17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 57c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 67c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 77c478bd9Sstevel@tonic-gate * with the License. 87c478bd9Sstevel@tonic-gate * 97c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 107c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 117c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 127c478bd9Sstevel@tonic-gate * and limitations under the License. 137c478bd9Sstevel@tonic-gate * 147c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 157c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 167c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 177c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 187c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 197c478bd9Sstevel@tonic-gate * 207c478bd9Sstevel@tonic-gate * CDDL HEADER END 217c478bd9Sstevel@tonic-gate */ 227c478bd9Sstevel@tonic-gate /* 23*740638c8Sbw * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 247c478bd9Sstevel@tonic-gate * Use is subject to license terms. 257c478bd9Sstevel@tonic-gate */ 267c478bd9Sstevel@tonic-gate 277c478bd9Sstevel@tonic-gate /* Copyright (c) 1983-1989 AT&T */ 287c478bd9Sstevel@tonic-gate /* All Rights Reserved */ 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate /* 317c478bd9Sstevel@tonic-gate * Portions of this source code were derived from Berkeley 4.3 BSD 327c478bd9Sstevel@tonic-gate * under license from the Regents of the University of California. 337c478bd9Sstevel@tonic-gate */ 347c478bd9Sstevel@tonic-gate 357c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 367c478bd9Sstevel@tonic-gate 377c478bd9Sstevel@tonic-gate #define _FILE_OFFSET_BITS 64 387c478bd9Sstevel@tonic-gate 397c478bd9Sstevel@tonic-gate /* 407c478bd9Sstevel@tonic-gate * remote shell server: 417c478bd9Sstevel@tonic-gate * remuser\0 427c478bd9Sstevel@tonic-gate * locuser\0 437c478bd9Sstevel@tonic-gate * command\0 447c478bd9Sstevel@tonic-gate * data 457c478bd9Sstevel@tonic-gate */ 467c478bd9Sstevel@tonic-gate #include <sys/types.h> 477c478bd9Sstevel@tonic-gate #include <sys/ioctl.h> 487c478bd9Sstevel@tonic-gate #include <sys/telioctl.h> 497c478bd9Sstevel@tonic-gate #include <sys/param.h> 507c478bd9Sstevel@tonic-gate #include <sys/socket.h> 517c478bd9Sstevel@tonic-gate #include <sys/time.h> 527c478bd9Sstevel@tonic-gate #include <sys/stat.h> 537c478bd9Sstevel@tonic-gate #include <sys/file.h> 547c478bd9Sstevel@tonic-gate #include <sys/select.h> 557c478bd9Sstevel@tonic-gate 567c478bd9Sstevel@tonic-gate #include <netinet/in.h> 577c478bd9Sstevel@tonic-gate 587c478bd9Sstevel@tonic-gate #include <arpa/inet.h> 597c478bd9Sstevel@tonic-gate 607c478bd9Sstevel@tonic-gate #include <unistd.h> 617c478bd9Sstevel@tonic-gate #include <string.h> 627c478bd9Sstevel@tonic-gate #include <stdio.h> 637c478bd9Sstevel@tonic-gate #include <stdarg.h> 647c478bd9Sstevel@tonic-gate #include <errno.h> 657c478bd9Sstevel@tonic-gate #include <pwd.h> 667c478bd9Sstevel@tonic-gate #include <grp.h> 677c478bd9Sstevel@tonic-gate #include <signal.h> 687c478bd9Sstevel@tonic-gate #include <netdb.h> 697c478bd9Sstevel@tonic-gate #include <syslog.h> 707c478bd9Sstevel@tonic-gate #include <fcntl.h> 717c478bd9Sstevel@tonic-gate #include <ctype.h> 727c478bd9Sstevel@tonic-gate #include <locale.h> 737c478bd9Sstevel@tonic-gate 747c478bd9Sstevel@tonic-gate #include <sys/resource.h> 757c478bd9Sstevel@tonic-gate #include <sys/filio.h> 767c478bd9Sstevel@tonic-gate #include <shadow.h> 777c478bd9Sstevel@tonic-gate #include <stdlib.h> 787c478bd9Sstevel@tonic-gate 797c478bd9Sstevel@tonic-gate #include <security/pam_appl.h> 807c478bd9Sstevel@tonic-gate 817c478bd9Sstevel@tonic-gate #include <k5-int.h> 827c478bd9Sstevel@tonic-gate #include <krb5_repository.h> 837c478bd9Sstevel@tonic-gate #include <com_err.h> 847c478bd9Sstevel@tonic-gate #include <kcmd.h> 857c478bd9Sstevel@tonic-gate 867c478bd9Sstevel@tonic-gate #ifndef NCARGS 877c478bd9Sstevel@tonic-gate #define NCARGS 5120 887c478bd9Sstevel@tonic-gate #endif /* !NCARGS */ 897c478bd9Sstevel@tonic-gate 907c478bd9Sstevel@tonic-gate static void error(char *, ...); 917c478bd9Sstevel@tonic-gate static void doit(int, struct sockaddr_storage *, char **); 927c478bd9Sstevel@tonic-gate static void getstr(int, char *, int, char *); 937c478bd9Sstevel@tonic-gate 947c478bd9Sstevel@tonic-gate static int legalenvvar(char *); 957c478bd9Sstevel@tonic-gate static void add_to_envinit(char *); 967c478bd9Sstevel@tonic-gate static int locale_envmatch(char *, char *); 977c478bd9Sstevel@tonic-gate 987c478bd9Sstevel@tonic-gate /* Function decls. for functions not in any header file. (Grrrr.) */ 997c478bd9Sstevel@tonic-gate extern int audit_rshd_setup(void); 1007c478bd9Sstevel@tonic-gate extern int audit_rshd_success(char *, char *, char *, char *); 1017c478bd9Sstevel@tonic-gate extern int audit_rshd_fail(char *, char *, char *, char *, char *); 1027c478bd9Sstevel@tonic-gate extern int audit_settid(int); 1037c478bd9Sstevel@tonic-gate 1047c478bd9Sstevel@tonic-gate static int do_encrypt = 0; 1057c478bd9Sstevel@tonic-gate static pam_handle_t *pamh; 1067c478bd9Sstevel@tonic-gate 1077c478bd9Sstevel@tonic-gate /* 1087c478bd9Sstevel@tonic-gate * This is the shell/kshell daemon. The very basic protocol for checking 1097c478bd9Sstevel@tonic-gate * authentication and authorization is: 1107c478bd9Sstevel@tonic-gate * 1) Check authentication. 1117c478bd9Sstevel@tonic-gate * 2) Check authorization via the access-control files: 1127c478bd9Sstevel@tonic-gate * ~/.k5login (using krb5_kuserok) and/or 1137c478bd9Sstevel@tonic-gate * Execute command if configured authoriztion checks pass, else deny 1147c478bd9Sstevel@tonic-gate * permission. 1157c478bd9Sstevel@tonic-gate * 1167c478bd9Sstevel@tonic-gate * The configuration is done either by command-line arguments passed by inetd, 1177c478bd9Sstevel@tonic-gate * or by the name of the daemon. If command-line arguments are present, they 1187c478bd9Sstevel@tonic-gate * take priority. The options are: 1197c478bd9Sstevel@tonic-gate * -k allow kerberos authentication (krb5 only; krb4 support is not provided) 1207c478bd9Sstevel@tonic-gate * -5 same as `-k', mainly for compatability with MIT 1217c478bd9Sstevel@tonic-gate * -e allow encrypted session 1227c478bd9Sstevel@tonic-gate * -c demand authenticator checksum 1237c478bd9Sstevel@tonic-gate * -i ignore authenticator checksum 1247c478bd9Sstevel@tonic-gate * -U Refuse connections that cannot be mapped to a name via `gethostbyname' 1257c478bd9Sstevel@tonic-gate * -s <tos> Set the IP TOS option 1267c478bd9Sstevel@tonic-gate * -S <keytab> Set the keytab file to use 1277c478bd9Sstevel@tonic-gate * -M <realm> Set the Kerberos realm to use 1287c478bd9Sstevel@tonic-gate */ 1297c478bd9Sstevel@tonic-gate 1307c478bd9Sstevel@tonic-gate #define ARGSTR "ek5ciUD:M:S:L:?:" 1317c478bd9Sstevel@tonic-gate #define RSHD_BUFSIZ (50 * 1024) 1327c478bd9Sstevel@tonic-gate 1337c478bd9Sstevel@tonic-gate static krb5_context bsd_context; 1347c478bd9Sstevel@tonic-gate static krb5_keytab keytab = NULL; 1357c478bd9Sstevel@tonic-gate static krb5_ccache ccache = NULL; 1367c478bd9Sstevel@tonic-gate static krb5_keyblock *sessionkey = NULL; 1377c478bd9Sstevel@tonic-gate 1387c478bd9Sstevel@tonic-gate static int require_encrypt = 0; 1397c478bd9Sstevel@tonic-gate static int resolve_hostname = 0; 1407c478bd9Sstevel@tonic-gate static int krb5auth_flag = 0; /* Flag set, when KERBEROS is enabled */ 1417c478bd9Sstevel@tonic-gate static enum kcmd_proto kcmd_protocol; 1427c478bd9Sstevel@tonic-gate 1437c478bd9Sstevel@tonic-gate #ifdef DEBUG 1447c478bd9Sstevel@tonic-gate static int debug_port = 0; 1457c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 1467c478bd9Sstevel@tonic-gate 1477c478bd9Sstevel@tonic-gate /* 1487c478bd9Sstevel@tonic-gate * There are two authentication related masks: 1497c478bd9Sstevel@tonic-gate * auth_ok and auth_sent. 1507c478bd9Sstevel@tonic-gate * The auth_ok mask is the or'ing of authentication 1517c478bd9Sstevel@tonic-gate * systems any one of which can be used. 1527c478bd9Sstevel@tonic-gate * The auth_sent mask is the or'ing of one or more authentication/authorization 1537c478bd9Sstevel@tonic-gate * systems that succeeded. If the and'ing 1547c478bd9Sstevel@tonic-gate * of these two masks is true, then authorization is successful. 1557c478bd9Sstevel@tonic-gate */ 1567c478bd9Sstevel@tonic-gate 1577c478bd9Sstevel@tonic-gate #define AUTH_KRB5 (0x2) 1587c478bd9Sstevel@tonic-gate static int auth_ok = 0; 1597c478bd9Sstevel@tonic-gate static int auth_sent = 0; 1607c478bd9Sstevel@tonic-gate static int checksum_required = 0; 1617c478bd9Sstevel@tonic-gate static int checksum_ignored = 0; 1627c478bd9Sstevel@tonic-gate 1637c478bd9Sstevel@tonic-gate /* 1647c478bd9Sstevel@tonic-gate * Leave room for 4 environment variables to be passed. 1657c478bd9Sstevel@tonic-gate * The "-L env_var" option has been added primarily to 1667c478bd9Sstevel@tonic-gate * maintain compatability with MIT. 1677c478bd9Sstevel@tonic-gate */ 1687c478bd9Sstevel@tonic-gate #define MAXENV 4 1697c478bd9Sstevel@tonic-gate static char *save_env[MAXENV]; 1707c478bd9Sstevel@tonic-gate static int num_env = 0; 1717c478bd9Sstevel@tonic-gate 1727c478bd9Sstevel@tonic-gate static void usage(void); 1737c478bd9Sstevel@tonic-gate static krb5_error_code recvauth(int, int *); 1747c478bd9Sstevel@tonic-gate 1757c478bd9Sstevel@tonic-gate /*ARGSUSED*/ 176*740638c8Sbw int 1777c478bd9Sstevel@tonic-gate main(int argc, char **argv, char **renvp) 1787c478bd9Sstevel@tonic-gate { 1797c478bd9Sstevel@tonic-gate struct linger linger; 1807c478bd9Sstevel@tonic-gate int on = 1, fromlen; 1817c478bd9Sstevel@tonic-gate struct sockaddr_storage from; 1827c478bd9Sstevel@tonic-gate int fd = 0; 1837c478bd9Sstevel@tonic-gate 1847c478bd9Sstevel@tonic-gate extern int opterr, optind; 1857c478bd9Sstevel@tonic-gate extern char *optarg; 1867c478bd9Sstevel@tonic-gate int ch; 1877c478bd9Sstevel@tonic-gate int tos = -1; 1887c478bd9Sstevel@tonic-gate krb5_error_code status; 1897c478bd9Sstevel@tonic-gate 1907c478bd9Sstevel@tonic-gate openlog("rsh", LOG_PID | LOG_ODELAY, LOG_DAEMON); 1917c478bd9Sstevel@tonic-gate (void) audit_rshd_setup(); /* BSM */ 1927c478bd9Sstevel@tonic-gate fromlen = sizeof (from); 1937c478bd9Sstevel@tonic-gate 1947c478bd9Sstevel@tonic-gate (void) setlocale(LC_ALL, ""); 1957c478bd9Sstevel@tonic-gate 1967c478bd9Sstevel@tonic-gate /* 1977c478bd9Sstevel@tonic-gate * Analyze parameters. 