[516] in Info-AFS_Redistribution

home help back first fref pref prev next nref lref last post

Patches to X11R5 xdm for AFS authentication and token obtaining.

daemon@ATHENA.MIT.EDU (Alan Judge)
Mon Jan 13 17:21:28 1992

Date: Mon, 13 Jan 92 21:02:40 GMT
From: Alan Judge <amjudge@swift.cs.tcd.ie>
To: info-afs@transarc.com
Cc: skenny@swift.cs.tcd.ie
X-Envelope-To: info-afs@transarc.com

A while ago I posted a question about AFS support in xdm.  I got a
number of helpful replies, but no ready made solution for X11R5.

I finally got around to hacking in support yesterday.  It works, but
doesn't do everything that I would like, like printing the error
returned by UserAuthenticate to the screen (mainly because I didn't
want to change much of the xdm code).

Without any programming level documents, I'm still not exactly sure
that I am doing the right things with PAGs, particularly in passing
them on to the client and removing them from xdm itself.  Since I
don't particularly want xdm, or some other user, to end up with a
user's token, I would appreciate it if someone at transarc would cast
their eye over the patch.  If there is a security problem, let me know.
--
Alan

Patch follows:

*** xdm/Imakefile	Thu Aug 22 22:04:37 1991
--- xdm-afs/Imakefile	Sun Jan 12 17:10:08 1992
***************
*** 24,34 ****
  #endif
  #endif
  
     XDMCONFIGDIR = XdmConfigurationSubdirectory
          SUBDIRS = $(XDMCONFIGDIR)
  
  DEPLIBS = XawClientDepLibs $(DEPXAUTHLIB) $(DEPXDMCPLIB)
! LOCAL_LIBRARIES = XawClientLibs $(XAUTHLIB) $(XDMCPLIB) $(RPCLIB)
            SRCS1 = auth.c daemon.c server.c dpylist.c dm.c error.c file.c \
  		  greet.c netaddr.c reset.c resource.c protodpy.c policy.c \
  		  session.c socket.c streams.c util.c verify.c xdmcp.c \
--- 24,41 ----
  #endif
  #endif
  
+ AFSLIBDIR = /usr/afsws/lib
+ AFSLIBS = -L$(AFSLIBDIR) -L$(AFSLIBDIR)/afs -lkauth -lprot -lubik \
+ 		-lauth -lrxkad -lsys -ldes -lrx -llwp -lcmd -lcom_err \
+ 		$(AFSLIBDIR)/afs/util.a
+ 
+ INCLUDES = -I/usr/afsws/include
+ 
     XDMCONFIGDIR = XdmConfigurationSubdirectory
          SUBDIRS = $(XDMCONFIGDIR)
  
  DEPLIBS = XawClientDepLibs $(DEPXAUTHLIB) $(DEPXDMCPLIB)
! LOCAL_LIBRARIES = XawClientLibs $(XAUTHLIB) $(XDMCPLIB) $(RPCLIB) $(AFSLIBS)
            SRCS1 = auth.c daemon.c server.c dpylist.c dm.c error.c file.c \
  		  greet.c netaddr.c reset.c resource.c protodpy.c policy.c \
  		  session.c socket.c streams.c util.c verify.c xdmcp.c \
***************
*** 62,68 ****
  		$(SIGNAL_DEFINES) $(XDMAUTH_DEFINES) $(RPC_DEFINES) $(PWD_DEFINES) \
  		ConnectionFlags \
  		-DOSMAJORVERSION=$(OSMAJORVERSION) \
! 		-DOSMINORVERSION=$(OSMINORVERSION)
  
  XCOMM
  XCOMM Special definitions for compiling default resources; these parameters
--- 69,76 ----
  		$(SIGNAL_DEFINES) $(XDMAUTH_DEFINES) $(RPC_DEFINES) $(PWD_DEFINES) \
  		ConnectionFlags \
  		-DOSMAJORVERSION=$(OSMAJORVERSION) \
! 		-DOSMINORVERSION=$(OSMINORVERSION) \
! 		-DAFS
  
