Diffstat (limited to 'crypto/heimdal/appl/rsh')
-rw-r--r--crypto/heimdal/appl/rsh/ChangeLog395
-rw-r--r--crypto/heimdal/appl/rsh/Makefile.am25
-rw-r--r--crypto/heimdal/appl/rsh/Makefile.in769
-rw-r--r--crypto/heimdal/appl/rsh/common.c174
-rw-r--r--crypto/heimdal/appl/rsh/rsh.1235
-rw-r--r--crypto/heimdal/appl/rsh/rsh.c1104
-rw-r--r--crypto/heimdal/appl/rsh/rsh_locl.h162
-rw-r--r--crypto/heimdal/appl/rsh/rshd.8130
-rw-r--r--crypto/heimdal/appl/rsh/rshd.c1035
9 files changed, 0 insertions, 4029 deletions
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog
deleted file mode 100644
index ddac74f50283..000000000000
--- a/crypto/heimdal/appl/rsh/ChangeLog
+++ /dev/null
@@ -1,395 +0,0 @@
-2002-09-04 Johan Danielsson <joda@pdc.kth.se>
-
- * rsh.c: free some memory
-
-2002-09-04 Assar Westerlund <assar@kth.se>
-
- * common.c: krb5_crypto_block_size -> krb5_crypto_getblocksize
-
-2002-09-04 Johan Danielsson <joda@pdc.kth.se>
-
- * rsh.1: document -P
-
-2002-09-03 Johan Danielsson <joda@pdc.kth.se>
-
- * rsh.c: revert to protocol v1 if not asked for specific protocol
-
- * rshd.c: handle protocol version 2
-
- * rsh.c: handle protocol version 2
-
- * common.c: handle protocol version 2
-
- * rsh_locl.h: handle protocol version 2
-
-2002-02-18 Johan Danielsson <joda@pdc.kth.se>
-
- * rshd.c: don't show options that doesn't apply
-
- * rsh.c: don't show options that doesn't apply
-
- * rsh_locl.h: if we're not building with any kerberos support,
- just call read/write directly
-
- * common.c: if we're not building with any kerberos support, just
- call read/write directly
-
- * rshd.c: make this build without krb5; also use the addrinfo
- interface to mini_inetd, and set the keepalive option if requested
-
- * rsh.c: make this build without krb5
-
- * rsh_locl.h: make this build without krb5
-
- * common.c: make this build without krb5
-
-2001-11-30 Johan Danielsson <joda@pdc.kth.se>
-
- * rshd.c: make the syslog messages somewhat more informative
-
-2001-08-15 Johan Danielsson <joda@pdc.kth.se>
-
- * rsh.c: only complain about encryption flag when old
- authentication is requested
-
-2001-08-07 Johan Danielsson <joda@pdc.kth.se>
-
- * rsh.c: don't try broken auth if rresvport failed; try to give
- some more informative error messages
-
-2001-07-31 Johan Danielsson <joda@pdc.kth.se>
-
- * rshd.8: add an EXAMPLE
- * rshd.8: manual page
- * rshd.c: add some compat flags
- * rsh.1: manual page
- * rsh.c: iff -d, set the SO_DEBUG flags of the stdout and stderr
- socket; implement parsing user@host
-
-2001-07-19 Assar Westerlund <assar@sics.se>
-
- * rshd.c (fatal): use vsnprintf correctly
-
-2001-02-07 Assar Westerlund <assar@sics.se>
-
- * Makefile.am: add login_access
- * rshd.c (login_access): add prototype
- (syslog_and_die, fatal): add printf attributes
- (*): AIX -> _AIX
- (doit): use login_access
- based on patches from Ake Sandgren <ake@cs.umu.se>
-
-2001-01-09 Assar Westerlund <assar@sics.se>
-
- * rshd.c (save_krb5_creds): use krb5_rd_cred2 instead of
- krb5_rd_cred
-
-2000-12-31 Assar Westerlund <assar@sics.se>
-
- * rshd.c (main): handle krb5_init_context failure consistently
- * rsh.c (main): handle krb5_init_context failure consistently
-
-2000-12-05 Johan Danielsson <joda@pdc.kth.se>
-
- * rshd.c: require encryption if passed -x
-
-2000-11-15 Assar Westerlund <assar@sics.se>
-
- * rshd.c (loop): check that the fd's aren't too large to select on
- * rsh.c (loop, proto): check that the fd's aren't too large to
- select on
-
-2000-08-10 Assar Westerlund <assar@sics.se>
-
- * rsh.c: move code to do config/command parsing correctly.
-
-2000-08-09 Assar Westerlund <assar@sics.se>
-
- * rsh.c (main): only fetch stuff from krb5.conf when no option has
- been given
-
-2000-08-01 Assar Westerlund <assar@sics.se>
-
- * rsh.c (doit): loop until we create an error socket of an
- supported socket family
-
-2000-07-02 Assar Westerlund <assar@sics.se>
-
- * rshd.c: DCE stuff from Ake Sandgren <ake@cs.umu.se>
- do not call syslog with a variable as format string
-
- * rsh_locl.h (_PATH_ETC_ENVIRONMENT): add
-
-2000-06-09 Assar Westerlund <assar@sics.se>
-
- * rsh.c (main): work-around for setuid and capabilities bug fixed
- in Linux 2.2.16
-
-2000-06-06 Johan Danielsson <joda@pdc.kth.se>
-
- * rsh.c: nuke long option from -z
-
- * rsh.c: don't try to encrypt if auth is broken (Daniel Kouril)
-
-2000-06-03 Assar Westerlund <assar@sics.se>
-
- * rshd.c (doit): check return value of getspnam. From
- <haba@pdc.kth.se>
-
-2000-05-23 Assar Westerlund <assar@sics.se>
-
- * rsh.c (proto): select on the normal socket when waiting for the
- daemon to connect back to the stderr port, so that we discover
- when data arrives there before. when that happens, we assume that
- the daemon did not manage to connect (because of NAT/whatever) and
- continue as if `-e' was given
- * rshd.c (doit): if we fail to connect back to the stderr port,
- act as if `-e' was given on the client side, i.e. without the
- special TCP-connection. This tries to make things better when
- running the head against a NAT wall, for example.
-
-2000-02-07 Assar Westerlund <assar@sics.se>
-
- * Makefile.am (LDADD): make sure we use the heimdal libdes
-
-2000-02-06 Assar Westerlund <assar@sics.se>
-
- * *: conditionalize des stuff on KRB4
-
-1999-12-16 Assar Westerlund <assar@sics.se>
-
- * rsh.c (doit): addrinfo returned from getaddrinfo() is not usable
- directly as hints. copy it and set AI_PASSIVE.
-
-1999-11-20 Assar Westerlund <assar@sics.se>
-
- * rsh.c (main): remember to close the priviledged sockets before
- calling rlogin
-
-1999-11-02 Assar Westerlund <assar@sics.se>
-
- * rsh.c (main): redo the v4/v5 selection for consistency. -4 ->
- try only v4 -5 -> try only v5 none, -45 -> try v5, v4
-
-1999-10-26 Assar Westerlund <assar@sics.se>
-
- * rshd.c (main): ignore SIGPIPE
-
- * common.c (do_read): the encoded length can be longer than the
- buffer being used, allocate memory for it dynamically. From Brian
- A May <bmay@dgs.monash.edu.au>
-
-1999-10-14 Assar Westerlund <assar@sics.se>
-
- * rsh.c (proto): be more careful and don't print errno when read()
- returns 0
-
-1999-09-20 Assar Westerlund <assar@sics.se>
-
- * rshd.c (recv_krb4_auth): set `iv'
-
-1999-08-16 Assar Westerlund <assar@sics.se>
-
- * common.c (do_read): be careful with the return value from
- krb5_net_read
-
-1999-08-05 Assar Westerlund <assar@sics.se>
-
- * rsh.c: call freehostent
-
- * rsh.c: remove some dead code
-
-1999-08-04 Assar Westerlund <assar@sics.se>
-
- * rshd.c: re-write the handling of forwarded credentials and
- stuff. From Miroslav Ruda <ruda@ics.muni.cz>
-
- * rsh_locl.h: always include kafs.h
-
- * rsh.c: add `-z' and `-G' options
-
- * rsh.c (loop): shutdown one side of the TCP connection on EOF.
- From Brian A May <bmay@dgs.monash.edu.au>
-
- * common.c (do_read): handle EOF. From Brian A May
- <bmay@dgs.monash.edu.au>
-
-1999-08-01 Assar Westerlund <assar@sics.se>
-
- * rsh.c: const fixes
-
-1999-07-29 Assar Westerlund <assar@sics.se>
-
- * rshd.c: v6-ify
-
- * rsh.c: v6-ify
-
-1999-07-28 Assar Westerlund <assar@sics.se>
-
- * rsh_locl.h: move around kafs.h
-
-1999-07-24 Assar Westerlund <assar@sics.se>
-
- * rsh_locl.h: <shadow.h>
-
- * rsh.c, rshd.c: improve forwarding and implement unique ccache on
- server. From Miroslav Ruda <ruda@ics.muni.cz>
-
-1999-07-03 Assar Westerlund <assar@sics.se>
-
- * rsh.c (construct_command): handle argc == 0 for generality
-
-1999-06-23 Assar Westerlund <assar@sics.se>
-
- * rsh.c: new option `-e' for not trying to open an stderr socket
-
-1999-06-17 Assar Westerlund <assar@sics.se>
-
- * rsh_locl.h (RSH_BUFSIZ): bump to 16 * 1024 to be sure that we
- don't leave any data inside des_enc_read. (that constant should
- really be exported in some way...)
-
-1999-06-15 Assar Westerlund <assar@sics.se>
-
- * rsh.c: use get_default_username and resulting const pollution
-
-1999-05-21 Assar Westerlund <assar@sics.se>
-
- * rsh.c (main): try $USERNAME
-
-1999-05-14 Assar Westerlund <assar@sics.se>
-
- * rshd.c (doit): afslog correctly
-
-1999-05-11 Assar Westerlund <assar@sics.se>
-
- * rsh.c (main): add fallback to rlogin
-
-1999-05-10 Assar Westerlund <assar@sics.se>
-
- * rsh.c (send_krb5_auth): call krb5_sendauth with ccache == NULL.
- check return value from krb5_crypto_init
-
- * common.c (do_write, do_read): always return -1 for failure
- (net_write, net_read): remove. they already exist in libroken
-
-1999-05-09 Assar Westerlund <assar@sics.se>
-
- * rsh.c: make sure it tries with all other authentication methods
- after one has failed
- * rsh.c (main): detect the case of no command given.
-
-1999-04-11 Assar Westerlund <assar@sics.se>
-
- * rsh.c: new option --forwardable. use print_version
-
-Sat Apr 10 17:10:55 1999 Assar Westerlund <assar@sics.se>
-
- * rshd.c (setup_copier): use `socketpair' instead of `pipe'. Some
- shells don't think it's a rsh session if they find a pipe at the
- other end.
- (setup_environment): add SSH_CLIENT just to make bash happy
-
- * common.c (do_read): use krb5_get_wrapped_length
-
-Wed Mar 24 03:59:42 1999 Assar Westerlund <assar@sics.se>
-
- * rsh.c (loop): more braces to make gcc happy
-
-Tue Mar 23 17:08:32 1999 Johan Danielsson <joda@hella.pdc.kth.se>
-
- * rsh_locl.h: kafs.h
-
- * rshd.c: add `-P', `-v', and `-L' flags
-
-Thu Mar 18 11:37:24 1999 Johan Danielsson <joda@hella.pdc.kth.se>
-
- * Makefile.am: include Makefile.am.common
-
-Tue Dec 1 14:44:44 1998 Johan Danielsson <joda@hella.pdc.kth.se>
-
- * appl/rsh/rshd.c: update to new crypto framework
-
- * appl/rsh/rsh_locl.h: update to new crypto framework
-
- * appl/rsh/rsh.c: update to new crypto framework
-
- * appl/rsh/common.c: update to new crypto framework
-
-Mon Nov 2 01:15:06 1998 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rsh.c (main): initialize host
-
- * appl/rsh/rshd.c (recv_krb5_auth): disable `do_encrypt' if not
- encrypting.
-
-Thu Jul 30 23:12:17 1998 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rsh.c: kludges for parsing `rsh hostname -l user'
-
-Thu Jul 23 19:49:03 1998 Johan Danielsson <joda@emma.pdc.kth.se>
-
- * appl/rsh/rshd.c: use krb5_verify_authenticator_checksum
-
-Sat Apr 18 21:13:06 1998 Johan Danielsson <joda@emma.pdc.kth.se>
-
- * appl/rsh/rsh.c: Don't try v5 if (only) `-4' is specified.
-
-Sun Dec 21 09:44:05 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rshd.c (recv_krb5_auth): swap the order of the
- `local_user' and the `remote_user'
-
- * appl/rsh/rsh.c (send_krb5_auth): swap the order of the
- `local_user' and the `remote_user'
-
-Sat Nov 29 07:10:11 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rshd.c: updated to use getarg.
- changed `struct fd_set' to `fd_set'.