1987c478bd9Sstevel@tonic-gate */ 1997c478bd9Sstevel@tonic-gate opterr = 0; 2007c478bd9Sstevel@tonic-gate while ((ch = getopt(argc, argv, ARGSTR)) != EOF) 2017c478bd9Sstevel@tonic-gate switch (ch) { 2027c478bd9Sstevel@tonic-gate case '5': 2037c478bd9Sstevel@tonic-gate case 'k': 2047c478bd9Sstevel@tonic-gate auth_ok |= AUTH_KRB5; 2057c478bd9Sstevel@tonic-gate krb5auth_flag++; 2067c478bd9Sstevel@tonic-gate break; 2077c478bd9Sstevel@tonic-gate 2087c478bd9Sstevel@tonic-gate case 'c': 2097c478bd9Sstevel@tonic-gate checksum_required = 1; 2107c478bd9Sstevel@tonic-gate krb5auth_flag++; 2117c478bd9Sstevel@tonic-gate break; 2127c478bd9Sstevel@tonic-gate case 'i': 2137c478bd9Sstevel@tonic-gate checksum_ignored = 1; 2147c478bd9Sstevel@tonic-gate krb5auth_flag++; 2157c478bd9Sstevel@tonic-gate break; 2167c478bd9Sstevel@tonic-gate 2177c478bd9Sstevel@tonic-gate case 'e': 2187c478bd9Sstevel@tonic-gate require_encrypt = 1; 2197c478bd9Sstevel@tonic-gate krb5auth_flag++; 2207c478bd9Sstevel@tonic-gate break; 2217c478bd9Sstevel@tonic-gate #ifdef DEBUG 2227c478bd9Sstevel@tonic-gate case 'D': 2237c478bd9Sstevel@tonic-gate debug_port = atoi(optarg); 2247c478bd9Sstevel@tonic-gate break; 2257c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 2267c478bd9Sstevel@tonic-gate case 'U': 2277c478bd9Sstevel@tonic-gate resolve_hostname = 1; 2287c478bd9Sstevel@tonic-gate break; 2297c478bd9Sstevel@tonic-gate 2307c478bd9Sstevel@tonic-gate case 'M': 2317c478bd9Sstevel@tonic-gate krb5_set_default_realm(bsd_context, optarg); 2327c478bd9Sstevel@tonic-gate krb5auth_flag++; 2337c478bd9Sstevel@tonic-gate break; 2347c478bd9Sstevel@tonic-gate 2357c478bd9Sstevel@tonic-gate case 'S': 2367c478bd9Sstevel@tonic-gate if ((status = krb5_kt_resolve(bsd_context, optarg, 2377c478bd9Sstevel@tonic-gate &keytab))) { 2387c478bd9Sstevel@tonic-gate com_err("rsh", status, 2397c478bd9Sstevel@tonic-gate gettext("while resolving " 2407c478bd9Sstevel@tonic-gate "srvtab file %s"), optarg); 2417c478bd9Sstevel@tonic-gate exit(2); 2427c478bd9Sstevel@tonic-gate } 2437c478bd9Sstevel@tonic-gate krb5auth_flag++; 2447c478bd9Sstevel@tonic-gate break; 2457c478bd9Sstevel@tonic-gate 2467c478bd9Sstevel@tonic-gate case 's': 2477c478bd9Sstevel@tonic-gate if (optarg == NULL || ((tos = atoi(optarg)) < 0) || 2487c478bd9Sstevel@tonic-gate (tos > 255)) { 2497c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "rshd: illegal tos value: " 2507c478bd9Sstevel@tonic-gate "%s\n", optarg); 2517c478bd9Sstevel@tonic-gate } 2527c478bd9Sstevel@tonic-gate break; 2537c478bd9Sstevel@tonic-gate 2547c478bd9Sstevel@tonic-gate case 'L': 2557c478bd9Sstevel@tonic-gate if (num_env < MAXENV) { 2567c478bd9Sstevel@tonic-gate save_env[num_env] = strdup(optarg); 2577c478bd9Sstevel@tonic-gate if (!save_env[num_env++]) { 2587c478bd9Sstevel@tonic-gate com_err("rsh", ENOMEM, 2597c478bd9Sstevel@tonic-gate gettext("in saving env")); 2607c478bd9Sstevel@tonic-gate exit(2); 2617c478bd9Sstevel@tonic-gate } 2627c478bd9Sstevel@tonic-gate } else { 2637c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("rshd: Only %d" 2647c478bd9Sstevel@tonic-gate " -L arguments allowed\n"), 2657c478bd9Sstevel@tonic-gate MAXENV); 2667c478bd9Sstevel@tonic-gate exit(2); 2677c478bd9Sstevel@tonic-gate } 2687c478bd9Sstevel@tonic-gate break; 2697c478bd9Sstevel@tonic-gate 2707c478bd9Sstevel@tonic-gate case '?': 2717c478bd9Sstevel@tonic-gate default: 2727c478bd9Sstevel@tonic-gate usage(); 2737c478bd9Sstevel@tonic-gate exit(1); 2747c478bd9Sstevel@tonic-gate break; 2757c478bd9Sstevel@tonic-gate } 2767c478bd9Sstevel@tonic-gate 2777c478bd9Sstevel@tonic-gate if (optind == 0) { 2787c478bd9Sstevel@tonic-gate usage(); 2797c478bd9Sstevel@tonic-gate exit(1); 2807c478bd9Sstevel@tonic-gate } 2817c478bd9Sstevel@tonic-gate argc -= optind; 2827c478bd9Sstevel@tonic-gate argv += optind; 2837c478bd9Sstevel@tonic-gate 2847c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 2857c478bd9Sstevel@tonic-gate status = krb5_init_context(&bsd_context); 2867c478bd9Sstevel@tonic-gate if (status) { 2877c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Error initializing krb5: %s", 2887c478bd9Sstevel@tonic-gate error_message(status)); 2897c478bd9Sstevel@tonic-gate exit(1); 2907c478bd9Sstevel@tonic-gate } 2917c478bd9Sstevel@tonic-gate } 2927c478bd9Sstevel@tonic-gate 2937c478bd9Sstevel@tonic-gate if (!checksum_required && !checksum_ignored) 2947c478bd9Sstevel@tonic-gate checksum_ignored = 1; 2957c478bd9Sstevel@tonic-gate 2967c478bd9Sstevel@tonic-gate if (checksum_required && checksum_ignored) { 2977c478bd9Sstevel@tonic-gate syslog(LOG_CRIT, gettext("Checksums are required and ignored." 2987c478bd9Sstevel@tonic-gate "These options are mutually exclusive" 2997c478bd9Sstevel@tonic-gate "--check the documentation.")); 3007c478bd9Sstevel@tonic-gate error("Configuration error: mutually exclusive " 3017c478bd9Sstevel@tonic-gate "options specified.\n"); 3027c478bd9Sstevel@tonic-gate exit(1); 3037c478bd9Sstevel@tonic-gate } 3047c478bd9Sstevel@tonic-gate 3057c478bd9Sstevel@tonic-gate #ifdef DEBUG 3067c478bd9Sstevel@tonic-gate if (debug_port) { 3077c478bd9Sstevel@tonic-gate int s; 3087c478bd9Sstevel@tonic-gate struct sockaddr_in sin; 3097c478bd9Sstevel@tonic-gate 3107c478bd9Sstevel@tonic-gate if ((s = socket(AF_INET, SOCK_STREAM, PF_UNSPEC)) < 0) { 3117c478bd9Sstevel@tonic-gate fprintf(stderr, gettext("Error in socket: %s\n"), 3127c478bd9Sstevel@tonic-gate strerror(errno)); 3137c478bd9Sstevel@tonic-gate exit(2); 3147c478bd9Sstevel@tonic-gate } 3157c478bd9Sstevel@tonic-gate (void) memset((char *)&sin, 0, sizeof (sin)); 3167c478bd9Sstevel@tonic-gate sin.sin_family = AF_INET; 3177c478bd9Sstevel@tonic-gate sin.sin_port = htons(debug_port); 3187c478bd9Sstevel@tonic-gate sin.sin_addr.s_addr = INADDR_ANY; 3197c478bd9Sstevel@tonic-gate 3207c478bd9Sstevel@tonic-gate (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR, 3217c478bd9Sstevel@tonic-gate (char *)&on, sizeof (on)); 3227c478bd9Sstevel@tonic-gate 3237c478bd9Sstevel@tonic-gate if ((bind(s, (struct sockaddr *)&sin, sizeof (sin))) < 0) { 3247c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("Error in bind: %s\n"), 3257c478bd9Sstevel@tonic-gate strerror(errno)); 3267c478bd9Sstevel@tonic-gate exit(2); 3277c478bd9Sstevel@tonic-gate } 3287c478bd9Sstevel@tonic-gate if ((listen(s, 5)) < 0) { 3297c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("Error in listen: %s\n"), 3307c478bd9Sstevel@tonic-gate strerror(errno)); 3317c478bd9Sstevel@tonic-gate exit(2); 3327c478bd9Sstevel@tonic-gate } 3337c478bd9Sstevel@tonic-gate if ((fd = accept(s, (struct sockaddr *)&from, 3347c478bd9Sstevel@tonic-gate &fromlen)) < 0) { 3357c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("Error in accept: %s\n"), 3367c478bd9Sstevel@tonic-gate strerror(errno)); 3377c478bd9Sstevel@tonic-gate exit(2); 3387c478bd9Sstevel@tonic-gate } 3397c478bd9Sstevel@tonic-gate (void) close(s); 3407c478bd9Sstevel@tonic-gate } 3417c478bd9Sstevel@tonic-gate else 3427c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 3437c478bd9Sstevel@tonic-gate { 3447c478bd9Sstevel@tonic-gate if (getpeername(STDIN_FILENO, (struct sockaddr *)&from, 3457c478bd9Sstevel@tonic-gate (socklen_t *)&fromlen) < 0) { 3467c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "rshd: "); 3477c478bd9Sstevel@tonic-gate perror("getpeername"); 3487c478bd9Sstevel@tonic-gate _exit(1); 3497c478bd9Sstevel@tonic-gate } 3507c478bd9Sstevel@tonic-gate fd = STDIN_FILENO; 3517c478bd9Sstevel@tonic-gate } 3527c478bd9Sstevel@tonic-gate 3537c478bd9Sstevel@tonic-gate if (audit_settid(fd) != 0) { 3547c478bd9Sstevel@tonic-gate perror("settid"); 3557c478bd9Sstevel@tonic-gate exit(1); 3567c478bd9Sstevel@tonic-gate } 3577c478bd9Sstevel@tonic-gate 3587c478bd9Sstevel@tonic-gate if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, 3597c478bd9Sstevel@tonic-gate sizeof (on)) < 0) 3607c478bd9Sstevel@tonic-gate syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); 3617c478bd9Sstevel@tonic-gate linger.l_onoff = 1; 3627c478bd9Sstevel@tonic-gate linger.l_linger = 60; /* XXX */ 3637c478bd9Sstevel@tonic-gate if (setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&linger, 3647c478bd9Sstevel@tonic-gate sizeof (linger)) < 0) 3657c478bd9Sstevel@tonic-gate syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m"); 3667c478bd9Sstevel@tonic-gate 3677c478bd9Sstevel@tonic-gate if ((tos != -1) && (setsockopt(fd, IPPROTO_IP, IP_TOS, (char *)&tos, 3687c478bd9Sstevel@tonic-gate sizeof (tos)) < 0) && 3697c478bd9Sstevel@tonic-gate (errno != ENOPROTOOPT)) { 3707c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "setsockopt (IP_TOS %d): %m"); 3717c478bd9Sstevel@tonic-gate } 3727c478bd9Sstevel@tonic-gate 3737c478bd9Sstevel@tonic-gate doit(dup(fd), &from, renvp); 374*740638c8Sbw return (0); 3757c478bd9Sstevel@tonic-gate } 3767c478bd9Sstevel@tonic-gate 3777c478bd9Sstevel@tonic-gate /* 3787c478bd9Sstevel@tonic-gate * locale environments to be passed to shells. 3797c478bd9Sstevel@tonic-gate */ 3807c478bd9Sstevel@tonic-gate static char *localeenv[] = { 3817c478bd9Sstevel@tonic-gate "LANG", 3827c478bd9Sstevel@tonic-gate "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE", 3837c478bd9Sstevel@tonic-gate "LC_MONETARY", "LC_MESSAGES", "LC_ALL", NULL}; 3847c478bd9Sstevel@tonic-gate 3857c478bd9Sstevel@tonic-gate /* 3867c478bd9Sstevel@tonic-gate * The following is for the environment variable list 3877c478bd9Sstevel@tonic-gate * used in the call to execle(). envinit is declared here, 3887c478bd9Sstevel@tonic-gate * but populated after the call to getpwnam(). 3897c478bd9Sstevel@tonic-gate */ 3907c478bd9Sstevel@tonic-gate static char *homedir; /* "HOME=" */ 3917c478bd9Sstevel@tonic-gate static char *shell; /* "SHELL=" */ 3927c478bd9Sstevel@tonic-gate static char *username; /* "USER=" */ 3937c478bd9Sstevel@tonic-gate static char *tz; /* "TZ=" */ 3947c478bd9Sstevel@tonic-gate 3957c478bd9Sstevel@tonic-gate static char homestr[] = "HOME="; 3967c478bd9Sstevel@tonic-gate static char shellstr[] = "SHELL="; 3977c478bd9Sstevel@tonic-gate static char userstr[] = "USER="; 3987c478bd9Sstevel@tonic-gate static char tzstr[] = "TZ="; 3997c478bd9Sstevel@tonic-gate 4007c478bd9Sstevel@tonic-gate static char **envinit; 4017c478bd9Sstevel@tonic-gate #define PAM_ENV_ELIM 16 /* allow 16 PAM environment variables */ 4027c478bd9Sstevel@tonic-gate #define USERNAME_LEN 16 /* maximum number of characters in user name */ 4037c478bd9Sstevel@tonic-gate 4047c478bd9Sstevel@tonic-gate /* 4057c478bd9Sstevel@tonic-gate * See PSARC opinion 1992/025 4067c478bd9Sstevel@tonic-gate */ 4077c478bd9Sstevel@tonic-gate static char userpath[] = "PATH=/usr/bin:"; 4087c478bd9Sstevel@tonic-gate static char rootpath[] = "PATH=/usr/sbin:/usr/bin"; 4097c478bd9Sstevel@tonic-gate 4107c478bd9Sstevel@tonic-gate static char cmdbuf[NCARGS+1]; 4117c478bd9Sstevel@tonic-gate static char hostname [MAXHOSTNAMELEN + 1]; 4127c478bd9Sstevel@tonic-gate static char locuser[USERNAME_LEN + 1]; 4137c478bd9Sstevel@tonic-gate static char remuser[USERNAME_LEN + 1]; 4147c478bd9Sstevel@tonic-gate 4157c478bd9Sstevel@tonic-gate #define KRB5_RECVAUTH_V5 5 4167c478bd9Sstevel@tonic-gate #define SIZEOF_INADDR sizeof (struct in_addr) 4177c478bd9Sstevel@tonic-gate 4187c478bd9Sstevel@tonic-gate #define MAX_REPOSITORY_LEN 255 4197c478bd9Sstevel@tonic-gate static char repository[MAX_REPOSITORY_LEN]; 4207c478bd9Sstevel@tonic-gate 4217c478bd9Sstevel@tonic-gate static char *kremuser; 4227c478bd9Sstevel@tonic-gate static krb5_principal client = NULL; 4237c478bd9Sstevel@tonic-gate 4247c478bd9Sstevel@tonic-gate static char remote_addr[64]; 4257c478bd9Sstevel@tonic-gate static char local_addr[64]; 4267c478bd9Sstevel@tonic-gate 4277c478bd9Sstevel@tonic-gate static void 4287c478bd9Sstevel@tonic-gate doit(int f, struct sockaddr_storage *fromp, char **renvp) 4297c478bd9Sstevel@tonic-gate { 4307c478bd9Sstevel@tonic-gate char *cp; 4317c478bd9Sstevel@tonic-gate 4327c478bd9Sstevel@tonic-gate struct passwd *pwd; 4337c478bd9Sstevel@tonic-gate char *path; 4347c478bd9Sstevel@tonic-gate char *tzenv; 4357c478bd9Sstevel@tonic-gate struct spwd *shpwd; 4367c478bd9Sstevel@tonic-gate struct stat statb; 4377c478bd9Sstevel@tonic-gate char **lenvp; 4387c478bd9Sstevel@tonic-gate 4397c478bd9Sstevel@tonic-gate krb5_error_code status; 4407c478bd9Sstevel@tonic-gate int valid_checksum; 4417c478bd9Sstevel@tonic-gate int cnt; 4427c478bd9Sstevel@tonic-gate int sin_len; 4437c478bd9Sstevel@tonic-gate struct sockaddr_in localaddr; 4447c478bd9Sstevel@tonic-gate 4457c478bd9Sstevel@tonic-gate int s; 4467c478bd9Sstevel@tonic-gate in_port_t port; 4477c478bd9Sstevel@tonic-gate pid_t pid; 4487c478bd9Sstevel@tonic-gate int pv[2], pw[2], px[2], cc; 4497c478bd9Sstevel@tonic-gate char buf[RSHD_BUFSIZ]; 4507c478bd9Sstevel@tonic-gate char sig; 4517c478bd9Sstevel@tonic-gate int one = 1; 4527c478bd9Sstevel@tonic-gate int v = 0; 4537c478bd9Sstevel@tonic-gate int err = 0; 4547c478bd9Sstevel@tonic-gate int idx = 0; 4557c478bd9Sstevel@tonic-gate char **pam_env; 4567c478bd9Sstevel@tonic-gate char abuf[INET6_ADDRSTRLEN]; 4577c478bd9Sstevel@tonic-gate struct sockaddr_in *sin; 4587c478bd9Sstevel@tonic-gate struct sockaddr_in6 *sin6; 4597c478bd9Sstevel@tonic-gate int fromplen; 4607c478bd9Sstevel@tonic-gate int homedir_len, shell_len, username_len, tz_len; 4617c478bd9Sstevel@tonic-gate int no_name; 4627c478bd9Sstevel@tonic-gate int bad_port; 4637c478bd9Sstevel@tonic-gate int netf = 0; 4647c478bd9Sstevel@tonic-gate 4657c478bd9Sstevel@tonic-gate (void) signal(SIGINT, SIG_DFL); 4667c478bd9Sstevel@tonic-gate (void) signal(SIGQUIT, SIG_DFL); 4677c478bd9Sstevel@tonic-gate (void) signal(SIGTERM, SIG_DFL); 4687c478bd9Sstevel@tonic-gate (void) signal(SIGXCPU, SIG_DFL); 4697c478bd9Sstevel@tonic-gate (void) signal(SIGXFSZ, SIG_DFL); 4707c478bd9Sstevel@tonic-gate (void) sigset(SIGCHLD, SIG_IGN); 4717c478bd9Sstevel@tonic-gate (void) signal(SIGPIPE, SIG_DFL); 4727c478bd9Sstevel@tonic-gate (void) signal(SIGHUP, SIG_DFL); 4737c478bd9Sstevel@tonic-gate 4747c478bd9Sstevel@tonic-gate #ifdef DEBUG 4757c478bd9Sstevel@tonic-gate { int t = open("/dev/tty", 2); 4767c478bd9Sstevel@tonic-gate if (t >= 0) { 4777c478bd9Sstevel@tonic-gate (void) setsid(); 4787c478bd9Sstevel@tonic-gate (void) close(t); 4797c478bd9Sstevel@tonic-gate } 4807c478bd9Sstevel@tonic-gate } 4817c478bd9Sstevel@tonic-gate #endif 4827c478bd9Sstevel@tonic-gate if (fromp->ss_family == AF_INET) { 4837c478bd9Sstevel@tonic-gate sin = (struct sockaddr_in *)fromp; 4847c478bd9Sstevel@tonic-gate port = ntohs((ushort_t)sin->sin_port); 4857c478bd9Sstevel@tonic-gate fromplen = sizeof (struct sockaddr_in); 4867c478bd9Sstevel@tonic-gate } else if (fromp->ss_family == AF_INET6) { 4877c478bd9Sstevel@tonic-gate sin6 = (struct sockaddr_in6 *)fromp; 4887c478bd9Sstevel@tonic-gate port = ntohs((ushort_t)sin6->sin6_port); 4897c478bd9Sstevel@tonic-gate fromplen = sizeof (struct sockaddr_in6); 4907c478bd9Sstevel@tonic-gate } else { 4917c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "wrong address family\n"); 4927c478bd9Sstevel@tonic-gate exit(1); 4937c478bd9Sstevel@tonic-gate } 4947c478bd9Sstevel@tonic-gate 4957c478bd9Sstevel@tonic-gate sin_len = sizeof (struct sockaddr_in); 4967c478bd9Sstevel@tonic-gate if (getsockname(f, (struct sockaddr *)&localaddr, 4977c478bd9Sstevel@tonic-gate &sin_len) < 0) { 4987c478bd9Sstevel@tonic-gate perror("getsockname"); 4997c478bd9Sstevel@tonic-gate exit(1); 5007c478bd9Sstevel@tonic-gate } 5017c478bd9Sstevel@tonic-gate 5027c478bd9Sstevel@tonic-gate netf = f; 5037c478bd9Sstevel@tonic-gate 5047c478bd9Sstevel@tonic-gate bad_port = (port >= IPPORT_RESERVED || 5057c478bd9Sstevel@tonic-gate port < (uint_t)(IPPORT_RESERVED/2)); 5067c478bd9Sstevel@tonic-gate 5077c478bd9Sstevel@tonic-gate no_name = (getnameinfo((const struct sockaddr *) fromp, fromplen, 5087c478bd9Sstevel@tonic-gate hostname, sizeof (hostname), NULL, 0, 0) != 0); 5097c478bd9Sstevel@tonic-gate 5107c478bd9Sstevel@tonic-gate /* Get the name of the client side host to use later */ 5117c478bd9Sstevel@tonic-gate if (no_name == 1 || bad_port == 1) { 5127c478bd9Sstevel@tonic-gate if (no_name != 0) { 5137c478bd9Sstevel@tonic-gate /* 5147c478bd9Sstevel@tonic-gate * If the '-U' option was given on the cmd line, 5157c478bd9Sstevel@tonic-gate * we must be able to lookup the hostname 5167c478bd9Sstevel@tonic-gate */ 5177c478bd9Sstevel@tonic-gate if (resolve_hostname) { 5187c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "rshd: Couldn't resolve your " 5197c478bd9Sstevel@tonic-gate "address into a host name.\r\n Please " 5207c478bd9Sstevel@tonic-gate "contact your net administrator"); 5217c478bd9Sstevel@tonic-gate exit(1); 5227c478bd9Sstevel@tonic-gate } else { 5237c478bd9Sstevel@tonic-gate /* 5247c478bd9Sstevel@tonic-gate * If there is no host name available and the 5257c478bd9Sstevel@tonic-gate * -U option hasnt been used on the cmd line, 5267c478bd9Sstevel@tonic-gate * use the IP address to identify the 5277c478bd9Sstevel@tonic-gate * host in the pam call below. 5287c478bd9Sstevel@tonic-gate */ 5297c478bd9Sstevel@tonic-gate (void) strncpy(hostname, abuf, 5307c478bd9Sstevel@tonic-gate sizeof (hostname)); 5317c478bd9Sstevel@tonic-gate } 5327c478bd9Sstevel@tonic-gate } 5337c478bd9Sstevel@tonic-gate 5347c478bd9Sstevel@tonic-gate if (fromp->ss_family == AF_INET6) { 5357c478bd9Sstevel@tonic-gate if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { 5367c478bd9Sstevel@tonic-gate struct in_addr ipv4_addr; 5377c478bd9Sstevel@tonic-gate 5387c478bd9Sstevel@tonic-gate IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, 5397c478bd9Sstevel@tonic-gate &ipv4_addr); 5407c478bd9Sstevel@tonic-gate (void) inet_ntop(AF_INET, &ipv4_addr, abuf, 5417c478bd9Sstevel@tonic-gate sizeof (abuf)); 5427c478bd9Sstevel@tonic-gate } else { 5437c478bd9Sstevel@tonic-gate (void) inet_ntop(AF_INET6, &sin6->sin6_addr, 5447c478bd9Sstevel@tonic-gate abuf, sizeof (abuf)); 5457c478bd9Sstevel@tonic-gate } 5467c478bd9Sstevel@tonic-gate } else if (fromp->ss_family == AF_INET) { 5477c478bd9Sstevel@tonic-gate (void) inet_ntop(AF_INET, &sin->sin_addr, 5487c478bd9Sstevel@tonic-gate abuf, sizeof (abuf)); 5497c478bd9Sstevel@tonic-gate } 5507c478bd9Sstevel@tonic-gate } 5517c478bd9Sstevel@tonic-gate 5527c478bd9Sstevel@tonic-gate if (!krb5auth_flag && bad_port) { 5537c478bd9Sstevel@tonic-gate if (no_name) 5547c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "connection from %s - " 5557c478bd9Sstevel@tonic-gate "bad port\n", abuf); 5567c478bd9Sstevel@tonic-gate else 5577c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "connection from %s (%s) - " 5587c478bd9Sstevel@tonic-gate "bad port\n", hostname, abuf); 5597c478bd9Sstevel@tonic-gate exit(1); 5607c478bd9Sstevel@tonic-gate } 5617c478bd9Sstevel@tonic-gate 5627c478bd9Sstevel@tonic-gate (void) alarm(60); 5637c478bd9Sstevel@tonic-gate port = 0; 5647c478bd9Sstevel@tonic-gate for (;;) { 5657c478bd9Sstevel@tonic-gate char c; 5667c478bd9Sstevel@tonic-gate if ((cc = read(f, &c, 1)) != 1) { 5677c478bd9Sstevel@tonic-gate if (cc < 0) 5687c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "read: %m"); 5697c478bd9Sstevel@tonic-gate (void) shutdown(f, 1+1); 5707c478bd9Sstevel@tonic-gate exit(1); 5717c478bd9Sstevel@tonic-gate } 5727c478bd9Sstevel@tonic-gate if (c == 0) 5737c478bd9Sstevel@tonic-gate break; 5747c478bd9Sstevel@tonic-gate port = port * 10 + c - '0'; 5757c478bd9Sstevel@tonic-gate } 5767c478bd9Sstevel@tonic-gate (void) alarm(0); 5777c478bd9Sstevel@tonic-gate if (port != 0) { 5787c478bd9Sstevel@tonic-gate int lport = 0; 5797c478bd9Sstevel@tonic-gate struct sockaddr_storage ctl_addr; 5807c478bd9Sstevel@tonic-gate int addrlen; 5817c478bd9Sstevel@tonic-gate 5827c478bd9Sstevel@tonic-gate (void) memset(&ctl_addr, 0, sizeof (ctl_addr)); 5837c478bd9Sstevel@tonic-gate addrlen = sizeof (ctl_addr); 5847c478bd9Sstevel@tonic-gate if (getsockname(f, (struct sockaddr *)&ctl_addr, 5857c478bd9Sstevel@tonic-gate &addrlen) < 0) { 5867c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "getsockname: %m"); 5877c478bd9Sstevel@tonic-gate exit(1); 5887c478bd9Sstevel@tonic-gate } 5897c478bd9Sstevel@tonic-gate get_port: 5907c478bd9Sstevel@tonic-gate /* 5917c478bd9Sstevel@tonic-gate * 0 means that rresvport_addr() will bind to a port in 5927c478bd9Sstevel@tonic-gate * the anonymous priviledged port range. 5937c478bd9Sstevel@tonic-gate */ 5947c478bd9Sstevel@tonic-gate if (krb5auth_flag) { 5957c478bd9Sstevel@tonic-gate /* 5967c478bd9Sstevel@tonic-gate * Kerberos does not support IPv6 yet. 5977c478bd9Sstevel@tonic-gate */ 5987c478bd9Sstevel@tonic-gate lport = IPPORT_RESERVED - 1; 5997c478bd9Sstevel@tonic-gate } 6007c478bd9Sstevel@tonic-gate s = rresvport_addr(&lport, &ctl_addr); 6017c478bd9Sstevel@tonic-gate 6027c478bd9Sstevel@tonic-gate if (s < 0) { 6037c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "can't get stderr port: %m"); 6047c478bd9Sstevel@tonic-gate exit(1); 6057c478bd9Sstevel@tonic-gate } 6067c478bd9Sstevel@tonic-gate if (!krb5auth_flag && (port >= IPPORT_RESERVED)) { 6077c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "2nd port not reserved\n"); 6087c478bd9Sstevel@tonic-gate exit(1); 6097c478bd9Sstevel@tonic-gate } 6107c478bd9Sstevel@tonic-gate if (fromp->ss_family == AF_INET) { 6117c478bd9Sstevel@tonic-gate sin->sin_port = htons((ushort_t)port); 6127c478bd9Sstevel@tonic-gate } else if (fromp->ss_family == AF_INET6) { 6137c478bd9Sstevel@tonic-gate sin6->sin6_port = htons((ushort_t)port); 6147c478bd9Sstevel@tonic-gate } 6157c478bd9Sstevel@tonic-gate if (connect(s, (struct sockaddr *)fromp, fromplen) < 0) { 6167c478bd9Sstevel@tonic-gate if (errno == EADDRINUSE) { 6177c478bd9Sstevel@tonic-gate (void) close(s); 6187c478bd9Sstevel@tonic-gate goto get_port; 6197c478bd9Sstevel@tonic-gate } 6207c478bd9Sstevel@tonic-gate syslog(LOG_INFO, "connect second port: %m"); 6217c478bd9Sstevel@tonic-gate exit(1); 6227c478bd9Sstevel@tonic-gate } 6237c478bd9Sstevel@tonic-gate } 6247c478bd9Sstevel@tonic-gate (void) dup2(f, 0); 6257c478bd9Sstevel@tonic-gate (void) dup2(f, 1); 6267c478bd9Sstevel@tonic-gate (void) dup2(f, 2); 6277c478bd9Sstevel@tonic-gate 6287c478bd9Sstevel@tonic-gate #ifdef DEBUG 6297c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Client hostname = %s", hostname); 6307c478bd9Sstevel@tonic-gate if (debug_port) 6317c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Debug port is %d", debug_port); 6327c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) 6337c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Kerberos mode is ON"); 6347c478bd9Sstevel@tonic-gate else 6357c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: Kerberos mode is OFF"); 6367c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 6377c478bd9Sstevel@tonic-gate 6387c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 6397c478bd9Sstevel@tonic-gate if ((status = recvauth(f, &valid_checksum))) { 6407c478bd9Sstevel@tonic-gate syslog(LOG_ERR, gettext("Kerberos Authentication " 6417c478bd9Sstevel@tonic-gate "failed \n")); 6427c478bd9Sstevel@tonic-gate error("Authentication failed: %s\n", 6437c478bd9Sstevel@tonic-gate error_message(status)); 6447c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Kerberos Authentication " 6457c478bd9Sstevel@tonic-gate "failed", hostname, remuser, locuser, cmdbuf); 6467c478bd9Sstevel@tonic-gate exit(1); 6477c478bd9Sstevel@tonic-gate } 6487c478bd9Sstevel@tonic-gate 6497c478bd9Sstevel@tonic-gate if (checksum_required && !valid_checksum && 6507c478bd9Sstevel@tonic-gate kcmd_protocol == KCMD_OLD_PROTOCOL) { 6517c478bd9Sstevel@tonic-gate syslog(LOG_WARNING, "Client did not supply required" 6527c478bd9Sstevel@tonic-gate " checksum--connection rejected."); 6537c478bd9Sstevel@tonic-gate error("Client did not supply required" 6547c478bd9Sstevel@tonic-gate "checksum--connection rejected.