Remove support for LOGIN_CAP_AUTH. It was never enabled, it was
not complete, and it hasn't been touched for 18 months. All the ifdefs obfuscate the code. I discussed the LOGIN_CAP_AUTH support with its author and he agreed that it is a dead end. I am bringing PAM into the tree within the next two weeks. It is much more flexible than LOGIN_CAP_AUTH, and will serve as a superior replacement for it.
parent
069b715f73
commit
8e32ad3bde
@ -1,15 +1,12 @@
|
|||||||
# From: @(#)Makefile 8.1 (Berkeley) 7/19/93
|
# From: @(#)Makefile 8.1 (Berkeley) 7/19/93
|
||||||
# $Id: Makefile,v 1.20 1998/08/06 21:37:04 markm Exp $
|
# $Id: Makefile,v 1.21 1998/09/19 22:42:04 obrien Exp $
|
||||||
|
|
||||||
PROG= login
|
PROG= login
|
||||||
MAN1= login.1
|
MAN1= login.1
|
||||||
MAN5= login.access.5
|
MAN5= login.access.5
|
||||||
SRCS= login.c login_access.c login_fbtab.c
|
SRCS= login.c login_access.c login_fbtab.c
|
||||||
|
|
||||||
#Uncomment to activate login_auth
|
CFLAGS+=-Wall -DSKEY -DLOGIN_ACCESS -DLOGALL -DLOGIN_CAP
|
||||||
#Warning: requires src/libexec/login_* auth modules
|
|
||||||
#LC_AUTH=-DLOGIN_CAP_AUTH
|
|
||||||
CFLAGS+=-Wall -DSKEY -DLOGIN_ACCESS -DLOGALL -DLOGIN_CAP $(LC_AUTH)
|
|
||||||
|
|
||||||
.if defined(KLOGIN_PARANOID)
|
.if defined(KLOGIN_PARANOID)
|
||||||
CFLAGS+=-DKLOGIN_PARANOID
|
CFLAGS+=-DKLOGIN_PARANOID
|
||||||
@ -18,7 +15,7 @@ CFLAGS+=-DKLOGIN_PARANOID
|
|||||||
DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT}
|
DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT}
|
||||||
LDADD= -lutil -lskey -lmd -lcrypt
|
LDADD= -lutil -lskey -lmd -lcrypt
|
||||||
|
|
||||||
.if exists(${DESTDIR}${LIBDIR}/libkrb.a) && defined(MAKE_KERBEROS4) && !defined(LC_AUTH)
|
.if exists(${DESTDIR}${LIBDIR}/libkrb.a) && defined(MAKE_KERBEROS4)
|
||||||
CFLAGS+=-DKERBEROS
|
CFLAGS+=-DKERBEROS
|
||||||
SRCS+= klogin.c
|
SRCS+= klogin.c
|
||||||
DPADD+= ${LIBKRB} ${LIBDES}
|
DPADD+= ${LIBKRB} ${LIBDES}
|
||||||
|
@ -42,7 +42,7 @@ static char copyright[] =
|
|||||||
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
|
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
|
||||||
#endif
|
#endif
|
||||||
static const char rcsid[] =
|
static const char rcsid[] =
|
||||||
"$Id: login.c,v 1.39 1998/10/09 06:36:22 markm Exp $";
|
"$Id: login.c,v 1.40 1998/11/11 01:53:12 jdp Exp $";
|
||||||
#endif /* not lint */
|
#endif /* not lint */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -78,23 +78,8 @@ static const char rcsid[] =
|
|||||||
|
|
||||||
#ifdef LOGIN_CAP
|
#ifdef LOGIN_CAP
|
||||||
#include <login_cap.h>
|
#include <login_cap.h>
|
||||||
#else /* Undef AUTH as well */
|
|
||||||
#undef LOGIN_CAP_AUTH
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
|
||||||
* If LOGIN_CAP_AUTH is activated:
|
|
||||||
* kerberose & skey logins are runtime selected via login
|
|
||||||
* login_getstyle() and authentication types for login classes
|
|
||||||
* The actual login itself is handled via /usr/libexec/login_<style>
|
|
||||||
* Valid styles are determined by the auth-type=style,style entries
|
|
||||||
* in the login class.
|
|
||||||
*/
|
|
||||||
#ifdef LOGIN_CAP_AUTH
|
|
||||||
#undef KERBEROS
|
|
||||||
#undef SKEY
|
|
||||||
#endif /* LOGIN_CAP_AUTH */
|
|
||||||
|
|
||||||
#ifdef SKEY
|
#ifdef SKEY
|
||||||
#include <skey.h>
|
#include <skey.h>
|
||||||
#endif /* SKEY */
|
#endif /* SKEY */
|
||||||
@ -167,12 +152,6 @@ main(argc, argv)
|
|||||||
char *shell = NULL;
|
char *shell = NULL;
|
||||||
#ifdef LOGIN_CAP
|
#ifdef LOGIN_CAP
|
||||||
login_cap_t *lc = NULL;
|
login_cap_t *lc = NULL;
|
||||||
#ifdef LOGIN_CAP_AUTH
|
|
||||||
char *style, *authtype;
|
|
||||||
char *auth_method = NULL;
|
|
||||||
char *instance = NULL;
|
|
||||||
int authok;
|
|
||||||
#endif /* LOGIN_CAP_AUTH */
|
|
||||||
#endif /* LOGIN_CAP */
|
#endif /* LOGIN_CAP */
|
||||||
#ifdef SKEY
|
#ifdef SKEY
|
||||||
int permit_passwd = 0;
|
int permit_passwd = 0;
|
||||||
@ -266,9 +245,6 @@ main(argc, argv)
|
|||||||
else
|
else
|
||||||
tty = ttyn;
|
tty = ttyn;
|
||||||
|
|
||||||
#ifdef LOGIN_CAP_AUTH
|
|
||||||
authtype = hostname ? "rlogin" : "login";
|
|
||||||
#endif
|
|
||||||
#ifdef LOGIN_CAP
|
#ifdef LOGIN_CAP
|
||||||
/*
|
/*
|
||||||
* Get "login-retries" & "login-backoff" from default class
|
* Get "login-retries" & "login-backoff" from default class
|
||||||
@ -290,25 +266,6 @@ main(argc, argv)
|
|||||||
}
|
}
|
||||||
rootlogin = 0;
|
rootlogin = 0;
|
||||||
rootok = rootterm(tty); /* Default (auth may change) */
|
rootok = rootterm(tty); /* Default (auth may change) */
|
||||||
#ifdef LOGIN_CAP_AUTH
|
|
||||||
authok = 0;
|
|
||||||
if (auth_method = strchr(username, ':')) {
|
|
||||||
*auth_method = '\0';
|
|
||||||
auth_method++;
|
|
||||||
if (*auth_method == '\0')
|
|
||||||
auth_method = NULL;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* We need to do this regardless of whether
|
|
||||||
* kerberos is available.
|
|
||||||
*/
|
|
||||||
if ((instance = strchr(username, '.')) != NULL) {
|
|
||||||
if (strncmp(instance, ".root", 5) == 0)
|
|
||||||
rootlogin = 1;
|
|
||||||
*instance++ = '\0';
|
|
||||||
} else
|
|
||||||
instance = "";
|
|
||||||
#else /* !LOGIN_CAP_AUTH */
|
|
||||||
#ifdef KERBEROS
|
#ifdef KERBEROS
|
||||||
if ((instance = strchr(username, '.')) != NULL) {
|
if ((instance = strchr(username, '.')) != NULL) {
|
||||||
if (strncmp(instance, ".root", 5) == 0)
|
if (strncmp(instance, ".root", 5) == 0)
|
||||||
@ -317,7 +274,6 @@ main(argc, argv)
|
|||||||
} else
|
} else
|
||||||
instance = "";
|
instance = "";
|
||||||
#endif /* KERBEROS */
|
#endif /* KERBEROS */
|
||||||
#endif /* LOGIN_CAP_AUTH */
|
|
||||||
|
|
||||||
if (strlen(username) > UT_NAMESIZE)
|
if (strlen(username) > UT_NAMESIZE)
|
||||||
username[UT_NAMESIZE] = '\0';
|
username[UT_NAMESIZE] = '\0';
|
||||||
@ -380,77 +336,6 @@ main(argc, argv)
|
|||||||
|
|
||||||
(void)setpriority(PRIO_PROCESS, 0, -4);
|
(void)setpriority(PRIO_PROCESS, 0, -4);
|
||||||
|
|
||||||
#ifdef LOGIN_CAP_AUTH
|
|
||||||
/*
|
|
||||||
* This hands off authorization to an authorization program,
|
|
||||||
* depending on the styles available for the "auth-login",
|
|
||||||
* auth-rlogin (or default) authorization styles.
|
|
||||||
* We do this regardless of whether an account exists so that
|
|
||||||
* the remote user cannot tell a "real" from an invented
|
|
||||||
* account name. If we don't have an account we just fall
|
|
||||||
* back to the first method for the "default" class.
|
|
||||||
*/
|
|
||||||
if (!(style = login_getstyle(lc, auth_method, authtype))) {
|
|
||||||
|
|
||||||
/*
|
|
||||||
* No available authorization method
|
|
||||||
*/
|
|
||||||
rval = 1;
|
|
||||||
(void)printf("No auth method available for %s.\n",
|
|
||||||
authtype);
|
|
||||||
} else {
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Put back the kerberos instance, if any was given.
|
|
||||||
* Don't worry about the non-kerberos case here, since
|
|
||||||
* if kerberos is not available or not selected and an
|
|
||||||
* instance is given at the login prompt, su or rlogin -l,
|
|
||||||
* then anything else should fail as well.
|
|
||||||
*/
|
|
||||||
if (*instance)
|
|
||||||
*(instance - 1) = '.';
|
|
||||||
|
|
||||||
rval = authenticate(username,
|
|
||||||
lc ? lc->lc_class : "default",
|
|
||||||
style, authtype);
|
|
||||||
/* Junk it again */
|
|
||||||
if (*instance)
|
|
||||||
*(instance - 1) = '\0';
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!rval) {
|
|
||||||
char * approvep;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If authentication succeeds, run any approval
|
|
||||||
* program, if applicable for this class.
|
|
||||||
*/
|
|
||||||
approvep = login_getcapstr(lc, "approve", NULL, NULL);
|
|
||||||
rval = 1; /* Assume bad login again */
|
|
||||||
|
|
||||||
if (approvep==NULL ||
|
|
||||||
auth_script(approvep, approvep, username,
|
|
||||||
lc->lc_class, 0) == 0) {
|
|
||||||
int r;
|
|
||||||
|
|
||||||
r = auth_scan(AUTH_OKAY);
|
|
||||||
/*
|
|
||||||
* See what the authorize program says
|
|
||||||
*/
|
|
||||||
if (r != 0) {
|
|
||||||
rval = 0;
|
|
||||||
|
|
||||||
if (!rootok && (r & AUTH_ROOTOKAY))
|
|
||||||
rootok = 1; /* root approved */
|
|
||||||
else
|
|
||||||
rootlogin = 0;
|
|
||||||
|
|
||||||
if (!authok && (r & AUTH_SECURE))
|
|
||||||
authok = 1; /* secure */
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#else /* !LOGIN_CAP_AUTH */
|
|
||||||
#ifdef SKEY
|
#ifdef SKEY
|
||||||
permit_passwd = skeyaccess(username, tty,
|
permit_passwd = skeyaccess(username, tty,
|
||||||
hostname ? full_hostname : NULL,
|
hostname ? full_hostname : NULL,
|
||||||
@ -494,21 +379,16 @@ main(argc, argv)
|
|||||||
|
|
||||||
/* clear entered password */
|
/* clear entered password */
|
||||||
memset(p, 0, strlen(p));
|
memset(p, 0, strlen(p));
|
||||||
#endif /* LOGIN_CAP_AUTH */
|
|
||||||
|
|
||||||
(void)setpriority(PRIO_PROCESS, 0, 0);
|
(void)setpriority(PRIO_PROCESS, 0, 0);
|
||||||
|
|
||||||
#ifdef LOGIN_CAP_AUTH
|
|
||||||
if (rval)
|
|
||||||
auth_rmfiles();
|
|
||||||
#endif
|
|
||||||
ttycheck:
|
ttycheck:
|
||||||
/*
|
/*
|
||||||
* If trying to log in as root without Kerberos,
|
* If trying to log in as root without Kerberos,
|
||||||
* but with insecure terminal, refuse the login attempt.
|
* but with insecure terminal, refuse the login attempt.
|
||||||
*/
|
*/
|
||||||
if (pwd && !rval) {
|
if (pwd && !rval) {
|
||||||
#if defined(KERBEROS) || defined(LOGIN_CAP_AUTH)
|
#if defined(KERBEROS)
|
||||||
if (authok == 0 && rootlogin && !rootok)
|
if (authok == 0 && rootlogin && !rootok)
|
||||||
#else
|
#else
|
||||||
if (rootlogin && !rootok)
|
if (rootlogin && !rootok)
|
||||||
@ -756,9 +636,6 @@ main(argc, argv)
|
|||||||
if (krbtkfile_env)
|
if (krbtkfile_env)
|
||||||
(void)setenv("KRBTKFILE", krbtkfile_env, 1);
|
(void)setenv("KRBTKFILE", krbtkfile_env, 1);
|
||||||
#endif
|
#endif
|
||||||
#if LOGIN_CAP_AUTH
|
|
||||||
auth_env();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef LOGIN_CAP
|
#ifdef LOGIN_CAP
|
||||||
if (!quietlog) {
|
if (!quietlog) {
|
||||||
|
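Review bot: In the `ttycheck:` hunk the KERBEROS branch still tests `authok == 0 && rootlogin && !rootok`, but this commit deletes the only declaration (`int authok;`) and the only reset (`authok = 0;`) of `authok` visible on the page, both of which sat under `#ifdef LOGIN_CAP_AUTH`. If KERBEROS builds rely on an `authok` defined outside these hunks, please confirm it is cleared before every authentication attempt, because a stale non-zero value would skip the insecure-terminal refusal for root. If it is not cleared elsewhere, keep `authok = 0;` next to `rootlogin = 0;` under `#ifdef KERBEROS`. The comment on `rootok = rootterm(tty); /* Default (auth may change) */` also looks stale, since the removed `rootok = 1; /* root approved */` was the only override visible here; unless the Kerberos path still changes `rootok`, shorten it to `/* Default */`. main() begins and ends outside these hunks, so both points need checking against the full file.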