freebsd-dev/crypto/heimdal/appl/rsh/rsh.c

1105 lines
26 KiB
C

/*
* Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "rsh_locl.h"
RCSID("$Id: rsh.c,v 1.68 2002/09/04 21:40:04 joda Exp $");
enum auth_method auth_method;
#if defined(KRB4) || defined(KRB5)
int do_encrypt = -1;
#endif
#ifdef KRB5
int do_unique_tkfile = 0;
char *unique_tkfile = NULL;
char tkfile[MAXPATHLEN];
int do_forward = -1;
int do_forwardable = -1;
krb5_context context;
krb5_keyblock *keyblock;
krb5_crypto crypto;
#endif
#ifdef KRB4
des_key_schedule schedule;
des_cblock iv;
#endif
int sock_debug = 0;
#ifdef KRB4
static int use_v4 = -1;
#endif
#ifdef KRB5
static int use_v5 = -1;
#endif
static int use_only_broken = 0;
static int use_broken = 1;
static char *port_str;
static const char *user;
static int do_version;
static int do_help;
static int do_errsock = 1;
static char *protocol_version_str;
static int protocol_version = 2;
/*
*
*/
static int input = 1; /* Read from stdin */
static int
loop (int s, int errsock)
{
fd_set real_readset;
int count = 1;
#ifdef KRB5
if(auth_method == AUTH_KRB5 && protocol_version == 2)
init_ivecs(1);
#endif
if (s >= FD_SETSIZE || errsock >= FD_SETSIZE)
errx (1, "fd too large");
FD_ZERO(&real_readset);
FD_SET(s, &real_readset);
if (errsock != -1) {
FD_SET(errsock, &real_readset);
++count;
}
if(input)
FD_SET(STDIN_FILENO, &real_readset);
for (;;) {
int ret;
fd_set readset;
char buf[RSH_BUFSIZ];
readset = real_readset;
ret = select (max(s, errsock) + 1, &readset, NULL, NULL, NULL);
if (ret < 0) {
if (errno == EINTR)
continue;
else
err (1, "select");
}
if (FD_ISSET(s, &readset)) {
ret = do_read (s, buf, sizeof(buf), ivec_in[0]);
if (ret < 0)
err (1, "read");
else if (ret == 0) {
close (s);
FD_CLR(s, &real_readset);
if (--count == 0)
return 0;
} else
net_write (STDOUT_FILENO, buf, ret);
}
if (errsock != -1 && FD_ISSET(errsock, &readset)) {
ret = do_read (errsock, buf, sizeof(buf), ivec_in[1]);
if (ret < 0)
err (1, "read");
else if (ret == 0) {
close (errsock);
FD_CLR(errsock, &real_readset);
if (--count == 0)
return 0;
} else
net_write (STDERR_FILENO, buf, ret);
}
if (FD_ISSET(STDIN_FILENO, &readset)) {
ret = read (STDIN_FILENO, buf, sizeof(buf));
if (ret < 0)
err (1, "read");
else if (ret == 0) {
close (STDIN_FILENO);
FD_CLR(STDIN_FILENO, &real_readset);
shutdown (s, SHUT_WR);
} else
do_write (s, buf, ret, ivec_out[0]);
}
}
}
#ifdef KRB4
static int
send_krb4_auth(int s,
struct sockaddr *thisaddr,
struct sockaddr *thataddr,
const char *hostname,
const char *remote_user,
const char *local_user,
size_t cmd_len,
const char *cmd)
{
KTEXT_ST text;
CREDENTIALS cred;
MSG_DAT msg;
int status;
size_t len;
status = krb_sendauth (do_encrypt ? KOPT_DO_MUTUAL : 0,
s, &text, "rcmd",
(char *)hostname, krb_realmofhost (hostname),
getpid(), &msg, &cred, schedule,
(struct sockaddr_in *)thisaddr,
(struct sockaddr_in *)thataddr,
KCMD_OLD_VERSION);
if (status != KSUCCESS) {
warnx("%s: %s", hostname, krb_get_err_text(status));
return 1;
}
memcpy (iv, cred.session, sizeof(iv));
len = strlen(remote_user) + 1;
if (net_write (s, remote_user, len) != len) {
warn("write");
return 1;
}
if (net_write (s, cmd, cmd_len) != cmd_len) {
warn("write");
return 1;
}
return 0;
}
#endif /* KRB4 */
#ifdef KRB5
/*
* Send forward information on `s' for host `hostname', them being
