10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53011Sjbeck * Common Development and Distribution License (the "License").
63011Sjbeck * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
213011Sjbeck
220Sstevel@tonic-gate /*
23*11415SSurya.Prakki@Sun.COM * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
240Sstevel@tonic-gate * Use is subject to license terms.
250Sstevel@tonic-gate */
260Sstevel@tonic-gate
270Sstevel@tonic-gate /* Copyright (c) 1983-1989 AT&T */
280Sstevel@tonic-gate /* All Rights Reserved */
290Sstevel@tonic-gate
300Sstevel@tonic-gate /*
310Sstevel@tonic-gate * Portions of this source code were derived from Berkeley 4.3 BSD
320Sstevel@tonic-gate * under license from the Regents of the University of California.
330Sstevel@tonic-gate */
340Sstevel@tonic-gate
350Sstevel@tonic-gate #define _FILE_OFFSET_BITS 64
360Sstevel@tonic-gate
370Sstevel@tonic-gate /*
380Sstevel@tonic-gate * remote shell server:
390Sstevel@tonic-gate * remuser\0
400Sstevel@tonic-gate * locuser\0
410Sstevel@tonic-gate * command\0
420Sstevel@tonic-gate * data
430Sstevel@tonic-gate */
440Sstevel@tonic-gate #include <sys/types.h>
450Sstevel@tonic-gate #include <sys/ioctl.h>
460Sstevel@tonic-gate #include <sys/telioctl.h>
470Sstevel@tonic-gate #include <sys/param.h>
480Sstevel@tonic-gate #include <sys/socket.h>
490Sstevel@tonic-gate #include <sys/time.h>
500Sstevel@tonic-gate #include <sys/stat.h>
510Sstevel@tonic-gate #include <sys/file.h>
520Sstevel@tonic-gate #include <sys/select.h>
530Sstevel@tonic-gate
540Sstevel@tonic-gate #include <netinet/in.h>
550Sstevel@tonic-gate
560Sstevel@tonic-gate #include <arpa/inet.h>
570Sstevel@tonic-gate
580Sstevel@tonic-gate #include <unistd.h>
590Sstevel@tonic-gate #include <string.h>
600Sstevel@tonic-gate #include <stdio.h>
610Sstevel@tonic-gate #include <stdarg.h>
620Sstevel@tonic-gate #include <errno.h>
630Sstevel@tonic-gate #include <pwd.h>
640Sstevel@tonic-gate #include <grp.h>
650Sstevel@tonic-gate #include <signal.h>
660Sstevel@tonic-gate #include <netdb.h>
670Sstevel@tonic-gate #include <syslog.h>
680Sstevel@tonic-gate #include <fcntl.h>
690Sstevel@tonic-gate #include <ctype.h>
700Sstevel@tonic-gate #include <locale.h>
710Sstevel@tonic-gate
720Sstevel@tonic-gate #include <sys/resource.h>
730Sstevel@tonic-gate #include <sys/filio.h>
740Sstevel@tonic-gate #include <shadow.h>
750Sstevel@tonic-gate #include <stdlib.h>
760Sstevel@tonic-gate
770Sstevel@tonic-gate #include <security/pam_appl.h>
788126SJoep.Vesseur@Sun.COM #include <deflt.h>
790Sstevel@tonic-gate
800Sstevel@tonic-gate #include <k5-int.h>
810Sstevel@tonic-gate #include <krb5_repository.h>
820Sstevel@tonic-gate #include <com_err.h>
830Sstevel@tonic-gate #include <kcmd.h>
840Sstevel@tonic-gate
853011Sjbeck #include <addr_match.h>
866536Sgtb #include <store_forw_creds.h>
873011Sjbeck
880Sstevel@tonic-gate #ifndef NCARGS
890Sstevel@tonic-gate #define NCARGS 5120
900Sstevel@tonic-gate #endif /* !NCARGS */
910Sstevel@tonic-gate
920Sstevel@tonic-gate static void error(char *, ...);
930Sstevel@tonic-gate static void doit(int, struct sockaddr_storage *, char **);
940Sstevel@tonic-gate static void getstr(int, char *, int, char *);
950Sstevel@tonic-gate
960Sstevel@tonic-gate static int legalenvvar(char *);
970Sstevel@tonic-gate static void add_to_envinit(char *);
980Sstevel@tonic-gate static int locale_envmatch(char *, char *);
990Sstevel@tonic-gate
1000Sstevel@tonic-gate /* Function decls. for functions not in any header file. (Grrrr.) */
1010Sstevel@tonic-gate extern int audit_rshd_setup(void);
1020Sstevel@tonic-gate extern int audit_rshd_success(char *, char *, char *, char *);
1030Sstevel@tonic-gate extern int audit_rshd_fail(char *, char *, char *, char *, char *);
1040Sstevel@tonic-gate extern int audit_settid(int);
1050Sstevel@tonic-gate
1060Sstevel@tonic-gate static int do_encrypt = 0;
1070Sstevel@tonic-gate static pam_handle_t *pamh;
1080Sstevel@tonic-gate
1090Sstevel@tonic-gate /*
1100Sstevel@tonic-gate * This is the shell/kshell daemon. The very basic protocol for checking
1110Sstevel@tonic-gate * authentication and authorization is:
1120Sstevel@tonic-gate * 1) Check authentication.
1130Sstevel@tonic-gate * 2) Check authorization via the access-control files:
1140Sstevel@tonic-gate * ~/.k5login (using krb5_kuserok) and/or
1150Sstevel@tonic-gate * Execute command if configured authoriztion checks pass, else deny
1160Sstevel@tonic-gate * permission.
1170Sstevel@tonic-gate *
1180Sstevel@tonic-gate * The configuration is done either by command-line arguments passed by inetd,
1190Sstevel@tonic-gate * or by the name of the daemon. If command-line arguments are present, they
1200Sstevel@tonic-gate * take priority. The options are:
1210Sstevel@tonic-gate * -k allow kerberos authentication (krb5 only; krb4 support is not provided)
1220Sstevel@tonic-gate * -5 same as `-k', mainly for compatability with MIT
1230Sstevel@tonic-gate * -e allow encrypted session
1240Sstevel@tonic-gate * -c demand authenticator checksum
1250Sstevel@tonic-gate * -i ignore authenticator checksum
1260Sstevel@tonic-gate * -U Refuse connections that cannot be mapped to a name via `gethostbyname'
1270Sstevel@tonic-gate * -s <tos> Set the IP TOS option
1280Sstevel@tonic-gate * -S <keytab> Set the keytab file to use
1290Sstevel@tonic-gate * -M <realm> Set the Kerberos realm to use
1300Sstevel@tonic-gate */
1310Sstevel@tonic-gate
1320Sstevel@tonic-gate #define ARGSTR "ek5ciUD:M:S:L:?:"
1330Sstevel@tonic-gate #define RSHD_BUFSIZ (50 * 1024)
1340Sstevel@tonic-gate
1350Sstevel@tonic-gate static krb5_context bsd_context;
1360Sstevel@tonic-gate static krb5_keytab keytab = NULL;
1370Sstevel@tonic-gate static krb5_ccache ccache = NULL;
1380Sstevel@tonic-gate static krb5_keyblock *sessionkey = NULL;
1390Sstevel@tonic-gate
1400Sstevel@tonic-gate static int require_encrypt = 0;
1410Sstevel@tonic-gate static int resolve_hostname = 0;
1420Sstevel@tonic-gate static int krb5auth_flag = 0; /* Flag set, when KERBEROS is enabled */
1430Sstevel@tonic-gate static enum kcmd_proto kcmd_protocol;
1440Sstevel@tonic-gate
1450Sstevel@tonic-gate #ifdef DEBUG
1460Sstevel@tonic-gate static int debug_port = 0;
1470Sstevel@tonic-gate #endif /* DEBUG */
1480Sstevel@tonic-gate
1490Sstevel@tonic-gate /*
1500Sstevel@tonic-gate * There are two authentication related masks:
1510Sstevel@tonic-gate * auth_ok and auth_sent.
1520Sstevel@tonic-gate * The auth_ok mask is the or'ing of authentication
1530Sstevel@tonic-gate * systems any one of which can be used.
1540Sstevel@tonic-gate * The auth_sent mask is the or'ing of one or more authentication/authorization
1550Sstevel@tonic-gate * systems that succeeded. If the and'ing
1560Sstevel@tonic-gate * of these two masks is true, then authorization is successful.
1570Sstevel@tonic-gate */
1580Sstevel@tonic-gate
1590Sstevel@tonic-gate #define AUTH_KRB5 (0x2)
1600Sstevel@tonic-gate static int auth_ok = 0;
1610Sstevel@tonic-gate static int auth_sent = 0;
1620Sstevel@tonic-gate static int checksum_required = 0;
1630Sstevel@tonic-gate static int checksum_ignored = 0;
1640Sstevel@tonic-gate
1650Sstevel@tonic-gate /*
1660Sstevel@tonic-gate * Leave room for 4 environment variables to be passed.
1670Sstevel@tonic-gate * The "-L env_var" option has been added primarily to
1680Sstevel@tonic-gate * maintain compatability with MIT.
1690Sstevel@tonic-gate */
1700Sstevel@tonic-gate #define MAXENV 4
1710Sstevel@tonic-gate static char *save_env[MAXENV];
1720Sstevel@tonic-gate static int num_env = 0;
1730Sstevel@tonic-gate
1740Sstevel@tonic-gate static void usage(void);
1750Sstevel@tonic-gate static krb5_error_code recvauth(int, int *);
1760Sstevel@tonic-gate
1770Sstevel@tonic-gate /*ARGSUSED*/
178473Sbw int
main(int argc,char ** argv,char ** renvp)1790Sstevel@tonic-gate main(int argc, char **argv, char **renvp)
1800Sstevel@tonic-gate {
1810Sstevel@tonic-gate struct linger linger;
1820Sstevel@tonic-gate int on = 1, fromlen;
1830Sstevel@tonic-gate struct sockaddr_storage from;
1840Sstevel@tonic-gate int fd = 0;
1850Sstevel@tonic-gate
1860Sstevel@tonic-gate extern int opterr, optind;
1870Sstevel@tonic-gate extern char *optarg;
1880Sstevel@tonic-gate int ch;
1890Sstevel@tonic-gate int tos = -1;
1900Sstevel@tonic-gate krb5_error_code status;
1910Sstevel@tonic-gate
1920Sstevel@tonic-gate openlog("rsh", LOG_PID | LOG_ODELAY, LOG_DAEMON);
1930Sstevel@tonic-gate (void) audit_rshd_setup(); /* BSM */
1940Sstevel@tonic-gate fromlen = sizeof (from);
1950Sstevel@tonic-gate
1960Sstevel@tonic-gate (void) setlocale(LC_ALL, "");
1970Sstevel@tonic-gate
1980Sstevel@tonic-gate /*
1990Sstevel@tonic-gate * Analyze parameters.
