From: Peter Avalos Date: Sun, 4 Jan 2009 01:30:08 +0000 (-0500) Subject: Sync rsh(1) with FreeBSD. X-Git-Tag: v2.3.0~116 X-Git-Url: http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/d7f0d5a644286a5ac10ed367c1d890cda5e1f3f2 Sync rsh(1) with FreeBSD. -Take out all the kerberos stuff and offload that to PAM. -Use instead of a local pathnames.h. --- diff --git a/etc/pam.d/Makefile b/etc/pam.d/Makefile index 6ddd65b..9e638b0 100644 --- a/etc/pam.d/Makefile +++ b/etc/pam.d/Makefile @@ -11,6 +11,7 @@ FILES= README \ other \ passwd \ pop3 \ + rsh \ sshd \ su \ system \ diff --git a/etc/pam.d/rsh b/etc/pam.d/rsh new file mode 100644 index 0000000..74c513b --- /dev/null +++ b/etc/pam.d/rsh @@ -0,0 +1,18 @@ +# +# $FreeBSD: src/etc/pam.d/rsh,v 1.6 2007/06/10 18:57:20 yar Exp $ +# +# PAM configuration for the "rsh" service +# + +# auth +auth required pam_rhosts.so no_warn + +# account +account required pam_nologin.so +account required pam_unix.so + +# session +session required pam_permit.so + +# password +password required pam_deny.so diff --git a/usr.bin/rsh/Makefile b/usr.bin/rsh/Makefile index 27155ff..592315c 100644 --- a/usr.bin/rsh/Makefile +++ b/usr.bin/rsh/Makefile @@ -1,10 +1,11 @@ # @(#)Makefile 8.1 (Berkeley) 7/19/93 -# $FreeBSD: src/usr.bin/rsh/Makefile,v 1.17.2.1 2002/07/17 19:08:22 ru Exp $ +# $FreeBSD: src/usr.bin/rsh/Makefile,v 1.24 2005/01/27 14:52:45 delphij Exp $ # $DragonFly: src/usr.bin/rsh/Makefile,v 1.6 2007/08/27 16:50:58 pavalos Exp $ PROG= rsh CFLAGS+=-I${.CURDIR}/../../libexec/rlogind +BINOWN= root BINMODE=4555 .if !defined(NOFSCHG) INSTALLFLAGS=-fschg diff --git a/usr.bin/rsh/pathnames.h b/usr.bin/rsh/pathnames.h deleted file mode 100644 index 16753c8..0000000 --- a/usr.bin/rsh/pathnames.h +++ /dev/null 
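Review bot: The new etc/pam.d/rsh file does not document its trust model: its only auth line is `auth required pam_rhosts.so no_warn`, so the "rsh" service authenticates purely on rhosts-style host trust, and `no_warn` suppresses the module's messages to the user. A short comment above the auth line would help administrators auditing the policy, for example `# Host-based (hosts.equiv/.rhosts) trust only; no password or cryptographic check backs this service.` Which program opens the "rsh" PAM service is not visible in this commit, so the comment should name the consumer once that is confirmed.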
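Review bot: `BINOWN= root` next to the existing `BINMODE=4555` in usr.bin/rsh/Makefile makes rsh install set-user-ID root, and nothing in the Makefile says why. I would add a comment such as `# setuid root: rcmd(3) needs a reserved source port` beside it, so the privilege is neither widened nor dropped by accident later. Whether rsh.c gives the privilege up right after the connection is made cannot be seen in the hunks of this commit and is worth confirming in the same review.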
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)pathnames.h 8.1 (Berkeley) 6/6/93
- */
-
-#define _PATH_RLOGIN "/usr/bin/rlogin"
diff --git a/usr.bin/rsh/rsh.1 b/usr.bin/rsh/rsh.1 index 35d3856..3aa80ec8 100644 --- a/usr.bin/rsh/rsh.1 +++ b/usr.bin/rsh/rsh.1 @@ -30,10 +30,10 @@ .\" SUCH DAMAGE. .\" .\" @(#)rsh.1 8.1 (Berkeley) 6/6/93 -.\" $FreeBSD: src/usr.bin/rsh/rsh.1,v 1.11.2.5 2002/06/21 15:28:58 charnier Exp $ +.\" $FreeBSD: src/usr.bin/rsh/rsh.1,v 1.21 2005/07/14 20:29:07 brueffer Exp $ .\" $DragonFly: src/usr.bin/rsh/rsh.1,v 1.2 2003/06/17 04:29:31 dillon Exp $ .\" -.Dd June 6, 1993 +.Dd October 16, 2002 .Dt RSH 1 .Os .Sh NAME @@ -41,10 +41,9 @@ .Nd remote shell .Sh SYNOPSIS .Nm -.Op Fl 46Kdnx -.Op Fl t Ar timeout -.Op Fl k Ar realm +.Op Fl 46dn .Op Fl l Ar username +.Op Fl t Ar timeout .Ar host .Op command .Sh DESCRIPTION @@ -70,27 +69,18 @@ The options are as follows: Use IPv4 addresses only. .It Fl 6 Use IPv6 addresses only. -.It Fl K -Turn off all Kerberos authentication. .It Fl d Turn on socket debugging (using .Xr setsockopt 2 ) on the .Tn TCP sockets used for communication with the remote host. -.It Fl k Ar realm -Cause -.Nm -to obtain tickets for the remote host in -.Ar realm -instead of the remote host's realm as determined by -.Xr krb_realmofhost 3 . .It Fl l Ar username Allow the remote .Ar username to be specified. By default, the remote username is the same as the local username. -Kerberos authentication is used, and authorization is determined +Authorization is determined as in .Xr rlogin 1 . .It Fl n @@ -99,15 +89,11 @@ Redirect input from the special device (see the .Sx BUGS section of this manual page). -.It Fl x -Turn on -.Tn DES -encryption for all data exchange. -This may introduce a significant delay in response time. .It Fl t Ar timeout Allow a .Ar timeout -to be specified (in seconds). If no +to be specified (in seconds). +If no data is sent or received in this time, .Nm will exit. @@ -149,9 +135,6 @@ to .Sh SEE ALSO .Xr rlogin 1 , .Xr setsockopt 2 , -.Xr kerberos 3 , -.Xr krb_realmofhost 3 , -.Xr krb_sendauth 3 , .Xr rcmd 3 , .Xr ruserok 3 , .Xr auth.conf 5 , 
@@ -166,7 +149,7 @@ command appeared in .Bx 4.2 . .Sh BUGS If you are using -.Xr csh 1 +.Xr csh 1 and put a .Nm in the background without redirecting its input away from the terminal, @@ -181,7 +164,7 @@ option. .Pp You cannot run an interactive command (like -.Xr rogue 6 +.Xr ee 1 or .Xr vi 1 ) using diff --git a/usr.bin/rsh/rsh.c b/usr.bin/rsh/rsh.c index 7080b0a..388b021 100644 --- a/usr.bin/rsh/rsh.c +++ b/usr.bin/rsh/rsh.c @@ -1,6 +1,13 @@ /*- * Copyright (c) 1983, 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -30,9 +37,8 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * @(#) Copyright (c) 1983, 1990, 1993, 1994 The Regents of the University of California. All rights reserved. * @(#)rsh.c 8.3 (Berkeley) 4/6/94 - * $FreeBSD: src/usr.bin/rsh/rsh.c,v 1.21.2.4 2002/09/17 15:34:41 nectar Exp $ + * $FreeBSD: src/usr.bin/rsh/rsh.c,v 1.35 2005/05/21 09:55:07 ru Exp $ * $DragonFly: src/usr.bin/rsh/rsh.c,v 1.7 2007/05/18 17:05:12 dillon Exp $ */ @@ -49,6 +55,7 @@ #include #include #include +#include #include #include #include 
@@ -56,49 +63,31 @@ #include #include -#include "pathnames.h" - -#ifdef KERBEROS -#include -#include -#include "krb.h" - -CREDENTIALS cred; -Key_schedule schedule; -int use_kerberos = 1, doencrypt; -char dst_realm_buf[REALM_SZ], *dest_realm; -extern char *krb_realmofhost(); -#endif - /* * rsh - remote shell */ int rfd2; int family = PF_UNSPEC; +char rlogin[] = "rlogin"; void connect_timeout(int); -char *copyargs(char **); +char *copyargs(char * const *); void sendsig(int); void talk(int, long, pid_t, int, int); void usage(void); -static char rlogin[] = "rlogin"; - int main(int argc, char **argv) { - struct passwd *pw; - struct servent *sp; + struct passwd const *pw; + struct servent const *sp; long omask; int argoff, asrsh, ch, dflag, nflag, one, rem; pid_t pid = 0; uid_t uid; char *args, *host, *p, *user; int timeout = 0; -#ifdef KERBEROS - char *k; -#endif argoff = asrsh = dflag = nflag = 0; one = 1; @@ -120,15 +109,7 @@ main(int argc, char **argv) argoff = 1; } -#ifdef KERBEROS -#ifdef CRYPT -#define OPTIONS "468KLde:k:l:nt:wx" -#else -#define OPTIONS "468KLde:k:l:nt:w" -#endif -#else -#define OPTIONS "468KLde:l:nt:w" -#endif +#define OPTIONS "468Lde:l:nt:w" while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != -1) switch(ch) { case '4': @@ -139,11 +120,6 @@ main(int argc, char **argv) family = PF_INET6; break; - case 'K': -#ifdef KERBEROS - use_kerberos = 0; -#endif - break; case 'L': /* -8Lew are ignored to allow rlogin aliases */ case 'e': case 'w': @@ -155,22 +131,9 @@ main(int argc, char **argv) case 'l': user = optarg; break; -#ifdef KERBEROS - case 'k': - dest_realm = dst_realm_buf; - strncpy(dest_realm, optarg, REALM_SZ); - break; -#endif case 'n': nflag = 1; break; -#ifdef KERBEROS -#ifdef CRYPT - case 'x': - doencrypt = 1; - break; -#endif -#endif case 't': timeout = atoi(optarg); break; 
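Review bot: The `-t` handler kept as context at the end of the option-switch hunk, `timeout = atoi(optarg);`, accepts any string. atoi() reports no errors, so a non-numeric argument silently becomes 0 (no timeout at all), and a negative value is non-zero and is therefore handed to `alarm(timeout)` in the connect path shown in a later hunk. Since the sync already edits this switch, I would parse with strtol() and reject empty, trailing-garbage, negative or out-of-range input via errx(). INT_MAX needs `<limits.h>` if the file does not already pull it in, and both the switch and main() continue outside the hunk.

```c
		case 't': {
			char *end;
			long secs;

			errno = 0;
			secs = strtol(optarg, &end, 10);
			if (end == optarg || *end != '\0' || errno == ERANGE ||
			    secs < 0 || secs > INT_MAX)
				errx(1, "invalid timeout: %s", optarg);
			timeout = (int)secs;
			break;
		}
		/* … unchanged: remaining cases of the option switch … */
```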
@@ -200,80 +163,14 @@ main(int argc, char **argv) if (!user) user = pw->pw_name; -#ifdef KERBEROS -#ifdef CRYPT - /* -x turns off -n */ - if (doencrypt) - nflag = 0; -#endif -#endif - args = copyargs(argv); sp = NULL; -#ifdef KERBEROS - k = auth_getval("auth_list"); - if (k && !strstr(k, "kerberos")) - use_kerberos = 0; - if (use_kerberos) { - sp = getservbyname((doencrypt ? "ekshell" : "kshell"), "tcp"); - if (sp == NULL) { - use_kerberos = 0; - warnx( - "warning, using standard rsh: can't get entry for %s/tcp service", - doencrypt ? "ekshell" : "kshell"); - } - } -#endif if (sp == NULL) sp = getservbyname("shell", "tcp"); if (sp == NULL) errx(1, "shell/tcp: unknown service"); -#ifdef KERBEROS -try_connect: - if (use_kerberos) { - struct hostent *hp; - - /* fully qualify hostname (needed for krb_realmofhost) */ - hp = gethostbyname(host); - if (hp != NULL && !(host = strdup(hp->h_name))) - err(1, NULL); - - rem = KSUCCESS; - errno = 0; - if (dest_realm == NULL) - dest_realm = krb_realmofhost(host); - -#ifdef CRYPT - if (doencrypt) { - rem = krcmd_mutual(&host, sp->s_port, user, args, - &rfd2, dest_realm, &cred, schedule); - des_set_key(&cred.session, schedule); - } else -#endif - rem = krcmd(&host, sp->s_port, user, args, &rfd2, - dest_realm); - if (rem < 0) { - use_kerberos = 0; - sp = getservbyname("shell", "tcp"); - if (sp == NULL) - errx(1, "shell/tcp: unknown service"); - if (errno == ECONNREFUSED) - warnx( - "warning, using standard rsh: remote host doesn't support Kerberos"); - if (errno == ENOENT) - warnx( - "warning, using standard rsh: can't provide Kerberos auth data"); - goto try_connect; - } - } else { - if (doencrypt) - errx(1, "the -x flag requires Kerberos authentication"); - rem = rcmd_af(&host, sp->s_port, pw->pw_name, user, args, - &rfd2, family); - } -#else if (timeout) { signal(SIGALRM, connect_timeout); alarm(timeout); @@ -284,7 +181,6 @@ try_connect: signal(SIGALRM, SIG_DFL); alarm(0); } -#endif if (rem < 0) exit(1); 
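Review bot: With the Kerberos block removed, `sp = NULL;` is now followed directly by `if (sp == NULL) sp = getservbyname("shell", "tcp");`, so that first test is always true and reads as leftover scaffolding. I would collapse the pair to `sp = getservbyname("shell", "tcp");` and keep the following `if (sp == NULL) errx(1, "shell/tcp: unknown service");` unchanged. main() starts and ends outside this hunk.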
@@ -314,18 +210,11 @@ try_connect: if (pid < 0) err(1, "fork"); } - else + else shutdown(rem, SHUT_WR); -#ifdef KERBEROS -#ifdef CRYPT - if (!doencrypt) -#endif -#endif - { - ioctl(rfd2, FIONBIO, &one); - ioctl(rem, FIONBIO, &one); - } + ioctl(rfd2, FIONBIO, &one); + ioctl(rem, FIONBIO, &one); talk(nflag, omask, pid, rem, timeout); @@ -339,7 +228,8 @@ talk(int nflag, long omask, pid_t pid, int rem, int timeout) { int cc, wc; fd_set readfrom, ready, rembits; - char *bp, buf[BUFSIZ]; + char buf[BUFSIZ]; + const char *bp; struct timeval tvtimeout; int nfds, srval; @@ -364,14 +254,7 @@ rewrite: } if (!FD_ISSET(rem, &rembits)) goto rewrite; -#ifdef KERBEROS -#ifdef CRYPT - if (doencrypt) - wc = des_enc_write(rem, bp, cc, schedule, &cred.session); - else -#endif -#endif - wc = write(rem, bp, cc); + wc = write(rem, bp, cc); if (wc < 0) { if (errno == EWOULDBLOCK) goto rewrite; @@ -414,14 +297,7 @@ done: errx(1, "timeout reached (%d seconds)", timeout); if (FD_ISSET(rfd2, &ready)) { errno = 0; -#ifdef KERBEROS -#ifdef CRYPT - if (doencrypt) - cc = des_enc_read(rfd2, buf, sizeof(buf), schedule, &cred.session); - else -#endif -#endif - cc = read(rfd2, buf, sizeof(buf)); + cc = read(rfd2, buf, sizeof(buf)); if (cc <= 0) { if (errno != EWOULDBLOCK) FD_CLR(rfd2, &readfrom); @@ -430,14 +306,7 @@ done: } if (FD_ISSET(rem, &ready)) { errno = 0; -#ifdef KERBEROS -#ifdef CRYPT - if (doencrypt) - cc = des_enc_read(rem, buf, sizeof(buf), schedule, &cred.session); - else -#endif -#endif - cc = read(rem, buf, sizeof(buf)); + cc = read(rem, buf, sizeof(buf)); if (cc <= 0) { if (errno != EWOULDBLOCK) FD_CLR(rem, &readfrom); @@ -448,7 +317,7 @@ done: } void -connect_timeout(__unused int sig) +connect_timeout(int sig __unused) { char message[] = "timeout reached before connection completed.\n"; 
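Review bot: The two `ioctl(..., FIONBIO, &one)` calls that the first hunk on this line makes unconditional discard their return values, while talk() relies on both descriptors being non-blocking (it retries on `errno == EWOULDBLOCK`). If either call fails, a write in the copy loop could block and stall the other direction, so I would check them, for example `if (ioctl(rfd2, FIONBIO, &one) < 0 || ioctl(rem, FIONBIO, &one) < 0) err(1, "ioctl(FIONBIO)");`. main() continues outside the hunk.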
@@ -462,21 +331,15 @@ sendsig(int sig) char signo; signo = sig; -#ifdef KERBEROS -#ifdef CRYPT - if (doencrypt) - des_enc_write(rfd2, &signo, 1, schedule, &cred.session); - else -#endif -#endif - write(rfd2, &signo, 1); + write(rfd2, &signo, 1); } char * -copyargs(char **argv) +copyargs(char * const *argv) { int cc; - char **ap, *args, *p; + char *args, *p; + char * const *ap; cc = 0; for (ap = argv; *ap; ++ap) @@ -497,16 +360,6 @@ usage(void) { fprintf(stderr, - "usage: rsh [-46] [-ndK%s]%s[-l login] [-t timeout] host [command]\n", -#ifdef KERBEROS -#ifdef CRYPT - "x", " [-k realm] "); -#else - "", " [-k realm] "); -#endif -#else - "", " "); -#endif + "usage: rsh [-46dn] [-l username] [-t timeout] host [command]\n"); exit(1); } -
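Review bot: sendsig() now calls `write(rfd2, &signo, 1);` unconditionally, and it neither preserves errno nor looks at the result; from its `(int sig)` signature it appears to be installed as a signal handler, though the signal() call is not in this commit's hunks. talk() branches on `errno == EWOULDBLOCK` right after its own read()/write() calls, so a handler that runs in between and overwrites errno can change which branch is taken; wrapping the write as `int saved = errno; ... errno = saved;` avoids that. Because rfd2 is switched to non-blocking in main(), a forwarded signal can also be lost silently when the write would block, which deserves at least a comment such as `/* best effort: signal byte is dropped if rfd2 would block */`. The function's opening lines sit outside the hunk.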