summaryrefslogtreecommitdiffstats
path: root/main/heimdal/heimdal-remove-broken-auth.patch
blob: 1affcba2c24d24f151ec7a9cef0b3554329df437 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
--- appl/rsh/rsh.c.orig
+++ appl/rsh/rsh.c
@@ -399,6 +399,8 @@
 
 #endif /* KRB5 */
 
+#ifdef BROKEN_AUTH
+
 static int
 send_broken_auth(int s,
 		 struct sockaddr *thisaddr,
@@ -428,6 +430,8 @@
     return 0;
 }
 
+#endif /* BROKEN_AUTH */
+
 static int
 proto (int s, int errsock,
        const char *hostname, const char *local_user, const char *remote_user,
@@ -629,6 +633,8 @@
     return res;
 }
 
+#ifdef BROKEN_AUTH
+
 static int
 doit_broken (int argc,
 	     char **argv,
@@ -702,6 +708,8 @@
     }
 }
 
+#endif
+
 #if defined(KRB5)
 static int
 doit (const char *hostname,
@@ -796,7 +804,9 @@
     { "protocol", 'P', arg_string,      &protocol_version_str,
       "Protocol version [krb5]", "protocol" },
 #endif
+#ifdef BROKEN_AUTH
     { "broken", 'K', arg_flag,		&use_only_broken, "Use only priv port" },
+#endif
 #if defined(KRB5)
     { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection" },
     { NULL, 	'z', arg_negative_flag,      &do_encrypt,
@@ -831,8 +841,10 @@
 int
 main(int argc, char **argv)
 {
+#ifdef BROKEN_AUTH
     int priv_port1, priv_port2;
     int priv_socket1, priv_socket2;
+#endif
     int argindex = 0;
     int error;
     struct addrinfo hints, *ai;
@@ -848,9 +860,11 @@
 #endif
     uid_t uid;
 
+#ifdef BROKEN_AUTH
     priv_port1 = priv_port2 = IPPORT_RESERVED-1;
     priv_socket1 = rresvport(&priv_port1);
     priv_socket2 = rresvport(&priv_port2);
+#endif
     uid = getuid ();
     if (setuid (uid) || (uid != 0 && setuid(0) == 0))
 	err (1, "setuid");
@@ -907,6 +921,7 @@
 
 #endif
 
+#ifdef BROKEN_AUTH
     if (use_only_broken) {
 #ifdef KRB5
 	use_v5 = 0;
@@ -918,6 +933,7 @@
 	    errx (1, "unable to bind reserved port: is rsh setuid root?");
 	use_broken = 0;
     }
+#endif
 
 #if defined(KRB5)
     if (do_encrypt == 1 && use_only_broken)
@@ -956,8 +972,10 @@
     }
 
     if (argindex == argc) {
+#ifdef BROKEN_AUTH
 	close (priv_socket1);
 	close (priv_socket2);
+#endif
 	argv[0] = "rlogin";
 	execvp ("rlogin", argv);
 	err (1, "execvp rlogin");
@@ -1004,6 +1022,7 @@
 	freeaddrinfo(ai);
     }
 #endif
+#ifdef BROKEN_AUTH
     if (ret && use_broken) {
 	memset (&hints, 0, sizeof(hints));
 	hints.ai_socktype = SOCK_STREAM;
@@ -1027,6 +1046,7 @@
 			   cmd, cmd_len);
 	freeaddrinfo(ai);
     }
+#endif
     free(cmd);
     return ret;
 }
--- appl/rsh/rshd.c.orig
+++ appl/rsh/rshd.c
@@ -131,6 +131,7 @@
     fatal(s, NULL, "%s too long", expl);
 }
 
+#ifdef BROKEN_AUTH
 static int
 recv_bsd_auth (int s, u_char *buf,
 	       struct sockaddr_in *thisaddr,
@@ -152,6 +153,7 @@
 	fatal(s, NULL, "Login incorrect.");
     return 0;
 }
+#endif
 
 #ifdef KRB5
 static int
@@ -658,10 +660,11 @@
 	/*
 	 * we only do reserved port for IPv4
 	 */
-
+#ifdef BROKEN_AUTH
 	if (erraddr->sa_family == AF_INET)
 	    errsock = rresvport (&priv_port);
 	else
+#endif
 	    errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
 	if (errsock < 0)
 	    syslog_and_die ("socket: %s", strerror(errno));
@@ -689,6 +692,7 @@
 		syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
 				buf[0], buf[1], buf[2], buf[3]);
     } else {
+#ifdef BROKEN_AUTH
 	if(recv_bsd_auth (s, buf,
 			  (struct sockaddr_in *)thisaddr,
 			  (struct sockaddr_in *)thataddr,
@@ -702,6 +706,9 @@
 	    }
 	} else
 	    syslog_and_die("recv_bsd_auth failed");
+#else
+	syslog_and_die("recv_bsd_auth is disabled for security reasons");
+#endif
     }
 
     if (client_user == NULL || server_user == NULL || cmd == NULL)