diff options
author | Artur Grabowski <art@cvs.openbsd.org> | 1997-12-18 22:28:06 +0000 |
---|---|---|
committer | Artur Grabowski <art@cvs.openbsd.org> | 1997-12-18 22:28:06 +0000 |
commit | 9c8e71c5198e4965b9bbce99b57ae5c0a67a686e (patch) | |
tree | 4c79477cf0460203dbbef2ce692977c31b65ac80 /kerberosIV/kauth | |
parent | 08ee6dc284aa9763275b05c8c8f255bbdacb0208 (diff) |
kauth is a nice tool. Gets you kerberos tickets, afs-tokens and other nice
things.
Diffstat (limited to 'kerberosIV/kauth')
-rw-r--r-- | kerberosIV/kauth/Makefile | 11 | ||||
-rw-r--r-- | kerberosIV/kauth/encdata.c | 106 | ||||
-rw-r--r-- | kerberosIV/kauth/kauth.c | 326 | ||||
-rw-r--r-- | kerberosIV/kauth/kauth.h | 81 | ||||
-rw-r--r-- | kerberosIV/kauth/marshall.c | 98 | ||||
-rw-r--r-- | kerberosIV/kauth/rkinit.c | 223 |
6 files changed, 845 insertions, 0 deletions
diff --git a/kerberosIV/kauth/Makefile b/kerberosIV/kauth/Makefile new file mode 100644 index 00000000000..895ff11123e --- /dev/null +++ b/kerberosIV/kauth/Makefile @@ -0,0 +1,11 @@ +# $OpenBSD: Makefile,v 1.1 1997/12/18 22:28:02 art Exp $ + +.include <bsd.obj.mk> + +SRCS= encdata.c rkinit.c kauth.c marshall.c +PROG= kauth +LDADD+= -lkrb -lkafs -ldes +DPADD+= ${LIBKRB} ${LIBKAFS} +MAN= + +.include <bsd.prog.mk> diff --git a/kerberosIV/kauth/encdata.c b/kerberosIV/kauth/encdata.c new file mode 100644 index 00000000000..71e1a998c6e --- /dev/null +++ b/kerberosIV/kauth/encdata.c @@ -0,0 +1,106 @@ +/* $OpenBSD: encdata.c,v 1.1 1997/12/18 22:28:02 art Exp $ */ +/* $KTH: encdata.c,v 1.9 1997/04/01 08:17:30 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kauth.h" + +int +write_encrypted (int fd, void *buf, size_t len, des_key_schedule schedule, + des_cblock *session, struct sockaddr_in *me, + struct sockaddr_in *him) +{ + void *outbuf; + int32_t outlen, l; + int i; + unsigned char tmp[4]; + + outbuf = malloc(len + 30); + if (outbuf == NULL) + return -1; + + outlen = krb_mk_priv (buf, outbuf, len, schedule, session, me, him); + if (outlen < 0) { + free(outbuf); + return -1; + } + + l = outlen; + for(i = 3; i >= 0; i--, l = l >> 8) + tmp[i] = l & 0xff; + if (krb_net_write (fd, tmp, 4) != 4 || + krb_net_write (fd, outbuf, outlen) != outlen) { + free(outbuf); + outbuf = NULL; + return -1; + } + + free(outbuf); + outbuf = NULL; + return 0; +} + + +int +read_encrypted (int fd, void *buf, size_t len, void **ret, + des_key_schedule schedule, des_cblock *session, + struct sockaddr_in *him, struct sockaddr_in *me) +{ + int status; + int32_t l; + MSG_DAT msg; + unsigned char tmp[4]; + + l = krb_net_read (fd, tmp, 4); + if (l != 4) + return l; + l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; + if (l > len) + return -1; + if (krb_net_read (fd, buf, l) != l) + return -1; + status = krb_rd_priv (buf, l, schedule, session, him, me, &msg); + if (status != RD_AP_OK) { + fprintf (stderr, "read_encrypted: %s\n", + krb_get_err_text(status)); + return -1; + } + *ret = msg.app_data; + return msg.app_length; +} diff --git a/kerberosIV/kauth/kauth.c b/kerberosIV/kauth/kauth.c new file mode 100644 index 00000000000..4126ebdef92 --- /dev/null +++ b/kerberosIV/kauth/kauth.c @@ -0,0 +1,326 @@ +/* $OpenBSD: kauth.c,v 1.1 1997/12/18 22:28:03 art Exp $ */ +/* $KTH: kauth.c,v 1.81 1997/12/09 10:36:33 