-rw-r--r-- | sbin/nfsd/Makefile | 8 | ||||
-rw-r--r-- | sbin/nfsd/nfsd.c | 106 | ||||
-rw-r--r-- | sys/nfs/nfs_socket.c | 18 | ||||
-rw-r--r-- | sys/nfs/nfs_syscalls.c | 19 | ||||
-rw-r--r-- | sys/nfs/rpcv2.h | 7 |
5 files changed, 5 insertions, 153 deletions
diff --git a/sbin/nfsd/Makefile b/sbin/nfsd/Makefile index 02f8e6870d9..da806b6b147 100644 --- a/sbin/nfsd/Makefile +++ b/sbin/nfsd/Makefile @@ -1,14 +1,8 @@ -# $OpenBSD: Makefile,v 1.6 2000/09/03 18:41:16 espie Exp $ +# $OpenBSD: Makefile,v 1.7 2002/06/11 15:45:44 hin Exp $ PROG= nfsd MAN= nfsd.8 .include <bsd.own.mk> # For KERBEROS -.if (${KERBEROS:L} == "yes") -CFLAGS+=-DKERBEROS -LDADD+= -lkrb -ldes -DPADD+= ${LIBKRB} ${LIBDES} -.endif - .include <bsd.prog.mk> diff --git a/sbin/nfsd/nfsd.c b/sbin/nfsd/nfsd.c index 6fba9ea91ef..29408ac2ecd 100644 --- a/sbin/nfsd/nfsd.c +++ b/sbin/nfsd/nfsd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nfsd.c,v 1.17 2002/05/22 08:21:02 deraadt Exp $ */ +/* $OpenBSD: nfsd.c,v 1.18 2002/06/11 15:45:44 hin Exp $ */ /* $NetBSD: nfsd.c,v 1.19 1996/02/18 23:18:56 mycroft Exp $ */ /* @@ -72,11 +72,6 @@ static char rcsid[] = "$NetBSD: nfsd.c,v 1.19 1996/02/18 23:18:56 mycroft Exp $" #include <nfs/nfsproto.h> #include <nfs/nfs.h> -#ifdef NFSKERB -#include <des.h> -#include <kerberosIV/krb.h> -#endif - #include <err.h> #include <errno.h> #include <fcntl.h> @@ -99,18 +94,6 @@ int debug = 0; struct nfsd_srvargs nsd; -#ifdef NFSKERB -char lnam[ANAME_SZ]; -KTEXT_ST kt; -AUTH_DAT kauth; -char inst[INST_SZ]; -struct nfsrpc_fullblock kin, kout; -struct nfsrpc_fullverf kverf; -NFSKERBKEY_T kivec; -struct timeval ktv; -NFSKERBKEYSCHED_T kerb_keysched; -#endif - void nonfs(int); void reapchild(int); void usage(void); @@ -148,14 +131,6 @@ main(argc, argv, envp) int ch, cltpflag, connect_type_cnt, i, len, maxsock = 0, msgsock; int nfsdcnt, nfssvc_flag, on, reregister, sock, tcpflag, tcpsock; int tp4cnt, tpipcnt, udpflag; -#ifdef NFSKERB - struct ucred *cr; - char *cp, **cpp; - int tpipflag = 0, tp4flag = 0, tpipsock = 0, tp4sock; - struct timeval ktv; - struct passwd *pwd; - struct group *grp; -#endif #define MAXNFSDCNT 20 #define DEFNFSDCNT 4 
@@ -259,91 +234,12 @@ main(argc, argv, envp) setproctitle("server"); nfssvc_flag = NFSSVC_NFSD; nsd.nsd_nfsd = NULL; -#ifdef NFSKERB - if (sizeof (struct nfsrpc_fullverf) != RPCX_FULLVERF || - sizeof (struct nfsrpc_fullblock) != RPCX_FULLBLOCK) - syslog(LOG_ERR, "Yikes NFSKERB structs not packed!"); - nsd.nsd_authstr = (u_char *)&kt; - nsd.nsd_authlen = sizeof (kt); - nsd.nsd_verfstr = (u_char *)&kverf; - nsd.nsd_verflen = sizeof (kverf); -#endif while (nfssvc(nfssvc_flag, &nsd) < 0) { if (errno != ENEEDAUTH) { syslog(LOG_ERR, "nfssvc: %m"); return (1); } nfssvc_flag = NFSSVC_NFSD | NFSSVC_AUTHINFAIL; -#ifdef NFSKERB - /* - * Get the Kerberos ticket out of the authenticator - * verify it and convert the principal name to a user - * name. The user name is then converted to a set of - * user credentials via the password and group file. - * Finally, decrypt the timestamp and validate it. - * For more info see the IETF Draft "Authentication - * in ONC RPC". - */ - kt.length = ntohl(kt.length); - if (gettimeofday(&ktv, NULL) == 0 && - kt.length > 0 && kt.length <= - (RPCAUTH_MAXSIZ - 3 * NFSX_UNSIGNED)) { - kin.w1 = NFS_KERBW1(kt); - kt.mbz = 0; - (void)strlcpy(inst, "*", sizeof inst); - if (krb_rd_req(&kt, NFS_KERBSRV, - inst, nsd.nsd_haddr, &kauth, "") == RD_AP_OK && - krb_kntoln(&kauth, lnam) == KSUCCESS && - (pwd = getpwnam(lnam)) != NULL) { - cr = &nsd.nsd_cr; - cr->cr_uid = pwd->pw_uid; - cr->cr_groups[0] = pwd->pw_gid; - cr->cr_ngroups = 1; - setgrent(); - while ((grp = getgrent()) != NULL) { - if (grp->gr_gid == cr->cr_groups[0]) - continue; - for (cpp = grp->gr_mem; - *cpp != NULL; ++cpp) - if (!strcmp(*cpp, lnam)) - break; - if (*cpp == NULL) - continue; - cr->cr_groups[cr->cr_ngroups++] - = grp->gr_gid; - if (cr->cr_ngroups == NGROUPS) - break; - } - endgrent(); - - /* - * Get the timestamp verifier out of the - * authenticator and verifier strings. 
- */ - kin.t1 = kverf.t1; - kin.t2 = kverf.t2; - kin.w2 = kverf.w2; - memset((caddr_t)kivec, 0, sizeof (kivec)); - memmove((caddr_t)nsd.nsd_key, - (caddr_t)kauth.session, - sizeof(kauth.session)); - - /* - * Decrypt the timestamp verifier in CBC mode. - */ - XXX - - /* - * Validate the timestamp verifier, to - * check that the session key is ok. - */ - nsd.nsd_timestamp.tv_sec = ntohl(kout.t1); - nsd.nsd_timestamp.tv_usec = ntohl(kout.t2); - nsd.nsd_ttl = ntohl(kout.w1); - if ((nsd.nsd_ttl - 1) == ntohl(kout.w2)) - nfssvc_flag = NFSSVC_NFSD | NFSSVC_AUTHIN; - } -#endif /* NFSKERB */ } return (0); } diff --git a/sys/nfs/nfs_socket.c b/sys/nfs/nfs_socket.c index 4da8153efd6..d5d22861f99 100644 --- a/sys/nfs/nfs_socket.c +++ b/sys/nfs/nfs_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nfs_socket.c,v 1.27 2002/05/17 18:41:01 csapuntz Exp $ */ +/* $OpenBSD: nfs_socket.c,v 1.28 2002/06/11 15:45:44 hin Exp $ */ /* $NetBSD: nfs_socket.c,v 1.27 1996/04/15 20:20:00 thorpej Exp $ */ /* @@ -1139,14 +1139,6 @@ nfs_rephead(siz, nd, slp, err, cache, frev, mrq, mbp, bposp) ktvin.tv_usec = txdr_unsigned(nuidp->nu_timestamp.tv_usec); - /* - * Encrypt the timestamp in ecb mode using the - * session key. - */ -#ifdef NFSKERB - XXX -#endif - *tl++ = rpc_auth_kerb; *tl++ = txdr_unsigned(3 * NFSX_UNSIGNED); *tl = ktvout.tv_sec; @@ -1671,14 +1663,6 @@ nfs_getreq(nd, nfsd, has_header) return (0); } - /* - * Now, decrypt the timestamp using the session key - * and validate it. - */ -#ifdef NFSKERB - XXX -#endif - tvout.tv_sec = fxdr_unsigned(long, tvout.tv_sec); tvout.tv_usec = fxdr_unsigned(long, tvout.tv_usec); if (nuidp->nu_expire < time.tv_sec || diff --git a/sys/nfs/nfs_syscalls.c b/sys/nfs/nfs_syscalls.c index c70bf07c8f2..881f8a843d8 100644 --- a/sys/nfs/nfs_syscalls.c +++ b/sys/nfs/nfs_syscalls.c 
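Review bot: With the placeholder gone, nfs_rephead still writes `*tl = ktvout.tv_sec;` into the rpc_auth_kerb reply verifier, yet nothing visible in the hunk ever assigns `ktvout` (only `ktvin` is filled in), so the reply may carry whatever that variable happened to hold. The same pattern remains in nfs_getreq, where `tvout` is converted and then checked against `nuidp->nu_expire`, and in the nfs_getnickauth and nfs_savenickauth hunks of nfs_syscalls.c. The declarations and the rest of each function lie outside these hunks, so this is inferred from the visible lines only. Because the encrypt/decrypt step was never implemented, the Kerberos nickname-verifier paths would be better removed together with the placeholders, or made to fail closed. As a stopgap, zero the output before use, e.g. `ktvout.tv_sec = 0; ktvout.tv_usec = 0;`, and add a comment such as `/* XXX Kerberos verifier is not implemented; ktvout is never computed */`.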
@@ -1,4 +1,4 @@ -/* $OpenBSD: nfs_syscalls.c,v 1.30 2002/03/14 01:27:13 millert Exp $ */ +/* $OpenBSD: nfs_syscalls.c,v 1.31 2002/06/11 15:45:44 hin Exp $ */ /* $NetBSD: nfs_syscalls.c,v 1.19 1996/02/18 11:53:52 fvdl Exp $ */ /* @@ -146,9 +146,6 @@ nfs_clientd(struct nfsmount *nmp, struct ucred *cred, struct nfsd_cargs *ncd, nmp->nm_authtype = ncd->ncd_authtype; nmp->nm_authlen = ncd->ncd_authlen; nmp->nm_verflen = ncd->ncd_verflen; -#ifdef NFSKERB - nmp->nm_key = ncd->ncd_key; -#endif } else nmp->nm_flag |= NFSMNT_AUTHERR; } else @@ -1153,14 +1150,6 @@ nfs_getnickauth(nmp, cred, auth_str, auth_len, verf_str, verf_len) ktvin.tv_sec = txdr_unsigned(nuidp->nu_timestamp.tv_sec); ktvin.tv_usec = txdr_unsigned(nuidp->nu_timestamp.tv_usec); - /* - * Now encrypt the timestamp verifier in ecb mode using the session - * key. - */ -#ifdef NFSKERB - XXX -#endif - *verfp++ = ktvout.tv_sec; *verfp++ = ktvout.tv_usec; *verfp = 0; @@ -1195,12 +1184,6 @@ nfs_savenickauth(nmp, cred, len, key, mdp, dposp, mrep) ktvin.tv_usec = *tl++; nick = fxdr_unsigned(u_int32_t, *tl); - /* - * Decrypt the timestamp in ecb mode. - */ -#ifdef NFSKERB - XXX -#endif ktvout.tv_sec = fxdr_unsigned(long, ktvout.tv_sec); ktvout.tv_usec = fxdr_unsigned(long, ktvout.tv_usec); deltasec = time.tv_sec - ktvout.tv_sec; diff --git a/sys/nfs/rpcv2.h b/sys/nfs/rpcv2.h index e78d184e7e0..50be489e937 100644 --- a/sys/nfs/rpcv2.h +++ b/sys/nfs/rpcv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rpcv2.h,v 1.4 1996/04/17 04:50:42 mickey Exp $ */ +/* $OpenBSD: rpcv2.h,v 1.5 2002/06/11 15:45:44 hin Exp $ */ /* $NetBSD: rpcv2.h,v 1.8 1996/02/18 11:54:11 fvdl Exp $ */ /* 
@@ -138,13 +138,8 @@ struct nfsrpc_nickverf { #define RPCX_FULLBLOCK 16 #define RPCX_NICKVERF 16 -#ifdef NFSKERB -XXX -#else typedef u_char NFSKERBKEY_T[2]; typedef u_char NFSKERBKEYSCHED_T[2]; -#endif -#define NFS_KERBSRV "rcmd" /* Kerberos Service for NFS */ #define NFS_KERBTTL (30 * 60) /* Credential ttl (sec) */ #define NFS_KERBCLOCKSKEW (5 * 60) /* Clock skew (sec) */ #define NFS_KERBW1(t) (*((u_long *)(&((t).dat[((t).length + 3) & ~0x3])))) |