author | Tom Yu <tlyu@mit.edu> | 1999-02-18 00:47:13 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 1999-02-18 00:47:13 +0000 |
commit | 05d34d62d7485df256a596eccab7d00fe4fd5d93 (patch) | |
tree | b08c019b62199dfdb0014b7d8455f268bff69017 | |
parent | 48c003eb318bb0ef4d9abc0803f6cc0d091bcafb (diff) | |
* klogind.M: Document things a little better, including new
options controlling hostname manipulation.
* krlogind.c: Make use of pty_make_sane_hostname() for purposes of
manipulating hostname to pass to login. Also unconditionally
syslog IP address and full hostname of remote host. Add command
line options to control such behavior.
* configure.in: Add arpa/nameser.h to CHECK_HEADERS.
[pullup from trunk]
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/V1_0_BRANCH@11177 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/appl/bsd/ChangeLog | 12 | ||||
-rw-r--r-- | src/appl/bsd/configure.in | 2 | ||||
-rw-r--r-- | src/appl/bsd/klogind.M | 21 | ||||
-rw-r--r-- | src/appl/bsd/krlogind.c | 87 |
4 files changed, 90 insertions, 32 deletions
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index 5e8964a..c8338b3 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,15 @@ +Wed Feb 17 17:24:11 1999 Tom Yu <tlyu@mit.edu> + + * klogind.M: Document things a little better, including new + options controlling hostname manipulation. + + * krlogind.c: Make use of pty_make_sane_hostname() for purposes of + manipulating hostname to pass to login. Also unconditionally + syslog IP address and full hostname of remote host. Add command + line options to control such behavior. + + * configure.in: Add arpa/nameser.h to CHECK_HEADERS. + Fri Feb 12 10:20:20 1999 Theodore Y. Ts'o <tytso@mit.edu> * login.c (read_env_vars_from_file): Fix so that it uses diff --git a/src/appl/bsd/configure.in b/src/appl/bsd/configure.in index 8f53b87..3621985 100644 --- a/src/appl/bsd/configure.in +++ b/src/appl/bsd/configure.in @@ -82,7 +82,7 @@ AC_FUNC_CHECK(tcsetpgrp,AC_DEFINE(HAVE_TCSETPGRP)) AC_FUNC_CHECK(setpgid,AC_DEFINE(HAVE_SETPGID)) AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h ) AC_CHECK_HEADERS(sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h ) -AC_CHECK_HEADERS(sys/ptyvar.h utmp.h sys/time.h) +AC_CHECK_HEADERS(sys/ptyvar.h utmp.h sys/time.h arpa/nameser.h) AC_HEADER_STDARG AC_REPLACE_FUNCS(getdtablesize) KRB5_SIGTYPE diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M index 3db26c8..d03a538 100644 --- a/src/appl/bsd/klogind.M +++ b/src/appl/bsd/klogind.M @@ -10,7 +10,11 @@ klogind \- remote login server .SH SYNOPSIS .B klogind [ -.B \-kr54cpPe +.B \-kr54cpPesI +] +[ +.B \-u +.I utmp_hostname_length ] .SH DESCRIPTION .I Klogind 
@@ -124,6 +128,21 @@ size changes from the client are propagated to the pseudo terminal. .PP .I Klogind +supports the following options to control the form of the hostname +passed to the login program: + +.IP \fB-u\ utmp_hostname_length\fP +Set the maximum length of hostname passed to login to +\fIutmp_hostname_length\fP bytes, including terminating nul. + +.IP \fB-I\fP +Always pass a numeric IP address to login. + +.IP \fB-s\fP +Don't strip the local domain off hostnames. + +.PP +.I Klogind supports three options which are used for testing purposes: diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index e260aac..131cdcb 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -246,7 +246,7 @@ krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; -#define ARGSTR "k54ciepPD:S:M:L:?" +#define ARGSTR "k54ciepPD:S:M:L:u:Is?" #else /* !KERBEROS */ #define ARGSTR "rpPD:?" #define (*des_read) read @@ -274,11 +274,20 @@ char *login_program = LOGIN_PROGRAM; #define UT_NAMESIZE sizeof(((struct utmp *)0)->ut_name) #endif +#if HAVE_ARPA_NAMESER_H +#include <arpa/nameser.h> +#endif + +#ifndef MAXDNAME +#define MAXDNAME 256 /*per the rfc*/ +#endif + char lusername[UT_NAMESIZE+1]; char rusername[UT_NAMESIZE+1]; char *krusername = 0; char term[64]; -char rhost_name[128]; +char rhost_name[MAXDNAME]; +char rhost_addra[16]; krb5_principal client; int reapchild(); @@ -314,6 +323,10 @@ int auth_ok = 0, auth_sent = 0; int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0; int checksum_required = 0, checksum_ignored = 0; +int stripdomain = 1; +int maxhostlen = 0; +int always_ip = 0; + int main(argc, argv) int argc; char **argv; @@ -411,6 +424,15 @@ int main(argc, argv) case 'L': login_program = optarg; break; + case 'u': + maxhostlen = atoi(optarg); + break; + case 'I': + always_ip = 1; + break; + case 's': + stripdomain = 0; + break; case '?': default: usage(); 
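Review bot: `char rhost_addra[16];` in the @@ -274 hunk carries no comment explaining the 16, which is exactly the longest IPv4 dotted quad plus its NUL, the form `inet_ntoa()` produces in the @@ -539 hunk. I would document that on the declaration, e.g. `char rhost_addra[16]; /* "255.255.255.255" + NUL; IPv4 text form only */`, so the size is not reused for another address format by mistake. The fallback `#define MAXDNAME 256` applies only when `arpa/nameser.h` is missing or does not define it, so the size of `rhost_name` can differ between platforms; a short comment saying so would help whoever reads truncated hostnames in the logs.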
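Review bot: `maxhostlen = atoi(optarg);` in the new `case 'u'` of the @@ -411 hunk does no validation: non-numeric text silently becomes 0, and a negative or overflowing value is handed on to `pty_make_sane_hostname()`, whose treatment of such lengths is not visible on this page. Parsing with `strtol` and rejecting empty input, trailing text, range errors and negative values keeps a mistyped inetd.conf entry from quietly changing what is passed to login. This needs `<errno.h>` and `<limits.h>` if the file does not already include them, and the enclosing `switch` starts and ends outside the hunk.

```c
	case 'u': {
	    char *end;
	    long len;

	    errno = 0;
	    len = strtol(optarg, &end, 10);
	    /* reject empty input, trailing text, overflow and negative lengths */
	    if (end == optarg || *end != '\0' || errno == ERANGE
		|| len < 0 || len > INT_MAX)
		usage();	/* same handling as the '?' case; what follows usage() is outside the hunk */
	    else
		maxhostlen = (int)len;
	    break;
	}
	/* … unchanged: case 'I', case 's', case '?' … */
```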
@@ -515,7 +537,9 @@ void doit(f, fromp) struct sigaction sa; #endif int retval; -int syncpipe[2]; + char *rhost_sane; + int syncpipe[2]; + netf = -1; alarm(60); read(f, &c, 1); @@ -539,18 +563,14 @@ int syncpipe[2]; fromp->sin_port = ntohs((u_short)fromp->sin_port); hp = gethostbyaddr((char *) &fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); - if (hp == 0) { - /* - * Only the name is used below. - */ - sprintf(rhost_name,"%s",inet_ntoa(fromp->sin_addr)); - } - - /* Save hostent information.... */ - else { + strncpy(rhost_addra, inet_ntoa(fromp->sin_addr), sizeof (rhost_addra)); + rhost_addra[sizeof (rhost_addra) -1] = '\0'; + if (hp != NULL) { + /* Save hostent information.... */ strncpy(rhost_name,hp->h_name,sizeof (rhost_name)); rhost_name[sizeof (rhost_name) - 1] = '\0'; - } + } else + rhost_name[0] = '\0'; if (fromp->sin_family != AF_INET) fatal(f, "Permission denied - Malformed from address\n"); @@ -573,7 +593,7 @@ int syncpipe[2]; #if defined(KERBEROS) /* All validation, and authorization goes through do_krb_login() */ - do_krb_login(rhost_name); + do_krb_login(rhost_addra, rhost_name); #else getstr(f, rusername, sizeof(rusername), "remuser"); getstr(f, lusername, sizeof(lusername), "locuser"); @@ -663,11 +683,13 @@ int syncpipe[2]; pwd = (struct passwd *) getpwnam(lusername); if (pwd && (pwd->pw_uid == 0)) { if (passwd_req) - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) forcing password access", - krusername ? krusername : "", rusername, rhost_name); + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s)) forcing password access", + krusername ? krusername : "", + rusername, rhost_addra, rhost_name); else - syslog(LOG_NOTICE, "ROOT login by %s (%s@%s) ", - krusername ? krusername : "", rusername, rhost_name); + syslog(LOG_NOTICE, "ROOT login by %s (%s@%s (%s))", + krusername ? krusername : "", + rusername, rhost_addra, rhost_name); } #ifdef KERBEROS #if defined(LOG_REMOTE_REALM) && !defined(LOG_OTHER_USERS) && !defined(LOG_ALL_LOGINS) 
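Review bot: The name copied from `hp->h_name` into `rhost_name` in the @@ -539 hunk is the raw reverse-lookup result, and nothing visible here confirms it against the peer address, so the hostname in the new syslog lines is controlled by whoever serves the PTR record. I would say so next to the copy, e.g. `/* h_name is the unverified PTR result; rhost_addra is derived from fromp and is the field to trust in logs */`. When the lookup fails, `rhost_name[0] = '\0'` makes the `%s@%s (%s)` messages in the @@ -663 and @@ -688 hunks, and the one in @@ -1078, print an empty `()`; storing a fixed marker instead would keep those lines unambiguous for log parsers. The lone `else` after a braced `if` would also read better with braces, and `doit` starts and ends outside the hunk.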
@@ -688,14 +710,14 @@ int syncpipe[2]; { if (passwd_req) syslog(LOG_NOTICE, - "login by %s (%s@%s) as %s forcing password access\n", + "login by %s (%s@%s (%s)) as %s forcing password access", krusername ? krusername : "", rusername, - rhost_name, lusername); + rhost_addra, rhost_name, lusername); else syslog(LOG_NOTICE, - "login by %s (%s@%s) as %s\n", + "login by %s (%s@%s (%s)) as %s", krusername ? krusername : "", rusername, - rhost_name, lusername); + rhost_addra, rhost_name, lusername); } #endif /* LOG_REMOTE_REALM || LOG_OTHER_USERS || LOG_ALL_LOGINS */ #endif /* KERBEROS */ @@ -718,15 +740,20 @@ int syncpipe[2]; *cp = '\0'; setenv("TERM",term, 1); } - + + retval = pty_make_sane_hostname(fromp, maxhostlen, + stripdomain, always_ip, + &rhost_sane); + if (retval) + fatalperror(2, "failed make_sane_hostname"); if (passwd_req) - execl(login_program, "login", "-p", "-h", rhost_name, + execl(login_program, "login", "-p", "-h", rhost_sane, lusername, 0); else - execl(login_program, "login", "-p", "-h", rhost_name, + execl(login_program, "login", "-p", "-h", rhost_sane, "-f", lusername, 0); #else /* USE_LOGIN_F */ - execl(login_program, "login", "-r", rhost_name, 0); + execl(login_program, "login", "-r", rhost_sane, 0); #endif /* USE_LOGIN_F */ fatalperror(2, login_program); @@ -1059,8 +1086,8 @@ void fatalperror(f, msg) #ifdef KERBEROS void -do_krb_login(host) - char *host; +do_krb_login(host_addr, hostname) + char *host_addr, *hostname; { krb5_error_code status; struct passwd *pwd; @@ -1078,8 +1105,8 @@ do_krb_login(host) krb5_free_ticket(bsd_context, ticket); if (status != 255) syslog(LOG_ERR, - "Authentication failed from %s: %s\n", - host,error_message(status)); + "Authentication failed from %s (%s): %s\n",host_addr, + hostname,error_message(status)); fatal(netf, "Kerberos authentication failed"); return; } |
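Review bot: `rhost_sane` is assigned only by the `pty_make_sane_hostname()` call added just above `if (passwd_req)` in the @@ -718 hunk, yet the `#else /* USE_LOGIN_F */` branch now passes it to `execl(login_program, "login", "-r", rhost_sane, 0)`. The opening conditional is outside the hunk, but if it sits above the `setenv("TERM",term, 1)` block, a build without USE_LOGIN_F hands an uninitialized pointer to `execl`. Moving the call and its `if (retval)` check above that conditional, so both branches run it, would close the gap. Separately, `fatalperror(2, "failed make_sane_hostname")` discards `retval`; if `fatalperror` reports `errno` (its body is not shown here), the message may not describe the real failure.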
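Review bot: The rewritten message in the @@ -1078 hunk, `"Authentication failed from %s (%s): %s\n"`, keeps its trailing `\n` although this commit strips it from the login messages in the @@ -688 hunk. Dropping it here as well, `"Authentication failed from %s (%s): %s",host_addr,`, keeps the syslog strings consistent. A one-line comment on `do_krb_login` stating that `host_addr` is the numeric peer address and `hostname` the possibly empty reverse-lookup name would document the new two-argument contract. The function body continues outside the hunk.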