drop krb4 support
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24495 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
@@ -8,9 +8,6 @@ bin_PROGRAMS = ftp
|
||||
|
||||
CHECK_LOCAL =
|
||||
|
||||
if KRB4
|
||||
krb4_sources = krb4.c
|
||||
endif
|
||||
if KRB5
|
||||
krb5_sources = gssapi.c
|
||||
endif
|
||||
|
@@ -106,17 +106,10 @@ char verbosehelp[] = "toggle verbose mode";
|
||||
|
||||
char prothelp[] = "set protection level";
|
||||
char prothelp_c[] = "set command protection level";
|
||||
#ifdef KRB4
|
||||
char kauthhelp[] = "get remote tokens";
|
||||
#endif
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
char klisthelp[] = "show remote tickets";
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
char kdestroyhelp[] = "destroy remote tickets";
|
||||
char krbtkfilehelp[] = "set filename of remote tickets";
|
||||
#endif
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
char afsloghelp[] = "obtain remote AFS tokens";
|
||||
#endif
|
||||
|
||||
@@ -197,17 +190,10 @@ struct cmd cmdtab[] = {
|
||||
{ "protect", prothelp, 0, 1, 0, sec_prot },
|
||||
/* what MIT uses */
|
||||
{ "cprotect", prothelp_c, 0, 1, 1, sec_prot_command },
|
||||
#ifdef KRB4
|
||||
{ "kauth", kauthhelp, 0, 1, 0, kauth },
|
||||
#endif
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
{ "klist", klisthelp, 0, 1, 0, klist },
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
{ "kdestroy", kdestroyhelp, 0, 1, 0, kdestroy },
|
||||
{ "krbtkfile", krbtkfilehelp, 0, 1, 0, krbtkfile },
|
||||
#endif
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
{ "afslog", afsloghelp, 0, 1, 0, afslog },
|
||||
#endif
|
||||
|
||||
|
@@ -34,143 +34,7 @@
|
||||
#include "ftp_locl.h"
|
||||
RCSID("$Id$");
|
||||
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
|
||||
void
|
||||
kauth(int argc, char **argv)
|
||||
{
|
||||
int ret;
|
||||
char buf[1024];
|
||||
des_cblock key;
|
||||
des_key_schedule schedule;
|
||||
KTEXT_ST tkt, tktcopy;
|
||||
char *name;
|
||||
char *p;
|
||||
int overbose;
|
||||
char passwd[100];
|
||||
int tmp;
|
||||
|
||||
int save;
|
||||
|
||||
if(argc > 2){
|
||||
printf("usage: %s [principal]\n", argv[0]);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
if(argc == 2)
|
||||
name = argv[1];
|
||||
else
|
||||
name = username;
|
||||
|
||||
overbose = verbose;
|
||||
verbose = 0;
|
||||
|
||||
save = set_command_prot(prot_private);
|
||||
ret = command("SITE KAUTH %s", name);
|
||||
if(ret != CONTINUE){
|
||||
verbose = overbose;
|
||||
set_command_prot(save);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
verbose = overbose;
|
||||
p = strstr(reply_string, "T=");
|
||||
if(!p){
|
||||
printf("Bad reply from server.\n");
|
||||
set_command_prot(save);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
p += 2;
|
||||
tmp = base64_decode(p, &tkt.dat);
|
||||
if(tmp < 0){
|
||||
printf("Failed to decode base64 in reply.\n");
|
||||
set_command_prot(save);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
tkt.length = tmp;
|
||||
tktcopy.length = tkt.length;
|
||||
|
||||
p = strstr(reply_string, "P=");
|
||||
if(!p){
|
||||
printf("Bad reply from server.\n");
|
||||
verbose = overbose;
|
||||
set_command_prot(save);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