- implemented broken/BSD authentication (requires iruserok)
-
-Wed Nov 12 02:35:57 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rsh_locl.h: add AUTH_BROKEN and PATH_RSH
-
- * appl/rsh/Makefile.am: set BINDIR
-
- * appl/rsh/rsh.c: implemented BSD-style reserved port
- `authentication'
-
-Sun Aug 24 08:06:54 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rshd.c: syslog remote shells
-
-Tue Aug 12 01:29:46 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rshd/rshd.c: Use `krb5_sock_to_principal'. Send server
- parameter to krb5_rd_req/krb5_recvauth. Set addresses in
- auth_context.
-
-Fri Jul 25 17:32:12 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rshd.c: implement forwarding
-
- * appl/rsh/rsh.c: Use getarg. Implement forwarding.
-
-Sun Jul 13 00:32:16 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh: Conditionalize the krb4-support.
-
-Wed Jul 9 06:58:00 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rsh.c: use the correct user for the checksum
-
-Mon Jul 7 11:15:51 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh/rshd.c: Now works. Also implementd encryption and
- `-p'.
-
- * appl/rsh/common.c: new file
-
-Mon Jun 30 06:08:14 1997 Assar Westerlund <assar@sics.se>
-
- * appl/rsh: New program.
-
diff --git a/crypto/heimdal/appl/rsh/Makefile.am b/crypto/heimdal/appl/rsh/Makefile.am
deleted file mode 100644
index 2fbc8e0f4f2a..000000000000
--- a/crypto/heimdal/appl/rsh/Makefile.am
+++ /dev/null
@@ -1,25 +0,0 @@
-# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $
-
-include $(top_srcdir)/Makefile.am.common
-
-INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../login
-
-bin_PROGRAMS = rsh
-
-man_MANS = rsh.1 rshd.8
-
-libexec_PROGRAMS = rshd
-
-rsh_SOURCES = rsh.c common.c rsh_locl.h
-
-rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
-
-login_access.c:
- $(LN_S) $(srcdir)/../login/login_access.c .
-
-LDADD = $(LIB_kafs) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(LIB_kdfs)
diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in
deleted file mode 100644
index c51a16e7724c..000000000000
--- a/crypto/heimdal/appl/rsh/Makefile.in
+++ /dev/null
@@ -1,769 +0,0 @@
-# Makefile.in generated by automake 1.6.1 from Makefile.am.
-# @configure_input@
-
-# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002
-# Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# $Id: Makefile.am,v 1.17 2001/07/31 09:12:03 joda Exp $
-
-# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
-
-# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $
-SHELL = @SHELL@
-
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
-VPATH = @srcdir@
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-
-bindir = @bindir@
-sbindir = @sbindir@
-libexecdir = @libexecdir@
-datadir = @datadir@
-sysconfdir = @sysconfdir@
-sharedstatedir = @sharedstatedir@
-localstatedir = @localstatedir@
-libdir = @libdir@
-infodir = @infodir@
-mandir = @mandir@
-includedir = @includedir@
-oldincludedir = /usr/include
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
-
-ACLOCAL = @ACLOCAL@
-AUTOCONF = @AUTOCONF@
-AUTOMAKE = @AUTOMAKE@
-AUTOHEADER = @AUTOHEADER@
-
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_DATA = @INSTALL_DATA@
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = @program_transform_name@
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-host_alias = @host_alias@
-host_triplet = @host@
-
-EXEEXT = @EXEEXT@
-OBJEXT = @OBJEXT@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AMTAR = @AMTAR@
-AS = @AS@
-AWK = @AWK@
-CANONICAL_HOST = @CANONICAL_HOST@
-CATMAN = @CATMAN@
-CATMANEXT = @CATMANEXT@
-CC = @CC@
-COMPILE_ET = @COMPILE_ET@
-CPP = @CPP@
-DBLIB = @DBLIB@
-DEPDIR = @DEPDIR@
-DIR_com_err = @DIR_com_err@
-DIR_des = @DIR_des@
-DIR_roken = @DIR_roken@
-DLLTOOL = @DLLTOOL@
-ECHO = @ECHO@
-EXTRA_LIB45 = @EXTRA_LIB45@
-GROFF = @GROFF@
-INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_ = @INCLUDE_@
-INCLUDE_des = @INCLUDE_des@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LEX = @LEX@
-
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBTOOL = @LIBTOOL@
-LIB_ = @LIB_@
-LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_NDBM = @LIB_NDBM@
-LIB_com_err = @LIB_com_err@
-LIB_com_err_a = @LIB_com_err_a@
-LIB_com_err_so = @LIB_com_err_so@
-LIB_des = @LIB_des@
-LIB_des_a = @LIB_des_a@
-LIB_des_appl = @LIB_des_appl@
-LIB_des_so = @LIB_des_so@
-LIB_kdb = @LIB_kdb@
-LIB_otp = @LIB_otp@
-LIB_roken = @LIB_roken@
-LIB_security = @LIB_security@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
-NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
-NROFF = @NROFF@
-OBJDUMP = @OBJDUMP@
-PACKAGE = @PACKAGE@
-RANLIB = @RANLIB@
-STRIP = @STRIP@
-VERSION = @VERSION@
-VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
-WFLAGS = @WFLAGS@
-WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
-WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
-X_CFLAGS = @X_CFLAGS@
-X_EXTRA_LIBS = @X_EXTRA_LIBS@
-X_LIBS = @X_LIBS@
-X_PRE_LIBS = @X_PRE_LIBS@
-YACC = @YACC@
-am__include = @am__include@
-am__quote = @am__quote@
-dpagaix_cflags = @dpagaix_cflags@
-dpagaix_ldadd = @dpagaix_ldadd@
-dpagaix_ldflags = @dpagaix_ldflags@
-install_sh = @install_sh@
-
-AUTOMAKE_OPTIONS = foreign no-dependencies 1.6
-
-SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../login
-
-@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
-
-AM_CFLAGS = $(WFLAGS)
-
-CP = cp
-
-buildinclude = $(top_builddir)/include
-
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_crypt = @LIB_crypt@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_el_init = @LIB_el_init@
-LIB_getattr = @LIB_getattr@
-LIB_gethostbyname = @LIB_gethostbyname@
-LIB_getpwent_r = @LIB_getpwent_r@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
-LIB_odm_initialize = @LIB_odm_initialize@
-LIB_openpty = @LIB_openpty@
-LIB_pidfile = @LIB_pidfile@
-LIB_res_search = @LIB_res_search@
-LIB_setpcred = @LIB_setpcred@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-
-HESIODLIB = @HESIODLIB@
-HESIODINCLUDE = @HESIODINCLUDE@
-INCLUDE_hesiod = @INCLUDE_hesiod@
-LIB_hesiod = @LIB_hesiod@
-
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-
-INCLUDE_openldap = @INCLUDE_openldap@
-LIB_openldap = @LIB_openldap@
-
-INCLUDE_readline = @INCLUDE_readline@
-LIB_readline = @LIB_readline@
-
-NROFF_MAN = groff -mandoc -Tascii
-
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-
-bin_PROGRAMS = rsh
-
-man_MANS = rsh.1 rshd.8
-
-libexec_PROGRAMS = rshd
-
-rsh_SOURCES = rsh.c common.c rsh_locl.h
-
-rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
-
-LDADD = $(LIB_kafs) \
- $(LIB_krb5) \
- $(LIB_krb4) \
- $(LIB_des) \
- $(LIB_roken) \
- $(LIB_kdfs)
-
-subdir = appl/rsh
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
-CONFIG_HEADER = $(top_builddir)/include/config.h
-CONFIG_CLEAN_FILES =
-bin_PROGRAMS = rsh$(EXEEXT)
-libexec_PROGRAMS = rshd$(EXEEXT)
-PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS)
-
-am_rsh_OBJECTS = rsh.$(OBJEXT) common.$(OBJEXT)
-rsh_OBJECTS = $(am_rsh_OBJECTS)
-rsh_LDADD = $(LDADD)
-@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES = \
-@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES =
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES = \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES = \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la
-@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la
-@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la
-rsh_LDFLAGS =
-am_rshd_OBJECTS = rshd.$(OBJEXT) common.$(OBJEXT) login_access.$(OBJEXT)
-rshd_OBJECTS = $(am_rshd_OBJECTS)
-rshd_LDADD = $(LDADD)
-@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES = \
-@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES =
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES = \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES = \
-@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la
-@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kafs/libkafs.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/krb5/libkrb5.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@ $(top_builddir)/lib/kdfs/libkdfs.la
-@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES = \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kafs/libkafs.la \
-@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@ $(top_builddir)/lib/kdfs/libkdfs.la
-rshd_LDFLAGS =
-
-DEFS = @DEFS@
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include
-CPPFLAGS = @CPPFLAGS@
-LDFLAGS = @LDFLAGS@
-LIBS = @LIBS@
-depcomp =
-am__depfiles_maybe =
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \
- $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-CFLAGS = @CFLAGS@
-DIST_SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
-MANS = $(man_MANS)
-DIST_COMMON = ChangeLog Makefile.am Makefile.in
-SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
- cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign appl/rsh/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)
-binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-install-binPROGRAMS: $(bin_PROGRAMS)
- @$(NORMAL_INSTALL)
- $(mkinstalldirs) $(DESTDIR)$(bindir)
- @list='$(bin_PROGRAMS)'; for p in $$list; do \
- p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- if test -f $$p \
- || test -f $$p1 \
- ; then \
- p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \
- f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \
- else :; fi; \
- done
-
-uninstall-binPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(bin_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
- f=`echo "$$f" | sed -e 's,^.*/,,'`; \
- echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
- rm -f $(DESTDIR)$(bindir)/$$f; \
- done
-
-clean-binPROGRAMS:
- -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
-libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-install-libexecPROGRAMS: $(libexec_PROGRAMS)
- @$(NORMAL_INSTALL)
- $(mkinstalldirs) $(DESTDIR)$(libexecdir)
- @list='$(libexec_PROGRAMS)'; for p in $$list; do \
- p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- if test -f $$p \
- || test -f $$p1 \
- ; then \
- p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \
- f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \
- else :; fi; \
- done
-
-uninstall-libexecPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(libexec_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
- f=`echo "$$f" | sed -e 's,^.*/,,'`; \
- echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
- rm -f $(DESTDIR)$(libexecdir)/$$f; \
- done
-
-clean-libexecPROGRAMS:
- -test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
-rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES)
- @rm -f rsh$(EXEEXT)
- $(LINK) $(rsh_LDFLAGS) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS)
-rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES)
- @rm -f rshd$(EXEEXT)
- $(LINK) $(rshd_LDFLAGS) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT) core *.core
-
-distclean-compile:
- -rm -f *.tab.c
-
-.c.o:
- $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$<
-
-.c.obj:
- $(COMPILE) -c `cygpath -w $<`
-
-.c.lo:
- $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$<
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-
-distclean-libtool:
- -rm -f libtool
-uninstall-info-am:
-
-man1dir = $(mandir)/man1
-install-man1: $(man1_MANS) $(man_MANS)
- @$(NORMAL_INSTALL)
- $(mkinstalldirs) $(DESTDIR)$(man1dir)
- @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.1*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
- $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
- done
-uninstall-man1:
- @$(NORMAL_UNINSTALL)
- @list='$(man1_MANS) $(dist_man1_MANS) $(nodist_man1_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.1*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
- rm -f $(DESTDIR)$(man1dir)/$$inst; \
- done
-
-man8dir = $(mandir)/man8
-install-man8: $(man8_MANS) $(man_MANS)
- @$(NORMAL_INSTALL)
- $(mkinstalldirs) $(DESTDIR)$(man8dir)
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
- $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
- done
-uninstall-man8:
- @$(NORMAL_UNINSTALL)
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
- rm -f $(DESTDIR)$(man8dir)/$$inst; \
- done
-
-ETAGS = etags
-ETAGSFLAGS =
-
-tags: TAGS
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
- mkid -fID $$unique
-
-TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- tags=; \
- here=`pwd`; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
- test -z "$(ETAGS_ARGS)$$tags$$unique" \
- || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-
-top_distdir = ../..
