[2152] in Kerberos-V5-bugs
Patches to run aklog in krshd
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Aug 15 13:20:43 1996
To: krb5-bugs@MIT.EDU
Date: Thu, 15 Aug 1996 13:20:37 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <24292.840129564.1@nexus.cmf.nrl.navy.mil>
Since we use AFS here, we rely heavily on the AFS token-passing rsh/rshd.
Obviously this is hokey, so we're trying to get away from it. However, even
though the kerberos 5 rsh does do TGT forwarding, it doesn't run aklog for
you. The following patch will make rshd get a PAG and run aklog for you,
if you have it configured to do so.
This is based on the patches I sent in to login.c earlier to do similar
things.
Comments and/or questions are welcome.
--Ken
------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <24292.840129564.2@nexus.cmf.nrl.navy.mil>
Content-Description: patch to krshd.c
--- appl/bsd/krshd.c.orig Mon Aug 12 14:31:53 1996
+++ appl/bsd/krshd.c Wed Aug 14 17:56:59 1996
@@ -111,6 +111,7 @@
#include <pwd.h>
#include <ctype.h>
#include <string.h>
+#include <setjmp.h>
#ifdef HAVE_SYS_LABEL_H
/* only SunOS 4? */
@@ -152,6 +153,8 @@
#ifdef KERBEROS
#include "krb5.h"
+#include "k5-int.h"
+#include "osconf.h"
#include "com_err.h"
#include "loginpaths.h"
@@ -226,6 +229,31 @@
void usage(), getstr(), doit();
+static char *conf_yes[] = {
+ "y", "yes", "true", "t", "1", "on",
+ 0
+};
+static char *conf_no[] = {
+ "n", "no", "false", "nil", "0", "off",
+ 0
+};
+/* Conf file checking function, from login.c */
+static int conf_affirmative(s)
+ char *s;
+{
+ char **p;
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+ /* ambiguous */
+ return -1;
+}
+
#ifdef __SCO__
/* sco has getgroups and setgroups but no initgroups */
int initgroups(char* name, gid_t basegid) {
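Review bot: The comment on `conf_affirmative` does not state its three-way result, which matters because an unrecognised value returns -1 and a caller that tests for non-zero would treat it as "yes". Suggest `/* Returns 1 for an affirmative value, 0 for a negative one, -1 if unrecognised; s must not be NULL. */`. The two tables are never written to and could be declared `static const char *const conf_yes[]` (likewise `conf_no`). The trailing context lines of this hunk belong to `initgroups`, whose body continues outside the hunk.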
@@ -238,6 +266,59 @@
}
#endif
+typedef krb5_sigtype sigtype;
+
+#ifndef POSIX_SETJMP
+#undef sigjmp_buf
+#undef sigsetjmp
+#undef siglongjmp
+#define sigjmp_buf jmp_buf
+#define sigsetjmp(j,s) setjmp(j)
+#define siglongjmp longjmp
+#endif
+
+#ifdef POSIX_SIGNALS
+typedef struct sigaction handler;
+#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \
+ (H).sa_flags=0, \
+ (H).sa_handler=(F))
+#define handler_swap(S,NEW,OLD) sigaction(S, &NEW, &OLD)
+#define handler_set(S,OLD) sigaction(S, &OLD, NULL)
+#else
+typedef sigtype (*handler)();
+#define handler_init(H,F) ((H) = (F))
+#define handler_swap(S,NEW,OLD) ((OLD) = signal ((S), (NEW)))
+#define handler_set(S,OLD) (signal ((S), (OLD)))
+#endif
+
+#ifdef SETPAG
+extern setpag();
+
+static sigjmp_buf setpag_buf;
+
+static sigtype sigsys()
+{
+ siglongjmp(setpag_buf, 1);
+}
+#endif
+
+static int try_setpag()
+{
+#ifdef SETPAG
+ handler sa, osa;
+ volatile int retval = 0;
+
+ (void) &retval;
+ handler_init(sa, sigsys);
+ handler_swap(SIGSYS, sa, osa);
+ if (sigsetjmp(setpag_buf, 1) == 0) {
+ setpag();
+ retval = 1;
+ }
+ handler_set(SIGSYS, osa);
+ return retval;
+#endif
+}
int main(argc, argv)
int argc;
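Review bot: `try_setpag()` is declared `int` but has no return statement when SETPAG is undefined, because its whole body sits inside `#ifdef SETPAG`; add `#else` and `return 0;` before the `#endif`. `sigsys` is installed as the SIGSYS handler but is declared without the signal-number parameter, and `extern setpag();` relies on implicit int; declaring `sigsys(sig) int sig;` and `extern int setpag();` would match what the handler and the call site expect. The result of `handler_swap` is not checked, so a failure to install the handler would go unnoticed before `setpag()` is called. The definition of `main` at the end of the hunk continues outside it.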
@@ -1840,11 +1921,60 @@
}
if (inbuf.length) { /* Forwarding being done, read creds */
+ const char *kconf_names[3];
+ char **kconf_val;
+
if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
ticket, locuser, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
+ }
+ /*
+ * This is unfortunately rather hokey, but I don't see a better
+ * way to deal with it.
+ *
+ * If we want to use Kerberos rsh and get an AFS token, we'll need
+ * to allocate a PAG and run aklog. This only makes sense if we
+ * have a forwarded ticket.
+ *
+ * We would prefer to have this behavior configurable, much like
+ * login.krb5 is now. However, does it make sense to create a
+ * new configuration entry for rshd?
+ *
+ * My gut feeling is "no", since rshd is taking the place of login
+ * in this instance. So we will check the "login" configuration
+ * entry to find out if we need to do AFS stuff.
+ */
+
+ kconf_names[0] = "login";
+ kconf_names[1] = "krb5_run_aklog";
+ kconf_names[2] = 0;
+ status = profile_get_values(bsd_context->profile,
+ kconf_names, &kconf_val);
+ if (!status) {
+ if (conf_affirmative(*kconf_val) == 1) {
+ char aklog_path[MAXPATHLEN];
+ struct stat st;
+
+ try_setpag();
+ kconf_names[1] = "krb5_aklog_path";
+ status = profile_get_values(bsd_context->profile,
+ kconf_names, &kconf_val);
+ if (!status) {
+ strcpy(aklog_path, *kconf_val);
+ } else {
+ strcpy(aklog_path, KPROGDIR);
+ strcat(aklog_path, "/aklog");
+ }
+
+ /*
+ * Make sure it's there before we try running it.
+ */
+ if (stat (aklog_path, &st) == 0) {
+ system(aklog_path);
+ }
+ }
}
}
krb5_free_ticket(bsd_context, ticket);
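Review bot: The `strcpy(aklog_path, *kconf_val)` in the forwarded-credentials branch copies a profile string of unchecked length into a MAXPATHLEN stack buffer. `system(aklog_path)` then passes that string to a shell, so whitespace or metacharacters in `krb5_aklog_path` are interpreted rather than treated as part of a path. Whether the daemon has already switched to the target user at this point is not visible in the hunk; if it has not, the shell and aklog run with the daemon's privileges and inherited environment. Suggest bounding the copy and replacing `system()` with `fork`/`execl`/`waitpid` as sketched below. The return value of `try_setpag()` and the lists returned by `profile_get_values` (never passed to `profile_free_list`) also deserve handling. The enclosing function starts and ends outside the hunk.

```c
		/* … unchanged: try_setpag(), lookup of "krb5_aklog_path" … */
		aklog_path[0] = '\0';
		if (!status) {
		    /* Reject an over-long configured path instead of overflowing. */
		    if (strlen(*kconf_val) < sizeof(aklog_path))
			strcpy(aklog_path, *kconf_val);
		} else {
		    /* … unchanged: KPROGDIR "/aklog" default … */
		}

		/* Run aklog directly, without a shell parsing the path. */
		if (aklog_path[0] != '\0' && stat(aklog_path, &st) == 0) {
		    pid_t pid = fork();

		    if (pid == 0) {
			execl(aklog_path, "aklog", (char *) 0);
			_exit(127);
		    } else if (pid > 0) {
			int wstatus;

			while (waitpid(pid, &wstatus, 0) < 0 && errno == EINTR)
			    ;
		    }
		}
```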
--- appl/bsd/Makefile.in.orig Wed Aug 14 16:44:39 1996
+++ appl/bsd/Makefile.in Wed Aug 14 16:45:21 1996
@@ -49,7 +49,7 @@
done
kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(DEPLIBS)
- $(LD) $(LDFLAGS) $(LDARGS) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(LIBS)
+ $(LD) $(LDFLAGS) $(LDARGS) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(LIBS)
klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(DEPLIBS)
$(LD) $(LDFLAGS) $(LDARGS) -o klogind krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(LIBS)
------- =_aaaaaaaaaa0--