telnetd: Server principal naming.

2026-01-12 00:19:39 +08:00 · 2012-08-16 18:11:19 +02:00
parent 4d1fc9ac2c
commit 32746bf664
8 changed files with 139 additions and 26 deletions
--- a/27
+++ b/27
@@ -1,3 +1,30 @@
+2012-08-16  Mats Erik Andersson  <gnu@gisladisker.se>
+
+	telnetd: Configurable principal name.
+
+	* libtelnet/misc.c (ServerPrincipal): New variable.
+	(auth_encrypt_init): Add `char *principal' to signature.
+	Assign value to ServerPrincipal.
+	* libtelnet/misc.h (ServerPrincipal): New external variable.
+	* libtelnet/misc-proto.h (auth_encrypt_init): Updated.
+	* libtelnet/shishi.c: Prune newlines in error messages.
+	(krb5shishi_is_auth): New variable REALM.  Delay shishi_ap()
+	and shishi_ap_req_der_set() until after complete setup.
+	Extract server name and realm from ServerPrincipal and
+	override defaults accordingly.  Use variant calls to access
+	realm also, shishi_hostkeys_for_serverrealm() and
+	shishi_hostkeys_for_localservicerealm().
+
+	* telnet/telnet.c (telnet): Call auth_encrypt_init()
+	with `principal = NULL'.
+	* telnetd/telnetd.c (principal) [AUTHENTICATION || ENCRYPTION]:
+	New variable.
+	(argp_options) [AUTHENTICATION || ENCRYPTION]: New option
+	`-S/--server-principal'.
+	(parse_opt) [AUTHENTICATION || ENCRYPTION] <'S'>: New case.
+	(telnetd_setup) [AUTHENTICATION || ENCRYPTION]: Pass
+	`principal' in call to auth_encrypt_init().
+
 2012-08-15  Mats Erik Andersson  <gnu@gisladisker.se>

 	* src/rcp.c (main) [KERBEROS || SHISHI]: Add `!use_kerberos'
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -3755,6 +3755,18 @@ The only recognised value is otherwise @samp{nokludge}.
@opindex --no-keepalive
 Disable TCP keep-alives.

+@item -S @var{principal}
+@itemx --server-principal=@var{principal}
+@opindex -S
+@opindex --server-principal
+Set principal name for the server, to be used in Kerberos
+authentication.  The value @var{principal} can be set
+to provide full specification like @samp{srv.local@@REALM}
+and @samp{tnt/localhost@@REALM}, where the first uses the
+standard prefix `host/'. Or @var{principal} can override
+default settings in part only, like @samp{srv.local},
+@samp{tnt/srv.local}, or @samp{@@REALM}.
+
@item -U
@itemx --reverse-lookup
@opindex -U
--- a/libtelnet/misc-proto.h
+++ b/libtelnet/misc-proto.h
@@ -70,7 +70,7 @@
 #ifndef __MISC_PROTO__
 # define __MISC_PROTO__

-void auth_encrypt_init (char *, char *, char *, int);
+void auth_encrypt_init (char *, char *, char *, char *, int);
 void auth_encrypt_user (char *);
 void auth_encrypt_connect (int);
 void printd (unsigned char *, int);
--- a/libtelnet/misc.c
+++ b/libtelnet/misc.c
@@ -59,12 +59,15 @@
 char *RemoteHostName;
 char *LocalHostName;
 char *UserNameRequested = NULL;
+char *ServerPrincipal;

 void
-auth_encrypt_init (char *local, char *remote, char *name, int server)
+auth_encrypt_init (char *local, char *remote, char *principal,
+		   char *name, int server)
 {
  RemoteHostName = remote;
  LocalHostName = local;
+  ServerPrincipal = principal;
  (void) name;
  (void) server;		/* silence gcc */
 #if defined AUTHENTICATION
--- a/libtelnet/misc.h
+++ b/libtelnet/misc.h
@@ -50,6 +50,7 @@
 extern char *UserNameRequested;
 extern char *LocalHostName;
 extern char *RemoteHostName;
+extern char *ServerPrincipal;
 extern int ConnectedCount;
 extern int ReservedPort;

--- a/libtelnet/shishi.c
+++ b/libtelnet/shishi.c
@@ -306,7 +306,7 @@ krb5shishi_reply (TN_Authenticator * ap, unsigned char *data, int cnt)
    {
    case KRB_REJECT:
      if (cnt > 0)
-	printf ("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+	printf ("[ Kerberos V5 rejects authentication: %.*s ]\r\n",
 		cnt, data);
      else
 	printf ("[ Kerberos V5 refuses authentication ]\r\n");
@@ -402,7 +402,7 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
 {
  Shishi_key *key, *key2;
  int rc;
-  char *cnamerealm, *server;
+  char *cnamerealm, *server = NULL, *realm = NULL;
  int cnamerealmlen;
 # ifdef ENCRYPTION
  Session_Key skey;
@@ -427,6 +427,78 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
 	}
    }

