* rcp.exp: Invoke kshd with -L for every environment variable we
want passed to invoke rcp with...
We also tell kshd to pass on ENV_SET because at MIT,
csh -c rcp.... will source the users .cshrc - which at MIT sets
LD_LIBRARY_PATH on the SUNS... We cannot use other options like
-f as the user may have sh as their shell. Probably kshd should recognize
rcp and invoke rcp without the shell invocation....
Add an option -L to pass an environment variable to a client.
This is used by the DejaGnu test suite to pass the shared library
paths to start up rcp properly.
Richard Basch [Wed, 3 Apr 1996 22:24:03 +0000 (22:24 +0000)]
* krlogind.c: Under Solaris, when the connection pipe goes away,
zero bytes are returned. Since we are using blocking
read calls, and the net_read function deals with
interrupted/resumed reads, consider zero bytes to be
be a terminated connection, so as not to spin.
Theodore Tso [Sun, 31 Mar 1996 03:57:48 +0000 (03:57 +0000)]
Took the list of sources and object files in FSRCS, FOBJS, D3OBJS, and
D3SRCS, and inlined them into the OBJS and SRCS list. This is
necessary so that the files are correctly picked up for the Macintosh
build.
Richard Basch [Wed, 27 Mar 1996 22:55:17 +0000 (22:55 +0000)]
* in_tkt_ktb.c (keytab_keyproc): Do not check to see that the
enctype of the key is identical; there are several equivalent
DES enctypes.
* in_tkt_ktb.c (krb5_get_in_tkt_with_keytab): Removed the fancy
logic to only request the keytypes that correspond to those in
the keytab. There were too many fencepost conditions that could
get you into trouble. Either it should be there and *fully*
functional, or not in there at all. Besides, there are too many
other components in Kerberos that expect the end-service to know
all its keys that this sanity check is overkill.
Ezra Peisach [Tue, 26 Mar 1996 05:43:20 +0000 (05:43 +0000)]
* default.exp (start_kerberos_daemons): New methodology for
starting KDC so that the KDC will not hang on a full
output buffer which is being ignored.
(setup_kerberos_files): Enable des3 encryption types.
The first problem was seen on Suns where I previously set the logging
for the kdc to stderr, and then ignored the output after the server was
running.
The second exercised the bug that sam just fixed in mixing in the des3
encryption types.
Sam Hartman [Mon, 25 Mar 1996 03:01:48 +0000 (03:01 +0000)]
Changes to help streams work correctly on AIX 4.1.4 and HPUX 9.
Adapted loosly from 1837 in krb5-bugs, although I ended up not using
any of Doug's code.
Sam Hartman [Sun, 24 Mar 1996 20:28:37 +0000 (20:28 +0000)]
* krshd no longer does non-blocking IO. It never really needed it
* krcp works correctly even if not all data is written in a single
request.
* Implement temporary patch to make sure des_outbuf is big enough.
Proven should be sending the Cygnus patch once he decides how to
handle this permanently.
Sam Hartman [Sun, 24 Mar 1996 20:23:45 +0000 (20:23 +0000)]
* Apply patch from Ken Raeburn to get telnetd compiling on the SGI
* Force telnetd not to use streams on the SGI; it doesn't support
pushing modules onto a pty.
* Remove old utmpx crud from sys_term.c because it was getting called
inadvertently, didn't compile on the SGI, and libpty already does
something reasonable with utmpx.
Sam Hartman [Sun, 24 Mar 1996 20:19:29 +0000 (20:19 +0000)]
Fix multiple enctype bug: the enctype for the eblock used to encrypt
the kdc request used the enctype of the tgt, not of the session key.
Considering that the request is encrypted in the session key of the
tgt, this is incorrect.
Theodore Tso [Thu, 21 Mar 1996 01:36:03 +0000 (01:36 +0000)]
Comment out #ident line. This causes the Macintosh C compiler
indigestion. Remove #include of gssapi/gssapi.h, since that gets
included by gssapiP_generic.h.
