* $Source$
* $Header$
*/
+/* (c) Copyright 1988 by the Massachusetts Institute of Technology. */
+/* For copying and distribution information, please see the file */
+/* <mit-copyright.h>. */
#ifndef lint
static char *rcsid_auth_001_c = "$Header$";
#endif lint
+#include <mit-copyright.h>
#include <stdio.h>
-#include <strings.h>
-#include "gdb.h"
-#include "smsu_int.h"
-#include "kludge.h"
+#include <string.h>
+#include <gdb.h>
#include <krb.h>
+#include <krb_et.h>
#include <netinet/in.h>
#include <errno.h>
+#ifdef POSIX
+#include <sys/utsname.h>
+#endif
extern char buf[BUFSIZ];
extern int have_authorization;
extern CONNECTION conn;
int code;
extern char *PrincipalHostname();
-static char sms[] = "sms";
+static char service[] = "rcmd";
+static char master[] = "sms";
static char qmark[] = "???";
+C_Block session;
/*
* authentication request auth_001:
char *str;
{
STRING data;
- char host[BUFSIZ];
+ char host[BUFSIZ], realm[REALM_SZ];
+ char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
AUTH_DAT ad;
- char realm[REALM_SZ];
+ char *p, *first, *config_lookup();
KTEXT_ST ticket_st;
+#ifdef POSIX
+ struct utsname name;
+#endif
if (send_ok())
lose("sending okay for authorization (auth_001)");
code = connection_errno(conn);
lose("awaiting Kerberos authenticators");
}
- gethostname(host, BUFSIZ);
+#ifdef POSIX
+ (void) uname(&name);
+ strncpy(host, name.nodename, sizeof(host));
+#else
+ gethostname(host, sizeof(host));
+#endif
ticket_st.mbz = 0;
ticket_st.length = MAX_STRING_SIZE(data);
- bcopy(STRING_DATA(data), ticket_st.dat, MAX_STRING_SIZE(data));
- code = rd_ap_req(&ticket_st, sms,
- PrincipalHostname(host), 0,
- &ad, "/etc/srvtab");
+ memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
+ code = krb_rd_req(&ticket_st, service,
+ krb_get_phost(host), 0,
+ &ad, KEYFILE);
if (code) {
- code = krb_err_frob(code);
+ code += ERROR_TABLE_BASE_krb;
strcpy(ad.pname, qmark);
strcpy(ad.pinst, qmark);
strcpy(ad.prealm, qmark);
goto auth_failed;
}
- if (get_krbrlm(realm,0))
- realm[0] = '\0';
+
+ /* If there is an auth record in the config file matching the
+ * authenticator we received, then accept it. If there's no
+ * auth record, assume [master]@[local realm].
+ */
+ if (first = p = config_lookup("auth")) {
+ do {
+ kname_parse(aname, ainst, arealm, p);
+ if (strcmp(aname, ad.pname) ||
+ strcmp(ainst, ad.pinst) ||
+ strcmp(arealm, ad.prealm))
+ p = config_lookup("auth");
+ else
+ p = first;
+ } while (p != first);
+ } else {
+ strcpy(aname, master);
+ strcpy(ainst, "");
+ if (krb_get_lrealm(arealm,1))
+ strcpy(arealm, KRB_REALM);
+ }
code = EPERM;
- if (strcmp(sms, ad.pname))
- goto auth_failed;
- if (ad.pinst[0] != '\0')
- goto auth_failed;
- if (strcmp(realm, ad.prealm))
- goto auth_failed;
+ if (strcmp(aname, ad.pname) ||
+ strcmp(ainst, ad.pinst) ||
+ strcmp(arealm, ad.prealm))
+ goto auth_failed;
if (send_ok())
lose("sending approval of authorization");
have_authorization = 1;
+ /* Stash away session key */
+ memcpy(session, ad.session, sizeof(session));
return(0);
auth_failed:
sprintf(buf, "auth for %s.%s@%s failed: %s",
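Review bot: The authenticator length used at `ticket_st.length = MAX_STRING_SIZE(data);` and `memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));` comes from the string just received on `conn` (the `code = connection_errno(conn);` error path above it) and is never compared with the capacity of `ticket_st.dat` (MAX_KTXT_LEN in krb.h), so a peer that has not yet authenticated controls how many bytes land in the stack-allocated KTEXT_ST; the old bcopy had the same gap and the switch to memcpy does not close it. Reject oversized and empty authenticators before the copy, routing through the existing auth_failed path with the qmark names so the log line stays well-formed. Secondary: the new `strncpy(host, name.nodename, sizeof(host));` does not guarantee termination, and neither does gethostname when it truncates, so add `host[sizeof(host) - 1] = '\0';` after the `#endif`. Also, `arealm` is not initialised before the config loop; if kname_parse leaves the realm untouched for an `auth` entry written without `@realm` (worth confirming against its source), the comparison at `strcmp(arealm, ad.prealm)` reads an indeterminate buffer, so set `arealm[0] = '\0'` before each parse. auth_001 continues past the end of this hunk.
```c
    /* … unchanged: receive authenticator string into data … */
    if (MAX_STRING_SIZE(data) <= 0 || MAX_STRING_SIZE(data) > MAX_KTXT_LEN) {
        code = EPERM;           /* cannot be a valid ticket; never touch ticket_st.dat */
        strcpy(ad.pname, qmark);
        strcpy(ad.pinst, qmark);
        strcpy(ad.prealm, qmark);
        goto auth_failed;
    }
    ticket_st.mbz = 0;
    /* … unchanged: length assignment, memcpy, krb_rd_req, config lookup … */
```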