+  if (ServerPrincipal && *ServerPrincipal)
+    {
+      rc = shishi_parse_name (shishi_handle, ServerPrincipal,
+			      &server, &realm);
+      if (rc != SHISHI_OK)
+	{
+	  snprintf (errbuf, errbuflen,
+		    "Cannot parse server principal name: %s",
+		    shishi_strerror (rc));
+	  return 1;
+	}
+      if (realm)
+	shishi_realm_default_set (shishi_handle, realm);
+
+      /* Reclaim an empty server part.  */
+      if (server && !*server)
+	{
+	  free (server);
+	  server = NULL;
+	}
+    }
+
+  if (!server)
+    {
+      server = malloc (strlen ("host/") + strlen (LocalHostName) + 1);
+      if (server)
+	sprintf (server, "host/%s", LocalHostName);
+    }
+
+  if (server)
+    {
+      /* Two possible action on `server':
+       *   "srv.local"    :  rewrite as "host/srv.local"
+       *   "tn/srv.local" :  accept as is
+       */
+      char *p = strchr (server, '/');
+
+      if (!p)
+	{
+	  p = server;
+	  server = malloc (strlen ("host/") + strlen (p) + 1);
+	  if (!server)
+	    {
+	      free (p);		/* This old `server'.  */
+	      snprintf (errbuf, errbuflen,
+			"Cannot allocate memory for server name");
+	      return 1;
+	    }
+	  sprintf (server, "host/%s", p);
+	}
+
+      if (realm)
+	key = shishi_hostkeys_for_serverrealm (shishi_handle,
+					       server, realm);
+      else
+	key = shishi_hostkeys_for_server (shishi_handle, server);
+
+      free (server);
+    }
+  else
+    key = shishi_hostkeys_for_localservicerealm (shishi_handle,
+						 "host", realm);
+
+  free (realm);
+
+  if (key == NULL)
+    {
+      snprintf (errbuf, errbuflen, "Could not find key: %s",
+		shishi_error (shishi_handle));
+      return 1;
+    }
+
  rc = shishi_ap (shishi_handle, &auth_handle);
  if (rc != SHISHI_OK)
    {
@@ -445,27 +517,10 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
      return 1;
    }

-  server = malloc (strlen ("host/") + strlen (LocalHostName) + 1);
-  if (server)
-    {
-      sprintf (server, "host/%s", LocalHostName);
-      key = shishi_hostkeys_for_server (shishi_handle, server);
-      free (server);
-    }
-  else
-    key = shishi_hostkeys_for_localservice (shishi_handle, "host");
-
-  if (key == NULL)
-    {
-      snprintf (errbuf, errbuflen, "Could not find key:\n%s\n",
-		shishi_error (shishi_handle));
-      return 1;
-    }
-
  rc = shishi_ap_req_process (auth_handle, key);
  if (rc != SHISHI_OK)
    {
-      snprintf (errbuf, errbuflen, "Could not process AP-REQ: %s\n",
+      snprintf (errbuf, errbuflen, "Could not process AP-REQ: %s",
 		shishi_strerror (rc));
      return 1;
    }
@@ -479,7 +534,7 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
      rc = shishi_ap_rep_der (auth_handle, &der, &derlen);
      if (rc != SHISHI_OK)
 	{
-	  snprintf (errbuf, errbuflen, "Error DER encoding aprep: %s\n",
+	  snprintf (errbuf, errbuflen, "Error DER encoding aprep: %s",
 		    shishi_strerror (rc));
 	  return 1;
 	}
@@ -494,7 +549,7 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
 		&cnamerealm, &cnamerealmlen);
  if (rc != SHISHI_OK)
    {
-      snprintf (errbuf, errbuflen, "Error getting authenticator name: %s\n",
+      snprintf (errbuf, errbuflen, "Error getting authenticator name: %s",
 		shishi_strerror (rc));
      return 1;
    }
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -2413,7 +2413,7 @@ telnet (char *user)
    if (!local_host)
      local_host = localhost ();

-    auth_encrypt_init (local_host, hostname, "TELNET", 0);
+    auth_encrypt_init (local_host, hostname, NULL, "TELNET", 0);
    auth_encrypt_user (user);
  }
 #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
--- a/telnetd/telnetd.c
+++ b/telnetd/telnetd.c
@@ -65,6 +65,9 @@ int debug_tcp = 0;		/* Should the SO_DEBUG be set? */

 int net;			/* Network connection socket */
 int pty;			/* PTY master descriptor */
+#if defined AUTHENTICATION || defined ENCRYPTION
+char *principal = NULL;
+#endif
 char *remote_hostname;
 char *local_hostname;
 char *user_name;
@@ -110,6 +113,11 @@ static struct argp_option argp_options[] = {
    "set line mode" },
  { "no-keepalive", 'n', NULL, 0,
    "disable TCP keep-alives" },
+#if defined AUTHENTICATION || defined ENCRYPTION
+  { "server-principal", 'S', "NAME", 0,
+    "set Kerberos principal name for this server instance, "
+    "with or without explicit realm" },
+#endif
  { "reverse-lookup", 'U', NULL, 0,
    "refuse connections from addresses that "
    "cannot be mapped back into a symbolic name" },
@@ -151,6 +159,12 @@ parse_opt (int key, char *arg, struct argp_state *state)
      keepalive = 0;
      break;

+#if defined AUTHENTICATION || defined ENCRYPTION
+    case 'S':
+      principal = arg;
+      break;
+#endif
+
    case 'U':
      reverse_lookup = 1;
      break;
@@ -448,7 +462,8 @@ telnetd_setup (int fd)

  local_hostname = localhost ();
 #if defined AUTHENTICATION || defined ENCRYPTION
-  auth_encrypt_init (remote_hostname, local_hostname, "TELNETD", 1);
+  auth_encrypt_init (remote_hostname, local_hostname, principal,
+		     "TELNETD", 1);
 #endif

  io_setup ();