xref: /illumos-gate/usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c (revision 0b4fd3b1)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*	Copyright (c) 1983-1989 AT&T	*/
/*	  All Rights Reserved  	*/

/*
 * Portions of this source code were derived from Berkeley 4.3 BSD
 * under license from the Regents of the University of California.
 */

#define	_FILE_OFFSET_BITS 64

/*
 * remote shell server:
 *	remuser\0
 *	locuser\0
 *	command\0
 *	data
 */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/telioctl.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/file.h>
#include <sys/select.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdarg.h>
#include <errno.h>
#include <pwd.h>
#include <grp.h>
#include <signal.h>
#include <netdb.h>
#include <syslog.h>
#include <fcntl.h>
#include <ctype.h>
#include <locale.h>

#include <sys/resource.h>
#include <sys/filio.h>
#include <shadow.h>
#include <stdlib.h>

#include <security/pam_appl.h>
#include <deflt.h>

#include <k5-int.h>
#include <krb5_repository.h>
#include <com_err.h>
#include <kcmd.h>

#include <addr_match.h>
#include <store_forw_creds.h>

#ifndef NCARGS
#define	NCARGS	5120
#endif /* !NCARGS */

static void error(char *, ...);
static void doit(int, struct sockaddr_storage *, char **);
static void getstr(int, char *, int, char *);

static int legalenvvar(char *);
static void add_to_envinit(char *);
static int locale_envmatch(char *, char *);

/* Function decls. for functions not in any header file.  (Grrrr.) */
extern int audit_rshd_setup(void);
extern int audit_rshd_success(char *, char *, char *, char *);
extern int audit_rshd_fail(char *, char *, char *, char *, char *);
extern int audit_settid(int);

static int do_encrypt = 0;
static pam_handle_t *pamh;

/*
 * This is the shell/kshell daemon. The very basic protocol for checking
 * authentication and authorization is:
 * 1) Check authentication.
 * 2) Check authorization via the access-control files:
 *    ~/.k5login (using krb5_kuserok) and/or
 * Execute command if configured authoriztion checks pass, else deny
 * permission.
 *
 * The configuration is done either by command-line arguments passed by inetd,
 * or by the name of the daemon. If command-line arguments are present, they
 * take priority. The options are:
 * -k allow kerberos authentication (krb5 only; krb4 support is not provided)
 * -5 same as `-k', mainly for compatability with MIT
 * -e allow encrypted session
 * -c demand authenticator checksum
 * -i ignore authenticator checksum
 * -U Refuse connections that cannot be mapped to a name via `gethostbyname'
 * -s <tos>	Set the IP TOS option
 * -S <keytab>	Set the keytab file to use
 * -M <realm>	Set the Kerberos realm to use
 */

#define	ARGSTR	"ek5ciUD:M:S:L:?:"
#define	RSHD_BUFSIZ	(50 * 1024)

static krb5_context bsd_context;
static krb5_keytab keytab = NULL;
static krb5_ccache ccache = NULL;
static krb5_keyblock *sessionkey = NULL;

static int require_encrypt = 0;
static int resolve_hostname = 0;
static int krb5auth_flag = 0;	/* Flag set, when KERBEROS is enabled */
static enum kcmd_proto kcmd_protocol;

#ifdef DEBUG
static int debug_port = 0;
#endif /* DEBUG */

/*
 * There are two authentication related masks:
 * auth_ok and auth_sent.
 * The auth_ok mask is the or'ing of authentication
 * systems any one of which can be used.
 * The auth_sent mask is the or'ing of one or more authentication/authorization
 * systems that succeeded.  If the and'ing
 * of these two masks is true, then authorization is successful.
 */

#define	AUTH_KRB5	(0x2)
static int auth_ok = 0;
static int auth_sent = 0;
static int checksum_required = 0;
static int checksum_ignored = 0;

/*
 * Leave room for 4 environment variables to be passed.
 * The "-L env_var" option has been added primarily to
 * maintain compatability with MIT.
 */
#define	MAXENV	4
static char *save_env[MAXENV];
static int num_env = 0;

static void usage(void);
static krb5_error_code recvauth(int, int *);

/*ARGSUSED*/
int
main(int argc, char **argv, char **renvp)
{
	struct linger linger;
	int on = 1, fromlen;
	struct sockaddr_storage from;
	int fd = 0;

	extern int opterr, optind;
	extern char *optarg;
	int ch;
	int tos = -1;
	krb5_error_code status;

	openlog("rsh", LOG_PID | LOG_ODELAY, LOG_DAEMON);
	(void) audit_rshd_setup();	/* BSM */
	fromlen = sizeof (from);

	(void) setlocale(LC_ALL, "");

	/*
	 * Analyze parameters.
	 */
	opterr = 0;
	while ((ch = getopt(argc, argv, ARGSTR)) != EOF)
		switch (ch) {
		case '5':
		case 'k':
			auth_ok |= AUTH_KRB5;
			krb5auth_flag++;
			break;

		case 'c':
			checksum_required = 1;
			krb5auth_flag++;
			break;
		case 'i':
			checksum_ignored = 1;
			krb5auth_flag++;
			break;

		case 'e':
			require_encrypt = 1;
			krb5auth_flag++;
			break;
#ifdef DEBUG
		case 'D':
			debug_port = atoi(optarg);
			break;
#endif /* DEBUG */
		case 'U':
			resolve_hostname = 1;
			break;

		case 'M':
			(void) krb5_set_default_realm(bsd_context, optarg);
			krb5auth_flag++;
			break;

		case 'S':
			if ((status = krb5_kt_resolve(bsd_context, optarg,
				&keytab))) {
				com_err("rsh", status,
					gettext("while resolving "
						"srvtab file %s"), optarg);
				exit(2);
			}
			krb5auth_flag++;
			break;

		case 's':
			if (optarg == NULL || ((tos = atoi(optarg)) < 0) ||
				(tos > 255)) {
				syslog(LOG_ERR, "rshd: illegal tos value: "
				    "%s\n", optarg);
			}
			break;

		case 'L':
			if (num_env < MAXENV) {
				save_env[num_env] = strdup(optarg);
				if (!save_env[num_env++]) {
					com_err("rsh", ENOMEM,
						gettext("in saving env"));
					exit(2);
				}
			} else {
				(void) fprintf(stderr, gettext("rshd: Only %d"
						" -L arguments allowed\n"),
						MAXENV);
				exit(2);
			}
			break;

		case '?':
		default:
			usage();
			exit(1);
			break;
		}

	if (optind == 0) {
		usage();
		exit(1);
	}
	argc -= optind;
	argv += optind;

	if (krb5auth_flag > 0) {
		status = krb5_init_context(&bsd_context);
		if (status) {
			syslog(LOG_ERR, "Error initializing krb5: %s",
			    error_message(status));
			exit(1);
		}
	}

	if (!checksum_required && !checksum_ignored)
		checksum_ignored = 1;

	if (checksum_required && checksum_ignored) {
		syslog(LOG_CRIT, gettext("Checksums are required and ignored."
		"These options are mutually exclusive"
		"--check the documentation."));
		error("Configuration error: mutually exclusive "
				"options specified.\n");
		exit(1);
	}