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Little program that reads an srvtab or password and + * creates a suitable ticketfile and associated AFS tokens. + * + * If an optional command is given the command is executed in a + * new PAG and when the command exits the tickets are destroyed. + */ + +#include "kauth.h" + +krb_principal princ; +static char srvtab[MAXPATHLEN + 1]; +static int lifetime = DEFAULT_TKT_LIFE; +static char remote_tktfile[MAXPATHLEN + 1]; +static char remoteuser[100]; +static char *cell = 0; +static char progname[] = "kauth"; + +char * +strupr(char *str) +{ + char *s; + + for(s = str; *s; s++) + *s = toupper(*s); + return str; +} + +static void +usage(void) +{ + fprintf(stderr, + "Usage: %s -n <name> [-r remoteuser] [-t remote ticketfile] " + "[-l lifetime (in minutes) ] [-f srvtab ] " + "[-c AFS cell name ] [-h hosts... [--]] [command ... ]\n", + progname); + fprintf(stderr, "\nA fully qualified name can be given user[.instance][@realm]\nRealm is converted to uppercase!\n"); + exit(1); +} + +static void +doexec(int argc, char **argv) +{ + int status; + pid_t ret; + + switch (fork()) { + case -1: + err (1, "fork"); + break; + case 0: + /* in child */ + execvp(argv[0], argv); + err (1, "Can't exec program ``%s''", argv[0]); + break; + default: + /* in parent */ + do { + ret = wait(&status); + } while ((ret > 0 && !WIFEXITED(status)) || (ret < 0 && errno == EINTR)); + if (ret < 0) + perror("wait"); + dest_tkt(); + if (k_hasafs()) + k_unlog(); + break; + } +} + +void +renew(int sig) +{ + int code; + + signal(SIGALRM, renew); + + code = krb_get_svc_in_tkt(princ.name, princ.instance, princ.realm, + KRB_TICKET_GRANTING_TICKET, + princ.realm, lifetime, srvtab); + if (code) + warnx ("%s", krb_get_err_text(code)); + else if (k_hasafs()) + { + if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) { + warnx ("%s", krb_get_err_text(code)); + } + } + + alarm(krb_life_to_time(0, lifetime)/2 - 60); +} + +static int +zrefresh(void) +{ + switch (fork()) { + case -1: + err (1, "Warning: Failed to fork zrefresh"); + return -1; + case 0: + /* Child */ + execlp("zrefresh", "zrefresh", 0); + execl("/usr/bin/zrefresh", "zrefresh", 0); + exit(1); + default: + /* Parent */ + break; + } + return 0; +} + +static int +key_to_key(char *user, char *instance, char *realm, void *arg, + des_cblock *key) +{ + memcpy(key, arg, sizeof(des_cblock)); + return 0; +} + +int +main(int argc, char **argv) +{ + int code, more_args; + int ret; + int c; + char *file; + int pflag = 0; + char passwd[100]; + des_cblock key; + char **host; + int nhost; + char tf[MAXPATHLEN]; + + if ((file = getenv("KRBTKFILE")) == 0) + file = TKT_FILE; + + memset(&princ, 0, sizeof(princ)); + memset(srvtab, 0, sizeof(srvtab)); + *remoteuser = '\0'; + nhost = 0; + + /* Look for kerberos name */ + if (argc > 1 && + argv[1][0] != '-' && + krb_parse_name(argv[1], &princ) == 0) + { + argc--; argv++; + strupr(princ.realm); + } + + while ((c = getopt(argc, argv, "r:t:f:hl:n:c:")) != EOF) + switch (c) { + case 'f': + strncpy(srvtab, optarg, sizeof(srvtab)); + break; + case 't': + strncpy(remote_tktfile, optarg, sizeof(remote_tktfile)); + break; + case 'r': + strncpy(remoteuser, optarg, sizeof(remoteuser)); + break; + case 'l': + lifetime = atoi(optarg); + if (lifetime == -1) + lifetime = 255; + else if (lifetime < 5) + lifetime = 1; + else + lifetime = krb_time_to_life(0, lifetime*60); + if (lifetime > 255) + lifetime = 255; + break; + case 'n': + if ((code = krb_parse_name(optarg, &princ)) != 0) { + warnx ("%s", krb_get_err_text(code)); + usage(); + } + strupr(princ.realm); + pflag = 1; + break; + case 'c': + cell = optarg; + break; + case 'h': + host = argv + optind; + for(nhost = 0; optind < argc && *argv[optind] != '-'; ++optind) + ++nhost; + break; + case '?': + default: + usage(); + break; + } + + if (princ.name[0] == '\0' && krb_get_default_principal (princ.name, + princ.instance, + princ.realm) < 0) + errx (1, "Could not get default principal"); + + /* With root tickets assume remote user is root */ + if (*remoteuser == '\0') + if (strcmp(princ.instance, "root") == 0) { + strncpy(remoteuser, princ.instance, sizeof(remoteuser) - 1); + remoteuser[sizeof(remoteuser) - 1] = '\0'; + } + else { + strncpy(remoteuser, princ.name, sizeof(remoteuser) - 1); + remoteuser[sizeof(remoteuser) - 1] = '\0'; + } + + more_args = argc - optind; + + if (princ.realm[0] == '\0') + if (krb_get_lrealm(princ.realm, 1) != KSUCCESS) { + strncpy(princ.realm, KRB_REALM, REALM_SZ - 1); + princ.realm[REALM_SZ - 1] = '\0'; + } + + if (more_args) { + int f; + + do{ + snprintf(tf, sizeof(tf), + TKT_ROOT "%u_%u", + (unsigned)getuid(), + (unsigned)(getpid()*time(0))); + f = open(tf, O_CREAT|O_EXCL|O_RDWR); + }while(f < 0); + close(f); + unlink(tf); + setenv("KRBTKFILE", tf, 1); + krb_set_tkt_string (tf); + } + + if (srvtab[0]) + { + signal(SIGALRM, renew); + + code = read_service_key (princ.name, princ.instance, princ.realm, 0, + srvtab, (char *)&key); + if (code == KSUCCESS) + code = krb_get_in_tkt(princ.name, princ.instance, princ.realm, + KRB_TICKET_GRANTING_TICKET, + princ.realm, lifetime, + key_to_key, NULL, key); + alarm(krb_life_to_time(0, lifetime)/2 - 60); + } + else { + char prompt[128]; + + snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&princ)); + if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){ + memset(passwd, 0, sizeof(passwd)); + exit(1); + } + code = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, + KRB_TICKET_GRANTING_TICKET, princ.realm, + lifetime, passwd, &key); + + memset(passwd, 0, sizeof(passwd)); + } + if (code) { + memset (key, 0, sizeof(key)); + errx (1, "%s", krb_get_err_text(code)); + } + + if (k_hasafs()) { + if (more_args) + k_setpag(); + if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) + warnx ("%s", krb_get_err_text(code)); + } + + for(ret = 0; nhost-- > 0; host++) + ret += rkinit(&princ, lifetime, remoteuser, remote_tktfile, &key, *host); + + if (ret) + return ret; + + if (more_args) + doexec(more_args, &argv[optind]); + else + zrefresh(); + + return 0; +} diff --git a/kerberosIV/kauth/kauth.h b/kerberosIV/kauth/kauth.h new file mode 100644 index 00000000000..85d04a6cc14 --- /dev/null +++ b/kerberosIV/kauth/kauth.h @@ -0,0 +1,81 @@ +/* $KTH: kauth.h,v 1.18 1997/05/20 18:40:31 bg Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <ctype.h> +#include <string.h> +#include <signal.h> +#include <fcntl.h> +#include <errno.h> +#include <unistd.h> +#include <pwd.h> +#include <grp.h> + +#include <sys/time.h> +#include <time.