Kerberos can now deal with multi-homed clients.

Kerberos obtains a network address for the local host from the routing
tables and uses it consistently for all Kerberos transactions.  This ensures
that packets only leave the *authenticated* interface.  Clients who open
and use their own sockets for encrypted or authenticated correspondance
to kerberos services should bind their sockets to the same address as that
used by kerberos.  krb_get_local_addr() and krb_bind_local_addr() allow
clients to obtain the local address or bind a socket to the local address
used by Kerberos respectively.

Reviewed by: Mark Murray <markm>, Garrett Wollman <wollman>
Obtained from: concept by Dieter Dworkin Muller <dworkin@village.org>

eBones/include/krb.h

@@ -6,7 +6,7 @@
  * Include file for the Kerberos library.
  *
  *	from: krb.h,v 4.26 89/08/08 17:55:25 jtkohl Exp $
- *	$Id: krb.h,v 1.7 1995/09/07 20:50:36 mark Exp $
+ *	$Id: krb.h,v 1.6 1995/09/13 17:23:47 markm Exp $
  */
 
 /* Only one time, please */
@@ -259,6 +259,15 @@ typedef struct msg_dat MSG_DAT;
 /* Error code returned by kparse_name */
 #define		KNAME_FMT	81	/* Bad Kerberos name format */
 
+/* Error codes returned by get_local_addr and bind_local_addr */
+#define		GT_LADDR_NOSOCK  82	/* Can't open socket */
+#define		GT_LADDR_IFLIST	 83	/*
+					 * Can't retrieve local interface 
+					 * configuration list
+					 */
+#define		GT_LADDR_NVI	 84	/* No valid local interface found */
+#define		BND_LADDR_BIND	 85	/* Can't bind local address */
+
 /* Error code returned by krb_mk_safe */
 #define		SAFE_PRIV_ERROR	-1	/* syscall error */
 
@@ -456,6 +465,8 @@ int read_service_key __P((char *service, char *instance, char *realm, int kvno,
     char *file, char *key));
 int get_ad_tkt __P((char *service, char *sinstance, char *realm, int lifetime));
 int send_to_kdc __P((KTEXT pkt, KTEXT rpkt, char *realm));
+int krb_bind_local_addr __P((int s));
+int krb_get_local_addr __P((struct sockaddr_in *returned_addr));
 int krb_create_ticket __P((KTEXT tkt, unsigned char flags, char *pname,
     char *pinstance, char *prealm, long paddress, char *session, short life,
     long time_sec, char *sname, char *sinstance, C_Block key));

eBones/lib/libkadm/kadm_cli_wrap.c

@@ -12,7 +12,7 @@
 static char rcsid_kadm_cli_wrap_c[] =
 "from: Id: kadm_cli_wrap.c,v 4.6 89/12/30 20:09:45 qjb Exp";
 static const char rcsid[] =
-	"$Id: kadm_cli_wrap.c,v 1.1 1995/07/18 16:40:23 mark Exp $";
+	"$Id: kadm_cli_wrap.c,v 1.4 1995/09/07 21:38:47 markm Exp $";
 #endif	lint
 #endif
 
@@ -422,10 +422,24 @@ int
 kadm_cli_conn()
 {					/* this connects and sets my_addr */
     int on = 1;
+    int kerror;
 
     if ((client_parm.admin_fd =
 	 socket(client_parm.admin_addr.sin_family, SOCK_STREAM,0)) < 0)
 	return KADM_NO_SOCK;		/* couldnt create the socket */
+    client_parm.my_addr_len = sizeof(client_parm.my_addr);
+    if ((kerror = krb_get_local_addr(&client_parm.my_addr)) != KSUCCESS) {
+	(void) close(client_parm.admin_fd);
+	client_parm.admin_fd = -1;
+	return KADM_NO_HERE;
+    }
+    if (bind(client_parm.admin_fd,
+		(struct sockaddr *) & client_parm.admin_addr,
+		sizeof(client_parm.my_addr))) {
+	(void) close(client_parm.admin_fd);
+	client_parm.admin_fd = -1;
+	return KADM_NO_HERE;
+    }
     if (connect(client_parm.admin_fd,
 		(struct sockaddr *) & client_parm.admin_addr,
 		sizeof(client_parm.admin_addr))) {
@@ -434,15 +448,6 @@ kadm_cli_conn()
 	return KADM_NO_CONN;		/* couldnt get the connect */
     }
     opipe = signal(SIGPIPE, SIG_IGN);
-    client_parm.my_addr_len = sizeof(client_parm.my_addr);
-    if (getsockname(client_parm.admin_fd,
-		    (struct sockaddr *) & client_parm.my_addr,
-		    &client_parm.my_addr_len) < 0) {
-	(void) close(client_parm.admin_fd);
-	client_parm.admin_fd = -1;
-	(void) signal(SIGPIPE, opipe);
-	return KADM_NO_HERE;		/* couldnt find out who we are */
-    }
     if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE, &on,
 		   sizeof(on)) < 0) {
 	(void) close(client_parm.admin_fd);

