[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
     [sshconnect1.c sshd.c sshd_config sshd_config.5]
     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
Damien Miller 2003-09-02 22:51:17 +10:00
parent 55c47edc81
commit 1a0c0b9621
16 changed files with 25 additions and 684 deletions


@ -3,6 +3,12 @@
- deraadt@cvs.openbsd.org 2003/08/24 17:36:51
[auth2-gss.c]
64 bit cleanups; markus ok
- markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
[sshconnect1.c sshd.c sshd_config sshd_config.5]
remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
20030829
- (bal) openbsd-compat/ clean up. Considate headers, add in Id on our
@ -918,4 +924,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.2920 2003/09/02 12:14:07 djm Exp $
$Id: ChangeLog,v 1.2921 2003/09/02 12:51:17 djm Exp $


@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -65,193 +65,6 @@ krb5_init(void *context)
return (0);
}
/*
* Try krb5 authentication. server_user is passed for logging purposes
* only, in auth is received ticket, in client is returned principal
* from the ticket
*/
int
auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
{
krb5_error_code problem;
krb5_principal server;
krb5_ticket *ticket;
int fd, ret;
ret = 0;
server = NULL;
ticket = NULL;
reply->length = 0;
problem = krb5_init(authctxt);
if (problem)
goto err;
problem = krb5_auth_con_init(authctxt->krb5_ctx,
&authctxt->krb5_auth_ctx);
if (problem)
goto err;
fd = packet_get_connection_in();
#ifdef HEIMDAL
problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
authctxt->krb5_auth_ctx, &fd);
#else
problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
authctxt->krb5_auth_ctx,fd,
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
#endif
if (problem)
goto err;
problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
KRB5_NT_SRV_HST, &server);
if (problem)
goto err;
problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
auth, server, NULL, NULL, &ticket);
if (problem)
goto err;
#ifdef HEIMDAL
problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
&authctxt->krb5_user);
#else
problem = krb5_copy_principal(authctxt->krb5_ctx,
ticket->enc_part2->client,
&authctxt->krb5_user);
#endif
if (problem)
goto err;
/* if client wants mutual auth */
problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
reply);
if (problem)
goto err;
/* Check .k5login authorization now. */
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name))
goto err;
if (client)
krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
client);
ret = 1;
err:
if (server)
krb5_free_principal(authctxt->krb5_ctx, server);
if (ticket)
krb5_free_ticket(authctxt->krb5_ctx, ticket);
if (!ret && reply->length) {
xfree(reply->data);
memset(reply, 0, sizeof(*reply));
}
if (problem) {
if (authctxt->krb5_ctx != NULL)
debug("Kerberos v5 authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
else
debug("Kerberos v5 authentication failed: %d",
problem);
}
return (ret);
}
int
auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
{
krb5_error_code problem;
krb5_ccache ccache = NULL;
char *pname;
krb5_creds **creds;
if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
return (0);
temporarily_use_uid(authctxt->pw);
#ifdef HEIMDAL
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
#else
{
char ccname[40];
int tmpfd;
snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
goto fail;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
goto fail;
}
close(tmpfd);
problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
}
#endif
if (problem)
goto fail;
problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
authctxt->krb5_user);
if (problem)
goto fail;
#ifdef HEIMDAL
problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
ccache, tgt);
if (problem)
goto fail;
#else
problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
tgt, &creds, NULL);
if (problem)
goto fail;
problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
if (problem)
goto fail;
#endif
authctxt->krb5_fwd_ccache = ccache;
ccache = NULL;
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
&pname);
if (problem)
goto fail;
debug("Kerberos v5 TGT accepted (%s)", pname);
restore_uid();
return (1);
fail:
if (problem)
debug("Kerberos v5 TGT passing failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
restore_uid();
return (0);
}
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
@ -405,11 +218,6 @@ krb5_cleanup_proc(void *context)
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL;
}
if (authctxt->krb5_auth_ctx) {
krb5_auth_con_free(authctxt->krb5_ctx,
authctxt->krb5_auth_ctx);
authctxt->krb5_auth_ctx = NULL;
}
if (authctxt->krb5_ctx) {
krb5_free_context(authctxt->krb5_ctx);
authctxt->krb5_ctx = NULL;

3
auth.h

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.44 2003/08/22 10:56:08 markus Exp $ */
/* $OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -62,7 +62,6 @@ struct Authctxt {
#endif
#ifdef KRB5
krb5_context krb5_ctx;
krb5_auth_context krb5_auth_ctx;
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;

