2 * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: rshd.c,v 1.51.2.1 2003/08/19 11:36:17 joda Exp $");
38 login_access( struct passwd *user, char *from);
40 enum auth_method auth_method;
44 krb5_keyblock *keyblock;
49 des_key_schedule schedule;
54 krb5_ccache ccache, ccache2;
55 int kerberos_status = 0;
60 static int do_unique_tkfile = 0;
61 static char tkfile[MAXPATHLEN] = "";
63 static int do_inetd = 1;
64 static char *port_str;
65 static int do_rhosts = 1;
66 static int do_kerberos = 0;
69 static int do_vacuous = 0;
70 static int do_log = 1;
71 static int do_newpag = 1;
72 static int do_addr_verify = 0;
73 static int do_keepalive = 1;
74 static int do_version;
75 static int do_help = 0;
77 #if defined(KRB5) && defined(DCE)
81 krb5_ticket *user_ticket;
85 syslog_and_die (const char *m, ...)
86 __attribute__ ((format (printf, 1, 2)));
89 syslog_and_die (const char *m, ...)
94 vsyslog (LOG_ERR, m, args);
100 fatal (int, const char*, const char *, ...)
101 __attribute__ ((noreturn, format (printf, 3, 4)));
104 fatal (int sock, const char *what, const char *m, ...)
112 len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args);
113 len = min(len, sizeof(buf) - 1);
116 syslog (LOG_ERR, "%s: %m: %s", what, buf + 1);
118 syslog (LOG_ERR, "%s", buf + 1);
119 net_write (sock, buf, len + 1);
124 read_str (int s, size_t sz, char *expl)
126 char *str = malloc(sz);
129 fatal(s, NULL, "%s too long", expl);
130 while(p < str + sz) {
131 if(net_read(s, p, 1) != 1)
132 syslog_and_die("read: %m");
137 fatal(s, NULL, "%s too long", expl);
141 recv_bsd_auth (int s, u_char *buf,
142 struct sockaddr_in *thisaddr,
143 struct sockaddr_in *thataddr,
144 char **client_username,
145 char **server_username,
150 *client_username = read_str (s, USERNAME_SZ, "local username");
151 *server_username = read_str (s, USERNAME_SZ, "remote username");
152 *cmd = read_str (s, ARG_MAX + 1, "command");
153 pwd = getpwnam(*server_username);
155 fatal(s, NULL, "Login incorrect.");
156 if (iruserok(thataddr->sin_addr.s_addr, pwd->pw_uid == 0,
157 *client_username, *server_username))
158 fatal(s, NULL, "Login incorrect.");
164 recv_krb4_auth (int s, u_char *buf,
165 struct sockaddr *thisaddr,
166 struct sockaddr *thataddr,
167 char **client_username,
168 char **server_username,
175 char instance[INST_SZ + 1];
176 char version[KRB_SENDAUTH_VLEN + 1];
178 if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
180 if (net_read (s, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
181 KRB_SENDAUTH_VLEN - 4)
182 syslog_and_die ("reading auth info: %m");
183 if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
184 syslog_and_die("unrecognized auth protocol: %.8s", buf);
186 options = KOPT_IGNORE_PROTOCOL;
188 options |= KOPT_DO_MUTUAL;
189 k_getsockinst (s, instance, sizeof(instance));
190 status = krb_recvauth (options,
195 (struct sockaddr_in *)thataddr,
196 (struct sockaddr_in *)thisaddr,
201 if (status != KSUCCESS)
202 syslog_and_die ("recvauth: %s", krb_get_err_text(status));
203 if (strncmp (version, KCMD_OLD_VERSION, KRB_SENDAUTH_VLEN) != 0)
204 syslog_and_die ("bad version: %s", version);
206 *server_username = read_str (s, USERNAME_SZ, "remote username");
207 if (kuserok (&auth, *server_username) != 0)
208 fatal (s, NULL, "Permission denied.");
209 *cmd = read_str (s, ARG_MAX + 1, "command");
211 syslog(LOG_INFO|LOG_AUTH,
212 "kerberos v4 shell from %s on %s as %s, cmd '%.80s'",
213 krb_unparse_name_long(auth.pname, auth.pinst, auth.prealm),
