2 ===================================================================
3 RCS file: /cvsroot/inetutils/inetutils/README,v
4 retrieving revision 1.10
5 diff -u -p -r1.10 README
6 --- README 25 Dec 2001 18:47:44 -0000 1.10
7 +++ README 9 Aug 2003 21:10:35 -0000
8 @@ -47,6 +47,12 @@ not want to install these files.
9 install setuid root to work correctly they use priviledge ports
12 +3) If both Kerberos 5 (MIT and Heimdal) and Shishi is specified, the
13 +applications that have been ported to use Shishi will use Shishi only,
14 +and the applications that have not been ported to use Shishi will use
15 +MIT or Heimdal Kerberos. If you want MIT or Heimdal instead of
16 +Shishi, don't specify --with-shishi.
18 Some known deficiencies:
19 o Many programs do not support long options, such as --version or --help.
20 o The authentication and encryption options have not been tested.
22 ===================================================================
23 RCS file: /cvsroot/inetutils/inetutils/configure.ac,v
24 retrieving revision 1.18
25 diff -u -p -r1.18 configure.ac
26 --- configure.ac 24 May 2003 23:36:45 -0000 1.18
27 +++ configure.ac 9 Aug 2003 21:10:35 -0000
29 # Configuration for inetutils
31 -# Copyright (C) 1995, 1996, 1997, 1998, 2000, 2001, 2002 Free Software Foundation, Inc.
32 +# Copyright (C) 1995, 1996, 1997, 1998, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
34 # Written by Miles Bader <miles@gnu.ai.mit.edu>
36 @@ -63,6 +63,9 @@ AC_ARG_WITH(krb4, [ --with-krb4[[=PATH]
37 AC_ARG_WITH(krb5, [ --with-krb5[[=PATH]] Compile with Kerberos V],
39 KERBEROS_DIR=$withval])
40 +AC_ARG_WITH(shishi, AC_HELP_STRING([--with-shishi[[=PATH]]],
41 + [Compile with Shishi (Kerberos 5)]),
42 + [SHISHI_DIR=$withval])
43 AC_ARG_WITH(wrap, [ --with-wrap add tcp wrapper support])
44 AC_ARG_WITH(pam, [ --with-pam add support for PAM])
46 @@ -242,6 +245,7 @@ if test "$enable_encryption" = yes -o "$
47 AH_TEMPLATE(KERBEROS, [Define to one if you have Kerberos])
48 AH_TEMPLATE(KRB4, [Define to one if you have Kerberos IV])
49 AH_TEMPLATE(KRB5, [Define to one if you have Kerberos V])
50 + AH_TEMPLATE(SHISHI, [Define to 1 if you have Shishi])
51 AH_TEMPLATE(DES_ENCRYPTION, [FIXME])
53 if test "$KERBEROS_VERSION" = 4; then
54 @@ -275,6 +279,14 @@ if test "$enable_encryption" = yes -o "$
59 + if test "$with_shishi" = "yes"; then
60 + if test x$SHISHI_DIR != x; then
61 + LIBAUTH="$LIBAUTH -L$SHISHI_DIR/lib"
62 + INCAUTH="$INCAUTH -I$SHISHI_DIR/include "
64 + LIBAUTH="$LIBAUTH -lshishi"
69 Index: libtelnet/Makefile.am
70 ===================================================================
71 RCS file: /cvsroot/inetutils/inetutils/libtelnet/Makefile.am,v
72 retrieving revision 1.5
73 diff -u -p -r1.5 Makefile.am
74 --- libtelnet/Makefile.am 8 Apr 2002 14:02:39 -0000 1.5
75 +++ libtelnet/Makefile.am 9 Aug 2003 21:10:35 -0000
76 @@ -4,6 +4,6 @@ INCLUDES = -I$(top_builddir)/include @IN
78 noinst_LIBRARIES = libtelnet.a
80 -libtelnet_a_SOURCES = auth.c enc_des.c encrypt.c forward.c genget.c getent.c kerberos.c kerberos5.c misc.c read_passwd.c
81 +libtelnet_a_SOURCES = auth.c enc_des.c encrypt.c forward.c genget.c getent.c kerberos.c kerberos5.c misc.c read_passwd.c shishi.c
83 noinst_HEADERS = auth-proto.h auth.h enc-proto.h encrypt.h key-proto.h misc-proto.h misc.h
84 Index: libtelnet/auth-proto.h
