summaryrefslogtreecommitdiff
path: root/kerberosIV/kauthd
diff options
context:
space:
mode:
authorArtur Grabowski <art@cvs.openbsd.org>1998-02-18 07:10:26 +0000
committerArtur Grabowski <art@cvs.openbsd.org>1998-02-18 07:10:26 +0000
commita73cbc45cf7e5cc6015d5ab6de6532fa5f7c0264 (patch)
tree07383f4e01e45b3803840a9194fcb8c0bb0130d8 /kerberosIV/kauthd
parentbb8b94c34f769ccbb4d124ce2eb111f9bc13eca2 (diff)
kauth deamon for getting tickets on a remote machine. from kth-krb.0.9.8
Diffstat (limited to 'kerberosIV/kauthd')
-rw-r--r--kerberosIV/kauthd/Makefile13
-rw-r--r--kerberosIV/kauthd/inaddr2str.c75
-rw-r--r--kerberosIV/kauthd/kauthd.828
-rw-r--r--kerberosIV/kauthd/kauthd.c204
-rw-r--r--kerberosIV/kauthd/mini_inetd.c90
5 files changed, 410 insertions, 0 deletions
diff --git a/kerberosIV/kauthd/Makefile b/kerberosIV/kauthd/Makefile
new file mode 100644
index 00000000000..eecc7182bfa
--- /dev/null
+++ b/kerberosIV/kauthd/Makefile
@@ -0,0 +1,13 @@
+# $OpenBSD: Makefile,v 1.1 1998/02/18 07:10:23 art Exp $
+
+.include <bsd.obj.mk>
+
+SRCS= ../kauth/encdata.c kauthd.c ../kauth/marshall.c inaddr2str.c mini_inetd.c
+PROG= kauthd
+LDADD+= -lkrb -lkafs -ldes
+DPADD+= ${LIBKRB} ${LIBKAFS}
+CFLAGS+= -I${.CURDIR}/../kauth
+BINDIR=/usr/libexec
+MAN= kauthd.8
+
+.include <bsd.prog.mk>
diff --git a/kerberosIV/kauthd/inaddr2str.c b/kerberosIV/kauthd/inaddr2str.c
new file mode 100644
index 00000000000..485aafb61c4
--- /dev/null
+++ b/kerberosIV/kauthd/inaddr2str.c
@@ -0,0 +1,75 @@
+/* $OpenBSD: inaddr2str.c,v 1.1 1998/02/18 07:10:24 art Exp $ */
+/* $KTH: inaddr2str.c,v 1.8 1997/10/29 01:32:55 assar Exp $ */
+
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Kungliga Tekniska
+ * Högskolan and its contributors.
+ *
+ * 4. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+/*
+ * Get a verified name for `addr'.
+ * If unable to find it in the DNS, return x.y.z.a
+ */
+
+void
+inaddr2str(struct in_addr addr, char *s, size_t len)
+{
+ struct hostent *h;
+ char *p;
+
+ h = gethostbyaddr ((const char *)&addr, sizeof(addr), AF_INET);
+ if (h) {
+ h = gethostbyname (h->h_name);
+ if(h)
+ while ((p = *(h->h_addr_list)++))
+ if (memcmp (p, &addr, sizeof(addr)) == 0) {
+ strncpy (s, h->h_name, len);
+ s[len - 1] = '\0';
+ return;
+ }
+ }
+ strncpy (s, inet_ntoa (addr), len);
+ s[len - 1] = '\0';
+ return;
+}
diff --git a/kerberosIV/kauthd/kauthd.8 b/kerberosIV/kauthd/kauthd.8
new file mode 100644
index 00000000000..5cf8c4add5f
--- /dev/null
+++ b/kerberosIV/kauthd/kauthd.8
@@ -0,0 +1,28 @@
+.\" $KTH: kauthd.8,v 1.2 1996/09/28 22:04:48 assar Exp $
+.\" $OpenBSD: kauthd.8,v 1.1 1998/02/18 07:10:24 art Exp $
+.\"
+.Dd September 27, 1996
+.Dt KAUTHD 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kauthd
+.Nd
+remote Kerberos login daemon
+.Sh SYNOPSIS
+.Nm
+.Sh DESCRIPTION
+Daemon for the
+.Xr kauth 1
+command.
