[src/trunk]: src/usr.bin/login Kerberos5 changes to login -- now supports for...
details: https://anonhg.NetBSD.org/src/rev/1ad0980fed64
branches: trunk
changeset: 474623:1ad0980fed64
user: aidan <aidan%NetBSD.org@localhost>
date: Mon Jul 12 21:36:10 1999 +0000
description:
Kerberos5 changes to login -- now supports forwarded TGTs.
diffstat:
usr.bin/login/Makefile | 5 +-
usr.bin/login/k5login.c | 103 +++++++++++++++++++++++++++++++++++++++++++++--
usr.bin/login/login.1 | 13 +++++-
usr.bin/login/login.c | 27 ++++++++++-
4 files changed, 135 insertions(+), 13 deletions(-)
diffs (280 lines):
diff -r 94fe0d30c499 -r 1ad0980fed64 usr.bin/login/Makefile
--- a/usr.bin/login/Makefile Mon Jul 12 20:55:32 1999 +0000
+++ b/usr.bin/login/Makefile Mon Jul 12 21:36:10 1999 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.21 1999/03/05 01:07:56 kim Exp $
+# $NetBSD: Makefile,v 1.22 1999/07/12 21:36:10 aidan Exp $
# @(#)Makefile 8.1 (Berkeley) 7/19/93
.include <bsd.own.mk> # for EXPORTABLE_SYSTEM definition
-.if !exists(${.CURDIR}/../../domestic/usr.bin/login) || \
+.if !exists(${.CURDIR}/../../domestic/usr.bin/login) && \
+ !exists(${.CURDIR}/../../crypto-us/usr.bin/login) || \
defined(EXPORTABLE_SYSTEM) || \
make(obj) || make(clean) || make(cleandir) || make(distclean)
diff -r 94fe0d30c499 -r 1ad0980fed64 usr.bin/login/k5login.c
--- a/usr.bin/login/k5login.c Mon Jul 12 20:55:32 1999 +0000
+++ b/usr.bin/login/k5login.c Mon Jul 12 21:36:10 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: k5login.c,v 1.6 1997/10/12 14:07:06 mycroft Exp $ */
+/* $NetBSD: k5login.c,v 1.7 1999/07/12 21:36:10 aidan Exp $ */
/*-
* Copyright (c) 1990 The Regents of the University of California.
@@ -38,7 +38,7 @@
#if 0
static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92";
#endif
-__RCSID("$NetBSD: k5login.c,v 1.6 1997/10/12 14:07:06 mycroft Exp $");
+__RCSID("$NetBSD: k5login.c,v 1.7 1999/07/12 21:36:10 aidan Exp $");
#endif /* not lint */
#ifdef KERBEROS5
@@ -48,6 +48,7 @@
#include <pwd.h>
#include <netdb.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -67,6 +68,101 @@
extern char *tty;
static char tkt_location[MAXPATHLEN];
+static krb5_creds forw_creds;
+int have_forward;
+static krb5_principal me, server;
+
+/*
+ * Attempt to read forwarded kerberos creds
+ *
+ * return 0 on success (forwarded creds in memory)
+ * 1 if no forwarded creds.
+ */
+int
+k5_read_creds(username)
+ char *username;
+{
+ krb5_error_code code;
+ krb5_creds mcreds;
+ krb5_ccache ccache;
+
+ have_forward = 0;
+ memset((char*) &mcreds, 0, sizeof(forw_creds));
+ memset((char*) &forw_creds, 0, sizeof(forw_creds));
+
+ code = krb5_cc_default(kcontext, &ccache);
+ if (code) {
+ com_err("login", code, "while getting default ccache");
+ return(1);
+ }
+
+ code = krb5_parse_name(kcontext, username, &me);
+ if (code) {
+ com_err("login", code, "when parsing name %s", username);
+ return(1);
+ }
+
+ mcreds.client = me;
+ code = krb5_build_principal_ext(kcontext, &mcreds.server,
+ krb5_princ_realm(kcontext, me)->length,
+ krb5_princ_realm(kcontext, me)->data,
+ tgtname.length, tgtname.data,
+ krb5_princ_realm(kcontext, me)->length,
+ krb5_princ_realm(kcontext, me)->data,
+ 0);
+ if (code) {
+ com_err("login", code, "while building server name");
+ goto nuke_ccache;
+ }
+
+ code = krb5_cc_retrieve_cred(kcontext, ccache, 0,
+ &mcreds, &forw_creds);
+ if (code) {
+ com_err("login", code, "while retrieving V5 initial ticket for copy");
+ goto nuke_ccache;
+ }
+ have_forward = 1;
+
+ strcpy(tkt_location, getenv("KRB5CCNAME"));
+ krbtkfile_env = tkt_location;
+ notickets = 0;
+
+nuke_ccache:
+ krb5_cc_destroy(kcontext, ccache);
+ return(!have_forward);
+}
+
+int
+k5_write_creds()
+{
+ krb5_error_code code;
+ krb5_ccache ccache;
+ char buf[256];
+
+ if (!have_forward)
+ return(1);
+ code = krb5_cc_default(kcontext, &ccache);
+ if (code) {
+ com_err("login", code, "while getting default ccache");
+ return(1);
+ }
+
+ code = krb5_cc_initialize(kcontext, ccache, me);
+ if (code) {
+ com_err("login", code, "while re-initializing V5 ccache as user");
+ goto nuke_ccache_contents;
+ }
+
+ code = krb5_cc_store_cred(kcontext, ccache, &forw_creds);
+ if (code) {
+ com_err("login", code, "while re-storing V5 ccache as user");
+ goto nuke_ccache_contents;
+ }
+
+nuke_ccache_contents:
+ krb5_free_cred_contents(kcontext, &forw_creds);
+ return(code != 0);
+}
/*
* Attempt to log the user in using Kerberos authentication
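Review bot: `strcpy(tkt_location, getenv("KRB5CCNAME"))` in k5_read_creds copies an environment value of unbounded length into the MAXPATHLEN-sized `tkt_location`, and getenv() returns NULL when the variable is unset, which strcpy() does not tolerate; both the NULL case and the length need a check, and since `nuke_ccache` returns `!have_forward` the copy should be validated before `have_forward = 1` is set. A failure after krb5_cc_retrieve_cred() has filled `forw_creds` also needs krb5_free_cred_contents(), which the hunk only does in k5_write_creds. Separately, the krb5_parse_name() failure path returns without reaching `nuke_ccache`, so that error leaves the ccache handle open while every later error destroys the cache — presumably the destroy-on-failure is intended (the forwarded cache is consumed), but it would help to say so in the function comment, and `char buf[256]` in k5_write_creds is unused.
```c
	const char *ccname;
	/* … unchanged: krb5_cc_retrieve_cred() and its error check … */
	ccname = getenv("KRB5CCNAME");
	if (ccname == NULL || strlen(ccname) >= sizeof(tkt_location)) {
		com_err("login", 0, "KRB5CCNAME unset or too long");
		krb5_free_cred_contents(kcontext, &forw_creds);
		goto nuke_ccache;
	}
	strcpy(tkt_location, ccname);	/* length checked above */
	have_forward = 1;
	krbtkfile_env = tkt_location;
	notickets = 0;
```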
@@ -81,7 +177,6 @@
{
krb5_error_code kerror;
krb5_address **my_addresses;
- krb5_principal me, server;
krb5_creds my_creds;
krb5_timestamp now;
krb5_ccache ccache = NULL;
@@ -91,8 +186,6 @@
int i;
char *realm, *client_name;
char *principal;
-
- krb5_init_ets(kcontext);
/*
* Root logins don't use Kerberos.
diff -r 94fe0d30c499 -r 1ad0980fed64 usr.bin/login/login.1
--- a/usr.bin/login/login.1 Mon Jul 12 20:55:32 1999 +0000
+++ b/usr.bin/login/login.1 Mon Jul 12 21:36:10 1999 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: login.1,v 1.16 1999/03/22 18:16:39 garbled Exp $
+.\" $NetBSD: login.1,v 1.17 1999/07/12 21:36:11 aidan Exp $
.\"
.\" Copyright (c) 1980, 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -41,7 +41,7 @@
.Nd authenticate users and set up their session environment
.Sh SYNOPSIS
.Nm
-.Op Fl fps
+.Op Fl Ffps
.Op Fl h Ar hostname
.Op Ar user
.Sh DESCRIPTION
@@ -67,6 +67,15 @@
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl F
+The
+.Fl F
+option acts like the
+.Fl f
+option, but also indicates to \fBlogin\fR
+that it should attempt to rewrite an existing kerberos5 credentials cache
+(specified by the KRB5CCNAME environment variable) after dropping
+permissions to the user logging in.
.It Fl f
The
.Fl f
diff -r 94fe0d30c499 -r 1ad0980fed64 usr.bin/login/login.c
--- a/usr.bin/login/login.c Mon Jul 12 20:55:32 1999 +0000
+++ b/usr.bin/login/login.c Mon Jul 12 21:36:10 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: login.c,v 1.43 1999/06/15 14:19:53 christos Exp $ */
+/* $NetBSD: login.c,v 1.44 1999/07/12 21:36:11 aidan Exp $ */
/*-
* Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
@@ -44,7 +44,7 @@
#if 0
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif
-__RCSID("$NetBSD: login.c,v 1.43 1999/06/15 14:19:53 christos Exp $");
+__RCSID("$NetBSD: login.c,v 1.44 1999/07/12 21:36:11 aidan Exp $");
#endif /* not lint */
/*
@@ -101,6 +101,10 @@
void kdestroy __P((void));
void dofork __P((void));
#endif
+#ifdef KERBEROS5
+int k5_read_creds __P((char*));
+int k5_write_creds __P((void));
+#endif
#define TTYGRPNAME "tty" /* name of group to own ttys */
@@ -117,6 +121,7 @@
#endif
#ifdef KERBEROS5
extern krb5_context kcontext;
+extern int have_forward;
#endif
struct passwd *pwd;
@@ -140,6 +145,7 @@
struct timeval tp;
struct utmp utmp;
int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin, rval;
+ int Fflag;
uid_t uid, saved_uid;
gid_t saved_gid, saved_gids[NGROUPS_MAX];
int nsaved_gids;
@@ -179,10 +185,16 @@
domain = strchr(localhost, '.');
localhost[sizeof(localhost) - 1] = '\0';
- fflag = hflag = pflag = sflag = 0;
+ Fflag = fflag = hflag = pflag = sflag = 0;
+#ifdef KERBEROS5
+ have_forward = 0;
+#endif
uid = getuid();
- while ((ch = getopt(argc, argv, "fh:ps")) != -1)
+ while ((ch = getopt(argc, argv, "Ffh:ps")) != -1)
switch (ch) {
+ case 'F':
+ Fflag = 1;
+ /* FALLTHROUGH */
case 'f':
fflag = 1;
break;
@@ -292,6 +304,10 @@
if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
/* already authenticated */
+#ifdef KERBEROS5
+ if (Fflag)
+ k5_read_creds(username);
+#endif
break;
} else if (pwd->pw_passwd[0] == '\0') {
/* pretend password okay */
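Review bot: The return value of `k5_read_creds(username)` is discarded, so a `-F` login whose forwarded credentials cannot be read continues as an ordinary `-f` login with only the com_err() output from k5_read_creds as a diagnostic, and (per the `nuke_ccache` path in the k5login.c hunk) the cache named by KRB5CCNAME has already been destroyed by then. If that is the intended best-effort behaviour, a comment at the call site would save the next reader from wondering, e.g. `/* -F: stash forwarded creds now (destroys the caller's ccache); k5_write_creds() re-stores them as the user before exec */`. The enclosing function starts and ends outside this hunk.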
@@ -568,6 +584,9 @@
}
}
+#ifdef KERBEROS5
+ k5_write_creds();
+#endif
execlp(pwd->pw_shell, tbuf, 0);
err(1, "%s", pwd->pw_shell);
}
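Review bot: `k5_write_creds()` is called immediately before execlp() with its result ignored; when krb5_cc_initialize() succeeds but krb5_cc_store_cred() fails, the user is handed a shell whose KRB5CCNAME points at a freshly initialised, empty cache, and the forwarded credentials have been freed, with no message beyond com_err(). Since login.c already uses err() on the next line, `if (k5_write_creds() != 0) warnx("could not restore forwarded Kerberos credentials");` would at least tell the user what happened; have_forward == 0 returns 1 too, so the check should be limited to the `-F` case (`Fflag &&`) or k5_write_creds should distinguish "nothing to do" from failure. Whether privileges have already been dropped at this point, as login.1 states, is not visible in the hunk. The enclosing function starts outside the hunk.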