eBones/lib/libkrb/Makefile

@@ -1,5 +1,5 @@
 #	From: @(#)Makefile	5.1 (Berkeley) 6/25/90
-#	$Id: Makefile,v 1.8 1995/09/13 17:23:55 markm Exp $
+#	$Id: Makefile,v 1.9 1995/09/14 04:05:02 gibbs Exp $
 
 LIB=	krb
 CFLAGS+=-DKERBEROS -DCRYPT -DDEBUG -DBSD42
@@ -31,7 +31,8 @@ MAN3=	krb.3 krb_realmofhost.3 krb_sendauth.3 krb_set_tkt_string.3 \
 MLINKS=	krb.3 krb_mk_req.3 krb.3 krb_rd_req.3 krb.3 krb_kntoln.3 \
 	krb.3 krb_set_key.3 krb.3 krb_get_cred.3 krb.3 krb_mk_priv.3 \
 	krb.3 krb_rd_priv.3 krb.3 krb_mk_safe.3 krb.3 krb_rd_safe.3 \
-	krb.3 krb_mk_err.3 krb.3 krb_rd_err.3 krb.3 krb_ck_repl.3
+	krb.3 krb_mk_err.3 krb.3 krb_rd_err.3 krb.3 krb_ck_repl.3 \
+	krb.3 krb_get_local_addr.3 krb.3 krb_bind_local_addr.3
 
 MLINKS+=krb_realmofhost.3 krb_get_phost.3 krb_realmofhost.3 krb_get_krbhst.3 \
 	krb_realmofhost.3 krb_get_admhst.3 krb_realmofhost.3 krb_get_lrealm.3

eBones/lib/libkrb/krb.3

@@ -1,6 +1,6 @@
-.\" $Source: /usr/cvs/src/eBones/krb/krb.3,v $
-.\" $Author: mark $
-.\" $Header: /usr/cvs/src/eBones/krb/krb.3,v 1.2 1995/07/18 16:40:57 mark Exp $
+.\" $Source: /home/ncvs/src/eBones/lib/libkrb/krb.3,v $
+.\" $Author: markm $
+.\" $Header: /home/ncvs/src/eBones/lib/libkrb/krb.3,v 1.3 1995/09/13 17:23:55 markm Exp $
 .\" Copyright 1989 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
@@ -8,9 +8,12 @@
 .\"
 .TH KERBEROS 3 "Kerberos Version 4.0" "MIT Project Athena"
 .SH NAME
-krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred,
-krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err,
-krb_rd_err, krb_ck_repl \- Kerberos authentication library
+Kerberos authentication library
+.PP
+krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key,
+krb_get_cred, krb_mk_priv, krb_rd_priv, krb_mk_safe,
+krb_rd_safe, krb_mk_err, krb_rd_err, krb_ck_repl
+krb_get_local_addr, krb_bind_local_addr
 .SH SYNOPSIS
 .nf
 .nj
@@ -105,6 +108,14 @@ u_char *in;
 u_long length;
 long code;
 MSG_DAT *msg_data;
+.PP
+.ft B
+int krb_get_local_addr(address)
+struct sockaddr_in *address;
+.PP
+.ft B
+int krb_bind_local_addr(socket)
+int socket;
 .fi
 .ft R
 .SH DESCRIPTION
@@ -114,6 +125,17 @@ in this man page, but they are not intended to be used directly.
 Instead, they are called by the routines that are described, the
 authentication server and the login program.
 .PP
+The original MIT implementation of the krb library could fail when used on 
+multi-homed client machines.  Two functions,
+.I krb_get_local_addr
+and
+.I krb_bind_local_addr,
+are provided to overcome this limitation.  Any
+application expected to function in a multi-homed environment (clients
+with more than one network interface) that opens sockets to perform
+authenticated or encrypted transactions must use one of these functions
+to bind its sockets to the local address used and authenticated by Kerberos.
+.PP
 .I krb_err_txt[]
 contains text string descriptions of various Kerberos error codes returned
 by some of the routines below.
@@ -412,6 +434,30 @@ care of).
 The routine returns zero if the error message has been successfully received,
 or a Kerberos error code.
 .PP
+.I krb_get_local_addr
+retrieves the address of the local interface used for
+all kerberos transactions and copies it to the sockaddr_in pointed to
+by 
+.I address.
+This information is usually used to bind additional sockets in client
+programs to the kerberos authenticated local address so transactions
+to kerberos services on remote machines succeed.  This routine may be called
+at any time and the address returned will not change during the lifetime of
+the program.
+
+The routine returns zero on success or a Kerberos error code.
+.PP
+.I krb_bind_local_addr
+binds
+.I socket
+to the address of the local interface used for all kerberos
+transactions.  The bind allows the system to assign a port for the socket,
+so programs wishing to specify an explicit port should use
+.I krb_get_local_addr
+and perform the bind manually.
+
+The routine returns zero on success or a Kerberos error code.
+.PP
 The
 .I KTEXT
 structure is used to pass around text of varying lengths.  It consists