* forwardable themselves if `forwardable'
*/
static int
krb5_forward_cred (krb5_auth_context auth_context,
int s,
const char *hostname,
int forwardable)
{
krb5_error_code ret;
krb5_ccache ccache;
krb5_creds creds;
krb5_kdc_flags flags;
krb5_data out_data;
krb5_principal principal;
memset (&creds, 0, sizeof(creds));
ret = krb5_cc_default (context, &ccache);
if (ret) {
warnx ("could not forward creds: krb5_cc_default: %s",
krb5_get_err_text (context, ret));
return 1;
}
ret = krb5_cc_get_principal (context, ccache, &principal);
if (ret) {
warnx ("could not forward creds: krb5_cc_get_principal: %s",
krb5_get_err_text (context, ret));
return 1;
}
creds.client = principal;
ret = krb5_build_principal (context,
&creds.server,
strlen(principal->realm),
principal->realm,
"krbtgt",
principal->realm,
NULL);
if (ret) {
warnx ("could not forward creds: krb5_build_principal: %s",
krb5_get_err_text (context, ret));
return 1;
}
creds.times.endtime = 0;
flags.i = 0;
flags.b.forwarded = 1;
flags.b.forwardable = forwardable;
ret = krb5_get_forwarded_creds (context,
auth_context,
ccache,
flags.i,
hostname,
&creds,
&out_data);
if (ret) {
warnx ("could not forward creds: krb5_get_forwarded_creds: %s",
krb5_get_err_text (context, ret));
return 1;
}
ret = krb5_write_message (context,
(void *)&s,
&out_data);
krb5_data_free (&out_data);
if (ret)
warnx ("could not forward creds: krb5_write_message: %s",
krb5_get_err_text (context, ret));
return 0;
}
static int sendauth_version_error;
static int
send_krb5_auth(int s,
struct sockaddr *thisaddr,
struct sockaddr *thataddr,
const char *hostname,
const char *remote_user,
const char *local_user,
size_t cmd_len,
const char *cmd)
{
krb5_principal server;
krb5_data cksum_data;
int status;
size_t len;
krb5_auth_context auth_context = NULL;
const char *protocol_string = NULL;
krb5_flags ap_opts;
status = krb5_sname_to_principal(context,
hostname,
"host",
KRB5_NT_SRV_HST,
&server);
if (status) {
warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
return 1;
}
cksum_data.length = asprintf ((char **)&cksum_data.data,
"%u:%s%s%s",
ntohs(socket_get_port(thataddr)),
do_encrypt ? "-x " : "",
cmd,
remote_user);
ap_opts = 0;
if(do_encrypt)
ap_opts |= AP_OPTS_MUTUAL_REQUIRED;
switch(protocol_version) {
case 2:
ap_opts |= AP_OPTS_USE_SUBKEY;
protocol_string = KCMD_NEW_VERSION;
break;
case 1:
protocol_string = KCMD_OLD_VERSION;
key_usage = KRB5_KU_OTHER_ENCRYPTED;
break;
default:
abort();
}
status = krb5_sendauth (context,
&auth_context,
&s,
protocol_string,
NULL,
server,
ap_opts,
&cksum_data,
NULL,
NULL,
NULL,
NULL,
NULL);
krb5_free_principal(context, server);
krb5_data_free(&cksum_data);
if (status) {
if(status == KRB5_SENDAUTH_REJECTED &&
protocol_version == 2 && protocol_version_str == NULL)
sendauth_version_error = 1;
else
krb5_warn(context, status, "%s", hostname);
return 1;
}
status = krb5_auth_con_getlocalsubkey (context, auth_context, &keyblock);
if(keyblock == NULL)
status = krb5_auth_con_getkey (context, auth_context, &keyblock);
if (status) {
warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status));
return 1;
}
status = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&s);
if (status) {
warnx("krb5_auth_con_setaddrs_from_fd: %s",
krb5_get_err_text(context, status));
return(1);
}
