INN commit: trunk (5 files)

INN Commit Russ_Allbery at isc.org
Sat Feb 28 22:28:21 UTC 2009 

    Date: Saturday, February 28, 2009 @ 14:28:21
  Author: eagle
Revision: 8365

Remove auth_smb.  This hasn't been maintained since it was contributed
apart from a single pass through to clean up warnings and dead code.
It was based on an old version of the Samba login code that had known
security issues and probably therefore has security issues of its own.
No one currently working on INN has the necessary background or test
environment to test this code and keep it working.

There are good PAM modules that do the same thing as this code.  Users
who want to authenticate users against Samba or SMB servers should use
ckpasswd with PAM support and the pam_smbpass or similar PAM module.

Modified:
  trunk/LICENSE
  trunk/authprogs/Makefile
  trunk/doc/pod/news.pod
Deleted:
  trunk/authprogs/auth_smb.c
  trunk/authprogs/smbval/

----------------------+
 LICENSE              |    6 ++--
 authprogs/Makefile   |   17 ++----------
 authprogs/auth_smb.c |   66 -------------------------------------------------
 doc/pod/news.pod     |    8 +++++
 4 files changed, 14 insertions(+), 83 deletions(-)

Modified: LICENSE
===================================================================
--- LICENSE	2009-02-28 22:17:49 UTC (rev 8364)
+++ LICENSE	2009-02-28 22:28:21 UTC (rev 8365)
@@ -26,9 +26,9 @@
 licenses, if present, will be noted prominantly at the top of those source
 files.  Specifically (but possibly not comprehensively):
 
-   authprogs/smbval/*, backends/send-uucp.in, and control/perl-nocem.in
-   are under the GNU General Public License.  See doc/GPL for a copy of
-   this license.
+   backends/send-uucp.in and control/perl-nocem.in are under the GNU
+   General Public License version 2 or later.  See doc/GPL for a copy of
+   the GPL v2.
 
    backends/shrinkfile.c, frontends/scanspool.in, lib/alloca.c,
    lib/concat.c, lib/hstrerror.c, lib/inet_aton.c, lib/inet_ntoa.c,

Modified: authprogs/Makefile
===================================================================
--- authprogs/Makefile	2009-02-28 22:17:49 UTC (rev 8364)
+++ authprogs/Makefile	2009-02-28 22:28:21 UTC (rev 8365)
@@ -5,14 +5,13 @@
 top	      = ..
 CFLAGS        = $(GCFLAGS)
 
-ALL           = auth_smb ckpasswd domain ident radius $(KRB5_AUTH)
+ALL           = ckpasswd domain ident radius $(KRB5_AUTH)
 
 LIBSMB	      = smbval/smbvalid.a
 
 LIBAUTH       = libauth.o
 
-SOURCES       = auth_krb5.c auth_smb.c ckpasswd.c domain.c ident.c libauth.c \
-		radius.c
+SOURCES       = auth_krb5.c ckpasswd.c domain.c ident.c libauth.c radius.c
 
 all: $(ALL)
 
@@ -23,7 +22,7 @@
 	if [ x"$(KRB5_AUTH)" != x ] ; then \
 	    $(LI_XPUB) auth_krb5 $(D)$(PATHAUTHPASSWD)/auth_krb5 ; \
 	fi
-	for F in auth_smb ckpasswd radius ; do \
+	for F in ckpasswd radius ; do \
 	    $(LI_XPUB) $$F $D$(PATHAUTHPASSWD)/$$F ; \
 	done
 	for F in domain ident ; do \
@@ -53,9 +52,6 @@
 auth_krb5: auth_krb5.o $(LIBAUTH) $(LIBINN)
 	$(LINK) auth_krb5.o $(KRB5_LDFLAGS) $(KRB5_LIBS) $(AUTH_LIBS)
 
-auth_smb: auth_smb.o $(LIBSMB) $(LIBAUTH) $(LIBINN)
-	$(LINK) auth_smb.o $(LIBSMB) $(AUTH_LIBS)
-
 ckpasswd: ckpasswd.o $(LIBAUTH) $(LIBINN)
 	$(LINK) ckpasswd.o $(CK_LIBS) $(AUTH_LIBS)
 
