drop krb4 support

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24495 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-01-26 01:09:16 +00:00
parent 3a2db6c8ea
commit a21969d84d
10 changed files with 16 additions and 447 deletions

View File

@@ -8,9 +8,6 @@ bin_PROGRAMS = ftp
CHECK_LOCAL =
if KRB4
krb4_sources = krb4.c
endif
if KRB5
krb5_sources = gssapi.c
endif

View File

@@ -106,17 +106,10 @@ char verbosehelp[] = "toggle verbose mode";
char prothelp[] = "set protection level";
char prothelp_c[] = "set command protection level";
#ifdef KRB4
char kauthhelp[] = "get remote tokens";
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
char klisthelp[] = "show remote tickets";
#endif
#ifdef KRB4
char kdestroyhelp[] = "destroy remote tickets";
char krbtkfilehelp[] = "set filename of remote tickets";
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
char afsloghelp[] = "obtain remote AFS tokens";
#endif
@@ -197,17 +190,10 @@ struct cmd cmdtab[] = {
{ "protect", prothelp, 0, 1, 0, sec_prot },
/* what MIT uses */
{ "cprotect", prothelp_c, 0, 1, 1, sec_prot_command },
#ifdef KRB4
{ "kauth", kauthhelp, 0, 1, 0, kauth },
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
{ "klist", klisthelp, 0, 1, 0, klist },
#endif
#ifdef KRB4
{ "kdestroy", kdestroyhelp, 0, 1, 0, kdestroy },
{ "krbtkfile", krbtkfilehelp, 0, 1, 0, krbtkfile },
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
{ "afslog", afsloghelp, 0, 1, 0, afslog },
#endif

View File

@@ -34,143 +34,7 @@
#include "ftp_locl.h"
RCSID("$Id$");
#ifdef KRB4
#include <krb.h>
void
kauth(int argc, char **argv)
{
int ret;
char buf[1024];
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
int overbose;
char passwd[100];
int tmp;
int save;
if(argc > 2){
printf("usage: %s [principal]\n", argv[0]);
code = -1;
return;
}
if(argc == 2)
name = argv[1];
else
name = username;
overbose = verbose;
verbose = 0;
save = set_command_prot(prot_private);
ret = command("SITE KAUTH %s", name);
if(ret != CONTINUE){
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
verbose = overbose;
p = strstr(reply_string, "T=");
if(!p){
printf("Bad reply from server.\n");
set_command_prot(save);
code = -1;
return;
}
p += 2;
tmp = base64_decode(p, &tkt.dat);
if(tmp < 0){
printf("Failed to decode base64 in reply.\n");
set_command_prot(save);
code = -1;
return;
}
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(reply_string, "P=");
if(!p){
printf("Bad reply from server.\n");
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
snprintf(buf, sizeof(buf), "Password for %s:", name);
if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
*passwd = '\0';
des_string_to_key (passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if (strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
des_key_sched (&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
printf("Out of memory base64-encoding.\n");
set_command_prot(save);
code = -1;
return;
}
memset (tktcopy.dat, 0, tktcopy.length);
ret = command("SITE KAUTH %s %s", name, p);
free(p);
set_command_prot(save);
if(ret != COMPLETE){
code = -1;
return;
}
code = 0;
}
void
kdestroy(int argc, char **argv)
{
int ret;
if (argc != 1) {
printf("usage: %s\n", argv[0]);
code = -1;
return;
}
ret = command("SITE KDESTROY");
code = (ret == COMPLETE);
}
void
krbtkfile(int argc, char **argv)
{
int ret;
if(argc != 2) {
printf("usage: %s tktfile\n", argv[0]);
code = -1;
return;
}
ret = command("SITE KRBTKFILE %s", argv[1]);
code = (ret == COMPLETE);
}
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
void
afslog(int argc, char **argv)

View File

@@ -90,9 +90,6 @@ name_to_level(const char *name)
static struct sec_server_mech *mechs[] = {
#ifdef KRB5
&gss_server_mech,
#endif
#ifdef KRB4
&krb4_server_mech,
#endif
NULL
};
@@ -104,9 +101,6 @@ static struct sec_server_mech *mech;
static struct sec_client_mech *mechs[] = {
#ifdef KRB5
&gss_client_mech,
#endif
#ifdef KRB4
&krb4_client_mech,
#endif
NULL
};

