diff options
author | Garrett Wollman <wollman@FreeBSD.org> | 1997-07-28 15:29:29 +0000 |
---|---|---|
committer | Garrett Wollman <wollman@FreeBSD.org> | 1997-07-28 15:29:29 +0000 |
commit | 35d02eb78de79a4b37cd6aa4a2e50ff8a709ec12 (patch) | |
tree | 23d1030ef64334d88649a3ddc7bff03c7b36d4c6 /net/radius | |
parent | netatalk - File and Print Server for AppleTalk (diff) |
I hope Torsten doesn't mind me stepping on his toes a bit here...
Fix one serious bug in the RADIUS server's Kerberos interface, one
minor nit in the build, and add one feature:
- Properly validate the Kerberos ticket we obtained against an actual
service so we know it wasn't forged.
- Make sure the test programs are built knowing where the database is.
- If the make variable KRB_INSTANCE is defined, it names the instance of
each user to be used in validating their Kerberos password. (If this
instance doesn't exist, the validation will fail.) This can be used
for both access control and to keep separate one's login password from
the less secure RADIUS mechanism (since exposure of the instance does
not expose the null instance).
Notes
Notes:
svn path=/head/; revision=7428
Diffstat (limited to 'net/radius')
-rw-r--r-- | net/radius/files/patch-aa | 18 | ||||
-rw-r--r-- | net/radius/files/patch-ad | 64 |
2 files changed, 74 insertions, 8 deletions
diff --git a/net/radius/files/patch-aa b/net/radius/files/patch-aa index 94b09149a29c..95bc81413f73 100644 --- a/net/radius/files/patch-aa +++ b/net/radius/files/patch-aa @@ -1,6 +1,6 @@ diff -ru orig/Makefile ./Makefile --- orig/Makefile Sun Sep 22 14:00:16 1996 -+++ Makefile Tue Jun 17 16:36:26 1997 ++++ Makefile Mon Jul 28 11:07:04 1997 @@ -51,11 +51,11 @@ # Where the configuration files live. RADDB = ./raddb @@ -27,7 +27,7 @@ diff -ru orig/Makefile ./Makefile # Define SRV to hold any combination of server names you'd like to override: #SRV3 = -DDEFAULT_TACACS_SERVER=\"vms.dns.name\" -@@ -110,17 +110,21 @@ +@@ -110,17 +110,22 @@ # radiusd -- the default # #-------------------------------------------------------------------------- @@ -45,14 +45,15 @@ diff -ru orig/Makefile ./Makefile -#RADLIBS = /usr/kerberos/lib/libkrb.a /usr/kerberos/lib/libdes.a -#INCS = -I/usr/kerberos/include +.if defined(MAKE_EBONES) -+DEFS = -DHAVE_SETVBUF -DM_KERB -DNOSHADOW $(MERIT) $(STUFF) ++DEFS = -DHAVE_SETVBUF -DM_KERB -DKRB_INSTANCE=\"$(KRB_INSTANCE)\" \ ++ -DNOSHADOW $(MERIT) $(STUFF) +RADLIBS = -lkrb -ldes +INCS = -I/usr/include/kerberosIV +.endif # # akerb -@@ -219,12 +223,12 @@ +@@ -219,12 +224,12 @@ # #-------------------------------------------------------------------------- @@ -71,7 +72,7 @@ diff -ru orig/Makefile ./Makefile # # Solaris 2.x -@@ -304,14 +308,17 @@ +@@ -304,14 +309,17 @@ # #-------------------------------------------------------------------------- @@ -84,7 +85,7 @@ diff -ru orig/Makefile ./Makefile -#INSTALL = /usr/bin/install - +CC = cc -+CFLAGS += -DRADIUS_DIR=\"${PREFIX}/lib/radius/db\" \ ++CFLAGS += -DRADIUS_DIR=\"${RADDB_INSDIR}\" -DDEFAULT_DIR2=\"${RADDB_INSDIR}\" \ + -DRADACCT_DIR=\"${PREFIX}/lib/radius/acct\" \ + -DRADIUS_COMPRESS=\"/usr/bin/gzip\" \ + $(DEFS) $(INCS) @@ -97,7 +98,7 @@ diff -ru orig/Makefile ./Makefile # # AIX 3.2.5 (if using xlc(1) add -D_ALL_SOURCE to CFLAGS below) # -@@ -604,8 +611,6 @@ +@@ -604,8 +612,6 @@ $(MAN_INSDIR)/man5/clients.5 $(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/dictionary.5 \ $(MAN_INSDIR)/man5/dictionary.5 @@ -106,7 +107,7 @@ diff -ru orig/Makefile ./Makefile $(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/radius.fsm.5 \ $(MAN_INSDIR)/man5/radius.fsm.5 $(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/users.5 \ -@@ -625,17 +630,17 @@ +@@ -625,17 +631,17 @@ /bin/mkdir -p $(RADDB_INSDIR) ;\ fi $(INSTALL) $(M) 660 $(O) $(RADOWN) $(G) $(RADGRP) $(RADDB)/authfile \ @@ -130,3 +131,4 @@ diff -ru orig/Makefile ./Makefile -if [ ! -d $(RADACCT_INSDIR) ] ;\ then \ /bin/mkdir -p $(RADACCT_INSDIR) ;\ + diff --git a/net/radius/files/patch-ad b/net/radius/files/patch-ad new file mode 100644 index 000000000000..535bd0f0aa90 --- /dev/null +++ b/net/radius/files/patch-ad @@ -0,0 +1,64 @@ +diff -ru orig/src/rad.kerberos.c ./src/rad.kerberos.c +--- orig/src/rad.kerberos.c Wed Sep 18 11:34:21 1996 ++++ src/rad.kerberos.c Sat Jul 26 17:33:30 1997 +@@ -177,7 +177,8 @@ + #if defined(M_KERB) + if (strcmp (authreq->direct_aatv->id, "MKERB") == 0) + { +- krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm, ++ krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt", ++ realm, + DEFAULT_TKT_LIFE, mit_passwd_to_key, + NULL, passwd); + } +@@ -192,6 +193,12 @@ + } + #endif /* A_KERB */ + ++ /* ++ * XXX ++ * This can be spoofed fairly easily... Should attempt to authenticate ++ * to some service on this machine (e.g., radius.thishost@REALM) ++ * in order to ensure that the ticket we just got is really valid. ++ */ + switch (krbval) + { + case INTK_OK: +@@ -207,6 +214,37 @@ + func, krbval); + break; + } ++#ifdef M_KERB ++ /* ++ * Ticket verification code based loosely on Berkeley klogin.c 8.3 ++ */ ++ if (krbreturn != EV_ACK) { ++ dest_tkt(); ++ memset(passwd, 0, sizeof passwd); ++ } else { ++ struct sockaddr_in sin; ++ char host[MAXHOSTNAMELEN], *p; ++ AUTH_DAT authdata; ++ KTEXT_ST ticket; ++ ++ krb_get_local_addr(&sin); ++ gethostname(host, sizeof host); ++ if ((p = strchr(host, '.')) != 0) ++ *p = '\0'; ++ krbval = krb_mk_req(&ticket, "radius", host, realm, 33); ++ if (krbval == KSUCCESS) { ++ krbval = krb_rd_req(&ticket, "radius", host, ++ sin.sin_addr.s_addr, &authdata, ++ ""); ++ } ++ if (krbval != KSUCCESS) { ++ logit(LOG_DAEMON, LOG_ERR, ++ "Kerberos error verifying ticket for %s: %s", ++ func, krb_err_txt[krbval]); ++ krbreturn = EV_NAK; ++ } ++ } ++#endif /* M_KERB */ + + dest_tkt (); /* destroy the ticket */ + memset (passwd, 0, sizeof (passwd)); |