215 inet_ntoa(((struct sockaddr_in *)thataddr)->sin_addr),
219 memcpy (iv, auth.session, sizeof(iv));
228 save_krb5_creds (int s,
229 krb5_auth_context auth_context,
230 krb5_principal client)
234 krb5_data remote_cred;
236 krb5_data_zero (&remote_cred);
237 ret= krb5_read_message (context, (void *)&s, &remote_cred);
239 krb5_data_free(&remote_cred);
242 if (remote_cred.length == 0)
245 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
247 krb5_data_free(&remote_cred);
251 krb5_cc_initialize(context,ccache,client);
252 ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred);
254 syslog(LOG_INFO|LOG_AUTH,
255 "reading creds: %s", krb5_get_err_text(context, ret));
256 krb5_data_free (&remote_cred);
263 krb5_start_session (void)
267 ret = krb5_cc_resolve (context, tkfile, &ccache2);
269 krb5_cc_destroy(context, ccache);
273 ret = krb5_cc_copy_cache (context, ccache, ccache2);
275 krb5_cc_destroy(context, ccache);
279 krb5_cc_close(context, ccache2);
280 krb5_cc_destroy(context, ccache);
284 static int protocol_version;
287 match_kcmd_version(const void *data, const char *version)
289 if(strcmp(version, KCMD_NEW_VERSION) == 0) {
290 protocol_version = 2;
293 if(strcmp(version, KCMD_OLD_VERSION) == 0) {
294 protocol_version = 1;
295 key_usage = KRB5_KU_OTHER_ENCRYPTED;
303 recv_krb5_auth (int s, u_char *buf,
304 struct sockaddr *thisaddr,
305 struct sockaddr *thataddr,
306 char **client_username,
307 char **server_username,
311 krb5_auth_context auth_context = NULL;
313 krb5_error_code status;
314 krb5_data cksum_data;
315 krb5_principal server;
317 if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
319 len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
321 if (net_read(s, buf, len) != len)
322 syslog_and_die ("reading auth info: %m");
323 if (len != sizeof(KRB5_SENDAUTH_VERSION)
324 || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
325 syslog_and_die ("bad sendauth version: %.8s", buf);
327 status = krb5_sock_to_principal (context,
333 syslog_and_die ("krb5_sock_to_principal: %s",
334 krb5_get_err_text(context, status));
336 status = krb5_recvauth_match_version(context,
342 KRB5_RECVAUTH_IGNORE_VERSION,
345 krb5_free_principal (context, server);
347 syslog_and_die ("krb5_recvauth: %s",
348 krb5_get_err_text(context, status));
350 *server_username = read_str (s, USERNAME_SZ, "remote username");
351 *cmd = read_str (s, ARG_MAX + 1, "command");
352 *client_username = read_str (s, ARG_MAX + 1, "local username");
354 if(protocol_version == 2) {
355 status = krb5_auth_con_getremotesubkey(context, auth_context,
357 if(status != 0 || keyblock == NULL)
358 syslog_and_die("failed to get remote subkey");
359 } else if(protocol_version == 1) {
360 status = krb5_auth_con_getkey (context, auth_context, &keyblock);
361 if(status != 0 || keyblock == NULL)
362 syslog_and_die("failed to get key");
364 if (status != 0 || keyblock == NULL)
365 syslog_and_die ("krb5_auth_con_getkey: %s",
366 krb5_get_err_text(context, status));
368 status = krb5_crypto_init(context, keyblock, 0, &crypto);
370 syslog_and_die("krb5_crypto_init: %s",
371 krb5_get_err_text(context, status));
374 cksum_data.length = asprintf ((char **)&cksum_data.data,
376 ntohs(socket_get_port (thisaddr)),
380 status = krb5_verify_authenticator_checksum(context,
386 syslog_and_die ("krb5_verify_authenticator_checksum: %s",
387 krb5_get_err_text(context, status));
389 free (cksum_data.data);
391 if (strncmp (*client_username, "-u ", 3) == 0) {
