Condor_Auth_Base :: Condor_Auth_Base(ReliSock * sock, int mode) :
mySock_ ( sock ),
authenticated_ ( false ),
mode_ ( mode ),
isDaemon_ ( false ),
remoteUser_ ( NULL ),
remoteDomain_ ( NULL ),
remoteHost_ ( NULL ),
localDomain_ ( NULL ),
fqu_ ( NULL ),
authenticatedName_ ( NULL )
{
//if (mySock_->isClient()) {
//------------------------------------------
// There are two possible cases:
// 1. This is a user who is calling authentication
// 2. This is a daemon who is calling authentication
//
// So, we first find out whether this is a daemon or user
//------------------------------------------
//if ((strncmp(username,
// STR_DEFAULT_CONDOR_USER,
// strlen(STR_DEFAULT_CONDOR_USER)) == 0) ||
// (strncmp(username, root, strlen(root)) == 0)) {
// I am a daemon! This is a daemon-daemon authentication
// isDaemon_ = true;
//dprintf(D_ALWAYS,"This is a daemon with Condor uid:%d; my uid:%d, user uid :%d ,
// with username %s\n", get_condor_uid(), get_my_uid(), get_user_uid(), username);
//}
if (get_my_uid() == 0) {
isDaemon_ = true;
}
//}
// this will *always* succeed
localDomain_ = param( "UID_DOMAIN" );
setRemoteHost(mySock_->peer_addr().to_ip_string().Value());
//setRemoteHost(inet_ntoa(mySock_->peer_addr()->sin_addr));
// This is done for protocols such as fs, anonymous. Kerberos should
// override this with the ip address from Kerbeos
}
void RemoteManager::addHost(RemoteHost *host)
{
RDTreeWidgetItem *node = new RDTreeWidgetItem({host->Name(), lit("...")});
node->setItalic(true);
node->setIcon(0, Icons::hourglass());
setRemoteHost(node, host);
ui->hosts->addTopLevelItem(node);
ui->hosts->setSelectedItem(node);
ui->refreshOne->setEnabled(false);
ui->refreshAll->setEnabled(false);
m_Lookups.release();
refreshHost(node);
updateLookupsStatus();
}
//----------------------------------------------------------------------
// getRemoteHost -- retrieve remote host's address
//----------------------------------------------------------------------
void Condor_Auth_Kerberos :: setRemoteAddress()
{
krb5_error_code code;
krb5_address ** localAddr = NULL;
krb5_address ** remoteAddr = NULL;
// Get remote host's address first
if ((code = krb5_auth_con_getaddrs(krb_context_,
auth_context_,
localAddr,
remoteAddr))) {
goto error;
}
if (remoteAddr) {
struct in_addr in;
memcpy(&(in.s_addr), (*remoteAddr)[0].contents, sizeof(in_addr));
setRemoteHost(inet_ntoa(in));
}
if (localAddr) {
krb5_free_addresses(krb_context_, localAddr);
}
if (remoteAddr) {
krb5_free_addresses(krb_context_, remoteAddr);
}
dprintf(D_SECURITY, "Remote host is %s\n", getRemoteHost());
return;
error:
dprintf( D_ALWAYS, "KERBEROS: Unable to obtain remote address: %s\n",
error_message(code) );
}
void AtDrv::startClient(uint8_t sock, const char *host, uint16_t port, uint8_t protMode)
{
// if we enable CHECK_TCP_STATE feature, always call reConnect(), or we won't get right
// tcp port status, since we disable tcp auto reconnect.