57
auth1.c

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@ -49,10 +49,6 @@ get_authname(int type)
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
#ifdef KRB5
case SSH_CMSG_AUTH_KERBEROS:
return "kerberos";
#endif
}
snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
return buf;
@ -119,47 +115,6 @@ do_authloop(Authctxt *authctxt)
/* Process the packet. */
switch (type) {
#ifdef KRB5
case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) {
verbose("Kerberos authentication disabled.");
} else {
char *kdata = packet_get_string(&dlen);
packet_check_eom();
if (kdata[0] != 4) { /* KRB_PROT_VERSION */
krb5_data tkt, reply;
tkt.length = dlen;
tkt.data = kdata;
if (PRIVSEP(auth_krb5(authctxt, &tkt,
&client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
/* Send response to client */
packet_start(
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)
reply.data, reply.length);
packet_send();
packet_write_wait();
if (reply.length)
xfree(reply.data);
}
}
xfree(kdata);
}
break;
case SSH_CMSG_HAVE_KERBEROS_TGT:
packet_send_debug("Kerberos TGT passing disabled before authentication.");
break;
#endif
case SSH_CMSG_AUTH_RHOSTS_RSA:
if (!options.rhosts_rsa_authentication) {
verbose("Rhosts with RSA authentication disabled.");
@ -337,16 +292,6 @@ do_authentication(void)
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
#ifdef KRB5
/* XXX - SSH.com Kerberos v5 braindeath. */
if ((datafellows & SSH_BUG_K5USER) &&
options.kerberos_authentication) {
char *p;
if ((p = strchr(user, '@')) != NULL)
*p = '\0';
}
#endif
authctxt = authctxt_new();
authctxt->user = user;
authctxt->style = style;


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor.c,v 1.47 2003/08/24 17:36:52 deraadt Exp $");
RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
#include <openssl/dh.h>
@ -130,9 +130,6 @@ int mm_answer_pam_respond(int, Buffer *);
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
#ifdef KRB5
int mm_answer_krb5(int, Buffer *);
#endif
#ifdef GSSAPI
int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
@ -192,9 +189,6 @@ struct mon_table mon_dispatch_proto20[] = {
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
#ifdef GSSAPI
{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
@ -236,9 +230,6 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
{0, 0, NULL}
};
@ -1470,45 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
#ifdef KRB5
int
mm_answer_krb5(int socket, Buffer *m)
{
krb5_data tkt, reply;
char *client_user;
u_int len;
int success;
/* use temporary var to avoid size issues on 64bit arch */
tkt.data = buffer_get_string(m, &len);
tkt.length = len;
success = options.kerberos_authentication &&
authctxt->valid &&
auth_krb5(authctxt, &tkt, &client_user, &reply);
if (tkt.length)
xfree(tkt.data);
buffer_clear(m);
buffer_put_int(m, success);
if (success) {
buffer_put_cstring(m, client_user);
buffer_put_string(m, reply.data, reply.length);
if (client_user)
xfree(client_user);
if (reply.length)
xfree(reply.data);
}
mm_request_send(socket, MONITOR_ANS_KRB5, m);
auth_method = "kerberos";
return success;
}
#endif
int
mm_answer_term(int socket, Buffer *req)
{


@ -1,4 +1,4 @@
/* $OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */
/* $OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -49,7 +49,6 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $");
RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@ -1071,41 +1071,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
#ifdef KRB5
int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
{
krb5_data *tkt, *reply;
Buffer m;
int success;
debug3("%s entering", __func__);
tkt = (krb5_data *) argp;
reply = (krb5_data *) resp;
buffer_init(&m);
buffer_put_string(&m, tkt->data, tkt->length);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
success = buffer_get_int(&m);
if (success) {
u_int len;
*userp = buffer_get_string(&m, NULL);
reply->data = buffer_get_string(&m, &len);
reply->length = len;
} else {
memset(reply, 0, sizeof(*reply));
*userp = NULL;
}
buffer_free(&m);
return (success);
}
#endif /* KRB5 */
#ifdef GSSAPI
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)


@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -96,13 +96,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
/* auth_krb */
#ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */
int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
#endif
/* zlib allocation hooks */
void *mm_zalloc(struct mm_master *, u_int, u_int);


@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $");
RCSID("$OpenBSD: readconf.c,v 1.119 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@ -132,13 +132,8 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
#ifdef KRB5
{ "kerberosauthentication", oKerberosAuthentication },
{ "kerberostgtpassing", oKerberosTgtPassing },
#else
{ "kerberosauthentication", oUnsupported },
{ "kerberostgtpassing", oUnsupported },
#endif
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },


@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $");
RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "log.h"
@ -304,13 +304,12 @@ static struct {
{ "kerberosauthentication", sKerberosAuthentication },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
{ "kerberosticketcleanup", sKerberosTicketCleanup },
{ "kerberostgtpassing", sKerberosTgtPassing },
#else
{ "kerberosauthentication", sUnsupported },
{ "kerberosorlocalpasswd", sUnsupported },
{ "kerberosticketcleanup", sUnsupported },
{ "kerberostgtpassing", sUnsupported },
#endif
{ "kerberostgtpassing", sUnsupported },
{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication },


@ -33,7 +33,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $");
RCSID("$OpenBSD: session.c,v 1.162 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -332,30 +332,6 @@ do_authenticated1(Authctxt *authctxt)
success = 1;
break;
#ifdef KRB5
case SSH_CMSG_HAVE_KERBEROS_TGT:
if (!options.kerberos_tgt_passing) {
verbose("Kerberos TGT passing disabled.");
} else {
char *kdata = packet_get_string(&dlen);
packet_check_eom();
/* XXX - 0x41, used for AFS */
if (kdata[0] != 0x41) {
krb5_data tgt;
tgt.data = kdata;
tgt.length = dlen;
if (auth_krb5_tgt(s->authctxt, &tgt))
success = 1;
else
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
}
xfree(kdata);
}
break;
#endif
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
if (type == SSH_CMSG_EXEC_CMD) {


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $
.\" $OpenBSD: ssh_config.5,v 1.19 2003/08/28 12:54:34 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@ -407,18 +407,6 @@ This is important in scripts, and many users want it too.
.Pp
To disable keepalives, the value should be set to
.Dq no .
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication will be used.
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT will be forwarded to the server.
The argument to this keyword must be
.Dq yes
or
.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote machine.


@ -13,15 +13,11 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
#ifdef KRB5
#include <krb5.h>
#endif
#include "ssh.h"
#include "ssh1.h"
#include "xmalloc.h"
@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
return 0;
}
#ifdef KRB5
static int
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
{
krb5_error_code problem;
const char *tkfile;
struct stat buf;
krb5_ccache ccache = NULL;
const char *remotehost;
krb5_data ap;
int type;
krb5_ap_rep_enc_part *reply = NULL;
int ret;
memset(&ap, 0, sizeof(ap));
problem = krb5_init_context(context);
if (problem) {
debug("Kerberos v5: krb5_init_context failed");
ret = 0;
goto out;
}
problem = krb5_auth_con_init(*context, auth_context);
if (problem) {
debug("Kerberos v5: krb5_auth_con_init failed");
ret = 0;
goto out;
}
#ifndef HEIMDAL
problem = krb5_auth_con_setflags(*context, *auth_context,
KRB5_AUTH_CONTEXT_RET_TIME);
if (problem) {
debug("Keberos v5: krb5_auth_con_setflags failed");
ret = 0;
goto out;
}
#endif
tkfile = krb5_cc_default_name(*context);
if (strncmp(tkfile, "FILE:", 5) == 0)
tkfile += 5;
if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
debug("Kerberos v5: could not get default ccache (permission denied).");
ret = 0;
goto out;
}
problem = krb5_cc_default(*context, &ccache);
if (problem) {
debug("Kerberos v5: krb5_cc_default failed: %s",
krb5_get_err_text(*context, problem));
ret = 0;
goto out;
}
remotehost = get_canonical_hostname(1);
problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
"host", remotehost, NULL, ccache, &ap);
if (problem) {
debug("Kerberos v5: krb5_mk_req failed: %s",
krb5_get_err_text(*context, problem));
ret = 0;
goto out;
}
packet_start(SSH_CMSG_AUTH_KERBEROS);
packet_put_string((char *) ap.data, ap.length);
packet_send();
packet_write_wait();
xfree(ap.data);
ap.length = 0;
type = packet_read();
switch (type) {
case SSH_SMSG_FAILURE:
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
debug("Kerberos v5 authentication failed.");
ret = 0;
break;
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
debug("Kerberos v5 authentication accepted.");
/* Get server's response. */
ap.data = packet_get_string((unsigned int *) &ap.length);
packet_check_eom();
/* XXX je to dobre? */
problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
if (problem) {
ret = 0;
}
ret = 1;
break;
default:
packet_disconnect("Protocol error on Kerberos v5 response: %d",
type);
ret = 0;
break;
}
out:
if (ccache != NULL)
krb5_cc_close(*context, ccache);
if (reply != NULL)
krb5_free_ap_rep_enc_part(*context, reply);
if (ap.length > 0)
#ifdef HEIMDAL
krb5_data_free(&ap);
#else
krb5_free_data_contents(*context, &ap);
#endif
return (ret);
}
static void
send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
{
int fd, type;
krb5_error_code problem;
krb5_data outbuf;
krb5_ccache ccache = NULL;
krb5_creds creds;
#ifdef HEIMDAL
krb5_kdc_flags flags;
#else
int forwardable;
#endif
const char *remotehost;
memset(&creds, 0, sizeof(creds));
memset(&outbuf, 0, sizeof(outbuf));
fd = packet_get_connection_in();
#ifdef HEIMDAL
problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
#else
problem = krb5_auth_con_genaddrs(context, auth_context, fd,
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
#endif
if (problem)
goto out;
problem = krb5_cc_default(context, &ccache);
if (problem)
goto out;
problem = krb5_cc_get_principal(context, ccache, &creds.client);
if (problem)
goto out;
remotehost = get_canonical_hostname(1);
#ifdef HEIMDAL
problem = krb5_build_principal(context, &creds.server,
strlen(creds.client->realm), creds.client->realm,
"krbtgt", creds.client->realm, NULL);
#else
problem = krb5_build_principal(context, &creds.server,
creds.client->realm.length, creds.client->realm.data,
"host", remotehost, NULL);
#endif
if (problem)
goto out;
creds.times.endtime = 0;
#ifdef HEIMDAL
flags.i = 0;
flags.b.forwarded = 1;
flags.b.forwardable = krb5_config_get_bool(context, NULL,
"libdefaults", "forwardable", NULL);
problem = krb5_get_forwarded_creds(context, auth_context,
ccache, flags.i, remotehost, &creds, &outbuf);
#else
forwardable = 1;
problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
creds.client, creds.server, ccache, forwardable, &outbuf);
#endif
if (problem)
goto out;
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
packet_put_string((char *)outbuf.data, outbuf.length);
packet_send();
packet_write_wait();
type = packet_read();
if (type == SSH_SMSG_SUCCESS) {
char *pname;
krb5_unparse_name(context, creds.client, &pname);
debug("Kerberos v5 TGT forwarded (%s).", pname);
xfree(pname);
} else
debug("Kerberos v5 TGT forwarding failed.");
return;
out:
if (problem)
debug("Kerberos v5 TGT forwarding failed: %s",
krb5_get_err_text(context, problem));
if (creds.client)
krb5_free_principal(context, creds.client);
if (creds.server)
krb5_free_principal(context, creds.server);
if (ccache)
krb5_cc_close(context, ccache);
if (outbuf.data)
xfree(outbuf.data);
}
#endif /* KRB5 */
/*
* Tries to authenticate with any string-based challenge/response system.
* Note that the client code is not tied to s/key or TIS.
@ -885,10 +654,6 @@ void
ssh_userauth1(const char *local_user, const char *server_user, char *host,
Sensitive *sensitive)
{
#ifdef KRB5
krb5_context context = NULL;
krb5_auth_context auth_context = NULL;
#endif
int i, type;
if (supported_authentications == 0)
@ -913,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
#ifdef KRB5
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
options.kerberos_authentication) {
debug("Trying Kerberos v5 authentication.");
if (try_krb5_authentication(&context, &auth_context)) {
type = packet_read();
if (type == SSH_SMSG_SUCCESS)
goto success;
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
}
}
#endif /* KRB5 */
/*
* Try .rhosts or /etc/hosts.equiv authentication with RSA host
* authentication.
@ -981,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
/* NOTREACHED */
success:
#ifdef KRB5
/* Try Kerberos v5 TGT passing. */
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
options.kerberos_tgt_passing && context && auth_context) {
if (options.cipher == SSH_CIPHER_NONE)
logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
send_krb5_tgt(context, auth_context);
}
if (auth_context)
krb5_auth_con_free(context, auth_context);
if (context)
krb5_free_context(context);
#endif
return; /* need statement after label */
}

