[2083] in Kerberos-V5-bugs


K5b6 and krlogind for AFS and DCE

daemon@ATHENA.MIT.EDU (Doug Engert)
Mon Jul 8 15:37:53 1996

Date: Mon, 8 Jul 1996 14:37:48 -0500
From: Doug Engert <DEEngert@anl.gov>
To: krb5-bugs@MIT.EDU


Attached are some modifications to krlogind.c which allow it to call
additional modules before the login.krb5 or vendor login. These allow
for use of a forwarded ticket to get a DCE context and/or AFS token
automatically before login.

There are also some compatibility options which allow older
inetd.conf files that still use -K and -L to continue to function, and a
change to new_termio.c_oflag when using the HP 10.0 login.

The main function of this modification is to have krlogind construct a
parameter list which will be used by login.krb5 or a vendor login,
and to pass it to k5dcelogin and/or k5afslogin depending on whether the
system has access to DFS and/or AFS. We have many machines
which are being converted, and having a dynamic test in krlogind
simplifies the installation and maintenance of these systems.

The two routines k5dcelogin and k5afslogin are linked against the DCE
and AFS libraries respectively. This avoids conflicts with linking the
libkrb5.a and libdce.a in the same routine, yet allows for a DCE
and/or AFS PAG to be setup for the correct process. Each of these
routines does its jobs, and exec's the program as defined in
argv[1]. This allows the krlogind to pass on the name of the login
program as argv[1], and in the case of a system with both DFS and AFS,
to have k5dcelogin exec k5afslogin which exec's the login.krb5.  (The
functioning of the k5dcelogin matches the OSF RFC 92.0 specification
for a similar k5dcelogin.)
  
The inclusion of the DCE code is controlled by ANL_DCE and the AFS code
by AFS524 which also controls the krb524d code I sent in two weeks
ago. These could be changed to check the profile to see if the test
should be made. If you are willing to accept this type of modification,
I will be willing to change this code as well.

(Similar code is needed for telnet, rsh and FTP.)
 

*** ./appl/bsd/,krlogind.c	Thu May  9 11:01:01 1996
--- ./appl/bsd/krlogind.c	Wed Jun 12 07:55:41 1996
***************
*** 243,249 ****
  
  krb5_keytab keytab = NULL;
  
! #define ARGSTR	"rk54ciepPD:S:M:L:?"
  #else /* !KERBEROS */
  #define ARGSTR	"rpPD:?"
  #define (*des_read)  read
--- 243,249 ----
  
  krb5_keytab keytab = NULL;
  
! #define ARGSTR	"rKk54ciepPD:S:M:L:?"
  #else /* !KERBEROS */
  #define ARGSTR	"rpPD:?"
  #define (*des_read)  read
***************
*** 264,269 ****
--- 264,284 ----
  
  char *login_program = LOGIN_PROGRAM;
  
+ 
+ #ifdef ANL_DCE
+ #define K5DCELOGIN "/krb5/sbin/k5dcelogin"
+ #if defined(sun) 
+ #define K5DCELIB "/usr/lib/libdce.so"
+ #else 
+ #define K5DCELIB "/usr/lib/libdce.a"
+ #endif
+ 
+ #endif
+ 
+ #ifdef AFS524
+ #define K5AFSLOGIN "/krb5/sbin/k5afslogin"
+ #endif
+ 
  #define MAXRETRIES 4
  #define MAX_PROG_NAME 16
  
***************
*** 354,359 ****
--- 369,381 ----
  	auth_ok |= AUTH_RHOSTS;
  	  break;
  #ifdef KERBEROS
+ 			/* we have been using -e -K so for compatability 
+ 			 * we will take this as -e -k -i 
+ 			 * This will simplify a transition 
+ 			 * DEE 06/12/96
+ 			 */ 
+ 	case 'K': 
+ 		checksum_ignored = 1;  
  	case 'k':
  #ifdef KRB5_KRB4_COMPAT
  	auth_ok |= (AUTH_KRB5|AUTH_KRB4);
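Review bot: `case 'K':` sets `checksum_ignored = 1` and then drops straight into `case 'k':` with no fallthrough marker, and it does so silently for every inetd.conf that still carries `-K`, so a host keeps accepting connections without checksum verification for as long as the stale flag survives the transition. Add `/* FALLTHROUGH */` after the assignment and log use of the deprecated flag (syslog, if the daemon already uses it) so administrators can find and fix those entries. The comment's expansion to `-e -k -i` should also say that `-i` is the flag that sets checksum_ignored, if that is the intent; it cannot be confirmed from this hunk. The switch this case belongs to starts and ends outside the hunk.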
***************
*** 406,411 ****
--- 428,445 ----
  	  debug_port = atoi(optarg);
  	  break;
  	case 'L':
+ 	/* for temp compatability, we have a lot of inetd.conf with
+ 	 * -L /krb5/sbin/k5dcelogin or -L /krb5/sbin/k5afslogin
+ 	 * So disregard if -L is set to this name.
+ 	 */
+ #if defined(AFS524) 
+ 	  if(!strcmp(optarg,K5AFSLOGIN))
+ 		break;
+ #endif
+ #if defined(ANL_DCE)
+ 	  if(!strcmp(optarg,K5DCELOGIN))
+ 		break;
+ #endif
  	  login_program = optarg;
  	  break;
  	case '?':
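Review bot: The `-L` compatibility check silently discards a `-L /krb5/sbin/k5dcelogin` or `-L /krb5/sbin/k5afslogin` argument, so an inetd.conf that named one of those helpers explicitly now gets the helper only if the runtime stat() tests elsewhere in this patch pass, with no indication that the option was ignored. Log the ignored value on the `break` path, e.g. `syslog(LOG_WARNING, "-L %s ignored; helper is selected automatically", optarg);` (assuming syslog is already available to the daemon), and note in the comment that the shim is meant to be removed once the inetd.conf files are updated. The option switch starts and ends outside this hunk.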
***************
*** 513,518 ****
--- 547,559 ----
  #endif
      int retval;
  int syncpipe[2];
+ 	char **newargv;
+ 	char **newargp;
+ 	char *newpath;
+ 	char *newarg0;
+ 	char *ccname;
+ 	struct stat stx;
+ 
      netf = -1;
      alarm(60);
      read(f, &c, 1);
***************
*** 625,630 ****
--- 666,674 ----
  	new_termio.c_iflag &= ~(ISTRIP);
  	/* new_termio.c_iflag = 0; */
  	/* new_termio.c_oflag = 0; */
+ #if defined(hpux)
+ 	new_termio.c_oflag |= (OPOST|ONLCR);
+ #endif
  	new_termio.c_cc[VMIN] = 1;
  	new_termio.c_cc[VTIME] = 0;
  	tcsetattr(t,TCSANOW,&new_termio);
***************
*** 706,711 ****
--- 750,820 ----
  	}
  #endif
  
+ /* For converting a forwarded ticket to a DCE context or AFS 
+  * token, we want to exec k5dcelogin first, passing it the name of
+  * the login program. The cleanest way is to build the argv list. 
+  * we want to do this before login so as to get PAGs and tokens 
+  * for access to users home directory. 
+  * We also need to set the USER= environment variable. 
+  *
+  * If there is no forwarded ticket, go to login program directly.
+  *
+  * If there is, then there are four paths which can be followed here:
+  *
+  *  (1) No DCE or AFS on this system, go to login program
+  *
+  *  (2) DCE but no AFS, goto k5dcelogin then login program.
+  *
+  *  (3) AFS but no DCE, goto k5afslogin then login program.
+  *
+  *  (4) DCE and AFS, got to k5dcelogon, k5afslogin then login program.
+  * 
+  * We test dynamicly for these situations since the same executable 
+  * may be run on some systems which may or maynot have DCE/AFS. 
+  * DEE 06/10/96
+  */
+ 	
+ #if defined(ANL_DCE) || defined(AFS524)
+ 	setenv("USER",lusername,1);
+ #endif
+ 	
+ 	/* allocate new arglist, need max args + two extra paths. */
+ 	if ((newargv = (char **)malloc((6+2)*sizeof(newargv[0]))) == NULL) {
+         sprintf(buferror,"Unable to allocate new argv\n");
+         fatal(p,buferror);
+     }
+     newargp = newargv;
+ 
+     if ((ccname = getenv("KRB5CCNAME")) != NULL) {
+ 
+ #ifdef ANL_DCE
+ 	   		if ((stat(K5DCELIB,&stx) == 0) &&
+         		(stat(K5DCELOGIN,&stx) == 0)) {
+         		*newargp++ = K5DCELOGIN;
+ 			}
+ #endif
+ #ifdef AFS524
+     /* if this system has AFS and not a NFS/AFS translator
+      * put it on the list too
+      */
+ 
+     	if ((stat("/afs",&stx) == 0) &&
+        		(stat(K5AFSLOGIN,&stx) == 0) &&
+         	(stat("/usr/vice/etc/ThisCell",&stx) == 0)) {
+     	   		*newargp++ = K5AFSLOGIN;
+ 
+ 		}
+ #endif
+ 	}
+ 
+ 	*newargp++ = login_program;
+ 
+ 
+ #if defined(ANL_DCE) || defined(AFS524)
+ 	setenv("USER",lusername,1);
+ #endif
+ 
+ 
  #ifdef DO_NOT_USE_K_LOGIN
  #ifdef USE_LOGIN_F
  /* use the vendors login, which has -p and -f. Tested on 
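Review bot: The argv array allocated by `malloc((6+2)*sizeof(newargv[0]))` has eight slots, but the longest list the next hunk builds has nine: two helper paths, login_program, `-p`, `-h`, rhost_name, `-f`, lusername and the terminating NULL, so on a host where both the DCE and AFS stat() checks pass and passwd_req is false the NULL is written one past the end of the heap block. Size the array from the worst case and say so, e.g. `/* 2 helpers + login + 5 options + NULL */` with `malloc(9 * sizeof(newargv[0]))`, rather than the loose "6+2" count. The `setenv("USER",lusername,1)` call also appears twice in this hunk, before and after the list is built; one of the two can go. The child-process branch this code sits in begins before the hunk and its exec is in the next one.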
***************
*** 718,740 ****
          setenv("TERM",term, 1);
      }
   
!     if (passwd_req)
!         execl(login_program, "login", "-p", "-h", rhost_name,
!           lusername, 0);
!     else
!         execl(login_program, "login", "-p", "-h", rhost_name,
!              "-f", lusername, 0);
  #else /* USE_LOGIN_F */
! 	execl(login_program, "login", "-r", rhost_name, 0);
  #endif /* USE_LOGIN_F */
  #else
! 	if (passwd_req)
! 	  execl(login_program, "login","-h", rhost_name, lusername, 0);
! 	else
! 	  execl(login_program, "login", "-h", rhost_name, "-e", lusername, 0);
  #endif
  	
! 	fatalperror(2, login_program);
  	/*NOTREACHED*/
      } /* if (pid == 0) */
  
--- 827,866 ----
          setenv("TERM",term, 1);
      }
   
! 	*newargp++ = "-p";
! 	*newargp++ = "-h";
! 	*newargp++ = rhost_name;
! 	if (!passwd_req)
! 		*newargp++ = "-f";
! 	*newargp++ = lusername;
! 
  #else /* USE_LOGIN_F */
! 		*newargp++ = "-r";
! 		*newargp++ = rhost_name;
! 
  #endif /* USE_LOGIN_F */
  #else
! 	*newargp++ = "-h";
! 	*newargp++ = rhost_name;
! 	if (!passwd_req)
! 	  *newargp++ = "-e";
! 	*newargp++ = lusername;
  #endif
+ 
+ 	*newargp++ = NULL;  /* last entry done with newargp */
+ 
+ 	newpath = *newargv;  /* point at first entry */
+ 	newarg0 = strrchr(newpath, '/');
+ 	if (newarg0)
+ 		newarg0++; 
+ 	else
+ 		newarg0 = newpath;
+ 
+ 	newargv[0] = newarg0; /* point at striped name */
+ 	
+ 	execv(newpath,newargv); /* call the next program */
  	
! 	fatalperror(2, newpath);
  	/*NOTREACHED*/
      } /* if (pid == 0) */
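Review bot: The argv[0] handed to exec changes from the literal `"login"` that every execl() call on the removed side passed to the basename of whichever program comes first in the chain (`newargv[0] = newarg0`), so the login program no longer sees the name it received before; a vendor login that keys on argv[0] would behave differently, and the commit message does not mention this. Keep the old name when no helper is in front, e.g. `newargv[0] = (newpath == login_program) ? "login" : newarg0;`, or state in the comment on that line that the new argv[0] is intentional. The `if (pid == 0)` branch this hunk closes starts outside it.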


I believe I have now sent you every modification I have made so far to
K5b6. A complete diff file can be found at
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k56.cdiff.960708. I will be
updating the rest of the files there as well in the next few days
including the ak5log, k5dcelogin, k5afslogin and the README.
 

 
 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (708) 252-5444
 PGP Key fingerprint =  20 2B 0C 78 43 8A 9C A6  29 F7 A3 6D 5E 30 A6 7F







