summaryrefslogtreecommitdiff
path: root/net/radius
diff options
context:
space:
mode:
authorGarrett Wollman <wollman@FreeBSD.org>1997-07-28 15:29:29 +0000
committerGarrett Wollman <wollman@FreeBSD.org>1997-07-28 15:29:29 +0000
commit35d02eb78de79a4b37cd6aa4a2e50ff8a709ec12 (patch)
tree23d1030ef64334d88649a3ddc7bff03c7b36d4c6 /net/radius
parentnetatalk - File and Print Server for AppleTalk (diff)
I hope Torsten doesn't mind me stepping on his toes a bit here...
Fix one serious bug in the RADIUS server's Kerberos interface, one minor nit in the build, and add one feature: - Properly validate the Kerberos ticket we obtained against an actual service so we know it wasn't forged. - Make sure the test programs are built knowing where the database is. - If the make variable KRB_INSTANCE is defined, it names the instance of each user to be used in validating their Kerberos password. (If this instance doesn't exist, the validation will fail.) This can be used for both access control and to keep separate one's login password from the less secure RADIUS mechanism (since exposure of the instance does not expose the null instance).
Notes
Notes: svn path=/head/; revision=7428
Diffstat (limited to 'net/radius')
-rw-r--r--net/radius/files/patch-aa18
-rw-r--r--net/radius/files/patch-ad64
2 files changed, 74 insertions, 8 deletions
diff --git a/net/radius/files/patch-aa b/net/radius/files/patch-aa
index 94b09149a29c..95bc81413f73 100644
--- a/net/radius/files/patch-aa
+++ b/net/radius/files/patch-aa
@@ -1,6 +1,6 @@
diff -ru orig/Makefile ./Makefile
--- orig/Makefile Sun Sep 22 14:00:16 1996
-+++ Makefile Tue Jun 17 16:36:26 1997
++++ Makefile Mon Jul 28 11:07:04 1997
@@ -51,11 +51,11 @@
# Where the configuration files live.
RADDB = ./raddb
@@ -27,7 +27,7 @@ diff -ru orig/Makefile ./Makefile
# Define SRV to hold any combination of server names you'd like to override:
#SRV3 = -DDEFAULT_TACACS_SERVER=\"vms.dns.name\"
-@@ -110,17 +110,21 @@
+@@ -110,17 +110,22 @@
# radiusd -- the default
#
#--------------------------------------------------------------------------
@@ -45,14 +45,15 @@ diff -ru orig/Makefile ./Makefile
-#RADLIBS = /usr/kerberos/lib/libkrb.a /usr/kerberos/lib/libdes.a
-#INCS = -I/usr/kerberos/include
+.if defined(MAKE_EBONES)
-+DEFS = -DHAVE_SETVBUF -DM_KERB -DNOSHADOW $(MERIT) $(STUFF)
++DEFS = -DHAVE_SETVBUF -DM_KERB -DKRB_INSTANCE=\"$(KRB_INSTANCE)\" \
++ -DNOSHADOW $(MERIT) $(STUFF)
+RADLIBS = -lkrb -ldes
+INCS = -I/usr/include/kerberosIV
+.endif
#
# akerb
-@@ -219,12 +223,12 @@
+@@ -219,12 +224,12 @@
#
#--------------------------------------------------------------------------
@@ -71,7 +72,7 @@ diff -ru orig/Makefile ./Makefile
#
# Solaris 2.x
-@@ -304,14 +308,17 @@
+@@ -304,14 +309,17 @@
#
#--------------------------------------------------------------------------
@@ -84,7 +85,7 @@ diff -ru orig/Makefile ./Makefile
-#INSTALL = /usr/bin/install
-
+CC = cc