View File

@@ -8,9 +8,6 @@ libexec_PROGRAMS = ftpd
CHECK_LOCAL =
if KRB4
krb4_sources = krb4.c
endif
if KRB5
krb5_sources = gssapi.c gss_userok.c
endif
@@ -30,7 +27,7 @@ ftpd_SOURCES = \
$(krb4_sources) \
$(krb5_sources)
EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
EXTRA_ftpd_SOURCES = kauth.c gssapi.c gss_userok.c
$(ftpd_OBJECTS): security.h
@@ -38,12 +35,10 @@ security.c:
@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
security.h:
@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
krb4.c:
@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
gssapi.c:
@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
CLEANFILES = security.c security.h krb4.c gssapi.c
CLEANFILES = security.c security.h gssapi.c
man_MANS = ftpd.8 ftpusers.5

View File

@@ -501,26 +501,7 @@ cmd
| SITE SP KAUTH SP STRING CRLF check_login
{
#ifdef KRB4
char *p;
if(guest)
reply(500, "Can't be done as guest.");
else{
if($7 && $5 != NULL){
p = strpbrk($5, " \t");
if(p){
*p++ = 0;
kauth($5, p + strspn(p, " \t"));
}else
kauth($5, NULL);
}
}
if($5 != NULL)
free($5);
#else
reply(500, "Command not implemented.");
#endif
}
| SITE SP KLIST CRLF check_login
{
@@ -529,29 +510,15 @@ cmd
}
| SITE SP KDESTROY CRLF check_login
{
#ifdef KRB4
if($5)
kdestroy();
#else
reply(500, "Command not implemented.");
#endif
}
| SITE SP KRBTKFILE SP STRING CRLF check_login
{
#ifdef KRB4
if(guest)
reply(500, "Can't be done as guest.");
else if($7 && $5)
krbtkfile($5);
if($5)
free($5);
#else
reply(500, "Command not implemented.");
#endif
}
| SITE SP AFSLOG CRLF check_login
{
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
if(guest)
reply(500, "Can't be done as guest.");
else if($5)
@@ -562,7 +529,7 @@ cmd
}
| SITE SP AFSLOG SP STRING CRLF check_login
{
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
if(guest)
reply(500, "Can't be done as guest.");
else if($7)

View File

@@ -271,16 +271,6 @@ main(int argc, char **argv)
setprogname (argv[0]);
/* detach from any tickets and tokens */
{
#ifdef KRB4
char tkfile[1024];
snprintf(tkfile, sizeof(tkfile),
"/tmp/ftp_%u", (unsigned)getpid());
krb_set_tkt_string(tkfile);
#endif
}
if(getarg(args, num_args, argc, argv, &optind))
usage(1);

View File

@@ -145,11 +145,7 @@
#include <krb5.h>
#endif /* KRB5 */
#ifdef KRB4
#include <krb.h>
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
#include <kafs.h>
#endif

