oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

new program

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6486 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
1999-07-22 11:36:30 +00:00
parent cb5dfa1f84
commit aef43355c9
4 changed files with 795 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
appl/kf/Makefile.am Normal file
View File

@@ -0,0 +1,14 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
noinst_PROGRAMS = kf kfd
kf_SOURCES = kf.c kf_locl.h
kfd_SOURCES = kfd.c kf_locl.h
LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/des/libdes.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken)

363
appl/kf/kf.c Normal file
View File

@@ -0,0 +1,363 @@
/*
* Copyright (c) 1997 - 1999 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Kungliga Tekniska
* H<>gskolan and its contributors.
*
* 4. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kf_locl.h"
RCSID("$Id$");
krb5_context context;
static int help_flag;
static int version_flag;
static char *port_str;
char *service = SERVICE;
char *remote_name=NULL;
int forwardable=0;
char *tk_file=NULL;
static struct getargs args[] = {
{ "port", 'p', arg_string, &port_str, "port to connect to", "port" },
{ "login", 'l',arg_string, &remote_name,"remote login name","login"},
{ "tkfile", 't',arg_string, &tk_file,"remote ticket file","tkfile"},
{ "forwardable",'F',arg_flag,&forwardable,
"Forward forwardable credentials", NULL },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 0, arg_flag, &version_flag }
};
static int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int code, struct getargs *args, int num_args)
{
arg_printusage(args, num_args, NULL, "hosts");
exit(code);
}
static int
client_setup(krb5_context *context, int *argc, char **argv)
{
int optind;
int port = 0;
optind = krb5_program_setup(context, *argc, argv, args, num_args, usage);
if(help_flag)
(*usage)(0, args, num_args);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(port_str){
struct servent *s = roken_getservbyname(port_str, "tcp");
if(s)
port = s->s_port;
else {
char *ptr;
port = strtol (port_str, &ptr, 10);
if (port == 0 && ptr == port_str)
errx (1, "Bad port `%s'", port_str);
port = htons(port);
}
}
if (port == 0)
port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
if(*argc - optind < 1)
usage(1, args, num_args);
*argc=optind;
return port;
}
static int
proto (int sock, const char *hostname, const char *service)
{
struct sockaddr_in remote, local;
int addrlen;
krb5_address remote_addr, local_addr;
krb5_context context;
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal server;
krb5_data data;
krb5_data packet;
krb5_data data_send;
u_int32_t len, net_len;
krb5_ccache ccache;
krb5_creds creds;
krb5_kdc_flags flags;
krb5_principal principal;
struct passwd *pwd;
char ret_string[10];
char buf[1000];
addrlen = sizeof(local);
if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
|| addrlen != sizeof(local))
{warn ("getsockname(%s)", hostname);
return 1;
}
addrlen = sizeof(remote);
if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
|| addrlen != sizeof(remote))
{warn ("getpeername(%s)", hostname);
return 1;
}
status = krb5_init_context(&context);
if (status)
errx (1, "krb5_init_context: %s",
krb5_get_err_text(context, status));
status = krb5_auth_con_init (context, &auth_context);
if (status)
{warn ("krb5_auth_con_init: %s",
krb5_get_err_text(context, status));
return 1;
}
local_addr.addr_type = AF_INET;
local_addr.address.length = sizeof(local.sin_addr);
local_addr.address.data = &local.sin_addr;
remote_addr.addr_type = AF_INET;
remote_addr.address.length = sizeof(remote.sin_addr);
remote_addr.address.data = &remote.sin_addr;
status = krb5_auth_con_setaddrs (context,
