Remove all traces of Kerberised NFS; it never worked in OpenBSD, but it

has been in the userland tools and the manpages for ages.

Spotted by Lars Hansson <lars@unet.net.ph>

Ok deraadt@

3 files changed, 10 insertions, 206 deletions

diff --git a/sbin/mount_nfs/Makefile b/sbin/mount_nfs/Makefile
index 826a648ed08..926e004acf0 100644
--- a/sbin/mount_nfs/Makefile
+++ b/sbin/mount_nfs/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.7 2000/09/03 18:41:16 espie Exp $
+#	$OpenBSD: Makefile,v 1.8 2001/10/03 18:50:07 hin Exp $
 
 PROG=	mount_nfs
 SRCS=	mount_nfs.c getmntopts.c
@@ -11,14 +11,4 @@ MAN=	mount_nfs.8
 #.PATH:	${MOUNT}
 CFLAGS+=-DNFS
 
-# NFSKERB is not currently supported
-#
-#.include <bsd.own.mk>	# For KERBEROS
-#
-#.if (${KERBEROS:L} == "yes")
-#CFLAGS+=-DNFSKERB
-#DPADD+=	${LIBKRB} ${LIBDES}
-#LDADD+=	-lkrb -ldes
-#.endif
-
 .include <bsd.prog.mk>
diff --git a/sbin/mount_nfs/mount_nfs.8 b/sbin/mount_nfs/mount_nfs.8
index 44c2e162e88..c0ded63fb8b 100644
--- a/sbin/mount_nfs/mount_nfs.8
+++ b/sbin/mount_nfs/mount_nfs.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: mount_nfs.8,v 1.24 2001/07/13 18:19:24 csapuntz Exp $
+.\"	$OpenBSD: mount_nfs.8,v 1.25 2001/10/03 18:50:07 hin Exp $
 .\"	$NetBSD: mount_nfs.8,v 1.3 1996/02/18 11:59:10 fvdl Exp $
 .\"
 .\" Copyright (c) 1992, 1993, 1994, 1995
@@ -42,14 +42,13 @@
 .Nd mount nfs file systems
 .Sh SYNOPSIS
 .Nm mount_nfs
-.Op Fl 23KPTUbcdilqs
+.Op Fl 23PTUbcdilqs
 .Op Fl D Ar deadthresh
 .Op Fl I Ar readdirsize
 .Op Fl L Ar leaseterm
 .Op Fl R Ar retrycnt
 .Op Fl a Ar maxreadahead
 .Op Fl g Ar maxgroups
-.Op Fl m Ar realm
 .Op Fl o Ar options
 .Op Fl r Ar readsize
 .Op Fl t Ar timeout
@@ -83,13 +82,6 @@ fall back to version 2 if the mount fails.
 Set the readdir read size to the specified value.
 The value should normally
 be a multiple of DIRBLKSIZ that is <= the read size for the mount.
-.It Fl K
-Pass Kerberos authenticators to the server for client-to-server
-user-credential mapping.
-This requires that the kernel be built with the NFSKERB option.
-(Refer to the INTERNET-DRAFT titled
-.%T "Authentication Mechanisms for ONC RPC" ,
-for more information.)
 .It Fl P
 The kernel always uses a reserved port number to communicate with
 clients.
@@ -151,11 +143,6 @@ Try this option and see whether performance improves or degrades.
 Probably
 most useful for client to server network interconnects with a large bandwidth
 times delay product.
-.It Fl m Ar realm
-Set the Kerberos realm to the string argument.
-Used with the
-.Fl K
-option for mounts to other realms.
 .It Fl o Ar options
 Options are specified with a
 .Fl o
diff --git a/sbin/mount_nfs/mount_nfs.c b/sbin/mount_nfs/mount_nfs.c
index f1a0d538a30..6dfc7139121 100644
--- a/sbin/mount_nfs/mount_nfs.c
+++ b/sbin/mount_nfs/mount_nfs.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mount_nfs.c,v 1.23 2001/07/13 18:19:24 csapuntz Exp $	*/
+/*	$OpenBSD: mount_nfs.c,v 1.24 2001/10/03 18:50:07 hin Exp $	*/
 /*	$NetBSD: mount_nfs.c,v 1.12.4.1 1996/05/25 22:48:05 fvdl Exp $	*/
 
