Add SIA kerberos module

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@920 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/auth/Makefile.in

@@ -0,0 +1,39 @@
+#
+# $Id$
+#
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+@SET_MAKE@
+
+SUBDIRS		= sia
+
+all:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+		make CFLAGS="-g -Wall -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install: all
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+clean:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean:	clean
+
+distclean:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+		rm -f Makefile config.status *~
+		rm -rf CVS
+
+realclean:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) realclean); done

lib/auth/sia/Makefile.in

@@ -0,0 +1,75 @@
+#
+# $Id$
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = $(prefix)
+libdir = $(exec_prefix)/lib
+
+PICFLAGS = @PICFLAGS@
+ 
+LIBNAME = libsia_krb4
+LIBEXT = so
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = sia.c
+
+OBJECTS = sia.o
+
+all: $(LIB)
+
+Wall:
+	make CFLAGS="-g -Wall -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(CPPFLAGS) $(DEFS) -I../../.. -I../../../include -I$(srcdir) $(CFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(libdir)
+	$(INSTALL) -m 0555 $(LIB) $(libdir)
+
+uninstall:
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+	rm -rf CVS
+
+realclean: distclean
+	rm -f TAGS
+
+dist: $(DISTFILES)
+	for file in $(DISTFILES); do \
+	  ln $$file ../`cat ../.fname`/lib \
+	    || cp -p $$file ../`cat ../.fname`/lib; \
+	done
+
+
+$(OBJECTS): ../../../config.h
+
+$(LIB): $(OBJECTS)
+	ld -shared -expect_unresolved \* -o $(LIB) $(OBJECTS)  ../../kafs/libkafs.a ../../krb/libkrb.a ../../des/libdes.a

lib/auth/sia/README

@@ -0,0 +1,18 @@
+This is a quick attempt at a SIA module for Kerberos. To install this
+you will have to do the following:
+
+* Make sure libsia_krb4.so is available in /usr/athena/lib
+
+* Copy krb4_matrix.conf to /etc/sia
+
+* Apply security.patch to /sbin/init.d/security
+
+* Turn on krb4 security by issuing `rcmgr set SECURITY KRB4' and
+  `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'
+
+* Digital thinks you should reboot your machine, but that really
+  shouldn't be necessary.  It's usually sufficient just to run
+  /sbin/init.d/security
+
+
+Users with local passwords (like root) should be able to login safely.

lib/auth/sia/krb4_matrix.conf

@@ -0,0 +1,28 @@
+# $Id$
+
+# sia matrix configuration file (Kerberos 4 + BSD)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_suauthent=(BSD,libc.so)
+siad_ses_reauthent=(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+

lib/auth/sia/security.patch

@@ -0,0 +1,11 @@
+--- /sbin/init.d/security~      Tue Aug 20 22:44:09 1996
++++ /sbin/init.d/security       Fri Nov  1 14:52:56 1996
+@@ -49,7 +49,7 @@
+                    SECURITY=BASE
+                fi
+                ;;
+-       BASE)
++       BASE|KRB4)
+                ;;
+        *)
+                echo "security configuration set to default (BASE)."