85 ===================================================================
86 RCS file: /cvsroot/inetutils/inetutils/libtelnet/auth-proto.h,v
87 retrieving revision 1.3
88 diff -u -p -r1.3 auth-proto.h
89 --- libtelnet/auth-proto.h 6 Dec 2002 16:09:06 -0000 1.3
90 +++ libtelnet/auth-proto.h 9 Aug 2003 21:10:35 -0000
91 @@ -89,4 +89,14 @@ void kerberos5_reply P((TN_Authenticator
92 int kerberos5_status P((TN_Authenticator *, char *, int));
93 void kerberos5_printsub P((unsigned char *, int, unsigned char *, int));
97 +int krb5shishi_init P((TN_Authenticator *, int));
98 +int krb5shishi_send P((TN_Authenticator *));
99 +void krb5shishi_is P((TN_Authenticator *, unsigned char *, int));
100 +void krb5shishi_reply P((TN_Authenticator *, unsigned char *, int));
101 +int krb5shishi_status P((TN_Authenticator *, char *, int));
102 +void krb5shishi_printsub P((unsigned char *, int, unsigned char *, int));
103 +void krb5shishi_cleanup P((TN_Authenticator *));
106 Index: libtelnet/auth.c
107 ===================================================================
108 RCS file: /cvsroot/inetutils/inetutils/libtelnet/auth.c,v
109 retrieving revision 1.6
110 diff -u -p -r1.6 auth.c
111 --- libtelnet/auth.c 6 Dec 2002 16:10:07 -0000 1.6
112 +++ libtelnet/auth.c 9 Aug 2003 21:10:35 -0000
113 @@ -126,6 +126,24 @@ TN_Authenticator authenticators[] = {
118 + { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
124 + krb5shishi_printsub,
125 + krb5shishi_cleanup },
126 + { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
132 + krb5shishi_printsub,
133 + krb5shishi_cleanup },
137 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
138 @@ -610,6 +628,8 @@ auth_finished(ap, result)
139 TN_Authenticator *ap;
142 + if (ap && ap->cleanup)
143 + (*ap->cleanup) (ap);
144 if (!(authenticated = ap))
145 authenticated = &NoAuth;
147 Index: libtelnet/auth.h
148 ===================================================================
149 RCS file: /cvsroot/inetutils/inetutils/libtelnet/auth.h,v
150 retrieving revision 1.4
151 diff -u -p -r1.4 auth.h
152 --- libtelnet/auth.h 6 Dec 2002 16:09:06 -0000 1.4
153 +++ libtelnet/auth.h 9 Aug 2003 21:10:35 -0000
154 @@ -75,6 +75,7 @@ typedef struct XauthP {
155 void (*reply) P((struct XauthP *, unsigned char *, int));
156 int (*status) P((struct XauthP *, char *, int));
157 void (*printsub) P((unsigned char *, int, unsigned char *, int));
158 + void (*cleanup) P((struct XauthP *));
161 #include "auth-proto.h"
162 Index: libtelnet/shishi.c
163 ===================================================================
164 RCS file: libtelnet/shishi.c
165 diff -N libtelnet/shishi.c
166 --- /dev/null 1 Jan 1970 00:00:00 -0000
167 +++ libtelnet/shishi.c 9 Aug 2003 21:10:35 -0000
169 +/* Copyright (C) 2002, 2003 Free Software Foundation, Inc.
171 +This file is part of GNU Inetutils.
173 +GNU Inetutils is free software; you can redistribute it and/or modify
174 +it under the terms of the GNU General Public License as published by
175 +the Free Software Foundation; either version 2, or (at your option)
178 +GNU Inetutils is distributed in the hope that it will be useful,
179 +but WITHOUT ANY WARRANTY; without even the implied warranty of
180 +MERCHANTABILITY or FITNESS FOR PARTICULAR PURPOSE. See the
181 +GNU General Public License for more details.