2000Sstevel@tonic-gate */
2010Sstevel@tonic-gate opterr = 0;
2020Sstevel@tonic-gate while ((ch = getopt(argc, argv, ARGSTR)) != EOF)
2030Sstevel@tonic-gate switch (ch) {
2040Sstevel@tonic-gate case '5':
2050Sstevel@tonic-gate case 'k':
2060Sstevel@tonic-gate auth_ok |= AUTH_KRB5;
2070Sstevel@tonic-gate krb5auth_flag++;
2080Sstevel@tonic-gate break;
2090Sstevel@tonic-gate
2100Sstevel@tonic-gate case 'c':
2110Sstevel@tonic-gate checksum_required = 1;
2120Sstevel@tonic-gate krb5auth_flag++;
2130Sstevel@tonic-gate break;
2140Sstevel@tonic-gate case 'i':
2150Sstevel@tonic-gate checksum_ignored = 1;
2160Sstevel@tonic-gate krb5auth_flag++;
2170Sstevel@tonic-gate break;
2180Sstevel@tonic-gate
2190Sstevel@tonic-gate case 'e':
2200Sstevel@tonic-gate require_encrypt = 1;
2210Sstevel@tonic-gate krb5auth_flag++;
2220Sstevel@tonic-gate break;
2230Sstevel@tonic-gate #ifdef DEBUG
2240Sstevel@tonic-gate case 'D':
2250Sstevel@tonic-gate debug_port = atoi(optarg);
2260Sstevel@tonic-gate break;
2270Sstevel@tonic-gate #endif /* DEBUG */
2280Sstevel@tonic-gate case 'U':
2290Sstevel@tonic-gate resolve_hostname = 1;
2300Sstevel@tonic-gate break;
2310Sstevel@tonic-gate
2320Sstevel@tonic-gate case 'M':
233*11415SSurya.Prakki@Sun.COM (void) krb5_set_default_realm(bsd_context, optarg);
2340Sstevel@tonic-gate krb5auth_flag++;
2350Sstevel@tonic-gate break;
2360Sstevel@tonic-gate
2370Sstevel@tonic-gate case 'S':
2380Sstevel@tonic-gate if ((status = krb5_kt_resolve(bsd_context, optarg,
2390Sstevel@tonic-gate &keytab))) {
2400Sstevel@tonic-gate com_err("rsh", status,
2410Sstevel@tonic-gate gettext("while resolving "
2420Sstevel@tonic-gate "srvtab file %s"), optarg);
2430Sstevel@tonic-gate exit(2);
2440Sstevel@tonic-gate }
2450Sstevel@tonic-gate krb5auth_flag++;
2460Sstevel@tonic-gate break;
2470Sstevel@tonic-gate
2480Sstevel@tonic-gate case 's':
2490Sstevel@tonic-gate if (optarg == NULL || ((tos = atoi(optarg)) < 0) ||
2500Sstevel@tonic-gate (tos > 255)) {
2510Sstevel@tonic-gate syslog(LOG_ERR, "rshd: illegal tos value: "
2520Sstevel@tonic-gate "%s\n", optarg);
2530Sstevel@tonic-gate }
2540Sstevel@tonic-gate break;
2550Sstevel@tonic-gate
2560Sstevel@tonic-gate case 'L':
2570Sstevel@tonic-gate if (num_env < MAXENV) {
2580Sstevel@tonic-gate save_env[num_env] = strdup(optarg);
2590Sstevel@tonic-gate if (!save_env[num_env++]) {
2600Sstevel@tonic-gate com_err("rsh", ENOMEM,
2610Sstevel@tonic-gate gettext("in saving env"));
2620Sstevel@tonic-gate exit(2);
2630Sstevel@tonic-gate }
2640Sstevel@tonic-gate } else {
2650Sstevel@tonic-gate (void) fprintf(stderr, gettext("rshd: Only %d"
2660Sstevel@tonic-gate " -L arguments allowed\n"),
2670Sstevel@tonic-gate MAXENV);
2680Sstevel@tonic-gate exit(2);
2690Sstevel@tonic-gate }
2700Sstevel@tonic-gate break;
2710Sstevel@tonic-gate
2720Sstevel@tonic-gate case '?':
2730Sstevel@tonic-gate default:
2740Sstevel@tonic-gate usage();
2750Sstevel@tonic-gate exit(1);
2760Sstevel@tonic-gate break;
2770Sstevel@tonic-gate }
2780Sstevel@tonic-gate
2790Sstevel@tonic-gate if (optind == 0) {
2800Sstevel@tonic-gate usage();
2810Sstevel@tonic-gate exit(1);
2820Sstevel@tonic-gate }
2830Sstevel@tonic-gate argc -= optind;
2840Sstevel@tonic-gate argv += optind;
2850Sstevel@tonic-gate
2860Sstevel@tonic-gate if (krb5auth_flag > 0) {
2870Sstevel@tonic-gate status = krb5_init_context(&bsd_context);
2880Sstevel@tonic-gate if (status) {
2890Sstevel@tonic-gate syslog(LOG_ERR, "Error initializing krb5: %s",
2900Sstevel@tonic-gate error_message(status));
2910Sstevel@tonic-gate exit(1);
2920Sstevel@tonic-gate }
2930Sstevel@tonic-gate }
2940Sstevel@tonic-gate
2950Sstevel@tonic-gate if (!checksum_required && !checksum_ignored)
2960Sstevel@tonic-gate checksum_ignored = 1;
2970Sstevel@tonic-gate
2980Sstevel@tonic-gate if (checksum_required && checksum_ignored) {
2990Sstevel@tonic-gate syslog(LOG_CRIT, gettext("Checksums are required and ignored."
3000Sstevel@tonic-gate "These options are mutually exclusive"
3010Sstevel@tonic-gate "--check the documentation."));
3020Sstevel@tonic-gate error("Configuration error: mutually exclusive "
3030Sstevel@tonic-gate "options specified.\n");
3040Sstevel@tonic-gate exit(1);
3050Sstevel@tonic-gate }
3060Sstevel@tonic-gate
3070Sstevel@tonic-gate #ifdef DEBUG
3080Sstevel@tonic-gate if (debug_port) {
3090Sstevel@tonic-gate int s;
3100Sstevel@tonic-gate struct sockaddr_in sin;
3110Sstevel@tonic-gate
3120Sstevel@tonic-gate if ((s = socket(AF_INET, SOCK_STREAM, PF_UNSPEC)) < 0) {
3130Sstevel@tonic-gate fprintf(stderr, gettext("Error in socket: %s\n"),
3140Sstevel@tonic-gate strerror(errno));
3150Sstevel@tonic-gate exit(2);
3160Sstevel@tonic-gate }
3170Sstevel@tonic-gate (void) memset((char *)&sin, 0, sizeof (sin));
3180Sstevel@tonic-gate sin.sin_family = AF_INET;
3190Sstevel@tonic-gate sin.sin_port = htons(debug_port);
3200Sstevel@tonic-gate sin.sin_addr.s_addr = INADDR_ANY;
3210Sstevel@tonic-gate
3220Sstevel@tonic-gate (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
3230Sstevel@tonic-gate (char *)&on, sizeof (on));
3240Sstevel@tonic-gate
3250Sstevel@tonic-gate if ((bind(s, (struct sockaddr *)&sin, sizeof (sin))) < 0) {
3260Sstevel@tonic-gate (void) fprintf(stderr, gettext("Error in bind: %s\n"),
3270Sstevel@tonic-gate strerror(errno));
3280Sstevel@tonic-gate exit(2);
3290Sstevel@tonic-gate }
3300Sstevel@tonic-gate if ((listen(s, 5)) < 0) {
3310Sstevel@tonic-gate (void) fprintf(stderr, gettext("Error in listen: %s\n"),
3320Sstevel@tonic-gate strerror(errno));
3330Sstevel@tonic-gate exit(2);
3340Sstevel@tonic-gate }
3350Sstevel@tonic-gate if ((fd = accept(s, (struct sockaddr *)&from,
3360Sstevel@tonic-gate &fromlen)) < 0) {
3370Sstevel@tonic-gate (void) fprintf(stderr, gettext("Error in accept: %s\n"),
3380Sstevel@tonic-gate strerror(errno));
3390Sstevel@tonic-gate exit(2);
3400Sstevel@tonic-gate }
3410Sstevel@tonic-gate (void) close(s);
3420Sstevel@tonic-gate }
3430Sstevel@tonic-gate else
3440Sstevel@tonic-gate #endif /* DEBUG */
3450Sstevel@tonic-gate {
3460Sstevel@tonic-gate if (getpeername(STDIN_FILENO, (struct sockaddr *)&from,
3470Sstevel@tonic-gate (socklen_t *)&fromlen) < 0) {
3480Sstevel@tonic-gate (void) fprintf(stderr, "rshd: ");
3490Sstevel@tonic-gate perror("getpeername");
3500Sstevel@tonic-gate _exit(1);
3510Sstevel@tonic-gate }
3520Sstevel@tonic-gate fd = STDIN_FILENO;
3530Sstevel@tonic-gate }
3540Sstevel@tonic-gate
3550Sstevel@tonic-gate if (audit_settid(fd) != 0) {
3560Sstevel@tonic-gate perror("settid");
3570Sstevel@tonic-gate exit(1);
3580Sstevel@tonic-gate }
3590Sstevel@tonic-gate
3600Sstevel@tonic-gate if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
3610Sstevel@tonic-gate sizeof (on)) < 0)
3620Sstevel@tonic-gate syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
3630Sstevel@tonic-gate linger.l_onoff = 1;
3640Sstevel@tonic-gate linger.l_linger = 60; /* XXX */
3650Sstevel@tonic-gate if (setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&linger,
3660Sstevel@tonic-gate sizeof (linger)) < 0)
3670Sstevel@tonic-gate syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");
3680Sstevel@tonic-gate
3690Sstevel@tonic-gate if ((tos != -1) && (setsockopt(fd, IPPROTO_IP, IP_TOS, (char *)&tos,
3700Sstevel@tonic-gate sizeof (tos)) < 0) &&
3710Sstevel@tonic-gate (errno != ENOPROTOOPT)) {
3720Sstevel@tonic-gate syslog(LOG_ERR, "setsockopt (IP_TOS %d): %m");
3730Sstevel@tonic-gate }
3740Sstevel@tonic-gate
3750Sstevel@tonic-gate doit(dup(fd), &from, renvp);
376473Sbw return (0);
3770Sstevel@tonic-gate }
3780Sstevel@tonic-gate
3790Sstevel@tonic-gate /*
3800Sstevel@tonic-gate * locale environments to be passed to shells.
3810Sstevel@tonic-gate */
3820Sstevel@tonic-gate static char *localeenv[] = {
3830Sstevel@tonic-gate "LANG",
3840Sstevel@tonic-gate "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE",
3850Sstevel@tonic-gate "LC_MONETARY", "LC_MESSAGES", "LC_ALL", NULL};
3860Sstevel@tonic-gate
3870Sstevel@tonic-gate /*
3880Sstevel@tonic-gate * The following is for the environment variable list
3890Sstevel@tonic-gate * used in the call to execle(). envinit is declared here,
3900Sstevel@tonic-gate * but populated after the call to getpwnam().
3910Sstevel@tonic-gate */
3920Sstevel@tonic-gate static char *homedir; /* "HOME=" */
3930Sstevel@tonic-gate static char *shell; /* "SHELL=" */
3940Sstevel@tonic-gate static char *username; /* "USER=" */
3950Sstevel@tonic-gate static char *tz; /* "TZ=" */
3960Sstevel@tonic-gate
3970Sstevel@tonic-gate static char homestr[] = "HOME=";
3980Sstevel@tonic-gate static char shellstr[] = "SHELL=";
3990Sstevel@tonic-gate static char userstr[] = "USER=";
4000Sstevel@tonic-gate static char tzstr[] = "TZ=";
4010Sstevel@tonic-gate
4020Sstevel@tonic-gate static char **envinit;
4030Sstevel@tonic-gate #define PAM_ENV_ELIM 16 /* allow 16 PAM environment variables */
4040Sstevel@tonic-gate #define USERNAME_LEN 16 /* maximum number of characters in user name */
4050Sstevel@tonic-gate
4060Sstevel@tonic-gate /*
4070Sstevel@tonic-gate * See PSARC opinion 1992/025
4080Sstevel@tonic-gate */
4090Sstevel@tonic-gate static char userpath[] = "PATH=/usr/bin:";
4100Sstevel@tonic-gate static char rootpath[] = "PATH=/usr/sbin:/usr/bin";
4110Sstevel@tonic-gate
4120Sstevel@tonic-gate static char cmdbuf[NCARGS+1];
4130Sstevel@tonic-gate static char hostname [MAXHOSTNAMELEN + 1];
4140Sstevel@tonic-gate static char locuser[USERNAME_LEN + 1];
4150Sstevel@tonic-gate static char remuser[USERNAME_LEN + 1];
4160Sstevel@tonic-gate
4170Sstevel@tonic-gate #define KRB5_RECVAUTH_V5 5
4180Sstevel@tonic-gate #define SIZEOF_INADDR sizeof (struct in_addr)
4190Sstevel@tonic-gate
4200Sstevel@tonic-gate #define MAX_REPOSITORY_LEN 255
4210Sstevel@tonic-gate static char repository[MAX_REPOSITORY_LEN];
4220Sstevel@tonic-gate
4230Sstevel@tonic-gate static char *kremuser;
4240Sstevel@tonic-gate static krb5_principal client = NULL;
4250Sstevel@tonic-gate
4260Sstevel@tonic-gate static char remote_addr[64];
4270Sstevel@tonic-gate static char local_addr[64];
4280Sstevel@tonic-gate
4298126SJoep.Vesseur@Sun.COM #define _PATH_DEFAULT_LOGIN "/etc/default/login"
4308126SJoep.Vesseur@Sun.COM
4310Sstevel@tonic-gate static void
doit(int f,struct sockaddr_storage * fromp,char ** renvp)4320Sstevel@tonic-gate doit(int f, struct sockaddr_storage *fromp, char **renvp)
4330Sstevel@tonic-gate {
4340Sstevel@tonic-gate char *cp;
4350Sstevel@tonic-gate
4360Sstevel@tonic-gate struct passwd *pwd;
4370Sstevel@tonic-gate char *path;
4380Sstevel@tonic-gate char *tzenv;