392 do_unique_tkfile = 1;
393 memmove (*client_username, *client_username + 3,
394 strlen(*client_username) - 2);
397 if (strncmp (*client_username, "-U ", 3) == 0) {
398 char *end, *temp_tkfile;
400 do_unique_tkfile = 1;
401 if (strncmp (*client_username + 3, "FILE:", 5) == 0) {
402 temp_tkfile = tkfile;
404 strcpy (tkfile, "FILE:");
405 temp_tkfile = tkfile + 5;
407 end = strchr(*client_username + 3,' ');
408 strncpy(temp_tkfile, *client_username + 3, end - *client_username - 3);
409 temp_tkfile[end - *client_username - 3] = '\0';
410 memmove (*client_username, end + 1, strlen(end+1)+1);
413 kerberos_status = save_krb5_creds (s, auth_context, ticket->client);
415 if(!krb5_kuserok (context,
418 fatal (s, NULL, "Permission denied.");
420 if (strncmp (*cmd, "-x ", 3) == 0) {
422 memmove (*cmd, *cmd + 3, strlen(*cmd) - 2);
425 fatal (s, NULL, "Encryption is required.");
432 if (krb5_unparse_name (context, ticket->client, &name) == 0) {
435 if (inet_ntop (thataddr->sa_family,
436 socket_get_address (thataddr),
437 addr_str, sizeof(addr_str)) == NULL)
438 strlcpy (addr_str, "unknown address",
441 syslog(LOG_INFO|LOG_AUTH,
442 "kerberos v5 shell from %s on %s as %s, cmd '%.80s'",
452 user_ticket = ticket;
460 loop (int from0, int to0,
468 if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE)
469 errx (1, "fd too large");
472 if(auth_method == AUTH_KRB5 && protocol_version == 2)
476 FD_ZERO(&real_readset);
477 FD_SET(from0, &real_readset);
478 FD_SET(from1, &real_readset);
479 FD_SET(from2, &real_readset);
480 max_fd = max(from0, max(from1, from2)) + 1;
483 fd_set readset = real_readset;
484 char buf[RSH_BUFSIZ];
486 ret = select (max_fd, &readset, NULL, NULL, NULL);
491 syslog_and_die ("select: %m");
493 if (FD_ISSET(from0, &readset)) {
494 ret = do_read (from0, buf, sizeof(buf), ivec_in[0]);
496 syslog_and_die ("read: %m");
500 FD_CLR(from0, &real_readset);
502 net_write (to0, buf, ret);
504 if (FD_ISSET(from1, &readset)) {
505 ret = read (from1, buf, sizeof(buf));
507 syslog_and_die ("read: %m");
511 FD_CLR(from1, &real_readset);
515 do_write (to1, buf, ret, ivec_out[0]);
517 if (FD_ISSET(from2, &readset)) {
518 ret = read (from2, buf, sizeof(buf));
520 syslog_and_die ("read: %m");
524 FD_CLR(from2, &real_readset);
528 do_write (to2, buf, ret, ivec_out[1]);
534 * Used by `setup_copier' to create some pipe-like means of
535 * communcation. Real pipes would probably be the best thing, but
536 * then the shell doesn't understand it's talking to rshd. If
537 * socketpair doesn't work everywhere, some autoconf magic would have
540 * If it fails creating the `pipe', it aborts by calling fatal.
544 pipe_a_like (int fd[2])
546 if (socketpair (AF_UNIX, SOCK_STREAM, 0, fd) < 0)
547 fatal (STDOUT_FILENO, "socketpair", "Pipe creation failed.");
551 * Start a child process and leave the parent copying data to and from it. */
556 int p0[2], p1[2], p2[2];
564 fatal (STDOUT_FILENO, "fork", "Could not create child process.");
565 if (pid == 0) { /* child */
569 dup2 (p0[0], STDIN_FILENO);
570 dup2 (p1[1], STDOUT_FILENO);
571 dup2 (p2[1], STDERR_FILENO);
575 } else { /* parent */
580 if (net_write (STDOUT_FILENO, "", 1) != 1)
581 fatal (STDOUT_FILENO, "net_write", "Write failure.");
583 loop (STDIN_FILENO, p0[1],
584 STDOUT_FILENO, p1[0],
585 STDERR_FILENO, p2[0]);
590 * Is `port' a ``reserverd'' port?
594 is_reserved(u_short port)
596 return ntohs(port) < IPPORT_RESERVED;
600 * Set the necessary part of the environment in `env'.
