I hope Torsten doesn't mind me stepping on his toes a bit here...

Fix one serious bug in the RADIUS server's Kerberos interface, one minor nit in the build, and add one feature: - Properly validate the Kerberos ticket we obtained against an actual service so we know it wasn't forged. - Make sure the test programs are built knowing where the database is. - If the make variable KRB_INSTANCE is defined, it names the instance of each user to be used in validating their Kerberos password. (If this instance doesn't exist, the validation will fail.) This can be used for both access control and to keep separate one's login password from the less secure RADIUS mechanism (since exposure of the instance does not expose the null instance).
svn path=/head/; revision=7428
1997-07-28 15:29:29 +00:00 · 1997-07-28 15:29:29 +00:00 · 35d02eb78d · 2021-03-31 03:12:20 +00:00
commit 35d02eb78d
parent 8b4d4b0b18
2 changed files with 74 additions and 8 deletions
--- a/net/radius/files/patch-aa
+++ b/net/radius/files/patch-aa
@ -1,6 +1,6 @@
 diff -ru orig/Makefile ./Makefile
 --- orig/Makefile	Sun Sep 22 14:00:16 1996
-+++ Makefile	Tue Jun 17 16:36:26 1997
+++ Makefile	Mon Jul 28 11:07:04 1997
@@ -51,11 +51,11 @@
 # Where the configuration files live.
 RADDB		= ./raddb
@ -27,7 +27,7 @@ diff -ru orig/Makefile ./Makefile
 
 # Define SRV to hold any combination of server names you'd like to override:
 #SRV3	  = -DDEFAULT_TACACS_SERVER=\"vms.dns.name\"
-@@ -110,17 +110,21 @@
+@@ -110,17 +110,22 @@
 # radiusd -- the default
 #
 #--------------------------------------------------------------------------
@ -45,14 +45,15 @@ diff -ru orig/Makefile ./Makefile
 -#RADLIBS	  = /usr/kerberos/lib/libkrb.a /usr/kerberos/lib/libdes.a
 -#INCS	  = -I/usr/kerberos/include
 +.if defined(MAKE_EBONES)
-+DEFS	  = -DHAVE_SETVBUF -DM_KERB -DNOSHADOW $(MERIT) $(STUFF)
+DEFS	  = -DHAVE_SETVBUF -DM_KERB -DKRB_INSTANCE=\"$(KRB_INSTANCE)\" \
+	    -DNOSHADOW $(MERIT) $(STUFF)
 +RADLIBS	  = -lkrb -ldes
 +INCS	  = -I/usr/include/kerberosIV
 +.endif
 
 #
 # akerb
-@@ -219,12 +223,12 @@
+@@ -219,12 +224,12 @@
 #
 #--------------------------------------------------------------------------
 
@ -71,7 +72,7 @@ diff -ru orig/Makefile ./Makefile
 
 #
 # Solaris 2.x
-@@ -304,14 +308,17 @@
+@@ -304,14 +309,17 @@
 #
 #--------------------------------------------------------------------------
 
@ -84,7 +85,7 @@ diff -ru orig/Makefile ./Makefile
 -#INSTALL	  = /usr/bin/install
 -
 +CC	  = cc
-+CFLAGS += -DRADIUS_DIR=\"${PREFIX}/lib/radius/db\" \
+CFLAGS += -DRADIUS_DIR=\"${RADDB_INSDIR}\" -DDEFAULT_DIR2=\"${RADDB_INSDIR}\" \
 +	-DRADACCT_DIR=\"${PREFIX}/lib/radius/acct\" \
 +	-DRADIUS_COMPRESS=\"/usr/bin/gzip\" \
 +	$(DEFS) $(INCS)
@ -97,7 +98,7 @@ diff -ru orig/Makefile ./Makefile
 #
 # AIX 3.2.5 (if using xlc(1) add -D_ALL_SOURCE to CFLAGS below)
 #
-@@ -604,8 +611,6 @@
+@@ -604,8 +612,6 @@
 						$(MAN_INSDIR)/man5/clients.5
 	$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/dictionary.5 \
 						$(MAN_INSDIR)/man5/dictionary.5
@ -106,7 +107,7 @@ diff -ru orig/Makefile ./Makefile
 	$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/radius.fsm.5 \
 						$(MAN_INSDIR)/man5/radius.fsm.5
 	$(INSTALL) $(M) 644 $(O) $(RADOWN) $(G) $(RADGRP) $(MAN)/users.5 \
-@@ -625,17 +630,17 @@
+@@ -625,17 +631,17 @@
 		/bin/mkdir -p $(RADDB_INSDIR) ;\
 	fi
 	$(INSTALL) $(M) 660 $(O) $(RADOWN) $(G) $(RADGRP) $(RADDB)/authfile \
@ -130,3 +131,4 @@ diff -ru orig/Makefile ./Makefile
 	-if [ ! -d $(RADACCT_INSDIR) ] ;\
 	then \
 		/bin/mkdir -p $(RADACCT_INSDIR) ;\
+
--- a/net/radius/files/patch-ad
+++ b/net/radius/files/patch-ad
@ -0,0 +1,64 @@
+diff -ru orig/src/rad.kerberos.c ./src/rad.kerberos.c
+--- orig/src/rad.kerberos.c	Wed Sep 18 11:34:21 1996
+++ src/rad.kerberos.c	Sat Jul 26 17:33:30 1997
+@@ -177,7 +177,8 @@
+ #if defined(M_KERB)
+ 	if (strcmp (authreq->direct_aatv->id, "MKERB") == 0)
+ 	{
+-		krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
+		krbval = krb_get_in_tkt (userid, KRB_INSTANCE, realm, "krbtgt",
+					 realm,
+ 					DEFAULT_TKT_LIFE, mit_passwd_to_key,
+ 					NULL, passwd);
+ 	}
+@@ -192,6 +193,12 @@
+ 	}
+ #endif	/* A_KERB */
+ 
+	/*
+	 * XXX
+	 * This can be spoofed fairly easily... Should attempt to authenticate
+	 * to some service on this machine (e.g., radius.thishost@REALM)
+	 * in order to ensure that the ticket we just got is really valid.
+	 */
+ 	switch (krbval)
+ 	{
+ 	    case INTK_OK:
+@@ -207,6 +214,37 @@
+ 			func, krbval);
+ 		break;
+ 	}
+#ifdef M_KERB
+	/*
+	 * Ticket verification code based loosely on Berkeley klogin.c 8.3
+	 */
+	if (krbreturn != EV_ACK) {
+		dest_tkt();
+		memset(passwd, 0, sizeof passwd);
+	} else {
+		struct sockaddr_in sin;
+		char host[MAXHOSTNAMELEN], *p;
+		AUTH_DAT authdata;
+		KTEXT_ST ticket;
+
+		krb_get_local_addr(&sin);
+		gethostname(host, sizeof host);
+		if ((p = strchr(host, '.')) != 0)
+			*p = '\0';
+		krbval = krb_mk_req(&ticket, "radius", host, realm, 33);
+		if (krbval == KSUCCESS) {
+			krbval = krb_rd_req(&ticket, "radius", host, 
+					    sin.sin_addr.s_addr, &authdata,
+					    "");
+		}
+		if (krbval != KSUCCESS) {
+			logit(LOG_DAEMON, LOG_ERR, 
+			      "Kerberos error verifying ticket for %s: %s",
+			      func, krb_err_txt[krbval]);
+			krbreturn = EV_NAK;
+		}
+	}
+#endif /* M_KERB */
+ 
+ 	dest_tkt ();		/* destroy the ticket */
+ 	memset (passwd, 0, sizeof (passwd));