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <netdb.h> + +#include <err.h> + +#include <kerberosIV/krb.h> +#include <kerberosIV/kafs.h> + +#define KAUTH_PORT 2120 + +#define KAUTH_VERSION "RKINIT.0" + +int rkinit (krb_principal*, int, char*, char*, des_cblock*, char*); + +int write_encrypted (int, void*, size_t, des_key_schedule, + des_cblock*, struct sockaddr_in*, struct sockaddr_in*); + +int read_encrypted (int, void*, size_t, void **, des_key_schedule, + des_cblock*, struct sockaddr_in*, struct sockaddr_in*); + +unsigned pack_args (char *, krb_principal*, int, char*, char*); + +int unpack_args (char*, krb_principal*, int*, char*, char*); diff --git a/kerberosIV/kauth/marshall.c b/kerberosIV/kauth/marshall.c new file mode 100644 index 00000000000..982991509c7 --- /dev/null +++ b/kerberosIV/kauth/marshall.c @@ -0,0 +1,98 @@ +/* $OpenBSD: marshall.c,v 1.1 1997/12/18 22:28:04 art Exp $ */ +/* $KTH: marshall.c,v 1.7 1997/04/01 08:17:32 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kauth.h" + +unsigned +pack_args (char *buf, krb_principal *pr, int lifetime, + char *locuser, char *tktfile) +{ + char *p; + + p = buf; + strcpy (p, pr->name); + p += strlen (pr->name) + 1; + strcpy (p, pr->instance); + p += strlen (pr->instance) + 1; + strcpy (p, pr->realm); + p += strlen (pr->realm) + 1; + *p++ = (unsigned char)lifetime; + strcpy(p, locuser); + p += strlen (locuser) + 1; + strcpy(p, tktfile); + p += strlen(tktfile) + 1; + return p - buf; +} + +int +unpack_args (char *buf, krb_principal *pr, int *lifetime, + char *locuser, char *tktfile) +{ + int len; + + len = strlen(buf); + if (len > SNAME_SZ) + return -1; + strncpy(pr->name, buf, len + 1); + buf += len + 1; + len = strlen (buf); + if (len > INST_SZ) + return -1; + strncpy (pr->instance, buf, len + 1); + buf += len + 1; + len = strlen (buf); + if (len > REALM_SZ) + return -1; + strncpy (pr->realm, buf, len + 1); + buf += len + 1; + *lifetime = (unsigned char)*buf++; + len = strlen(buf); + if (len > SNAME_SZ) + return -1; + strncpy (locuser, buf, len + 1); + buf += len + 1; + len = strlen(buf); + if (len > MAXPATHLEN) + return -1; + strncpy (tktfile, buf, len + 1); + buf += len + 1; + return 0; +} diff --git a/kerberosIV/kauth/rkinit.c b/kerberosIV/kauth/rkinit.c new file mode 100644 index 00000000000..615b6592583 --- /dev/null +++ b/kerberosIV/kauth/rkinit.c @@ -0,0 +1,223 @@ +/* $OpenBSD: rkinit.c,v 1.1 1997/12/18 22:28:05 art Exp $ */ +/* $KTH: rkinit.c,v 1.19 1997/04/01 08:17:33 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kauth.h" + +static struct in_addr * +getalladdrs (char *hostname, unsigned *count) +{ + struct hostent *hostent; + struct in_addr **h; + struct in_addr *addr; + unsigned naddr; + unsigned maxaddr; + + hostent = gethostbyname (hostname); + if (hostent == NULL) { + warnx ("gethostbyname '%s' failed: %s\n", + hostname, +#ifdef HAVE_H_ERRNO + hstrerror(h_errno) +#else + "unknown error" +#endif + ); + return NULL; + } + maxaddr = 1; + naddr = 0; + addr = malloc(sizeof(*addr) * maxaddr); + if (addr == NULL) { + warnx ("out of memory"); + return NULL; + } + for (h = (struct in_addr **)(hostent->h_addr_list); + *h != NULL; + h++) { + if (naddr >= maxaddr) { + maxaddr *= 2; + addr = realloc (addr, sizeof(*addr) * maxaddr); + if (addr == NULL) { + warnx ("out of memory"); + return