authorTodd C. Miller <millert@cvs.openbsd.org>2004-01-17 20:57:16 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2004-01-17 20:57:16 +0000
commit2e81bbc58c942f00b94b9a366dbe42238821aec0 (patch)
tree8f9bc7f4050466bd2a06df90526e1f0dc859f39d
parent0eb529cc1daeabd034c9b73afe31ea23ca92c3b5 (diff)
Kill kerberos4 code; OK deraadt@
-rw-r--r--usr.bin/rsh/Makefile12
-rw-r--r--usr.bin/rsh/des_rw.c189
-rw-r--r--usr.bin/rsh/kcmd.c313
-rw-r--r--usr.bin/rsh/krcmd.c120
-rw-r--r--usr.bin/rsh/rsh.c199
5 files changed, 29 insertions, 804 deletions
diff --git a/usr.bin/rsh/Makefile b/usr.bin/rsh/Makefile
index fd08dd2122f..ac35a03845a 100644
--- a/usr.bin/rsh/Makefile
+++ b/usr.bin/rsh/Makefile
@@ -1,18 +1,8 @@
-# $OpenBSD: Makefile,v 1.7 2003/05/14 07:33:39 mho Exp $
+# $OpenBSD: Makefile,v 1.8 2004/01/17 20:57:15 millert Exp $
PROG= rsh
SRCS= rsh.c
BINOWN= root
BINMODE=4555
-.include <bsd.own.mk> # For KERBEROS
-
-#.if (${KERBEROS:L} == "yes")
-#SRCS+= des_rw.c
-#CFLAGS+=-DKERBEROS
-#SRCS+= krcmd.c kcmd.c
-#LDADD+= -lkrb -ldes
-#DPADD+= ${LIBKRB} ${LIBDES}
-#.endif
-
.include <bsd.prog.mk>
diff --git a/usr.bin/rsh/des_rw.c b/usr.bin/rsh/des_rw.c
deleted file mode 100644
index 654a74b646e..00000000000
--- a/usr.bin/rsh/des_rw.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/* $OpenBSD: des_rw.c,v 1.4 2003/06/03 02:56:15 millert Exp $ */
-/* $NetBSD: des_rw.c,v 1.2 1995/03/21 07:58:30 cgd Exp $ */
-
-/*-
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-#if 0
-static char sccsid[] = "@(#)des_rw.c 8.1 (Berkeley) 6/6/93";
-#else
-static char rcsid[] = "$OpenBSD: des_rw.c,v 1.4 2003/06/03 02:56:15 millert Exp $";
-#endif
-#endif /* not lint */
-
-#ifdef KERBEROS
-#include <sys/param.h>
-
-#include <des.h>
-#include <kerberosIV/krb.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-void desrw_set_key(des_cblock *, des_key_schedule *);
-void desrw_clear_key(void);
-int des_read(int, void *, int);
-int des_write(int, void *, int);
-
-static unsigned char des_inbuf[10240], storage[10240], *store_ptr;
-static des_cblock *key;
-static des_key_schedule *key_schedule;
-
-/*
- * NB: These routines will not function properly if NBIO
- * is set
- */
-
-/*
- * des_set_key
- *
- * Set des encryption/decryption key for use by the des_read and
- * des_write routines
- *
- * The inkey parameter is actually the DES initial vector,
- * and the insched is the DES Key unwrapped for faster decryption
- */
-static int nstored = 0;
-
-void
-desrw_set_key(des_cblock *inkey, des_key_schedule *insched)
-{
- key = inkey;
- key_schedule = insched;
- nstored = 0;
-}
-
-void
-desrw_clear_key(void)
-{
- bzero((char *) key, sizeof(C_Block));
- bzero((char *) key_schedule, sizeof(Key_schedule));
-}
-
-
-int
-des_read(int fd, void *bp, int len)
-{
- long net_len, rd_len;
- int nreturned = 0;
- char *buf = bp;
-
- if (nstored >= len) {
- (void) bcopy(store_ptr, buf, len);
- store_ptr += len;
- nstored -= len;
- return(len);
- } else if (nstored) {
- (void) bcopy(store_ptr, buf, nstored);
- nreturned += nstored;
- buf += nstored;
- len -= nstored;
- nstored = 0;
- }
-
- if (krb_net_read(fd, (char *)&net_len, sizeof(net_len)) !=
- sizeof(net_len)) {
- /* XXX can't read enough, pipe
- must have closed */
- return(0);
- }
- net_len = ntohl(net_len);
- if (net_len <= 0 || net_len > sizeof(des_inbuf)) {
- /* preposterous length; assume out-of-sync; only
- recourse is to close connection, so return 0 */
- return(0);
- }
- /* the writer tells us how much real data we are getting, but
- we need to read the pad bytes (8-byte boundary) */
- rd_len = roundup(net_len, 8);
- if (krb_net_read(fd, (char *)des_inbuf, rd_len) != rd_len) {
- /* pipe must have closed, return 0 */
- return(0);
- }
- (void) des_pcbc_encrypt((des_cblock *)des_inbuf,
- (des_cblock *)storage, rd_len, *key_schedule, key, DECRYPT);
-
- if(net_len < 8)
- store_ptr = storage + 8 - net_len;
- else
- store_ptr = storage;
-
- nstored = net_len;
- if (nstored > len) {
- (void) bcopy(store_ptr, buf, len);
- nreturned += len;
- store_ptr += len;
- nstored -= len;
- } else {
- (void) bcopy(store_ptr, buf, nstored);
- nreturned += nstored;
- nstored = 0;
- }
-
- return(nreturned);
-}
-
-static unsigned char des_outbuf[10240]; /* > longest write */
-
-int
-des_write(int fd, void *bp, int len)
-{
- static int seeded = 0;
- static char garbage_buf[8];
- long net_len, garbage;
- char *buf = bp;
-
- if(len < 8) {
- if(!seeded) {
- seeded = 1;
- srandom((int) time(NULL));
- }
- garbage = random();
- /* insert random garbage */
- (void) bcopy(&garbage, garbage_buf, MIN(sizeof(long),8));
- /* this "right-justifies" the data in the buffer */
- (void) bcopy(buf, garbage_buf + 8 - len, len);
- }
- /* pcbc_encrypt outputs in 8-byte (64 bit) increments */
-
- (void) des_pcbc_encrypt((des_cblock *)((len < 8) ? garbage_buf : buf),
- (des_cblock *)des_outbuf, (len < 8) ? 8 : len,
- *key_schedule, key, ENCRYPT);
-
- /* tell the other end the real amount, but send an 8-byte padded
- packet */
- net_len = htonl(len);
- (void) write(fd, &net_len, sizeof(net_len));
- (void) write(fd, des_outbuf, roundup(len,8));
- return(len);
-}
-#endif /* KERBEROS */
diff --git a/usr.bin/rsh/kcmd.c b/usr.bin/rsh/kcmd.c
deleted file mode 100644
index 19c572dc685..00000000000
--- a/usr.bin/rsh/kcmd.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/* $OpenBSD: kcmd.c,v 1.7 2003/06/03 02:56:15 millert Exp $ */
-/* $NetBSD: kcmd.c,v 1.2 1995/03/21 07:58:32 cgd Exp $ */
-
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-#if 0
-static char Xsccsid[] = "derived from @(#)rcmd.c 5.17 (Berkeley) 6/27/88";
-static char sccsid[] = "@(#)kcmd.c 8.2 (Berkeley) 8/19/93";
-#else
-static char rcsid[] = "$OpenBSD: kcmd.c,v 1.7 2003/06/03 02:56:15 millert Exp $";
-#endif
-#endif /* not lint */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <des.h>
-#include <kerberosIV/krb.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <pwd.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <err.h>
-
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 64
-#endif
-
-#define START_PORT 5120 /* arbitrary */
-
-int getport(int *);
-int kcmd(int *, char **, u_short, char *, char *, char *,
- int *, KTEXT, char *, char *, CREDENTIALS *,
- Key_schedule, MSG_DAT *, struct sockaddr_in *,
- struct sockaddr_in *, long);
-
-int
-kcmd(int *sock, char **ahost, u_short rport, char *locuser, char *remuser,
- char *cmd, int *fd2p, KTEXT ticket, char *service, char *realm,
- CREDENTIALS *cred, Key_schedule schedule, MSG_DAT *msg_data,
- struct sockaddr_in *laddr, struct sockaddr_in *faddr, long authopts)
-{
- int s, timo = 1;
- sigset_t mask, oldmask;
- struct sockaddr_in sin, from;
- char c;
- int lport = IPPORT_RESERVED - 1;
- struct hostent *hp;
- int rc;
- char *host_save;
- int status;
- pid_t pid;
-
- pid = getpid();
- hp = gethostbyname(*ahost);
- if (hp == NULL) {
- herror(*ahost);
- return (-1);
- }
- if ((host_save = strdup(hp->h_name)) == NULL) {
- warn("can't allocate memory");
- return (-1);
- }
- *ahost = host_save;
-
- /* If realm is null, look up from table */
- if (realm == NULL || realm[0] == '\0')
- realm = krb_realmofhost(host_save);
-
- sigemptyset(&mask);
- sigaddset(&mask, SIGURG);
- sigprocmask(SIG_BLOCK, &mask, &oldmask);
- for (;;) {
- s = getport(&lport);
- if (s < 0) {
- if (errno == EAGAIN)
- fprintf(stderr,
- "kcmd(socket): All ports in use\n");
- else
- perror("kcmd: socket");
- sigprocmask(SIG_SETMASK, &oldmask, NULL);
- return (-1);
- }
- fcntl(s, F_SETOWN, pid);
- bzero(&sin, sizeof sin);
- sin.sin_len = sizeof(struct sockaddr_in);
- sin.sin_family = hp->h_addrtype;
- sin.sin_port = rport;
- bcopy(hp->h_addr_list[0], &sin.sin_addr, hp->h_length);
- if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
- break;
- (void) close(s);
- if (errno == EADDRINUSE) {
- lport--;
- continue;
- }
- /*
- * don't wait very long for Kerberos rcmd.
- */
- if (errno == ECONNREFUSED && timo <= 4) {
- /* sleep(timo); don't wait at all here */
- timo *= 2;
- continue;
- }
- if (hp->h_addr_list[1] != NULL) {
- int oerrno = errno;
-
- fprintf(stderr,
- "kcmd: connect to address %s: ",
- inet_ntoa(sin.sin_addr));
- errno = oerrno;
- perror(NULL);
- hp->h_addr_list++;
- bcopy(hp->h_addr_list[0], &sin.sin_addr, hp->h_length);
- fprintf(stderr, "Trying %s...\n",
- inet_ntoa(sin.sin_addr));
- continue;
- }
- if (errno != ECONNREFUSED)
- perror(hp->h_name);
- sigprocmask(SIG_SETMASK, &oldmask, NULL);
- return (-1);
- }
- if (fd2p == 0) {
- write(s, "", 1);
- lport = 0;
- } else {
- char num[12];
- int s2 = getport(&lport), s3;
- socklen_t len = sizeof(from);
-
- if (s2 < 0) {
- status = -1;
- goto bad;
- }
- listen(s2, 1);
- (void) snprintf(num, sizeof(num), "%d", lport);
- if (write(s, num, strlen(num) + 1) != strlen(num) + 1) {
- perror("kcmd(write): setting up stderr");
- (void) close(s2);
- status = -1;
- goto bad;
- }
-again:
- s3 = accept(s2, (struct sockaddr *)&from, &len);
- /*
- * XXX careful for ftp bounce attacks. If discovered, shut them
- * down and check for the real auxiliary channel to connect.
- */
- if (from.sin_family == AF_INET && from.sin_port == htons(20)) {
- (void) close(s3);
- goto again;
- }
- (void) close(s2);
- if (s3 < 0) {
- perror("kcmd:accept");
- lport = 0;
- status = -1;
- goto bad;
- }
- *fd2p = s3;
- from.sin_port = ntohs(from.sin_port);
- if (from.sin_family != AF_INET ||
- from.sin_port >= IPPORT_RESERVED ||
- from.sin_port < IPPORT_RESERVED / 2) {
- fprintf(stderr,
- "kcmd(socket): protocol failure in circuit setup.\n");
- status = -1;
- goto bad2;
- }
- }
- /*
- * Kerberos-authenticated service. Don't have to send locuser,
- * since its already in the ticket, and we'll extract it on
- * the other side.
- */
- /* (void) write(s, locuser, strlen(locuser)+1); */
-
- /* set up the needed stuff for mutual auth, but only if necessary */
- if (authopts & KOPT_DO_MUTUAL) {
- socklen_t sin_len;
- *faddr = sin;
-
- sin_len = sizeof(struct sockaddr_in);
- if (getsockname(s, (struct sockaddr *)laddr, &sin_len) < 0) {
- perror("kcmd(getsockname)");
- status = -1;
- goto bad2;
- }
- }
- if ((status = krb_sendauth(authopts, s, ticket, service, *ahost,
- realm, (unsigned long) getpid(), msg_data,
- cred, schedule,
- laddr,
- faddr,
- "KCMDV0.1")) != KSUCCESS)
- goto bad2;
-
- (void) write(s, remuser, strlen(remuser)+1);
- (void) write(s, cmd, strlen(cmd)+1);
-
- if ((rc = read(s, &c, 1)) != 1) {
- if (rc == -1)
- perror(*ahost);
- else
- fprintf(stderr,"kcmd: bad connection with remote host\n");
- status = -1;
- goto bad2;
- }
- if (c != '\0') {
- while (read(s, &c, 1) == 1) {
- (void) write(2, &c, 1);
- if (c == '\n')
- break;
- }
- status = -1;
- goto bad2;
- }
- sigprocmask(SIG_SETMASK, &oldmask, NULL);
- *sock = s;
- return (KSUCCESS);
-bad2:
- if (lport)
- (void) close(*fd2p);
-bad:
- (void) close(s);
- sigprocmask(SIG_SETMASK, &oldmask, NULL);
- return (status);
-}
-
-int
-getport(int *alport)
-{
- struct sockaddr_in sin;
- int s;
-
- /* First try to get a "reserved" [sic] port, for interoperability with
- broken klogind (aix, e.g.) */
-
- s = rresvport(alport);
- if (s >= 0)
- return s;
-
- /* Failed; if EACCES, we're not root, so just get an unreserved port
- and hope that's good enough */
-
- if (errno != EACCES)
- return -1;
-
- if (*alport < IPPORT_RESERVED)
- *alport = START_PORT;
- memset(&sin, 0, sizeof sin);
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
- s = socket(AF_INET, SOCK_STREAM, 0);
- if (s < 0)
- return (-1);
- for (;;) {
- sin.sin_port = htons((u_short)*alport);
- if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
- return (s);
- if (errno != EADDRINUSE) {
- (void) close(s);
- return (-1);
- }
- (*alport)--;
- if (*alport == IPPORT_RESERVED) {
- (void) close(s);
- errno = EAGAIN; /* close */
- return (-1);
- }
- }
-}
diff --git a/usr.bin/rsh/krcmd.c b/usr.bin/rsh/krcmd.c
deleted file mode 100644
index ecd12890dff..00000000000
--- a/usr.bin/rsh/krcmd.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/* $OpenBSD: krcmd.c,v 1.3 2003/06/03 02:56:15 millert Exp $ */
-/* $NetBSD: krcmd.c,v 1.2 1995/03/21 07:58:36 cgd Exp $ */
-
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-#if 0
-static char sccsid[] = "@(#)krcmd.c 8.1 (Berkeley) 6/6/93";
-#else
-static char rcsid[] = "$OpenBSD: krcmd.c,v 1.3 2003/06/03 02:56:15 millert Exp $";
-#endif
-#endif /* not lint */
-
-/*
- * $Header: /mit/kerberos/ucb/mit/kcmd/RCS/krcmd.c,v 5.1
- * 89/07/25 15:38:44 kfall Exp Locker: kfall
- */
-
-#ifdef KERBEROS
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <des.h>
-#include <kerberosIV/krb.h>
-
-#include <stdio.h>
-
-#define SERVICE_NAME "rcmd"
-
-int kcmd(int *, char **, u_short, char *, char *, char *, int *,
- KTEXT, char *, char *, CREDENTIALS *, Key_schedule, MSG_DAT *,
- struct sockaddr_in *, struct sockaddr_in *, long);
-int krcmd(char **, u_short, char *, char *, int *, char *);
-int krcmd_mutual(char **, u_short, char *, char *, int *, char *,
- CREDENTIALS *, Key_schedule);
-
-/*
- * krcmd: simplified version of Athena's "kcmd"
- * returns a socket attached to the destination, -1 or krb error on error
- * if fd2p is non-NULL, another socket is filled in for it
- */
-int
-krcmd(char **ahost, u_short rport, char *remuser, char *cmd, int *fd2p,
- char *realm)
-{
- int sock = -1, err = 0;
- char myrealm[REALM_SZ];
- long authopts = 0L;
- KTEXT_ST ticket;
-
- err = kcmd(&sock, ahost, rport, NULL, remuser, cmd, fd2p,
- &ticket, SERVICE_NAME, realm, (CREDENTIALS *) NULL,
- (void *) NULL, (MSG_DAT *) NULL, (struct sockaddr_in *) NULL,
- (struct sockaddr_in *) NULL, authopts);
-
- if (err > KSUCCESS && err < MAX_KRB_ERRORS) {
- if (krb_get_lrealm(myrealm, 0) == KSUCCESS)
- fprintf(stderr, "krcmd: %s\n", krb_err_txt[err]);
- return(-1);
- }
- if (err < 0)
- return(-1);
- return(sock);
-}
-
-int
-krcmd_mutual(char **ahost, u_short rport, char *remuser, char *cmd, int *fd2p,
- char *realm, CREDENTIALS *cred, Key_schedule sched)
-{
- struct sockaddr_in laddr, faddr;
- long authopts = KOPT_DO_MUTUAL;
- char myrealm[REALM_SZ];
- KTEXT_ST ticket;
- MSG_DAT msg_dat;
- int sock, err;
-
- err = kcmd(&sock, ahost, rport, NULL, remuser, cmd, fd2p,
- &ticket, SERVICE_NAME, realm, cred, sched, &msg_dat,
- &laddr, &faddr, authopts);
-
- if (err > KSUCCESS && err < MAX_KRB_ERRORS) {
- if (krb_get_lrealm(myrealm, 0) == KSUCCESS)
- fprintf(stderr, "krcmd_mutual: %s\n", krb_err_txt[err]);
- return(-1);
- }
-
- if (err < 0)
- return (-1);
- return(sock);
-}
-#endif /* KERBEROS */
diff --git a/usr.bin/rsh/rsh.c b/usr.bin/rsh/rsh.c
index 4f570546f6b..58ab3dd2f0a 100644
--- a/usr.bin/rsh/rsh.c
+++ b/usr.bin/rsh/rsh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsh.c,v 1.34 2003/08/11 20:43:31 millert Exp $ */
+/* $OpenBSD: rsh.c,v 1.35 2004/01/17 20:57:15 millert Exp $ */
/*-
* Copyright (c) 1983, 1990 The Regents of the University of California.
@@ -37,7 +37,7 @@ static const char copyright[] =
#ifndef lint
/*static const char sccsid[] = "from: @(#)rsh.c 5.24 (Berkeley) 7/1/91";*/
-static const char rcsid[] = "$OpenBSD: rsh.c,v 1.34 2003/08/11 20:43:31 millert Exp $";
+static const char rcsid[] = "$OpenBSD: rsh.c,v 1.35 2004/01/17 20:57:15 millert Exp $";
#endif /* not lint */
#include <sys/types.h>
@@ -61,29 +61,9 @@ static const char rcsid[] = "$OpenBSD: rsh.c,v 1.34 2003/08/11 20:43:31 millert
#include "pathnames.h"
-#ifdef KERBEROS
-#include <des.h>
-#include <kerberosIV/krb.h>
-
-CREDENTIALS cred;
-Key_schedule schedule;
-int use_kerberos = 1, doencrypt;
-char dst_realm_buf[REALM_SZ], *dest_realm;
-
-void warning(const char *, ...);
-void desrw_set_key(des_cblock *, des_key_schedule *);
-int des_read(int, char *, int);
-int des_write(int, void *, int);
-
-int krcmd(char **, u_short, char *, char *, int *, char *);
-int krcmd_mutual(char **, u_short, char *, char *, int *, char *,
- CREDENTIALS *, Key_schedule);
-#endif
-
-void usage(void);
+__dead void usage(void);
void sendsig(int);
char *copyargs(char **argv);
-
void talk(int, sigset_t *, int, int);
/*
@@ -94,26 +74,21 @@ int rfd2;
int
main(int argc, char *argv[])
{
- extern char *optarg;
- extern int optind;
struct passwd *pw;
struct servent *sp;
sigset_t mask, omask;
int argoff, asrsh, ch, dflag, nflag, one, rem, uid;
- char *args, *host, *user, *p;
+ char *args, *host, *user;
pid_t pid = 0;
+ extern char *__progname;
argoff = asrsh = dflag = nflag = 0;
one = 1;
host = user = NULL;
/* if called as something other than "rsh", use it as the host name */
- if ((p = strrchr(argv[0], '/')))
- ++p;
- else
- p = argv[0];
- if (strcmp(p, "rsh"))
- host = p;
+ if (strcmp(__progname, "rsh") != 0)
+ host = __progname;
else
asrsh = 1;
@@ -123,22 +98,13 @@ main(int argc, char *argv[])
argoff = 1;
}
-#ifdef KERBEROS
-#define OPTIONS "8KLdek:l:nwx"
-#else
-#define OPTIONS "8KLdel:nw"
-#endif
- while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != -1)
+ while ((ch = getopt(argc - argoff, argv + argoff, "8KLdel:nw")) != -1)
switch(ch) {
+ case '8': /* -8KLew are ignored to allow rlogin aliases */
case 'K':
-#ifdef KERBEROS
- use_kerberos = 0;
-#endif
- break;
- case 'L': /* -8Lew are ignored to allow rlogin aliases */
+ case 'L':
case 'e':
case 'w':
- case '8':
break;
case 'd':
dflag = 1;
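Review bot: Nothing in the option switch records that `-x` and `-k` are now rejected on purpose; with "x" and "k:" gone from the getopt string they fall through to `default:` and usage(). That is the right outcome for a flag that used to request encryption, since the only remaining transport is the plain rcmd_af() path. The new comment on `case '8'` lists the flags ignored for rlogin aliases, and I would add beside it `/* -x and -k are rejected, not ignored: never accept a request for encryption and then run in cleartext */` so that `x` is not later added to the ignored set for compatibility. The switch and main() continue outside this hunk.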
@@ -146,22 +112,9 @@ main(int argc, char *argv[])
case 'l':
user = optarg;
break;
-#ifdef KERBEROS
- case 'k':
- dest_realm = dst_realm_buf;
- strncpy(dest_realm, optarg, REALM_SZ);
- break;
-#endif
case 'n':
nflag = 1;
break;
-#ifdef KERBEROS
- case 'x':
- doencrypt = 1;
- desrw_set_key(&cred.session, &schedule);
- break;
-#endif
- case '?':
default:
usage();
}
@@ -191,73 +144,20 @@ main(int argc, char *argv[])
if (geteuid() != 0)
errx(1, "must be setuid root");
- if (!(pw = getpwuid(uid = getuid())))
+ if ((pw = getpwuid(uid = getuid())) == NULL)
errx(1, "unknown user ID %u", uid);
- if (!user)
+ if (user == NULL)
user = pw->pw_name;
-#ifdef KERBEROS
- /* -x turns off -n */
- if (doencrypt)
- nflag = 0;
-#endif
-
args = copyargs(argv);
- sp = NULL;
-#ifdef KERBEROS
- if (use_kerberos) {
- sp = getservbyname((doencrypt ? "ekshell" : "kshell"), "tcp");
- if (sp == NULL) {
- use_kerberos = 0;
- warning("can't get entry for %s/tcp service",
- doencrypt ? "ekshell" : "kshell");
- }
- }
-#endif
- if (sp == NULL)
- sp = getservbyname("shell", "tcp");
- if (sp == NULL)
+ if ((sp = getservbyname("shell", "tcp")) == NULL)
errx(1, "shell/tcp: unknown service");
- (void) unsetenv("RSH"); /* no tricks with rcmd(3) */
-
-#ifdef KERBEROS
-try_connect:
- if (use_kerberos) {
- rem = KSUCCESS;
- errno = 0;
- if (dest_realm == NULL)
- dest_realm = krb_realmofhost(host);
-
- if (doencrypt)
- rem = krcmd_mutual(&host, sp->s_port, user, args,
- &rfd2, dest_realm, &cred, schedule);
- else
- rem = krcmd(&host, sp->s_port, user, args, &rfd2,
- dest_realm);
- if (rem < 0) {
- use_kerberos = 0;
- sp = getservbyname("shell", "tcp");
- if (sp == NULL)
- errx(1, "unknown service shell/tcp");
- if (errno == ECONNREFUSED)
- warning("remote host doesn't support Kerberos");
- if (errno == ENOENT)
- warning("can't provide Kerberos auth data");
- goto try_connect;
- }
- } else {
- if (doencrypt)
- errx("the -x flag requires Kerberos authentication");
- rem = rcmd_af(&host, sp->s_port, pw->pw_name, user, args,
- &rfd2, PF_UNSPEC);
- }
-#else
+ (void)unsetenv("RSH"); /* no tricks with rcmd(3) */
+
rem = rcmd_af(&host, sp->s_port, pw->pw_name, user, args, &rfd2,
PF_UNSPEC);
-#endif
-
if (rem < 0)
exit(1);
@@ -291,13 +191,8 @@ try_connect:
err(1, "fork");
}
-#ifdef KERBEROS
- if (!doencrypt)
-#endif
- {
- (void)ioctl(rfd2, FIONBIO, &one);
- (void)ioctl(rem, FIONBIO, &one);
- }
+ (void)ioctl(rfd2, FIONBIO, &one);
+ (void)ioctl(rem, FIONBIO, &one);
talk(nflag, &omask, pid, rem);
@@ -331,12 +226,9 @@ rewrite:
err(1, "poll");
goto rewrite;
}
-#ifdef KERBEROS
- if (doencrypt)
- wc = des_write(rem, bp, cc);
- else
-#endif
- wc = write(rem, bp, cc);
+ if (pfd[0].revents & (POLLERR|POLLHUP|POLLNVAL))
+ err(1, "poll");
+ wc = write(rem, bp, cc);
if (wc < 0) {
if (errno == EWOULDBLOCK)
goto rewrite;
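Review bot: The added `err(1, "poll");` after the `pfd[0].revents & (POLLERR|POLLHUP|POLLNVAL)` test runs when poll() itself has succeeded, so errno was not set by that call and err() will append a stale or unrelated strerror text; `errx(1, "poll: error on remote descriptor");` would report what actually happened. The same applies to the revents test added in the read loop of the `done:` hunk (-363,14 +255,12). That test is also placed before the POLLIN handling, so if the platform reports POLLHUP together with POLLIN when the peer closes, output still queued would be dropped and rsh would exit 1; reading on POLLIN first and treating POLLHUP alone as end of stream would avoid that. The enclosing function starts and ends outside both hunks.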
@@ -363,14 +255,12 @@ done:
err(1, "poll");
continue;
}
+ if ((pfd[0].revents & (POLLERR|POLLHUP|POLLNVAL)) ||
+ (pfd[1].revents & (POLLERR|POLLHUP|POLLNVAL)))
+ err(1, "poll");
if (pfd[1].revents & POLLIN) {
errno = 0;
-#ifdef KERBEROS
- if (doencrypt)
- cc = des_read(rfd2, buf, sizeof buf);
- else
-#endif
- cc = read(rfd2, buf, sizeof buf);
+ cc = read(rfd2, buf, sizeof buf);
if (cc <= 0) {
if (errno != EWOULDBLOCK)
pfd[1].revents = 0;
@@ -379,12 +269,7 @@ done:
}
if (pfd[0].revents & POLLIN) {
errno = 0;
-#ifdef KERBEROS
- if (doencrypt)
- cc = des_read(rem, buf, sizeof buf);
- else
-#endif
- cc = read(rem, buf, sizeof buf);
+ cc = read(rem, buf, sizeof buf);
if (cc <= 0) {
if (errno != EWOULDBLOCK)
pfd[0].revents = 0;
@@ -399,33 +284,10 @@ sendsig(int signo)
{
int save_errno = errno;
-#ifdef KERBEROS
- if (doencrypt)
- (void)des_write(rfd2, &signo, 1);
- else
-#endif
- (void)write(rfd2, &signo, 1);
+ (void)write(rfd2, &signo, 1);
errno = save_errno;
}
-#ifdef KERBEROS
-/* VARARGS */
-void
-warning(const char *fmt, ...)
-{
- va_list ap;
- char myrealm[REALM_SZ];
-
- if (krb_get_lrealm(myrealm, 0) != KSUCCESS)
- return;
- (void)fprintf(stderr, "rsh: warning, using standard rsh: ");
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- (void)fprintf(stderr, ".\n");
-}
-#endif
-
char *
copyargs(char **argv)
{
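Review bot: In sendsig() the remaining call `(void)write(rfd2, &signo, 1);` sends the first byte in memory of an `int`, which holds the signal number only on little-endian machines; on a big-endian host the byte written would be 0. Copying the value into a one-byte object first removes the dependency: `char c = signo;` followed by `(void)write(rfd2, &c, 1);`. The removed des_write branch used the same pattern, so this predates the commit, but it is now the only path by which signals are forwarded.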
@@ -451,15 +313,10 @@ copyargs(char **argv)
return(args);
}
-void
+__dead void
usage(void)
{
(void)fprintf(stderr,
- "usage: rsh [-Kdn%s]%s[-l username] hostname [command]\n",
-#ifdef KERBEROS
- "x", " [-k realm] ");
-#else
- "", " ");
-#endif
+ "usage: rsh [-Kdn] [-l username] hostname [command]\n");
exit(1);
}