#ifdef DEBUG
	if (debug_port) {
		int s;
		struct sockaddr_in sin;

		if ((s = socket(AF_INET, SOCK_STREAM, PF_UNSPEC)) < 0) {
			fprintf(stderr, gettext("Error in socket: %s\n"),
					strerror(errno));
			exit(2);
		}
		(void) memset((char *)&sin, 0, sizeof (sin));
		sin.sin_family = AF_INET;
		sin.sin_port = htons(debug_port);
		sin.sin_addr.s_addr = INADDR_ANY;

		(void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
			(char *)&on, sizeof (on));

		if ((bind(s, (struct sockaddr *)&sin, sizeof (sin))) < 0) {
			(void) fprintf(stderr, gettext("Error in bind: %s\n"),
					strerror(errno));
			exit(2);
		}
		if ((listen(s, 5)) < 0) {
			(void) fprintf(stderr, gettext("Error in listen: %s\n"),
					strerror(errno));
			exit(2);
		}
		if ((fd = accept(s, (struct sockaddr *)&from,
					&fromlen)) < 0) {
			(void) fprintf(stderr, gettext("Error in accept: %s\n"),
					strerror(errno));
			exit(2);
		}
		(void) close(s);
	}
	else
#endif /* DEBUG */
	{
		if (getpeername(STDIN_FILENO, (struct sockaddr *)&from,
				(socklen_t *)&fromlen) < 0) {
			(void) fprintf(stderr, "rshd: ");
			perror("getpeername");
			_exit(1);
		}
		fd = STDIN_FILENO;
	}

	if (audit_settid(fd) != 0) {
		perror("settid");
		exit(1);
	}

	if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
	    sizeof (on)) < 0)
		syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
	linger.l_onoff = 1;
	linger.l_linger = 60;			/* XXX */
	if (setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&linger,
	    sizeof (linger)) < 0)
		syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");

	if ((tos != -1) && (setsockopt(fd, IPPROTO_IP, IP_TOS, (char *)&tos,
				sizeof (tos)) < 0) &&
				(errno != ENOPROTOOPT)) {
		syslog(LOG_ERR, "setsockopt (IP_TOS %d): %m");
	}

	doit(dup(fd), &from, renvp);
	return (0);
}

/*
 * locale environments to be passed to shells.
 */
static char *localeenv[] = {
	"LANG",
	"LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE",
	"LC_MONETARY", "LC_MESSAGES", "LC_ALL", NULL};

/*
 * The following is for the environment variable list
 * used in the call to execle().  envinit is declared here,
 * but populated after the call to getpwnam().
 */
static char	*homedir;	/* "HOME=" */
static char	*shell;		/* "SHELL=" */
static char	*username;	/* "USER=" */
static char	*tz;		/* "TZ=" */

static char	homestr[] = "HOME=";
static char	shellstr[] = "SHELL=";
static char	userstr[] = "USER=";
static char	tzstr[] = "TZ=";

static char	**envinit;
#define	PAM_ENV_ELIM	16	/* allow 16 PAM environment variables */
#define	USERNAME_LEN	16	/* maximum number of characters in user name */

/*
 *	See PSARC opinion 1992/025
 */
static char	userpath[] = "PATH=/usr/bin:";
static char	rootpath[] = "PATH=/usr/sbin:/usr/bin";

static char cmdbuf[NCARGS+1];
static char hostname [MAXHOSTNAMELEN + 1];
static char locuser[USERNAME_LEN + 1];
static char remuser[USERNAME_LEN + 1];

#define	KRB5_RECVAUTH_V5	5
#define	SIZEOF_INADDR sizeof	(struct in_addr)

#define	MAX_REPOSITORY_LEN	255
static char repository[MAX_REPOSITORY_LEN];

static char *kremuser;
static krb5_principal client = NULL;

static char	remote_addr[64];
static char	local_addr[64];

#define	_PATH_DEFAULT_LOGIN "/etc/default/login"

static void
doit(int f, struct sockaddr_storage *fromp, char **renvp)
{
	char *cp;

	struct passwd *pwd;
	char *path;
	char *tzenv;
	struct spwd *shpwd;
	struct stat statb;
	char **lenvp;

	krb5_error_code status;
	int valid_checksum;
	int cnt;
	int sin_len;
	struct sockaddr_in localaddr;

	int s;
	in_port_t port;
	pid_t pid;
	int pv[2], pw[2], px[2], cc;
	char buf[RSHD_BUFSIZ];
	char sig;
	int one = 1;
	int v = 0;
	int err = 0;
	int idx = 0;
	char **pam_env;
	char abuf[INET6_ADDRSTRLEN];
	struct sockaddr_in *sin;
	struct sockaddr_in6 *sin6;
	int fromplen;
	int homedir_len, shell_len, username_len, tz_len;
	int no_name;
	boolean_t bad_port;
	int netf = 0;

	(void) signal(SIGINT, SIG_DFL);
	(void) signal(SIGQUIT, SIG_DFL);
	(void) signal(SIGTERM, SIG_DFL);
	(void) signal(SIGXCPU, SIG_DFL);
	(void) signal(SIGXFSZ, SIG_DFL);
	(void) sigset(SIGCHLD, SIG_IGN);
	(void) signal(SIGPIPE, SIG_DFL);
	(void) signal(SIGHUP, SIG_DFL);

#ifdef DEBUG
	{
	    int t = open("/dev/tty", 2);

	    if (t >= 0) {
		(void) setsid();
		(void) close(t);
	    }
	}
#endif
	if (fromp->ss_family == AF_INET) {
		sin = (struct sockaddr_in *)fromp;
		port = ntohs((ushort_t)sin->sin_port);
		fromplen = sizeof (struct sockaddr_in);
	} else if (fromp->ss_family == AF_INET6) {
		sin6 = (struct sockaddr_in6 *)fromp;
		port = ntohs((ushort_t)sin6->sin6_port);
		fromplen = sizeof (struct sockaddr_in6);
	} else {
		syslog(LOG_ERR, "wrong address family\n");
		exit(1);
	}

	if (fromp->ss_family == AF_INET6) {
		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
			struct in_addr ipv4_addr;

