From 51ae6d2929617a11edd86abd3bfcb8f8e710ac5f Mon Sep 17 00:00:00 2001
From: franklahm
Date: Thu, 30 Apr 2009 09:35:06 +0000
Subject: [PATCH] Consistently set default UAMs to DHX,DHX2. From HAT.
---
 config/afpd.conf.tmpl | 8 ++++++--
 config/netatalk.conf | 7 ++++---
 config/netatalk.conf.cobalt | 7 ++++---
 distrib/debian/logcheck/ignore.d.server | 3 ++-
 distrib/initscripts/rc.atalk.debian.tmpl | 4 ++--
 doc/DEVELOPER | 8 +++++++-
 doc/FAQ | 16 +++++++++++++++-
 etc/afpd/afp_options.c | 4 ++--
 man/man5/afpd.conf.5.tmpl | 13 +++++++++----
 9 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/config/afpd.conf.tmpl b/config/afpd.conf.tmpl
index 37922ddd..983f7c4a 100644
--- a/config/afpd.conf.tmpl
+++ b/config/afpd.conf.tmpl
@@ -57,7 +57,7 @@
 # -uampath Use this path to look for User Authentication Modules.
 # (default: :UAMS_PATH:)
 # -uamlist Comma-separated list of UAMs. (default:
-# uams_guest.so,uams_clrtxt.so,uams_dhx.so)
+# uams_dhx.so,uams_dhx2.so)
 #
 # some commonly available UAMs:
 # uams_guest.so: Allow guest logins
@@ -74,6 +74,10 @@
 # Allow Diffie-Hellman eXchange
 # (DHX) for authentication.
 #
+# uams_dhx2.so: (uams_dhx2_pam.so or uams_dhx2_passwd.so)
+# Allow Diffie-Hellman eXchange 2
+# (DHX2) for authentication.
+#
 # Password Options:
 # -[no]savepassword [Don't] Allow clients to save password locally
 # -passwdfile Use this path to store Randnum
@@ -208,4 +212,4 @@
 # "special" -notcp -defaultvol -systemvol
 #
 # default:
-# - -transall -uamlist uams_clrtxt.so,uams_dhx.so -nosavepassword
+# - -transall -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
diff --git a/config/netatalk.conf b/config/netatalk.conf
index b2760c0a..545a4640 100644
--- a/config/netatalk.conf
+++ b/config/netatalk.conf
@@ -20,10 +20,11 @@ ATALK_NAME=`echo ${HOSTNAME}|cut -d. -f1`
 ATALK_MAC_CHARSET='MAC_ROMAN'
 ATALK_UNIX_CHARSET='LOCALE'
-# specify this if you don't want guest, clrtxt, and dhx
-# available options: uams_guest.so, uams_clrtxt.so, uams_dhx.so,
+# specify this if you don't want dhx and dhx2
+# available options: uams_guest.so, uams_clrtxt.so,
+# uams_dhx.so, uams_dhx2.so,
 # uams_randnum.so
-#AFPD_UAMLIST="-U uams_clrtxt.so,uams_dhx.so"
+#AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"
 # Change this to set the id of the guest user
 AFPD_GUEST=nobody
diff --git a/config/netatalk.conf.cobalt b/config/netatalk.conf.cobalt
index cf5ab6ac..3be97d4e 100644
--- a/config/netatalk.conf.cobalt
+++ b/config/netatalk.conf.cobalt
@@ -6,10 +6,11 @@ AFPD_MAX_CLIENTS=100
 #ATALK_ZONE=@zone
 ATALK_NAME=`hostname|sed 's/\..*$//'`
-# specify this if you don't want guest, clrtxt, and dhx
-# available options: uams_guest.so, uams_clrtxt.so, uams_dhx.so,
+# specify this if you don't want dhx and dhx2
+# available options: uams_guest.so, uams_clrtxt.so,
+# uams_dhx.so, uams_dhx2.so,
 # uams_randnum.so
-AFPD_UAMLIST="-U uams_clrtxt.so,uams_dhx.so"
+AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"
 # Change this to set the id of the guest user
 AFPD_GUEST=nobody
diff --git a/distrib/debian/logcheck/ignore.d.server b/distrib/debian/logcheck/ignore.d.server
index 3e3ce37e..bf7b562a 100644
--- a/distrib/debian/logcheck/ignore.d.server
+++ b/distrib/debian/logcheck/ignore.d.server
@@ -1,4 +1,4 @@
-afpd\[.*\]: ((dhx|cleartext) )?login: [[:alnum:]]+
+afpd\[.*\]: ((dhx|dhx2) )?login: [[:alnum:]]+
 afpd\[.*\]: (server_child\[[[:digit:]]+\] [[:digit:]]+ )?(done|exited 1)
 afpd\[.*\]: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written
 afpd\[.*\]: .*: Broken pipe
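Review bot: Dropping `cleartext` from the ignore pattern on the first changed line means a `cleartext login:` message is no longer suppressed and will reach logcheck reports on any install where an administrator re-enables uams_clrtxt.so, which the netatalk.conf hunks in this same commit still list as an available option. From an operator's point of view that is a reasonable outcome — a cleartext authentication on a server whose default is DHX/DHX2 is worth seeing — but it is a behaviour change for existing deployments and deserves a sentence in the commit message. Whether the DHX2 module actually logs its logins with the literal prefix `dhx2` cannot be confirmed from this diff; if it does not, the new alternation never matches and those lines will surface as well. The alternation could also be written `(dhx2?)` to the same effect.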
@@ -18,6 +18,7 @@ afpd\[.*\]: logout [[:alnum:]]+
 afpd\[.*\]: registering [[:alnum:]]+ \(uid [[:digit:]]+\) on [\.[:digit:]]+ as /.+/net[\.[:digit:]]+node[[:digit:]]+
 afpd\[.*\]: session from [\.:[:digit:]]+ on [\.:[:digit:]]+
 afpd\[.*\]: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)
+afpd\[.*\]: uams_dhx2_pam.c :PAM: PAM (Auth OK!|Success -- Success)
 afpd\[.*\]: using codepage directory: /etc/netatalk/nls/maccode\.[\.[:alnum:]-]+
 atalkd\[.*\]: .*: Network is unreachable
 atalkd\[.*\]: zip gnireply from [\.[:digit:]]+ \(.* [[:digit:]]\)
diff --git a/distrib/initscripts/rc.atalk.debian.tmpl b/distrib/initscripts/rc.atalk.debian.tmpl
index 8fbcb880..625442f0 100644
--- a/distrib/initscripts/rc.atalk.debian.tmpl
+++ b/distrib/initscripts/rc.atalk.debian.tmpl
@@ -4,7 +4,7 @@
 #
 # Author: Thomas Kaiser
 #
-# Version: $Id: rc.atalk.debian.tmpl,v 1.1.4.1 2004-10-27 13:31:04 tkaiser Exp $
+# Version: $Id: rc.atalk.debian.tmpl,v 1.1.4.2 2009-04-30 09:35:06 franklahm Exp $
 set -e
@@ -17,7 +17,7 @@ SCRIPTNAME=/etc/init.d/$NAME
 test -x :SBINDIR:/atalkd || exit 0
 # Set defaults. Please change these options in :ETCDIR:/netatalk.conf.
-AFPD_UAMLIST="-U uams_dhx.so,uams_clrtxt.so"
+AFPD_UAMLIST="-U uams_dhx.so"
 AFPD_GUEST=nobody
 AFPD_MAX_CLIENTS=50
 ATALK_ZONE=
diff --git a/doc/DEVELOPER b/doc/DEVELOPER
index 9e308de7..82d702d3 100644
--- a/doc/DEVELOPER
+++ b/doc/DEVELOPER
@@ -108,7 +108,7 @@ Program: (see the GNU mirrors) /gnu/automake/automake-1.5.tar.gz
 Optional
 ========
-5. OpenSSL
+5. OpenSSL and/or Libgcrypt
 The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
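Review bot: The Debian init-script fallback on the changed line drops DHX2 entirely (`AFPD_UAMLIST="-U uams_dhx.so"`), while every other default this commit touches — afp_options.c, afpd.conf.tmpl, netatalk.conf and netatalk.conf.cobalt — becomes `uams_dhx.so,uams_dhx2.so`, which is at odds with the commit's own title. A Debian install that never edits netatalk.conf therefore keeps offering only the older DHX exchange and never the DHX2 one the commit introduces as the preferred default. The preceding comment says these values are only defaults to be overridden in :ETCDIR:/netatalk.conf, so the omission looks accidental rather than deliberate; the line should read `AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"`. The equivalent default in config/netatalk.conf.cobalt is set correctly, so only this file is out of step.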
@@ -118,6 +118,12 @@ This is required to enable DHX login support.
 Get everything at http://www.openssl.org/
+The Libgcrypt is a general purpose cryptographic library based on
+the code from GnuPG.
+This is required to enable DHX2 login support.
+
+Get everything at http://directory.fsf.org/project/libgcrypt/
+
 6. TCP Wrappers
 Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh,
diff --git a/doc/FAQ b/doc/FAQ
index 0c3d8065..ea085e6e 100644
--- a/doc/FAQ
+++ b/doc/FAQ
@@ -1,5 +1,5 @@
 Netatalk Frequently Asked Questions
-($Id: FAQ,v 1.12 2003-02-24 23:33:14 srittau Exp $)
+($Id: FAQ,v 1.12.8.1 2009-04-30 09:35:06 franklahm Exp $)
 -----------------------------------------------------------------------------
@@ -616,6 +616,20 @@ A: Most of the security for Netatalk must be derived from the
 http://www.openssl.org/
+ --with-libgcrypt-dir=[PATH]: specify path to Libgcrypt installation.
+
+ NOTE: This is dependent on the same directory layout as the
+ source distribution of Libgcrypt. That is: include/ and
+ lib/ to be on the same level.
+ This is required to enable DHX2 login support, which
+ will encrypt all of the passwords being sent across the
+ connection. (Some old Mac clients don't support this, check
+ this FAQ for the section on AppleShare clients.)
+ Check to see if your Unix has Libgcrypt already, or
+ get everything at:
+
+ http://directory.fsf.org/project/libgcrypt/
+
 Be aware that on the volumes that are shared, some of the special folders (.AppleDesktop, "Network Trash Folder") get assigned. A lot of these get created as world-writable (because that's
diff --git a/etc/afpd/afp_options.c b/etc/afpd/afp_options.c
index 878c6b49..59d0066f 100644
--- a/etc/afpd/afp_options.c
+++ b/etc/afpd/afp_options.c
@@ -1,5 +1,5 @@
 /*
- * $Id: afp_options.c,v 1.30.2.2.2.11.2.1 2004-12-07 18:22:38 bfernhomberg Exp $
+ * $Id: afp_options.c,v 1.30.2.2.2.11.2.2 2009-04-30 09:35:06 franklahm Exp $
 *
 * Copyright (c) 1997 Adrian Sun (asun@zoology.washington.edu)
 * Copyright (c) 1990,1993 Regents of The University of Michigan.
@@ -159,7 +159,7 @@ void afp_options_init(struct afp_options *options)
 options->systemvol.name = _PATH_AFPDSYSVOL;
 options->configfile = _PATH_AFPDCONF;
 options->uampath = _PATH_AFPDUAMPATH;
- options->uamlist = "uams_clrtxt.so,uams_dhx.so";
+ options->uamlist = "uams_dhx.so,uams_dhx2.so";
 options->guest = "nobody";
 options->loginmesg = "";
 options->transports = AFPTRANS_ALL;
diff --git a/man/man5/afpd.conf.5.tmpl b/man/man5/afpd.conf.5.tmpl
index a749d86a..35d4c308 100644
--- a/man/man5/afpd.conf.5.tmpl
+++ b/man/man5/afpd.conf.5.tmpl
@@ -79,7 +79,7 @@ file\&.
 .PP
 \-uamlist \fI[uams list]\fR
 .RS 4
-Comma separated list of UAMs\&. (The default is uams_clrtxt\&.so,uams_dhx\&.so)\&.
+Comma separated list of UAMs\&. (The default is uams_dhx\&.so,uams_dhx2\&.so)\&.
 .sp
 The most commonly used UAMs are:
 .PP
@@ -106,6 +106,11 @@ uams_dhx\&.so
 (uams_dhx_pam\&.so or uams_dhx_passwd\&.so) Allow Diffie\-Hellman eXchange (DHX) for authentication\&.
 .RE
 .PP
+uams_dhx2\&.so
+.RS 4
+(uams_dhx2_pam\&.so or uams_dhx2_passwd\&.so) Allow Diffie\-Hellman eXchange 2 (DHX2) for authentication\&.
+.RE
+.PP
 uam_gss\&.so
 .RS 4
 Allow Kerberos V for authentication (optional)
@@ -439,7 +444,7 @@ Specify the number of tickles to send before timing out a connection\&. The defa
 .RS 4
 .\}
 .nf
-\- \-transall \-uamlist uams_clrtxt\&.so,uams_dhx\&.so
+\- \-transall \-uamlist uams_dhx\&.so,uams_dhx2\&.so
 .fi
 .if n \{\
 .RE
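Review bot: The new compiled-in default on the changed line names uams_dhx2.so, a module that the DEVELOPER text added by this same commit says is only available when Libgcrypt is present at build time, so a build configured without Libgcrypt now ships a default uamlist that refers to a module which does not exist on disk. Whether that degrades gracefully to DHX alone or rejects every login depends on how the UAM loader treats a missing entry, which is not visible here; afp_options_init begins outside the hunk. If the loader tolerates a missing module, a comment such as `/* uams_dhx2.so exists only in Libgcrypt-enabled builds; the UAM loader must skip modules it cannot find */` records that assumption next to the string; if it does not, the default should be selected at build time from the configure result rather than hard-coded. The netatalk.conf and netatalk.conf.cobalt defaults in this commit carry the same dependency.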
@@ -463,7 +468,7 @@ Specify the number of tickles to send before timing out a connection\&. The defa
 .RS 4
 .\}
 .nf
-\- \-transall \-uamlist uams_clrtxt\&.so,uams_dhx\&.so,uams_guest\&.so,uams_gss\&.so \e
+\- \-transall \-uamlist uams_clrtxt\&.so,uams_dhx\&.so,uams_dhx2\&.so,uams_guest\&.so,uams_gss\&.so \e
 \-k5service afpserver \-k5keytab /path/to/afpserver\&.keytab \e
 \-k5realm YOUR\&.REALM \-fqdn your\&.fqdn\&.namel:548
 .fi
@@ -478,7 +483,7 @@ Specify the number of tickles to send before timing out a connection\&. The defa
 .\}
 .nf
 "Guest Server" \-uamlist uams_guest\&.so \-loginmesg "Welcome guest!"
-"User Server" \-uamlist uams_dhx\&.so \-port 12000
+"User Server" \-uamlist uams_dhx2\&.so \-port 12000
 "special" \-notcp \-defaultvol \-systemvol
 .fi
 .if n \{\
-- 
2.39.2