name = p + 2;
|
||||
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
|
||||
*p = 0;
|
||||
|
||||
snprintf(buf, sizeof(buf), "Password for %s:", name);
|
||||
if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
|
||||
*passwd = '\0';
|
||||
des_string_to_key (passwd, &key);
|
||||
|
||||
des_key_sched(&key, schedule);
|
||||
|
||||
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
|
||||
tkt.length,
|
||||
schedule, &key, DES_DECRYPT);
|
||||
if (strcmp ((char*)tktcopy.dat + 8,
|
||||
KRB_TICKET_GRANTING_TICKET) != 0) {
|
||||
afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
|
||||
des_key_sched (&key, schedule);
|
||||
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
|
||||
tkt.length,
|
||||
schedule, &key, DES_DECRYPT);
|
||||
}
|
||||
memset(key, 0, sizeof(key));
|
||||
memset(schedule, 0, sizeof(schedule));
|
||||
memset(passwd, 0, sizeof(passwd));
|
||||
if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
|
||||
printf("Out of memory base64-encoding.\n");
|
||||
set_command_prot(save);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
memset (tktcopy.dat, 0, tktcopy.length);
|
||||
ret = command("SITE KAUTH %s %s", name, p);
|
||||
free(p);
|
||||
set_command_prot(save);
|
||||
if(ret != COMPLETE){
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
code = 0;
|
||||
}
|
||||
|
||||
void
|
||||
kdestroy(int argc, char **argv)
|
||||
{
|
||||
int ret;
|
||||
if (argc != 1) {
|
||||
printf("usage: %s\n", argv[0]);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
ret = command("SITE KDESTROY");
|
||||
code = (ret == COMPLETE);
|
||||
}
|
||||
|
||||
void
|
||||
krbtkfile(int argc, char **argv)
|
||||
{
|
||||
int ret;
|
||||
if(argc != 2) {
|
||||
printf("usage: %s tktfile\n", argv[0]);
|
||||
code = -1;
|
||||
return;
|
||||
}
|
||||
ret = command("SITE KRBTKFILE %s", argv[1]);
|
||||
code = (ret == COMPLETE);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
|
||||
void
|
||||
afslog(int argc, char **argv)
|
||||
|
@@ -90,9 +90,6 @@ name_to_level(const char *name)
|
||||
static struct sec_server_mech *mechs[] = {
|
||||
#ifdef KRB5
|
||||
&gss_server_mech,
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
&krb4_server_mech,
|
||||
#endif
|
||||
NULL
|
||||
};
|
||||
@@ -104,9 +101,6 @@ static struct sec_server_mech *mech;
|
||||
static struct sec_client_mech *mechs[] = {
|
||||
#ifdef KRB5
|
||||
&gss_client_mech,
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
&krb4_client_mech,
|
||||
#endif
|
||||
NULL
|
||||
};
|
||||
|
@@ -8,9 +8,6 @@ libexec_PROGRAMS = ftpd
|
||||
|
||||
CHECK_LOCAL =
|
||||
|
||||
if KRB4
|
||||
krb4_sources = krb4.c
|
||||
endif
|
||||
if KRB5
|
||||
krb5_sources = gssapi.c gss_userok.c
|
||||
endif
|
||||
@@ -30,7 +27,7 @@ ftpd_SOURCES = \
|
||||
$(krb4_sources) \
|
||||
$(krb5_sources)
|
||||
|
||||
EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
|
||||
EXTRA_ftpd_SOURCES = kauth.c gssapi.c gss_userok.c
|
||||
|
||||
$(ftpd_OBJECTS): security.h
|
||||
|
||||
@@ -38,12 +35,10 @@ security.c:
|
||||
@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
|
||||
security.h:
|
||||
@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
|
||||
krb4.c:
|
||||
@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
