path: root/net/radius/files/patch-ad
blob: 2517a6195c78bf1f6aa959d71399c82fa39c493d (plain) (blame)
--- src/rad.kerberos.c.orig	Wed Sep 18 17:34:21 1996
+++ src/rad.kerberos.c	Tue Aug 26 12:57:28 1997
@@ -84,7 +84,7 @@
 extern int      mit_passwd_to_key ();
 extern int      afs_passwd_to_key ();
 
-static int      krb_pass PROTO((AUTH_REQ *, int, char *));
+static int      krb_pass (AUTH_REQ *, int, char *);
 
 #if defined(A_KERB)
 static AATV     akrb_aatv =
@@ -177,7 +177,8 @@
 #if defined(M_KERB)
 	if (strcmp (authreq->direct_aatv->id, "MKERB") == 0)
 	{
-		krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
+		krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt",
+					 realm,
 					DEFAULT_TKT_LIFE, mit_passwd_to_key,
 					NULL, passwd);
 	}
@@ -192,6 +193,12 @@
 	}
 #endif	/* A_KERB */
 
+	/*
+	 * XXX
+	 * This can be spoofed fairly easily... Should attempt to authenticate
+	 * to some service on this machine (e.g., radius.thishost@REALM)
+	 * in order to ensure that the ticket we just got is really valid.
+	 */
 	switch (krbval)
 	{
 	    case INTK_OK:
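Review bot: The new XXX comment says the ticket is accepted unverified, but the last hunk of this patch adds the suggested service-ticket check under `#ifdef M_KERB`, so the comment is stale for M_KERB builds. It also does not say that A_KERB-only builds still trust the initial ticket without that check, as far as the visible hunks show. I would reword it along the lines of `/* A TGT alone does not prove the KDC reply is genuine; M_KERB builds verify it below against the radius service key, A_KERB builds do not. */`. The switch it sits above continues outside the hunk.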
@@ -207,6 +214,37 @@
 			func, krbval);
 		break;
 	}
+#ifdef M_KERB
+	/*
+	 * Ticket verification code based loosely on Berkeley klogin.c 8.3
+	 */
+	if (krbreturn != EV_ACK) {
+		dest_tkt();
+		memset(passwd, 0, sizeof passwd);
+	} else {
+		struct sockaddr_in sin;
+		char host[MAXHOSTNAMELEN], *p;
+		AUTH_DAT authdata;
+		KTEXT_ST ticket;
+
+		krb_get_local_addr(&sin);
+		gethostname(host, sizeof host);
+		if ((p = strchr(host, '.')) != 0)
+			*p = '\0';
+		krbval = krb_mk_req(&ticket, "radius", host, realm, 33);
+		if (krbval == KSUCCESS) {
+			krbval = krb_rd_req(&ticket, "radius", host, 
+					    sin.sin_addr.s_addr, &authdata,
+					    "");
+		}
+		if (krbval != KSUCCESS) {
+			logit(LOG_DAEMON, LOG_ERR, 
+			      "Kerberos error verifying ticket for %s: %s",
+			      func, krb_err_txt[krbval]);
+			krbreturn = EV_NAK;
+		}
+	}
+#endif /* M_KERB */
 
 	dest_tkt ();		/* destroy the ticket */
 	memset (passwd, 0, sizeof (passwd));
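Review bot: The added verification block ignores the results of `krb_get_local_addr(&sin)` and `gethostname(host, sizeof host)`, so on failure an uninitialised `sin.sin_addr.s_addr` or a possibly unterminated `host` is passed to `krb_mk_req` and `krb_rd_req`. Both calls should be checked, with `krbreturn = EV_NAK` set and the request skipped when either fails, and `host[sizeof host - 1] = '\0';` added before the `strchr`. Separately, `memset(passwd, 0, sizeof passwd)` wipes the whole secret only if `passwd` is an array in this scope. The prototype in the first hunk takes a `char *`, so if `passwd` is that parameter only pointer-size bytes are cleared, and a plain `memset` on a buffer that is not read again may be removed by the optimiser. The `if (krbreturn != EV_ACK)` branch also repeats the `dest_tkt`/`memset` pair that runs unconditionally after `#endif`; the enclosing function starts outside the hunk.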