\n"); 6557c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Client did not supply required" 6567c478bd9Sstevel@tonic-gate " checksum--connection rejected.", hostname, 6577c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 6587c478bd9Sstevel@tonic-gate goto signout; 6597c478bd9Sstevel@tonic-gate } 6607c478bd9Sstevel@tonic-gate 6617c478bd9Sstevel@tonic-gate /* 6627c478bd9Sstevel@tonic-gate * Authentication has succeeded, we now need 6637c478bd9Sstevel@tonic-gate * to check authorization. 6647c478bd9Sstevel@tonic-gate * 6657c478bd9Sstevel@tonic-gate * krb5_kuserok returns 1 if OK. 6667c478bd9Sstevel@tonic-gate */ 6677c478bd9Sstevel@tonic-gate if (client && krb5_kuserok(bsd_context, client, locuser)) { 6687c478bd9Sstevel@tonic-gate auth_sent |= AUTH_KRB5; 6697c478bd9Sstevel@tonic-gate } else { 6707c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Principal %s (%s@%s) for local user " 6717c478bd9Sstevel@tonic-gate "%s failed krb5_kuserok.\n", 6727c478bd9Sstevel@tonic-gate kremuser, remuser, hostname, locuser); 6737c478bd9Sstevel@tonic-gate } 6747c478bd9Sstevel@tonic-gate } else { 6757c478bd9Sstevel@tonic-gate getstr(netf, remuser, sizeof (remuser), "remuser"); 6767c478bd9Sstevel@tonic-gate getstr(netf, locuser, sizeof (locuser), "locuser"); 6777c478bd9Sstevel@tonic-gate getstr(netf, cmdbuf, sizeof (cmdbuf), "command"); 6787c478bd9Sstevel@tonic-gate } 6797c478bd9Sstevel@tonic-gate 6807c478bd9Sstevel@tonic-gate #ifdef DEBUG 6817c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: locuser = %s, remuser = %s, cmdbuf = %s", 6827c478bd9Sstevel@tonic-gate locuser, remuser, cmdbuf); 6837c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 6847c478bd9Sstevel@tonic-gate 6857c478bd9Sstevel@tonic-gate /* 6867c478bd9Sstevel@tonic-gate * Note that there is no rsh conv functions at present. 6877c478bd9Sstevel@tonic-gate */ 6887c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 6897c478bd9Sstevel@tonic-gate if ((err = pam_start("krsh", locuser, NULL, &pamh)) 6907c478bd9Sstevel@tonic-gate != PAM_SUCCESS) { 6917c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_start() failed: %s\n", 6927c478bd9Sstevel@tonic-gate pam_strerror(0, err)); 6937c478bd9Sstevel@tonic-gate exit(1); 6947c478bd9Sstevel@tonic-gate } 6957c478bd9Sstevel@tonic-gate } 6967c478bd9Sstevel@tonic-gate else 6977c478bd9Sstevel@tonic-gate { 6987c478bd9Sstevel@tonic-gate if ((err = pam_start("rsh", locuser, NULL, &pamh)) 6997c478bd9Sstevel@tonic-gate != PAM_SUCCESS) { 7007c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_start() failed: %s\n", 7017c478bd9Sstevel@tonic-gate pam_strerror(0, err)); 7027c478bd9Sstevel@tonic-gate exit(1); 7037c478bd9Sstevel@tonic-gate } 7047c478bd9Sstevel@tonic-gate } 7057c478bd9Sstevel@tonic-gate if ((err = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) { 7067c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_set_item() failed: %s\n", 7077c478bd9Sstevel@tonic-gate pam_strerror(pamh, err)); 7087c478bd9Sstevel@tonic-gate exit(1); 7097c478bd9Sstevel@tonic-gate } 7107c478bd9Sstevel@tonic-gate if ((err = pam_set_item(pamh, PAM_RUSER, remuser)) != PAM_SUCCESS) { 7117c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_set_item() failed: %s\n", 7127c478bd9Sstevel@tonic-gate pam_strerror(pamh, err)); 7137c478bd9Sstevel@tonic-gate exit(1); 7147c478bd9Sstevel@tonic-gate } 7157c478bd9Sstevel@tonic-gate 7167c478bd9Sstevel@tonic-gate pwd = getpwnam(locuser); 7177c478bd9Sstevel@tonic-gate shpwd = getspnam(locuser); 7187c478bd9Sstevel@tonic-gate if ((pwd == NULL) || (shpwd == NULL)) { 7197c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) 7207c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Principal %s (%s@%s) for local user " 7217c478bd9Sstevel@tonic-gate "%s has no account.\n", kremuser, remuser, 7227c478bd9Sstevel@tonic-gate hostname, locuser); 7237c478bd9Sstevel@tonic-gate error("permission denied.\n"); 7247c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Login incorrect", hostname, 7257c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 7267c478bd9Sstevel@tonic-gate exit(1); 7277c478bd9Sstevel@tonic-gate } 7287c478bd9Sstevel@tonic-gate 7297c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 7307c478bd9Sstevel@tonic-gate (void) snprintf(repository, sizeof (repository), 7317c478bd9Sstevel@tonic-gate KRB5_REPOSITORY_NAME); 7327c478bd9Sstevel@tonic-gate /* 7337c478bd9Sstevel@tonic-gate * We currently only support special handling of the 7347c478bd9Sstevel@tonic-gate * KRB5 PAM repository 7357c478bd9Sstevel@tonic-gate */ 7367c478bd9Sstevel@tonic-gate if (strlen(locuser) != 0) { 7377c478bd9Sstevel@tonic-gate krb5_repository_data_t krb5_data; 7387c478bd9Sstevel@tonic-gate pam_repository_t pam_rep_data; 7397c478bd9Sstevel@tonic-gate 7407c478bd9Sstevel@tonic-gate krb5_data.principal = locuser; 7417c478bd9Sstevel@tonic-gate krb5_data.flags = SUNW_PAM_KRB5_ALREADY_AUTHENTICATED; 7427c478bd9Sstevel@tonic-gate 7437c478bd9Sstevel@tonic-gate pam_rep_data.type = repository; 7447c478bd9Sstevel@tonic-gate pam_rep_data.scope = (void *)&krb5_data; 7457c478bd9Sstevel@tonic-gate pam_rep_data.scope_len = sizeof (krb5_data); 7467c478bd9Sstevel@tonic-gate 7477c478bd9Sstevel@tonic-gate (void) pam_set_item(pamh, PAM_REPOSITORY, 7487c478bd9Sstevel@tonic-gate (void *)&pam_rep_data); 7497c478bd9Sstevel@tonic-gate } 7507c478bd9Sstevel@tonic-gate } 7517c478bd9Sstevel@tonic-gate 7527c478bd9Sstevel@tonic-gate /* 7537c478bd9Sstevel@tonic-gate * maintain 2.1 and 4.* and BSD semantics with anonymous rshd 7547c478bd9Sstevel@tonic-gate */ 7557c478bd9Sstevel@tonic-gate if (shpwd->sp_pwdp != 0 && *shpwd->sp_pwdp != '\0' && 7567c478bd9Sstevel@tonic-gate (v = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { 7577c478bd9Sstevel@tonic-gate error("permission denied\n"); 7587c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Permission denied", hostname, 7597c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 7607c478bd9Sstevel@tonic-gate (void) pam_end(pamh, v); 7617c478bd9Sstevel@tonic-gate exit(1); 7627c478bd9Sstevel@tonic-gate } 7637c478bd9Sstevel@tonic-gate 7647c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 7657c478bd9Sstevel@tonic-gate if (require_encrypt && (!do_encrypt)) { 7667c478bd9Sstevel@tonic-gate error("You must use encryption.\n"); 7677c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("You must use encryption.", 7687c478bd9Sstevel@tonic-gate hostname, remuser, locuser, cmdbuf); /* BSM */ 7697c478bd9Sstevel@tonic-gate goto signout; 7707c478bd9Sstevel@tonic-gate } 7717c478bd9Sstevel@tonic-gate 7727c478bd9Sstevel@tonic-gate if (!(auth_ok & auth_sent)) { 7737c478bd9Sstevel@tonic-gate if (auth_sent) { 7747c478bd9Sstevel@tonic-gate error("Another authentication mechanism " 7757c478bd9Sstevel@tonic-gate "must be used to access this host.\n"); 7767c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Another authentication" 7777c478bd9Sstevel@tonic-gate " mechanism must be used to access" 7787c478bd9Sstevel@tonic-gate " this host.\n", hostname, remuser, 7797c478bd9Sstevel@tonic-gate locuser, cmdbuf); /* BSM */ 7807c478bd9Sstevel@tonic-gate goto signout; 7817c478bd9Sstevel@tonic-gate } else { 7827c478bd9Sstevel@tonic-gate error("Permission denied.\n"); 7837c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Permission denied.", 7847c478bd9Sstevel@tonic-gate hostname, remuser, locuser, cmdbuf); 7857c478bd9Sstevel@tonic-gate /* BSM */ 7867c478bd9Sstevel@tonic-gate goto signout; 7877c478bd9Sstevel@tonic-gate } 7887c478bd9Sstevel@tonic-gate } 7897c478bd9Sstevel@tonic-gate 7907c478bd9Sstevel@tonic-gate 7917c478bd9Sstevel@tonic-gate if (pwd->pw_uid && !access("/etc/nologin", F_OK)) { 7927c478bd9Sstevel@tonic-gate error("Logins currently disabled.\n"); 7937c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Logins currently disabled.", 7947c478bd9Sstevel@tonic-gate hostname, remuser, locuser, cmdbuf); 7957c478bd9Sstevel@tonic-gate goto signout; 7967c478bd9Sstevel@tonic-gate } 7977c478bd9Sstevel@tonic-gate 7987c478bd9Sstevel@tonic-gate /* Log access to account */ 7997c478bd9Sstevel@tonic-gate if (pwd && (pwd->pw_uid == 0)) { 8007c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "Executing %s for user %s (%s@%s)" 8017c478bd9Sstevel@tonic-gate " as ROOT", cmdbuf, 8027c478bd9Sstevel@tonic-gate kremuser, remuser, hostname); 8037c478bd9Sstevel@tonic-gate } 8047c478bd9Sstevel@tonic-gate } 8057c478bd9Sstevel@tonic-gate 8067c478bd9Sstevel@tonic-gate if ((v = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { 8077c478bd9Sstevel@tonic-gate switch (v) { 8087c478bd9Sstevel@tonic-gate case PAM_NEW_AUTHTOK_REQD: 8097c478bd9Sstevel@tonic-gate error("password expired\n"); 8107c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Password expired", hostname, 8117c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 8127c478bd9Sstevel@tonic-gate break; 8137c478bd9Sstevel@tonic-gate case PAM_PERM_DENIED: 8147c478bd9Sstevel@tonic-gate error("account expired\n"); 8157c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Account expired", hostname, 8167c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 8177c478bd9Sstevel@tonic-gate break; 8187c478bd9Sstevel@tonic-gate case PAM_AUTHTOK_EXPIRED: 8197c478bd9Sstevel@tonic-gate error("password expired\n"); 8207c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Password expired", hostname, 8217c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 8227c478bd9Sstevel@tonic-gate break; 8237c478bd9Sstevel@tonic-gate default: 8247c478bd9Sstevel@tonic-gate error("login incorrect\n"); 8257c478bd9Sstevel@tonic-gate (void) audit_rshd_fail("Permission denied", hostname, 8267c478bd9Sstevel@tonic-gate remuser, locuser, cmdbuf); /* BSM */ 8277c478bd9Sstevel@tonic-gate break; 8287c478bd9Sstevel@tonic-gate } 8297c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 8307c478bd9Sstevel@tonic-gate exit(1); 8317c478bd9Sstevel@tonic-gate } 8327c478bd9Sstevel@tonic-gate 8337c478bd9Sstevel@tonic-gate if (chdir(pwd->pw_dir) < 0) { 8347c478bd9Sstevel@tonic-gate (void) chdir("/"); 8357c478bd9Sstevel@tonic-gate #ifdef notdef 8367c478bd9Sstevel@tonic-gate error("No remote directory.