status = krb5_crypto_init(context, keyblock, 0, &crypto);
if(status) {
warnx ("krb5_crypto_init: %s", krb5_get_err_text(context, status));
return 1;
}
len = strlen(remote_user) + 1;
if (net_write (s, remote_user, len) != len) {
warn ("write");
return 1;
}
if (do_encrypt && net_write (s, "-x ", 3) != 3) {
warn ("write");
return 1;
}
if (net_write (s, cmd, cmd_len) != cmd_len) {
warn ("write");
return 1;
}
if (do_unique_tkfile) {
if (net_write (s, tkfile, strlen(tkfile)) != strlen(tkfile)) {
warn ("write");
return 1;
}
}
len = strlen(local_user) + 1;
if (net_write (s, local_user, len) != len) {
warn ("write");
return 1;
}
if (!do_forward
|| krb5_forward_cred (auth_context, s, hostname, do_forwardable)) {
/* Empty forwarding info */
u_char zero[4] = {0, 0, 0, 0};
write (s, &zero, 4);
}
krb5_auth_con_free (context, auth_context);
return 0;
}
#endif /* KRB5 */
static int
send_broken_auth(int s,
struct sockaddr *thisaddr,
struct sockaddr *thataddr,
const char *hostname,
const char *remote_user,
const char *local_user,
size_t cmd_len,
const char *cmd)
{
size_t len;
len = strlen(local_user) + 1;
if (net_write (s, local_user, len) != len) {
warn ("write");
return 1;
}
len = strlen(remote_user) + 1;
if (net_write (s, remote_user, len) != len) {
warn ("write");
return 1;
}
if (net_write (s, cmd, cmd_len) != cmd_len) {
warn ("write");
return 1;
}
return 0;
}
static int
proto (int s, int errsock,
const char *hostname, const char *local_user, const char *remote_user,
const char *cmd, size_t cmd_len,
int (*auth_func)(int s,
struct sockaddr *this, struct sockaddr *that,
const char *hostname, const char *remote_user,
const char *local_user, size_t cmd_len,
const char *cmd))
{
int errsock2;
char buf[BUFSIZ];
char *p;
size_t len;
char reply;
struct sockaddr_storage thisaddr_ss;
struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
struct sockaddr_storage thataddr_ss;
struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
struct sockaddr_storage erraddr_ss;
struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
socklen_t addrlen;
int ret;
addrlen = sizeof(thisaddr_ss);
if (getsockname (s, thisaddr, &addrlen) < 0) {
warn ("getsockname(%s)", hostname);
return 1;
}
addrlen = sizeof(thataddr_ss);
if (getpeername (s, thataddr, &addrlen) < 0) {
warn ("getpeername(%s)", hostname);
return 1;
}
if (errsock != -1) {
addrlen = sizeof(erraddr_ss);
if (getsockname (errsock, erraddr, &addrlen) < 0) {
warn ("getsockname");
return 1;
}
if (listen (errsock, 1) < 0) {
warn ("listen");
return 1;
}
p = buf;
snprintf (p, sizeof(buf), "%u",
ntohs(socket_get_port(erraddr)));
len = strlen(buf) + 1;
if(net_write (s, buf, len) != len) {
warn ("write");
close (errsock);
return 1;
}
for (;;) {
fd_set fdset;
if (errsock >= FD_SETSIZE || s >= FD_SETSIZE)
errx (1, "fd too large");
FD_ZERO(&fdset);
FD_SET(errsock, &fdset);
FD_SET(s, &fdset);
ret = select (max(errsock, s) + 1, &fdset, NULL, NULL, NULL);
if (ret < 0) {
if (errno == EINTR)
continue;
warn ("select");
close (errsock);
return 1;
}
if (FD_ISSET(errsock, &fdset)) {
errsock2 = accept (errsock, NULL, NULL);
close (errsock);
if (errsock2 < 0) {
warn ("accept");
return 1;
}
break;
}
/*
* there should not arrive any data on this fd so if it's
* readable it probably indicates that the other side when
* away.
