[1163] in Kerberos-V5-bugs
krb5b4pl3: appl/bsd/{krlogind,krshd}.c: disable rhosts support (optionally)
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Tue Mar 14 12:01:13 1995
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Date: Tue, 14 Mar 1995 12:04:17 -0500
To: krb5-bugs@MIT.EDU
As the krb5b4pl3 distribution is shipped from MIT, the support for
.rhosts in krlogind and krshd in it can't possibly work, for at least
two reasons:
1) The klogin and kshell ports aren't privileged.
2) krlogin and krsh aren't installed setuid root.
Furthermore, recent CERT advisories have made clear just how risky
trusting .rhosts, hosts.equiv, etc. is in general.
Therefore, we have made the following patches, which I am submitting:
1) Add a DO_RHOSTS cpp symbol to krlogind.c and krshd.c. It can be
set to either 0 or 1.
2) If DO_RHOSTS isn't defined, define it to 0 if KERBEROS is defined
or 1 otherwise.
3) If DO_RHOSTS is 0, don't allow rhosts access.
Here are patches:
--- appl/bsd/krlogind.c 1995/03/09 22:05:52 1.7
+++ appl/bsd/krlogind.c 1995/03/10 19:58:19 1.8
@@ -217,8 +217,14 @@
#define KRB5_RECVAUTH_V4 4
#define KRB5_RECVAUTH_V5 5
+#ifndef DO_RHOSTS
+#define DO_RHOSTS 0
+#endif
+
+#if DO_RHOSTS
int non_privileged = 0; /* set when connection is seen to be from */
/* a non-privileged port */
+#endif
AUTH_DAT *v4_kdata;
Key_schedule v4_schedule;
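Review bot: The new `DO_RHOSTS` switch at the top of this hunk has no comment saying what it controls, even though it decides whether `.rhosts` authorization is compiled into the daemon at all. I would add above the `#ifndef`: `/* DO_RHOSTS: 1 builds in ruserok()/.rhosts authorization and the -r/-R options, 0 removes them; defaults to 0 with KERBEROS, 1 without. */`. The hunk does not show whether this default sits inside the `#ifdef KERBEROS` region. If it does not, the `#define DO_RHOSTS 1` default that the next hunk adds to the `!KERBEROS` branch can never take effect.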
@@ -247,9 +253,24 @@
#endif
#endif
+#if DO_RHOSTS
#define ARGSTR "rRkKeExXpPD:l:?"
+#else
+#define ARGSTR "kKeExXpPD:l:?"
+#endif /* DO_RHOSTS */
+
#else /* !KERBEROS */
+
+#ifndef DO_RHOSTS
+#define DO_RHOSTS 1
+#endif
+
+#if DO_RHOSTS
#define ARGSTR "rRpPD:?"
+#else
+#define ARGSTR "pPD:?"
+#endif /* DO_RHOSTS */
+
#define (*des_read) read
#define (*des_write) write
#endif /* KERBEROS */
@@ -302,7 +323,10 @@
void fatal(), fatalperror(), doit(), usage(), do_krb_login();
int princ_maps_to_lname(), default_realm();
-int must_pass_rhosts = 0, must_pass_k5 = 0, must_pass_one = 0;
+int must_pass_k5 = 0;
+#if DO_RHOSTS
+int must_pass_rhosts = 0, must_pass_one = 0;
+#endif
int do_encrypt = 0, passwd_if_fail = 0, passwd_req = 0;
main(argc, argv)
@@ -377,6 +401,7 @@
opterr = 0;
while ((ch = getopt(argc, argv, ARGSTR)) != EOF)
switch (ch) {
+#if DO_RHOSTS
case 'r':
must_pass_one = 1; /* If just 'r', any one check must succeed */
break;
@@ -385,14 +410,19 @@
if (must_pass_one)
must_pass_one = 0;
break;
+#endif /* DO_RHOSTS */
#ifdef KERBEROS
case 'k':
+#if DO_RHOSTS
must_pass_one = 1; /* If just 'k', any one check must succeed */
break;
+#endif
case 'K': /* If 'K', must pass .k5login check*/
must_pass_k5 = 1;
+#if DO_RHOSTS
if (must_pass_one)
must_pass_one = 0;
+#endif
break;
#ifdef CRYPT
case 'x': /* Use encryption. */
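Review bot: When `DO_RHOSTS` is 0, `case 'k':` is left with no body and falls through into `case 'K':`, so `-k` sets `must_pass_k5` exactly as `-K` does. That looks intended, since no other check remains to pass, but nothing in the code says so, and the `break` hidden inside the `#if` makes it easy to misread. I would add an `#else` arm holding only `/* FALLTHROUGH: with rhosts compiled out, -k means -K */`. The same construct is in the krshd.c hunk at `@@ -282,14 +305,19 @@`; the switch itself starts outside this hunk.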
@@ -530,16 +560,16 @@
#ifdef KERBEROS
krb5_init_ets();
- if (must_pass_k5 || must_pass_one) {
- /* Init error messages and setup des buffers */
- desinbuf.data = des_inbuf;
- desoutbuf.data = des_outbuf; /* Set up des buffers */
- }
+ /* setup des buffers */
+ desinbuf.data = des_inbuf;
+ desoutbuf.data = des_outbuf;
+#if DO_RHOSTS
/* Must come from privileged port when .rhosts is being looked into */
if ((must_pass_rhosts || must_pass_one)
&& (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < IPPORT_RESERVED/2))
non_privileged = 1;
+#endif
#else /* !KERBEROS */
if (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < IPPORT_RESERVED/2)
@@ -1133,7 +1163,11 @@
}
#endif
- if (must_pass_k5 || must_pass_one) {
+ if (must_pass_k5
+#if DO_RHOSTS
+ || must_pass_one
+#endif
+ ) {
#if (defined(ALWAYS_V5_KUSEROK) || !defined(KRB5_KRB4_COMPAT))
/* krb5_kuserok returns 1 if OK */
if (client && krb5_kuserok(client, lusername))
@@ -1150,7 +1184,8 @@
}
#endif
}
-
+
+#if DO_RHOSTS
/* The kerberos authenticated request must pass ruserok also
if asked for. */
@@ -1165,10 +1200,14 @@
!ruserok(rhost_name, pwd->pw_uid == 0, rusername, lusername))
passed_rhosts++;
}
+#endif
- if ((must_pass_k5 && passed_krb) ||
- (must_pass_rhosts && passed_rhosts) ||
- (must_pass_one && (passed_krb || passed_rhosts)))
+ if ((must_pass_k5 && passed_krb)
+#if DO_RHOSTS
+ || (must_pass_rhosts && passed_rhosts) ||
+ (must_pass_one && (passed_krb || passed_rhosts))
+#endif
+ )
return;
if (ticket)
--- appl/bsd/krshd.c 1995/03/13 00:23:50 1.1
+++ appl/bsd/krshd.c 1995/03/13 00:30:39 1.2
@@ -173,6 +173,10 @@
#include "loginpaths.h"
+#ifndef DO_HOSTS
+#define DO_RHOSTS 0
+#endif
+
#ifndef SETPGRP_TWOARG
#define setpgrp(a,b) setpgrp()
#endif
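Review bot: The guard tests `DO_HOSTS` but the macro being defaulted is `DO_RHOSTS`, so the `#ifndef` is always true and a build with `-DDO_RHOSTS=1` has the macro redefined to 0 here, with a redefinition diagnostic at best. The line should read `#ifndef DO_RHOSTS`, matching krlogind.c. Separately, this default comes before the `#else /* !KERBEROS */` branch of the next hunk. Unless it sits inside an `#ifdef KERBEROS` region that the hunk does not show, the `#define DO_RHOSTS 1` default added there can never apply, even with the typo fixed.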
@@ -194,13 +198,31 @@
#endif
/** XXX **/
+#if DO_RHOSTS
#define ARGSTR "rRkKD:?"
+#else
+#define ARGSTR "kKD:?"
+#endif /* DO_RHOSTS */
+
#else /* !KERBEROS */
+
+#ifndef DO_RHOSTS
+#define DO_RHOSTS 1
+#endif
+
+#if DO_RHOSTS
#define ARGSTR "rRD:?"
-
+#else
+#define ARGSTR "D:?"
+#endif
+
#endif /* KERBEROS */
-int must_pass_rhosts = 0, must_pass_k5 = 0, must_pass_one = 0;
+#if DO_RHOSTS
+int must_pass_rhosts = 0, must_pass_one = 0;
+#endif
+int must_pass_k5 = 0;
+
int failed_k5 = 0;
char *progname;
@@ -274,6 +296,7 @@
opterr = 0;
while ((ch = getopt(argc, argv, ARGSTR)) != EOF)
switch (ch) {
+#if DO_RHOSTS
case 'r':
must_pass_one = 1; /* If just 'r', any one check must succeed */
break;
@@ -282,14 +305,19 @@
if (must_pass_one)
must_pass_one = 0;
break;
+#endif
#ifdef KERBEROS
case 'k':
+#if DO_RHOSTS
must_pass_one = 1; /* If just 'k', any one check must succeed */
break;
+#endif
case 'K': /* If 'K', must pass .k5login check*/
must_pass_k5 = 1;
+#if DO_RHOSTS
if (must_pass_one)
must_pass_one = 0;
+#endif
break;
#endif
case 'D':
@@ -485,7 +513,9 @@
krb5_sigtype cleanup();
int fd;
struct sockaddr_in fromaddr;
+#if DO_RHOSTS
int non_privileged = 0;
+#endif
#ifdef IP_TOS
/* solaris has IP_TOS, but only IPTOS_* values */
@@ -522,10 +552,12 @@
}
#ifdef KERBEROS
krb5_init_ets();
+#if DO_RHOSTS
if ((must_pass_rhosts || must_pass_one)
&& (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < IPPORT_RESERVED/2))
non_privileged = 1;
+#endif
#else
if (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < IPPORT_RESERVED/2) {
@@ -592,9 +624,11 @@
exit(1);
}
#ifdef KERBEROS
+#if DO_RHOSTS
if ((must_pass_rhosts || must_pass_one)
&& port >= IPPORT_RESERVED)
non_privileged = 1;
+#endif /* DO_RHOSTS */
#else
if (port >= IPPORT_RESERVED) {
syslog(LOG_ERR , "2nd port not reserved\n");
@@ -912,7 +946,11 @@
}
#ifdef KERBEROS
- if (must_pass_k5 || must_pass_one) {
+ if (must_pass_k5
+#if DO_RHOSTS
+ || must_pass_one
+#endif
+ ) {
#if (defined(ALWAYS_V5_KUSEROK) || !defined(KRB5_KRB4_COMPAT))
if (!krb5_kuserok(client,locuser)) {
syslog(LOG_ERR ,
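Review bot: With `DO_RHOSTS` 0 this condition reduces to `if (must_pass_k5)` and the `.rhosts` block in the following hunks is compiled out, so `krb5_kuserok()` is the only authorization check visible in this patch and it still runs only when `-k` or `-K` was given. If krshd is started without either flag, nothing shown here rejects the request; the function continues outside the hunk, so this needs confirming against the full file. When rhosts is compiled out I would make the check mandatory, for example by adding `#if !DO_RHOSTS` / `must_pass_k5 = 1;` / `#endif` after the getopt loop in `main`. In krlogind.c the reduced final test `must_pass_k5 && passed_krb` simply does not return, which appears to fall through to the rejection path.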
@@ -953,7 +991,8 @@
}
#endif
}
-
+
+#if DO_RHOSTS
if (must_pass_rhosts || (failed_k5 && must_pass_one)) {
/* Cannot check .rhosts unless connection from privileged port */
if (non_privileged) {
@@ -970,6 +1009,8 @@
goto signout_please;
}
}
+#endif /* DO_RHOSTS */
+
#else
if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
ruserok(hostname, pwd->pw_uid == 0, remuser, locuser) < 0) {
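Review bot: The `ruserok()` call in this `#else` (non-Kerberos) branch is not covered by the new `#if DO_RHOSTS`, although the non-Kerberos `ARGSTR` drops `-r`/`-R` when `DO_RHOSTS` is 0. A non-Kerberos build with `DO_RHOSTS` 0 therefore still authorizes through `.rhosts`, which is not what the macro name promises, and removing the call would leave that build with no check at all. I would reject the combination at compile time: `#if !defined(KERBEROS) && !DO_RHOSTS` / `#error "no authorization method compiled in"` / `#endif`. The `if` statement continues past the end of the hunk.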