam_krb4.so - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so nullok use_authtok shadow -+session required /lib/security/pam_krb4.so - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so ---- /etc/pam.d/xdm~ Mon Jun 14 17:39:05 1999 -+++ /etc/pam.d/xdm Mon Aug 30 14:54:51 1999 -@@ -1,8 +1,10 @@ - #%PAM-1.0 -+auth sufficient /lib/security/pam_krb4.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so shadow nullok use_authtok -+session required /lib/security/pam_krb4.so - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so --------------------------------------------------------------------------- - -This stuff may work under some other system. - -# To get this to work, you will have to add entries to /etc/pam.conf -# -# To make login kerberos-aware, you might change pam.conf to look -# like: - -# login authorization -login auth sufficient /lib/security/pam_krb4.so -login auth required /lib/security/pam_securetty.so -login auth required /lib/security/pam_unix_auth.so -login account required /lib/security/pam_unix_acct.so -login password required /lib/security/pam_unix_passwd.so -login session required /lib/security/pam_krb4.so -login session required /lib/security/pam_unix_session.so diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.am b/crypto/kerberosIV/lib/auth/sia/Makefile.am deleted file mode 100644 index 5a58cb7..0000000 --- a/crypto/kerberosIV/lib/auth/sia/Makefile.am +++ /dev/null @@ -1,48 +0,0 @@ -# $Id: Makefile.am,v 1.4 1999/04/08 12:36:40 joda Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) - -WFLAGS += $(WFLAGS_NOIMPLICITINT) - -DEFS = @DEFS@ - -## this is horribly ugly, but automake/libtool doesn't allow us to -## unconditionally build shared libraries, and it does not allow us to -## link with non-installed libraries - -if KRB4 -KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a -endif - -L = \ - $(KAFS) \ - $(top_builddir)/lib/krb5/.libs/libkrb5.a \ - $(top_builddir)/lib/asn1/.libs/libasn1.a \ - $(LIB_krb4) \ - $(top_builddir)/lib/des/.libs/libdes.a \ - $(top_builddir)/lib/com_err/.libs/libcom_err.a \ - $(top_builddir)/lib/roken/.libs/libroken.a \ - $(LIB_getpwnam_r) \ - -lc - -EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch - -foodir = $(libdir) -foo_DATA = libsia_krb5.so - -LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* - -OBJS = sia.o posix_getpw.o - -libsia_krb5.so: $(OBJS) - ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L) - ostrip -x -z $@ - -CLEANFILES = libsia_krb5.so $(OBJS) so_locations - -SUFFIXES += .c .o - -.c.o: - $(COMPILE) -c $< diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.in b/crypto/kerberosIV/lib/auth/sia/Makefile.in deleted file mode 100644 index a17c341..0000000 --- a/crypto/kerberosIV/lib/auth/sia/Makefile.in +++ /dev/null @@ -1,90 +0,0 @@ -# -# $Id: Makefile.in,v 1.30.2.1 2000/06/23 03:20:06 assar Exp $ -# - -SHELL = /bin/sh - -srcdir = @srcdir@ -VPATH = @srcdir@ - -CC = @CC@ -LINK = @LINK@ -AR = ar -RANLIB = @RANLIB@ -DEFS = @DEFS@ -CFLAGS = @CFLAGS@ $(WFLAGS) -WFLAGS = @WFLAGS@ - -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -MKINSTALLDIRS = @top_srcdir@/mkinstalldirs - -prefix = @prefix@ -exec_prefix = @exec_prefix@ -libdir = @libdir@ - -PICFLAGS = @REAL_PICFLAGS@ -SHARED = @SHARED@ -LDSHARED = @LDSHARED@ -SHLIBEXT = @REAL_SHLIBEXT@ -LD_FLAGS = @REAL_LD_FLAGS@ - -@lib_deps_yes@LIB_DEPS = -L../../kafs -lkafs \ -@lib_deps_yes@ -L../../kadm -lkadm \ -@lib_deps_yes@ -L../../krb -lkrb \ -@lib_deps_yes@ -L../../des -ldes \ -@lib_deps_yes@ -L../../com_err -lcom_err \ -@lib_deps_yes@ -L../../roken -lroken \ -@lib_deps_yes@ @LIB_getpwnam_r@ \ -@lib_deps_yes@ -lc -@lib_deps_no@LIB_DEPS = - -LIBNAME = libsia_krb4 -LIB = $(LIBNAME).