Modify klogin to:

1) Don't spit out an error message if Kerberos is installed but not yet
   set up.

2) Don't attempt to verify the ticket you got back, as workstations
   are not intended to have srvtab files of their own.

Both behaviors can be re-enabled with KLOGIN_PARANOID.
wollman 1995-01-14 22:57:41 +00:00
parent 589544ea3b
commit 20054cbaa0
5 changed files with 40 additions and 4 deletions


@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
char tkt_location[MAXPATHLEN];
char *krb_get_phost();
extern int noticketsdontcomplain;
#ifdef KLOGIN_PARANOID
noticketsdontcomplain = 0; /* enable warning message */
#endif
/*
* Root logins don't use Kerberos.
* If we have a realm, try getting a ticket-granting ticket
@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
krb_get_lrealm(realm, 0) != KSUCCESS)
return (1);
noticketsdontcomplain = 0; /* enable warning message */
/*
* get TGT for local realm
* tickets are stored in a file named TKT_ROOT plus uid
@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
}
kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
/*
* If we got a TGT, get a local "rcmd" ticket and check it so as to
* ensure that we are not talking to a bogus Kerberos server.
@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
savehost[sizeof(savehost)-1] = NULL;
#ifdef KLOGIN_PARANOID
/*
* if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
* still allow login with tickets, but log the error condition.
@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
krb_err_txt[kerror]);
dest_tkt();
return (1);
#else
return (0);
#endif
}
#endif
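Review bot: With KLOGIN_PARANOID undefined, the new `#else return (0);` at the end of klogin() reports success once krb_get_pw_in_tkt() has produced a TGT, and the "rcmd" ticket check is compiled out, even though the retained comment describes it as the guard against a bogus Kerberos server. The login decision then rests on a KDC reply that this host never authenticates. I would keep verification as the default and make the relaxed path the opt-in, or at minimum record it with `syslog(LOG_NOTICE, "Kerberos ticket for %s accepted without srvtab verification", pw->pw_name);` before `return (0);`, and update that comment to say the check is skipped in this build. The same change appears in the second copy of klogin.c further down the page. klogin() begins outside these hunks, so how kerror is tested before this point is not visible here.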


@ -1,5 +1,5 @@
# From: @(#)Makefile 8.1 (Berkeley) 7/19/93
# $Id: Makefile,v 1.9 1994/10/19 00:03:31 pst Exp $
# $Id: Makefile,v 1.10 1994/11/20 23:20:33 wollman Exp $
PROG= login
MAN1= login.1
@ -8,11 +8,14 @@ SRCS= login.c login_access.c login_fbtab.c
CFLAGS+=-DLOGIN_ACCESS -DSKEY -DLOGALL
.if defined(KLOGIN_PARANOID)
CFLAGS+=-DKLOGIN_PARANOID
.endif
DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY} ${LIBMD}
LDADD= -lutil -lcrypt -lskey -lmd
.if exists(${DESTDIR}/usr/lib/libkrb.a) && \
(defined(MAKE_KERBEROS) || defined(MAKE_EBONES))
.if exists(${DESTDIR}/usr/lib/libkrb.a) && defined(MAKE_EBONES)
CFLAGS+=-DKERBEROS
SRCS+= klogin.c
DPADD+= ${LIBKRB} ${LIBDES}
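Review bot: The new `.if defined(KLOGIN_PARANOID)` block has no comment, although the define decides whether login verifies the Kerberos ticket it receives. A line such as `# KLOGIN_PARANOID: verify the TGT against the local srvtab and warn when Kerberos is not configured (off by default)` above it would let someone building a server image see what they are leaving out. The flag is also added to CFLAGS when the KERBEROS block below is not taken, which is harmless but could sit inside that block instead.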


@ -8,3 +8,13 @@ The following defines can be used:
3) LOGALL to log all logins
-Guido
This login has some of Berkeley's paranoid/broken (depending on your point
of view) Kerberos code conditionalized out, so that by default it works like
klogin does at MIT-LCS. You can define KLOGIN_PARANOID to re-enable this code.
This define also controls whether a warning message is printed when logging
into a system with no krb.conf file, which usually means that Kerberos is
not configured.
-GAWollman


@ -74,7 +74,11 @@ klogin(pw, instance, localhost, password)
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
char tkt_location[MAXPATHLEN];
char *krb_get_phost();
extern int noticketsdontcomplain;
#ifdef KLOGIN_PARANOID
noticketsdontcomplain = 0; /* enable warning message */
#endif
/*
* Root logins don't use Kerberos.
* If we have a realm, try getting a ticket-granting ticket
@ -87,6 +91,8 @@ klogin(pw, instance, localhost, password)
krb_get_lrealm(realm, 0) != KSUCCESS)
return (1);
noticketsdontcomplain = 0; /* enable warning message */
/*
* get TGT for local realm
* tickets are stored in a file named TKT_ROOT plus uid
@ -111,6 +117,7 @@ klogin(pw, instance, localhost, password)
}
kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
/*
* If we got a TGT, get a local "rcmd" ticket and check it so as to
* ensure that we are not talking to a bogus Kerberos server.
@ -135,6 +142,7 @@ klogin(pw, instance, localhost, password)
(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
savehost[sizeof(savehost)-1] = NULL;
#ifdef KLOGIN_PARANOID
/*
* if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
* still allow login with tickets, but log the error condition.
@ -186,5 +194,8 @@ klogin(pw, instance, localhost, password)
krb_err_txt[kerror]);
dest_tkt();
return (1);
#else
return (0);
#endif
}
#endif


@ -101,6 +101,7 @@ u_int timeout = 300;
#ifdef KERBEROS
int notickets = 1;
int noticketsdontcomplain = 1;
char *instance;
char *krbtkfile_env;
int authok;
@ -421,7 +422,7 @@ main(argc, argv)
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);
#ifdef KERBEROS
if (!quietlog && notickets == 1)
if (!quietlog && notickets == 1 && !noticketsdontcomplain)
(void)printf("Warning: no Kerberos tickets issued.\n");
#endif
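Review bot: A host whose Kerberos configuration has gone missing now leaves no trace here, because `noticketsdontcomplain` starts at 1 and, per the klogin.c hunks on this page, is cleared only after krb_get_lrealm() succeeds or under KLOGIN_PARANOID; login presumably continues on the non-Kerberos path. The terminal message can stay suppressed, but I would still record the condition for the administrator, e.g. `else if (notickets == 1) syslog(LOG_INFO, "no Kerberos tickets issued for %s", username);` after the printf. The double negative in the flag name also makes the test hard to read; a flag such as `warn_notickets` with the sense inverted would be clearer. main() starts and ends outside the hunk.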