\n"); 8377c478bd9Sstevel@tonic-gate 8387c478bd9Sstevel@tonic-gate exit(1); 8397c478bd9Sstevel@tonic-gate #endif 8407c478bd9Sstevel@tonic-gate } 8417c478bd9Sstevel@tonic-gate 8427c478bd9Sstevel@tonic-gate /* 8437c478bd9Sstevel@tonic-gate * XXX There is no session management currently being done 8447c478bd9Sstevel@tonic-gate */ 8457c478bd9Sstevel@tonic-gate 8467c478bd9Sstevel@tonic-gate (void) write(STDERR_FILENO, "\0", 1); 8477c478bd9Sstevel@tonic-gate if (port || do_encrypt) { 8487c478bd9Sstevel@tonic-gate if ((pipe(pv) < 0)) { 8497c478bd9Sstevel@tonic-gate error("Can't make pipe.\n"); 8507c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 8517c478bd9Sstevel@tonic-gate exit(1); 8527c478bd9Sstevel@tonic-gate } 8537c478bd9Sstevel@tonic-gate if (do_encrypt) { 8547c478bd9Sstevel@tonic-gate if (pipe(pw) < 0) { 8557c478bd9Sstevel@tonic-gate error("Can't make pipe 2.\n"); 8567c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 8577c478bd9Sstevel@tonic-gate exit(1); 8587c478bd9Sstevel@tonic-gate } 8597c478bd9Sstevel@tonic-gate if (pipe(px) < 0) { 8607c478bd9Sstevel@tonic-gate error("Can't make pipe 3.\n"); 8617c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 8627c478bd9Sstevel@tonic-gate exit(1); 8637c478bd9Sstevel@tonic-gate } 8647c478bd9Sstevel@tonic-gate } 8657c478bd9Sstevel@tonic-gate pid = fork(); 8667c478bd9Sstevel@tonic-gate if (pid == (pid_t)-1) { 8677c478bd9Sstevel@tonic-gate error("Fork (to start shell) failed on server. " 8687c478bd9Sstevel@tonic-gate "Please try again later.\n"); 8697c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 8707c478bd9Sstevel@tonic-gate exit(1); 8717c478bd9Sstevel@tonic-gate } 8727c478bd9Sstevel@tonic-gate if (pid) { 8737c478bd9Sstevel@tonic-gate fd_set ready; 8747c478bd9Sstevel@tonic-gate fd_set readfrom; 8757c478bd9Sstevel@tonic-gate 8767c478bd9Sstevel@tonic-gate (void) close(STDIN_FILENO); 8777c478bd9Sstevel@tonic-gate (void) close(STDOUT_FILENO); 8787c478bd9Sstevel@tonic-gate (void) close(STDERR_FILENO); 8797c478bd9Sstevel@tonic-gate (void) close(pv[1]); 8807c478bd9Sstevel@tonic-gate if (do_encrypt) { 8817c478bd9Sstevel@tonic-gate (void) close(pw[1]); 8827c478bd9Sstevel@tonic-gate (void) close(px[0]); 8837c478bd9Sstevel@tonic-gate } else { 8847c478bd9Sstevel@tonic-gate (void) close(f); 8857c478bd9Sstevel@tonic-gate } 8867c478bd9Sstevel@tonic-gate 8877c478bd9Sstevel@tonic-gate (void) FD_ZERO(&readfrom); 8887c478bd9Sstevel@tonic-gate 8897c478bd9Sstevel@tonic-gate FD_SET(pv[0], &readfrom); 8907c478bd9Sstevel@tonic-gate if (do_encrypt) { 8917c478bd9Sstevel@tonic-gate FD_SET(pw[0], &readfrom); 8927c478bd9Sstevel@tonic-gate FD_SET(f, &readfrom); 8937c478bd9Sstevel@tonic-gate } 8947c478bd9Sstevel@tonic-gate if (port) 8957c478bd9Sstevel@tonic-gate FD_SET(s, &readfrom); 8967c478bd9Sstevel@tonic-gate 8977c478bd9Sstevel@tonic-gate /* read f (net), write to px[1] (child stdin) */ 8987c478bd9Sstevel@tonic-gate /* read pw[0] (child stdout), write to f (net) */ 8997c478bd9Sstevel@tonic-gate /* read s (alt. channel), signal child */ 9007c478bd9Sstevel@tonic-gate /* read pv[0] (child stderr), write to s */ 9017c478bd9Sstevel@tonic-gate if (ioctl(pv[0], FIONBIO, (char *)&one) == -1) 9027c478bd9Sstevel@tonic-gate syslog(LOG_INFO, "ioctl FIONBIO: %m"); 9037c478bd9Sstevel@tonic-gate if (do_encrypt && 9047c478bd9Sstevel@tonic-gate ioctl(pw[0], FIONBIO, (char *)&one) == -1) 9057c478bd9Sstevel@tonic-gate syslog(LOG_INFO, "ioctl FIONBIO: %m"); 9067c478bd9Sstevel@tonic-gate do { 9077c478bd9Sstevel@tonic-gate ready = readfrom; 9087c478bd9Sstevel@tonic-gate if (select(FD_SETSIZE, &ready, NULL, 9097c478bd9Sstevel@tonic-gate NULL, NULL) < 0) { 9107c478bd9Sstevel@tonic-gate if (errno == EINTR) { 9117c478bd9Sstevel@tonic-gate continue; 9127c478bd9Sstevel@tonic-gate } else { 9137c478bd9Sstevel@tonic-gate break; 9147c478bd9Sstevel@tonic-gate } 9157c478bd9Sstevel@tonic-gate } 9167c478bd9Sstevel@tonic-gate /* 9177c478bd9Sstevel@tonic-gate * Read from child stderr, write to net 9187c478bd9Sstevel@tonic-gate */ 9197c478bd9Sstevel@tonic-gate if (port && FD_ISSET(pv[0], &ready)) { 9207c478bd9Sstevel@tonic-gate errno = 0; 9217c478bd9Sstevel@tonic-gate cc = read(pv[0], buf, sizeof (buf)); 9227c478bd9Sstevel@tonic-gate if (cc <= 0) { 9237c478bd9Sstevel@tonic-gate (void) shutdown(s, 2); 9247c478bd9Sstevel@tonic-gate FD_CLR(pv[0], &readfrom); 9257c478bd9Sstevel@tonic-gate } else { 9267c478bd9Sstevel@tonic-gate (void) deswrite(s, buf, cc, 1); 9277c478bd9Sstevel@tonic-gate } 9287c478bd9Sstevel@tonic-gate } 9297c478bd9Sstevel@tonic-gate /* 9307c478bd9Sstevel@tonic-gate * Read from alternate channel, signal child 9317c478bd9Sstevel@tonic-gate */ 9327c478bd9Sstevel@tonic-gate if (port && FD_ISSET(s, &ready)) { 9337c478bd9Sstevel@tonic-gate if ((int)desread(s, &sig, 1, 1) <= 0) 9347c478bd9Sstevel@tonic-gate FD_CLR(s, &readfrom); 9357c478bd9Sstevel@tonic-gate else 9367c478bd9Sstevel@tonic-gate (void) killpg(pid, sig); 9377c478bd9Sstevel@tonic-gate } 9387c478bd9Sstevel@tonic-gate /* 9397c478bd9Sstevel@tonic-gate * Read from child stdout, write to net 9407c478bd9Sstevel@tonic-gate */ 9417c478bd9Sstevel@tonic-gate if (do_encrypt && FD_ISSET(pw[0], &ready)) { 9427c478bd9Sstevel@tonic-gate errno = 0; 9437c478bd9Sstevel@tonic-gate cc = read(pw[0], buf, sizeof (buf)); 9447c478bd9Sstevel@tonic-gate if (cc <= 0) { 9457c478bd9Sstevel@tonic-gate (void) shutdown(f, 2); 9467c478bd9Sstevel@tonic-gate FD_CLR(pw[0], &readfrom); 9477c478bd9Sstevel@tonic-gate } else { 9487c478bd9Sstevel@tonic-gate (void) deswrite(f, buf, cc, 0); 9497c478bd9Sstevel@tonic-gate } 9507c478bd9Sstevel@tonic-gate } 9517c478bd9Sstevel@tonic-gate /* 9527c478bd9Sstevel@tonic-gate * Read from the net, write to child stdin 9537c478bd9Sstevel@tonic-gate */ 9547c478bd9Sstevel@tonic-gate if (do_encrypt && FD_ISSET(f, &ready)) { 9557c478bd9Sstevel@tonic-gate errno = 0; 9567c478bd9Sstevel@tonic-gate cc = desread(f, buf, sizeof (buf), 0); 9577c478bd9Sstevel@tonic-gate if (cc <= 0) { 9587c478bd9Sstevel@tonic-gate (void) close(px[1]); 9597c478bd9Sstevel@tonic-gate FD_CLR(f, &readfrom); 9607c478bd9Sstevel@tonic-gate } else { 9617c478bd9Sstevel@tonic-gate int wcc; 9627c478bd9Sstevel@tonic-gate wcc = write(px[1], buf, cc); 9637c478bd9Sstevel@tonic-gate if (wcc == -1) { 9647c478bd9Sstevel@tonic-gate /* 9657c478bd9Sstevel@tonic-gate * pipe closed, 9667c478bd9Sstevel@tonic-gate * don't read any 9677c478bd9Sstevel@tonic-gate * more 9687c478bd9Sstevel@tonic-gate * 9697c478bd9Sstevel@tonic-gate * might check for 9707c478bd9Sstevel@tonic-gate * EPIPE 9717c478bd9Sstevel@tonic-gate */ 9727c478bd9Sstevel@tonic-gate (void) close(px[1]); 9737c478bd9Sstevel@tonic-gate FD_CLR(f, &readfrom); 9747c478bd9Sstevel@tonic-gate } else if (wcc != cc) { 9757c478bd9Sstevel@tonic-gate /* CSTYLED */ 9767c478bd9Sstevel@tonic-gate syslog(LOG_INFO, gettext("only wrote %d/%d to child"), 9777c478bd9Sstevel@tonic-gate wcc, cc); 9787c478bd9Sstevel@tonic-gate } 9797c478bd9Sstevel@tonic-gate } 9807c478bd9Sstevel@tonic-gate } 9817c478bd9Sstevel@tonic-gate } while ((port && FD_ISSET(s, &readfrom)) || 9827c478bd9Sstevel@tonic-gate (port && FD_ISSET(pv[0], &readfrom)) || 9837c478bd9Sstevel@tonic-gate (do_encrypt && FD_ISSET(f, &readfrom)) || 9847c478bd9Sstevel@tonic-gate (do_encrypt && FD_ISSET(pw[0], &readfrom))); 9857c478bd9Sstevel@tonic-gate #ifdef DEBUG 9867c478bd9Sstevel@tonic-gate syslog(LOG_INFO, "Shell process completed."); 9877c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 9887c478bd9Sstevel@tonic-gate if (ccache) 9897c478bd9Sstevel@tonic-gate (void) pam_close_session(pamh, 0); 9907c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_SUCCESS); 9917c478bd9Sstevel@tonic-gate 9927c478bd9Sstevel@tonic-gate exit(0); 9937c478bd9Sstevel@tonic-gate } /* End of Parent block */ 9947c478bd9Sstevel@tonic-gate 9957c478bd9Sstevel@tonic-gate (void) setsid(); /* Should be the same as above. */ 9967c478bd9Sstevel@tonic-gate (void) close(pv[0]); 9977c478bd9Sstevel@tonic-gate (void) dup2(pv[1], 2); 9987c478bd9Sstevel@tonic-gate (void) close(pv[1]); 9997c478bd9Sstevel@tonic-gate if (port) 10007c478bd9Sstevel@tonic-gate (void) close(s); 10017c478bd9Sstevel@tonic-gate if (do_encrypt) { 10027c478bd9Sstevel@tonic-gate (void) close(f); 10037c478bd9Sstevel@tonic-gate (void) close(pw[0]); 10047c478bd9Sstevel@tonic-gate (void) close(px[1]); 10057c478bd9Sstevel@tonic-gate 10067c478bd9Sstevel@tonic-gate (void) dup2(px[0], 0); 10077c478bd9Sstevel@tonic-gate (void) dup2(pw[1], 1); 10087c478bd9Sstevel@tonic-gate 10097c478bd9Sstevel@tonic-gate (void) close(px[0]); 10107c478bd9Sstevel@tonic-gate (void) close(pw[1]); 10117c478bd9Sstevel@tonic-gate } 10127c478bd9Sstevel@tonic-gate } 10137c478bd9Sstevel@tonic-gate 10147c478bd9Sstevel@tonic-gate if (*pwd->pw_shell == '\0') 10157c478bd9Sstevel@tonic-gate pwd->pw_shell = "/bin/sh"; 10167c478bd9Sstevel@tonic-gate if (!do_encrypt) 10177c478bd9Sstevel@tonic-gate (void) close(f); 10187c478bd9Sstevel@tonic-gate /* 10197c478bd9Sstevel@tonic-gate * write audit record before making uid switch 10207c478bd9Sstevel@tonic-gate */ 10217c478bd9Sstevel@tonic-gate (void) audit_rshd_success(hostname, remuser, locuser, cmdbuf); /* BSM */ 10227c478bd9Sstevel@tonic-gate 10237c478bd9Sstevel@tonic-gate /* set the real (and effective) GID */ 10247c478bd9Sstevel@tonic-gate if (setgid(pwd->pw_gid) == -1) { 10257c478bd9Sstevel@tonic-gate error("Invalid gid.\n"); 10267c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 10277c478bd9Sstevel@tonic-gate exit(1); 10287c478bd9Sstevel@tonic-gate } 10297c478bd9Sstevel@tonic-gate 10307c478bd9Sstevel@tonic-gate /* 10317c478bd9Sstevel@tonic-gate * Initialize the supplementary group access list. 10327c478bd9Sstevel@tonic-gate */ 10337c478bd9Sstevel@tonic-gate if (strlen(locuser) == 0) { 10347c478bd9Sstevel@tonic-gate error("No local user.\n"); 10357c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 10367c478bd9Sstevel@tonic-gate exit(1); 10377c478bd9Sstevel@tonic-gate } 10387c478bd9Sstevel@tonic-gate if (initgroups(locuser, pwd->pw_gid) == -1) { 10397c478bd9Sstevel@tonic-gate error("Initgroup failed.\n"); 10407c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 10417c478bd9Sstevel@tonic-gate exit(1); 10427c478bd9Sstevel@tonic-gate } 10437c478bd9Sstevel@tonic-gate 10447c478bd9Sstevel@tonic-gate if ((v = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { 10457c478bd9Sstevel@tonic-gate error("Insufficient credentials.