#ifndef CHECK_TCP_STATE
bool needReConn = false;
#else
bool needReConn = true;
#endif
int curMode;
char curHostBuf[MAX_HOST_NAME_BUF_SIZE];
uint8_t curProtocol;
uint16_t curPort;
uint16_t curLocalPort;
uint32_t curTimeout;
bool curTcpAuto;
// clear uart buffer first
stopClient(sock);
if(!isAtMode()) {
if(!switchToAtMode()) {
INFO1("Can't switch to at mode");
goto end;
}
}
if(!getMode(sock, &curMode) || curMode != MODE_CLIENT) {
needReConn = true;
INFO1("curMode != MODE_CLIENT");
if(!setMode(sock, MODE_CLIENT)) {
INFO1("Can't set mode");
goto end;
}
}
if(!getRemoteHost(sock, curHostBuf) || (strcmp(curHostBuf, host) != 0)) {
needReConn = true;
INFO1("curHostBuf != host");
if(!setRemoteHost(sock, host)) {
INFO1("Can't set host");
goto end;
}
}
if(!getProtocol(sock, &curProtocol) || curProtocol != protMode) {
needReConn = true;
INFO1("curProtocol != protMode");
if(!setProtocol(sock, protMode)) {
INFO1("Can't set protocol");
goto end;
}
}
if(!getRemotePort(sock, &curPort) || curPort != port) {
needReConn = true;
INFO1("curPort != port");
if(!setPort(sock, port)) {
INFO1("Can't set port");
goto end;
}
}
if(!getTcpAuto(sock, &curTcpAuto) || curTcpAuto != false) {
needReConn = true;
INFO1("curTcpAuto != false");
if(!setTcpAuto(sock, false)) {
INFO1("Can't set tcp auto");
goto end;
}
}
if(!getLocalPort(sock, &curLocalPort) || curLocalPort != localSockPort[sock]) {
needReConn = true;
INFO1("curLocalPort != port");
if(!setLocalPort(sock, localSockPort[sock])) {
INFO1("Can't set port");
goto end;
}
}
if(needReConn) {
if(!reConnect()) {
INFO1("Can't reconnect");
goto end;
}
}
sockPort[sock] = localSockPort[sock];
sockConnected[sock] = true;
end:
return;
}
int Cconfigurator::loadConfig(QByteArray path, QByteArray filename)
{
int size;
QSettings conf(path + filename, QSettings::IniFormat);
conf.beginGroup("General");
setBaseFile( conf.value("mapFile", "database/mume.pmf").toByteArray() );
setWindowRect( conf.value("windowRect").toRect() );
setAlwaysOnTop( conf.value("alwaysOnTop", true ).toBool() );
setStartupMode( conf.value("startupMode", 1).toInt() );
setLogFileEnabled( conf.value("isLogFileEnabled", false).toBool() );
conf.endGroup();
conf.beginGroup("Networking");
setLocalPort( conf.value("localPort", 4242).toInt() );
setRemoteHost( conf.value("remoteHost", "193.134.218.111").toByteArray() );
setRemotePort( conf.value("remotePort", 443).toInt() );
conf.endGroup();
conf.beginGroup("OpenGL");
setTextureVisibility( conf.value("texturesVisibility", 500).toInt() );
setDetailsVisibility( conf.value("detailsVisibility", 300).toInt() );
setVisibleLayers( conf.value("visibleLayers", 5).toInt() );
setShowNotesRenderer( conf.value("showNotes", true).toBool() );
setShowRegionsInfo( conf.value("showRegions", false). toBool() );
setDisplayRegionsRenderer( conf.value("displayRegions", false).toBool() );
setMultisampling( conf.value("multisampling", true).toBool() );
setSelectOAnyLayer( conf.value("selectOnAnyLayer", true).toBool() );
setRendererAngles(conf.value("angleX", 0).toFloat(), conf.value("angleY", 0).toFloat(), conf.value("angleZ", 0).toFloat());
setRendererPosition(conf.value("userX", 0).toFloat(), conf.value("userY", 0).toFloat(), conf.value("userZ", 0).toFloat());
setNoteColor( conf.value("noteColor", "#F28003").toByteArray() );
setDrawPrespam( conf.value("drawPrespam", true).toBool() );
conf.endGroup();
conf.beginGroup("Engine");
setExitsCheck( conf.value("checkExits", false).toBool() );
setTerrainCheck( conf.value("checkTerrain", true).toBool() );
setBriefMode( conf.value("briefmode", true ).toBool() );
