RCSID("$Header$");
extern char *whoami, *host;
+extern int proxy_acl;
+
+static int set_client(client *cl, char *kname,
+ char *name, char *inst, char *realm);
typedef struct _replay_cache {
KTEXT_ST auth;
{
KTEXT_ST auth;
AUTH_DAT ad;
- int status, ok;
+ int status;
replay_cache *rc, *rcnew;
time_t now;
rc = rc->next;
}
- memcpy(cl->kname.name, ad.pname, ANAME_SZ);
- memcpy(cl->kname.inst, ad.pinst, INST_SZ);
- memcpy(cl->kname.realm, ad.prealm, REALM_SZ);
- strncpy(cl->clname, kname_unparse(ad.pname, ad.pinst, ad.prealm),
- sizeof(cl->clname));
- cl->clname[sizeof(cl->clname) - 1] = '\0';
-
- if (ad.pinst[0] == 0 && !strcmp(ad.prealm, krb_realm))
- ok = 1;
- else
- ok = 0;
- /* this is in a separate function because it accesses the database */
- status = set_krb_mapping(cl->clname, ad.pname, ok,
- &cl->client_id, &cl->users_id);
+ status = set_client(cl, kname_unparse(ad.pname, ad.pinst, ad.prealm),
+ ad.pname, ad.pinst, ad.prealm);
- strncpy(cl->entity, cl->req.mr_argv[1], 8);
- cl->entity[8] = 0;
+ strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
+ cl->entity[sizeof(cl->entity) - 1] = 0;
memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
else
client_reply(cl, MR_USER_AUTH);
}
+
+void do_proxy(client *cl)
+{
+ char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+ char kname[MAX_K_NAME_SZ];
+
+ if (cl->proxy_id)
+ {
+ com_err(whoami, MR_PERM, "Cannot re-proxy");
+ client_reply(cl, MR_PERM);
+ return;
+ }
+
+ if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS)
+ {
+ com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
+ cl->req.mr_argv);
+ client_reply(cl, KE_KNAME_FMT);
+ return;
+ }
+
+ if (!*realm)
+ {
+ strcpy(realm, krb_realm);
+ sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
+ }
+ else
+ strcpy(kname, cl->req.mr_argv[0]);
+
+ if (find_member("LIST", proxy_acl, cl))
+ {
+ cl->proxy_id = cl->client_id;
+ set_client(cl, kname, name, inst, realm);
+ com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
+ kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
+ client_reply(cl, MR_SUCCESS);
+ }
+ else
+ {
+ com_err(whoami, MR_PERM, "Proxy authentication denied");
+ client_reply(cl, MR_PERM);
+ }
+}
+
+static int set_client(client *cl, char *kname,
+ char *name, char *inst, char *realm)
+{
+ int ok;
+
+ strncpy(cl->clname, kname, sizeof(cl->clname));
+ cl->clname[sizeof(cl->clname) - 1] = '\0';
+
+ if (inst[0] == 0 && !strcmp(realm, krb_realm))
+ ok = 1;
+ else
+ ok = 0;
+ /* this is in a separate function because it accesses the database */
+ return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
+}
#include <krb.h>
-/* This should be in the kerberos header file. */
-
-struct krbname {
- char name[ANAME_SZ];
- char inst[INST_SZ];
- char realm[REALM_SZ];
-};
-
enum clstate { CL_ACCEPTING, CL_ACTIVE, CL_CLOSING };
/*
struct sockaddr_in haddr; /* IP address of client */
enum clstate state; /* State of the connection */
char clname[MAX_K_NAME_SZ]; /* Name client authenticated to */
- struct krbname kname; /* Parsed version of the above */
- char entity[9]; /* client program being used */
+ char entity[USERS_MODWITH_SIZE]; /* client program being used */
int users_id; /* Moira-internal ID of authenticated user */
int client_id; /* Moira-internal ID of client */
+ int proxy_id; /* client_id of orig user, if proxied */
time_t last_time_used; /* Last time connection used */
mr_params req; /* Current request */
mr_params *tuples; /* Tuples waiting to send back to client */
/* prototypes from mr_sauth.c */
void do_auth(client *cl);
+void do_proxy(client *cl);
/* prototypes from mr_scall.c */
void do_client(client *cl);