4390Sstevel@tonic-gate struct spwd *shpwd;
4400Sstevel@tonic-gate struct stat statb;
4410Sstevel@tonic-gate char **lenvp;
4420Sstevel@tonic-gate
4430Sstevel@tonic-gate krb5_error_code status;
4440Sstevel@tonic-gate int valid_checksum;
4450Sstevel@tonic-gate int cnt;
4460Sstevel@tonic-gate int sin_len;
4470Sstevel@tonic-gate struct sockaddr_in localaddr;
4480Sstevel@tonic-gate
4490Sstevel@tonic-gate int s;
4500Sstevel@tonic-gate in_port_t port;
4510Sstevel@tonic-gate pid_t pid;
4520Sstevel@tonic-gate int pv[2], pw[2], px[2], cc;
4530Sstevel@tonic-gate char buf[RSHD_BUFSIZ];
4540Sstevel@tonic-gate char sig;
4550Sstevel@tonic-gate int one = 1;
4560Sstevel@tonic-gate int v = 0;
4570Sstevel@tonic-gate int err = 0;
4580Sstevel@tonic-gate int idx = 0;
4590Sstevel@tonic-gate char **pam_env;
4600Sstevel@tonic-gate char abuf[INET6_ADDRSTRLEN];
4610Sstevel@tonic-gate struct sockaddr_in *sin;
4620Sstevel@tonic-gate struct sockaddr_in6 *sin6;
4630Sstevel@tonic-gate int fromplen;
4640Sstevel@tonic-gate int homedir_len, shell_len, username_len, tz_len;
4650Sstevel@tonic-gate int no_name;
4663011Sjbeck boolean_t bad_port;
4670Sstevel@tonic-gate int netf = 0;
4680Sstevel@tonic-gate
4690Sstevel@tonic-gate (void) signal(SIGINT, SIG_DFL);
4700Sstevel@tonic-gate (void) signal(SIGQUIT, SIG_DFL);
4710Sstevel@tonic-gate (void) signal(SIGTERM, SIG_DFL);
4720Sstevel@tonic-gate (void) signal(SIGXCPU, SIG_DFL);
4730Sstevel@tonic-gate (void) signal(SIGXFSZ, SIG_DFL);
4740Sstevel@tonic-gate (void) sigset(SIGCHLD, SIG_IGN);
4750Sstevel@tonic-gate (void) signal(SIGPIPE, SIG_DFL);
4760Sstevel@tonic-gate (void) signal(SIGHUP, SIG_DFL);
4770Sstevel@tonic-gate
4780Sstevel@tonic-gate #ifdef DEBUG
479*11415SSurya.Prakki@Sun.COM {
480*11415SSurya.Prakki@Sun.COM int t = open("/dev/tty", 2);
481*11415SSurya.Prakki@Sun.COM
4820Sstevel@tonic-gate if (t >= 0) {
4830Sstevel@tonic-gate (void) setsid();
4840Sstevel@tonic-gate (void) close(t);
4850Sstevel@tonic-gate }
4860Sstevel@tonic-gate }
4870Sstevel@tonic-gate #endif
4880Sstevel@tonic-gate if (fromp->ss_family == AF_INET) {
4890Sstevel@tonic-gate sin = (struct sockaddr_in *)fromp;
4900Sstevel@tonic-gate port = ntohs((ushort_t)sin->sin_port);
4910Sstevel@tonic-gate fromplen = sizeof (struct sockaddr_in);
4920Sstevel@tonic-gate } else if (fromp->ss_family == AF_INET6) {
4930Sstevel@tonic-gate sin6 = (struct sockaddr_in6 *)fromp;
4940Sstevel@tonic-gate port = ntohs((ushort_t)sin6->sin6_port);
4950Sstevel@tonic-gate fromplen = sizeof (struct sockaddr_in6);
4960Sstevel@tonic-gate } else {
4970Sstevel@tonic-gate syslog(LOG_ERR, "wrong address family\n");
4980Sstevel@tonic-gate exit(1);
4990Sstevel@tonic-gate }
5000Sstevel@tonic-gate
5013011Sjbeck if (fromp->ss_family == AF_INET6) {
5023011Sjbeck if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
5033011Sjbeck struct in_addr ipv4_addr;
5043011Sjbeck
5053011Sjbeck IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, &ipv4_addr);
5063011Sjbeck (void) inet_ntop(AF_INET, &ipv4_addr, abuf,
5073011Sjbeck sizeof (abuf));
5083011Sjbeck } else {
5093011Sjbeck (void) inet_ntop(AF_INET6, &sin6->sin6_addr, abuf,
5103011Sjbeck sizeof (abuf));
5113011Sjbeck }
5123011Sjbeck } else if (fromp->ss_family == AF_INET) {
5133011Sjbeck (void) inet_ntop(AF_INET, &sin->sin_addr, abuf, sizeof (abuf));
5143011Sjbeck }
5153011Sjbeck
5160Sstevel@tonic-gate sin_len = sizeof (struct sockaddr_in);
5173011Sjbeck if (getsockname(f, (struct sockaddr *)&localaddr, &sin_len) < 0) {
5180Sstevel@tonic-gate perror("getsockname");
5190Sstevel@tonic-gate exit(1);
5200Sstevel@tonic-gate }
5210Sstevel@tonic-gate
5220Sstevel@tonic-gate netf = f;
5230Sstevel@tonic-gate
5240Sstevel@tonic-gate bad_port = (port >= IPPORT_RESERVED ||
5250Sstevel@tonic-gate port < (uint_t)(IPPORT_RESERVED/2));
5260Sstevel@tonic-gate
5273011Sjbeck /* Get the name of the client side host to use later */
5280Sstevel@tonic-gate no_name = (getnameinfo((const struct sockaddr *) fromp, fromplen,
5290Sstevel@tonic-gate hostname, sizeof (hostname), NULL, 0, 0) != 0);
5300Sstevel@tonic-gate
5313011Sjbeck if (bad_port || no_name != 0) {
5323011Sjbeck /*
5333011Sjbeck * If there is no host name available then use the
5343011Sjbeck * IP address to identify the host in the PAM call
5353011Sjbeck * below. Do the same if a bad port was used, to
5363011Sjbeck * prevent untrustworthy authentication.
5373011Sjbeck */
5383011Sjbeck (void) strlcpy(hostname, abuf, sizeof (hostname));
5393011Sjbeck }
5403011Sjbeck
5413011Sjbeck if (no_name != 0) {
5423011Sjbeck /*
5433011Sjbeck * If the '-U' option was given on the cmd line,
5443011Sjbeck * we must be able to lookup the hostname
5453011Sjbeck */
5463011Sjbeck if (resolve_hostname) {
5473011Sjbeck syslog(LOG_ERR, "rshd: Couldn't resolve your "
5483011Sjbeck "address into a host name.\r\n Please "
5493011Sjbeck "contact your net administrator");
5503011Sjbeck exit(1);
5510Sstevel@tonic-gate }
5523011Sjbeck } else {
5533011Sjbeck /*
5543011Sjbeck * Even if getnameinfo() succeeded, we still have to check
5553011Sjbeck * for spoofing.
5563011Sjbeck */
5573011Sjbeck check_address("rshd", fromp, sin, sin6, abuf, hostname,
5583011Sjbeck sizeof (hostname));
5590Sstevel@tonic-gate }
5600Sstevel@tonic-gate
5610Sstevel@tonic-gate if (!krb5auth_flag && bad_port) {
5620Sstevel@tonic-gate if (no_name)
5630Sstevel@tonic-gate syslog(LOG_NOTICE, "connection from %s - "
5640Sstevel@tonic-gate "bad port\n", abuf);
5650Sstevel@tonic-gate else
5660Sstevel@tonic-gate syslog(LOG_NOTICE, "connection from %s (%s) - "
5670Sstevel@tonic-gate "bad port\n", hostname, abuf);
5680Sstevel@tonic-gate exit(1);
5690Sstevel@tonic-gate }
5700Sstevel@tonic-gate
5710Sstevel@tonic-gate (void) alarm(60);
5720Sstevel@tonic-gate port = 0;
5730Sstevel@tonic-gate for (;;) {
5740Sstevel@tonic-gate char c;
5750Sstevel@tonic-gate if ((cc = read(f, &c, 1)) != 1) {
5760Sstevel@tonic-gate if (cc < 0)
5770Sstevel@tonic-gate syslog(LOG_NOTICE, "read: %m");
5780Sstevel@tonic-gate (void) shutdown(f, 1+1);
5790Sstevel@tonic-gate exit(1);
5800Sstevel@tonic-gate }
5810Sstevel@tonic-gate if (c == 0)
5820Sstevel@tonic-gate break;
5830Sstevel@tonic-gate port = port * 10 + c - '0';
5840Sstevel@tonic-gate }
5850Sstevel@tonic-gate (void) alarm(0);
5860Sstevel@tonic-gate if (port != 0) {
5870Sstevel@tonic-gate int lport = 0;
5880Sstevel@tonic-gate struct sockaddr_storage ctl_addr;
5890Sstevel@tonic-gate int addrlen;
5900Sstevel@tonic-gate
5910Sstevel@tonic-gate (void) memset(&ctl_addr, 0, sizeof (ctl_addr));
5920Sstevel@tonic-gate addrlen = sizeof (ctl_addr);
5930Sstevel@tonic-gate if (getsockname(f, (struct sockaddr *)&ctl_addr,
5940Sstevel@tonic-gate &addrlen) < 0) {
5950Sstevel@tonic-gate syslog(LOG_ERR, "getsockname: %m");
5960Sstevel@tonic-gate exit(1);
5970Sstevel@tonic-gate }
5980Sstevel@tonic-gate get_port:
5990Sstevel@tonic-gate /*
6000Sstevel@tonic-gate * 0 means that rresvport_addr() will bind to a port in
6010Sstevel@tonic-gate * the anonymous priviledged port range.
6020Sstevel@tonic-gate */
6030Sstevel@tonic-gate if (krb5auth_flag) {
6040Sstevel@tonic-gate /*
6050Sstevel@tonic-gate * Kerberos does not support IPv6 yet.
6060Sstevel@tonic-gate */
6070Sstevel@tonic-gate lport = IPPORT_RESERVED - 1;
6080Sstevel@tonic-gate }
6090Sstevel@tonic-gate s = rresvport_addr(&lport, &ctl_addr);
6100Sstevel@tonic-gate
6110Sstevel@tonic-gate if (s < 0) {
6120Sstevel@tonic-gate syslog(LOG_ERR, "can't get stderr port: %m");
6130Sstevel@tonic-gate exit(1);
6140Sstevel@tonic-gate }
6150Sstevel@tonic-gate if (!krb5auth_flag && (port >= IPPORT_RESERVED)) {
6160Sstevel@tonic-gate syslog(LOG_ERR, "2nd port not reserved\n");
6170Sstevel@tonic-gate exit(1);
6180Sstevel@tonic-gate }
6190Sstevel@tonic-gate if (fromp->ss_family == AF_INET) {
6200Sstevel@tonic-gate sin->sin_port = htons((ushort_t)port);
6210Sstevel@tonic-gate } else if (fromp->ss_family == AF_INET6) {
6220Sstevel@tonic-gate sin6->sin6_port = htons((ushort_t)port);
6230Sstevel@tonic-gate }
6240Sstevel@tonic-gate if (connect(s, (struct sockaddr *)fromp, fromplen) < 0) {
6250Sstevel@tonic-gate if (errno == EADDRINUSE) {
6260Sstevel@tonic-gate (void) close(s);
6270Sstevel@tonic-gate goto get_port;
6280Sstevel@tonic-gate }
6290Sstevel@tonic-gate syslog(LOG_INFO, "connect second port: %m");
6300Sstevel@tonic-gate exit(1);
6310Sstevel@tonic-gate }
6320Sstevel@tonic-gate }
6330Sstevel@tonic-gate (void) dup2(f, 0);
6340Sstevel@tonic-gate (void) dup2(f, 1);
6350Sstevel@tonic-gate (void) dup2(f, 2);
6360Sstevel@tonic-gate
6370Sstevel@tonic-gate #ifdef DEBUG
6380Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Client hostname = %s", hostname);
6390Sstevel@tonic-gate if (debug_port)
6400Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Debug port is %d", debug_port);
6410Sstevel@tonic-gate if (krb5auth_flag > 0)
6420Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Kerberos mode is ON");
6430Sstevel@tonic-gate else
6440Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Kerberos mode is OFF");
6450Sstevel@tonic-gate #endif /* DEBUG */
6460Sstevel@tonic-gate
6470Sstevel@tonic-gate if (krb5auth_flag > 0) {
6480Sstevel@tonic-gate if ((status = recvauth(f, &valid_checksum))) {
6490Sstevel@tonic-gate syslog(LOG_ERR, gettext("Kerberos Authentication "
6500Sstevel@tonic-gate "failed \n"));
6510Sstevel@tonic-gate error("Authentication failed: %s\n",
6520Sstevel@tonic-gate error_message(status));
6530Sstevel@tonic-gate (void) audit_rshd_fail("Kerberos Authentication "
6540Sstevel@tonic-gate "failed", hostname, remuser, locuser, cmdbuf);
6550Sstevel@tonic-gate exit(1);
6560Sstevel@tonic-gate }
6570Sstevel@tonic-gate
6580Sstevel@tonic-gate if (checksum_required && !valid_checksum &&
6590Sstevel@tonic-gate kcmd_protocol == KCMD_OLD_PROTOCOL) {
6600Sstevel@tonic-gate syslog(LOG_WARNING, "Client did not supply required"
6610Sstevel@tonic-gate " checksum--connection rejected.");
6620Sstevel@tonic-gate error("Client did not supply required"
6630Sstevel@tonic-gate "checksum--connection rejected.\n");
6640Sstevel@tonic-gate (void) audit_rshd_fail("Client did not supply required"
6650Sstevel@tonic-gate " checksum--connection rejected.", hostname,
6660Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */
6670Sstevel@tonic-gate goto signout;
6680Sstevel@tonic-gate }
6690Sstevel@tonic-gate
6700Sstevel@tonic-gate /*
6710Sstevel@tonic-gate * Authentication has succeeded, we now need
6720Sstevel@tonic-gate * to check authorization.