183 +You should have received a copy of the GNU General Public License
184 +along with GNU Inetutils; see the file COPYING. If not, write to
185 +the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
186 +Boston, MA 02111-1307, USA. */
188 +#ifdef HAVE_CONFIG_H
195 +#include <arpa/telnet.h>
202 +#ifdef HAVE_STRING_H
203 +# include <string.h>
205 +# include <strings.h>
211 +static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
212 + AUTHTYPE_KERBEROS_V5,
215 +#define KRB_AUTH 0 /* Authentication data follows */
216 +#define KRB_REJECT 1 /* Rejected (reason might follow) */
217 +#define KRB_ACCEPT 2 /* Accepted */
218 +#define KRB_RESPONSE 3 /* Response for mutual auth. */
220 +Shishi *shishi_handle = 0;
221 +Shishi_ap *auth_handle;
223 +#define DEBUG(c) if (auth_debug_mode) printf c
226 +Data (TN_Authenticator * ap, int type, unsigned char *d, int c)
228 + unsigned char *p = str_data + 4;
229 + unsigned char *cd = (unsigned char *) d;
234 + if (auth_debug_mode)
236 + printf ("%s:%d: [%d] (%d)",
237 + str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
238 + str_data[3], type, c);
249 + if ((*p++ = *cd++) == IAC)
254 + if (str_data[3] == TELQUAL_IS)
255 + printsub ('>', &str_data[2], p - &str_data[2]);
256 + return (net_write (str_data, p - str_data));
259 +/* FIXME: Reverse return code! */
261 +krb5shishi_init (TN_Authenticator * ap, int server)
265 + str_data[3] = TELQUAL_REPLY;
266 + if (!shishi_handle && shishi_init_server (&shishi_handle) != SHISHI_OK)
271 + str_data[3] = TELQUAL_IS;
272 + if (!shishi_handle && shishi_init (&shishi_handle) != SHISHI_OK)
280 +krb5shishi_cleanup (TN_Authenticator * ap)
282 + if (shishi_handle == 0)
285 + shishi_done (shishi_handle);
290 +krb5shishi_send (TN_Authenticator * ap)
293 + char type_check[2];
295 + Shishi_tkts_hint hint;
301 + tmp = malloc (strlen ("host/") + strlen (RemoteHostName) + 1);
302 + sprintf (tmp, "host/%s", RemoteHostName);
303 + memset (&hint, 0, sizeof (hint));
305 + hint.etype = SHISHI_DES_CBC_MD5;
306 + tkt = shishi_tkts_get (shishi_tkts_default (shishi_handle), &hint);
310 + DEBUG (("telnet: Kerberos V5: no shishi ticket for server\r\n"));
314 + if (auth_debug_mode)
315 + shishi_tkt_pretty_print (tkt, stdout);
317 + if (!UserNameRequested)
319 + DEBUG (("telnet: Kerberos V5: no user name supplied\r\n"));
323 + if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
324 + ap_opts = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
328 + type_check[0] = ap->type;
329 + type_check[1] = ap->way;
333 + rc = shishi_ap_tktoptionsdata (shishi_handle, &auth_handle, tkt,
334 + ap_opts, (char *) &type_check, 2);
335 + if (rc != SHISHI_OK)
337 + DEBUG (("telnet: Kerberos V5: Could not make AP-REQ (%s)\r\n",
338 + shishi_strerror (rc)));
342 + apreq_len = sizeof (apreq);
343 + rc = shishi_ap_req_der (auth_handle, apreq, &apreq_len);
344 + if (rc != SHISHI_OK)
346 + DEBUG (("telnet: Kerberos V5: could not DER encode (%s)\r\n",
347 + shishi_strerror (rc)));
351 + if (auth_debug_mode)
353 + shishi_authenticator_print
354 + (shishi_handle, stdout, shishi_ap_authenticator (auth_handle));
355 + shishi_apreq_print (shishi_handle, stdout,
356 + shishi_ap_req (auth_handle));
360 + if (!auth_sendname (UserNameRequested, strlen (UserNameRequested)))
362 + DEBUG (("telnet: Not enough room for user name\r\n"));
366 + if (!Data (ap, KRB_AUTH, apreq, apreq_len))
368 + DEBUG (("telnet: Not enough room for authentication data\r\n"));
372 + DEBUG (("telnet: Sent Kerberos V5 credentials to server\r\n"));
378 +krb5shishi_reply (TN_Authenticator * ap, unsigned char *data, int cnt)
380 + static int mutual_complete = 0;
389 + printf ("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
392 + printf ("[ Kerberos V5 refuses authentication ]\r\n");
393 + auth_send_retry ();
397 + if (!mutual_complete)
399 + if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
401 + printf ("[ Kerberos V5 accepted you, "
402 + "but didn't provide mutual authentication! ]\r\n");
403 + auth_send_retry ();
409 + printf ("[ Kerberos V5 accepts you as ``%.*s''%s ]\r\n", cnt, data,
411 + " (server authenticated)" : " (server NOT authenticated)");
413 + printf ("[ Kerberos V5 accepts you ]\r\n");
414 + auth_finished (ap, AUTH_USER);
