This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils".
The branch, master has been updated
via 3054a34cda7ced89f28fcaf3401097ee0b83cebc (commit)
from a1df58afcb9f63e97ec6b944432a09ae52ed51a4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=3054a34cda7ced89f28fcaf3401097ee0b83cebc
commit 3054a34cda7ced89f28fcaf3401097ee0b83cebc
Author: Mats Erik Andersson <[email protected]>
Date: Fri Aug 3 15:19:06 2012 +0200
rlogind, rshd: Exchange protocol audit.
Make sure they follow identical protocols.
diff --git a/ChangeLog b/ChangeLog
index 4ac4f42..6ed2ba5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,26 @@
2012-08-03 Mats Erik Andersson <[email protected]>
+ rlogind, rshd: Protocol exchange adherence.
+ The implementations in both, with and without
+ Kerberization, did not follow identical protocols.
+
+ * libinetutils/kcmd.c (kcmd) [SHISHI]: Write remote user name
+ first, then the local user name, falling back to remote name.
+ * src/rlogind.c (do_shishi_login) [SHISHI]: Read local user
+ name first, then remote name.
+ * src/rshd.c (doit): Read `locuser' immediately before `command'.
+ [!KERBEROS && !SHISHI]: Read `remuser' first.
+ [KERBEROS || SHISHI]: Read `remuser' last.
+ [SHISHI]: Insert `Kerberized' into syslog message only for active
+ Kerberized connection.
+
+ * src/rsh.c (options) [WITH_ORCMD_AF || WITH_RCMD_AF || SHISHI]:
+ Add SHISHI as provider of `--ipv4' and `--ipv6'.
+
+ * doc/inetutils.text: Updated.
+
+2012-08-03 Mats Erik Andersson <[email protected]>
+
* configure.ac: Check whether `struct sockaddr_in6'
contains sin6_len. Correctly check for ut_addr_v6
inside `struct utmpx'.
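Review bot: the entry `* doc/inetutils.text: Updated.` names a file that this commit does not touch; the diff below modifies `doc/inetutils.texi`. Correct the file name. Since that file carries most of the change (new `-4`/`-6`, `-S` and `-v` entries, the rshd `-L` entry changing from `--local-domain` to `--log-sessions`), a short summary in place of "Updated" would make the entry useful when searching the log.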
diff --git a/doc/inetutils.texi b/doc/inetutils.texi
index 002c903..c1b67c8 100644
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -1715,11 +1715,17 @@ Reference Manual}.
The options are as follows :
@table @option
-@item -K
-@itemx --kerberos
-@opindex -K
-@opindex --kerberos
-Turns off all Kerberos authentication.
+@item -4
+@itemx --ipv4
+@opindex -4
+@opindex --ipv4
+Use only IPv4.
+
+@item -6
+@itemx --ipv6
+@opindex -6
+@opindex --ipv6
+Use only IPv6.
@item -d
@itemx --debug
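Review bot: `-4`/`--ipv4` and `-6`/`--ipv6` are documented here without any condition, but the option table in src/rsh.c (later in this commit) compiles them only under `WITH_ORCMD_AF || WITH_RCMD_AF || SHISHI`. Add a sentence saying that the two options are present only when the build has the corresponding support, so that a user of a build without them can tell why they are rejected.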
@@ -1732,26 +1738,38 @@ Turns on socket debugging used for communication with
the remote host.
@opindex -k
@opindex --realm
The option requests rsh to obtain tickets for the remote host in
-@var{realm} realm instead of the remote host's realm.
+realm @var{realm} instead of the remote host's realm.
+
+@item -K
+@itemx --kerberos
+@opindex -K
+@opindex --kerberos
+Turns off all Kerberos authentication.
+
+@item -l @var{user}
+@itemx --user=@var{user}
+@opindex -l
+@opindex --user
+By default, the remote username is the same as the local username.
+The @option{-l} option and the @samp{username@@host} format allow the
+remote user name to be specified. Kerberos authentication is used,
+whenever available, and authorization is determined as in @command{rlogin}
+(@pxref{rlogin invocation}).
+
+@item -n
+@itemx --no-input
+@opindex -n
+@opindex --no-input
+Use @file{/dev/null} for all input, and use no separate @samp{stderr}
+at remote end. This option is void together with encryption.
@item -x
@itemx --encrypt
@opindex -x
@opindex --encrypt
-Turns on DES encryption for all data passed via the rsh session. This
+Turns on encryption for all data passed via the rsh session. This
may impact response time and CPU utilization, but provides increased
security.
-
-@item -l
-@itemx --user
-@opindex -l
-@opindex --user
-By default, the remote username is the same as the local username.
-The @option{-l} option or the @samp{username@@host} format allow the
-remote name to be specified. Kerberos authentication is used, and
-authorization is determined as in @command{rlogin} (@pxref{rlogin
-invocation}).
-
@end table
If no command is specified, you will be logged in on the remote host
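Review bot: in the new `-n` entry, "This option is void together with encryption" is hard to parse. If the meaning is that `-n` has no effect when `-x` is given, say that directly, for example "This option has no effect when combined with @option{-x}", and mark the option name with `@option` as the `-l` entry does.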
@@ -1802,6 +1820,18 @@ Reference Manual}.
The options are as follows :
@table @option
+@item -4
+@itemx --ipv4
+@opindex -4
+@opindex --ipv4
+Use only IPv4.
+
+@item -6
+@itemx --ipv6
+@opindex -6
+@opindex --ipv6
+Use only IPv6.
+
@item -8
@itemx --8-bit
@opindex -8
@@ -1810,21 +1840,6 @@ Allows an eight-bit input data path at all times;
otherwise parity
bits are stripped except when the remote side's stop and start
characters are other than @kbd{C-S}/@kbd{C-Q}.
-@item -E
-@item --no-escape
-@itemx --no-escape
-@opindex -E
-@opindex --no-escape
-Stops any character from being recognized as an escape character.
-When used with the @option{-8} option, this provides a completely
-transparent connection.
-
-@item -K
-@itemx --kerberos
-@opindex -K
-@opindex --kerberos
-Turns off all Kerberos authentication.
-
@item -d
@itemx --debug
@opindex -d
@@ -1832,7 +1847,7 @@ Turns off all Kerberos authentication.
Turns on socket debugging on the TCP sockets used for communication
with the remote host.
-@item -e
+@item -e @var{char}
@itemx --escape=@var{char}
@opindex -e
@opindex --escape
@@ -1840,18 +1855,40 @@ Allows user specification of the escape character,
which is @samp{~}
by default. This specification may be as a literal character, or as
an octal value in the form @samp{\nnn}.
-@item -k
+@item -E
+@itemx --no-escape
+@opindex -E
+@opindex --no-escape
+Stops any character from being recognized as an escape character.
+When used with the @option{-8} option, this provides a completely
+transparent connection.
+
+@item -k @var{realm}
@itemx --realm=@var{realm}
@opindex -k
@opindex --realm
The option requests rlogin to obtain tickets for the remote host in
-@var{realm} realm instead of the remote host's realm.
+realm @var{realm} instead of the remote host's realm.
+
+@item -K
+@itemx --kerberos
+@opindex -K
+@opindex --kerberos
+Turns off all Kerberos authentication.
+
+@item -l @var{user}
+@itemx --user=@var{user}
+@opindex -l
+@opindex --user
+By default, the remote username is the same as the local username.
+This option, and the @samp{user@@host} format, allow the remote
+user name to be made explicit, or changed.
@item -x
@itemx --encrypt
@opindex -x
@opindex --encrypt
-Turns on DES encryption for all data passed via the rlogin session.
+Turns on encryption for all data passed via the rlogin session.
This may impact response time and CPU utilization, but provides
increased security.
@end table
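Review bot: the `-x` entry now reads "Turns on encryption" after "DES" was dropped, which leaves the reader with no way to tell what protects the session. If the cipher depends on the Kerberos library in use or is negotiated, add a sentence saying so. The same wording is introduced for rsh, rcp and rlogind elsewhere in this patch, so one shared sentence would cover all four.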
@@ -1906,18 +1943,42 @@ rcp [@var{option}]@dots{} @var{files}@dots{}
@var{directory}
@end example
@table @option
-@item -K
-@itemx --kerberos
-@opindex -K
-@opindex --kerberos
-Turns off all Kerberos authentication.
+@item -4
+@itemx --ipv4
+@opindex -4
+@opindex --ipv4
+Use only IPv4.
-@item -k
+@item -6
+@itemx --ipv6
+@opindex -6
+@opindex --ipv6
+Use only IPv6.
+
+@item -d @var{directory}
+@itemx --target-directory=@var{directory}
+@opindex -d
+@opindex --target-directory
+Copy all source arguments into @var{directory}.
+
+@item -f
+@itemx --from
+@opindex -f
+@opindex --from
+(Server mode only.) Copying from remote host.
+
+@item -k @var{realm}
@itemx --realm=@var{realm}
@opindex -k
@opindex --realm
The option requests rcp to obtain tickets for the remote host in
-@var{realm} realm instead of the remote host's realm.
+realm @var{realm} instead of the remote host's realm.
+
+@item -K
+@itemx --kerberos
+@opindex -K
+@opindex --kerberos
+Turns off all Kerberos authentication.
@item -p
@itemx --preserve
@@ -1925,9 +1986,9 @@ The option requests rcp to obtain tickets for the remote
host in
@opindex --preserve
Causes @code{rcp} to attempt to preserve (duplicate) in its copies the
modification times and modes of the source files, ignoring the umask.
-By default, the mode and owner of file are preserved if it already
-existed; otherwise the mode of the source file modified by the
-@code{umask} function on the destination host is used.
+By default, the mode and owner of the target file are preserved
+if the target itself already exists; otherwise the mode of the source
+file is modified by the @code{umask} setting on the destination host.
@item -r
@itemx --recursive
@@ -1937,12 +1998,18 @@ If any of the source files are directories,
@command{rcp} copies each
subtree rooted at that name; in this case the destination must be a
directory.
+@item -t
+@itemx --to
+@opindex -t
+@opindex --to
+(Server mode only.) Copying to remote host.
+
@item -x
@itemx --encrypt
@opindex -x
@opindex --encrypt
-Turns on DES encryption for all data passed via the rcp session. This
-may impact response time and CPU utilization, but provides increased
+Turns on encryption for all data passed via the @command{rcp} session.
+This may impact response time and CPU utilization, but provides increased
security.
@end table
@@ -3064,7 +3131,8 @@ request is received the following protocol is initiated:
@enumerate
@item
The server checks the client's source port. If the port is not in the
-range 512--1023, the server aborts the connection.
+range 512--1023, the server aborts the connection. However, this
+condition is not applied for Kerberized service.
@item
The server reads characters from the socket up to a NUL (@samp{\0})
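Review bot: the sentence added to step 1 does not say what takes the place of the source-port check for a Kerberized service. The test on ports 512 to 1023 is the first check in this list, so state that Kerberos authentication is what the server relies on in that case, and cross-reference the `-k` option so the reader knows which server mode is meant.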
@@ -3150,17 +3218,23 @@ Ask hostname for verification.
@c @opindex --daemon
@c Daemon mode.
+@item -k
+@itemx --kerberos
+@opindex -k
+@opindex --kerberos
+Use Kerberos authentication.
+
@item -l
@itemx --no-rhosts
@opindex -l
@opindex --no-rhosts
Ignore @file{.rhosts} file.
-@item -L @var{name}
-@itemx --local-domain=@var{name}
+@item -L
+@itemx --log-sessions
@opindex -L
-@opindex --local-domain
-Set local domain name.
+@opindex --log-sessions
+Log successful logins.
@item -n
@itemx --no-keepalive
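Review bot: `-k`/`--kerberos` is documented here as "Use Kerberos authentication", while in the rsh, rlogin and rcp tables of this same file `-k` is `--realm` and `--kerberos` is `-K`, which turns Kerberos off. src/rshd.c carries a FIXME about this mismatch right above the option; the manual entry should mention it in a sentence, because an administrator carrying flags over from the client tools gets the opposite effect.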
@@ -3168,25 +3242,32 @@ Set local domain name.
@opindex --no-keepalive
Do not set SO_KEEPALIVE.
-@item -k
-@itemx --kerberos
-@opindex -k
-@opindex --kerberos
-Use kerberos IV authentication.
-
-@item -x
-@itemx --encrypt
-@opindex -x
-@opindex --encrypt
-Turns on DES encryption for all data passed via the @command{rshd}
-session. This may impact response time and CPU utilization, but
-provides increased security.
-
-@item -D[@var{level}]
-@itemx --debug[=@var{level}]
-@opindex -D
-@opindex -debug
-Set debug level, not implemented.
+@item -S @var{name}
+@itemx --servername=@var{name}
+@opindex -S
+@opindex --servername
+Set Kerberos server name, overriding canonical hostname.
+
+@item -v
+@itemx --vacuous
+@opindex -v
+@opindex --vacuous
+Fail any call asking for non-Kerberos authentication.
+
+@c OBSOLETE?
+@c @item -x
+@c @itemx --encrypt
+@c @opindex -x
+@c @opindex --encrypt
+@c Turns on DES encryption for all data passed via the @command{rshd}
+@c session. This may impact response time and CPU utilization, but
+@c provides increased security.
+
+@c @item -D[@var{level}]
+@c @itemx --debug[=@var{level}]
+@c @opindex -D
+@c @opindex -debug
+@c Set debug level, not implemented.
@c @item -o
@c @itemx --allow-root
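Review bot: the `@c OBSOLETE?` marker above the commented-out `-x` entry leaves an open question in the manual source. Check `-x` and `-D` against the option table in src/rshd.c and either delete the two entries or restore them; a reader of the rendered manual can no longer tell whether rshd supports encryption at all.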
@@ -3327,6 +3408,18 @@ Ask hostname for verification.
@opindex --daemon
Daemon mode.
+@item -D[@var{level}]
+@itemx --debug[=@var{level}]
+@opindex -D
+@opindex -debug
+Set debug level, not implemented.
+
+@item -k
+@itemx --kerberos
+@opindex -k
+@opindex --kerberos
+Use Kerberos authentication.
+
@item -l
@itemx --no-rhosts
@opindex -l
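Review bot: `+@opindex -debug` is missing a dash; the index entry for the long option should be `@opindex --debug`, matching the `@itemx --debug[=@var{level}]` line of the same entry. The typo is carried over from the block that the next hunk removes, so this move is the place to fix it.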
@@ -3345,43 +3438,37 @@ Set local domain name.
@opindex --no-keepalive
Do not set SO_KEEPALIVE.
-@item -k
-@itemx --kerberos
-@opindex -k
-@opindex --kerberos
-Use kerberos IV authentication.
-
-@item -x
-@itemx --encrypt
-@opindex -x
-@opindex --encrypt
-Turns on DES encryption for all data passed via the rlogind session.
-This may impact response time and CPU utilization, but provides
-increased security.
-
-@item -D[@var{level}]
-@itemx --debug[=@var{level}]
-@opindex -D
-@opindex -debug
-Set debug level, not implemented.
-
@item -o
@itemx --allow-root
@opindex -o
@opindex --allow-root
-Allow the root user to login, disabled by default.
+Allow the root user to login. This is disallowed by default.
@item -p @var{port}
@itemx --port=@var{port}
@opindex -p
@opindex --port
-Listen on given port (valid only in daemon mode).
+Listen on given port. (Applicable only in daemon mode.)
@item -r
@itemx --reverse-required
@opindex -r
@opindex --reverse-required
-Require reverse resolving of a remote host IP.
+Require reverse resolving of remote host's numerical IP.
+
+@item -S @var{name}
+@itemx --servername=@var{name}
+@opindex -S
+@opindex --servername
+Set Kerberos server name, overriding canonical hostname.
+
+@item -x
+@itemx --encrypt
+@opindex -x
+@opindex --encrypt
+Turns on encryption for all data passed via the @command{rlogind} session.
+This may impact response time and CPU utilization, but provides
+increased security.
@end table
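Review bot: in the `-o` entry, "Allow the root user to login" uses the noun as a verb; write "log in". In the `-r` entry, "remote host's numerical IP" would read better as "the remote host's IP address".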
diff --git a/libinetutils/kcmd.c b/libinetutils/kcmd.c
index 1d1858b..5266b15 100644
--- a/libinetutils/kcmd.c
+++ b/libinetutils/kcmd.c
@@ -431,16 +431,16 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned
short rport, char *locuser,
realm)) != SHISHI_OK)
goto bad2;
- if (locuser && locuser[0])
- write (s, locuser, strlen (locuser) + 1);
- else
- write (s, *remuser, strlen (*remuser) + 1);
+ write (s, *remuser, strlen (*remuser) + 1);
# endif /* SHISHI */
write (s, cmd, strlen (cmd) + 1);
# ifdef SHISHI
- write (s, *remuser, strlen (*remuser) + 1);
+ if (locuser && locuser[0])
+ write (s, locuser, strlen (locuser) + 1);
+ else
+ write (s, *remuser, strlen (*remuser) + 1);
write (s, &zero, sizeof (int)); /* XXX: not protocol */
# endif
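Review bot: moving `*remuser` ahead of `cmd` and `locuser` behind it changes the order of fields on the wire for every SHISHI build, and nothing in the exchange lets the peer detect which order it is receiving. A client built from this revision talking to an older rlogind or rshd, or the reverse, will have the requesting and the acting user names read into the wrong fields, and those names feed authorization. State the incompatibility in the ChangeLog entry or in NEWS. Separately, the return values of these `write` calls are ignored, so a short or failed write during the handshake goes unnoticed.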
diff --git a/src/rlogind.c b/src/rlogind.c
index 4af17cd..76e2a27 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -964,8 +964,8 @@ do_rlogin (int infd, struct auth_data *ap)
}
#endif /* WITH_IRUSEROK_AF || WITH_IRUSEROK */
- getstr (infd, &ap->rusername, NULL);
- getstr (infd, &ap->lusername, NULL);
+ getstr (infd, &ap->rusername, NULL); /* Requesting user. */
+ getstr (infd, &ap->lusername, NULL); /* Acting user. */
getstr (infd, &ap->term, "TERM=");
pwd = getpwnam (ap->lusername);
@@ -1293,9 +1293,9 @@ do_shishi_login (int infd, struct auth_data *ad, const
char **err_msg)
}
# endif
- getstr (infd, &ad->rusername, NULL);
+ getstr (infd, &ad->lusername, NULL); /* Acting user. */
getstr (infd, &ad->term, "TERM=");
- getstr (infd, &ad->lusername, NULL);
+ getstr (infd, &ad->rusername, NULL); /* Requesting user. */
rc = read (infd, &error, sizeof (int)); /* XXX: not protocol */
if ((rc != sizeof (int)) || error)
diff --git a/src/rsh.c b/src/rsh.c
index d2dbe99..e01d662 100644
--- a/src/rsh.c
+++ b/src/rsh.c
@@ -156,7 +156,7 @@ static struct argp_option options[] = {
{ "encrypt", 'x', NULL, 0,
"encrypt all data transfer" },
#endif
-#if defined WITH_ORCMD_AF || defined WITH_RCMD_AF
+#if defined WITH_ORCMD_AF || defined WITH_RCMD_AF || defined SHISHI
{ "ipv4", '4', NULL, 0, "use only IPv4" },
{ "ipv6", '6', NULL, 0, "use only IPv6" },
#endif
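Review bot: only the guard around the two option-table entries is widened to include `SHISHI`; the hunk does not show a matching change where `'4'` and `'6'` are handled in the option parser or where the chosen address family is stored. If those places are still guarded by `WITH_ORCMD_AF || WITH_RCMD_AF` alone, a SHISHI-only build will list the options in `--help` without acting on them. Please confirm that all three places use the same condition.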
diff --git a/src/rshd.c b/src/rshd.c
index 30b87f6..3805d9a 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -86,7 +86,7 @@
*/
/*
- * remote shell server exchange protocol (client view!):
+ * remote shell server exchange protocol (server view!):
* [port]\0
* remuser\0
* locuser\0
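Review bot: after the switch to "server view" the comment still shows a single ordering, `remuser\0` followed by `locuser\0`. According to the ChangeLog entry in this commit, the Kerberized path reads `remuser` last, so the comment should list both orderings side by side; this block is where a reader will look to check the protocol.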
@@ -216,7 +216,7 @@ static struct argp_option options[] = {
{ "no-keepalive", 'n', NULL, 0,
"do not set SO_KEEPALIVE" },
{ "log-sessions", 'L', NULL, 0,
- "log successfull logins" },
+ "log successful logins" },
#if defined KERBEROS || defined SHISHI
/* FIXME: The option semantics does not match that of others r* utilities */
{ "kerberos", 'k', NULL, 0,
@@ -838,10 +838,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t
fromlen)
}
else
#endif /* KERBEROS || SHISHI */
- locuser = getstr ("locuser");
+ remuser = getstr ("remuser"); /* The requesting user! */
/* Read three strings from the client. */
- remuser = getstr ("remuser"); /* The acting client! */
+ locuser = getstr ("locuser"); /* The acting user! */
cmdbuf = getstr ("command");
#ifdef SHISHI
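Review bot: the comment `/* Read three strings from the client. */` now sits above two reads only, because `remuser` has moved into the `else` branch that straddles `#endif /* KERBEROS || SHISHI */`. Move the comment above that branch or reword it, and put braces around the branch: a single statement hanging off an `else` across an `#endif` is easy to break on the next edit. Also confirm that every Kerberized path assigns `remuser` before the `syslog` call that prints it.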
@@ -916,7 +916,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
}
# endif /* ENCRYPTION */
- locuser = getstr ("locuser"); /* The agent here! */
+ remuser = getstr ("remuser"); /* The requesting user! */
rc = read (STDIN_FILENO, &error, sizeof (int)); /* XXX: not protocol */
if ((rc != sizeof (int)) || error)
@@ -1608,10 +1608,12 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t
fromlen)
else
#endif /* KERBEROS */
syslog (LOG_INFO | LOG_AUTH,
+ "%s%s@%s as %s: cmd='%.80s'",
#ifdef SHISHI
- "Kerberized "
+ use_kerberos ? "Kerberized " : "",
+#else
+ "",
#endif
- "%s@%s as %s: cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
}
#ifdef SHISHI
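Review bot: the `#ifdef SHISHI` / `#else` / `#endif` lines sit inside the argument list of `syslog`. Where `syslog` is provided as a function-like macro, preprocessor directives inside its arguments are undefined behaviour in C. Compute the prefix into a local `const char *` before the call and pass that, which also removes the `#else` arm with the empty string. While here, `remuser` and `locuser` are read from the client and logged with plain `%s`, whereas `cmdbuf` is capped with `%.80s`; a precision on the two names would bound the log line in the same way.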
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 21 ++++
doc/inetutils.texi | 279 +++++++++++++++++++++++++++++++++------------------
libinetutils/kcmd.c | 10 +-
src/rlogind.c | 8 +-
src/rsh.c | 2 +-
src/rshd.c | 16 ++--
6 files changed, 223 insertions(+), 113 deletions(-)
hooks/post-receive
--
GNU Inetutils