setAutomerge( conf.value("autoMerge", true ).toBool() );
setAngrylinker( conf.value("angryLinker", true ).toBool() );
setDuallinker( conf.value("dualLinker", false ).toBool() );
setAutorefresh( conf.value("autoRefresh", true ).toBool() );
setNameQuote( conf.value("roomNameQuote", 10 ).toInt() );
setDescQuote( conf.value("descQuote", 10 ).toInt() );
setRegionsAutoReplace( conf.value("regionsAutoReplace", false ).toBool() );
setRegionsAutoSet( conf.value("regionsAutoSet", false ).toBool() );
setMactionUsesPrespam( conf.value("mactionUsesPrespam", true).toBool() );
setPrespamTTL( conf.value("prespamTTL", 5000).toInt() );
conf.endGroup();
conf.beginGroup("Patterns");
setExitsPattern( conf.value("exitsPattern", "Exits: ").toByteArray() );
spells_pattern = conf.value("spellsEffectPattern", "Affected by:").toByteArray();
setScorePattern( conf.value("scorePattern", "[0-9]*/* hits, */* mana, and */* moves.").toByteArray() );
setShortScorePattern( conf.value("scorePatternShort", "[0-9]*/* hits and */* moves.").toByteArray() );
conf.endGroup();
conf.beginGroup("GroupManager");
setGroupManagerHost( conf.value("remoteHost", "localhost").toByteArray() );
setGroupManagerRemotePort( conf.value("remotePort", 4243 ).toInt() );
setGroupManagerLocalPort( conf.value("localServerPort", 4243 ).toInt() );
setGroupManagerCharName( conf.value("charName", "Charname" ).toByteArray() );
setGroupManagerColor( QColor( conf.value("charColor", "#F28003").toString() ) );
setGroupManagerShowSelf( conf.value("showSelf", false ).toBool() );
setGroupManagerNotifyArmour( conf.value("notifyArm", true ).toBool() );
setGroupManagerNotifySanc( conf.value("notifySanc", true ).toBool() );
setGroupManagerNotifyBash( conf.value("notifyBash", true ).toBool() );
setGroupManagerShowManager( conf.value("showGroupManager", true ).toBool() );
setGroupManagerRect( conf.value("windowRect").toRect() );
conf.endGroup();
size = conf.beginReadArray("Spells");
for (int i = 0; i < size; ++i) {
conf.setArrayIndex(i);
TSpell spell;
spell.up = false;
spell.silently_up = false;
spell.addon = conf.value("addon", 0).toBool();
spell.name = conf.value("name").toByteArray();
spell.up_mes = conf.value("upMessage").toByteArray();
spell.refresh_mes = conf.value("refreshMessage").toByteArray();
spell.down_mes = conf.value("downMessage").toByteArray();
addSpell(spell);
}
conf.endArray();
conf.beginGroup("Movement tracking");
size = conf.beginReadArray("Cancel Patterns");
for (int i = 0; i < size; ++i) {
conf.setArrayIndex(i);
moveCancelPatterns.append( conf.value("pattern").toByteArray() );
}
conf.endArray();
size = conf.beginReadArray("Force Patterns");
for (int i = 0; i < size; ++i) {
conf.setArrayIndex(i);
moveForcePatterns.append( conf.value("pattern").toByteArray() );
}
conf.endArray();
conf.endGroup();
size = conf.beginReadArray("Debug Settings");
for (int i = 0; i < size; ++i) {
conf.setArrayIndex(i);
QString s = conf.value("name").toString();
unsigned int z = 0;
while (debug_data[z].name != NULL) {
if (debug_data[z].name == s)
break;
z++;
}
if (debug_data[z].name == NULL) {
print_debug(DEBUG_CONFIG, "Warning, %s is a wrong debug descriptor/name!", qPrintable(s));
continue;
}
debug_data[i].state = conf.value("state", 0 ).toInt();
}
conf.endArray();
configFile = filename;
configPath = path;
setConfigModified(false);
return true;
}
int Condor_Auth_Kerberos :: authenticate_server_kerberos()
{
krb5_error_code code;
krb5_flags flags = 0;
krb5_data request, reply;
priv_state priv;
krb5_keytab keytab = 0;
int message, rc = FALSE;
krb5_ticket * ticket = NULL;