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION)
-
-distdir: $(DISTFILES)
- @for file in $(DISTFILES); do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test "$$dir" != "$$file" && test "$$dir" != "."; then \
- dir="/$$dir"; \
- $(mkinstalldirs) "$(distdir)$$dir"; \
- else \
- dir=''; \
- fi; \
- if test -d $$d/$$file; then \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
- fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
- else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
- || exit 1; \
- fi; \
- done
- $(MAKE) $(AM_MAKEFLAGS) \
- top_distdir="${top_distdir}" distdir="$(distdir)" \
- dist-hook
-check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) check-local
-check: check-am
-all-am: Makefile $(PROGRAMS) $(MANS) all-local
-
-installdirs:
- $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(man1dir) $(DESTDIR)$(man8dir)
-
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
- -rm -f Makefile $(CONFIG_CLEAN_FILES) stamp-h stamp-h[0-9]*
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
- clean-libtool mostlyclean-am
-
-distclean: distclean-am
-
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-libtool distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-data-local install-man
-
-install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-exec-hook
-
-install-info: install-info-am
-
-install-man: install-man1 install-man8
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-uninstall-am: uninstall-binPROGRAMS uninstall-info-am \
- uninstall-libexecPROGRAMS uninstall-man
-
-uninstall-man: uninstall-man1 uninstall-man8
-
-.PHONY: GTAGS all all-am all-local check check-am check-local clean \
- clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \
- clean-libtool distclean distclean-compile distclean-generic \
- distclean-libtool distclean-tags distdir dvi dvi-am info \
- info-am install install-am install-binPROGRAMS install-data \
- install-data-am install-data-local install-exec install-exec-am \
- install-info install-info-am install-libexecPROGRAMS \
- install-man install-man1 install-man8 install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool tags uninstall \
- uninstall-am uninstall-binPROGRAMS uninstall-info-am \
- uninstall-libexecPROGRAMS uninstall-man uninstall-man1 \
- uninstall-man8
-
-
-install-suid-programs:
- @foo='$(bin_SUIDS)'; \
- for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; done
-
-install-exec-hook: install-suid-programs
-
-install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
- @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
- for f in $$foo; do \
- f=`basename $$f`; \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
- fi ; \
- done
-
-all-local: install-build-headers
-
-check-local::
- @if test '$(CHECK_LOCAL)'; then \
- foo='$(CHECK_LOCAL)'; else \
- foo='$(PROGRAMS)'; fi; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if ./$$i --version > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0; \
- fi
-
-.x.c:
- @cmp -s $< $@ 2> /dev/null || cp $< $@
-#NROFF_MAN = nroff -man
-.1.cat1:
- $(NROFF_MAN) $< > $@
-.3.cat3:
- $(NROFF_MAN) $< > $@
-.5.cat5:
- $(NROFF_MAN) $< > $@
-.8.cat8:
- $(NROFF_MAN) $< > $@
-
-dist-cat1-mans:
- @foo='$(man1_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.1) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat3-mans:
- @foo='$(man3_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.3) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat5-mans:
- @foo='$(man5_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.5) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat8-mans:
- @foo='$(man8_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.8) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
-
-install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
-
-install-data-local: install-cat-mans
-
-.et.h:
- $(COMPILE_ET) $<
-.et.c:
- $(COMPILE_ET) $<
-
-login_access.c:
- $(LN_S) $(srcdir)/../login/login_access.c .
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/crypto/heimdal/appl/rsh/common.c b/crypto/heimdal/appl/rsh/common.c
deleted file mode 100644
index 69b0c9b5ddde..000000000000
--- a/crypto/heimdal/appl/rsh/common.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "rsh_locl.h"
-RCSID("$Id: common.c,v 1.16 2002/09/04 15:50:36 assar Exp $");
-
-#if defined(KRB4) || defined(KRB5)
-
-#ifdef KRB5
-int key_usage = 1026;
-
-void *ivec_in[2];
-void *ivec_out[2];
-
-void
-init_ivecs(int client)
-{
- size_t blocksize;
-
- krb5_crypto_getblocksize(context, crypto, &blocksize);
-
- ivec_in[0] = malloc(blocksize);
- memset(ivec_in[0], client, blocksize);
-
- ivec_in[1] = malloc(blocksize);
- memset(ivec_in[1], 2 | client, blocksize);
-
- ivec_out[0] = malloc(blocksize);
- memset(ivec_out[0], !client, blocksize);
-
- ivec_out[1] = malloc(blocksize);
- memset(ivec_out[1], 2 | !client, blocksize);
-}
-#endif
-
-
-ssize_t
-do_read (int fd, void *buf, size_t sz, void *ivec)
-{
- if (do_encrypt) {
-#ifdef KRB4
- if (auth_method == AUTH_KRB4) {
- return des_enc_read (fd, buf, sz, schedule, &iv);
- } else
-#endif /* KRB4 */
-#ifdef KRB5
- if(auth_method == AUTH_KRB5) {
- krb5_error_code ret;
- u_int32_t len, outer_len;
- int status;
- krb5_data data;
- void *edata;
-
- ret = krb5_net_read (context, &fd, &len, 4);
- if (ret <= 0)
- return ret;
- len = ntohl(len);
- if (len > sz)
- abort ();
- /* ivec will be non null for protocol version 2 */
- if(ivec != NULL)
- outer_len = krb5_get_wrapped_length (context, crypto, len + 4);
- else
- outer_len = krb5_get_wrapped_length (context, crypto, len);
- edata = malloc (outer_len);
- if (edata == NULL)
- errx (1, "malloc: cannot allocate %u bytes", outer_len);
- ret = krb5_net_read (context, &fd, edata, outer_len);
- if (ret <= 0)
- return ret;
-
- status = krb5_decrypt_ivec(context, crypto, key_usage,
- edata, outer_len, &data, ivec);
- free (edata);
-
- if (status)
- krb5_err (context, 1, status, "decrypting data");
- if(ivec != NULL) {
- unsigned long l;
- if(data.length < len + 4)
- errx (1, "data received is too short");
- _krb5_get_int(data.data, &l, 4);
- if(l != len)
- errx (1, "inconsistency in received data");
- memcpy (buf, (unsigned char *)data.data+4, len);
- } else
- memcpy (buf, data.data, len);
- krb5_data_free (&data);
- return len;
- } else
-#endif /* KRB5 */
- abort ();
- } else
- return read (fd, buf, sz);
-}
-
-ssize_t
-do_write (int fd, void *buf, size_t sz, void *ivec)
-{
- if (do_encrypt) {
-#ifdef KRB4
- if(auth_method == AUTH_KRB4) {
- return des_enc_write (fd, buf, sz, schedule, &iv);
- } else
-#endif /* KRB4 */
-#ifdef KRB5
- if(auth_method == AUTH_KRB5) {
- krb5_error_code status;
- krb5_data data;
- unsigned char len[4];
- int ret;
-
- _krb5_put_int(len, sz, 4);
- if(ivec != NULL) {
- unsigned char *tmp = malloc(sz + 4);
- if(tmp == NULL)
- err(1, "malloc");
- _krb5_put_int(tmp, sz, 4);
- memcpy(tmp + 4, buf, sz);
- status = krb5_encrypt_ivec(context, crypto, key_usage,
- tmp, sz + 4, &data, ivec);
- free(tmp);
- } else
- status = krb5_encrypt_ivec(context, crypto, key_usage,
- buf, sz, &data, ivec);
-
- if (status)
- krb5_err(context, 1, status, "encrypting data");
-
- ret = krb5_net_write (context, &fd, len, 4);
- if (ret != 4)
- return ret;
- ret = krb5_net_write (context, &fd, data.data, data.length);
- if (ret != data.length)
- return ret;
- free (data.data);
- return sz;
- } else
-#endif /* KRB5 */
- abort();
- } else
- return write (fd, buf, sz);
-}
-#endif /* KRB4 || KRB5 */
diff --git a/crypto/heimdal/appl/rsh/rsh.1 b/crypto/heimdal/appl/rsh/rsh.1
deleted file mode 100644
index 46652d8e2dc9..000000000000
--- a/crypto/heimdal/appl/rsh/rsh.1
+++ /dev/null
@@ -1,235 +0,0 @@
-.\" $Id: rsh.1,v 1.4 2002/09/04 13:01:52 joda Exp $
-.\"
-.Dd September 4, 2002
-.Dt RSH 1
-.Os HEIMDAL
-.Sh NAME
-.Nm rsh
-.Nd
-remote shell
-.Sh SYNOPSIS
-.Nm
-.Op Fl 45FGKdefnuxz
-.Op Fl U Pa string
-.Op Fl p Ar port
-.Op Fl l Ar username
-.Op Fl P Ar N|O
-.Ar host [command]
-.Sh DESCRIPTION
-.Nm
-authenticates to the
-.Xr rshd 8
-daemon on the remote
-.Ar host ,
-and then executes the specified
-.Ar command .
-.Pp
-.Nm
-copies its standard input to the remote command, and the standard
-output and error of the remote command to its own.
-.Pp
-Valid options are:
-.Bl -tag -width Ds
-.It Xo
-.Fl 4 ,
-.Fl -krb4
-.Xc
-The
-.Fl 4
-option requests Kerberos 4 authentication. Normally all supported
-authentication mechanisms will be tried, but in some cases more
-explicit control is desired.
-.It Xo
-.Fl 5 ,
-.Fl -krb5
-.Xc
-The
-.Fl 5
-option requests Kerberos 5 authentication. This is analogous to the
-.Fl 4
-option.
-.It Xo
-.Fl K ,
-.Fl -broken
-.Xc
-The
-.Fl K
-option turns off all Kerberos authentication. The long name implies
-that this is more or less totally unsecure. The security in this mode
-relies on reserved ports, which is not very secure.
-.It Xo
-.Fl n ,
-.Fl -no-input
-.Xc
-The
-.Fl n
-option directs the input from the
-.Pa /dev/null
-device (see the
-.Sx BUGS
-section of this manual page).
-.It Xo
-.Fl e ,
-.Fl -no-stderr
-.Xc
-Don't use a separate socket for the stderr stream. This can be
-necessary if rsh-ing through a NAT bridge.
-.It Xo
-.Fl x ,
-.Fl -encrypt
-.Xc
-The
-.Fl x
-option enables encryption for all data exchange. This is only valid
-for Kerberos authenticated connections (see the
-.Sx BUGS
-section for limitations).
-.It Xo
-.Fl z
-.Xc
-The opposite of
-.Fl x .
-This is the default, but encryption can be enabled when using
-Kerberos 5, by setting the
-.Li libdefaults/encrypt
-option in
-.Xr krb5.conf 5 .
-.It Xo
-.Fl f ,
-.Fl -forward
-.Xc
-Forward Kerberos 5 credentials to the remote host. Also controlled by
-.Li libdefaults/forward
-in
-.Xr krb5.conf 5 .
-.It Xo
-.Fl G
-.Xc
-The opposite of
-.Fl f .
-.It Xo
-.Fl F ,
-.Fl -forwardable
-.Xc
-Make the forwarded credentials re-forwardable. Also controlled by
-.Li libdefaults/forwardable
-in
-.Xr krb5.conf 5 .
-.It Xo
-.Fl u ,
-.Fl -unique
-.Xc
-Make sure the remote credentials cache is unique, that is, don't reuse
-any existing cache. Mutually exclusive to
-.Fl U .
-.It Xo
-.Fl U Pa string ,
-.Fl -tkfile= Ns Pa string
-.Xc
-Name of the remote credentials cache. Mutually exclusive to
-.Fl u .
-.It Xo
-.Fl p Ar number-or-service ,
-.Fl -port= Ns Ar number-or-service
-.Xc
-Connect to this port instead of the default (which is 514 when using
-old port based authentication, 544 for Kerberos 5 and non-encrypted
-Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
-the contents of
-.Pa /etc/services ) .
-.It Xo
-.Fl l Ar string ,
-.Fl -user= Ns Ar string
-.Xc
-By default the remote username is the same as the local. The
-.Fl l
-option or the
-.Pa username@host
-format allow the remote name to be specified.
-.It Xo
-.Fl P Ar N|O|1|2 ,
-.Fl -protocol= Ns Ar N|O|1|2
-.Xc
-Specifies which protocol version to use with Kerberos 5.
-.Ar N
-and
-.Ar 2
-selects protocol version 2, while
-.Ar O
-and
-.Ar 1
-selects version 1. Version 2 is beleived to be more secure, and is the
-default. Unless asked for a specific version,
-.Nm
-will try both. This behaviour may change in the future.
-.El
-.\".Pp
-.\"Without a
-.\".Ar command
-.\".Nm
-.\"will just exec
-.\".Xr rlogin 1
-.\"with the same arguments.
-.Sh EXAMPLES
-Care should be taken when issuing commands containing shell meta
-characters. Without quoting, these will be expanded on the local
-machine.
-.Pp
-The following command:
-.Pp
-.Dl rsh otherhost cat remotefile > localfile
-.Pp
-will write the contents of the remote
-.Pa remotefile
-to the local
-.Pa localfile ,
-but:
-.Pp
-.Dl rsh otherhost 'cat remotefile > remotefile2'
-.Pp
-will write it to the remote
-.Pa remotefile2 .
-.\".Sh ENVIRONMENT
-.Sh FILES
-.Bl -tag -width /etc/hosts -compact
-.It Pa /etc/hosts
-.El
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr rlogin 1 ,
-.Xr krb_realmofhost 3 ,
-.Xr krb_sendauth 3 ,
-.Xr hosts.equiv 5 ,
-.Xr krb5.conf 5 ,
-.Xr rhosts 5 ,
-.Xr kerberos 8
-.Xr rshd 8
-.\".Sh STANDARDS
-.Sh HISTORY
-The
-.Nm
-command appeared in
-.Bx 4.2 .
-.Sh AUTHORS
-This implementation of
-.Nm
-was written as part of the Heimdal Kerberos 5 implementation.
-.Sh BUGS
-Some shells (notably
-.Xr csh 1 )
-will cause
-.Nm
-to block if run in the background, unless the standard input is directed away from the terminal. This is what the
-.Fl n
-option is for.