|
||||
gssapi.c:
|
||||
@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
|
||||
|
||||
CLEANFILES = security.c security.h krb4.c gssapi.c
|
||||
CLEANFILES = security.c security.h gssapi.c
|
||||
|
||||
man_MANS = ftpd.8 ftpusers.5
|
||||
|
||||
|
@@ -501,26 +501,7 @@ cmd
|
||||
|
||||
| SITE SP KAUTH SP STRING CRLF check_login
|
||||
{
|
||||
#ifdef KRB4
|
||||
char *p;
|
||||
|
||||
if(guest)
|
||||
reply(500, "Can't be done as guest.");
|
||||
else{
|
||||
if($7 && $5 != NULL){
|
||||
p = strpbrk($5, " \t");
|
||||
if(p){
|
||||
*p++ = 0;
|
||||
kauth($5, p + strspn(p, " \t"));
|
||||
}else
|
||||
kauth($5, NULL);
|
||||
}
|
||||
}
|
||||
if($5 != NULL)
|
||||
free($5);
|
||||
#else
|
||||
reply(500, "Command not implemented.");
|
||||
#endif
|
||||
}
|
||||
| SITE SP KLIST CRLF check_login
|
||||
{
|
||||
@@ -529,29 +510,15 @@ cmd
|
||||
}
|
||||
| SITE SP KDESTROY CRLF check_login
|
||||
{
|
||||
#ifdef KRB4
|
||||
if($5)
|
||||
kdestroy();
|
||||
#else
|
||||
reply(500, "Command not implemented.");
|
||||
#endif
|
||||
}
|
||||
| SITE SP KRBTKFILE SP STRING CRLF check_login
|
||||
{
|
||||
#ifdef KRB4
|
||||
if(guest)
|
||||
reply(500, "Can't be done as guest.");
|
||||
else if($7 && $5)
|
||||
krbtkfile($5);
|
||||
if($5)
|
||||
free($5);
|
||||
#else
|
||||
reply(500, "Command not implemented.");
|
||||
#endif
|
||||
}
|
||||
| SITE SP AFSLOG CRLF check_login
|
||||
{
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
if(guest)
|
||||
reply(500, "Can't be done as guest.");
|
||||
else if($5)
|
||||
@@ -562,7 +529,7 @@ cmd
|
||||
}
|
||||
| SITE SP AFSLOG SP STRING CRLF check_login
|
||||
{
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
if(guest)
|
||||
reply(500, "Can't be done as guest.");
|
||||
else if($7)
|
||||
|
@@ -271,16 +271,6 @@ main(int argc, char **argv)
|
||||
|
||||
setprogname (argv[0]);
|
||||
|
||||
/* detach from any tickets and tokens */
|
||||
{
|
||||
#ifdef KRB4
|
||||
char tkfile[1024];
|
||||
snprintf(tkfile, sizeof(tkfile),
|
||||
"/tmp/ftp_%u", (unsigned)getpid());
|
||||
krb_set_tkt_string(tkfile);
|
||||
#endif
|
||||
}
|
||||
|
||||
if(getarg(args, num_args, argc, argv, &optind))
|
||||
usage(1);
|
||||
|
||||
|
@@ -145,11 +145,7 @@
|
||||
#include <krb5.h>
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
#endif
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
#include <kafs.h>
|
||||
#endif
|
||||
|
||||
|
@@ -35,224 +35,13 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
|
||||
int do_destroy_tickets = 1;
|
||||
char *k5ccname;
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef KRB4
|
||||
|
||||
static KTEXT_ST cip;
|
||||
static unsigned int lifetime;
|
||||
static time_t local_time;
|
||||
|
||||
static krb_principal pr;
|
||||
|
||||
static int
|
||||
save_tkt(const char *user,
|
||||
const char *instance,
|
||||
const char *realm,
|
||||
const void *arg,
|
||||
key_proc_t key_proc,
|
||||
KTEXT *cipp)
|
||||
{
|
||||
local_time = time(0);
|
||||
memmove(&cip, *cipp, sizeof(cip));
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int
|
||||
store_ticket(KTEXT cip)
|
||||
{
|
||||
char *ptr;
|
||||
des_cblock session;
|
||||
krb_principal sp;
|
||||
unsigned char kvno;
|
||||
KTEXT_ST tkt;
