*** coda-5.3.15/Makeconf.ori Tue Feb 27 17:53:38 2001 --- coda-5.3.15/Makeconf Sat Aug 25 18:50:57 2001 *************** *** 56,64 **** LIBS := $(LIBS) $(LIBFIXUP) # uncomment some of the next lines if you have kerberos ! # KERBEROS=yes # KERBEROS4=yes ! # KERBEROS5=yes ############################## # Library definitions --- 56,64 ---- LIBS := $(LIBS) $(LIBFIXUP) # uncomment some of the next lines if you have kerberos ! KERBEROS=yes # KERBEROS4=yes ! KERBEROS5=yes ############################## # Library definitions *** coda-5.3.15/coda-src/auth2/Makefile.ori1 Sat Oct 27 19:17:26 2001 --- coda-5.3.15/coda-src/auth2/Makefile Sat Oct 27 20:39:37 2001 *************** *** 42,47 **** --- 42,49 ---- AU=kau LIBAUTH2OBJS=auth2.server.o acommon.o avice.o pwsupport.o krbsupport.o LIBAUSEROBJS=auth2.client.o acommon.o auser.o avenus.o krbsupport.o + LIBKRBS=-L/.../chalmers.se/fs/cab/md/sw/pm/1/TOP/k/krb5/V/1.2.2/L/1/TOP/lib -lkrb5 -lk5crypto -lcom_err -lresolv + KRBINCLFLAGS=-I/.../chalmers.se/fs/cab/md/sw/pm/1/TOP/k/krb5/V/1.2.2/L/1/TOP/include CFLAGS += $(KRBINCLFLAGS) endif *************** *** 53,59 **** CFLAGS += -DKERBEROS4 endif ! CFLAGS += -DCODAAUTH # --- 55,61 ---- CFLAGS += -DKERBEROS4 endif ! #CFLAGS += -DCODAAUTH # *** coda-5.3.15/coda-src/auth2/krbsupport.c.ori Tue Nov 6 16:15:29 2001 --- coda-5.3.15/coda-src/auth2/krbsupport.c Wed Nov 7 20:13:38 2001 *************** *** 15,20 **** --- 15,21 ---- #*/ + //#define NO_MULTILEVEL_PRINCIPALS /* pin */ /* krbsupport.cc -- kerberos support routines for ViceII *************** *** 62,68 **** #ifdef KERBEROS5 krb5_context coda_auth_krb5context; krb5_principal coda_auth_krb5princ; ! char *K5KINIT = "/usr/athena/bin/kinit"; static krb5_keytab coda_keytab = NULL; #endif --- 63,69 ---- #ifdef KERBEROS5 krb5_context coda_auth_krb5context; krb5_principal coda_auth_krb5princ; ! 
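Review bot: The added LIBKRBS and KRBINCLFLAGS lines hard-code one site's AFS path to a krb5 1.2.2 install, so the auth2 build fails anywhere else and silently pins that library version into the checked-in Makefile. Factor the prefix into one overridable variable, e.g. `KRB5ROOT ?= /usr`, `LIBKRBS=-L$(KRB5ROOT)/lib -lkrb5 -lk5crypto -lcom_err -lresolv` and `KRBINCLFLAGS=-I$(KRB5ROOT)/include`, and set the site path from the environment or Makeconf instead. Whether `-lresolv` is needed depends on how that krb5 was built; keep it only if the link fails without it.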
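Review bot: `//#define NO_MULTILEVEL_PRINCIPALS /* pin */` is the switch that selects between the two principal-construction implementations in the later hunks of this file, but as a commented-out line it can only be flipped by editing the source, and nothing says what it means. Make it a build flag next to the KERBEROS5 settings in auth2/Makefile (`CFLAGS += -DNO_MULTILEVEL_PRINCIPALS`) and replace the commented line with an explanatory comment, e.g. `/* NO_MULTILEVEL_PRINCIPALS: use krb5_sname_to_principal(); leave undefined when SRV5PRINC has several components, which that call does not handle */`, hedged as appropriate since the exact library behaviour is not visible here.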
char *K5KINIT = "/usr/bin/kinit"; static krb5_keytab coda_keytab = NULL; #endif *************** *** 237,243 **** #ifdef KERBEROS5 /* The following will definitely go away with a config file! XXXX */ ! #define SRV5PRINC "host" //#define SRV5PRINC "coda" long Krb5Init(char *initrealm, char *keytab_filename) --- 238,244 ---- #ifdef KERBEROS5 /* The following will definitely go away with a config file! XXXX */ ! #define SRV5PRINC "cab/md/subsys/coda" //#define SRV5PRINC "coda" long Krb5Init(char *initrealm, char *keytab_filename) *************** *** 246,251 **** --- 247,253 ---- char thishost[MAXHOSTNAMELEN]; struct hostent *authserver; int rc; + char tmp_h_name[257]; /* pin */ LogMsg(0, AuthDebugLevel, stdout, "In Krb5Init()"); *************** *** 259,264 **** --- 261,268 ---- herror("Krb5Init: cannot do gethostbyname"); return -1; } + strncpy(tmp_h_name, authserver->h_name, 256); /* pin */ + tmp_h_name[256]=0; /* initialize Kerberos 5 contex */ *************** *** 281,290 **** if (initrealm) realm = strdup(initrealm); ! /* generate principal given the service name codaauth */ ! retval = krb5_sname_to_principal(coda_auth_krb5context, authserver->h_name, SRV5PRINC, KRB5_NT_SRV_HST, &coda_auth_krb5princ); if (retval) { com_err("auth2", retval, "while generating servicename"); --- 285,320 ---- if (initrealm) realm = strdup(initrealm); ! /* generate principal given the service name ! like "codaauth" or "cab/md/subsys/coda" */ ! /* unnecessary when called from kclog, but... */ ! #ifdef NO_MULTILEVEL_PRINCIPALS /* no hierarchical service names -- pin */ ! 
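Review bot: The copy into tmp_h_name is correctly terminated, but 256/257 is a magic size repeated in both this hunk and the Krb5GetSecret hunk below (305,316), while Krb5Init already sizes thishost with MAXHOSTNAMELEN. `snprintf(tmp_h_name, sizeof tmp_h_name, "%s", authserver->h_name);` does the bounded copy and the termination in one call and lets the array be declared as `char tmp_h_name[MAXHOSTNAMELEN + 1];`. A short comment at the copy would help a later reader, since the copied name becomes the host component of the service principal a few lines down: `/* canonical name as returned by the resolver; it selects the service principal below, and an over-long name is truncated (auth then fails) */`. Krb5Init starts and ends outside this hunk.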
retval = krb5_sname_to_principal(coda_auth_krb5context, tmp_h_name, SRV5PRINC, KRB5_NT_SRV_HST, &coda_auth_krb5princ); + #else /* hierarchical service names possible -- pin */ + { /* manual work needed */ + char authprincipalfullname[513]; /* yes, an arbitrary limitation :) */ + /* yes, one more than 512 */ + char **realm_list; + authprincipalfullname[512] = 0; /* yes, it is needed with strnxxx() */ + strncpy(authprincipalfullname, SRV5PRINC, 512); + strncat(authprincipalfullname, "/", 512-strlen(authprincipalfullname)); + strncat(authprincipalfullname, tmp_h_name, 512-strlen(authprincipalfullname)); + strncat(authprincipalfullname, "@", 512-strlen(authprincipalfullname)); + /* what is the realm? */ + retval = krb5_get_host_realm(coda_auth_krb5context, tmp_h_name, &realm_list); + if (retval) { + com_err("auth2", retval, "while looking for authserver realm"); + exit(-1); + } + strncat(authprincipalfullname, *realm_list, 512-strlen(authprincipalfullname)); + krb5_free_host_realm(coda_auth_krb5context, realm_list); + retval = krb5_parse_name(coda_auth_krb5context, + authprincipalfullname, + &coda_auth_krb5princ); + } + #endif /* hierarchical service names possible -- pin */ if (retval) { com_err("auth2", retval, "while generating servicename"); *************** *** 305,316 **** --- 335,349 ---- char *s; int i; struct hostent *authserver; + char tmp_h_name[257]; /* pin */ authserver = gethostbyname(hostname); if ( ! authserver ) { herror("Krb5GetSecret:"); return -1; } + strncpy(tmp_h_name, authserver->h_name, 256); /* pin */ + tmp_h_name[256]=0; /* aquire cache of existing authenticators */ retval = krb5_cc_default(coda_auth_krb5context, &ccdef); *************** *** 320,328 **** } /* construct a new authenticator, or find an old one */ retval = krb5_mk_req(coda_auth_krb5context, &auth_context, 0, SRV5PRINC, ! 
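Review bot: In the new non-NO_MULTILEVEL_PRINCIPALS block the realm of the server principal comes only from krb5_get_host_realm, so the `realm` the context lines just built from initrealm is never consulted; if initrealm is meant to pin the authentication realm, the principal should use it and fall back to the host-realm lookup only when it is absent. The block also calls `exit(-1)` on a lookup failure although Krb5Init reports its other errors with `return -1;` (see the gethostbyname path above), and depending on the krb5 version krb5_get_host_realm may hand back an empty referral realm, which this code would append as is and pass to krb5_parse_name. The same fifteen lines appear verbatim in the Krb5GetSecret hunk below (320,328), so a single static helper that builds the name with snprintf, checks for truncation and an empty realm, and returns the error code removes the duplication and the strncat arithmetic. Krb5Init starts before this hunk.
```c
/* Build "SRV5PRINC/<host>@<realm>" and parse it into *princ.  When realm is
 * NULL or empty the host's realm mapping is used.  Returns 0 or a krb5/errno
 * code that has already been reported through com_err(); callers return it
 * instead of calling exit(). */
static long coda_auth_server_principal(const char *host, const char *realm,
                                       krb5_principal *princ)
{
    char **realm_list = NULL;
    char name[513];
    long retval = 0;
    int len;

    if (realm == NULL || *realm == '\0') {
        retval = krb5_get_host_realm(coda_auth_krb5context, host, &realm_list);
        if (retval) {
            com_err("auth2", retval, "while looking for authserver realm");
            return retval;
        }
        realm = realm_list[0];
    }
    if (*realm == '\0') {
        /* referral/unknown realm: refuse rather than build "svc/host@" */
        com_err("auth2", EINVAL, "no realm known for %s", host);
        retval = EINVAL;
    } else {
        len = snprintf(name, sizeof name, "%s/%s@%s", SRV5PRINC, host, realm);
        if (len < 0 || (size_t)len >= sizeof name) {
            com_err("auth2", ENAMETOOLONG, "service principal name too long");
            retval = ENAMETOOLONG;
        } else {
            retval = krb5_parse_name(coda_auth_krb5context, name, princ);
        }
    }
    if (realm_list != NULL)
        krb5_free_host_realm(coda_auth_krb5context, realm_list);
    return retval;
}

/* … in Krb5Init, replacing the whole #else block: … */
    retval = coda_auth_server_principal(tmp_h_name, initrealm, &coda_auth_krb5princ);
    /* … unchanged: if (retval) { com_err("auth2", retval, "while generating servicename"); … */
```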
authserver->h_name, NULL, ccdef, &authenticator); if (retval) { com_err("krbsupport", retval, "while preparing AP_REQ"); return(1); --- 353,418 ---- } /* construct a new authenticator, or find an old one */ + #ifdef NO_MULTILEVEL_PRINCIPALS /* no hierarchical service names -- pin */ retval = krb5_mk_req(coda_auth_krb5context, &auth_context, 0, SRV5PRINC, ! tmp_h_name, NULL, ccdef, &authenticator); + #else /* hierarchical service names possible -- pin */ + { /* manual work needed */ + krb5_creds * credsp; + krb5_creds creds; + char authprincipalfullname[513]; /* yes, an arbitrary limitation :) */ + /* yes, one more than 512 */ + char **realm_list; + + authprincipalfullname[512] = 0; /* yes, it is needed with strnxxx() */ + strncpy(authprincipalfullname, SRV5PRINC, 512); + strncat(authprincipalfullname, "/", 512-strlen(authprincipalfullname)); + strncat(authprincipalfullname, tmp_h_name, 512-strlen(authprincipalfullname)); + strncat(authprincipalfullname, "@", 512-strlen(authprincipalfullname)); + /* what is the realm? 
*/ + retval = krb5_get_host_realm(coda_auth_krb5context, tmp_h_name, &realm_list); + if (retval) { + com_err("auth2", retval, "while looking for authserver realm"); + exit(-1); + } + strncat(authprincipalfullname, *realm_list, 512-strlen(authprincipalfullname)); + krb5_free_host_realm(coda_auth_krb5context, realm_list); + retval = krb5_parse_name(coda_auth_krb5context, + authprincipalfullname, + &coda_auth_krb5princ); + if (retval) { + com_err("krbsupport", retval, "while parsing principal name"); + return(1); + } + /* obtain ticket & session key */ + memset((char *)&creds, 0, sizeof(creds)); + if ((retval = krb5_copy_principal(coda_auth_krb5context, coda_auth_krb5princ, &creds.server))){ + com_err("krbsupport", retval, "while copying server principal"); + goto cleanup_princ; + } + if ((retval = krb5_cc_get_principal(coda_auth_krb5context, ccdef, &creds.client))){ + com_err("krbsupport", retval, "while getting client principal"); + goto cleanup_creds; + } + if ((retval = krb5_get_credentials(coda_auth_krb5context, 0, + ccdef, &creds, &credsp))){ + com_err("krbsupport", retval, "while getting client credentials"); + goto cleanup_creds; + } + retval = krb5_mk_req_extended(coda_auth_krb5context, &auth_context, 0, + NULL, credsp, &authenticator); + + krb5_free_creds(coda_auth_krb5context, credsp); + + cleanup_creds: + krb5_free_cred_contents(coda_auth_krb5context, &creds); + + cleanup_princ: + krb5_free_principal(coda_auth_krb5context, coda_auth_krb5princ); + } + #endif /* hierarchical principal names possible -- pin */ + if (retval) { com_err("krbsupport", retval, "while preparing AP_REQ"); return(1); *************** *** 419,425 **** return -1; } - authenticator.length = cIdent->SeqLen; authenticator.data = (krb5_pointer) cIdent->SeqBody; --- 509,514 ----
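Review bot: At `cleanup_princ:` the new block frees the global `coda_auth_krb5princ` but leaves it pointing at freed memory, so any other code that reads that global afterwards (Krb5Init stores into it in the same file) is a use-after-free or double-free waiting to happen; either follow the free with `coda_auth_krb5princ = NULL;` or, better, parse into a local `krb5_principal server_princ` and never touch the global from the client path. The `exit(-1)` after the realm lookup terminates the calling client where the rest of Krb5GetSecret returns 1 or -1 (see `return -1;` after herror above); it should `return(1);` like the parse failure a few lines further down, and the principal-building lines duplicate the Krb5Init hunk (281,290), so both should share one helper. When krb5_get_credentials fails, retval is still set when control reaches the existing `if (retval)` after the block, so the failure is reported twice; if that is intended, say so with `/* retval from get_credentials is reported again below as an AP_REQ failure */`. Krb5GetSecret continues outside this hunk.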