d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modify klogin to:

Browse Source 
1) Don't spit out an error message if Kerberos is installed but not yet
   set up.

2) Don't attempt to verify the ticket you got back, as workstations
   are not intended to have srvtab files of their own.

Both behaviors can be re-enabled with KLOGIN_PARANOID.
This commit is contained in:
wollman 1995-01-14 22:57:41 +00:00
parent f6d953b1df
commit d7880059b4
5 changed files with 40 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/libpam/modules/pam_kerberosIV/klogin.c
View File

@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
char tkt_location[MAXPATHLEN];
char *krb_get_phost();
extern int noticketsdontcomplain;
#ifdef KLOGIN_PARANOID
noticketsdontcomplain = 0; /* enable warning message */
#endif
/*
* Root logins don't use Kerberos.
* If we have a realm, try getting a ticket-granting ticket
@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
krb_get_lrealm(realm, 0) != KSUCCESS)
return (1);
noticketsdontcomplain = 0; /* enable warning message */
/*
* get TGT for local realm
* tickets are stored in a file named TKT_ROOT plus uid
@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
}
kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
/*
* If we got a TGT, get a local "rcmd" ticket and check it so as to
* ensure that we are not talking to a bogus Kerberos server.
@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
savehost[sizeof(savehost)-1] = NULL;
#ifdef KLOGIN_PARANOID
/*
* if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
* still allow login with tickets, but log the error condition.
@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
krb_err_txt[kerror]);
dest_tkt();
return (1);
#else
return (0);
#endif
}
#endif

9
usr.bin/login/Makefile
View File

@ -1,5 +1,5 @@
# From: @(#)Makefile 8.1 (Berkeley) 7/19/93
# $Id: Makefile,v 1.9 1994/10/19 00:03:31 pst Exp $
# $Id: Makefile,v 1.10 1994/11/20 23:20:33 wollman Exp $
PROG= login
MAN1= login.1
@ -8,11 +8,14 @@ SRCS= login.c login_access.c login_fbtab.c
CFLAGS+=-DLOGIN_ACCESS -DSKEY -DLOGALL
.if defined(KLOGIN_PARANOID)
CFLAGS+=-DKLOGIN_PARANOID
.endif
DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY} ${LIBMD}
LDADD= -lutil -lcrypt -lskey -lmd
.if exists(${DESTDIR}/usr/lib/libkrb.a) && \
(defined(MAKE_KERBEROS) || defined(MAKE_EBONES))
.if exists(${DESTDIR}/usr/lib/libkrb.a) && defined(MAKE_EBONES)
CFLAGS+=-DKERBEROS
SRCS+= klogin.c
DPADD+= ${LIBKRB} ${LIBDES}

10
usr.bin/login/README
View File

@ -8,3 +8,13 @@ The following defines can be used:
3) LOGALL to log all logins
-Guido
This login has some of Berkeley's paranoid/broken (depending on your point
of view) Kerberos code conditionalized out, so that by default it works like
klogin does at MIT-LCS. You can define KLOGIN_PARANOID to re-enable this code.
This define also controls whether a warning message is printed when logging
into a system with no krb.conf file, which usually means that Kerberos is
not configured.
-GAWollman

11
usr.bin/login/klogin.c
View File

@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
char tkt_location[MAXPATHLEN];
char *krb_get_phost();
extern int noticketsdontcomplain;
#ifdef KLOGIN_PARANOID
noticketsdontcomplain = 0; /* enable warning message */
#endif
/*
* Root logins don't use Kerberos.
* If we have a realm, try getting a ticket-granting ticket
@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
krb_get_lrealm(realm, 0) != KSUCCESS)
return (1);
noticketsdontcomplain = 0; /* enable warning message */
/*
* get TGT for local realm
* tickets are stored in a file named TKT_ROOT plus uid
@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
}
kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
/*
* If we got a TGT, get a local "rcmd" ticket and check it so as to
* ensure that we are not talking to a bogus Kerberos server.
@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
savehost[sizeof(savehost)-1] = NULL;
#ifdef KLOGIN_PARANOID
/*
* if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
* still allow login with tickets, but log the error condition.
@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
krb_err_txt[kerror]);
dest_tkt();
return (1);
#else
return (0);
#endif
}
#endif

3
usr.bin/login/login.c
View File

@ -101,6 +101,7 @@ u_int timeout = 300;
#ifdef KERBEROS
int notickets = 1;
int noticketsdontcomplain = 1;
char *instance;
char *krbtkfile_env;
int authok;
@ -421,7 +422,7 @@ main(argc, argv)
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);
#ifdef KERBEROS
if (!quietlog && notickets == 1)
if (!quietlog && notickets == 1 && !noticketsdontcomplain)
(void)printf("Warning: no Kerberos tickets issued.\n");
#endif