auth_context,
&local_addr,
&remote_addr);
if (status)
{warn ("krb5_auth_con_setaddr: %s",
krb5_get_err_text(context, status));
return 1;
}
status = krb5_sname_to_principal (context,
hostname,
service,
KRB5_NT_SRV_HST,
&server);
if (status)
{warn ("krb5_sname_to_principal: %s",
krb5_get_err_text(context, status));
return 1;
}
status = krb5_sendauth (context,
&auth_context,
&sock,
VERSION,
NULL,
server,
AP_OPTS_MUTUAL_REQUIRED,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL);
if (status)
{warn("krb5_sendauth: %s",
krb5_get_err_text(context, status));
return 1;
}
if (remote_name == NULL)
{
pwd = getpwuid (getuid());
if (pwd == NULL)
errx (1, "who are you?");
remote_name=pwd->pw_name;
}
krb5_data_zero(&data_send);
data_send.data=remote_name;
data_send.length=strlen(remote_name) + 1;
status=krb5_write_message(context,&sock,&data_send);
if (status)
{err(1,"krb5_write_message");
}
if (tk_file) snprintf (buf, sizeof(buf), "%s", tk_file);
else snprintf (buf, sizeof(buf), "");
data_send.data=buf;
data_send.length=strlen(buf)+1;
status=krb5_write_message(context,&sock,&data_send);
if (status)
{err(1,"krb5_write_message");
}
memset (&creds, 0, sizeof(creds));
status = krb5_cc_default (context, &ccache);
if (status) {
warn ("could not forward creds: krb5_cc_default: %s",
krb5_get_err_text (context, status));
}
status = krb5_cc_get_principal (context, ccache, &principal);
if (status) {
warn ("could not forward creds: krb5_cc_get_principal: %s",
krb5_get_err_text (context, status));
return 1;
}
creds.client = principal;
status = krb5_build_principal (context,
&creds.server,
strlen(principal->realm),
principal->realm,
"krbtgt",
principal->realm,
NULL);
if (status) {
warn ("could not forward creds: krb5_build_principal: %s",
krb5_get_err_text (context, status));
return 1;
}
creds.times.endtime = 0;
flags.i = 0;
flags.b.forwarded = 1;
flags.b.forwardable = forwardable;
status = krb5_get_forwarded_creds (context,
auth_context,
ccache,
flags.i,
hostname,
&creds,
&data);
if (status) {
warn ("could not forward creds: krb5_get_forwarded_creds: %s",
krb5_get_err_text (context, status));
return 1;
}
status = krb5_mk_priv (context,
auth_context,
&data,
&packet,
NULL);
if (status)
{warn ("krb5_mk_priv: %s",
krb5_get_err_text(context, status));
return 1;}
len = packet.length;
net_len = htonl(len);
if (krb5_net_write (context, &sock, &net_len, 4) != 4)
{warn("krb5_net_write");
return 1;}
if (krb5_net_write (context, &sock, packet.data, len) != len)
{warn ("krb5_net_write");
return 1;}
krb5_data_free (&data);
if (krb5_net_read (context, &sock, &net_len, 4) != 4)
err (1, "krb5_net_read");
len = ntohl(net_len);
if (krb5_net_read (context, &sock, ret_string, len) != len)
err (1, "krb5_net_read");
return(strcmp(ret_string,"ok"));
}
static int
doit (const char *hostname, int port, const char *service)
{
struct in_addr **h;
struct hostent *hostent;
hostent = roken_gethostbyname (hostname);
if (hostent == NULL)
{warn ("gethostbyname '%s' failed: %s",
hostname,
hstrerror(h_errno));
return 1;
}
for (h = (struct in_addr **)hostent->h_addr_list;
*h != NULL;
++h) {
struct sockaddr_in addr;
int s;
memset (&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = port;
addr.sin_addr = **h;
s = socket (AF_INET, SOCK_STREAM, 0);
if (s < 0)
err (1, "socket");
if (connect (s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
warn ("connect(%s)", hostname);
close (s);
continue;
}
return proto (s, hostname, service);
}
return 1;
}
int
main(int argc, char **argv)
{ int argcc,port,i;
int ret=0;
argcc=argc;
port=client_setup(&context, &argcc, argv);
for (i=argcc;i<argc;i++)
{ret=doit (argv[i], port, service);
printf("%s:%s\n",argv[i],ret ? "failed" : "ok");
}
return(ret);
}