request.data = 0;
reply.data = 0;
keytabName_ = param(STR_KERBEROS_SERVER_KEYTAB);
//------------------------------------------
// Getting keytab info
//------------------------------------------
if (keytabName_) {
code = krb5_kt_resolve(krb_context_, keytabName_, &keytab);
}
else {
code = krb5_kt_default(krb_context_, &keytab);
}
if (code) {
dprintf( D_ALWAYS, "1: Kerberos server authentication error:%s\n",
error_message(code) );
goto error;
}
//------------------------------------------
// Get te KRB_AP_REQ message
//------------------------------------------
if(read_request(&request) == FALSE) {
dprintf( D_ALWAYS, "KERBEROS: Server is unable to read request\n" );
goto error;
}
dprintf( D_SECURITY, "Reading kerberos request object (krb5_rd_req)\n");
dprintf_krb5_principal( D_FULLDEBUG, "KERBEROS: krb_principal_ is '%s'\n", krb_principal_);
priv = set_root_priv(); // Get the old privilige
if ((code = krb5_rd_req(krb_context_,
&auth_context_,
&request,
//krb_principal_,
NULL,
keytab,
&flags,
&ticket))) {
set_priv(priv); // Reset
dprintf( D_ALWAYS, "2: Kerberos server authentication error:%s\n",
error_message(code) );
goto error;
}
set_priv(priv); // Reset
dprintf ( D_FULLDEBUG, "KERBEROS: krb5_rd_req done.\n");
//------------------------------------------
// See if mutual authentication is required
//------------------------------------------
if (flags & AP_OPTS_MUTUAL_REQUIRED) {
if ((code = krb5_mk_rep(krb_context_, auth_context_, &reply))) {
dprintf( D_ALWAYS, "3: Kerberos server authentication error:%s\n",
error_message(code) );
goto error;
}
mySock_->encode();
message = KERBEROS_MUTUAL;
if (!mySock_->code(message) || !mySock_->end_of_message()) {
goto error;
}
// send the message
if (send_request(&reply) != KERBEROS_GRANT) {
goto cleanup;
}
}
//------------------------------------------
// extract client addresses
//------------------------------------------
if (ticket->enc_part2->caddrs) {
struct in_addr in;
memcpy(&(in.s_addr), ticket->enc_part2->caddrs[0]->contents, sizeof(in_addr));
setRemoteHost(inet_ntoa(in));
dprintf(D_SECURITY, "Client address is %s\n", getRemoteHost());
}
// First, map the name, this has to take place before receive_tgt_creds!
if (!map_kerberos_name(&(ticket->enc_part2->client))) {
dprintf(D_SECURITY, "Unable to map Kerberos name\n");
goto error;
}
// copy the session key
if ((code = krb5_copy_keyblock(krb_context_,
ticket->enc_part2->session,
&sessionKey_))){
dprintf(D_SECURITY, "4: Kerberos server authentication error:%s\n", error_message(code));
goto error;
}
// Next, see if we need client to forward the credential as well
if (receive_tgt_creds(ticket)) {
goto cleanup;
}
//------------------------------------------
// We are now authenticated!
//------------------------------------------
dprintf(D_SECURITY, "User %s is now authenticated!\n", getRemoteUser());
rc = TRUE;
goto cleanup;
error:
message = KERBEROS_DENY;
mySock_->encode();
if ((!mySock_->code(message)) || (!mySock_->end_of_message())) {
dprintf( D_ALWAYS, "KERBEROS: Failed to send response message!\n" );
}
cleanup:
//------------------------------------------
// Free up some stuff
//------------------------------------------
if (ticket) {
krb5_free_ticket(krb_context_, ticket);
}
if (keytab) {
krb5_kt_close(krb_context_, keytab);
}
//------------------------------------------
// Free it for now, in the future, we might
// need this for future secure transctions.
//------------------------------------------
if (request.data) {
free(request.data);
}
if (reply.data) {
free(reply.data);
}
return rc;
}
