From 94f0716fffdd4a29055ff47943cae85106e42847 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 Jan 2014 10:54:29 +1300 Subject: [PATCH] auth: Remove dfs_auth() from pass_check.c and s4's auth_unix The waf build has no logic to detect DCE/DFS, so this plaintext authentication mechanism is dead code. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider --- source3/auth/pass_check.c | 315 ---------------------------------- source4/auth/ntlm/auth_unix.c | 4 - 2 files changed, 319 deletions(-) diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 10889bde45e..27e1c20cc9d 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -97,317 +97,6 @@ static bool afs_auth(char *user, char *password) #endif -#ifdef WITH_DFS - -#include -#include - -/***************************************************************** - This new version of the DFS_AUTH code was donated by Karsten Muuss - . It fixes the following problems with the - old code : - - - Server credentials may expire - - Client credential cache files have wrong owner - - purge_context() function is called with invalid argument - - This new code was modified to ensure that on exit the uid/gid is - still root, and the original directory is restored. JRA. -******************************************************************/ - -sec_login_handle_t my_dce_sec_context; -int dcelogin_atmost_once = 0; - -/******************************************************************* -check on a DCE/DFS authentication -********************************************************************/ -static bool dfs_auth(char *user, char *password) -{ - struct tm *t; - error_status_t err; - int err2; - int prterr; - signed32 expire_time, current_time; - boolean32 password_reset; - struct passwd *pw; - sec_passwd_rec_t passwd_rec; - sec_login_auth_src_t auth_src = sec_login_auth_src_network; - unsigned char dce_errstr[dce_c_error_string_len]; - gid_t egid; - - if (dcelogin_atmost_once) - return (False); - -#ifdef HAVE_CRYPT - /* - * We only go for a DCE login context if the given password - * matches that stored in the local password file.. - * Assumes local passwd file is kept in sync w/ DCE RGY! - */ - - if (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted())) - { - return (False); - } -#endif - - sec_login_get_current_context(&my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); - - return (False); - } - - sec_login_certify_identity(my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); - - return (False); - } - - sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); - - return (False); - } - - time(¤t_time); - - if (expire_time < (current_time + 60)) - { - struct passwd *pw; - sec_passwd_rec_t *key; - - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t *) & pw, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); - - return (False); - } - - sec_login_refresh_identity(my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't refresh identity. %s\n", - dce_errstr)); - - return (False); - } - - sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, - (unsigned char *)pw->pw_name, - sec_c_key_version_none, - (void **)&key, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get key for %s. %s\n", - pw->pw_name, dce_errstr)); - - return (False); - } - - sec_login_valid_and_cert_ident(my_dce_sec_context, key, - &password_reset, &auth_src, - &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, - ("DCE can't validate and certify identity for %s. %s\n", - pw->pw_name, dce_errstr)); - } - - sec_key_mgmt_free_key(key, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't free key.\n", dce_errstr)); - } - } - - if (sec_login_setup_identity((unsigned char *)user, - sec_login_no_flags, - &my_dce_sec_context, &err) == 0) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", - user, dce_errstr)); - return (False); - } - - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t *) & pw, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); - - return (False); - } - - sec_login_purge_context(&my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr)); - - return (False); - } - - /* - * NB. I'd like to change these to call something like change_to_user() - * instead but currently we don't have a connection - * context to become the correct user. This is already - * fairly platform specific code however, so I think - * this should be ok. I have added code to go - * back to being root on error though. JRA. - */ - - egid = getegid(); - - set_effective_gid(pw->pw_gid); - set_effective_uid(pw->pw_uid); - - if (sec_login_setup_identity((unsigned char *)user, - sec_login_no_flags, - &my_dce_sec_context, &err) == 0) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", - user, dce_errstr)); - goto err; - } - - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t *) & pw, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); - goto err; - } - - passwd_rec.version_number = sec_passwd_c_version_none; - passwd_rec.pepper = NULL; - passwd_rec.key.key_type = sec_passwd_plain; - passwd_rec.key.tagged_union.plain = (idl_char *) password; - - sec_login_validate_identity(my_dce_sec_context, - &passwd_rec, &password_reset, - &auth_src, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, - ("DCE Identity Validation failed for principal %s: %s\n", - user, dce_errstr)); - goto err; - } - - sec_login_certify_identity(my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr)); - goto err; - } - - if (auth_src != sec_login_auth_src_network) - { - DEBUG(0, ("DCE context has no network credentials.\n")); - } - - sec_login_set_context(my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, - ("DCE login failed for principal %s, cant set context: %s\n", - user, dce_errstr)); - - sec_login_purge_context(&my_dce_sec_context, &err); - goto err; - } - - sec_login_get_pwent(my_dce_sec_context, - (sec_login_passwd_t *) & pw, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); - goto err; - } - - DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n", - user, getpid())); - - DEBUG(3, ("DCE principal: %s\n" - " uid: %d\n" - " gid: %d\n", - pw->pw_name, pw->pw_uid, pw->pw_gid)); - DEBUG(3, (" info: %s\n" - " dir: %s\n" - " shell: %s\n", - pw->pw_gecos, pw->pw_dir, pw->pw_shell)); - - sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); - goto err; - } - - set_effective_uid(0); - set_effective_gid(0); - - t = localtime(&expire_time); - if (t) { - const char *asct = asctime(t); - if (asct) { - DEBUG(0,("DCE context expires: %s", asct)); - } - } - - dcelogin_atmost_once = 1; - return (True); - - err: - - /* Go back to root, JRA. */ - set_effective_uid(0); - set_effective_gid(egid); - return (False); -} - -void dfs_unlogin(void) -{ - error_status_t err; - int err2; - unsigned char dce_errstr[dce_c_error_string_len]; - - sec_login_purge_context(&my_dce_sec_context, &err); - if (err != error_status_ok) - { - dce_error_inq_text(err, dce_errstr, &err2); - DEBUG(0, - ("DCE purge login context failed for server instance %d: %s\n", - getpid(), dce_errstr)); - } -} -#endif #ifdef LINUX_BIGCRYPT /**************************************************************************** @@ -483,10 +172,6 @@ static NTSTATUS password_check(const char *user, const char *password, const voi return NT_STATUS_OK; #endif /* WITH_AFS */ -#ifdef WITH_DFS - if (dfs_auth(user, password)) - return NT_STATUS_OK; -#endif /* WITH_DFS */ #ifdef OSF1_ENH_SEC diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c index 57bca6cc5b5..86139b4409b 100644 --- a/source4/auth/ntlm/auth_unix.c +++ b/source4/auth/ntlm/auth_unix.c @@ -518,10 +518,6 @@ static NTSTATUS password_check(const char *username, const char *password, return NT_STATUS_OK; #endif /* WITH_AFS */ -#ifdef WITH_DFS - if (dfs_auth(username, password)) - return NT_STATUS_OK; -#endif /* WITH_DFS */ #ifdef OSF1_ENH_SEC -- 2.34.1