+.Pp
+Options supported by
+.Nm kauthd :
+.Bl -tag -width Ds
+.It Fl i
+Interactive. Do not expect to be started by
+.Nm inetd,
+but allocate and listen to the socket yourself. Handy for testing
+and debugging.
+.El
+.Sh SEE ALSO
+.Xr kauth 1
diff --git a/kerberosIV/kauthd/kauthd.c b/kerberosIV/kauthd/kauthd.c
new file mode 100644
index 00000000000..3ec59f76ad6
--- /dev/null
+++ b/kerberosIV/kauthd/kauthd.c
@@ -0,0 +1,204 @@
+/* $OpenBSD: kauthd.c,v 1.1 1998/02/18 07:10:24 art Exp $ */
+/* $KTH: kauthd.c,v 1.22 1997/05/18 20:37:55 assar Exp $ */
+
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Kungliga Tekniska
+ * Högskolan and its contributors.
+ *
+ * 4. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <kauth.h>
+#include <syslog.h>
+#include <varargs.h>
+
+krb_principal princ;
+static char locuser[SNAME_SZ + 1];
+static int lifetime;
+static char tktfile[MAXPATHLEN + 1];
+
+struct remote_args {
+ int sock;
+ des_key_schedule *schedule;
+ des_cblock *session;
+ struct sockaddr_in *me, *her;
+};
+
+static int
+decrypt_remote_tkt (char *user, char *inst, char *realm, void *varg,
+ key_proc_t key_proc, KTEXT *cipp)
+{
+ char buf[BUFSIZ];
+ void *ptr;
+ int len;
+ KTEXT cip = *cipp;
+ struct remote_args *args = (struct remote_args *)varg;
+
+ write_encrypted (args->sock, cip->dat, cip->length,
+ *args->schedule, args->session, args->me,
+ args->her);
+ len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule,
+ args->session, args->her, args->me);
+ memcpy(cip->dat, ptr, cip->length);
+
+ return 0;
+}
+
+static int
+doit(int sock)
+{
+ int status;
+ KTEXT_ST ticket;
+ AUTH_DAT auth;
+ char instance[INST_SZ + 1];
+ des_key_schedule schedule;
+ struct sockaddr_in thisaddr, thataddr;
+ int addrlen;
+ int len;
+ char buf[BUFSIZ];
+ void *data;
+ struct passwd *passwd;
+ char version[KRB_SENDAUTH_VLEN + 1];
+ char remotehost[MAXHOSTNAMELEN];
+
+ addrlen = sizeof(thisaddr);
+ if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+ addrlen != sizeof(thisaddr)) {
+ return 1;
+ }
+ addrlen = sizeof(thataddr);
+ if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+ addrlen != sizeof(thataddr)) {
+ return 1;
+ }
+
+ inaddr2str (thataddr.sin_addr, remotehost, sizeof(remotehost));
+
+ k_getsockinst (sock, instance, sizeof(instance));
+ status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance,
+ &thataddr, &thisaddr, &auth, "", schedule,
+ version);
+ if (status != KSUCCESS ||
+ strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+ return 1;
+ }
+ len = read_encrypted (sock, buf, sizeof(buf), &data, schedule,
+ &auth.session, &thataddr, &thisaddr);
+ if (len < 0) {
+ write_encrypted (sock, "read_enc failed",
+ sizeof("read_enc failed") - 1, schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 1;
+ }
+ if (unpack_args(data, &princ, &lifetime, locuser,
+ tktfile)) {
+ write_encrypted (sock, "unpack_args failed",
+ sizeof("unpack_args failed") - 1, schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 1;
+ }
+
+ if( kuserok(&auth, locuser) != 0) {
+ snprintf(buf, sizeof(buf), "%s cannot get tickets for %s",
+ locuser, krb_unparse_name(&princ));
+ syslog (LOG_ERR, buf);
