aboutsummaryrefslogtreecommitdiffstats
path: root/net/radius/files/patch-ad
blob: d6fe8e6628e968dd19db3f7f1399040b6068d006 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
--- src/rad.kerberos.c~ Fri Jun 26 00:40:50 1998
+++ src/rad.kerberos.c  Thu Sep 17 18:50:28 1998
@@ -80,8 +80,8 @@
 
 #include   <krb.h>
 
-static int      krb_pass PROTO((AUTH_REQ *, int, char *,
-               int (*) (AUTH_REQ *, int, char *)));
+static int      krb_pass (AUTH_REQ *, int, char *,
+             int (*) (AUTH_REQ *, int, char *));
 
 extern int      debug_flag;
 
@@ -225,8 +225,14 @@
    krbval = INTK_BADPW;  /* Fail if type is bad somehow */
 
    /* get the ticket */
-   krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
+   krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt", realm,
                DEFAULT_TKT_LIFE, passwd_to_key, NULL, passwd);
+   /*
+    * XXX
+    * This can be spoofed fairly easily... Should attempt to authenticate
+    * to some service on this machine (e.g., radius.thishost@REALM)
+    * in order to ensure that the ticket we just got is really valid.
+    */
    switch (krbval)
    {
        case INTK_OK:
@@ -294,6 +300,37 @@
            krbval, userid, realm);
        break;
    }
+#ifdef M_KERB
+   /*
+    * Ticket verification code based loosely on Berkeley klogin.c 8.3
+    */
+   if (krbreturn != EV_ACK) {
+       dest_tkt();
+       memset(passwd, 0, sizeof passwd);
+   } else {
+       struct sockaddr_in sin;
+       char host[MAXHOSTNAMELEN], *p;
+       AUTH_DAT authdata;
+       KTEXT_ST ticket;
+
+       krb_get_local_addr(&sin);
+       gethostname(host, sizeof host);
+       if ((p = strchr(host, '.')) != 0)
+           *p = '\0';
+       krbval = krb_mk_req(&ticket, "radius", host, realm, 33);
+       if (krbval == KSUCCESS) {
+           krbval = krb_rd_req(&ticket, "radius", host, 
+                       sin.sin_addr.s_addr, &authdata,
+                       "");
+       }
+       if (krbval != KSUCCESS) {
+           logit(LOG_DAEMON, LOG_ERR, 
+                 "Kerberos error verifying ticket for %s: %s",
+                 func, krb_err_txt[krbval]);
+           krbreturn = EV_NAK;
+       }
+   }
+#endif /* M_KERB */
 
    dest_tkt ();        /* destroy the ticket */
    memset (passwd, 0, sizeof (passwd));