(kerberos5_is): also syslog all messages printed in auth_debug_mode
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16501 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -324,6 +324,21 @@ kerberos5_send_oneway(Authenticator *ap)
|
|||||||
return kerberos5_send("KERBEROS5", ap);
|
return kerberos5_send("KERBEROS5", ap);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void log_message(const char *fmt, ...)
|
||||||
|
{
|
||||||
|
va_list ap;
|
||||||
|
va_start(ap, fmt);
|
||||||
|
if (auth_debug_mode) {
|
||||||
|
va_start(ap, fmt);
|
||||||
|
vfprintf(stdout, fmt, ap);
|
||||||
|
va_end(ap);
|
||||||
|
fprintf(stdout, "\r\n");
|
||||||
|
}
|
||||||
|
va_start(ap, fmt);
|
||||||
|
vsyslog(LOG_NOTICE, fmt, ap);
|
||||||
|
va_end(ap);
|
||||||
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
||||||
{
|
{
|
||||||
@@ -347,9 +362,8 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
|
Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: krb5_auth_con_init failed (%s)",
|
||||||
printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
|
krb5_get_err_text(context, ret));
|
||||||
krb5_get_err_text(context, ret));
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -359,10 +373,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
|
Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: "
|
||||||
printf("Kerberos V5: "
|
"krb5_auth_con_setaddrs_from_fd failed (%s)",
|
||||||
"krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
|
krb5_get_err_text(context, ret));
|
||||||
krb5_get_err_text(context, ret));
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -374,10 +387,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
|
Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: "
|
||||||
printf("Kerberos V5: "
|
"krb5_sock_to_principal failed (%s)",
|
||||||
"krb5_sock_to_principal failed (%s)\r\n",
|
krb5_get_err_text(context, ret));
|
||||||
krb5_get_err_text(context, ret));
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -401,8 +413,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret2 != -1)
|
if (ret2 != -1)
|
||||||
errbuf2 = errbuf;
|
errbuf2 = errbuf;
|
||||||
Data(ap, KRB_REJECT, errbuf2, -1);
|
Data(ap, KRB_REJECT, errbuf2, -1);
|
||||||
if (auth_debug_mode)
|
log_message("%s", errbuf2);
|
||||||
printf("%s\r\n", errbuf2);
|
|
||||||
if (ret2 != -1)
|
if (ret2 != -1)
|
||||||
free (errbuf);
|
free (errbuf);
|
||||||
return;
|
return;
|
||||||
@@ -429,8 +440,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret2 != -1)
|
if (ret2 != -1)
|
||||||
errbuf2 = errbuf;
|
errbuf2 = errbuf;
|
||||||
Data(ap, KRB_REJECT, errbuf2, -1);
|
Data(ap, KRB_REJECT, errbuf2, -1);
|
||||||
if (auth_debug_mode)
|
log_message("%s", errbuf2);
|
||||||
printf ("%s\r\n", errbuf2);
|
|
||||||
if (ret2 != -1)
|
if (ret2 != -1)
|
||||||
free(errbuf);
|
free(errbuf);
|
||||||
return;
|
return;
|
||||||
@@ -443,10 +453,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
|
Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: "
|
||||||
printf("Kerberos V5: "
|
"krb5_auth_con_getremotesubkey failed (%s)",
|
||||||
"krb5_auth_con_getremotesubkey failed (%s)\r\n",
|
krb5_get_err_text(context, ret));
|
||||||
krb5_get_err_text(context, ret));
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -458,18 +467,16 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
|
Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: "
|
||||||
printf("Kerberos V5: "
|
"krb5_auth_con_getkey failed (%s)",
|
||||||
"krb5_auth_con_getkey failed (%s)\r\n",
|
krb5_get_err_text(context, ret));
|
||||||
krb5_get_err_text(context, ret));
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (key_block == NULL) {
|
if (key_block == NULL) {
|
||||||
Data(ap, KRB_REJECT, "no subkey received", -1);
|
Data(ap, KRB_REJECT, "no subkey received", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: "
|
||||||
printf("Kerberos V5: "
|
"krb5_auth_con_getremotesubkey returned NULL key");
|
||||||
"krb5_auth_con_getremotesubkey returned NULL key\r\n");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -479,10 +486,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
Data(ap, KRB_REJECT,
|
Data(ap, KRB_REJECT,
|
||||||
"krb5_mk_rep failed", -1);
|
"krb5_mk_rep failed", -1);
|
||||||
auth_finished(ap, AUTH_REJECT);
|
auth_finished(ap, AUTH_REJECT);
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: "
|
||||||
printf("Kerberos V5: "
|
"krb5_mk_rep failed (%s)",
|
||||||
"krb5_mk_rep failed (%s)\r\n",
|
krb5_get_err_text(context, ret));
|
||||||
krb5_get_err_text(context, ret));
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
|
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
|
||||||
@@ -494,10 +500,10 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
ticket->client,
|
ticket->client,
|
||||||
UserNameRequested)) {
|
UserNameRequested)) {
|
||||||
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
|
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
|
||||||
if (auth_debug_mode) {
|
log_message("%s accepted as user %s from %s",
|
||||||
printf("Kerberos5 identifies him as ``%s''\r\n",
|
name ? name : "<unknown>",
|
||||||
name ? name : "");
|
UserNameRequested ? UserNameRequested : "<unknown>",
|
||||||
}
|
RemoteHostName ? RemoteHostName : "<unknown>");
|
||||||
|
|
||||||
if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
|
if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
|
||||||
key_block->keytype == ETYPE_DES_CBC_MD4 ||
|
key_block->keytype == ETYPE_DES_CBC_MD4 ||
|
||||||
@@ -515,9 +521,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
char *msg;
|
char *msg;
|
||||||
|
|
||||||
ret = asprintf (&msg, "user `%s' is not authorized to "
|
ret = asprintf (&msg, "user `%s' is not authorized to "
|
||||||
"login as `%s'",
|
"login as `%s'",
|
||||||
name ? name : "<unknown>",
|
name ? name : "<unknown>",
|
||||||
UserNameRequested ? UserNameRequested : "<nobody>");
|
UserNameRequested ? UserNameRequested : "<nobody>");
|
||||||
if (ret != -1)
|
if (ret != -1)
|
||||||
msg2 = msg;
|
msg2 = msg;
|
||||||
Data(ap, KRB_REJECT, (void *)msg2, -1);
|
Data(ap, KRB_REJECT, (void *)msg2, -1);
|
||||||
@@ -548,8 +554,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
|
|
||||||
ret = krb5_cc_resolve (context, ccname, &ccache);
|
ret = krb5_cc_resolve (context, ccname, &ccache);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: could not get ccache: %s",
|
||||||
printf ("Kerberos V5: could not get ccache: %s\r\n",
|
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -558,8 +563,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
ccache,
|
ccache,
|
||||||
ticket->client);
|
ticket->client);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
if (auth_debug_mode)
|
log_message("Kerberos V5: could not init ccache: %s",
|
||||||
printf ("Kerberos V5: could not init ccache: %s\r\n",
|
|
||||||
krb5_get_err_text(context, ret));
|
krb5_get_err_text(context, ret));
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -582,9 +586,8 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
if (ret2 != -1)
|
if (ret2 != -1)
|
||||||
errbuf2 = errbuf;
|
errbuf2 = errbuf;
|
||||||
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
|
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
|
||||||
if (auth_debug_mode)
|
log_message("Could not read forwarded credentials: %s", errbuf);
|
||||||
printf("Could not read forwarded credentials: %s\r\n",
|
|
||||||
errbuf);
|
|
||||||
if (ret2 != -1)
|
if (ret2 != -1)
|
||||||
free (errbuf);
|
free (errbuf);
|
||||||
} else {
|
} else {
|
||||||
@@ -594,13 +597,11 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
chown (ccname + 5, pwd->pw_uid, -1);
|
chown (ccname + 5, pwd->pw_uid, -1);
|
||||||
if (auth_debug_mode)
|
log_message("Forwarded credentials obtained");
|
||||||
printf("Forwarded credentials obtained\r\n");
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
if (auth_debug_mode)
|
log_message("Unknown Kerberos option %d", data[-1]);
|
||||||
printf("Unknown Kerberos option %d\r\n", data[-1]);
|
|
||||||
Data(ap, KRB_REJECT, 0, 0);
|
Data(ap, KRB_REJECT, 0, 0);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
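Review bot: In the `@@ -582,9 +586,8 @@` hunk the new `log_message("Could not read forwarded credentials: %s", errbuf);` passes `errbuf` instead of `errbuf2`, so when `asprintf` failed (`ret2 == -1`) the logger is handed a pointer that may not reference a valid string; the other error paths in this commit log `errbuf2`. Change it to `log_message("Could not read forwarded credentials: %s", errbuf2);`; the unchanged `Data(ap, KRB_FORWARD_REJECT, errbuf, -1);` just above has the same problem. Separately, `log_message` in the first hunk calls `va_start(ap, fmt);` right after the declaration and again before `vfprintf` and `vsyslog` with no intervening `va_end`, which is undefined behaviour in C; drop the first `va_start(ap, fmt);`. The body of `kerberos5_is` and the declaration of `errbuf2` lie outside the hunks shown, so the fallback value of `errbuf2` is assumed rather than seen.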