@@ -76,7 +72,6 @@
 
 $(LIBINN):	; (cd ../lib ; $(MAKE))
 $(LIBSTORAGE):	; (cd ../storage ; $(MAKE))
-$(LIBSMB):	; (cd smbval ; $(MAKE))
 $(LIBAUTH): 	libauth.h libauth.c
 
 
@@ -92,12 +87,6 @@
   ../include/config.h ../include/portable/getaddrinfo.h \
   ../include/portable/getnameinfo.h ../include/inn/defines.h \
   ../include/inn/messages.h ../include/inn/libinn.h
-auth_smb.o: auth_smb.c ../include/config.h ../include/inn/defines.h \
-  ../include/inn/system.h ../include/inn/options.h ../include/clibrary.h \
-  ../include/config.h ../include/inn/messages.h ../include/inn/defines.h \
-  libauth.h ../include/portable/socket.h ../include/config.h \
-  ../include/portable/getaddrinfo.h ../include/portable/getnameinfo.h \
-  smbval/valid.h
 ckpasswd.o: ckpasswd.c ../include/config.h ../include/inn/defines.h \
   ../include/inn/system.h ../include/inn/options.h ../include/clibrary.h \
   ../include/config.h ../include/inn/messages.h ../include/inn/defines.h \

Deleted: authprogs/auth_smb.c
===================================================================
--- authprogs/auth_smb.c	2009-02-28 22:17:49 UTC (rev 8364)
+++ authprogs/auth_smb.c	2009-02-28 22:28:21 UTC (rev 8365)
@@ -1,66 +0,0 @@
-/*
- * Samba authenticator.
- * usage: auth_smb <server> [<backup_server>] <domain>
- *
- * Heavily based on:
- * pam_smb -- David Airlie 1998-2000 v1.1.6 <airlied at samba.org>
- * http://www.csn.ul.ie/~airlied
- *
- * Written 2000 October by Krischan Jodies <krischan at jodies.cx>
- * 
- */
-
-#include "config.h"
-#include "clibrary.h"
-#include "inn/messages.h"
-
-#include "libauth.h"
-#include "smbval/valid.h"
-
-int
-main(int argc, char *argv[])
-{
-    struct auth_info *authinfo;
-    int result;
-    char *server, *backup, *domain;
-
-    message_program_name = "auth_smb";
-
-    if ((argc > 4) || (argc < 3))
-        die("wrong number of arguments"
-            " (auth_smb <server> [<backup-server>] <domain>");
-
-    authinfo = get_auth_info(stdin);
-    if (authinfo == NULL)
-        die("no user information provided by nnrpd");
-
-    /* Got a username and password.  Now check to see if they're valid. */
-    server = argv[1];
-    backup = (argc > 3) ? argv[2] : argv[1];
-    domain = (argc > 3) ? argv[3] : argv[2];
-    result = Valid_User(authinfo->username, authinfo->password, server,
-                        backup, domain);
-
-    /* Analyze the result. */
-    switch (result) {
-    case NTV_NO_ERROR:
-        print_user(authinfo->username);
-        exit(0);
-        break;
-    case NTV_SERVER_ERROR:
-        die("server error");
-        break;
-    case NTV_PROTOCOL_ERROR:
-        die("protocol error");
-        break;
-    case NTV_LOGON_ERROR:
-        die("logon error");
-        break;
-    default:
-        die("unknown error");
-        break;
-    }
-
-    /* Never reached. */
-    return 1;
-}

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2009-02-28 22:17:49 UTC (rev 8364)
+++ doc/pod/news.pod	2009-02-28 22:28:21 UTC (rev 8365)
@@ -46,6 +46,14 @@
 B<gpgverify> is no longer included in INN,  B<pgpverify> now has better
 support for GnuPG and should be used instead.
 
+=item *
+
+The B<auth_smb> authenticator program to check passwords with an SMB
+authentication is no longer included in INN.  It was a stripped-down
+version of pam_smbpass, wasn't maintained, and likely had security
+problems.  To authenticate to an SMB server such as Samba, use PAM and
+B<ckpasswd>'s PAM support instead.
+
 =back
 
 The parameters used by B<nnrpd> to provide TLS support are now

More information about the inn-committers mailing list