- markus@cvs.openbsd.org 2003/08/28 12:54:34

[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] [sshconnect1.c sshd.c sshd_config sshd_config.5] remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
2003-09-02 22:51:17 +10:00 · 2003-09-02 22:51:17 +10:00 · 1a0c0b9621
parent 55c47edc81
commit 1a0c0b9621
16 changed files with 25 additions and 684 deletions
--- a/8
+++ b/8
@ -3,6 +3,12 @@
   - deraadt@cvs.openbsd.org 2003/08/24 17:36:51
     [auth2-gss.c]
     64 bit cleanups; markus ok
   - markus@cvs.openbsd.org 2003/08/28 12:54:34
     [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
     [sshconnect1.c sshd.c sshd_config sshd_config.5]
     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
 20030829
 - (bal) openbsd-compat/ clean up.  Considate headers, add in Id on our
@ -918,4 +924,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.2920 2003/09/02 12:14:07 djm Exp $
+$Id: ChangeLog,v 1.2921 2003/09/02 12:51:17 djm Exp $
--- a/auth-krb5.c
+++ b/auth-krb5.c
@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@ -65,193 +65,6 @@ krb5_init(void *context)
 	return (0);
 }
 /*
 * Try krb5 authentication. server_user is passed for logging purposes
 * only, in auth is received ticket, in client is returned principal
 * from the ticket
 */
 int
 auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
 {
 	krb5_error_code problem;
 	krb5_principal server;
 	krb5_ticket *ticket;
 	int fd, ret;
 	ret = 0;
 	server = NULL;
 	ticket = NULL;
 	reply->length = 0;
 	problem = krb5_init(authctxt);
 	if (problem)
 		goto err;
 	problem = krb5_auth_con_init(authctxt->krb5_ctx,
 	    &authctxt->krb5_auth_ctx);
 	if (problem)
 		goto err;
 	fd = packet_get_connection_in();
 #ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
 	    authctxt->krb5_auth_ctx, &fd);
 #else
 	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
 	    authctxt->krb5_auth_ctx,fd,
 	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
 	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
 #endif
 	if (problem)
 		goto err;
 	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
 	    KRB5_NT_SRV_HST, &server);
 	if (problem)
 		goto err;
 	problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
 	    auth, server, NULL, NULL, &ticket);
 	if (problem)
 		goto err;
 #ifdef HEIMDAL
 	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
 	    &authctxt->krb5_user);
 #else
 	problem = krb5_copy_principal(authctxt->krb5_ctx, 
 				      ticket->enc_part2->client,
 				      &authctxt->krb5_user);
 #endif
 	if (problem)
 		goto err;
 	/* if client wants mutual auth */
 	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    reply);
 	if (problem)
 		goto err;
 	/* Check .k5login authorization now. */
 	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
 	    authctxt->pw->pw_name))
 		goto err;
 	if (client)
 		krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
 		    client);
 	ret = 1;
 err:
 	if (server)
 		krb5_free_principal(authctxt->krb5_ctx, server);
 	if (ticket)
 		krb5_free_ticket(authctxt->krb5_ctx, ticket);
 	if (!ret && reply->length) {
 		xfree(reply->data);
 		memset(reply, 0, sizeof(*reply));
 	}
 	if (problem) {
 		if (authctxt->krb5_ctx != NULL)
 			debug("Kerberos v5 authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
 		else
 			debug("Kerberos v5 authentication failed: %d",
 			    problem);
 	}
 	return (ret);
 }
 int
 auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 {
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
 	char *pname;
 	krb5_creds **creds;
 	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 		return (0);
 	temporarily_use_uid(authctxt->pw);
 #ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
 #else
 {
 	char ccname[40];
 	int tmpfd;
 	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
 	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
 		logit("mkstemp(): %.100s", strerror(errno));
 		problem = errno;
 		goto fail;
 	}
 	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 		logit("fchmod(): %.100s", strerror(errno));
 		close(tmpfd);
 		problem = errno;
 		goto fail;
 	}
 	close(tmpfd);
 	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
 }
 #endif
 	if (problem)
 		goto fail;
 	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
 	    authctxt->krb5_user);
 	if (problem)
 		goto fail;
 #ifdef HEIMDAL
 	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    ccache, tgt);
 	if (problem)
 		goto fail;
 #else
 	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    tgt, &creds, NULL);
 	if (problem)
 		goto fail;
