This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  32746bf6648bdad78000ae5b39d4841d36a334a4 (commit)
      from  4d1fc9ac2cc7e4aef00884370d2383bc0eb1b87a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=32746bf6648bdad78000ae5b39d4841d36a334a4


commit 32746bf6648bdad78000ae5b39d4841d36a334a4
Author: Mats Erik Andersson <[email protected]>
Date:   Thu Aug 16 18:11:19 2012 +0200

    telnetd: Server principal naming.

diff --git a/ChangeLog b/ChangeLog
index 6e6a625..356d739 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,30 @@
+2012-08-16  Mats Erik Andersson  <[email protected]>
+
+       telnetd: Configurable principal name.
+
+       * libtelnet/misc.c (ServerPrincipal): New variable.
+       (auth_encrypt_init): Add `char *principal' to signature.
+       Assign value to ServerPrincipal.
+       * libtelnet/misc.h (ServerPrincipal): New external variable.
+       * libtelnet/misc-proto.h (auth_encrypt_init): Updated.
+       * libtelnet/shishi.c: Prune newlines in error messages.
+       (krb5shishi_is_auth): New variable REALM.  Delay shishi_ap()
+       and shishi_ap_req_der_set() until after complete setup.
+       Extract server name and realm from ServerPrincipal and
+       override defaults accordingly.  Use variant calls to access
+       realm also, shishi_hostkeys_for_serverrealm() and
+       shishi_hostkeys_for_localservicerealm().
+
+       * telnet/telnet.c (telnet): Call auth_encrypt_init()
+       with `principal = NULL'.
+       * telnetd/telnetd.c (principal) [AUTHENTICATION || ENCRYPTION]:
+       New variable.
+       (argp_options) [AUTHENTICATION || ENCRYPTION]: New option
+       `-S/--server-principal'.
+       (parse_opt) [AUTHENTICATION || ENCRYPTION] <'S'>: New case.
+       (telnetd_setup) [AUTHENTICATION || ENCRYPTION]: Pass
+       `principal' in call to auth_encrypt_init().
+
 2012-08-15  Mats Erik Andersson  <[email protected]>
 
        * src/rcp.c (main) [KERBEROS || SHISHI]: Add `!use_kerberos'
diff --git a/doc/inetutils.texi b/doc/inetutils.texi
index 7601ebd..bce878d 100644
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -3755,6 +3755,18 @@ The only recognised value is otherwise @samp{nokludge}.
 @opindex --no-keepalive
 Disable TCP keep-alives.
 
+@item -S @var{principal}
+@itemx --server-principal=@var{principal}
+@opindex -S
+@opindex --server-principal
+Set principal name for the server, to be used in Kerberos
+authentication.  The value @var{principal} can be set
+to provide full specification like @samp{srv.local@@REALM}
+and @samp{tnt/localhost@@REALM}, where the first uses the
+standard prefix `host/'. Or @var{principal} can override
+default settings in part only, like @samp{srv.local},
+@samp{tnt/srv.local}, or @samp{@@REALM}.
+
 @item -U
 @itemx --reverse-lookup
 @opindex -U
diff --git a/libtelnet/misc-proto.h b/libtelnet/misc-proto.h
index 009d9b2..e2cbef9 100644
--- a/libtelnet/misc-proto.h
+++ b/libtelnet/misc-proto.h
@@ -70,7 +70,7 @@
 #ifndef __MISC_PROTO__
 # define __MISC_PROTO__
 
-void auth_encrypt_init (char *, char *, char *, int);
+void auth_encrypt_init (char *, char *, char *, char *, int);
 void auth_encrypt_user (char *);
 void auth_encrypt_connect (int);
 void printd (unsigned char *, int);
diff --git a/libtelnet/misc.c b/libtelnet/misc.c
index 0385040..45cf3b9 100644
--- a/libtelnet/misc.c
+++ b/libtelnet/misc.c
@@ -59,12 +59,15 @@
 char *RemoteHostName;
 char *LocalHostName;
 char *UserNameRequested = NULL;
+char *ServerPrincipal;
 
 void
-auth_encrypt_init (char *local, char *remote, char *name, int server)
+auth_encrypt_init (char *local, char *remote, char *principal,
+                  char *name, int server)
 {
   RemoteHostName = remote;
   LocalHostName = local;
+  ServerPrincipal = principal;
   (void) name;
   (void) server;               /* silence gcc */
 #if defined AUTHENTICATION
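Review bot: The new global `ServerPrincipal` and the new `principal` parameter carry no comment, and since `auth_encrypt_init` only stores the pointer (`ServerPrincipal = principal;`) the caller's string has to outlive the authentication exchange — in telnetd it is the argv string, so that holds, but nothing says so. Add above the definition `/* Optional override of the server principal; NULL or "" selects the built-in default.  Stored as-is, the caller keeps ownership.  */` and mirror the ownership remark on the prototype in misc-proto.h. The "NULL or empty means default" reading is what the Shishi code in this commit checks (`ServerPrincipal && *ServerPrincipal`); other back ends should be checked for the same convention. auth_encrypt_init's body continues past the end of this hunk.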
diff --git a/libtelnet/misc.h b/libtelnet/misc.h
index a463d50..ec18a3f 100644
--- a/libtelnet/misc.h
+++ b/libtelnet/misc.h
@@ -50,6 +50,7 @@
 extern char *UserNameRequested;
 extern char *LocalHostName;
 extern char *RemoteHostName;
+extern char *ServerPrincipal;
 extern int ConnectedCount;
 extern int ReservedPort;
 
diff --git a/libtelnet/shishi.c b/libtelnet/shishi.c
index a90e40e..1a21624 100644
--- a/libtelnet/shishi.c
+++ b/libtelnet/shishi.c
@@ -306,7 +306,7 @@ krb5shishi_reply (TN_Authenticator * ap, unsigned char 
*data, int cnt)
     {
     case KRB_REJECT:
       if (cnt > 0)
-       printf ("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+       printf ("[ Kerberos V5 rejects authentication: %.*s ]\r\n",
                cnt, data);
       else
        printf ("[ Kerberos V5 refuses authentication ]\r\n");
@@ -402,7 +402,7 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char 
*data, int cnt,
 {
   Shishi_key *key, *key2;
   int rc;
-  char *cnamerealm, *server;
+  char *cnamerealm, *server = NULL, *realm = NULL;
   int cnamerealmlen;
 # ifdef ENCRYPTION
   Session_Key skey;
@@ -427,45 +427,100 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char 
*data, int cnt,
        }
     }
 
-  rc = shishi_ap (shishi_handle, &auth_handle);
-  if (rc != SHISHI_OK)
+  if (ServerPrincipal && *ServerPrincipal)
     {
-      snprintf (errbuf, errbuflen,
-               "Cannot allocate authentication structures: %s",
-               shishi_strerror (rc));
-      return 1;
+      rc = shishi_parse_name (shishi_handle, ServerPrincipal,
+                             &server, &realm);
+      if (rc != SHISHI_OK)
+       {
+         snprintf (errbuf, errbuflen,
+                   "Cannot parse server principal name: %s",
+                   shishi_strerror (rc));
+         return 1;
+       }
+      if (realm)
+       shishi_realm_default_set (shishi_handle, realm);
+
+      /* Reclaim an empty server part.  */
+      if (server && !*server)
+       {
+         free (server);
+         server = NULL;
+       }
     }
 
-  rc = shishi_ap_req_der_set (auth_handle, data, cnt);
-  if (rc != SHISHI_OK)
+  if (!server)
     {
-      snprintf (errbuf, errbuflen,
-               "Cannot parse authentication information: %s",
-               shishi_strerror (rc));
-      return 1;
+      server = malloc (strlen ("host/") + strlen (LocalHostName) + 1);
+      if (server)
+       sprintf (server, "host/%s", LocalHostName);
     }
 
-  server = malloc (strlen ("host/") + strlen (LocalHostName) + 1);
   if (server)
     {
-      sprintf (server, "host/%s", LocalHostName);
-      key = shishi_hostkeys_for_server (shishi_handle, server);
+      /* Two possible action on `server':
+       *   "srv.local"    :  rewrite as "host/srv.local"
+       *   "tn/srv.local" :  accept as is
+       */
+      char *p = strchr (server, '/');
+
+      if (!p)
+       {
+         p = server;
+         server = malloc (strlen ("host/") + strlen (p) + 1);
+         if (!server)
+           {
+             free (p);         /* This old `server'.  */
+             snprintf (errbuf, errbuflen,
+                       "Cannot allocate memory for server name");
+             return 1;
+           }
+         sprintf (server, "host/%s", p);
+       }
+
+      if (realm)
+       key = shishi_hostkeys_for_serverrealm (shishi_handle,
+                                              server, realm);
+      else
+       key = shishi_hostkeys_for_server (shishi_handle, server);
+
       free (server);
     }
   else
-    key = shishi_hostkeys_for_localservice (shishi_handle, "host");
+    key = shishi_hostkeys_for_localservicerealm (shishi_handle,
+                                                "host", realm);
+
+  free (realm);
 
   if (key == NULL)
     {
-      snprintf (errbuf, errbuflen, "Could not find key:\n%s\n",
+      snprintf (errbuf, errbuflen, "Could not find key: %s",
                shishi_error (shishi_handle));
       return 1;
     }
 
+  rc = shishi_ap (shishi_handle, &auth_handle);
+  if (rc != SHISHI_OK)
+    {
+      snprintf (errbuf, errbuflen,
+               "Cannot allocate authentication structures: %s",
+               shishi_strerror (rc));
+      return 1;
+    }
+
+  rc = shishi_ap_req_der_set (auth_handle, data, cnt);
+  if (rc != SHISHI_OK)
+    {
+      snprintf (errbuf, errbuflen,
+               "Cannot parse authentication information: %s",
+               shishi_strerror (rc));
+      return 1;
+    }
+
   rc = shishi_ap_req_process (auth_handle, key);
   if (rc != SHISHI_OK)
     {
-      snprintf (errbuf, errbuflen, "Could not process AP-REQ: %s\n",
+      snprintf (errbuf, errbuflen, "Could not process AP-REQ: %s",
                shishi_strerror (rc));
       return 1;
     }
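Review bot: The allocation-failure path introduced inside the `if (!p)` rewrite block (`free (p); snprintf (...); return 1;`) leaks `realm`, which `shishi_parse_name` allocated and which is otherwise released only by the `free (realm)` further down; add `free (realm);` beside `free (p);` before that `return 1;`. The same `realm` is handed to `shishi_realm_default_set` and then freed later in the hunk, so the code depends on that call copying its argument — if that is confirmed against the Shishi source, a one-line comment such as `/* shishi_realm_default_set copies REALM; we still own it.  */` would save the next reader the lookup. The `malloc` for the default `host/...` name still falls through silently to the local-service lookup on failure, which is pre-existing behaviour but now sits next to a path that does report allocation failure; consider making the two consistent. krb5shishi_is_auth starts before this hunk and continues after it.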
@@ -479,7 +534,7 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char 
*data, int cnt,
       rc = shishi_ap_rep_der (auth_handle, &der, &derlen);
       if (rc != SHISHI_OK)
        {
-         snprintf (errbuf, errbuflen, "Error DER encoding aprep: %s\n",
+         snprintf (errbuf, errbuflen, "Error DER encoding aprep: %s",
                    shishi_strerror (rc));
          return 1;
        }
@@ -494,7 +549,7 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char 
*data, int cnt,
                &cnamerealm, &cnamerealmlen);
   if (rc != SHISHI_OK)
     {
-      snprintf (errbuf, errbuflen, "Error getting authenticator name: %s\n",
+      snprintf (errbuf, errbuflen, "Error getting authenticator name: %s",
                shishi_strerror (rc));
       return 1;
     }
diff --git a/telnet/telnet.c b/telnet/telnet.c
index 70f24ca..a7f43f0 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -2413,7 +2413,7 @@ telnet (char *user)
     if (!local_host)
       local_host = localhost ();
 
-    auth_encrypt_init (local_host, hostname, "TELNET", 0);
+    auth_encrypt_init (local_host, hostname, NULL, "TELNET", 0);
     auth_encrypt_user (user);
   }
 #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
index cd57cf8..064d6cd 100644
--- a/telnetd/telnetd.c
+++ b/telnetd/telnetd.c
@@ -65,6 +65,9 @@ int debug_tcp = 0;            /* Should the SO_DEBUG be set? 
*/
 
 int net;                       /* Network connection socket */
 int pty;                       /* PTY master descriptor */
+#if defined AUTHENTICATION || defined ENCRYPTION
+char *principal = NULL;
+#endif
 char *remote_hostname;
 char *local_hostname;
 char *user_name;
@@ -110,6 +113,11 @@ static struct argp_option argp_options[] = {
     "set line mode" },
   { "no-keepalive", 'n', NULL, 0,
     "disable TCP keep-alives" },
+#if defined AUTHENTICATION || defined ENCRYPTION
+  { "server-principal", 'S', "NAME", 0,
+    "set Kerberos principal name for this server instance, "
+    "with or without explicit realm" },
+#endif
   { "reverse-lookup", 'U', NULL, 0,
     "refuse connections from addresses that "
     "cannot be mapped back into a symbolic name" },
@@ -151,6 +159,12 @@ parse_opt (int key, char *arg, struct argp_state *state)
       keepalive = 0;
       break;
 
+#if defined AUTHENTICATION || defined ENCRYPTION
+    case 'S':
+      principal = arg;
+      break;
+#endif
+
     case 'U':
       reverse_lookup = 1;
       break;
@@ -448,7 +462,8 @@ telnetd_setup (int fd)
 
   local_hostname = localhost ();
 #if defined AUTHENTICATION || defined ENCRYPTION
-  auth_encrypt_init (remote_hostname, local_hostname, "TELNETD", 1);
+  auth_encrypt_init (remote_hostname, local_hostname, principal,
+                    "TELNETD", 1);
 #endif
 
   io_setup ();

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |   27 +++++++++++++
 doc/inetutils.texi     |   12 ++++++
 libtelnet/misc-proto.h |    2 +-
 libtelnet/misc.c       |    5 ++-
 libtelnet/misc.h       |    1 +
 libtelnet/shishi.c     |   99 +++++++++++++++++++++++++++++++++++++-----------
 telnet/telnet.c        |    2 +-
 telnetd/telnetd.c      |   17 ++++++++-
 8 files changed, 139 insertions(+), 26 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 