NULL; + } + } + addr[naddr++] = **h; + } + addr = realloc (addr, sizeof(*addr) * naddr); + if (addr == NULL) { + warnx ("out of memory"); + return NULL; + } + *count = naddr; + return addr; +} + +static int +doit_host (krb_principal *princ, int lifetime, char *locuser, + char *tktfile, des_cblock *key, int s, char *hostname) +{ + char buf[BUFSIZ]; + int inlen; + KTEXT_ST text; + CREDENTIALS cred; + MSG_DAT msg; + int status; + des_key_schedule schedule; + struct sockaddr_in thisaddr, thataddr; + int addrlen; + void *ret; + + addrlen = sizeof(thisaddr); + if (getsockname (s, (struct sockaddr *)&thisaddr, &addrlen) < 0 || + addrlen != sizeof(thisaddr)) { + warn ("getsockname(%s)", hostname); + return 1; + } + addrlen = sizeof(thataddr); + if (getpeername (s, (struct sockaddr *)&thataddr, &addrlen) < 0 || + addrlen != sizeof(thataddr)) { + warn ("getpeername(%s)", hostname); + return 1; + } + + status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd", + hostname, krb_realmofhost (hostname), + getpid(), &msg, &cred, schedule, + &thisaddr, &thataddr, KAUTH_VERSION); + if (status != KSUCCESS) { + warnx ("%s: %s\n", hostname, krb_get_err_text(status)); + return 1; + } + inlen = pack_args (buf, princ, lifetime, locuser, tktfile); + + if (write_encrypted(s, buf, inlen, schedule, &cred.session, + &thisaddr, &thataddr) < 0) { + warn ("write to %s", hostname); + return 1; + } + + inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule, + &cred.session, &thataddr, &thisaddr); + if (inlen < 0) { + warn ("read from %s failed", hostname); + return 1; + } + + if (strncmp(ret, "ok", inlen) != 0) { + warnx ("error from %s: %.*s\n", + hostname, inlen, (char *)ret); + return 1; + } + + inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule, + &cred.session, &thataddr, &thisaddr); + if (inlen < 0) { + warn ("read from %s", hostname); + return 1; + } + + { + des_key_schedule key_s; + + des_key_sched(key, key_s); + des_pcbc_encrypt(ret, ret, inlen, key_s, key, DES_DECRYPT); + memset(key_s, 0, sizeof(key_s)); + } + write_encrypted (s, ret, inlen, schedule, &cred.session, + &thisaddr, &thataddr); + + inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule, + &cred.session, &thataddr, &thisaddr); + if (inlen < 0) { + warn ("read from %s", hostname); + return 1; + } + + if (strncmp(ret, "ok", inlen) != 0) { + warnx ("error from %s: %.*s\n", + hostname, inlen, (char *)ret); + return 1; + } + return 0; +} + +int +rkinit (krb_principal *princ, int lifetime, char *locuser, + char *tktfile, des_cblock *key, char *hostname) +{ + struct in_addr *addr; + unsigned naddr; + unsigned i; + int port; + int success; + + addr = getalladdrs (hostname, &naddr); + if (addr == NULL) + return 1; + port = k_getportbyname ("kauth", "tcp", htons(KAUTH_PORT)); + success = 0; + for (i = 0; !success && i < naddr; ++i) { + struct sockaddr_in a; + int s; + + memset(&a, 0, sizeof(a)); + a.sin_family = AF_INET; + a.sin_port = port; + a.sin_addr = addr[i]; + + s = socket (AF_INET, SOCK_STREAM, 0); + if (s < 0) { + warn("socket"); + return 1; + } + if (connect(s, (struct sockaddr *)&a, sizeof(a)) < 0) { + warn("connect(%s)", hostname); + continue; + } + + success = success || !doit_host (princ, lifetime, + locuser, tktfile, key, + s, hostname); + close (s); + } + return !success; +} |