 /*
@@ -66,11 +66,6 @@ static char rcsid[] = "$NetBSD: mount_nfs.c,v 1.12.4.1 1996/05/25 22:48:05 fvdl
 #include <netiso/iso.h>
 #endif
 
-#ifdef NFSKERB
-#include <des.h>
-#include <kerberosIV/krb.h>
-#endif
-
 #include <nfs/rpcv2.h>
 #include <nfs/nfsproto.h>
 #define _KERNEL
@@ -96,7 +91,6 @@ static char rcsid[] = "$NetBSD: mount_nfs.c,v 1.12.4.1 1996/05/25 22:48:05 fvdl
 #define ALTF_NOCONN	0x2
 #define ALTF_DUMBTIMR	0x4
 #define ALTF_INTR	0x8
-#define ALTF_KERB	0x10
 #define ALTF_NFSV3	0x20
 #define ALTF_RDIRPLUS	0x40
 #define	ALTF_MNTUDP	0x80
@@ -116,9 +110,6 @@ const struct mntopt mopts[] = {
 	{ "conn", 1, ALTF_NOCONN, 1 },
 	{ "dumbtimer", 0, ALTF_DUMBTIMR, 1 },
 	{ "intr", 0, ALTF_INTR, 1 },
-#ifdef NFSKERB
-	{ "kerb", 0, ALTF_KERB, 1 },
-#endif
 	{ "nfsv3", 0, ALTF_NFSV3, 1 },
 	{ "rdirplus", 0, ALTF_RDIRPLUS, 1 },
 	{ "mntudp", 0, ALTF_MNTUDP, 1 },
@@ -177,21 +168,6 @@ u_short port_no = 0;
 int force2 = 0;
 int force3 = 0;
 
-#ifdef NFSKERB
-char inst[INST_SZ];
-char realm[REALM_SZ];
-struct {
-	u_long		kind;
-	KTEXT_ST	kt;
-} ktick;
-struct nfsrpc_nickverf kverf;
-struct nfsrpc_fullblock kin, kout;
-NFSKERBKEY_T kivec;
-CREDENTIALS kcr;
-struct timeval ktv;
-NFSKERBKEYSCHED_T kerb_keysched;
-#endif
-
 int	getnfsargs __P((char *, struct nfs_args *));
 #ifdef ISO
 struct	iso_addr *iso_addr __P((const char *));
@@ -212,21 +188,7 @@ main(argc, argv)
 	struct nfsd_cargs ncd;
 	int mntflags, altflags, i, nfssvc_flag, num;
 	char *name, *p, *spec;
-#ifdef NFSKERB
-	uid_t last_ruid;
-#endif
 
-#ifdef NFSKERB
-	last_ruid = -1;
-	if (krb_get_lrealm(realm, 0) != KSUCCESS)
-	    (void)strcpy(realm, "[not set]");
-	if (sizeof (struct nfsrpc_nickverf) != RPCX_NICKVERF ||
-	    sizeof (struct nfsrpc_fullblock) != RPCX_FULLBLOCK ||
-	    ((char *)&ktick.kt) - ((char *)&ktick) != NFSX_UNSIGNED ||
-	    ((char *)ktick.kt.dat) - ((char *)&ktick) != 2 * NFSX_UNSIGNED)
-		fprintf(stderr, "Yikes! NFSKERB structs not packed!!\n");
-
-#endif
 	retrycnt = DEF_RETRY;
 
