From pajs@carrick.bishnet.net Wed Feb 6 03:00:56 2008
From: Peter Saunders
To: users@conserver.com
Subject: Odd ctrl-s problem.
Date: Wed, 6 Feb 2008 11:00:41 +0000
Message-ID: <20080206110041.GO55234@carrick.bishnet.net>

Recently, we restarted conserver (killed the parent, waited for the children to exit) and then started conserver again.

Somewhere between shutting conserver down and starting it up again, a significant number of our machines had "ctrl s" sent to the console, blocking all future /dev/console output. This in turn caused some apps that were writing log messages to the console to block and stop working.

The only common thing we have noticed so far is that the only machines that seem to have suffered are the ones we make an ssh connection with. (We use exec "ssh -c 3des user:port@hostname", followed by an initcmd which echoes the password to the console.)

Has anyone seen this issue before? Obviously, I have no idea if it was conserver, ssh, or the terminal server that caused this, but it happened at the time conserver was restarted.

As for possible workarounds, does anyone see an issue with sending a ^s within the "idlestring"?

Many Thanks
Pete

From woods@weird.com Wed Feb 6 08:02:16 2008
In-Reply-To: <20080206110041.GO55234@carrick.bishnet.net>
Message-Id: <4CB44D4A-2673-4363-8F81-2439A8E304BF@weird.com>
From: "Greg A. Woods"
Subject: Re: Odd ctrl-s problem.
Date: Wed, 6 Feb 2008 11:02:12 -0500
To: Peter Saunders
Cc: Conserver Users

On 6-Feb-08, at 6:00 AM, Peter Saunders wrote:

> Recently, we restarted conserver, (Killed the parent, waited for the
> children to exit) - and then started conserver again.
>
> Somewhere between shutting conserver down, or starting it up again, a
> significant number of our machines had "ctrl s" sent to the console,
> blocking all future /dev/console output. This in turn then caused some
> apps that were writing log messages to the console to then block, and
> to stop working.
>
> The only common thing we have noticed so far is that the only machines
> that seem to have suffered, are the ones we make an ssh connection
> with.
> (We use exec "ssh -c 3des user:port@hostname", followed by an initcmd
> which echoes the password to the console).
>
> Has anyone seen this issue before? Obviously, I have no idea if it
> was conserver, ssh, or the terminal server that caused this - but it
> happened at the time conserver was restarted.

The XOFF issue is an oldie for sure. Back when I had Decwriter-III's on serial consoles I had the habit of always hitting every morning just in case they had been overflowed and stopped overnight.

The worst is when the kernel obeys XON/XOFF and then it gets hung up entirely, stopping the whole system. This was the case on SunOS, at least up to 5.9.

It's 99.999% certain that it was the terminal server that caused it, since it may have been configured to try to pause the output from the attached device once its input buffer filled, and if its flow control method is set to XON/XOFF then it would use ^s to pause the output just as you've observed.

On those old Xyplex MaxServers (which is what I'm running at home now), and perhaps on the DECservers too since they seem to run code derived from the same origin, there are several ways of dealing with device output when there's no connection open to send it down. One is to increase the typeahead size to a ridiculous amount (assuming you have enough RAM installed in the maxserver). That's what I've done:

Xyplex>> show port 2 alt ch

Port 2: (Remote)                    07 Feb 2008 11:47:54

Resolve Service:           Telnet
DTR wait:                  Disabled
Idle Timeout:              0
Typeahead Size:            2048
SLIP Address:              0.0.0.0
SLIP Mask:                 255.255.255.255
Remote SLIP Addr:          0.0.0.0
Default Session Mode:      Interactive
TCP Window Size:           256
Prompt:                    Xyplex
DCD Timeout:               2000
Dialback Timeout:          20
Stop Bits:                 1
Script Login:              Disabled
TCP Keepalive Timer:       0
Username Filtering:        None
Nested Menu:               Disabled
Nested Menu Top Level:     0
Command Size:              80
Clear Security Entries:    Disabled
Rlogin Transparent Mode:   Disabled
Login Duration:            0
Xon Send Timer:            0
TCP Outbound Address:      0.0.0.0
Slip Autosend:             Disabled
Radius Accounting:         Disabled
Username Prompt:           Enter username>
Password Prompt:           Enter user password>

> As for possible workarounds, does anyone see an issue with sending
> a ^s
> within the "idlestring" ?

That's a better idea than anything else I had thought of so far! :-)

(All I had thought of was sending a ^s with "chat" through initcmd, but of course that only fixes the problem on startup, not if it occurs regularly during normal use.)

-- 
Greg A. Woods
From brodie@mcw.edu Wed Feb 6 08:31:48 2008
From: "Brodie, Kent"
To: "Conserver Users", "Peter Saunders"
Subject: RE: Odd ctrl-s problem.
Date: Wed, 6 Feb 2008 10:31:15 -0600
Message-ID: <8F78639AC56F4143B267FE5F5A1B92C80163762B@guyton.phys.mcw.edu>
In-Reply-To: <4CB44D4A-2673-4363-8F81-2439A8E304BF@weird.com>

Well, it's been a long while since I've had to mess with older terminal servers, but I seem to recall that some flavors of decservers for example allowed you to control the pass-through of various control characters to the port. Specifically, you could control whether things like BREAK, control-x, control-s, etc. got passed through or trapped. I think. Might be worth looking into?

---------------------------------------------------------
Kent C. Brodie - brodie@mcw.edu
Department of Physiology
Medical College of Wisconsin
(414) 456-8590

From woods@weird.com Wed Feb 6 09:42:28 2008
In-Reply-To: <8F78639AC56F4143B267FE5F5A1B92C80163762B@guyton.phys.mcw.edu>
Message-Id: <292AB13C-0657-4470-88A9-4D2714BF0E94@weird.com>
From: "Greg A. Woods"
Subject: Re: Odd ctrl-s problem.
Date: Wed, 6 Feb 2008 12:42:25 -0500
To: "Brodie, Kent"
Cc: Conserver Users

On 6-Feb-08, at 11:31 AM, Brodie, Kent wrote:

> Well, it's been a long while since I've had to mess with older
> terminal servers, but I seem to recall that some flavors of decservers
> for example allowed you to control the pass-through of various control
> characters to the port. Specifically, you could control whether things
> like BREAK, control-x, control-s, etc got passed through or trapped.

The problem here is definitely not with pass-through of control characters.

It's more to do with the terminal server generating control characters in its own attempt to control the data flowing from the attached device.

Disabling flow control on the port could probably prevent the problem from happening, however then flow control during normal use would be impossible (pass-through of flow control characters would not have the desired effect -- they don't get passed through SSH and TELNET connections in the way you would want them to be transmitted since buffering in the various network layers would defeat any attempt to use a raw connection).

Proper flow control for interactive use requires that the terminal server perform flow control directly itself (and that the various network layers use whatever mechanisms they have to do flow control properly, right down to the connection to the attached device).

E.g. you want output to stop almost immediately when you hit ^S but you don't want anything to be lost. That means the final output device in front of the user (e.g. xterm) interprets the ^S from the user and immediately stops generating output, while at the same time pushing the flow control request back through the various layers (CONSERVER -> SSH -> TELNET -> RS232 or whatever) so that eventually a flow control request reaches the device generating the data in the appropriate form and that all buffered data is preserved in all the various layers in anticipation of the user hitting ^Q to see some more (or that it all be flushed if the user hits ^C or whatever). Note that this may sometimes involve translating the flow control request into a hardware signal change on the RS232 line, such as de-asserting CTS.

Note that flow control may have to work properly through all the layers for more than just interactive uses too. If you don't want data from your attached devices to be lost by conserver in its logs, for example, then you need fully working flow control back through all the layers to the attached devices. If you don't have fully working flow control through all layers then something like a minor network glitch may cause a buffer to fill and all data between that time and the draining of the buffer to be lost forever.

-- 
Greg A. Woods

From pajs@carrick.bishnet.net Thu Feb 7 02:43:08 2008
Date: Thu, 7 Feb 2008 10:42:44 +0000
From: Peter Saunders
To: Conserver Users
Subject: Re: Odd ctrl-s problem.
Message-ID: <20080207104244.GR55234@carrick.bishnet.net>
In-Reply-To: <292AB13C-0657-4470-88A9-4D2714BF0E94@weird.com>

Many thanks for your replies. I still haven't got to the bottom of what actually caused it, but it seems odd if it was the terminal server. It's a reasonably recent event that conserver went live on these machines, and in the past the terminal servers didn't have a connection to them from the network, so all the serial traffic was silently thrown away. This is what I was expecting to happen during the conserver restart window. (People used to ssh to the terminal server only when they needed the console.)

However, I think I'll change the idlestring to contain ^q, so in the event of a restart causing it again, at least after 5 minutes of inactivity conserver would send a ctrl-q to it again. (Assuming I can get it to do this?)

Cheers
Pete
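What Pete describes (one stray ^S freezing /dev/console until something sends ^Q) can be reproduced on a pty pair, and the same small script shows the two ways out that the thread discusses: send ^Q, or stop the kernel from honouring ^S at all. This is an added example, not code from the thread or from conserver. It assumes a Linux-style n_tty line discipline on the pty slave (IXON honoured, ONLCR on output, EAGAIN for a non-blocking write to a stopped tty); the pty master stands in for the terminal server/conserver side, the slave for /dev/console, and the two "kernel:" log lines are constructed sample input.

```python
"""Reproduce the stray-XOFF console stall on a pty pair.

Added example, not code from the thread or from conserver.  The pty master
stands in for the terminal server / conserver side, the pty slave for
/dev/console on the affected host.  Assumes a Linux-style n_tty line
discipline: with IXON set the slave honours ^S/^Q, and a non-blocking
writer to a stopped tty gets EAGAIN (a blocking writer hangs instead).
"""
import os
import select
import termios
import time

XOFF = b"\x13"  # ^S, "stop sending": what the terminal server emitted
XON = b"\x11"   # ^Q, "resume": what an idlestring could send periodically


def configure_console(fd, honour_xoff):
    """Set or clear IXON on the 'console' tty (stty ixon / stty -ixon).
    ECHO is turned off so that, with IXON cleared, the raw ^S/^Q bytes
    are not echoed back and do not pollute the captured output."""
    attrs = termios.tcgetattr(fd)
    if honour_xoff:
        attrs[0] |= termios.IXON
    else:
        attrs[0] &= ~termios.IXON
    attrs[3] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


def console_write(fd, data):
    """Non-blocking write to the 'console'.  True if the bytes were
    accepted, False if the kernel refused them (EAGAIN) because the tty
    is stopped by XOFF; a blocking logger would hang at this point."""
    try:
        os.write(fd, data)
        return True
    except BlockingIOError:
        return False


def drain(master, timeout=0.5):
    """Collect whatever output the terminal-server side can see."""
    out = b""
    while True:
        ready, _, _ = select.select([master], [], [], timeout)
        if not ready:
            return out
        out += os.read(master, 4096)
        timeout = 0.05  # keep reading briefly in case more is queued


def stall_demo(honour_xoff=True, settle=0.3):
    """Inject ^S into the console, try to log, then inject ^Q.

    Returns (first_write_accepted, bytes_seen_by_terminal_server).
    `settle` gives the line discipline, which processes master->slave
    input asynchronously, time to act on each control character.
    """
    master, slave = os.openpty()
    try:
        os.set_blocking(slave, False)
        configure_console(slave, honour_xoff)

        os.write(master, XOFF)          # stray ^S from the terminal server
        time.sleep(settle)
        accepted = console_write(slave, b"kernel: log line 1\n")

        os.write(master, XON)           # the ^Q remedy (e.g. via idlestring)
        time.sleep(settle)
        console_write(slave, b"kernel: log line 2\n")

        return accepted, drain(master)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    for honour in (True, False):
        accepted, seen = stall_demo(honour)
        print("IXON %s: first write accepted=%s, output=%r"
              % ("on " if honour else "off", accepted, seen))
```

stall_demo(True) returns (False, b'kernel: log line 2\r\n'): while the tty is stopped the logger's write is refused, and only what is written after the ^Q reaches the terminal-server side. stall_demo(False), the equivalent of `stty -ixon < /dev/console`, returns (True, ...) with both lines delivered, since the kernel then treats ^S as ordinary input. The apps in Pete's case were blocking writers, so instead of EAGAIN they hung, which is the behaviour Greg describes for kernels that obey XON/XOFF; on a live host `stty -a < /dev/console` shows whether ixon is set.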
From nstraz@redhat.com Thu Feb 7 11:36:20 2008
Date: Thu, 7 Feb 2008 14:36:05 -0500
To: Conserver Users
Subject: [PATCH] GSS-API Authentication support
Message-ID: <20080207193602.GB27752@redhat.com>
From: nstraz@redhat.com (Nathan Straz)

Here is a patch that I'm working on. It's not complete, but it works.

What works:
- authentication against "host" principals.
- built w/o openssl

What hasn't been tested:
- built w/ openssl

Still to do:
- Switch to using "console" principals.
- I'm using a sleep in conserver to wait for the token from console. I think I should add a new I/O mode and switch to that.
- the user logged in turns to "user@REALM@peername" which may have some side effects.

Give it a shot in a test environment and let me know if you run into any problems.

Nate Straz

Attachment: conserver-gssapi.patch

diff --git a/config.h.in b/config.h.in index 1c3095c..a698b6b 100644 --- a/config.h.in +++ b/config.h.in @@ -75,6 +75,9 @@ /* Define to 1 if you have the `grantpt' function. */ #undef HAVE_GRANTPT +/* have gss-api support */ +#undef HAVE_GSSAPI + /* Define to 1 if you have the header file. */ #undef HAVE_HPSECURITY_H diff --git a/configure b/configure index 8f58bda..fb2bf67 100755 --- a/configure +++ b/configure @@ -868,6 +868,8 @@ Optional Packages: Compile in libwrap (tcp_wrappers) support --with-openssl[=PATH] Compile in OpenSSL support + --with-gssapi[=PATH] + Compile in GSS-API support --with-dmalloc[=PATH] Compile in dmalloc support --with-pam Enable PAM support 
@@ -6092,6 +6094,242 @@ fi fi; +cons_with_gssapi="NO" + +# Check whether --with-gssapi or --without-gssapi was given. +if test "${with_gssapi+set}" = set; then + withval="$with_gssapi" + if test "$withval" != "no"; then + if test "$withval" != "yes"; then + GSSAPICPPFLAGS="-I$withval/include" + if test "$use_dash_r" != "yes"; then + GSSAPILDFLAGS="-L$withval/lib" + else + GSSAPILDFLAGS="-L$withval/lib -R$withval/lib" + fi + else + GSSAPICPPFLAGS="" + GSSAPILDFLAGS="" + fi + + oCPPFLAGS="$CPPFLAGS" + oLDFLAGS="$LDFLAGS" + oLIBS="$LIBS" + have_gssapi=no + + CPPFLAGS="$CPPFLAGS $GSSAPICPPFLAGS" + LDFLAGS="$LDFLAGS $GSSAPILDFLAGS" + + if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo "$as_me:$LINENO: checking for gssapi/gssapi.h" >&5 +echo $ECHO_N "checking for gssapi/gssapi.h... $ECHO_C" >&6 +if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +echo "$as_me:$LINENO: result: $ac_cv_header_gssapi_gssapi_h" >&5 +echo "${ECHO_T}$ac_cv_header_gssapi_gssapi_h" >&6 +else + # Is the header compilable? +echo "$as_me:$LINENO: checking gssapi/gssapi.h usability" >&5 +echo $ECHO_N "checking gssapi/gssapi.h usability... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_header_compiler=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6 + +# Is the header present? +echo "$as_me:$LINENO: checking gssapi/gssapi.h presence" >&5 +echo $ECHO_N "checking gssapi/gssapi.h presence... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +_ACEOF +if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 + (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null; then + if test -s conftest.err; then + ac_cpp_err=$ac_c_preproc_warn_flag + ac_cpp_err=$ac_cpp_err$ac_c_werror_flag + else + ac_cpp_err= + fi +else + ac_cpp_err=yes +fi +if test -z "$ac_cpp_err"; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi +rm -f conftest.err conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6 + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: present but cannot be compiled" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: check for missing prerequisite headers?" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: in the future, the compiler will take precedence" >&2;} + ( + cat <<\_ASBOX +## ------------------------------------------ ## +## Report this to the AC_PACKAGE_NAME lists. ## +## ------------------------------------------ ## +_ASBOX + ) | + sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +echo "$as_me:$LINENO: checking for gssapi/gssapi.h" >&5 +echo $ECHO_N "checking for gssapi/gssapi.h... 
$ECHO_C" >&6 +if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_cv_header_gssapi_gssapi_h=$ac_header_preproc +fi +echo "$as_me:$LINENO: result: $ac_cv_header_gssapi_gssapi_h" >&5 +echo "${ECHO_T}$ac_cv_header_gssapi_gssapi_h" >&6 + +fi +if test $ac_cv_header_gssapi_gssapi_h = yes; then + LIBS="$LIBS -lgssapi" + echo "$as_me:$LINENO: checking for gssapi library -lgssapi" >&5 +echo $ECHO_N "checking for gssapi library -lgssapi... $ECHO_C" >&6 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +gss_create_empty_oid_set(NULL, NULL) + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cons_with_gssapi="YES" + cat >>confdefs.h <<\_ACEOF +#define HAVE_GSSAPI 1 +_ACEOF + + have_gssapi=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi + + + + if test $have_gssapi = no; then + LIBS="$oLIBS" + CPPFLAGS="$oCPPFLAGS" + LDFLAGS="$oLDFLAGS" + fi + fi + +fi; + + cons_with_dmalloc="NO" # Check whether --with-dmalloc or --without-dmalloc was given. @@ -8844,6 +9082,7 @@ echo "" echo " Unix domain sockets (--with-uds) : $cons_with_uds" echo " TCP wrappers (--with-libwrap): $cons_with_libwrap" echo " OpenSSL (--with-openssl): $cons_with_openssl" +echo " GSS-API (--with-gssapi) : $cons_with_gssapi" echo " dmalloc (--with-dmalloc): $cons_with_dmalloc" echo " PAM support (--with-pam) : $cons_with_pam" echo "" diff --git a/configure.in b/configure.in index 8bd2620..c845c7e 100644 --- a/configure.in +++ b/configure.in @@ -14,6 +14,7 @@ AH_TEMPLATE([USE_LIBWRAP], [use tcp_wrappers libwrap]) dnl AH_TEMPLATE([HAVE_POSIX_REGCOMP], [have POSIX regcomp]) AH_TEMPLATE([HAVE_PAM], [have PAM support]) AH_TEMPLATE([HAVE_OPENSSL], [have openssl support]) +AH_TEMPLATE([HAVE_GSSAPI], [have gss-api support]) AH_TEMPLATE([HAVE_DMALLOC], [have dmalloc support]) AH_TEMPLATE([HAVE_SA_LEN],[Defined if sa_len member exists in struct sockaddr]) AH_TEMPLATE([TRUST_REVERSE_DNS],[Defined if we trust reverse DNS]) 
@@ -499,6 +500,51 @@ AC_ARG_WITH(openssl, fi] ) +cons_with_gssapi="NO" +AC_ARG_WITH(gssapi, + AS_HELP_STRING([--with-gssapi@<:@=PATH@:>@], + [Compile in GSS-API support]), + [if test "$withval" != "no"; then + if test "$withval" != "yes"; then + GSSAPICPPFLAGS="-I$withval/include" + if test "$use_dash_r" != "yes"; then + GSSAPILDFLAGS="-L$withval/lib" + else + GSSAPILDFLAGS="-L$withval/lib -R$withval/lib" + fi + else + GSSAPICPPFLAGS="" + GSSAPILDFLAGS="" + fi + + oCPPFLAGS="$CPPFLAGS" + oLDFLAGS="$LDFLAGS" + oLIBS="$LIBS" + have_gssapi=no + + CPPFLAGS="$CPPFLAGS $GSSAPICPPFLAGS" + LDFLAGS="$LDFLAGS $GSSAPILDFLAGS" + + AC_CHECK_HEADER([gssapi/gssapi.h], + [LIBS="$LIBS -lgssapi" + AC_MSG_CHECKING(for gssapi library -lgssapi) + AC_TRY_LINK([#include + ],[gss_create_empty_oid_set(NULL, NULL)], + [AC_MSG_RESULT(yes) + cons_with_gssapi="YES" + AC_DEFINE(HAVE_GSSAPI) + have_gssapi=yes], + [AC_MSG_RESULT(no)])],) + + if test $have_gssapi = no; then + LIBS="$oLIBS" + CPPFLAGS="$oCPPFLAGS" + LDFLAGS="$oLDFLAGS" + fi + fi] +) + + cons_with_dmalloc="NO" AC_ARG_WITH(dmalloc, AS_HELP_STRING([--with-dmalloc@<:@=PATH@:>@], @@ -657,6 +703,7 @@ echo "" echo " Unix domain sockets (--with-uds) : $cons_with_uds" echo " TCP wrappers (--with-libwrap): $cons_with_libwrap" echo " OpenSSL (--with-openssl): $cons_with_openssl" +echo " GSS-API (--with-gssapi) : $cons_with_gssapi" echo " dmalloc (--with-dmalloc): $cons_with_dmalloc" echo " PAM support (--with-pam) : $cons_with_pam" echo "" diff --git a/conserver/cutil.h b/conserver/cutil.h index a9b579a..f6e1a45 100644 --- a/conserver/cutil.h +++ b/conserver/cutil.h @@ -15,6 +15,9 @@ #include #include #endif +#if HAVE_GSSAPI +#include +#endif /* communication constants */ diff --git a/conserver/group.c b/conserver/group.c index ea6bd76..c0ac61c 100644 --- a/conserver/group.c +++ b/conserver/group.c 
@@ -1869,6 +1869,65 @@ AttemptSSL(pCL) } #endif +#if HAVE_GSSAPI +int +#if PROTOTYPES +AttemptGSSAPI(CONSCLIENT *pCL) +#else +AttemptGSSAPI(pCL) + CONSCLIENT *pCL; +#endif +{ + int nr, ret = 0; + char buf[1024]; + gss_buffer_desc sendtok, recvtok, dbuf; + gss_ctx_id_t gssctx = GSS_C_NO_CONTEXT; + OM_uint32 stmaj, stmin, mctx, dmin; + gss_name_t user = 0; + + sleep(1); /* XXX: probably need an IO mode to remove this */ + if ((nr = FileRead(pCL->fd, buf, sizeof(buf))) < 0) { + return 0; + } + recvtok.value = buf; + recvtok.length = nr; + + stmaj = gss_accept_sec_context(&stmin, &gssctx, gss_mycreds, + &recvtok, NULL, &user, NULL, &sendtok, NULL, NULL, NULL); + switch (stmaj) { + case GSS_S_COMPLETE: + FileSetQuoteIAC(pCL->fd, FLAGFALSE); + FileWrite(pCL->fd, FLAGFALSE, sendtok.value, sendtok.length); + FileSetQuoteIAC(pCL->fd, FLAGTRUE); + pCL->iState = S_NORMAL; + gss_release_buffer(NULL, &sendtok); + BuildString((char *)0, pCL->username); + BuildString((char *)0, pCL->acid); + stmaj = gss_display_name(&stmin, user, &dbuf, NULL); + + BuildStringN(dbuf.value, dbuf.length, pCL->username); + BuildStringN(dbuf.value, dbuf.length, pCL->acid); + BuildStringChar('@', pCL->acid); + BuildString(pCL->peername->string, + pCL->acid); + gss_release_name(&stmin, &user); + gss_release_buffer(NULL, &dbuf); + ret = 1; + break; + case GSS_S_CREDENTIALS_EXPIRED: + /* reacquire creds and try again */ + Error("Credentials expired"); + break; + default: + do { + gss_display_status(&dmin, stmaj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &mctx, &dbuf); + Error("GSSAPI didn't work, %*s", dbuf.length, dbuf.value); + } while (mctx && dbuf.length); + } + return ret; +} +#endif + CONSENT * #if PROTOTYPES HuntForConsole(GRPENT *pGE, char *name) @@ -2945,6 +3004,7 @@ DoClientRead(pGE, pCLServing) static char *pcArgs; static char *pcCmd; + CONDDEBUG((1, "state = %d", pCLServing->iState)); if ('\n' != acIn[i]) { BuildStringChar(acIn[i], pCLServing->accmd); continue; 
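Review bot: in AttemptGSSAPI() the `sleep(1)` before `FileRead(pCL->fd, buf, sizeof(buf))` is a race, not a wait: if the client's token has not fully arrived within a second the read returns a short or empty token and the login fails for no reason the user can see. Drive this off select() with a dedicated ioState instead of sleeping in the group child. Two smaller points in the same function: `mctx` is handed to gss_display_status() uninitialised, and RFC 2744 requires it to be zero before the first call; and `Error("GSSAPI didn't work, %*s", dbuf.length, dbuf.value)` uses `*` (a field width, taking an int) where `%.*s` with `(int)dbuf.length` is meant, so the message is printed up to its NUL rather than to dbuf.length, and `dbuf` is never released inside that loop.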
@@ -2993,6 +3053,9 @@ DoClientRead(pGE, pCLServing) #if HAVE_OPENSSL "ssl start ssl session\r\n", #endif +#if HAVE_GSSAPI + "gssapi log in with gssapi\r\n", +#endif (char *)0 }; static char *apcHelp2[] = { @@ -3033,6 +3096,16 @@ DoClientRead(pGE, pCLServing) return; } #endif +#if HAVE_GSSAPI + } else if (pCLServing->iState == S_IDENT && + strcmp(pcCmd, "gssapi") == 0) { + FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1); + if (!AttemptGSSAPI(pCLServing)) { + DisconnectClient(pGE, pCLServing, (char *)0, + FLAGFALSE); + return; + } +#endif } else if (pCLServing->iState == S_IDENT && strcmp(pcCmd, "login") == 0) { #if HAVE_OPENSSL @@ -3267,6 +3340,7 @@ DoClientRead(pGE, pCLServing) } else { FileWrite(pCLServing->fd, FLAGFALSE, "unknown command\r\n", -1); + CONDDEBUG((1, "command %s state %d", pcCmd, pCLServing->iState)); } BuildString((char *)0, pCLServing->accmd); } else diff --git a/conserver/main.c b/conserver/main.c index 38b66dd..24fbcbe 100644 --- a/conserver/main.c +++ b/conserver/main.c @@ -44,6 +44,9 @@ #if HAVE_OPENSSL # include #endif +#if HAVE_GSSAPI +# include +#endif int fAll = 0, fNoinit = 0, fVersion = 0, fStrip = 0, fReopen = 
@@ -378,6 +381,40 @@ SetupSSL() } #endif +#if HAVE_GSSAPI +gss_name_t gss_myname = GSS_C_NO_NAME; +gss_cred_id_t gss_mycreds = GSS_C_NO_CREDENTIAL; + +void +#if PROTOTYPES +SetupGSSAPI(void) +#else +SetupGSSAPI() +#endif +{ + OM_uint32 stmaj, stmin; + char namestr[128]; + gss_buffer_desc namebuf; + + snprintf(namestr, 128, "host@%s", myHostname); + namebuf.value = namestr; + namebuf.length = strlen(namestr) + 1; + stmaj = gss_import_name(&stmin, &namebuf, GSS_C_NT_HOSTBASED_SERVICE, + &gss_myname); + /* XXX: handle error */ + if (stmaj != GSS_S_COMPLETE) { + Error("gss_import_name failed"); + } + /* Get some initial credentials */ + stmaj = gss_acquire_cred(&stmin, gss_myname, 0, GSS_C_NULL_OID_SET, + GSS_C_ACCEPT, &gss_mycreds, NULL, NULL); + if (stmaj != GSS_S_COMPLETE) { + Error("Could not acquire GSS-API credentials"); + } + +} +#endif + void #if PROTOTYPES ReopenLogfile(void) @@ -1563,6 +1600,9 @@ main(argc, argv) /* Prep the SSL layer */ SetupSSL(); #endif +#if HAVE_GSSAPI + SetupGSSAPI(); +#endif if (config->daemonmode == FLAGTRUE) Daemonize(); diff --git a/conserver/main.h b/conserver/main.h index 1b59a5a..aae8a10 100644 --- a/conserver/main.h +++ b/conserver/main.h @@ -54,6 +54,10 @@ extern char *interface; #if HAVE_OPENSSL extern SSL_CTX *ctx; #endif +#if HAVE_GSSAPI +extern gss_name_t gss_myname; +extern gss_cred_id_t gss_mycreds; +#endif extern void ReopenLogfile PARAMS((void)); extern void ReopenUnifiedlog PARAMS((void)); extern void DumpDataStructures PARAMS((void)); diff --git a/conserver/master.c b/conserver/master.c index 36622cc..ed838ef 100644 --- a/conserver/master.c +++ b/conserver/master.c @@ -494,6 +494,9 @@ DoNormalRead(pCLServing) #if HAVE_OPENSSL "ssl start ssl session\r\n", #endif +#if HAVE_GSSAPI + "gssapi log in with gssapi\r\n", +#endif (char *)0 }; static char *apcHelp2[] = { 
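Review bot: SetupGSSAPI() sets `namebuf.length = strlen(namestr) + 1`, which makes the terminating NUL part of the imported `host@hostname` name; gss_import_name() takes a counted buffer, so `strlen(namestr)` is the length wanted. Also, when gss_import_name() fails the code logs `gss_import_name failed` and then still calls gss_acquire_cred() with `gss_myname` left at GSS_C_NO_NAME; return after either Error() instead, and run the minor status through gss_display_status() so the log says why (no keytab, wrong principal) rather than just that it failed.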
@@ -532,6 +535,15 @@ DoNormalRead(pCLServing) return; } #endif +#if HAVE_GSSAPI + } else if (pCLServing->iState == S_IDENT && + strcmp(pcCmd, "gssapi") == 0) { + FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1); + if (!AttemptGSSAPI(pCLServing)) { + DropMasterClient(pCLServing, FLAGFALSE); + return; + } +#endif } else if (pCLServing->iState == S_IDENT && strcmp(pcCmd, "login") == 0) { #if HAVE_OPENSSL diff --git a/console/console.c b/console/console.c index 4ec949b..d9be01f 100644 --- a/console/console.c +++ b/console/console.c @@ -40,6 +40,9 @@ #include #include #endif +#if HAVE_GSSAPI +#include +#endif int fReplay = 0, fVersion = 0; 
@@ -152,6 +155,83 @@ AttemptSSL(pcf) } #endif +#if HAVE_GSSAPI +gss_name_t gss_server_name = GSS_C_NO_NAME; +gss_ctx_id_t secctx = GSS_C_NO_CONTEXT; +gss_buffer_desc mytok = GSS_C_EMPTY_BUFFER; + +int +#if PROTOTYPES +CanGetGSSContext(const char *servername) +#else +CanGetGSSContext(servername) + const char *servername; +#endif +{ + char namestr[128]; + gss_buffer_desc namebuf, dbuf; + OM_uint32 stmaj, stmin, mctx, dmin; + + snprintf(namestr, 128, "host@%s", servername); + namebuf.value = namestr; + namebuf.length = strlen(namestr) + 1; + stmaj = gss_import_name(&stmin, &namebuf, GSS_C_NT_HOSTBASED_SERVICE, + &gss_server_name); + /* XXX: handle error */ + if (stmaj != GSS_S_COMPLETE) { + Error("gss_import_name failed"); + return 0; + } + secctx = GSS_C_NO_CONTEXT; + mytok.length = 0; mytok.value = NULL; + + stmaj = gss_init_sec_context(&stmin, GSS_C_NO_CREDENTIAL, &secctx, + gss_server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG, 0, + GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, + &mytok, NULL, NULL); + + if (stmaj != GSS_S_COMPLETE && stmaj != GSS_S_CONTINUE_NEEDED) { + do { + gss_display_status(&dmin, stmaj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &mctx, &dbuf); + Error("init sec context failed: %*s", dbuf.length, dbuf.value); + } while (mctx && dbuf.length); + return 0; + } +} + +int +#if PROTOTYPES +AttemptGSSAPI(CONSFILE *pcf) +#else +AttemptGSSAPI(pcf) + CONSFILE *pcf; +#endif +{ + OM_uint32 stmaj, stmin; + gss_buffer_desc servertok; + char buf[1024]; + int nr; + int ret; + + FileSetQuoteIAC(pcf, FLAGFALSE); + FileWrite(pcf, FLAGFALSE, mytok.value, mytok.length); + FileSetQuoteIAC(pcf, FLAGTRUE); + nr = FileRead(pcf, buf, sizeof(buf)); + servertok.length = nr; + servertok.value = buf; + + stmaj = gss_init_sec_context(&stmin, GSS_C_NO_CREDENTIAL, &secctx, + gss_server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG, 0, + GSS_C_NO_CHANNEL_BINDINGS, &servertok, + NULL, &mytok, NULL, NULL); + gss_release_buffer(NULL, &mytok); + + ret = (stmaj == GSS_S_COMPLETE); + gss_release_name(&stmin, 
&gss_server_name); + return ret; +} +#endif + /* output a control (or plain) character as a UNIX user would expect it (ksb) */ static void @@ -271,6 +351,9 @@ Version() #if HAVE_OPENSSL "openssl", #endif +#if HAVE_GSSAPI + "gssapi", +#endif #if HAVE_PAM "pam", #endif @@ -1522,6 +1605,9 @@ DoCmds(master, pports, cmdi) char *ports; char *pcopy; char *serverName; +#if HAVE_GSSAPI + int toksize; +#endif if ((pcopy = ports = StrDup(pports)) == (char *)0) OutOfMem(); @@ -1599,6 +1685,17 @@ DoCmds(master, pports, cmdi) } } #endif +#if HAVE_GSSAPI + if ((toksize = CanGetGSSContext(server)) > 0) { + FilePrint(pcf, FLAGFALSE, "gssapi %d\r\n", toksize); + t = ReadReply(pcf, FLAGFALSE); + if (strcmp(t, "ok\r\n") == 0) { + if (AttemptGSSAPI(pcf)) { + goto gssapi_logged_me_in; + } + } + } +#endif FilePrint(pcf, FLAGFALSE, "login %s\r\n", config->username); @@ -1651,6 +1748,9 @@ DoCmds(master, pports, cmdi) FilePrint(cfstdout, FLAGFALSE, "%s: %s", serverName, t); continue; } +#if HAVE_GSSAPI +gssapi_logged_me_in: +#endif /* now that we're logged in, we can do something */ /* if we're on the last cmd or the command is 'call' and we --envbJBWh7q8WU6mo-- From bryan@stansell.org Thu Feb 7 15:34:42 2008 Received: from underdog.stansell.org (localhost [127.0.0.1]) by underdog.stansell.org (8.14.2/8.14.2) with ESMTP id m17NYf7m025798 for ; Thu, 7 Feb 2008 15:34:41 -0800 (PST) Received: (from bryan@localhost) by underdog.stansell.org (8.14.2/8.14.2/Submit) id m17NYfnF025797 for users@conserver.com; Thu, 7 Feb 2008 15:34:41 -0800 (PST) Date: Thu, 7 Feb 2008 15:34:41 -0800 
From: Bryan Stansell
To: Conserver Users
Subject: Re: Odd ctrl-s problem.
Message-ID: <20080207233441.GU14121@underdog.stansell.org>
References: <20080206110041.GO55234@carrick.bishnet.net> <4CB44D4A-2673-4363-8F81-2439A8E304BF@weird.com> <8F78639AC56F4143B267FE5F5A1B92C80163762B@guyton.phys.mcw.edu> <292AB13C-0657-4470-88A9-4D2714BF0E94@weird.com> <20080207104244.GR55234@carrick.bishnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20080207104244.GR55234@carrick.bishnet.net>
User-Agent: Mutt/1.4.2.2i
X-Scanned-By: MIMEDefang 2.63 on 209.182.219.30
X-BeenThere: users@conserver.com
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Conserver Users
X-List-Received-Date: Thu, 07 Feb 2008 23:34:43 -0000

you can just use:

    idlestring "^Q";

(a literal caret and Q - two characters)

conserver should only be sending characters it's told to send (the only exception i can think of is when it's doing telnet option negotiation). the ssh command is being run within a pseudo-tty and those layers *might* be doing something. for example, there could be things buried in shell startup scripts (since conserver cranks off a /bin/sh to actually run the command) or some unexpected stty setting on the pseudo-tty. i'm lacking any concrete ideas, however. well, aside from using truss/strace and seeing if there are ctrl-s characters flying around.

Bryan

On Thu, Feb 07, 2008 at 10:42:44AM +0000, Peter Saunders wrote:
> Many thanks for your replies,
>
> I still haven't got to the bottom of what actually caused it, but, it
> seems odd if it was the terminal server. It's a reasonably recent event that
> conserver went live on these machines - and in the past, the terminal
> servers didn't have a connection to them from the network, so, all the
> serial traffic was silently thrown away. This is what I was expecting to
> happen during the conserver restart window.
> (People used to ssh to the
> terminal server only when they needed the console)
>
> However, I think I'll change the idlestring to contain ^q - so in
> the event of a restart causing it again, at least after 5 minutes of
> inactivity, conserver would send a ctrl-q to it again. (Assuming I can
> get it to do this?)
>
> Cheers
> Pete

From nstraz@redhat.com Thu Feb 21 12:11:42 2008
Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by underdog.stansell.org (8.14.2/8.14.2) with ESMTP id m1LKBQX6006107 for ; Thu, 21 Feb 2008 12:11:32 -0800 (PST)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id m1LKBPKL011228 for ; Thu, 21 Feb 2008 15:11:25 -0500
Received: from tin.rawstew (vpn-248-48.boston.redhat.com [10.13.248.48]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m1LKBNk5016737 for ; Thu, 21 Feb 2008 15:11:24 -0500
Received: by tin.rawstew (Postfix, from userid 10119) id B1F041CBECB; Thu, 21 Feb 2008 15:11:14 -0500 (EST)
Date: Thu, 21 Feb 2008 15:11:14 -0500
To: Conserver Users
Subject: Re: [PATCH] GSS-API Authentication support
Message-ID: <20080221201113.GJ2065@redhat.com>
References: <20080207193602.GB27752@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bp/iNruPH9dso1Pn"
Content-Disposition: inline
In-Reply-To: <20080207193602.GB27752@redhat.com>
User-Agent: Mutt/1.5.17 (2007-11-13)
From: nstraz@redhat.com (Nathan Straz)
X-Scanned-By: MIMEDefang 2.63 on 209.182.219.30
X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254
X-Spam-Score: -2.312 () BAYES_00
X-BeenThere: users@conserver.com
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Conserver Users
X-List-Received-Date: Thu, 21 Feb 2008 20:11:43 -0000

--bp/iNruPH9dso1Pn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Feb 7 14:36, Nathan Straz wrote:
> Here is a patch that I'm working on. It's not complete, but it works.

I'm a little closer to complete now. Here is v2 of the patch.

> What works:
> - authentication against "host" principals.
> - built w/o openssl
> What hasn't been tested
> - built w/ openssl

I did build and test with openssl. It Just Works(tm).

> Still to do:
> - Switch to using "console" principals.

I haven't done this yet.

> - I'm using a sleep in conserver to wait for the token from console. I
> think I should add a new I/O mode and switch to that.

I finished this and it was a lot easier than when I first looked at it. The trick was to just switch to the new ioState instead of trying to accept the GSS-API token first.

> - the user logged in turns to "user@REALM@peername" which may have some
> side effects.

I did some investigation on the side effects with this. When specifying admin users, I needed to specify user@REALM instead of just user. I don't know if anyone deploys conserver in a multi-realm environment, but I don't think it would be a good idea to strip off @REALM just in case someone wants to.

> Give it a shot in a test environment and let me know if you run into any
> problems.

Please do,

Nate Straz

--bp/iNruPH9dso1Pn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="conserver-gssapi-2.patch"

diff --git a/config.h.in b/config.h.in index 1c3095c..a698b6b 100644 --- a/config.h.in +++ b/config.h.in
@@ -75,6 +75,9 @@ /* Define to 1 if you have the `grantpt' function. */ #undef HAVE_GRANTPT +/* have gss-api support */ +#undef HAVE_GSSAPI + /* Define to 1 if you have the header file. */ #undef HAVE_HPSECURITY_H diff --git a/configure b/configure index 8f58bda..fb2bf67 100755 --- a/configure +++ b/configure @@ -868,6 +868,8 @@ Optional Packages: Compile in libwrap (tcp_wrappers) support --with-openssl[=PATH] Compile in OpenSSL support + --with-gssapi[=PATH] + Compile in GSS-API support --with-dmalloc[=PATH] Compile in dmalloc support --with-pam Enable PAM support 
@@ -6092,6 +6094,242 @@ fi fi; +cons_with_gssapi="NO" + +# Check whether --with-gssapi or --without-gssapi was given. +if test "${with_gssapi+set}" = set; then + withval="$with_gssapi" + if test "$withval" != "no"; then + if test "$withval" != "yes"; then + GSSAPICPPFLAGS="-I$withval/include" + if test "$use_dash_r" != "yes"; then + GSSAPILDFLAGS="-L$withval/lib" + else + GSSAPILDFLAGS="-L$withval/lib -R$withval/lib" + fi + else + GSSAPICPPFLAGS="" + GSSAPILDFLAGS="" + fi + + oCPPFLAGS="$CPPFLAGS" + oLDFLAGS="$LDFLAGS" + oLIBS="$LIBS" + have_gssapi=no + + CPPFLAGS="$CPPFLAGS $GSSAPICPPFLAGS" + LDFLAGS="$LDFLAGS $GSSAPILDFLAGS" + + if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo "$as_me:$LINENO: checking for gssapi/gssapi.h" >&5 +echo $ECHO_N "checking for gssapi/gssapi.h... $ECHO_C" >&6 +if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +echo "$as_me:$LINENO: result: $ac_cv_header_gssapi_gssapi_h" >&5 +echo "${ECHO_T}$ac_cv_header_gssapi_gssapi_h" >&6 +else + # Is the header compilable? +echo "$as_me:$LINENO: checking gssapi/gssapi.h usability" >&5 +echo $ECHO_N "checking gssapi/gssapi.h usability... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_header_compiler=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6 + +# Is the header present? +echo "$as_me:$LINENO: checking gssapi/gssapi.h presence" >&5 +echo $ECHO_N "checking gssapi/gssapi.h presence... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +_ACEOF +if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 + (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null; then + if test -s conftest.err; then + ac_cpp_err=$ac_c_preproc_warn_flag + ac_cpp_err=$ac_cpp_err$ac_c_werror_flag + else + ac_cpp_err= + fi +else + ac_cpp_err=yes +fi +if test -z "$ac_cpp_err"; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi +rm -f conftest.err conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6 + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: present but cannot be compiled" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: check for missing prerequisite headers?" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: gssapi/gssapi.h: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: gssapi/gssapi.h: in the future, the compiler will take precedence" >&2;} + ( + cat <<\_ASBOX +## ------------------------------------------ ## +## Report this to the AC_PACKAGE_NAME lists. ## +## ------------------------------------------ ## +_ASBOX + ) | + sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +echo "$as_me:$LINENO: checking for gssapi/gssapi.h" >&5 +echo $ECHO_N "checking for gssapi/gssapi.h... 
$ECHO_C" >&6 +if test "${ac_cv_header_gssapi_gssapi_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_cv_header_gssapi_gssapi_h=$ac_header_preproc +fi +echo "$as_me:$LINENO: result: $ac_cv_header_gssapi_gssapi_h" >&5 +echo "${ECHO_T}$ac_cv_header_gssapi_gssapi_h" >&6 + +fi +if test $ac_cv_header_gssapi_gssapi_h = yes; then + LIBS="$LIBS -lgssapi" + echo "$as_me:$LINENO: checking for gssapi library -lgssapi" >&5 +echo $ECHO_N "checking for gssapi library -lgssapi... $ECHO_C" >&6 + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +int +main () +{ +gss_create_empty_oid_set(NULL, NULL) + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cons_with_gssapi="YES" + cat >>confdefs.h <<\_ACEOF +#define HAVE_GSSAPI 1 +_ACEOF + + have_gssapi=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi + + + + if test $have_gssapi = no; then + LIBS="$oLIBS" + CPPFLAGS="$oCPPFLAGS" + LDFLAGS="$oLDFLAGS" + fi + fi + +fi; + + cons_with_dmalloc="NO" # Check whether --with-dmalloc or --without-dmalloc was given. @@ -8844,6 +9082,7 @@ echo "" echo " Unix domain sockets (--with-uds) : $cons_with_uds" echo " TCP wrappers (--with-libwrap): $cons_with_libwrap" echo " OpenSSL (--with-openssl): $cons_with_openssl" +echo " GSS-API (--with-gssapi) : $cons_with_gssapi" echo " dmalloc (--with-dmalloc): $cons_with_dmalloc" echo " PAM support (--with-pam) : $cons_with_pam" echo "" diff --git a/configure.in b/configure.in index 8bd2620..c845c7e 100644 --- a/configure.in +++ b/configure.in @@ -14,6 +14,7 @@ AH_TEMPLATE([USE_LIBWRAP], [use tcp_wrappers libwrap]) dnl AH_TEMPLATE([HAVE_POSIX_REGCOMP], [have POSIX regcomp]) AH_TEMPLATE([HAVE_PAM], [have PAM support]) AH_TEMPLATE([HAVE_OPENSSL], [have openssl support]) +AH_TEMPLATE([HAVE_GSSAPI], [have gss-api support]) AH_TEMPLATE([HAVE_DMALLOC], [have dmalloc support]) AH_TEMPLATE([HAVE_SA_LEN],[Defined if sa_len member exists in struct sockaddr]) AH_TEMPLATE([TRUST_REVERSE_DNS],[Defined if we trust reverse DNS]) 
@@ -499,6 +500,51 @@ AC_ARG_WITH(openssl, fi] ) +cons_with_gssapi="NO" +AC_ARG_WITH(gssapi, + AS_HELP_STRING([--with-gssapi@<:@=PATH@:>@], + [Compile in GSS-API support]), + [if test "$withval" != "no"; then + if test "$withval" != "yes"; then + GSSAPICPPFLAGS="-I$withval/include" + if test "$use_dash_r" != "yes"; then + GSSAPILDFLAGS="-L$withval/lib" + else + GSSAPILDFLAGS="-L$withval/lib -R$withval/lib" + fi + else + GSSAPICPPFLAGS="" + GSSAPILDFLAGS="" + fi + + oCPPFLAGS="$CPPFLAGS" + oLDFLAGS="$LDFLAGS" + oLIBS="$LIBS" + have_gssapi=no + + CPPFLAGS="$CPPFLAGS $GSSAPICPPFLAGS" + LDFLAGS="$LDFLAGS $GSSAPILDFLAGS" + + AC_CHECK_HEADER([gssapi/gssapi.h], + [LIBS="$LIBS -lgssapi" + AC_MSG_CHECKING(for gssapi library -lgssapi) + AC_TRY_LINK([#include + ],[gss_create_empty_oid_set(NULL, NULL)], + [AC_MSG_RESULT(yes) + cons_with_gssapi="YES" + AC_DEFINE(HAVE_GSSAPI) + have_gssapi=yes], + [AC_MSG_RESULT(no)])],) + + if test $have_gssapi = no; then + LIBS="$oLIBS" + CPPFLAGS="$oCPPFLAGS" + LDFLAGS="$oLDFLAGS" + fi + fi] +) + + cons_with_dmalloc="NO" AC_ARG_WITH(dmalloc, AS_HELP_STRING([--with-dmalloc@<:@=PATH@:>@], @@ -657,6 +703,7 @@ echo "" echo " Unix domain sockets (--with-uds) : $cons_with_uds" echo " TCP wrappers (--with-libwrap): $cons_with_libwrap" echo " OpenSSL (--with-openssl): $cons_with_openssl" +echo " GSS-API (--with-gssapi) : $cons_with_gssapi" echo " dmalloc (--with-dmalloc): $cons_with_dmalloc" echo " PAM support (--with-pam) : $cons_with_pam" echo "" diff --git a/conserver/cutil.h b/conserver/cutil.h index a9b579a..da1a5ae 100644 --- a/conserver/cutil.h +++ b/conserver/cutil.h @@ -15,6 +15,9 @@ #include #include #endif +#if HAVE_GSSAPI +#include +#endif /* communication constants */ @@ -46,6 +49,9 @@ typedef enum IOState { INSSLACCEPT, INSSLSHUTDOWN, #endif +#if HAVE_GSSAPI + INGSSACCEPT, +#endif ISFLUSHING } IOSTATE; diff --git a/conserver/group.c b/conserver/group.c index ea6bd76..b8c3c06 100644 --- a/conserver/group.c +++ b/conserver/group.c 
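Review bot: the configure.in hunk only ever tries `LIBS="$LIBS -lgssapi"` after AC_CHECK_HEADER([gssapi/gssapi.h]). That is Heimdal's library name; MIT Kerberos ships the mechanism as libgssapi_krb5, so on an MIT system `--with-gssapi` silently ends with `GSS-API (--with-gssapi) : NO` and the user gets a build without the feature they asked for. Try `-lgssapi_krb5` as a second candidate (or take the flags from `krb5-config --libs gssapi`, which both implementations install), and raise AC_MSG_ERROR when --with-gssapi was given explicitly and neither library links.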
@@ -1869,6 +1869,65 @@ AttemptSSL(pCL) } #endif +#if HAVE_GSSAPI +int +#if PROTOTYPES +AttemptGSSAPI(CONSCLIENT *pCL) +#else +AttemptGSSAPI(pCL) + CONSCLIENT *pCL; +#endif +{ + int nr, ret = 0; + char buf[1024]; + gss_buffer_desc sendtok, recvtok, dbuf; + gss_ctx_id_t gssctx = GSS_C_NO_CONTEXT; + OM_uint32 stmaj, stmin, mctx, dmin; + gss_name_t user = 0; + + if ((nr = FileRead(pCL->fd, buf, sizeof(buf))) < 0) { + return 0; + } + recvtok.value = buf; + recvtok.length = nr; + + stmaj = gss_accept_sec_context(&stmin, &gssctx, gss_mycreds, + &recvtok, NULL, &user, NULL, &sendtok, NULL, NULL, NULL); + switch (stmaj) { + case GSS_S_COMPLETE: + FileSetQuoteIAC(pCL->fd, FLAGFALSE); + FileWrite(pCL->fd, FLAGFALSE, sendtok.value, sendtok.length); + FileSetQuoteIAC(pCL->fd, FLAGTRUE); + pCL->iState = S_NORMAL; + gss_release_buffer(NULL, &sendtok); + BuildString((char *)0, pCL->username); + BuildString((char *)0, pCL->acid); + stmaj = gss_display_name(&stmin, user, &dbuf, NULL); + + BuildStringN(dbuf.value, dbuf.length, pCL->username); + BuildStringN(dbuf.value, dbuf.length, pCL->acid); + BuildStringChar('@', pCL->acid); + BuildString(pCL->peername->string, + pCL->acid); + gss_release_name(&stmin, &user); + gss_release_buffer(NULL, &dbuf); + ret = 1; + break; + case GSS_S_CREDENTIALS_EXPIRED: + /* reacquire creds and try again */ + Error("Credentials expired"); + break; + default: + do { + gss_display_status(&dmin, stmaj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &mctx, &dbuf); + Error("GSSAPI didn't work, %*s", dbuf.length, dbuf.value); + } while (mctx && dbuf.length); + ret = -1; + } + return ret; +} +#endif + CONSENT * #if PROTOTYPES HuntForConsole(GRPENT *pGE, char *name) @@ -2945,6 +3004,7 @@ DoClientRead(pGE, pCLServing) static char *pcArgs; static char *pcCmd; + CONDDEBUG((1, "state = %d", pCLServing->iState)); if ('\n' != acIn[i]) { BuildStringChar(acIn[i], pCLServing->accmd); continue; 
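Review bot: AttemptGSSAPI() in group.c still reads the client token with a single `FileRead(pCL->fd, buf, sizeof(buf))` into a 1024-byte buffer. A Kerberos AP-REQ carrying a service ticket can exceed that, and a stream read may return only part of a token, so the function should accumulate until the announced size is in hand: the client already sends `gssapi %d\r\n` with `toksize`, but the server compares only `pcCmd` and never reads the argument. In the GSS_S_COMPLETE branch the status of gss_display_name() is ignored and BuildStringN(dbuf.value, dbuf.length, ...) then runs on a buffer that is undefined if it failed. GSS_S_CONTINUE_NEEDED falls through to the default branch and is reported as an error. That default loop passes an uninitialised `mctx` to gss_display_status() (RFC 2744 requires zero before the first call) and prints with `%*s`, a width expecting an int while dbuf.length is size_t, where `%.*s` with `(int)dbuf.length` is intended; and `sendtok`, `user` and each iteration's `dbuf` are never released on the error paths.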
@@ -2993,6 +3053,9 @@ DoClientRead(pGE, pCLServing) #if HAVE_OPENSSL "ssl start ssl session\r\n", #endif +#if HAVE_GSSAPI + "gssapi log in with gssapi\r\n", +#endif (char *)0 }; static char *apcHelp2[] = { @@ -3033,6 +3096,14 @@ DoClientRead(pGE, pCLServing) return; } #endif +#if HAVE_GSSAPI + } else if (pCLServing->iState == S_IDENT && + strcmp(pcCmd, "gssapi") == 0) { + FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1); + /* Change the I/O mode right away, we'll do the read + * and accept when the select gets back to us */ + pCLServing->ioState = INGSSACCEPT; +#endif } else if (pCLServing->iState == S_IDENT && strcmp(pcCmd, "login") == 0) { #if HAVE_OPENSSL @@ -3267,6 +3338,7 @@ DoClientRead(pGE, pCLServing) } else { FileWrite(pCLServing->fd, FLAGFALSE, "unknown command\r\n", -1); + CONDDEBUG((1, "command %s state %d", pcCmd, pCLServing->iState)); } BuildString((char *)0, pCLServing->accmd); } else @@ -4651,6 +4723,16 @@ Kiddie(pGE, sfd) } break; #endif +#if HAVE_GSSAPI + case INGSSACCEPT: + { int r; + if ((r = AttemptGSSAPI(pCLServing)) < 0) + DropMasterClient(pCLServing, FLAGFALSE); + else if (r == 1) + pCLServing->ioState = ISNORMAL; + } + break; +#endif case ISNORMAL: if (FileCanRead(pCLServing->fd, &rmask, &wmask)) DoClientRead(pGE, pCLServing); diff --git a/conserver/main.c b/conserver/main.c index 38b66dd..24fbcbe 100644 --- a/conserver/main.c +++ b/conserver/main.c @@ -44,6 +44,9 @@ #if HAVE_OPENSSL # include #endif +#if HAVE_GSSAPI +# include +#endif int fAll = 0, fNoinit = 0, fVersion = 0, fStrip = 0, fReopen = 
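Review bot: the new INGSSACCEPT case in Kiddie() calls `DropMasterClient(pCLServing, FLAGFALSE)` on failure, which is the master process's routine; the v1 patch used `DisconnectClient(pGE, pCLServing, (char *)0, FLAGFALSE)` in this file and that is what the group child should keep using. Separately, `r == 0` (the GSS_S_CREDENTIALS_EXPIRED path, and FileRead returning -1) leaves ioState at INGSSACCEPT with nothing to distinguish "try again" from "give up", so the next readable select() calls AttemptGSSAPI() again and consumes whatever the client sends next as a second token; either treat 0 as fatal as well or implement the "reacquire creds and try again" comment before returning 0. The same applies to the copy of this case in Master() in master.c.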
@@ -378,6 +381,40 @@ SetupSSL() } #endif +#if HAVE_GSSAPI +gss_name_t gss_myname = GSS_C_NO_NAME; +gss_cred_id_t gss_mycreds = GSS_C_NO_CREDENTIAL; + +void +#if PROTOTYPES +SetupGSSAPI(void) +#else +SetupGSSAPI() +#endif +{ + OM_uint32 stmaj, stmin; + char namestr[128]; + gss_buffer_desc namebuf; + + snprintf(namestr, 128, "host@%s", myHostname); + namebuf.value = namestr; + namebuf.length = strlen(namestr) + 1; + stmaj = gss_import_name(&stmin, &namebuf, GSS_C_NT_HOSTBASED_SERVICE, + &gss_myname); + /* XXX: handle error */ + if (stmaj != GSS_S_COMPLETE) { + Error("gss_import_name failed"); + } + /* Get some initial credentials */ + stmaj = gss_acquire_cred(&stmin, gss_myname, 0, GSS_C_NULL_OID_SET, + GSS_C_ACCEPT, &gss_mycreds, NULL, NULL); + if (stmaj != GSS_S_COMPLETE) { + Error("Could not acquire GSS-API credentials"); + } + +} +#endif + void #if PROTOTYPES ReopenLogfile(void) @@ -1563,6 +1600,9 @@ main(argc, argv) /* Prep the SSL layer */ SetupSSL(); #endif +#if HAVE_GSSAPI + SetupGSSAPI(); +#endif if (config->daemonmode == FLAGTRUE) Daemonize(); diff --git a/conserver/main.h b/conserver/main.h index 1b59a5a..aae8a10 100644 --- a/conserver/main.h +++ b/conserver/main.h @@ -54,6 +54,10 @@ extern char *interface; #if HAVE_OPENSSL extern SSL_CTX *ctx; #endif +#if HAVE_GSSAPI +extern gss_name_t gss_myname; +extern gss_cred_id_t gss_mycreds; +#endif extern void ReopenLogfile PARAMS((void)); extern void ReopenUnifiedlog PARAMS((void)); extern void DumpDataStructures PARAMS((void)); diff --git a/conserver/master.c b/conserver/master.c index 36622cc..d406b19 100644 --- a/conserver/master.c +++ b/conserver/master.c @@ -494,6 +494,9 @@ DoNormalRead(pCLServing) #if HAVE_OPENSSL "ssl start ssl session\r\n", #endif +#if HAVE_GSSAPI + "gssapi log in with gssapi\r\n", +#endif (char *)0 }; static char *apcHelp2[] = { 
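Review bot: SetupGSSAPI() is unchanged from v1 and keeps its two problems: `namebuf.length = strlen(namestr) + 1` imports the NUL terminator as part of the `host@hostname` name, and after `Error("gss_import_name failed")` execution continues into gss_acquire_cred() with GSS_C_NO_NAME. Since this runs once at startup, a failure here should be fatal (or should disable the `gssapi` command) rather than logged and forgotten; otherwise every later `gssapi` login runs gss_accept_sec_context() with `gss_mycreds` still GSS_C_NO_CREDENTIAL, i.e. whatever default acceptor credential the library finds, which is much harder to diagnose than a clear error at start.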
@@ -532,6 +535,14 @@ DoNormalRead(pCLServing) return; } #endif +#if HAVE_GSSAPI + } else if (pCLServing->iState == S_IDENT && + strcmp(pcCmd, "gssapi") == 0) { + FileWrite(pCLServing->fd, FLAGFALSE, "ok\r\n", -1); + /* Change the I/O mode right away, we'll do the read + * and accept when the select gets back to us */ + pCLServing->ioState = INGSSACCEPT; +#endif } else if (pCLServing->iState == S_IDENT && strcmp(pcCmd, "login") == 0) { #if HAVE_OPENSSL @@ -921,6 +932,16 @@ Master() } break; #endif +#if HAVE_GSSAPI + case INGSSACCEPT: + { int r; + if ((r = AttemptGSSAPI(pCLServing)) < 0) + DropMasterClient(pCLServing, FLAGFALSE); + else if (r == 1) + pCLServing->ioState = ISNORMAL; + } + break; +#endif case ISNORMAL: if (FileCanRead(pCLServing->fd, &rmask, &wmask)) DoNormalRead(pCLServing); diff --git a/console/console.c b/console/console.c index 4ec949b..d9be01f 100644 --- a/console/console.c +++ b/console/console.c @@ -40,6 +40,9 @@ #include #include #endif +#if HAVE_GSSAPI +#include +#endif int fReplay = 0, fVersion = 0; 
@@ -152,6 +155,83 @@ AttemptSSL(pcf) } #endif +#if HAVE_GSSAPI +gss_name_t gss_server_name = GSS_C_NO_NAME; +gss_ctx_id_t secctx = GSS_C_NO_CONTEXT; +gss_buffer_desc mytok = GSS_C_EMPTY_BUFFER; + +int +#if PROTOTYPES +CanGetGSSContext(const char *servername) +#else +CanGetGSSContext(servername) + const char *servername; +#endif +{ + char namestr[128]; + gss_buffer_desc namebuf, dbuf; + OM_uint32 stmaj, stmin, mctx, dmin; + + snprintf(namestr, 128, "host@%s", servername); + namebuf.value = namestr; + namebuf.length = strlen(namestr) + 1; + stmaj = gss_import_name(&stmin, &namebuf, GSS_C_NT_HOSTBASED_SERVICE, + &gss_server_name); + /* XXX: handle error */ + if (stmaj != GSS_S_COMPLETE) { + Error("gss_import_name failed"); + return 0; + } + secctx = GSS_C_NO_CONTEXT; + mytok.length = 0; mytok.value = NULL; + + stmaj = gss_init_sec_context(&stmin, GSS_C_NO_CREDENTIAL, &secctx, + gss_server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG, 0, + GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, + &mytok, NULL, NULL); + + if (stmaj != GSS_S_COMPLETE && stmaj != GSS_S_CONTINUE_NEEDED) { + do { + gss_display_status(&dmin, stmaj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &mctx, &dbuf); + Error("init sec context failed: %*s", dbuf.length, dbuf.value); + } while (mctx && dbuf.length); + return 0; + } +} + +int +#if PROTOTYPES +AttemptGSSAPI(CONSFILE *pcf) +#else +AttemptGSSAPI(pcf) + CONSFILE *pcf; +#endif +{ + OM_uint32 stmaj, stmin; + gss_buffer_desc servertok; + char buf[1024]; + int nr; + int ret; + + FileSetQuoteIAC(pcf, FLAGFALSE); + FileWrite(pcf, FLAGFALSE, mytok.value, mytok.length); + FileSetQuoteIAC(pcf, FLAGTRUE); + nr = FileRead(pcf, buf, sizeof(buf)); + servertok.length = nr; + servertok.value = buf; + + stmaj = gss_init_sec_context(&stmin, GSS_C_NO_CREDENTIAL, &secctx, + gss_server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG, 0, + GSS_C_NO_CHANNEL_BINDINGS, &servertok, + NULL, &mytok, NULL, NULL); + gss_release_buffer(NULL, &mytok); + + ret = (stmaj == GSS_S_COMPLETE); + gss_release_name(&stmin, 
&gss_server_name); + return ret; +} +#endif + /* output a control (or plain) character as a UNIX user would expect it (ksb) */ static void @@ -271,6 +351,9 @@ Version() #if HAVE_OPENSSL "openssl", #endif +#if HAVE_GSSAPI + "gssapi", +#endif #if HAVE_PAM "pam", #endif @@ -1522,6 +1605,9 @@ DoCmds(master, pports, cmdi) char *ports; char *pcopy; char *serverName; +#if HAVE_GSSAPI + int toksize; +#endif if ((pcopy = ports = StrDup(pports)) == (char *)0) OutOfMem(); @@ -1599,6 +1685,17 @@ DoCmds(master, pports, cmdi) } } #endif +#if HAVE_GSSAPI + if ((toksize = CanGetGSSContext(server)) > 0) { + FilePrint(pcf, FLAGFALSE, "gssapi %d\r\n", toksize); + t = ReadReply(pcf, FLAGFALSE); + if (strcmp(t, "ok\r\n") == 0) { + if (AttemptGSSAPI(pcf)) { + goto gssapi_logged_me_in; + } + } + } +#endif FilePrint(pcf, FLAGFALSE, "login %s\r\n", config->username); @@ -1651,6 +1748,9 @@ DoCmds(master, pports, cmdi) FilePrint(cfstdout, FLAGFALSE, "%s: %s", serverName, t); continue; } +#if HAVE_GSSAPI +gssapi_logged_me_in: +#endif /* now that we're logged in, we can do something */ /* if we're on the last cmd or the command is 'call' and we

From pajs@carrick.bishnet.net Wed Feb 27 06:31:29 2008
Date: Wed, 27 Feb 2008 14:30:27 +0000
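Review bot: in the group.c DoClientRead hunk that adds the "gssapi" command, the server answers "ok" and switches to INGSSACCEPT, but nothing visible in this patch ever moves the client out of S_IDENT or records which principal authenticated once the INGSSACCEPT case reports success (that case only sets ioState back to ISNORMAL). Unless the server-side AttemptGSSAPI, which is not in this excerpt (only the console.c client version is shown), sets the client's username and state the way the "login" path does, a client that completes the handshake is still sitting in S_IDENT, and a client whose handshake was rejected must not be able to fall through into the normal command loop. Also, the client sends "gssapi <toksize>" but this branch only compares the command word and never reads the length; either use it to size the accept-side read or drop it from the client so both ends agree on the wire format.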
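Review bot: the CONDDEBUG added in the "unknown command" branch of DoClientRead writes the raw rejected command string to the debug log. That is useful while the new state machine is being shaken out, but anything a client sends out of sequence (a password typed when the server was expecting a command, for instance) then lands in the log; logging only the length and the state, or truncating pcCmd, keeps the diagnostic without the exposure.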
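Review bot: the INGSSACCEPT case added to Kiddie() in group.c is the same block that is added to Master() in master.c, including the call to DropMasterClient(); confirm that DropMasterClient is the right teardown for a group child's client (the INSSLACCEPT case just above this hunk shows what the group side uses for a failed SSL accept) rather than the master-side routine the block was copied from. A return of 0 from AttemptGSSAPI leaves the client parked in INGSSACCEPT for another round, so the client must also be prepared to send more than one token (see the console.c note). The "{ int r;" brace on the case line is also out of step with the surrounding style; a small helper shared by group.c and master.c would remove the duplication in both places.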
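Review bot: in SetupGSSAPI() the "/* XXX: handle error */" is still open: after gss_import_name fails the code reports it and then calls gss_acquire_cred with an unset name, and after gss_acquire_cred fails the daemon carries on with gss_mycreds == GSS_C_NO_CREDENTIAL while still advertising "gssapi" in the help text and accepting the command. Either treat both failures as fatal at startup or clear a flag so the command is refused at S_IDENT. Two smaller points: "namebuf.length = strlen(namestr) + 1" counts the terminating NUL, which a GSS buffer length should not (RFC 2744 buffers are not NUL-terminated); and the minor status is thrown away, so running stmaj/stmin through gss_display_status() would make "Could not acquire GSS-API credentials" (typically a keytab or hostname mismatch for host@myHostname) diagnosable from the log.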
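Review bot: main.h now declares "extern gss_name_t gss_myname" and "extern gss_cred_id_t gss_mycreds" but does not include the GSS-API header itself, so every translation unit that includes main.h with HAVE_GSSAPI set must have pulled it in first (the OpenSSL extern just above has the same dependency, so this follows precedent, but it is worth a comment). While here, the server-side AttemptGSSAPI() called from group.c and master.c needs a prototype visible to both; this excerpt shows neither the function nor its declaration.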
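Review bot: CanGetGSSContext() in console.c is declared int and its caller in DoCmds does "if ((toksize = CanGetGSSContext(server)) > 0)", but the success path falls off the end of the function without a return; it should return mytok.length (and keep returning 0 on failure). In the same function, mctx is handed to gss_display_status() without being set to 0 first, the returned dbuf is never released, and "%*s" with dbuf.length is a field width rather than a precision; "%.*s", (int)dbuf.length, (char *)dbuf.value is what prints a non-NUL-terminated GSS buffer. The namebuf.length off-by-one noted for SetupGSSAPI() is repeated here. In AttemptGSSAPI(): gss_release_buffer(NULL, &mytok) passes NULL where the API requires a pointer to an OM_uint32 (use &stmin); FileRead() into the fixed 1024-byte buf is assumed to deliver the whole server token in one call, and a negative return would become an enormous servertok.length, so check nr and frame the token (the client announces its own token size in "gssapi %d", the server's reply carries no length at all); and GSS_S_CONTINUE_NEEDED is treated as failure, so any mechanism that needs more than one round trip cannot succeed, while the server side waits in INGSSACCEPT for a token that never comes. Finally, the context is used only to authenticate: with just GSS_C_MUTUAL_FLAG and no wrap/unwrap of the later traffic, everything after the handshake travels on the plain stream unless SSL was negotiated as well, and secctx is never released with gss_delete_sec_context(); the documentation should state that GSSAPI here replaces the password exchange, not the transport protection.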
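Review bot: in the DoCmds hunk, any reply other than "ok" (and any AttemptGSSAPI failure) silently falls back to "login <username>" and the password prompt, so a user expecting to be authenticated by their ticket gets no indication that the downgrade happened; print a message, or make the fallback configurable, so a broken or interfered-with handshake is noticed rather than papered over. The "goto gssapi_logged_me_in" also jumps over everything between the "login" command and the label, including the reply handling that reports "%s: %s" errors from the server, so it is worth confirming that the server sends nothing after the handshake that the login path would otherwise have consumed. The mytok/secctx left behind by a failed attempt are minor by comparison but belong to the same path.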
From: Peter Saunders
To: Conserver Users
Subject: Re: Odd ctrl-s problem.
Message-ID: <20080227143027.GB88696@carrick.bishnet.net>
In-Reply-To: <20080207104244.GR55234@carrick.bishnet.net>
References: <20080206110041.GO55234@carrick.bishnet.net> <4CB44D4A-2673-4363-8F81-2439A8E304BF@weird.com> <8F78639AC56F4143B267FE5F5A1B92C80163762B@guyton.phys.mcw.edu> <292AB13C-0657-4470-88A9-4D2714BF0E94@weird.com> <20080207104244.GR55234@carrick.bishnet.net>
User-Agent: Mutt/1.5.13 (2006-08-11)

A follow up..

I did some testing after this problem occurred again.

In 1 window:

    while true; do pkill conserver; conserver start; sleep 7; done

(sometimes for testing, make it a pkill -SEGV - to simulate when conserver crashes)

In the other window:

    while true; do console ; done

On the host itself:

    while true; do date > /dev/console; sleep 1; done

After about 20-30 conserver restarts - the end host required a ctrl q to send output again.

So, my next test. I created a file which contained ^Eco to force a console restart.

    while true; do
        cat /tmp/eco | console
        sleep 5
    done

Again, after about 20-30 restarts, flow control has occurred again.
For my last test, I took conserver out of the equation, and wrote an expect script that connected to the console directly:

    #!/opt/sfw/bin/expect -f
    spawn /usr/bin/ssh -o StrictHostKeyChecking=no -o ForwardX11=no -c 3des user:port@terminalserver
    set timeout 60
    expect -nocase -re "password:"
    send -- "PASSWORD\n"
    expect -nocase -re "\n"
    expect -nocase -re "\n"
    expect -nocase -re "\n"
    exit

And ran this in a while true loop. (So doing exactly what conserver would do, spawn an ssh connection and read from it.)

If it was a terminal server bug, I would expect this to behave the same as conserver, e.g. on the 20-30th time, need a ctrl q. However, this ran every time, never having an issue. It just kept working forever.

So, it does look like it is something in conserver causing this to happen, unfortunately intermittently.

I tried setting the default "options" to:

    options "!ixon,!ixoff,autoreinit,reinitoncc";

and even

    options "ixon,ixoff,autoreinit,reinitoncc";

However, this made no difference.

Getting a ^Q sent at startup (in the initcmd) does stop this happening, as does sending it in the idlestring. So I have a workaround to my specific issue, but it would be interesting to know why this happens at all.

Any thoughts?

Thanks
Pete

On Thu, Feb 07, 2008 at 10:42:44AM +0000, Peter Saunders wrote:
> Many thanks for your replies,
>
> I still haven't got to the bottom of what actually caused it, but, it
> seems odd if it was the terminal server. It's a reasonably recent event that
> conserver went live on these machines - and in the past, the terminal
> servers didn't have a connection to them from the network, so, all the
> serial traffic was silently thrown away. This is what I was expecting to
> happen during the conserver restart window.
> (People used to ssh to the
> terminal server only when they needed the console)
>
> However, I think I'll change the idlestring to contain ^q - so in
> the event of a restart causing it again, at least after 5 minutes of
> inactivity, conserver would send a ctrl-q to it again. (Assuming I can
> get it to do this?)
>
> Cheers
> Pete
>
> On Wed, Feb 06, 2008 at 12:42:25PM -0500, Greg A. Woods wrote:
> >
> > On 6-Feb-08, at 11:31 AM, Brodie, Kent wrote:
> >
> > > Well, it's been a long while since I've had to mess with older
> > > terminal servers, but I seem to recall that some flavors of decservers for
> > > example allowed you to control the pass-through of various control
> > > characters to the port. Specifically, you could control whether things
> > > like BREAK, control-x, control-s, etc got passed through or trapped.
> >
> > The problem here is definitely not with pass-through of control
> > characters.
> >
> > It's more to do with the terminal server generating control characters
> > in its own attempt to control the data flowing from the attached device.
> >
> > Disabling flow control on the port could probably prevent the problem
> > from happening, however then flow control during normal use would
> > then be impossible (pass-through of flow control characters would not
> > have the desired effect -- they don't get passed through SSH and
> > TELNET connections in the way you would want them to be transmitted
> > since buffering in the various network layers would defeat any
> > attempt to use a raw connection).
> >
> > Proper flow control for interactive use requires that the terminal
> > server perform flow control directly itself (and that the various
> > network layers use whatever mechanisms they have to do flow control
> > properly, right down to the connection to the attached device).
> >
> > E.g. you want output to stop almost immediately when you hit ^S but
> > you don't want anything to be lost.
> > That means the final output
> > device in front of the user (e.g. xterm) interprets the ^S from the
> > user and immediately stops generating output, while at the same time
> > pushing the flow control request back through the various layers
> > (CONSERVER -> SSH -> TELNET -> RS232 or whatever) so that eventually
> > a flow control request reaches the device generating the data in the
> > appropriate form and that all buffered data is preserved in all the
> > various layers in anticipation of the user hitting ^Q to see some
> > more (or that it all be flushed if the user hits ^C or whatever).
> > Note that this may sometimes involve translating the flow control
> > request into a hardware signal change on the RS232 line, such as
> > de-asserting CTS.
> >
> > Note that flow control may have to work properly through all the
> > layers for more than just interactive uses too. If you don't want
> > data from your attached devices to be lost by conserver in its logs,
> > for example, then you need fully working flow control back through
> > all the layers to the attached devices. If you don't have fully
> > working flow control through all layers then something like a minor
> > network glitch may cause a buffer to fill and all data between that
> > time and the draining of the buffer to be lost forever.
> >
> > --
> > Greg A. Woods
> >
> > _______________________________________________
> > users mailing list
> > users@conserver.com
> > https://www.conserver.com/mailman/listinfo/users

--
Pete
"Money doesn't make you happy, but money can buy gizmos, and gizmos make you happy"
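The mechanism behind Pete's measurements (a ^S parked on the end host's console stops every later write to /dev/console until a ^Q arrives, and a process doing that write just hangs) can be reproduced on a pseudo-terminal with no terminal server involved. The script below is an added example, not conserver code or anything posted in the thread: the pty slave stands in for the host's /dev/console, the pty master for whatever upstream device injected the ^S, and the log line is constructed. It assumes Linux's n_tty line-discipline behaviour, where a write to a stopped tty blocks rather than being discarded, and it runs each trial once with IXON set (the usual console default) and once with it cleared.

```python
"""Reproduce the ^S symptom from this thread on a pseudo-terminal.

With IXON set on a tty, a stray XOFF (^S, 0x13) arriving on its input stops
all output until XON (^Q, 0x11) arrives, and a process writing to that tty
blocks inside write(2) meanwhile.  With IXON cleared, ^S is just another
input byte and output keeps flowing.

Added example, not conserver code: the pty slave stands in for the end
host's /dev/console, the pty master for whatever upstream device injected
the ^S, and the log line is constructed.  Linux n_tty behaviour is assumed
(a write to a stopped tty blocks rather than being discarded).
"""
import os
import pty
import select
import termios
import threading
import time

XOFF = b"\x13"  # ^S
XON = b"\x11"   # ^Q
SAMPLE = b"Feb 27 14:30:27 host syslogd: constructed test message\n"


def configure_console(fd, ixon):
    """Raw-ish settings on the 'console' side; only IXON is left to the caller."""
    iflag, oflag, cflag, lflag, ispeed, ospeed, cc = termios.tcgetattr(fd)
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY | termios.ICRNL)
    if ixon:
        iflag |= termios.IXON            # honour ^S/^Q (the usual default)
    oflag &= ~termios.OPOST              # keep "\n" exactly as written
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ISIG)
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag, ispeed, ospeed, cc])


def flow_control_trial(ixon, settle=0.3):
    """Inject ^S, let an application write a log line, then inject ^Q.

    Returns a dict:
      blocked         the writer was still stuck in write() `settle` seconds
                      after ^S was delivered
      write_completed the writer finished once ^Q had been sent
      received        what came out on the far side of the pty
    """
    master, console = pty.openpty()
    try:
        configure_console(console, ixon)

        # 1. Something upstream emits ^S towards the console.
        os.write(master, XOFF)
        time.sleep(settle / 2)           # let the line discipline see it

        # 2. An application (syslogd, "date > /dev/console", ...) writes.
        #    Done in a thread so a blocked write() cannot hang the demo.
        writer = threading.Thread(target=os.write, args=(console, SAMPLE),
                                  daemon=True)
        writer.start()
        writer.join(settle)
        blocked = writer.is_alive()

        # 3. ^Q releases the output; this is what a ^Q in conserver's
        #    initcmd or idlestring achieves on the real console.
        os.write(master, XON)
        writer.join(2.0)
        write_completed = not writer.is_alive()

        received = b""
        deadline = time.monotonic() + 2.0
        while len(received) < len(SAMPLE) and time.monotonic() < deadline:
            ready, _, _ = select.select([master], [], [], 0.1)
            if ready:
                received += os.read(master, 4096)
        return {"blocked": blocked, "write_completed": write_completed,
                "received": received}
    finally:
        os.close(master)
        os.close(console)


if __name__ == "__main__":
    for ixon in (True, False):
        r = flow_control_trial(ixon)
        print("IXON %s: writer blocked=%s, completed=%s, got %r"
              % ("set" if ixon else "clear", r["blocked"],
                 r["write_completed"], r["received"]))
```

Run on its own it prints both trials: with IXON set the writer is stuck until the ^Q arrives, which is why a ^Q in the initcmd or idlestring clears the condition on the host; with IXON clear the ^S is inert. Note that the flag that matters is the one on the end host's console tty (`stty -a < /dev/console` shows `ixon` or `-ixon` there); conserver's own ixon/ixoff options apply to the tty conserver itself opens for the console, which would explain why changing them in conserver.cf made no difference to the host.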