6730Sstevel@tonic-gate *
6740Sstevel@tonic-gate * krb5_kuserok returns 1 if OK.
6750Sstevel@tonic-gate */
6760Sstevel@tonic-gate if (client && krb5_kuserok(bsd_context, client, locuser)) {
6770Sstevel@tonic-gate auth_sent |= AUTH_KRB5;
6780Sstevel@tonic-gate } else {
6790Sstevel@tonic-gate syslog(LOG_ERR, "Principal %s (%s@%s) for local user "
6800Sstevel@tonic-gate "%s failed krb5_kuserok.\n",
6810Sstevel@tonic-gate kremuser, remuser, hostname, locuser);
6820Sstevel@tonic-gate }
6830Sstevel@tonic-gate } else {
6840Sstevel@tonic-gate getstr(netf, remuser, sizeof (remuser), "remuser");
6850Sstevel@tonic-gate getstr(netf, locuser, sizeof (locuser), "locuser");
6860Sstevel@tonic-gate getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
6870Sstevel@tonic-gate }
6880Sstevel@tonic-gate
6890Sstevel@tonic-gate #ifdef DEBUG
6900Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: locuser = %s, remuser = %s, cmdbuf = %s",
6910Sstevel@tonic-gate locuser, remuser, cmdbuf);
6920Sstevel@tonic-gate #endif /* DEBUG */
6930Sstevel@tonic-gate
6940Sstevel@tonic-gate /*
6950Sstevel@tonic-gate * Note that there is no rsh conv functions at present.
6960Sstevel@tonic-gate */
6970Sstevel@tonic-gate if (krb5auth_flag > 0) {
6980Sstevel@tonic-gate if ((err = pam_start("krsh", locuser, NULL, &pamh))
6990Sstevel@tonic-gate != PAM_SUCCESS) {
7000Sstevel@tonic-gate syslog(LOG_ERR, "pam_start() failed: %s\n",
7010Sstevel@tonic-gate pam_strerror(0, err));
7020Sstevel@tonic-gate exit(1);
7030Sstevel@tonic-gate }
7040Sstevel@tonic-gate }
7050Sstevel@tonic-gate else
7060Sstevel@tonic-gate {
7070Sstevel@tonic-gate if ((err = pam_start("rsh", locuser, NULL, &pamh))
7080Sstevel@tonic-gate != PAM_SUCCESS) {
7090Sstevel@tonic-gate syslog(LOG_ERR, "pam_start() failed: %s\n",
7100Sstevel@tonic-gate pam_strerror(0, err));
7110Sstevel@tonic-gate exit(1);
7120Sstevel@tonic-gate }
7130Sstevel@tonic-gate }
7140Sstevel@tonic-gate if ((err = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
7150Sstevel@tonic-gate syslog(LOG_ERR, "pam_set_item() failed: %s\n",
7160Sstevel@tonic-gate pam_strerror(pamh, err));
7170Sstevel@tonic-gate exit(1);
7180Sstevel@tonic-gate }
7190Sstevel@tonic-gate if ((err = pam_set_item(pamh, PAM_RUSER, remuser)) != PAM_SUCCESS) {
7200Sstevel@tonic-gate syslog(LOG_ERR, "pam_set_item() failed: %s\n",
7210Sstevel@tonic-gate pam_strerror(pamh, err));
7220Sstevel@tonic-gate exit(1);
7230Sstevel@tonic-gate }
7240Sstevel@tonic-gate
7250Sstevel@tonic-gate pwd = getpwnam(locuser);
7260Sstevel@tonic-gate shpwd = getspnam(locuser);
7270Sstevel@tonic-gate if ((pwd == NULL) || (shpwd == NULL)) {
7280Sstevel@tonic-gate if (krb5auth_flag > 0)
7290Sstevel@tonic-gate syslog(LOG_ERR, "Principal %s (%s@%s) for local user "
7300Sstevel@tonic-gate "%s has no account.\n", kremuser, remuser,
7310Sstevel@tonic-gate hostname, locuser);
7320Sstevel@tonic-gate error("permission denied.\n");
7330Sstevel@tonic-gate (void) audit_rshd_fail("Login incorrect", hostname,
7340Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */
7350Sstevel@tonic-gate exit(1);
7360Sstevel@tonic-gate }
7370Sstevel@tonic-gate
7380Sstevel@tonic-gate if (krb5auth_flag > 0) {
7390Sstevel@tonic-gate (void) snprintf(repository, sizeof (repository),
7400Sstevel@tonic-gate KRB5_REPOSITORY_NAME);
7410Sstevel@tonic-gate /*
7420Sstevel@tonic-gate * We currently only support special handling of the
7430Sstevel@tonic-gate * KRB5 PAM repository
7440Sstevel@tonic-gate */
7450Sstevel@tonic-gate if (strlen(locuser) != 0) {
7460Sstevel@tonic-gate krb5_repository_data_t krb5_data;
7470Sstevel@tonic-gate pam_repository_t pam_rep_data;
7480Sstevel@tonic-gate
7490Sstevel@tonic-gate krb5_data.principal = locuser;
7500Sstevel@tonic-gate krb5_data.flags = SUNW_PAM_KRB5_ALREADY_AUTHENTICATED;
7510Sstevel@tonic-gate
7520Sstevel@tonic-gate pam_rep_data.type = repository;
7530Sstevel@tonic-gate pam_rep_data.scope = (void *)&krb5_data;
7540Sstevel@tonic-gate pam_rep_data.scope_len = sizeof (krb5_data);
7550Sstevel@tonic-gate
7560Sstevel@tonic-gate (void) pam_set_item(pamh, PAM_REPOSITORY,
7570Sstevel@tonic-gate (void *)&pam_rep_data);
7580Sstevel@tonic-gate }
7590Sstevel@tonic-gate }
7600Sstevel@tonic-gate
7618126SJoep.Vesseur@Sun.COM if (shpwd->sp_pwdp != 0) {
7628126SJoep.Vesseur@Sun.COM if (*shpwd->sp_pwdp != '\0') {
7638126SJoep.Vesseur@Sun.COM if ((v = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
7648126SJoep.Vesseur@Sun.COM error("permission denied\n");
7658126SJoep.Vesseur@Sun.COM (void) audit_rshd_fail("Permission denied",
7668126SJoep.Vesseur@Sun.COM hostname, remuser, locuser, cmdbuf);
7678126SJoep.Vesseur@Sun.COM (void) pam_end(pamh, v);
7688126SJoep.Vesseur@Sun.COM exit(1);
7698126SJoep.Vesseur@Sun.COM }
7708126SJoep.Vesseur@Sun.COM } else {
7718126SJoep.Vesseur@Sun.COM int flags;
7728126SJoep.Vesseur@Sun.COM char *p;
7738126SJoep.Vesseur@Sun.COM /*
7748126SJoep.Vesseur@Sun.COM * maintain 2.1 and 4.* and BSD semantics with
7758126SJoep.Vesseur@Sun.COM * anonymous rshd unless PASSREQ is set to YES in
7768126SJoep.Vesseur@Sun.COM * /etc/default/login: then we deny logins with empty
7778126SJoep.Vesseur@Sun.COM * passwords.
7788126SJoep.Vesseur@Sun.COM */
7798126SJoep.Vesseur@Sun.COM if (defopen(_PATH_DEFAULT_LOGIN) == 0) {
7808126SJoep.Vesseur@Sun.COM flags = defcntl(DC_GETFLAGS, 0);
7818126SJoep.Vesseur@Sun.COM TURNOFF(flags, DC_CASE);
7828126SJoep.Vesseur@Sun.COM (void) defcntl(DC_SETFLAGS, flags);
7838126SJoep.Vesseur@Sun.COM
7848126SJoep.Vesseur@Sun.COM if ((p = defread("PASSREQ=")) != NULL &&
7858126SJoep.Vesseur@Sun.COM strcasecmp(p, "YES") == 0) {
7868126SJoep.Vesseur@Sun.COM error("permission denied\n");
7878126SJoep.Vesseur@Sun.COM (void) audit_rshd_fail(
7888126SJoep.Vesseur@Sun.COM "Permission denied", hostname,
7898126SJoep.Vesseur@Sun.COM remuser, locuser, cmdbuf);
7908126SJoep.Vesseur@Sun.COM (void) pam_end(pamh, PAM_ABORT);
7918126SJoep.Vesseur@Sun.COM (void) defopen(NULL);
7928126SJoep.Vesseur@Sun.COM syslog(LOG_AUTH|LOG_NOTICE,
7938126SJoep.Vesseur@Sun.COM "empty password not allowed for "
7948126SJoep.Vesseur@Sun.COM "%s from %s.", locuser, hostname);
7958126SJoep.Vesseur@Sun.COM exit(1);
7968126SJoep.Vesseur@Sun.COM }
7978126SJoep.Vesseur@Sun.COM (void) defopen(NULL);
7988126SJoep.Vesseur@Sun.COM }
7998126SJoep.Vesseur@Sun.COM /*
8008126SJoep.Vesseur@Sun.COM * /etc/default/login not found or PASSREQ not set
8018126SJoep.Vesseur@Sun.COM * to YES. Allow logins without passwords.