*/
if (FD_ISSET(s, &fdset)) {
warnx ("socket closed");
close (errsock);
errsock2 = -1;
break;
}
}
} else {
if (net_write (s, "0", 2) != 2) {
warn ("write");
return 1;
}
errsock2 = -1;
}
if ((*auth_func)(s, thisaddr, thataddr, hostname,
remote_user, local_user,
cmd_len, cmd)) {
close (errsock2);
return 1;
}
ret = net_read (s, &reply, 1);
if (ret < 0) {
warn ("read");
close (errsock2);
return 1;
} else if (ret == 0) {
warnx ("unexpected EOF from %s", hostname);
close (errsock2);
return 1;
}
if (reply != 0) {
warnx ("Error from rshd at %s:", hostname);
while ((ret = read (s, buf, sizeof(buf))) > 0)
write (STDOUT_FILENO, buf, ret);
write (STDOUT_FILENO,"\n",1);
close (errsock2);
return 1;
}
if (sock_debug) {
int one = 1;
if (setsockopt(s, SOL_SOCKET, SO_DEBUG, (void *)&one, sizeof(one)) < 0)
warn("setsockopt remote");
if (errsock2 != -1 &&
setsockopt(errsock2, SOL_SOCKET, SO_DEBUG,
(void *)&one, sizeof(one)) < 0)
warn("setsockopt stderr");
}
return loop (s, errsock2);
}
/*
* Return in `res' a copy of the concatenation of `argc, argv' into
* malloced space. */
static size_t
construct_command (char **res, int argc, char **argv)
{
int i;
size_t len = 0;
char *tmp;
for (i = 0; i < argc; ++i)
len += strlen(argv[i]) + 1;
len = max (1, len);
tmp = malloc (len);
if (tmp == NULL)
errx (1, "malloc %u failed", len);
*tmp = '\0';
for (i = 0; i < argc - 1; ++i) {
strcat (tmp, argv[i]);
strcat (tmp, " ");
}
if (argc > 0)
strcat (tmp, argv[argc-1]);
*res = tmp;
return len;
}
static char *
print_addr (const struct sockaddr_in *sin)
{
char addr_str[256];
char *res;
inet_ntop (AF_INET, &sin->sin_addr, addr_str, sizeof(addr_str));
res = strdup(addr_str);
if (res == NULL)
errx (1, "malloc: out of memory");
return res;
}
static int
doit_broken (int argc,
char **argv,
int optind,
struct addrinfo *ai,
const char *remote_user,
const char *local_user,
int priv_socket1,
int priv_socket2,
const char *cmd,
size_t cmd_len)
{
struct addrinfo *a;
if (connect (priv_socket1, ai->ai_addr, ai->ai_addrlen) < 0) {
if (ai->ai_next == NULL)
return 1;
close(priv_socket1);
close(priv_socket2);
for (a = ai->ai_next; a != NULL; a = a->ai_next) {
pid_t pid;
pid = fork();
if (pid < 0)
err (1, "fork");
else if(pid == 0) {
char **new_argv;
int i = 0;
struct sockaddr_in *sin = (struct sockaddr_in *)a->ai_addr;
new_argv = malloc((argc + 2) * sizeof(*new_argv));
if (new_argv == NULL)
errx (1, "malloc: out of memory");
new_argv[i] = argv[i];
++i;
if (optind == i)
new_argv[i++] = print_addr (sin);
new_argv[i++] = "-K";
for(; i <= argc; ++i)
new_argv[i] = argv[i - 1];
if (optind > 1)
new_argv[optind + 1] = print_addr(sin);
new_argv[argc + 1] = NULL;
execv(PATH_RSH, new_argv);
err(1, "execv(%s)", PATH_RSH);
} else {
int status;
while(waitpid(pid, &status, 0) < 0)
;
if(WIFEXITED(status) && WEXITSTATUS(status) == 0)
return 0;
}
}
return 1;
} else {
int ret;
ret = proto (priv_socket1, priv_socket2,
argv[optind],
local_user, remote_user,
cmd, cmd_len,
send_broken_auth);
return ret;
}
}
#if defined(KRB4) || defined(KRB5)
static int
doit (const char *hostname,
struct addrinfo *ai,
const char *remote_user,
const char *local_user,
const char *cmd,
size_t cmd_len,
int do_errsock,
int (*auth_func)(int s,
struct sockaddr *this, struct sockaddr *that,
const char *hostname, const char *remote_user,
const char *local_user, size_t cmd_len,
const char *cmd))
{
int error;
struct addrinfo *a;
int socketfailed = 1;
int ret;
for (a = ai; a != NULL; a = a->ai_next) {
int s;
int errsock;
s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
if (s < 0)
continue;
socketfailed = 0;
if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
char addr[128];
if(getnameinfo(a->ai_addr, a->ai_addrlen,
addr, sizeof(addr), NULL, 0, NI_NUMERICHOST) == 0)
warn ("connect(%s [%s])", hostname, addr);
else