+ write_encrypted (sock, buf, strlen(buf), schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 1;
+ }
+ passwd = getpwnam (locuser);
+ if (passwd == NULL) {
+ snprintf (buf, sizeof(buf), "No user '%s'", locuser);
+ syslog (LOG_ERR, buf);
+ write_encrypted (sock, buf, strlen(buf), schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 1;
+ }
+ if (setgid (passwd->pw_gid) ||
+ initgroups(passwd->pw_name, passwd->pw_gid) ||
+ setuid(passwd->pw_uid)) {
+ snprintf (buf, sizeof(buf), "Could not change user");
+ syslog (LOG_ERR, buf);
+ write_encrypted (sock, buf, strlen(buf), schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 1;
+ }
+ write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+ &auth.session, &thisaddr, &thataddr);
+
+ if (*tktfile == 0)
+ snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid());
+ krb_set_tkt_string (tktfile);
+
+ {
+ struct remote_args arg;
+
+ arg.sock = sock;
+ arg.schedule = &schedule;
+ arg.session = &auth.session;
+ arg.me = &thisaddr;
+ arg.her = &thataddr;
+
+ status = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
+ KRB_TICKET_GRANTING_TICKET,
+ princ.realm,
+ lifetime, NULL, decrypt_remote_tkt, &arg);
+ }
+ if (status == KSUCCESS) {
+ syslog (LOG_INFO, "from %s(%s): %s -> %s",
+ remotehost,
+ inet_ntoa(thataddr.sin_addr),
+ locuser,
+ krb_unparse_name (&princ));
+ write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 0;
+ } else {
+ snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status));
+ syslog (LOG_NOTICE, buf);
+ write_encrypted (sock, buf, strlen(buf), schedule,
+ &auth.session, &thisaddr, &thataddr);
+ return 1;
+ }
+}
+
+int
+main (int argc, char **argv)
+{
+ openlog ("kauthd", LOG_ODELAY, LOG_AUTH);
+
+ if(argc > 1 && strcmp(argv[1], "-i") == 0)
+ mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT)));
+ return doit(STDIN_FILENO);
+}
diff --git a/kerberosIV/kauthd/mini_inetd.c b/kerberosIV/kauthd/mini_inetd.c
new file mode 100644
index 00000000000..b2452c82b06
--- /dev/null
+++ b/kerberosIV/kauthd/mini_inetd.c
@@ -0,0 +1,90 @@
+/* $OpenBSD: mini_inetd.c,v 1.1 1998/02/18 07:10:25 art Exp $ */
+/* $KTH : mini_inetd.c,v 1.12 1997/11/02 04:14:12 assar Exp $ */
+
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Kungliga Tekniska
+ * Högskolan and its contributors.
+ *
+ * 4. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+#include <stdio.h>
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+void
+mini_inetd (int port)
+{
+ struct sockaddr_in sa;
+ int s = socket(AF_INET, SOCK_STREAM, 0);
+ int s2;
+ int one = 1;
+ if(s < 0){
+ perror("socket");
+ exit(1);
+ }
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+ if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one,
+ sizeof(one)) < 0){
+ perror("setsockopt");
+ exit(1);
+ }
+#endif
+ memset(&sa, 0, sizeof(sa));
+ sa.sin_family = AF_INET;
+ sa.sin_port = port;
+ sa.sin_addr.s_addr = INADDR_ANY;
+ if(bind(s, (struct sockaddr*)&sa, sizeof(sa)) < 0){
+ perror("bind");
+ exit(1);
+ }
+ if(listen(s, SOMAXCONN) < 0){
+ perror("listen");
+ exit(1);
+ }
+ s2 = accept(s, NULL, 0);
+ if(s2 < 0){
+ perror("accept");
+ exit(1);
+ }
+ close(s);
+ dup2(s2, STDIN_FILENO);
+ dup2(s2, STDOUT_FILENO);
+ /* dup2(s2, STDERR_FILENO); */
+ close(s2);
+}