eBones/lib/libkrb/krb_err.et

@@ -3,7 +3,7 @@
 #	"Copyright.MIT".
 #
 #	from: krb_err.et,v 4.1 89/09/26 09:24:20 jtkohl Exp $
-#	$Id: krb_err.et,v 1.3 1995/07/18 16:39:00 mark Exp $
+#	$Id: krb_err.et,v 1.3 1995/09/07 21:38:09 markm Exp $
 #
 	error_table	krb
 
@@ -253,5 +253,17 @@
 	ec		KRBET_KNAME_FMT,
 			"Bad Kerberos name format"
 
+	ec		KRBET_GT_LADDR_NOSOCK,
+			"Can't open socket"
+
+	ec		KRBET_GT_LADDR_IFLIST,
+			"Can't retrieve local interface list"
+
+	ec		KRBET_GT_LADDR_NVI,
+			"No valid local interface found"
+
+	ec		KRBET_BND_LADDR_BIND,
+			"Can't bind local address"
+
 	end
 

eBones/lib/libkrb/krb_err_txt.c

@@ -4,13 +4,13 @@
  * <Copyright.MIT>.
  *
  *	from: krb_err_txt.c,v 4.7 88/12/01 14:10:14 jtkohl Exp $
- *	$Id: krb_err_txt.c,v 1.3 1995/07/18 16:39:02 mark Exp $
+ *	$Id: krb_err_txt.c,v 1.3 1995/09/07 21:38:10 markm Exp $
  */
 
 #if 0
 #ifndef	lint
 static char rcsid[] =
-"$Id: krb_err_txt.c,v 1.3 1995/07/18 16:39:02 mark Exp $";
+"$Id: krb_err_txt.c,v 1.3 1995/09/07 21:38:10 markm Exp $";
 #endif	lint
 #endif
 
@@ -103,10 +103,10 @@ char *krb_err_txt[256] = {
   "Bad ticket file format (tf_util)",			/* 079 */
   "Read ticket file before tf_init (tf_util)",		/* 080 */
   "Bad Kerberos name format (kname_parse)",		/* 081 */
-  "(reserved)",
-  "(reserved)",
-  "(reserved)",
-  "(reserved)",
+  "Can't open socket",					/* 082 */
+  "Can't retrieve local interface list",		/* 083 */
+  "No valid local interface found",			/* 084 */
+  "Can't bind local address",				/* 085 */
   "(reserved)",
   "(reserved)",
   "(reserved)",

eBones/lib/libkrb/krb_sendauth.3

@@ -1,5 +1,5 @@
 .\" from: krb_sendauth.3,v 4.1 89/01/23 11:10:58 jtkohl Exp $
-.\" $Id: krb_sendauth.3,v 1.3 1995/07/18 16:41:03 mark Exp $
+.\" $Id: krb_sendauth.3,v 1.3 1995/09/13 17:23:57 markm Exp $
 .\" Copyright 1988 by the Massachusetts Institute of Technology.
 .\"
 .\" For copying and distribution information,
@@ -82,6 +82,13 @@ The
 function receives the ticket from the client by
 reading from a network socket.
 