85
appl/kf/kf_locl.h Normal file
View File

@@ -0,0 +1,85 @@
/*
* Copyright (c) 1997 - 1999 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Kungliga Tekniska
* H<>gskolan and its contributors.
*
* 4. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdarg.h>
#include <ctype.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_IN6_H
#include <netinet/in6.h>
#endif
#ifdef HAVE_NETINET6_IN6_H
#include <netinet6/in6.h>
#endif
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#include <errno.h>
#include <roken.h>
#include <getarg.h>
#include <err.h>
#include <krb5.h>
#define SERVICE "host"
#define PORT "kf"
#define PORT_NUM 2110

333
appl/kf/kfd.c Normal file
View File

@@ -0,0 +1,333 @@
/*
* Copyright (c) 1997 - 1999 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Kungliga Tekniska
* H<>gskolan and its contributors.
*
* 4. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kf_locl.h"
RCSID("$Id$");
krb5_context context;
static int help_flag;
static int version_flag;
static char *port_str;
char *service = SERVICE;
int do_inetd = 0;
static struct getargs args[] = {
{ "port", 'p', arg_string, &port_str, "port to listen to", "port" },
{ "inetd",'i',arg_flag,&do_inetd,
"Not started from inetd", NULL },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 0, arg_flag, &version_flag }
};
static int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int code, struct getargs *args, int num_args)
{
arg_printusage(args, num_args, NULL, "");
exit(code);
}
static int
server_setup(krb5_context *context, int argc, char **argv)
{
int port = 0;
int local_argc;
local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage);
if(help_flag)
(*usage)(0, args, num_args);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(port_str){
struct servent *s = roken_getservbyname(port_str, "tcp");
if(s)
port = s->s_port;
else {
char *ptr;
port = strtol (port_str, &ptr, 10);
if (port == 0 && ptr == port_str)
errx (1, "Bad port `%s'", port_str);
port = htons(port);
}
}
if (port == 0)
port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
if(argv[local_argc] != NULL)
usage(1, args, num_args);
return port;
}
static void
syslog_and_die (const char *m, ...)
{
va_list args;
va_start(args, m);
vsyslog (LOG_ERR, m, args);
va_end(args);
exit (1);
}
static void
syslog_and_cont (const char *m, ...)
{
va_list args;
va_start(args, m);
vsyslog (LOG_ERR, m, args);
va_end(args);
return;
}
static int
proto (int sock, const char *service)
{
struct sockaddr_in remote, local;
int addrlen;
krb5_address remote_addr, local_addr;
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal server;
krb5_ticket *ticket;
char *name;
char ret_string[10];
char hostname[MAXHOSTNAMELEN];
krb5_data packet;
krb5_data data;
krb5_data remotename;
krb5_data tk_file;
u_int32_t len, net_len;
krb5_ccache ccache;
char ccname[MAXPATHLEN];
struct passwd *pwd;
addrlen = sizeof(local);
if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
|| addrlen != sizeof(local))
syslog_and_die("getsockname: %s",strerror(errno));
addrlen = sizeof(remote);
if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
|| addrlen != sizeof(remote))
syslog_and_die("getpeername: %s",strerror(errno));
status = krb5_auth_con_init (context, &auth_context);
if (status)
syslog_and_die("krb5_auth_con_init: %s",
krb5_get_err_text(context, status));
local_addr.addr_type = AF_INET;
local_addr.address.length = sizeof(local.sin_addr);
local_addr.address.data = &local.sin_addr;
remote_addr.addr_type = AF_INET;
remote_addr.address.length = sizeof(remote.sin_addr);