 	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
 	if (problem)
 		goto fail;
 #endif
 	authctxt->krb5_fwd_ccache = ccache;
 	ccache = NULL;
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 	problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
 	    &pname);
 	if (problem)
 		goto fail;
 	debug("Kerberos v5 TGT accepted (%s)", pname);
 	restore_uid();
 	return (1);
 fail:
 	if (problem)
 		debug("Kerberos v5 TGT passing failed: %s",
 		    krb5_get_err_text(authctxt->krb5_ctx, problem));
 	if (ccache)
 		krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 	restore_uid();
 	return (0);
 }
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@ -405,11 +218,6 @@ krb5_cleanup_proc(void *context)
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 		authctxt->krb5_user = NULL;
 	}
 	if (authctxt->krb5_auth_ctx) {
 		krb5_auth_con_free(authctxt->krb5_ctx,
 		    authctxt->krb5_auth_ctx);
 		authctxt->krb5_auth_ctx = NULL;
 	}
 	if (authctxt->krb5_ctx) {
 		krb5_free_context(authctxt->krb5_ctx);
 		authctxt->krb5_ctx = NULL;
--- a/auth.h
+++ b/auth.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: auth.h,v 1.44 2003/08/22 10:56:08 markus Exp $	*/
+/*	$OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $	*/
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@ -62,7 +62,6 @@ struct Authctxt {
 #endif
 #ifdef KRB5
 	krb5_context	 krb5_ctx;
 	krb5_auth_context krb5_auth_ctx;
 	krb5_ccache	 krb5_fwd_ccache;
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
--- a/auth1.c
+++ b/auth1.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@ -49,10 +49,6 @@ get_authname(int type)
 	case SSH_CMSG_AUTH_TIS:
 	case SSH_CMSG_AUTH_TIS_RESPONSE:
 		return "challenge-response";
 #ifdef KRB5
 	case SSH_CMSG_AUTH_KERBEROS:
 		return "kerberos";
 #endif
 	}
 	snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
 	return buf;
@ -119,47 +115,6 @@ do_authloop(Authctxt *authctxt)
 		/* Process the packet. */
 		switch (type) {
 #ifdef KRB5
 		case SSH_CMSG_AUTH_KERBEROS:
 			if (!options.kerberos_authentication) {
 				verbose("Kerberos authentication disabled.");
 			} else {
 				char *kdata = packet_get_string(&dlen);
 				packet_check_eom();
 				if (kdata[0] != 4) { /* KRB_PROT_VERSION */
 					krb5_data tkt, reply;
 					tkt.length = dlen;
 					tkt.data = kdata;
 					if (PRIVSEP(auth_krb5(authctxt, &tkt,
 					    &client_user, &reply))) {
 						authenticated = 1;
 						snprintf(info, sizeof(info),
 						    " tktuser %.100s",
 						    client_user);
 						/* Send response to client */
 						packet_start(
 						    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
 						packet_put_string((char *)
 						    reply.data, reply.length);
 						packet_send();
 						packet_write_wait();
 						if (reply.length)
 							xfree(reply.data);
 					}
 				}
 				xfree(kdata);
 			}
 			break;
 		case SSH_CMSG_HAVE_KERBEROS_TGT:
 			packet_send_debug("Kerberos TGT passing disabled before authentication.");
 			break;
 #endif
 		case SSH_CMSG_AUTH_RHOSTS_RSA:
 			if (!options.rhosts_rsa_authentication) {
 				verbose("Rhosts with RSA authentication disabled.");
@ -337,16 +292,6 @@ do_authentication(void)
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 #ifdef KRB5
 	/* XXX - SSH.com Kerberos v5 braindeath. */
 	if ((datafellows & SSH_BUG_K5USER) &&
 	    options.kerberos_authentication) {
 		char *p;
 		if ((p = strchr(user, '@')) != NULL)
 			*p = '\0';
 	}
 #endif
 	authctxt = authctxt_new();
 	authctxt->user = user;
 	authctxt->style = style;
--- a/monitor.c
+++ b/monitor.c
@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.47 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/dh.h>
@ -130,9 +130,6 @@ int mm_answer_pam_respond(int, Buffer *);
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 #ifdef KRB5
 int mm_answer_krb5(int, Buffer *);
 #endif
 #ifdef GSSAPI
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
@ -192,9 +189,6 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
 #ifdef KRB5
    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
 #ifdef GSSAPI
    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
@ -236,9 +230,6 @@ struct mon_table mon_dispatch_proto15[] = {
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef KRB5
    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
    {0, 0, NULL}
 };
@ -1470,45 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
 	return (success);
 }
 #ifdef KRB5
 int
 mm_answer_krb5(int socket, Buffer *m)
 {
 	krb5_data tkt, reply;
 	char *client_user;
 	u_int len;
 	int success;
