static krb5_error_code
add_locate(void *ctx, int type, struct sockaddr *addr)
{
struct krb5_krbhst_data *kd = ctx;
char host[NI_MAXHOST], port[NI_MAXSERV];
socklen_t socklen;
krb5_error_code ret;
int proto, portnum;
socklen = socket_sockaddr_size(addr);
portnum = socket_get_port(addr);
ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port),
NI_NUMERICHOST|NI_NUMERICSERV);
if (ret != 0)
return 0;
if (kd->port)
snprintf(port, sizeof(port), "%d", kd->port);
else if (atoi(port) == 0)
snprintf(port, sizeof(port), "%d", krbhst_get_default_port(kd));
proto = krbhst_get_default_proto(kd);
ret = add_plugin_host(kd, host, port, portnum, proto);
if (ret)
return ret;
/*
* This is really kind of broken and should be solved a different
* way, some sites block UDP, and we don't, in the general case,
* fall back to TCP, that should also be done. But since that
* should require us to invert the whole "find kdc" stack, let put
* this in for now.
*/
if (proto == KRB5_KRBHST_UDP) {
ret = add_plugin_host(kd, host, port, portnum, KRB5_KRBHST_TCP);
if (ret)
return ret;
}
return 0;
}
static krb5_error_code
add_locate(void *ctx, int type, struct sockaddr *addr)
{
struct krb5_krbhst_info *hi;
struct krb5_krbhst_data *kd = ctx;
char host[NI_MAXHOST], port[NI_MAXSERV];
struct addrinfo hints, *ai;
socklen_t socklen;
size_t hostlen;
int ret;
socklen = socket_sockaddr_size(addr);
ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port),
NI_NUMERICHOST|NI_NUMERICSERV);
if (ret != 0)
return 0;
memset(&hints, 0, sizeof(hints));
ret = getaddrinfo(host, port, &hints, &ai);
if (ret)
return 0;
hostlen = strlen(host);
hi = calloc(1, sizeof(*hi) + hostlen);
if(hi == NULL) {
return ENOMEM;
}
hi->proto = krbhst_get_default_proto(kd);
hi->port = hi->def_port = socket_get_port(addr);
hi->ai = ai;
memmove(hi->hostname, host, hostlen);
hi->hostname[hostlen] = '\0';
append_host_hostinfo(kd, hi);
return 0;
}
static void
doit (void)
{
u_char buf[BUFSIZ];
u_char *p;
struct sockaddr_storage thisaddr_ss;
struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
struct sockaddr_storage thataddr_ss;
struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
struct sockaddr_storage erraddr_ss;
struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
socklen_t thisaddr_len, thataddr_len;
int port;
int errsock = -1;
char *client_user = NULL, *server_user = NULL, *cmd = NULL;
struct passwd *pwd;
int s = STDIN_FILENO;
char **env;
int ret;
char that_host[NI_MAXHOST];
thisaddr_len = sizeof(thisaddr_ss);
if (getsockname (s, thisaddr, &thisaddr_len) < 0)
syslog_and_die("getsockname: %s", strerror(errno));
thataddr_len = sizeof(thataddr_ss);
if (getpeername (s, thataddr, &thataddr_len) < 0)
syslog_and_die ("getpeername: %s", strerror(errno));
/* check for V4MAPPED addresses? */
if (do_kerberos == 0 && !is_reserved(socket_get_port(thataddr)))
fatal(s, NULL, "Permission denied.");
p = buf;
port = 0;
for(;;) {
if (net_read (s, p, 1) != 1)
syslog_and_die ("reading port number: %s", strerror(errno));
if (*p == '\0')
break;
else if (isdigit(*p))
port = port * 10 + *p - '0';
else
syslog_and_die ("non-digit in port number: %c", *p);
}
if (do_kerberos == 0 && !is_reserved(htons(port)))
fatal(s, NULL, "Permission denied.");
if (port) {
int priv_port = IPPORT_RESERVED - 1;
/*
* There's no reason to require a ``privileged'' port number
* here, but for some reason the brain dead rsh clients
* do... :-(
*/
erraddr->sa_family = thataddr->sa_family;
socket_set_address_and_port (erraddr,
socket_get_address (thataddr),
htons(port));
/*
* we only do reserved port for IPv4
*/
if (erraddr->sa_family == AF_INET)
errsock = rresvport (&priv_port);
else
errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
if (errsock < 0)