\n"); 10467c478bd9Sstevel@tonic-gate (void) pam_end(pamh, v); 10477c478bd9Sstevel@tonic-gate exit(1); 10487c478bd9Sstevel@tonic-gate } 10497c478bd9Sstevel@tonic-gate 10507c478bd9Sstevel@tonic-gate /* set the real (and effective) UID */ 10517c478bd9Sstevel@tonic-gate if (setuid(pwd->pw_uid) == -1) { 10527c478bd9Sstevel@tonic-gate error("Invalid uid.\n"); 10537c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 10547c478bd9Sstevel@tonic-gate exit(1); 10557c478bd9Sstevel@tonic-gate } 10567c478bd9Sstevel@tonic-gate 10577c478bd9Sstevel@tonic-gate /* Change directory only after becoming the appropriate user. */ 10587c478bd9Sstevel@tonic-gate if (chdir(pwd->pw_dir) < 0) { 10597c478bd9Sstevel@tonic-gate (void) chdir("/"); 10607c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 10617c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Principal %s (%s@%s) for local user" 10627c478bd9Sstevel@tonic-gate " %s has no home directory.", 10637c478bd9Sstevel@tonic-gate kremuser, remuser, hostname, locuser); 10647c478bd9Sstevel@tonic-gate error("No remote directory.\n"); 10657c478bd9Sstevel@tonic-gate goto signout; 10667c478bd9Sstevel@tonic-gate } 10677c478bd9Sstevel@tonic-gate #ifdef notdef 10687c478bd9Sstevel@tonic-gate error("No remote directory.\n"); 10697c478bd9Sstevel@tonic-gate exit(1); 10707c478bd9Sstevel@tonic-gate #endif 10717c478bd9Sstevel@tonic-gate } 10727c478bd9Sstevel@tonic-gate 10737c478bd9Sstevel@tonic-gate path = (pwd->pw_uid == 0) ? rootpath : userpath; 10747c478bd9Sstevel@tonic-gate 10757c478bd9Sstevel@tonic-gate /* 10767c478bd9Sstevel@tonic-gate * Space for the following environment variables are dynamically 10777c478bd9Sstevel@tonic-gate * allocated because their lengths are not known before calling 10787c478bd9Sstevel@tonic-gate * getpwnam(). 10797c478bd9Sstevel@tonic-gate */ 10807c478bd9Sstevel@tonic-gate homedir_len = strlen(pwd->pw_dir) + strlen(homestr) + 1; 10817c478bd9Sstevel@tonic-gate shell_len = strlen(pwd->pw_shell) + strlen(shellstr) + 1; 10827c478bd9Sstevel@tonic-gate username_len = strlen(pwd->pw_name) + strlen(userstr) + 1; 10837c478bd9Sstevel@tonic-gate homedir = (char *)malloc(homedir_len); 10847c478bd9Sstevel@tonic-gate shell = (char *)malloc(shell_len); 10857c478bd9Sstevel@tonic-gate username = (char *)malloc(username_len); 10867c478bd9Sstevel@tonic-gate if (homedir == NULL || shell == NULL || username == NULL) { 10877c478bd9Sstevel@tonic-gate perror("malloc"); 10887c478bd9Sstevel@tonic-gate exit(1); 10897c478bd9Sstevel@tonic-gate } 10907c478bd9Sstevel@tonic-gate (void) snprintf(homedir, homedir_len, "%s%s", homestr, pwd->pw_dir); 10917c478bd9Sstevel@tonic-gate (void) snprintf(shell, shell_len, "%s%s", shellstr, pwd->pw_shell); 10927c478bd9Sstevel@tonic-gate (void) snprintf(username, username_len, "%s%s", userstr, pwd->pw_name); 10937c478bd9Sstevel@tonic-gate 10947c478bd9Sstevel@tonic-gate /* Pass timezone to executed command. */ 10957c478bd9Sstevel@tonic-gate if (tzenv = getenv("TZ")) { 10967c478bd9Sstevel@tonic-gate tz_len = strlen(tzenv) + strlen(tzstr) + 1; 10977c478bd9Sstevel@tonic-gate tz = malloc(tz_len); 10987c478bd9Sstevel@tonic-gate if (tz != NULL) 10997c478bd9Sstevel@tonic-gate (void) snprintf(tz, tz_len, "%s%s", tzstr, tzenv); 11007c478bd9Sstevel@tonic-gate } 11017c478bd9Sstevel@tonic-gate 11027c478bd9Sstevel@tonic-gate add_to_envinit(homedir); 11037c478bd9Sstevel@tonic-gate add_to_envinit(shell); 11047c478bd9Sstevel@tonic-gate add_to_envinit(path); 11057c478bd9Sstevel@tonic-gate add_to_envinit(username); 11067c478bd9Sstevel@tonic-gate add_to_envinit(tz); 11077c478bd9Sstevel@tonic-gate 11087c478bd9Sstevel@tonic-gate if (krb5auth_flag > 0) { 11097c478bd9Sstevel@tonic-gate int length; 11107c478bd9Sstevel@tonic-gate char *buffer; 11117c478bd9Sstevel@tonic-gate 11127c478bd9Sstevel@tonic-gate /* 11137c478bd9Sstevel@tonic-gate * If we have KRB5CCNAME set, then copy into the child's 11147c478bd9Sstevel@tonic-gate * environment. This can't really have a fixed position 11157c478bd9Sstevel@tonic-gate * because `tz' may or may not be set. 11167c478bd9Sstevel@tonic-gate */ 11177c478bd9Sstevel@tonic-gate if (getenv("KRB5CCNAME")) { 11187c478bd9Sstevel@tonic-gate length = (int)strlen(getenv("KRB5CCNAME")) + 11197c478bd9Sstevel@tonic-gate (int)strlen("KRB5CCNAME=") + 1; 11207c478bd9Sstevel@tonic-gate buffer = (char *)malloc(length); 11217c478bd9Sstevel@tonic-gate 11227c478bd9Sstevel@tonic-gate if (buffer) { 11237c478bd9Sstevel@tonic-gate (void) snprintf(buffer, length, "KRB5CCNAME=%s", 11247c478bd9Sstevel@tonic-gate getenv("KRB5CCNAME")); 11257c478bd9Sstevel@tonic-gate add_to_envinit(buffer); 11267c478bd9Sstevel@tonic-gate } 11277c478bd9Sstevel@tonic-gate } { 11287c478bd9Sstevel@tonic-gate /* These two are covered by ADDRPAD */ 11297c478bd9Sstevel@tonic-gate length = strlen(inet_ntoa(localaddr.sin_addr)) + 1 + 11307c478bd9Sstevel@tonic-gate strlen("KRB5LOCALADDR="); 11317c478bd9Sstevel@tonic-gate (void) snprintf(local_addr, length, "KRB5LOCALADDR=%s", 11327c478bd9Sstevel@tonic-gate inet_ntoa(localaddr.sin_addr)); 11337c478bd9Sstevel@tonic-gate add_to_envinit(local_addr); 11347c478bd9Sstevel@tonic-gate 11357c478bd9Sstevel@tonic-gate length = strlen(inet_ntoa(sin->sin_addr)) + 1 + 11367c478bd9Sstevel@tonic-gate strlen("KRB5REMOTEADDR="); 11377c478bd9Sstevel@tonic-gate (void) snprintf(remote_addr, length, 11387c478bd9Sstevel@tonic-gate "KRB5REMOTEADDR=%s", inet_ntoa(sin->sin_addr)); 11397c478bd9Sstevel@tonic-gate add_to_envinit(remote_addr); 11407c478bd9Sstevel@tonic-gate } 11417c478bd9Sstevel@tonic-gate 11427c478bd9Sstevel@tonic-gate /* 11437c478bd9Sstevel@tonic-gate * If we do anything else, make sure there is 11447c478bd9Sstevel@tonic-gate * space in the array. 11457c478bd9Sstevel@tonic-gate */ 11467c478bd9Sstevel@tonic-gate for (cnt = 0; cnt < num_env; cnt++) { 11477c478bd9Sstevel@tonic-gate char *buf; 11487c478bd9Sstevel@tonic-gate 11497c478bd9Sstevel@tonic-gate if (getenv(save_env[cnt])) { 11507c478bd9Sstevel@tonic-gate length = (int)strlen(getenv(save_env[cnt])) + 11517c478bd9Sstevel@tonic-gate (int)strlen(save_env[cnt]) + 2; 11527c478bd9Sstevel@tonic-gate 11537c478bd9Sstevel@tonic-gate buf = (char *)malloc(length); 11547c478bd9Sstevel@tonic-gate if (buf) { 11557c478bd9Sstevel@tonic-gate (void) snprintf(buf, length, "%s=%s", 11567c478bd9Sstevel@tonic-gate save_env[cnt], 11577c478bd9Sstevel@tonic-gate getenv(save_env[cnt])); 11587c478bd9Sstevel@tonic-gate add_to_envinit(buf); 11597c478bd9Sstevel@tonic-gate } 11607c478bd9Sstevel@tonic-gate } 11617c478bd9Sstevel@tonic-gate } 11627c478bd9Sstevel@tonic-gate 11637c478bd9Sstevel@tonic-gate } 11647c478bd9Sstevel@tonic-gate 11657c478bd9Sstevel@tonic-gate /* 11667c478bd9Sstevel@tonic-gate * add PAM environment variables set by modules 11677c478bd9Sstevel@tonic-gate * -- only allowed 16 (PAM_ENV_ELIM) 11687c478bd9Sstevel@tonic-gate * -- check to see if the environment variable is legal 11697c478bd9Sstevel@tonic-gate */ 11707c478bd9Sstevel@tonic-gate if ((pam_env = pam_getenvlist(pamh)) != 0) { 11717c478bd9Sstevel@tonic-gate while (pam_env[idx] != 0) { 11727c478bd9Sstevel@tonic-gate if (idx < PAM_ENV_ELIM && 11737c478bd9Sstevel@tonic-gate legalenvvar(pam_env[idx])) { 11747c478bd9Sstevel@tonic-gate add_to_envinit(pam_env[idx]); 11757c478bd9Sstevel@tonic-gate } 11767c478bd9Sstevel@tonic-gate idx++; 11777c478bd9Sstevel@tonic-gate } 11787c478bd9Sstevel@tonic-gate } 11797c478bd9Sstevel@tonic-gate 11807c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_SUCCESS); 11817c478bd9Sstevel@tonic-gate 11827c478bd9Sstevel@tonic-gate /* 11837c478bd9Sstevel@tonic-gate * Pick up locale environment variables, if any. 11847c478bd9Sstevel@tonic-gate */ 11857c478bd9Sstevel@tonic-gate lenvp = renvp; 11867c478bd9Sstevel@tonic-gate while (*lenvp != NULL) { 11877c478bd9Sstevel@tonic-gate int index; 11887c478bd9Sstevel@tonic-gate 11897c478bd9Sstevel@tonic-gate for (index = 0; localeenv[index] != NULL; index++) 11907c478bd9Sstevel@tonic-gate /* 11917c478bd9Sstevel@tonic-gate * locale_envmatch() returns 1 if 11927c478bd9Sstevel@tonic-gate * *lenvp is localenev[index] and valid. 11937c478bd9Sstevel@tonic-gate */ 11947c478bd9Sstevel@tonic-gate if (locale_envmatch(localeenv[index], *lenvp)) { 11957c478bd9Sstevel@tonic-gate add_to_envinit(*lenvp); 11967c478bd9Sstevel@tonic-gate break; 11977c478bd9Sstevel@tonic-gate } 11987c478bd9Sstevel@tonic-gate 11997c478bd9Sstevel@tonic-gate lenvp++; 12007c478bd9Sstevel@tonic-gate } 12017c478bd9Sstevel@tonic-gate 12027c478bd9Sstevel@tonic-gate cp = strrchr(pwd->pw_shell, '/'); 12037c478bd9Sstevel@tonic-gate if (cp != NULL) 12047c478bd9Sstevel@tonic-gate cp++; 12057c478bd9Sstevel@tonic-gate else 12067c478bd9Sstevel@tonic-gate cp = pwd->pw_shell; 12077c478bd9Sstevel@tonic-gate /* 12087c478bd9Sstevel@tonic-gate * rdist has been moved to /usr/bin, so /usr/ucb/rdist might not 12097c478bd9Sstevel@tonic-gate * be present on a system. So if it doesn't exist we fall back 12107c478bd9Sstevel@tonic-gate * and try for it in /usr/bin. We take care to match the space 12117c478bd9Sstevel@tonic-gate * after the name because the only purpose of this is to protect 12127c478bd9Sstevel@tonic-gate * the internal call from old rdist's, not humans who type 12137c478bd9Sstevel@tonic-gate * "rsh foo /usr/ucb/rdist". 12147c478bd9Sstevel@tonic-gate */ 12157c478bd9Sstevel@tonic-gate #define RDIST_PROG_NAME "/usr/ucb/rdist -Server" 12167c478bd9Sstevel@tonic-gate if (strncmp(cmdbuf, RDIST_PROG_NAME, strlen(RDIST_PROG_NAME)) == 0) { 12177c478bd9Sstevel@tonic-gate if (stat("/usr/ucb/rdist", &statb) != 0) { 12187c478bd9Sstevel@tonic-gate (void) strncpy(cmdbuf + 5, "bin", 3); 12197c478bd9Sstevel@tonic-gate } 12207c478bd9Sstevel@tonic-gate } 12217c478bd9Sstevel@tonic-gate 12227c478bd9Sstevel@tonic-gate #ifdef DEBUG 12237c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: cmdbuf = %s", cmdbuf); 12247c478bd9Sstevel@tonic-gate if (do_encrypt) 12257c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE, "rshd: cmd to be exec'ed = %s", 12267c478bd9Sstevel@tonic-gate ((char *)cmdbuf + 3)); 12277c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 12287c478bd9Sstevel@tonic-gate 12297c478bd9Sstevel@tonic-gate if (do_encrypt && (strncmp(cmdbuf, "-x ", 3) == 0)) { 12307c478bd9Sstevel@tonic-gate (void) execle(pwd->pw_shell, cp, "-c", (char *)cmdbuf + 3, 12317c478bd9Sstevel@tonic-gate NULL, envinit); 12327c478bd9Sstevel@tonic-gate } else { 12337c478bd9Sstevel@tonic-gate (void) execle(pwd->pw_shell, cp, "-c", cmdbuf, NULL, 12347c478bd9Sstevel@tonic-gate envinit); 12357c478bd9Sstevel@tonic-gate } 12367c478bd9Sstevel@tonic-gate 12377c478bd9Sstevel@tonic-gate perror(pwd->pw_shell); 12387c478bd9Sstevel@tonic-gate exit(1); 12397c478bd9Sstevel@tonic-gate 12407c478bd9Sstevel@tonic-gate signout: 12417c478bd9Sstevel@tonic-gate if (ccache) 12427c478bd9Sstevel@tonic-gate (void) pam_close_session(pamh, 0); 12437c478bd9Sstevel@tonic-gate ccache = NULL; 12447c478bd9Sstevel@tonic-gate (void) pam_end(pamh, PAM_ABORT); 12457c478bd9Sstevel@tonic-gate exit(1); 12467c478bd9Sstevel@tonic-gate } 12477c478bd9Sstevel@tonic-gate 12487c478bd9Sstevel@tonic-gate static void 12497c478bd9Sstevel@tonic-gate getstr(fd, buf, cnt, err) 12507c478bd9Sstevel@tonic-gate int fd; 12517c478bd9Sstevel@tonic-gate char *buf; 12527c478bd9Sstevel@tonic-gate int cnt; 12537c478bd9Sstevel@tonic-gate char *err; 12547c478bd9Sstevel@tonic-gate { 12557c478bd9Sstevel@tonic-gate char c; 12567c478bd9Sstevel@tonic-gate 12577c478bd9Sstevel@tonic-gate do { 12587c478bd9Sstevel@tonic-gate if (read(fd, &c, 1) != 1) 12597c478bd9Sstevel@tonic-gate exit(1); 12607c478bd9Sstevel@tonic-gate if (cnt-- == 0) { 12617c478bd9Sstevel@tonic-gate error("%s too long\n", err); 12627c478bd9Sstevel@tonic-gate exit(1); 12637c478bd9Sstevel@tonic-gate } 12647c478bd9Sstevel@tonic-gate *buf++ = c; 12657c478bd9Sstevel@tonic-gate } while (c != 0); 12667c478bd9Sstevel@tonic-gate } 12677c478bd9Sstevel@tonic-gate 12687c478bd9Sstevel@tonic-gate /*PRINTFLIKE1*/ 12697c478bd9Sstevel@tonic-gate static void 12707c478bd9Sstevel@tonic-gate error(char *fmt, ...) 