|
||||
int left = cip->length;
|
||||
int len;
|
||||
int kerror;
|
||||
|
||||
ptr = (char *) cip->dat;
|
||||
|
||||
/* extract session key */
|
||||
memmove(session, ptr, 8);
|
||||
ptr += 8;
|
||||
left -= 8;
|
||||
|
||||
len = strnlen(ptr, left);
|
||||
if (len == left)
|
||||
return(INTK_BADPW);
|
||||
|
||||
/* extract server's name */
|
||||
strlcpy(sp.name, ptr, sizeof(sp.name));
|
||||
ptr += len + 1;
|
||||
left -= len + 1;
|
||||
|
||||
len = strnlen(ptr, left);
|
||||
if (len == left)
|
||||
return(INTK_BADPW);
|
||||
|
||||
/* extract server's instance */
|
||||
strlcpy(sp.instance, ptr, sizeof(sp.instance));
|
||||
ptr += len + 1;
|
||||
left -= len + 1;
|
||||
|
||||
len = strnlen(ptr, left);
|
||||
if (len == left)
|
||||
return(INTK_BADPW);
|
||||
|
||||
/* extract server's realm */
|
||||
strlcpy(sp.realm, ptr, sizeof(sp.realm));
|
||||
ptr += len + 1;
|
||||
left -= len + 1;
|
||||
|
||||
if(left < 3)
|
||||
return INTK_BADPW;
|
||||
/* extract ticket lifetime, server key version, ticket length */
|
||||
/* be sure to avoid sign extension on lifetime! */
|
||||
lifetime = (unsigned char) ptr[0];
|
||||
kvno = (unsigned char) ptr[1];
|
||||
tkt.length = (unsigned char) ptr[2];
|
||||
ptr += 3;
|
||||
left -= 3;
|
||||
|
||||
if (tkt.length > left)
|
||||
return(INTK_BADPW);
|
||||
|
||||
/* extract ticket itself */
|
||||
memmove(tkt.dat, ptr, tkt.length);
|
||||
ptr += tkt.length;
|
||||
left -= tkt.length;
|
||||
|
||||
/* Here is where the time should be verified against the KDC.
|
||||
* Unfortunately everything is sent in host byte order (receiver
|
||||
* makes wrong) , and at this stage there is no way for us to know
|
||||
* which byteorder the KDC has. So we simply ignore the time,
|
||||
* there are no security risks with this, the only thing that can
|
||||
* happen is that we might receive a replayed ticket, which could
|
||||
* at most be useless.
|
||||
*/
|
||||
|
||||
#if 0
|
||||
/* check KDC time stamp */
|
||||
{
|
||||
time_t kdc_time;
|
||||
|
||||
memmove(&kdc_time, ptr, sizeof(kdc_time));
|
||||
if (swap_bytes) swap_u_long(kdc_time);
|
||||
|
||||
ptr += 4;
|
||||
|
||||
if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) {
|
||||
return(RD_AP_TIME); /* XXX should probably be better
|
||||
code */
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
/* initialize ticket cache */
|
||||
|
||||
if (tf_create(TKT_FILE) != KSUCCESS)
|
||||
return(INTK_ERR);
|
||||
|
||||
if (tf_put_pname(pr.name) != KSUCCESS ||
|
||||
tf_put_pinst(pr.instance) != KSUCCESS) {
|
||||
tf_close();
|
||||
return(INTK_ERR);
|
||||
}
|
||||
|
||||
|
||||
kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session,
|
||||
lifetime, kvno, &tkt, local_time);
|
||||
tf_close();
|
||||
|
||||
return(kerror);
|
||||
}
|
||||
|
||||
void
|
||||
kauth(char *principal, char *ticket)
|
||||
{
|
||||
char *p;
|
||||
int ret;
|
||||
|
||||
if(get_command_prot() != prot_private) {
|
||||
reply(500, "Request denied (bad protection level)");
|
||||
return;
|
||||
}
|
||||
ret = krb_parse_name(principal, &pr);
|
||||
if(ret){
|
||||
reply(500, "Bad principal: %s.", krb_get_err_text(ret));
|
||||
return;
|
||||
}
|
||||
if(pr.realm[0] == 0)
|
||||
krb_get_lrealm(pr.realm, 1);
|
||||
