-/*
- * $Source$
- * $Header$
+/* $Id$
+ *
+ * Copyright (C) 1988-1998 by the Massachusetts Institute of Technology.
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
*/
-/* (c) Copyright 1988 by the Massachusetts Institute of Technology. */
-/* For copying and distribution information, please see the file */
-/* <mit-copyright.h>. */
-
-#ifndef lint
-static char *rcsid_auth_002_c = "$Header$";
-#endif
#include <mit-copyright.h>
+#include <moira.h>
+#include "update_server.h"
+
+#include <sys/utsname.h>
+
+#include <errno.h>
#include <stdio.h>
#include <string.h>
-#include <gdb.h>
+
+#ifdef HAVE_KRB4
#include <krb.h>
-#include <krb_et.h>
-#include <netinet/in.h>
-#include <errno.h>
-#ifdef POSIX
-#include <sys/utsname.h>
#endif
-extern char buf[BUFSIZ];
-extern int have_authorization;
-extern struct sockaddr_in *client_address();
-extern CONNECTION conn;
-extern int code;
-extern char *PrincipalHostname();
+RCSID("$Header$");
+
static char service[] = "rcmd";
static char master[] = "sms";
static char qmark[] = "???";
-extern C_Block session;
+#ifdef HAVE_KRB4
+extern des_cblock session;
+#endif
/*
* authentication request auth_002:
*
*/
-int
-auth_002(str)
- char *str;
+void auth_002(int conn, char *str)
{
- STRING data;
- char host[BUFSIZ], realm[REALM_SZ];
- char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
- AUTH_DAT ad;
- char *p, *first, *config_lookup();
- KTEXT_ST ticket_st;
-#ifdef POSIX
- struct utsname name;
-#endif
- des_key_schedule sched;
- C_Block nonce, nonce2;
+#ifdef HAVE_KRB4
+ char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
+ AUTH_DAT ad;
+ char *p, *first, *data;
+ size_t size;
+ KTEXT_ST ticket_st;
+ des_key_schedule sched;
+ des_cblock nonce, nonce2;
+ long code;
- if (send_ok())
- lose("sending okay for authorization (auth_002)");
- code = receive_object(conn, (char *)&data, STRING_T);
- if (code) {
- code = connection_errno(conn);
- lose("awaiting Kerberos authenticators");
+ send_ok(conn);
+
+ recv_string(conn, &data, &size);
+ if (size > sizeof(ticket_st.dat))
+ {
+ code = KE_RD_AP_UNDEC;
+ com_err(whoami, code, ": authenticator too large");
+ send_int(conn, code);
+ return;
}
-#ifdef POSIX
- (void) uname(&name);
- strncpy(host, name.nodename, sizeof(host));
-#else
- gethostname(host, sizeof(host));
-#endif
- ticket_st.mbz = 0;
- ticket_st.length = MAX_STRING_SIZE(data);
- memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
- code = krb_rd_req(&ticket_st, service,
- krb_get_phost(host), 0,
- &ad, KEYFILE);
- if (code) {
- code += ERROR_TABLE_BASE_krb;
- strcpy(ad.pname, qmark);
- strcpy(ad.pinst, qmark);
- strcpy(ad.prealm, qmark);
- goto auth_failed;
+ memcpy(ticket_st.dat, data, size);
+ free(data);
+ ticket_st.mbz = 0;
+ ticket_st.length = size;
+ code = krb_rd_req(&ticket_st, service, krb_get_phost(hostname), 0,
+ &ad, KEYFILE);
+ if (code)
+ {
+ code += ERROR_TABLE_BASE_krb;
+ strcpy(ad.pname, qmark);
+ strcpy(ad.pinst, qmark);
+ strcpy(ad.prealm, qmark);
+ goto auth_failed;
}
- /* If there is an auth record in the config file matching the
- * authenticator we received, then accept it. If there's no
- * auth record, assume [master]@[local realm].
- */
- if (first = p = config_lookup("auth")) {
- do {
- kname_parse(aname, ainst, arealm, p);
- if (strcmp(aname, ad.pname) ||
- strcmp(ainst, ad.pinst) ||
- strcmp(arealm, ad.prealm))
- p = config_lookup("auth");
- else
- p = first;
- } while (p != first);
- } else {
- strcpy(aname, master);
- strcpy(ainst, "");
- if (krb_get_lrealm(arealm,1))
- strcpy(arealm, KRB_REALM);
+ /* If there is an auth record in the config file matching the
+ * authenticator we received, then accept it. If there's no
+ * auth record, assume [master]@[local realm].
+ */
+ if ((first = p = config_lookup("auth")))
+ {
+ do
+ {
+ kname_parse(aname, ainst, arealm, p);
+ if (strcmp(aname, ad.pname) ||
+ strcmp(ainst, ad.pinst) ||
+ strcmp(arealm, ad.prealm))
+ p = config_lookup("auth");
+ else
+ p = first;
+ }
+ while (p != first);
}
- code = EPERM;
- if (strcmp(aname, ad.pname) ||
- strcmp(ainst, ad.pinst) ||
- strcmp(arealm, ad.prealm))
- goto auth_failed;
+ else
+ {
+ strcpy(aname, master);
+ strcpy(ainst, "");
+ if (krb_get_lrealm(arealm, 1))
+ strcpy(arealm, KRB_REALM);
+ }
+ code = EPERM;
+ if (strcmp(aname, ad.pname) ||
+ strcmp(ainst, ad.pinst) ||
+ strcmp(arealm, ad.prealm))
+ goto auth_failed;
- if (send_ok())
- lose("sending preliminary approval of authorization");
+ send_ok(conn);
- /* replay protection */
- des_random_key(&nonce);
- STRING_DATA(data) = (char *)nonce;
- MAX_STRING_SIZE(data) = 8;
- if (send_object(conn, (char *)&data, STRING_T))
- lose("sending nonce");
- code = receive_object(conn, (char *)&data, STRING_T);
- des_key_sched(&ad.session, &sched);
- des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
- if (memcmp(nonce, nonce2, sizeof(nonce)))
- goto auth_failed;
+ /* replay protection */
+ des_random_key(&nonce);
+ send_string(conn, (char *)nonce, sizeof(nonce));
+ recv_string(conn, &data, &size);
+ des_key_sched(ad.session, sched);
+ des_ecb_encrypt(data, nonce2, sched, 0);
+ free(data);
+ if (memcmp(nonce, nonce2, sizeof(nonce)))
+ goto auth_failed;
+ send_ok(conn);
+
+ have_authorization = 1;
+ /* Stash away session key */
+ memcpy(session, ad.session, sizeof(session));
+ return;
- if (send_ok())
- lose("sending approval of authorization");
- have_authorization = 1;
- /* Stash away session key */
- memcpy(session, ad.session, sizeof(session));
- return(0);
auth_failed:
- sprintf(buf, "auth for %s.%s@%s failed: %s",
- ad.pname, ad.pinst, ad.prealm, error_message(code));
- {
- register int rc;
- rc = send_object(conn, (char *)&code, INTEGER_T);
- code = rc;
- }
- if (code)
- lose("sending rejection of authenticator");
- return(EPERM);
+ com_err(whoami, code, "auth for %s.%s@%s failed",
+ ad.pname, ad.pinst, ad.prealm);
+ send_int(conn, code);
+#else
+ send_int(conn, MR_NO_KRB4);
+#endif
}