 	mntflags = 0;
@@ -234,7 +196,7 @@ main(argc, argv)
 	nfsargs = nfsdefargs;
 	nfsargsp = &nfsargs;
 	while ((c = getopt(argc, argv,
-	    "23a:bcdD:g:I:iKL:lm:o:PpqR:r:sTt:w:x:U")) != EOF)
+	    "23a:bcdD:g:I:iL:l:o:PpqR:r:sTt:w:x:U")) != EOF)
 		switch (c) {
 		case '3':
 			if (force2)
@@ -290,11 +252,6 @@ main(argc, argv)
 		case 'i':
 			nfsargsp->flags |= NFSMNT_INT;
 			break;
-#ifdef NFSKERB
-		case 'K':
-			nfsargsp->flags |= NFSMNT_KERB;
-			break;
-#endif
 		case 'L':
 			num = strtol(optarg, &p, 10);
 			if (*p || num < 2)
@@ -305,11 +262,6 @@ main(argc, argv)
 		case 'l':
 			nfsargsp->flags |= NFSMNT_RDIRPLUS;
 			break;
-#ifdef NFSKERB
-		case 'm':
-			strlcpy(realm, optarg, sizeof(realm));
-			break;
-#endif
 		case 'o':
 			getmntopts(optarg, mopts, &mntflags, &altflags);
 			if (altflags & ALTF_BG)
@@ -320,10 +272,6 @@ main(argc, argv)
 				nfsargsp->flags |= NFSMNT_DUMBTIMR;
 			if (altflags & ALTF_INTR)
 				nfsargsp->flags |= NFSMNT_INT;
-#ifdef NFSKERB
-			if (altflags & ALTF_KERB)
-				nfsargsp->flags |= NFSMNT_KERB;
-#endif
 			if (altflags & ALTF_NFSV3) {
 				if (force2)
 					errx(1,"conflicting version options");
@@ -437,104 +385,6 @@ main(argc, argv)
 		else
 			err(1, "%s", name);
 	}
-	if (nfsargsp->flags & NFSMNT_KERB) {
-		if ((opflags & ISBGRND) == 0) {
-			if ((i = fork())) {
-				if (i == -1)
-					err(1, "Couldn't launch NFS kerberos service process");
-				exit(0);
-			}
-			(void) setsid();
-			(void) close(STDIN_FILENO);
-			(void) close(STDOUT_FILENO);
-			(void) close(STDERR_FILENO);
-			(void) chdir("/");
-		}
-		openlog("mount_nfs:", LOG_PID, LOG_DAEMON);
-		nfssvc_flag = NFSSVC_MNTD;
-		ncd.ncd_dirp = name;
-		while (nfssvc(nfssvc_flag, (caddr_t)&ncd) < 0) {
-			if (errno != ENEEDAUTH) {
-				syslog(LOG_ERR, "nfssvc err %m");
-				continue;
-			}
-			nfssvc_flag =
-			    NFSSVC_MNTD | NFSSVC_GOTAUTH | NFSSVC_AUTHINFAIL;
-#ifdef NFSKERB
-			/*
-			 * Set up as ncd_authuid for the kerberos call.
-			 * Must set ruid to ncd_authuid and reset the
-			 * ticket name iff ncd_authuid is not the same
-			 * as last time, so that the right ticket file
-			 * is found.
-			 * Get the Kerberos credential structure so that
-			 * we have the seesion key and get a ticket for
-			 * this uid.
-			 * For more info see the IETF Draft "Authentication
-			 * in ONC RPC".
-			 */
-			if (ncd.ncd_authuid != last_ruid) {
-				krb_set_tkt_string("");
-				last_ruid = ncd.ncd_authuid;
-			}
-			setreuid(ncd.ncd_authuid, 0);
-			kret = krb_get_cred(NFS_KERBSRV, inst, realm, &kcr);
-			if (kret == RET_NOTKT) {
-		            kret = get_ad_tkt(NFS_KERBSRV, inst, realm,
-				DEFAULT_TKT_LIFE);
-			    if (kret == KSUCCESS)
-				kret = krb_get_cred(NFS_KERBSRV, inst, realm,
-				    &kcr);
-			}
-			if (kret == KSUCCESS)
-			    kret = krb_mk_req(&ktick.kt, NFS_KERBSRV, inst,
-				realm, 0);
-
-			/*
-			 * Fill in the AKN_FULLNAME authenticator and verfier.
-			 * Along with the Kerberos ticket, we need to build
-			 * the timestamp verifier and encrypt it in CBC mode.
-			 */
-			if (kret == KSUCCESS &&
-			    ktick.kt.length <= (RPCAUTH_MAXSIZ-3*NFSX_UNSIGNED)
-			    && gettimeofday(&ktv, NULL) == 0) {
-			    ncd.ncd_authtype = RPCAUTH_KERB4;
-			    ncd.ncd_authstr = (u_char *)&ktick;
-			    ncd.ncd_authlen = nfsm_rndup(ktick.kt.length) +
-				3 * NFSX_UNSIGNED;
-			    ncd.ncd_verfstr = (u_char *)&kverf;
-			    ncd.ncd_verflen = sizeof (kverf);
-			    memmove(ncd.ncd_key, kcr.session,
-				sizeof (kcr.session));
-			    kin.t1 = htonl(ktv.tv_sec);
-			    kin.t2 = htonl(ktv.tv_usec);
-			    kin.w1 = htonl(NFS_KERBTTL);
-			    kin.w2 = htonl(NFS_KERBTTL - 1);
-			    bzero((caddr_t)kivec, sizeof (kivec));
-
-			    /*
-			     * Encrypt kin in CBC mode using the session
-			     * key in kcr.
-			     */
-			    XXX
-
-			    /*
-			     * Finally, fill the timestamp verifier into the
-			     * authenticator and verifier.
-			     */
-			    ktick.kind = htonl(RPCAKN_FULLNAME);
-			    kverf.kind = htonl(RPCAKN_FULLNAME);
-			    NFS_KERBW1(ktick.kt) = kout.w1;
-			    ktick.kt.length = htonl(ktick.kt.length);
-			    kverf.verf.t1 = kout.t1;
-			    kverf.verf.t2 = kout.t2;
-			    kverf.verf.w2 = kout.w2;
-			    nfssvc_flag = NFSSVC_MNTD | NFSSVC_GOTAUTH;
-			}
-			setreuid(0, 0);
-#endif /* NFSKERB */
-		}
-	}
 	exit(0);
 }
 
