[3263] in Release_Engineering
Kerberized telnet
daemon@ATHENA.MIT.EDU (brlewis@MIT.EDU)
Thu Jun 23 11:30:12 1994
From: brlewis@MIT.EDU
Date: Thu, 23 Jun 94 11:30:07 -0400
To: rel-eng@MIT.EDU
I have some patches to apply here. But first, could I look at the logs
and see why install didn't happen for telnet, telnetd or their man
pages?
*** /tmp/,RCSt1a24686 Thu Jun 23 11:25:46 1994
--- telnet/telnet.1 Mon Jun 20 17:43:12 1994
***************
*** 183,188 ****
--- 183,190 ----
In this
mode, the escape character is set to the tilde (~) character,
unless modified by the -e option.
+ .It Fl safe
+ For MIT Athena, this option is equivalent to -ax.
.It Fl x
Turns on encryption of the data stream if possible. This
option is not available outside of the United States and
*** /tmp/,RCSt1a24717 Thu Jun 23 11:28:00 1994
--- main.c Thu Jun 9 17:59:11 1994
***************
*** 82,88 ****
prompt,
#ifdef AUTHENTICATION
" [-8] [-E] [-K] [-L] [-X atype] [-a] [-d] [-e char] [-k realm]",
! "\n\t[-l user] [-f/-F] [-n tracefile] ",
#else
" [-8] [-E] [-L] [-a] [-d] [-e char] [-l user] [-n tracefile]",
"\n\t",
--- 82,88 ----
prompt,
#ifdef AUTHENTICATION
" [-8] [-E] [-K] [-L] [-X atype] [-a] [-d] [-e char] [-k realm]",
! "\n\t[-l user] [-safe] [-f/-F] [-n tracefile] ",
#else
" [-8] [-E] [-L] [-a] [-d] [-e char] [-l user] [-n tracefile]",
"\n\t",
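Review bot: The `#else` usage text for the non-AUTHENTICATION build still omits `[-safe]`, while the `s:` added to the getopt string and the `case 's'` handler in the later hunks are not conditional on AUTHENTICATION, so that build accepts an option its own usage line never shows. Either add `[-safe]` to the second string as well, or put the option string entry and the `case 's'` under the same `#ifdef AUTHENTICATION` as this usage text. The usage() string array starts and ends outside the hunk.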
***************
*** 142,148 ****
rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
autologin = -1;
! while ((ch = getopt(argc, argv, "8EKLS:X:acde:fFk:l:n:rt:x")) != EOF) {
switch(ch) {
case '8':
eight = 3; /* binary output and input */
--- 142,148 ----
rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
autologin = -1;
! while ((ch = getopt(argc, argv, "8EKLS:X:acde:fFk:l:n:rs:t:x")) != EOF) {
switch(ch) {
case '8':
eight = 3; /* binary output and input */
***************
*** 259,264 ****
--- 259,277 ----
break;
case 'r':
rlogin = '~';
+ break;
+ case 's': /* -safe same as -xaF */
+ if (!strcmp(optarg, "afe")) {
+ #ifdef ENCRYPTION
+ encrypt_auto(1);
+ decrypt_auto(1);
+ #endif
+ autologin = 1;
+ #if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+ forward_flags |= OPTS_FORWARD_CREDS;
+ forward_flags |= OPTS_FORWARDABLE_CREDS;
+ #endif
+ } else usage();
break;
case 't':
#if defined(TN3270) && defined(unix)
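Review bot: The comment `/* -safe same as -xaF */` disagrees with the telnet.1 hunk, which documents `-safe` as equivalent to `-ax`; the code also sets `OPTS_FORWARD_CREDS | OPTS_FORWARDABLE_CREDS`, i.e. the `-F` behaviour, and forwarding forwardable credentials to the server is something a user picking a flag named "safe" should see documented, so the man page text should read `-axF` (or spell out the forwarding). When ENCRYPTION is not defined, the `#ifdef` at the top of the case silently drops the encryption half and `-safe` degrades to `-aF` with no indication; an `#else usage();` inside that `#ifdef` (or a fatal message naming the missing build option) would refuse rather than mislead. `-safe` is only recognised because the option string in the previous hunk declares `s:` with an argument, so `-s afe` is accepted too and any other argument to `-s` calls usage(); a comment on the case saying so would save the next reader a puzzle. Whether `encrypt_auto(1)` guarantees encryption or merely requests it (the existing -x text says "if possible") is not visible here; if the latter, the comment should note that it is the server side that closes unencrypted sessions. The enclosing getopt loop starts and ends outside the hunk.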
*** /tmp/,RCSt1a24696 Thu Jun 23 11:25:50 1994
--- telnetd/telnetd.8 Mon Jun 20 17:39:40 1994
***************
*** 137,146 ****
program will provide the necessary user
verification.
.It off
! This disables the authentication code.
! All user verification will happen through the
.Xr login 1
! program.
.El
.It Fl B
Specifies bftp server mode. In this mode,
--- 137,150 ----
program will provide the necessary user
verification.
.It off
! This disables automatic login.
! User verification will happen through the
.Xr login 1
! program. For MIT Athena, this option also means
! that Kerberos-authenticated unencrypted connections
! will be closed before
! .Xr login 1
! can prompt for a password.
.El
.It Fl B
Specifies bftp server mode. In this mode,
*** /tmp/,RCSt1a24701 Thu Jun 23 11:25:51 1994
--- telnetd/sys_term.c Mon Jun 20 15:40:22 1994
***************
*** 1701,1707 ****
close(pty);
#endif
closelog();
! if (autologin) path_login = _PATH_LOGIN;
else path_login = "/bin/login";
if (auth_debug_mode) {
char **debug_argv;
--- 1701,1708 ----
close(pty);
#endif
closelog();
! if (auth_level >= 0 && autologin == AUTH_VALID)
! path_login = _PATH_LOGIN;
else path_login = "/bin/login";
if (auth_debug_mode) {
char **debug_argv;
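Review bot: The new condition `auth_level >= 0 && autologin == AUTH_VALID` carries no comment, and its intent (per the telnetd.8 hunk, `-a off` should force the password path even for an authenticated client) is not obvious from the expression; add `/* -a off: never auto-login, always go through /bin/login */`, adjusted if auth_level < 0 is not exactly the "off" encoding, which cannot be confirmed from this hunk. The later hunk in this file tests the same variable as `autologin && auth_level < 0` (truthiness) while this one uses `== AUTH_VALID`; if autologin can hold values other than 0 and AUTH_VALID, the two guards disagree about partially authenticated clients and one should be aligned with the other. The enclosing function starts and ends outside the hunk.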
***************
*** 1711,1718 ****
printf(" %s", *debug_argv);
printf("\n");
}
execv(path_login, argv);
-
syslog(LOG_ERR, "%s: %m\n", path_login);
fatalperror(net, path_login);
/*NOTREACHED*/
--- 1712,1733 ----
printf(" %s", *debug_argv);
printf("\n");
}
+ #if defined(AUTHENTICATION) && defined(ENCRYPTION)
+ /* if client tries authentication and server wants password anyway */
+ if (autologin && auth_level < 0) {
+ if (decrypt_input)
+ printf("What you type is protected by encryption.\r\n");
+ else {
+ printf("What you type is not protected.\r\n\r\n");
+ # ifdef ATHENA_LOGIN
+ printf("You must use the encryption option.\r\n\r\n");
+ AthenaLoginCleanup();
+ exit(1);
+ # endif /* ATHENA_LOGIN */
+ }
+ }
+ #endif /* defined(AUTHENTICATION) && defined(ENCRYPTION) */
execv(path_login, argv);
syslog(LOG_ERR, "%s: %m\n", path_login);
fatalperror(net, path_login);
/*NOTREACHED*/
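Review bot: The guard `if (autologin && auth_level < 0)` only performs the cleartext check for clients that attempted authentication, so under ATHENA_LOGIN an unencrypted client that never authenticates is still handed to `/bin/login` and types its password unencrypted; the telnetd.8 hunk describes exactly this narrower behaviour, so if it is intentional, say so in the comment (`/* only authenticated-but-unencrypted sessions are refused; plain clients still get the login prompt */`), otherwise drop `autologin &&` so `!decrypt_input` alone decides. The `printf` lines go out through stdio before `execv`/`exit(1)`; if the child's stdout is not line-buffered at this point, an `fflush(stdout)` before the exec is needed for the message to reach the user, which this hunk does not show either way. The enclosing function starts outside the hunk.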
*** /tmp/,RCSt1a24706 Thu Jun 23 11:25:53 1994
--- telnetd/telnetd.c Mon Jun 20 16:45:18 1994
***************
*** 80,86 ****
#endif
extern int utmp_len;
! int registerd_host_only = 0;
#ifdef STREAMSPTY
# include <stropts.h>
--- 80,86 ----
#endif
extern int utmp_len;
! int registered_host_only = 0;
#ifdef STREAMSPTY
# include <stropts.h>
***************
*** 352,358 ****
break;
case 'U':
! registerd_host_only = 1;
break;
#ifdef AUTHENTICATION
--- 352,358 ----
break;
case 'U':
! registered_host_only = 1;
break;
#ifdef AUTHENTICATION
***************
*** 768,775 ****
#define MAXHOSTNAMELEN 64
#endif /* MAXHOSTNAMELEN */
! char *hostname;
! char host_name[MAXHOSTNAMELEN];
char remote_host_name[MAXHOSTNAMELEN];
#ifndef convex
--- 768,775 ----
#define MAXHOSTNAMELEN 64
#endif /* MAXHOSTNAMELEN */
! char *hostname, *dnsrealm, *remote_dnsrealm;
! char host_name[MAXHOSTNAMELEN], dns_realm[MAXHOSTNAMELEN];
char remote_host_name[MAXHOSTNAMELEN];
#ifndef convex
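Review bot: `dnsrealm` is declared here without an initializer, but the later hunk in this file assigns it only inside `if (hp) { ... if (dnsrealm) ... }` and then tests `if (hp && dnsrealm)` unconditionally; if these are automatic variables (the indentation that would show this is lost in the listing), a failed gethostbyname or a dot-less `h_name` leaves `dnsrealm` indeterminate and that read is undefined behaviour. Initialise at the declaration: `char *hostname, *dnsrealm = NULL, *remote_dnsrealm = NULL;`. The enclosing function starts and ends outside the hunk.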
***************
*** 830,843 ****
}
#endif /* _SC_CRAY_SECURE_SYS */
/* get name of connected client */
hp = gethostbyaddr((char *)&who->sin_addr, sizeof (struct in_addr),
who->sin_family);
! if (hp == NULL && registerd_host_only) {
fatal(net, "Couldn't resolve your address into a host name.\r\n\
Please contact your net administrator");
! } else if (hp &&
(strlen(hp->h_name) <= ((utmp_len < 0) ? -utmp_len : utmp_len))) {
host = hp->h_name;
} else {
--- 830,866 ----
}
#endif /* _SC_CRAY_SECURE_SYS */
+ /* get server hostname and DNS realm */
+ (void) gethostname(host_name, sizeof (host_name));
+ hostname = host_name;
+ hp = gethostbyname(hostname);
+ if (hp) {
+ dnsrealm = strchr(hp->h_name, '.');
+ if (dnsrealm) {
+ strcpy(dns_realm, dnsrealm);
+ dnsrealm = dns_realm;
+ }
+ }
+
/* get name of connected client */
hp = gethostbyaddr((char *)&who->sin_addr, sizeof (struct in_addr),
who->sin_family);
! if (hp == NULL && registered_host_only) {
fatal(net, "Couldn't resolve your address into a host name.\r\n\
Please contact your net administrator");
! /*NOTREACHED*/
! }
!
! /* cut realm off hostname if it's the same as server's realm */
! if (hp && dnsrealm) {
! remote_dnsrealm= strchr(hp->h_name, '.');
! if (remote_dnsrealm && !strcmp(dnsrealm, remote_dnsrealm))
! *remote_dnsrealm = '\0';
! }
!
! /* make sure hostname fits in utmp entry */
! if (hp &&
(strlen(hp->h_name) <= ((utmp_len < 0) ? -utmp_len : utmp_len))) {
host = hp->h_name;
} else {
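Review bot: `strcpy(dns_realm, dnsrealm)` copies the domain suffix of a resolver-supplied `h_name` into the fixed `dns_realm[MAXHOSTNAMELEN]` with no length check, and the fallback `#define MAXHOSTNAMELEN 64` makes that buffer small, so a long DNS name overflows it. Bound it in the style the file already uses for `remote_host_name`: `if (dnsrealm && strlen(dnsrealm) < sizeof dns_realm) { strcpy(dns_realm, dnsrealm); dnsrealm = dns_realm; } else dnsrealm = NULL;`. `*remote_dnsrealm = '\0'` writes into `hp->h_name`; if that points into gethostbyaddr's static result it is being mutated in place, and copying into `remote_host_name` first (as the old code does a few lines later) and truncating the copy would be cleaner. `strcmp` on the two realms is case-sensitive although DNS names are not, so a differently cased realm would not be stripped; `strcasecmp` fits if the stripping is purely cosmetic. The enclosing function starts and ends outside the hunk.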
***************
*** 850,858 ****
strncpy(remote_host_name, host, sizeof(remote_host_name)-1);
remote_host_name[sizeof(remote_host_name)-1] = 0;
host = remote_host_name;
-
- (void) gethostname(host_name, sizeof (host_name));
- hostname = host_name;
#if defined(AUTHENTICATION) || defined(ENCRYPTION)
auth_encrypt_init(hostname, host, "TELNETD", 1);
--- 873,878 ----