8028126SJoep.Vesseur@Sun.COM */
8038126SJoep.Vesseur@Sun.COM }
8040Sstevel@tonic-gate }
8050Sstevel@tonic-gate
8060Sstevel@tonic-gate if (krb5auth_flag > 0) {
8070Sstevel@tonic-gate if (require_encrypt && (!do_encrypt)) {
8080Sstevel@tonic-gate error("You must use encryption.\n");
8090Sstevel@tonic-gate (void) audit_rshd_fail("You must use encryption.",
8100Sstevel@tonic-gate hostname, remuser, locuser, cmdbuf); /* BSM */
8110Sstevel@tonic-gate goto signout;
8120Sstevel@tonic-gate }
8130Sstevel@tonic-gate
8140Sstevel@tonic-gate if (!(auth_ok & auth_sent)) {
8150Sstevel@tonic-gate if (auth_sent) {
8160Sstevel@tonic-gate error("Another authentication mechanism "
8170Sstevel@tonic-gate "must be used to access this host.\n");
8180Sstevel@tonic-gate (void) audit_rshd_fail("Another authentication"
8190Sstevel@tonic-gate " mechanism must be used to access"
8200Sstevel@tonic-gate " this host.\n", hostname, remuser,
8210Sstevel@tonic-gate locuser, cmdbuf); /* BSM */
8220Sstevel@tonic-gate goto signout;
8230Sstevel@tonic-gate } else {
8240Sstevel@tonic-gate error("Permission denied.\n");
8250Sstevel@tonic-gate (void) audit_rshd_fail("Permission denied.",
8260Sstevel@tonic-gate hostname, remuser, locuser, cmdbuf);
8270Sstevel@tonic-gate /* BSM */
8280Sstevel@tonic-gate goto signout;
8290Sstevel@tonic-gate }
8300Sstevel@tonic-gate }
8310Sstevel@tonic-gate
8320Sstevel@tonic-gate
8330Sstevel@tonic-gate if (pwd->pw_uid && !access("/etc/nologin", F_OK)) {
8340Sstevel@tonic-gate error("Logins currently disabled.\n");
8350Sstevel@tonic-gate (void) audit_rshd_fail("Logins currently disabled.",
8360Sstevel@tonic-gate hostname, remuser, locuser, cmdbuf);
8370Sstevel@tonic-gate goto signout;
8380Sstevel@tonic-gate }
8390Sstevel@tonic-gate
8400Sstevel@tonic-gate /* Log access to account */
8410Sstevel@tonic-gate if (pwd && (pwd->pw_uid == 0)) {
8420Sstevel@tonic-gate syslog(LOG_NOTICE, "Executing %s for user %s (%s@%s)"
8430Sstevel@tonic-gate " as ROOT", cmdbuf,
8440Sstevel@tonic-gate kremuser, remuser, hostname);
8450Sstevel@tonic-gate }
8460Sstevel@tonic-gate }
8470Sstevel@tonic-gate
8480Sstevel@tonic-gate if ((v = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
8490Sstevel@tonic-gate switch (v) {
8500Sstevel@tonic-gate case PAM_NEW_AUTHTOK_REQD:
8510Sstevel@tonic-gate error("password expired\n");
8520Sstevel@tonic-gate (void) audit_rshd_fail("Password expired", hostname,
8530Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */
8540Sstevel@tonic-gate break;
8550Sstevel@tonic-gate case PAM_PERM_DENIED:
8560Sstevel@tonic-gate error("account expired\n");
8570Sstevel@tonic-gate (void) audit_rshd_fail("Account expired", hostname,
8580Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */
8590Sstevel@tonic-gate break;
8600Sstevel@tonic-gate case PAM_AUTHTOK_EXPIRED:
8610Sstevel@tonic-gate error("password expired\n");
8620Sstevel@tonic-gate (void) audit_rshd_fail("Password expired", hostname,
8630Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */
8640Sstevel@tonic-gate break;
8650Sstevel@tonic-gate default:
8660Sstevel@tonic-gate error("login incorrect\n");
8670Sstevel@tonic-gate (void) audit_rshd_fail("Permission denied", hostname,
8680Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */
8690Sstevel@tonic-gate break;
8700Sstevel@tonic-gate }
8710Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
8720Sstevel@tonic-gate exit(1);
8730Sstevel@tonic-gate }
8740Sstevel@tonic-gate
8750Sstevel@tonic-gate if (chdir(pwd->pw_dir) < 0) {
8760Sstevel@tonic-gate (void) chdir("/");
8770Sstevel@tonic-gate #ifdef notdef
8780Sstevel@tonic-gate error("No remote directory.\n");
8790Sstevel@tonic-gate
8800Sstevel@tonic-gate exit(1);
8810Sstevel@tonic-gate #endif
8820Sstevel@tonic-gate }
8830Sstevel@tonic-gate
8840Sstevel@tonic-gate /*
8850Sstevel@tonic-gate * XXX There is no session management currently being done
8860Sstevel@tonic-gate */
8870Sstevel@tonic-gate
8880Sstevel@tonic-gate (void) write(STDERR_FILENO, "\0", 1);
8890Sstevel@tonic-gate if (port || do_encrypt) {
8900Sstevel@tonic-gate if ((pipe(pv) < 0)) {
8910Sstevel@tonic-gate error("Can't make pipe.\n");
8920Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
8930Sstevel@tonic-gate exit(1);
8940Sstevel@tonic-gate }
8950Sstevel@tonic-gate if (do_encrypt) {
8960Sstevel@tonic-gate if (pipe(pw) < 0) {
8970Sstevel@tonic-gate error("Can't make pipe 2.\n");
8980Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
8990Sstevel@tonic-gate exit(1);
9000Sstevel@tonic-gate }
9010Sstevel@tonic-gate if (pipe(px) < 0) {
9020Sstevel@tonic-gate error("Can't make pipe 3.\n");
9030Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
9040Sstevel@tonic-gate exit(1);
9050Sstevel@tonic-gate }
9060Sstevel@tonic-gate }
9070Sstevel@tonic-gate pid = fork();
9080Sstevel@tonic-gate if (pid == (pid_t)-1) {
9090Sstevel@tonic-gate error("Fork (to start shell) failed on server. "
9100Sstevel@tonic-gate "Please try again later.\n");
9110Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
9120Sstevel@tonic-gate exit(1);
9130Sstevel@tonic-gate }
9140Sstevel@tonic-gate if (pid) {
9150Sstevel@tonic-gate fd_set ready;
9160Sstevel@tonic-gate fd_set readfrom;
9170Sstevel@tonic-gate
9180Sstevel@tonic-gate (void) close(STDIN_FILENO);
9190Sstevel@tonic-gate (void) close(STDOUT_FILENO);
9200Sstevel@tonic-gate (void) close(STDERR_FILENO);
9210Sstevel@tonic-gate (void) close(pv[1]);
9220Sstevel@tonic-gate if (do_encrypt) {
9230Sstevel@tonic-gate (void) close(pw[1]);
9240Sstevel@tonic-gate (void) close(px[0]);
9250Sstevel@tonic-gate } else {
9260Sstevel@tonic-gate (void) close(f);
9270Sstevel@tonic-gate }
9280Sstevel@tonic-gate
9290Sstevel@tonic-gate (void) FD_ZERO(&readfrom);
9300Sstevel@tonic-gate
9310Sstevel@tonic-gate FD_SET(pv[0], &readfrom);
9320Sstevel@tonic-gate if (do_encrypt) {
9330Sstevel@tonic-gate FD_SET(pw[0], &readfrom);
9340Sstevel@tonic-gate FD_SET(f, &readfrom);
9350Sstevel@tonic-gate }
9360Sstevel@tonic-gate if (port)
9370Sstevel@tonic-gate FD_SET(s, &readfrom);
9380Sstevel@tonic-gate
9390Sstevel@tonic-gate /* read f (net), write to px[1] (child stdin) */
9400Sstevel@tonic-gate /* read pw[0] (child stdout), write to f (net) */
9410Sstevel@tonic-gate /* read s (alt. channel), signal child */
9420Sstevel@tonic-gate /* read pv[0] (child stderr), write to s */
9430Sstevel@tonic-gate if (ioctl(pv[0], FIONBIO, (char *)&one) == -1)
9440Sstevel@tonic-gate syslog(LOG_INFO, "ioctl FIONBIO: %m");
9450Sstevel@tonic-gate if (do_encrypt &&
9460Sstevel@tonic-gate ioctl(pw[0], FIONBIO, (char *)&one) == -1)
9470Sstevel@tonic-gate syslog(LOG_INFO, "ioctl FIONBIO: %m");
9480Sstevel@tonic-gate do {
9490Sstevel@tonic-gate ready = readfrom;
9500Sstevel@tonic-gate if (select(FD_SETSIZE, &ready, NULL,
9510Sstevel@tonic-gate NULL, NULL) < 0) {
9520Sstevel@tonic-gate if (errno == EINTR) {
9530Sstevel@tonic-gate continue;
9540Sstevel@tonic-gate } else {
9550Sstevel@tonic-gate break;
9560Sstevel@tonic-gate }
9570Sstevel@tonic-gate }
9580Sstevel@tonic-gate /*
9590Sstevel@tonic-gate * Read from child stderr, write to net
9600Sstevel@tonic-gate */
9610Sstevel@tonic-gate if (port && FD_ISSET(pv[0], &ready)) {
9620Sstevel@tonic-gate errno = 0;
9630Sstevel@tonic-gate cc = read(pv[0], buf, sizeof (buf));
9640Sstevel@tonic-gate if (cc <= 0) {
9650Sstevel@tonic-gate (void) shutdown(s, 2);
9660Sstevel@tonic-gate FD_CLR(pv[0], &readfrom);
9670Sstevel@tonic-gate } else {
9680Sstevel@tonic-gate (void) deswrite(s, buf, cc, 1);
9690Sstevel@tonic-gate }
9700Sstevel@tonic-gate }
9710Sstevel@tonic-gate /*
9720Sstevel@tonic-gate * Read from alternate channel, signal child
9730Sstevel@tonic-gate */
9740Sstevel@tonic-gate if (port && FD_ISSET(s, &ready)) {
9750Sstevel@tonic-gate if ((int)desread(s, &sig, 1, 1) <= 0)
9760Sstevel@tonic-gate FD_CLR(s, &readfrom);
9770Sstevel@tonic-gate else
9780Sstevel@tonic-gate (void) killpg(pid, sig);
9790Sstevel@tonic-gate }
9800Sstevel@tonic-gate /*
9810Sstevel@tonic-gate * Read from child stdout, write to net
9820Sstevel@tonic-gate */
9830Sstevel@tonic-gate if (do_encrypt && FD_ISSET(pw[0], &ready)) {
9840Sstevel@tonic-gate errno = 0;
9850Sstevel@tonic-gate cc = read(pw[0], buf, sizeof (buf));
9860Sstevel@tonic-gate if (cc <= 0) {
9870Sstevel@tonic-gate (void) shutdown(f, 2);
9880Sstevel@tonic-gate FD_CLR(pw[0], &readfrom);
9890Sstevel@tonic-gate } else {
9900Sstevel@tonic-gate (void) deswrite(f, buf, cc, 0);
9910Sstevel@tonic-gate }
9920Sstevel@tonic-gate }
9930Sstevel@tonic-gate /*
9940Sstevel@tonic-gate * Read from the net, write to child stdin
9950Sstevel@tonic-gate */
9960Sstevel@tonic-gate if (do_encrypt && FD_ISSET(f, &ready)) {
9970Sstevel@tonic-gate errno = 0;
9980Sstevel@tonic-gate cc = desread(f, buf, sizeof (buf), 0);
9990Sstevel@tonic-gate if (cc <= 0) {
10000Sstevel@tonic-gate (void) close(px[1]);
10010Sstevel@tonic-gate FD_CLR(f, &readfrom);
10020Sstevel@tonic-gate } else {
10030Sstevel@tonic-gate int wcc;
10040Sstevel@tonic-gate wcc = write(px[1], buf, cc);
10050Sstevel@tonic-gate if (wcc == -1) {
10060Sstevel@tonic-gate /*
10070Sstevel@tonic-gate * pipe closed,
10080Sstevel@tonic-gate * don't read any
10090Sstevel@tonic-gate * more
10100Sstevel@tonic-gate *
10110Sstevel@tonic-gate * might check for
10120Sstevel@tonic-gate * EPIPE
10130Sstevel@tonic-gate */
10140Sstevel@tonic-gate (void) close(px[1]);
10150Sstevel@tonic-gate FD_CLR(f, &readfrom);
10160Sstevel@tonic-gate } else if (wcc != cc) {
10170Sstevel@tonic-gate /* CSTYLED */
10180Sstevel@tonic-gate syslog(LOG_INFO, gettext("only wrote %d/%d to child"),
10190Sstevel@tonic-gate wcc, cc);
10200Sstevel@tonic-gate }
10210Sstevel@tonic-gate }
10220Sstevel@tonic-gate }
10230Sstevel@tonic-gate } while ((port && FD_ISSET(s, &readfrom)) ||
10240Sstevel@tonic-gate (port && FD_ISSET(pv[0], &readfrom)) ||
10250Sstevel@tonic-gate (do_encrypt && FD_ISSET(f, &readfrom)) ||
10260Sstevel@tonic-gate (do_encrypt && FD_ISSET(pw[0], &readfrom)));
10270Sstevel@tonic-gate #ifdef DEBUG
10280Sstevel@tonic-gate syslog(LOG_INFO, "Shell process completed.");
10290Sstevel@tonic-gate #endif /* DEBUG */
10300Sstevel@tonic-gate if (ccache)
10310Sstevel@tonic-gate (void) pam_close_session(pamh, 0);
10320Sstevel@tonic-gate (void) pam_end(pamh, PAM_SUCCESS);
10330Sstevel@tonic-gate
10340Sstevel@tonic-gate exit(0);
10350Sstevel@tonic-gate } /* End of Parent block */
10360Sstevel@tonic-gate
10370Sstevel@tonic-gate (void) setsid(); /* Should be the same as above. */
10380Sstevel@tonic-gate (void) close(pv[0]);
10390Sstevel@tonic-gate (void) dup2(pv[1], 2);
10400Sstevel@tonic-gate (void) close(pv[1]);
10410Sstevel@tonic-gate if (port)
10420Sstevel@tonic-gate (void) close(s);
10430Sstevel@tonic-gate if (do_encrypt) {
10440Sstevel@tonic-gate (void) close(f);
10450Sstevel@tonic-gate (void) close(pw[0]);
10460Sstevel@tonic-gate (void) close(px[1]);
10470Sstevel@tonic-gate
10480Sstevel@tonic-gate (void) dup2(px[0], 0);
10490Sstevel@tonic-gate (void) dup2(pw[1], 1);
10500Sstevel@tonic-gate
10510Sstevel@tonic-gate (void) close(px[0]);
10520Sstevel@tonic-gate (void) close(pw[1]);
10530Sstevel@tonic-gate }
10540Sstevel@tonic-gate }
10550Sstevel@tonic-gate
10560Sstevel@tonic-gate if (*pwd->pw_shell == '\0')
10570Sstevel@tonic-gate pwd->pw_shell = "/bin/sh";
10580Sstevel@tonic-gate if (!do_encrypt)
10590Sstevel@tonic-gate (void) close(f);
10600Sstevel@tonic-gate /*
10610Sstevel@tonic-gate * write audit record before making uid switch
10620Sstevel@tonic-gate */
10630Sstevel@tonic-gate (void) audit_rshd_success(hostname, remuser, locuser, cmdbuf); /* BSM */
10640Sstevel@tonic-gate
10650Sstevel@tonic-gate /* set the real (and effective) GID */
10660Sstevel@tonic-gate if (setgid(pwd->pw_gid) == -1) {
10670Sstevel@tonic-gate error("Invalid gid.\n");
10680Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
10690Sstevel@tonic-gate exit(1);
10700Sstevel@tonic-gate }
10710Sstevel@tonic-gate
10720Sstevel@tonic-gate /*
10730Sstevel@tonic-gate * Initialize the supplementary group access list.
