xref: /onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c (revision 11415:2d2e5f652b7c)
10Sstevel@tonic-gate /*
20Sstevel@tonic-gate  * CDDL HEADER START
30Sstevel@tonic-gate  *
40Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
53011Sjbeck  * Common Development and Distribution License (the "License").
63011Sjbeck  * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate  *
80Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate  * See the License for the specific language governing permissions
110Sstevel@tonic-gate  * and limitations under the License.
120Sstevel@tonic-gate  *
130Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate  *
190Sstevel@tonic-gate  * CDDL HEADER END
200Sstevel@tonic-gate  */
213011Sjbeck 
220Sstevel@tonic-gate /*
23*11415SSurya.Prakki@Sun.COM  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
240Sstevel@tonic-gate  * Use is subject to license terms.
250Sstevel@tonic-gate  */
260Sstevel@tonic-gate 
270Sstevel@tonic-gate /*	Copyright (c) 1983-1989 AT&T	*/
280Sstevel@tonic-gate /*	  All Rights Reserved  	*/
290Sstevel@tonic-gate 
300Sstevel@tonic-gate /*
310Sstevel@tonic-gate  * Portions of this source code were derived from Berkeley 4.3 BSD
320Sstevel@tonic-gate  * under license from the Regents of the University of California.
330Sstevel@tonic-gate  */
340Sstevel@tonic-gate 
350Sstevel@tonic-gate #define	_FILE_OFFSET_BITS 64
360Sstevel@tonic-gate 
370Sstevel@tonic-gate /*
380Sstevel@tonic-gate  * remote shell server:
390Sstevel@tonic-gate  *	remuser\0
400Sstevel@tonic-gate  *	locuser\0
410Sstevel@tonic-gate  *	command\0
420Sstevel@tonic-gate  *	data
430Sstevel@tonic-gate  */
440Sstevel@tonic-gate #include <sys/types.h>
450Sstevel@tonic-gate #include <sys/ioctl.h>
460Sstevel@tonic-gate #include <sys/telioctl.h>
470Sstevel@tonic-gate #include <sys/param.h>
480Sstevel@tonic-gate #include <sys/socket.h>
490Sstevel@tonic-gate #include <sys/time.h>
500Sstevel@tonic-gate #include <sys/stat.h>
510Sstevel@tonic-gate #include <sys/file.h>
520Sstevel@tonic-gate #include <sys/select.h>
530Sstevel@tonic-gate 
540Sstevel@tonic-gate #include <netinet/in.h>
550Sstevel@tonic-gate 
560Sstevel@tonic-gate #include <arpa/inet.h>
570Sstevel@tonic-gate 
580Sstevel@tonic-gate #include <unistd.h>
590Sstevel@tonic-gate #include <string.h>
600Sstevel@tonic-gate #include <stdio.h>
610Sstevel@tonic-gate #include <stdarg.h>
620Sstevel@tonic-gate #include <errno.h>
630Sstevel@tonic-gate #include <pwd.h>
640Sstevel@tonic-gate #include <grp.h>
650Sstevel@tonic-gate #include <signal.h>
660Sstevel@tonic-gate #include <netdb.h>
670Sstevel@tonic-gate #include <syslog.h>
680Sstevel@tonic-gate #include <fcntl.h>
690Sstevel@tonic-gate #include <ctype.h>
700Sstevel@tonic-gate #include <locale.h>
710Sstevel@tonic-gate 
720Sstevel@tonic-gate #include <sys/resource.h>
730Sstevel@tonic-gate #include <sys/filio.h>
740Sstevel@tonic-gate #include <shadow.h>
750Sstevel@tonic-gate #include <stdlib.h>
760Sstevel@tonic-gate 
770Sstevel@tonic-gate #include <security/pam_appl.h>
788126SJoep.Vesseur@Sun.COM #include <deflt.h>
790Sstevel@tonic-gate 
800Sstevel@tonic-gate #include <k5-int.h>
810Sstevel@tonic-gate #include <krb5_repository.h>
820Sstevel@tonic-gate #include <com_err.h>
830Sstevel@tonic-gate #include <kcmd.h>
840Sstevel@tonic-gate 
853011Sjbeck #include <addr_match.h>
866536Sgtb #include <store_forw_creds.h>
873011Sjbeck 
/* Fallback for platforms whose headers do not define NCARGS. */
#ifndef NCARGS
#define	NCARGS	5120
#endif /* !NCARGS */

/*
 * Forward declarations for helpers defined later in this file.
 * Parameter names follow the way the helpers are called from main()
 * and doit().
 */
static void error(char *fmt, ...);
static void doit(int f, struct sockaddr_storage *fromp, char **renvp);
static void getstr(int fd, char *buf, int cnt, char *err);

static int legalenvvar(char *);
static void add_to_envinit(char *);
static int locale_envmatch(char *, char *);

/*
 * BSM audit hooks.  They are not declared in any header file, so the
 * prototypes are repeated here.
 */
extern int audit_rshd_setup(void);
extern int audit_rshd_success(char *, char *, char *, char *);
extern int audit_rshd_fail(char *msg, char *hostname, char *remuser,
    char *locuser, char *cmdbuf);
extern int audit_settid(int fd);

static int do_encrypt = 0;
/* PAM handle; doit() fills it in through pam_start(). */
static pam_handle_t *pamh;
1080Sstevel@tonic-gate 
1090Sstevel@tonic-gate /*
1100Sstevel@tonic-gate  * This is the shell/kshell daemon. The very basic protocol for checking
1110Sstevel@tonic-gate  * authentication and authorization is:
1120Sstevel@tonic-gate  * 1) Check authentication.
1130Sstevel@tonic-gate  * 2) Check authorization via the access-control files:
1140Sstevel@tonic-gate  *    ~/.k5login (using krb5_kuserok) and/or
1150Sstevel@tonic-gate  * Execute command if configured authorization checks pass, else deny
1160Sstevel@tonic-gate  * permission.
1170Sstevel@tonic-gate  *
1180Sstevel@tonic-gate  * The configuration is done either by command-line arguments passed by inetd,
1190Sstevel@tonic-gate  * or by the name of the daemon. If command-line arguments are present, they
1200Sstevel@tonic-gate  * take priority. The options are:
1210Sstevel@tonic-gate  * -k allow kerberos authentication (krb5 only; krb4 support is not provided)
1220Sstevel@tonic-gate  * -5 same as `-k', mainly for compatibility with MIT
1230Sstevel@tonic-gate  * -e allow encrypted session
1240Sstevel@tonic-gate  * -c demand authenticator checksum
1250Sstevel@tonic-gate  * -i ignore authenticator checksum
1260Sstevel@tonic-gate  * -U Refuse connections that cannot be mapped to a name via `gethostbyname'
1270Sstevel@tonic-gate  * -s <tos>	Set the IP TOS option
1280Sstevel@tonic-gate  * -S <keytab>	Set the keytab file to use
1290Sstevel@tonic-gate  * -M <realm>	Set the Kerberos realm to use
1300Sstevel@tonic-gate  */
1310Sstevel@tonic-gate 
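/*
 * getopt() option string used by main().
 *
 * "s:" is listed so that the documented "-s <tos>" option reaches the
 * `case 's'` handler in main(); when it is missing getopt() reports -s
 * as an unknown option and the daemon leaves through usage().
 */
#define	ARGSTR	"ek5ciUD:M:S:L:s:?:"

/* Size in bytes (50 KB) of the on-stack I/O buffer declared in doit(). */
#define	RSHD_BUFSIZ	(50 * 1024)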
1340Sstevel@tonic-gate 
/*
 * Kerberos state shared by main(), doit() and recvauth().
 * bsd_context is created by krb5_init_context() in main(); keytab is
 * filled in by the -S option.
 */
static krb5_context bsd_context;
static krb5_keytab keytab = NULL;
static krb5_ccache ccache = NULL;
static krb5_keyblock *sessionkey = NULL;

/* Option flags recorded by the getopt() loop in main(). */
static int require_encrypt = 0;		/* -e */
static int resolve_hostname = 0;	/* -U */
/* Non-zero once any Kerberos-related option has been seen. */
static int krb5auth_flag = 0;
/* doit() compares this with KCMD_OLD_PROTOCOL when checksums are required. */
static enum kcmd_proto kcmd_protocol;

#ifdef DEBUG
/* -D <port>: when non-zero, main() listens on this port itself. */
static int debug_port = 0;
#endif /* DEBUG */
1480Sstevel@tonic-gate 
1490Sstevel@tonic-gate /*
1500Sstevel@tonic-gate  * There are two authentication related masks:
1510Sstevel@tonic-gate  * auth_ok and auth_sent.
1520Sstevel@tonic-gate  * The auth_ok mask is the or'ing of authentication
1530Sstevel@tonic-gate  * systems any one of which can be used.
1540Sstevel@tonic-gate  * The auth_sent mask is the or'ing of one or more authentication/authorization
1550Sstevel@tonic-gate  * systems that succeeded.  If the and'ing
1560Sstevel@tonic-gate  * of these two masks is true, then authorization is successful.
1570Sstevel@tonic-gate  */
1580Sstevel@tonic-gate 
/* Bit used in auth_ok / auth_sent for Kerberos V5. */
#define	AUTH_KRB5	(0x2)
static int auth_ok = 0;		/* mechanisms enabled by -k / -5 */
static int auth_sent = 0;	/* mechanisms that succeeded in doit() */
static int checksum_required = 0;	/* -c */
static int checksum_ignored = 0;	/* -i, and the default in main() */

/*
 * Room for at most MAXENV environment variables handed over with
 * "-L env_var".  The option exists primarily for compatibility with
 * MIT; main() rejects a fifth -L argument.
 */
#define	MAXENV	4
static char *save_env[MAXENV];
static int num_env = 0;		/* number of save_env[] slots in use */

static void usage(void);
static krb5_error_code recvauth(int netfd, int *valid_checksum);
1760Sstevel@tonic-gate 
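/*
 * Create the process-wide Kerberos context on first use.
 *
 * The -M and -S options hand bsd_context to libkrb5 while the command
 * line is still being parsed, so the context must exist before those
 * calls are made.  The function is idempotent: later calls return
 * without touching an existing context, which keeps a realm set with -M
 * from being discarded.  Logs and exits with status 1 if libkrb5 cannot
 * be initialised.
 */
static void
rshd_krb5_context_init(void)
{
	krb5_error_code status;

	if (bsd_context != NULL)
		return;

	status = krb5_init_context(&bsd_context);
	if (status) {
		syslog(LOG_ERR, "Error initializing krb5: %s",
		    error_message(status));
		exit(1);
	}
}

/*
 * Daemon entry point.
 *
 * Parses the options in ARGSTR, obtains the peer address of the
 * connection (stdin, or a self-accepted socket when built with DEBUG
 * and -D is given), registers the terminal id with the audit subsystem,
 * applies SO_KEEPALIVE, SO_LINGER and the optional IP_TOS socket
 * options, and hands a duplicate of the descriptor to doit().
 *
 * Configuration errors terminate the process with a non-zero exit
 * status before any data is read from the peer.
 */
/*ARGSUSED*/
int
main(int argc, char **argv, char **renvp)
{
	struct linger linger;
	int on = 1, fromlen;
	struct sockaddr_storage from;
	int fd = 0;
	int netfd;

	extern int opterr, optind;
	extern char *optarg;
	int ch;
	int tos = -1;
	krb5_error_code status;

	openlog("rsh", LOG_PID | LOG_ODELAY, LOG_DAEMON);
	(void) audit_rshd_setup();	/* BSM */
	fromlen = sizeof (from);

	(void) setlocale(LC_ALL, "");

	/*
	 * Analyze parameters.
	 */
	opterr = 0;
	while ((ch = getopt(argc, argv, ARGSTR)) != EOF) {
		switch (ch) {
		case '5':
		case 'k':
			auth_ok |= AUTH_KRB5;
			krb5auth_flag++;
			break;

		case 'c':
			checksum_required = 1;
			krb5auth_flag++;
			break;
		case 'i':
			checksum_ignored = 1;
			krb5auth_flag++;
			break;

		case 'e':
			require_encrypt = 1;
			krb5auth_flag++;
			break;
#ifdef DEBUG
		case 'D':
			debug_port = atoi(optarg);
			break;
#endif /* DEBUG */
		case 'U':
			resolve_hostname = 1;
			break;

		case 'M':
			/*
			 * The context must exist before the realm can be
			 * stored in it.  Fail closed: running with a realm
			 * other than the configured one would change which
			 * principals are accepted.
			 */
			rshd_krb5_context_init();
			status = krb5_set_default_realm(bsd_context, optarg);
			if (status) {
				com_err("rsh", status,
				    gettext("while setting default "
				    "realm %s"), optarg);
				exit(2);
			}
			krb5auth_flag++;
			break;

		case 'S':
			/* krb5_kt_resolve() needs a live context as well. */
			rshd_krb5_context_init();
			if ((status = krb5_kt_resolve(bsd_context, optarg,
				&keytab))) {
				com_err("rsh", status,
					gettext("while resolving "
						"srvtab file %s"), optarg);
				exit(2);
			}
			krb5auth_flag++;
			break;

		case 's': {
			char *end = NULL;
			long val = -1;

			if (optarg != NULL) {
				errno = 0;
				val = strtol(optarg, &end, 10);
			}
			if (optarg == NULL || end == optarg || *end != '\0' ||
			    errno == ERANGE || val < 0 || val > 255) {
				syslog(LOG_ERR, "rshd: illegal tos value: "
				    "%s\n", optarg != NULL ? optarg : "(null)");
				/*
				 * Drop the rejected value so it is never
				 * handed to setsockopt() below.
				 */
				tos = -1;
			} else {
				tos = (int)val;
			}
			break;
		}

		case 'L':
			if (num_env < MAXENV) {
				save_env[num_env] = strdup(optarg);
				if (!save_env[num_env++]) {
					com_err("rsh", ENOMEM,
						gettext("in saving env"));
					exit(2);
				}
			} else {
				(void) fprintf(stderr, gettext("rshd: Only %d"
						" -L arguments allowed\n"),
						MAXENV);
				exit(2);
			}
			break;

		case '?':
		default:
			usage();
			exit(1);
			break;
		}
	}

	if (optind == 0) {
		usage();
		exit(1);
	}
	argc -= optind;
	argv += optind;

	/* No-op when -M or -S already created the context. */
	if (krb5auth_flag > 0)
		rshd_krb5_context_init();

	/* Neither -c nor -i given: checksums are ignored by default. */
	if (!checksum_required && !checksum_ignored)
		checksum_ignored = 1;

	if (checksum_required && checksum_ignored) {
		/* "%s" keeps the translated text from acting as a format. */
		syslog(LOG_CRIT, "%s",
		    gettext("Checksums are required and ignored."
		"These options are mutually exclusive"
		"--check the documentation."));
		error("Configuration error: mutually exclusive "
				"options specified.\n");
		exit(1);
	}

#ifdef DEBUG
	if (debug_port) {
		int s;
		struct sockaddr_in sin;

		if ((s = socket(AF_INET, SOCK_STREAM, PF_UNSPEC)) < 0) {
			fprintf(stderr, gettext("Error in socket: %s\n"),
					strerror(errno));
			exit(2);
		}
		(void) memset((char *)&sin, 0, sizeof (sin));
		sin.sin_family = AF_INET;
		sin.sin_port = htons(debug_port);
		sin.sin_addr.s_addr = INADDR_ANY;

		(void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
			(char *)&on, sizeof (on));

		if ((bind(s, (struct sockaddr *)&sin, sizeof (sin))) < 0) {
			(void) fprintf(stderr, gettext("Error in bind: %s\n"),
					strerror(errno));
			exit(2);
		}
		if ((listen(s, 5)) < 0) {
			(void) fprintf(stderr, gettext("Error in listen: %s\n"),
					strerror(errno));
			exit(2);
		}
		if ((fd = accept(s, (struct sockaddr *)&from,
					&fromlen)) < 0) {
			(void) fprintf(stderr, gettext("Error in accept: %s\n"),
					strerror(errno));
			exit(2);
		}
		(void) close(s);
	}
	else
#endif /* DEBUG */
	{
		/* Normal case: the connection is already on stdin. */
		if (getpeername(STDIN_FILENO, (struct sockaddr *)&from,
				(socklen_t *)&fromlen) < 0) {
			(void) fprintf(stderr, "rshd: ");
			perror("getpeername");
			_exit(1);
		}
		fd = STDIN_FILENO;
	}

	if (audit_settid(fd) != 0) {
		perror("settid");
		exit(1);
	}

	if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
	    sizeof (on)) < 0)
		syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
	linger.l_onoff = 1;
	linger.l_linger = 60;			/* XXX */
	if (setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&linger,
	    sizeof (linger)) < 0)
		syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");

	if ((tos != -1) && (setsockopt(fd, IPPROTO_IP, IP_TOS, (char *)&tos,
				sizeof (tos)) < 0) &&
				(errno != ENOPROTOOPT)) {
		/* The %d conversion needs its argument. */
		syslog(LOG_ERR, "setsockopt (IP_TOS %d): %m", tos);
	}

	/* Do not let doit() run on an invalid descriptor. */
	netfd = dup(fd);
	if (netfd < 0) {
		syslog(LOG_ERR, "dup: %m");
		exit(1);
	}

	doit(netfd, &from, renvp);
	return (0);
}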
3780Sstevel@tonic-gate 
/*
 * Names of the locale environment variables that are passed to shells.
 * The list is NULL-terminated.
 */
static char *localeenv[] = {
	"LANG",
	"LC_CTYPE",
	"LC_NUMERIC",
	"LC_TIME",
	"LC_COLLATE",
	"LC_MONETARY",
	"LC_MESSAGES",
	"LC_ALL",
	NULL
};

/*
 * Pieces of the environment variable list used in the call to
 * execle().  envinit is only declared here; it is populated after the
 * call to getpwnam().
 */
static char	*homedir;	/* "HOME=" */
static char	*shell;		/* "SHELL=" */
static char	*username;	/* "USER=" */
static char	*tz;		/* "TZ=" */

/* Prefixes for the four variables above. */
static char	homestr[] = "HOME=";
static char	shellstr[] = "SHELL=";
static char	userstr[] = "USER=";
static char	tzstr[] = "TZ=";

static char	**envinit;
#define	PAM_ENV_ELIM	16	/* allow 16 PAM environment variables */
#define	USERNAME_LEN	16	/* maximum number of characters in user name */

/*
 * Default PATH values; see PSARC opinion 1992/025.
 *
 * NOTE(review): userpath ends in ':'.  An empty PATH element is
 * resolved by shells as the current working directory, so commands run
 * for a non-root user also search the directory they start in.  The
 * value is kept unchanged here; confirm it is still the intended
 * default for remotely requested commands.
 */
static char	userpath[] = "PATH=/usr/bin:";
static char	rootpath[] = "PATH=/usr/sbin:/usr/bin";

/*
 * Fixed-size request buffers.  In the non-Kerberos path doit() fills
 * remuser, locuser and cmdbuf through getstr(), passing sizeof of the
 * destination as the bound; each array has one extra byte beyond its
 * nominal length.
 */
static char cmdbuf[NCARGS+1];
static char hostname [MAXHOSTNAMELEN + 1];
static char locuser[USERNAME_LEN + 1];
static char remuser[USERNAME_LEN + 1];

#define	KRB5_RECVAUTH_V5	5
#define	SIZEOF_INADDR sizeof	(struct in_addr)

#define	MAX_REPOSITORY_LEN	255
static char repository[MAX_REPOSITORY_LEN];

/* Kerberos client identity; doit() passes client to krb5_kuserok(). */
static char *kremuser;
static krb5_principal client = NULL;

static char	remote_addr[64];
static char	local_addr[64];

#define	_PATH_DEFAULT_LOGIN "/etc/default/login"
4308126SJoep.Vesseur@Sun.COM 
4310Sstevel@tonic-gate static void
doit(int f,struct sockaddr_storage * fromp,char ** renvp)4320Sstevel@tonic-gate doit(int f, struct sockaddr_storage *fromp, char **renvp)
4330Sstevel@tonic-gate {
4340Sstevel@tonic-gate 	char *cp;
4350Sstevel@tonic-gate 
4360Sstevel@tonic-gate 	struct passwd *pwd;
4370Sstevel@tonic-gate 	char *path;
4380Sstevel@tonic-gate 	char *tzenv;
4390Sstevel@tonic-gate 	struct spwd *shpwd;
4400Sstevel@tonic-gate 	struct stat statb;
4410Sstevel@tonic-gate 	char **lenvp;
4420Sstevel@tonic-gate 
4430Sstevel@tonic-gate 	krb5_error_code status;
4440Sstevel@tonic-gate 	int valid_checksum;
4450Sstevel@tonic-gate 	int cnt;
4460Sstevel@tonic-gate 	int sin_len;
4470Sstevel@tonic-gate 	struct sockaddr_in localaddr;
4480Sstevel@tonic-gate 
4490Sstevel@tonic-gate 	int s;
4500Sstevel@tonic-gate 	in_port_t port;
4510Sstevel@tonic-gate 	pid_t pid;
4520Sstevel@tonic-gate 	int pv[2], pw[2], px[2], cc;
4530Sstevel@tonic-gate 	char buf[RSHD_BUFSIZ];
4540Sstevel@tonic-gate 	char sig;
4550Sstevel@tonic-gate 	int one = 1;
4560Sstevel@tonic-gate 	int v = 0;
4570Sstevel@tonic-gate 	int err = 0;
4580Sstevel@tonic-gate 	int idx = 0;
4590Sstevel@tonic-gate 	char **pam_env;
4600Sstevel@tonic-gate 	char abuf[INET6_ADDRSTRLEN];
4610Sstevel@tonic-gate 	struct sockaddr_in *sin;
4620Sstevel@tonic-gate 	struct sockaddr_in6 *sin6;
4630Sstevel@tonic-gate 	int fromplen;
4640Sstevel@tonic-gate 	int homedir_len, shell_len, username_len, tz_len;
4650Sstevel@tonic-gate 	int no_name;
4663011Sjbeck 	boolean_t bad_port;
4670Sstevel@tonic-gate 	int netf = 0;
4680Sstevel@tonic-gate 
4690Sstevel@tonic-gate 	(void) signal(SIGINT, SIG_DFL);
4700Sstevel@tonic-gate 	(void) signal(SIGQUIT, SIG_DFL);
4710Sstevel@tonic-gate 	(void) signal(SIGTERM, SIG_DFL);
4720Sstevel@tonic-gate 	(void) signal(SIGXCPU, SIG_DFL);
4730Sstevel@tonic-gate 	(void) signal(SIGXFSZ, SIG_DFL);
4740Sstevel@tonic-gate 	(void) sigset(SIGCHLD, SIG_IGN);
4750Sstevel@tonic-gate 	(void) signal(SIGPIPE, SIG_DFL);
4760Sstevel@tonic-gate 	(void) signal(SIGHUP, SIG_DFL);
4770Sstevel@tonic-gate 
4780Sstevel@tonic-gate #ifdef DEBUG
479*11415SSurya.Prakki@Sun.COM 	{
480*11415SSurya.Prakki@Sun.COM 	    int t = open("/dev/tty", 2);
481*11415SSurya.Prakki@Sun.COM 
4820Sstevel@tonic-gate 	    if (t >= 0) {
4830Sstevel@tonic-gate 		(void) setsid();
4840Sstevel@tonic-gate 		(void) close(t);
4850Sstevel@tonic-gate 	    }
4860Sstevel@tonic-gate 	}
4870Sstevel@tonic-gate #endif
4880Sstevel@tonic-gate 	if (fromp->ss_family == AF_INET) {
4890Sstevel@tonic-gate 		sin = (struct sockaddr_in *)fromp;
4900Sstevel@tonic-gate 		port = ntohs((ushort_t)sin->sin_port);
4910Sstevel@tonic-gate 		fromplen = sizeof (struct sockaddr_in);
4920Sstevel@tonic-gate 	} else if (fromp->ss_family == AF_INET6) {
4930Sstevel@tonic-gate 		sin6 = (struct sockaddr_in6 *)fromp;
4940Sstevel@tonic-gate 		port = ntohs((ushort_t)sin6->sin6_port);
4950Sstevel@tonic-gate 		fromplen = sizeof (struct sockaddr_in6);
4960Sstevel@tonic-gate 	} else {
4970Sstevel@tonic-gate 		syslog(LOG_ERR, "wrong address family\n");
4980Sstevel@tonic-gate 		exit(1);
4990Sstevel@tonic-gate 	}
5000Sstevel@tonic-gate 
5013011Sjbeck 	if (fromp->ss_family == AF_INET6) {
5023011Sjbeck 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
5033011Sjbeck 			struct in_addr ipv4_addr;
5043011Sjbeck 
5053011Sjbeck 			IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, &ipv4_addr);
5063011Sjbeck 			(void) inet_ntop(AF_INET, &ipv4_addr, abuf,
5073011Sjbeck 			    sizeof (abuf));
5083011Sjbeck 		} else {
5093011Sjbeck 			(void) inet_ntop(AF_INET6, &sin6->sin6_addr, abuf,
5103011Sjbeck 			    sizeof (abuf));
5113011Sjbeck 		}
5123011Sjbeck 	} else if (fromp->ss_family == AF_INET) {
5133011Sjbeck 		(void) inet_ntop(AF_INET, &sin->sin_addr, abuf, sizeof (abuf));
5143011Sjbeck 	}
5153011Sjbeck 
5160Sstevel@tonic-gate 	sin_len = sizeof (struct sockaddr_in);
5173011Sjbeck 	if (getsockname(f, (struct sockaddr *)&localaddr, &sin_len) < 0) {
5180Sstevel@tonic-gate 		perror("getsockname");
5190Sstevel@tonic-gate 		exit(1);
5200Sstevel@tonic-gate 	}
5210Sstevel@tonic-gate 
5220Sstevel@tonic-gate 	netf = f;
5230Sstevel@tonic-gate 
5240Sstevel@tonic-gate 	bad_port = (port >= IPPORT_RESERVED ||
5250Sstevel@tonic-gate 		port < (uint_t)(IPPORT_RESERVED/2));
5260Sstevel@tonic-gate 
5273011Sjbeck 	/* Get the name of the client side host to use later */
5280Sstevel@tonic-gate 	no_name = (getnameinfo((const struct sockaddr *) fromp, fromplen,
5290Sstevel@tonic-gate 		hostname, sizeof (hostname), NULL, 0, 0) != 0);
5300Sstevel@tonic-gate 
5313011Sjbeck 	if (bad_port || no_name != 0) {
5323011Sjbeck 		/*
5333011Sjbeck 		 * If there is no host name available then use the
5343011Sjbeck 		 * IP address to identify the host in the PAM call
5353011Sjbeck 		 * below.  Do the same if a bad port was used, to
5363011Sjbeck 		 * prevent untrustworthy authentication.
5373011Sjbeck 		 */
5383011Sjbeck 		(void) strlcpy(hostname, abuf, sizeof (hostname));
5393011Sjbeck 	}
5403011Sjbeck 
5413011Sjbeck 	if (no_name != 0) {
5423011Sjbeck 		/*
5433011Sjbeck 		 * If the '-U' option was given on the cmd line,
5443011Sjbeck 		 * we must be able to lookup the hostname
5453011Sjbeck 		 */
5463011Sjbeck 		if (resolve_hostname) {
5473011Sjbeck 			syslog(LOG_ERR, "rshd: Couldn't resolve your "
5483011Sjbeck 			    "address into a host name.\r\n Please "
5493011Sjbeck 			    "contact your net administrator");
5503011Sjbeck 			exit(1);
5510Sstevel@tonic-gate 		}
5523011Sjbeck 	} else {
5533011Sjbeck 		/*
5543011Sjbeck 		 * Even if getnameinfo() succeeded, we still have to check
5553011Sjbeck 		 * for spoofing.
5563011Sjbeck 		 */
5573011Sjbeck 		check_address("rshd", fromp, sin, sin6, abuf, hostname,
5583011Sjbeck 		    sizeof (hostname));
5590Sstevel@tonic-gate 	}
5600Sstevel@tonic-gate 
5610Sstevel@tonic-gate 	if (!krb5auth_flag && bad_port) {
5620Sstevel@tonic-gate 		if (no_name)
5630Sstevel@tonic-gate 			syslog(LOG_NOTICE, "connection from %s - "
5640Sstevel@tonic-gate 			    "bad port\n", abuf);
5650Sstevel@tonic-gate 		else
5660Sstevel@tonic-gate 			syslog(LOG_NOTICE, "connection from %s (%s) - "
5670Sstevel@tonic-gate 			    "bad port\n", hostname, abuf);
5680Sstevel@tonic-gate 		exit(1);
5690Sstevel@tonic-gate 	}
5700Sstevel@tonic-gate 
5710Sstevel@tonic-gate 	(void) alarm(60);
5720Sstevel@tonic-gate 	port = 0;
5730Sstevel@tonic-gate 	for (;;) {
5740Sstevel@tonic-gate 		char c;
5750Sstevel@tonic-gate 		if ((cc = read(f, &c, 1)) != 1) {
5760Sstevel@tonic-gate 			if (cc < 0)
5770Sstevel@tonic-gate 				syslog(LOG_NOTICE, "read: %m");
5780Sstevel@tonic-gate 			(void) shutdown(f, 1+1);
5790Sstevel@tonic-gate 			exit(1);
5800Sstevel@tonic-gate 		}
5810Sstevel@tonic-gate 		if (c == 0)
5820Sstevel@tonic-gate 			break;
5830Sstevel@tonic-gate 		port = port * 10 + c - '0';
5840Sstevel@tonic-gate 	}
5850Sstevel@tonic-gate 	(void) alarm(0);
5860Sstevel@tonic-gate 	if (port != 0) {
5870Sstevel@tonic-gate 		int lport = 0;
5880Sstevel@tonic-gate 		struct sockaddr_storage ctl_addr;
5890Sstevel@tonic-gate 		int addrlen;
5900Sstevel@tonic-gate 
5910Sstevel@tonic-gate 		(void) memset(&ctl_addr, 0, sizeof (ctl_addr));
5920Sstevel@tonic-gate 		addrlen = sizeof (ctl_addr);
5930Sstevel@tonic-gate 		if (getsockname(f, (struct sockaddr *)&ctl_addr,
5940Sstevel@tonic-gate 			&addrlen) < 0) {
5950Sstevel@tonic-gate 			syslog(LOG_ERR, "getsockname: %m");
5960Sstevel@tonic-gate 			exit(1);
5970Sstevel@tonic-gate 		}
5980Sstevel@tonic-gate get_port:
5990Sstevel@tonic-gate 		/*
6000Sstevel@tonic-gate 		 * 0 means that rresvport_addr() will bind to a port in
6010Sstevel@tonic-gate 		 * the anonymous priviledged port range.
6020Sstevel@tonic-gate 		 */
6030Sstevel@tonic-gate 		if (krb5auth_flag) {
6040Sstevel@tonic-gate 			/*
6050Sstevel@tonic-gate 			 * Kerberos does not support IPv6 yet.
6060Sstevel@tonic-gate 			 */
6070Sstevel@tonic-gate 			lport = IPPORT_RESERVED - 1;
6080Sstevel@tonic-gate 		}
6090Sstevel@tonic-gate 		s = rresvport_addr(&lport, &ctl_addr);
6100Sstevel@tonic-gate 
6110Sstevel@tonic-gate 		if (s < 0) {
6120Sstevel@tonic-gate 			syslog(LOG_ERR, "can't get stderr port: %m");
6130Sstevel@tonic-gate 			exit(1);
6140Sstevel@tonic-gate 		}
6150Sstevel@tonic-gate 		if (!krb5auth_flag && (port >= IPPORT_RESERVED)) {
6160Sstevel@tonic-gate 			syslog(LOG_ERR, "2nd port not reserved\n");
6170Sstevel@tonic-gate 			exit(1);
6180Sstevel@tonic-gate 		}
6190Sstevel@tonic-gate 		if (fromp->ss_family == AF_INET) {
6200Sstevel@tonic-gate 			sin->sin_port = htons((ushort_t)port);
6210Sstevel@tonic-gate 		} else if (fromp->ss_family == AF_INET6) {
6220Sstevel@tonic-gate 			sin6->sin6_port = htons((ushort_t)port);
6230Sstevel@tonic-gate 		}
6240Sstevel@tonic-gate 		if (connect(s, (struct sockaddr *)fromp, fromplen) < 0) {
6250Sstevel@tonic-gate 			if (errno == EADDRINUSE) {
6260Sstevel@tonic-gate 				(void) close(s);
6270Sstevel@tonic-gate 				goto get_port;
6280Sstevel@tonic-gate 			}
6290Sstevel@tonic-gate 			syslog(LOG_INFO, "connect second port: %m");
6300Sstevel@tonic-gate 			exit(1);
6310Sstevel@tonic-gate 		}
6320Sstevel@tonic-gate 	}
6330Sstevel@tonic-gate 	(void) dup2(f, 0);
6340Sstevel@tonic-gate 	(void) dup2(f, 1);
6350Sstevel@tonic-gate 	(void) dup2(f, 2);
6360Sstevel@tonic-gate 
6370Sstevel@tonic-gate #ifdef DEBUG
6380Sstevel@tonic-gate 	syslog(LOG_NOTICE, "rshd: Client hostname = %s", hostname);
6390Sstevel@tonic-gate 	if (debug_port)
6400Sstevel@tonic-gate 		syslog(LOG_NOTICE, "rshd: Debug port is %d", debug_port);
6410Sstevel@tonic-gate 	if (krb5auth_flag > 0)
6420Sstevel@tonic-gate 		syslog(LOG_NOTICE, "rshd: Kerberos mode is ON");
6430Sstevel@tonic-gate 	else
6440Sstevel@tonic-gate 		syslog(LOG_NOTICE, "rshd: Kerberos mode is OFF");
6450Sstevel@tonic-gate #endif /* DEBUG */
6460Sstevel@tonic-gate 
6470Sstevel@tonic-gate 	if (krb5auth_flag > 0) {
6480Sstevel@tonic-gate 		if ((status = recvauth(f, &valid_checksum))) {
6490Sstevel@tonic-gate 			syslog(LOG_ERR, gettext("Kerberos Authentication "
6500Sstevel@tonic-gate 					"failed \n"));
6510Sstevel@tonic-gate 			error("Authentication failed: %s\n",
6520Sstevel@tonic-gate 					error_message(status));
6530Sstevel@tonic-gate 			(void) audit_rshd_fail("Kerberos Authentication "
6540Sstevel@tonic-gate 				"failed", hostname, remuser, locuser, cmdbuf);
6550Sstevel@tonic-gate 			exit(1);
6560Sstevel@tonic-gate 		}
6570Sstevel@tonic-gate 
6580Sstevel@tonic-gate 		if (checksum_required && !valid_checksum &&
6590Sstevel@tonic-gate 			kcmd_protocol == KCMD_OLD_PROTOCOL) {
6600Sstevel@tonic-gate 			syslog(LOG_WARNING, "Client did not supply required"
6610Sstevel@tonic-gate 					" checksum--connection rejected.");
6620Sstevel@tonic-gate 			error("Client did not supply required"
6630Sstevel@tonic-gate 				"checksum--connection rejected.\n");
6640Sstevel@tonic-gate 			(void) audit_rshd_fail("Client did not supply required"
6650Sstevel@tonic-gate 				" checksum--connection rejected.", hostname,
6660Sstevel@tonic-gate 				remuser, locuser, cmdbuf);	/* BSM */
6670Sstevel@tonic-gate 			goto signout;
6680Sstevel@tonic-gate 		}
6690Sstevel@tonic-gate 
6700Sstevel@tonic-gate 		/*
6710Sstevel@tonic-gate 		 * Authentication has succeeded, we now need
6720Sstevel@tonic-gate 		 * to check authorization.
6730Sstevel@tonic-gate 		 *
6740Sstevel@tonic-gate 		 * krb5_kuserok returns 1 if OK.
6750Sstevel@tonic-gate 		 */
6760Sstevel@tonic-gate 		if (client && krb5_kuserok(bsd_context, client, locuser)) {
6770Sstevel@tonic-gate 			auth_sent |= AUTH_KRB5;
6780Sstevel@tonic-gate 		} else {
6790Sstevel@tonic-gate 			syslog(LOG_ERR, "Principal %s (%s@%s) for local user "
6800Sstevel@tonic-gate 				"%s failed krb5_kuserok.\n",
6810Sstevel@tonic-gate 				kremuser, remuser, hostname, locuser);
6820Sstevel@tonic-gate 		}
6830Sstevel@tonic-gate 	} else {
6840Sstevel@tonic-gate 		getstr(netf, remuser, sizeof (remuser), "remuser");
6850Sstevel@tonic-gate 		getstr(netf, locuser, sizeof (locuser), "locuser");
6860Sstevel@tonic-gate 		getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
6870Sstevel@tonic-gate 	}
6880Sstevel@tonic-gate 
6890Sstevel@tonic-gate #ifdef DEBUG
6900Sstevel@tonic-gate 	syslog(LOG_NOTICE, "rshd: locuser = %s, remuser = %s, cmdbuf = %s",
6910Sstevel@tonic-gate 			locuser, remuser, cmdbuf);
6920Sstevel@tonic-gate #endif /* DEBUG */
6930Sstevel@tonic-gate 
6940Sstevel@tonic-gate 	/*
6950Sstevel@tonic-gate 	 * Note that there is no rsh conv functions at present.
6960Sstevel@tonic-gate 	 */
6970Sstevel@tonic-gate 	if (krb5auth_flag > 0) {
6980Sstevel@tonic-gate 		if ((err = pam_start("krsh", locuser, NULL, &pamh))
6990Sstevel@tonic-gate 				!= PAM_SUCCESS) {
7000Sstevel@tonic-gate 			syslog(LOG_ERR, "pam_start() failed: %s\n",
7010Sstevel@tonic-gate 				pam_strerror(0, err));
7020Sstevel@tonic-gate 			exit(1);
7030Sstevel@tonic-gate 		}
7040Sstevel@tonic-gate 	}
7050Sstevel@tonic-gate 	else
7060Sstevel@tonic-gate 	{
7070Sstevel@tonic-gate 		if ((err = pam_start("rsh", locuser, NULL, &pamh))
7080Sstevel@tonic-gate 				!= PAM_SUCCESS) {
7090Sstevel@tonic-gate 			syslog(LOG_ERR, "pam_start() failed: %s\n",
7100Sstevel@tonic-gate 				pam_strerror(0, err));
7110Sstevel@tonic-gate 			exit(1);
7120Sstevel@tonic-gate 		}
7130Sstevel@tonic-gate 	}
7140Sstevel@tonic-gate 	if ((err = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
7150Sstevel@tonic-gate 		syslog(LOG_ERR, "pam_set_item() failed: %s\n",
7160Sstevel@tonic-gate 			pam_strerror(pamh, err));
7170Sstevel@tonic-gate 		exit(1);
7180Sstevel@tonic-gate 	}
7190Sstevel@tonic-gate 	if ((err = pam_set_item(pamh, PAM_RUSER, remuser)) != PAM_SUCCESS) {
7200Sstevel@tonic-gate 		syslog(LOG_ERR, "pam_set_item() failed: %s\n",
7210Sstevel@tonic-gate 			pam_strerror(pamh, err));
7220Sstevel@tonic-gate 		exit(1);
7230Sstevel@tonic-gate 	}
7240Sstevel@tonic-gate 
7250Sstevel@tonic-gate 	pwd = getpwnam(locuser);
7260Sstevel@tonic-gate 	shpwd = getspnam(locuser);
7270Sstevel@tonic-gate 	if ((pwd == NULL) || (shpwd == NULL)) {
7280Sstevel@tonic-gate 		if (krb5auth_flag > 0)
7290Sstevel@tonic-gate 			syslog(LOG_ERR, "Principal %s (%s@%s) for local user "
7300Sstevel@tonic-gate 				"%s has no account.\n", kremuser, remuser,
7310Sstevel@tonic-gate 							hostname, locuser);
7320Sstevel@tonic-gate 		error("permission denied.\n");
7330Sstevel@tonic-gate 		(void) audit_rshd_fail("Login incorrect", hostname,
7340Sstevel@tonic-gate 			remuser, locuser, cmdbuf);	/* BSM */
7350Sstevel@tonic-gate 		exit(1);
7360Sstevel@tonic-gate 	}
7370Sstevel@tonic-gate 
7380Sstevel@tonic-gate 	if (krb5auth_flag > 0) {
7390Sstevel@tonic-gate 		(void) snprintf(repository, sizeof (repository),
7400Sstevel@tonic-gate 					KRB5_REPOSITORY_NAME);
7410Sstevel@tonic-gate 		/*
7420Sstevel@tonic-gate 		 * We currently only support special handling of the
7430Sstevel@tonic-gate 		 * KRB5 PAM repository
7440Sstevel@tonic-gate 		 */
7450Sstevel@tonic-gate 		if (strlen(locuser) != 0) {
7460Sstevel@tonic-gate 			krb5_repository_data_t krb5_data;
7470Sstevel@tonic-gate 			pam_repository_t pam_rep_data;
7480Sstevel@tonic-gate 
7490Sstevel@tonic-gate 			krb5_data.principal = locuser;
7500Sstevel@tonic-gate 			krb5_data.flags = SUNW_PAM_KRB5_ALREADY_AUTHENTICATED;
7510Sstevel@tonic-gate 
7520Sstevel@tonic-gate 			pam_rep_data.type = repository;
7530Sstevel@tonic-gate 			pam_rep_data.scope = (void *)&krb5_data;
7540Sstevel@tonic-gate 			pam_rep_data.scope_len = sizeof (krb5_data);
7550Sstevel@tonic-gate 
7560Sstevel@tonic-gate 			(void) pam_set_item(pamh, PAM_REPOSITORY,
7570Sstevel@tonic-gate 					(void *)&pam_rep_data);
7580Sstevel@tonic-gate 		}
7590Sstevel@tonic-gate 	}
7600Sstevel@tonic-gate 
7618126SJoep.Vesseur@Sun.COM 	if (shpwd->sp_pwdp != 0) {
7628126SJoep.Vesseur@Sun.COM 		if (*shpwd->sp_pwdp != '\0') {
7638126SJoep.Vesseur@Sun.COM 			if ((v = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
7648126SJoep.Vesseur@Sun.COM 				error("permission denied\n");
7658126SJoep.Vesseur@Sun.COM 				(void) audit_rshd_fail("Permission denied",
7668126SJoep.Vesseur@Sun.COM 				    hostname, remuser, locuser, cmdbuf);
7678126SJoep.Vesseur@Sun.COM 				(void) pam_end(pamh, v);
7688126SJoep.Vesseur@Sun.COM 				exit(1);
7698126SJoep.Vesseur@Sun.COM 			}
7708126SJoep.Vesseur@Sun.COM 		} else {
7718126SJoep.Vesseur@Sun.COM 			int flags;
7728126SJoep.Vesseur@Sun.COM 			char *p;
7738126SJoep.Vesseur@Sun.COM 			/*
7748126SJoep.Vesseur@Sun.COM 			 * maintain 2.1 and 4.* and BSD semantics with
7758126SJoep.Vesseur@Sun.COM 			 * anonymous rshd unless PASSREQ is set to YES in
7768126SJoep.Vesseur@Sun.COM 			 * /etc/default/login: then we deny logins with empty
7778126SJoep.Vesseur@Sun.COM 			 * passwords.
7788126SJoep.Vesseur@Sun.COM 			 */
7798126SJoep.Vesseur@Sun.COM 			if (defopen(_PATH_DEFAULT_LOGIN) == 0) {
7808126SJoep.Vesseur@Sun.COM 				flags = defcntl(DC_GETFLAGS, 0);
7818126SJoep.Vesseur@Sun.COM 				TURNOFF(flags, DC_CASE);
7828126SJoep.Vesseur@Sun.COM 				(void) defcntl(DC_SETFLAGS, flags);
7838126SJoep.Vesseur@Sun.COM 
7848126SJoep.Vesseur@Sun.COM 				if ((p = defread("PASSREQ=")) != NULL &&
7858126SJoep.Vesseur@Sun.COM 				    strcasecmp(p, "YES") == 0) {
7868126SJoep.Vesseur@Sun.COM 					error("permission denied\n");
7878126SJoep.Vesseur@Sun.COM 					(void) audit_rshd_fail(
7888126SJoep.Vesseur@Sun.COM 					    "Permission denied", hostname,
7898126SJoep.Vesseur@Sun.COM 					    remuser, locuser, cmdbuf);
7908126SJoep.Vesseur@Sun.COM 					(void) pam_end(pamh, PAM_ABORT);
7918126SJoep.Vesseur@Sun.COM 					(void) defopen(NULL);
7928126SJoep.Vesseur@Sun.COM 					syslog(LOG_AUTH|LOG_NOTICE,
7938126SJoep.Vesseur@Sun.COM 					    "empty password not allowed for "
7948126SJoep.Vesseur@Sun.COM 					    "%s from %s.", locuser, hostname);
7958126SJoep.Vesseur@Sun.COM 					exit(1);
7968126SJoep.Vesseur@Sun.COM 				}
7978126SJoep.Vesseur@Sun.COM 				(void) defopen(NULL);
7988126SJoep.Vesseur@Sun.COM 			}
7998126SJoep.Vesseur@Sun.COM 			/*
8008126SJoep.Vesseur@Sun.COM 			 * /etc/default/login not found or PASSREQ not set
8018126SJoep.Vesseur@Sun.COM 			 * to YES. Allow logins without passwords.
8028126SJoep.Vesseur@Sun.COM 			 */
8038126SJoep.Vesseur@Sun.COM 		}
8040Sstevel@tonic-gate 	}
8050Sstevel@tonic-gate 
8060Sstevel@tonic-gate 	if (krb5auth_flag > 0) {
8070Sstevel@tonic-gate 		if (require_encrypt && (!do_encrypt)) {
8080Sstevel@tonic-gate 			error("You must use encryption.\n");
8090Sstevel@tonic-gate 			(void) audit_rshd_fail("You must use encryption.",
8100Sstevel@tonic-gate 				hostname, remuser, locuser, cmdbuf); /* BSM */
8110Sstevel@tonic-gate 			goto signout;
8120Sstevel@tonic-gate 		}
8130Sstevel@tonic-gate 
8140Sstevel@tonic-gate 		if (!(auth_ok & auth_sent)) {
8150Sstevel@tonic-gate 			if (auth_sent) {
8160Sstevel@tonic-gate 				error("Another authentication mechanism "
8170Sstevel@tonic-gate 				    "must be used to access this host.\n");
8180Sstevel@tonic-gate 				(void) audit_rshd_fail("Another authentication"
8190Sstevel@tonic-gate 					" mechanism must be used to access"
8200Sstevel@tonic-gate 					" this host.\n", hostname, remuser,
8210Sstevel@tonic-gate 					locuser, cmdbuf); /* BSM */
8220Sstevel@tonic-gate 				goto signout;
8230Sstevel@tonic-gate 			} else {
8240Sstevel@tonic-gate 				error("Permission denied.\n");
8250Sstevel@tonic-gate 				(void) audit_rshd_fail("Permission denied.",
8260Sstevel@tonic-gate 					hostname, remuser, locuser, cmdbuf);
8270Sstevel@tonic-gate 					/* BSM */
8280Sstevel@tonic-gate 				goto signout;
8290Sstevel@tonic-gate 			}
8300Sstevel@tonic-gate 		}
8310Sstevel@tonic-gate 
8320Sstevel@tonic-gate 
8330Sstevel@tonic-gate 		if (pwd->pw_uid && !access("/etc/nologin", F_OK)) {
8340Sstevel@tonic-gate 			error("Logins currently disabled.\n");
8350Sstevel@tonic-gate 			(void) audit_rshd_fail("Logins currently disabled.",
8360Sstevel@tonic-gate 				hostname, remuser, locuser, cmdbuf);
8370Sstevel@tonic-gate 			goto signout;
8380Sstevel@tonic-gate 		}
8390Sstevel@tonic-gate 
8400Sstevel@tonic-gate 		/* Log access to account */
8410Sstevel@tonic-gate 		if (pwd && (pwd->pw_uid == 0)) {
8420Sstevel@tonic-gate 			syslog(LOG_NOTICE, "Executing %s for user %s (%s@%s)"
8430Sstevel@tonic-gate 			    " as ROOT", cmdbuf,
8440Sstevel@tonic-gate 			    kremuser, remuser, hostname);
8450Sstevel@tonic-gate 		}
8460Sstevel@tonic-gate 	}
8470Sstevel@tonic-gate 
8480Sstevel@tonic-gate 	if ((v = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
8490Sstevel@tonic-gate 		switch (v) {
8500Sstevel@tonic-gate 		case PAM_NEW_AUTHTOK_REQD:
8510Sstevel@tonic-gate 			error("password expired\n");
8520Sstevel@tonic-gate 			(void) audit_rshd_fail("Password expired", hostname,
8530Sstevel@tonic-gate 				remuser, locuser, cmdbuf); /* BSM */
8540Sstevel@tonic-gate 			break;
8550Sstevel@tonic-gate 		case PAM_PERM_DENIED:
8560Sstevel@tonic-gate 			error("account expired\n");
8570Sstevel@tonic-gate 			(void) audit_rshd_fail("Account expired", hostname,
8580Sstevel@tonic-gate 				remuser, locuser, cmdbuf); /* BSM */
8590Sstevel@tonic-gate 			break;
8600Sstevel@tonic-gate 		case PAM_AUTHTOK_EXPIRED:
8610Sstevel@tonic-gate 			error("password expired\n");
8620Sstevel@tonic-gate 			(void) audit_rshd_fail("Password expired", hostname,
8630Sstevel@tonic-gate 				remuser, locuser, cmdbuf); /* BSM */
8640Sstevel@tonic-gate 			break;
8650Sstevel@tonic-gate 		default:
8660Sstevel@tonic-gate 			error("login incorrect\n");
8670Sstevel@tonic-gate 			(void) audit_rshd_fail("Permission denied", hostname,
8680Sstevel@tonic-gate 				remuser, locuser, cmdbuf); /* BSM */
8690Sstevel@tonic-gate 			break;
8700Sstevel@tonic-gate 		}
8710Sstevel@tonic-gate 		(void) pam_end(pamh, PAM_ABORT);
8720Sstevel@tonic-gate 		exit(1);
8730Sstevel@tonic-gate 	}
8740Sstevel@tonic-gate 
8750Sstevel@tonic-gate 	if (chdir(pwd->pw_dir) < 0) {
8760Sstevel@tonic-gate 		(void) chdir("/");
8770Sstevel@tonic-gate #ifdef notdef
8780Sstevel@tonic-gate 		error("No remote directory.\n");
8790Sstevel@tonic-gate 
8800Sstevel@tonic-gate 		exit(1);
8810Sstevel@tonic-gate #endif
8820Sstevel@tonic-gate 	}
8830Sstevel@tonic-gate 
8840Sstevel@tonic-gate 	/*
8850Sstevel@tonic-gate 	 * XXX There is no session management currently being done
8860Sstevel@tonic-gate 	 */
8870Sstevel@tonic-gate 
8880Sstevel@tonic-gate 	(void) write(STDERR_FILENO, "\0", 1);
8890Sstevel@tonic-gate 	if (port || do_encrypt) {
8900Sstevel@tonic-gate 		if ((pipe(pv) < 0)) {
8910Sstevel@tonic-gate 			error("Can't make pipe.\n");
8920Sstevel@tonic-gate 			(void) pam_end(pamh, PAM_ABORT);
8930Sstevel@tonic-gate 			exit(1);
8940Sstevel@tonic-gate 		}
8950Sstevel@tonic-gate 		if (do_encrypt) {
8960Sstevel@tonic-gate 			if (pipe(pw) < 0) {
8970Sstevel@tonic-gate 				error("Can't make pipe 2.\n");
8980Sstevel@tonic-gate 				(void) pam_end(pamh, PAM_ABORT);
8990Sstevel@tonic-gate 				exit(1);
9000Sstevel@tonic-gate 			}
9010Sstevel@tonic-gate 			if (pipe(px) < 0) {
9020Sstevel@tonic-gate 				error("Can't make pipe 3.\n");
9030Sstevel@tonic-gate 				(void) pam_end(pamh, PAM_ABORT);
9040Sstevel@tonic-gate 				exit(1);
9050Sstevel@tonic-gate 			}
9060Sstevel@tonic-gate 		}
9070Sstevel@tonic-gate 		pid = fork();
9080Sstevel@tonic-gate 		if (pid == (pid_t)-1)  {
9090Sstevel@tonic-gate 			error("Fork (to start shell) failed on server.  "
9100Sstevel@tonic-gate 				"Please try again later.\n");
9110Sstevel@tonic-gate 			(void) pam_end(pamh, PAM_ABORT);
9120Sstevel@tonic-gate 			exit(1);
9130Sstevel@tonic-gate 		}
9140Sstevel@tonic-gate 		if (pid) {
9150Sstevel@tonic-gate 			fd_set ready;
9160Sstevel@tonic-gate 			fd_set readfrom;
9170Sstevel@tonic-gate 
9180Sstevel@tonic-gate 			(void) close(STDIN_FILENO);
9190Sstevel@tonic-gate 			(void) close(STDOUT_FILENO);
9200Sstevel@tonic-gate 			(void) close(STDERR_FILENO);
9210Sstevel@tonic-gate 			(void) close(pv[1]);
9220Sstevel@tonic-gate 			if (do_encrypt) {
9230Sstevel@tonic-gate 				(void) close(pw[1]);
9240Sstevel@tonic-gate 				(void) close(px[0]);
9250Sstevel@tonic-gate 			} else {
9260Sstevel@tonic-gate 				(void) close(f);
9270Sstevel@tonic-gate 			}
9280Sstevel@tonic-gate 
9290Sstevel@tonic-gate 			(void) FD_ZERO(&readfrom);
9300Sstevel@tonic-gate 
9310Sstevel@tonic-gate 			FD_SET(pv[0], &readfrom);
9320Sstevel@tonic-gate 			if (do_encrypt) {
9330Sstevel@tonic-gate 				FD_SET(pw[0], &readfrom);
9340Sstevel@tonic-gate 				FD_SET(f, &readfrom);
9350Sstevel@tonic-gate 			}
9360Sstevel@tonic-gate 			if (port)
9370Sstevel@tonic-gate 				FD_SET(s, &readfrom);
9380Sstevel@tonic-gate 
9390Sstevel@tonic-gate 			/* read f (net), write to px[1] (child stdin) */
9400Sstevel@tonic-gate 			/* read pw[0] (child stdout), write to f (net) */
9410Sstevel@tonic-gate 			/* read s (alt. channel), signal child */
9420Sstevel@tonic-gate 			/* read pv[0] (child stderr), write to s */
9430Sstevel@tonic-gate 			if (ioctl(pv[0], FIONBIO, (char *)&one) == -1)
9440Sstevel@tonic-gate 				syslog(LOG_INFO, "ioctl FIONBIO: %m");
9450Sstevel@tonic-gate 			if (do_encrypt &&
9460Sstevel@tonic-gate 				ioctl(pw[0], FIONBIO, (char *)&one) == -1)
9470Sstevel@tonic-gate 				syslog(LOG_INFO, "ioctl FIONBIO: %m");
9480Sstevel@tonic-gate 			do {
9490Sstevel@tonic-gate 				ready = readfrom;
9500Sstevel@tonic-gate 				if (select(FD_SETSIZE, &ready, NULL,
9510Sstevel@tonic-gate 					NULL, NULL) < 0) {
9520Sstevel@tonic-gate 					if (errno == EINTR) {
9530Sstevel@tonic-gate 						continue;
9540Sstevel@tonic-gate 					} else {
9550Sstevel@tonic-gate 						break;
9560Sstevel@tonic-gate 					}
9570Sstevel@tonic-gate 				}
9580Sstevel@tonic-gate 				/*
9590Sstevel@tonic-gate 				 * Read from child stderr, write to net
9600Sstevel@tonic-gate 				 */
9610Sstevel@tonic-gate 				if (port && FD_ISSET(pv[0], &ready)) {
9620Sstevel@tonic-gate 					errno = 0;
9630Sstevel@tonic-gate 					cc = read(pv[0], buf, sizeof (buf));
9640Sstevel@tonic-gate 					if (cc <= 0) {
9650Sstevel@tonic-gate 						(void) shutdown(s, 2);
9660Sstevel@tonic-gate 						FD_CLR(pv[0], &readfrom);
9670Sstevel@tonic-gate 					} else {
9680Sstevel@tonic-gate 						(void) deswrite(s, buf, cc, 1);
9690Sstevel@tonic-gate 					}
9700Sstevel@tonic-gate 				}
9710Sstevel@tonic-gate 				/*
9720Sstevel@tonic-gate 				 * Read from alternate channel, signal child
9730Sstevel@tonic-gate 				 */
9740Sstevel@tonic-gate 				if (port && FD_ISSET(s, &ready)) {
9750Sstevel@tonic-gate 					if ((int)desread(s, &sig, 1, 1) <= 0)
9760Sstevel@tonic-gate 						FD_CLR(s, &readfrom);
9770Sstevel@tonic-gate 					else
9780Sstevel@tonic-gate 						(void) killpg(pid, sig);
9790Sstevel@tonic-gate 				}
9800Sstevel@tonic-gate 				/*
9810Sstevel@tonic-gate 				 * Read from child stdout, write to net
9820Sstevel@tonic-gate 				 */
9830Sstevel@tonic-gate 				if (do_encrypt && FD_ISSET(pw[0], &ready)) {
9840Sstevel@tonic-gate 					errno = 0;
9850Sstevel@tonic-gate 					cc = read(pw[0], buf, sizeof (buf));
9860Sstevel@tonic-gate 					if (cc <= 0) {
9870Sstevel@tonic-gate 						(void) shutdown(f, 2);
9880Sstevel@tonic-gate 						FD_CLR(pw[0], &readfrom);
9890Sstevel@tonic-gate 					} else {
9900Sstevel@tonic-gate 						(void) deswrite(f, buf, cc, 0);
9910Sstevel@tonic-gate 					}
9920Sstevel@tonic-gate 				}
9930Sstevel@tonic-gate 				/*
9940Sstevel@tonic-gate 				 * Read from the net, write to child stdin
9950Sstevel@tonic-gate 				 */
9960Sstevel@tonic-gate 				if (do_encrypt && FD_ISSET(f, &ready)) {
9970Sstevel@tonic-gate 					errno = 0;
9980Sstevel@tonic-gate 					cc = desread(f, buf, sizeof (buf), 0);
9990Sstevel@tonic-gate 					if (cc <= 0) {
10000Sstevel@tonic-gate 						(void) close(px[1]);
10010Sstevel@tonic-gate 						FD_CLR(f, &readfrom);
10020Sstevel@tonic-gate 					} else {
10030Sstevel@tonic-gate 						int wcc;
10040Sstevel@tonic-gate 						wcc = write(px[1], buf, cc);
10050Sstevel@tonic-gate 						if (wcc == -1) {
10060Sstevel@tonic-gate 							/*
10070Sstevel@tonic-gate 							 * pipe closed,
10080Sstevel@tonic-gate 							 * don't read any
10090Sstevel@tonic-gate 							 * more
10100Sstevel@tonic-gate 							 *
10110Sstevel@tonic-gate 							 * might check for
10120Sstevel@tonic-gate 							 * EPIPE
10130Sstevel@tonic-gate 							 */
10140Sstevel@tonic-gate 						    (void) close(px[1]);
10150Sstevel@tonic-gate 						    FD_CLR(f, &readfrom);
10160Sstevel@tonic-gate 						} else if (wcc != cc) {
10170Sstevel@tonic-gate 						    /* CSTYLED */
10180Sstevel@tonic-gate 						    syslog(LOG_INFO, gettext("only wrote %d/%d to child"),
10190Sstevel@tonic-gate 						    wcc, cc);
10200Sstevel@tonic-gate 						}
10210Sstevel@tonic-gate 					}
10220Sstevel@tonic-gate 				}
10230Sstevel@tonic-gate 			} while ((port && FD_ISSET(s, &readfrom)) ||
10240Sstevel@tonic-gate 				(port && FD_ISSET(pv[0], &readfrom)) ||
10250Sstevel@tonic-gate 				(do_encrypt && FD_ISSET(f, &readfrom)) ||
10260Sstevel@tonic-gate 				(do_encrypt && FD_ISSET(pw[0], &readfrom)));
10270Sstevel@tonic-gate #ifdef DEBUG
10280Sstevel@tonic-gate 			syslog(LOG_INFO, "Shell process completed.");
10290Sstevel@tonic-gate #endif /* DEBUG */
10300Sstevel@tonic-gate 			if (ccache)
10310Sstevel@tonic-gate 				(void) pam_close_session(pamh, 0);
10320Sstevel@tonic-gate 			(void) pam_end(pamh, PAM_SUCCESS);
10330Sstevel@tonic-gate 
10340Sstevel@tonic-gate 			exit(0);
10350Sstevel@tonic-gate 		} /* End of Parent block */
10360Sstevel@tonic-gate 
10370Sstevel@tonic-gate 		(void) setsid();	/* Should be the same as above. */
10380Sstevel@tonic-gate 		(void) close(pv[0]);
10390Sstevel@tonic-gate 		(void) dup2(pv[1], 2);
10400Sstevel@tonic-gate 		(void) close(pv[1]);
10410Sstevel@tonic-gate 		if (port)
10420Sstevel@tonic-gate 			(void) close(s);
10430Sstevel@tonic-gate 		if (do_encrypt) {
10440Sstevel@tonic-gate 			(void) close(f);
10450Sstevel@tonic-gate 			(void) close(pw[0]);
10460Sstevel@tonic-gate 			(void) close(px[1]);
10470Sstevel@tonic-gate 
10480Sstevel@tonic-gate 			(void) dup2(px[0], 0);
10490Sstevel@tonic-gate 			(void) dup2(pw[1], 1);
10500Sstevel@tonic-gate 
10510Sstevel@tonic-gate 			(void) close(px[0]);
10520Sstevel@tonic-gate 			(void) close(pw[1]);
10530Sstevel@tonic-gate 		}
10540Sstevel@tonic-gate 	}
10550Sstevel@tonic-gate 
10560Sstevel@tonic-gate 	if (*pwd->pw_shell == '\0')
10570Sstevel@tonic-gate 		pwd->pw_shell = "/bin/sh";
10580Sstevel@tonic-gate 	if (!do_encrypt)
10590Sstevel@tonic-gate 		(void) close(f);
10600Sstevel@tonic-gate 	/*
10610Sstevel@tonic-gate 	 * write audit record before making uid switch
10620Sstevel@tonic-gate 	 */
10630Sstevel@tonic-gate 	(void) audit_rshd_success(hostname, remuser, locuser, cmdbuf); /* BSM */
10640Sstevel@tonic-gate 
10650Sstevel@tonic-gate 	/* set the real (and effective) GID */
10660Sstevel@tonic-gate 	if (setgid(pwd->pw_gid) == -1) {
10670Sstevel@tonic-gate 		error("Invalid gid.\n");
10680Sstevel@tonic-gate 		(void) pam_end(pamh, PAM_ABORT);
10690Sstevel@tonic-gate 		exit(1);
10700Sstevel@tonic-gate 	}
10710Sstevel@tonic-gate 
10720Sstevel@tonic-gate 	/*
10730Sstevel@tonic-gate 	 * Initialize the supplementary group access list.
10740Sstevel@tonic-gate 	 */
10750Sstevel@tonic-gate 	if (strlen(locuser) == 0) {
10760Sstevel@tonic-gate 		error("No local user.\n");
10770Sstevel@tonic-gate 		(void) pam_end(pamh, PAM_ABORT);
10780Sstevel@tonic-gate 		exit(1);
10790Sstevel@tonic-gate 	}
10800Sstevel@tonic-gate 	if (initgroups(locuser, pwd->pw_gid) == -1) {
10810Sstevel@tonic-gate 		error("Initgroup failed.\n");
10820Sstevel@tonic-gate 		(void) pam_end(pamh, PAM_ABORT);
10830Sstevel@tonic-gate 		exit(1);
10840Sstevel@tonic-gate 	}
10850Sstevel@tonic-gate 
10860Sstevel@tonic-gate 	if ((v = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
10870Sstevel@tonic-gate 		error("Insufficient credentials.\n");
10880Sstevel@tonic-gate 		(void) pam_end(pamh, v);
10890Sstevel@tonic-gate 		exit(1);
10900Sstevel@tonic-gate 	}
10910Sstevel@tonic-gate 
10920Sstevel@tonic-gate 	/* set the real (and effective) UID */
10930Sstevel@tonic-gate 	if (setuid(pwd->pw_uid) == -1) {
10940Sstevel@tonic-gate 		error("Invalid uid.\n");
10950Sstevel@tonic-gate 		(void) pam_end(pamh, PAM_ABORT);
10960Sstevel@tonic-gate 		exit(1);
10970Sstevel@tonic-gate 	}
10980Sstevel@tonic-gate 
10990Sstevel@tonic-gate 	/* Change directory only after becoming the appropriate user. */
11000Sstevel@tonic-gate 	if (chdir(pwd->pw_dir) < 0) {
11010Sstevel@tonic-gate 		(void) chdir("/");
11020Sstevel@tonic-gate 		if (krb5auth_flag > 0) {
11030Sstevel@tonic-gate 			syslog(LOG_ERR, "Principal %s  (%s@%s) for local user"
11040Sstevel@tonic-gate 				" %s has no home directory.",
11050Sstevel@tonic-gate 				kremuser, remuser, hostname, locuser);
11060Sstevel@tonic-gate 			error("No remote directory.\n");
11070Sstevel@tonic-gate 			goto signout;
11080Sstevel@tonic-gate 		}
11090Sstevel@tonic-gate #ifdef notdef
11100Sstevel@tonic-gate 		error("No remote directory.\n");
11110Sstevel@tonic-gate 		exit(1);
11120Sstevel@tonic-gate #endif
11130Sstevel@tonic-gate 	}
11140Sstevel@tonic-gate 
11150Sstevel@tonic-gate 	path = (pwd->pw_uid == 0) ? rootpath : userpath;
11160Sstevel@tonic-gate 
11170Sstevel@tonic-gate 	/*
11180Sstevel@tonic-gate 	 * Space for the following environment variables are dynamically
11190Sstevel@tonic-gate 	 * allocated because their lengths are not known before calling
11200Sstevel@tonic-gate 	 * getpwnam().
11210Sstevel@tonic-gate 	 */
11220Sstevel@tonic-gate 	homedir_len = strlen(pwd->pw_dir) + strlen(homestr) + 1;
11230Sstevel@tonic-gate 	shell_len = strlen(pwd->pw_shell) + strlen(shellstr) + 1;
11240Sstevel@tonic-gate 	username_len = strlen(pwd->pw_name) + strlen(userstr) + 1;
11250Sstevel@tonic-gate 	homedir = (char *)malloc(homedir_len);
11260Sstevel@tonic-gate 	shell = (char *)malloc(shell_len);
11270Sstevel@tonic-gate 	username = (char *)malloc(username_len);
11280Sstevel@tonic-gate 	if (homedir == NULL || shell == NULL || username == NULL) {
11290Sstevel@tonic-gate 		perror("malloc");
11300Sstevel@tonic-gate 		exit(1);
11310Sstevel@tonic-gate 	}
11320Sstevel@tonic-gate 	(void) snprintf(homedir, homedir_len, "%s%s", homestr, pwd->pw_dir);
11330Sstevel@tonic-gate 	(void) snprintf(shell, shell_len, "%s%s", shellstr, pwd->pw_shell);
11340Sstevel@tonic-gate 	(void) snprintf(username, username_len, "%s%s", userstr, pwd->pw_name);
11350Sstevel@tonic-gate 
11360Sstevel@tonic-gate 	/* Pass timezone to executed command. */
11370Sstevel@tonic-gate 	if (tzenv = getenv("TZ")) {
11380Sstevel@tonic-gate 		tz_len = strlen(tzenv) + strlen(tzstr) + 1;
11390Sstevel@tonic-gate 		tz = malloc(tz_len);
11400Sstevel@tonic-gate 		if (tz != NULL)
11410Sstevel@tonic-gate 			(void) snprintf(tz, tz_len, "%s%s", tzstr, tzenv);
11420Sstevel@tonic-gate 	}
11430Sstevel@tonic-gate 
11440Sstevel@tonic-gate 	add_to_envinit(homedir);
11450Sstevel@tonic-gate 	add_to_envinit(shell);
11460Sstevel@tonic-gate 	add_to_envinit(path);
11470Sstevel@tonic-gate 	add_to_envinit(username);
11480Sstevel@tonic-gate 	add_to_envinit(tz);
11490Sstevel@tonic-gate 
11500Sstevel@tonic-gate 	if (krb5auth_flag > 0) {
11510Sstevel@tonic-gate 		int length;
11520Sstevel@tonic-gate 		char *buffer;
11530Sstevel@tonic-gate 
11540Sstevel@tonic-gate 		/*
11550Sstevel@tonic-gate 		 * If we have KRB5CCNAME set, then copy into the child's
11560Sstevel@tonic-gate 		 * environment.  This can't really have a fixed position
11570Sstevel@tonic-gate 		 * because `tz' may or may not be set.
11580Sstevel@tonic-gate 		 */
11590Sstevel@tonic-gate 		if (getenv("KRB5CCNAME")) {
11600Sstevel@tonic-gate 			length = (int)strlen(getenv("KRB5CCNAME")) +
11610Sstevel@tonic-gate 					(int)strlen("KRB5CCNAME=") + 1;
11620Sstevel@tonic-gate 			buffer = (char *)malloc(length);
11630Sstevel@tonic-gate 
11640Sstevel@tonic-gate 			if (buffer) {
11650Sstevel@tonic-gate 				(void) snprintf(buffer, length, "KRB5CCNAME=%s",
11660Sstevel@tonic-gate 						getenv("KRB5CCNAME"));
11670Sstevel@tonic-gate 				add_to_envinit(buffer);
11680Sstevel@tonic-gate 			}
11690Sstevel@tonic-gate 		} {
11700Sstevel@tonic-gate 			/* These two are covered by ADDRPAD */
11710Sstevel@tonic-gate 			length = strlen(inet_ntoa(localaddr.sin_addr)) + 1 +
11720Sstevel@tonic-gate 					strlen("KRB5LOCALADDR=");
11730Sstevel@tonic-gate 			(void) snprintf(local_addr, length, "KRB5LOCALADDR=%s",
11740Sstevel@tonic-gate 				inet_ntoa(localaddr.sin_addr));
11750Sstevel@tonic-gate 			add_to_envinit(local_addr);
11760Sstevel@tonic-gate 
11770Sstevel@tonic-gate 			length = strlen(inet_ntoa(sin->sin_addr)) + 1 +
11780Sstevel@tonic-gate 					strlen("KRB5REMOTEADDR=");
11790Sstevel@tonic-gate 			(void) snprintf(remote_addr, length,
11800Sstevel@tonic-gate 				"KRB5REMOTEADDR=%s", inet_ntoa(sin->sin_addr));
11810Sstevel@tonic-gate 			add_to_envinit(remote_addr);
11820Sstevel@tonic-gate 		}
11830Sstevel@tonic-gate 
11840Sstevel@tonic-gate 		/*
11850Sstevel@tonic-gate 		 * If we do anything else, make sure there is
11860Sstevel@tonic-gate 		 * space in the array.
11870Sstevel@tonic-gate 		 */
11880Sstevel@tonic-gate 		for (cnt = 0; cnt < num_env; cnt++) {
11890Sstevel@tonic-gate 			char *buf;
11900Sstevel@tonic-gate 
11910Sstevel@tonic-gate 			if (getenv(save_env[cnt])) {
11920Sstevel@tonic-gate 				length = (int)strlen(getenv(save_env[cnt])) +
11930Sstevel@tonic-gate 					(int)strlen(save_env[cnt]) + 2;
11940Sstevel@tonic-gate 
11950Sstevel@tonic-gate 				buf = (char *)malloc(length);
11960Sstevel@tonic-gate 				if (buf) {
11970Sstevel@tonic-gate 					(void) snprintf(buf, length, "%s=%s",
11980Sstevel@tonic-gate 						save_env[cnt],
11990Sstevel@tonic-gate 						getenv(save_env[cnt]));
12000Sstevel@tonic-gate 					add_to_envinit(buf);
12010Sstevel@tonic-gate 				}
12020Sstevel@tonic-gate 			}
12030Sstevel@tonic-gate 		}
12040Sstevel@tonic-gate 
12050Sstevel@tonic-gate 	}
12060Sstevel@tonic-gate 
12070Sstevel@tonic-gate 	/*
12080Sstevel@tonic-gate 	 * add PAM environment variables set by modules
12090Sstevel@tonic-gate 	 * -- only allowed 16 (PAM_ENV_ELIM)
12100Sstevel@tonic-gate 	 * -- check to see if the environment variable is legal
12110Sstevel@tonic-gate 	 */
12120Sstevel@tonic-gate 	if ((pam_env = pam_getenvlist(pamh)) != 0) {
12130Sstevel@tonic-gate 		while (pam_env[idx] != 0) {
12140Sstevel@tonic-gate 			if (idx < PAM_ENV_ELIM &&
12150Sstevel@tonic-gate 			    legalenvvar(pam_env[idx])) {
12160Sstevel@tonic-gate 				add_to_envinit(pam_env[idx]);
12170Sstevel@tonic-gate 			}
12180Sstevel@tonic-gate 			idx++;
12190Sstevel@tonic-gate 		}
12200Sstevel@tonic-gate 	}
12210Sstevel@tonic-gate 
12220Sstevel@tonic-gate 	(void) pam_end(pamh, PAM_SUCCESS);
12230Sstevel@tonic-gate 
12240Sstevel@tonic-gate 	/*
12250Sstevel@tonic-gate 	 * Pick up locale environment variables, if any.
12260Sstevel@tonic-gate 	 */
12270Sstevel@tonic-gate 	lenvp = renvp;
12280Sstevel@tonic-gate 	while (*lenvp != NULL) {
12290Sstevel@tonic-gate 		int	index;
12300Sstevel@tonic-gate 
12310Sstevel@tonic-gate 		for (index = 0; localeenv[index] != NULL; index++)
12320Sstevel@tonic-gate 			/*
12330Sstevel@tonic-gate 			 * locale_envmatch() returns 1 if
12340Sstevel@tonic-gate 			 * *lenvp is localenev[index] and valid.
12350Sstevel@tonic-gate 			 */
12360Sstevel@tonic-gate 			if (locale_envmatch(localeenv[index], *lenvp)) {
12370Sstevel@tonic-gate 				add_to_envinit(*lenvp);
12380Sstevel@tonic-gate 				break;
12390Sstevel@tonic-gate 			}
12400Sstevel@tonic-gate 
12410Sstevel@tonic-gate 		lenvp++;
12420Sstevel@tonic-gate 	}
12430Sstevel@tonic-gate 
12440Sstevel@tonic-gate 	cp = strrchr(pwd->pw_shell, '/');
12450Sstevel@tonic-gate 	if (cp != NULL)
12460Sstevel@tonic-gate 		cp++;
12470Sstevel@tonic-gate 	else
12480Sstevel@tonic-gate 		cp = pwd->pw_shell;
12490Sstevel@tonic-gate 	/*
12500Sstevel@tonic-gate 	 * rdist has been moved to /usr/bin, so /usr/ucb/rdist might not
12510Sstevel@tonic-gate 	 * be present on a system.  So if it doesn't exist we fall back
12520Sstevel@tonic-gate 	 * and try for it in /usr/bin.  We take care to match the space
12530Sstevel@tonic-gate 	 * after the name because the only purpose of this is to protect
12540Sstevel@tonic-gate 	 * the internal call from old rdist's, not humans who type
12550Sstevel@tonic-gate 	 * "rsh foo /usr/ucb/rdist".
12560Sstevel@tonic-gate 	 */
12570Sstevel@tonic-gate #define	RDIST_PROG_NAME	"/usr/ucb/rdist -Server"
12580Sstevel@tonic-gate 	if (strncmp(cmdbuf, RDIST_PROG_NAME, strlen(RDIST_PROG_NAME)) == 0) {
12590Sstevel@tonic-gate 		if (stat("/usr/ucb/rdist", &statb) != 0) {
12600Sstevel@tonic-gate 			(void) strncpy(cmdbuf + 5, "bin", 3);
12610Sstevel@tonic-gate 		}
12620Sstevel@tonic-gate 	}
12630Sstevel@tonic-gate 
12640Sstevel@tonic-gate #ifdef DEBUG
12650Sstevel@tonic-gate 	syslog(LOG_NOTICE, "rshd: cmdbuf = %s", cmdbuf);
12660Sstevel@tonic-gate 	if (do_encrypt)
12670Sstevel@tonic-gate 		syslog(LOG_NOTICE, "rshd: cmd to be exec'ed = %s",
12680Sstevel@tonic-gate 			((char *)cmdbuf + 3));
12690Sstevel@tonic-gate #endif /* DEBUG */
12700Sstevel@tonic-gate 
12710Sstevel@tonic-gate 	if (do_encrypt && (strncmp(cmdbuf, "-x ", 3) == 0)) {
12720Sstevel@tonic-gate 		(void) execle(pwd->pw_shell, cp, "-c", (char *)cmdbuf + 3,
12730Sstevel@tonic-gate 				NULL, envinit);
12740Sstevel@tonic-gate 	} else {
12750Sstevel@tonic-gate 		(void) execle(pwd->pw_shell, cp, "-c", cmdbuf, NULL,
12760Sstevel@tonic-gate 				envinit);
12770Sstevel@tonic-gate 	}
12780Sstevel@tonic-gate 
12790Sstevel@tonic-gate 	perror(pwd->pw_shell);
12800Sstevel@tonic-gate 	exit(1);
12810Sstevel@tonic-gate 
12820Sstevel@tonic-gate signout:
12830Sstevel@tonic-gate 	if (ccache)
12840Sstevel@tonic-gate 		(void) pam_close_session(pamh, 0);
12850Sstevel@tonic-gate 	ccache = NULL;
12860Sstevel@tonic-gate 	(void) pam_end(pamh, PAM_ABORT);
12870Sstevel@tonic-gate 	exit(1);
12880Sstevel@tonic-gate }
12890Sstevel@tonic-gate 
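/*
 * getstr - read one NUL-terminated protocol field from the client.
 *
 * Bytes are read from fd one at a time and stored in buf until a NUL
 * byte has been stored.  cnt is the size of buf in bytes, terminator
 * included; err names the field in the "too long" message.
 *
 * The process exits with status 1 if the read fails or hits end of file,
 * or if the field does not fit in cnt bytes.  On the non-Kerberos path
 * the remote user, local user and command are read with this routine
 * before any PAM check has run, so cnt is the only bound on what the
 * peer can make rshd store.
 *
 * The limit test is "<= 0" rather than "== 0" so that a zero or negative
 * cnt rejects the field at once instead of leaving the copy unbounded.
 */
static void
getstr(int fd, char *buf, int cnt, char *err)
{
	char c;

	do {
		/* A short read or error ends the session without a reply. */
		if (read(fd, &c, 1) != 1)
			exit(1);
		/* Check the remaining room before storing the byte. */
		if (cnt-- <= 0) {
			error("%s too long\n", err);
			exit(1);
		}
		*buf++ = c;
	} while (c != 0);
}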
13090Sstevel@tonic-gate 
/*
 * error - send a formatted failure message to the remote client.
 *
 * The message written to STDERR_FILENO is a single byte with value 1
 * followed by the formatted text; text that does not fit in
 * RSHD_BUFSIZ - 1 bytes is truncated by vsnprintf().  The result of the
 * write is not checked.
 * NOTE(review): the leading byte is presumably the error marker the rsh
 * client expects -- confirm against the client side.
 *
 * fmt is a printf-style format.  Pass a literal format and put any text
 * that came from the peer in the arguments, as getstr() does with
 * "%s too long\n".
 */
/*PRINTFLIKE1*/
static void
error(char *fmt, ...)
{
	char buf[RSHD_BUFSIZ];
	char *text = buf + 1;
	va_list args;

	*buf = 1;
	va_start(args, fmt);
	(void) vsnprintf(text, sizeof (buf) - 1, fmt, args);
	va_end(args);
	(void) write(STDERR_FILENO, buf, strlen(buf));
}
13230Sstevel@tonic-gate 
/*
 * Prefixes of environment entries that PAM modules may not insert into
 * the environment of the executed command.  Each entry includes the
 * trailing '=' so that only the exact variable name matches.  The list
 * is terminated by a null pointer.
 */
static char *illegal[] = {
	"SHELL=",
	"HOME=",
	"LOGNAME=",
#ifndef NO_MAIL
	"MAIL=",
#endif
	"CDPATH=",
	"IFS=",
	"PATH=",
	"USER=",
	"TZ=",
	NULL
};

/*
 * legalenvvar - can PAM modules insert this environment variable?
 *
 * s is a "NAME=value" string.  Returns 0 if s begins with one of the
 * prefixes in illegal[] or with "LD_", and 1 otherwise.
 *
 * This is a deny list: any name that is not listed is accepted, so a
 * new variable that changes how the shell or the runtime linker behaves
 * has to be added here explicitly.
 */
static int
legalenvvar(char *s)
{
	int i;

	for (i = 0; illegal[i] != NULL; i++) {
		if (strncmp(s, illegal[i], strlen(illegal[i])) == 0)
			return (0);
	}

	/* Reject every LD_* name, whatever follows the prefix. */
	if (strncmp(s, "LD_", 3) == 0)
		return (0);

	return (1);
}
13570Sstevel@tonic-gate 
/*
 * Add a string to the environment of the new process.
 *
 * The pointer is stored as-is in the NULL-terminated "envinit" vector;
 * the string is not copied, so the caller must keep it alive for as long
 * as envinit is used.  A NULL string is ignored.  If the vector cannot
 * be grown the process prints a diagnostic and exits with status 1.
 */
static void
add_to_envinit(char *string)
{
	/*
	 * The capacity is doubled before the first allocation, so the
	 * vector starts with room for 2 * 8 = 16 entries, which should
	 * avoid reallocation of "envinit" in most cases.
	 */
	static int	capacity = 8;
	static int	used = 0;
	int		must_grow;

	if (string == NULL)
		return;

	must_grow = (envinit == NULL || used == capacity);
	if (must_grow) {
		capacity *= 2;
		/* One extra slot is kept for the terminating NULL. */
		envinit = realloc(envinit, (capacity + 1) * sizeof (char *));
		if (envinit == NULL) {
			perror("malloc");
			exit(1);
		}
	}

	envinit[used] = string;
	used++;
	envinit[used] = NULL;
}
13870Sstevel@tonic-gate 
/*
 * Check if lenv and penv matches or not.
 *
 * lenv is a bare variable name and penv a "NAME=value" entry.  Returns 1
 * only when the name part of penv is exactly lenv and the value does not
 * start with '/'; returns 0 otherwise.
 *
 * Only the first character of the value is screened here; a '/' later in
 * the value is not examined by this function.
 */
static int
locale_envmatch(char *lenv, char *penv)
{
	const char *name = lenv;
	const char *entry = penv;

	/* Advance over the common prefix, stopping at '=' in the entry. */
	for (;;) {
		if (*name != *entry || *name == '\0' || *entry == '=')
			break;
		name++;
		entry++;
	}

	/* The whole name must have been consumed ... */
	if (*name != '\0')
		return (0);

	/* ... and the entry must be positioned on its '=' separator. */
	if (*entry != '=')
		return (0);

	/*
	 * '/' is eliminated for security reason.
	 */
	return (entry[1] != '/');
}
14040Sstevel@tonic-gate 
/* Length for version strings; only defined here if not already provided. */
#ifndef	KRB_SENDAUTH_VLEN
#define	KRB_SENDAUTH_VLEN	8
#endif

/* The version string MUST be exactly KRB_SENDAUTH_VLEN chars long. */
#define	KRB_SENDAUTH_VERS	"AUTHV0.1"

/* Size in bytes of an IPv4 address structure. */
#define	SIZEOF_INADDR sizeof (struct in_addr)
14120Sstevel@tonic-gate 
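/*
 * recvauth - run the server side of the Kerberos V5 kcmd exchange on netf.
 *
 * netf			connected socket the client is talking on
 * valid_checksum	out: cleared on entry; set by the checksum
 *			verification when that step runs
 *
 * Fills the file-scope locuser, cmdbuf and remuser buffers from the
 * socket, sets kcmd_protocol, kremuser and client from the ticket, and,
 * when the command starts with "-x ", sets do_encrypt and sessionkey and
 * initialises the encryption layer.  Forwarded credentials, if sent, are
 * stored through store_forw_creds().
 *
 * Returns 0 on success, a krb5 error code, or -1 when the checksum input
 * could not be built.  Several failures terminate the process with
 * exit() instead of returning.
 *
 * When the checksum step runs but its input cannot be built (allocation
 * or getsockname() failure) the function now returns an error instead of
 * falling through with status still 0 and the checksum unverified.
 *
 * NOTE(review): auth_context, the ticket and version.data are not
 * released on the error returns (auth_context is not released on success
 * either); this looks harmless only if the caller exits on failure -
 * confirm.
 */
static krb5_error_code
recvauth(int netf, int *valid_checksum)
{
	krb5_auth_context auth_context = NULL;
	krb5_error_code status;
	struct sockaddr_in laddr;
	int len;
	krb5_data inbuf;
	krb5_authenticator *authenticator;
	krb5_ticket *ticket;
	krb5_rcache rcache;
	krb5_data version;
	krb5_encrypt_block eblock;	/* eblock for encrypt/decrypt */
	krb5_data desinbuf;
	krb5_data desoutbuf;
	/*
	 * NOTE(review): des_inbuf, des_outbuf and eblock have automatic
	 * storage.  If init_encrypt() keeps the pointers it is given, they
	 * dangle once this function returns - confirm against kcmd.
	 */
	char des_inbuf[2 * RSHD_BUFSIZ];
			/* needs to be > largest read size */
	char des_outbuf[2 * RSHD_BUFSIZ + 4];
			/* needs to be > largest write size */
	char kcmd_vers[9 + 1];	/* bounded, terminated copy of version.data */

	*valid_checksum = 0;
	len = sizeof (laddr);

	if (getsockname(netf, (struct sockaddr *)&laddr, &len)) {
		exit(1);
	}

	if ((status = krb5_auth_con_init(bsd_context, &auth_context)) != 0)
		return (status);

	if ((status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
		KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)) != 0)
		return (status);

	status = krb5_auth_con_getrcache(bsd_context, auth_context, &rcache);
	if (status)
		return (status);

	/* Attach a replay cache if the auth context does not have one. */
	if (!rcache) {
		krb5_principal server;

		status = krb5_sname_to_principal(bsd_context, 0, 0,
			KRB5_NT_SRV_HST, &server);
		if (status)
			return (status);

		status = krb5_get_server_rcache(bsd_context,
			krb5_princ_component(bsd_context, server, 0),
			&rcache);
		krb5_free_principal(bsd_context, server);
		if (status)
			return (status);

		status = krb5_auth_con_setrcache(bsd_context, auth_context,
							rcache);
		if (status)
			return (status);
	}

	status = krb5_recvauth_version(bsd_context, &auth_context, &netf,
		NULL,		/* Specify daemon principal */
		0,		/* no flags */
		keytab,		/* normally NULL to use v5srvtab */
		&ticket,	/* return ticket */
		&version);	/* application version string */

	/*
	 * NOTE(review): remuser is read with sizeof (locuser) as its bound,
	 * here and further down.  That is only safe if remuser is at least
	 * as large as locuser; the declarations are outside this function -
	 * confirm.
	 */
	if (status) {
		/*
		 * Authentication failed, but the three request strings are
		 * still read from the peer before the error is returned.
		 */
		getstr(netf, locuser, sizeof (locuser), "locuser");
		getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
		getstr(netf, remuser, sizeof (locuser), "remuser");
		return (status);
	}
	getstr(netf, locuser, sizeof (locuser), "locuser");
	getstr(netf, cmdbuf, sizeof (cmdbuf), "command");

	/* Must be V5  */

	kcmd_protocol = KCMD_UNKNOWN_PROTOCOL;
	if (version.length != 9 || version.data == NULL) {
		syslog(LOG_ERR, "bad application version length");
		error(gettext("bad application version length\n"));
		exit(1);
	}

	/*
	 * The version string comes from the peer and nothing visible here
	 * guarantees a terminator within its 9 bytes, so work on a local
	 * terminated copy before comparing it or printing it with %s.
	 */
	(void) memcpy(kcmd_vers, version.data, 9);
	kcmd_vers[9] = '\0';

	if (strncmp(kcmd_vers, "KCMDV0.1", 9) == 0) {
		kcmd_protocol = KCMD_OLD_PROTOCOL;
	} else if (strncmp(kcmd_vers, "KCMDV0.2", 9) == 0) {
		kcmd_protocol = KCMD_NEW_PROTOCOL;
	} else {
		syslog(LOG_ERR, "Unrecognized KCMD protocol (%s)",
			kcmd_vers);
		error(gettext("Unrecognized KCMD protocol (%s)"),
			kcmd_vers);
		exit(1);
	}
	getstr(netf, remuser, sizeof (locuser), "remuser");

	if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client,
			&kremuser)))
		return (status);

	if ((status = krb5_copy_principal(bsd_context,
				ticket->enc_part2->client, &client)))
		return (status);


	if (checksum_required && (kcmd_protocol == KCMD_OLD_PROTOCOL)) {
		if ((status = krb5_auth_con_getauthenticator(bsd_context,
			auth_context, &authenticator)))
			return (status);

		/*
		 * If the authenticator carries no checksum this step is
		 * skipped and *valid_checksum stays 0; the caller has to
		 * enforce the requirement in that case.
		 */
		if (authenticator->checksum && checksum_required) {
			struct sockaddr_in adr;
			int adr_length = sizeof (adr);
			int chksumsize = strlen(cmdbuf) + strlen(locuser) + 32;
			krb5_data input;
			krb5_keyblock key;

			char *chksumbuf = malloc(chksumsize);

			/*
			 * status is 0 at this point, so every failure below
			 * must set it before jumping to error_cleanup;
			 * otherwise the unverified request would continue.
			 */
			if (chksumbuf == 0) {
				syslog(LOG_ERR,
				    "checksum buffer allocation failed");
				status = -1;
				goto error_cleanup;
			}
			if (getsockname(netf, (struct sockaddr *)&adr,
					&adr_length) != 0) {
				syslog(LOG_ERR,
				    "getsockname failed for checksum");
				status = -1;
				goto error_cleanup;
			}

			/* Checksum input is "<local port>:<command><locuser>". */
			(void) snprintf(chksumbuf, chksumsize, "%u:",
					ntohs(adr.sin_port));
			if (strlcat(chksumbuf, cmdbuf,
					chksumsize) >= chksumsize) {
				syslog(LOG_ERR, "cmd buffer too long.");
				status = -1;
				goto error_cleanup;
			}
			if (strlcat(chksumbuf, locuser,
					chksumsize) >= chksumsize) {
				syslog(LOG_ERR, "locuser too long.");
				status = -1;
				goto error_cleanup;
			}

			/* key borrows the ticket's session key; no copy. */
			input.data = chksumbuf;
			input.length = strlen(chksumbuf);
			key.magic = ticket->enc_part2->session->magic;
			key.enctype = ticket->enc_part2->session->enctype;
			key.contents = ticket->enc_part2->session->contents;
			key.length = ticket->enc_part2->session->length;

			status = krb5_c_verify_checksum(bsd_context,
			    &key, 0, &input, authenticator->checksum,
			    (unsigned int *)valid_checksum);

			if (status == 0 && *valid_checksum == 0)
				status = KRB5KRB_AP_ERR_BAD_INTEGRITY;
error_cleanup:
			if (chksumbuf)
				krb5_xfree(chksumbuf);
			if (status) {
				krb5_free_authenticator(bsd_context,
						authenticator);
				return (status);
			}
		}
		krb5_free_authenticator(bsd_context, authenticator);
	}


	/* A command starting with "-x " asks for an encrypted session. */
	if ((strncmp(cmdbuf, "-x ", 3) == 0)) {
		if (krb5_privacy_allowed()) {
			do_encrypt = 1;
		} else {
			syslog(LOG_ERR, "rshd: Encryption not supported");
			error("rshd: Encryption not supported. \n");
			exit(2);
		}

		status = krb5_auth_con_getremotesubkey(bsd_context,
						    auth_context,
						    &sessionkey);
		if (status) {
			syslog(LOG_ERR, "Error getting KRB5 session subkey");
			error(gettext("Error getting KRB5 session subkey"));
			exit(1);
		}
		/*
		 * The "new" protocol requires that a subkey be sent.
		 */
		if (sessionkey == NULL && kcmd_protocol == KCMD_NEW_PROTOCOL) {
			syslog(LOG_ERR, "No KRB5 session subkey sent");
			error(gettext("No KRB5 session subkey sent"));
			exit(1);
		}
		/*
		 * The "old" protocol does not permit an authenticator subkey.
		 * The key is taken from the ticket instead (see below).
		 */
		if (sessionkey != NULL && kcmd_protocol == KCMD_OLD_PROTOCOL) {
			syslog(LOG_ERR, "KRB5 session subkey not permitted "
				"with old KCMD protocol");
			error(gettext("KRB5 session subkey not permitted "
				"with old KCMD protocol"));
			exit(1);
		}
		/*
		 * If no key at this point, use the session key from
		 * the ticket.
		 */
		if (sessionkey == NULL) {
			/*
			 * Save the session key so we can configure the crypto
			 * module later.
			 */
			status = krb5_copy_keyblock(bsd_context,
						ticket->enc_part2->session,
						&sessionkey);
			if (status) {
				syslog(LOG_ERR, "krb5_copy_keyblock failed");
				error(gettext("krb5_copy_keyblock failed"));
				exit(1);
			}
		}
		/*
		 * If session key still cannot be found, we must
		 * exit because encryption is required here
		 * when encr_flag (-x) is set.
		 */
		if (sessionkey == NULL) {
			syslog(LOG_ERR, "Could not find an encryption key");
			error(gettext("Could not find an encryption key"));
			exit(1);
		}

		/*
		 * Initialize parameters/buffers for desread & deswrite here.
		 */
		desinbuf.data = des_inbuf;
		desoutbuf.data = des_outbuf;
		desinbuf.length = sizeof (des_inbuf);
		desoutbuf.length = sizeof (des_outbuf);

		eblock.crypto_entry = sessionkey->enctype;
		eblock.key = (krb5_keyblock *)sessionkey;

		init_encrypt(do_encrypt, bsd_context, kcmd_protocol,
				&desinbuf, &desoutbuf, SERVER, &eblock);
	}

	/*
	 * Detach the session key so krb5_free_ticket() below leaves it
	 * alone.
	 * NOTE(review): sessionkey above is either the remote subkey or a
	 * copy, so nothing visible in this function still refers to the
	 * ticket's own session keyblock; it appears to stay allocated and
	 * unscrubbed - confirm whether another owner exists.
	 */
	ticket->enc_part2->session = 0;

	if ((status = krb5_read_message(bsd_context, (krb5_pointer) & netf,
				&inbuf))) {
		error(gettext("Error reading message: %s\n"),
				error_message(status));
		exit(1);
	}

	if (inbuf.length) {
		krb5_creds **creds = NULL;

		/* Forwarding being done, read creds */
		if ((status = krb5_rd_cred(bsd_context,
					    auth_context, &inbuf, &creds,
					    NULL))) {
			error("Can't get forwarded credentials: %s\n",
				error_message(status));
			exit(1);
		}

		/* Store the forwarded creds in the ccache */
		if ((status = store_forw_creds(bsd_context,
					    creds, ticket, locuser,
					    &ccache))) {
			error("Can't store forwarded credentials: %s\n",
				error_message(status));
			exit(1);
		}
		/*
		 * NOTE(review): only the first credential is released; the
		 * creds array itself and any further entries are not freed
		 * here - confirm whether that is intended.
		 */
		krb5_free_creds(bsd_context, *creds);
	}

	krb5_free_ticket(bsd_context, ticket);
	return (0);
}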
16950Sstevel@tonic-gate 
/*
 * usage - report the accepted command-line options.
 *
 * The synopsis is written to stderr (translated through gettext) and to
 * syslog at LOG_ERR (untranslated apart from the "usage" label).  The
 * "[-D port]" option is only listed in DEBUG builds.  Neither message
 * ends with a newline.
 */
static void
usage(void)
{
	const char *label = gettext("usage");

	(void) fprintf(stderr,
	    gettext("%s: rshd [-k5eciU] "
	    "[-P path] [-M realm] [-s tos] "
#ifdef DEBUG
	    "[-D port] "
#endif /* DEBUG */
	    "[-S keytab]"),
	    label);

	syslog(LOG_ERR,
	    "%s: rshd [-k5eciU] [-P path] [-M realm] [-s tos] "
#ifdef DEBUG
	    "[-D port] "
#endif /* DEBUG */
	    "[-S keytab]",
	    label);
}