diff --git a/lib/auth/Makefile.in b/lib/auth/Makefile.in
new file mode 100644
index 000000000..cd02993f8
--- /dev/null
+++ b/lib/auth/Makefile.in
@@ -0,0 +1,39 @@
+#
+# $Id$
+#
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+SHELL = /bin/sh
+
+@SET_MAKE@
+
+SUBDIRS = sia
+
+all:
+ for i in $(SUBDIRS); \
+ do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+ make CFLAGS="-g -Wall -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install: all
+ for i in $(SUBDIRS); \
+ do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+clean:
+ for i in $(SUBDIRS); \
+ do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean: clean
+
+distclean:
+ for i in $(SUBDIRS); \
+ do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+ rm -f Makefile config.status *~
+ rm -rf CVS
+
+realclean:
+ for i in $(SUBDIRS); \
+ do (cd $$i && $(MAKE) $(MFLAGS) realclean); done
diff --git a/lib/auth/sia/Makefile.in b/lib/auth/sia/Makefile.in
new file mode 100644
index 000000000..ed3f5ebf5
--- /dev/null
+++ b/lib/auth/sia/Makefile.in
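Review bot: The `Wall` target runs a literal `make` instead of `$(MAKE)`, so a dry run (`-n`), the jobserver and any `MAKE=` override do not reach the nested invocation; the `Wall` target of lib/auth/sia/Makefile.in in the next hunk has the same recipe. `$(MAKE) CFLAGS="-g -Wall -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"` fixes both. The `for i in $(SUBDIRS)` loops also report only the last iteration's status, so a failing subdirectory build does not stop the top-level make; `do (cd $$i && $(MAKE) $(MFLAGS) all) || exit 1; done` (and likewise for install, clean, distclean and realclean) makes the failure visible.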
@@ -0,0 +1,75 @@
+#
+# $Id$
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = $(prefix)
+libdir = $(exec_prefix)/lib
+
+PICFLAGS = @PICFLAGS@
+
+LIBNAME = libsia_krb4
+LIBEXT = so
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = sia.c
+
+OBJECTS = sia.o
+
+all: $(LIB)
+
+Wall:
+ make CFLAGS="-g -Wall -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+ $(CC) -c $(CPPFLAGS) $(DEFS) -I../../.. -I../../../include -I$(srcdir) $(CFLAGS) $(PICFLAGS) $<
+
+install: all
+ $(MKINSTALLDIRS) $(libdir)
+ $(INSTALL) -m 0555 $(LIB) $(libdir)
+
+uninstall:
+
+TAGS: $(SOURCES)
+ etags $(SOURCES)
+
+check:
+
+clean:
+ rm -f $(LIB) *.o
+
+mostlyclean: clean
+
+distclean: clean
+ rm -f Makefile *.tab.c *~
+ rm -rf CVS
+
+realclean: distclean
+ rm -f TAGS
+
+dist: $(DISTFILES)
+ for file in $(DISTFILES); do \
+ ln $$file ../`cat ../.fname`/lib \
+ || cp -p $$file ../`cat ../.fname`/lib; \
+ done
+
+
+$(OBJECTS): ../../../config.h
+
+$(LIB): $(OBJECTS)
+ ld -shared -expect_unresolved \* -o $(LIB) $(OBJECTS) ../../kafs/libkafs.a ../../krb/libkrb.a ../../des/libdes.a
diff --git a/lib/auth/sia/README b/lib/auth/sia/README
new file mode 100644
index 000000000..d50c6b205
--- /dev/null
+++ b/lib/auth/sia/README
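Review bot: The `$(LIB)` rule links with `-expect_unresolved \*`, which silences every unresolved-symbol diagnostic at link time; since this object is loaded as a SIA module into the processes that run the login path, a misspelled or missing symbol would only surface when one of those processes calls it. If the symbols expected from the host process are known, listing them in place of the wildcard lets the linker catch everything else. The non-file targets (`all`, `Wall`, `install`, `uninstall`, `check`, `clean`, `mostlyclean`, `distclean`, `realclean`, `dist`) are also not declared in a `.PHONY:` line, and `install` writes straight to `$(libdir)` with no `$(DESTDIR)` prefix, which staged installs need.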
@@ -0,0 +1,18 @@
+This is a quick attempt at a SIA module for Kerberos. To install this
+you will have to do the following:
+
+* Make sure libsia_krb4.so is available in /usr/athena/lib
+
+* Copy krb4_matrix.conf to /etc/sia
+
+* Apply security.patch to /sbin/init.d/security
+
+* Turn on krb4 security by issuing `rcmgr set SECURITY KRB4' and
+ `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'
+
+* Digital thinks you should reboot your machine, but that really
+ shouldn't be necessary. It's usually sufficient just to run
+ /sbin/init.d/security
+
+
+Users with local passwords (like root) should be able to login safely.
diff --git a/lib/auth/sia/krb4_matrix.conf b/lib/auth/sia/krb4_matrix.conf
new file mode 100644
index 000000000..2334d3f3d
--- /dev/null
+++ b/lib/auth/sia/krb4_matrix.conf
@@ -0,0 +1,28 @@
+# $Id$
+
+# sia matrix configuration file (Kerberos 4 + BSD)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_suauthent=(BSD,libc.so)
+siad_ses_reauthent=(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+
diff --git a/lib/auth/sia/security.patch b/lib/auth/sia/security.patch
new file mode 100644
index 000000000..c407876d6
--- /dev/null
+++ b/lib/auth/sia/security.patch
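Review bot: Every `KRB4` entry names the absolute path `/usr/athena/lib/libsia_krb4.so`, while the Makefile in the earlier hunk installs the library to `$(libdir)`, i.e. `@prefix@/lib`; unless the package is configured with prefix `/usr/athena`, the installed file and the matrix entries point at different locations, and the README's first step relies on the administrator noticing this. Either generating this file from the configured `libdir` at build time or stating the assumption at the top of the file, e.g. `# paths below assume the library was installed with prefix=/usr/athena`, would keep the two in agreement. Since the SIA framework loads whatever this path names into its callers, the installed file and its directory should be root-owned and not writable by other users, which the install recipe's `-m 0555` covers for the file only.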
@@ -0,0 +1,11 @@
+--- /sbin/init.d/security~ Tue Aug 20 22:44:09 1996
++++ /sbin/init.d/security Fri Nov 1 14:52:56 1996
+@@ -49,7 +49,7 @@
+ SECURITY=BASE
+ fi
+ ;;
+- BASE)
++ BASE|KRB4)
+ ;;
+ *)
+ echo "security configuration set to default (BASE)."
diff --git a/lib/auth/sia/sia.c b/lib/auth/sia/sia.c
new file mode 100644
index 000000000..572660210
--- /dev/null
+++ b/lib/auth/sia/sia.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (c) 1995, 1996 Kungliga Tekniska Högskolan (Royal Institute
+ * of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Kungliga Tekniska
+ * Högskolan and its contributors.
+ *
+ * 4. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include
+RCSID("$Id$");
+#endif
+#include
+#include
+#include
+#include
+
+#include
+
+int
+siad_init(void)
+{
+ return SIADSUCCESS;
+}
+
+int
+siad_chk_invoker(void)
+{
+ return SIADFAIL;
+}
+
+int
+siad_ses_init(SIAENTITY *entity, int pkgind)
+{
+ entity->mech[pkgind] = NULL;
+ return SIADSUCCESS;
+}
+
+static int
+setup_name(SIAENTITY *e, prompt_t *p)
+{
+ e->name = malloc(SIANAMEMIN+1);
+ if(e->name == NULL)
+ return SIADFAIL;
+ p->prompt = (unsigned char*)"login: ";
+ p->result = (unsigned char*)e->name;
+ p->min_result_length = 1;
+ p->max_result_length = SIANAMEMIN;
+ p->control_flags = 0;
+ return SIADSUCCESS;
+}
+
+static int
+setup_password(SIAENTITY *e, prompt_t *p)
+{
+ e->password = malloc(SIAMXPASSWORD+1);
+ if(e->password == NULL)
+ return SIADFAIL;
+ p->prompt = (unsigned char*)"Password: ";
+ p->result = (unsigned char*)e->password;
+ p->min_result_length = 0;
+ p->max_result_length = SIAMXPASSWORD;
+ p->control_flags = SIARESINVIS;
+ return SIADSUCCESS;
+}
+
+int
+siad_ses_authent(sia_collect_func_t *collect,
+ SIAENTITY *entity,
+ int siastat,
+ int pkgind)
+{
+ prompt_t prompts[2], *pr;
+ if((siastat == SIADSUCCESS) && (geteuid() == 0))
+ return SIADSUCCESS;
+ if(entity == NULL)
+ return SIADFAIL | SIADSTOP;
+ if((entity->acctname != NULL) || (entity->pwd != NULL))
+ return SIADFAIL | SIADSTOP;
+
+ if((collect != NULL) && entity->colinput) {
+ int num;
+ pr = prompts;
+ if(entity->name == NULL){
+ if(setup_name(entity, pr) != SIADSUCCESS)
+ return SIADFAIL;
+ pr++;
+ }
+ if(entity->password == NULL){
+ if(setup_password(entity, pr) != SIADSUCCESS)
+ return SIADFAIL;
+ pr++;
+ }
+ num = pr - prompts;
+ if(num == 1){
+ if((*collect)(240, SIAONELINER, (unsigned char*)"bar", num,
+ prompts) != SIACOLSUCCESS)
+ return SIADFAIL | SIADSTOP;
+ } else if(num > 0){
+ if((*collect)(0, SIAFORM, (unsigned char*)"foo", num,
+ prompts) != SIACOLSUCCESS)
+ return SIADFAIL | SIADSTOP;
+ }
+ }
+
+ if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD)
+ return SIADFAIL;
+ if(entity->name[0] == 0)
+ return SIADFAIL;
+
+ {
+ char realm[REALM_SZ];
+ int ret;
+ struct passwd pwd;
+ char buf[1024];
+
+ sprintf(buf, "%s_%d", TKT_ROOT, getpid());
+ entity->mech[pkgind] = (int*)strdup(buf);
+ krb_set_tkt_string(buf);
+
+ krb_get_lrealm(realm, 0);
+ ret = krb_verify_user(entity->name, "", realm,
+ entity->password, 0, NULL);
+ if(ret){
+ SIALOG("WARNING", "krb_verify_user(%s): %s",
+ entity->name, krb_get_err_text(ret));
+ return SIADFAIL;
+ }
+ getpwnam_r(entity->name, &pwd, buf, sizeof(buf));
+ if(sia_make_entity_pwd(&pwd, entity) == SIAFAIL)
+ return SIADFAIL;
+ }
+ return SIADSUCCESS;
+}
+
+int
+siad_ses_estab(sia_collect_func_t *collect,
+ SIAENTITY *entity, int pkgind)
+{
+ return SIADFAIL;
+}
+
+int
+siad_ses_launch(sia_collect_func_t *collect,
+ SIAENTITY *entity,
+ int pkgind)
+{
+ char buf[1024];
+ if(entity->mech[pkgind] == NULL)
+ return SIADFAIL;
+ sprintf(buf, "%s%d", TKT_ROOT, entity->pwd->pw_uid);
+ rename((char*)entity->mech[pkgind], buf);
+ krb_set_tkt_string(buf);
+ chown(buf, entity->pwd->pw_uid, entity->pwd->pw_gid);
+ return SIADSUCCESS;
+}
+
+int
+siad_ses_release(SIAENTITY *entity, int pkgind)
+{
+ if(entity->mech[pkgind])
+ free(entity->mech[pkgind]);
+ return SIADSUCCESS;
+}
+
+/* Is it necessary to have all these? I think not. */
+
+int
+siad_ses_suauthent(sia_collect_func_t *collect,
+ SIAENTITY *entity,
+ int siastat,
+ int pkgind)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_ses_reauthent(sia_collect_func_t *collect,
+ SIAENTITY *entity,
+ int siastat,
+ int pkgind)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_chg_finger(sia_collect_func_t *collect,
+ const char *username, int argc, char *argv[])
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_chg_password(sia_collect_func_t *collect,
+ const char *username, int argc, char *argv[])
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_chg_shell(sia_collect_func_t *collect,
+ const char *username, int argc, char *argv[])
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_getpwent(struct passwd *result, char *buf, int bufsize, FILE
+ **context)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_getpwuid(uid_t uid, struct passwd *result, char *buf, int bufsize)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_getpwnam(const char *name, struct passwd *result, char *buf,
+ int bufsize)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_setpwent(FILE **context)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_endpwent(FILE **context)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_getgrent(struct group *result, char *buf, int bufsize, FILE
+ **context)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_getgrgid(gid_t gid, struct group *result, char *buf, int bufsize)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_getgrnam(const char *name, struct group *result, char *buf,
+ int bufsize)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_setgrent(FILE **context)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_endgrent(FILE **context)
+{
+ return SIADFAIL;
+}
+
+
+int
+siad_chk_user(const char *logname, int checkflag)
+{
+ return SIADFAIL;
+}
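Review bot: In siad_ses_authent the fifth argument of `krb_verify_user(entity->name, "", realm, entity->password, 0, NULL)` is 0, so the ticket obtained with the supplied password is accepted without being verified against a local service key; for a module that decides whether a login session is granted, a non-zero `secure` argument (with the host's srvtab present) is what lets the module confirm the KDC's answer rather than trust it. In the same block the return values of `krb_get_lrealm` and `getpwnam_r` are not checked, so when the principal has no matching local account `pwd` is handed to `sia_make_entity_pwd` uninitialised; `if(getpwnam_r(entity->name, &pwd, buf, sizeof(buf)) != 0) return SIADFAIL;` closes that, assuming the four-argument getpwnam_r used here returns 0 on success. In siad_ses_launch the results of `rename` and `chown` are ignored as well, so a failed move leaves the pid-named ticket file in place while `krb_set_tkt_string` has already pointed the session at the uid-named path. siad_ses_release only frees `entity->mech[pkgind]` and never removes the pid-named ticket file (presumably written by krb_verify_user) when siad_ses_launch did not run, so an authenticated but abandoned session leaves a ticket cache behind.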