Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!spool.mu.edu!agate!agate!rusty From: rusty@groan.Berkeley.EDU (Rusty Wright) Newsgroups: comp.protocols.appletalk Subject: Re: cap 6.0 and Ultrix 4.n enhanced security Message-ID: Date: 29 May 91 01:48:24 GMT Article-I.D.: groan.RUSTY.91May28174824 References: Sender: root@agate.berkeley.edu (Charlie Root) Distribution: comp Organization: University of California Berkeley Lines: 98 In-Reply-To: rusty@groan.Berkeley.EDU's message of Tue, 28 May 1991 23: 24:17 GMT I ended up doing it myself. Here are my diffs. I only have 1 Ultrix machine available to me; i.e., I don't have a machine running Ultrix 4.1 that's not at Enhanced Security so I can't test if this works on a machine at BSD Security level. Seems to me it should. I also added the following 2 lines to m4.setup: # any special libraries ifelse(os,[ultrix40],[ define([libspecial],concat(libspecial,[ -lauth]))]) ------- afpos.c ------- *** /tmp/da07498 Tue May 28 17:40:50 1991 --- afpos.c Tue May 28 16:28:16 1991 *************** *** 2762,2767 **** --- 2762,2770 ---- byte *pwdother; int uam; { + # ifdef ultrix + extern char *ultrix_crypt(); + # endif struct passwd *p; boolean safedebug; byte encrypted[8]; /* 64 bits */ *************** *** 2848,2854 **** --- 2851,2861 ---- logit(0,"Login: user %s has a NULL password",nam); return(aeUserNotAuth); } + # ifdef ultrix + if (strcmp(ultrix_crypt(pwd,p),p->pw_passwd) != 0) { + # else if (strcmp(crypt(pwd,p->pw_passwd),p->pw_passwd) != 0) { + # endif logit(0,"Login: Incorrect password for user %s",nam); if (!safedebug) return(aeUserNotAuth); *************** *** 3361,3364 **** } } ! --- 3368,3418 ---- } } ! # ifdef ultrix ! # include ! # include ! ! char * ! ultrix_crypt(pwd, pw) ! char *pwd; ! struct passwd *pw; ! { ! extern char *crypt(), *crypt16(); ! extern AUTHORIZATION *getauthuid(); ! AUTHORIZATION *au; ! struct svcinfo *si; ! char *passwd; ! ! /* ! * the asterisk means that the real encrypted password ! 
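Review bot: In the login-check hunk of afpos.c (old lines 2848-2854), `strcmp(ultrix_crypt(pwd,p),p->pw_passwd)` only works if ultrix_crypt() has already replaced `p->pw_passwd` with the auth-file hash by the time the second argument is read, and C does not specify the order in which function arguments are evaluated. A compiler that loads `p->pw_passwd` first compares the crypt16() result against "*", so every enhanced-security login is rejected; that fails closed, but the outcome of the password check becomes compiler-dependent. Sequence it explicitly with `enc = ultrix_crypt(pwd,p);` followed by `if (strcmp(enc,p->pw_passwd) != 0) {`, declaring `char *enc;` next to the new extern. A comment at the call should also say that ultrix_crypt() may repoint `p->pw_passwd`. The enclosing function starts and ends outside the hunk.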
* is in the auth file. But we really should check to ! * see if the security level is either SEC_UPGRADE or ! * SEC_ENHANCED and the password is an asterisk because ! * the security level could be BSD and someone put an ! * asterisk in to turn an account off, but if that's the ! * case the right thing will happen here anyways (i.e., ! * nothing encrypts to a single asterisk so the test will ! * fail). ! */ ! if (strcmp(pw->pw_passwd, "*") == 0) { ! si = getsvc(); ! ! if ((si->svcauth.seclevel == SEC_UPGRADE) || ! (si->svcauth.seclevel == SEC_ENHANCED)) { ! /* ! * if they aren't in the auth file return ! * the empty string. this can't match since ! * we've already thrown out empty passwords. ! */ ! if ((au = getauthuid(pw->pw_uid)) == NULL) ! return(""); ! ! pw->pw_passwd = au->a_password; ! } ! ! return(crypt16(pwd, pw->pw_passwd)); ! } ! ! return(crypt(pwd, pw->pw_passwd)); ! } ! # endif
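Review bot: After `pw->pw_passwd = au->a_password;` nothing checks that the auth-file hash is non-empty; the caller's "has a NULL password" rejection in the login hunk runs before this call, on the passwd-file field, which is "*" on this path. What crypt16() returns for an empty salt is not visible here, so an auth record with an empty a_password should be refused explicitly: `if (au->a_password[0] == '\0') return("");` placed before the assignment leaves `pw->pw_passwd` at "*", so the caller's comparison cannot match. `si = getsvc();` is also dereferenced without a NULL test; if getsvc() can fail on this system, returning "" there gives the same fail-closed result. ultrix_crypt() would benefit from a header comment stating that it may modify the caller's struct passwd and that the returned and substituted strings appear to point into library-owned storage.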