+To ensure proper behavior on multi-homed systems (machines with more
+than one network interface) all sockets used with these routines should
+be bound to the same address as that used by the Kerberos library via
+.I krb_get_local_addr
+or
+.I krb_bind_local_addr.
+
 .SH KRB_SENDAUTH
 .PP
 This function writes the ticket to
@@ -338,7 +345,8 @@ will not work properly on sockets set to non-blocking I/O mode.
 
 .SH SEE ALSO
 
-krb_mk_req(3), krb_rd_req(3), krb_get_phost(3)
+krb_mk_req(3), krb_rd_req(3), krb_get_phost(3), krb_get_local_addr(3),
+krb_bind_local_addr(3)
 
 .SH AUTHOR
 John T. Kohl, MIT Project Athena

eBones/lib/libkrb/send_to_kdc.c

@@ -4,7 +4,7 @@
  * <Copyright.MIT>.
  *
  *	from: send_to_kdc.c,v 4.20 90/01/02 13:40:37 jtkohl Exp $
- *	$Id: send_to_kdc.c,v 1.8 1995/09/14 20:58:35 gibbs Exp $
+ *	$Id: send_to_kdc.c,v 1.9 1995/09/16 23:11:25 gibbs Exp $
  */
 
 #if 0
@@ -22,11 +22,15 @@ static char rcsid_send_to_kdc_c[] =
 #include <stdio.h>
 #include <errno.h>
 #include <sys/time.h>
+#include <sys/param.h>
 #include <sys/types.h>
 #ifdef lint
 #include <sys/uio.h>            /* struct iovec to make lint happy */
 #endif /* lint */
+#include <sys/sysctl.h>
 #include <sys/socket.h>
+#include <net/if.h>
+#include <net/route.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netdb.h>
@@ -34,6 +38,11 @@ static char rcsid_send_to_kdc_c[] =
 
 #define S_AD_SZ sizeof(struct sockaddr_in)
 
+/* Used for extracting addresses from routing messages */
+#define ROUNDUP(a) \
+        ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
+#define ADVANCE(x, n) (x += ROUNDUP((n)->sin_len))
+
 extern int errno;
 extern int krb_debug;
 
@@ -41,6 +50,10 @@ extern char *malloc(), *calloc(), *realloc();
 
 int krb_udp_port = 0;
 