16
sshd.c

@ -42,7 +42,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@ -1463,14 +1463,6 @@ main(int ac, char **av)
sshd_exchange_identification(sock_in, sock_out);
#ifdef KRB5
if (!packet_connection_is_ipv4() &&
options.kerberos_authentication) {
debug("Kerberos Authentication disabled, only available for IPv4.");
options.kerberos_authentication = 0;
}
#endif
packet_set_nonblocking();
/* prepare buffers to collect authentication messages */
@ -1634,12 +1626,6 @@ do_ssh1_kex(void)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
#ifdef KRB5
if (options.kerberos_authentication)
auth_mask |= 1 << SSH_AUTH_KERBEROS;
if (options.kerberos_tgt_passing)
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif
if (options.challenge_response_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
if (options.password_authentication)


@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -61,7 +61,6 @@
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosTgtPassing no
# GSSAPI options
#GSSAPIAuthentication no


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $
.\" $OpenBSD: sshd_config.5,v 1.24 2003/08/28 12:54:34 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -316,11 +316,9 @@ This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to
.Dq no .
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication is allowed.
This can be in the form of a Kerberos ticket, or if
Specifies whether the password provided by the user for
.Cm PasswordAuthentication
is yes, the password provided by the user will be validated through
the Kerberos KDC.
will be validated through the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
@ -332,10 +330,6 @@ such as
.Pa /etc/passwd .
Default is
.Dq yes .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
.Dq no .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.