$(SHLIBEXT) - -SOURCES = sia.c posix_getpw.c - -OBJECTS = sia.o posix_getpw.o - -all: $(LIB) - -Wall: - make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" - -.c.o: - $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< - -install: all - $(MKINSTALLDIRS) $(DESTDIR)$(libdir) - -if test "$(LIB)" != ""; then \ - $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -uninstall: - -if test "$(LIB)" != ""; then \ - rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -TAGS: $(SOURCES) - etags $(SOURCES) - -check: - -clean: - rm -f $(LIB) *.o - -mostlyclean: clean - -distclean: clean - rm -f Makefile *.tab.c *~ - -realclean: distclean - rm -f TAGS - -$(OBJECTS): ../../../include/config.h - -$(LIB): $(OBJECTS) - rm -f $@ - $(LDSHARED) -shared -o $@ -rpath $(libdir) -hidden -exported_symbol siad_\* $(OBJECTS) $(LIB_DEPS) - -.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/sia/README b/crypto/kerberosIV/lib/auth/sia/README deleted file mode 100644 index 6595734..0000000 --- a/crypto/kerberosIV/lib/auth/sia/README +++ /dev/null @@ -1,87 +0,0 @@ - -Digital SIA ------------ - -To install the SIA module you will have to do the following: - - * Make sure `libsia_krb4.so' is available in `/usr/athena/lib'. If - `/usr/athena' is not on local disk, you might want to put it in - `/usr/shlib' or someplace else. If you do, you'll have to edit - `krb4_matrix.conf' to reflect the new location (you will also have - to do this if you installed in some other directory than - `/usr/athena'). If you built with shared libraries, you will have - to copy the shared `libkrb.so', `libdes.so', `libkadm.so', and - `libkafs.so' to a place where the loader can find them (such as - `/usr/shlib'). - - * Copy (your possibly edited) `krb4_matrix.conf' to `/etc/sia'. - - * Apply `security.patch' to `/sbin/init.d/security'. - - * Turn on KRB4 security by issuing `rcmgr set SECURITY KRB4' and - `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'. - - * Digital thinks you should reboot your machine, but that really - shouldn't be necessary. It's usually sufficient just to run - `/sbin/init.d/security start' (and restart any applications that - use SIA, like `xdm'.) - -Users with local passwords (like `root') should be able to login safely. - -When using Digital's xdm the `KRBTKFILE' environment variable isn't -passed along as it should (since xdm zaps the environment). Instead you -have to set `KRBTKFILE' to the correct value in -`/usr/lib/X11/xdm/Xsession'. Add a line similar to - KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE -If you use CDE, `dtlogin' allows you to specify which additional -environment variables it should export. To add `KRBTKFILE' to this -list, edit `/usr/dt/config/Xconfig', and look for the definition of -`exportList'. You want to add something like: - Dtlogin.exportList: KRBTKFILE - -Notes to users with Enhanced security -..................................... - -Digital's `ENHANCED' (C2) security, and Kerberos solves two different -problems. C2 deals with local security, adds better control of who can -do what, auditing, and similar things. Kerberos deals with network -security. - -To make C2 security work with Kerberos you will have to do the -following. - - * Replace all occurencies of `krb4_matrix.conf' with - `krb4+c2_matrix.conf' in the directions above. - - * You must enable "vouching" in the `default' database. This will - make the OSFC2 module trust other SIA modules, so you can login - without giving your C2 password. To do this use `edauth' to edit - the default entry `/usr/tcb/bin/edauth -dd default', and add a - `d_accept_alternate_vouching' capability, if not already present. - - * For each user that does _not_ have a local C2 password, you should - set the password expiration field to zero. You can do this for each - user, or in the `default' table. To do this use `edauth' to set - (or