 	/* use temporary var to avoid size issues on 64bit arch */
 	tkt.data = buffer_get_string(m, &len);
 	tkt.length = len;
 	success = options.kerberos_authentication &&
 	    authctxt->valid &&
 	    auth_krb5(authctxt, &tkt, &client_user, &reply);
 	if (tkt.length)
 		xfree(tkt.data);
 	buffer_clear(m);
 	buffer_put_int(m, success);
 	if (success) {
 		buffer_put_cstring(m, client_user);
 		buffer_put_string(m, reply.data, reply.length);
 		if (client_user)
 			xfree(client_user);
 		if (reply.length)
 			xfree(reply.data);
 	}
 	mm_request_send(socket, MONITOR_ANS_KRB5, m);
 	auth_method = "kerberos";
 	return success;
 }
 #endif
 int
 mm_answer_term(int socket, Buffer *req)
 {
--- a/monitor.h
+++ b/monitor.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $	*/
+/*	$OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $	*/
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -49,7 +49,6 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@ -1071,41 +1071,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
 	return (success);
 }
 #ifdef KRB5
 int
 mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
 {
 	krb5_data *tkt, *reply;
 	Buffer m;
 	int success;
 	debug3("%s entering", __func__);
 	tkt = (krb5_data *) argp;
 	reply = (krb5_data *) resp;
 	buffer_init(&m);
 	buffer_put_string(&m, tkt->data, tkt->length);
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
 	success = buffer_get_int(&m);
 	if (success) {
 		u_int len;
 		*userp = buffer_get_string(&m, NULL);
 		reply->data = buffer_get_string(&m, &len);
 		reply->length = len;
 	} else {
 		memset(reply, 0, sizeof(*reply));
 		*userp = NULL;
 	}
 	buffer_free(&m);
 	return (success);
 }
 #endif /* KRB5 */
 #ifdef GSSAPI
 OM_uint32
 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $	*/
+/*	$OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $	*/
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -96,13 +96,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 /* auth_krb */
 #ifdef KRB5
 /* auth and reply are really krb5_data objects, but we don't want to
 * include all of the krb5 headers here */
 int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
 #endif
 /* zlib allocation hooks */
 void *mm_zalloc(struct mm_master *, u_int, u_int);
--- a/readconf.c
+++ b/readconf.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.119 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "xmalloc.h"
@ -132,13 +132,8 @@ static struct {
 	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
 	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 #ifdef KRB5
 	{ "kerberosauthentication", oKerberosAuthentication },
 	{ "kerberostgtpassing", oKerberosTgtPassing },
 #else
 	{ "kerberosauthentication", oUnsupported },
 	{ "kerberostgtpassing", oUnsupported },
 #endif
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
--- a/servconf.c
+++ b/servconf.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "log.h"
@ -304,13 +304,12 @@ static struct {
 	{ "kerberosauthentication", sKerberosAuthentication },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup },
 	{ "kerberostgtpassing", sKerberosTgtPassing },
 #else
 	{ "kerberosauthentication", sUnsupported },
 	{ "kerberosorlocalpasswd", sUnsupported },
 	{ "kerberosticketcleanup", sUnsupported },
 	{ "kerberostgtpassing", sUnsupported },
 #endif
 	{ "kerberostgtpassing", sUnsupported },
 	{ "afstokenpassing", sUnsupported },
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication },
--- a/session.c
+++ b/session.c
@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.162 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@ -332,30 +332,6 @@ do_authenticated1(Authctxt *authctxt)
 				success = 1;
 			break;
 #ifdef KRB5
 		case SSH_CMSG_HAVE_KERBEROS_TGT:
 			if (!options.kerberos_tgt_passing) {
 				verbose("Kerberos TGT passing disabled.");
 			} else {
 				char *kdata = packet_get_string(&dlen);
 				packet_check_eom();
 				/* XXX - 0x41, used for AFS */
 				if (kdata[0] != 0x41) {
 					krb5_data tgt;
 					tgt.data = kdata;
 					tgt.length = dlen;
 					if (auth_krb5_tgt(s->authctxt, &tgt))
 						success = 1;
 					else
 						verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
 				}
 				xfree(kdata);
 			}
 			break;
 #endif
 		case SSH_CMSG_EXEC_SHELL:
 		case SSH_CMSG_EXEC_CMD:
 			if (type == SSH_CMSG_EXEC_CMD) {
--- a/ssh_config.5
+++ b/ssh_config.5
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.19 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@ -407,18 +407,6 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable keepalives, the value should be set to
 .Dq no .