warn ("connect(%s)", hostname);
close (s);
continue;
}
if (do_errsock) {
struct addrinfo *ea, *eai;
struct addrinfo hints;
memset (&hints, 0, sizeof(hints));
hints.ai_socktype = a->ai_socktype;
hints.ai_protocol = a->ai_protocol;
hints.ai_family = a->ai_family;
hints.ai_flags = AI_PASSIVE;
errsock = -1;
error = getaddrinfo (NULL, "0", &hints, &eai);
if (error)
errx (1, "getaddrinfo: %s", gai_strerror(error));
for (ea = eai; ea != NULL; ea = ea->ai_next) {
errsock = socket (ea->ai_family, ea->ai_socktype,
ea->ai_protocol);
if (errsock < 0)
continue;
if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0)
err (1, "bind");
break;
}
if (errsock < 0)
err (1, "socket");
freeaddrinfo (eai);
} else
errsock = -1;
ret = proto (s, errsock,
hostname,
local_user, remote_user,
cmd, cmd_len, auth_func);
close (s);
return ret;
}
if(socketfailed)
warnx ("failed to contact %s", hostname);
return -1;
}
#endif /* KRB4 || KRB5 */
struct getargs args[] = {
#ifdef KRB4
{ "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4" },
#endif
#ifdef KRB5
{ "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5" },
{ "forward", 'f', arg_flag, &do_forward, "Forward credentials (krb5)"},
{ NULL, 'G', arg_negative_flag,&do_forward, "Don't forward credentials" },
{ "forwardable", 'F', arg_flag, &do_forwardable,
"Forward forwardable credentials" },
#endif
#if defined(KRB4) || defined(KRB5)
{ "broken", 'K', arg_flag, &use_only_broken, "Use only priv port" },
{ "encrypt", 'x', arg_flag, &do_encrypt, "Encrypt connection" },
{ NULL, 'z', arg_negative_flag, &do_encrypt,
"Don't encrypt connection", NULL },
#endif
#ifdef KRB5
{ "unique", 'u', arg_flag, &do_unique_tkfile,
"Use unique remote tkfile (krb5)" },
{ "tkfile", 'U', arg_string, &unique_tkfile,
"Use that remote tkfile (krb5)" },
#endif
{ NULL, 'd', arg_flag, &sock_debug, "Enable socket debugging" },
{ "input", 'n', arg_negative_flag, &input, "Close stdin" },
{ "port", 'p', arg_string, &port_str, "Use this port",
"port" },
{ "user", 'l', arg_string, &user, "Run as this user", "login" },
{ "stderr", 'e', arg_negative_flag, &do_errsock, "Don't open stderr"},
{ "protocol", 'P', arg_string, &protocol_version_str,
"Protocol version", "protocol" },
{ "version", 0, arg_flag, &do_version, NULL },
{ "help", 0, arg_flag, &do_help, NULL }
};
static void
usage (int ret)
{
arg_printusage (args,
sizeof(args) / sizeof(args[0]),
NULL,
"[login@]host [command]");
exit (ret);
}
/*
*
*/
int
main(int argc, char **argv)
{
int priv_port1, priv_port2;
int priv_socket1, priv_socket2;
int optind = 0;
int error;
struct addrinfo hints, *ai;
int ret = 1;
char *cmd;
char *tmp;
size_t cmd_len;
const char *local_user;
char *host = NULL;
int host_index = -1;
#ifdef KRB5
int status;
#endif
uid_t uid;
priv_port1 = priv_port2 = IPPORT_RESERVED-1;
priv_socket1 = rresvport(&priv_port1);
priv_socket2 = rresvport(&priv_port2);
uid = getuid ();
if (setuid (uid) || (uid != 0 && setuid(0) == 0))
err (1, "setuid");
setprogname (argv[0]);
if (argc >= 2 && argv[1][0] != '-') {
host = argv[host_index = 1];
optind = 1;
}
if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
&optind))
usage (1);
if (do_help)
usage (0);
if (do_version) {
print_version (NULL);
return 0;
}
if(protocol_version_str != NULL) {
if(strcasecmp(protocol_version_str, "N") == 0)
protocol_version = 2;
else if(strcasecmp(protocol_version_str, "O") == 0)
protocol_version = 1;
else {
char *end;
int v;
v = strtol(protocol_version_str, &end, 0);
if(*end != '\0' || (v != 1 && v != 2)) {
errx(1, "unknown protocol version \"%s\"",
protocol_version_str);
}
protocol_version = v;
}
}
#ifdef KRB5
status = krb5_init_context (&context);
if (status) {
if(use_v5 == 1)
errx(1, "krb5_init_context failed: %d", status);
else
use_v5 = 0;
}
if (do_forwardable == -1)