change) the `u_exp' capability to `u_exp#0'. - - * You also need to be aware that the shipped `login', `rcp', and - `rshd', doesn't do any particular C2 magic (such as checking to - various forms of disabled accounts), so if you rely on those - features, you shouldn't use those programs. If you configure with - `--enable-osfc2', these programs will, however, set the login UID. - Still: use at your own risk. - -At present `su' does not accept the vouching flag, so it will not work -as expected. - -Also, kerberised ftp will not work with C2 passwords. You can solve this -by using both Digital's ftpd and our on different ports. - -*Remember*, if you do these changes you will get a system that most -certainly does _not_ fulfill the requirements of a C2 system. If C2 is -what you want, for instance if someone else is forcing you to use it, -you're out of luck. If you use enhanced security because you want a -system that is more secure than it would otherwise be, you probably got -an even more secure system. Passwords will not be sent in the clear, -for instance. - diff --git a/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf deleted file mode 100644 index 4b90e02..0000000 --- a/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright (c) 1998 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. - -# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $ - -# sia matrix configuration file (Kerberos 4 + C2) - -siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_getpwent=(BSD,libc.so) -siad_getpwuid=(BSD,libc.so) -siad_getpwnam=(BSD,libc.so) -siad_setpwent=(BSD,libc.so) -siad_endpwent=(BSD,libc.so) -siad_getgrent=(BSD,libc.so) -siad_getgrgid=(BSD,libc.so) -siad_getgrnam=(BSD,libc.so) -siad_setgrent=(BSD,libc.so) -siad_endgrent=(BSD,libc.so) -siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) diff --git a/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf deleted file mode 100644 index 4f55a81..0000000 --- a/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright (c) 1998 Kungliga Tekniska Högskolan -# (Royal Institute of Technology, Stockholm, Sweden). -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the Institute nor the names of its contributors -# may be used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. - -# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $ - -# sia matrix configuration file (Kerberos 4 + BSD) - -siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_chk_invoker=(BSD,libc.so) -siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so) -siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_ses_estab=(BSD,libc.so) -siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_chg_finger=(BSD,libc.so) -siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_chg_shell=(BSD,libc.so) -siad_getpwent=(BSD,libc.so) -siad_getpwuid=(BSD,libc.so) -siad_getpwnam=(BSD,libc.so) -siad_setpwent=(BSD,libc.so) -siad_endpwent=(BSD,libc.so) -siad_getgrent=(BSD,libc.so) -siad_getgrgid=(BSD,libc.so) -siad_getgrnam=(BSD,libc.so) -siad_setgrent=(BSD,libc.so) -siad_endgrent=(BSD,libc.so) -siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) -siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) - diff --git a/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf deleted file mode 100644 index c2952e2..0000000 --- a/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf +++ /dev/null @@ -1,27 +0,0 @@ -# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $ - -# sia matrix configuration file (Kerberos 5 + C2) - -siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) -siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_getpwent=(BSD,libc.so) -siad_getpwuid=(BSD,libc.so) -siad_getpwnam=(BSD,libc.so) -siad_setpwent=(BSD,libc.so) -siad_endpwent=(BSD,libc.so) -siad_getgrent=(BSD,libc.so) -siad_getgrgid=(BSD,libc.so) -siad_getgrnam=(BSD,libc.so) -siad_setgrent=(BSD,libc.so) -siad_endgrent=(BSD,libc.so) -siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) -siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) diff --git a/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf deleted file mode 100644 index e49366a..0000000 --- a/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf +++ /dev/null @@ -1,27 +0,0 @@ -# $Id: krb5_matrix.conf,v 1.1 1997/05/15 18:34:18 joda Exp $ - -# sia matrix configuration file (Kerberos 5 + BSD) - -siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) -siad_chk_invoker=(BSD,libc.so) -siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so) -siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) -siad_ses_estab=(BSD,libc.so) -siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) -siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) -siad_ses_reauthent=(BSD,libc.so) -siad_chg_finger=(BSD,libc.so) -siad_chg_password=(BSD,libc.so) -siad_chg_shell=(BSD,libc.so) -siad_getpwent=(BSD,libc.so) -siad_getpwuid=(BSD,libc.so) -siad_getpwnam=(BSD,libc.so) -siad_setpwent=(BSD,libc.so) -siad_endpwent=(BSD,libc.so) -siad_getgrent=(BSD,libc.so) -siad_getgrgid=(BSD,libc.so) -siad_getgrnam=(BSD,libc.so) -siad_setgrent=(BSD,libc.so) -siad_endgrent=(BSD,libc.so) -siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) -siad_chk_user=(BSD,libc.so) diff --git a/crypto/kerberosIV/lib/auth/sia/posix_getpw.c b/crypto/kerberosIV/lib/auth/sia/posix_getpw.c deleted file mode 100644 index c5961dc..0000000 --- a/crypto/kerberosIV/lib/auth/sia/posix_getpw.c +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -#include "sia_locl.h" - -RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $"); - -#ifndef POSIX_GETPWNAM_R -/* - * These functions translate from the old Digital UNIX 3.x interface - * to POSIX.1c. - */ - -int -posix_getpwnam_r(const char *name, struct passwd *pwd, - char *buffer, int len, struct passwd **result) -{ - int ret = getpwnam_r(name, pwd, buffer, len); - if(ret == 0) - *result = pwd; - else{ - *result = NULL; - ret = _Geterrno(); - if(ret == 0){ - ret = ERANGE; - _Seterrno(ret); - } - } - return ret; -} - -int -posix_getpwuid_r(uid_t uid, struct passwd *pwd, - char *buffer, int len, struct passwd **result) -{ - int ret = getpwuid_r(uid, pwd, buffer, len); - if(ret == 0) - *result = pwd; - else{ - *result = NULL; - ret = _Geterrno(); - if(ret == 0){ - ret = ERANGE; - _Seterrno(ret); - } - } - return ret; -} -#endif /* POSIX_GETPWNAM_R */ diff --git a/crypto/kerberosIV/lib/auth/sia/security.patch b/crypto/kerberosIV/lib/auth/sia/security.patch deleted file mode 100644 index c407876..0000000 --- a/crypto/kerberosIV/lib/auth/sia/security.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- /sbin/init.d/security~ Tue Aug 20 22:44:09 1996 -+++ /sbin/init.d/security Fri Nov 1 14:52:56 1996 -@@ -49,7 +49,7 @@ - SECURITY=BASE - fi - ;; -- BASE) -+ BASE|KRB4) - ;; - *) - echo "security configuration set to default (BASE)." diff --git a/crypto/kerberosIV/lib/auth/sia/sia.c b/crypto/kerberosIV/lib/auth/sia/sia.c deleted file mode 100644 index 979bb58..0000000 --- a/crypto/kerberosIV/lib/auth/sia/sia.c +++ /dev/null @@ -1,672 +0,0 @@ -/* - * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "sia_locl.h" - -RCSID("$Id: sia.c,v 1.32.2.1 1999/12/20 09:49:30 joda Exp $"); - -int -siad_init(void) -{ - return SIADSUCCESS; -} - -int -siad_chk_invoker(void) -{ - SIA_DEBUG(("DEBUG", "siad_chk_invoker")); - return SIADFAIL; -} - -int -siad_ses_init(SIAENTITY *entity, int pkgind) -{ - struct state *s = malloc(sizeof(*s)); - SIA_DEBUG(("DEBUG", "siad_ses_init")); - if(s == NULL) - return SIADFAIL; - memset(s, 0, sizeof(*s)); -#ifdef SIA_KRB5 - krb5_init_context(&s->context); -#endif - entity->mech[pkgind] = (int*)s; - return SIADSUCCESS; -} - -static int -setup_name(SIAENTITY *e, prompt_t *p) -{ - SIA_DEBUG(("DEBUG", "setup_name")); - e->name = malloc(SIANAMEMIN + 1); - if(e->name == NULL){ - SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1)); - return SIADFAIL; - } - p->prompt = (unsigned char*)"login: "; - p->result = (unsigned char*)e->name; - p->min_result_length = 1; - p->max_result_length = SIANAMEMIN; - p->control_flags = 0; - return SIADSUCCESS; -} - -static int -setup_password(SIAENTITY *e, prompt_t *p) -{ - SIA_DEBUG(("DEBUG", "setup_password")); - e->password = malloc(SIAMXPASSWORD + 1); - if(e->password == NULL){ - SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1)); - return SIADFAIL; - } - p->prompt = (unsigned char*)"Password: "; - p->result = (unsigned char*)e->password; - p->min_result_length = 0; - p->max_result_length = SIAMXPASSWORD; - p->control_flags = SIARESINVIS; - return SIADSUCCESS; -} - - -static int -doauth(SIAENTITY *entity, int pkgind, char *name) -{ - struct passwd pw, *pwd; - char pwbuf[1024]; - struct state *s = (struct state*)entity->mech[pkgind]; -#ifdef SIA_KRB5 - krb5_realm *realms, *r; - krb5_principal principal; - krb5_ccache ccache; - krb5_error_code ret; -#endif -#ifdef SIA_KRB4 - char realm[REALM_SZ]; - char *toname, *toinst; - int ret; - struct passwd fpw, *fpwd; - char fpwbuf[1024]; - int secure; -#endif - - if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){ - SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name)); - return SIADFAIL; - } - -#ifdef SIA_KRB5 - ret = krb5_get_default_realms(s->context, &realms); - - for (r = realms; *r != NULL; ++r) { - krb5_make_principal (s->context, &principal, *r, entity->name, NULL); - - if(krb5_kuserok(s->context, principal, entity->name)) - break; - } - krb5_free_host_realm (s->context, realms); - if (*r == NULL) - return SIADFAIL; - - sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid()); - ret = krb5_cc_resolve(s->context, s->ticket, &ccache); - if(ret) - return SIADFAIL; -#endif - -#ifdef SIA_KRB4 - snprintf(s->ticket, sizeof(s->ticket), - "%s%u_%u", TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid()); - krb_get_lrealm(realm, 1); - toname = name; - toinst = ""; - if(entity->authtype == SIA_A_SUAUTH){ - uid_t ouid; -#ifdef HAVE_SIAENTITY_OUID - ouid = entity->ouid; -#else - ouid = getuid(); -#endif - if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){ - SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid)); - return SIADFAIL; - } - snprintf(s->ticket, sizeof(s->ticket), "%s_%s_to_%s_%d", - TKT_ROOT, fpwd->pw_name, pwd->pw_name, getpid()); - if(strcmp(pwd->pw_name, "root") == 0){ - toname = fpwd->pw_name; - toinst = pwd->pw_name; - } - } - if(entity->authtype == SIA_A_REAUTH) - snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string()); - - krb_set_tkt_string(s->ticket); - - setuid(0); /* XXX fix for fix in tf_util.c */ - if(krb_kuserok(toname, toinst, realm, name)){ - SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s", - toname, toinst, realm, name)); - return SIADFAIL; - } -#endif -#ifdef SIA_KRB5 - ret = krb5_verify_user_lrealm(s->context, principal, ccache, - entity->password, 1, NULL); - if(ret){ - /* if this is most likely a local user (such as - root), just silently return failure when the - principal doesn't exist */ - if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && - ret != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) - SIALOG("WARNING", "krb5_verify_user(%s): %s", - entity->name, error_message(ret)); - return SIADFAIL; - } -#endif -#ifdef SIA_KRB4 - if (getuid () == 0) - secure = KRB_VERIFY_SECURE; - else - secure = KRB_VERIFY_NOT_SECURE; - - ret = krb_verify_user(toname, toinst, realm, - entity->password, secure, NULL); - if(ret){ - SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret))); - if(ret != KDC_PR_UNKNOWN) - /* since this is most likely a local user (such as - root), just silently return failure when the - principal doesn't exist */ - SIALOG("WARNING", "krb_verify_user(%s.