-+CFLAGS += -DRADIUS_DIR=\"${PREFIX}/lib/radius/db\" \
++CFLAGS += -DRADIUS_DIR=\"${RADDB_INSDIR}\" -DDEFAULT_DIR2=\"${RADDB_INSDIR}\" \
+ -DRADACCT_DIR=\"${PREFIX}/lib/radius/acct\" \
+ -DRADIUS_COMPRESS=\"/usr/bin/gzip\" \
+ $(DEFS) $(INCS)
@@ -97,7 +98,7 @@ diff -ru orig/Makefile ./Makefile
#
# AIX 3.2.5 (if using xlc(1) add -D_ALL_SOURCE to CFLAGS below)
#
-@@ -604,8 +611,6 @@
+@@ -604,8 +612,6 @@
$(MAN_INSDIR)/man5/clients.5
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/dictionary.5 \
$(MAN_INSDIR)/man5/dictionary.5
@@ -106,7 +107,7 @@ diff -ru orig/Makefile ./Makefile
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/radius.fsm.5 \
$(MAN_INSDIR)/man5/radius.fsm.5
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/users.5 \
-@@ -625,17 +630,17 @@
+@@ -625,17 +631,17 @@
/bin/mkdir -p $(RADDB_INSDIR) ;\
fi
$(INSTALL) $(M) 660 $(O) $(RADOWN) $(G) $(RADGRP) $(RADDB)/authfile \
@@ -130,3 +131,4 @@ diff -ru orig/Makefile ./Makefile
-if [ ! -d $(RADACCT_INSDIR) ] ;\
then \
/bin/mkdir -p $(RADACCT_INSDIR) ;\
+
diff --git a/net/radius/files/patch-ad b/net/radius/files/patch-ad
new file mode 100644
index 000000000000..535bd0f0aa90
--- /dev/null
+++ b/net/radius/files/patch-ad
@@ -0,0 +1,64 @@
+diff -ru orig/src/rad.kerberos.c ./src/rad.kerberos.c
+--- orig/src/rad.kerberos.c Wed Sep 18 11:34:21 1996
++++ src/rad.kerberos.c Sat Jul 26 17:33:30 1997
+@@ -177,7 +177,8 @@
+ #if defined(M_KERB)
+ if (strcmp (authreq->direct_aatv->id, "MKERB") == 0)
+ {
+- krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
++ krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt",
++ realm,
+ DEFAULT_TKT_LIFE, mit_passwd_to_key,
+ NULL, passwd);
+ }
+@@ -192,6 +193,12 @@
+ }
+ #endif /* A_KERB */
+
++ /*
++ * XXX
++ * This can be spoofed fairly easily... Should attempt to authenticate
++ * to some service on this machine (e.g., radius.thishost@REALM)
++ * in order to ensure that the ticket we just got is really valid.
++ */
+ switch (krbval)
+ {
+ case INTK_OK:
+@@ -207,6 +214,37 @@
+ func, krbval);
+ break;
+ }
++#ifdef M_KERB
++ /*
++ * Ticket verification code based loosely on Berkeley klogin.c 8.3
++ */
++ if (krbreturn != EV_ACK) {
++ dest_tkt();
++ memset(passwd, 0, sizeof passwd);
++ } else {
++ struct sockaddr_in sin;
++ char host[MAXHOSTNAMELEN], *p;
++ AUTH_DAT authdata;
++ KTEXT_ST ticket;
++
++ krb_get_local_addr(&sin);
++ gethostname(host, sizeof host);
++ if ((p = strchr(host, '.')) != 0)
++ *p = '\0';
++ krbval = krb_mk_req(&ticket, "radius", host, realm, 33);
++ if (krbval == KSUCCESS) {
++ krbval = krb_rd_req(&ticket, "radius", host,
++ sin.sin_addr.s_addr, &authdata,
++ "");
++ }
++ if (krbval != KSUCCESS) {
++ logit(LOG_DAEMON, LOG_ERR,
++ "Kerberos error verifying ticket for %s: %s",
++ func, krb_err_txt[krbval]);
++ krbreturn = EV_NAK;
++ }
++ }
++#endif /* M_KERB */
+
+ dest_tkt (); /* destroy the ticket */
+ memset (passwd, 0, sizeof (passwd));