lib/auth/sia/sia.c

@@ -0,0 +1,320 @@
+/*
+ * Copyright (c) 1995, 1996 Kungliga Tekniska H<>gskolan (Royal Institute
+ * of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      H<>gskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id$");
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <siad.h>
+#include <pwd.h>
+
+#include <krb.h>
+
+int 
+siad_init(void)
+{
+    return SIADSUCCESS;
+}
+
+int 
+siad_chk_invoker(void)
+{
+    return SIADFAIL;
+}
+
+int 
+siad_ses_init(SIAENTITY *entity, int pkgind)
+{
+    entity->mech[pkgind] = NULL;
+    return SIADSUCCESS;
+}
+
+static int
+setup_name(SIAENTITY *e, prompt_t *p)
+{
+    e->name = malloc(SIANAMEMIN+1);
+    if(e->name == NULL)
+	return SIADFAIL;
+    p->prompt = (unsigned char*)"login: ";
+    p->result = (unsigned char*)e->name;
+    p->min_result_length = 1;
+    p->max_result_length = SIANAMEMIN;
+    p->control_flags = 0;
+    return SIADSUCCESS;
+}
+
+static int
+setup_password(SIAENTITY *e, prompt_t *p)
+{
+    e->password = malloc(SIAMXPASSWORD+1);
+    if(e->password == NULL)
+	return SIADFAIL;
+    p->prompt = (unsigned char*)"Password: ";
+    p->result = (unsigned char*)e->password;
+    p->min_result_length = 0;
+    p->max_result_length = SIAMXPASSWORD;
+    p->control_flags = SIARESINVIS;
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_authent(sia_collect_func_t *collect, 
+		 SIAENTITY *entity, 
+		 int siastat,
+		 int pkgind)
+{
+    prompt_t prompts[2], *pr;
+    if((siastat == SIADSUCCESS) && (geteuid() == 0))
+	return SIADSUCCESS;
+    if(entity == NULL)
+	return SIADFAIL | SIADSTOP;
+    if((entity->acctname != NULL) || (entity->pwd != NULL))
+	return SIADFAIL | SIADSTOP;
+    
+    if((collect != NULL) && entity->colinput) {
+	int num;
+	pr = prompts;
+	if(entity->name == NULL){
+	    if(setup_name(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	if(entity->password == NULL){
+	    if(setup_password(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	num = pr - prompts;
+	if(num == 1){
+	    if((*collect)(240, SIAONELINER, (unsigned char*)"bar", num, 
+			  prompts) != SIACOLSUCCESS)
+		return SIADFAIL | SIADSTOP;
+	} else if(num > 0){
+	    if((*collect)(0, SIAFORM, (unsigned char*)"foo", num, 
+			  prompts) != SIACOLSUCCESS)
+		return SIADFAIL | SIADSTOP;
+	}
+    }
+    
+    if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD)
+	return SIADFAIL;
+    if(entity->name[0] == 0)
+	return SIADFAIL;
+    
+    {
+	char realm[REALM_SZ];
+	int ret;
+	struct passwd pwd;
+	char buf[1024];
+
+	sprintf(buf, "%s_%d", TKT_ROOT, getpid());
+	entity->mech[pkgind] = (int*)strdup(buf);
+	krb_set_tkt_string(buf);
+
+	krb_get_lrealm(realm, 0);
+	ret = krb_verify_user(entity->name, "", realm, 
+			      entity->password, 0, NULL);
+	if(ret){
+	    SIALOG("WARNING", "krb_verify_user(%s): %s", 
+		   entity->name, krb_get_err_text(ret));
+	    return SIADFAIL;
+	}
+	getpwnam_r(entity->name, &pwd, buf, sizeof(buf));
+	if(sia_make_entity_pwd(&pwd, entity) == SIAFAIL)
+	    return SIADFAIL;
+    }
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_estab(sia_collect_func_t *collect, 
+	       SIAENTITY *entity, int pkgind)
+{
+    return SIADFAIL;
+}
+
+int 
+siad_ses_launch(sia_collect_func_t *collect,
+		SIAENTITY *entity,
+		int pkgind)
+{
+    char buf[1024];
+    if(entity->mech[pkgind] == NULL)
+	return SIADFAIL;
+    sprintf(buf, "%s%d", TKT_ROOT, entity->pwd->pw_uid);
+    rename((char*)entity->mech[pkgind], buf);
+    krb_set_tkt_string(buf);
+    chown(buf, entity->pwd->pw_uid, entity->pwd->pw_gid);
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_release(SIAENTITY *entity, int pkgind)
+{
+    if(entity->mech[pkgind])
+	free(entity->mech[pkgind]);
+    return SIADSUCCESS;
+}
+
+/* Is it necessary to have all these? I think not. */
+
+int 
+siad_ses_suauthent(sia_collect_func_t *collect,
+		   SIAENTITY *entity,
+		   int siastat,
+		   int pkgind)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_ses_reauthent(sia_collect_func_t *collect,
+		   SIAENTITY *entity,
+		   int siastat,
+		   int pkgind)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_chg_finger(sia_collect_func_t *collect,
+		const char *username, int argc, char *argv[])
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_chg_password(sia_collect_func_t *collect,
+		  const char *username, int argc, char *argv[])
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_chg_shell(sia_collect_func_t *collect,
+	       const char *username, int argc, char *argv[])
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_getpwent(struct passwd *result, char *buf, int bufsize, FILE
+	      **context)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_getpwuid(uid_t uid, struct passwd *result, char *buf, int bufsize)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_getpwnam(const char *name, struct passwd *result, char *buf,
+	      int bufsize)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_setpwent(FILE **context)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_endpwent(FILE **context)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_getgrent(struct group *result, char *buf, int bufsize, FILE 
+	      **context)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_getgrgid(gid_t gid, struct group *result, char *buf, int bufsize)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_getgrnam(const char *name, struct group *result, char *buf, 
+	      int bufsize)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_setgrent(FILE **context)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_endgrent(FILE **context)
+{
+    return SIADFAIL;
+}
+
+
+int 
+siad_chk_user(const char *logname, int checkflag)
+{
+    return SIADFAIL;
+}