%s): %s", - toname, toinst, krb_get_err_text(ret)); - return SIADFAIL; - } -#endif - if(sia_make_entity_pwd(pwd, entity) == SIAFAIL) - return SIADFAIL; - s->valid = 1; - return SIADSUCCESS; -} - - -static int -common_auth(sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - prompt_t prompts[2], *pr; - char *name; - - SIA_DEBUG(("DEBUG", "common_auth")); - if((siastat == SIADSUCCESS) && (geteuid() == 0)) - return SIADSUCCESS; - if(entity == NULL) { - SIA_DEBUG(("DEBUG", "entity == NULL")); - return SIADFAIL | SIADSTOP; - } - name = entity->name; - if(entity->acctname) - name = entity->acctname; - - if((collect != NULL) && entity->colinput) { - int num; - pr = prompts; - if(name == NULL){ - if(setup_name(entity, pr) != SIADSUCCESS) - return SIADFAIL; - pr++; - } - if(entity->password == NULL){ - if(setup_password(entity, pr) != SIADSUCCESS) - return SIADFAIL; - pr++; - } - num = pr - prompts; - if(num == 1){ - if((*collect)(240, SIAONELINER, (unsigned char*)"", num, - prompts) != SIACOLSUCCESS){ - SIA_DEBUG(("DEBUG", "collect failed")); - return SIADFAIL | SIADSTOP; - } - } else if(num > 0){ - if((*collect)(0, SIAFORM, (unsigned char*)"", num, - prompts) != SIACOLSUCCESS){ - SIA_DEBUG(("DEBUG", "collect failed")); - return SIADFAIL | SIADSTOP; - } - } - } - if(name == NULL) - name = entity->name; - if(name == NULL || name[0] == '\0'){ - SIA_DEBUG(("DEBUG", "name is null")); - return SIADFAIL; - } - - if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){ - SIA_DEBUG(("DEBUG", "entity->password is null")); - return SIADFAIL; - } - - return doauth(entity, pkgind, name); -} - - -int -siad_ses_authent(sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_authent")); - return common_auth(collect, entity, siastat, pkgind); -} - -int -siad_ses_estab(sia_collect_func_t *collect, - SIAENTITY *entity, int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_estab")); - return SIADFAIL; -} - -int -siad_ses_launch(sia_collect_func_t *collect, - SIAENTITY *entity, - int pkgind) -{ - static char env[MaxPathLen]; - struct state *s = (struct state*)entity->mech[pkgind]; - SIA_DEBUG(("DEBUG", "siad_ses_launch")); - if(s->valid){ -#ifdef SIA_KRB5 - chown(s->ticket + sizeof("FILE:") - 1, - entity->pwd->pw_uid, - entity->pwd->pw_gid); - snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket); -#endif -#ifdef SIA_KRB4 - chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid); - snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket); -#endif - putenv(env); - } -#ifdef KRB4 - if (k_hasafs()) { - char cell[64]; - k_setpag(); - if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0) - krb_afslog(cell, 0); - krb_afslog_home(0, 0, entity->pwd->pw_dir); - } -#endif - return SIADSUCCESS; -} - -int -siad_ses_release(SIAENTITY *entity, int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_release")); - if(entity->mech[pkgind]){ -#ifdef SIA_KRB5 - struct state *s = (struct state*)entity->mech[pkgind]; - krb5_free_context(s->context); -#endif - free(entity->mech[pkgind]); - } - return SIADSUCCESS; -} - -int -siad_ses_suauthent(sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - SIA_DEBUG(("DEBUG", "siad_ses_suauth")); - if(geteuid() != 0) - return SIADFAIL; - if(entity->name == NULL) - return SIADFAIL; - if(entity->name[0] == '\0') { - free(entity->name); - entity->name = strdup("root"); - if (entity->name == NULL) - return SIADFAIL; - } - return common_auth(collect, entity, siastat, pkgind); -} - -int -siad_ses_reauthent (sia_collect_func_t *collect, - SIAENTITY *entity, - int