10740Sstevel@tonic-gate */
10750Sstevel@tonic-gate if (strlen(locuser) == 0) {
10760Sstevel@tonic-gate error("No local user.\n");
10770Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
10780Sstevel@tonic-gate exit(1);
10790Sstevel@tonic-gate }
10800Sstevel@tonic-gate if (initgroups(locuser, pwd->pw_gid) == -1) {
10810Sstevel@tonic-gate error("Initgroup failed.\n");
10820Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
10830Sstevel@tonic-gate exit(1);
10840Sstevel@tonic-gate }
10850Sstevel@tonic-gate
10860Sstevel@tonic-gate if ((v = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
10870Sstevel@tonic-gate error("Insufficient credentials.\n");
10880Sstevel@tonic-gate (void) pam_end(pamh, v);
10890Sstevel@tonic-gate exit(1);
10900Sstevel@tonic-gate }
10910Sstevel@tonic-gate
10920Sstevel@tonic-gate /* set the real (and effective) UID */
10930Sstevel@tonic-gate if (setuid(pwd->pw_uid) == -1) {
10940Sstevel@tonic-gate error("Invalid uid.\n");
10950Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
10960Sstevel@tonic-gate exit(1);
10970Sstevel@tonic-gate }
10980Sstevel@tonic-gate
10990Sstevel@tonic-gate /* Change directory only after becoming the appropriate user. */
11000Sstevel@tonic-gate if (chdir(pwd->pw_dir) < 0) {
11010Sstevel@tonic-gate (void) chdir("/");
11020Sstevel@tonic-gate if (krb5auth_flag > 0) {
11030Sstevel@tonic-gate syslog(LOG_ERR, "Principal %s (%s@%s) for local user"
11040Sstevel@tonic-gate " %s has no home directory.",
11050Sstevel@tonic-gate kremuser, remuser, hostname, locuser);
11060Sstevel@tonic-gate error("No remote directory.\n");
11070Sstevel@tonic-gate goto signout;
11080Sstevel@tonic-gate }
11090Sstevel@tonic-gate #ifdef notdef
11100Sstevel@tonic-gate error("No remote directory.\n");
11110Sstevel@tonic-gate exit(1);
11120Sstevel@tonic-gate #endif
11130Sstevel@tonic-gate }
11140Sstevel@tonic-gate
11150Sstevel@tonic-gate path = (pwd->pw_uid == 0) ? rootpath : userpath;
11160Sstevel@tonic-gate
11170Sstevel@tonic-gate /*
11180Sstevel@tonic-gate * Space for the following environment variables are dynamically
11190Sstevel@tonic-gate * allocated because their lengths are not known before calling
11200Sstevel@tonic-gate * getpwnam().
11210Sstevel@tonic-gate */
11220Sstevel@tonic-gate homedir_len = strlen(pwd->pw_dir) + strlen(homestr) + 1;
11230Sstevel@tonic-gate shell_len = strlen(pwd->pw_shell) + strlen(shellstr) + 1;
11240Sstevel@tonic-gate username_len = strlen(pwd->pw_name) + strlen(userstr) + 1;
11250Sstevel@tonic-gate homedir = (char *)malloc(homedir_len);
11260Sstevel@tonic-gate shell = (char *)malloc(shell_len);
11270Sstevel@tonic-gate username = (char *)malloc(username_len);
11280Sstevel@tonic-gate if (homedir == NULL || shell == NULL || username == NULL) {
11290Sstevel@tonic-gate perror("malloc");
11300Sstevel@tonic-gate exit(1);
11310Sstevel@tonic-gate }
11320Sstevel@tonic-gate (void) snprintf(homedir, homedir_len, "%s%s", homestr, pwd->pw_dir);
11330Sstevel@tonic-gate (void) snprintf(shell, shell_len, "%s%s", shellstr, pwd->pw_shell);
11340Sstevel@tonic-gate (void) snprintf(username, username_len, "%s%s", userstr, pwd->pw_name);
11350Sstevel@tonic-gate
11360Sstevel@tonic-gate /* Pass timezone to executed command. */
11370Sstevel@tonic-gate if (tzenv = getenv("TZ")) {
11380Sstevel@tonic-gate tz_len = strlen(tzenv) + strlen(tzstr) + 1;
11390Sstevel@tonic-gate tz = malloc(tz_len);
11400Sstevel@tonic-gate if (tz != NULL)
11410Sstevel@tonic-gate (void) snprintf(tz, tz_len, "%s%s", tzstr, tzenv);
11420Sstevel@tonic-gate }
11430Sstevel@tonic-gate
11440Sstevel@tonic-gate add_to_envinit(homedir);
11450Sstevel@tonic-gate add_to_envinit(shell);
11460Sstevel@tonic-gate add_to_envinit(path);
11470Sstevel@tonic-gate add_to_envinit(username);
11480Sstevel@tonic-gate add_to_envinit(tz);
11490Sstevel@tonic-gate
11500Sstevel@tonic-gate if (krb5auth_flag > 0) {
11510Sstevel@tonic-gate int length;
11520Sstevel@tonic-gate char *buffer;
11530Sstevel@tonic-gate
11540Sstevel@tonic-gate /*
11550Sstevel@tonic-gate * If we have KRB5CCNAME set, then copy into the child's
11560Sstevel@tonic-gate * environment. This can't really have a fixed position
11570Sstevel@tonic-gate * because `tz' may or may not be set.
11580Sstevel@tonic-gate */
11590Sstevel@tonic-gate if (getenv("KRB5CCNAME")) {
11600Sstevel@tonic-gate length = (int)strlen(getenv("KRB5CCNAME")) +
11610Sstevel@tonic-gate (int)strlen("KRB5CCNAME=") + 1;
11620Sstevel@tonic-gate buffer = (char *)malloc(length);
11630Sstevel@tonic-gate
11640Sstevel@tonic-gate if (buffer) {
11650Sstevel@tonic-gate (void) snprintf(buffer, length, "KRB5CCNAME=%s",
11660Sstevel@tonic-gate getenv("KRB5CCNAME"));
11670Sstevel@tonic-gate add_to_envinit(buffer);
11680Sstevel@tonic-gate }
11690Sstevel@tonic-gate } {
11700Sstevel@tonic-gate /* These two are covered by ADDRPAD */
11710Sstevel@tonic-gate length = strlen(inet_ntoa(localaddr.sin_addr)) + 1 +
11720Sstevel@tonic-gate strlen("KRB5LOCALADDR=");
11730Sstevel@tonic-gate (void) snprintf(local_addr, length, "KRB5LOCALADDR=%s",
11740Sstevel@tonic-gate inet_ntoa(localaddr.sin_addr));
11750Sstevel@tonic-gate add_to_envinit(local_addr);
11760Sstevel@tonic-gate
11770Sstevel@tonic-gate length = strlen(inet_ntoa(sin->sin_addr)) + 1 +
11780Sstevel@tonic-gate strlen("KRB5REMOTEADDR=");
11790Sstevel@tonic-gate (void) snprintf(remote_addr, length,
11800Sstevel@tonic-gate "KRB5REMOTEADDR=%s", inet_ntoa(sin->sin_addr));
11810Sstevel@tonic-gate add_to_envinit(remote_addr);
11820Sstevel@tonic-gate }
11830Sstevel@tonic-gate
11840Sstevel@tonic-gate /*
11850Sstevel@tonic-gate * If we do anything else, make sure there is
11860Sstevel@tonic-gate * space in the array.
11870Sstevel@tonic-gate */
11880Sstevel@tonic-gate for (cnt = 0; cnt < num_env; cnt++) {
11890Sstevel@tonic-gate char *buf;
11900Sstevel@tonic-gate
11910Sstevel@tonic-gate if (getenv(save_env[cnt])) {
11920Sstevel@tonic-gate length = (int)strlen(getenv(save_env[cnt])) +
11930Sstevel@tonic-gate (int)strlen(save_env[cnt]) + 2;
11940Sstevel@tonic-gate
11950Sstevel@tonic-gate buf = (char *)malloc(length);
11960Sstevel@tonic-gate if (buf) {
11970Sstevel@tonic-gate (void) snprintf(buf, length, "%s=%s",
11980Sstevel@tonic-gate save_env[cnt],
11990Sstevel@tonic-gate getenv(save_env[cnt]));
12000Sstevel@tonic-gate add_to_envinit(buf);
12010Sstevel@tonic-gate }
12020Sstevel@tonic-gate }
12030Sstevel@tonic-gate }
12040Sstevel@tonic-gate
12050Sstevel@tonic-gate }
12060Sstevel@tonic-gate
12070Sstevel@tonic-gate /*
12080Sstevel@tonic-gate * add PAM environment variables set by modules
12090Sstevel@tonic-gate * -- only allowed 16 (PAM_ENV_ELIM)
12100Sstevel@tonic-gate * -- check to see if the environment variable is legal
12110Sstevel@tonic-gate */
12120Sstevel@tonic-gate if ((pam_env = pam_getenvlist(pamh)) != 0) {
12130Sstevel@tonic-gate while (pam_env[idx] != 0) {
12140Sstevel@tonic-gate if (idx < PAM_ENV_ELIM &&
12150Sstevel@tonic-gate legalenvvar(pam_env[idx])) {
12160Sstevel@tonic-gate add_to_envinit(pam_env[idx]);
12170Sstevel@tonic-gate }
12180Sstevel@tonic-gate idx++;
12190Sstevel@tonic-gate }
12200Sstevel@tonic-gate }
12210Sstevel@tonic-gate
12220Sstevel@tonic-gate (void) pam_end(pamh, PAM_SUCCESS);
12230Sstevel@tonic-gate
12240Sstevel@tonic-gate /*
12250Sstevel@tonic-gate * Pick up locale environment variables, if any.
12260Sstevel@tonic-gate */
12270Sstevel@tonic-gate lenvp = renvp;
12280Sstevel@tonic-gate while (*lenvp != NULL) {
12290Sstevel@tonic-gate int index;
12300Sstevel@tonic-gate
12310Sstevel@tonic-gate for (index = 0; localeenv[index] != NULL; index++)
12320Sstevel@tonic-gate /*
12330Sstevel@tonic-gate * locale_envmatch() returns 1 if
12340Sstevel@tonic-gate * *lenvp is localenev[index] and valid.
12350Sstevel@tonic-gate */
12360Sstevel@tonic-gate if (locale_envmatch(localeenv[index], *lenvp)) {
12370Sstevel@tonic-gate add_to_envinit(*lenvp);
12380Sstevel@tonic-gate break;
12390Sstevel@tonic-gate }
12400Sstevel@tonic-gate
12410Sstevel@tonic-gate lenvp++;
12420Sstevel@tonic-gate }
12430Sstevel@tonic-gate
12440Sstevel@tonic-gate cp = strrchr(pwd->pw_shell, '/');
12450Sstevel@tonic-gate if (cp != NULL)
12460Sstevel@tonic-gate cp++;
12470Sstevel@tonic-gate else
12480Sstevel@tonic-gate cp = pwd->pw_shell;
12490Sstevel@tonic-gate /*
12500Sstevel@tonic-gate * rdist has been moved to /usr/bin, so /usr/ucb/rdist might not
12510Sstevel@tonic-gate * be present on a system. So if it doesn't exist we fall back
12520Sstevel@tonic-gate * and try for it in /usr/bin. We take care to match the space
12530Sstevel@tonic-gate * after the name because the only purpose of this is to protect
12540Sstevel@tonic-gate * the internal call from old rdist's, not humans who type
12550Sstevel@tonic-gate * "rsh foo /usr/ucb/rdist".
12560Sstevel@tonic-gate */
12570Sstevel@tonic-gate #define RDIST_PROG_NAME "/usr/ucb/rdist -Server"
12580Sstevel@tonic-gate if (strncmp(cmdbuf, RDIST_PROG_NAME, strlen(RDIST_PROG_NAME)) == 0) {
12590Sstevel@tonic-gate if (stat("/usr/ucb/rdist", &statb) != 0) {
12600Sstevel@tonic-gate (void) strncpy(cmdbuf + 5, "bin", 3);
12610Sstevel@tonic-gate }
12620Sstevel@tonic-gate }
12630Sstevel@tonic-gate
12640Sstevel@tonic-gate #ifdef DEBUG
12650Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: cmdbuf = %s", cmdbuf);
12660Sstevel@tonic-gate if (do_encrypt)
12670Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: cmd to be exec'ed = %s",
12680Sstevel@tonic-gate ((char *)cmdbuf + 3));
12690Sstevel@tonic-gate #endif /* DEBUG */
12700Sstevel@tonic-gate
12710Sstevel@tonic-gate if (do_encrypt && (strncmp(cmdbuf, "-x ", 3) == 0)) {
12720Sstevel@tonic-gate (void) execle(pwd->pw_shell, cp, "-c", (char *)cmdbuf + 3,
12730Sstevel@tonic-gate NULL, envinit);
12740Sstevel@tonic-gate } else {
12750Sstevel@tonic-gate (void) execle(pwd->pw_shell, cp, "-c", cmdbuf, NULL,
12760Sstevel@tonic-gate envinit);
12770Sstevel@tonic-gate }
12780Sstevel@tonic-gate
12790Sstevel@tonic-gate perror(pwd->pw_shell);
12800Sstevel@tonic-gate exit(1);
12810Sstevel@tonic-gate
12820Sstevel@tonic-gate signout:
12830Sstevel@tonic-gate if (ccache)
12840Sstevel@tonic-gate (void) pam_close_session(pamh, 0);
12850Sstevel@tonic-gate ccache = NULL;
12860Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT);
12870Sstevel@tonic-gate exit(1);
12880Sstevel@tonic-gate }
12890Sstevel@tonic-gate
12900Sstevel@tonic-gate static void
getstr(fd,buf,cnt,err)12910Sstevel@tonic-gate getstr(fd, buf, cnt, err)
12920Sstevel@tonic-gate int fd;
12930Sstevel@tonic-gate char *buf;
12940Sstevel@tonic-gate int cnt;
12950Sstevel@tonic-gate char *err;
12960Sstevel@tonic-gate {
12970Sstevel@tonic-gate char c;
12980Sstevel@tonic-gate
12990Sstevel@tonic-gate do {
13000Sstevel@tonic-gate if (read(fd, &c, 1) != 1)
13010Sstevel@tonic-gate exit(1);
13020Sstevel@tonic-gate if (cnt-- == 0) {
13030Sstevel@tonic-gate error("%s too long\n", err);
13040Sstevel@tonic-gate exit(1);
13050Sstevel@tonic-gate }
13060Sstevel@tonic-gate *buf++ = c;
13070Sstevel@tonic-gate } while (c != 0);
13080Sstevel@tonic-gate }
13090Sstevel@tonic-gate
13100Sstevel@tonic-gate /*PRINTFLIKE1*/
13110Sstevel@tonic-gate static void
error(char * fmt,...)13120Sstevel@tonic-gate error(char *fmt, ...)