+static struct sockaddr_in local_addr = { S_AD_SZ,
+					 AF_INET
+					};
+
 /* CLIENT_KRB_TIMEOUT indicates the time to wait before
  * retrying a server.  It's defined in "krb.h".
  */
@@ -222,6 +235,11 @@ send_to_kdc(pkt,rpkt,realm)
         bcopy(host->h_addr, (char *)&to.sin_addr,
               host->h_length);
         to.sin_port = krb_udp_port;
+	if ((retval = krb_bind_local_addr(f)) != KSUCCESS) {
+	    fprintf(stderr, "krb_bind_local_addr: %s", krb_err_txt[retval]);
+	    retval = SKDC_CANT;
+	    goto rtn;
+	}
         if (send_recv(pkt, rpkt, f, &to, hostlist)) {
             retval = KSUCCESS;
             goto rtn;
@@ -389,3 +407,123 @@ send_recv(pkt,rpkt,f,_to,addrs)
 		"send_to_kdc(send_rcv)", inet_ntoa(from.sin_addr));
     return 0;
 }
+
+
+static int
+setfixedaddr(s)
+	int s;
+{
+    struct ifa_msghdr *ifa, *ifa0, *ifa_end;
+    struct sockaddr_in *cur_addr;
+    int tries;
+    int i;
+    u_long loopback;
+    int mib[6] = { CTL_NET, PF_ROUTE, 0, AF_INET, NET_RT_IFLIST, 0 };
+    size_t len;
+
+    /* Get information about our interfaces */
+#define NUMTRIES 10
+    tries = 0;
+
+retry:
+    len = 0;
+    if (sysctl(mib, 6, NULL, &len, NULL, 0) < 0) {
+	perror("setfixedaddr: Can't get size of interface table: sysctl");
+	return GT_LADDR_IFLIST;
+    }
+    ifa = (struct ifa_msghdr *)malloc(len);
+    if (!ifa) {
+	fprintf(stderr, "setfixedaddr: Cannot malloc\n");
+	return (KFAILURE);
+    }
+    if (sysctl(mib, 6, ifa, &len, NULL, 0) < 0) {
+	free(ifa);
+	if (errno == ENOMEM && tries < NUMTRIES) {
+	    /* Table grew between calls */
+	    tries++;
+	    goto retry;
+	}
+	else {
+	    perror("setfixedaddr: Can't get interface table: sysctl");
+	    return GT_LADDR_IFLIST;
+	}
+    }
+    loopback = inet_addr("127.0.0.1");
+
+    ifa0 = ifa;
+    for(ifa_end = (struct ifa_msghdr *)((caddr_t)ifa + len);
+	ifa < ifa_end;
+	(caddr_t)ifa += ifa->ifam_msglen) {
+	/* Ignore interface name messages and ensure we have an address */
+	if (ifa->ifam_type == RTM_IFINFO || !(ifa->ifam_addrs & RTAX_IFA))
+		continue;
+	cur_addr = (struct sockaddr_in *)(ifa + 1);
+	for (i = 0; i < RTAX_IFA; i++) {
+		if (ifa->ifam_addrs & (1 << i))
+			ADVANCE((caddr_t)cur_addr, cur_addr);
+	}
+	if (cur_addr->sin_addr.s_addr != loopback) {
+	    local_addr.sin_addr.s_addr = cur_addr->sin_addr.s_addr;
+	    break;
+	}
+    }
+    free(ifa0);
+    if (ifa >= ifa_end) {
+	return GT_LADDR_NVI;
+    }
+    if (krb_debug) {
+	fprintf(stderr, "setfixedaddr: using local address %s\n",
+		inet_ntoa(local_addr.sin_addr));
+    }
+    return (KSUCCESS);
+}
+
+int
+krb_bind_local_addr(s)
+	int s;
+{
+    int retval;
+    if (local_addr.sin_addr.s_addr == INADDR_ANY) {
+	/*
+	 * We haven't determined the local interface to use
+	 * for kerberos server interactions.  Do so now.
+	 */
+	if ((retval = setfixedaddr(s)) != KSUCCESS)
+	    return (retval);
+    }
+    if (bind(s, (struct sockaddr *)&local_addr, sizeof(local_addr)) < 0) {
+	perror("krb_bind_local_addr: bind");
+	return BND_LADDR_BIND;
+    }
+    if (krb_debug)
+	printf("local_addr = %s\n", inet_ntoa(local_addr.sin_addr));
+    return(KSUCCESS);
+}
+
+int
+krb_get_local_addr(returned_addr)
+	struct sockaddr_in *returned_addr;
+{
+    int retval;
+    if (local_addr.sin_addr.s_addr == INADDR_ANY) {
+	/*
+	 * We haven't determined the local interface to use
+	 * for kerberos server interactions.  Do so now.
+	 */
+	int s;
+	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+	    return GT_LADDR_NOSOCK; 
+	}
+	if ((retval = setfixedaddr(s)) != KSUCCESS) {
+	    close(s);
+	    return (retval);
+	}
+	close(s);
+    }
+    if (!returned_addr)
+	return(KFAILURE);
+    *returned_addr = local_addr;
+    if (krb_debug)
+	printf("local_addr = %s\n", inet_ntoa(local_addr.sin_addr));
+    return (KSUCCESS);
+}

eBones/lib/librkinit/rk_rpc.c

@@ -1,7 +1,7 @@
 /* 
- * $Id: rk_rpc.c,v 1.1 1993/12/10 19:36:09 dglo Exp gibbs $
- * $Source: /usr/src/eBones/librkinit/RCS/rk_rpc.c,v $
- * $Author: dglo $
+ * $Id: rk_rpc.c,v 1.1.1.1 1995/09/15 06:09:30 gibbs Exp $
+ * $Source: /home/ncvs/src/eBones/lib/librkinit/rk_rpc.c,v $
+ * $Author: gibbs $
  *
  * This file contains functions that are used for network communication.
  * See the comment at the top of rk_lib.c for a description of the naming
@@ -9,7 +9,7 @@
  */
 
