diff options
author | Artur Grabowski <art@cvs.openbsd.org> | 1998-02-18 07:10:26 +0000 |
---|---|---|
committer | Artur Grabowski <art@cvs.openbsd.org> | 1998-02-18 07:10:26 +0000 |
commit | a73cbc45cf7e5cc6015d5ab6de6532fa5f7c0264 (patch) | |
tree | 07383f4e01e45b3803840a9194fcb8c0bb0130d8 /kerberosIV/kauthd | |
parent | bb8b94c34f769ccbb4d124ce2eb111f9bc13eca2 (diff) |
kauth deamon for getting tickets on a remote machine. from kth-krb.0.9.8
Diffstat (limited to 'kerberosIV/kauthd')
-rw-r--r-- | kerberosIV/kauthd/Makefile | 13 | ||||
-rw-r--r-- | kerberosIV/kauthd/inaddr2str.c | 75 | ||||
-rw-r--r-- | kerberosIV/kauthd/kauthd.8 | 28 | ||||
-rw-r--r-- | kerberosIV/kauthd/kauthd.c | 204 | ||||
-rw-r--r-- | kerberosIV/kauthd/mini_inetd.c | 90 |
5 files changed, 410 insertions, 0 deletions
diff --git a/kerberosIV/kauthd/Makefile b/kerberosIV/kauthd/Makefile new file mode 100644 index 00000000000..eecc7182bfa --- /dev/null +++ b/kerberosIV/kauthd/Makefile @@ -0,0 +1,13 @@ +# $OpenBSD: Makefile,v 1.1 1998/02/18 07:10:23 art Exp $ + +.include <bsd.obj.mk> + +SRCS= ../kauth/encdata.c kauthd.c ../kauth/marshall.c inaddr2str.c mini_inetd.c +PROG= kauthd +LDADD+= -lkrb -lkafs -ldes +DPADD+= ${LIBKRB} ${LIBKAFS} +CFLAGS+= -I${.CURDIR}/../kauth +BINDIR=/usr/libexec +MAN= kauthd.8 + +.include <bsd.prog.mk> diff --git a/kerberosIV/kauthd/inaddr2str.c b/kerberosIV/kauthd/inaddr2str.c new file mode 100644 index 00000000000..485aafb61c4 --- /dev/null +++ b/kerberosIV/kauthd/inaddr2str.c @@ -0,0 +1,75 @@ +/* $OpenBSD: inaddr2str.c,v 1.1 1998/02/18 07:10:24 art Exp $ */ +/* $KTH: inaddr2str.c,v 1.8 1997/10/29 01:32:55 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <netdb.h> + +/* + * Get a verified name for `addr'. + * If unable to find it in the DNS, return x.y.z.a + */ + +void +inaddr2str(struct in_addr addr, char *s, size_t len) +{ + struct hostent *h; + char *p; + + h = gethostbyaddr ((const char *)&addr, sizeof(addr), AF_INET); + if (h) { + h = gethostbyname (h->h_name); + if(h) + while ((p = *(h->h_addr_list)++)) + if (memcmp (p, &addr, sizeof(addr)) == 0) { + strncpy (s, h->h_name, len); + s[len - 1] = '\0'; + return; + } + } + strncpy (s, inet_ntoa (addr), len); + s[len - 1] = '\0'; + return; +} diff --git a/kerberosIV/kauthd/kauthd.8 b/kerberosIV/kauthd/kauthd.8 new file mode 100644 index 00000000000..5cf8c4add5f --- /dev/null +++ b/kerberosIV/kauthd/kauthd.8 @@ -0,0 +1,28 @@ +.\" $KTH: kauthd.8,v 1.2 1996/09/28 22:04:48 assar Exp $ +.\" $OpenBSD: kauthd.8,v 1.1 1998/02/18 07:10:24 art Exp $ +.\" +.Dd September 27, 1996 +.Dt KAUTHD 8 +.Os KTH-KRB +.Sh NAME +.Nm kauthd +.Nd +remote Kerberos login daemon +.Sh SYNOPSIS +.Nm +.Sh DESCRIPTION +Daemon for the +.Xr kauth 1 +command. +.Pp +Options supported by +.Nm kauthd : +.Bl -tag -width Ds +.It Fl i +Interactive. Do not expect to be started by +.Nm inetd, +but allocate and listen to the socket yourself. Handy for testing +and debugging. +.El +.Sh SEE ALSO +.Xr kauth 1 diff --git a/kerberosIV/kauthd/kauthd.c b/kerberosIV/kauthd/kauthd.c new file mode 100644 index 00000000000..3ec59f76ad6 --- /dev/null +++ b/kerberosIV/kauthd/kauthd.c @@ -0,0 +1,204 @@ +/* $OpenBSD: kauthd.c,v 1.1 1998/02/18 07:10:24 art Exp $ */ +/* $KTH: kauthd.c,v 1.22 1997/05/18 20:37:55 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <kauth.h> +#include <syslog.h> +#include <varargs.h> + +krb_principal princ; +static char locuser[SNAME_SZ + 1]; +static int lifetime; +static char tktfile[MAXPATHLEN + 1]; + +struct remote_args { + int sock; + des_key_schedule *schedule; + des_cblock *session; + struct sockaddr_in *me, *her; +}; + +static int +decrypt_remote_tkt (char *user, char *inst, char *realm, void *varg, + key_proc_t key_proc, KTEXT *cipp) +{ + char buf[BUFSIZ]; + void *ptr; + int len; + KTEXT cip = *cipp; + struct remote_args *args = (struct remote_args *)varg; + + write_encrypted (args->sock, cip->dat, cip->length, + *args->schedule, args->session, args->me, + args->her); + len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule, + args->session, args->her, args->me); + memcpy(cip->dat, ptr, cip->length); + + return 0; +} + +static int +doit(int sock) +{ + int status; + KTEXT_ST ticket; + AUTH_DAT auth; + char instance[INST_SZ + 1]; + des_key_schedule schedule; + struct sockaddr_in thisaddr, thataddr; + int addrlen; + int len; + char buf[BUFSIZ]; + void *data; + struct passwd *passwd; + char version[KRB_SENDAUTH_VLEN + 1]; + char remotehost[MAXHOSTNAMELEN]; + + addrlen = sizeof(thisaddr); + if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 || + addrlen != sizeof(thisaddr)) { + return 1; + } + addrlen = sizeof(thataddr); + if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 || + addrlen != sizeof(thataddr)) { + return 1; + } + + inaddr2str (thataddr.sin_addr, remotehost, sizeof(remotehost)); + + k_getsockinst (sock, instance, sizeof(instance)); + status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance, + &thataddr, &thisaddr, &auth, "", schedule, + version); + if (status != KSUCCESS || + strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) { + return 1; + } + len = read_encrypted (sock, buf, sizeof(buf), &data, schedule, + &auth.session, &thataddr, &thisaddr); + if (len < 0) { + write_encrypted (sock, "read_enc failed", + sizeof("read_enc failed") - 1, schedule, + &auth.session, &thisaddr, &thataddr); + return 1; + } + if (unpack_args(data, &princ, &lifetime, locuser, + tktfile)) { + write_encrypted (sock, "unpack_args failed", + sizeof("unpack_args failed") - 1, schedule, + &auth.session, &thisaddr, &thataddr); + return 1; + } + + if( kuserok(&auth, locuser) != 0) { + snprintf(buf, sizeof(buf), "%s cannot get tickets for %s", + locuser, krb_unparse_name(&princ)); + syslog (LOG_ERR, buf); + write_encrypted (sock, buf, strlen(buf), schedule, + &auth.session, &thisaddr, &thataddr); + return 1; + } + passwd = getpwnam (locuser); + if (passwd == NULL) { + snprintf (buf, sizeof(buf), "No user '%s'", locuser); + syslog (LOG_ERR, buf); + write_encrypted (sock, buf, strlen(buf), schedule, + &auth.session, &thisaddr, &thataddr); + return 1; + } + if (setgid (passwd->pw_gid) || + initgroups(passwd->pw_name, passwd->pw_gid) || + setuid(passwd->pw_uid)) { + snprintf (buf, sizeof(buf), "Could not change user"); + syslog (LOG_ERR, buf); + write_encrypted (sock, buf, strlen(buf), schedule, + &auth.session, &thisaddr, &thataddr); + return 1; + } + write_encrypted (sock, "ok", sizeof("ok") - 1, schedule, + &auth.session, &thisaddr, &thataddr); + + if (*tktfile == 0) + snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid()); + krb_set_tkt_string (tktfile); + + { + struct remote_args arg; + + arg.sock = sock; + arg.schedule = &schedule; + arg.session = &auth.session; + arg.me = &thisaddr; + arg.her = &thataddr; + + status = krb_get_in_tkt (princ.name, princ.instance, princ.realm, + KRB_TICKET_GRANTING_TICKET, + princ.realm, + lifetime, NULL, decrypt_remote_tkt, &arg); + } + if (status == KSUCCESS) { + syslog (LOG_INFO, "from %s(%s): %s -> %s", + remotehost, + inet_ntoa(thataddr.sin_addr), + locuser, + krb_unparse_name (&princ)); + write_encrypted (sock, "ok", sizeof("ok") - 1, schedule, + &auth.session, &thisaddr, &thataddr); + return 0; + } else { + snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status)); + syslog (LOG_NOTICE, buf); + write_encrypted (sock, buf, strlen(buf), schedule, + &auth.session, &thisaddr, &thataddr); + return 1; + } +} + +int +main (int argc, char **argv) +{ + openlog ("kauthd", LOG_ODELAY, LOG_AUTH); + + if(argc > 1 && strcmp(argv[1], "-i") == 0) + mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT))); + return doit(STDIN_FILENO); +} diff --git a/kerberosIV/kauthd/mini_inetd.c b/kerberosIV/kauthd/mini_inetd.c new file mode 100644 index 00000000000..b2452c82b06 --- /dev/null +++ b/kerberosIV/kauthd/mini_inetd.c @@ -0,0 +1,90 @@ +/* $OpenBSD: mini_inetd.c,v 1.1 1998/02/18 07:10:25 art Exp $ */ +/* $KTH : mini_inetd.c,v 1.12 1997/11/02 04:14:12 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + + +#include <stdio.h> + +#include <unistd.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> + +void +mini_inetd (int port) +{ + struct sockaddr_in sa; + int s = socket(AF_INET, SOCK_STREAM, 0); + int s2; + int one = 1; + if(s < 0){ + perror("socket"); + exit(1); + } +#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT) + if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, + sizeof(one)) < 0){ + perror("setsockopt"); + exit(1); + } +#endif + memset(&sa, 0, sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = port; + sa.sin_addr.s_addr = INADDR_ANY; + if(bind(s, (struct sockaddr*)&sa, sizeof(sa)) < 0){ + perror("bind"); + exit(1); + } + if(listen(s, SOMAXCONN) < 0){ + perror("listen"); + exit(1); + } + s2 = accept(s, NULL, 0); + if(s2 < 0){ + perror("accept"); + exit(1); + } + close(s); + dup2(s2, STDIN_FILENO); + dup2(s2, STDOUT_FILENO); + /* dup2(s2, STDERR_FILENO); */ + close(s2); +} |