13130Sstevel@tonic-gate {
13140Sstevel@tonic-gate va_list ap;
13150Sstevel@tonic-gate char buf[RSHD_BUFSIZ];
13160Sstevel@tonic-gate
13170Sstevel@tonic-gate buf[0] = 1;
13180Sstevel@tonic-gate va_start(ap, fmt);
13190Sstevel@tonic-gate (void) vsnprintf(&buf[1], sizeof (buf) - 1, fmt, ap);
13200Sstevel@tonic-gate va_end(ap);
13210Sstevel@tonic-gate (void) write(STDERR_FILENO, buf, strlen(buf));
13220Sstevel@tonic-gate }
13230Sstevel@tonic-gate
13240Sstevel@tonic-gate static char *illegal[] = {
13250Sstevel@tonic-gate "SHELL=",
13260Sstevel@tonic-gate "HOME=",
13270Sstevel@tonic-gate "LOGNAME=",
13280Sstevel@tonic-gate #ifndef NO_MAIL
13290Sstevel@tonic-gate "MAIL=",
13300Sstevel@tonic-gate #endif
13310Sstevel@tonic-gate "CDPATH=",
13320Sstevel@tonic-gate "IFS=",
13330Sstevel@tonic-gate "PATH=",
13340Sstevel@tonic-gate "USER=",
13350Sstevel@tonic-gate "TZ=",
13360Sstevel@tonic-gate 0
13370Sstevel@tonic-gate };
13380Sstevel@tonic-gate
13390Sstevel@tonic-gate /*
13400Sstevel@tonic-gate * legalenvvar - can PAM modules insert this environmental variable?
13410Sstevel@tonic-gate */
13420Sstevel@tonic-gate
13430Sstevel@tonic-gate static int
legalenvvar(char * s)13440Sstevel@tonic-gate legalenvvar(char *s)
13450Sstevel@tonic-gate {
13460Sstevel@tonic-gate register char **p;
13470Sstevel@tonic-gate
13480Sstevel@tonic-gate for (p = illegal; *p; p++)
13490Sstevel@tonic-gate if (strncmp(s, *p, strlen(*p)) == 0)
13500Sstevel@tonic-gate return (0);
13510Sstevel@tonic-gate
13520Sstevel@tonic-gate if (s[0] == 'L' && s[1] == 'D' && s[2] == '_')
13530Sstevel@tonic-gate return (0);
13540Sstevel@tonic-gate
13550Sstevel@tonic-gate return (1);
13560Sstevel@tonic-gate }
13570Sstevel@tonic-gate
13580Sstevel@tonic-gate /*
13590Sstevel@tonic-gate * Add a string to the environment of the new process.
13600Sstevel@tonic-gate */
13610Sstevel@tonic-gate
13620Sstevel@tonic-gate static void
add_to_envinit(char * string)13630Sstevel@tonic-gate add_to_envinit(char *string)
13640Sstevel@tonic-gate {
13650Sstevel@tonic-gate /*
13660Sstevel@tonic-gate * Reserve space for 2 * 8 = 16 environment entries initially which
13670Sstevel@tonic-gate * should be enough to avoid reallocation of "envinit" in most cases.
13680Sstevel@tonic-gate */
13690Sstevel@tonic-gate static int size = 8;
13700Sstevel@tonic-gate static int index = 0;
13710Sstevel@tonic-gate
13720Sstevel@tonic-gate if (string == NULL)
13730Sstevel@tonic-gate return;
13740Sstevel@tonic-gate
13750Sstevel@tonic-gate if ((envinit == NULL) || (index == size)) {
13760Sstevel@tonic-gate size *= 2;
13770Sstevel@tonic-gate envinit = realloc(envinit, (size + 1) * sizeof (char *));
13780Sstevel@tonic-gate if (envinit == NULL) {
13790Sstevel@tonic-gate perror("malloc");
13800Sstevel@tonic-gate exit(1);
13810Sstevel@tonic-gate }
13820Sstevel@tonic-gate }
13830Sstevel@tonic-gate
13840Sstevel@tonic-gate envinit[index++] = string;
13850Sstevel@tonic-gate envinit[index] = NULL;
13860Sstevel@tonic-gate }
13870Sstevel@tonic-gate
13880Sstevel@tonic-gate /*
13890Sstevel@tonic-gate * Check if lenv and penv matches or not.
13900Sstevel@tonic-gate */
13910Sstevel@tonic-gate static int
locale_envmatch(char * lenv,char * penv)13920Sstevel@tonic-gate locale_envmatch(char *lenv, char *penv)
13930Sstevel@tonic-gate {
13940Sstevel@tonic-gate while ((*lenv == *penv) && (*lenv != '\0') && (*penv != '=')) {
13950Sstevel@tonic-gate lenv++;
13960Sstevel@tonic-gate penv++;
13970Sstevel@tonic-gate }
13980Sstevel@tonic-gate
13990Sstevel@tonic-gate /*
14000Sstevel@tonic-gate * '/' is eliminated for security reason.
14010Sstevel@tonic-gate */
14020Sstevel@tonic-gate return ((*lenv == '\0' && *penv == '=' && *(penv + 1) != '/'));
14030Sstevel@tonic-gate }
14040Sstevel@tonic-gate
14050Sstevel@tonic-gate #ifndef KRB_SENDAUTH_VLEN
14060Sstevel@tonic-gate #define KRB_SENDAUTH_VLEN 8 /* length for version strings */
14070Sstevel@tonic-gate #endif
14080Sstevel@tonic-gate
14090Sstevel@tonic-gate /* MUST be KRB_SENDAUTH_VLEN chars */
14100Sstevel@tonic-gate #define KRB_SENDAUTH_VERS "AUTHV0.1"
14110Sstevel@tonic-gate #define SIZEOF_INADDR sizeof (struct in_addr)
14120Sstevel@tonic-gate
14130Sstevel@tonic-gate static krb5_error_code
recvauth(int netf,int * valid_checksum)14140Sstevel@tonic-gate recvauth(int netf, int *valid_checksum)
14150Sstevel@tonic-gate {
14160Sstevel@tonic-gate krb5_auth_context auth_context = NULL;
14170Sstevel@tonic-gate krb5_error_code status;
14180Sstevel@tonic-gate struct sockaddr_in laddr;
14190Sstevel@tonic-gate int len;
14200Sstevel@tonic-gate krb5_data inbuf;
14210Sstevel@tonic-gate krb5_authenticator *authenticator;
14220Sstevel@tonic-gate krb5_ticket *ticket;
14230Sstevel@tonic-gate krb5_rcache rcache;
14240Sstevel@tonic-gate krb5_data version;
14250Sstevel@tonic-gate krb5_encrypt_block eblock; /* eblock for encrypt/decrypt */
14260Sstevel@tonic-gate krb5_data desinbuf;
14270Sstevel@tonic-gate krb5_data desoutbuf;
14280Sstevel@tonic-gate char des_inbuf[2 * RSHD_BUFSIZ];
14290Sstevel@tonic-gate /* needs to be > largest read size */
14300Sstevel@tonic-gate char des_outbuf[2 * RSHD_BUFSIZ + 4];
14310Sstevel@tonic-gate /* needs to be > largest write size */
14320Sstevel@tonic-gate
14330Sstevel@tonic-gate *valid_checksum = 0;
14340Sstevel@tonic-gate len = sizeof (laddr);
14350Sstevel@tonic-gate
14360Sstevel@tonic-gate if (getsockname(netf, (struct sockaddr *)&laddr, &len)) {
14370Sstevel@tonic-gate exit(1);
14380Sstevel@tonic-gate }
14390Sstevel@tonic-gate
14400Sstevel@tonic-gate if (status = krb5_auth_con_init(bsd_context, &auth_context))
14410Sstevel@tonic-gate return (status);
14420Sstevel@tonic-gate
14430Sstevel@tonic-gate if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
14440Sstevel@tonic-gate KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR))
14450Sstevel@tonic-gate return (status);
14460Sstevel@tonic-gate
14470Sstevel@tonic-gate status = krb5_auth_con_getrcache(bsd_context, auth_context, &rcache);
14480Sstevel@tonic-gate if (status)
14490Sstevel@tonic-gate return (status);
14500Sstevel@tonic-gate
14510Sstevel@tonic-gate if (!rcache) {
14520Sstevel@tonic-gate krb5_principal server;
14530Sstevel@tonic-gate
14540Sstevel@tonic-gate status = krb5_sname_to_principal(bsd_context, 0, 0,
14550Sstevel@tonic-gate KRB5_NT_SRV_HST, &server);
14560Sstevel@tonic-gate if (status)
14570Sstevel@tonic-gate return (status);
14580Sstevel@tonic-gate
14590Sstevel@tonic-gate status = krb5_get_server_rcache(bsd_context,
14600Sstevel@tonic-gate krb5_princ_component(bsd_context, server, 0),
14610Sstevel@tonic-gate &rcache);
14620Sstevel@tonic-gate krb5_free_principal(bsd_context, server);
14630Sstevel@tonic-gate if (status)
14640Sstevel@tonic-gate return (status);
14650Sstevel@tonic-gate
14660Sstevel@tonic-gate status = krb5_auth_con_setrcache(bsd_context, auth_context,
14670Sstevel@tonic-gate rcache);
14680Sstevel@tonic-gate if (status)
14690Sstevel@tonic-gate return (status);
14700Sstevel@tonic-gate }
14710Sstevel@tonic-gate
14720Sstevel@tonic-gate status = krb5_recvauth_version(bsd_context, &auth_context, &netf,
14730Sstevel@tonic-gate NULL, /* Specify daemon principal */
14740Sstevel@tonic-gate 0, /* no flags */
14750Sstevel@tonic-gate keytab, /* normally NULL to use v5srvtab */
14760Sstevel@tonic-gate &ticket, /* return ticket */
14770Sstevel@tonic-gate &version); /* application version string */
14780Sstevel@tonic-gate
14790Sstevel@tonic-gate
14800Sstevel@tonic-gate if (status) {
14810Sstevel@tonic-gate getstr(netf, locuser, sizeof (locuser), "locuser");
14820Sstevel@tonic-gate getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
14830Sstevel@tonic-gate getstr(netf, remuser, sizeof (locuser), "remuser");
14840Sstevel@tonic-gate return (status);
14850Sstevel@tonic-gate }
14860Sstevel@tonic-gate getstr(netf, locuser, sizeof (locuser), "locuser");
14870Sstevel@tonic-gate getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
14880Sstevel@tonic-gate
14890Sstevel@tonic-gate /* Must be V5 */
14900Sstevel@tonic-gate
14910Sstevel@tonic-gate kcmd_protocol = KCMD_UNKNOWN_PROTOCOL;
14920Sstevel@tonic-gate if (version.length != 9 || version.data == NULL) {
14930Sstevel@tonic-gate syslog(LOG_ERR, "bad application version length");
14940Sstevel@tonic-gate error(gettext("bad application version length\n"));
14950Sstevel@tonic-gate exit(1);
14960Sstevel@tonic-gate }
14970Sstevel@tonic-gate if (strncmp(version.data, "KCMDV0.1", 9) == 0) {
14980Sstevel@tonic-gate kcmd_protocol = KCMD_OLD_PROTOCOL;
14990Sstevel@tonic-gate } else if (strncmp(version.data, "KCMDV0.2", 9) == 0) {
15000Sstevel@tonic-gate kcmd_protocol = KCMD_NEW_PROTOCOL;
15010Sstevel@tonic-gate } else {
15020Sstevel@tonic-gate syslog(LOG_ERR, "Unrecognized KCMD protocol (%s)",
15030Sstevel@tonic-gate (char *)version.data);
15040Sstevel@tonic-gate error(gettext("Unrecognized KCMD protocol (%s)"),
15050Sstevel@tonic-gate (char *)version.data);
15060Sstevel@tonic-gate exit(1);
15070Sstevel@tonic-gate }
15080Sstevel@tonic-gate getstr(netf, remuser, sizeof (locuser), "remuser");
15090Sstevel@tonic-gate
15100Sstevel@tonic-gate if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client,
15110Sstevel@tonic-gate &kremuser)))
15120Sstevel@tonic-gate return (status);
15130Sstevel@tonic-gate
15140Sstevel@tonic-gate if ((status = krb5_copy_principal(bsd_context,
