commit-inetutils

[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-142-g3054a


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1-142-g3054a34
Date: Fri, 03 Aug 2012 13:35:13 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils".

The branch, master has been updated
       via  3054a34cda7ced89f28fcaf3401097ee0b83cebc (commit)
      from  a1df58afcb9f63e97ec6b944432a09ae52ed51a4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=3054a34cda7ced89f28fcaf3401097ee0b83cebc


commit 3054a34cda7ced89f28fcaf3401097ee0b83cebc
Author: Mats Erik Andersson <address@hidden>
Date:   Fri Aug 3 15:19:06 2012 +0200

    rlogind, rshd: Exchange protocol audit.
    
    Make sure they follow identical protocols.

diff --git a/ChangeLog b/ChangeLog
index 4ac4f42..6ed2ba5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,26 @@
 2012-08-03  Mats Erik Andersson  <address@hidden>
 
+       rlogind, rshd: Protocol exchange adherence.
+       The implementations in both, with and without
+       Kerberization, did not follow identical protocols.
+
+       * libinetutils/kcmd.c (kcmd) [SHISHI]: Write remote user name
+       first, then the local user name, falling back to remote name.
+       * src/rlogind.c (do_shishi_login) [SHISHI]: Read local user
+       name first, then remote name.
+       * src/rshd.c (doit): Read `locuser' immediately before `command'.
+       [!KERBEROS && !SHISHI]: Read `remuser' first.
+       [KERBEROS || SHISHI]: Read `remuser' last.
+       [SHISHI]: Insert `Kerberized' into syslog message only for active
+       Kerberized connection.
+
+       * src/rsh.c (options) [WITH_ORCMD_AF || WITH_RCMD_AF || SHISHI]:
+       Add SHISHI as provider of `--ipv4' and `--ipv6'.
+
+       * doc/inetutils.text: Updated.
+
+2012-08-03  Mats Erik Andersson  <address@hidden>
+
        * configure.ac: Check whether `struct sockaddr_in6'
        contains sin6_len.  Correctly check for ut_addr_v6
        inside `struct utmpx'.
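
Review bot: The new entry's last line, `* doc/inetutils.text: Updated.`, names a file this commit does not change; the diff that follows modifies `doc/inetutils.texi`, so the ChangeLog should use that name. "Updated." also hides the one behavioural statement the manual gains here, that the source-port check is not applied for Kerberized service, which deserves its own line in the entry.
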
diff --git a/doc/inetutils.texi b/doc/inetutils.texi
index 002c903..c1b67c8 100644
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -1715,11 +1715,17 @@ Reference Manual}.
 The options are as follows :
 
 @table @option
address@hidden -K
address@hidden --kerberos
address@hidden -K
address@hidden --kerberos
-Turns off all Kerberos authentication.
address@hidden -4
address@hidden --ipv4
address@hidden -4
address@hidden --ipv4
+Use only IPv4.
+
address@hidden -6
address@hidden --ipv6
address@hidden -6
address@hidden --ipv6
+Use only IPv6.
 
 @item -d
 @itemx --debug
@@ -1732,26 +1738,38 @@ Turns on socket debugging used for communication with 
the remote host.
 @opindex -k
 @opindex --realm
 The option requests rsh to obtain tickets for the remote host in
address@hidden realm instead of the remote host's realm.
+realm @var{realm} instead of the remote host's realm.
+
address@hidden -K
address@hidden --kerberos
address@hidden -K
address@hidden --kerberos
+Turns off all Kerberos authentication.
+
address@hidden -l @var{user}
address@hidden address@hidden
address@hidden -l
address@hidden --user
+By default, the remote username is the same as the local username.
+The @option{-l} option and the @samp{username@@host} format allow the
+remote user name to be specified.  Kerberos authentication is used,
+whenever available, and authorization is determined as in @command{rlogin}
+(@pxref{rlogin invocation}).
+
address@hidden -n
address@hidden --no-input
address@hidden -n
address@hidden --no-input
+Use @file{/dev/null} for all input, and use no separate @samp{stderr}
+at remote end.  This option is void together with encryption.
 
 @item -x
 @itemx --encrypt
 @opindex -x
 @opindex --encrypt
-Turns on DES encryption for all data passed via the rsh session.  This
+Turns on encryption for all data passed via the rsh session.  This
 may impact response time and CPU utilization, but provides increased
 security.
-
address@hidden -l
address@hidden --user
address@hidden -l
address@hidden --user
-By default, the remote username is the same as the local username.
-The @option{-l} option or the @samp{username@@host} format allow the
-remote name to be specified.  Kerberos authentication is used, and
-authorization is determined as in @command{rlogin} (@pxref{rlogin
-invocation}).
-
 @end table
 
 If no command is specified, you will be logged in on the remote host
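
Review bot: In the new `-n` / `--no-input` text, "This option is void together with encryption" does not tell the reader whether rsh ignores `-n` when `-x` is given or refuses the combination. State the actual behaviour in plain terms. The reworded `-l` text has a similar gap: "Kerberos authentication is used, whenever available" should say what authorization applies when it is not available.
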
@@ -1802,6 +1820,18 @@ Reference Manual}.
 The options are as follows :
 
 @table @option
address@hidden -4
address@hidden --ipv4
address@hidden -4
address@hidden --ipv4
+Use only IPv4.
+
address@hidden -6
address@hidden --ipv6
address@hidden -6
address@hidden --ipv6
+Use only IPv6.
+
 @item -8
 @itemx --8-bit
 @opindex -8
@@ -1810,21 +1840,6 @@ Allows an eight-bit input data path at all times; 
otherwise parity
 bits are stripped except when the remote side's stop and start
 characters are other than @kbd{C-S}/@kbd{C-Q}.
 
address@hidden -E
address@hidden --no-escape
address@hidden --no-escape
address@hidden -E
address@hidden --no-escape
-Stops any character from being recognized as an escape character.
-When used with the @option{-8} option, this provides a completely
-transparent connection.
-
address@hidden -K
address@hidden --kerberos
address@hidden -K
address@hidden --kerberos
-Turns off all Kerberos authentication.
-
 @item -d
 @itemx --debug
 @opindex -d
@@ -1832,7 +1847,7 @@ Turns off all Kerberos authentication.
 Turns on socket debugging on the TCP sockets used for communication
 with the remote host.
 
address@hidden -e
address@hidden -e @var{char}
 @itemx address@hidden
 @opindex -e
 @opindex --escape
@@ -1840,18 +1855,40 @@ Allows user specification of the escape character, 
which is @samp{~}
 by default.  This specification may be as a literal character, or as
 an octal value in the form @samp{\nnn}.
 
address@hidden -k
address@hidden -E
address@hidden --no-escape
address@hidden -E
address@hidden --no-escape
+Stops any character from being recognized as an escape character.
+When used with the @option{-8} option, this provides a completely
+transparent connection.
+
address@hidden -k @var{realm}
 @itemx address@hidden
 @opindex -k
 @opindex --realm
 The option requests rlogin to obtain tickets for the remote host in
address@hidden realm instead of the remote host's realm.
+realm @var{realm} instead of the remote host's realm.
+
address@hidden -K
address@hidden --kerberos
address@hidden -K
address@hidden --kerberos
+Turns off all Kerberos authentication.
+
address@hidden -l @var{user}
address@hidden address@hidden
address@hidden -l
address@hidden --user
+By default, the remote username is the same as the local username.
+This option, and the @samp{user@@host} format, allow the remote
+user name to be made explicit, or changed.
 
 @item -x
 @itemx --encrypt
 @opindex -x
 @opindex --encrypt
-Turns on DES encryption for all data passed via the rlogin session.
+Turns on encryption for all data passed via the rlogin session.
 This may impact response time and CPU utilization, but provides
 increased security.
 @end table
@@ -1906,18 +1943,42 @@ rcp address@hidden@dots{} @address@hidden 
@var{directory}
 @end example
 
 @table @option
address@hidden -K
address@hidden --kerberos
address@hidden -K
address@hidden --kerberos
-Turns off all Kerberos authentication.
address@hidden -4
address@hidden --ipv4
address@hidden -4
address@hidden --ipv4
+Use only IPv4.
 
address@hidden -k
address@hidden -6
address@hidden --ipv6
address@hidden -6
address@hidden --ipv6
+Use only IPv6.
+
address@hidden -d @var{directory}
address@hidden address@hidden
address@hidden -d
address@hidden --target-directory
+Copy all source arguments into @var{directory}.
+
address@hidden -f
address@hidden --from
address@hidden -f
address@hidden --from
+(Server mode only.) Copying from remote host.
+
address@hidden -k @var{realm}
 @itemx address@hidden
 @opindex -k
 @opindex --realm
 The option requests rcp to obtain tickets for the remote host in
address@hidden realm instead of the remote host's realm.
+realm @var{realm} instead of the remote host's realm.
+
address@hidden -K
address@hidden --kerberos
address@hidden -K
address@hidden --kerberos
+Turns off all Kerberos authentication.
 
 @item -p
 @itemx --preserve
@@ -1925,9 +1986,9 @@ The option requests rcp to obtain tickets for the remote 
host in
 @opindex --preserve
 Causes @code{rcp} to attempt to preserve (duplicate) in its copies the
 modification times and modes of the source files, ignoring the umask.
-By default, the mode and owner of file are preserved if it already
-existed; otherwise the mode of the source file modified by the
address@hidden function on the destination host is used.
+By default, the mode and owner of the target file are preserved
+if the target itself already exists; otherwise the mode of the source
+file is modified by the @code{umask} setting on the destination host.
 
 @item -r
 @itemx --recursive
@@ -1937,12 +1998,18 @@ If any of the source files are directories, 
@command{rcp} copies each
 subtree rooted at that name; in this case the destination must be a
 directory.
 
address@hidden -t
address@hidden --to
address@hidden -t
address@hidden --to
+(Server mode only.) Copying to remote host.
+
 @item -x
 @itemx --encrypt
 @opindex -x
 @opindex --encrypt
-Turns on DES encryption for all data passed via the rcp session.  This
-may impact response time and CPU utilization, but provides increased
+Turns on encryption for all data passed via the @command{rcp} session.
+This may impact response time and CPU utilization, but provides increased
 security.
 
 @end table
@@ -3064,7 +3131,8 @@ request is received the following protocol is initiated:
 @enumerate
 @item
 The server checks the client's source port.  If the port is not in the
-range 512--1023, the server aborts the connection.
+range 512--1023, the server aborts the connection.  However, this
+condition is not applied for Kerberized service.
 
 @item
 The server reads characters from the socket up to a NUL (@samp{\0})
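
Review bot: The added sentence "this condition is not applied for Kerberized service" lifts the 512--1023 source-port requirement in the first protocol step without saying what the server relies on in its place. Say in the same item that the exemption holds only when the daemon runs with `-k` / `--kerberos`, and that client identity then comes from Kerberos authentication, so the text cannot be read as relaxing the check for plain connections.
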
@@ -3150,17 +3218,23 @@ Ask hostname for verification.
 @c @opindex --daemon
 @c Daemon mode.
 
address@hidden -k
address@hidden --kerberos
address@hidden -k
address@hidden --kerberos
+Use Kerberos authentication.
+
 @item -l
 @itemx --no-rhosts
 @opindex -l
 @opindex --no-rhosts
 Ignore @file{.rhosts} file.
 
address@hidden -L @var{name}
address@hidden address@hidden
address@hidden -L
address@hidden --log-sessions
 @opindex -L
address@hidden --local-domain
-Set local domain name.
address@hidden --log-sessions
+Log successful logins.
 
 @item -n
 @itemx --no-keepalive
@@ -3168,25 +3242,32 @@ Set local domain name.
 @opindex --no-keepalive
 Do not set SO_KEEPALIVE.
 
address@hidden -k
address@hidden --kerberos
address@hidden -k
address@hidden --kerberos
-Use kerberos IV authentication.
-
address@hidden -x
address@hidden --encrypt
address@hidden -x
address@hidden --encrypt
-Turns on DES encryption for all data passed via the @command{rshd}
-session.  This may impact response time and CPU utilization, but
-provides increased security.
-
address@hidden address@hidden
address@hidden address@hidden
address@hidden -D
address@hidden -debug
-Set debug level, not implemented.
address@hidden -S @var{name}
address@hidden address@hidden
address@hidden -S
address@hidden --servername
+Set Kerberos server name, overriding canonical hostname.
+
address@hidden -v
address@hidden --vacuous
address@hidden -v
address@hidden --vacuous
+Fail any call asking for non-Kerberos authentication.
+
address@hidden OBSOLETE?
address@hidden @item -x
address@hidden @itemx --encrypt
address@hidden @opindex -x
address@hidden @opindex --encrypt
address@hidden Turns on DES encryption for all data passed via the 
@command{rshd}
address@hidden session.  This may impact response time and CPU utilization, but
address@hidden provides increased security.
+
address@hidden @item address@hidden
address@hidden @itemx address@hidden
address@hidden @opindex -D
address@hidden @opindex -debug
address@hidden Set debug level, not implemented.
 
 @c @item -o
 @c @itemx --allow-root
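
Review bot: The rshd `-x` / `--encrypt` entry is retained under an `OBSOLETE?` marker instead of being either documented or deleted, so the manual source leaves open whether the daemon still accepts the option. Settle that against the option table in src/rshd.c before merging, then remove the block or restore it with the updated "Turns on encryption" wording used for the other tools. The `-D` entry ("Set debug level, not implemented") kept alongside it needs the same decision.
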
@@ -3327,6 +3408,18 @@ Ask hostname for verification.
 @opindex --daemon
 Daemon mode.
 
address@hidden address@hidden
address@hidden address@hidden
address@hidden -D
address@hidden -debug
+Set debug level, not implemented.
+
address@hidden -k
address@hidden --kerberos
address@hidden -k
address@hidden --kerberos
+Use Kerberos authentication.
+
 @item -l
 @itemx --no-rhosts
 @opindex -l
@@ -3345,43 +3438,37 @@ Set local domain name.
 @opindex --no-keepalive
 Do not set SO_KEEPALIVE.
 
address@hidden -k
address@hidden --kerberos
address@hidden -k
address@hidden --kerberos
-Use kerberos IV authentication.
-
address@hidden -x
address@hidden --encrypt
address@hidden -x
address@hidden --encrypt
-Turns on DES encryption for all data passed via the rlogind session.
-This may impact response time and CPU utilization, but provides
-increased security.
-
address@hidden address@hidden
address@hidden address@hidden
address@hidden -D
address@hidden -debug
-Set debug level, not implemented.
-
 @item -o
 @itemx --allow-root
 @opindex -o
 @opindex --allow-root
-Allow the root user to login, disabled by default.
+Allow the root user to login. This is disallowed by default.
 
 @item -p @var{port}
 @itemx address@hidden
 @opindex -p
 @opindex --port
-Listen on given port (valid only in daemon mode).
+Listen on given port. (Applicable only in daemon mode.)
 
 @item -r
 @itemx --reverse-required
 @opindex -r
 @opindex --reverse-required
-Require reverse resolving of a remote host IP.
+Require reverse resolving of remote host's numerical IP.
+
address@hidden -S @var{name}
address@hidden address@hidden
address@hidden -S
address@hidden --servername
+Set Kerberos server name, overriding canonical hostname.
+
address@hidden -x
address@hidden --encrypt
address@hidden -x
address@hidden --encrypt
+Turns on encryption for all data passed via the @command{rlogind} session.
+This may impact response time and CPU utilization, but provides
+increased security.
 
 @end table
 
diff --git a/libinetutils/kcmd.c b/libinetutils/kcmd.c
index 1d1858b..5266b15 100644
--- a/libinetutils/kcmd.c
+++ b/libinetutils/kcmd.c
@@ -431,16 +431,16 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned 
short rport, char *locuser,
                    realm)) != SHISHI_OK)
     goto bad2;
 
-  if (locuser && locuser[0])
-    write (s, locuser, strlen (locuser) + 1);
-  else
-    write (s, *remuser, strlen (*remuser) + 1);
+  write (s, *remuser, strlen (*remuser) + 1);
 # endif        /* SHISHI */
 
   write (s, cmd, strlen (cmd) + 1);
 
 # ifdef SHISHI
-  write (s, *remuser, strlen (*remuser) + 1);
+  if (locuser && locuser[0])
+    write (s, locuser, strlen (locuser) + 1);
+  else
+    write (s, *remuser, strlen (*remuser) + 1);
   write (s, &zero, sizeof (int));      /* XXX: not protocol */
 # endif
 
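
Review bot: None of the `write (s, ...)` calls in this exchange checks its return value, so a short or failed write of `*remuser`, `cmd` or the local name would leave the server parsing a misaligned sequence of NUL-terminated fields while the client carries on. Check each result and take the existing `goto bad2` path on failure. A short comment giving the wire order (remote user, command, then local user with fallback to the remote name) would also match the "Requesting user" and "Acting user" comments this commit adds to src/rlogind.c.
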
diff --git a/src/rlogind.c b/src/rlogind.c
index 4af17cd..76e2a27 100644
--- a/src/rlogind.c
+++ b/src/rlogind.c
@@ -964,8 +964,8 @@ do_rlogin (int infd, struct auth_data *ap)
     }
 #endif /* WITH_IRUSEROK_AF || WITH_IRUSEROK */
 
-  getstr (infd, &ap->rusername, NULL);
-  getstr (infd, &ap->lusername, NULL);
+  getstr (infd, &ap->rusername, NULL);         /* Requesting user.  */
+  getstr (infd, &ap->lusername, NULL);         /* Acting user.  */
   getstr (infd, &ap->term, "TERM=");
 
   pwd = getpwnam (ap->lusername);
@@ -1293,9 +1293,9 @@ do_shishi_login (int infd, struct auth_data *ad, const 
char **err_msg)
     }
 #  endif
 
-  getstr (infd, &ad->rusername, NULL);
+  getstr (infd, &ad->lusername, NULL);         /* Acting user.  */
   getstr (infd, &ad->term, "TERM=");
-  getstr (infd, &ad->lusername, NULL);
+  getstr (infd, &ad->rusername, NULL);         /* Requesting user.  */
 
   rc = read (infd, &error, sizeof (int));      /* XXX: not protocol */
   if ((rc != sizeof (int)) || error)
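
Review bot: After this change `do_shishi_login` reads `lusername`, `term`, `rusername`, while `do_rlogin` in the preceding hunk still reads `rusername`, `lusername`, `term`, so the two paths in this file parse different field orders even though the commit message asks for identical protocols. If the Kerberized order is intentionally different, put a comment above these three `getstr` calls that spells out the wire order and points at `kcmd` as the writer; otherwise a later cleanup is likely to "align" the two functions and break the exchange.
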
diff --git a/src/rsh.c b/src/rsh.c
index d2dbe99..e01d662 100644
--- a/src/rsh.c
+++ b/src/rsh.c
@@ -156,7 +156,7 @@ static struct argp_option options[] = {
   { "encrypt", 'x', NULL, 0,
     "encrypt all data transfer" },
 #endif
-#if defined WITH_ORCMD_AF || defined WITH_RCMD_AF
+#if defined WITH_ORCMD_AF || defined WITH_RCMD_AF || defined SHISHI
   { "ipv4", '4', NULL, 0, "use only IPv4" },
   { "ipv6", '6', NULL, 0, "use only IPv6" },
 #endif
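
Review bot: The widened guard `defined WITH_ORCMD_AF || defined WITH_RCMD_AF || defined SHISHI` only covers the option table; the code that acts on '4' and '6' is not part of this hunk. Confirm that the option parser and the address-family selection use the same three-way condition, so a build with only SHISHI defined does not list `--ipv4` and `--ipv6` without honouring them. The manual text added in doc/inetutils.texi lists both options with no build condition, which is worth a sentence there.
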
diff --git a/src/rshd.c b/src/rshd.c
index 30b87f6..3805d9a 100644
--- a/src/rshd.c
+++ b/src/rshd.c
@@ -86,7 +86,7 @@
  */
 
 /*
- * remote shell server exchange protocol (client view!):
+ * remote shell server exchange protocol (server view!):
  *     [port]\0
  *     remuser\0
  *     locuser\0
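
Review bot: The header comment now says "server view" but still lists only `remuser\0` followed by `locuser\0`, which is the order of the non-Kerberos path. According to this commit's ChangeLog entry the [KERBEROS || SHISHI] path reads `remuser` last, so add the Kerberized sequence to this comment and keep both orders documented in one place.
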
@@ -216,7 +216,7 @@ static struct argp_option options[] = {
   { "no-keepalive", 'n', NULL, 0,
     "do not set SO_KEEPALIVE" },
   { "log-sessions", 'L', NULL, 0,
-    "log successfull logins" },
+    "log successful logins" },
 #if defined KERBEROS || defined SHISHI
   /* FIXME: The option semantics does not match that of others r* utilities */
   { "kerberos", 'k', NULL, 0,
@@ -838,10 +838,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
     }
   else
 #endif /* KERBEROS || SHISHI */
-    locuser = getstr ("locuser");
+    remuser = getstr ("remuser");      /* The requesting user!  */
 
   /* Read three strings from the client. */
-  remuser = getstr ("remuser");                /* The acting client!  */
+  locuser = getstr ("locuser");                /* The acting user!  */
   cmdbuf = getstr ("command");
 
 #ifdef SHISHI
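
Review bot: The comment "Read three strings from the client." now sits above only two reads, `locuser` and `command`; the third string, `remuser`, is read above the comment in the `else` branch, and per the ChangeLog it is read last on the Kerberized path. Move the comment above the `else` branch or reword it to name the fields and their order for each build, so the comment does not contradict the code it describes.
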
@@ -916,7 +916,7 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
          }
 # endif /* ENCRYPTION */
 
-    locuser = getstr ("locuser");      /* The agent here!  */
+    remuser = getstr ("remuser");      /* The requesting user!  */
 
     rc = read (STDIN_FILENO, &error, sizeof (int)); /* XXX: not protocol */
     if ((rc != sizeof (int)) || error)
@@ -1608,10 +1608,12 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t 
fromlen)
       else
 #endif /* KERBEROS */
        syslog (LOG_INFO | LOG_AUTH,
+               "address@hidden as %s: cmd='%.80s'",
 #ifdef SHISHI
-               "Kerberized "
+               use_kerberos ? "Kerberized " : "",
+#else
+               "",
 #endif
-               "address@hidden as %s: cmd='%.80s'",
                remuser, hostname, locuser, cmdbuf);
     }
 #ifdef SHISHI
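
Review bot: Supplying the "Kerberized " prefix as an argument inside an `#ifdef SHISHI` / `#else` split in the middle of the `syslog` call makes it hard to check by eye that the format string and the argument list agree in every build. Assign the prefix to a `const char *` before the call and pass that variable; this keeps one argument list for all configurations and removes the `""` placeholder in the `#else` branch.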

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog           |   21 ++++
 doc/inetutils.texi  |  279 +++++++++++++++++++++++++++++++++------------------
 libinetutils/kcmd.c |   10 +-
 src/rlogind.c       |    8 +-
 src/rsh.c           |    2 +-
 src/rshd.c          |   16 ++--
 6 files changed, 223 insertions(+), 113 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