			IN6_V4MAPPED_TO_INADDR(&sin6->sin6_addr, &ipv4_addr);
			(void) inet_ntop(AF_INET, &ipv4_addr, abuf,
			    sizeof (abuf));
		} else {
			(void) inet_ntop(AF_INET6, &sin6->sin6_addr, abuf,
			    sizeof (abuf));
		}
	} else if (fromp->ss_family == AF_INET) {
		(void) inet_ntop(AF_INET, &sin->sin_addr, abuf, sizeof (abuf));
	}

	sin_len = sizeof (struct sockaddr_in);
	if (getsockname(f, (struct sockaddr *)&localaddr, &sin_len) < 0) {
		perror("getsockname");
		exit(1);
	}

	netf = f;

	bad_port = (port >= IPPORT_RESERVED ||
		port < (uint_t)(IPPORT_RESERVED/2));

	/* Get the name of the client side host to use later */
	no_name = (getnameinfo((const struct sockaddr *) fromp, fromplen,
		hostname, sizeof (hostname), NULL, 0, 0) != 0);

	if (bad_port || no_name != 0) {
		/*
		 * If there is no host name available then use the
		 * IP address to identify the host in the PAM call
		 * below.  Do the same if a bad port was used, to
		 * prevent untrustworthy authentication.
		 */
		(void) strlcpy(hostname, abuf, sizeof (hostname));
	}

	if (no_name != 0) {
		/*
		 * If the '-U' option was given on the cmd line,
		 * we must be able to lookup the hostname
		 */
		if (resolve_hostname) {
			syslog(LOG_ERR, "rshd: Couldn't resolve your "
			    "address into a host name.\r\n Please "
			    "contact your net administrator");
			exit(1);
		}
	} else {
		/*
		 * Even if getnameinfo() succeeded, we still have to check
		 * for spoofing.
		 */
		check_address("rshd", fromp, sin, sin6, abuf, hostname,
		    sizeof (hostname));
	}

	if (!krb5auth_flag && bad_port) {
		if (no_name)
			syslog(LOG_NOTICE, "connection from %s - "
			    "bad port\n", abuf);
		else
			syslog(LOG_NOTICE, "connection from %s (%s) - "
			    "bad port\n", hostname, abuf);
		exit(1);
	}

	(void) alarm(60);
	port = 0;
	for (;;) {
		char c;
		if ((cc = read(f, &c, 1)) != 1) {
			if (cc < 0)
				syslog(LOG_NOTICE, "read: %m");
			(void) shutdown(f, 1+1);
			exit(1);
		}
		if (c == 0)
			break;
		port = port * 10 + c - '0';
	}
	(void) alarm(0);
	if (port != 0) {
		int lport = 0;
		struct sockaddr_storage ctl_addr;
		int addrlen;

		(void) memset(&ctl_addr, 0, sizeof (ctl_addr));
		addrlen = sizeof (ctl_addr);
		if (getsockname(f, (struct sockaddr *)&ctl_addr,
			&addrlen) < 0) {
			syslog(LOG_ERR, "getsockname: %m");
			exit(1);
		}
get_port:
		/*
		 * 0 means that rresvport_addr() will bind to a port in
		 * the anonymous priviledged port range.
		 */
		if (krb5auth_flag) {
			/*
			 * Kerberos does not support IPv6 yet.
			 */
			lport = IPPORT_RESERVED - 1;
		}
		s = rresvport_addr(&lport, &ctl_addr);

		if (s < 0) {
			syslog(LOG_ERR, "can't get stderr port: %m");
			exit(1);
		}
		if (!krb5auth_flag && (port >= IPPORT_RESERVED)) {
			syslog(LOG_ERR, "2nd port not reserved\n");
			exit(1);
		}
		if (fromp->ss_family == AF_INET) {
			sin->sin_port = htons((ushort_t)port);
		} else if (fromp->ss_family == AF_INET6) {
			sin6->sin6_port = htons((ushort_t)port);
		}
		if (connect(s, (struct sockaddr *)fromp, fromplen) < 0) {
			if (errno == EADDRINUSE) {
				(void) close(s);
				goto get_port;
			}
			syslog(LOG_INFO, "connect second port: %m");
			exit(1);
		}
	}
	(void) dup2(f, 0);
	(void) dup2(f, 1);
	(void) dup2(f, 2);

#ifdef DEBUG
	syslog(LOG_NOTICE, "rshd: Client hostname = %s", hostname);
	if (debug_port)
		syslog(LOG_NOTICE, "rshd: Debug port is %d", debug_port);
	if (krb5auth_flag > 0)
		syslog(LOG_NOTICE, "rshd: Kerberos mode is ON");
	else
		syslog(LOG_NOTICE, "rshd: Kerberos mode is OFF");
#endif /* DEBUG */

	if (krb5auth_flag > 0) {
		if ((status = recvauth(f, &valid_checksum))) {
			syslog(LOG_ERR, gettext("Kerberos Authentication "
					"failed \n"));
			error("Authentication failed: %s\n",
					error_message(status));
			(void) audit_rshd_fail("Kerberos Authentication "
				"failed", hostname, remuser, locuser, cmdbuf);
			exit(1);
		}

		if (checksum_required && !valid_checksum &&
			kcmd_protocol == KCMD_OLD_PROTOCOL) {
			syslog(LOG_WARNING, "Client did not supply required"
					" checksum--connection rejected.");
			error("Client did not supply required"
				"checksum--connection rejected.\n");
			(void) audit_rshd_fail("Client did not supply required"
				" checksum--connection rejected.", hostname,
				remuser, locuser, cmdbuf);	/* BSM */
			goto signout;
		}

		/*
		 * Authentication has succeeded, we now need
		 * to check authorization.
		 *
		 * krb5_kuserok returns 1 if OK.
		 */
		if (client && krb5_kuserok(bsd_context, client, locuser)) {
			auth_sent |= AUTH_KRB5;
		} else {
			syslog(LOG_ERR, "Principal %s (%s@%s) for local user "
				"%s failed krb5_kuserok.\n",
				kremuser, remuser, hostname, locuser);
		}
	} else {
		getstr(netf, remuser, sizeof (remuser), "remuser");
		getstr(netf, locuser, sizeof (locuser), "locuser");
		getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
	}

