aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorwollman <wollman@FreeBSD.org>1997-07-28 23:29:29 +0800
committerwollman <wollman@FreeBSD.org>1997-07-28 23:29:29 +0800
commitb759800f07914d4ca8768743bcf997d9a178dd71 (patch)
tree92474dfb22fa2c9fd9852d7e0ba7d3734118c5ad /net
parent5dff671c332b318cd16e7770c035202851ce93f9 (diff)
downloadfreebsd-ports-graphics-b759800f07914d4ca8768743bcf997d9a178dd71.tar.gz
freebsd-ports-graphics-b759800f07914d4ca8768743bcf997d9a178dd71.tar.zst
freebsd-ports-graphics-b759800f07914d4ca8768743bcf997d9a178dd71.zip
I hope Torsten doesn't mind me stepping on his toes a bit here...
Fix one serious bug in the RADIUS server's Kerberos interface, one minor nit in the build, and add one feature: - Properly validate the Kerberos ticket we obtained against an actual service so we know it wasn't forged. - Make sure the test programs are built knowing where the database is. - If the make variable KRB_INSTANCE is defined, it names the instance of each user to be used in validating their Kerberos password. (If this instance doesn't exist, the validation will fail.) This can be used for both access control and to keep separate one's login password from the less secure RADIUS mechanism (since exposure of the instance does not expose the null instance).
Diffstat (limited to 'net')
-rw-r--r--net/radius/files/patch-aa18
-rw-r--r--net/radius/files/patch-ad64
2 files changed, 74 insertions, 8 deletions
diff --git a/net/radius/files/patch-aa b/net/radius/files/patch-aa
index 94b09149a29..95bc81413f7 100644
--- a/net/radius/files/patch-aa
+++ b/net/radius/files/patch-aa
@@ -1,6 +1,6 @@
diff -ru orig/Makefile ./Makefile
--- orig/Makefile Sun Sep 22 14:00:16 1996
-+++ Makefile Tue Jun 17 16:36:26 1997
++++ Makefile Mon Jul 28 11:07:04 1997
@@ -51,11 +51,11 @@
# Where the configuration files live.
RADDB = ./raddb
@@ -27,7 +27,7 @@ diff -ru orig/Makefile ./Makefile
# Define SRV to hold any combination of server names you'd like to override:
#SRV3 = -DDEFAULT_TACACS_SERVER=\"vms.dns.name\"
-@@ -110,17 +110,21 @@
+@@ -110,17 +110,22 @@
# radiusd -- the default
#
#--------------------------------------------------------------------------
@@ -45,14 +45,15 @@ diff -ru orig/Makefile ./Makefile
-#RADLIBS = /usr/kerberos/lib/libkrb.a /usr/kerberos/lib/libdes.a
-#INCS = -I/usr/kerberos/include
+.if defined(MAKE_EBONES)
-+DEFS = -DHAVE_SETVBUF -DM_KERB -DNOSHADOW $(MERIT) $(STUFF)
++DEFS = -DHAVE_SETVBUF -DM_KERB -DKRB_INSTANCE=\"$(KRB_INSTANCE)\" \
++ -DNOSHADOW $(MERIT) $(STUFF)
+RADLIBS = -lkrb -ldes
+INCS = -I/usr/include/kerberosIV
+.endif
#
# akerb
-@@ -219,12 +223,12 @@
+@@ -219,12 +224,12 @@
#
#--------------------------------------------------------------------------
@@ -71,7 +72,7 @@ diff -ru orig/Makefile ./Makefile
#
# Solaris 2.x
-@@ -304,14 +308,17 @@
+@@ -304,14 +309,17 @@
#
#--------------------------------------------------------------------------
@@ -84,7 +85,7 @@ diff -ru orig/Makefile ./Makefile