418 + if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
420 + if (shishi_ap_rep_verify_der (auth_handle, data, cnt) != SHISHI_OK)
422 + printf ("[ Mutual authentication failed ]\r\n");
423 + auth_send_retry ();
427 + if (auth_debug_mode)
429 + shishi_aprep_print (shishi_handle, stdout,
430 + shishi_ap_rep (auth_handle));
431 + shishi_encapreppart_print (shishi_handle, stdout,
432 + shishi_ap_encapreppart
436 + mutual_complete = 1;
441 + DEBUG (("Unknown Kerberos option %d\r\n", data[-1]));
446 +krb5shishi_status (TN_Authenticator * ap, char *name, int level)
448 + char cname[BUFSIZ];
452 + if (level < AUTH_USER)
455 + cnamelen = sizeof (cname);
456 + rc = shishi_encticketpart_cname_get
457 + (shishi_handle, shishi_tkt_encticketpart (shishi_ap_tkt (auth_handle)),
460 + if (UserNameRequested && rc == SHISHI_OK &&
461 + cnamelen == strlen (UserNameRequested) &&
462 + memcmp (UserNameRequested, cname, cnamelen) == 0)
464 + /* FIXME: Check buffer length */
465 + strcpy (name, UserNameRequested);
473 +krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
474 + char *errbuf, int errbuflen)
476 + Shishi_key *key, *key2;
478 + char cnamerealm[BUFSIZ];
481 + rc = shishi_ap (shishi_handle, &auth_handle);
482 + if (rc != SHISHI_OK)
484 + snprintf (errbuf, errbuflen,
485 + "Cannot allocate authentication structures: %s",
486 + shishi_strerror (rc));
490 + rc = shishi_ap_req_der_set (auth_handle, data, cnt);
491 + if (rc != SHISHI_OK)
493 + snprintf (errbuf, errbuflen,
494 + "Cannot parse authentication information: %s",
495 + shishi_strerror (rc));
499 + key = shishi_hostkeys_for_localservice (shishi_handle, "host");
502 + snprintf (errbuf, errbuflen, "Could not find key:\n%s\n",
503 + shishi_strerror_details (shishi_handle));
507 + rc = shishi_ap_req_process (auth_handle, key);
508 + if (rc != SHISHI_OK)
510 + snprintf (errbuf, errbuflen, "Could not process AP-REQ: %s\n",
511 + shishi_strerror (rc));
515 + if (shishi_apreq_mutual_required_p
516 + (shishi_handle, shishi_ap_req (auth_handle)))
520 + int derlen = BUFSIZ;;
522 + rc = shishi_ap_rep_asn1 (auth_handle, &aprep);
523 + if (rc != SHISHI_OK)
525 + snprintf (errbuf, errbuflen, "Error creating AP-REP: %s\n",
526 + shishi_strerror (rc));
530 + rc = shishi_a2d (shishi_handle, aprep, der, &derlen);
531 + if (rc != SHISHI_OK)
533 + snprintf (errbuf, errbuflen, "Error der encoding aprep: %s\n",
534 + shishi_strerror (rc));
538 + Data (a, KRB_RESPONSE, der, derlen);
541 + cnamerealmlen = sizeof (cnamerealm);
542 + rc = shishi_encticketpart_cnamerealm_get
543 + (shishi_handle, shishi_tkt_encticketpart (shishi_ap_tkt (auth_handle)),
544 + cnamerealm, &cnamerealmlen);
545 + if (rc != SHISHI_OK)
547 + snprintf (errbuf, errbuflen, "Error getting authenticator name: %s\n",
548 + shishi_strerror (rc));
551 + cnamerealm[cnamerealmlen] = '\0';
553 + Data (a, KRB_ACCEPT, cnamerealm, cnamerealm ? -1 : 0);
554 + DEBUG (("telnetd: Kerberos5 identifies him as ``%s''\r\n",
555 + cnamerealm ? cnamerealm : ""));
556 + auth_finished (a, AUTH_USER);
562 +krb5shishi_is (TN_Authenticator * ap, unsigned char *data, int cnt)
567 + puts ("krb5shishi_is");
575 + r = krb5shishi_is_auth (ap, data, cnt, errbuf, sizeof errbuf);
579 + DEBUG (("Unknown Kerberos option %d\r\n", data[-1]));
580 + Data (ap, KRB_REJECT, 0, 0);
587 + snprintf (errbuf, sizeof errbuf, "kerberos_is: error");
588 + Data (ap, KRB_REJECT, errbuf, -1);
589 + DEBUG (("%s\r\n", errbuf));
590 + syslog (LOG_ERR, "%s", errbuf);
595 +req_type_str (int type)
615 +#define ADDC(p,l,c) if ((l) > 0) {*(p)++ = (c); --(l);}
618 +krb5shishi_printsub (unsigned char *data, int cnt,
619 + unsigned char *buf, int buflen)
624 + puts ("krb5shishi_printsub");
626 + buf[buflen - 1] = '\0'; /* make sure its NULL terminated */
629 + p = req_type_str (data[3]);
632 + int l = snprintf (buf, buflen, " %d (unknown)", data[3]);
638 + while (buflen > 0 && (*buf++ = *p++) != 0)
644 + case KRB_REJECT: /* Rejected (reason might follow) */
645 + case KRB_ACCEPT: /* Accepted (username might follow) */
648 + ADDC (buf, buflen, '"');
649 + for (i = 4; i < cnt; i++)
650 + ADDC (buf, buflen, data[i]);
651 + ADDC (buf, buflen, '"');
652 + ADDC (buf, buflen, '\0');
657 + for (i = 4; buflen > 0 && i < cnt; i++)
659 + int l = snprintf (buf, buflen, " %d", data[i]);