#ifdef DEBUG
	syslog(LOG_NOTICE, "rshd: locuser = %s, remuser = %s, cmdbuf = %s",
			locuser, remuser, cmdbuf);
#endif /* DEBUG */

	/*
	 * Note that there is no rsh conv functions at present.
	 */
	if (krb5auth_flag > 0) {
		if ((err = pam_start("krsh", locuser, NULL, &pamh))
				!= PAM_SUCCESS) {
			syslog(LOG_ERR, "pam_start() failed: %s\n",
				pam_strerror(0, err));
			exit(1);
		}
	}
	else
	{
		if ((err = pam_start("rsh", locuser, NULL, &pamh))
				!= PAM_SUCCESS) {
			syslog(LOG_ERR, "pam_start() failed: %s\n",
				pam_strerror(0, err));
			exit(1);
		}
	}
	if ((err = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
		syslog(LOG_ERR, "pam_set_item() failed: %s\n",
			pam_strerror(pamh, err));
		exit(1);
	}
	if ((err = pam_set_item(pamh, PAM_RUSER, remuser)) != PAM_SUCCESS) {
		syslog(LOG_ERR, "pam_set_item() failed: %s\n",
			pam_strerror(pamh, err));
		exit(1);
	}

	pwd = getpwnam(locuser);
	shpwd = getspnam(locuser);
	if ((pwd == NULL) || (shpwd == NULL)) {
		if (krb5auth_flag > 0)
			syslog(LOG_ERR, "Principal %s (%s@%s) for local user "
				"%s has no account.\n", kremuser, remuser,
							hostname, locuser);
		error("permission denied.\n");
		(void) audit_rshd_fail("Login incorrect", hostname,
			remuser, locuser, cmdbuf);	/* BSM */
		exit(1);
	}

	if (krb5auth_flag > 0) {
		(void) snprintf(repository, sizeof (repository),
					KRB5_REPOSITORY_NAME);
		/*
		 * We currently only support special handling of the
		 * KRB5 PAM repository
		 */
		if (strlen(locuser) != 0) {
			krb5_repository_data_t krb5_data;
			pam_repository_t pam_rep_data;

			krb5_data.principal = locuser;
			krb5_data.flags = SUNW_PAM_KRB5_ALREADY_AUTHENTICATED;

			pam_rep_data.type = repository;
			pam_rep_data.scope = (void *)&krb5_data;
			pam_rep_data.scope_len = sizeof (krb5_data);

			(void) pam_set_item(pamh, PAM_REPOSITORY,
					(void *)&pam_rep_data);
		}
	}

	if (shpwd->sp_pwdp != 0) {
		if (*shpwd->sp_pwdp != '\0') {
			if ((v = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
				error("permission denied\n");
				(void) audit_rshd_fail("Permission denied",
				    hostname, remuser, locuser, cmdbuf);
				(void) pam_end(pamh, v);
				exit(1);
			}
		} else {
			int flags;
			char *p;
			/*
			 * maintain 2.1 and 4.* and BSD semantics with
			 * anonymous rshd unless PASSREQ is set to YES in
			 * /etc/default/login: then we deny logins with empty
			 * passwords.
			 */
			if (defopen(_PATH_DEFAULT_LOGIN) == 0) {
				flags = defcntl(DC_GETFLAGS, 0);
				TURNOFF(flags, DC_CASE);
				(void) defcntl(DC_SETFLAGS, flags);

				if ((p = defread("PASSREQ=")) != NULL &&
				    strcasecmp(p, "YES") == 0) {
					error("permission denied\n");
					(void) audit_rshd_fail(
					    "Permission denied", hostname,
					    remuser, locuser, cmdbuf);
					(void) pam_end(pamh, PAM_ABORT);
					(void) defopen(NULL);
					syslog(LOG_AUTH|LOG_NOTICE,
					    "empty password not allowed for "
					    "%s from %s.", locuser, hostname);
					exit(1);
				}
				(void) defopen(NULL);
			}
			/*
			 * /etc/default/login not found or PASSREQ not set
			 * to YES. Allow logins without passwords.
			 */
		}
	}

	if (krb5auth_flag > 0) {
		if (require_encrypt && (!do_encrypt)) {
			error("You must use encryption.\n");
			(void) audit_rshd_fail("You must use encryption.",
				hostname, remuser, locuser, cmdbuf); /* BSM */
			goto signout;
		}

		if (!(auth_ok & auth_sent)) {
			if (auth_sent) {
				error("Another authentication mechanism "
				    "must be used to access this host.\n");
				(void) audit_rshd_fail("Another authentication"
					" mechanism must be used to access"
					" this host.\n", hostname, remuser,
					locuser, cmdbuf); /* BSM */
				goto signout;
			} else {
				error("Permission denied.\n");
				(void) audit_rshd_fail("Permission denied.",
					hostname, remuser, locuser, cmdbuf);
					/* BSM */
				goto signout;
			}
		}


		if (pwd->pw_uid && !access("/etc/nologin", F_OK)) {
			error("Logins currently disabled.\n");
			(void) audit_rshd_fail("Logins currently disabled.",
				hostname, remuser, locuser, cmdbuf);
			goto signout;
		}

		/* Log access to account */
		if (pwd && (pwd->pw_uid == 0)) {
			syslog(LOG_NOTICE, "Executing %s for user %s (%s@%s)"
			    " as ROOT", cmdbuf,
			    kremuser, remuser, hostname);
		}
	}

	if ((v = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
		switch (v) {
		case PAM_NEW_AUTHTOK_REQD:
			error("password expired\n");
			(void) audit_rshd_fail("Password expired", hostname,
				remuser, locuser, cmdbuf); /* BSM */
			break;
		case PAM_PERM_DENIED:
			error("account expired\n");
			(void) audit_rshd_fail("Account expired", hostname,
				remuser, locuser, cmdbuf); /* BSM */
			break;
		case PAM_AUTHTOK_EXPIRED:
			error("password expired\n");
			(void) audit_rshd_fail("Password expired", hostname,
				remuser, locuser, cmdbuf); /* BSM */
			break;
		default:
			error("login incorrect\n");
			(void) audit_rshd_fail("Permission denied", hostname,
				remuser, locuser, cmdbuf); /* BSM */
			break;
		}
		(void) pam_end(pamh, PAM_ABORT);
		exit(1);
	}

