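/*-
 * Copyright (c) 1990 The Regents of the University of California.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms are permitted provided
 * that: (1) source distributions retain this entire copyright notice and
 * comment, and (2) distributions including binaries display the following
 * acknowledgement: ``This product includes software developed by the
 * University of California, Berkeley and its contributors'' in the
 * documentation or other materials provided with the distribution and in
 * all advertising materials mentioning features or use of this software.
 * Neither the name of the University nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#ifndef lint
static char sccsid[] = "@(#)klogin.c 5.3 (Berkeley) 6/21/90";
#endif /* not lint */

#ifdef KERBEROS
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <netinet/in.h>
#include <kerberosIV/des.h>
#include <kerberosIV/krb.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PRINCIPAL_NAME	pw->pw_name
#define PRINCIPAL_INST	""
#define INITIAL_TICKET	"krbtgt"
#define VERIFY_SERVICE	"rcmd"

/*
 * Checksum value handed to krb_mk_req() when building the verification
 * request.  The number is kept exactly as the original code passed it.
 */
#define VERIFY_CHECKSUM	33

extern int notickets;

/*
 * Attempt to log the user in using Kerberos authentication.
 *
 * pw		password-file entry of the user being logged in.  pw_name is
 *		the principal name, pw_uid names the per-user ticket file and
 *		pw_uid/pw_gid become its owner once a TGT has been obtained.
 * localhost	name of this host; it is canonicalised with krb_get_phost()
 *		to form the "rcmd" instance and looked up with gethostbyname()
 *		to get the address passed to krb_rd_req().
 * password	cleartext password typed by the user.
 *
 * return 0 on success (will be logged in): a TGT is left in the ticket
 *          file and the global "notickets" is cleared.
 *        1 if Kerberos failed (try local password in login): any ticket
 *          file created along the way has been destroyed with dest_tkt().
 *
 * Side effects: the process-wide ticket file name is switched with
 * krb_set_tkt_string(); problems are reported via syslog(3) and, for the
 * TGT-verification steps, also printed on stdout for the user.
 */
int
klogin(pw, localhost, password)
	struct passwd *pw;
	char *localhost, *password;
{
	int kerror;
	AUTH_DAT authdata;
	KTEXT_ST ticket;
	struct hostent *hp;
	struct in_addr lhost_in;
	unsigned long faddr;
	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
	char tkt_location[MAXPATHLEN];

	/*
	 * No local realm configured means we aren't Kerberos-authenticated
	 * here; let login try the normal pw file for a password and log the
	 * user in without issuing any tickets.
	 */
	if (krb_get_lrealm(realm, 1) != KSUCCESS)
		return(1);

	/*
	 * Get a TGT for the local realm.  Tickets live in a per-uid file
	 * under TKT_ROOT; that name is made the process-wide ticket file
	 * (tkt_string()) and any stale contents are wiped first.
	 * TKT_ROOT is a fixed prefix and the uid prints in at most 11
	 * characters, so the name is assumed to fit MAXPATHLEN
	 * (NOTE(review): confirm against the TKT_ROOT defined in krb.h).
	 */
	(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
	(void)krb_set_tkt_string(tkt_location);
	(void)dest_tkt();

	kerror = krb_get_pw_in_tkt(PRINCIPAL_NAME, PRINCIPAL_INST,
	    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
	if (kerror != INTK_OK) {
		/*
		 * A wrong password or an unknown principal are ordinary
		 * outcomes and are not logged here; anything else points at
		 * a KDC or library problem and gets an ERR entry.
		 */
		dest_tkt();
		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN)
			syslog(LOG_ERR, "Kerberos intkt error: %s",
			    krb_err_txt[kerror]);
		return(1);
	}

	/* Hand the ticket file to the user; failure is logged, not fatal. */
	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);

	/*
	 * Canonical instance name for this host.  strncpy() leaves the
	 * buffer unterminated on truncation, so terminate it explicitly.
	 */
	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
	savehost[sizeof(savehost) - 1] = '\0';

	/*
	 * A TGT by itself only shows that whatever answered the request
	 * could produce a ticket decryptable under this password.  To
	 * ensure that we are not talking to a bogus Kerberos server, get a
	 * local VERIFY_SERVICE ticket and check it against this host's own
	 * srvtab key, which a bogus KDC would not hold.
	 *
	 * Two outcomes short of full verification are tolerated:
	 *   1: the VERIFY_SERVICE doesn't exist in the KDC -- the login
	 *      proceeds on the unverified TGT (see the caution below);
	 *   2: local host has no srvtab, as (hopefully) indicated by a
	 *      return value of RD_AP_UNDEC from krb_rd_req() -- the tickets
	 *      are destroyed and login falls back to the local password.
	 */
	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm,
	    VERIFY_CHECKSUM);
	if (kerror == KDC_PR_UNKNOWN) {
		/*
		 * Case 1.  CAUTION: the login is granted on the strength of
		 * the TGT alone, so a server that answers the rcmd request
		 * with "principal unknown" is never checked against the
		 * srvtab.  A host that relies on this step to defeat a
		 * spoofed KDC must have its rcmd instance registered.
		 */
		syslog(LOG_NOTICE, "warning: TGT not verified (%s)",
		    krb_err_txt[kerror]);
		notickets = 0;
		return(0);
	}

	if (kerror != KSUCCESS) {
		(void)printf("unable to use TGT: (%s)\n", krb_err_txt[kerror]);
		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
		    krb_err_txt[kerror]);
		dest_tkt();
		return(1);
	}

	/*
	 * krb_rd_req() is handed this host's own primary address as the
	 * from-address.  Copy exactly one IPv4 address instead of
	 * sizeof(faddr) bytes: on LP64 systems the old bcopy() of
	 * sizeof(unsigned long) read past the 4-byte h_addr entry.
	 */
	if (!(hp = gethostbyname(localhost))) {
		syslog(LOG_ERR, "couldn't get local host address");
		dest_tkt();
		return(1);
	}
	if (hp->h_addrtype != AF_INET ||
	    hp->h_length < 0 || (size_t)hp->h_length != sizeof(lhost_in)) {
		syslog(LOG_ERR, "unexpected local host address type/length");
		dest_tkt();
		return(1);
	}
	(void)memcpy(&lhost_in, hp->h_addr, sizeof(lhost_in));
	faddr = lhost_in.s_addr;

	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
	    &authdata, "");

	if (kerror == KSUCCESS) {
		notickets = 0;
		return(0);
	}

	/*
	 * Case 2: undecipherable, probably no srvtab on the local host.
	 * This must be a comparison: the original wrote "kerror =
	 * RD_AP_UNDEC", which made every verification failure land here
	 * and be logged as RD_AP_UNDEC, hiding the real reason (e.g. a
	 * ticket that did not check out against the srvtab).
	 */
	if (kerror == RD_AP_UNDEC) {
		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
		dest_tkt();
		return(1);
	}

	/* Failed for some other reason: the ticket did not verify. */
	(void)printf("unable to verify %s ticket: (%s)\n", VERIFY_SERVICE,
	    krb_err_txt[kerror]);
	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
	    krb_err_txt[kerror]);
	dest_tkt();
	return(1);
}
#endif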