@@ -555,9 +405,6 @@ getnfsargs(spec, nfsargsp)
 	enum clnt_stat clnt_stat;
 	int so = RPC_ANYSOCK, i, nfsvers, mntvers, orgcnt;
 	char *hostp, *delimp;
-#ifdef NFSKERB
-	char *cp;
-#endif
 	u_short tport;
 	static struct nfhret nfhret;
 	static char nam[MNAMELEN + 1];
@@ -604,19 +451,9 @@ getnfsargs(spec, nfsargsp)
 #endif /* ISO */
 
 	/*
-	 * Handle an internet host address and reverse resolve it if
-	 * doing Kerberos.
+	 * Handle an internet host address
 	 */
-	if (inet_aton(hostp, &saddr.sin_addr) != 0) {
-		if ((nfsargsp->flags & NFSMNT_KERB)) {
-			if ((hp = gethostbyaddr((char *)&saddr.sin_addr.s_addr,
-			    sizeof (u_long), AF_INET)) == NULL) {
-				warnx("can't resolve hostname for address %s",
-				    hostp);
-				return (0);
-			}
-		}
-	} else {
+	if (inet_aton(hostp, &saddr.sin_addr) == 0) {
 		hp = gethostbyname(hostp);
 		if (hp == NULL) {
 			warnx("can't resolve address for host %s", hostp);
@@ -624,13 +461,6 @@ getnfsargs(spec, nfsargsp)
 		}
 		memcpy(&saddr.sin_addr, hp->h_addr, hp->h_length);
 	}
-#ifdef NFSKERB
-	if (nfsargsp->flags & NFSMNT_KERB) {
-		strlcpy(inst, hp->h_name, sizeof(inst));
-		if (cp = strchr(inst, '.'))
-			*cp = '\0';
-	}
-#endif /* NFSKERB */
 
 	if (force2) {
 		nfsvers = NFS_VER2;
@@ -667,10 +497,7 @@ tryagain:
 				clp->cl_auth = authunix_create_default();
 				try.tv_sec = 10;
 				try.tv_usec = 0;
-				if (nfsargsp->flags & NFSMNT_KERB)
-				    nfhret.auth = RPCAUTH_KERB4;
-				else
-				    nfhret.auth = RPCAUTH_UNIX;
+				nfhret.auth = RPCAUTH_UNIX;
 				nfhret.vers = mntvers;
 				clnt_stat = clnt_call(clp, RPCMNT_MOUNT,
 				    xdr_dir, spec, xdr_fh, &nfhret, try);
@@ -799,8 +626,8 @@ __dead void
 usage()
 {
 	(void)fprintf(stderr, "usage: mount_nfs %s\n%s\n%s\n%s\n",
-"[-23bcdiKklMPqsT] [-a maxreadahead] [-D deadthresh]",
-"\t[-g maxgroups] [-L leaseterm] [-m realm] [-o options] [-R retrycnt]",
+"[-23bcdiklMPsT] [-a maxreadahead] [-D deadthresh]",
+"\t[-g maxgroups] [-L leaseterm] [-o options] [-R retrycnt]",
 "\t[-r readsize] [-t timeout] [-w writesize] [-x retrans]",
 "\trhost:path node");
 	exit(1);