	if (chdir(pwd->pw_dir) < 0) {
		(void) chdir("/");
#ifdef notdef
		error("No remote directory.\n");

		exit(1);
#endif
	}

	/*
	 * XXX There is no session management currently being done
	 */

	(void) write(STDERR_FILENO, "\0", 1);
	if (port || do_encrypt) {
		if ((pipe(pv) < 0)) {
			error("Can't make pipe.\n");
			(void) pam_end(pamh, PAM_ABORT);
			exit(1);
		}
		if (do_encrypt) {
			if (pipe(pw) < 0) {
				error("Can't make pipe 2.\n");
				(void) pam_end(pamh, PAM_ABORT);
				exit(1);
			}
			if (pipe(px) < 0) {
				error("Can't make pipe 3.\n");
				(void) pam_end(pamh, PAM_ABORT);
				exit(1);
			}
		}
		pid = fork();
		if (pid == (pid_t)-1)  {
			error("Fork (to start shell) failed on server.  "
				"Please try again later.\n");
			(void) pam_end(pamh, PAM_ABORT);
			exit(1);
		}
		if (pid) {
			fd_set ready;
			fd_set readfrom;

			(void) close(STDIN_FILENO);
			(void) close(STDOUT_FILENO);
			(void) close(STDERR_FILENO);
			(void) close(pv[1]);
			if (do_encrypt) {
				(void) close(pw[1]);
				(void) close(px[0]);
			} else {
				(void) close(f);
			}

			(void) FD_ZERO(&readfrom);

			FD_SET(pv[0], &readfrom);
			if (do_encrypt) {
				FD_SET(pw[0], &readfrom);
				FD_SET(f, &readfrom);
			}
			if (port)
				FD_SET(s, &readfrom);

			/* read f (net), write to px[1] (child stdin) */
			/* read pw[0] (child stdout), write to f (net) */
			/* read s (alt. channel), signal child */
			/* read pv[0] (child stderr), write to s */
			if (ioctl(pv[0], FIONBIO, (char *)&one) == -1)
				syslog(LOG_INFO, "ioctl FIONBIO: %m");
			if (do_encrypt &&
				ioctl(pw[0], FIONBIO, (char *)&one) == -1)
				syslog(LOG_INFO, "ioctl FIONBIO: %m");
			do {
				ready = readfrom;
				if (select(FD_SETSIZE, &ready, NULL,
					NULL, NULL) < 0) {
					if (errno == EINTR) {
						continue;
					} else {
						break;
					}
				}
				/*
				 * Read from child stderr, write to net
				 */
				if (port && FD_ISSET(pv[0], &ready)) {
					errno = 0;
					cc = read(pv[0], buf, sizeof (buf));
					if (cc <= 0) {
						(void) shutdown(s, 2);
						FD_CLR(pv[0], &readfrom);
					} else {
						(void) deswrite(s, buf, cc, 1);
					}
				}
				/*
				 * Read from alternate channel, signal child
				 */
				if (port && FD_ISSET(s, &ready)) {
					if ((int)desread(s, &sig, 1, 1) <= 0)
						FD_CLR(s, &readfrom);
					else
						(void) killpg(pid, sig);
				}
				/*
				 * Read from child stdout, write to net
				 */
				if (do_encrypt && FD_ISSET(pw[0], &ready)) {
					errno = 0;
					cc = read(pw[0], buf, sizeof (buf));
					if (cc <= 0) {
						(void) shutdown(f, 2);
						FD_CLR(pw[0], &readfrom);
					} else {
						(void) deswrite(f, buf, cc, 0);
					}
				}
				/*
				 * Read from the net, write to child stdin
				 */
				if (do_encrypt && FD_ISSET(f, &ready)) {
					errno = 0;
					cc = desread(f, buf, sizeof (buf), 0);
					if (cc <= 0) {
						(void) close(px[1]);
						FD_CLR(f, &readfrom);
					} else {
						int wcc;
						wcc = write(px[1], buf, cc);
						if (wcc == -1) {
							/*
							 * pipe closed,
							 * don't read any
							 * more
							 *
							 * might check for
							 * EPIPE
							 */
						    (void) close(px[1]);
						    FD_CLR(f, &readfrom);
						} else if (wcc != cc) {
						    /* CSTYLED */
						    syslog(LOG_INFO, gettext("only wrote %d/%d to child"),
						    wcc, cc);
						}
					}
				}
			} while ((port && FD_ISSET(s, &readfrom)) ||
				(port && FD_ISSET(pv[0], &readfrom)) ||
				(do_encrypt && FD_ISSET(f, &readfrom)) ||
				(do_encrypt && FD_ISSET(pw[0], &readfrom)));
#ifdef DEBUG
			syslog(LOG_INFO, "Shell process completed.");
#endif /* DEBUG */
			if (ccache)
				(void) pam_close_session(pamh, 0);
			(void) pam_end(pamh, PAM_SUCCESS);

			exit(0);
		} /* End of Parent block */

		(void) setsid();	/* Should be the same as above. */
		(void) close(pv[0]);
		(void) dup2(pv[1], 2);
		(void) close(pv[1]);
		if (port)
			(void) close(s);
		if (do_encrypt) {
			(void) close(f);
			(void) close(pw[0]);
			(void) close(px[1]);

			(void) dup2(px[0], 0);
			(void) dup2(pw[1], 1);

			(void) close(px[0]);
			(void) close(pw[1]);
		}
	}

	if (*pwd->pw_shell == '\0')
		pwd->pw_shell = "/bin/sh";
	if (!do_encrypt)
		(void) close(f);
	/*
	 * write audit record before making uid switch
	 */
	(void) audit_rshd_success(hostname, remuser, locuser, cmdbuf); /* BSM */

	/* set the real (and effective) GID */
	if (setgid(pwd->pw_gid) == -1) {
		error("Invalid gid.\n");
		(void) pam_end(pamh, PAM_ABORT);
		exit(1);
	}

	/*
	 * Initialize the supplementary group access list.
	 */
	if (strlen(locuser) == 0) {
		error("No local user.\n");
		(void) pam_end(pamh, PAM_ABORT);
		exit(1);
	}
	if (initgroups(locuser, pwd->pw_gid) == -1) {
		error("Initgroup failed.\n");
		(void) pam_end(pamh, PAM_ABORT);
		exit(1);
	}

	if ((v = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
		error("Insufficient credentials.\n");
		(void) pam_end(pamh, v);
		exit(1);
	}

