From d7880059b401483ac96f0a6da5e7ef37c6078369 Mon Sep 17 00:00:00 2001
From: wollman
Date: Sat, 14 Jan 1995 22:57:41 +0000
Subject: [PATCH] Modify klogin to: 1) Don't spit out an error message if Kerberos is installed but not yet set up. 2) Don't attempt to verify the ticket you got back, as workstations are not intended to have srvtab files of their own. Both behaviors can be re-enabled with KLOGIN_PARANOID.
---
 lib/libpam/modules/pam_kerberosIV/klogin.c | 11 +++++++++++
 usr.bin/login/Makefile | 9 ++++++---
 usr.bin/login/README | 10 ++++++++++
 usr.bin/login/klogin.c | 11 +++++++++++
 usr.bin/login/login.c | 3 ++-
 5 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.c b/lib/libpam/modules/pam_kerberosIV/klogin.c
index 6601a6e17587..f9c2163c0d96 100644
--- a/lib/libpam/modules/pam_kerberosIV/klogin.c
+++ b/lib/libpam/modules/pam_kerberosIV/klogin.c
@@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
 char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
 char tkt_location[MAXPATHLEN];
 char *krb_get_phost();
+ extern int noticketsdontcomplain;
+#ifdef KLOGIN_PARANOID
+ noticketsdontcomplain = 0; /* enable warning message */
+#endif
 /*
 * Root logins don't use Kerberos.
 * If we have a realm, try getting a ticket-granting ticket
@@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
 krb_get_lrealm(realm, 0) != KSUCCESS)
 return (1);
+ noticketsdontcomplain = 0; /* enable warning message */
+
 /*
 * get TGT for local realm
 * tickets are stored in a file named TKT_ROOT plus uid
@@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
 }
 kerror = krb_get_pw_in_tkt(pw->pw_name, instance, realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
+
 /*
 * If we got a TGT, get a local "rcmd" ticket and check it so as to
 * ensure that we are not talking to a bogus Kerberos server.
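Review bot: `extern int noticketsdontcomplain;` is declared at block scope inside klogin(), and the only definition this commit adds is in usr.bin/login/login.c; the diffstat touches nothing else under lib/libpam/modules/pam_kerberosIV, so unless that module already defines the symbol somewhere not shown here, it will be left unresolved when the module is linked or loaded. Move the declaration to file scope beside the other externs with a note on who owns it, `extern int noticketsdontcomplain;	/* defined by the caller (login.c); cleared below once a local realm exists */`, so the cross-file contract is visible from the top of the file rather than buried in a function body. klogin() starts and ends outside this hunk.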
@@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
 (void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
 savehost[sizeof(savehost)-1] = NULL;
+#ifdef KLOGIN_PARANOID
 /*
 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
 * still allow login with tickets, but log the error condition.
@@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
 krb_err_txt[kerror]);
 dest_tkt();
 return (1);
+#else
+ return (0);
+#endif
 }
 #endif
diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile
index 4c69dd3055ee..ee453c16b33d 100644
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@@ -1,5 +1,5 @@
 # From: @(#)Makefile 8.1 (Berkeley) 7/19/93
-# $Id: Makefile,v 1.9 1994/10/19 00:03:31 pst Exp $
+# $Id: Makefile,v 1.10 1994/11/20 23:20:33 wollman Exp $
 PROG= login
 MAN1= login.1
@@ -8,11 +8,14 @@ SRCS= login.c login_access.c login_fbtab.c
 CFLAGS+=-DLOGIN_ACCESS -DSKEY -DLOGALL
+.if defined(KLOGIN_PARANOID)
+CFLAGS+=-DKLOGIN_PARANOID
+.endif
+
 DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY} ${LIBMD}
 LDADD= -lutil -lcrypt -lskey -lmd
-.if exists(${DESTDIR}/usr/lib/libkrb.a) && \
- (defined(MAKE_KERBEROS) || defined(MAKE_EBONES))
+.if exists(${DESTDIR}/usr/lib/libkrb.a) && defined(MAKE_EBONES)
 CFLAGS+=-DKERBEROS
 SRCS+= klogin.c
 DPADD+= ${LIBKRB} ${LIBDES}
diff --git a/usr.bin/login/README b/usr.bin/login/README
index 6ad7a10d4796..d7c964d48275 100644
--- a/usr.bin/login/README
+++ b/usr.bin/login/README
@@ -8,3 +8,13 @@ The following defines can be used:
 3) LOGALL to log all logins
 -Guido
+
+This login has some of Berkeley's paranoid/broken (depending on your point
+of view) Kerberos code conditionalized out, so that by default it works like
+klogin does at MIT-LCS. You can define KLOGIN_PARANOID to re-enable this code.
+This define also controls whether a warning message is printed when logging
+into a system with no krb.conf file, which usually means that Kerberos is
+not configured.
+
+-GAWollman
+
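Review bot: The `#ifdef KLOGIN_PARANOID` is placed after the strncpy() of krb_get_phost(localhost) into savehost, but the only code that reads savehost is the verification block the ifdef now excludes, and in the default build the next statement executed after the copy is the `return (0)` of the `#else` branch added in the following hunk — so the hostname lookup and copy are dead work there and savehost becomes an unused local. Move the guard two lines up so it also covers `(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));` and `savehost[sizeof(savehost)-1] = NULL;`, or guard the declaration as well. While touching that line, `NULL` is being stored into a `char`; `'\0'` is the correct constant, though that predates this commit. klogin() continues on both sides of this hunk.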
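Review bot: The `#else` branch added at the end of klogin() returns success as soon as krb_get_pw_in_tkt() has produced a TGT, so in the default (non-KLOGIN_PARANOID) build nothing confirms that the TGT came from a KDC holding this host's key; an attacker at the console who can also answer this host's KDC request can choose the password, have the fake KDC encrypt a TGT under it, and be logged in as any Kerberos-only account — precisely the 'bogus Kerberos server' the comment in the earlier hunk says the rcmd check exists to stop. If srvtab-less workstations must be supported, make this a run-time rather than a build-time decision: verify when the srvtab is readable and skip only when it is absent, and record the skip with the logging call the paranoid path appears to use for krb_err_txt, e.g. `syslog(LOG_WARNING, "Kerberos TGT for %s accepted without srvtab verification", pw->pw_name);` before `return (0);`. At minimum annotate the return so it is not mistaken for the verified path, `return (0);	/* KLOGIN_PARANOID off: TGT NOT verified against a local service key */`. The function begins outside this hunk.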
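Review bot: `-DKLOGIN_PARANOID` is only ever added to CFLAGS here in usr.bin/login, while the same `#ifdef KLOGIN_PARANOID` was also put into lib/libpam/modules/pam_kerberosIV/klogin.c, whose Makefile is not in this change — unless that module's build already passes the flag, setting the make variable has no effect on the PAM module and it is always built with verification off. Separately, dropping `defined(MAKE_KERBEROS)` from the libkrb test silently disables Kerberos in login for anyone who builds with MAKE_KERBEROS rather than MAKE_EBONES, and the commit message does not mention it; keep both spellings for a release or call the change out where the variable is documented. A comment above the new block would tell a builder what they are opting into, e.g. `# KLOGIN_PARANOID: verify the TGT against this host's srvtab and warn when no realm is configured`.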
diff --git a/usr.bin/login/klogin.c b/usr.bin/login/klogin.c
index 6601a6e17587..f9c2163c0d96 100644
--- a/usr.bin/login/klogin.c
+++ b/usr.bin/login/klogin.c
@@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
 char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
 char tkt_location[MAXPATHLEN];
 char *krb_get_phost();
+ extern int noticketsdontcomplain;
+#ifdef KLOGIN_PARANOID
+ noticketsdontcomplain = 0; /* enable warning message */
+#endif
 /*
 * Root logins don't use Kerberos.
 * If we have a realm, try getting a ticket-granting ticket
@@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
 krb_get_lrealm(realm, 0) != KSUCCESS)
 return (1);
+ noticketsdontcomplain = 0; /* enable warning message */
+
 /*
 * get TGT for local realm
 * tickets are stored in a file named TKT_ROOT plus uid
@@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
 }
 kerror = krb_get_pw_in_tkt(pw->pw_name, instance, realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
+
 /*
 * If we got a TGT, get a local "rcmd" ticket and check it so as to
 * ensure that we are not talking to a bogus Kerberos server.
@@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
 (void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
 savehost[sizeof(savehost)-1] = NULL;
+#ifdef KLOGIN_PARANOID
 /*
 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
 * still allow login with tickets, but log the error condition.
@@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
 krb_err_txt[kerror]);
 dest_tkt();
 return (1);
+#else
+ return (0);
+#endif
 }
 #endif
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index be6946fcb2e0..c10e0e23f4c8 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -101,6 +101,7 @@ u_int timeout = 300;
 #ifdef KERBEROS
 int notickets = 1;
+int noticketsdontcomplain = 1;
 char *instance;
 char *krbtkfile_env;
 int authok;
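Review bot: `+#ifdef KLOGIN_PARANOID` starts two lines too late: with verification compiled out, the strncpy() of krb_get_phost(localhost) into savehost just above it is followed directly by the `return (0)` of the `#else` branch in the next hunk, so the hostname canonicalisation and copy run for nothing and savehost is never read in the default build. Hoist the guard above `(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));` and `savehost[sizeof(savehost)-1] = NULL;` so the two lines are excluded together with their only consumer. The enclosing klogin() extends beyond both ends of the hunk.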
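Review bot: With KLOGIN_PARANOID undefined the new `#else` makes klogin() return 0 right after the TGT request succeeds, without decrypting a service ticket under a key this machine holds, so the default login binary will accept a TGT from any host able to answer the KDC request: a user at the console who also controls such a host can pick the password, have the fake KDC issue a TGT under it, and log in as any Kerberos-only account — the scenario the 'bogus Kerberos server' comment earlier in this file describes. A safer compromise than a compile-time switch is to verify whenever the srvtab is readable and fall back only when it is missing, and to log the fall-back so operators can see unverified logins, e.g. `syslog(LOG_WARNING, "Kerberos TGT for %s accepted without srvtab verification", pw->pw_name);` ahead of `return (0);`. Failing that, the bare `return (0)` deserves `/* KLOGIN_PARANOID off: TGT deliberately NOT verified against a local service key */` so the next reader does not take it for the checked path. klogin() begins outside this hunk.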
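Review bot: `int noticketsdontcomplain = 1;` is a flag shared across files (cleared in klogin.c, tested at the warning in main()) with no comment, and its default of 1 means 'stay silent', the opposite polarity of the neighbouring `notickets = 1`, which means 'no ticket yet'. Document it at the definition: `int noticketsdontcomplain = 1;	/* klogin() clears this once a local realm is configured; while set, the "no Kerberos tickets" warning is suppressed */`. A positively-named flag such as `krb_realm_configured` (0 here, set to 1 in klogin()) would avoid the double negative where it is tested.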
@@ -421,7 +422,7 @@ main(argc, argv)
 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);
 #ifdef KERBEROS
- if (!quietlog && notickets == 1)
+ if (!quietlog && notickets == 1 && !noticketsdontcomplain)
 (void)printf("Warning: no Kerberos tickets issued.\n");
 #endif
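Review bot: Because `noticketsdontcomplain` starts at 1 and, per the klogin.c hunks, is cleared only inside klogin() after krb_get_lrealm() succeeds, the warning is now also suppressed on any path through main() that never calls klogin() — for example if another authentication step returns before it; whether such a path exists is not visible from this hunk, so it is worth checking. If that is intended, say so at the flag's definition; if not, clear the flag at the point where the Kerberos attempt is decided rather than relying on klogin() having run. The test itself reads awkwardly as a double negative; `if (!quietlog && notickets == 1 && !noticketsdontcomplain)` would be clearer with the flag inverted to something like `krb_realm_configured`. main() continues outside this hunk.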