
.k5command -- new stuff for rsh




I hate having to keep ssh around just to be able to allow
a certain key to perform a specific command. Enclosed are a
few patches against 0.3e to do the same thing with rsh. First
is a patch against lib/krb5/kuserok.c and lib/krb5/krb5-protos.h
which adds a new library call krb5_kuserok_cmd which takes an
extra char * where a command is stored if found in .k5command. 
The format of this file is illustrated by this example

jsmith@EXAMPLE.COM:ls /tmp

In case a match is found the command line to the right of the 
':'-sign completely replaces whatever is sent to rshd. Before
.k5command is tested the standard .k5login is tested to allow
both authorization-methods to coexist.

The final patch is against rshd to use this library call instead
of krb5_kuserok. Hope you like it enough to include it in future
versions of heimdal.

	Cheers Leif

--- lib/krb5/krb5-protos.h.old	Mon Feb  5 09:10:36 2001
+++ lib/krb5/krb5-protos.h	Sat Feb 10 22:38:19 2001
@@ -1690,6 +1690,12 @@
 	krb5_principal principal,
 	const char *luser));
 
+krb5_boolean
+krb5_kuserok_cmd __P((krb5_context context,
+		      krb5_principal principal,
+		      const char *luser,
+		      char *cmd));
+
 krb5_error_code
 krb5_log __P((
 	krb5_context context,
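Review bot: The new prototype passes `cmd` as a bare `char *` with no length, so the implementation in kuserok.c has no way to bound the command it copies into it and the caller in rshd.c cannot tell it how large the buffer is; the parameter list should carry the size, e.g. `char *cmd,` / `size_t cmd_len));`. The declaration also lacks any comment on the contract — that `cmd` is an output buffer written only when a .k5command entry matches, and that it may be NULL to get plain .k5login behaviour; a short comment above the prototype stating that would help callers.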

--- lib/krb5/kuserok.c.old	Sat Feb 10 19:24:42 2001
+++ lib/krb5/kuserok.c	Mon Feb 12 14:17:02 2001
@@ -39,14 +39,64 @@
  * Return TRUE iff `principal' is allowed to login as `luser'.
  */
 
+static krb5_boolean
+_find_cmd(krb5_context context, krb5_principal principal, const char *filename, char *cmd)
+{
+  char buf[BUFSIZ];
+  FILE *f;
+  krb5_error_code ret;
+  krb5_boolean b;
+  
+  f = fopen (filename, "r");
+  if (f == NULL)
+    return FALSE;
+  while (fgets (buf, sizeof(buf), f) != NULL) {
+    krb5_principal tmp;
+    char *c;
+    
+    if(buf[strlen(buf) - 1] == '\n')
+      buf[strlen(buf) - 1] = '\0';
+    
+    c = strchr(buf,':');
+    if (c != NULL)
+      {
+	*c++ = '\0';
+	if (cmd != NULL)
+	  strcpy(cmd,c);
+      }
+
+    ret = krb5_parse_name (context, buf, &tmp);
+    if (ret) {
+      fclose (f);
+      return FALSE;
+    }
+    b = krb5_principal_compare (context, principal, tmp);
+    krb5_free_principal (context, tmp);
+    if (b) {
+      fclose (f);
+      return TRUE;
+    }
+  }
+  fclose (f);
+  return FALSE;
+}
+
 krb5_boolean
 krb5_kuserok (krb5_context context,
 	      krb5_principal principal,
 	      const char *luser)
 {
+  return krb5_kuserok_cmd(context,principal,luser,NULL);
+}
+
+krb5_boolean
+krb5_kuserok_cmd (krb5_context context,
+		  krb5_principal principal,
+		  const char *luser,
+		  char *cmd)
+{
     char buf[BUFSIZ];
     struct passwd *pwd;
-    FILE *f;
     krb5_realm *realms, *r;
     krb5_error_code ret;
     krb5_boolean b;
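Review bot: In _find_cmd the `strcpy(cmd,c)` is executed before the entry's principal is compared, so every entry containing a ':' overwrites the caller's buffer whether or not it matches, and the copy is unbounded — a .k5command line is up to BUFSIZ bytes while the size of the destination is not known here. Because of that ordering, a matching entry with no ':' returns TRUE leaving either an earlier entry's command or the client's original request in `cmd`, which for .k5command amounts to unrestricted execution. The copy belongs under `if (b)`, bounded by a size the caller passes in, a ':'-less entry should not match when a command is required, and a truncated copy should be refused rather than run as a different command. Two smaller points: the function is spliced in between the `Return TRUE iff ...` comment and krb5_kuserok, so that comment now sits above the wrong function, and a file-scope identifier beginning with an underscore is reserved to the implementation by the C standard, so plain `find_cmd` is the safer name.
```c
static krb5_boolean
_find_cmd(krb5_context context, krb5_principal principal,
          const char *filename, char *cmd, size_t cmd_len)
{
  /* … unchanged: locals, fopen, fgets loop, trailing-newline strip … */
    c = strchr(buf, ':');
    if (c != NULL)
      *c++ = '\0';
    /* An entry without a ':' carries no command; when a command is
       required it must not authorize the caller's own request. */
    if (cmd != NULL && c == NULL)
      continue;

    ret = krb5_parse_name (context, buf, &tmp);
    /* … unchanged: parse-failure handling, compare, free principal … */
    if (b) {
      fclose (f);
      if (cmd != NULL) {
        /* Copy only the matching entry's command, bounded; a truncated
           command is a different command, so refuse it. */
        int n = snprintf (cmd, cmd_len, "%s", c);
        if (n < 0 || (size_t)n >= cmd_len)
          return FALSE;
      }
      return TRUE;
    }
  /* … unchanged: loop end, fclose, return FALSE … */
```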
@@ -82,27 +132,14 @@
     if (pwd == NULL)
 	return FALSE;
     snprintf (buf, sizeof(buf), "%s/.k5login", pwd->pw_dir);
-    f = fopen (buf, "r");
-    if (f == NULL)
-	return FALSE;
-    while (fgets (buf, sizeof(buf), f) != NULL) {
-	krb5_principal tmp;
 
-	if(buf[strlen(buf) - 1] == '\n')
-	    buf[strlen(buf) - 1] = '\0';
-
-	ret = krb5_parse_name (context, buf, &tmp);
-	if (ret) {
-	    fclose (f);
-	    return FALSE;
-	}
-	b = krb5_principal_compare (context, principal, tmp);
-	krb5_free_principal (context, tmp);
-	if (b) {
-	    fclose (f);
-	    return TRUE;
-	}
-    }
-    fclose (f);
-    return FALSE;
+    if (_find_cmd(context,principal,buf,NULL) == TRUE)
+      return TRUE;
+    
+    if (cmd == NULL)
+      return FALSE;
+
+    snprintf (buf, sizeof(buf), "%s/.k5command",pwd->pw_dir);
+    
+    return _find_cmd(context,principal,buf,cmd);
 }
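Review bot: krb5_kuserok_cmd carries no comment stating its contract, and the semantics the body implements are worth writing down: `cmd` is left untouched when .k5login authorizes the principal, is only consulted when non-NULL, and is overwritten with the matching entry's command when .k5command authorizes; as written it may also be modified on a FALSE return, so callers should treat it as valid only when TRUE comes back. A header comment such as `/* Like krb5_kuserok, but if .k5login denies, consult .k5command; on a match copy that entry's command into cmd and return TRUE. cmd is valid only on TRUE. */` would cover it. On style, `if (_find_cmd(...) == TRUE)` compares a krb5_boolean against a constant; `if (_find_cmd(context, principal, buf, NULL))` is the idiomatic form. The function's opening lies outside this hunk.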

--- appl/rsh/rshd.c.old	Sat Feb 10 19:21:42 2001
+++ appl/rsh/rshd.c	Mon Feb 12 14:16:05 2001
@@ -327,7 +327,7 @@
     if (status)
 	syslog_and_die ("krb5_verify_authenticator_checksum: %s",
 			krb5_get_err_text(context, status));
-
+    
     free (cksum_data.data);
 
     if (strncmp (client_username, "-u ", 3) == 0) {
@@ -351,13 +351,14 @@
 	temp_tkfile[end - client_username - 3] = '\0';
 	memmove (client_username, end +1, strlen(end+1)+1);
     }
-
+    
     kerberos_status = save_krb5_creds (s, auth_context, ticket->client);
-
-    if(!krb5_kuserok (context,
-		     ticket->client,
-		     server_username))
-	fatal (s, "Permission denied");
+    
+    if (!krb5_kuserok_cmd (context,
+			   ticket->client,
+			   server_username,
+			   cmd))
+      fatal (s, "Permission denied");
 
     if (strncmp (cmd, "-x ", 3) == 0) {
 	do_encrypt = 1;
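Review bot: The `-x ` check directly below is evaluated after krb5_kuserok_cmd may have replaced `cmd`, so when a .k5command entry matches, the client's original command — and any `-x ` encryption request it carried — is discarded before the prefix is inspected; it looks like a session the client asked to encrypt would then run in the clear unless do_encrypt is set elsewhere (the enclosing function begins and ends outside this hunk). Reading the `-x ` flag off the client's command before the call, or keeping the original request in a separate buffer, preserves it, and logging the original request next to the substituted one would keep the audit trail intact. The call also hands `cmd` over with no size, so krb5_kuserok_cmd cannot bound what it writes into it; pass `sizeof cmd` if `cmd` is a fixed array, or its allocated length otherwise.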