12717c478bd9Sstevel@tonic-gate { 12727c478bd9Sstevel@tonic-gate va_list ap; 12737c478bd9Sstevel@tonic-gate char buf[RSHD_BUFSIZ]; 12747c478bd9Sstevel@tonic-gate 12757c478bd9Sstevel@tonic-gate buf[0] = 1; 12767c478bd9Sstevel@tonic-gate va_start(ap, fmt); 12777c478bd9Sstevel@tonic-gate (void) vsnprintf(&buf[1], sizeof (buf) - 1, fmt, ap); 12787c478bd9Sstevel@tonic-gate va_end(ap); 12797c478bd9Sstevel@tonic-gate (void) write(STDERR_FILENO, buf, strlen(buf)); 12807c478bd9Sstevel@tonic-gate } 12817c478bd9Sstevel@tonic-gate 12827c478bd9Sstevel@tonic-gate static char *illegal[] = { 12837c478bd9Sstevel@tonic-gate "SHELL=", 12847c478bd9Sstevel@tonic-gate "HOME=", 12857c478bd9Sstevel@tonic-gate "LOGNAME=", 12867c478bd9Sstevel@tonic-gate #ifndef NO_MAIL 12877c478bd9Sstevel@tonic-gate "MAIL=", 12887c478bd9Sstevel@tonic-gate #endif 12897c478bd9Sstevel@tonic-gate "CDPATH=", 12907c478bd9Sstevel@tonic-gate "IFS=", 12917c478bd9Sstevel@tonic-gate "PATH=", 12927c478bd9Sstevel@tonic-gate "USER=", 12937c478bd9Sstevel@tonic-gate "TZ=", 12947c478bd9Sstevel@tonic-gate 0 12957c478bd9Sstevel@tonic-gate }; 12967c478bd9Sstevel@tonic-gate 12977c478bd9Sstevel@tonic-gate /* 12987c478bd9Sstevel@tonic-gate * legalenvvar - can PAM modules insert this environmental variable? 12997c478bd9Sstevel@tonic-gate */ 13007c478bd9Sstevel@tonic-gate 13017c478bd9Sstevel@tonic-gate static int 13027c478bd9Sstevel@tonic-gate legalenvvar(char *s) 13037c478bd9Sstevel@tonic-gate { 13047c478bd9Sstevel@tonic-gate register char **p; 13057c478bd9Sstevel@tonic-gate 13067c478bd9Sstevel@tonic-gate for (p = illegal; *p; p++) 13077c478bd9Sstevel@tonic-gate if (strncmp(s, *p, strlen(*p)) == 0) 13087c478bd9Sstevel@tonic-gate return (0); 13097c478bd9Sstevel@tonic-gate 13107c478bd9Sstevel@tonic-gate if (s[0] == 'L' && s[1] == 'D' && s[2] == '_') 13117c478bd9Sstevel@tonic-gate return (0); 13127c478bd9Sstevel@tonic-gate 13137c478bd9Sstevel@tonic-gate return (1); 13147c478bd9Sstevel@tonic-gate } 13157c478bd9Sstevel@tonic-gate 13167c478bd9Sstevel@tonic-gate /* 13177c478bd9Sstevel@tonic-gate * Add a string to the environment of the new process. 13187c478bd9Sstevel@tonic-gate */ 13197c478bd9Sstevel@tonic-gate 13207c478bd9Sstevel@tonic-gate static void 13217c478bd9Sstevel@tonic-gate add_to_envinit(char *string) 13227c478bd9Sstevel@tonic-gate { 13237c478bd9Sstevel@tonic-gate /* 13247c478bd9Sstevel@tonic-gate * Reserve space for 2 * 8 = 16 environment entries initially which 13257c478bd9Sstevel@tonic-gate * should be enough to avoid reallocation of "envinit" in most cases. 13267c478bd9Sstevel@tonic-gate */ 13277c478bd9Sstevel@tonic-gate static int size = 8; 13287c478bd9Sstevel@tonic-gate static int index = 0; 13297c478bd9Sstevel@tonic-gate 13307c478bd9Sstevel@tonic-gate if (string == NULL) 13317c478bd9Sstevel@tonic-gate return; 13327c478bd9Sstevel@tonic-gate 13337c478bd9Sstevel@tonic-gate if ((envinit == NULL) || (index == size)) { 13347c478bd9Sstevel@tonic-gate size *= 2; 13357c478bd9Sstevel@tonic-gate envinit = realloc(envinit, (size + 1) * sizeof (char *)); 13367c478bd9Sstevel@tonic-gate if (envinit == NULL) { 13377c478bd9Sstevel@tonic-gate perror("malloc"); 13387c478bd9Sstevel@tonic-gate exit(1); 13397c478bd9Sstevel@tonic-gate } 13407c478bd9Sstevel@tonic-gate } 13417c478bd9Sstevel@tonic-gate 13427c478bd9Sstevel@tonic-gate envinit[index++] = string; 13437c478bd9Sstevel@tonic-gate envinit[index] = NULL; 13447c478bd9Sstevel@tonic-gate } 13457c478bd9Sstevel@tonic-gate 13467c478bd9Sstevel@tonic-gate /* 13477c478bd9Sstevel@tonic-gate * Check if lenv and penv matches or not. 13487c478bd9Sstevel@tonic-gate */ 13497c478bd9Sstevel@tonic-gate static int 13507c478bd9Sstevel@tonic-gate locale_envmatch(char *lenv, char *penv) 13517c478bd9Sstevel@tonic-gate { 13527c478bd9Sstevel@tonic-gate while ((*lenv == *penv) && (*lenv != '\0') && (*penv != '=')) { 13537c478bd9Sstevel@tonic-gate lenv++; 13547c478bd9Sstevel@tonic-gate penv++; 13557c478bd9Sstevel@tonic-gate } 13567c478bd9Sstevel@tonic-gate 13577c478bd9Sstevel@tonic-gate /* 13587c478bd9Sstevel@tonic-gate * '/' is eliminated for security reason. 13597c478bd9Sstevel@tonic-gate */ 13607c478bd9Sstevel@tonic-gate return ((*lenv == '\0' && *penv == '=' && *(penv + 1) != '/')); 13617c478bd9Sstevel@tonic-gate } 13627c478bd9Sstevel@tonic-gate 13637c478bd9Sstevel@tonic-gate #ifndef KRB_SENDAUTH_VLEN 13647c478bd9Sstevel@tonic-gate #define KRB_SENDAUTH_VLEN 8 /* length for version strings */ 13657c478bd9Sstevel@tonic-gate #endif 13667c478bd9Sstevel@tonic-gate 13677c478bd9Sstevel@tonic-gate /* MUST be KRB_SENDAUTH_VLEN chars */ 13687c478bd9Sstevel@tonic-gate #define KRB_SENDAUTH_VERS "AUTHV0.1" 13697c478bd9Sstevel@tonic-gate #define SIZEOF_INADDR sizeof (struct in_addr) 13707c478bd9Sstevel@tonic-gate 13717c478bd9Sstevel@tonic-gate static krb5_error_code 13727c478bd9Sstevel@tonic-gate recvauth(int netf, int *valid_checksum) 13737c478bd9Sstevel@tonic-gate { 13747c478bd9Sstevel@tonic-gate krb5_auth_context auth_context = NULL; 13757c478bd9Sstevel@tonic-gate krb5_error_code status; 13767c478bd9Sstevel@tonic-gate struct sockaddr_in laddr; 13777c478bd9Sstevel@tonic-gate int len; 13787c478bd9Sstevel@tonic-gate krb5_data inbuf; 13797c478bd9Sstevel@tonic-gate krb5_authenticator *authenticator; 13807c478bd9Sstevel@tonic-gate krb5_ticket *ticket; 13817c478bd9Sstevel@tonic-gate krb5_rcache rcache; 13827c478bd9Sstevel@tonic-gate krb5_data version; 13837c478bd9Sstevel@tonic-gate krb5_encrypt_block eblock; /* eblock for encrypt/decrypt */ 13847c478bd9Sstevel@tonic-gate krb5_data desinbuf; 13857c478bd9Sstevel@tonic-gate krb5_data desoutbuf; 13867c478bd9Sstevel@tonic-gate char des_inbuf[2 * RSHD_BUFSIZ]; 13877c478bd9Sstevel@tonic-gate /* needs to be > largest read size */ 13887c478bd9Sstevel@tonic-gate char des_outbuf[2 * RSHD_BUFSIZ + 4]; 13897c478bd9Sstevel@tonic-gate /* needs to be > largest write size */ 13907c478bd9Sstevel@tonic-gate 13917c478bd9Sstevel@tonic-gate *valid_checksum = 0; 13927c478bd9Sstevel@tonic-gate len = sizeof (laddr); 13937c478bd9Sstevel@tonic-gate 13947c478bd9Sstevel@tonic-gate if (getsockname(netf, (struct sockaddr *)&laddr, &len)) { 13957c478bd9Sstevel@tonic-gate exit(1); 13967c478bd9Sstevel@tonic-gate } 13977c478bd9Sstevel@tonic-gate 13987c478bd9Sstevel@tonic-gate if (status = krb5_auth_con_init(bsd_context, &auth_context)) 13997c478bd9Sstevel@tonic-gate return (status); 14007c478bd9Sstevel@tonic-gate 14017c478bd9Sstevel@tonic-gate if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf, 14027c478bd9Sstevel@tonic-gate KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)) 14037c478bd9Sstevel@tonic-gate return (status); 14047c478bd9Sstevel@tonic-gate 14057c478bd9Sstevel@tonic-gate status = krb5_auth_con_getrcache(bsd_context, auth_context, &rcache); 14067c478bd9Sstevel@tonic-gate if (status) 14077c478bd9Sstevel@tonic-gate return (status); 14087c478bd9Sstevel@tonic-gate 14097c478bd9Sstevel@tonic-gate if (!rcache) { 14107c478bd9Sstevel@tonic-gate krb5_principal server; 14117c478bd9Sstevel@tonic-gate 14127c478bd9Sstevel@tonic-gate status = krb5_sname_to_principal(bsd_context, 0, 0, 14137c478bd9Sstevel@tonic-gate KRB5_NT_SRV_HST, &server); 14147c478bd9Sstevel@tonic-gate if (status) 14157c478bd9Sstevel@tonic-gate return (status); 14167c478bd9Sstevel@tonic-gate 14177c478bd9Sstevel@tonic-gate status = krb5_get_server_rcache(bsd_context, 14187c478bd9Sstevel@tonic-gate krb5_princ_component(bsd_context, server, 0), 14197c478bd9Sstevel@tonic-gate &rcache); 14207c478bd9Sstevel@tonic-gate krb5_free_principal(bsd_context, server); 14217c478bd9Sstevel@tonic-gate if (status) 14227c478bd9Sstevel@tonic-gate return (status); 14237c478bd9Sstevel@tonic-gate 14247c478bd9Sstevel@tonic-gate status = krb5_auth_con_setrcache(bsd_context, auth_context, 14257c478bd9Sstevel@tonic-gate rcache); 14267c478bd9Sstevel@tonic-gate if (status) 14277c478bd9Sstevel@tonic-gate return (status); 14287c478bd9Sstevel@tonic-gate } 14297c478bd9Sstevel@tonic-gate 14307c478bd9Sstevel@tonic-gate status = krb5_recvauth_version(bsd_context, &auth_context, &netf, 14317c478bd9Sstevel@tonic-gate NULL, /* Specify daemon principal */ 14327c478bd9Sstevel@tonic-gate 0, /* no flags */ 14337c478bd9Sstevel@tonic-gate keytab, /* normally NULL to use v5srvtab */ 14347c478bd9Sstevel@tonic-gate &ticket, /* return ticket */ 14357c478bd9Sstevel@tonic-gate &version); /* application version string */ 14367c478bd9Sstevel@tonic-gate 14377c478bd9Sstevel@tonic-gate 14387c478bd9Sstevel@tonic-gate if (status) { 14397c478bd9Sstevel@tonic-gate getstr(netf, locuser, sizeof (locuser), "locuser"); 14407c478bd9Sstevel@tonic-gate getstr(netf, cmdbuf, sizeof (cmdbuf), "command"); 14417c478bd9Sstevel@tonic-gate getstr(netf, remuser, sizeof (locuser), "remuser"); 14427c478bd9Sstevel@tonic-gate return (status); 14437c478bd9Sstevel@tonic-gate } 14447c478bd9Sstevel@tonic-gate getstr(netf, locuser, sizeof (locuser), "locuser"); 14457c478bd9Sstevel@tonic-gate getstr(netf, cmdbuf, sizeof (cmdbuf), "command"); 14467c478bd9Sstevel@tonic-gate 14477c478bd9Sstevel@tonic-gate /* Must be V5 */ 14487c478bd9Sstevel@tonic-gate 14497c478bd9Sstevel@tonic-gate kcmd_protocol = KCMD_UNKNOWN_PROTOCOL; 14507c478bd9Sstevel@tonic-gate if (version.length != 9 || version.data == NULL) { 14517c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "bad application version length"); 14527c478bd9Sstevel@tonic-gate error(gettext("bad application version length\n")); 14537c478bd9Sstevel@tonic-gate exit(1); 14547c478bd9Sstevel@tonic-gate } 14557c478bd9Sstevel@tonic-gate if (strncmp(version.data, "KCMDV0.1", 9) == 0) { 14567c478bd9Sstevel@tonic-gate kcmd_protocol = KCMD_OLD_PROTOCOL; 14577c478bd9Sstevel@tonic-gate } else if (strncmp(version.data, "KCMDV0.2", 9) == 0) { 14587c478bd9Sstevel@tonic-gate kcmd_protocol = KCMD_NEW_PROTOCOL; 14597c478bd9Sstevel@tonic-gate } else { 14607c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Unrecognized KCMD protocol (%s)", 14617c478bd9Sstevel@tonic-gate (char *)version.data); 14627c478bd9Sstevel@tonic-gate error(gettext("Unrecognized KCMD protocol (%s)"), 14637c478bd9Sstevel@tonic-gate (char *)version.data); 14647c478bd9Sstevel@tonic-gate exit(1); 14657c478bd9Sstevel@tonic-gate } 14667c478bd9Sstevel@tonic-gate getstr(netf, remuser, sizeof (locuser), "remuser"); 14677c478bd9Sstevel@tonic-gate 14687c478bd9Sstevel@tonic-gate if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client, 14697c478bd9Sstevel@tonic-gate &kremuser))) 14707c478bd9Sstevel@tonic-gate return (status); 14717c478bd9Sstevel@tonic-gate 14727c478bd9Sstevel@tonic-gate if ((status = krb5_copy_principal(bsd_context, 14737c478bd9Sstevel@tonic-gate ticket->enc_part2->client, &client))) 14747c478bd9Sstevel@tonic-gate return (status); 14757c478bd9Sstevel@tonic-gate 14767c478bd9Sstevel@tonic-gate 14777c478bd9Sstevel@tonic-gate if (checksum_required && (kcmd_protocol == KCMD_OLD_PROTOCOL)) { 14787c478bd9Sstevel@tonic-gate if ((status = krb5_auth_con_getauthenticator(bsd_context, 14797c478bd9Sstevel@tonic-gate auth_context, &authenticator))) 14807c478bd9Sstevel@tonic-gate return (status); 14817c478bd9Sstevel@tonic-gate 14827c478bd9Sstevel@tonic-gate if (authenticator->checksum && checksum_required) { 14837c478bd9Sstevel@tonic-gate struct sockaddr_in adr; 14847c478bd9Sstevel@tonic-gate int adr_length = sizeof (adr); 14857c478bd9Sstevel@tonic-gate int chksumsize = strlen(cmdbuf) + strlen(locuser) + 32; 14867c478bd9Sstevel@tonic-gate krb5_data input; 14877c478bd9Sstevel@tonic-gate krb5_keyblock key; 14887c478bd9Sstevel@tonic-gate 14897c478bd9Sstevel@tonic-gate char *chksumbuf = (char *)malloc(chksumsize); 14907c478bd9Sstevel@tonic-gate 14917c478bd9Sstevel@tonic-gate if (chksumbuf == 0) 14927c478bd9Sstevel@tonic-gate goto error_cleanup; 14937c478bd9Sstevel@tonic-gate if (getsockname(netf, (struct sockaddr *)&adr, 14947c478bd9Sstevel@tonic-gate &adr_length) != 0) 14957c478bd9Sstevel@tonic-gate goto error_cleanup; 14967c478bd9Sstevel@tonic-gate 14977c478bd9Sstevel@tonic-gate (void) snprintf(chksumbuf, chksumsize, "%u:", 14987c478bd9Sstevel@tonic-gate ntohs(adr.sin_port)); 14997c478bd9Sstevel@tonic-gate if (strlcat(chksumbuf, cmdbuf, 15007c478bd9Sstevel@tonic-gate chksumsize) >= chksumsize) { 15017c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "cmd buffer too long."); 15027c478bd9Sstevel@tonic-gate free(chksumbuf); 15037c478bd9Sstevel@tonic-gate return (-1); 15047c478bd9Sstevel@tonic-gate } 15057c478bd9Sstevel@tonic-gate if (strlcat(chksumbuf, locuser, 15067c478bd9Sstevel@tonic-gate chksumsize) >= chksumsize) { 15077c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "locuser too long."); 15087c478bd9Sstevel@tonic-gate free(chksumbuf); 15097c478bd9Sstevel@tonic-gate return (-1); 15107c478bd9Sstevel@tonic-gate } 15117c478bd9Sstevel@tonic-gate 15127c478bd9Sstevel@tonic-gate input.data = chksumbuf; 15137c478bd9Sstevel@tonic-gate input.length = strlen(chksumbuf); 15147c478bd9Sstevel@tonic-gate key.magic = ticket->enc_part2->session->magic; 15157c478bd9Sstevel@tonic-gate key.enctype = ticket->enc_part2->session->enctype; 15167c478bd9Sstevel@tonic-gate key.contents = ticket->enc_part2->session->contents; 15177c478bd9Sstevel@tonic-gate key.length = ticket->enc_part2->session->length; 15187c478bd9Sstevel@tonic-gate 15197c478bd9Sstevel@tonic-gate status = krb5_c_verify_checksum(bsd_context, 15207c478bd9Sstevel@tonic-gate &key, 0, &input, authenticator->checksum, 15217c478bd9Sstevel@tonic-gate (unsigned int *)valid_checksum); 15227c478bd9Sstevel@tonic-gate 15237c478bd9Sstevel@tonic-gate if (status == 0 && *valid_checksum == 0) 15247c478bd9Sstevel@tonic-gate status = KRB5KRB_AP_ERR_BAD_INTEGRITY; 15257c478bd9Sstevel@tonic-gate error_cleanup: 15267c478bd9Sstevel@tonic-gate if (chksumbuf) 15277c478bd9Sstevel@tonic-gate krb5_xfree(chksumbuf); 15287c478bd9Sstevel@tonic-gate if (status) { 15297c478bd9Sstevel@tonic-gate krb5_free_authenticator(bsd_context, 15307c478bd9Sstevel@tonic-gate authenticator); 15317c478bd9Sstevel@tonic-gate return (status); 15327c478bd9Sstevel@tonic-gate } 15337c478bd9Sstevel@tonic-gate } 15347c478bd9Sstevel@tonic-gate krb5_free_authenticator(bsd_context, authenticator); 15357c478bd9Sstevel@tonic-gate } 15367c478bd9Sstevel@tonic-gate 15377c478bd9Sstevel@tonic-gate 15387c478bd9Sstevel@tonic-gate if ((strncmp(cmdbuf, "-x ", 3) == 0)) { 15397c478bd9Sstevel@tonic-gate if (krb5_privacy_allowed()) { 15407c478bd9Sstevel@tonic-gate do_encrypt = 1; 15417c478bd9Sstevel@tonic-gate } else { 15427c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "rshd: Encryption not supported"); 15437c478bd9Sstevel@tonic-gate error("rshd: Encryption not supported. \n"); 15447c478bd9Sstevel@tonic-gate exit(2); 15457c478bd9Sstevel@tonic-gate } 15467c478bd9Sstevel@tonic-gate 15477c478bd9Sstevel@tonic-gate status = krb5_auth_con_getremotesubkey(bsd_context, 15487c478bd9Sstevel@tonic-gate auth_context, 15497c478bd9Sstevel@tonic-gate &sessionkey); 15507c478bd9Sstevel@tonic-gate if (status) { 15517c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Error getting KRB5 session subkey"); 15527c478bd9Sstevel@tonic-gate error(gettext("Error getting KRB5 session subkey")); 15537c478bd9Sstevel@tonic-gate exit(1); 15547c478bd9Sstevel@tonic-gate } 15557c478bd9Sstevel@tonic-gate /* 15567c478bd9Sstevel@tonic-gate * The "new" protocol requires that a subkey be sent. 15577c478bd9Sstevel@tonic-gate */ 15587c478bd9Sstevel@tonic-gate if (sessionkey == NULL && kcmd_protocol == KCMD_NEW_PROTOCOL) { 15597c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "No KRB5 session subkey sent"); 15607c478bd9Sstevel@tonic-gate error(gettext("No KRB5 session subkey sent")); 15617c478bd9Sstevel@tonic-gate exit(1); 15627c478bd9Sstevel@tonic-gate } 15637c478bd9Sstevel@tonic-gate /* 15647c478bd9Sstevel@tonic-gate * The "old" protocol does not permit an authenticator subkey. 15657c478bd9Sstevel@tonic-gate * The key is taken from the ticket instead (see below). 15667c478bd9Sstevel@tonic-gate */ 15677c478bd9Sstevel@tonic-gate if (sessionkey != NULL && kcmd_protocol == KCMD_OLD_PROTOCOL) { 15687c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "KRB5 session subkey not permitted " 15697c478bd9Sstevel@tonic-gate "with old KCMD protocol"); 15707c478bd9Sstevel@tonic-gate error(gettext("KRB5 session subkey not permitted " 15717c478bd9Sstevel@tonic-gate "with old KCMD protocol")); 15727c478bd9Sstevel@tonic-gate exit(1); 15737c478bd9Sstevel@tonic-gate } 15747c478bd9Sstevel@tonic-gate /* 15757c478bd9Sstevel@tonic-gate * If no key at this point, use the session key from 15767c478bd9Sstevel@tonic-gate * the ticket. 15777c478bd9Sstevel@tonic-gate */ 15787c478bd9Sstevel@tonic-gate if (sessionkey == NULL) { 15797c478bd9Sstevel@tonic-gate /* 15807c478bd9Sstevel@tonic-gate * Save the session key so we can configure the crypto 15817c478bd9Sstevel@tonic-gate * module later. 15827c478bd9Sstevel@tonic-gate */ 15837c478bd9Sstevel@tonic-gate status = krb5_copy_keyblock(bsd_context, 15847c478bd9Sstevel@tonic-gate ticket->enc_part2->session, 15857c478bd9Sstevel@tonic-gate &sessionkey); 15867c478bd9Sstevel@tonic-gate if (status) { 15877c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "krb5_copy_keyblock failed"); 15887c478bd9Sstevel@tonic-gate error(gettext("krb5_copy_keyblock failed")); 15897c478bd9Sstevel@tonic-gate exit(1); 15907c478bd9Sstevel@tonic-gate } 15917c478bd9Sstevel@tonic-gate } 15927c478bd9Sstevel@tonic-gate /* 15937c478bd9Sstevel@tonic-gate * If session key still cannot be found, we must 15947c478bd9Sstevel@tonic-gate * exit because encryption is required here 15957c478bd9Sstevel@tonic-gate * when encr_flag (-x) is set. 15967c478bd9Sstevel@tonic-gate */ 15977c478bd9Sstevel@tonic-gate if (sessionkey == NULL) { 15987c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "Could not find an encryption key"); 15997c478bd9Sstevel@tonic-gate error(gettext("Could not find an encryption key")); 16007c478bd9Sstevel@tonic-gate exit(1); 16017c478bd9Sstevel@tonic-gate } 16027c478bd9Sstevel@tonic-gate 16037c478bd9Sstevel@tonic-gate /* 16047c478bd9Sstevel@tonic-gate * Initialize parameters/buffers for desread & deswrite here. 16057c478bd9Sstevel@tonic-gate */ 16067c478bd9Sstevel@tonic-gate desinbuf.data = des_inbuf; 16077c478bd9Sstevel@tonic-gate desoutbuf.data = des_outbuf; 16087c478bd9Sstevel@tonic-gate desinbuf.length = sizeof (des_inbuf); 16097c478bd9Sstevel@tonic-gate desoutbuf.length = sizeof (des_outbuf); 16107c478bd9Sstevel@tonic-gate 16117c478bd9Sstevel@tonic-gate eblock.crypto_entry = sessionkey->enctype; 16127c478bd9Sstevel@tonic-gate eblock.key = (krb5_keyblock *)sessionkey; 16137c478bd9Sstevel@tonic-gate 16147c478bd9Sstevel@tonic-gate init_encrypt(do_encrypt, bsd_context, kcmd_protocol, 16157c478bd9Sstevel@tonic-gate &desinbuf, &desoutbuf, SERVER, &eblock); 16167c478bd9Sstevel@tonic-gate } 16177c478bd9Sstevel@tonic-gate 16187c478bd9Sstevel@tonic-gate ticket->enc_part2->session = 0; 16197c478bd9Sstevel@tonic-gate 16207c478bd9Sstevel@tonic-gate if ((status = krb5_read_message(bsd_context, (krb5_pointer) & netf, 16217c478bd9Sstevel@tonic-gate &inbuf))) { 16227c478bd9Sstevel@tonic-gate error(gettext("Error reading message: %s\n"), 16237c478bd9Sstevel@tonic-gate error_message(status)); 16247c478bd9Sstevel@tonic-gate exit(1); 16257c478bd9Sstevel@tonic-gate } 16267c478bd9Sstevel@tonic-gate 16277c478bd9Sstevel@tonic-gate if (inbuf.length) { 16287c478bd9Sstevel@tonic-gate /* Forwarding being done, read creds */ 16297c478bd9Sstevel@tonic-gate if ((status = rd_and_store_for_creds(bsd_context, 16307c478bd9Sstevel@tonic-gate auth_context, &inbuf, ticket, locuser, 16317c478bd9Sstevel@tonic-gate &ccache))) { 16327c478bd9Sstevel@tonic-gate error("Can't get forwarded credentials: %s\n", 16337c478bd9Sstevel@tonic-gate error_message(status)); 16347c478bd9Sstevel@tonic-gate exit(1); 16357c478bd9Sstevel@tonic-gate } 16367c478bd9Sstevel@tonic-gate 16377c478bd9Sstevel@tonic-gate } 16387c478bd9Sstevel@tonic-gate krb5_free_ticket(bsd_context, ticket); 16397c478bd9Sstevel@tonic-gate return (0); 16407c478bd9Sstevel@tonic-gate } 16417c478bd9Sstevel@tonic-gate 16427c478bd9Sstevel@tonic-gate static void 16437c478bd9Sstevel@tonic-gate usage(void) 16447c478bd9Sstevel@tonic-gate { 16457c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("%s: rshd [-k5eciU] " 16467c478bd9Sstevel@tonic-gate "[-P path] [-M realm] [-s tos] " 16477c478bd9Sstevel@tonic-gate #ifdef DEBUG 16487c478bd9Sstevel@tonic-gate "[-D port] " 16497c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 16507c478bd9Sstevel@tonic-gate "[-S keytab]"), gettext("usage")); 16517c478bd9Sstevel@tonic-gate 16527c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "%s: rshd [-k5eciU] [-P path] [-M realm] [-s tos] " 16537c478bd9Sstevel@tonic-gate #ifdef DEBUG 16547c478bd9Sstevel@tonic-gate "[-D port] " 16557c478bd9Sstevel@tonic-gate #endif /* DEBUG */ 16567c478bd9Sstevel@tonic-gate "[-S keytab]", gettext("usage")); 16577c478bd9Sstevel@tonic-gate } 1658