15150Sstevel@tonic-gate ticket->enc_part2->client, &client)))
15160Sstevel@tonic-gate return (status);
15170Sstevel@tonic-gate
15180Sstevel@tonic-gate
15190Sstevel@tonic-gate if (checksum_required && (kcmd_protocol == KCMD_OLD_PROTOCOL)) {
15200Sstevel@tonic-gate if ((status = krb5_auth_con_getauthenticator(bsd_context,
15210Sstevel@tonic-gate auth_context, &authenticator)))
15220Sstevel@tonic-gate return (status);
15230Sstevel@tonic-gate
15240Sstevel@tonic-gate if (authenticator->checksum && checksum_required) {
15250Sstevel@tonic-gate struct sockaddr_in adr;
15260Sstevel@tonic-gate int adr_length = sizeof (adr);
15270Sstevel@tonic-gate int chksumsize = strlen(cmdbuf) + strlen(locuser) + 32;
15280Sstevel@tonic-gate krb5_data input;
15290Sstevel@tonic-gate krb5_keyblock key;
15300Sstevel@tonic-gate
15310Sstevel@tonic-gate char *chksumbuf = (char *)malloc(chksumsize);
15320Sstevel@tonic-gate
15330Sstevel@tonic-gate if (chksumbuf == 0)
15340Sstevel@tonic-gate goto error_cleanup;
15350Sstevel@tonic-gate if (getsockname(netf, (struct sockaddr *)&adr,
15360Sstevel@tonic-gate &adr_length) != 0)
15370Sstevel@tonic-gate goto error_cleanup;
15380Sstevel@tonic-gate
15390Sstevel@tonic-gate (void) snprintf(chksumbuf, chksumsize, "%u:",
15400Sstevel@tonic-gate ntohs(adr.sin_port));
15410Sstevel@tonic-gate if (strlcat(chksumbuf, cmdbuf,
15420Sstevel@tonic-gate chksumsize) >= chksumsize) {
15430Sstevel@tonic-gate syslog(LOG_ERR, "cmd buffer too long.");
15440Sstevel@tonic-gate free(chksumbuf);
15450Sstevel@tonic-gate return (-1);
15460Sstevel@tonic-gate }
15470Sstevel@tonic-gate if (strlcat(chksumbuf, locuser,
15480Sstevel@tonic-gate chksumsize) >= chksumsize) {
15490Sstevel@tonic-gate syslog(LOG_ERR, "locuser too long.");
15500Sstevel@tonic-gate free(chksumbuf);
15510Sstevel@tonic-gate return (-1);
15520Sstevel@tonic-gate }
15530Sstevel@tonic-gate
15540Sstevel@tonic-gate input.data = chksumbuf;
15550Sstevel@tonic-gate input.length = strlen(chksumbuf);
15560Sstevel@tonic-gate key.magic = ticket->enc_part2->session->magic;
15570Sstevel@tonic-gate key.enctype = ticket->enc_part2->session->enctype;
15580Sstevel@tonic-gate key.contents = ticket->enc_part2->session->contents;
15590Sstevel@tonic-gate key.length = ticket->enc_part2->session->length;
15600Sstevel@tonic-gate
15610Sstevel@tonic-gate status = krb5_c_verify_checksum(bsd_context,
15620Sstevel@tonic-gate &key, 0, &input, authenticator->checksum,
15630Sstevel@tonic-gate (unsigned int *)valid_checksum);
15640Sstevel@tonic-gate
15650Sstevel@tonic-gate if (status == 0 && *valid_checksum == 0)
15660Sstevel@tonic-gate status = KRB5KRB_AP_ERR_BAD_INTEGRITY;
15670Sstevel@tonic-gate error_cleanup:
15680Sstevel@tonic-gate if (chksumbuf)
15690Sstevel@tonic-gate krb5_xfree(chksumbuf);
15700Sstevel@tonic-gate if (status) {
15710Sstevel@tonic-gate krb5_free_authenticator(bsd_context,
15720Sstevel@tonic-gate authenticator);
15730Sstevel@tonic-gate return (status);
15740Sstevel@tonic-gate }
15750Sstevel@tonic-gate }
15760Sstevel@tonic-gate krb5_free_authenticator(bsd_context, authenticator);
15770Sstevel@tonic-gate }
15780Sstevel@tonic-gate
15790Sstevel@tonic-gate
15800Sstevel@tonic-gate if ((strncmp(cmdbuf, "-x ", 3) == 0)) {
15810Sstevel@tonic-gate if (krb5_privacy_allowed()) {
15820Sstevel@tonic-gate do_encrypt = 1;
15830Sstevel@tonic-gate } else {
15840Sstevel@tonic-gate syslog(LOG_ERR, "rshd: Encryption not supported");
15850Sstevel@tonic-gate error("rshd: Encryption not supported. \n");
15860Sstevel@tonic-gate exit(2);
15870Sstevel@tonic-gate }
15880Sstevel@tonic-gate
15890Sstevel@tonic-gate status = krb5_auth_con_getremotesubkey(bsd_context,
15900Sstevel@tonic-gate auth_context,
15910Sstevel@tonic-gate &sessionkey);
15920Sstevel@tonic-gate if (status) {
15930Sstevel@tonic-gate syslog(LOG_ERR, "Error getting KRB5 session subkey");
15940Sstevel@tonic-gate error(gettext("Error getting KRB5 session subkey"));
15950Sstevel@tonic-gate exit(1);
15960Sstevel@tonic-gate }
15970Sstevel@tonic-gate /*
15980Sstevel@tonic-gate * The "new" protocol requires that a subkey be sent.
15990Sstevel@tonic-gate */
16000Sstevel@tonic-gate if (sessionkey == NULL && kcmd_protocol == KCMD_NEW_PROTOCOL) {
16010Sstevel@tonic-gate syslog(LOG_ERR, "No KRB5 session subkey sent");
16020Sstevel@tonic-gate error(gettext("No KRB5 session subkey sent"));
16030Sstevel@tonic-gate exit(1);
16040Sstevel@tonic-gate }
16050Sstevel@tonic-gate /*
16060Sstevel@tonic-gate * The "old" protocol does not permit an authenticator subkey.
16070Sstevel@tonic-gate * The key is taken from the ticket instead (see below).
16080Sstevel@tonic-gate */
16090Sstevel@tonic-gate if (sessionkey != NULL && kcmd_protocol == KCMD_OLD_PROTOCOL) {
16100Sstevel@tonic-gate syslog(LOG_ERR, "KRB5 session subkey not permitted "
16110Sstevel@tonic-gate "with old KCMD protocol");
16120Sstevel@tonic-gate error(gettext("KRB5 session subkey not permitted "
16130Sstevel@tonic-gate "with old KCMD protocol"));
16140Sstevel@tonic-gate exit(1);
16150Sstevel@tonic-gate }
16160Sstevel@tonic-gate /*
16170Sstevel@tonic-gate * If no key at this point, use the session key from
16180Sstevel@tonic-gate * the ticket.
16190Sstevel@tonic-gate */
16200Sstevel@tonic-gate if (sessionkey == NULL) {
16210Sstevel@tonic-gate /*
16220Sstevel@tonic-gate * Save the session key so we can configure the crypto
16230Sstevel@tonic-gate * module later.
16240Sstevel@tonic-gate */
16250Sstevel@tonic-gate status = krb5_copy_keyblock(bsd_context,
16260Sstevel@tonic-gate ticket->enc_part2->session,
16270Sstevel@tonic-gate &sessionkey);
16280Sstevel@tonic-gate if (status) {
16290Sstevel@tonic-gate syslog(LOG_ERR, "krb5_copy_keyblock failed");
16300Sstevel@tonic-gate error(gettext("krb5_copy_keyblock failed"));
16310Sstevel@tonic-gate exit(1);
16320Sstevel@tonic-gate }
16330Sstevel@tonic-gate }
16340Sstevel@tonic-gate /*
16350Sstevel@tonic-gate * If session key still cannot be found, we must
16360Sstevel@tonic-gate * exit because encryption is required here
16370Sstevel@tonic-gate * when encr_flag (-x) is set.
16380Sstevel@tonic-gate */
16390Sstevel@tonic-gate if (sessionkey == NULL) {
16400Sstevel@tonic-gate syslog(LOG_ERR, "Could not find an encryption key");
16410Sstevel@tonic-gate error(gettext("Could not find an encryption key"));
16420Sstevel@tonic-gate exit(1);
16430Sstevel@tonic-gate }
16440Sstevel@tonic-gate
16450Sstevel@tonic-gate /*
16460Sstevel@tonic-gate * Initialize parameters/buffers for desread & deswrite here.
16470Sstevel@tonic-gate */
16480Sstevel@tonic-gate desinbuf.data = des_inbuf;
16490Sstevel@tonic-gate desoutbuf.data = des_outbuf;
16500Sstevel@tonic-gate desinbuf.length = sizeof (des_inbuf);
16510Sstevel@tonic-gate desoutbuf.length = sizeof (des_outbuf);
16520Sstevel@tonic-gate
16530Sstevel@tonic-gate eblock.crypto_entry = sessionkey->enctype;
16540Sstevel@tonic-gate eblock.key = (krb5_keyblock *)sessionkey;
16550Sstevel@tonic-gate
16560Sstevel@tonic-gate init_encrypt(do_encrypt, bsd_context, kcmd_protocol,
16570Sstevel@tonic-gate &desinbuf, &desoutbuf, SERVER, &eblock);
16580Sstevel@tonic-gate }
16590Sstevel@tonic-gate
16600Sstevel@tonic-gate ticket->enc_part2->session = 0;
16610Sstevel@tonic-gate
16620Sstevel@tonic-gate if ((status = krb5_read_message(bsd_context, (krb5_pointer) & netf,
16630Sstevel@tonic-gate &inbuf))) {
16640Sstevel@tonic-gate error(gettext("Error reading message: %s\n"),
16650Sstevel@tonic-gate error_message(status));
16660Sstevel@tonic-gate exit(1);
16670Sstevel@tonic-gate }
16680Sstevel@tonic-gate
16690Sstevel@tonic-gate if (inbuf.length) {
16706536Sgtb krb5_creds **creds = NULL;
16716536Sgtb
16720Sstevel@tonic-gate /* Forwarding being done, read creds */
16736536Sgtb if ((status = krb5_rd_cred(bsd_context,
16746536Sgtb auth_context, &inbuf, &creds,
16756536Sgtb NULL))) {
16760Sstevel@tonic-gate error("Can't get forwarded credentials: %s\n",
16770Sstevel@tonic-gate error_message(status));
16780Sstevel@tonic-gate exit(1);
16790Sstevel@tonic-gate }
16800Sstevel@tonic-gate
16816536Sgtb /* Store the forwarded creds in the ccache */
16826536Sgtb if ((status = store_forw_creds(bsd_context,
16836536Sgtb creds, ticket, locuser,
16846536Sgtb &ccache))) {
16856536Sgtb error("Can't store forwarded credentials: %s\n",
16866536Sgtb error_message(status));
16876536Sgtb exit(1);
16886536Sgtb }
16896536Sgtb krb5_free_creds(bsd_context, *creds);
16900Sstevel@tonic-gate }
16916536Sgtb
16920Sstevel@tonic-gate krb5_free_ticket(bsd_context, ticket);
16930Sstevel@tonic-gate return (0);
16940Sstevel@tonic-gate }
16950Sstevel@tonic-gate
16960Sstevel@tonic-gate static void
usage(void)16970Sstevel@tonic-gate usage(void)
16980Sstevel@tonic-gate {
16990Sstevel@tonic-gate (void) fprintf(stderr, gettext("%s: rshd [-k5eciU] "
17000Sstevel@tonic-gate "[-P path] [-M realm] [-s tos] "
17010Sstevel@tonic-gate #ifdef DEBUG
17020Sstevel@tonic-gate "[-D port] "
17030Sstevel@tonic-gate #endif /* DEBUG */
17040Sstevel@tonic-gate "[-S keytab]"), gettext("usage"));
17050Sstevel@tonic-gate
17060Sstevel@tonic-gate syslog(LOG_ERR, "%s: rshd [-k5eciU] [-P path] [-M realm] [-s tos] "
17070Sstevel@tonic-gate #ifdef DEBUG
17080Sstevel@tonic-gate "[-D port] "
17090Sstevel@tonic-gate #endif /* DEBUG */
17100Sstevel@tonic-gate "[-S keytab]", gettext("usage"));
17110Sstevel@tonic-gate }
1712