-.Pp
-The
-.Fl x
-options enables encryption for the session, but for both Kerberos 4
-and 5 the actual command is sent unencrypted, so you should not send
-any secret information in the command line (which is probably a bad
-idea anyway, since the command line can usually be read with tools
-like
-.Xr ps 1 ) .
-Forthermore in Kerberos 4 the command is not even integrity
-protected, so anyone with the right tools can modify the command.
diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c
deleted file mode 100644
index 6ae9646a1cd8..000000000000
--- a/crypto/heimdal/appl/rsh/rsh.c
+++ /dev/null
@@ -1,1104 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "rsh_locl.h"
-RCSID("$Id: rsh.c,v 1.68 2002/09/04 21:40:04 joda Exp $");
-
-enum auth_method auth_method;
-#if defined(KRB4) || defined(KRB5)
-int do_encrypt = -1;
-#endif
-#ifdef KRB5
-int do_unique_tkfile = 0;
-char *unique_tkfile = NULL;
-char tkfile[MAXPATHLEN];
-int do_forward = -1;
-int do_forwardable = -1;
-krb5_context context;
-krb5_keyblock *keyblock;
-krb5_crypto crypto;
-#endif
-#ifdef KRB4
-des_key_schedule schedule;
-des_cblock iv;
-#endif
-int sock_debug = 0;
-
-#ifdef KRB4
-static int use_v4 = -1;
-#endif
-#ifdef KRB5
-static int use_v5 = -1;
-#endif
-static int use_only_broken = 0;
-static int use_broken = 1;
-static char *port_str;
-static const char *user;
-static int do_version;
-static int do_help;
-static int do_errsock = 1;
-static char *protocol_version_str;
-static int protocol_version = 2;
-
-/*
- *
- */
-
-static int input = 1; /* Read from stdin */
-
-static int
-loop (int s, int errsock)
-{
- fd_set real_readset;
- int count = 1;
-
-#ifdef KRB5
- if(auth_method == AUTH_KRB5 && protocol_version == 2)
- init_ivecs(1);
-#endif
-
- if (s >= FD_SETSIZE || errsock >= FD_SETSIZE)
- errx (1, "fd too large");
-
- FD_ZERO(&real_readset);
- FD_SET(s, &real_readset);
- if (errsock != -1) {
- FD_SET(errsock, &real_readset);
- ++count;
- }
- if(input)
- FD_SET(STDIN_FILENO, &real_readset);
-
- for (;;) {
- int ret;
- fd_set readset;
- char buf[RSH_BUFSIZ];
-
- readset = real_readset;
- ret = select (max(s, errsock) + 1, &readset, NULL, NULL, NULL);
- if (ret < 0) {
- if (errno == EINTR)
- continue;
- else
- err (1, "select");
- }
- if (FD_ISSET(s, &readset)) {
- ret = do_read (s, buf, sizeof(buf), ivec_in[0]);
- if (ret < 0)
- err (1, "read");
- else if (ret == 0) {
- close (s);
- FD_CLR(s, &real_readset);
- if (--count == 0)
- return 0;
- } else
- net_write (STDOUT_FILENO, buf, ret);
- }
- if (errsock != -1 && FD_ISSET(errsock, &readset)) {
- ret = do_read (errsock, buf, sizeof(buf), ivec_in[1]);
- if (ret < 0)
- err (1, "read");
- else if (ret == 0) {
- close (errsock);
- FD_CLR(errsock, &real_readset);
- if (--count == 0)
- return 0;
- } else
- net_write (STDERR_FILENO, buf, ret);
- }
- if (FD_ISSET(STDIN_FILENO, &readset)) {
- ret = read (STDIN_FILENO, buf, sizeof(buf));
- if (ret < 0)
- err (1, "read");
- else if (ret == 0) {
- close (STDIN_FILENO);
- FD_CLR(STDIN_FILENO, &real_readset);
- shutdown (s, SHUT_WR);
- } else
- do_write (s, buf, ret, ivec_out[0]);
- }
- }
-}
-
-#ifdef KRB4
-static int
-send_krb4_auth(int s,
- struct sockaddr *thisaddr,
- struct sockaddr *thataddr,
- const char *hostname,
- const char *remote_user,
- const char *local_user,
- size_t cmd_len,
- const char *cmd)
-{
- KTEXT_ST text;
- CREDENTIALS cred;
- MSG_DAT msg;
- int status;
- size_t len;
-
- status = krb_sendauth (do_encrypt ? KOPT_DO_MUTUAL : 0,
- s, &text, "rcmd",
- (char *)hostname, krb_realmofhost (hostname),
- getpid(), &msg, &cred, schedule,
- (struct sockaddr_in *)thisaddr,
- (struct sockaddr_in *)thataddr,
- KCMD_OLD_VERSION);
- if (status != KSUCCESS) {
- warnx("%s: %s", hostname, krb_get_err_text(status));
- return 1;
- }
- memcpy (iv, cred.session, sizeof(iv));
-
- len = strlen(remote_user) + 1;
- if (net_write (s, remote_user, len) != len) {
- warn("write");
- return 1;
- }
- if (net_write (s, cmd, cmd_len) != cmd_len) {
- warn("write");
- return 1;
- }
- return 0;
-}
-#endif /* KRB4 */
-
-#ifdef KRB5
-/*
- * Send forward information on `s' for host `hostname', them being
- * forwardable themselves if `forwardable'
- */
-
-static int
-krb5_forward_cred (krb5_auth_context auth_context,
- int s,
- const char *hostname,
- int forwardable)
-{
- krb5_error_code ret;
- krb5_ccache ccache;
- krb5_creds creds;
- krb5_kdc_flags flags;
- krb5_data out_data;
- krb5_principal principal;
-
- memset (&creds, 0, sizeof(creds));
-
- ret = krb5_cc_default (context, &ccache);
- if (ret) {
- warnx ("could not forward creds: krb5_cc_default: %s",
- krb5_get_err_text (context, ret));
- return 1;
- }
-
- ret = krb5_cc_get_principal (context, ccache, &principal);
- if (ret) {
- warnx ("could not forward creds: krb5_cc_get_principal: %s",
- krb5_get_err_text (context, ret));
- return 1;
- }
-
- creds.client = principal;
-
- ret = krb5_build_principal (context,
- &creds.server,
- strlen(principal->realm),
- principal->realm,
- "krbtgt",
- principal->realm,
- NULL);
-
- if (ret) {
- warnx ("could not forward creds: krb5_build_principal: %s",
- krb5_get_err_text (context, ret));
- return 1;
- }
-
- creds.times.endtime = 0;
-
- flags.i = 0;
- flags.b.forwarded = 1;
- flags.b.forwardable = forwardable;
-
- ret = krb5_get_forwarded_creds (context,
- auth_context,
- ccache,
- flags.i,
- hostname,
- &creds,
- &out_data);
- if (ret) {
- warnx ("could not forward creds: krb5_get_forwarded_creds: %s",
- krb5_get_err_text (context, ret));
- return 1;
- }
-
- ret = krb5_write_message (context,
- (void *)&s,
- &out_data);
- krb5_data_free (&out_data);
-
- if (ret)
- warnx ("could not forward creds: krb5_write_message: %s",
- krb5_get_err_text (context, ret));
- return 0;
-}
-
-static int sendauth_version_error;
-
-static int
-send_krb5_auth(int s,
- struct sockaddr *thisaddr,
- struct sockaddr *thataddr,
- const char *hostname,
- const char *remote_user,
- const char *local_user,
- size_t cmd_len,
- const char *cmd)
-{
- krb5_principal server;
- krb5_data cksum_data;
- int status;
- size_t len;
- krb5_auth_context auth_context = NULL;
- const char *protocol_string = NULL;
- krb5_flags ap_opts;
-
- status = krb5_sname_to_principal(context,
- hostname,
- "host",
- KRB5_NT_SRV_HST,
- &server);
- if (status) {
- warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
- return 1;
- }
-
- cksum_data.length = asprintf ((char **)&cksum_data.data,
- "%u:%s%s%s",
- ntohs(socket_get_port(thataddr)),
- do_encrypt ? "-x " : "",
- cmd,
- remote_user);
-
- ap_opts = 0;
-
- if(do_encrypt)
- ap_opts |= AP_OPTS_MUTUAL_REQUIRED;
-
- switch(protocol_version) {
- case 2:
- ap_opts |= AP_OPTS_USE_SUBKEY;
- protocol_string = KCMD_NEW_VERSION;
- break;
- case 1:
- protocol_string = KCMD_OLD_VERSION;
- key_usage = KRB5_KU_OTHER_ENCRYPTED;
- break;
- default:
- abort();
- }
-
- status = krb5_sendauth (context,
- &auth_context,
- &s,
- protocol_string,
- NULL,
- server,
- ap_opts,
- &cksum_data,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL);
-
- krb5_free_principal(context, server);
- krb5_data_free(&cksum_data);
-
- if (status) {
- if(status == KRB5_SENDAUTH_REJECTED &&
- protocol_version == 2 && protocol_version_str == NULL)
- sendauth_version_error = 1;
- else
- krb5_warn(context, status, "%s", hostname);
- return 1;
- }
-
- status = krb5_auth_con_getlocalsubkey (context, auth_context, &keyblock);
- if(keyblock == NULL)
- status = krb5_auth_con_getkey (context, auth_context, &keyblock);
- if (status) {
- warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status));
- return 1;
- }
-
- status = krb5_auth_con_setaddrs_from_fd (context,
- auth_context,
- &s);
- if (status) {
- warnx("krb5_auth_con_setaddrs_from_fd: %s",
- krb5_get_err_text(context, status));
- return(1);
- }
-
- status = krb5_crypto_init(context, keyblock, 0, &crypto);
- if(status) {
- warnx ("krb5_crypto_init: %s", krb5_get_err_text(context, status));
- return 1;
- }
-
- len = strlen(remote_user) + 1;
- if (net_write (s, remote_user, len) != len) {
- warn ("write");
- return 1;
- }
- if (do_encrypt && net_write (s, "-x ", 3) != 3) {
- warn ("write");
- return 1;
- }
- if (net_write (s, cmd, cmd_len) != cmd_len) {
- warn ("write");
- return 1;
- }
-
- if (do_unique_tkfile) {
- if (net_write (s, tkfile, strlen(tkfile)) != strlen(tkfile)) {
- warn ("write");
- return 1;
- }
- }
- len = strlen(local_user) + 1;
- if (net_write (s, local_user, len) != len) {
- warn ("write");
- return 1;
- }
-
- if (!do_forward
- || krb5_forward_cred (auth_context, s, hostname, do_forwardable)) {
- /* Empty forwarding info */
-
- u_char zero[4] = {0, 0, 0, 0};
- write (s, &zero, 4);
- }
- krb5_auth_con_free (context, auth_context);
- return 0;
-}
-
-#endif /* KRB5 */
-
-static int
-send_broken_auth(int s,
- struct sockaddr *thisaddr,
- struct sockaddr *thataddr,
- const char *hostname,
- const char *remote_user,
- const char *local_user,
- size_t cmd_len,
- const char *cmd)
-{
- size_t len;
-
- len = strlen(local_user) + 1;
- if (net_write (s, local_user, len) != len) {
- warn ("write");
- return 1;
- }
- len = strlen(remote_user) + 1;
- if (net_write (s, remote_user, len) != len) {
- warn ("write");
- return 1;
- }
- if (net_write (s, cmd, cmd_len) != cmd_len) {
- warn ("write");
- return 1;
- }
- return 0;
-}
-
-static int
-proto (int s, int errsock,
- const char *hostname, const char *local_user, const char *remote_user,
- const char *cmd, size_t cmd_len,
- int (*auth_func)(int s,
- struct sockaddr *this, struct sockaddr *that,
- const char *hostname, const char *remote_user,
- const char *local_user, size_t cmd_len,
- const char *cmd))
-{
- int errsock2;
- char buf[BUFSIZ];
- char *p;
- size_t len;
- char reply;
- struct sockaddr_storage thisaddr_ss;
- struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
- struct sockaddr_storage thataddr_ss;
- struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
- struct sockaddr_storage erraddr_ss;
- struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
- socklen_t addrlen;
- int ret;
-
- addrlen = sizeof(thisaddr_ss);
- if (getsockname (s, thisaddr, &addrlen) < 0) {
- warn ("getsockname(%s)", hostname);
- return 1;
- }
- addrlen = sizeof(thataddr_ss);
- if (getpeername (s, thataddr, &addrlen) < 0) {
- warn ("getpeername(%s)", hostname);
- return 1;
- }
-
- if (errsock != -1) {
-
- addrlen = sizeof(erraddr_ss);
- if (getsockname (errsock, erraddr, &addrlen) < 0) {
- warn ("getsockname");
- return 1;
- }
-
- if (listen (errsock, 1) < 0) {
- warn ("listen");
- return 1;
- }
-
- p = buf;
- snprintf (p, sizeof(buf), "%u",
- ntohs(socket_get_port(erraddr)));
- len = strlen(buf) + 1;
- if(net_write (s, buf, len) != len) {
- warn ("write");
- close (errsock);
- return 1;
- }
-
-
- for (;;) {
- fd_set fdset;
-
- if (errsock >= FD_SETSIZE || s >= FD_SETSIZE)
- errx (1, "fd too large");
-
- FD_ZERO(&fdset);
- FD_SET(errsock, &fdset);
- FD_SET(s, &fdset);
-
- ret = select (max(errsock, s) + 1, &fdset, NULL, NULL, NULL);
- if (ret < 0) {
- if (errno == EINTR)
- continue;
- warn ("select");
- close (errsock);
- return 1;
- }
- if (FD_ISSET(errsock, &fdset)) {
- errsock2 = accept (errsock, NULL, NULL);
- close (errsock);
- if (errsock2 < 0) {
- warn ("accept");
- return 1;
- }
- break;
- }
-
- /*
- * there should not arrive any data on this fd so if it's
- * readable it probably indicates that the other side when
- * away.
