diff --git a/appl/ftp/ftp/Makefile.am b/appl/ftp/ftp/Makefile.am index 8effb870b..44f9cf68d 100644 --- a/appl/ftp/ftp/Makefile.am +++ b/appl/ftp/ftp/Makefile.am @@ -8,9 +8,6 @@ bin_PROGRAMS = ftp CHECK_LOCAL = -if KRB4 -krb4_sources = krb4.c -endif if KRB5 krb5_sources = gssapi.c endif diff --git a/appl/ftp/ftp/cmdtab.c b/appl/ftp/ftp/cmdtab.c index 1c65e7158..d4483c510 100644 --- a/appl/ftp/ftp/cmdtab.c +++ b/appl/ftp/ftp/cmdtab.c @@ -106,17 +106,10 @@ char verbosehelp[] = "toggle verbose mode"; char prothelp[] = "set protection level"; char prothelp_c[] = "set command protection level"; -#ifdef KRB4 -char kauthhelp[] = "get remote tokens"; -#endif -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) char klisthelp[] = "show remote tickets"; #endif -#ifdef KRB4 -char kdestroyhelp[] = "destroy remote tickets"; -char krbtkfilehelp[] = "set filename of remote tickets"; -#endif -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) char afsloghelp[] = "obtain remote AFS tokens"; #endif @@ -197,17 +190,10 @@ struct cmd cmdtab[] = { { "protect", prothelp, 0, 1, 0, sec_prot }, /* what MIT uses */ { "cprotect", prothelp_c, 0, 1, 1, sec_prot_command }, -#ifdef KRB4 - { "kauth", kauthhelp, 0, 1, 0, kauth }, -#endif -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) { "klist", klisthelp, 0, 1, 0, klist }, #endif -#ifdef KRB4 - { "kdestroy", kdestroyhelp, 0, 1, 0, kdestroy }, - { "krbtkfile", krbtkfilehelp, 0, 1, 0, krbtkfile }, -#endif -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) { "afslog", afsloghelp, 0, 1, 0, afslog }, #endif diff --git a/appl/ftp/ftp/kauth.c b/appl/ftp/ftp/kauth.c index fd6755639..3af44aa7d 100644 --- a/appl/ftp/ftp/kauth.c +++ b/appl/ftp/ftp/kauth.c 
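Review bot: The new guard `#if defined(KRB5)` around klisthelp tests a single macro, so the plain form `#ifdef KRB5` reads more directly and matches the `#ifdef KRB5` already used in security.c, ls.c and appl/ftp/ftpd/kauth.c; `#if defined(...)` only earned its keep while it combined KRB4 and KRB5. The same replacement appears in the cmdtab[] hunk at @@ -197,17 +190,10 @@, in appl/ftp/ftp/kauth.c, appl/ftp/ftpd/ftpd_locl.h, both AFSLOG actions in ftpcmd.y and the three places in appl/ftp/ftpd/kauth.c, and could be simplified the same way in each. This is cosmetic only; the compiled result is identical.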
@@ -34,143 +34,7 @@ #include "ftp_locl.h" RCSID("$Id$"); -#ifdef KRB4 -#include - -void -kauth(int argc, char **argv) -{ - int ret; - char buf[1024]; - des_cblock key; - des_key_schedule schedule; - KTEXT_ST tkt, tktcopy; - char *name; - char *p; - int overbose; - char passwd[100]; - int tmp; - - int save; - - if(argc > 2){ - printf("usage: %s [principal]\n", argv[0]); - code = -1; - return; - } - if(argc == 2) - name = argv[1]; - else - name = username; - - overbose = verbose; - verbose = 0; - - save = set_command_prot(prot_private); - ret = command("SITE KAUTH %s", name); - if(ret != CONTINUE){ - verbose = overbose; - set_command_prot(save); - code = -1; - return; - } - verbose = overbose; - p = strstr(reply_string, "T="); - if(!p){ - printf("Bad reply from server.\n"); - set_command_prot(save); - code = -1; - return; - } - p += 2; - tmp = base64_decode(p, &tkt.dat); - if(tmp < 0){ - printf("Failed to decode base64 in reply.\n"); - set_command_prot(save); - code = -1; - return; - } - tkt.length = tmp; - tktcopy.length = tkt.length; - - p = strstr(reply_string, "P="); - if(!p){ - printf("Bad reply from server.\n"); - verbose = overbose; - set_command_prot(save); - code = -1; - return; - } - name = p + 2; - for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++); - *p = 0; - - snprintf(buf, sizeof(buf), "Password for %s:", name); - if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0)) - *passwd = '\0'; - des_string_to_key (passwd, &key); - - des_key_sched(&key, schedule); - - des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat, - tkt.length, - schedule, &key, DES_DECRYPT); - if (strcmp ((char*)tktcopy.dat + 8, - KRB_TICKET_GRANTING_TICKET) != 0) { - afs_string_to_key (passwd, krb_realmofhost(hostname), &key); - des_key_sched (&key, schedule); - des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat, - tkt.length, - schedule, &key, DES_DECRYPT); - } - memset(key, 0, sizeof(key)); - memset(schedule, 0, sizeof(schedule)); - memset(passwd, 0, 
sizeof(passwd)); - if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) { - printf("Out of memory base64-encoding.\n"); - set_command_prot(save); - code = -1; - return; - } - memset (tktcopy.dat, 0, tktcopy.length); - ret = command("SITE KAUTH %s %s", name, p); - free(p); - set_command_prot(save); - if(ret != COMPLETE){ - code = -1; - return; - } - code = 0; -} - -void -kdestroy(int argc, char **argv) -{ - int ret; - if (argc != 1) { - printf("usage: %s\n", argv[0]); - code = -1; - return; - } - ret = command("SITE KDESTROY"); - code = (ret == COMPLETE); -} - -void -krbtkfile(int argc, char **argv) -{ - int ret; - if(argc != 2) { - printf("usage: %s tktfile\n", argv[0]); - code = -1; - return; - } - ret = command("SITE KRBTKFILE %s", argv[1]); - code = (ret == COMPLETE); -} -#endif - -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) void afslog(int argc, char **argv) diff --git a/appl/ftp/ftp/security.c b/appl/ftp/ftp/security.c index c1928c6b2..77ed2f030 100644 --- a/appl/ftp/ftp/security.c +++ b/appl/ftp/ftp/security.c @@ -90,9 +90,6 @@ name_to_level(const char *name) static struct sec_server_mech *mechs[] = { #ifdef KRB5 &gss_server_mech, -#endif -#ifdef KRB4 - &krb4_server_mech, #endif NULL }; @@ -104,9 +101,6 @@ static struct sec_server_mech *mech; static struct sec_client_mech *mechs[] = { #ifdef KRB5 &gss_client_mech, -#endif -#ifdef KRB4 - &krb4_client_mech, #endif NULL }; diff --git a/appl/ftp/ftpd/Makefile.am b/appl/ftp/ftpd/Makefile.am index a412cf8c7..cc0ad840f 100644 --- a/appl/ftp/ftpd/Makefile.am +++ b/appl/ftp/ftpd/Makefile.am @@ -8,9 +8,6 @@ libexec_PROGRAMS = ftpd CHECK_LOCAL = -if KRB4 -krb4_sources = krb4.c -endif if KRB5 krb5_sources = gssapi.c gss_userok.c endif @@ -30,7 +27,7 @@ ftpd_SOURCES = \ $(krb4_sources) \ $(krb5_sources) -EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c +EXTRA_ftpd_SOURCES = kauth.c gssapi.c gss_userok.c $(ftpd_OBJECTS): security.h 
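Review bot: `$(krb4_sources) \` is still listed in ftpd_SOURCES (the context line right above the changed EXTRA_ftpd_SOURCES) although the `krb4_sources =` assignment is removed from the `if KRB4` conditional in the hunk above; automake expands the undefined variable to nothing, so the build still works, but the stale reference and the KRB4 conditional it once depended on remain. Drop the `$(krb4_sources) \` line here, and check appl/ftp/ftp/Makefile.am for the same reference, since its `krb4_sources` assignment is removed by this commit too. `kauth.c` stays in EXTRA_ftpd_SOURCES, which matches the KRB5 code that survives in that file. ftpd_SOURCES starts outside the hunk.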
@@ -38,12 +35,10 @@ security.c: @test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c . security.h: @test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h . -krb4.c: - @test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c . gssapi.c: @test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c . -CLEANFILES = security.c security.h krb4.c gssapi.c +CLEANFILES = security.c security.h gssapi.c man_MANS = ftpd.8 ftpusers.5 diff --git a/appl/ftp/ftpd/ftpcmd.y b/appl/ftp/ftpd/ftpcmd.y index 0c1a9f98e..6ec03d665 100644 --- a/appl/ftp/ftpd/ftpcmd.y +++ b/appl/ftp/ftpd/ftpcmd.y @@ -501,26 +501,7 @@ cmd | SITE SP KAUTH SP STRING CRLF check_login { -#ifdef KRB4 - char *p; - - if(guest) - reply(500, "Can't be done as guest."); - else{ - if($7 && $5 != NULL){ - p = strpbrk($5, " \t"); - if(p){ - *p++ = 0; - kauth($5, p + strspn(p, " \t")); - }else - kauth($5, NULL); - } - } - if($5 != NULL) - free($5); -#else reply(500, "Command not implemented."); -#endif } | SITE SP KLIST CRLF check_login { @@ -529,29 +510,15 @@ cmd } | SITE SP KDESTROY CRLF check_login { -#ifdef KRB4 - if($5) - kdestroy(); -#else reply(500, "Command not implemented."); -#endif } | SITE SP KRBTKFILE SP STRING CRLF check_login { -#ifdef KRB4 - if(guest) - reply(500, "Can't be done as guest."); - else if($7 && $5) - krbtkfile($5); - if($5) - free($5); -#else reply(500, "Command not implemented."); -#endif } | SITE SP AFSLOG CRLF check_login { -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) if(guest) reply(500, "Can't be done as guest."); else if($5) @@ -562,7 +529,7 @@ cmd } | SITE SP AFSLOG SP STRING CRLF check_login { -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) if(guest) reply(500, "Can't be done as guest."); else if($7) diff --git a/appl/ftp/ftpd/ftpd.c b/appl/ftp/ftpd/ftpd.c index a27687a87..3130f0dc9 100644 --- a/appl/ftp/ftpd/ftpd.c +++ b/appl/ftp/ftpd/ftpd.c 
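Review bot: `$5`, the STRING operand of SITE KAUTH, is no longer freed: the removed KRB4 branch ended with `if($5 != NULL) free($5);` and the surviving action is only the 500 reply, so every SITE KAUTH command from a logged-in client now leaks its argument (the old #else branch had the same gap, but it was reached only in KRB4-less builds and is now the sole path). The KRBTKFILE action in the hunk at @@ -529,29 +510,15 @@ has the same problem; its removed lines also contained `if($5) free($5);`. Suggest `reply(500, "Command not implemented."); if($5 != NULL) free($5);` in both actions; KDESTROY takes no STRING and needs nothing. The reply is also sent regardless of the check_login result in `$7`, as the old #else branch did; worth confirming that check_login does not already answer a non-logged-in client, or a second reply goes out. The `cmd` rule begins and ends outside these hunks.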
@@ -271,16 +271,6 @@ main(int argc, char **argv) setprogname (argv[0]); - /* detach from any tickets and tokens */ - { -#ifdef KRB4 - char tkfile[1024]; - snprintf(tkfile, sizeof(tkfile), - "/tmp/ftp_%u", (unsigned)getpid()); - krb_set_tkt_string(tkfile); -#endif - } - if(getarg(args, num_args, argc, argv, &optind)) usage(1); diff --git a/appl/ftp/ftpd/ftpd_locl.h b/appl/ftp/ftpd/ftpd_locl.h index 0bb9402f7..cff3ff3d4 100644 --- a/appl/ftp/ftpd/ftpd_locl.h +++ b/appl/ftp/ftpd/ftpd_locl.h @@ -145,11 +145,7 @@ #include #endif /* KRB5 */ -#ifdef KRB4 -#include -#endif - -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) #include #endif diff --git a/appl/ftp/ftpd/kauth.c b/appl/ftp/ftpd/kauth.c index ad1a48f3d..546461d9d 100644 --- a/appl/ftp/ftpd/kauth.c +++ b/appl/ftp/ftpd/kauth.c 
@@ -35,224 +35,13 @@ RCSID("$Id$"); -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) int do_destroy_tickets = 1; char *k5ccname; #endif -#ifdef KRB4 - -static KTEXT_ST cip; -static unsigned int lifetime; -static time_t local_time; - -static krb_principal pr; - -static int -save_tkt(const char *user, - const char *instance, - const char *realm, - const void *arg, - key_proc_t key_proc, - KTEXT *cipp) -{ - local_time = time(0); - memmove(&cip, *cipp, sizeof(cip)); - return -1; -} - -static int -store_ticket(KTEXT cip) -{ - char *ptr; - des_cblock session; - krb_principal sp; - unsigned char kvno; - KTEXT_ST tkt; - int left = cip->length; - int len; - int kerror; - - ptr = (char *) cip->dat; - - /* extract session key */ - memmove(session, ptr, 8); - ptr += 8; - left -= 8; - - len = strnlen(ptr, left); - if (len == left) - return(INTK_BADPW); - - /* extract server's name */ - strlcpy(sp.name, ptr, sizeof(sp.name)); - ptr += len + 1; - left -= len + 1; - - len = strnlen(ptr, left); - if (len == left) - return(INTK_BADPW); - - /* extract server's instance */ - strlcpy(sp.instance, ptr, sizeof(sp.instance)); - ptr += len + 1; - left -= len + 1; - - len = strnlen(ptr, left); - if (len == left) - return(INTK_BADPW); - - /* extract server's realm */ - strlcpy(sp.realm, ptr, sizeof(sp.realm)); - ptr += len + 1; - left -= len + 1; - - if(left < 3) - return INTK_BADPW; - /* extract ticket lifetime, server key version, ticket length */ - /* be sure to avoid sign extension on lifetime! */ - lifetime = (unsigned char) ptr[0]; - kvno = (unsigned char) ptr[1]; - tkt.length = (unsigned char) ptr[2]; - ptr += 3; - left -= 3; - - if (tkt.length > left) - return(INTK_BADPW); - - /* extract ticket itself */ - memmove(tkt.dat, ptr, tkt.length); - ptr += tkt.length; - left -= tkt.length; - - /* Here is where the time should be verified against the KDC. 
- * Unfortunately everything is sent in host byte order (receiver - * makes wrong) , and at this stage there is no way for us to know - * which byteorder the KDC has. So we simply ignore the time, - * there are no security risks with this, the only thing that can - * happen is that we might receive a replayed ticket, which could - * at most be useless. - */ - -#if 0 - /* check KDC time stamp */ - { - time_t kdc_time; - - memmove(&kdc_time, ptr, sizeof(kdc_time)); - if (swap_bytes) swap_u_long(kdc_time); - - ptr += 4; - - if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) { - return(RD_AP_TIME); /* XXX should probably be better - code */ - } - } -#endif - - /* initialize ticket cache */ - - if (tf_create(TKT_FILE) != KSUCCESS) - return(INTK_ERR); - - if (tf_put_pname(pr.name) != KSUCCESS || - tf_put_pinst(pr.instance) != KSUCCESS) { - tf_close(); - return(INTK_ERR); - } - - - kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session, - lifetime, kvno, &tkt, local_time); - tf_close(); - - return(kerror); -} - -void -kauth(char *principal, char *ticket) -{ - char *p; - int ret; - - if(get_command_prot() != prot_private) { - reply(500, "Request denied (bad protection level)"); - return; - } - ret = krb_parse_name(principal, &pr); - if(ret){ - reply(500, "Bad principal: %s.", krb_get_err_text(ret)); - return; - } - if(pr.realm[0] == 0) - krb_get_lrealm(pr.realm, 1); - - if(ticket){ - cip.length = base64_decode(ticket, &cip.dat); - if(cip.length == -1){ - reply(500, "Failed to decode data."); - return; - } - ret = store_ticket(&cip); - if(ret){ - reply(500, "Kerberos error: %s.", krb_get_err_text(ret)); - memset(&cip, 0, sizeof(cip)); - return; - } - do_destroy_tickets = 1; - - if(k_hasafs()) - krb_afslog(0, 0); - reply(200, "Tickets will be destroyed on exit."); - return; - } - - ret = krb_get_in_tkt (pr.name, - pr.instance, - pr.realm, - KRB_TICKET_GRANTING_TICKET, - pr.realm, - DEFAULT_TKT_LIFE, - NULL, save_tkt, NULL); - if(ret != INTK_BADPW){ - reply(500, 
"Kerberos error: %s.", krb_get_err_text(ret)); - return; - } - if(base64_encode(cip.dat, cip.length, &p) < 0) { - reply(500, "Out of memory while base64-encoding."); - return; - } - reply(300, "P=%s T=%s", krb_unparse_name(&pr), p); - free(p); - memset(&cip, 0, sizeof(cip)); -} - - -static char * -short_date(int32_t dp) -{ - char *cp; - time_t t = (time_t)dp; - - if (t == (time_t)(-1L)) return "*** Never *** "; - cp = ctime(&t) + 4; - cp[15] = '\0'; - return (cp); -} - -void -krbtkfile(const char *tkfile) -{ - do_destroy_tickets = 0; - krb_set_tkt_string(tkfile); - reply(200, "Using ticket file %s", tkfile); -} - -#endif /* KRB4 */ - #ifdef KRB5 static void @@ -278,7 +67,7 @@ dest_cc(void) } #endif -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) /* * Only destroy if we created the tickets @@ -288,9 +77,6 @@ void cond_kdestroy(void) { if (do_destroy_tickets) { -#if KRB4 - dest_tkt(); -#endif #if KRB5 dest_cc(); #endif @@ -302,9 +88,6 @@ cond_kdestroy(void) void kdestroy(void) { -#if KRB4 - dest_tkt(); -#endif #if KRB5 dest_cc(); #endif @@ -336,9 +119,6 @@ afslog(const char *cell, int quiet) krb5_cc_close (context, id); krb5_free_context (context); } -#endif -#ifdef KRB4 - krb_afslog(cell, 0); #endif if (!quiet) reply(200, "afslog done"); @@ -357,4 +137,4 @@ afsunlog(void) #else int ftpd_afslog_placeholder; -#endif /* KRB4 || KRB5 */ +#endif /* KRB5 */ diff --git a/appl/ftp/ftpd/ls.c b/appl/ftp/ftpd/ls.c index 3c2a41d51..36ee31fce 100644 --- a/appl/ftp/ftpd/ls.c +++ b/appl/ftp/ftpd/ls.c @@ -405,14 +405,14 @@ find_log10(int num) * have to fetch them. */ -#ifdef KRB4 +#ifdef KRB5 static int do_the_afs_dance = 1; #endif static int lstat_file (const char *file, struct stat *sb) { -#ifdef KRB4 +#ifdef KRB5 if (do_the_afs_dance && k_hasafs() && strcmp(file, ".") @@ -494,7 +494,7 @@ lstat_file (const char *file, struct stat *sb) return 0; } -#endif /* KRB4 */ +#endif /* KRB5 */ return lstat (file, sb); }
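Review bot: `do_destroy_tickets` keeps its initializer of 1 under `#if defined(KRB5)`, but the hunk removes krbtkfile(), which was the only writer in view that cleared it; unless the KRB5 code between lines 46 and 67 (outside the hunk) also assigns it, cond_kdestroy() will now always destroy the credential cache on exit. That may well be the intent now that a client can no longer point ftpd at a pre-existing ticket file, but it deserves a comment on the declaration, e.g. `/* cleared only when the session reuses an existing credential cache; see cond_kdestroy() */` — adjust to whatever the KRB5 code actually does. The surviving `char *k5ccname;` is a non-static global with no note on who sets or frees the string; a one-line comment there would help too. The rest of the KRB5 block is outside this hunk.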
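Review bot: After dropping the `#if KRB4 dest_tkt(); #endif` lines, the body of cond_kdestroy() is `if (do_destroy_tickets) { #if KRB5 dest_cc(); #endif` inside a block that is already guarded by `#if defined(KRB5)` (hunk at @@ -278,7 +67,7 @@), so the inner `#if KRB5`/`#endif` pair is redundant and can go, leaving `if (do_destroy_tickets) { dest_cc();`. The same nested guard survives in kdestroy() in the hunk at @@ -302,9 +88,6 @@. The inner test is `#if KRB5` (value) while the outer is `#if defined(KRB5)` (definition): should configure ever define KRB5 as 0 rather than 1, the outer block still compiles but the dest_cc() call disappears and the credential cache is quietly never destroyed, which is a further reason to remove the inner guard. Both functions end outside their hunks.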
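Review bot: Switching the guard on `do_the_afs_dance` and lstat_file() from `#ifdef KRB4` to `#ifdef KRB5` is a behaviour change, not just cleanup: the AFS-aware lstat path was previously compiled only into KRB4 builds and now runs in every KRB5 build of ftpd. The body of lstat_file() between the two hunks (lines 419–493) is not shown; the visible context uses only k_hasafs() and strcmp(), and the change is correct only if the rest of that body is likewise pure libkafs/libc and relies on nothing from the removed KRB4 API, which is worth confirming before merge. A short comment at the `#ifdef KRB5` line, e.g. `/* AFS-aware lstat: compiled whenever libkafs is available (KRB5 builds) */`, would record the new condition. lstat_file() begins in the first hunk and ends in the second; the middle is outside view.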