do_forwardable = krb5_config_get_bool (context, NULL,
"libdefaults",
"forwardable",
NULL);
if (do_forward == -1)
do_forward = krb5_config_get_bool (context, NULL,
"libdefaults",
"forward",
NULL);
else if (do_forward == 0)
do_forwardable = 0;
if (do_forwardable)
do_forward = 1;
#endif
#if defined(KRB4) || defined(KRB5)
if (do_encrypt == -1) {
/* we want to tell the -x flag from the default encryption
option */
#ifdef KRB5
/* the normal default for krb4 should be to disable encryption */
if(!krb5_config_get_bool (context, NULL,
"libdefaults",
"encrypt",
NULL))
#endif
do_encrypt = 0;
}
#endif
#if defined(KRB4) && defined(KRB5)
if(use_v4 == -1 && use_v5 == 1)
use_v4 = 0;
if(use_v5 == -1 && use_v4 == 1)
use_v5 = 0;
#endif
if (use_only_broken) {
#ifdef KRB4
use_v4 = 0;
#endif
#ifdef KRB5
use_v5 = 0;
#endif
}
if(priv_socket1 < 0) {
if (use_only_broken)
errx (1, "unable to bind reserved port: is rsh setuid root?");
use_broken = 0;
}
#if defined(KRB4) || defined(KRB5)
if (do_encrypt == 1 && use_only_broken)
errx (1, "encryption not supported with old style authentication");
#endif
#ifdef KRB5
if (do_unique_tkfile && unique_tkfile != NULL)
errx (1, "Only one of -u and -U allowed.");
if (do_unique_tkfile)
strcpy(tkfile,"-u ");
else if (unique_tkfile != NULL) {
if (strchr(unique_tkfile,' ') != NULL) {
warnx("Space is not allowed in tkfilename");
usage(1);
}
do_unique_tkfile = 1;
snprintf (tkfile, sizeof(tkfile), "-U %s ", unique_tkfile);
}
#endif
if (host == NULL) {
if (argc - optind < 1)
usage (1);
else
host = argv[host_index = optind++];
}
if((tmp = strchr(host, '@')) != NULL) {
*tmp++ = '\0';
user = host;
host = tmp;
}
if (optind == argc) {
close (priv_socket1);
close (priv_socket2);
argv[0] = "rlogin";
execvp ("rlogin", argv);
err (1, "execvp rlogin");
}
local_user = get_default_username ();
if (local_user == NULL)
errx (1, "who are you?");
if (user == NULL)
user = local_user;
cmd_len = construct_command(&cmd, argc - optind, argv + optind);
/*
* Try all different authentication methods
*/
#ifdef KRB5
if (ret && use_v5) {
memset (&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
if(port_str == NULL) {
error = getaddrinfo(host, "kshell", &hints, &ai);
if(error == EAI_NONAME)
error = getaddrinfo(host, "544", &hints, &ai);
} else
error = getaddrinfo(host, port_str, &hints, &ai);
if(error)
errx (1, "getaddrinfo: %s", gai_strerror(error));
auth_method = AUTH_KRB5;
again:
ret = doit (host, ai, user, local_user, cmd, cmd_len,
do_errsock,
send_krb5_auth);
if(ret != 0 && sendauth_version_error &&
protocol_version == 2) {
protocol_version = 1;
goto again;
}
freeaddrinfo(ai);
}
#endif
#ifdef KRB4
if (ret && use_v4) {
memset (&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
if(port_str == NULL) {
if(do_encrypt) {
error = getaddrinfo(host, "ekshell", &hints, &ai);
if(error == EAI_NONAME)
error = getaddrinfo(host, "545", &hints, &ai);
} else {
error = getaddrinfo(host, "kshell", &hints, &ai);
if(error == EAI_NONAME)
error = getaddrinfo(host, "544", &hints, &ai);
}
} else
error = getaddrinfo(host, port_str, &hints, &ai);
if(error)
errx (1, "getaddrinfo: %s", gai_strerror(error));
auth_method = AUTH_KRB4;
ret = doit (host, ai, user, local_user, cmd, cmd_len,
do_errsock,
send_krb4_auth);
freeaddrinfo(ai);
}
#endif
if (ret && use_broken) {
memset (&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
if(port_str == NULL) {
error = getaddrinfo(host, "shell", &hints, &ai);
if(error == EAI_NONAME)
error = getaddrinfo(host, "514", &hints, &ai);
} else
error = getaddrinfo(host, port_str, &hints, &ai);
if(error)
errx (1, "getaddrinfo: %s", gai_strerror(error));
auth_method = AUTH_BROKEN;
ret = doit_broken (argc, argv, host_index, ai,
user, local_user,
priv_socket1,
do_errsock ? priv_socket2 : -1,
cmd, cmd_len);
freeaddrinfo(ai);
}
free(cmd);
return ret;
}