- */
-
- if (FD_ISSET(s, &fdset)) {
- warnx ("socket closed");
- close (errsock);
- errsock2 = -1;
- break;
- }
- }
- } else {
- if (net_write (s, "0", 2) != 2) {
- warn ("write");
- return 1;
- }
- errsock2 = -1;
- }
-
- if ((*auth_func)(s, thisaddr, thataddr, hostname,
- remote_user, local_user,
- cmd_len, cmd)) {
- close (errsock2);
- return 1;
- }
-
- ret = net_read (s, &reply, 1);
- if (ret < 0) {
- warn ("read");
- close (errsock2);
- return 1;
- } else if (ret == 0) {
- warnx ("unexpected EOF from %s", hostname);
- close (errsock2);
- return 1;
- }
- if (reply != 0) {
-
- warnx ("Error from rshd at %s:", hostname);
-
- while ((ret = read (s, buf, sizeof(buf))) > 0)
- write (STDOUT_FILENO, buf, ret);
- write (STDOUT_FILENO,"\n",1);
- close (errsock2);
- return 1;
- }
-
- if (sock_debug) {
- int one = 1;
- if (setsockopt(s, SOL_SOCKET, SO_DEBUG, (void *)&one, sizeof(one)) < 0)
- warn("setsockopt remote");
- if (errsock2 != -1 &&
- setsockopt(errsock2, SOL_SOCKET, SO_DEBUG,
- (void *)&one, sizeof(one)) < 0)
- warn("setsockopt stderr");
- }
-
- return loop (s, errsock2);
-}
-
-/*
- * Return in `res' a copy of the concatenation of `argc, argv' into
- * malloced space. */
-
-static size_t
-construct_command (char **res, int argc, char **argv)
-{
- int i;
- size_t len = 0;
- char *tmp;
-
- for (i = 0; i < argc; ++i)
- len += strlen(argv[i]) + 1;
- len = max (1, len);
- tmp = malloc (len);
- if (tmp == NULL)
- errx (1, "malloc %u failed", len);
-
- *tmp = '\0';
- for (i = 0; i < argc - 1; ++i) {
- strcat (tmp, argv[i]);
- strcat (tmp, " ");
- }
- if (argc > 0)
- strcat (tmp, argv[argc-1]);
- *res = tmp;
- return len;
-}
-
-static char *
-print_addr (const struct sockaddr_in *sin)
-{
- char addr_str[256];
- char *res;
-
- inet_ntop (AF_INET, &sin->sin_addr, addr_str, sizeof(addr_str));
- res = strdup(addr_str);
- if (res == NULL)
- errx (1, "malloc: out of memory");
- return res;
-}
-
-static int
-doit_broken (int argc,
- char **argv,
- int optind,
- struct addrinfo *ai,
- const char *remote_user,
- const char *local_user,
- int priv_socket1,
- int priv_socket2,
- const char *cmd,
- size_t cmd_len)
-{
- struct addrinfo *a;
-
- if (connect (priv_socket1, ai->ai_addr, ai->ai_addrlen) < 0) {
- if (ai->ai_next == NULL)
- return 1;
-
- close(priv_socket1);
- close(priv_socket2);
-
- for (a = ai->ai_next; a != NULL; a = a->ai_next) {
- pid_t pid;
-
- pid = fork();
- if (pid < 0)
- err (1, "fork");
- else if(pid == 0) {
- char **new_argv;
- int i = 0;
- struct sockaddr_in *sin = (struct sockaddr_in *)a->ai_addr;
-
- new_argv = malloc((argc + 2) * sizeof(*new_argv));
- if (new_argv == NULL)
- errx (1, "malloc: out of memory");
- new_argv[i] = argv[i];
- ++i;
- if (optind == i)
- new_argv[i++] = print_addr (sin);
- new_argv[i++] = "-K";
- for(; i <= argc; ++i)
- new_argv[i] = argv[i - 1];
- if (optind > 1)
- new_argv[optind + 1] = print_addr(sin);
- new_argv[argc + 1] = NULL;
- execv(PATH_RSH, new_argv);
- err(1, "execv(%s)", PATH_RSH);
- } else {
- int status;
-
- while(waitpid(pid, &status, 0) < 0)
- ;
- if(WIFEXITED(status) && WEXITSTATUS(status) == 0)
- return 0;
- }
- }
- return 1;
- } else {
- int ret;
-
- ret = proto (priv_socket1, priv_socket2,
- argv[optind],
- local_user, remote_user,
- cmd, cmd_len,
- send_broken_auth);
- return ret;
- }
-}
-
-#if defined(KRB4) || defined(KRB5)
-static int
-doit (const char *hostname,
- struct addrinfo *ai,
- const char *remote_user,
- const char *local_user,
- const char *cmd,
- size_t cmd_len,
- int do_errsock,
- int (*auth_func)(int s,
- struct sockaddr *this, struct sockaddr *that,
- const char *hostname, const char *remote_user,
- const char *local_user, size_t cmd_len,
- const char *cmd))
-{
- int error;
- struct addrinfo *a;
- int socketfailed = 1;
- int ret;
-
- for (a = ai; a != NULL; a = a->ai_next) {
- int s;
- int errsock;
-
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (s < 0)
- continue;
- socketfailed = 0;
- if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
- char addr[128];
- if(getnameinfo(a->ai_addr, a->ai_addrlen,
- addr, sizeof(addr), NULL, 0, NI_NUMERICHOST) == 0)
- warn ("connect(%s [%s])", hostname, addr);
- else
- warn ("connect(%s)", hostname);
- close (s);
- continue;
- }
- if (do_errsock) {
- struct addrinfo *ea, *eai;
- struct addrinfo hints;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = a->ai_socktype;
- hints.ai_protocol = a->ai_protocol;
- hints.ai_family = a->ai_family;
- hints.ai_flags = AI_PASSIVE;
-
- errsock = -1;
-
- error = getaddrinfo (NULL, "0", &hints, &eai);
- if (error)
- errx (1, "getaddrinfo: %s", gai_strerror(error));
- for (ea = eai; ea != NULL; ea = ea->ai_next) {
- errsock = socket (ea->ai_family, ea->ai_socktype,
- ea->ai_protocol);
- if (errsock < 0)
- continue;
- if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0)
- err (1, "bind");
- break;
- }
- if (errsock < 0)
- err (1, "socket");
- freeaddrinfo (eai);
- } else
- errsock = -1;
-
- ret = proto (s, errsock,
- hostname,
- local_user, remote_user,
- cmd, cmd_len, auth_func);
- close (s);
- return ret;
- }
- if(socketfailed)
- warnx ("failed to contact %s", hostname);
- return -1;
-}
-#endif /* KRB4 || KRB5 */
-
-struct getargs args[] = {
-#ifdef KRB4
- { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4" },
-#endif
-#ifdef KRB5
- { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5" },
- { "forward", 'f', arg_flag, &do_forward, "Forward credentials (krb5)"},
- { NULL, 'G', arg_negative_flag,&do_forward, "Don't forward credentials" },
- { "forwardable", 'F', arg_flag, &do_forwardable,
- "Forward forwardable credentials" },
-#endif
-#if defined(KRB4) || defined(KRB5)
- { "broken", 'K', arg_flag, &use_only_broken, "Use only priv port" },
- { "encrypt", 'x', arg_flag, &do_encrypt, "Encrypt connection" },
- { NULL, 'z', arg_negative_flag, &do_encrypt,
- "Don't encrypt connection", NULL },
-#endif
-#ifdef KRB5
- { "unique", 'u', arg_flag, &do_unique_tkfile,
- "Use unique remote tkfile (krb5)" },
- { "tkfile", 'U', arg_string, &unique_tkfile,
- "Use that remote tkfile (krb5)" },
-#endif
- { NULL, 'd', arg_flag, &sock_debug, "Enable socket debugging" },
- { "input", 'n', arg_negative_flag, &input, "Close stdin" },
- { "port", 'p', arg_string, &port_str, "Use this port",
- "port" },
- { "user", 'l', arg_string, &user, "Run as this user", "login" },
- { "stderr", 'e', arg_negative_flag, &do_errsock, "Don't open stderr"},
- { "protocol", 'P', arg_string, &protocol_version_str,
- "Protocol version", "protocol" },
- { "version", 0, arg_flag, &do_version, NULL },
- { "help", 0, arg_flag, &do_help, NULL }
-};
-
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args) / sizeof(args[0]),
- NULL,
- "[login@]host [command]");
- exit (ret);
-}
-
-/*
- *
- */
-
-int
-main(int argc, char **argv)
-{
- int priv_port1, priv_port2;
- int priv_socket1, priv_socket2;
- int optind = 0;
- int error;
- struct addrinfo hints, *ai;
- int ret = 1;
- char *cmd;
- char *tmp;
- size_t cmd_len;
- const char *local_user;
- char *host = NULL;
- int host_index = -1;
-#ifdef KRB5
- int status;
-#endif
- uid_t uid;
-
- priv_port1 = priv_port2 = IPPORT_RESERVED-1;
- priv_socket1 = rresvport(&priv_port1);
- priv_socket2 = rresvport(&priv_port2);
- uid = getuid ();
- if (setuid (uid) || (uid != 0 && setuid(0) == 0))
- err (1, "setuid");
-
- setprogname (argv[0]);
-
- if (argc >= 2 && argv[1][0] != '-') {
- host = argv[host_index = 1];
- optind = 1;
- }
-
- if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
- &optind))
- usage (1);
-
- if (do_help)
- usage (0);
-
- if (do_version) {
- print_version (NULL);
- return 0;
- }
-
- if(protocol_version_str != NULL) {
- if(strcasecmp(protocol_version_str, "N") == 0)
- protocol_version = 2;
- else if(strcasecmp(protocol_version_str, "O") == 0)
- protocol_version = 1;
- else {
- char *end;
- int v;
- v = strtol(protocol_version_str, &end, 0);
- if(*end != '\0' || (v != 1 && v != 2)) {
- errx(1, "unknown protocol version \"%s\"",
- protocol_version_str);
- }
- protocol_version = v;
- }
- }
-
-#ifdef KRB5
- status = krb5_init_context (&context);
- if (status) {
- if(use_v5 == 1)
- errx(1, "krb5_init_context failed: %d", status);
- else
- use_v5 = 0;
- }
-
- if (do_forwardable == -1)
- do_forwardable = krb5_config_get_bool (context, NULL,
- "libdefaults",
- "forwardable",
- NULL);
-
- if (do_forward == -1)
- do_forward = krb5_config_get_bool (context, NULL,
- "libdefaults",
- "forward",
- NULL);
- else if (do_forward == 0)
- do_forwardable = 0;
-
- if (do_forwardable)
- do_forward = 1;
-#endif
-#if defined(KRB4) || defined(KRB5)
- if (do_encrypt == -1) {
- /* we want to tell the -x flag from the default encryption
- option */
-#ifdef KRB5
- /* the normal default for krb4 should be to disable encryption */
- if(!krb5_config_get_bool (context, NULL,
- "libdefaults",
- "encrypt",
- NULL))
-#endif
- do_encrypt = 0;
- }
-#endif
-
-#if defined(KRB4) && defined(KRB5)
- if(use_v4 == -1 && use_v5 == 1)
- use_v4 = 0;
- if(use_v5 == -1 && use_v4 == 1)
- use_v5 = 0;
-#endif
-
- if (use_only_broken) {
-#ifdef KRB4
- use_v4 = 0;
-#endif
-#ifdef KRB5
- use_v5 = 0;
-#endif
- }
-
- if(priv_socket1 < 0) {
- if (use_only_broken)
- errx (1, "unable to bind reserved port: is rsh setuid root?");
- use_broken = 0;
- }
-
-#if defined(KRB4) || defined(KRB5)
- if (do_encrypt == 1 && use_only_broken)
- errx (1, "encryption not supported with old style authentication");
-#endif
-
-
-
-#ifdef KRB5
- if (do_unique_tkfile && unique_tkfile != NULL)
- errx (1, "Only one of -u and -U allowed.");
-
- if (do_unique_tkfile)
- strcpy(tkfile,"-u ");
- else if (unique_tkfile != NULL) {
- if (strchr(unique_tkfile,' ') != NULL) {
- warnx("Space is not allowed in tkfilename");
- usage(1);
- }
- do_unique_tkfile = 1;
- snprintf (tkfile, sizeof(tkfile), "-U %s ", unique_tkfile);
- }
-#endif
-
- if (host == NULL) {
- if (argc - optind < 1)