	/* set the real (and effective) UID */
	if (setuid(pwd->pw_uid) == -1) {
		error("Invalid uid.\n");
		(void) pam_end(pamh, PAM_ABORT);
		exit(1);
	}

	/* Change directory only after becoming the appropriate user. */
	if (chdir(pwd->pw_dir) < 0) {
		(void) chdir("/");
		if (krb5auth_flag > 0) {
			syslog(LOG_ERR, "Principal %s  (%s@%s) for local user"
				" %s has no home directory.",
				kremuser, remuser, hostname, locuser);
			error("No remote directory.\n");
			goto signout;
		}
#ifdef notdef
		error("No remote directory.\n");
		exit(1);
#endif
	}

	path = (pwd->pw_uid == 0) ? rootpath : userpath;

	/*
	 * Space for the following environment variables are dynamically
	 * allocated because their lengths are not known before calling
	 * getpwnam().
	 */
	homedir_len = strlen(pwd->pw_dir) + strlen(homestr) + 1;
	shell_len = strlen(pwd->pw_shell) + strlen(shellstr) + 1;
	username_len = strlen(pwd->pw_name) + strlen(userstr) + 1;
	homedir = (char *)malloc(homedir_len);
	shell = (char *)malloc(shell_len);
	username = (char *)malloc(username_len);
	if (homedir == NULL || shell == NULL || username == NULL) {
		perror("malloc");
		exit(1);
	}
	(void) snprintf(homedir, homedir_len, "%s%s", homestr, pwd->pw_dir);
	(void) snprintf(shell, shell_len, "%s%s", shellstr, pwd->pw_shell);
	(void) snprintf(username, username_len, "%s%s", userstr, pwd->pw_name);

	/* Pass timezone to executed command. */
	if (tzenv = getenv("TZ")) {
		tz_len = strlen(tzenv) + strlen(tzstr) + 1;
		tz = malloc(tz_len);
		if (tz != NULL)
			(void) snprintf(tz, tz_len, "%s%s", tzstr, tzenv);
	}

	add_to_envinit(homedir);
	add_to_envinit(shell);
	add_to_envinit(path);
	add_to_envinit(username);
	add_to_envinit(tz);

	if (krb5auth_flag > 0) {
		int length;
		char *buffer;

		/*
		 * If we have KRB5CCNAME set, then copy into the child's
		 * environment.  This can't really have a fixed position
		 * because `tz' may or may not be set.
		 */
		if (getenv("KRB5CCNAME")) {
			length = (int)strlen(getenv("KRB5CCNAME")) +
					(int)strlen("KRB5CCNAME=") + 1;
			buffer = (char *)malloc(length);

			if (buffer) {
				(void) snprintf(buffer, length, "KRB5CCNAME=%s",
						getenv("KRB5CCNAME"));
				add_to_envinit(buffer);
			}
		} {
			/* These two are covered by ADDRPAD */
			length = strlen(inet_ntoa(localaddr.sin_addr)) + 1 +
					strlen("KRB5LOCALADDR=");
			(void) snprintf(local_addr, length, "KRB5LOCALADDR=%s",
				inet_ntoa(localaddr.sin_addr));
			add_to_envinit(local_addr);

			length = strlen(inet_ntoa(sin->sin_addr)) + 1 +
					strlen("KRB5REMOTEADDR=");
			(void) snprintf(remote_addr, length,
				"KRB5REMOTEADDR=%s", inet_ntoa(sin->sin_addr));
			add_to_envinit(remote_addr);
		}

		/*
		 * If we do anything else, make sure there is
		 * space in the array.
		 */
		for (cnt = 0; cnt < num_env; cnt++) {
			char *buf;

			if (getenv(save_env[cnt])) {
				length = (int)strlen(getenv(save_env[cnt])) +
					(int)strlen(save_env[cnt]) + 2;

				buf = (char *)malloc(length);
				if (buf) {
					(void) snprintf(buf, length, "%s=%s",
						save_env[cnt],
						getenv(save_env[cnt]));
					add_to_envinit(buf);
				}
			}
		}

	}

	/*
	 * add PAM environment variables set by modules
	 * -- only allowed 16 (PAM_ENV_ELIM)
	 * -- check to see if the environment variable is legal
	 */
	if ((pam_env = pam_getenvlist(pamh)) != 0) {
		while (pam_env[idx] != 0) {
			if (idx < PAM_ENV_ELIM &&
			    legalenvvar(pam_env[idx])) {
				add_to_envinit(pam_env[idx]);
			}
			idx++;
		}
	}

	(void) pam_end(pamh, PAM_SUCCESS);

	/*
	 * Pick up locale environment variables, if any.
	 */
	lenvp = renvp;
	while (*lenvp != NULL) {
		int	index;

		for (index = 0; localeenv[index] != NULL; index++)
			/*
			 * locale_envmatch() returns 1 if
			 * *lenvp is localenev[index] and valid.
			 */
			if (locale_envmatch(localeenv[index], *lenvp)) {
				add_to_envinit(*lenvp);
				break;
			}

		lenvp++;
	}

	cp = strrchr(pwd->pw_shell, '/');
	if (cp != NULL)
		cp++;
	else
		cp = pwd->pw_shell;
	/*
	 * rdist has been moved to /usr/bin, so /usr/ucb/rdist might not
	 * be present on a system.  So if it doesn't exist we fall back
	 * and try for it in /usr/bin.  We take care to match the space
	 * after the name because the only purpose of this is to protect
	 * the internal call from old rdist's, not humans who type
	 * "rsh foo /usr/ucb/rdist".
	 */
#define	RDIST_PROG_NAME	"/usr/ucb/rdist -Server"
	if (strncmp(cmdbuf, RDIST_PROG_NAME, strlen(RDIST_PROG_NAME)) == 0) {
		if (stat("/usr/ucb/rdist", &statb) != 0) {
			(void) strncpy(cmdbuf + 5, "bin", 3);
		}
	}

