Remove support for LOGIN_CAP_AUTH. It was never enabled, it was
not complete, and it hasn't been touched for 18 months.  All the
ifdefs obfuscate the code.  I discussed the LOGIN_CAP_AUTH support
with its author and he agreed that it is a dead end.  I am bringing
PAM into the tree within the next two weeks.  It is much more
flexible than LOGIN_CAP_AUTH, and will serve as a superior replacement
for it.
John Polstra 1998-11-11 02:16:01 +00:00
parent 069b715f73
commit 8e32ad3bde
2 changed files with 5 additions and 131 deletions


@ -1,15 +1,12 @@
# From: @(#)Makefile 8.1 (Berkeley) 7/19/93 # From: @(#)Makefile 8.1 (Berkeley) 7/19/93
# $Id: Makefile,v 1.20 1998/08/06 21:37:04 markm Exp $ # $Id: Makefile,v 1.21 1998/09/19 22:42:04 obrien Exp $
PROG= login PROG= login
MAN1= login.1 MAN1= login.1
MAN5= login.access.5 MAN5= login.access.5
SRCS= login.c login_access.c login_fbtab.c SRCS= login.c login_access.c login_fbtab.c
#Uncomment to activate login_auth CFLAGS+=-Wall -DSKEY -DLOGIN_ACCESS -DLOGALL -DLOGIN_CAP
#Warning: requires src/libexec/login_* auth modules
#LC_AUTH=-DLOGIN_CAP_AUTH
CFLAGS+=-Wall -DSKEY -DLOGIN_ACCESS -DLOGALL -DLOGIN_CAP $(LC_AUTH)
.if defined(KLOGIN_PARANOID) .if defined(KLOGIN_PARANOID)
CFLAGS+=-DKLOGIN_PARANOID CFLAGS+=-DKLOGIN_PARANOID
@ -18,7 +15,7 @@ CFLAGS+=-DKLOGIN_PARANOID
DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT}
LDADD= -lutil -lskey -lmd -lcrypt LDADD= -lutil -lskey -lmd -lcrypt
.if exists(${DESTDIR}${LIBDIR}/libkrb.a) && defined(MAKE_KERBEROS4) && !defined(LC_AUTH) .if exists(${DESTDIR}${LIBDIR}/libkrb.a) && defined(MAKE_KERBEROS4)
CFLAGS+=-DKERBEROS CFLAGS+=-DKERBEROS
SRCS+= klogin.c SRCS+= klogin.c
DPADD+= ${LIBKRB} ${LIBDES} DPADD+= ${LIBKRB} ${LIBDES}


@ -42,7 +42,7 @@ static char copyright[] =
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif #endif
static const char rcsid[] = static const char rcsid[] =
"$Id: login.c,v 1.39 1998/10/09 06:36:22 markm Exp $"; "$Id: login.c,v 1.40 1998/11/11 01:53:12 jdp Exp $";
#endif /* not lint */ #endif /* not lint */
/* /*
@ -78,23 +78,8 @@ static const char rcsid[] =
#ifdef LOGIN_CAP #ifdef LOGIN_CAP
#include <login_cap.h> #include <login_cap.h>
#else /* Undef AUTH as well */
#undef LOGIN_CAP_AUTH
#endif #endif
/*
* If LOGIN_CAP_AUTH is activated:
* kerberose & skey logins are runtime selected via login
* login_getstyle() and authentication types for login classes
* The actual login itself is handled via /usr/libexec/login_<style>
* Valid styles are determined by the auth-type=style,style entries
* in the login class.
*/
#ifdef LOGIN_CAP_AUTH
#undef KERBEROS
#undef SKEY
#endif /* LOGIN_CAP_AUTH */
#ifdef SKEY #ifdef SKEY
#include <skey.h> #include <skey.h>
#endif /* SKEY */ #endif /* SKEY */
@ -167,12 +152,6 @@ main(argc, argv)
char *shell = NULL; char *shell = NULL;
#ifdef LOGIN_CAP #ifdef LOGIN_CAP
login_cap_t *lc = NULL; login_cap_t *lc = NULL;
#ifdef LOGIN_CAP_AUTH
char *style, *authtype;
char *auth_method = NULL;
char *instance = NULL;
int authok;
#endif /* LOGIN_CAP_AUTH */
#endif /* LOGIN_CAP */ #endif /* LOGIN_CAP */
#ifdef SKEY #ifdef SKEY
int permit_passwd = 0; int permit_passwd = 0;
@ -266,9 +245,6 @@ main(argc, argv)
else else
tty = ttyn; tty = ttyn;
#ifdef LOGIN_CAP_AUTH
authtype = hostname ? "rlogin" : "login";
#endif
#ifdef LOGIN_CAP #ifdef LOGIN_CAP
/* /*
* Get "login-retries" & "login-backoff" from default class * Get "login-retries" & "login-backoff" from default class
@ -290,25 +266,6 @@ main(argc, argv)
} }
rootlogin = 0; rootlogin = 0;
rootok = rootterm(tty); /* Default (auth may change) */ rootok = rootterm(tty); /* Default (auth may change) */
#ifdef LOGIN_CAP_AUTH
authok = 0;
if (auth_method = strchr(username, ':')) {
*auth_method = '\0';
auth_method++;
if (*auth_method == '\0')
auth_method = NULL;
}
/*
* We need to do this regardless of whether
* kerberos is available.
*/
if ((instance = strchr(username, '.')) != NULL) {
if (strncmp(instance, ".root", 5) == 0)
rootlogin = 1;
*instance++ = '\0';
} else
instance = "";
#else /* !LOGIN_CAP_AUTH */
#ifdef KERBEROS #ifdef KERBEROS
if ((instance = strchr(username, '.')) != NULL) { if ((instance = strchr(username, '.')) != NULL) {
if (strncmp(instance, ".root", 5) == 0) if (strncmp(instance, ".root", 5) == 0)
@ -317,7 +274,6 @@ main(argc, argv)
} else } else
instance = ""; instance = "";
#endif /* KERBEROS */ #endif /* KERBEROS */
#endif /* LOGIN_CAP_AUTH */
if (strlen(username) > UT_NAMESIZE) if (strlen(username) > UT_NAMESIZE)
username[UT_NAMESIZE] = '\0'; username[UT_NAMESIZE] = '\0';
@ -380,77 +336,6 @@ main(argc, argv)
(void)setpriority(PRIO_PROCESS, 0, -4); (void)setpriority(PRIO_PROCESS, 0, -4);
#ifdef LOGIN_CAP_AUTH
/*
* This hands off authorization to an authorization program,
* depending on the styles available for the "auth-login",
* auth-rlogin (or default) authorization styles.
* We do this regardless of whether an account exists so that
* the remote user cannot tell a "real" from an invented
* account name. If we don't have an account we just fall
* back to the first method for the "default" class.
*/
if (!(style = login_getstyle(lc, auth_method, authtype))) {
/*
* No available authorization method
*/
rval = 1;
(void)printf("No auth method available for %s.\n",
authtype);
} else {
/*
* Put back the kerberos instance, if any was given.
* Don't worry about the non-kerberos case here, since
* if kerberos is not available or not selected and an
* instance is given at the login prompt, su or rlogin -l,
* then anything else should fail as well.
*/
if (*instance)
*(instance - 1) = '.';
rval = authenticate(username,
lc ? lc->lc_class : "default",
style, authtype);
/* Junk it again */
if (*instance)
*(instance - 1) = '\0';
}
if (!rval) {
char * approvep;
/*
* If authentication succeeds, run any approval
* program, if applicable for this class.
*/
approvep = login_getcapstr(lc, "approve", NULL, NULL);
rval = 1; /* Assume bad login again */
if (approvep==NULL ||
auth_script(approvep, approvep, username,
lc->lc_class, 0) == 0) {
int r;
r = auth_scan(AUTH_OKAY);
/*
* See what the authorize program says
*/
if (r != 0) {
rval = 0;
if (!rootok && (r & AUTH_ROOTOKAY))
rootok = 1; /* root approved */
else
rootlogin = 0;
if (!authok && (r & AUTH_SECURE))
authok = 1; /* secure */
}
}
}
#else /* !LOGIN_CAP_AUTH */
#ifdef SKEY #ifdef SKEY
permit_passwd = skeyaccess(username, tty, permit_passwd = skeyaccess(username, tty,
hostname ? full_hostname : NULL, hostname ? full_hostname : NULL,
@ -494,21 +379,16 @@ main(argc, argv)
/* clear entered password */ /* clear entered password */
memset(p, 0, strlen(p)); memset(p, 0, strlen(p));
#endif /* LOGIN_CAP_AUTH */
(void)setpriority(PRIO_PROCESS, 0, 0); (void)setpriority(PRIO_PROCESS, 0, 0);
#ifdef LOGIN_CAP_AUTH
if (rval)
auth_rmfiles();
#endif
ttycheck: ttycheck:
/* /*
* If trying to log in as root without Kerberos, * If trying to log in as root without Kerberos,
* but with insecure terminal, refuse the login attempt. * but with insecure terminal, refuse the login attempt.
*/ */
if (pwd && !rval) { if (pwd && !rval) {
#if defined(KERBEROS) || defined(LOGIN_CAP_AUTH) #if defined(KERBEROS)
if (authok == 0 && rootlogin && !rootok) if (authok == 0 && rootlogin && !rootok)
#else #else
if (rootlogin && !rootok) if (rootlogin && !rootok)
@ -756,9 +636,6 @@ main(argc, argv)
if (krbtkfile_env) if (krbtkfile_env)
(void)setenv("KRBTKFILE", krbtkfile_env, 1); (void)setenv("KRBTKFILE", krbtkfile_env, 1);
#endif #endif
#if LOGIN_CAP_AUTH
auth_env();
#endif
#ifdef LOGIN_CAP #ifdef LOGIN_CAP
if (!quietlog) { if (!quietlog) {
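Review bot: The declarations removed at the top of main() included the locals `char *instance = NULL;` and `int authok;`, yet both names are still used on the new side under `#ifdef KERBEROS` (the `strchr(username, '.')` parse and the `authok == 0 && rootlogin && !rootok` test after `ttycheck:`). The page does not show where a KERBEROS build declares them, so it is worth confirming that a build with MAKE_KERBEROS4 defined still compiles and that `authok` starts at 0 there, because the refusal of root logins on an insecure terminal depends on it. The comment on `rootok = rootterm(tty); /* Default (auth may change) */` also looks stale now that the `AUTH_ROOTOKAY` path is gone; `/* Default */` would match the remaining code, unless another path outside these hunks still updates `rootok`. main() starts and ends outside these hunks.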