siastat, - int pkgind) -{ - int ret; - SIA_DEBUG(("DEBUG", "siad_ses_reauthent")); - if(entity == NULL || entity->name == NULL) - return SIADFAIL; - ret = common_auth(collect, entity, siastat, pkgind); - if((ret & SIADSUCCESS)){ - /* launch isn't (always?) called when doing reauth, so we must - duplicate some code here... */ - struct state *s = (struct state*)entity->mech[pkgind]; - chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid); -#ifdef KRB4 - if(k_hasafs()) { - char cell[64]; - if(k_afs_cell_of_file(entity->pwd->pw_dir, - cell, sizeof(cell)) == 0) - krb_afslog(cell, 0); - krb_afslog_home(0, 0, entity->pwd->pw_dir); - } -#endif - } - return ret; -} - -int -siad_chg_finger (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - SIA_DEBUG(("DEBUG", "siad_chg_finger")); - return SIADFAIL; -} - -#ifdef SIA_KRB5 -int -siad_chg_password (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - return SIADFAIL; -} -#endif - -#ifdef SIA_KRB4 -static void -sia_message(sia_collect_func_t *collect, int rendition, - const char *title, const char *message) -{ - prompt_t prompt; - prompt.prompt = (unsigned char*)message; - (*collect)(0, rendition, (unsigned char*)title, 1, &prompt); -} - -static int -init_change(sia_collect_func_t *collect, krb_principal *princ) -{ - prompt_t prompt; - char old_pw[MAX_KPW_LEN+1]; - char *msg; - char tktstring[128]; - int ret; - - SIA_DEBUG(("DEBUG", "init_change")); - prompt.prompt = (unsigned char*)"Old password: "; - prompt.result = (unsigned char*)old_pw; - prompt.min_result_length = 0; - prompt.max_result_length = sizeof(old_pw) - 1; - prompt.control_flags = SIARESINVIS; - asprintf(&msg, "Changing password for %s", krb_unparse_name(princ)); - if(msg == NULL){ - SIA_DEBUG(("DEBUG", "out of memory")); - return SIADFAIL; - } - ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt); - free(msg); - SIA_DEBUG(("DEBUG", "ret = %d", ret)); - if(ret != SIACOLSUCCESS) - return SIADFAIL; - snprintf(tktstring, sizeof(tktstring), - "%s_cpw_%u", TKT_ROOT, (unsigned)getpid()); - krb_set_tkt_string(tktstring); - - ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm, - PWSERV_NAME, KADM_SINST, 1, old_pw); - if (ret != KSUCCESS) { - SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret))); - if (ret == INTK_BADPW) - sia_message(collect, SIAWARNING, "", "Incorrect old password."); - else - sia_message(collect, SIAWARNING, "", "Kerberos error."); - memset(old_pw, 0, sizeof(old_pw)); - return SIADFAIL; - } - if(chown(tktstring, getuid(), -1) < 0){ - dest_tkt(); - return SIADFAIL; - } - memset(old_pw, 0, sizeof(old_pw)); - return SIADSUCCESS; -} - -int -siad_chg_password (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - prompt_t prompts[2]; - krb_principal princ; - int ret; - char new_pw1[MAX_KPW_LEN+1]; - char new_pw2[MAX_KPW_LEN+1]; - static struct et_list *et_list; - - set_progname(argv[0]); - - SIA_DEBUG(("DEBUG", "siad_chg_password")); - if(collect == NULL) - return SIADFAIL; - - if(username == NULL) - username = getlogin(); - - ret = krb_parse_name(username, &princ); - if(ret) - return SIADFAIL; - if(princ.realm[0] == '\0') - krb_get_lrealm(princ.realm, 1); - - if(et_list == NULL) { - initialize_kadm_error_table_r(&et_list); - initialize_krb_error_table_r(&et_list); - } - - ret = init_change(collect, &princ); - if(ret != SIADSUCCESS) - return ret; - -again: - prompts[0].prompt = (unsigned char*)"New password: "; - prompts[0].result = (unsigned char*)new_pw1; - prompts[0].min_result_length = MIN_KPW_LEN; - prompts[0].max_result_length = sizeof(new_pw1) - 1; - prompts[0].control_flags = SIARESINVIS; - prompts[1].prompt = (unsigned char*)"Verify new password: "; - prompts[1].result = (unsigned char*)new_pw2; - prompts[1].min_result_length = MIN_KPW_LEN; - prompts[1].max_result_length = sizeof(new_pw2) - 