Richard Basch [Wed, 20 Mar 1996 01:02:57 +0000 (01:02 +0000)]
* conv_creds.c (krb524_convert_creds_plain):
if the v5 lifetime is greater than the max v4 lifetime, use the max
v4 lifetime (0xff), rather than masking it with 0xff.
Richard Basch [Wed, 20 Mar 1996 01:01:24 +0000 (01:01 +0000)]
* kdb5_edit.c (extract_v4_srvtab): do not test to make sure we
fetched a key of enctype 1 (des-cbc-crc), since we may have gotten
another des key from the database, which is just as useful in a
v4 srvtab
* dumpv4.c (dump_v4_iterator): use krb5_524_conv_principal to do the
v5 to v4 principal translation, instead of having yet another
hard-coded table.
Ezra Peisach [Tue, 19 Mar 1996 16:27:56 +0000 (16:27 +0000)]
* tf_util.c (tf_get_cred): Issue date is written out as a long,
read back in as same.
I have kept the size as a long to be compatible with the Cygnus V4
distribution. The problem was introduced when we changed the include/kerberosIV
structures to use 32 bit ints for timestamps. So, under OSF/1, tf_util would
write out a 64 bit issue date, and then try reading back in a 32 bit one. Since
Cygnus uses sizeof(long) we will too.
Ezra Peisach [Tue, 19 Mar 1996 02:58:27 +0000 (02:58 +0000)]
* aclocal.m4 (KRB5_RUN_FLAGS): Allows for setting of proper paths
for executing programs in the build tree with proper
overriding of potentially installed libraries.
Theodore Tso [Tue, 19 Mar 1996 02:38:56 +0000 (02:38 +0000)]
Makefile.in: Added flags to turn on the encryption option
authenc.c (telnet_spin): Implemented the telnet spin function, which
works by calling the Scheduler with the tty_lockout flag set.
main.c (main): If the -x option is given, set the autologin,
wantencryption, and auth_enable_encrypt flag. They enable
authentication, enforcement of the encryption option, and a flag to
the auth layer to negotiate authentication with mandatory encryption
option.
telnet.c (telnet): If the wantencryption flag is set (because the user
has given the -x option, then we enforce that encryption must be
turned on. The user will not be able to type to the network stream
until encryption is enabled, and if encryption is refused, the client
will print an error message.
(Scheduler): If the tty_lockout flag is set, then don't process
keyboard read events. This prevents the user from typing over the
network until encryption is enabled.
utilities.c (printsub): Added print support for the authentication
must-encrypt option.
Theodore Tso [Tue, 19 Mar 1996 02:33:21 +0000 (02:33 +0000)]
Mon Mar 18 20:56:37 1996 Theodore Y. Ts'o <tytso@dcl>
* kerberos5.c (kerberos5_send): Send in as input the
authentication type pair (ap->type, ap->way) to be
checksumed in the authenticator.
(kerberos5_is): If the checksum is present in the
authenticator, then validate the authentication type pair
against the checksum.
(kerberos5_reply): If we didn't do mutual authentication,
and we receive a KRB_ACCEPT, then stash away the session
key anyway. This way we have a chance of doing encryption
even if mutual authentication wasn't done.
* encrypt.c (EncryptStartInput, EncryptStartOutput): Added
conditional around printf so that these two functions can
be called by the server.
(encrypt_is_encrypting): New function which returns true
only if both sides of the telnet stream is encrypted.
Fri Mar 15 18:19:44 1996 Theodore Y. Ts'o <tytso@dcl>
* auth.c: Added new authentication scheme for Krb5 mutual
authentication with mandatory encryption.
(auth_send, auth_send_retry): Split auth_send() so that
the functionality done by auth_send_retry() is separate.
This avoids a really dodgy pointer comparison which was
caused by auth_send() being used for two purposes.
If the client has not requested encryption, then don't
use the authentication systems which require encryption.
(auth_must_encrypt): New function which returns whether
or not encryption must be negotiated.
* auth-proto.h: Added prototype for new option
auth_must_encrypt().
* Makefile.in (ENCRYPTION, DES_ENCRYPTION): Added defines to turn
on encryption and des encryption.