Sam Hartman [Sun, 19 May 1996 18:56:50 +0000 (18:56 +0000)]
As per mail describing the ksu problem, invent a krb5util
function to properly set the euid on all systems where it is possible.
Ksu cannot be used without this function in a secure manner.

Sam Hartman [Sun, 19 May 1996 18:52:51 +0000 (18:52 +0000)]
Significant security fixes to ksu
* Use source euid all throughout procedure of opening source ccache,
Richard's code had a race condition.
* Use target euid while looking up .k5login and constructing target ccache.
* Avoid chowns completely; they create race conditions. Fchown could
have been used if we wanted to be really careful, but they aren't
necessary and we would have to violate abstractions.
* Clean up several conditions that would allow users to delete
arbitrary files of the user they were ksuing to without authorization.
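The euid discipline these two ksu entries describe, shown as an added illustration rather than ksu's or the krb5util function's own code: switch the effective uid to the target user before the file is opened, so the file is owned correctly from creation and no chown (and no chown race) is needed, then check the opened descriptor rather than the path. The names set_euid, open_as_user and demo_open_as_self are assumptions, as is the use of seteuid() and the modern O_NOFOLLOW flag.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the krb5util euid setter: change only the
 * effective uid so we can switch back (assumes seteuid() exists). */
static int set_euid(uid_t euid) { return seteuid(euid); }

/* Open path as `owner`, creating it if needed, with no chown at all: the
 * kernel creates the file owned by the current euid, so there is no
 * creation-to-chown window to race. Returns a descriptor or -1 (errno set). */
int open_as_user(const char *path, uid_t owner, mode_t mode)
{
    uid_t saved = geteuid();
    struct stat st;
    int fd, saved_errno;

    if (set_euid(owner) != 0)
        return -1;
    fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, mode);
    saved_errno = errno;
    if (set_euid(saved) != 0)
        abort();                /* never carry on as the wrong identity */
    if (fd < 0) { errno = saved_errno; return -1; }
    /* Check the descriptor, not the path: fstat() cannot be raced. */
    if (fstat(fd, &st) != 0 || st.st_uid != owner || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Unprivileged self-check: create a file as ourselves under a constructed
 * per-process name, then clean up. Returns 0 on success. */
int demo_open_as_self(void)
{
    char path[64];
    int fd, rc = -1;
    snprintf(path, sizeof path, "/tmp/euid_example_%ld", (long)getpid());
    fd = open_as_user(path, getuid(), 0600);
    if (fd >= 0) { close(fd); rc = 0; }
    unlink(path);
    return rc;
}
```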

Theodore Tso [Sat, 18 May 1996 05:55:59 +0000 (05:55 +0000)]
Define MD5_K5BETA_COMPAT and MD5_K5BETA_COMP_DEF so that we continue
doing things the wrong (broken) way. All hail backwards
compatibility.... The code now generates the old checksum, but it
will verify both the old and the correct checksum formats.
Also fixed two bugs in the "correct" MD5_CRYPTO implementation; use a
zero initialization vector, and calculate the confounder at the
beginning of the message, not at the end.

Theodore Tso [Sat, 18 May 1996 05:55:25 +0000 (05:55 +0000)]
Define MD4_K5BETA_COMPAT and MD4_K5BETA_COMP_DEF so that we continue
doing things the wrong (broken) way. All hail backwards
compatibility.... The code now generates the old checksum, but it
will verify both the old and the correct checksum formats.
Also fixed two bugs in the "correct" MD4_CRYPTO implementation; use a
zero initialization vector, and calculate the confounder at the
beginning of the message, not at the end.

Richard Basch [Wed, 15 May 1996 00:59:30 +0000 (00:59 +0000)]
* des_int.h: the cs_entry routines in cbc_cksum.c are now static
* Makefile.in: removed cs_entry.c
* cbc_cksum.c:
caller is responsible for allocating cksum->contents
and indicate the allocated amount in cksum->length.
the cs_entry routines are now static and the cs_entry
structure is now in this file to enforce proper use.

Theodore Tso [Tue, 14 May 1996 08:41:32 +0000 (08:41 +0000)]
ser_ctx.c (krb5_context_size, krb5_context_externalize,
krb5_context_internalize): Add missing fields from the serialized
context: clockskew, default_kdc_req_sumtype, default_ap_req_sumtype,
default_safe_sumtype, kdc_default_options, library_options,
profile_secure, fcc_default_format, scc_default_format.
ser_actx.c (krb5_auth_context_size, krb5_auth_context_externalize,
krb5_auth_context_internalize): Serialize the two fields req_cksumtype
and safe_cksumtype, instead of the one cksumtype field.
mk_safe.c (krb_mk_safe): Use safe_cksumtype instead of cksumtype in
the auth context.
mk_req_ext.c (krb5_mk_req_extended): Use req_cksumtype instead of
cksumtype in the auth context.
init_ctx.c (krb5_init_context): Add support for new profile
relations libdefaults/tkt_lifetime, libdefaults/kdc_req_checksum_type,
libdefaults/ap_req_cksumtype, libdefaults/safe_checksumtype, and
libdefaults/kdc_default_options.
auth_con.h: Remove old cksumtype element, and replace it with
req_cksumtype and safe_cksumtype.
auth_con.c (krb5_auth_con_init): Initialize the req_cksumtype and
safe_cksumtype from the context's default req_cksumtype and
safe_cksumtype. (krb5_auth_con_set_req_cksumtype,
krb5_auth_con_set_safe_cksumtype): New functions, to replace old
krb5_auth_con_setcksumtype

Theodore Tso [Tue, 14 May 1996 08:39:27 +0000 (08:39 +0000)]
k5-int.h: Added new field values for ap_req_sumtype and safe_sumtype.
Added new convenience function for verifying magic numbers:
KRB5_VERIFY_MAGIC.
krb5.hin (krb5_auth_con_set_req_cksumtype, krb5_auth_con_set_safe_cksumtype):
Added prototypes of new functions, to replace old
krb5_auth_con_setcksumtype.

Theodore Tso [Tue, 14 May 1996 00:43:00 +0000 (00:43 +0000)]
Change the default ticket lifetime to something reasonable (10 hours,
instead of 10 minutes). Also change the label of this parameter to be
tkt_lifetime.

Richard Basch [Mon, 13 May 1996 11:54:07 +0000 (11:54 +0000)]
configure.in heuristic.c:
Change the euid before opening the source ccache, so we don't use
someone else's ccache.
authorization.c:
users only in /.k5login were not permitted to use the '-e cmd' feature.
The man page does not indicate that this should not be permitted...
Also, lots of indentation cleanup was done... I couldn't read the code before.

Ezra Peisach [Sun, 12 May 1996 11:47:13 +0000 (11:47 +0000)]
Back out change to libupdate.sh.
The problem is that for directories containing multiple subdirs, the
current procedure is to do a foreach and invoke libupdate --force for
each one. This is broken as it caused the library to be removed each time.

Richard Basch [Thu, 9 May 1996 16:01:08 +0000 (16:01 +0000)]
krlogind.c krshd.c:
Use the default service principal as the basis for the rcache name.
login.c:
SVR4 systems typically do not do mail/motd checks in login; they
do it in the profiles (/etc/profile). Follow that convention...

Richard Basch [Tue, 7 May 1996 23:22:02 +0000 (23:22 +0000)]
Don't do more than the necessary encryptions for a single cblock length
random key. Only the larger cblocks need a second wrap-around cbc encrypt
to prevent leaking a codebook.

Richard Basch [Tue, 7 May 1996 20:17:36 +0000 (20:17 +0000)]
New DES random number generation. For regular DES, it is nearly equivalent
(an extra DES encryption now happens). For 3des, it is a substantially
better setup (the original one was a placeholder); it may not be the final
one, but at least it is not as weak as the previous version. (This checkin
does not include the proposed API changes.)

Ken Raeburn [Sat, 4 May 1996 02:04:10 +0000 (02:04 +0000)]
* rsh.exp: Add tests for ticket forwarding
* kadmin.exp and gssapi.exp: Fix syntax of expect_after blocks. The -i $foo
must be inside the {, and the { must be by itself at the end of the line.
* gssftp.exp (start_ftp_daemon): use krb5.conf, not krb.conf
* kadmin.exp: Don't look at output from kadmind to drain it; that problem is
handled elsewhere now.
* kadmin.exp (kadmin_delete, kadmin_add, kadmin_add_rnd, kadmin_examine,
kadmin_cpw, kadmin_cpw_rnd, kadmin_modify, kadmin_rename, kadmin_list,
kadmin_extract, kadmin_extractv4): check for "lost KDC" as well.
* kadmin.exp (kadmin_show): extend regexp to match current kadmin interface.
(kadmin_add): match more of extended output (tentative change, should be
expanded later to actually check the values.)

Ken Raeburn [Sat, 4 May 1996 01:11:12 +0000 (01:11 +0000)]
Tue Apr 2 22:22:47 1996 Chris Provenzano <proven@cygnus.com>
* default.exp : Do an stty to set kill and erase correctly. Things don't work
if kill is set to '@'.
Fri Mar 29 15:02:32 1996 Chris Provenzano <proven@cygnus.com>
* default.exp : Always use variable BINSH instead of sh. Use -f flag with
kinit to get forwardable tickets. Setup kdc.conf to allow forwardable tickets.
Thu Mar 28 17:30:55 1996 Ken Raeburn <raeburn@cygnus.com>
* default.exp (touch, tail1): New proc.
(start_kerberos_daemons, stop_root_shell): Use them, and sleep built-in cmd.
Wed Mar 27 22:43:08 1996 Ken Raeburn <raeburn@cygnus.com>
* default.exp (start_kerberos_daemons): Use ">>" to avoid updating mod time on
kadmind log file.
Wed Mar 27 21:35:57 1996 Marc Horowitz <marc@mit.edu>
* default.exp: (start_kerberos_daemons): exec the kadmind inside an sh to
redirect stderr (this is a pending bug), and keep the same pid, so that
stop_kerberos_daemons doesn't leave a kadmind running.
Wed Mar 27 21:24:35 1996 Marc Horowitz <marc@mit.edu>
* default.exp: (start_kerberos_daemons): add a check for "cannot initialize
network" as a failure message to the kadmind5 startup expect checks.
Wed Mar 27 21:10:47 1996 Marc Horowitz <marc@mit.edu>
* default.exp (start_kerberos_daemons): use ezra's KDC tail changes for
kadmind5, too.
* rlogin.exp (start_rlogin_daemon): start klogind with sh -c so that setsid()
won't fail due to the process already being the leader of a process group.

Ken Raeburn [Sat, 4 May 1996 00:42:57 +0000 (00:42 +0000)]
* kinit.c (krb5_validate_tgt): new function, takes a credential cache with an
tgt with the "invalid flag" set, and asks the kdc to validate it. Wipes cache
and stores only the newly validated credential. (After all, there won't be any
others, because the invalid krbtgt couldn't have gotten them.) Most of the code
is taken from krb5_mk_req, since it did the right thing.
(main): add -v option, validates the ticket already in the selected cache.

Ken Raeburn [Sat, 4 May 1996 00:17:55 +0000 (00:17 +0000)]
* get_creds.c (krb5_get_credentials_core): new function. Common part of
krb5_get_credentials and krb5_get_credentials_validate. Some formerly local
variables are now arguments.
(krb5_get_credentials): same as before, but calls _core to do some of the work.
(krb5_get_credentials_validate): uses krb5_get_cred_from_kdc_validate and only
stores the returned credential in the cache, instead of storing all of them.
* gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): new function. Same body as
krb5_get_cred_from_kdc, but takes one new argument, kdcopts, and combines it
with the other kdc options when calling krb5_get_cred_via_tkt. This is static
and only called by
(krb5_get_cred_from_kdc): a wrapper that provides the same function it did
before, and
(krb5_get_cred_from_kdc_validate): a wrapper that passes KDC_OPT_VALIDATE, so
that kinit can use it.
We'll probably need another one for renewing tickets as well.
* rd_req_dec.c (krb5_rd_req_decoded_opt): new function. Same body as
krb5_rd_req_decoded, but takes one new argument, check_valid_flag, to determine
whether or not to check if the "invalid flag" is set in the ticket. Also made
static, so that it is only called via:
(krb5_rd_req_decoded): wrapper for krb5_rd_req_decoded_opt that specifies the
"invalid flag" gets checked, and
(krb5_rd_req_decoded_anyflag): wrapper for krb5_rd_req_decoded_opt that
specifies that the "invalid flag" doesn't get checked. (This version is only
called from kdc_util.c:kdc_process_tgs_req.)
* str_conv.c (krb5_string_to_timestamp): double check that strptime at least
parsed *some* of the string, avoid degenerate cases from GNU libc strptime.
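The strptime check that the last item of this entry describes, as an added example that is not the project's own str_conv.c code: a wrapper (the names parse_timestamp_strict and parsed_year are assumptions) that rejects a NULL result, a result that consumed nothing (the degenerate GNU libc case the entry mentions, e.g. an empty format), and unparsed trailing text.

```c
#define _GNU_SOURCE
#include <string.h>
#include <time.h>

/* Explicit prototype so the example builds even where the feature macro
 * above is not honoured; assumes a POSIX strptime(3). */
char *strptime(const char *s, const char *fmt, struct tm *tm);

/* Hypothetical strict wrapper: returns 0 and fills *out only when the
 * format matched, consumed at least one character, and nothing is left
 * over; returns -1 otherwise. */
int parse_timestamp_strict(const char *s, const char *fmt, struct tm *out)
{
    struct tm tm;
    const char *end;

    memset(&tm, 0, sizeof tm);
    end = strptime(s, fmt, &tm);
    if (end == NULL)          /* the format did not match */
        return -1;
    if (end == s)             /* degenerate case: nothing was parsed */
        return -1;
    if (*end != '\0')         /* trailing garbage after the timestamp */
        return -1;
    *out = tm;
    return 0;
}

/* Convenience for checks: the four-digit year of a strictly parsed
 * timestamp, or -1 when the parse is rejected. */
int parsed_year(const char *s, const char *fmt)
{
    struct tm tm;
    if (parse_timestamp_strict(s, fmt, &tm) != 0)
        return -1;
    return tm.tm_year + 1900;
}
```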

Theodore Tso [Fri, 3 May 1996 21:03:00 +0000 (21:03 +0000)]
Add code to support appropriate behavior when the input credentials is
NULL (i.e., the default credential). We use the default credential
for the "default mechanism", which is the first mechanism registered
with the library.

Ken Raeburn [Thu, 2 May 1996 01:22:45 +0000 (01:22 +0000)]
cygnus merge:
* configure.in: Fix typo in Apr 16 HP-UX change.
* state.c (envvarok): nuke all KRB5* environment variables, not just the
previously selected ones.
* telnetd.c (telnet -> doit): moved SIGTTOU handler before the first thing
which would cause the terminal driver to get upset.
* sys_term.c (line): Remove initialization silliness. The non-GNUC method was
Just Wrong, do it the other way always.
(Xline): Specify length, not contents.
* termio-tn.c (readstream_termio): new file, provides isolated version of
M_IOCTL handling for systems where termio and termios can't be compiled
together.
* termios-tn.c (readstream_termios): new file, provides isolated version of
M_IOCTL handling for systems where termio and termios can't be compiled
together.
* telnetd.c (readstream): use readstream_termios and readstream_termio to
handle getmsg with M_IOCTL.

Ken Raeburn [Wed, 1 May 1996 03:17:43 +0000 (03:17 +0000)]
Merge with Cygnus sources, changes from Mark Eichin, Marc Horowitz, Chris
Provenzano and me:
* Makefile.in (install): Install correct set of man pages, and check for
failures.
* kshd.M, klogind.M: Renamed from kr*.M versions.
* login.M: New file. Man page for login with some description of new features.
* rlogin.M: Remove references to using program with target hostname as argv[0].
* rsh.M: Ditto. Also document -f, -F, -x options.
* login.c: Massive changes. Split much functionality out of main and into
separate file sections: terminal flag settings, Kerberos 4 and 5 support, UNIX
password support, mail check, signal handler handling, some other support
routines. Revamp controlling tty and process group handling. For AFS
configuration, use setpag and run aklog. Try validating password using krb5.
Always set tty flags, not just for rlogin session. When validating tickets,
treat an existing key file that doesn't contain the key we think we want
(possibly because DNS was spoofed) as an error condition.
* Makefile.in (LOGINLIBS): List libkrb524.a here.
(LIBOBJS): Not here.
(login.krb5): Reverse the order of LIBOBJS and LOGINLIBS.
* configure.in: Check for --with-afs. Add AFS libs and define SETPAG if
supplied.
* login.c (KRB5_GET_TICKETS, KRB4_GET_TICKETS, KRB_RUN_AKLOG): new macros
selecting single signon options. krb5.conf profile support for control over
authentication options, above the compile time selection.
(conf_affirmative): new function, recognize yes/no in profile value.
(login_get_kconf): new function, look for all [login] flags and set them in
appropriate globals (via login_conf_set array.)
(main, sleepexit, destroy_tickets): Check the new login_* flags.
(main): rename KRB4_USE_524 to KRB4_CONVERT.
* configure.in: Added checks for tcsetpgrp, tcgetpgrp, setpgid.
* krlogind.c (control): Use tcgetpgrp if it's available.
* loginpaths.h (RPATH, LPATH, LPATH_root): Define HP/UX 9.04 versions,
conditionalized on __hpux and !hpux.
* login.c and configure.in: instead of checking _IBMR2 and __sgi__, write
configure tests to check for the existence of /etc/environment and
/etc/TIMEZONE files, respectively.
* forward.c (rd_and_store_for_creds) : If chown fails then only pass failure
back if owner is different than intended owner. This is to make rsh.exp test
work without requiring root privileges.
* login.c (main): Don't set TERM to an empty value.
(stypeof) [__hpux]: Return null if unknown.
* krlogin.c (catchild): remove hp/ux kludge because of aclocal.m4 fix.
(speeds): test __hpux for hpux speed list.
(main): test __hpux for use of FIOSSAIOSTAT and FIOSSAIOOWN
(USE_TERMIO): test __hpux for bsdtty/ptyio headers.
* krlogind.c: test __hpux for bsdtty/ptyio headers.
(doit): test __hpux for use of setpgrp2.
* krcp.c (main): test __hpux as well for remsh vs. rsh.
* krcp.c (des_write): Make sure the buffer for the encrypted data is large
enough. Only return an error in malloc fails.
* krsh.c (main): Always turn on anyport -A option.
* krlogind.c (ptsname): Declare if it's going to be used.
* krshd.c (main): Use basename of argv[0] for progname.
* login.c (dofork): On linux, TIOCNOTTY causes us to die on a SIGHUP, so don't
even try it.