1; - prompts[1].control_flags = SIARESINVIS; - if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) != - SIACOLSUCCESS) { - dest_tkt(); - return SIADFAIL; - } - if(strcmp(new_pw1, new_pw2) != 0){ - sia_message(collect, SIAWARNING, "", "Password mismatch."); - goto again; - } - ret = kadm_check_pw(new_pw1); - if(ret) { - sia_message(collect, SIAWARNING, "", com_right(et_list, ret)); - goto again; - } - - memset(new_pw2, 0, sizeof(new_pw2)); - ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm); - if (ret != KADM_SUCCESS) - sia_message(collect, SIAWARNING, "Error initing kadmin connection", - com_right(et_list, ret)); - else { - des_cblock newkey; - char *pw_msg; /* message from server */ - - des_string_to_key(new_pw1, &newkey); - ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg); - memset(newkey, 0, sizeof(newkey)); - - if (ret == KADM_INSECURE_PW) - sia_message(collect, SIAWARNING, "Insecure password", pw_msg); - else if (ret != KADM_SUCCESS) - sia_message(collect, SIAWARNING, "Error changing password", - com_right(et_list, ret)); - } - memset(new_pw1, 0, sizeof(new_pw1)); - - if (ret != KADM_SUCCESS) - sia_message(collect, SIAWARNING, "", "Password NOT changed."); - else - sia_message(collect, SIAINFO, "", "Password changed."); - - dest_tkt(); - if(ret) - return SIADFAIL; - return SIADSUCCESS; -} -#endif - -int -siad_chg_shell (sia_collect_func_t *collect, - const char *username, - int argc, - char *argv[]) -{ - return SIADFAIL; -} - -int -siad_getpwent(struct passwd *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getpwuid (uid_t uid, - struct passwd *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getpwnam (const char *name, - struct passwd *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_setpwent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_endpwent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getgrent(struct group *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getgrgid (gid_t gid, - struct group *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_getgrnam (const char *name, - struct group *result, - char *buf, - int bufsize, - struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_setgrent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_endgrent (struct sia_context *context) -{ - return SIADFAIL; -} - -int -siad_chk_user (const char *logname, int checkflag) -{ - if(checkflag != CHGPASSWD) - return SIADFAIL; - return SIADSUCCESS; -} diff --git a/crypto/kerberosIV/lib/auth/sia/sia_locl.h b/crypto/kerberosIV/lib/auth/sia/sia_locl.h deleted file mode 100644 index 0f3f74d..0000000 --- a/crypto/kerberosIV/lib/auth/sia/sia_locl.h +++ /dev/null @@ -1,94 +0,0 @@ -/* - * Copyright (c) 1999 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - -/* $Id: sia_locl.h,v 1.2 1999/04/01 16:09:22 joda Exp $ */ - -#ifndef __sia_locl_h__ -#define __sia_locl_h__ - -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif -#include <ctype.h> -#include <stdio.h> -#include <string.h> -#include <siad.h> -#include <pwd.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> - -#ifdef KRB5 -#define SIA_KRB5 -#elif defined(KRB4) -#define SIA_KRB4 -#endif - -#ifdef SIA_KRB5 -#include <krb5.h> -#include <com_err.h> -#endif -#ifdef SIA_KRB4 -#include <krb.h> -#include <krb_err.h> -#include <kadm.h> -#include <kadm_err.h> -#endif -#ifdef KRB4 -#include <kafs.h> -#endif - -#include <roken.h> - -#ifndef POSIX_GETPWNAM_R - -#define getpwnam_r posix_getpwnam_r -#define getpwuid_r posix_getpwuid_r - -#endif /* POSIX_GETPWNAM_R */ - -#ifndef DEBUG -#define SIA_DEBUG(X) -#else -#define SIA_DEBUG(X) SIALOG X -#endif - -struct state{ -#ifdef SIA_KRB5 - krb5_context context; - krb5_auth_context auth_context; -#endif - char ticket[MaxPathLen]; - int valid; -}; - -#endif /* __sia_locl_h__ */ |