 #if !defined(lint) && !defined(SABER) && !defined(LOCORE) && defined(RCS_HDRS)
-static char *rcsid = "$Id: rk_rpc.c,v 1.1 1993/12/10 19:36:09 dglo Exp gibbs $";
+static char *rcsid = "$Id: rk_rpc.c,v 1.1.1.1 1995/09/15 06:09:30 gibbs Exp $";
 #endif /* lint || SABER || LOCORE || RCS_HDRS */
 
 #include <stdio.h>
@@ -187,7 +187,7 @@ int rki_setup_rpc(host)
 {
     struct hostent *hp;
     struct servent *sp;
-    int port;
+    int port, retval;
 
     SBCLEAR(saddr);
     SBCLEAR(hp);
@@ -214,7 +214,12 @@ int rki_setup_rpc(host)
 	rkinit_errmsg(errbuf);
 	return(RKINIT_SOCKET);
     }
-    
+    if ((retval = krb_bind_local_addr(sock)) != KSUCCESS) {
+	sprintf(errbuf, "krb_bind_local_addr: %s", krb_err_txt[retval]);
+	rkinit_errmsg(errbuf);
+	close(sock);
+	return(RKINIT_SOCKET);
+    }
     if (connect(sock, (struct sockaddr *)&saddr, sizeof (saddr)) < 0) {
 	sprintf(errbuf, "connect: %s", sys_errlist[errno]);
 	rkinit_errmsg(errbuf);

eBones/usr.sbin/kprop/kprop.c

@@ -5,14 +5,33 @@
  * For copying and distribution information,
  * please see the file <mit-copyright.h>.
  *
- * $Revision: 1.1.1.1 $
- * $Date: 1995/08/03 07:36:18 $
+ * $Revision: 1.3 $
+ * $Date: 1995/09/07 21:37:34 $
  * $State: Exp $
- * $Source: /usr/cvs/src/eBones/kprop/kprop.c,v $
- * $Author: mark $
+ * $Source: /home/ncvs/src/eBones/usr.sbin/kprop/kprop.c,v $
+ * $Author: markm $
  * $Locker:  $
  *
  * $Log: kprop.c,v $
+ * Revision 1.3  1995/09/07  21:37:34  markm
+ * Major cleanup of eBones code:
+ *
+ * - Get all functions prototyped or at least defined before use.
+ * - Make code compile (Mostly) clean with -Wall set
+ * - Start to reduce the degree to which DES aka libdes is built in.
+ * - get all functions to the same uniform standard of definition:
+ * int
+ * foo(a, b)
+ * int a;
+ * int *b;
+ * {
+ *    :
+ * }
+ * - fix numerous bugs exposed by above processes.
+ *
+ * Note - this replaces the previous work which used an unpopular function
+ *  definition style.
+ *
  * Revision 1.1.1.1  1995/08/03  07:36:18  mark
  * Import an updated revision of the MIT kprop program for distributing
  * kerberos databases to slave servers.
@@ -73,7 +92,7 @@
 #if 0
 #ifndef	lint
 static char rcsid_kprop_c[] =
-"$Id: kprop.c,v 1.1.1.1 1995/08/03 07:36:18 mark Exp $";
+"$Id: kprop.c,v 1.3 1995/09/07 21:37:34 markm Exp $";
 #endif	lint
 #endif
 
@@ -333,7 +352,21 @@ prop_to_slaves(sl, fd, fslv)
 		}
 		bcopy(&cs->net_addr, &sin.sin_addr,
 		      sizeof cs->net_addr);
-
+		/* for krb_mk_{priv, safe} */
+		bzero (&my_sin, sizeof my_sin);
+		n = sizeof my_sin;
+		if ((kerror = krb_get_local_addr (&my_sin)) != KSUCCESS) {
+		    fprintf (stderr, "kprop: can't get local address: %s\n",
+			     krb_err_txt[kerror]);
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+		if (bind(s, (struct sockaddr *) &my_sin, sizeof my_sin) < 0) {
+		    fprintf(stderr, "Unable to bind local address: ");
+		    perror("bind");
+		    close(s);
+		    continue;
+		}
 		if (connect(s, (struct sockaddr *) &sin, sizeof sin) < 0) {
 		    fprintf(stderr, "%s: ", cs->name);
 		    perror("connect");
@@ -341,21 +374,6 @@ prop_to_slaves(sl, fd, fslv)
 		    continue;	/*** NEXT SLAVE ***/
 		}
 		