604 setup_environment (char ***env, const struct passwd *pwd)
613 i = read_environment(_PATH_ETC_ENVIRONMENT, env);
615 for (j = 0; j < i; j++) {
616 if (!strncmp(e[j], "PATH=", 5)) {
622 e = realloc(e, (i + 7) * sizeof(char *));
624 asprintf (&e[i++], "USER=%s", pwd->pw_name);
625 asprintf (&e[i++], "HOME=%s", pwd->pw_dir);
626 asprintf (&e[i++], "SHELL=%s", pwd->pw_shell);
628 asprintf (&e[i++], "PATH=%s", _PATH_DEFPATH);
630 asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
632 if (getenv("KRB5CCNAME"))
633 asprintf (&e[i++], "KRB5CCNAME=%s", getenv("KRB5CCNAME"));
635 if (do_unique_tkfile)
636 asprintf (&e[i++], "KRB5CCNAME=%s", tkfile);
647 struct sockaddr_storage thisaddr_ss;
648 struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
649 struct sockaddr_storage thataddr_ss;
650 struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
651 struct sockaddr_storage erraddr_ss;
652 struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
653 socklen_t thisaddr_len, thataddr_len;
656 char *client_user, *server_user, *cmd;
658 int s = STDIN_FILENO;
661 char that_host[NI_MAXHOST];
663 thisaddr_len = sizeof(thisaddr_ss);
664 if (getsockname (s, thisaddr, &thisaddr_len) < 0)
665 syslog_and_die("getsockname: %m");
666 thataddr_len = sizeof(thataddr_ss);
667 if (getpeername (s, thataddr, &thataddr_len) < 0)
668 syslog_and_die ("getpeername: %m");
670 /* check for V4MAPPED addresses? */
672 if (do_kerberos == 0 && !is_reserved(socket_get_port(thataddr)))
673 fatal(s, NULL, "Permission denied.");
678 if (net_read (s, p, 1) != 1)
679 syslog_and_die ("reading port number: %m");
682 else if (isdigit(*p))
683 port = port * 10 + *p - '0';
685 syslog_and_die ("non-digit in port number: %c", *p);
688 if (do_kerberos == 0 && !is_reserved(htons(port)))
689 fatal(s, NULL, "Permission denied.");
692 int priv_port = IPPORT_RESERVED - 1;
695 * There's no reason to require a ``privileged'' port number
696 * here, but for some reason the brain dead rsh clients
700 erraddr->sa_family = thataddr->sa_family;
701 socket_set_address_and_port (erraddr,
702 socket_get_address (thataddr),
706 * we only do reserved port for IPv4
709 if (erraddr->sa_family == AF_INET)
710 errsock = rresvport (&priv_port);
712 errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
714 syslog_and_die ("socket: %m");
715 if (connect (errsock,
717 socket_sockaddr_size (erraddr)) < 0) {
718 syslog (LOG_WARNING, "connect: %m");
724 if (net_read (s, buf, 4) != 4)
725 syslog_and_die ("reading auth info: %m");
728 if ((do_kerberos & DO_KRB4) &&
729 recv_krb4_auth (s, buf, thisaddr, thataddr,
733 auth_method = AUTH_KRB4;
737 if((do_kerberos & DO_KRB5) &&
738 recv_krb5_auth (s, buf, thisaddr, thataddr,
742 auth_method = AUTH_KRB5;
745 syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
746 buf[0], buf[1], buf[2], buf[3]);
748 if(recv_bsd_auth (s, buf,
749 (struct sockaddr_in *)thisaddr,
750 (struct sockaddr_in *)thataddr,
754 auth_method = AUTH_BROKEN;
756 printf("Remote host requires Kerberos authentication\n");
760 syslog_and_die("recv_bsd_auth failed");
763 #if defined(DCE) && defined(_AIX)
764 esetenv("AUTHSTATE", "DCE", 1);
767 pwd = getpwnam (server_user);
769 fatal (s, NULL, "Login incorrect.");
771 if (*pwd->pw_shell == '\0')
772 pwd->pw_shell = _PATH_BSHELL;
774 if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
775 fatal (s, NULL, "Login disabled.");
778 ret = getnameinfo_verified (thataddr, thataddr_len,
779 that_host, sizeof(that_host),
782 fatal (s, NULL, "getnameinfo: %s", gai_strerror(ret));
784 if (login_access(pwd, that_host) == 0) {
785 syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
786 server_user, that_host);
787 fatal(s, NULL, "Permission denied.");
795 sp = getspnam(server_user);
797 today = time(0)/(24L * 60 * 60);
798 if (sp->sp_expire > 0)
799 if (today > sp->sp_expire)
800 fatal(s, NULL, "Account has expired.");
810 if (!do_unique_tkfile)
811 snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%u",pwd->pw_uid);
812 else if (*tkfile=='\0') {
813 snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
814 fd = mkstemp(tkfile+5);
820 krb5_start_session();
822 chown(tkfile + 5, pwd->pw_uid, -1);
825 if (kerberos_status) {
826 esetenv("KRB5CCNAME", tkfile, 1);
827 dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user);