View File

@@ -35,224 +35,13 @@
RCSID("$Id$");
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
int do_destroy_tickets = 1;
char *k5ccname;
#endif
#ifdef KRB4
static KTEXT_ST cip;
static unsigned int lifetime;
static time_t local_time;
static krb_principal pr;
static int
save_tkt(const char *user,
const char *instance,
const char *realm,
const void *arg,
key_proc_t key_proc,
KTEXT *cipp)
{
local_time = time(0);
memmove(&cip, *cipp, sizeof(cip));
return -1;
}
static int
store_ticket(KTEXT cip)
{
char *ptr;
des_cblock session;
krb_principal sp;
unsigned char kvno;
KTEXT_ST tkt;
int left = cip->length;
int len;
int kerror;
ptr = (char *) cip->dat;
/* extract session key */
memmove(session, ptr, 8);
ptr += 8;
left -= 8;
len = strnlen(ptr, left);
if (len == left)
return(INTK_BADPW);
/* extract server's name */
strlcpy(sp.name, ptr, sizeof(sp.name));
ptr += len + 1;
left -= len + 1;
len = strnlen(ptr, left);
if (len == left)
return(INTK_BADPW);
/* extract server's instance */
strlcpy(sp.instance, ptr, sizeof(sp.instance));
ptr += len + 1;
left -= len + 1;
len = strnlen(ptr, left);
if (len == left)
return(INTK_BADPW);
/* extract server's realm */
strlcpy(sp.realm, ptr, sizeof(sp.realm));
ptr += len + 1;
left -= len + 1;
if(left < 3)
return INTK_BADPW;
/* extract ticket lifetime, server key version, ticket length */
/* be sure to avoid sign extension on lifetime! */
lifetime = (unsigned char) ptr[0];
kvno = (unsigned char) ptr[1];
tkt.length = (unsigned char) ptr[2];
ptr += 3;
left -= 3;
if (tkt.length > left)
return(INTK_BADPW);
/* extract ticket itself */
memmove(tkt.dat, ptr, tkt.length);
ptr += tkt.length;
left -= tkt.length;
/* Here is where the time should be verified against the KDC.
* Unfortunately everything is sent in host byte order (receiver
* makes wrong) , and at this stage there is no way for us to know
* which byteorder the KDC has. So we simply ignore the time,
* there are no security risks with this, the only thing that can
* happen is that we might receive a replayed ticket, which could
* at most be useless.
*/
#if 0
/* check KDC time stamp */
{
time_t kdc_time;
memmove(&kdc_time, ptr, sizeof(kdc_time));
if (swap_bytes) swap_u_long(kdc_time);
ptr += 4;
if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) {
return(RD_AP_TIME); /* XXX should probably be better
code */
}
}
#endif
/* initialize ticket cache */
if (tf_create(TKT_FILE) != KSUCCESS)
return(INTK_ERR);
if (tf_put_pname(pr.name) != KSUCCESS ||
tf_put_pinst(pr.instance) != KSUCCESS) {
tf_close();
return(INTK_ERR);
}
kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session,
lifetime, kvno, &tkt, local_time);
tf_close();
return(kerror);
}
void
kauth(char *principal, char *ticket)
{
char *p;
int ret;
if(get_command_prot() != prot_private) {
reply(500, "Request denied (bad protection level)");
return;
}
ret = krb_parse_name(principal, &pr);
if(ret){
reply(500, "Bad principal: %s.", krb_get_err_text(ret));
return;
}
if(pr.realm[0] == 0)
krb_get_lrealm(pr.realm, 1);
if(ticket){
cip.length = base64_decode(ticket, &cip.dat);
if(cip.length == -1){
reply(500, "Failed to decode data.");
return;
}
ret = store_ticket(&cip);
if(ret){
reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
memset(&cip, 0, sizeof(cip));
return;
}
do_destroy_tickets = 1;
if(k_hasafs())
krb_afslog(0, 0);
reply(200, "Tickets will be destroyed on exit.");
return;
}
ret = krb_get_in_tkt (pr.name,
pr.instance,
pr.realm,
KRB_TICKET_GRANTING_TICKET,
pr.realm,
DEFAULT_TKT_LIFE,
NULL, save_tkt, NULL);
if(ret != INTK_BADPW){
reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
return;
}
if(base64_encode(cip.dat, cip.length, &p) < 0) {
reply(500, "Out of memory while base64-encoding.");
return;
}
reply(300, "P=%s T=%s", krb_unparse_name(&pr), p);
free(p);
memset(&cip, 0, sizeof(cip));
}
static char *
short_date(int32_t dp)
{
char *cp;
time_t t = (time_t)dp;
if (t == (time_t)(-1L)) return "*** Never *** ";
cp = ctime(&t) + 4;
cp[15] = '\0';
return (cp);
}
void
krbtkfile(const char *tkfile)
{
do_destroy_tickets = 0;
krb_set_tkt_string(tkfile);
reply(200, "Using ticket file %s", tkfile);
}
#endif /* KRB4 */
#ifdef KRB5
static void
@@ -278,7 +67,7 @@ dest_cc(void)
}
#endif
#if defined(KRB4) || defined(KRB5)
#if defined(KRB5)
/*
* Only destroy if we created the tickets
@@ -288,9 +77,6 @@ void
cond_kdestroy(void)
{
if (do_destroy_tickets) {
#if KRB4
dest_tkt();
#endif
#if KRB5
dest_cc();
#endif
@@ -302,9 +88,6 @@ cond_kdestroy(void)
void
kdestroy(void)
{
#if KRB4
dest_tkt();
#endif
#if KRB5
dest_cc();
#endif
@@ -336,9 +119,6 @@ afslog(const char *cell, int quiet)
krb5_cc_close (context, id);
krb5_free_context (context);
}
#endif
#ifdef KRB4
krb_afslog(cell, 0);
#endif
if (!quiet)
reply(200, "afslog done");
@@ -357,4 +137,4 @@ afsunlog(void)
#else
int ftpd_afslog_placeholder;
#endif /* KRB4 || KRB5 */
#endif /* KRB5 */

View File

@@ -405,14 +405,14 @@ find_log10(int num)
* have to fetch them.
*/
#ifdef KRB4
#ifdef KRB5
static int do_the_afs_dance = 1;
#endif
static int
lstat_file (const char *file, struct stat *sb)
{
#ifdef KRB4
#ifdef KRB5
if (do_the_afs_dance &&
k_hasafs()
&& strcmp(file, ".")
@@ -494,7 +494,7 @@ lstat_file (const char *file, struct stat *sb)
return 0;
}
#endif /* KRB4 */
#endif /* KRB5 */
return lstat (file, sb);
}