-#INSTALL = /usr/bin/install
-
+CC = cc
-+CFLAGS += -DRADIUS_DIR=\"${PREFIX}/lib/radius/db\" \
++CFLAGS += -DRADIUS_DIR=\"${RADDB_INSDIR}\" -DDEFAULT_DIR2=\"${RADDB_INSDIR}\" \
+ -DRADACCT_DIR=\"${PREFIX}/lib/radius/acct\" \
+ -DRADIUS_COMPRESS=\"/usr/bin/gzip\" \
+ $(DEFS) $(INCS)
@@ -97,7 +98,7 @@ diff -ru orig/Makefile ./Makefile
#
# AIX 3.2.5 (if using xlc(1) add -D_ALL_SOURCE to CFLAGS below)
#
-@@ -604,8 +611,6 @@
+@@ -604,8 +612,6 @@
$(MAN_INSDIR)/man5/clients.5
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/dictionary.5 \
$(MAN_INSDIR)/man5/dictionary.5
@@ -106,7 +107,7 @@ diff -ru orig/Makefile ./Makefile
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/radius.fsm.5 \
$(MAN_INSDIR)/man5/radius.fsm.5
$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/users.5 \
-@@ -625,17 +630,17 @@
+@@ -625,17 +631,17 @@
/bin/mkdir -p $(RADDB_INSDIR) ;\
fi
$(INSTALL) $(M) 660 $(O) $(RADOWN) $(G) $(RADGRP) $(RADDB)/authfile \
@@ -130,3 +131,4 @@ diff -ru orig/Makefile ./Makefile
-if [ ! -d $(RADACCT_INSDIR) ] ;\
then \
/bin/mkdir -p $(RADACCT_INSDIR) ;\
+
diff --git a/net/radius/files/patch-ad b/net/radius/files/patch-ad
new file mode 100644
index 00000000000..535bd0f0aa9
--- /dev/null
+++ b/net/radius/files/patch-ad
@@ -0,0 +1,64 @@
+diff -ru orig/src/rad.kerberos.c ./src/rad.kerberos.c
+--- orig/src/rad.kerberos.c Wed Sep 18 11:34:21 1996
++++ src/rad.kerberos.c Sat Jul 26 17:33:30 1997
+@@ -177,7 +177,8 @@
+ #if defined(M_KERB)
+ if (strcmp (authreq->direct_aatv->id, "MKERB") == 0)
+ {
+- krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
++ krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt",
++ realm,
+ DEFAULT_TKT_LIFE, mit_passwd_to_key,
+ NULL, passwd);
+ }
+@@ -192,6 +193,12 @@
+ }
+ #endif /* A_KERB */
+
++ /*
++ * XXX
++ * This can be spoofed fairly easily... Should attempt to authenticate
++ * to some service on this machine (e.g., radius.thishost@REALM)
++ * in order to ensure that the ticket we just got is really valid.
++ */
+ switch (krbval)
+ {
+ case INTK_OK:
+@@ -207,6 +214,37 @@
+ func, krbval);
+ break;
+ }
++#ifdef M_KERB
++ /*
++ * Ticket verification code based loosely on Berkeley klogin.c 8.3
++ */
++ if (krbreturn != EV_ACK) {
++ dest_tkt();
++ memset(passwd, 0, sizeof passwd);
++ } else {
++ struct sockaddr_in sin;
++ char host[MAXHOSTNAMELEN], *p;
++ AUTH_DAT authdata;
++ KTEXT_ST ticket;
++
++ krb_get_local_addr(&sin);
++ gethostname(host, sizeof host);
++ if ((p = strchr(host, '.')) != 0)
++ *p = '\0';
++ krbval = krb_mk_req(&ticket, "radius", host, realm, 33);
++ if (krbval == KSUCCESS) {
++ krbval = krb_rd_req(&ticket, "radius", host,
++ sin.sin_addr.s_addr, &authdata,
++ "");
++ }
++ if (krbval != KSUCCESS) {
++ logit(LOG_DAEMON, LOG_ERR,
++ "Kerberos error verifying ticket for %s: %s",
++ func, krb_err_txt[krbval]);
++ krbreturn = EV_NAK;
++ }
++ }
++#endif /* M_KERB */
+
+ dest_tkt (); /* destroy the ticket */
+ memset (passwd, 0, sizeof (passwd));