- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/22 13:35:22 [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h] remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); test+ok henning@ - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support. - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files. I hope I got this right....
This commit is contained in:
parent
4c29dd9f44
commit
6aaa58c470
11
ChangeLog
11
ChangeLog
@ -1,5 +1,14 @@
|
||||
20030802
|
||||
- (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- markus@cvs.openbsd.org 2003/07/22 13:35:22
|
||||
[auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
|
||||
monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
|
||||
ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
|
||||
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
|
||||
test+ok henning@
|
||||
- (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
|
||||
- (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
|
||||
|
||||
20030730
|
||||
- (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
|
||||
@ -738,4 +747,4 @@
|
||||
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
|
||||
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
|
||||
|
||||
$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $
|
||||
# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $
|
||||
|
||||
# uncomment if you run a non bourne compatable shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
|
||||
cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o \
|
||||
hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \
|
||||
hostfile.o log.o match.o mpaux.o nchan.o packet.o \
|
||||
readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
|
||||
key.o dispatch.o kex.o mac.o uuencode.o misc.o \
|
||||
rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
|
||||
@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||
monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
|
||||
kexdhs.o kexgexs.o \
|
||||
auth-krb5.o auth2-krb5.o auth-krb4.o \
|
||||
auth-krb5.o auth2-krb5.o \
|
||||
loginrec.o auth-pam.o auth-sia.o md5crypt.o
|
||||
|
||||
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */
|
||||
/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
|
||||
@ -238,12 +238,6 @@
|
||||
/* Define this if you are using the Heimdal version of Kerberos V5 */
|
||||
#undef HEIMDAL
|
||||
|
||||
/* Define if you want Kerberos 4 support */
|
||||
#undef KRB4
|
||||
|
||||
/* Define if you want AFS support */
|
||||
#undef AFS
|
||||
|
||||
/* Define if you want S/Key support */
|
||||
#undef SKEY
|
||||
|
||||
|
368
auth-krb4.c
368
auth-krb4.c
@ -1,368 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 1999 Dug Song. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "uidswap.h"
|
||||
#include "auth.h"
|
||||
|
||||
#ifdef AFS
|
||||
#include "radix.h"
|
||||
#endif
|
||||
|
||||
#ifdef KRB4
|
||||
extern ServerOptions options;
|
||||
|
||||
static int
|
||||
krb4_init(void *context)
|
||||
{
|
||||
static int cleanup_registered = 0;
|
||||
Authctxt *authctxt = (Authctxt *)context;
|
||||
const char *tkt_root = TKT_ROOT;
|
||||
struct stat st;
|
||||
int fd;
|
||||
|
||||
if (!authctxt->krb4_ticket_file) {
|
||||
/* Set unique ticket string manually since we're still root. */
|
||||
authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
|
||||
#ifdef AFS
|
||||
if (lstat("/ticket", &st) != -1)
|
||||
tkt_root = "/ticket/";
|
||||
#endif /* AFS */
|
||||
snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
|
||||
tkt_root, authctxt->pw->pw_uid, (long)getpid());
|
||||
krb_set_tkt_string(authctxt->krb4_ticket_file);
|
||||
}
|
||||
/* Register ticket cleanup in case of fatal error. */
|
||||
if (!cleanup_registered) {
|
||||
fatal_add_cleanup(krb4_cleanup_proc, authctxt);
|
||||
cleanup_registered = 1;
|
||||
}
|
||||
/* Try to create our ticket file. */
|
||||
if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
|
||||
close(fd);
|
||||
return (1);
|
||||
}
|
||||
/* Ticket file exists - make sure user owns it (just passed ticket). */
|
||||
if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
|
||||
if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
|
||||
st.st_uid == authctxt->pw->pw_uid)
|
||||
return (1);
|
||||
}
|
||||
/* Failure - cancel cleanup function, leaving ticket for inspection. */
|
||||
logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
|
||||
|
||||
fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
|
||||
cleanup_registered = 0;
|
||||
|
||||
xfree(authctxt->krb4_ticket_file);
|
||||
authctxt->krb4_ticket_file = NULL;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* try krb4 authentication,
|
||||
* return 1 on success, 0 on failure, -1 if krb4 is not available
|
||||
*/
|
||||
int
|
||||
auth_krb4_password(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
AUTH_DAT adata;
|
||||
KTEXT_ST tkt;
|
||||
struct hostent *hp;
|
||||
struct passwd *pw;
|
||||
char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
|
||||
u_int32_t faddr;
|
||||
int r;
|
||||
|
||||
if ((pw = authctxt->pw) == NULL)
|
||||
return (0);
|
||||
|
||||
/*
|
||||
* Try Kerberos password authentication only for non-root
|
||||
* users and only if Kerberos is installed.
|
||||
*/
|
||||
if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
|
||||
/* Set up our ticket file. */
|
||||
if (!krb4_init(authctxt)) {
|
||||
logit("Couldn't initialize Kerberos ticket file for %s!",
|
||||
pw->pw_name);
|
||||
goto failure;
|
||||
}
|
||||
/* Try to get TGT using our password. */
|
||||
r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
|
||||
"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
|
||||
if (r != INTK_OK) {
|
||||
debug("Kerberos v4 password authentication for %s "
|
||||
"failed: %s", pw->pw_name, krb_err_txt[r]);
|
||||
goto failure;
|
||||
}
|
||||
/* Successful authentication. */
|
||||
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
|
||||
|
||||
/*
|
||||
* Now that we have a TGT, try to get a local
|
||||
* "rcmd" ticket to ensure that we are not talking
|
||||
* to a bogus Kerberos server.
|
||||
*/
|
||||
gethostname(localhost, sizeof(localhost));
|
||||
strlcpy(phost, (char *)krb_get_phost(localhost),
|
||||
sizeof(phost));
|
||||
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
|
||||
|
||||
if (r == KSUCCESS) {
|
||||
if ((hp = gethostbyname(localhost)) == NULL) {
|
||||
logit("Couldn't get local host address!");
|
||||
goto failure;
|
||||
}
|
||||
memmove((void *)&faddr, (void *)hp->h_addr,
|
||||
sizeof(faddr));
|
||||
|
||||
/* Verify our "rcmd" ticket. */
|
||||
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
|
||||
faddr, &adata, "");
|
||||
if (r == RD_AP_UNDEC) {
|
||||
/*
|
||||
* Probably didn't have a srvtab on
|
||||
* localhost. Disallow login.
|
||||
*/
|
||||
logit("Kerberos v4 TGT for %s unverifiable, "
|
||||
"no srvtab installed? krb_rd_req: %s",
|
||||
pw->pw_name, krb_err_txt[r]);
|
||||
goto failure;
|
||||
} else if (r != KSUCCESS) {
|
||||
logit("Kerberos v4 %s ticket unverifiable: %s",
|
||||
KRB4_SERVICE_NAME, krb_err_txt[r]);
|
||||
goto failure;
|
||||
}
|
||||
} else if (r == KDC_PR_UNKNOWN) {
|
||||
/*
|
||||
* Disallow login if no rcmd service exists, and
|
||||
* log the error.
|
||||
*/
|
||||
logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
|
||||
"not registered, or srvtab is wrong?", pw->pw_name,
|
||||
krb_err_txt[r], KRB4_SERVICE_NAME, phost);
|
||||
goto failure;
|
||||
} else {
|
||||
/*
|
||||
* TGT is bad, forget it. Possibly spoofed!
|
||||
*/
|
||||
debug("WARNING: Kerberos v4 TGT possibly spoofed "
|
||||
"for %s: %s", pw->pw_name, krb_err_txt[r]);
|
||||
goto failure;
|
||||
}
|
||||
/* Authentication succeeded. */
|
||||
return (1);
|
||||
} else
|
||||
/* Logging in as root or no local Kerberos realm. */
|
||||
debug("Unable to authenticate to Kerberos.");
|
||||
|
||||
failure:
|
||||
krb4_cleanup_proc(authctxt);
|
||||
|
||||
if (!options.kerberos_or_local_passwd)
|
||||
return (0);
|
||||
|
||||
/* Fall back to ordinary passwd authentication. */
|
||||
return (-1);
|
||||
}
|
||||
|
||||
void
|
||||
krb4_cleanup_proc(void *context)
|
||||
{
|
||||
Authctxt *authctxt = (Authctxt *)context;
|
||||
debug("krb4_cleanup_proc called");
|
||||
if (authctxt->krb4_ticket_file) {
|
||||
(void) dest_tkt();
|
||||
xfree(authctxt->krb4_ticket_file);
|
||||
authctxt->krb4_ticket_file = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
|
||||
{
|
||||
AUTH_DAT adat = {0};
|
||||
Key_schedule schedule;
|
||||
struct sockaddr_in local, foreign;
|
||||
char instance[INST_SZ];
|
||||
socklen_t slen;
|
||||
u_int cksum;
|
||||
int r, s;
|
||||
|
||||
s = packet_get_connection_in();
|
||||
|
||||
slen = sizeof(local);
|
||||
memset(&local, 0, sizeof(local));
|
||||
if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
|
||||
debug("getsockname failed: %.100s", strerror(errno));
|
||||
slen = sizeof(foreign);
|
||||
memset(&foreign, 0, sizeof(foreign));
|
||||
if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
|
||||
debug("getpeername failed: %.100s", strerror(errno));
|
||||
fatal_cleanup();
|
||||
}
|
||||
instance[0] = '*';
|
||||
instance[1] = 0;
|
||||
|
||||
/* Get the encrypted request, challenge, and session key. */
|
||||
if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
|
||||
0, &adat, ""))) {
|
||||
debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
|
||||
return (0);
|
||||
}
|
||||
des_key_sched((des_cblock *) adat.session, schedule);
|
||||
|
||||
*client = xmalloc(MAX_K_NAME_SZ);
|
||||
(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
|
||||
*adat.pinst ? "." : "", adat.pinst, adat.prealm);
|
||||
|
||||
/* Check ~/.klogin authorization now. */
|
||||
if (kuserok(&adat, authctxt->user) != KSUCCESS) {
|
||||
logit("Kerberos v4 .klogin authorization failed for %s to "
|
||||
"account %s", *client, authctxt->user);
|
||||
xfree(*client);
|
||||
*client = NULL;
|
||||
return (0);
|
||||
}
|
||||
/* Increment the checksum, and return it encrypted with the
|
||||
session key. */
|
||||
cksum = adat.checksum + 1;
|
||||
cksum = htonl(cksum);
|
||||
|
||||
/* If we can't successfully encrypt the checksum, we send back an
|
||||
empty message, admitting our failure. */
|
||||
if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
|
||||
schedule, &adat.session, &local, &foreign)) < 0) {
|
||||
debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
|
||||
reply->dat[0] = 0;
|
||||
reply->length = 0;
|
||||
} else
|
||||
reply->length = r;
|
||||
|
||||
/* Clear session key. */
|
||||
memset(&adat.session, 0, sizeof(adat.session));
|
||||
return (1);
|
||||
}
|
||||
#endif /* KRB4 */
|
||||
|
||||
#ifdef AFS
|
||||
int
|
||||
auth_krb4_tgt(Authctxt *authctxt, const char *string)
|
||||
{
|
||||
CREDENTIALS creds;
|
||||
struct passwd *pw;
|
||||
|
||||
if ((pw = authctxt->pw) == NULL)
|
||||
goto failure;
|
||||
|
||||
temporarily_use_uid(pw);
|
||||
|
||||
if (!radix_to_creds(string, &creds)) {
|
||||
logit("Protocol error decoding Kerberos v4 TGT");
|
||||
goto failure;
|
||||
}
|
||||
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
|
||||
strlcpy(creds.service, "krbtgt", sizeof creds.service);
|
||||
|
||||
if (strcmp(creds.service, "krbtgt")) {
|
||||
logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
|
||||
creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
|
||||
creds.realm, pw->pw_name);
|
||||
goto failure;
|
||||
}
|
||||
if (!krb4_init(authctxt))
|
||||
goto failure;
|
||||
|
||||
if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
|
||||
goto failure;
|
||||
|
||||
if (save_credentials(creds.service, creds.instance, creds.realm,
|
||||
creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
|
||||
creds.issue_date) != KSUCCESS) {
|
||||
debug("Kerberos v4 TGT refused: couldn't save credentials");
|
||||
goto failure;
|
||||
}
|
||||
/* Successful authentication, passed all checks. */
|
||||
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
|
||||
|
||||
debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
|
||||
creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
|
||||
memset(&creds, 0, sizeof(creds));
|
||||
|
||||
restore_uid();
|
||||
|
||||
return (1);
|
||||
|
||||
failure:
|
||||
krb4_cleanup_proc(authctxt);
|
||||
memset(&creds, 0, sizeof(creds));
|
||||
restore_uid();
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
auth_afs_token(Authctxt *authctxt, const char *token_string)
|
||||
{
|
||||
CREDENTIALS creds;
|
||||
struct passwd *pw;
|
||||
uid_t uid;
|
||||
|
||||
if ((pw = authctxt->pw) == NULL)
|
||||
return (0);
|
||||
|
||||
if (!radix_to_creds(token_string, &creds)) {
|
||||
logit("Protocol error decoding AFS token");
|
||||
return (0);
|
||||
}
|
||||
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
|
||||
strlcpy(creds.service, "afs", sizeof creds.service);
|
||||
|
||||
if (strncmp(creds.pname, "AFS ID ", 7) == 0)
|
||||
uid = atoi(creds.pname + 7);
|
||||
else
|
||||
uid = pw->pw_uid;
|
||||
|
||||
if (kafs_settoken(creds.realm, uid, &creds)) {
|
||||
logit("AFS token (%s@%s) rejected for %s",
|
||||
creds.pname, creds.realm, pw->pw_name);
|
||||
memset(&creds, 0, sizeof(creds));
|
||||
return (0);
|
||||
}
|
||||
debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
|
||||
memset(&creds, 0, sizeof(creds));
|
||||
|
||||
return (1);
|
||||
}
|
||||
#endif /* AFS */
|
@ -36,7 +36,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password)
|
||||
return (authsuccess);
|
||||
}
|
||||
# endif
|
||||
# ifdef KRB4
|
||||
if (options.kerberos_authentication == 1) {
|
||||
int ret = auth_krb4_password(authctxt, password);
|
||||
if (ret == 1 || ret == 0)
|
||||
return ret;
|
||||
/* Fall back to ordinary passwd authentication. */
|
||||
}
|
||||
# endif
|
||||
# ifdef BSD_AUTH
|
||||
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
|
||||
(char *)password) == 0)
|
||||
|
19
auth.h
19
auth.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -60,9 +60,6 @@ struct Authctxt {
|
||||
#ifdef BSD_AUTH
|
||||
auth_session_t *as;
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
char *krb4_ticket_file;
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
krb5_context krb5_ctx;
|
||||
krb5_auth_context krb5_auth_ctx;
|
||||
@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
||||
int user_key_allowed(struct passwd *, Key *);
|
||||
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
|
||||
int auth_krb4_password(Authctxt *, const char *);
|
||||
void krb4_cleanup_proc(void *);
|
||||
|
||||
#ifdef AFS
|
||||
#include <kafs.h>
|
||||
int auth_krb4_tgt(Authctxt *, const char *);
|
||||
int auth_afs_token(Authctxt *, const char *);
|
||||
#endif /* AFS */
|
||||
|
||||
#endif /* KRB4 */
|
||||
|
||||
#ifdef KRB5
|
||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||
|
45
auth1.c
45
auth1.c
@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
|
||||
RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
@ -49,7 +49,7 @@ get_authname(int type)
|
||||
case SSH_CMSG_AUTH_TIS:
|
||||
case SSH_CMSG_AUTH_TIS_RESPONSE:
|
||||
return "challenge-response";
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case SSH_CMSG_AUTH_KERBEROS:
|
||||
return "kerberos";
|
||||
#endif
|
||||
@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
|
||||
|
||||
/* If the user has no password, accept authentication immediately. */
|
||||
if (options.password_authentication &&
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
||||
#endif
|
||||
PRIVSEP(auth_password(authctxt, ""))) {
|
||||
@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt)
|
||||
/* Process the packet. */
|
||||
switch (type) {
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case SSH_CMSG_AUTH_KERBEROS:
|
||||
if (!options.kerberos_authentication) {
|
||||
verbose("Kerberos authentication disabled.");
|
||||
@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt)
|
||||
char *kdata = packet_get_string(&dlen);
|
||||
packet_check_eom();
|
||||
|
||||
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
|
||||
#ifdef KRB4
|
||||
KTEXT_ST tkt, reply;
|
||||
tkt.length = dlen;
|
||||
if (tkt.length < MAX_KTXT_LEN)
|
||||
memcpy(tkt.dat, kdata, tkt.length);
|
||||
|
||||
if (PRIVSEP(auth_krb4(authctxt, &tkt,
|
||||
&client_user, &reply))) {
|
||||
authenticated = 1;
|
||||
snprintf(info, sizeof(info),
|
||||
" tktuser %.100s",
|
||||
client_user);
|
||||
|
||||
packet_start(
|
||||
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
|
||||
packet_put_string((char *)
|
||||
reply.dat, reply.length);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
}
|
||||
#endif /* KRB4 */
|
||||
} else {
|
||||
#ifdef KRB5
|
||||
if (kdata[0] != 4) { /* KRB_PROT_VERSION */
|
||||
krb5_data tkt, reply;
|
||||
tkt.length = dlen;
|
||||
tkt.data = kdata;
|
||||
@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt)
|
||||
if (reply.length)
|
||||
xfree(reply.data);
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
}
|
||||
xfree(kdata);
|
||||
}
|
||||
break;
|
||||
#endif /* KRB4 || KRB5 */
|
||||
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
/* XXX - punt on backward compatibility here. */
|
||||
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
||||
packet_send_debug("Kerberos TGT passing disabled before authentication.");
|
||||
break;
|
||||
#ifdef AFS
|
||||
case SSH_CMSG_HAVE_AFS_TOKEN:
|
||||
packet_send_debug("AFS token passing disabled before authentication.");
|
||||
break;
|
||||
#endif /* AFS */
|
||||
#endif /* AFS || KRB5 */
|
||||
#endif
|
||||
|
||||
case SSH_CMSG_AUTH_RHOSTS:
|
||||
if (!options.rhosts_authentication) {
|
||||
|
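Review bot: With the v4 branch removed, the guard at `if (kdata[0] != 4) { /* KRB_PROT_VERSION */` now silently drops any Kerberos v4 ticket a client still sends: kdata is freed and the case breaks with no log line, so the failed attempt cannot be told apart from any other authentication failure in the server log. A short else branch would make the rejection visible, e.g. `} else` followed by `debug("Kerberos v4 authentication request rejected: v4 support removed");` placed before the `xfree(kdata);`. The literal 4 is explained only by the trailing comment; a local `#define` named after that comment would read better than the bare number now that the v4 headers that used to give it a name are gone. The enclosing do_authloop starts and ends outside this hunk.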
87
configure.ac
87
configure.ac
@ -1,4 +1,4 @@
|
||||
# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $
|
||||
# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $
|
||||
|
||||
AC_INIT
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
@ -54,7 +54,6 @@ fi
|
||||
# Check for some target-specific stuff
|
||||
case "$host" in
|
||||
*-*-aix*)
|
||||
AFS_LIBS="-lld"
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
|
||||
LDFLAGS="$LDFLAGS -L/usr/local/lib"
|
||||
AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
|
||||
@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5,
|
||||
fi
|
||||
]
|
||||
)
|
||||
# Check whether user wants Kerberos 4 support
|
||||
KRB4_MSG="no"
|
||||
AC_ARG_WITH(kerberos4,
|
||||
[ --with-kerberos4=PATH Enable Kerberos 4 support],
|
||||
[
|
||||
if test "x$withval" != "xno" ; then
|
||||
if test "x$withval" != "xyes" ; then
|
||||
CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
LDFLAGS="$LDFLAGS -L${withval}/lib"
|
||||
if test ! -z "$need_dash_r" ; then
|
||||
LDFLAGS="$LDFLAGS -R${withval}/lib"
|
||||
fi
|
||||
if test ! -z "$blibpath" ; then
|
||||
blibpath="$blibpath:${withval}/lib"
|
||||
fi
|
||||
else
|
||||
if test -d /usr/include/kerberosIV ; then
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_CHECK_HEADERS(krb.h)
|
||||
if test "$ac_cv_header_krb_h" != yes; then
|
||||
AC_MSG_WARN([Cannot find krb.h, build may fail])
|
||||
fi
|
||||
AC_CHECK_LIB(krb, main)
|
||||
if test "$ac_cv_lib_krb_main" != yes; then
|
||||
AC_CHECK_LIB(krb4, main)
|
||||
if test "$ac_cv_lib_krb4_main" != yes; then
|
||||
AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
|
||||
else
|
||||
KLIBS="-lkrb4"
|
||||
fi
|
||||
else
|
||||
KLIBS="-lkrb"
|
||||
fi
|
||||
AC_CHECK_LIB(des, des_cbc_encrypt)
|
||||
if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
|
||||
AC_CHECK_LIB(des425, des_cbc_encrypt)
|
||||
if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
|
||||
AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
|
||||
else
|
||||
KLIBS="-ldes425"
|
||||
fi
|
||||
else
|
||||
KLIBS="-ldes"
|
||||
fi
|
||||
AC_CHECK_LIB(resolv, dn_expand, , )
|
||||
KRB4=yes
|
||||
KRB4_MSG="yes"
|
||||
AC_DEFINE(KRB4)
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
# Check whether user wants AFS support
|
||||
AFS_MSG="no"
|
||||
AC_ARG_WITH(afs,
|
||||
[ --with-afs=PATH Enable AFS support],
|
||||
[
|
||||
if test "x$withval" != "xno" ; then
|
||||
|
||||
if test "x$withval" != "xyes" ; then
|
||||
CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
LDFLAGS="$LDFLAGS -L${withval}/lib"
|
||||
fi
|
||||
|
||||
if test -z "$KRB4" ; then
|
||||
AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
|
||||
fi
|
||||
|
||||
LIBS="-lkafs $LIBS"
|
||||
if test ! -z "$AFS_LIBS" ; then
|
||||
LIBS="$LIBS $AFS_LIBS"
|
||||
fi
|
||||
AC_DEFINE(AFS)
|
||||
AFS_MSG="yes"
|
||||
fi
|
||||
]
|
||||
)
|
||||
LIBS="$LIBS $KLIBS $K5LIBS"
|
||||
LIBS="$LIBS $K5LIBS"
|
||||
|
||||
# Looking for programs, paths and files
|
||||
|
||||
@ -2648,10 +2567,8 @@ fi
|
||||
echo " Manpage format: $MANTYPE"
|
||||
echo " DNS support: $DNS_MSG"
|
||||
echo " PAM support: $PAM_MSG"
|
||||
echo " KerberosIV support: $KRB4_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " AFS support: $AFS_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
|
54
monitor.c
54
monitor.c
@ -25,7 +25,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $");
|
||||
RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
|
||||
@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *);
|
||||
int mm_answer_pam_free_ctx(int, Buffer *);
|
||||
#endif
|
||||
|
||||
#ifdef KRB4
|
||||
int mm_answer_krb4(int, Buffer *);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
int mm_answer_krb5(int, Buffer *);
|
||||
#endif
|
||||
@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = {
|
||||
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
|
||||
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
|
||||
#endif
|
||||
@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
|
||||
return (success);
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
int
|
||||
mm_answer_krb4(int socket, Buffer *m)
|
||||
{
|
||||
KTEXT_ST auth, reply;
|
||||
char *client, *p;
|
||||
int success;
|
||||
u_int alen;
|
||||
|
||||
reply.length = auth.length = 0;
|
||||
|
||||
p = buffer_get_string(m, &alen);
|
||||
if (alen >= MAX_KTXT_LEN)
|
||||
fatal("%s: auth too large", __func__);
|
||||
memcpy(auth.dat, p, alen);
|
||||
auth.length = alen;
|
||||
memset(p, 0, alen);
|
||||
xfree(p);
|
||||
|
||||
success = options.kerberos_authentication &&
|
||||
authctxt->valid &&
|
||||
auth_krb4(authctxt, &auth, &client, &reply);
|
||||
|
||||
memset(auth.dat, 0, alen);
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, success);
|
||||
|
||||
if (success) {
|
||||
buffer_put_cstring(m, client);
|
||||
buffer_put_string(m, reply.dat, reply.length);
|
||||
if (client)
|
||||
xfree(client);
|
||||
if (reply.length)
|
||||
memset(reply.dat, 0, reply.length);
|
||||
}
|
||||
|
||||
debug3("%s: sending result %d", __func__, success);
|
||||
mm_request_send(socket, MONITOR_ANS_KRB4, m);
|
||||
|
||||
auth_method = "kerberos";
|
||||
|
||||
/* Causes monitor loop to terminate if authenticated */
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef KRB5
|
||||
int
|
||||
mm_answer_krb5(int socket, Buffer *m)
|
||||
|
@ -49,7 +49,6 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
|
||||
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
|
||||
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
|
||||
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
|
||||
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
|
||||
MONITOR_REQ_PAM_START,
|
||||
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
|
||||
|
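Review bot: Dropping `MONITOR_REQ_KRB4, MONITOR_ANS_KRB4` from the middle of `enum monitor_reqtype` renumbers every request type that follows it (`MONITOR_REQ_KRB5` onward). That is presumably harmless because the monitor and the unprivileged child are forked from the same sshd image and so agree on the numbering, but nothing in the enum states that assumption; a one-line comment at its head, `/* values are positional: both privsep halves must be built from this header */`, would keep a later reorder from being mistaken for a compatible change. The enum starts and ends outside this hunk.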
@ -25,7 +25,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $");
|
||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dh.h>
|
||||
@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
|
||||
return (success);
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
int
|
||||
mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
|
||||
{
|
||||
KTEXT auth, reply;
|
||||
Buffer m;
|
||||
u_int rlen;
|
||||
int success = 0;
|
||||
char *p;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
auth = _auth;
|
||||
reply = _reply;
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_string(&m, auth->dat, auth->length);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
|
||||
|
||||
success = buffer_get_int(&m);
|
||||
if (success) {
|
||||
*client = buffer_get_string(&m, NULL);
|
||||
p = buffer_get_string(&m, &rlen);
|
||||
if (rlen >= MAX_KTXT_LEN)
|
||||
fatal("%s: reply from monitor too large", __func__);
|
||||
reply->length = rlen;
|
||||
memcpy(reply->dat, p, rlen);
|
||||
memset(p, 0, rlen);
|
||||
xfree(p);
|
||||
}
|
||||
buffer_free(&m);
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef KRB5
|
||||
int
|
||||
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
|
||||
int mm_skey_respond(void *, u_int, char **);
|
||||
|
||||
/* auth_krb */
|
||||
#ifdef KRB4
|
||||
int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
/* auth and reply are really krb5_data objects, but we don't want to
|
||||
* include all of the krb5 headers here */
|
||||
|
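--- a/radix.c
+++ b/radix.c
@@ -1,158 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- * Copyright (c) 2002 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#include "uuencode.h"
-
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-
-#ifdef AFS
-#include <krb.h>
-
-#include <radix.h>
-#include "bufaux.h"
-
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
-Buffer b;
-int ret;
-
-buffer_init(&b);
-
-buffer_put_char(&b, 1); /* version */
-
-buffer_append(&b, creds->service, strlen(creds->service));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->instance, strlen(creds->instance));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->realm, strlen(creds->realm));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pname, strlen(creds->pname));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pinst, strlen(creds->pinst));
-buffer_put_char(&b, '\0');
-
-/* Null string to repeat the realm. */
-buffer_put_char(&b, '\0');
-
-buffer_put_int(&b, creds->issue_date);
-buffer_put_int(&b, krb_life_to_time(creds->issue_date,
-creds->lifetime));
-buffer_append(&b, creds->session, sizeof(creds->session));
-buffer_put_short(&b, creds->kvno);
-
-/* 32 bit size + data */
-buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-
-ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-
-buffer_free(&b);
-return ret;
-}
-
-#define GETSTRING(b, t, tlen) \
-do { \
-int i, found = 0; \
-for (i = 0; i < tlen; i++) { \
-if (buffer_len(b) == 0) \
-goto done; \
-t[i] = buffer_get_char(b); \
-if (t[i] == '\0') { \
-found = 1; \
-break; \
-} \
-} \
-if (!found) \
-goto done; \
-} while(0)
-
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
-Buffer b;
-u_char *space;
-char c, version, *p;
-u_int endTime, len;
-int blen, ret;
-
-ret = 0;
-blen = strlen(buf);
-
-/* sanity check for size */
-if (blen > 8192)
-return 0;
-
-buffer_init(&b);
-space = buffer_append_space(&b, blen);
-
-/* check version and length! */
-len = uudecode(buf, space, blen);
-if (len < 1)
-goto done;
-
-version = buffer_get_char(&b);
-
-GETSTRING(&b, creds->service, sizeof creds->service);
-GETSTRING(&b, creds->instance, sizeof creds->instance);
-GETSTRING(&b, creds->realm, sizeof creds->realm);
-GETSTRING(&b, creds->pname, sizeof creds->pname);
-GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-
-if (buffer_len(&b) == 0)
-goto done;
-
-/* Ignore possibly different realm. */
-while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
-;
-
-if (buffer_len(&b) == 0)
-goto done;
-
-creds->issue_date = buffer_get_int(&b);
-
-endTime = buffer_get_int(&b);
-creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-
-len = buffer_len(&b);
-if (len < sizeof(creds->session))
-goto done;
-memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
-buffer_consume(&b, sizeof(creds->session));
-
-creds->kvno = buffer_get_short(&b);
-
-p = buffer_get_string(&b, &len);
-if (len < 0 || len > sizeof(creds->ticket_st.dat))
-goto done;
-memcpy(&creds->ticket_st.dat, p, len);
-creds->ticket_st.length = len;
-
-ret = 1;
-done:
-buffer_free(&b);
-return ret;
-}
-#endif /* AFS */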
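--- a/radix.h
+++ b/radix.h
@@ -1,28 +0,0 @@
-/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
-
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int radix_to_creds(const char *, CREDENTIALS *);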
17
readconf.c
17
readconf.c
@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $");
|
||||
RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
@ -94,7 +94,7 @@ typedef enum {
|
||||
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
|
||||
oPasswordAuthentication, oRSAAuthentication,
|
||||
oChallengeResponseAuthentication, oXAuthLocation,
|
||||
oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing,
|
||||
oKerberosAuthentication, oKerberosTgtPassing,
|
||||
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
|
||||
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
|
||||
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
|
||||
@ -134,18 +134,14 @@ static struct {
|
||||
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
||||
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
{ "kerberosauthentication", oKerberosAuthentication },
|
||||
{ "kerberostgtpassing", oKerberosTgtPassing },
|
||||
#else
|
||||
{ "kerberosauthentication", oUnsupported },
|
||||
{ "kerberostgtpassing", oUnsupported },
|
||||
#endif
|
||||
#if defined(AFS)
|
||||
{ "afstokenpassing", oAFSTokenPassing },
|
||||
#else
|
||||
{ "afstokenpassing", oUnsupported },
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
{ "identityfile", oIdentityFile },
|
||||
@ -399,10 +395,6 @@ parse_flag:
|
||||
intptr = &options->kerberos_tgt_passing;
|
||||
goto parse_flag;
|
||||
|
||||
case oAFSTokenPassing:
|
||||
intptr = &options->afs_token_passing;
|
||||
goto parse_flag;
|
||||
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@ -828,7 +820,6 @@ initialize_options(Options * options)
|
||||
options->challenge_response_authentication = -1;
|
||||
options->kerberos_authentication = -1;
|
||||
options->kerberos_tgt_passing = -1;
|
||||
options->afs_token_passing = -1;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@ -905,8 +896,6 @@ fill_default_options(Options * options)
|
||||
options->kerberos_authentication = 1;
|
||||
if (options->kerberos_tgt_passing == -1)
|
||||
options->kerberos_tgt_passing = 1;
|
||||
if (options->afs_token_passing == -1)
|
||||
options->afs_token_passing = 1;
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
|
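Review bot: Removing the `afstokenpassing` row from the keyword table outright (the deleted `#if defined(AFS)` / `#else` pair) leaves an existing ssh_config that still says `AFSTokenPassing` with no table match, so it will presumably be reported as an unknown option instead of being ignored, while the neighbouring obsolete keywords `fallbacktorsh` and `usersh` are still carried as `oDeprecated` and the non-KRB5 Kerberos rows as `oUnsupported`. A row such as `{ "afstokenpassing", oUnsupported }, /* AFS support removed */` next to `{ "kerberostgtpassing", oUnsupported },` (or `oDeprecated`, matching `fallbacktorsh`) would keep old client configurations loading until users clean them up. The keyword table and the parsing switch both start outside the hunks shown.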
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -43,7 +43,6 @@ typedef struct {
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
int kerberos_authentication; /* Try Kerberos authentication. */
|
||||
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
|
||||
int afs_token_passing; /* Try AFS token passing. */
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
|
25
servconf.c
25
servconf.c
@ -10,15 +10,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#if defined(KRB4)
|
||||
#include <krb.h>
|
||||
#endif
|
||||
|
||||
#ifdef AFS
|
||||
#include <kafs.h>
|
||||
#endif
|
||||
RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options)
|
||||
options->kerberos_or_local_passwd = -1;
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_tgt_passing = -1;
|
||||
options->afs_token_passing = -1;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->kerberos_ticket_cleanup = 1;
|
||||
if (options->kerberos_tgt_passing == -1)
|
||||
options->kerberos_tgt_passing = 0;
|
||||
if (options->afs_token_passing == -1)
|
||||
options->afs_token_passing = 0;
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@ -261,7 +250,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
@ -306,7 +295,7 @@ static struct {
|
||||
{ "rsaauthentication", sRSAAuthentication },
|
||||
{ "pubkeyauthentication", sPubkeyAuthentication },
|
||||
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
{ "kerberosauthentication", sKerberosAuthentication },
|
||||
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
|
||||
{ "kerberosticketcleanup", sKerberosTicketCleanup },
|
||||
@ -317,11 +306,7 @@ static struct {
|
||||
{ "kerberosticketcleanup", sUnsupported },
|
||||
{ "kerberostgtpassing", sUnsupported },
|
||||
#endif
|
||||
#if defined(AFS)
|
||||
{ "afstokenpassing", sAFSTokenPassing },
|
||||
#else
|
||||
{ "afstokenpassing", sUnsupported },
|
||||
#endif
|
||||
{ "passwordauthentication", sPasswordAuthentication },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
|
||||
@ -644,10 +629,6 @@ parse_flag:
|
||||
intptr = &options->kerberos_tgt_passing;
|
||||
goto parse_flag;
|
||||
|
||||
case sAFSTokenPassing:
|
||||
intptr = &options->afs_token_passing;
|
||||
goto parse_flag;
|
||||
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
|
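Review bot: The `afstokenpassing` row is deleted from the sshd keyword table while the other Kerberos rows still fall back to `sUnsupported` in non-KRB5 builds, so an sshd_config that still lists `AFSTokenPassing` will presumably fail to load after this change rather than being ignored as it was in non-AFS builds before. Keeping `{ "afstokenpassing", sUnsupported },` next to `{ "kerberostgtpassing", sUnsupported },` would preserve that behaviour for existing server configurations. The keywords table starts outside the hunk.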
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -84,7 +84,6 @@ typedef struct {
|
||||
* file on logout. */
|
||||
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
|
||||
* passing. */
|
||||
int afs_token_passing; /* If true, permit AFS token passing. */
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
|
57
session.c
57
session.c
@ -33,7 +33,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt)
|
||||
/* remove agent socket */
|
||||
if (auth_sock_name != NULL)
|
||||
auth_sock_cleanup_proc(authctxt->pw);
|
||||
#ifdef KRB4
|
||||
if (options.kerberos_ticket_cleanup)
|
||||
krb4_cleanup_proc(authctxt);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_ticket_cleanup)
|
||||
krb5_cleanup_proc(authctxt);
|
||||
@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt)
|
||||
success = 1;
|
||||
break;
|
||||
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
||||
if (!options.kerberos_tgt_passing) {
|
||||
verbose("Kerberos TGT passing disabled.");
|
||||
@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt)
|
||||
char *kdata = packet_get_string(&dlen);
|
||||
packet_check_eom();
|
||||
|
||||
/* XXX - 0x41, see creds_to_radix version */
|
||||
/* XXX - 0x41, used for AFS */
|
||||
if (kdata[0] != 0x41) {
|
||||
#ifdef KRB5
|
||||
krb5_data tgt;
|
||||
tgt.data = kdata;
|
||||
tgt.length = dlen;
|
||||
@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt)
|
||||
success = 1;
|
||||
else
|
||||
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
|
||||
#endif /* KRB5 */
|
||||
} else {
|
||||
#ifdef AFS
|
||||
if (auth_krb4_tgt(s->authctxt, kdata))
|
||||
success = 1;
|
||||
else
|
||||
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
|
||||
#endif /* AFS */
|
||||
}
|
||||
xfree(kdata);
|
||||
}
|
||||
break;
|
||||
#endif /* AFS || KRB5 */
|
||||
|
||||
#ifdef AFS
|
||||
case SSH_CMSG_HAVE_AFS_TOKEN:
|
||||
if (!options.afs_token_passing || !k_hasafs()) {
|
||||
verbose("AFS token passing disabled.");
|
||||
} else {
|
||||
/* Accept AFS token. */
|
||||
char *token = packet_get_string(&dlen);
|
||||
packet_check_eom();
|
||||
|
||||
if (auth_afs_token(s->authctxt, token))
|
||||
success = 1;
|
||||
else
|
||||
verbose("AFS token refused for %.100s",
|
||||
s->authctxt->user);
|
||||
xfree(token);
|
||||
}
|
||||
break;
|
||||
#endif /* AFS */
|
||||
#endif
|
||||
|
||||
case SSH_CMSG_EXEC_SHELL:
|
||||
case SSH_CMSG_EXEC_CMD:
|
||||
@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell)
|
||||
read_environment_file(&env, &envsize, "/etc/environment");
|
||||
}
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
if (s->authctxt->krb4_ticket_file)
|
||||
child_set_env(&env, &envsize, "KRBTKFILE",
|
||||
s->authctxt->krb4_ticket_file);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
if (s->authctxt->krb5_ticket_file)
|
||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||
@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command)
|
||||
*/
|
||||
environ = env;
|
||||
|
||||
#ifdef AFS
|
||||
/* Try to get AFS tokens for the local cell. */
|
||||
if (k_hasafs()) {
|
||||
char cell[64];
|
||||
|
||||
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
|
||||
krb_afslog(cell, 0);
|
||||
|
||||
krb_afslog(0, 0);
|
||||
}
|
||||
#endif /* AFS */
|
||||
|
||||
/* Change current directory to the user\'s home directory. */
|
||||
if (chdir(pw->pw_dir) < 0) {
|
||||
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
|
||||
|
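Review bot: With the AFS `else` arm removed, the `if (kdata[0] != 0x41)` test in the SSH_CMSG_HAVE_KERBEROS_TGT case keeps a magic byte whose only job was to route Kerberos v4/AFS blobs to the deleted handler; a client that now sends a blob starting with 0x41 is neither passed to `auth_krb5_tgt` nor logged, so the refusal is silent and `success` just stays 0. Either drop the test so every TGT reaches `auth_krb5_tgt`, or keep it and report the skipped case with an `else` such as `verbose("Kerberos TGT with AFS marker ignored for %.100s", s->authctxt->user);`. The rewritten comment `/* XXX - 0x41, used for AFS */` should also say that AFS support has been removed, e.g. `/* XXX - 0x41 marked a Kerberos v4/AFS TGT; that support is gone */`, so the next reader does not look for the handler. do_authenticated1 starts and ends outside the hunk.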
4
ssh.1
4
ssh.1
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $
|
||||
.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
@ -494,7 +494,7 @@ The argument is the device
|
||||
should use to communicate with a smartcard used for storing the user's
|
||||
private RSA key.
|
||||
.It Fl k
|
||||
Disables forwarding of Kerberos tickets and AFS tokens.
|
||||
Disables forwarding of Kerberos tickets.
|
||||
This may also be specified on a per-host basis in the configuration file.
|
||||
.It Fl l Ar login_name
|
||||
Specifies the user to log in as on the remote machine.
|
||||
|
9
ssh.c
9
ssh.c
@ -40,7 +40,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $");
|
||||
RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
@ -154,9 +154,7 @@ usage(void)
|
||||
_PATH_SSH_USER_CONFFILE);
|
||||
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
|
||||
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
|
||||
#ifdef AFS
|
||||
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
|
||||
#endif /* AFS */
|
||||
fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n");
|
||||
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
|
||||
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
|
||||
fprintf(stderr, " -i file Identity for public key authentication "
|
||||
@ -306,12 +304,9 @@ again:
|
||||
case 'A':
|
||||
options.forward_agent = 1;
|
||||
break;
|
||||
#ifdef AFS
|
||||
case 'k':
|
||||
options.kerberos_tgt_passing = 0;
|
||||
options.afs_token_passing = 0;
|
||||
break;
|
||||
#endif
|
||||
case 'i':
|
||||
if (stat(optarg, &st) < 0) {
|
||||
fprintf(stderr, "Warning: Identity file %s "
|
||||
|
5
ssh.h
5
ssh.h
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */
|
||||
/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -88,9 +88,6 @@
|
||||
*/
|
||||
#define SSH_SESSION_KEY_LENGTH 32
|
||||
|
||||
/* Name of Kerberos service for SSH to use. */
|
||||
#define KRB4_SERVICE_NAME "rcmd"
|
||||
|
||||
/* Used to identify ``EscapeChar none'' */
|
||||
#define SSH_ESCAPECHAR_NONE -2
|
||||
|
||||
|
10
ssh_config.5
10
ssh_config.5
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
@ -123,13 +123,6 @@ Valid arguments are
|
||||
(Use IPv4 only) or
|
||||
.Dq inet6
|
||||
(Use IPv6 only.)
|
||||
.It Cm AFSTokenPassing
|
||||
Specifies whether to pass AFS tokens to remote host.
|
||||
The argument to this keyword must be
|
||||
.Dq yes
|
||||
or
|
||||
.Dq no .
|
||||
This option applies to protocol version 1 only.
|
||||
.It Cm BatchMode
|
||||
If set to
|
||||
.Dq yes ,
|
||||
@ -410,7 +403,6 @@ or
|
||||
.Dq no .
|
||||
.It Cm KerberosTgtPassing
|
||||
Specifies whether a Kerberos TGT will be forwarded to the server.
|
||||
This will only work if the Kerberos server is actually an AFS kaserver.
|
||||
The argument to this keyword must be
|
||||
.Dq yes
|
||||
or
|
||||
|
287
sshconnect1.c
287
sshconnect1.c
@ -13,24 +13,17 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");
|
||||
RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
#include <krb5.h>
|
||||
#ifndef HEIMDAL
|
||||
#define krb5_get_err_text(context,code) error_message(code)
|
||||
#endif /* !HEIMDAL */
|
||||
#endif
|
||||
#ifdef AFS
|
||||
#include <kafs.h>
|
||||
#include "radix.h"
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
static int
|
||||
try_krb4_authentication(void)
|
||||
{
|
||||
KTEXT_ST auth; /* Kerberos data */
|
||||
char *reply;
|
||||
char inst[INST_SZ];
|
||||
char *realm;
|
||||
CREDENTIALS cred;
|
||||
int r, type;
|
||||
socklen_t slen;
|
||||
Key_schedule schedule;
|
||||
u_long checksum, cksum;
|
||||
MSG_DAT msg_data;
|
||||
struct sockaddr_in local, foreign;
|
||||
struct stat st;
|
||||
|
||||
/* Don't do anything if we don't have any tickets. */
|
||||
if (stat(tkt_string(), &st) < 0)
|
||||
return 0;
|
||||
|
||||
strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
|
||||
INST_SZ);
|
||||
|
||||
realm = (char *)krb_realmofhost(get_canonical_hostname(1));
|
||||
if (!realm) {
|
||||
debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
|
||||
return 0;
|
||||
}
|
||||
/* This can really be anything. */
|
||||
checksum = (u_long)getpid();
|
||||
|
||||
r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
|
||||
if (r != KSUCCESS) {
|
||||
debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
|
||||
return 0;
|
||||
}
|
||||
/* Get session key to decrypt the server's reply with. */
|
||||
r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
|
||||
if (r != KSUCCESS) {
|
||||
debug("get_cred failed: %s", krb_err_txt[r]);
|
||||
return 0;
|
||||
}
|
||||
des_key_sched((des_cblock *) cred.session, schedule);
|
||||
|
||||
/* Send authentication info to server. */
|
||||
packet_start(SSH_CMSG_AUTH_KERBEROS);
|
||||
packet_put_string((char *) auth.dat, auth.length);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
/* Zero the buffer. */
|
||||
(void) memset(auth.dat, 0, MAX_KTXT_LEN);
|
||||
|
||||
slen = sizeof(local);
|
||||
memset(&local, 0, sizeof(local));
|
||||
if (getsockname(packet_get_connection_in(),
|
||||
(struct sockaddr *)&local, &slen) < 0)
|
||||
debug("getsockname failed: %s", strerror(errno));
|
||||
|
||||
slen = sizeof(foreign);
|
||||
memset(&foreign, 0, sizeof(foreign));
|
||||
if (getpeername(packet_get_connection_in(),
|
||||
(struct sockaddr *)&foreign, &slen) < 0) {
|
||||
debug("getpeername failed: %s", strerror(errno));
|
||||
fatal_cleanup();
|
||||
}
|
||||
/* Get server reply. */
|
||||
type = packet_read();
|
||||
switch (type) {
|
||||
case SSH_SMSG_FAILURE:
|
||||
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
|
||||
debug("Kerberos v4 authentication failed.");
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
|
||||
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
|
||||
debug("Kerberos v4 authentication accepted.");
|
||||
|
||||
/* Get server's response. */
|
||||
reply = packet_get_string((u_int *) &auth.length);
|
||||
if (auth.length >= MAX_KTXT_LEN)
|
||||
fatal("Kerberos v4: Malformed response from server");
|
||||
memcpy(auth.dat, reply, auth.length);
|
||||
xfree(reply);
|
||||
|
||||
packet_check_eom();
|
||||
|
||||
/*
|
||||
* If his response isn't properly encrypted with the session
|
||||
* key, and the decrypted checksum fails to match, he's
|
||||
* bogus. Bail out.
|
||||
*/
|
||||
r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
|
||||
&foreign, &local, &msg_data);
|
||||
if (r != KSUCCESS) {
|
||||
debug("Kerberos v4 krb_rd_priv failed: %s",
|
||||
krb_err_txt[r]);
|
||||
packet_disconnect("Kerberos v4 challenge failed!");
|
||||
}
|
||||
/* Fetch the (incremented) checksum that we supplied in the request. */
|
||||
memcpy((char *)&cksum, (char *)msg_data.app_data,
|
||||
sizeof(cksum));
|
||||
cksum = ntohl(cksum);
|
||||
|
||||
/* If it matches, we're golden. */
|
||||
if (cksum == checksum + 1) {
|
||||
debug("Kerberos v4 challenge successful.");
|
||||
return 1;
|
||||
} else
|
||||
packet_disconnect("Kerberos v4 challenge failed!");
|
||||
break;
|
||||
|
||||
default:
|
||||
packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* KRB4 */
|
||||
|
||||
#ifdef KRB5
|
||||
static int
|
||||
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
|
||||
@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef AFS
|
||||
static void
|
||||
send_krb4_tgt(void)
|
||||
{
|
||||
CREDENTIALS *creds;
|
||||
struct stat st;
|
||||
char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
|
||||
int problem, type;
|
||||
|
||||
/* Don't do anything if we don't have any tickets. */
|
||||
if (stat(tkt_string(), &st) < 0)
|
||||
return;
|
||||
|
||||
creds = xmalloc(sizeof(*creds));
|
||||
|
||||
problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
problem = krb_get_cred("krbtgt", prealm, prealm, creds);
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
|
||||
problem = RD_AP_EXP;
|
||||
goto out;
|
||||
}
|
||||
creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
|
||||
|
||||
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
|
||||
packet_put_cstring(buffer);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
type = packet_read();
|
||||
|
||||
if (type == SSH_SMSG_SUCCESS)
|
||||
debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
|
||||
creds->pname, creds->pinst[0] ? "." : "",
|
||||
creds->pinst, creds->realm);
|
||||
else
|
||||
debug("Kerberos v4 TGT rejected.");
|
||||
|
||||
xfree(creds);
|
||||
return;
|
||||
|
||||
out:
|
||||
debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
|
||||
xfree(creds);
|
||||
}
|
||||
|
||||
static void
|
||||
send_afs_tokens(void)
|
||||
{
|
||||
CREDENTIALS creds;
|
||||
struct ViceIoctl parms;
|
||||
struct ClearToken ct;
|
||||
int i, type, len;
|
||||
char buf[2048], *p, *server_cell;
|
||||
char buffer[8192];
|
||||
|
||||
/* Move over ktc_GetToken, here's something leaner. */
|
||||
for (i = 0; i < 100; i++) { /* just in case */
|
||||
parms.in = (char *) &i;
|
||||
parms.in_size = sizeof(i);
|
||||
parms.out = buf;
|
||||
parms.out_size = sizeof(buf);
|
||||
if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
|
||||
break;
|
||||
p = buf;
|
||||
|
||||
/* Get secret token. */
|
||||
memcpy(&creds.ticket_st.length, p, sizeof(u_int));
|
||||
if (creds.ticket_st.length > MAX_KTXT_LEN)
|
||||
break;
|
||||
p += sizeof(u_int);
|
||||
memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
|
||||
p += creds.ticket_st.length;
|
||||
|
||||
/* Get clear token. */
|
||||
memcpy(&len, p, sizeof(len));
|
||||
if (len != sizeof(struct ClearToken))
|
||||
break;
|
||||
p += sizeof(len);
|
||||
memcpy(&ct, p, len);
|
||||
p += len;
|
||||
p += sizeof(len); /* primary flag */
|
||||
server_cell = p;
|
||||
|
||||
/* Flesh out our credentials. */
|
||||
strlcpy(creds.service, "afs", sizeof(creds.service));
|
||||
creds.instance[0] = '\0';
|
||||
strlcpy(creds.realm, server_cell, REALM_SZ);
|
||||
memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
|
||||
creds.issue_date = ct.BeginTimestamp;
|
||||
creds.lifetime = krb_time_to_life(creds.issue_date,
|
||||
ct.EndTimestamp);
|
||||
creds.kvno = ct.AuthHandle;
|
||||
snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
|
||||
creds.pinst[0] = '\0';
|
||||
|
||||
/* Encode token, ship it off. */
|
||||
if (creds_to_radix(&creds, (u_char *)buffer,
|
||||
sizeof(buffer)) <= 0)
|
||||
break;
|
||||
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
|
||||
packet_put_cstring(buffer);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
/* Roger, Roger. Clearance, Clarence. What's your vector,
|
||||
Victor? */
|
||||
type = packet_read();
|
||||
|
||||
if (type == SSH_SMSG_FAILURE)
|
||||
debug("AFS token for cell %s rejected.", server_cell);
|
||||
else if (type != SSH_SMSG_SUCCESS)
|
||||
packet_disconnect("Protocol error on AFS token response: %d", type);
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* AFS */
|
||||
|
||||
/*
|
||||
* Tries to authenticate with any string-based challenge/response system.
|
||||
* Note that the client code is not tied to s/key or TIS.
|
||||
@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef KRB4
|
||||
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
|
||||
options.kerberos_authentication) {
|
||||
debug("Trying Kerberos v4 authentication.");
|
||||
|
||||
if (try_krb4_authentication()) {
|
||||
type = packet_read();
|
||||
if (type == SSH_SMSG_SUCCESS)
|
||||
goto success;
|
||||
if (type != SSH_SMSG_FAILURE)
|
||||
packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
|
||||
}
|
||||
}
|
||||
#endif /* KRB4 */
|
||||
|
||||
/*
|
||||
* Use rhosts authentication if running in privileged socket and we
|
||||
* do not wish to remain anonymous.
|
||||
@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
|
||||
if (context)
|
||||
krb5_free_context(context);
|
||||
#endif
|
||||
|
||||
#ifdef AFS
|
||||
/* Try Kerberos v4 TGT passing if the server supports it. */
|
||||
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
|
||||
options.kerberos_tgt_passing) {
|
||||
if (options.cipher == SSH_CIPHER_NONE)
|
||||
logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
|
||||
send_krb4_tgt();
|
||||
}
|
||||
/* Try AFS token passing if the server supports it. */
|
||||
if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
|
||||
options.afs_token_passing && k_hasafs()) {
|
||||
if (options.cipher == SSH_CIPHER_NONE)
|
||||
logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
|
||||
send_afs_tokens();
|
||||
}
|
||||
#endif /* AFS */
|
||||
|
||||
return; /* need statement after label */
|
||||
}
|
||||
|
21
sshd.c
21
sshd.c
@ -42,7 +42,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
@ -1476,20 +1476,13 @@ main(int ac, char **av)
|
||||
"originating port %d not trusted.", remote_port);
|
||||
options.rhosts_authentication = 0;
|
||||
}
|
||||
#if defined(KRB4) && !defined(KRB5)
|
||||
#ifdef KRB5
|
||||
if (!packet_connection_is_ipv4() &&
|
||||
options.kerberos_authentication) {
|
||||
debug("Kerberos Authentication disabled, only available for IPv4.");
|
||||
options.kerberos_authentication = 0;
|
||||
}
|
||||
#endif /* KRB4 && !KRB5 */
|
||||
#ifdef AFS
|
||||
/* If machine has AFS, set process authentication group. */
|
||||
if (k_hasafs()) {
|
||||
k_setpag();
|
||||
k_unlog();
|
||||
}
|
||||
#endif /* AFS */
|
||||
#endif
|
||||
|
||||
packet_set_nonblocking();
|
||||
|
||||
@ -1656,17 +1649,11 @@ do_ssh1_kex(void)
|
||||
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
|
||||
if (options.rsa_authentication)
|
||||
auth_mask |= 1 << SSH_AUTH_RSA;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_authentication)
|
||||
auth_mask |= 1 << SSH_AUTH_KERBEROS;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
if (options.kerberos_tgt_passing)
|
||||
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
if (options.afs_token_passing)
|
||||
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
|
||||
#endif
|
||||
if (options.challenge_response_authentication == 1)
|
||||
auth_mask |= 1 << SSH_AUTH_TIS;
|
||||
|
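Review bot: The IPv4-only check on `options.kerberos_authentication` in main() was wrapped in `#if defined(KRB4) && !defined(KRB5)`, i.e. it was compiled out of every KRB5 build; replacing that guard with `#ifdef KRB5` now compiles it in for Kerberos v5, so v5 authentication is switched off on IPv6 connections with `debug("Kerberos Authentication disabled, only available for IPv4.")`. The commit description only mentions removing KRB4/AFS, and the removed v4 client code on this page is what worked with `struct sockaddr_in`, so this looks like the wrong guard survived; if v5 has no such limitation the whole block should be deleted rather than re-enabled. If the restriction is intended for v5, a comment above the `#ifdef KRB5` explaining why it is needed would stop the next maintainer from reverting it. main() starts and ends outside the hunk.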
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
@ -61,10 +61,6 @@ The possible
|
||||
keywords and their meanings are as follows (note that
|
||||
keywords are case-insensitive and arguments are case-sensitive):
|
||||
.Bl -tag -width Ds
|
||||
.It Cm AFSTokenPassing
|
||||
Specifies whether an AFS token may be forwarded to the server.
|
||||
Default is
|
||||
.Dq no .
|
||||
.It Cm AllowGroups
|
||||
This keyword can be followed by a list of group name patterns, separated
|
||||
by spaces.
|
||||
@ -327,8 +323,7 @@ Default is
|
||||
.It Cm KerberosTgtPassing
|
||||
Specifies whether a Kerberos TGT may be forwarded to the server.
|
||||
Default is
|
||||
.Dq no ,
|
||||
as this only works when the Kerberos KDC is actually an AFS kaserver.
|
||||
.Dq no .
|
||||
.It Cm KerberosTicketCleanup
|
||||
Specifies whether to automatically destroy the user's ticket cache
|
||||
file on logout.
|
||||
|