  XCOMM
  XCOMM Special definitions for compiling default resources; these parameters
*** xdm/verify.c	Fri Jul 19 03:23:36 1991
--- xdm-afs/verify.c	Sun Jan 12 18:57:38 1992
***************
*** 22,27 ****
--- 22,30 ----
   * verify.c
   *
   * typical unix verification routine.
+  *
+  * Modified by AJ to add AFS authentication.
+  * ALL changes are inside #ifdef AFS
   */
  
  # include	"dm.h"
***************
*** 36,41 ****
--- 39,48 ----
  char *getenv();
  #endif
  
+ #ifdef AFS
+ #include <afs/kautils.h>
+ #endif
+ 
  struct passwd joeblow = {
  	"Nobody", "***************"
  };
***************
*** 75,85 ****
  	char		**userEnv (), **systemEnv (), **parseArgs ();
  	char		*shell, *home;
  	char		**argv;
  
  	Debug ("Verify %s ...\n", greet->name);
  	p = getpwnam (greet->name);
  	if (!p || strlen (greet->name) == 0)
! 		p = &joeblow;
  #ifdef USESHADOW
  	sp = getspnam(greet->name);
  	if (sp == NULL) {
--- 82,120 ----
  	char		**userEnv (), **systemEnv (), **parseArgs ();
  	char		*shell, *home;
  	char		**argv;
+ #ifdef AFS
+ 	int		dontuseafs = 0;
+ 	/*
+ 	 * We don't use AFS if the user doesn't exist in the local password file.
+ 	 */
+ 	char		*reason;
+ #endif
  
  	Debug ("Verify %s ...\n", greet->name);
  	p = getpwnam (greet->name);
  	if (!p || strlen (greet->name) == 0)
! #ifdef AFS
! 	    { p = &joeblow; dontuseafs = 1; }
! #else
! 	    p = &joeblow;
! #endif
! 
! #ifdef AFS
! 	/*
! 	 * Now.  If all is well, we try using AFS to authenticate the user.
! 	 */
! 	if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG,
! 				       greet->name,
! 				       (char *) 0,
! 				       (char *) 0,
! 				       greet->password,
! 				       0,
! 				       0, 0,
! 				       &reason) != 0) {
! 	    /* Failed */
! 	    Debug("AFS Verify failed: %s\n", reason);
! 	    /* Fall through and try the old system. */
! #endif
  #ifdef USESHADOW
  	sp = getspnam(greet->name);
  	if (sp == NULL) {
***************
*** 97,102 ****
--- 132,140 ----
  		bzero(greet->password, strlen(greet->password));
  		return 0;
  	}
+ #ifdef AFS
+ 	}
+ #endif
  	Debug ("verify succeeded\n");
  /*	bzero(greet->password, strlen(greet->password)); */
  	verify->uid = p->pw_uid;
***************
*** 123,128 ****
--- 161,170 ----
  	Debug ("system environment:\n");
  	printEnv (verify->systemEnviron);
  	Debug ("end of environments\n");
+ #ifdef AFS
+ 	/* Make sure that xdm doesn't end up with token. */
+ 	setpag();
+ #endif
  	return 1;
  }
  
***************
*** 209,215 ****
--- 251,276 ----
  	struct group	*g;
  	int		i;
  
+ #ifdef AFS
+ 	/*
+ 	 * AFS's PAG is stored as the first two elements of the groups
+ 	 * array.  Save these for the client.
+ 	 */
+ 	int tmpg[NGROUPS_MAX];
+ 	int tmpng;
+ #endif
  	ngroups = 0;
+ 
+ #ifdef AFS
+ 	tmpng = getgroups(NGROUPS_MAX, tmpg);
+ 	if (tmpng < 2)
+ 	    LogError("Couldn't get PAG from groups.\n");
+ 	else {
+ 	    ngroups = 2;
+ 	    verify->groups[0] = tmpg[0];
+ 	    verify->groups[1] = tmpg[1];
+ 	}
+ #endif
  	verify->groups[ngroups++] = gid;
  	setgrent ();
  	/* SUPPRESS 560 */

home help back first fref pref prev next nref lref last post