- usage (1);
- else
- host = argv[host_index = optind++];
- }
-
- if((tmp = strchr(host, '@')) != NULL) {
- *tmp++ = '\0';
- user = host;
- host = tmp;
- }
-
- if (optind == argc) {
- close (priv_socket1);
- close (priv_socket2);
- argv[0] = "rlogin";
- execvp ("rlogin", argv);
- err (1, "execvp rlogin");
- }
-
- local_user = get_default_username ();
- if (local_user == NULL)
- errx (1, "who are you?");
-
- if (user == NULL)
- user = local_user;
-
- cmd_len = construct_command(&cmd, argc - optind, argv + optind);
-
- /*
- * Try all different authentication methods
- */
-
-#ifdef KRB5
- if (ret && use_v5) {
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
-
- if(port_str == NULL) {
- error = getaddrinfo(host, "kshell", &hints, &ai);
- if(error == EAI_NONAME)
- error = getaddrinfo(host, "544", &hints, &ai);
- } else
- error = getaddrinfo(host, port_str, &hints, &ai);
-
- if(error)
- errx (1, "getaddrinfo: %s", gai_strerror(error));
-
- auth_method = AUTH_KRB5;
- again:
- ret = doit (host, ai, user, local_user, cmd, cmd_len,
- do_errsock,
- send_krb5_auth);
- if(ret != 0 && sendauth_version_error &&
- protocol_version == 2) {
- protocol_version = 1;
- goto again;
- }
- freeaddrinfo(ai);
- }
-#endif
-#ifdef KRB4
- if (ret && use_v4) {
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
-
- if(port_str == NULL) {
- if(do_encrypt) {
- error = getaddrinfo(host, "ekshell", &hints, &ai);
- if(error == EAI_NONAME)
- error = getaddrinfo(host, "545", &hints, &ai);
- } else {
- error = getaddrinfo(host, "kshell", &hints, &ai);
- if(error == EAI_NONAME)
- error = getaddrinfo(host, "544", &hints, &ai);
- }
- } else
- error = getaddrinfo(host, port_str, &hints, &ai);
-
- if(error)
- errx (1, "getaddrinfo: %s", gai_strerror(error));
- auth_method = AUTH_KRB4;
- ret = doit (host, ai, user, local_user, cmd, cmd_len,
- do_errsock,
- send_krb4_auth);
- freeaddrinfo(ai);
- }
-#endif
- if (ret && use_broken) {
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
-
- if(port_str == NULL) {
- error = getaddrinfo(host, "shell", &hints, &ai);
- if(error == EAI_NONAME)
- error = getaddrinfo(host, "514", &hints, &ai);
- } else
- error = getaddrinfo(host, port_str, &hints, &ai);
-
- if(error)
- errx (1, "getaddrinfo: %s", gai_strerror(error));
-
- auth_method = AUTH_BROKEN;
- ret = doit_broken (argc, argv, host_index, ai,
- user, local_user,
- priv_socket1,
- do_errsock ? priv_socket2 : -1,
- cmd, cmd_len);
- freeaddrinfo(ai);
- }
- free(cmd);
- return ret;
-}
diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h
deleted file mode 100644
index 0d54a3e5c948..000000000000
--- a/crypto/heimdal/appl/rsh/rsh_locl.h
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: rsh_locl.h,v 1.28 2002/09/03 20:03:46 joda Exp $ */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <assert.h>
-#include <stdarg.h>
-#include <ctype.h>
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef HAVE_SYS_WAIT_H
-#include <sys/wait.h>
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_NETINET6_IN6_H
-#include <netinet6/in6.h>
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include <arpa/inet.h>
-#endif
-
-#ifdef HAVE_PWD_H
-#include <pwd.h>
-#endif
-#ifdef HAVE_SHADOW_H
-#include <shadow.h>
-#endif
-#ifdef HAVE_NETDB_H
-#include <netdb.h>
-#endif
-#include <errno.h>
-
-#ifdef HAVE_SYS_PARAM_H
-#include <sys/param.h>
-#endif
-
-#ifdef HAVE_SYSLOG_H
-#include <syslog.h>
-#endif
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <err.h>
-#include <roken.h>
-#include <getarg.h>
-#ifdef KRB4
-#include <krb.h>
-#include <prot.h>
-#endif
-#ifdef KRB5
-#include <krb5.h>
-#include <krb5-private.h> /* for _krb5_{get,put}_int */
-#endif
-#ifdef KRB4
-#include <kafs.h>
-#endif
-
-#ifndef _PATH_NOLOGIN
-#define _PATH_NOLOGIN "/etc/nologin"
-#endif
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
-
-#ifndef _PATH_DEFPATH
-#define _PATH_DEFPATH "/usr/bin:/bin"
-#endif
-
-#ifndef _PATH_ETC_ENVIRONMENT
-#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
-#endif
-
-/*
- *
- */
-
-enum auth_method { AUTH_KRB4, AUTH_KRB5, AUTH_BROKEN };
-
-extern enum auth_method auth_method;
-extern int do_encrypt;
-#ifdef KRB5
-extern krb5_context context;
-extern krb5_keyblock *keyblock;
-extern krb5_crypto crypto;
-extern int key_usage;
-extern void *ivec_in[2];
-extern void *ivec_out[2];
-void init_ivecs(int);
-#endif
-#ifdef KRB4
-extern des_key_schedule schedule;
-extern des_cblock iv;
-#endif
-
-#define KCMD_OLD_VERSION "KCMDV0.1"
-#define KCMD_NEW_VERSION "KCMDV0.2"
-
-#define USERNAME_SZ 16
-#define COMMAND_SZ 1024
-
-#define RSH_BUFSIZ (5 * 1024) /* MIT kcmd can't handle larger buffers */
-
-#define PATH_RSH BINDIR "/rsh"
-
-#if defined(KRB4) || defined(KRB5)
-ssize_t do_read (int, void*, size_t, void*);
-ssize_t do_write (int, void*, size_t, void*);
-#else
-#define do_write(F, B, L, I) write((F), (B), (L))
-#define do_read(F, B, L, I) read((F), (B), (L))
-#endif
diff --git a/crypto/heimdal/appl/rsh/rshd.8 b/crypto/heimdal/appl/rsh/rshd.8
deleted file mode 100644
index 22ad0fcc8b7c..000000000000
--- a/crypto/heimdal/appl/rsh/rshd.8
+++ /dev/null
@@ -1,130 +0,0 @@
-.\" Things to fix:
-.\" * remove Op from mandatory flags
-.\" * use better macros for arguments (like .Pa for files)
-.\"
-.Dd July 31, 2001
-.Dt RSHD 8
-.Os HEIMDAL
-.Sh NAME
-.Nm rshd
-.Nd
-remote shell server
-.Sh SYNOPSIS
-.Nm
-.Op Fl aiklnvxPL
-.Op Fl p Ar port
-.Sh DESCRIPTION
-.Nm
-is the server for
-the
-.Xr rsh 1
-program. It provides an authenticated remote command execution
-service. Supported options are:
-.Bl -tag -width Ds
-.It Xo
-.Fl n ,
-.Fl -no-keepalive
-.Xc
-Disables keep-alive messages. Keep-alives are packets sent a certain
-interval to make sure that the client is still there, even when it
-doesn't send any data.
-.It Xo
-.Fl k ,
-.Fl -kerberos
-.Xc
-Assume that clients connecting to this server will use some form of
-Kerberos authentication. See the
-.Sx EXAMPLES
-section for a sample
-.Xr inetd.conf 5
-configuration.
-.It Xo
-.Fl x ,
-.Fl -encrypt
-.Xc
-For Kerberos 4 this means that the connections are encrypted. Kerberos
-5 will negotiate encryption inline. This option implies
-.Fl k .
-.\".It Xo
-.\".Fl l ,
-.\".Fl -no-rhosts
-.\".Xc
-.\"When using old port-based authentication, the user's
-.\".Pa .rhosts
-.\"files are normally checked. This options disables this.
-.It Xo
-.Fl v ,
-.Fl -vacuous
-.Xc
-If the connecting client does not use any Kerberised authentication,
-print a message that complains about this fact, and exit. This is
-helpful if you want to move away from old port-based authentication.
-.It Xo
-.Fl P
-.Xc
-When using the AFS filesystem, users' authentication tokens are put in
-something called a PAG (Process Authentication Group). Multiple
-processes can share a PAG, but normally each login session has its own
-PAG. This option disables the
-.Fn setpag
-call, so all tokens will be put in the default (uid-based) PAG, making
-it possible to share tokens between sessions. This is only useful in
-peculiar environments, such as some batch systems.
-.It Xo
-.Fl i ,
-.Fl -no-inetd
-.Xc
-The
-.Fl i
-option will cause
-.Nm
-to create a socket, instead of assuming that its stdin came from
-.Xr inetd 8 .
-This is mostly useful for debugging.
-.It Xo
-.Fl p Ar port ,
-.Fl -port= Ns Ar port
-.Xc
-Port to use with
-.Fl i .
-.It Xo
-.Fl a
-.Xc
-This flag is for backwards compatibility only.
-.It Xo
-.Fl L
-.Xc
-This flag enables logging of connections to
-.Xr syslogd 8 .
-This option is always on in this implementation.
-.El
-.\".Sh ENVIRONMENT
-.Sh FILES
-.Bl -tag -width /etc/hosts.equiv -compact
-.It Pa /etc/hosts.equiv
-.It Pa ~/.rhosts
-.El
-.Sh EXAMPLES
-The following can be used to enable Kerberised rsh in
-.Xr inetd.cond 5 ,
-while disabling non-Kerberised connections:
-.Bd -literal
-shell stream tcp nowait root /usr/libexec/rshd rshd -v
-kshell stream tcp nowait root /usr/libexec/rshd rshd -k
-ekshell stream tcp nowait root /usr/libexec/rshd rshd -kx
-.Ed
-.\".Sh DIAGNOSTICS
-.Sh SEE ALSO
-.Xr rsh 1 ,
-.Xr iruserok 3
-.\".Sh STANDARDS
-.Sh HISTORY
-The
-.Nm
-command appeared in
-.Bx 4.2 .
-.Sh AUTHORS
-This implementation of
-.Nm
-was written as part of the Heimdal Kerberos 5 implementation.
-.\".Sh BUGS
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
deleted file mode 100644
index bec9bf47fb30..000000000000
--- a/crypto/heimdal/appl/rsh/rshd.c
+++ /dev/null
@@ -1,1035 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "rsh_locl.h"
-RCSID("$Id: rshd.c,v 1.47 2002/09/03 20:03:26 joda Exp $");
-
-int
-login_access( struct passwd *user, char *from);
-
-enum auth_method auth_method;
-
-#ifdef KRB5
-krb5_context context;
-krb5_keyblock *keyblock;
-krb5_crypto crypto;
-#endif
-
-#ifdef KRB4
-des_key_schedule schedule;
-des_cblock iv;
-#endif
-
-#ifdef KRB5
-krb5_ccache ccache, ccache2;
-int kerberos_status = 0;
-#endif
-
-int do_encrypt = 0;
-
-static int do_unique_tkfile = 0;
-static char tkfile[MAXPATHLEN] = "";
-
-static int do_inetd = 1;
-static char *port_str;
-static int do_rhosts = 1;
-static int do_kerberos = 0;
-#define DO_KRB4 2
-#define DO_KRB5 4
-static int do_vacuous = 0;
-static int do_log = 1;
-#ifdef KRB4
-static int do_newpag = 1;
-#endif
-static int do_addr_verify = 0;
-static int do_keepalive = 1;
-static int do_version;
-static int do_help = 0;
-
-#if defined(KRB5) && defined(DCE)
-int dfsk5ok = 0;
-int dfspag = 0;
-int dfsfwd = 0;
-krb5_ticket *user_ticket;
-#endif
-
-static void
-syslog_and_die (const char *m, ...)
- __attribute__ ((format (printf, 1, 2)));
-
-static void
-syslog_and_die (const char *m, ...)
-{
- va_list args;
-
- va_start(args, m);
- vsyslog (LOG_ERR, m, args);
- va_end(args);
- exit (1);
-}
-
-static void
-fatal (int, const char*, const char *, ...)
- __attribute__ ((format (printf, 3, 4)));
-
-static void
-fatal (int sock, const char *what, const char *m, ...)
