[2118] in Kerberos-V5-bugs
Improvements to appl/bsd/login.c
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Mon Jul 29 01:05:43 1996
To: krb5-bugs@MIT.EDU
Date: Mon, 29 Jul 1996 01:05:24 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Attached is a patch to appl/bsd/login.c; it adds the following things:
- The ability to run an alternate aklog that knows how to use v5 credentials
as opposed to v4 credentials (and specify the path of this aklog)
- The option to make the initial TGT you get upon login forwardable.
- The option to specify an alternate default lifetime upon login.
All of these things are configurable via the krb5.conf profile.
These changes were motivated mostly by my desire to get Kerberos more widely
accepted here. In case we ever decide to transition to DCE, I would like
to use as little V4 stuff as possible; that's why I'm using a V5 aklog.
The changes for specifying a default TGT that's forwardable is more one of
convenience. One thing we'd like to do is get people to use more strongly
authenticated sessions, and the less they had to type their password, the
better. However, giving people the instructions: "Well, login with your
password, type in "kinit -f" your password, and _then_ you can forward
your ticket inside of telnet", is just too much :-) Same thing for the
default lifetime - the default lifetime of 10 hours is too short for us.
I realize these changes are somewhat controversial, but I can't see the
harm in making them administrator-adjustable (especially since the defaults
are conservative).
Comments and suggestions are welcome. Yes, I realize that the stuff inside
of afs_login is really messy :-)
--Ken
Content-Description: patch to appl/bsd/login.c
--- login.c.orig Tue Jul 23 14:48:24 1996
+++ login.c Mon Jul 29 00:49:31 1996
@@ -39,15 +39,27 @@
# use password to get v4 tickets
krb4_convert = 1
# use kerberos conversion daemon to get v4 tickets
- krb_run_aklog = 1
+ krb4_run_aklog = 1
# attempt to run aklog
aklog_path = $(prefix)/bin/aklog
# where to find it [not yet implemented]
accept_passwd = 0
# don't accept plaintext passwords [not yet implemented]
+ krb5_forwardable_tgt = 0
+ # The initial TGT is forwardable
+ krb5_run_aklog = 0
+ # Run a Kerberos 5 aklog (doesn't need Kerberos 4 credentials)
+ krb5_aklog_path = $(prefix)/bin/aklog
+ # Path to Kerberos 5 aklog
+ krb5_default_lifetime = (null)
+ # Default ticket lifetime (10 hours)
*/
#define KRB5_GET_TICKETS
int login_krb5_get_tickets = 1;
+int login_krb5_forwardable_tgt = 0;
+int login_krb5_run_aklog = 0;
+char *login_krb5_aklog_path = 0;
+char *login_krb5_default_lifetime = 0;
#ifdef KRB5_KRB4_COMPAT
#define KRB4_GET_TICKETS
int login_krb4_get_tickets = 1;
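Review bot: The sample krb5.conf block shows `krb5_default_lifetime = (null)`, which reads like a NULL pointer printed through %s rather than a value an administrator can copy, and the comment beneath it does not say what format the relation takes. The later hunk hands this string to krb5_string_to_deltat, so the sample should show a value in that function's format and state that leaving the relation unset keeps the built-in 10-hour default, e.g. `krb5_default_lifetime = 10h` with `# Default ticket lifetime (unset: the built-in 10 hours)` — a constructed example, to be checked against the deltat parser in use. The `krb5_aklog_path` sample does agree with the compiled-in `KPROGDIR "/aklog"` fallback used in the afs_login hunk.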
@@ -304,6 +316,8 @@
"krb4_convert", &login_krb4_convert,
"krb4_run_aklog", &login_krb_run_aklog,
#endif /* KRB5_KRB4_COMPAT */
+ "krb5_forwardable_tgt", &login_krb5_forwardable_tgt,
+ "krb5_run_aklog", &login_krb5_run_aklog,
};
static char *conf_yes[] = {
"y", "yes", "true", "t", "1", "on",
@@ -329,6 +343,14 @@
/* ambiguous */
return -1;
}
+
+static struct login_conf_strings {
+ char *confname;
+ char **varname;
+} login_string_set[] = {
+ "krb5_aklog_path", &login_krb5_aklog_path,
+ "krb5_default_lifetime", &login_krb5_default_lifetime,
+};
#endif /* KRB5_GET_TICKETS */
#ifdef KRB5_GET_TICKETS
@@ -375,6 +397,20 @@
}
}
}
+
+ max_i = sizeof(login_string_set) / sizeof(struct login_conf_strings);
+ for (i = 0; i < max_i; i++) {
+ kconf_names[0] = "login";
+ kconf_names[1] = login_string_set[i].confname;
+ kconf_names[2] = 0;
+ retval = profile_get_values(k->profile,
+ kconf_names, &kconf_val);
+ if (retval) {
+ /* ignore most (all?) errors */
+ } else if (kconf_val) {
+ *(login_string_set[i].varname) = *kconf_val;
+ }
+ }
}
#endif /* KRB5_GET_TICKETS */
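Review bot: The pointer stored on the `*(login_string_set[i].varname) = *kconf_val;` line aliases the first element of the list returned by `profile_get_values`, and that list is never released, so the remaining elements and the list array leak and the kept element can only ever be freed by code that knows where it came from. Copy the value and release the list instead: `} else if (kconf_val && *kconf_val) { *(login_string_set[i].varname) = strdup(*kconf_val); profile_free_list(kconf_val); }` — the extra `*kconf_val` test also covers an empty list, where `strdup(NULL)` would be undefined. A failed strdup leaves the variable NULL, which the consumers in the later hunks already treat as "not configured". Whether the boolean loop above the hunk frees its own list is not visible here, and the enclosing function starts outside the hunk.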
@@ -569,11 +605,25 @@
"while getting time of day");
goto nuke_ccache;
}
+
+ /*
+ * Use the lifetime from the profile if we were given one
+ */
+
+ if (login_krb5_default_lifetime) {
+ krb5_deltat tmplife;
+ if (! krb5_string_to_deltat(login_krb5_default_lifetime, &tmplife))
+ lifetime = tmplife;
+ }
+
my_creds.times.starttime = 0; /* start timer when
request gets to KDC */
my_creds.times.endtime = now + lifetime;
my_creds.times.renew_till = 0;
+ if (login_krb5_forwardable_tgt)
+ krb5_options |= KDC_OPT_FORWARDABLE;
+
code = krb5_get_in_tkt_with_password(kcontext, krb5_options,
0, NULL, 0 /*preauth*/,
pass,
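Review bot: A malformed `krb5_default_lifetime` value is silently dropped on the `if (! krb5_string_to_deltat(login_krb5_default_lifetime, &tmplife))` line, so an administrator who mistypes the relation gets the compiled-in lifetime with no diagnostic; report the parse failure through the same error path the code uses for the time-of-day failure just above the hunk, naming the rejected value, before falling back. The accepted value should also be bounded: `now + lifetime` on the `endtime` line is computed in krb5's 32-bit timestamp type, so a very large profile lifetime can wrap the end time into the past, and a non-positive one is never meaningful — at minimum `if (tmplife > 0) lifetime = tmplife;`, and ideally also a check that `now + tmplife` does not overflow. The enclosing function continues on both sides of the hunk.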
@@ -1023,15 +1073,26 @@
void
afs_login ()
{
-#ifdef KRB4_GET_TICKETS
+ /* Allocating a PAG isn't that harmful ... */
#ifdef SETPAG
- if (login_krb4_get_tickets && pwd->pw_uid) {
+ if ( (
+#ifdef KRB4_GET_TICKETS
+ login_krb4_get_tickets
+#else /* KRB4_GET_TICKETS */
+ 1
+#endif
+ ||
+#ifdef KRB5_GET_TICKETS
+ login_krb5_get_tickets
+#else
+ 1
+#endif /* KRB5_GET_TICKETS */
+ ) && pwd->pw_uid) {
/* Only reset the pag for non-root users. */
/* This allows root to become anything. */
pagflag = try_setpag ();
}
-#endif
-#endif /* KRB4_GET_TICKETS */
+#endif /* SETPAG */
#ifdef KRB_RUN_AKLOG
if (got_v4_tickets && login_krb_run_aklog) {
/* KPROGDIR is $(prefix)/bin */
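Review bot: The two `#else` arms that expand to `1` make the PAG condition degenerate whenever one ticket type is compiled out: with KRB4_GET_TICKETS absent the expression becomes `(1 || login_krb5_get_tickets) && pwd->pw_uid`, so the `krb5_get_tickets` profile setting no longer has any effect on whether a PAG is allocated. Each arm stands for "this ticket type is available", so the compiled-out value should be `0` on both lines (`+ 0` in place of `+ 1`), which also preserves the behaviour of the removed `#ifdef KRB4_GET_TICKETS` guard for a KRB4-only build. KRB5_GET_TICKETS is defined unconditionally in the first hunk, so the second arm is dead today but becomes live if that define is ever made conditional. afs_login continues in the next hunk.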
@@ -1045,8 +1106,37 @@
if (stat (aklog_path, &st) == 0) {
system(aklog_path);
}
- }
+ } else
#endif /* KRB_RUN_AKLOG */
+#ifdef KRB5_GET_TICKETS
+ /*
+ * Note that we check to see if we have valid credentials already
+ * in place here (because we might have forwarded them)
+ */
+ if (login_krb5_run_aklog && (got_v5_tickets || have_v5_tickets())) {
+ /*
+ * Check the profile for a path to aklog, otherwise use the
+ * default of KPROGDIR
+ */
+ char aklog_path[MAXPATHLEN];
+ struct stat st;
+
+ if (login_krb5_aklog_path) {
+ strcpy(aklog_path, login_krb5_aklog_path);
+ } else {
+ strcpy(aklog_path, KPROGDIR);
+ strcat(aklog_path, "/aklog");
+ }
+ /*
+ * Make sure it's there
+ */
+ if (stat (aklog_path, &st) == 0) {
+ system(aklog_path);
+ }
+ }
+#else
+ { }
+#endif /* KRB5_GET_TICKETS */
}
void
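Review bot: The new aklog branch copies a profile-supplied path into the fixed `aklog_path[MAXPATHLEN]` with `strcpy`, and builds the fallback with `strcpy` followed by `strcat`, neither of which checks the length, so an over-long `krb5_aklog_path` relation overruns the stack buffer before the `stat` check is ever reached. Build the path with a bounded formatter and skip the call on truncation, as in the excerpt below. Two smaller points: `system(aklog_path)` hands the configured path to `/bin/sh -c`, so spaces or shell metacharacters in the relation are interpreted by the shell rather than treated as part of the file name, whereas `fork`/`execv` with an explicit argv would run exactly the file that `stat` checked (the v4 branch at the top of the hunk already uses `system`, so this only perpetuates the existing pattern); and `have_v5_tickets()` is not visible in the patch, so its definition must land with this change. The `} else` left dangling before `#endif /* KRB_RUN_AKLOG */` and paired with `{ }` under `#else` is fragile and deserves a one-line comment explaining that the two preprocessor blocks form one if/else chain; afs_login starts in the previous hunk.
```c
    if (login_krb5_run_aklog && (got_v5_tickets || have_v5_tickets())) {
        /* … unchanged: comment about profile path vs KPROGDIR default … */
        char aklog_path[MAXPATHLEN];
        struct stat st;
        int len;

        /* Bounded copy; a truncated path is not the configured one, so
         * it must not be run (use the project's portable snprintf if the
         * platform lacks one). */
        if (login_krb5_aklog_path)
            len = snprintf(aklog_path, sizeof aklog_path, "%s",
                           login_krb5_aklog_path);
        else
            len = snprintf(aklog_path, sizeof aklog_path, "%s/aklog", KPROGDIR);
        if (len >= 0 && (size_t)len < sizeof aklog_path
            && stat(aklog_path, &st) == 0) {
            system(aklog_path);
        }
    }
```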