|
||||
if(ticket){
|
||||
cip.length = base64_decode(ticket, &cip.dat);
|
||||
if(cip.length == -1){
|
||||
reply(500, "Failed to decode data.");
|
||||
return;
|
||||
}
|
||||
ret = store_ticket(&cip);
|
||||
if(ret){
|
||||
reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
|
||||
memset(&cip, 0, sizeof(cip));
|
||||
return;
|
||||
}
|
||||
do_destroy_tickets = 1;
|
||||
|
||||
if(k_hasafs())
|
||||
krb_afslog(0, 0);
|
||||
reply(200, "Tickets will be destroyed on exit.");
|
||||
return;
|
||||
}
|
||||
|
||||
ret = krb_get_in_tkt (pr.name,
|
||||
pr.instance,
|
||||
pr.realm,
|
||||
KRB_TICKET_GRANTING_TICKET,
|
||||
pr.realm,
|
||||
DEFAULT_TKT_LIFE,
|
||||
NULL, save_tkt, NULL);
|
||||
if(ret != INTK_BADPW){
|
||||
reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
|
||||
return;
|
||||
}
|
||||
if(base64_encode(cip.dat, cip.length, &p) < 0) {
|
||||
reply(500, "Out of memory while base64-encoding.");
|
||||
return;
|
||||
}
|
||||
reply(300, "P=%s T=%s", krb_unparse_name(&pr), p);
|
||||
free(p);
|
||||
memset(&cip, 0, sizeof(cip));
|
||||
}
|
||||
|
||||
|
||||
static char *
|
||||
short_date(int32_t dp)
|
||||
{
|
||||
char *cp;
|
||||
time_t t = (time_t)dp;
|
||||
|
||||
if (t == (time_t)(-1L)) return "*** Never *** ";
|
||||
cp = ctime(&t) + 4;
|
||||
cp[15] = '\0';
|
||||
return (cp);
|
||||
}
|
||||
|
||||
void
|
||||
krbtkfile(const char *tkfile)
|
||||
{
|
||||
do_destroy_tickets = 0;
|
||||
krb_set_tkt_string(tkfile);
|
||||
reply(200, "Using ticket file %s", tkfile);
|
||||
}
|
||||
|
||||
#endif /* KRB4 */
|
||||
|
||||
#ifdef KRB5
|
||||
|
||||
static void
|
||||
@@ -278,7 +67,7 @@ dest_cc(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#if defined(KRB5)
|
||||
|
||||
/*
|
||||
* Only destroy if we created the tickets
|
||||
@@ -288,9 +77,6 @@ void
|
||||
cond_kdestroy(void)
|
||||
{
|
||||
if (do_destroy_tickets) {
|
||||
#if KRB4
|
||||
dest_tkt();
|
||||
#endif
|
||||
#if KRB5
|
||||
dest_cc();
|
||||
#endif
|
||||
@@ -302,9 +88,6 @@ cond_kdestroy(void)
|
||||
void
|
||||
kdestroy(void)
|
||||
{
|
||||
#if KRB4
|
||||
dest_tkt();
|
||||
#endif
|
||||
#if KRB5
|
||||
dest_cc();
|
||||
#endif
|
||||
@@ -336,9 +119,6 @@ afslog(const char *cell, int quiet)
|
||||
krb5_cc_close (context, id);
|
||||
krb5_free_context (context);
|
||||
}
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
krb_afslog(cell, 0);
|
||||
#endif
|
||||
if (!quiet)
|
||||
reply(200, "afslog done");
|
||||
@@ -357,4 +137,4 @@ afsunlog(void)
|
||||
|
||||
#else
|
||||
int ftpd_afslog_placeholder;
|
||||
#endif /* KRB4 || KRB5 */
|
||||
#endif /* KRB5 */
|
||||
|
@@ -405,14 +405,14 @@ find_log10(int num)
|
||||
* have to fetch them.
|
||||
*/
|
||||
|
||||
#ifdef KRB4
|
||||
#ifdef KRB5
|
||||
static int do_the_afs_dance = 1;
|
||||
#endif
|
||||
|
||||
static int
|
||||
lstat_file (const char *file, struct stat *sb)
|
||||
{
|
||||
#ifdef KRB4
|
||||
#ifdef KRB5
|
||||
if (do_the_afs_dance &&
|
||||
k_hasafs()
|
||||
&& strcmp(file, ".")
|
||||
@@ -494,7 +494,7 @@ lstat_file (const char *file, struct stat *sb)
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* KRB4 */
|
||||
#endif /* KRB5 */
|
||||
return lstat (file, sb);
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user