-{
- va_list args;
- char buf[BUFSIZ];
- size_t len;
-
- *buf = 1;
- va_start(args, m);
- len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args);
- len = min(len, sizeof(buf) - 1);
- va_end(args);
- if(what != NULL)
- syslog (LOG_ERR, "%s: %m: %s", what, buf + 1);
- else
- syslog (LOG_ERR, "%s", buf + 1);
- net_write (sock, buf, len + 1);
- exit (1);
-}
-
-static void
-read_str (int s, char *str, size_t sz, char *expl)
-{
- while (sz > 0) {
- if (net_read (s, str, 1) != 1)
- syslog_and_die ("read: %m");
- if (*str == '\0')
- return;
- --sz;
- ++str;
- }
- fatal (s, NULL, "%s too long", expl);
-}
-
-static int
-recv_bsd_auth (int s, u_char *buf,
- struct sockaddr_in *thisaddr,
- struct sockaddr_in *thataddr,
- char *client_username,
- char *server_username,
- char *cmd)
-{
- struct passwd *pwd;
-
- read_str (s, client_username, USERNAME_SZ, "local username");
- read_str (s, server_username, USERNAME_SZ, "remote username");
- read_str (s, cmd, COMMAND_SZ, "command");
- pwd = getpwnam(server_username);
- if (pwd == NULL)
- fatal(s, NULL, "Login incorrect.");
- if (iruserok(thataddr->sin_addr.s_addr, pwd->pw_uid == 0,
- client_username, server_username))
- fatal(s, NULL, "Login incorrect.");
- return 0;
-}
-
-#ifdef KRB4
-static int
-recv_krb4_auth (int s, u_char *buf,
- struct sockaddr *thisaddr,
- struct sockaddr *thataddr,
- char *client_username,
- char *server_username,
- char *cmd)
-{
- int status;
- int32_t options;
- KTEXT_ST ticket;
- AUTH_DAT auth;
- char instance[INST_SZ + 1];
- char version[KRB_SENDAUTH_VLEN + 1];
-
- if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
- return -1;
- if (net_read (s, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
- KRB_SENDAUTH_VLEN - 4)
- syslog_and_die ("reading auth info: %m");
- if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
- syslog_and_die("unrecognized auth protocol: %.8s", buf);
-
- options = KOPT_IGNORE_PROTOCOL;
- if (do_encrypt)
- options |= KOPT_DO_MUTUAL;
- k_getsockinst (s, instance, sizeof(instance));
- status = krb_recvauth (options,
- s,
- &ticket,
- "rcmd",
- instance,
- (struct sockaddr_in *)thataddr,
- (struct sockaddr_in *)thisaddr,
- &auth,
- "",
- schedule,
- version);
- if (status != KSUCCESS)
- syslog_and_die ("recvauth: %s", krb_get_err_text(status));
- if (strncmp (version, KCMD_OLD_VERSION, KRB_SENDAUTH_VLEN) != 0)
- syslog_and_die ("bad version: %s", version);
-
- read_str (s, server_username, USERNAME_SZ, "remote username");
- if (kuserok (&auth, server_username) != 0)
- fatal (s, NULL, "Permission denied.");
- read_str (s, cmd, COMMAND_SZ, "command");
-
- syslog(LOG_INFO|LOG_AUTH,
- "kerberos v4 shell from %s on %s as %s, cmd '%.80s'",
- krb_unparse_name_long(auth.pname, auth.pinst, auth.prealm),
-
- inet_ntoa(((struct sockaddr_in *)thataddr)->sin_addr),
- server_username,
- cmd);
-
- memcpy (iv, auth.session, sizeof(iv));
-
- return 0;
-}
-
-#endif /* KRB4 */
-
-#ifdef KRB5
-static int
-save_krb5_creds (int s,
- krb5_auth_context auth_context,
- krb5_principal client)
-
-{
- int ret;
- krb5_data remote_cred;
-
- krb5_data_zero (&remote_cred);
- ret= krb5_read_message (context, (void *)&s, &remote_cred);
- if (ret) {
- krb5_data_free(&remote_cred);
- return 0;
- }
- if (remote_cred.length == 0)
- return 0;
-
- ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
- if (ret) {
- krb5_data_free(&remote_cred);
- return 0;
- }
-
- krb5_cc_initialize(context,ccache,client);
- ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred);
- krb5_data_free (&remote_cred);
- if (ret)
- return 0;
- return 1;
-}
-
-static void
-krb5_start_session (void)
-{
- krb5_error_code ret;
-
- ret = krb5_cc_resolve (context, tkfile, &ccache2);
- if (ret) {
- krb5_cc_destroy(context, ccache);
- return;
- }
-
- ret = krb5_cc_copy_cache (context, ccache, ccache2);
- if (ret) {
- krb5_cc_destroy(context, ccache);
- return ;
- }
-
- krb5_cc_close(context, ccache2);
- krb5_cc_destroy(context, ccache);
- return;
-}
-
-static int protocol_version;
-
-static krb5_boolean
-match_kcmd_version(const void *data, const char *version)
-{
- if(strcmp(version, KCMD_NEW_VERSION) == 0) {
- protocol_version = 2;
- return TRUE;
- }
- if(strcmp(version, KCMD_OLD_VERSION) == 0) {
- protocol_version = 1;
- key_usage = KRB5_KU_OTHER_ENCRYPTED;
- return TRUE;
- }
- return FALSE;
-}
-
-
-static int
-recv_krb5_auth (int s, u_char *buf,
- struct sockaddr *thisaddr,
- struct sockaddr *thataddr,
- char *client_username,
- char *server_username,
- char *cmd)
-{
- u_int32_t len;
- krb5_auth_context auth_context = NULL;
- krb5_ticket *ticket;
- krb5_error_code status;
- krb5_data cksum_data;
- krb5_principal server;
-
- if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
- return -1;
- len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
-
- if (net_read(s, buf, len) != len)
- syslog_and_die ("reading auth info: %m");
- if (len != sizeof(KRB5_SENDAUTH_VERSION)
- || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
- syslog_and_die ("bad sendauth version: %.8s", buf);
-
- status = krb5_sock_to_principal (context,
- s,
- "host",
- KRB5_NT_SRV_HST,
- &server);
- if (status)
- syslog_and_die ("krb5_sock_to_principal: %s",
- krb5_get_err_text(context, status));
-
- status = krb5_recvauth_match_version(context,
- &auth_context,
- &s,
- match_kcmd_version,
- NULL,
- server,
- KRB5_RECVAUTH_IGNORE_VERSION,
- NULL,
- &ticket);
- krb5_free_principal (context, server);
- if (status)
- syslog_and_die ("krb5_recvauth: %s",
- krb5_get_err_text(context, status));
-
- read_str (s, server_username, USERNAME_SZ, "remote username");
- read_str (s, cmd, COMMAND_SZ, "command");
- read_str (s, client_username, COMMAND_SZ, "local username");
-
- if(protocol_version == 2) {
- status = krb5_auth_con_getremotesubkey(context, auth_context,
- &keyblock);
- if(status != 0 || keyblock == NULL)
- syslog_and_die("failed to get remote subkey");
- } else if(protocol_version == 1) {
- status = krb5_auth_con_getkey (context, auth_context, &keyblock);
- if(status != 0 || keyblock == NULL)
- syslog_and_die("failed to get key");
- }
- if (status != 0 || keyblock == NULL)
- syslog_and_die ("krb5_auth_con_getkey: %s",
- krb5_get_err_text(context, status));
-
- status = krb5_crypto_init(context, keyblock, 0, &crypto);
- if(status)
- syslog_and_die("krb5_crypto_init: %s",
- krb5_get_err_text(context, status));
-
-
- cksum_data.length = asprintf ((char **)&cksum_data.data,
- "%u:%s%s",
- ntohs(socket_get_port (thisaddr)),
- cmd,
- server_username);
-
- status = krb5_verify_authenticator_checksum(context,
- auth_context,
- cksum_data.data,
- cksum_data.length);
-
- if (status)
- syslog_and_die ("krb5_verify_authenticator_checksum: %s",
- krb5_get_err_text(context, status));
-
- free (cksum_data.data);
-
- if (strncmp (client_username, "-u ", 3) == 0) {
- do_unique_tkfile = 1;
- memmove (client_username, client_username + 3,
- strlen(client_username) - 2);
- }
-
- if (strncmp (client_username, "-U ", 3) == 0) {
- char *end, *temp_tkfile;
-
- do_unique_tkfile = 1;
- if (strncmp (server_username + 3, "FILE:", 5) == 0) {
- temp_tkfile = tkfile;
- } else {
- strcpy (tkfile, "FILE:");
- temp_tkfile = tkfile + 5;
- }
- end = strchr(client_username + 3,' ');
- strncpy(temp_tkfile, client_username + 3, end - client_username - 3);
- temp_tkfile[end - client_username - 3] = '\0';
- memmove (client_username, end +1, strlen(end+1)+1);
- }
-
- kerberos_status = save_krb5_creds (s, auth_context, ticket->client);
-
- if(!krb5_kuserok (context,
- ticket->client,
- server_username))
- fatal (s, NULL, "Permission denied.");
-
- if (strncmp (cmd, "-x ", 3) == 0) {
- do_encrypt = 1;
- memmove (cmd, cmd + 3, strlen(cmd) - 2);
- } else {
- if(do_encrypt)
- fatal (s, NULL, "Encryption is required.");
- do_encrypt = 0;
- }
-
- {
- char *name;
-
- if (krb5_unparse_name (context, ticket->client, &name) == 0) {
- char addr_str[256];
-
- if (inet_ntop (thataddr->sa_family,
- socket_get_address (thataddr),
- addr_str, sizeof(addr_str)) == NULL)
- strlcpy (addr_str, "unknown address",
- sizeof(addr_str));
-
- syslog(LOG_INFO|LOG_AUTH,
- "kerberos v5 shell from %s on %s as %s, cmd '%.80s'",
- name,
- addr_str,
- server_username,
- cmd);
- free (name);
- }
- }
-
-#if defined(DCE)
- user_ticket = ticket;
-#endif
-
- return 0;
-}
-#endif /* KRB5 */
-
-static void
-loop (int from0, int to0,
- int to1, int from1,
- int to2, int from2)
-{
- fd_set real_readset;
- int max_fd;
- int count = 2;
-
- if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE)
- errx (1, "fd too large");
-
-#ifdef KRB5
- if(auth_method == AUTH_KRB5 && protocol_version == 2)
- init_ivecs(0);
-#endif
-
- FD_ZERO(&real_readset);
- FD_SET(from0, &real_readset);
- FD_SET(from1, &real_readset);
- FD_SET(from2, &real_readset);
- max_fd = max(from0, max(from1, from2)) + 1;
- for (;;) {
- int ret;
- fd_set readset = real_readset;
- char buf[RSH_BUFSIZ];
-
- ret = select (max_fd, &readset, NULL, NULL, NULL);
- if (ret < 0) {
- if (errno == EINTR)
- continue;
- else
- syslog_and_die ("select: %m");
- }
- if (FD_ISSET(from0, &readset)) {
- ret = do_read (from0, buf, sizeof(buf), ivec_in[0]);
- if (ret < 0)
- syslog_and_die ("read: %m");
- else if (ret == 0) {
- close (from0);
- close (to0);
- FD_CLR(from0, &real_readset);
- } else
- net_write (to0, buf, ret);
- }
- if (FD_ISSET(from1, &readset)) {
- ret = read (from1, buf, sizeof(buf));
- if (ret < 0)
- syslog_and_die ("read: %m");
- else if (ret == 0) {
- close (from1);
- close (to1);
- FD_CLR(from1, &real_readset);
- if (--count == 0)
- exit (0);
- } else
- do_write (to1, buf, ret, ivec_out[0]);
- }
- if (FD_ISSET(from2, &readset)) {
- ret = read (from2, buf, sizeof(buf));
- if (ret < 0)
- syslog_and_die ("read: %m");
- else if (ret == 0) {
- close (from2);
- close (to2);
- FD_CLR(from2, &real_readset);
- if (--count == 0)
- exit (0);
- } else
- do_write (to2, buf, ret, ivec_out[1]);
- }
- }
-}
-
-/*
- * Used by `setup_copier' to create some pipe-like means of
- * communcation. Real pipes would probably be the best thing, but
- * then the shell doesn't understand it's talking to rshd. If
- * socketpair doesn't work everywhere, some autoconf magic would have
- * to be added here.
- *
- * If it fails creating the `pipe', it aborts by calling fatal.
- */
-
-static void
-pipe_a_like (int fd[2])
-{
- if (socketpair (AF_UNIX, SOCK_STREAM, 0, fd) < 0)
- fatal (STDOUT_FILENO, "socketpair", "Pipe creation failed.");
-}
-
-/*
- * Start a child process and leave the parent copying data to and from it. */
-
-static void
-setup_copier (void)
-{
- int p0[2], p1[2], p2[2];
- pid_t pid;
-
- pipe_a_like(p0);
- pipe_a_like(p1);
- pipe_a_like(p2);
- pid = fork ();
- if (pid < 0)
- fatal (STDOUT_FILENO, "fork", "Could not create child process.");
- if (pid == 0) { /* child */
- close (p0[1]);
- close (p1[0]);
- close (p2[0]);
- dup2 (p0[0], STDIN_FILENO);
- dup2 (p1[1], STDOUT_FILENO);
- dup2 (p2[1], STDERR_FILENO);
- close (p0[0]);
- close (p1[1]);
- close (p2[1]);
- } else { /* parent */
- close (p0[0]);
- close (p1[1]);
- close (p2[1]);
-
- if (net_write (STDOUT_FILENO, "", 1) != 1)
- fatal (STDOUT_FILENO, "net_write", "Write failure.");
-
- loop (STDIN_FILENO, p0[1],
- STDOUT_FILENO, p1[0],
- STDERR_FILENO, p2[0]);
- }
-}
-
-/*
- * Is `port' a ``reserverd'' port?