834 if (setlogin(pwd->pw_name) < 0)
835 syslog(LOG_ERR, "setlogin() failed: %m");
839 if (setpcred (pwd->pw_name, NULL) == -1)
840 syslog(LOG_ERR, "setpcred() failure: %m");
841 #endif /* HAVE_SETPCRED */
843 if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
844 fatal (s, "initgroups", "Login incorrect.");
846 if (setgid(pwd->pw_gid) < 0)
847 fatal (s, "setgid", "Login incorrect.");
849 if (setuid (pwd->pw_uid) < 0)
850 fatal (s, "setuid", "Login incorrect.");
852 if (chdir (pwd->pw_dir) < 0)
853 fatal (s, "chdir", "Remote directory.");
856 if (dup2 (errsock, STDERR_FILENO) < 0)
857 fatal (s, "dup2", "Cannot dup stderr.");
861 setup_environment (&env, pwd);
866 if (net_write (s, "", 1) != 1)
867 fatal (s, "net_write", "write failed");
870 #if defined(KRB4) || defined(KRB5)
877 if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0)
878 krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir);
879 krb_afslog_uid_home(NULL, NULL, pwd->pw_uid, pwd->pw_dir);
884 if (kerberos_status) {
886 krb5_error_code status;
888 status = krb5_cc_resolve (context, tkfile, &ccache);
890 if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0)
891 krb5_afslog_uid_home(context, ccache, cell, NULL,
892 pwd->pw_uid, pwd->pw_dir);
893 krb5_afslog_uid_home(context, ccache, NULL, NULL,
894 pwd->pw_uid, pwd->pw_dir);
895 krb5_cc_close (context, ccache);
900 #endif /* KRB5 || KRB4 */
901 execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env);
902 err(1, "exec %s", pwd->pw_shell);
905 struct getargs args[] = {
906 { NULL, 'a', arg_flag, &do_addr_verify },
907 { "keepalive", 'n', arg_negative_flag, &do_keepalive },
908 { "inetd", 'i', arg_negative_flag, &do_inetd,
909 "Not started from inetd" },
910 #if defined(KRB4) || defined(KRB5)
911 { "kerberos", 'k', arg_flag, &do_kerberos,
912 "Implement kerberised services" },
913 { "encrypt", 'x', arg_flag, &do_encrypt,
914 "Implement encrypted service" },
916 { "rhosts", 'l', arg_negative_flag, &do_rhosts,
917 "Don't check users .rhosts" },
918 { "port", 'p', arg_string, &port_str, "Use this port",
920 { "vacuous", 'v', arg_flag, &do_vacuous,
921 "Don't accept non-kerberised connections" },
922 #if defined(KRB4) || defined(KRB5)
923 { NULL, 'P', arg_negative_flag, &do_newpag,
924 "Don't put process in new PAG" },
926 /* compatibility flag: */
927 { NULL, 'L', arg_flag, &do_log },
928 { "version", 0, arg_flag, &do_version },
929 { "help", 0, arg_flag, &do_help }
935 if(isatty(STDIN_FILENO))
936 arg_printusage (args,
937 sizeof(args) / sizeof(args[0]),
941 syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", getprogname());
947 main(int argc, char **argv)
952 setprogname (argv[0]);
953 roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH);
955 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv,
967 #if defined(KRB4) || defined(KRB5)
972 do_kerberos = DO_KRB4 | DO_KRB5;
976 setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
978 syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
983 if((do_kerberos & DO_KRB5) && krb5_init_context (&context) != 0)
984 do_kerberos &= ~DO_KRB5;
989 struct addrinfo *ai = NULL, hints;
990 char portstr[NI_MAXSERV];
992 memset (&hints, 0, sizeof(hints));
993 hints.ai_flags = AI_PASSIVE;
994 hints.ai_socktype = SOCK_STREAM;
995 hints.ai_family = PF_UNSPEC;
997 if(port_str != NULL) {
998 error = getaddrinfo (NULL, port_str, &hints, &ai);
1000 errx (1, "getaddrinfo: %s", gai_strerror (error));
1003 #if defined(KRB4) || defined(KRB5)
1006 error = getaddrinfo(NULL, "ekshell", &hints, &ai);
1007 if(error == EAI_NONAME) {
1008 snprintf(portstr, sizeof(portstr), "%d", 545);
1009 error = getaddrinfo(NULL, portstr, &hints, &ai);
1012 errx (1, "getaddrinfo: %s", gai_strerror (error));
1014 error = getaddrinfo(NULL, "kshell", &hints, &ai);
1015 if(error == EAI_NONAME) {
1016 snprintf(portstr, sizeof(portstr), "%d", 544);
1017 error = getaddrinfo(NULL, portstr, &hints, &ai);
1020 errx (1, "getaddrinfo: %s", gai_strerror (error));
1025 error = getaddrinfo(NULL, "shell", &hints, &ai);
1026 if(error == EAI_NONAME) {
1027 snprintf(portstr, sizeof(portstr), "%d", 514);
1028 error = getaddrinfo(NULL, portstr, &hints, &ai);
1031 errx (1, "getaddrinfo: %s", gai_strerror (error));
1034 mini_inetd_addrinfo (ai);
1038 signal (SIGPIPE, SIG_IGN);