syslog_and_die ("socket: %s", strerror(errno));
if (connect (errsock,
erraddr,
socket_sockaddr_size (erraddr)) < 0) {
syslog (LOG_WARNING, "connect: %s", strerror(errno));
close (errsock);
}
}
if(do_kerberos) {
if (net_read (s, buf, 4) != 4)
syslog_and_die ("reading auth info: %s", strerror(errno));
#ifdef KRB5
if((do_kerberos & DO_KRB5) &&
recv_krb5_auth (s, buf, thisaddr, thataddr,
&client_user,
&server_user,
&cmd) == 0)
auth_method = AUTH_KRB5;
else
#endif /* KRB5 */
syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
buf[0], buf[1], buf[2], buf[3]);
} else {
if(recv_bsd_auth (s, buf,
(struct sockaddr_in *)thisaddr,
(struct sockaddr_in *)thataddr,
&client_user,
&server_user,
&cmd) == 0) {
auth_method = AUTH_BROKEN;
if(do_vacuous) {
printf("Remote host requires Kerberos authentication\n");
exit(0);
}
} else
syslog_and_die("recv_bsd_auth failed");
}
if (client_user == NULL || server_user == NULL || cmd == NULL)
syslog_and_die("mising client/server/cmd");
pwd = getpwnam (server_user);
if (pwd == NULL)
fatal (s, NULL, "Login incorrect.");
if (*pwd->pw_shell == '\0')
pwd->pw_shell = _PATH_BSHELL;
if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
fatal (s, NULL, "Login disabled.");
ret = getnameinfo_verified (thataddr, thataddr_len,
that_host, sizeof(that_host),
NULL, 0, 0);
if (ret)
fatal (s, NULL, "getnameinfo: %s", gai_strerror(ret));
if (login_access(pwd, that_host) == 0) {
syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
server_user, that_host);
fatal(s, NULL, "Permission denied.");
}
#ifdef HAVE_GETSPNAM
{
struct spwd *sp;
long today;
sp = getspnam(server_user);
if (sp != NULL) {
today = time(0)/(24L * 60 * 60);
if (sp->sp_expire > 0)
if (today > sp->sp_expire)
fatal(s, NULL, "Account has expired.");
}
}
#endif
#ifdef HAVE_SETLOGIN
if (setlogin(pwd->pw_name) < 0)
syslog(LOG_ERR, "setlogin() failed: %s", strerror(errno));
#endif
#ifdef HAVE_SETPCRED
if (setpcred (pwd->pw_name, NULL) == -1)
syslog(LOG_ERR, "setpcred() failure: %s", strerror(errno));
#endif /* HAVE_SETPCRED */
/* Apply limits if not root */
if(pwd->pw_uid != 0) {
const char *file = _PATH_LIMITS_CONF;
read_limits_conf(file, pwd);
}
if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
fatal (s, "initgroups", "Login incorrect.");
if (setgid(pwd->pw_gid) < 0)
fatal (s, "setgid", "Login incorrect.");
if (setuid (pwd->pw_uid) < 0)
fatal (s, "setuid", "Login incorrect.");
if (chdir (pwd->pw_dir) < 0)
fatal (s, "chdir", "Remote directory.");
if (errsock >= 0) {
if (dup2 (errsock, STDERR_FILENO) < 0)
fatal (s, "dup2", "Cannot dup stderr.");
close (errsock);
} else {
if (dup2 (STDOUT_FILENO, STDERR_FILENO) < 0)
fatal (s, "dup2", "Cannot dup stderr.");
}
#ifdef KRB5
{
int fd;
if (!do_unique_tkfile)
snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%lu",
(unsigned long)pwd->pw_uid);
else if (*tkfile=='\0') {
snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
fd = mkstemp(tkfile+5);
close(fd);
unlink(tkfile+5);
}
if (kerberos_status)
krb5_start_session();
}
#endif
setup_environment (&env, pwd);
if (do_encrypt) {
setup_copier (errsock >= 0);
} else {
if (net_write (s, "", 1) != 1)
fatal (s, "net_write", "write failed");
}
#if defined(KRB5)
if(k_hasafs()) {
char cell[64];
if(do_newpag)
k_setpag();
/* XXX */
if (kerberos_status) {
krb5_ccache ccache;
krb5_error_code status;
status = krb5_cc_resolve (context, tkfile, &ccache);
if (!status) {
if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0)
krb5_afslog_uid_home(context, ccache, cell, NULL,
pwd->pw_uid, pwd->pw_dir);
krb5_afslog_uid_home(context, ccache, NULL, NULL,
pwd->pw_uid, pwd->pw_dir);
krb5_cc_close (context, ccache);
}
}
}
#endif /* KRB5 */
execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env);
err(1, "exec %s", pwd->pw_shell);
}
