
New MIT Kerberos V beta, V 1.2.6-beta1.

Cy Schubert 2002-08-20 21:25:23 +00:00
parent 40dfb78e73
commit f48f91879a
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=64717
24 changed files with 912 additions and 0 deletions

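--- a/security/krb5-beta/Makefile
+++ b/security/krb5-beta/Makefile
@@ -0,0 +1,134 @@
+# Ports collection Makefile for: MIT Kerberos V
+# Date created: 6/5/1998
+# Whom: nectar@FreeBSD.org
+#
+# $FreeBSD$
+#
+PORTNAME= krb5
+PORTVERSION= 1.2.6b1
+CATEGORIES= security
+MASTER_SITES= # manual download
+DISTNAME= krb5-1.2.6-beta1
+EXTRACT_SUFX= .tar
+MAINTAINER= cy@FreeBSD.org
+BUILD_DEPENDS= gm4:${PORTSDIR}/devel/m4
+KERBEROSV_URL= http://web.mit.edu/network/kerberos-form.html
+USE_GMAKE= yes
+INSTALLS_SHLIB= yes
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS?= --enable-shared --with-ccopts="${CFLAGS}"
+CONFIGURE_ENV= INSTALL="${INSTALL}"
+MAKE_ARGS= INSTALL="${INSTALL}"
+KRB5_KRB4_COMPAT?= YES
+.if !defined(KRB5_KRB4_COMPAT) || ${KRB5_KRB4_COMPAT} == "NO"
+CONFIGURE_ARGS+= --without-krb4
+.endif
+.if defined(KRB5_HOME)
+PREFIX= ${KRB5_HOME}
+.endif
+RESTRICTED= "Crypto; export-controlled"
+# Set USA_RESIDENT appropriately in /etc/make.conf if you like
+INFO_FILES= krb425.info krb5-admin.info krb5-admin.info-1 \
+krb5-admin.info-2 krb5-admin.info-3 krb5-install.info \
+krb5-install.info-1 krb5-install.info-2 krb5-user.info
+MAN1= krb5-send-pr.1 kpasswd.1 v5passwd.1 klist.1 kinit.1 \
+kdestroy.1 ksu.1 sclient.1 rsh.1 rcp.1 rlogin.1 \
+v4rcp.1 ftp.1 telnet.1 kerberos.1 kvno.1
+MAN5= kdc.conf.5 krb5.conf.5 .k5login.5
+MAN8= krb5kdc.8 kadmin.8 kadmin.local.8 kdb5_util.8 \
+ktutil.8 kadmind.8 kprop.8 kpropd.8 sserver.8 \
+kshd.8 klogind.8 login.krb5.8 ftpd.8 telnetd.8
+WRKSRC= ${WRKDIR}/${DISTNAME}/src
+WANT_HTML?= YES
+HTML_DOC_DIR= ${WRKDIR}/${DISTNAME}/doc
+HTML_DOCS= admin.html install_foot.html user-guide.html \
+admin_foot.html install_toc.html user-guide_foot.html \
+admin_toc.html krb425.html user-guide_toc.html \
+install.html krb425_toc.html
+.if !defined(USA_RESIDENT) || ${USA_RESIDENT} == "YES"
+do-fetch:
+@if [ ! -f ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX} ]; then \
+${ECHO} ""; \
+${ECHO} ">> Kerberos V contains encryption software and is"; \
+${ECHO} " export restricted. If you are not a USA resident,";\
+${ECHO} " then you cannot obtain the Kerberos V sources from";\
+${ECHO} " within the United States."; \
+${ECHO} ""; \
+${ECHO} ">> The Kerberos V sources must be fetched manually."; \
+${ECHO} " Please visit ${KERBEROSV_URL}"; \
+${ECHO} " to download ${DISTNAME}${EXTRACT_SUFX} and place"; \
+${ECHO} " it in ${DISTDIR}. Then run make again."; \
+${FALSE}; \
+fi
+post-extract:
+@${TAR} -C ${WRKDIR} -xzf ${WRKDIR}/${DISTNAME}.tar.gz
+@${RM} ${WRKDIR}/${DISTNAME}.tar.gz ${WRKDIR}/${DISTNAME}.tar.gz.asc
+.if !defined(EXTRACT_PRESERVE_OWNERSHIP)
+@if [ `id -u` = 0 ]; then \
+${CHMOD} -R ug-s,go-w ${WRKDIR}/${DISTNAME}; \
+${CHOWN} -R 0:0 ${WRKDIR}/${DISTNAME}; \
+fi
+.endif
+.endif
+pre-build:
+.if !defined(KRB5_KRB4_COMPAT)
+@${ECHO} "------------------------------------------------------"
+@${ECHO} "Set KRB5_KRB4_COMPAT=NO if you do not want to build "
+@${ECHO} "the KerberosIV compatibility libraries. "
+@${ECHO} "------------------------------------------------------"
+.endif
+post-build:
+@(cd ${WRKSRC}/../doc && \
+${MAKE} ${INFO_FILES})
+.include <bsd.port.pre.mk>
+post-install:
+# html documentation
+.if defined(WANT_HTML) && ${WANT_HTML} == "YES"
+@${MKDIR} ${PREFIX}/share/doc/krb5
+.for html in ${HTML_DOCS}
+${INSTALL_MAN} ${HTML_DOC_DIR}/${html} ${PREFIX}/share/doc/krb5
+.endfor
+.endif
+# handle info files
+.for info in ${INFO_FILES}
+${INSTALL_MAN} ${WRKSRC}/../doc/${info} ${PREFIX}/info/${info}
+.endfor
+.for info in ${INFO_FILES:M*.info}
+install-info ${PREFIX}/info/${info} ${PREFIX}/info/dir
+.endfor
+# fixup packing list (no libs without version numbers in aout case)
+.if ${PORTOBJFORMAT} == "aout"
+${ECHO_MSG} "Fixing packing list for a.out"
+${MV} ${TMPPLIST} ${TMPPLIST}.new
+${GREP} -v '\.so$$' ${TMPPLIST}.new > ${TMPPLIST}
+${RM} ${TMPPLIST}.new
+.endif
+@${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR}/README.FreeBSD > ${PREFIX}/share/doc/krb5/README.FreeBSD
+@${CHMOD} 444 ${PREFIX}/share/doc/krb5/README.FreeBSD
+@${ECHO} "------------------------------------------------------"
+@${ECHO} "This port of MIT Kerberos 5 includes remote login "
+@${ECHO} "daemons (telnetd and klogind). These daemons default "
+@${ECHO} "to using the system login program (/usr/bin/login). "
+@${ECHO} "Please see the file "
+@${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD"
+@${ECHO} "for more information. "
+@${ECHO} "------------------------------------------------------"
+.include <bsd.port.post.mk>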
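Review bot: post-extract deletes `${WRKDIR}/${DISTNAME}.tar.gz.asc` without ever checking it, so the detached signature shipped inside the outer tar is discarded and the only integrity check on a manually downloaded distfile (obtained via the `http://` page in KERBEROSV_URL) is the single MD5 line added elsewhere in this commit. A comment above the `${RM}` line such as `# .asc is not verified here; integrity rests on the distinfo checksum of the outer tar` would make that trust decision explicit. Separately, post-extract sits inside the `.if !defined(USA_RESIDENT) || ${USA_RESIDENT} == "YES"` block together with do-fetch, so with any other value the inner tar.gz is presumably never unpacked and WRKSRC would not exist; moving the target below the `.endif` looks like the intent.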


@ -0,0 +1 @@
MD5 (krb5-1.2.6-beta1.tar) = 3705b8c989a15a3c706c53dd83972711


@ -0,0 +1,32 @@
The MIT KRB5 port provides its own login program at
${PREFIX}/sbin/login.krb5. However, login.krb5 does not make use of
the FreeBSD login.conf and login.access files that provide a means of
setting up and controlling sessions under FreeBSD. To overcome this,
the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
interactive login password authentication instead of the login.krb5
program provided by MIT KRB5. The FreeBSD /usr/bin/login program does
not have support for Kerberos V password authentication,
e.g. authentication at the console. The pam_krb5 port must be used to
provide Kerberos V password authentication.
For more information about pam_krb5, please see pam(8) and pam_krb5(8).
If you wish to use login.krb5 that is provided by the MIT KRB5 port,
the arguments "-L ${PREFIX}/sbin/login.krb5" must be
specified as arguments to klogind and KRB5 telnetd, e.g.
klogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -L ${PREFIX}/sbin/login.krb5
eklogin stream tcp nowait root ${PREFIX}/sbin/klogind klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
telnet stream tcp nowait root ${PREFIX}/sbin/telnetd telnetd -a none -L ${PREFIX}/sbin/login.krb5
Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
of the FreeBSD provided /usr/bin/login for local tty logins,
"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
default:\
:cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
:if=/etc/issue:\
:lo=${PREFIX}/sbin/login.krb5:
It is recommended that the FreeBSD /usr/bin/login be used with the
pam_krb5 port instead of the MIT KRB5 provided login.krb5.


@ -0,0 +1,13 @@
--- ../doc/admin.texinfo Fri Feb 6 21:40:56 1998
+++ admin.texinfo Fri Jun 19 15:13:45 1998
@@ -5,6 +5,10 @@
@c guide
@setfilename krb5-admin.info
@settitle Kerberos V5 System Administrator's Guide
+@dircategory Kerberos V5
+@direntry
+* Admin Guide: (krb5-admin). Kerberos V5 System Admin's Guide
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,13 @@
--- ../doc/user-guide.texinfo Fri Feb 6 21:40:58 1998
+++ user-guide.texinfo Fri Jun 19 15:13:45 1998
@@ -3,6 +3,10 @@
@c guide
@setfilename krb5-user.info
@settitle Kerberos V5 UNIX User's Guide
+@dircategory Kerberos V5
+@direntry
+* User's Guide: (krb5-user). Kerberos V5 UNIX User's Guide
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,13 @@
--- ../doc/install.texinfo Fri Feb 6 21:40:56 1998
+++ install.texinfo Fri Jun 19 15:13:45 1998
@@ -5,6 +5,10 @@
@c guide
@setfilename krb5-install.info
@settitle Kerberos V5 Installation Guide
+@dircategory Kerberos V5
+@direntry
+* Installation Guide: (krb5-install). Kerberos V5 Installation Guide
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,13 @@
--- ../doc/krb425.texinfo Fri Feb 6 21:40:57 1998
+++ krb425.texinfo Fri Jun 19 15:13:45 1998
@@ -5,6 +5,10 @@
@c guide
@setfilename krb425.info
@settitle Upgrading to Kerberos V5 from Kerberos V4
+@dircategory Kerberos V5
+@direntry
+* Upgrading from V4 to V5: (krb425). Upgrading from Kerberos V4 to V5
+@end direntry
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper


@ -0,0 +1,28 @@
--- appl/gssftp/ftpd/ftpd.c.orig Wed Jan 9 14:26:51 2002
+++ appl/gssftp/ftpd/ftpd.c Thu Jan 10 19:00:13 2002
@@ -487,7 +487,13 @@
#ifndef LOG_DAEMON
#define LOG_DAEMON 0
#endif
- openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_DAEMON);
+
+#ifndef LOG_FTP
+#define FACILITY LOG_DAEMON
+#else
+#define FACILITY LOG_FTP
+#endif
+ openlog("ftpd", LOG_PID | LOG_NDELAY, FACILITY);
addrlen = sizeof (his_addr);
if (getpeername(0, (struct sockaddr *)&his_addr, &addrlen) < 0) {
@@ -2312,6 +2318,10 @@
if ((length = krb_mk_safe((u_char *)&cksum, out_buf, sizeof(cksum),
&kdata.session,&ctrl_addr, &his_addr)) == -1) {
secure_error("ADAT: krb_mk_safe failed");
+ return(0);
+ }
+ if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
+ secure_error("ADAT: reply too long");
return(0);
}
if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
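Review bot: The second hunk's added `if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3)` test is identical to the trailing context line directly after it, so once the patch is applied the same bound is checked twice in a row and the second copy can never fire. That suggests the 1.2.6-beta1 source already carries this length check and the hunk was carried forward from an older version of the port; if so, the hunk can be dropped and only the LOG_FTP facility change kept. The enclosing function starts and ends outside the hunk, so this should be confirmed against the full file.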


@ -0,0 +1,19 @@
*** appl/gssftp/ftpd/logwtmp.c.ORIG Fri Feb 6 19:41:25 1998
--- appl/gssftp/ftpd/logwtmp.c Tue Jun 30 19:46:01 1998
***************
*** 66,72 ****
struct stat buf;
time_t time();
! if (fd < 0 && (fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) < 0)
return;
if (fstat(fd, &buf) == 0) {
(void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));
--- 66,72 ----
struct stat buf;
time_t time();
! if (fd < 0 && (fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0)
return;
if (fstat(fd, &buf) == 0) {
(void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));


@ -0,0 +1,11 @@
--- appl/bsd/Makefile.in.orig Wed Feb 28 14:06:43 2001
+++ appl/bsd/Makefile.in Mon Dec 31 21:52:45 2001
@@ -28,7 +28,7 @@
-DUCB_RSH=\"$(UCB_RSH)\" -DUCB_RCP=\"$(UCB_RCP)\"
DEFINES = $(RSH) $(BSD) $(RPROGS) \
- -DLOGIN_PROGRAM=\"$(SERVER_BINDIR)/login.krb5\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
+ -DLOGIN_PROGRAM=\"/usr/bin/login\" -DKPROGDIR=\"$(CLIENT_BINDIR)\"
all:: rsh rcp rlogin kshd klogind login.krb5 $(V4RCP)
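Review bot: `-DLOGIN_PROGRAM=\"/usr/bin/login\"` hard-codes the program klogind hands the session to (the telnetd Makefile.in patch in this commit does the same in `AUTH_DEF`), and the README added here states that this program does no Kerberos V password authentication unless pam_krb5 is set up. A short comment kept with the port, e.g. `# daemons exec the base-system login; Kerberos password logins need pam_krb5, or -L ${PREFIX}/sbin/login.krb5`, would keep that dependency next to the define. Passing the path in through a make variable that defaults to `/usr/bin/login` would also avoid editing two patches if the default ever has to change.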


@ -0,0 +1,34 @@
--- appl/bsd/klogind.M.orig Wed Feb 28 14:06:43 2001
+++ appl/bsd/klogind.M Mon Dec 31 21:22:27 2001
@@ -14,6 +14,7 @@
]
[
[ \fB\-w\fP[\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]] ]
+[\fB\-L\fP \fIloginpath\fP]
.SH DESCRIPTION
.I Klogind
is the server for the
@@ -107,6 +108,10 @@
Beta5 (May 1995)--present bogus checksums that prevent Kerberos
authentication from succeeding in the default mode.
+.IP \fB\-L\ loginpath\fP
+Specify pathname to an alternative login program. Default: /usr/bin/login.
+KRB5_HOME/sbin/login.krb5 may be specified.
+
.PP
If the
@@ -157,12 +162,6 @@
.IP \fB\-M\ realm\fP
Set the Kerberos realm to use.
-
-.IP \fB\-L\ login\fP
-Set the login program to use. This option only has an effect if
-DO_NOT_USE_K_LOGIN was not defined when
-.I klogind
-was compiled.
.SH DIAGNOSTICS
All diagnostic messages are returned on the connection
associated with the


@ -0,0 +1,11 @@
--- appl/telnet/telnetd/Makefile.in.orig Wed Feb 28 14:06:51 2001
+++ appl/telnet/telnetd/Makefile.in Mon Dec 31 21:51:19 2001
@@ -24,7 +24,7 @@
# @(#)Makefile.generic 5.5 (Berkeley) 3/1/91
#
-AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
+AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -ULOGIN_CAP_F -DLOGIN_PROGRAM=\"/usr/bin/login\"
OTHERDEFS=-DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
LOCALINCLUDES=-I.. -I$(srcdir)/..
DEFINES = $(AUTH_DEF) $(OTHERDEFS)


@ -0,0 +1,22 @@
--- appl/telnet/telnetd/telnetd.8.orig Wed Feb 28 14:06:51 2001
+++ appl/telnet/telnetd/telnetd.8 Mon Dec 31 21:16:55 2001
@@ -43,7 +43,7 @@
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
[\fB\-S\fP \fItos\fP] [\fB\-U\fP] [\fB\-X\fP \fIauthtype\fP]
[\fB\-w\fP [\fBip\fP|\fImaxhostlen\fP[\fB,\fP[\fBno\fP]\fBstriplocal\fP]]]
-[\fB\-debug\fP [\fIport\fP]]
+[\fB\-debug\fP] [\fB\-L\fP \fIloginpath\fP] [\fIport\fP]
.SH DESCRIPTION
The
.B telnetd
@@ -221,6 +221,10 @@
in response to a
.SM DO TIMING-MARK)
for kludge linemode support.
+.TP
+\fB\-L\fP \fIloginpath\fP
+Specify pathname to an alternative login program. Default: /usr/bin/login.
+KRB5_HOME/sbin/login.krb5 may be specified.
.TP
.B \-l
Specifies line mode. Tries to force clients to use line-at-a-time


@ -0,0 +1,38 @@
--- appl/telnet/telnetd/utility.c.orig Wed Jan 9 14:26:59 2002
+++ appl/telnet/telnetd/utility.c Fri Jan 11 13:10:33 2002
@@ -408,18 +408,25 @@
int
netwrite(const char *buf, size_t len)
{
- size_t remain;
+ int remaining, copied;
+
+ remaining = BUFSIZ - (nfrontp - netobuf);
+ while (len > 0) {
+ /* Free up enough space if the room is too low*/
+ if ((len > BUFSIZ ? BUFSIZ : len) > remaining) {
+ netflush();
+ remaining = BUFSIZ - (nfrontp - netobuf);
+ }
- remain = sizeof(netobuf) - (nfrontp - netobuf);
- if (remain < len) {
- netflush();
- remain = sizeof(netobuf) - (nfrontp - netobuf);
+ /* Copy out as much as will fit */
+ copied = remaining > len ? len : remaining;
+ memmove(nfrontp, buf, copied);
+ nfrontp += copied;
+ len -= copied;
+ remaining -= copied;
+ buf += copied;
}
- if (remain < len)
- return 0;
- memcpy(nfrontp, buf, len);
- nfrontp += len;
- return len;
+ return copied;
}
/*
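Review bot: `return copied;` returns only the size of the last chunk rather than the number of bytes queued, and it is uninitialised when `len` is 0 on entry, so a caller comparing the result with `len` will misread any write that needed a flush. `remaining` and `copied` are `int` but are compared with the `size_t` `len`, and the loop has no exit if `netflush()` frees no space (`copied` is then 0 and `len` never shrinks). The bound also changed from `sizeof(netobuf)` to `BUFSIZ`, which is only safe if netobuf is declared with exactly that size; the declaration is not visible here. A version that keeps `sizeof(netobuf)`, uses `size_t` throughout and returns the running total is sketched below.

```c
int
netwrite(const char *buf, size_t len)
{
    size_t remaining, copied, total = 0;

    remaining = sizeof(netobuf) - (nfrontp - netobuf);
    while (len > 0) {
        /* Free up space when the next chunk does not fit */
        if ((len > sizeof(netobuf) ? sizeof(netobuf) : len) > remaining) {
            netflush();
            remaining = sizeof(netobuf) - (nfrontp - netobuf);
        }
        if (remaining == 0)
            break;  /* flush made no room: report a short write */

        /* Copy out as much as will fit */
        copied = remaining > len ? len : remaining;
        memmove(nfrontp, buf, copied);
        nfrontp += copied;
        buf += copied;
        len -= copied;
        remaining -= copied;
        total += copied;
    }
    return (int)total;
}
```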


@ -0,0 +1,199 @@
--- clients/ksu/main.c.orig Wed Feb 28 14:06:55 2001
+++ clients/ksu/main.c Thu Sep 6 16:21:46 2001
@@ -31,6 +31,10 @@
#include <sys/wait.h>
#include <signal.h>
+#ifdef LOGIN_CAP
+#include <login_cap.h>
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -60,7 +64,7 @@
ill specified arguments to commands */
void usage (){
- fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
+ fprintf(stderr, "Usage: %s [target user] [-m] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
}
/* for Ultrix and friends ... */
@@ -76,6 +80,7 @@
int argc;
char ** argv;
{
+int asme = 0;
int hp =0;
int some_rest_copy = 0;
int all_rest_copy = 0;
@@ -90,6 +95,7 @@
char * cc_target_tag = NULL;
char * target_user = NULL;
char * source_user;
+char * source_shell;
krb5_ccache cc_source = NULL;
const char * cc_source_tag = NULL;
@@ -118,6 +124,11 @@
char * dir_of_cc_target;
char * dir_of_cc_source;
+#ifdef LOGIN_CAP
+login_cap_t *lc;
+int setwhat;
+#endif
+
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
options.rlife =0;
@@ -181,7 +192,7 @@
com_err (prog_name, errno, "while setting euid to source user");
exit (1);
}
- while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
+ while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkmql:e:")) != -1)){
switch (option) {
case 'r':
options.opt |= KDC_OPT_RENEWABLE;
@@ -227,6 +238,9 @@
errflg++;
}
break;
+ case 'm':
+ asme = 1;
+ break;
case 'n':
if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
com_err(prog_name, retval, "when parsing name %s", optarg);
@@ -341,6 +355,7 @@
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
+ source_shell = xstrdup(pwd->pw_shell);
source_uid = pwd->pw_uid;
source_gid = pwd->pw_gid;
@@ -668,43 +683,64 @@
/* get the shell of the user, this will be the shell used by su */
target_pwd = getpwnam(target_user);
- if (target_pwd->pw_shell)
- shell = xstrdup(target_pwd->pw_shell);
- else {
- shell = _DEF_CSH; /* default is cshell */
- }
+ if (asme) {
+ if (source_shell && *source_shell) {
+ shell = strdup(source_shell);
+ } else {
+ shell = _DEF_CSH;
+ }
+ } else {
+ if (target_pwd->pw_shell)
+ shell = strdup(target_pwd->pw_shell);
+ else {
+ shell = _DEF_CSH; /* default is cshell */
+ }
+ }
#ifdef HAVE_GETUSERSHELL
/* insist that the target login uses a standard shell (root is omited) */
- if (!standard_shell(target_pwd->pw_shell) && source_uid) {
- fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
+ if (asme) {
+ if (!standard_shell(pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ } else {
+ if (!standard_shell(target_pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
}
#endif /* HAVE_GETUSERSHELL */
- if (target_pwd->pw_uid){
-
- if(set_env_var("USER", target_pwd->pw_name)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- }
+ if (!asme) {
+ if (target_pwd->pw_uid){
+ if (set_env_var("USER", target_pwd->pw_name)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
- if(set_env_var( "HOME", target_pwd->pw_dir)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ if (set_env_var( "HOME", target_pwd->pw_dir)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
- if(set_env_var( "SHELL", shell)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ if (set_env_var( "SHELL", shell)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+#ifdef LOGIN_CAP
+ lc = login_getpwclass(pwd);
+#endif
/* set the cc env name to target */
@@ -714,7 +750,18 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
-
+#ifdef LOGIN_CAP
+ setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
+ setwhat |= LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV;
+ /*
+ * Don't touch resource/priority settings if -m has been
+ * used or -l and -c hasn't, and we're not su'ing to root.
+ */
+ if (target_pwd->pw_uid)
+ setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
+ if (setusercontext(lc, target_pwd, target_pwd->pw_uid, setwhat) < 0)
+ err(1, "setusercontext");
+#else
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -754,7 +801,8 @@
perror("ksu: setuid");
sweep_up(ksu_context, cc_target);
exit(1);
- }
+ }
+#endif
if (access( cc_target_tag_tmp, R_OK | W_OK )){
com_err(prog_name, errno,
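Review bot: In the LOGIN_CAP branch, `err(1, "setusercontext")` exits without calling `sweep_up(ksu_context, cc_target)`, unlike the surrounding failure paths, so a failed context switch would leave the target credential cache behind; adding `sweep_up(ksu_context, cc_target);` before the exit would match them. The `-m` shell check and `login_getpwclass(pwd)` both read `pwd` after `target_pwd = getpwnam(target_user)`; if `pwd` also came from a getpw* call (outside these hunks) it may by then describe the target user, so `if (!standard_shell(source_shell) && source_uid) {` is the safer test. The new `strdup()` calls replace `xstrdup()` and their result is not checked for NULL. The comment about `-m`, `-l` and `-c` does not match the condition `if (target_pwd->pw_uid)` beneath it and should be reworded. main() starts and ends outside these hunks.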


@ -0,0 +1,14 @@
*** include/sys/syslog.h.ORIG Fri Feb 6 19:42:12 1998
--- include/sys/syslog.h Tue Jun 30 19:46:02 1998
***************
*** 34,39 ****
--- 34,42 ----
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
+ #if (defined(BSD) && (BSD >= 199306))
+ #define LOG_FTP (11<<3) /* ftp daemon */
+ #endif
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */


@ -0,0 +1,15 @@
*** clients/ksu/Makefile.in.ORIG Sun Aug 2 16:51:18 1998
--- clients/ksu/Makefile.in Sun Aug 2 16:53:48 1998
***************
*** 3,7 ****
mydir=ksu
BUILDTOP=$(REL)$(U)$(S)$(U)
! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
--- 3,7 ----
mydir=ksu
BUILDTOP=$(REL)$(U)$(S)$(U)
! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"'
CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)


@ -0,0 +1,11 @@
--- ../doc/Makefile.orig Wed Jan 20 21:57:45 1999
+++ ../doc/Makefile Wed Jan 20 21:59:19 1999
@@ -1,7 +1,7 @@
SRCDIR=../src
DVI=texi2dvi
DVIPS=dvips -o "$@"
-INFO=makeinfo
+INFO=makeinfo --no-validate
HTML=texi2html
RM=rm -f
TAR=tar -chvf


@ -0,0 +1,50 @@
--- util/pty/getpty.c.orig Wed Jan 9 14:28:37 2002
+++ util/pty/getpty.c Thu Jan 10 21:30:40 2002
@@ -24,13 +24,26 @@
#include "libpty.h"
#include "pty-int.h"
+#ifdef __FreeBSD__
+#define PTYCHARS1 "pqrsPQRS"
+#define PTYCHARS2 "0123456789abcdefghijklmnopqrstuv"
+#endif
+
+#ifndef PTYCHARS1
+#define PTYCHARS1 "pqrstuvwxyzPQRST"
+#endif
+
+#ifndef PTYCHARS2
+#define PTYCHARS2 "0123456789abcdef"
+#endif
+
long
ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt)
{
+ int ptynum;
+ char *cp1, *cp2;
#if !defined(HAVE__GETPTY) && !defined(HAVE_OPENPTY)
- char *cp;
char *p;
- int i,ptynum;
struct stat stb;
char slavebuf[1024];
#endif
@@ -115,14 +128,14 @@
strncpy(slave, slavebuf, slavelength);
return 0;
} else {
- for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
+ for (cp1 = PTYCHARS1; *cp1 != '\0'; cp1++) {
sprintf(slavebuf,"/dev/ptyXX");
- slavebuf[sizeof("/dev/pty") - 1] = *cp;
+ slavebuf[sizeof("/dev/pty") - 1] = *cp1;
slavebuf[sizeof("/dev/ptyp") - 1] = '0';
if (stat(slavebuf, &stb) < 0)
break;
- for (i = 0; i < 16; i++) {
- slavebuf[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
+ for (cp2 = PTYCHARS2; *cp2 != '\0'; cp2++) {
+ slavebuf[sizeof("/dev/ptyp") - 1] = *cp2;
*fd = open(slavebuf, O_RDWR);
if (*fd < 0) continue;


@ -0,0 +1,81 @@
--- appl/bsd/login.c.ORIG Wed Oct 13 12:55:47 1999
+++ appl/bsd/login.c Wed Oct 13 12:56:29 1999
@@ -1303,19 +1304,6 @@
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
}
- /* Policy: If local password is good, user is good.
- We really can't trust the Kerberos password,
- because somebody on the net could spoof the
- Kerberos server (not easy, but possible).
- Some sites might want to use it anyways, in
- which case they should change this line
- to:
- if (kpass_ok)
- */
-
- if (lpass_ok)
- break;
-
if (got_v5_tickets) {
if (retval = krb5_verify_init_creds(kcontext, &my_creds, NULL,
NULL, &xtra_creds,
@@ -1338,6 +1326,9 @@
}
#endif /* KRB4_GET_TICKETS */
+ if (lpass_ok)
+ break;
+
bad_login:
setpriority(PRIO_PROCESS, 0, 0 + PRIO_OFFSET);
@@ -1640,20 +1631,28 @@
/* set up credential cache -- obeying KRB5_ENV_CCNAME
set earlier */
/* (KRB5_ENV_CCNAME == "KRB5CCNAME" via osconf.h) */
- if (retval = krb5_cc_default(kcontext, &ccache)) {
+ retval = krb5_cc_default(kcontext, &ccache);
+ if (retval)
com_err(argv[0], retval, "while getting default ccache");
- } else if (retval = krb5_cc_initialize(kcontext, ccache, me)) {
- com_err(argv[0], retval, "when initializing cache");
- } else if (retval = krb5_cc_store_cred(kcontext, ccache, &my_creds)) {
- com_err(argv[0], retval, "while storing credentials");
- } else if (xtra_creds &&
- (retval = krb5_cc_copy_creds(kcontext, xtra_creds,
- ccache))) {
- com_err(argv[0], retval, "while storing credentials");
+ else {
+ retval = krb5_cc_initialize(kcontext, ccache, me);
+ if (retval)
+ com_err(argv[0], retval, "when initializing cache");
+ else {
+ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
+ if (retval)
+ com_err(argv[0], retval, "while storing credentials");
+ else {
+ if (xtra_creds) {
+ retval = krb5_cc_copy_creds(kcontext, xtra_creds,
+ ccache);
+ if (retval)
+ com_err(argv[0], retval, "while storing credentials");
+ krb5_cc_destroy(kcontext, xtra_creds);
+ }
+ }
+ }
}
-
- if (xtra_creds)
- krb5_cc_destroy(kcontext, xtra_creds);
} else if (forwarded_v5_tickets && rewrite_ccache) {
if ((retval = krb5_cc_initialize (kcontext, ccache, me))) {
syslog(LOG_ERR,
@@ -1727,6 +1727,7 @@
if (ccname)
setenv("KRB5CCNAME", ccname, 1);
+ krb5_cc_set_default_name(kcontext, ccname);
setenv("HOME", pwd->pw_dir, 1);
setenv("PATH", LPATH, 1);
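Review bot: The rewritten ccache block only reaches `krb5_cc_destroy(kcontext, xtra_creds)` when `krb5_cc_default`, `krb5_cc_initialize` and `krb5_cc_store_cred` have all succeeded, whereas the removed code destroyed `xtra_creds` whenever it was set; on any of those failures the extra credential cache is now left in place. Keeping `if (xtra_creds) krb5_cc_destroy(kcontext, xtra_creds);` after the nested block restores the old cleanup. In the last hunk the return value of `krb5_cc_set_default_name(kcontext, ccname)` is ignored, and because the page has lost indentation it is not clear whether the call is meant to sit under `if (ccname)`. The enclosing function is outside the hunks.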


@ -0,0 +1,10 @@
--- appl/telnet/telnet/Makefile.in.orig Sat Dec 18 10:47:05 1999
+++ appl/telnet/telnet/Makefile.in Sat Dec 18 10:47:13 1999
@@ -58,7 +58,6 @@
$(INSTALL_DATA) $(srcdir)/$$f.1 \
${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
done
- $(INSTALL_DATA) $(srcdir)/tmac.doc ${DESTDIR}$(CLIENT_MANDIR)/tmac.doc
authenc.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET)
commands.o: defines.h externs.h general.h ring.h types.h $(ARPA_TELNET)


@ -0,0 +1 @@
An authentication system developed at MIT, successor to Kerberos IV


@ -0,0 +1,24 @@
Kerberos V5 is an authentication system developed at MIT.
WWW: http://web.mit.edu/kerberos/www/
Abridged from the User Guide:
Under Kerberos, a client sends a request for a ticket to the
Key Distribution Center (KDC). The KDC creates a ticket-granting
ticket (TGT) for the client, encrypts it using the client's
password as the key, and sends the encrypted TGT back to the
client. The client then attempts to decrypt the TGT, using
its password. If the client successfully decrypts the TGT, it
keeps the decrypted TGT, which indicates proof of the client's
identity. The TGT permits the client to obtain additional tickets,
which give permission for specific services.
Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the internet, it
provides a layer of security that is not dependent on which side of a
firewall either client is on.
The Kerberos V5 package is designed to be easy to use. Most of the
commands are nearly identical to UNIX network programs you are already
used to. Kerberos V5 is a single-sign-on system, which means that you
have to type your password only once per session, and Kerberos does
the authenticating and encrypting transparently.
Jacques Vidrine <n@nectar.com>


@ -0,0 +1,125 @@
@unexec install-info --delete %D/info/krb425.info %D/info/dir
@unexec install-info --delete %D/info/krb5-admin.info %D/info/dir
@unexec install-info --delete %D/info/krb5-install.info %D/info/dir
@unexec install-info --delete %D/info/krb5-user.info %D/info/dir
bin/ftp
bin/gss-client
bin/kdestroy
bin/kinit
bin/klist
bin/kpasswd
bin/krb5-config
bin/krb524init
bin/ksu
bin/kvno
bin/rcp
bin/rlogin
bin/rsh
bin/sclient
bin/sim_client
bin/telnet
bin/uuclient
bin/v4rcp
bin/v5passwd
include/com_err.h
include/gssapi/gssapi.h
include/gssapi/gssapi_generic.h
include/gssapi/gssapi_krb5.h
include/kerberosIV/des.h
include/kerberosIV/kadm.h
include/kerberosIV/krb.h
include/kerberosIV/krb_err.h
include/kerberosIV/mit-copyright.h
include/krb5.h
include/libpty.h
include/mit-sipb-copyright.h
include/port-sockets.h
include/profile.h
info/krb425.info
info/krb5-admin.info
info/krb5-admin.info-1
info/krb5-admin.info-2
info/krb5-admin.info-3
info/krb5-install.info
info/krb5-install.info-1
info/krb5-install.info-2
info/krb5-user.info
lib/libcom_err.a
lib/libcom_err.so
lib/libcom_err.so.3
lib/libdes425.a
lib/libdes425.so
lib/libdes425.so.3
lib/libdyn.a
lib/libdyn.so
lib/libdyn.so.1
lib/libgssapi_krb5.a
lib/libgssapi_krb5.so
lib/libgssapi_krb5.so.2
lib/libgssrpc.a
lib/libgssrpc.so
lib/libgssrpc.so.3
lib/libk5crypto.a
lib/libk5crypto.so
lib/libk5crypto.so.3
lib/libkadm5clnt.a
lib/libkadm5clnt.so
lib/libkadm5clnt.so.5
lib/libkadm5srv.a
lib/libkadm5srv.so
lib/libkadm5srv.so.5
lib/libkdb5.a
lib/libkdb5.so
lib/libkdb5.so.3
lib/libkrb4.a
lib/libkrb4.so
lib/libkrb4.so.2
lib/libkrb5.a
lib/libkrb5.so
lib/libkrb5.so.3
lib/libkrb524.a
lib/libpty.a
lib/libpty.so
lib/libpty.so.1
lib/libss.a
sbin/ftpd
sbin/gss-server
sbin/kadmin
sbin/kadmin.local
sbin/kadmind
sbin/kadmind4
sbin/kdb5_util
sbin/klogind
sbin/kprop
sbin/kpropd
sbin/krb5-send-pr
sbin/krb524d
sbin/krb5kdc
sbin/kshd
sbin/ktutil
sbin/login.krb5
sbin/sim_server
sbin/sserver
sbin/telnetd
sbin/uuserver
sbin/v5passwdd
share/doc/krb5/README.FreeBSD
share/doc/krb5/admin.html
share/doc/krb5/admin_foot.html
share/doc/krb5/admin_toc.html
share/doc/krb5/install.html
share/doc/krb5/install_foot.html
share/doc/krb5/install_toc.html
share/doc/krb5/krb425.html
share/doc/krb5/krb425_toc.html
share/doc/krb5/user-guide.html
share/doc/krb5/user-guide_foot.html
share/doc/krb5/user-guide_toc.html
share/gnats/mit
@dirrm include/gssapi
@dirrm include/kerberosIV
@dirrm share/doc/krb5
@exec install-info %D/info/krb425.info %D/info/dir
@exec install-info %D/info/krb5-admin.info %D/info/dir
@exec install-info %D/info/krb5-install.info %D/info/dir
@exec install-info %D/info/krb5-user.info %D/info/dir