remote_addr.address.data = &remote.sin_addr;
status = krb5_auth_con_setaddrs (context,
auth_context,
&local_addr,
&remote_addr);
if (status)
syslog_and_die("krb5_auth_con_setaddr: %s",
krb5_get_err_text(context, status));
if(gethostname (hostname, sizeof(hostname)) < 0)
syslog_and_die("gethostname: %s",strerror(errno));
status = krb5_sname_to_principal (context,
hostname,
service,
KRB5_NT_SRV_HST,
&server);
if (status)
syslog_and_die("krb5_sname_to_principal: %s",
krb5_get_err_text(context, status));
status = krb5_recvauth (context,
&auth_context,
&sock,
VERSION,
server,
0,
NULL,
&ticket);
if (status)
syslog_and_die("krb5_recvauth: %s",
krb5_get_err_text(context, status));
status = krb5_unparse_name (context,
ticket->client,
&name);
if (status)
syslog_and_die("krb5_unparse_name: %s",
krb5_get_err_text(context, status));
status=krb5_read_message (context, &sock, &remotename);
if (status)
{syslog_and_die("krb5_read_message: %s",
krb5_get_err_text(context, status));
}
status=krb5_read_message (context, &sock, &tk_file);
if (status)
{syslog_and_die("krb5_read_message: %s",
krb5_get_err_text(context, status));
}
krb5_data_zero (&data);
krb5_data_zero (&packet);
if (krb5_net_read (context, &sock, &net_len, 4) != 4)
syslog_and_die("krb5_net_read: %s",strerror(errno));
len = ntohl(net_len);
krb5_data_alloc (&packet, len);
if (krb5_net_read (context, &sock, packet.data, len) != len)
syslog_and_die("krb5_net_read: %s",strerror(errno));
status = krb5_rd_priv (context,
auth_context,
&packet,
&data,
NULL);
if (status)
{syslog_and_cont("krb5_rd_priv: %s",
krb5_get_err_text(context, status));
goto out;
}
pwd = getpwnam ((char *)(remotename.data));
if (pwd == NULL)
{status=1;
syslog_and_cont("getpwnam: %s failed",(char *)(remotename.data));
goto out;
}
if(!krb5_kuserok (context,
ticket->client,
(char *)(remotename.data)))
{status=1;
syslog_and_cont("krb5_kuserok: permission denied");
goto out;
}
setgid(pwd->pw_gid);
setuid(pwd->pw_uid);
if (tk_file.length != 1)
snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
else
snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u",pwd->pw_uid);
status = krb5_cc_resolve (context, ccname, &ccache);
if (status)
{syslog_and_cont("krb5_cc_resolve: %s",
krb5_get_err_text(context, status));
goto out;
}
status = krb5_cc_initialize (context, ccache, ticket->client);
if (status)
{syslog_and_cont("krb5_cc_initialize: %s",
krb5_get_err_text(context, status));
goto out;
}
status = krb5_rd_cred (context, auth_context, ccache, &data);
krb5_cc_close (context, ccache);
if (status)
{syslog_and_cont("krb5_cc_initialize: %s",
krb5_get_err_text(context, status));
goto out;
}
syslog_and_cont("%s forwarded ticket to %s,%s",
name,
(char *)(remotename.data),ccname);
out:
if (status)
{strcpy(ret_string,"no");
syslog_and_cont("failed");
}
else strcpy(ret_string,"ok");
krb5_data_free (&tk_file);
krb5_data_free (&remotename);
krb5_data_free (&packet);
krb5_data_free (&data);
free(name);
len = strlen(ret_string) + 1;
net_len = htonl(len);
if (krb5_net_write (context, &sock, &net_len, 4) != 4)
return 1;
if (krb5_net_write (context, &sock, ret_string, len) != len)
return 1;
return 0 ;
}
static int
doit (int port, const char *service)
{
if (do_inetd) mini_inetd(port);
return proto (STDIN_FILENO, service);
}
int
main(int argc, char **argv)
{
int port;
int ret;
set_progname (argv[0]);
roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH);
port = server_setup(&context, argc, argv);
ret=doit (port, service);
closelog();
return ret;
}