#ifdef DEBUG
	syslog(LOG_NOTICE, "rshd: cmdbuf = %s", cmdbuf);
	if (do_encrypt)
		syslog(LOG_NOTICE, "rshd: cmd to be exec'ed = %s",
			((char *)cmdbuf + 3));
#endif /* DEBUG */

	if (do_encrypt && (strncmp(cmdbuf, "-x ", 3) == 0)) {
		(void) execle(pwd->pw_shell, cp, "-c", (char *)cmdbuf + 3,
				NULL, envinit);
	} else {
		(void) execle(pwd->pw_shell, cp, "-c", cmdbuf, NULL,
				envinit);
	}

	perror(pwd->pw_shell);
	exit(1);

signout:
	if (ccache)
		(void) pam_close_session(pamh, 0);
	ccache = NULL;
	(void) pam_end(pamh, PAM_ABORT);
	exit(1);
}

static void
getstr(fd, buf, cnt, err)
	int fd;
	char *buf;
	int cnt;
	char *err;
{
	char c;

	do {
		if (read(fd, &c, 1) != 1)
			exit(1);
		if (cnt-- == 0) {
			error("%s too long\n", err);
			exit(1);
		}
		*buf++ = c;
	} while (c != 0);
}

/*PRINTFLIKE1*/
static void
error(char *fmt, ...)
{
	va_list ap;
	char buf[RSHD_BUFSIZ];

	buf[0] = 1;
	va_start(ap, fmt);
	(void) vsnprintf(&buf[1], sizeof (buf) - 1, fmt, ap);
	va_end(ap);
	(void) write(STDERR_FILENO, buf, strlen(buf));
}

static char *illegal[] = {
	"SHELL=",
	"HOME=",
	"LOGNAME=",
#ifndef NO_MAIL
	"MAIL=",
#endif
	"CDPATH=",
	"IFS=",
	"PATH=",
	"USER=",
	"TZ=",
	0
};

/*
 * legalenvvar - can PAM modules insert this environmental variable?
 */

static int
legalenvvar(char *s)
{
	register char **p;

	for (p = illegal; *p; p++)
		if (strncmp(s, *p, strlen(*p)) == 0)
			return (0);

	if (s[0] == 'L' && s[1] == 'D' && s[2] == '_')
		return (0);

	return (1);
}

/*
 * Add a string to the environment of the new process.
 */

static void
add_to_envinit(char *string)
{
	/*
	 * Reserve space for 2 * 8 = 16 environment entries initially which
	 * should be enough to avoid reallocation of "envinit" in most cases.
	 */
	static int	size = 8;
	static int	index = 0;

	if (string == NULL)
		return;

	if ((envinit == NULL) || (index == size)) {
		size *= 2;
		envinit = realloc(envinit, (size + 1) * sizeof (char *));
		if (envinit == NULL) {
			perror("malloc");
			exit(1);
		}
	}

	envinit[index++] = string;
	envinit[index] = NULL;
}

/*
 * Check if lenv and penv matches or not.
 */
static int
locale_envmatch(char *lenv, char *penv)
{
	while ((*lenv == *penv) && (*lenv != '\0') && (*penv != '=')) {
		lenv++;
		penv++;
	}

	/*
	 * '/' is eliminated for security reason.
	 */
	return ((*lenv == '\0' && *penv == '=' && *(penv + 1) != '/'));
}

#ifndef	KRB_SENDAUTH_VLEN
#define	KRB_SENDAUTH_VLEN	8	/* length for version strings */
#endif

/* MUST be KRB_SENDAUTH_VLEN chars */
#define	KRB_SENDAUTH_VERS	"AUTHV0.1"
#define	SIZEOF_INADDR sizeof (struct in_addr)

static krb5_error_code
recvauth(int netf, int *valid_checksum)
{
	krb5_auth_context auth_context = NULL;
	krb5_error_code status;
	struct sockaddr_in laddr;
	int len;
	krb5_data inbuf;
	krb5_authenticator *authenticator;
	krb5_ticket *ticket;
	krb5_rcache rcache;
	krb5_data version;
	krb5_encrypt_block eblock;	/* eblock for encrypt/decrypt */
	krb5_data desinbuf;
	krb5_data desoutbuf;
	char des_inbuf[2 * RSHD_BUFSIZ];
			/* needs to be > largest read size */
	char des_outbuf[2 * RSHD_BUFSIZ + 4];
			/* needs to be > largest write size */

	*valid_checksum = 0;
	len = sizeof (laddr);

	if (getsockname(netf, (struct sockaddr *)&laddr, &len)) {
		exit(1);
	}

	if (status = krb5_auth_con_init(bsd_context, &auth_context))
		return (status);

	if (status = krb5_auth_con_genaddrs(bsd_context, auth_context, netf,
		KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR))
		return (status);

	status = krb5_auth_con_getrcache(bsd_context, auth_context, &rcache);
	if (status)
		return (status);

	if (!rcache) {
		krb5_principal server;

		status = krb5_sname_to_principal(bsd_context, 0, 0,
			KRB5_NT_SRV_HST, &server);
		if (status)
			return (status);

		status = krb5_get_server_rcache(bsd_context,
			krb5_princ_component(bsd_context, server, 0),
			&rcache);
		krb5_free_principal(bsd_context, server);
		if (status)
			return (status);

		status = krb5_auth_con_setrcache(bsd_context, auth_context,
							rcache);
		if (status)
			return (status);
	}

	status = krb5_recvauth_version(bsd_context, &auth_context, &netf,
		NULL,		/* Specify daemon principal */
		0,		/* no flags */
		keytab,		/* normally NULL to use v5srvtab */
		&ticket,	/* return ticket */
		&version);	/* application version string */


	if (status) {
		getstr(netf, locuser, sizeof (locuser), "locuser");
		getstr(netf, cmdbuf, sizeof (cmdbuf), "command");
		getstr(netf, remuser, sizeof (locuser), "remuser");
		return (status);
	}
	getstr(netf, locuser, sizeof (locuser), "locuser");
	getstr(netf, cmdbuf, sizeof (cmdbuf), "command");

	/* Must be V5  */

	kcmd_protocol = KCMD_UNKNOWN_PROTOCOL;
	if (version.length != 9 || version.data == NULL) {
		syslog(LOG_ERR, "bad application version length");
		error(gettext("bad application version length\n"));
		exit(1);
	}
	if (strncmp(version.data, "KCMDV0.1", 9) == 0) {
		kcmd_protocol = KCMD_OLD_PROTOCOL;
	} else if (strncmp(version.data, "KCMDV0.2", 9) == 0) {
		kcmd_protocol = KCMD_NEW_PROTOCOL;
	} else {
		syslog(LOG_ERR, "Unrecognized KCMD protocol (%s)",
			(char *)version.data);
		error(gettext("Unrecognized KCMD protocol (%s)"),
			(char *)version.data);
		exit(1);
	}
	getstr(netf, remuser, sizeof (locuser), "remuser");

	if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client,
			&kremuser)))
		return (status);

	if ((status = krb5_copy_principal(bsd_context,
				ticket->enc_part2->client, &client)))
		return (status);


	if (checksum_required && (kcmd_protocol == KCMD_OLD_PROTOCOL)) {
		if ((status = krb5_auth_con_getauthenticator(bsd_context,
			auth_context, &authenticator)))
			return (status);

		if (authenticator->checksum && checksum_required) {
			struct sockaddr_in adr;
			int adr_length = sizeof (adr);
			int chksumsize = strlen(cmdbuf) + strlen(locuser) + 32;
			krb5_data input;
			krb5_keyblock key;

			char *chksumbuf = (char *)malloc(chksumsize);

			if (chksumbuf == 0)
				goto error_cleanup;
			if (getsockname(netf, (struct sockaddr *)&adr,
					&adr_length) != 0)
				goto error_cleanup;