- */
-
-static int
-is_reserved(u_short port)
-{
- return ntohs(port) < IPPORT_RESERVED;
-}
-
-/*
- * Set the necessary part of the environment in `env'.
- */
-
-static void
-setup_environment (char ***env, const struct passwd *pwd)
-{
- int i, j, path;
- char **e;
-
- i = 0;
- path = 0;
- *env = NULL;
-
- i = read_environment(_PATH_ETC_ENVIRONMENT, env);
- e = *env;
- for (j = 0; j < i; j++) {
- if (!strncmp(e[j], "PATH=", 5)) {
- path = 1;
- }
- }
-
- e = *env;
- e = realloc(e, (i + 7) * sizeof(char *));
-
- asprintf (&e[i++], "USER=%s", pwd->pw_name);
- asprintf (&e[i++], "HOME=%s", pwd->pw_dir);
- asprintf (&e[i++], "SHELL=%s", pwd->pw_shell);
- if (! path) {
- asprintf (&e[i++], "PATH=%s", _PATH_DEFPATH);
- }
- asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
-#if defined(DCE)
- if (getenv("KRB5CCNAME"))
- asprintf (&e[i++], "KRB5CCNAME=%s", getenv("KRB5CCNAME"));
-#else
- if (do_unique_tkfile)
- asprintf (&e[i++], "KRB5CCNAME=%s", tkfile);
-#endif
- e[i++] = NULL;
- *env = e;
-}
-
-static void
-doit (void)
-{
- u_char buf[BUFSIZ];
- u_char *p;
- struct sockaddr_storage thisaddr_ss;
- struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
- struct sockaddr_storage thataddr_ss;
- struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
- struct sockaddr_storage erraddr_ss;
- struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
- socklen_t thisaddr_len, thataddr_len;
- int port;
- int errsock = -1;
- char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
- char cmd[COMMAND_SZ];
- struct passwd *pwd;
- int s = STDIN_FILENO;
- char **env;
- int ret;
- char that_host[NI_MAXHOST];
-
- thisaddr_len = sizeof(thisaddr_ss);
- if (getsockname (s, thisaddr, &thisaddr_len) < 0)
- syslog_and_die("getsockname: %m");
- thataddr_len = sizeof(thataddr_ss);
- if (getpeername (s, thataddr, &thataddr_len) < 0)
- syslog_and_die ("getpeername: %m");
-
- /* check for V4MAPPED addresses? */
-
- if (do_kerberos == 0 && !is_reserved(socket_get_port(thataddr)))
- fatal(s, NULL, "Permission denied.");
-
- p = buf;
- port = 0;
- for(;;) {
- if (net_read (s, p, 1) != 1)
- syslog_and_die ("reading port number: %m");
- if (*p == '\0')
- break;
- else if (isdigit(*p))
- port = port * 10 + *p - '0';
- else
- syslog_and_die ("non-digit in port number: %c", *p);
- }
-
- if (do_kerberos == 0 && !is_reserved(htons(port)))
- fatal(s, NULL, "Permission denied.");
-
- if (port) {
- int priv_port = IPPORT_RESERVED - 1;
-
- /*
- * There's no reason to require a ``privileged'' port number
- * here, but for some reason the brain dead rsh clients
- * do... :-(
- */
-
- erraddr->sa_family = thataddr->sa_family;
- socket_set_address_and_port (erraddr,
- socket_get_address (thataddr),
- htons(port));
-
- /*
- * we only do reserved port for IPv4
- */
-
- if (erraddr->sa_family == AF_INET)
- errsock = rresvport (&priv_port);
- else
- errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
- if (errsock < 0)
- syslog_and_die ("socket: %m");
- if (connect (errsock,
- erraddr,
- socket_sockaddr_size (erraddr)) < 0) {
- syslog (LOG_WARNING, "connect: %m");
- close (errsock);
- }
- }
-
- if(do_kerberos) {
- if (net_read (s, buf, 4) != 4)
- syslog_and_die ("reading auth info: %m");
-
-#ifdef KRB4
- if ((do_kerberos & DO_KRB4) &&
- recv_krb4_auth (s, buf, thisaddr, thataddr,
- client_user,
- server_user,
- cmd) == 0)
- auth_method = AUTH_KRB4;
- else
-#endif /* KRB4 */
-#ifdef KRB5
- if((do_kerberos & DO_KRB5) &&
- recv_krb5_auth (s, buf, thisaddr, thataddr,
- client_user,
- server_user,
- cmd) == 0)
- auth_method = AUTH_KRB5;
- else
-#endif /* KRB5 */
- syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
- buf[0], buf[1], buf[2], buf[3]);
- } else {
- if(recv_bsd_auth (s, buf,
- (struct sockaddr_in *)thisaddr,
- (struct sockaddr_in *)thataddr,
- client_user,
- server_user,
- cmd) == 0) {
- auth_method = AUTH_BROKEN;
- if(do_vacuous) {
- printf("Remote host requires Kerberos authentication\n");
- exit(0);
- }
- } else
- syslog_and_die("recv_bsd_auth failed");
- }
-
-#if defined(DCE) && defined(_AIX)
- esetenv("AUTHSTATE", "DCE", 1);
-#endif
-
- pwd = getpwnam (server_user);
- if (pwd == NULL)
- fatal (s, NULL, "Login incorrect.");
-
- if (*pwd->pw_shell == '\0')
- pwd->pw_shell = _PATH_BSHELL;
-
- if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
- fatal (s, NULL, "Login disabled.");
-
-
- ret = getnameinfo_verified (thataddr, thataddr_len,
- that_host, sizeof(that_host),
- NULL, 0, 0);
- if (ret)
- fatal (s, NULL, "getnameinfo: %s", gai_strerror(ret));
-
- if (login_access(pwd, that_host) == 0) {
- syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
- server_user, that_host);
- fatal(s, NULL, "Permission denied.");
- }
-
-#ifdef HAVE_GETSPNAM
- {
- struct spwd *sp;
- long today;
-
- sp = getspnam(server_user);
- if (sp != NULL) {
- today = time(0)/(24L * 60 * 60);
- if (sp->sp_expire > 0)
- if (today > sp->sp_expire)
- fatal(s, NULL, "Account has expired.");
- }
- }
-#endif
-
-
-#ifdef KRB5
- {
- int fd;
-
- if (!do_unique_tkfile)
- snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%u",pwd->pw_uid);
- else if (*tkfile=='\0') {
- snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
- fd = mkstemp(tkfile+5);
- close(fd);
- unlink(tkfile+5);
- }
-
- if (kerberos_status)
- krb5_start_session();
- }
- chown(tkfile + 5, pwd->pw_uid, -1);
-
-#if defined(DCE)
- if (kerberos_status) {
- esetenv("KRB5CCNAME", tkfile, 1);
- dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user);
- }
-#endif
-
-#endif
-
-#ifdef HAVE_SETLOGIN
- if (setlogin(pwd->pw_name) < 0)
- syslog(LOG_ERR, "setlogin() failed: %m");
-#endif
-
-#ifdef HAVE_SETPCRED
- if (setpcred (pwd->pw_name, NULL) == -1)
- syslog(LOG_ERR, "setpcred() failure: %m");
-#endif /* HAVE_SETPCRED */
-
- if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
- fatal (s, "initgroups", "Login incorrect.");
-
- if (setgid(pwd->pw_gid) < 0)
- fatal (s, "setgid", "Login incorrect.");
-
- if (setuid (pwd->pw_uid) < 0)
- fatal (s, "setuid", "Login incorrect.");
-
- if (chdir (pwd->pw_dir) < 0)
- fatal (s, "chdir", "Remote directory.");
-
- if (errsock >= 0) {
- if (dup2 (errsock, STDERR_FILENO) < 0)
- fatal (s, "dup2", "Cannot dup stderr.");
- close (errsock);
- }
-
- setup_environment (&env, pwd);
-
- if (do_encrypt) {
- setup_copier ();
- } else {
- if (net_write (s, "", 1) != 1)
- fatal (s, "net_write", "write failed");
- }
-
-#ifdef KRB4
- if(k_hasafs()) {
- char cell[64];
-
- if(do_newpag)
- k_setpag();
- if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0)
- krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir);
-
- krb_afslog_uid_home(NULL, NULL, pwd->pw_uid, pwd->pw_dir);
-
-#ifdef KRB5
- /* XXX */
- if (kerberos_status) {
- krb5_ccache ccache;
- krb5_error_code status;
-
- status = krb5_cc_resolve (context, tkfile, &ccache);
- if (!status) {
- krb5_afslog_uid_home(context,ccache,NULL,NULL,
- pwd->pw_uid, pwd->pw_dir);
- krb5_cc_close (context, ccache);
- }
- }
-#endif /* KRB5 */
- }
-#endif /* KRB4 */
- execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env);
- err(1, "exec %s", pwd->pw_shell);
-}
-
-struct getargs args[] = {
- { NULL, 'a', arg_flag, &do_addr_verify },
- { "keepalive", 'n', arg_negative_flag, &do_keepalive },
- { "inetd", 'i', arg_negative_flag, &do_inetd,
- "Not started from inetd" },
-#if defined(KRB4) || defined(KRB5)
- { "kerberos", 'k', arg_flag, &do_kerberos,
- "Implement kerberised services" },
- { "encrypt", 'x', arg_flag, &do_encrypt,
- "Implement encrypted service" },
-#endif
- { "rhosts", 'l', arg_negative_flag, &do_rhosts,
- "Don't check users .rhosts" },
- { "port", 'p', arg_string, &port_str, "Use this port",
- "port" },
- { "vacuous", 'v', arg_flag, &do_vacuous,
- "Don't accept non-kerberised connections" },
-#ifdef KRB4
- { NULL, 'P', arg_negative_flag, &do_newpag,
- "Don't put process in new PAG" },
-#endif
- /* compatibility flag: */
- { NULL, 'L', arg_flag, &do_log },
- { "version", 0, arg_flag, &do_version },
- { "help", 0, arg_flag, &do_help }
-};
-
-static void
-usage (int ret)
-{
- if(isatty(STDIN_FILENO))
- arg_printusage (args,
- sizeof(args) / sizeof(args[0]),
- NULL,
- "");
- else
- syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", getprogname());
- exit (ret);
-}
-
-
-int
-main(int argc, char **argv)
-{
- int optind = 0;
- int on = 1;
-
- setprogname (argv[0]);
- roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH);
-
- if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv,
- &optind))
- usage(1);
-
- if(do_help)
- usage (0);
-
- if (do_version) {
- print_version(NULL);
- exit(0);
- }
-
-#if defined(KRB4) || defined(KRB5)
- if (do_encrypt)
- do_kerberos = 1;
-
- if(do_kerberos)
- do_kerberos = DO_KRB4 | DO_KRB5;
-#endif
-
- if (do_keepalive &&
- setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
- sizeof(on)) < 0)
- syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
-
- /* set SO_LINGER? */
-
-#ifdef KRB5
- if((do_kerberos & DO_KRB5) && krb5_init_context (&context) != 0)
- do_kerberos &= ~DO_KRB5;
-#endif
-
- if (!do_inetd) {
- int error;
- struct addrinfo *ai = NULL, hints;
- char portstr[NI_MAXSERV];
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_flags = AI_PASSIVE;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_family = PF_UNSPEC;
-
- if(port_str != NULL) {
- error = getaddrinfo (NULL, port_str, &hints, &ai);
- if (error)
- errx (1, "getaddrinfo: %s", gai_strerror (error));
- }
- if (ai == NULL) {
-#if defined(KRB4) || defined(KRB5)
- if (do_kerberos) {
- if (do_encrypt) {
- error = getaddrinfo(NULL, "ekshell", &hints, &ai);
- if(error == EAI_NONAME) {
- snprintf(portstr, sizeof(portstr), "%d", 545);
- error = getaddrinfo(NULL, portstr, &hints, &ai);
- }
- if(error)
- errx (1, "getaddrinfo: %s", gai_strerror (error));
- } else {
- error = getaddrinfo(NULL, "kshell", &hints, &ai);
- if(error == EAI_NONAME) {
- snprintf(portstr, sizeof(portstr), "%d", 544);
- error = getaddrinfo(NULL, portstr, &hints, &ai);
- }
- if(error)
- errx (1, "getaddrinfo: %s", gai_strerror (error));
- }
- } else
-#endif
- {
- error = getaddrinfo(NULL, "shell", &hints, &ai);
- if(error == EAI_NONAME) {
- snprintf(portstr, sizeof(portstr), "%d", 514);
- error = getaddrinfo(NULL, portstr, &hints, &ai);
- }
- if(error)
- errx (1, "getaddrinfo: %s", gai_strerror (error));
- }
- }
- mini_inetd_addrinfo (ai);
- freeaddrinfo(ai);
- }
-
- signal (SIGPIPE, SIG_IGN);
-
- doit ();
- return 0;
-}