-		/* for krb_mk_{priv, safe} */
-		bzero (&my_sin, sizeof my_sin);
-		n = sizeof my_sin;
-		if (getsockname (s, (struct sockaddr *) &my_sin, &n) != 0) {
-		    fprintf (stderr, "kprop: can't get socketname.");
-		    perror ("getsockname");
-		    close (s);
-		    continue;	/*** NEXT SLAVE ***/
-		}
-		if (n != sizeof (my_sin)) {
-		    fprintf (stderr, "kprop: can't get socketname. len");
-		    close (s);
-		    continue;	/*** NEXT SLAVE ***/
-		}
-		
 		/* Get ticket */
 		kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME, 
 				     cs->instance, cs->realm, (u_long) 0);

libexec/rlogind/rlogind.c

@@ -681,7 +681,7 @@ do_krb_login(dest)
 			ticket, "rcmd",
 			instance, dest, &faddr,
 			kdata, "", schedule, version);
-		 des_set_key(kdata->session, schedule);
+		 des_set_key(&kdata->session, schedule);
 
 	} else
 #endif

usr.bin/rlogin/kcmd.c

@@ -278,11 +278,14 @@ getport(alport)
 	int *alport;
 {
 	struct sockaddr_in sin;
-	int s;
+	int s, retval;
 
-	sin.sin_family = AF_INET;
-	sin.sin_addr.s_addr = INADDR_ANY;
 	s = socket(AF_INET, SOCK_STREAM, 0);
+	if ((retval = krb_get_local_addr(&sin)) != KSUCCESS) {
+		fprintf(stderr, "krb_get_local_addr: %s\n",krb_err_txt[retval]);
+		close(s);
+		return (-1);
+	}
 	if (s < 0)
 		return (-1);
 	for (;;) {

usr.bin/rlogin/rlogin.c

@@ -301,7 +301,7 @@ main(argc, argv)
 		if (doencrypt) {
 			rem = krcmd_mutual(&host, sp->s_port, user, term, 0,
 			    dest_realm, &cred, schedule);
-			des_set_key(cred.session, schedule);
+			des_set_key(&cred.session, schedule);
 		} else
 #endif /* CRYPT */
 			rem = krcmd(&host, sp->s_port, user, term, 0,

usr.bin/rsh/rsh.c

@@ -40,7 +40,7 @@ static char copyright[] =
 #ifndef lint
 static char sccsid[] = "From: @(#)rsh.c	8.3 (Berkeley) 4/6/94";
 static char rcsid[] =
-	"$Id: rsh.c,v 1.3 1995/01/14 20:36:22 wollman Exp $";
+	"$Id: rsh.c,v 1.4 1995/05/30 06:33:24 rgrimes Exp $";
 #endif /* not lint */
 
 #include <sys/types.h>
@@ -233,7 +233,7 @@ main(argc, argv)
 		if (doencrypt) {
 			rem = krcmd_mutual(&host, sp->s_port, user, args,
 			    &rfd2, dest_realm, &cred, schedule);
-			des_set_key(cred.session, schedule);
+			des_set_key(&cred.session, schedule);
 		} else
 #endif
 			rem = krcmd(&host, sp->s_port, user, args, &rfd2,

usr.bin/su/su.c

@@ -340,6 +340,7 @@ kerberos(username, user, uid)
 	char *p;
 	int kerno;
 	u_long faddr;
+	struct sockaddr_in local_addr;
 	char lrealm[REALM_SZ], krbtkfile[MAXPATHLEN];
 	char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN];
 	char *krb_get_phost();
@@ -423,13 +424,13 @@ kerberos(username, user, uid)
 		dest_tkt();
 		return (1);
 	} else {
-		if (!(hp = gethostbyname(hostname))) {
-			warnx("can't get addr of %s", hostname);
+		if ((kerno = krb_get_local_addr(&local_addr)) != KSUCCESS) {
+			warnx("Unable to get our local address: %s",
+			      krb_err_txt[kerno]);
 			dest_tkt();
 			return (1);
 		}
-		memmove((char *)&faddr, (char *)hp->h_addr, sizeof(faddr));
-
+		faddr = local_addr.sin_addr.s_addr;
 		if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr,
 		    &authdata, "")) != KSUCCESS) {
 			warnx("kerberos: unable to verify rcmd ticket: %s\n",