			(void) snprintf(chksumbuf, chksumsize, "%u:",
					ntohs(adr.sin_port));
			if (strlcat(chksumbuf, cmdbuf,
					chksumsize) >= chksumsize) {
				syslog(LOG_ERR, "cmd buffer too long.");
				free(chksumbuf);
				return (-1);
			}
			if (strlcat(chksumbuf, locuser,
					chksumsize) >= chksumsize) {
				syslog(LOG_ERR, "locuser too long.");
				free(chksumbuf);
				return (-1);
			}

			input.data = chksumbuf;
			input.length = strlen(chksumbuf);
			key.magic = ticket->enc_part2->session->magic;
			key.enctype = ticket->enc_part2->session->enctype;
			key.contents = ticket->enc_part2->session->contents;
			key.length = ticket->enc_part2->session->length;

			status = krb5_c_verify_checksum(bsd_context,
			    &key, 0, &input, authenticator->checksum,
			    (unsigned int *)valid_checksum);

			if (status == 0 && *valid_checksum == 0)
			    status = KRB5KRB_AP_ERR_BAD_INTEGRITY;
error_cleanup:
			if (chksumbuf)
				krb5_xfree(chksumbuf);
			if (status) {
				krb5_free_authenticator(bsd_context,
						authenticator);
				return (status);
			}
		}
		krb5_free_authenticator(bsd_context, authenticator);
	}


	if ((strncmp(cmdbuf, "-x ", 3) == 0)) {
		if (krb5_privacy_allowed()) {
			do_encrypt = 1;
		} else {
			syslog(LOG_ERR, "rshd: Encryption not supported");
			error("rshd: Encryption not supported. \n");
			exit(2);
		}

		status = krb5_auth_con_getremotesubkey(bsd_context,
						    auth_context,
						    &sessionkey);
		if (status) {
			syslog(LOG_ERR, "Error getting KRB5 session subkey");
			error(gettext("Error getting KRB5 session subkey"));
			exit(1);
		}
		/*
		 * The "new" protocol requires that a subkey be sent.
		 */
		if (sessionkey == NULL && kcmd_protocol == KCMD_NEW_PROTOCOL) {
			syslog(LOG_ERR, "No KRB5 session subkey sent");
			error(gettext("No KRB5 session subkey sent"));
			exit(1);
		}
		/*
		 * The "old" protocol does not permit an authenticator subkey.
		 * The key is taken from the ticket instead (see below).
		 */
		if (sessionkey != NULL && kcmd_protocol == KCMD_OLD_PROTOCOL) {
			syslog(LOG_ERR, "KRB5 session subkey not permitted "
				"with old KCMD protocol");
			error(gettext("KRB5 session subkey not permitted "
				"with old KCMD protocol"));
			exit(1);
		}
		/*
		 * If no key at this point, use the session key from
		 * the ticket.
		 */
		if (sessionkey == NULL) {
			/*
			 * Save the session key so we can configure the crypto
			 * module later.
			 */
			status = krb5_copy_keyblock(bsd_context,
						ticket->enc_part2->session,
						&sessionkey);
			if (status) {
				syslog(LOG_ERR, "krb5_copy_keyblock failed");
				error(gettext("krb5_copy_keyblock failed"));
				exit(1);
			}
		}
		/*
		 * If session key still cannot be found, we must
		 * exit because encryption is required here
		 * when encr_flag (-x) is set.
		 */
		if (sessionkey == NULL) {
			syslog(LOG_ERR, "Could not find an encryption key");
			error(gettext("Could not find an encryption key"));
			exit(1);
		}

		/*
		 * Initialize parameters/buffers for desread & deswrite here.
		 */
		desinbuf.data = des_inbuf;
		desoutbuf.data = des_outbuf;
		desinbuf.length = sizeof (des_inbuf);
		desoutbuf.length = sizeof (des_outbuf);

		eblock.crypto_entry = sessionkey->enctype;
		eblock.key = (krb5_keyblock *)sessionkey;

		init_encrypt(do_encrypt, bsd_context, kcmd_protocol,
				&desinbuf, &desoutbuf, SERVER, &eblock);
	}

	ticket->enc_part2->session = 0;

	if ((status = krb5_read_message(bsd_context, (krb5_pointer) & netf,
				&inbuf))) {
		error(gettext("Error reading message: %s\n"),
				error_message(status));
		exit(1);
	}

	if (inbuf.length) {
		krb5_creds **creds = NULL;

		/* Forwarding being done, read creds */
		if ((status = krb5_rd_cred(bsd_context,
					    auth_context, &inbuf, &creds,
					    NULL))) {
			error("Can't get forwarded credentials: %s\n",
				error_message(status));
			exit(1);
		}

		/* Store the forwarded creds in the ccache */
		if ((status = store_forw_creds(bsd_context,
					    creds, ticket, locuser,
					    &ccache))) {
			error("Can't store forwarded credentials: %s\n",
				error_message(status));
			exit(1);
		}
		krb5_free_creds(bsd_context, *creds);
	}

	krb5_free_ticket(bsd_context, ticket);
	return (0);
}

static void
usage(void)
{
	(void) fprintf(stderr, gettext("%s: rshd [-k5eciU] "
			"[-P path] [-M realm] [-s tos] "
#ifdef DEBUG
			"[-D port] "
#endif /* DEBUG */
			"[-S keytab]"), gettext("usage"));

	syslog(LOG_ERR, "%s: rshd [-k5eciU] [-P path] [-M realm] [-s tos] "
#ifdef DEBUG
			"[-D port] "
#endif /* DEBUG */
			"[-S keytab]", gettext("usage"));
}