[OpenAFS-devel] PATCH: mac aklog & login/Logout plugin

Troy Benjegerdes hozer@hozed.org
Thu, 24 Feb 2005 17:57:58 -0600




Can someone please examine this and ideally apply it to CVS? (or, at
least parts of it?)

I've tested this locally, and both aklog and the KFM plugin seem to work
fine. The changes to the packaging script are needed if you build from a
directory that lives in AFS, because of the way AFS on OS X fakes the
UNIX mode bits.

I've also been able to build a working aklog for my Debian linux
machine, but I haven't fixed the makefile to play nice yet. I did try
building against heimdal as well, and it seems to work, but gives an
error.

--=_kalmia.hozed.org-2625-1109289478-0001-2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="openafs-mac-aklog.diff"

diff -uNr openafs-cvs/Makefile.in openafs-aklog/Makefile.in
--- openafs-cvs/Makefile.in	2005-02-24 17:46:37.000000000 -0600
+++ openafs-aklog/Makefile.in	2005-02-24 17:38:29.000000000 -0600
@@ -189,6 +189,9 @@
 kauth: cmd comerr ubik cmd auth comerr ptserver audit libacl kauth_depinstall
 	${COMPILE_PART1} kauth ${COMPILE_PART2}
 
+aklog: comerr
+	${COMPILE_PART1} aklog ${COMPILE_PART2}
+
 dauth: cmd comerr ubik cmd auth kauth comerr
 	${COMPILE_PART1} dauth ${COMPILE_PART2}
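Review bot: The new `aklog` rule on line 40 depends only on `comerr`, yet src/aklog/Makefile links libsys, libprot, libubik, libauth, librxkad, librx, liblwp, libafsutil and libdes out of TOP_LIBDIR, so a parallel or partial build can reach the link step before those archives exist. The neighbouring rules (`kauth`, `dauth`) list every directory whose library they consume; `aklog` should do the same, e.g. `aklog: comerr sys ptserver ubik auth rxkad ...`, using whatever target names this Makefile.in has for the rx/lwp/util/des libraries (not all of them are visible in this hunk).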
 
@@ -550,13 +553,13 @@
 
 jafsadm: libjafsadm
 
-finale: project cmd comerr afsd allrcmds butc tbutc @ENABLE_KERNEL_MODULE@ libuafs audit kauth log package \
+finale: project cmd comerr afsd allrcmds butc tbutc @ENABLE_KERNEL_MODULE@ libuafs audit kauth log aklog package \
 	ptserver scout bu_utils ubik uss bozo vfsck volser tvolser \
 	venus update xstat afsmonitor dauth rxdebug libafsrpc \
 	libafsauthent shlibafsrpc shlibafsauthent libadmin
 	${COMPILE_PART1} finale ${COMPILE_PART2}
 
-finale_nolibafs: project cmd comerr afsd allrcmds butc tbutc libuafs audit kauth log package \
+finale_nolibafs: project cmd comerr afsd allrcmds butc tbutc libuafs audit kauth log aklog package \
 	ptserver scout bu_utils ubik uss bozo vfsck volser tvolser \
 	venus update xstat afsmonitor dauth rxdebug libafsrpc \
 	libafsauthent shlibafsrpc shlibafsauthent libadmin
@@ -603,6 +606,7 @@
 	-${COMPILE_PART1} sys ${COMPILE_CLEAN}
 	-${COMPILE_PART1} rxkad ${COMPILE_CLEAN}
 	-${COMPILE_PART1} auth ${COMPILE_CLEAN}
+	-${COMPILE_PART1} aklog ${COMPILE_CLEAN}
 	-${COMPILE_PART1} ubik ${COMPILE_CLEAN}
 	-${COMPILE_PART1} ptserver ${COMPILE_CLEAN}
 	-${COMPILE_PART1} kauth ${COMPILE_CLEAN}
@@ -691,6 +695,7 @@
 	src/audit/Makefile \
 	src/auth/test/Makefile \
 	src/auth/Makefile \
+	src/aklog/Makefile \
 	src/bozo/test/Makefile \
 	src/bozo/Makefile \
 	src/bu_utils/Makefile \
diff -uNr openafs-cvs/acinclude.m4 openafs-aklog/acinclude.m4
--- openafs-cvs/acinclude.m4	2005-02-24 17:46:37.000000000 -0600
+++ openafs-aklog/acinclude.m4	2005-02-18 13:36:25.000000000 -0600
@@ -21,6 +21,8 @@
 [  --disable-afsdb 			disable AFSDB RR support],, enable_afsdb="yes")
 AC_ARG_ENABLE( pam,
 [  --disable-pam 			disable PAM support],, enable_pam="yes")
+AC_ARG_ENABLE( mac_aklog,
+[  --disable-mac_aklog,			disable Kerberos For Mac login/logout plugin],, enable_mac_aklog="yes")
 AC_ARG_ENABLE( bos-restricted-mode,
 [  --enable-bos-restricted-mode 	enable bosserver restricted mode which disables certain bosserver functionality],, enable_bos_restricted_mode="no")
 AC_ARG_ENABLE( bos-new-config,
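Review bot: The help string on line 86 carries a stray comma (`--disable-mac_aklog,`), and the option name uses an underscore where every surrounding option uses hyphens (`bos-restricted-mode`, `bos-new-config`). Autoconf maps hyphens to underscores in the shell variable, so `AC_ARG_ENABLE( mac-aklog,` with help text `[  --disable-mac-aklog          disable Kerberos For Mac login/logout plugin],, enable_mac_aklog="yes")` keeps `$enable_mac_aklog` working while matching the file's convention.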
@@ -367,40 +369,10 @@
 		powerpc-apple-darwin5.5*)
 			AFS_SYSNAME="ppc_darwin_14"
 			;;
-		powerpc-apple-darwin6.0*)
+		powerpc-apple-darwin6.*)
 			AFS_SYSNAME="ppc_darwin_60"
 			;;
-		powerpc-apple-darwin6.1*)
-			AFS_SYSNAME="ppc_darwin_60"
-			;;
-		powerpc-apple-darwin6.2*)
-			AFS_SYSNAME="ppc_darwin_60"
-			;;
-		powerpc-apple-darwin6.3*)
-			AFS_SYSNAME="ppc_darwin_60"
-			;;
-		powerpc-apple-darwin6.4*)
-			AFS_SYSNAME="ppc_darwin_60"
-			;;
-		powerpc-apple-darwin6.5*)
-			AFS_SYSNAME="ppc_darwin_60"
-			;;
-		powerpc-apple-darwin7.0*)
-			AFS_SYSNAME="ppc_darwin_70"
-			;;
-		powerpc-apple-darwin7.1*)
-			AFS_SYSNAME="ppc_darwin_70"
-			;;
-		powerpc-apple-darwin7.2*)
-			AFS_SYSNAME="ppc_darwin_70"
-			;;
-		powerpc-apple-darwin7.3*)
-			AFS_SYSNAME="ppc_darwin_70"
-			;;
-		powerpc-apple-darwin7.4*)
-			AFS_SYSNAME="ppc_darwin_70"
-			;;
-		powerpc-apple-darwin7.5*)
+		powerpc-apple-darwin7.*)
 			AFS_SYSNAME="ppc_darwin_70"
 			;;
 		sparc-sun-solaris2.5*)
@@ -977,6 +949,13 @@
 fi
 AC_SUBST(HAVE_PAM)
 
+if test "$enable_mac_aklog" = yes; then
+	BUILD_MAC_AKLOG="yes"
+else
+	BUILD_MAC_AKLOG="no"
+fi
+AC_SUBST(BUILD_KFM_AKLOG)
+
 if test "$enable_login" = yes; then
 	BUILD_LOGIN="yes"
 else
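Review bot: Lines 138 and 140 set `BUILD_MAC_AKLOG`, but line 142 substitutes `BUILD_KFM_AKLOG`, so `@BUILD_KFM_AKLOG@` always expands to an empty string and `--disable-mac_aklog` can never affect a generated Makefile; line 142 should read `AC_SUBST(BUILD_MAC_AKLOG)`. Note also that nothing in this patch consumes the substitution — src/aklog/Makefile builds `aklog.loginLogout` unconditionally — so the switch stays inert even once the name is fixed.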
diff -uNr openafs-cvs/configure.in openafs-aklog/configure.in
--- openafs-cvs/configure.in	2005-02-24 17:46:37.000000000 -0600
+++ openafs-aklog/configure.in	2005-02-16 18:34:26.000000000 -0600
@@ -45,6 +45,7 @@
 src/JAVA/libjafs/Makefile \
 src/kauth/test/Makefile \
 src/kauth/Makefile \
+src/aklog/Makefile \
 src/libacl/test/Makefile \
 src/libacl/Makefile \
 src/libadmin/adminutil/Makefile \
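Review bot: Listing `src/aklog/Makefile` for AC_OUTPUT here (and again in Makefile.in) makes configure look for `src/aklog/Makefile.in`, but the patch adds a hand-written `src/aklog/Makefile` with no `.in`, so configure will either fail on the missing template or clobber the file. Rename the new file to `src/aklog/Makefile.in` and let configure generate it; that also makes `@TOP_OBJDIR@`-style substitutions available in place of the hard-coded include path it currently uses.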
diff -uNr openafs-cvs/src/aklog/Makefile openafs-aklog/src/aklog/Makefile
--- openafs-cvs/src/aklog/Makefile	1969-12-31 18:00:00.000000000 -0600
+++ openafs-aklog/src/aklog/Makefile	2005-02-24 17:01:31.000000000 -0600
@@ -0,0 +1,68 @@
+#
+# $Id: Makefile.in,v 1.9 1999/09/10 18:47:04 kenh Exp $
+#
+# This is the Makefile for the AFS-Kerberos 5 Migration Kit.  See the
+# directions below for the meaning of each flag.
+#
+
+srcdir = .
+include /afs/scl.ameslab.gov/user/troy/krb/openafs-cvs/src/config/Makefile.config
+
+# Defines to add to the command line
+DEFS=-DALLOW_REGISTER
+
+# Library files
+#LIBS=-lkrb5 -lk5crypto
+LIBS=-lkrb5 -lresolv
+
+# AFS libraries
+AFSLIBS=${TOP_LIBDIR}/libcom_err.a \
+	${TOP_LIBDIR}/libsys.a \
+	${TOP_LIBDIR}/libprot.a \
+	${TOP_LIBDIR}/libubik.a \
+	${TOP_LIBDIR}/libauth.a \
+	${TOP_LIBDIR}/librxkad.a \
+	${TOP_LIBDIR}/librx.a \
+	${TOP_LIBDIR}/liblwp.a \
+	${TOP_LIBDIR}/libafsutil.a \
+	${TOP_LIBDIR}/libdes.a
+
+PROGS=aklog aklog.loginLogout
+MACPLIST=mac/Info.plist mac/InfoPlist.strings
+XCFLAGS+= $(DEFS) 
+
+AKLOG_OBJS=aklog_main.o aklog_param.o krb_util.o linked_list.o 
+
+all: $(PROGS)
+
+clean:
+	rm -f $(PROGS) $(AKLOG_OBJS) aklog.o mac_aklog.o
+
+distclean: clean
+	rm -f config.cache config.log config.status Makefile
+
+aklog: aklog.o $(AKLOG_OBJS)  $(LIBOBJS) $(MACPLIST)
+	$(CC) -o aklog aklog.o $(AKLOG_OBJS) $(LIBOBJS) $(SYSLIBS) $(AFSLIBS) $(LDPATH_FLAGS) $(LIBS)
+
+aklog.loginLogout: mac_aklog.o $(AKLOG_OBJS) 
+	$(CC) -o aklog.loginLogout mac_aklog.o \
+		$(AKLOG_OBJS) $(AFSLIBS) -framework Kerberos \
+		-arch ppc -bundle -read_only_relocs suppress -lresolv
+
+ifeq ($(MKAFS_OSTYPE),DARWIN)
+dest: \
+	${DEST}/bin/aklog \
+	${DEST}/aklog.loginLogout
+else
+dest: ${DEST}/bin/aklog	
+endif
+
+${DEST}/bin/aklog: aklog
+	${INSTALL} -s $? $@
+	
+${DEST}/aklog.loginLogout: aklog.loginLogout
+	mkdir -p ${DEST}/aklog.loginLogout/Contents/MacOS/
+	cp aklog.loginLogout ${DEST}/aklog.loginLogout/Contents/MacOS/aklog
+	cp mac/Info.plist ${DEST}/aklog.loginLogout/Contents
+	mkdir -p ${DEST}/aklog.loginLogout/Contents/Resources/English.lproj
+	cp mac/InfoPlist.strings ${DEST}/aklog.loginLogout/Contents/Resources/English.lproj
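Review bot: Line 170 includes `/afs/scl.ameslab.gov/user/troy/krb/openafs-cvs/src/config/Makefile.config`, an absolute path into the author's own AFS home directory, so this Makefile cannot build anywhere else; it should be the tree-relative `include ../config/Makefile.config` (or `@TOP_OBJDIR@/src/config/Makefile.config` once the file becomes a Makefile.in). The `aklog.loginLogout` link rule hard-codes `-arch ppc`, and the bundle is built unconditionally, ignoring the `BUILD_MAC_AKLOG` switch added to configure; the `ifeq` around `dest` is GNU-make-only syntax. `DEFS=-DALLOW_REGISTER` is also set unconditionally, which presumably enables aklog's automatic creation of pts entries for unknown principals — a site policy choice that deserves a configure option or at least a comment explaining why it is on by default.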
diff -uNr openafs-cvs/src/aklog/aklog.h openafs-aklog/src/aklog/aklog.h
--- openafs-cvs/src/aklog/aklog.h	2004-11-19 14:01:29.000000000 -0600
+++ openafs-aklog/src/aklog/aklog.h	2005-02-18 11:39:13.000000000 -0600
@@ -12,8 +12,10 @@
 static char *rcsid_aklog_h = "$Id: aklog.h,v 1.1 2004/11/19 20:01:29 kenh Exp $";
 #endif /* lint || SABER */
 
+#include <afsconfig.h>
+#include <stds.h>
 #include <krb5.h>
-#include <kerberosIV/krb.h>
+#include <krb.h>
 #include "linked_list.h"
 
 #ifdef __STDC__
diff -uNr openafs-cvs/src/aklog/aklog_main.c openafs-aklog/src/aklog/aklog_main.c
--- openafs-cvs/src/aklog/aklog_main.c	2004-11-19 14:01:29.000000000 -0600
+++ openafs-aklog/src/aklog/aklog_main.c	2005-02-18 11:39:13.000000000 -0600
@@ -10,6 +10,7 @@
 	"$Id: aklog_main.c,v 1.1 2004/11/19 20:01:29 kenh Exp $";
 #endif /* lint || SABER */
 
+#include <afsconfig.h>
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
@@ -75,7 +76,7 @@
 
 #else /* !WINDOWS */
 #include <afs/stds.h>
-#include <afs/com_err.h>
+//#include <afs/com_err.h>
 
 #include <afs/param.h>
 #ifdef AFS_SUN5_ENV
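Review bot: Line 261 disables `#include <afs/com_err.h>` with a `//` comment rather than removing it, leaving commented-out code in a file that otherwise uses C89 `/* */` comments. If the header is genuinely unneeded, delete the line; if it was dropped because it clashes with the Mac Kerberos headers, say so in a `/* */` comment and confirm any com_err routines this file still calls are declared elsewhere, otherwise they are implicitly declared as returning int.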
diff -uNr openafs-cvs/src/aklog/aklog_param.c openafs-aklog/src/aklog/aklog_param.c
--- openafs-cvs/src/aklog/aklog_param.c	2004-11-19 14:01:29.000000000 -0600
+++ openafs-aklog/src/aklog/aklog_param.c	2005-02-18 11:39:13.000000000 -0600
@@ -26,7 +26,7 @@
 #ifdef HAVE_MALLOC_H
 #include <malloc.h>
 #endif
-#include <kerberosIV/krb.h>
+#include <krb.h>
 #include <krb5.h>
 
 
@@ -114,7 +114,11 @@
         return((int)r);
 
 /*       This requires krb524d to be running with the KDC */
+#if 0
     r = krb5_524_convert_creds(context, *creds, c);
+#else
+    r = krb524_convert_creds_kdc(context, *creds, c);
+#endif
     return((int)r);
 }
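Review bot: The `#if 0` on line 281 hard-codes the choice of `krb524_convert_creds_kdc()` over `krb5_524_convert_creds()`, so the file only builds against a krb5 library that exports the former and switching back requires an edit. The usual fix is a configure probe for both symbols and `#ifdef HAVE_KRB5_524_CONVERT_CREDS` here, with the dead branch removed. Both calls convert the v5 credential into a Kerberos 4 (single-DES) credential for the AFS service, so the "requires krb524d" comment on line 280 now applies to either branch and should say so.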
 
@@ -136,10 +140,16 @@
     if (!client_principal)
         krb5_cc_get_principal(context, _krb425_ccache, &client_principal);
 
+#if 1 /* MIT */
     i = krb5_princ_realm(context, client_principal)->length;
     if (i > REALM_SZ-1) i = REALM_SZ-1;
     strncpy(realm,krb5_princ_realm(context, client_principal)->data,i);
     realm[i] = 0;
+#else /* HEIMDAL */
+    Realm test;
+    test = krb5_princ_realm(context, client_principal);
+    strncpy(realm,test,strnlen(test));
+#endif
     return(KSUCCESS);
 }
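Review bot: The Heimdal branch on lines 299-301 neither compiles nor is safe: `strnlen()` takes two arguments, the copy length is taken from the source instead of the destination, and no terminating NUL is written, so a realm longer than `REALM_SZ` would overflow `realm`. Replace the copy with `strncpy(realm, test, REALM_SZ - 1); realm[REALM_SZ - 1] = '\0';` and move the `Realm test;` declaration to the top of the block for C89. Choosing MIT vs Heimdal with `#if 1` on line 293 should likewise become a configure-detected macro rather than an edit-to-switch constant.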
 
diff -uNr openafs-cvs/src/aklog/krb_util.c openafs-aklog/src/aklog/krb_util.c
--- openafs-cvs/src/aklog/krb_util.c	2004-11-19 14:01:29.000000000 -0600
+++ openafs-aklog/src/aklog/krb_util.c	2005-02-18 11:39:13.000000000 -0600
@@ -17,8 +17,9 @@
 #if 0
 #include <kerberosIV/mit-copyright.h>
 #endif
+#include <stds.h>
 #include <krb5.h>
-#include <kerberosIV/krb.h> 
+#include <krb.h> 
 
 #ifndef MAX_HSTNM
 #define MAX_HSTNM 100
diff -uNr openafs-cvs/src/aklog/mac/Info.plist openafs-aklog/src/aklog/mac/Info.plist
--- openafs-cvs/src/aklog/mac/Info.plist	1969-12-31 18:00:00.000000000 -0600
+++ openafs-aklog/src/aklog/mac/Info.plist	2005-02-18 14:17:28.000000000 -0600
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>English</string>
+	<key>CFBundleExecutable</key>
+	<string>aklog</string>
+	<key>CFBundleIdentifier</key>
+	<string>org.openafs.mac_aklog_krb5</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundlePackageType</key>
+	<string>BNDL</string>
+	<key>CFBundleSignature</key>
+	<string>????</string>
+	<key>CFBundleVersion</key>
+	<string>1.0.0</string>
+	<key>CSResourcesFileMapped</key>
+	<true/>
+</dict>
+</plist>
Binary files openafs-cvs/src/aklog/mac/InfoPlist.strings and openafs-aklog/src/aklog/mac/InfoPlist.strings differ
diff -uNr openafs-cvs/src/aklog/mac_aklog.c openafs-aklog/src/aklog/mac_aklog.c
--- openafs-cvs/src/aklog/mac_aklog.c	1969-12-31 18:00:00.000000000 -0600
+++ openafs-aklog/src/aklog/mac_aklog.c	2005-02-24 16:23:35.000000000 -0600
@@ -0,0 +1,109 @@
+/* Kerberos for Macintosh aklog plugin
+ *
+ * This has been reimplemented for licensing reason
+ * by Troy Benjegerdes <hozer@hozed.org>, based
+ * on the kfm_aklog_krb5 code by 
+ * Nicholas Riley <njriley@uiuc.edu>
+ * which was based upon plugin by Alexei Kosut <akosut@cs.stanford.edu>
+ * and afs-krb5-darwin from <http://web.mit.edu/openafs/>
+ * 
+ * This plugin obtains an AFS token after each login into Kerberos for 
+ * Macintosh, and destroys the AFS token after each (explicit) Kerberos logout.
+ *
+ * To use, place aklog.loginLogout in /Library/Kerberos Plug-Ins, and add
+ * the following to the [libdefaults] stanza in 
+ * /Library/Preferences/edu.mit.Kerberos:
+ *
+ *    login_logout_notification = "aklog"
+ *
+ */
+
+
+#include <Kerberos/Kerberos.h>
+#include <Kerberos/KLLoginLogoutNotification.h>
+
+#include <unistd.h>
+#include <syslog.h>
+#include <pwd.h>
+
+#include "aklog.h"
+
+/* silly mac frameworks and their long function names ;) */
+KLStatus KerberosLoginNotification_InitializePlugin(KLN_APIVersion apivers){
+	if (apivers == kKLN_APIVersion_1) {
+		return noErr;
+	} else {
+	syslog(LOG_NOTICE, "aklog.loginLogout: version %d of login/logout API not implemented, not loading", apivers);
+		return paramErr;
+	}
+}
+
+KLStatus KerberosLoginNotification_Login (KLN_LoginType inLoginType, const char* inCredentialsCache) {
+    int err = KSUCCESS;
+
+    char *oldCCache;
+    char **progname;
+    int uid = 0;
+
+    /* Use the credentials of the user who just logged in.
+     * We set it back later since we might be in some other application's
+     * space. This also probably breaks Kerberos v4, but does anyone care?
+     */
+    oldCCache = strdup(tkt_string());
+    krb_set_tkt_string(inCredentialsCache);
+    
+    /* Assume that "SecurityAgent" is the loginwindow.. this is a bit of a
+     * hack, and this apparently runs twice, once as root, once as the user.
+     * We can't just check for root in case somebody decided to have
+     * root@REALM afs creds */
+    /* TODO: Figure out how to get a PAG and have it work.. */
+    progname = _NSGetProgname();
+    if (!strcmp(*progname, "SecurityAgent") && getuid() == 0) {
+        char name[ANAME_SZ] = {'\0'};
+        char inst[INST_SZ] = {'\0'};
+        char realm[REALM_SZ] = {'\0'};
+        
+        err = krb_get_tf_fullname(inCredentialsCache, name, inst, realm);
+        if (err == KSUCCESS) {
+            struct passwd *pwd = getpwnam(name);
+
+            if (pwd != NULL) {
+                uid = pwd->pw_uid;
+            } else {
+                syslog(LOG_NOTICE, "aklog.loginLogout: getpwnam() returned NULL for user %s", name);
+            }
+        } else {
+            syslog(LOG_NOTICE, "aklog.loginLogout: krb_get_tf_fullname() failed with error %s", krb_get_err_text(err));
+        }
+    }
+    
+    if (err == KSUCCESS) {
+	aklog_params params;
+
+        aklog_init_params(&params);
+
+        /* Run aklog as the non-root user if we are root, or 
+	 * root will get the tokens. */
+	int oldUID = 0;
+	if (uid != 0) {
+            oldUID = geteuid();
+            seteuid(uid);
+        }
+        aklog(1, progname, &params);
+        if (uid != 0) seteuid(oldUID);
+    }
+
+    /* Restore the credentials cache */
+    krb_set_tkt_string(oldCCache);
+    free(oldCCache);
+
+    /* Always allow the login to continue, even if aklog failed */
+    return klNoErr;	
+
+}
+
+void KerberosLoginNotification_Logout (const char* cache) 
+{
+    /* TODO: this should be configurable */
+    system("/usr/bin/unlog");
+}
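Review bot: The privilege drop on line 440 ignores the return value of `seteuid(uid)`; if it fails, `aklog()` still runs as root and, per the comment on lines 435-436, the tokens land in root's context instead of the user's — the very outcome the code is trying to avoid. Check the result, log and skip `aklog()` on failure, and check the restoring `seteuid(oldUID)` on line 443 as well (sketch below). `KerberosLoginNotification_Logout` runs `/usr/bin/unlog` through `system()`, i.e. via /bin/sh, inside whatever process loaded the plugin (the comments say this includes a root-owned SecurityAgent); the bundle already links libauth, so calling the ktc token-forgetting routine directly, or at least `fork()`/`execv()` with a fixed argv, avoids the shell, and making that command path "configurable" as the TODO proposes would let a writable config file choose what root executes. Mapping the principal's name component to a local account via `getpwnam(name)` on line 418 ignores the realm, which is presumably fine for a single-realm site but should be stated in the comment.

```c
    if (err == KSUCCESS) {
        aklog_params params;
        int oldUID = 0;
        int dropped = 0;

        aklog_init_params(&params);

        /* Run aklog as the non-root user if we are root, or root will
         * get the tokens.  Only proceed if the switch actually worked. */
        if (uid != 0) {
            oldUID = geteuid();
            if (seteuid(uid) == 0) {
                dropped = 1;
            } else {
                syslog(LOG_NOTICE, "aklog.loginLogout: seteuid(%d) failed: %m", uid);
            }
        }
        if (uid == 0 || dropped)
            aklog(1, progname, &params);
        if (dropped && seteuid(oldUID) != 0)
            syslog(LOG_NOTICE, "aklog.loginLogout: seteuid(%d) restore failed: %m", oldUID);
    }
    /* … unchanged: restore credentials cache, return klNoErr … */
```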
diff -uNr openafs-cvs/src/packaging/MacOS/buildpkg.sh openafs-aklog/src/packaging/MacOS/buildpkg.sh
--- openafs-cvs/src/packaging/MacOS/buildpkg.sh	2005-02-24 17:46:39.000000000 -0600
+++ openafs-aklog/src/packaging/MacOS/buildpkg.sh	2005-02-24 17:23:27.000000000 -0600
@@ -6,7 +6,9 @@
   exit 1
 fi
 BINDEST=$1
-RESSRC=`pwd`
+RESSRC=/tmp/pkg
+STARTDIR=`pwd`
+
 majorvers=`uname -r | sed 's/\..*//'`
 if [ $majorvers -ge 7 ]; then
     SEP=:
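Review bot: Line 468 moves the staging area to the fixed, predictable path `/tmp/pkg`; the script later does `rm -rf $RESSRC`, `mkdir -p`, `chown -R root:wheel` and `chmod -R` beneath it, and the trailing comment says it runs under sudo. Any local user can pre-create `/tmp/pkg` or plant a symlink inside it and have root delete or re-own files of their choosing. Use a freshly created, unpredictable directory instead, e.g. `RESSRC=$(mktemp -d /tmp/openafs-pkg.XXXXXX) || exit 1`, and drop the `rm -rf $RESSRC` that precedes the `mkdir -p` (the final cleanup is fine).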
@@ -64,7 +66,7 @@
 
 PKGROOT=$RESSRC/pkgroot
 PKGRES=$RESSRC/pkgres
-rm -rf pkgroot pkgres
+rm -rf $RESSRC
 mkdir -p $PKGROOT $PKGRES
 
 mkdir $PKGROOT/Library
@@ -114,7 +116,7 @@
 BINLIST="fs klog klog.krb pagsh pagsh.krb pts sys tokens tokens.krb unlog unlog.krb"
 
 # Should these be linked into /usr too?
-OTHER_BINLIST="bos cmdebug rxgen translate_et udebug xstat_cm_test xstat_fs_test"
+OTHER_BINLIST="bos cmdebug aklog rxgen translate_et udebug xstat_cm_test xstat_fs_test"
 OTHER_ETCLIST="vos rxdebug"
 
 for f in $BINLIST; do
@@ -124,6 +126,9 @@
 
 ln -s ../../Library/OpenAFS/Tools/root.client/usr/vice/etc/afsd $PKGROOT/usr/sbin/afsd
 
+mkdir -p $PKGROOT/Library/Kerberos-Plug\ Ins
+ln -s ../../Library/OpenAFS/Tools/aklog.loginLogout $PKGROOT/Library/Kerberos-Plug\ Ins/
+
 chown -R root${SEP}wheel $PKGROOT/usr
 chmod -R og-w $PKGROOT/usr
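Review bot: The plugin directory created on lines 496-497 is `Kerberos-Plug Ins`, but the plugin's own header comment (mac_aklog.c) says Kerberos for Macintosh loads plugins from `/Library/Kerberos Plug-Ins`; with the hyphen and space swapped the symlink is installed where KfM never looks and the plugin silently does nothing. The two lines should read `mkdir -p "$PKGROOT/Library/Kerberos Plug-Ins"` and `ln -s ../../Library/OpenAFS/Tools/aklog.loginLogout "$PKGROOT/Library/Kerberos Plug-Ins/"`.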
 
@@ -142,6 +147,9 @@
 chmod a+x $PKGRES/csrvdbmerge.pl
 cp CellServDB.list $PKGRES
 chown -R root${SEP}wheel $PKGRES
+
+#back where we started
+cd $STARTDIR
 rm -rf OpenAFS.pkg
 if [ $majorvers -ge 7 ]; then
     echo $package -build -p $RESSRC/OpenAFS.pkg -f $PKGROOT -r $PKGRES \
@@ -161,7 +169,8 @@
     fi
 fi
 
-rm -rf pkgroot pkgres
+mv $RESSRC/OpenAFS.pkg OpenAFS.pkg
+rm -rf $RESSRC
 # Unfortunately, sudo sets $USER to root, so I can't chown the 
 #.pkg dir back to myself
 #chown -R $USER OpenAFS.pkg