 .It Cm KerberosAuthentication
 Specifies whether Kerberos authentication will be used.
 The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT will be forwarded to the server.
 The argument to this keyword must be
 .Dq yes
 or
 .Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
--- a/sshconnect1.c
+++ b/sshconnect1.c
@ -13,15 +13,11 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #ifdef KRB5
 #include <krb5.h>
 #endif
 #include "ssh.h"
 #include "ssh1.h"
 #include "xmalloc.h"
@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
 	return 0;
 }
 #ifdef KRB5
 static int
 try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
 {
 	krb5_error_code problem;
 	const char *tkfile;
 	struct stat buf;
 	krb5_ccache ccache = NULL;
 	const char *remotehost;
 	krb5_data ap;
 	int type;
 	krb5_ap_rep_enc_part *reply = NULL;
 	int ret;
 	memset(&ap, 0, sizeof(ap));
 	problem = krb5_init_context(context);
 	if (problem) {
 		debug("Kerberos v5: krb5_init_context failed");
 		ret = 0;
 		goto out;
 	}
 	problem = krb5_auth_con_init(*context, auth_context);
 	if (problem) {
 		debug("Kerberos v5: krb5_auth_con_init failed");
 		ret = 0;
 		goto out;
 	}
 #ifndef HEIMDAL
 	problem = krb5_auth_con_setflags(*context, *auth_context,
 					 KRB5_AUTH_CONTEXT_RET_TIME);
 	if (problem) {
 		debug("Keberos v5: krb5_auth_con_setflags failed");
 		ret = 0;
 		goto out;
 	}
 #endif
 	tkfile = krb5_cc_default_name(*context);
 	if (strncmp(tkfile, "FILE:", 5) == 0)
 		tkfile += 5;
 	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
 		debug("Kerberos v5: could not get default ccache (permission denied).");
 		ret = 0;
 		goto out;
 	}
 	problem = krb5_cc_default(*context, &ccache);
 	if (problem) {
 		debug("Kerberos v5: krb5_cc_default failed: %s",
 		    krb5_get_err_text(*context, problem));
 		ret = 0;
 		goto out;
 	}
 	remotehost = get_canonical_hostname(1);
 	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
 	    "host", remotehost, NULL, ccache, &ap);
 	if (problem) {
 		debug("Kerberos v5: krb5_mk_req failed: %s",
 		    krb5_get_err_text(*context, problem));
 		ret = 0;
 		goto out;
 	}
 	packet_start(SSH_CMSG_AUTH_KERBEROS);
 	packet_put_string((char *) ap.data, ap.length);
 	packet_send();
 	packet_write_wait();
 	xfree(ap.data);
 	ap.length = 0;
 	type = packet_read();
 	switch (type) {
 	case SSH_SMSG_FAILURE:
 		/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
 		debug("Kerberos v5 authentication failed.");
 		ret = 0;
 		break;
 	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
 		/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
 		debug("Kerberos v5 authentication accepted.");
 		/* Get server's response. */
 		ap.data = packet_get_string((unsigned int *) &ap.length);
 		packet_check_eom();
 		/* XXX je to dobre? */
 		problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
 		if (problem) {
 			ret = 0;
 		}
 		ret = 1;
 		break;
 	default:
 		packet_disconnect("Protocol error on Kerberos v5 response: %d",
 		    type);
 		ret = 0;
 		break;
 	}
 out:
 	if (ccache != NULL)
 		krb5_cc_close(*context, ccache);
 	if (reply != NULL)
 		krb5_free_ap_rep_enc_part(*context, reply);
 	if (ap.length > 0)
 #ifdef HEIMDAL
 		krb5_data_free(&ap);
 #else
 		krb5_free_data_contents(*context, &ap);
 #endif
 	return (ret);
 }
 static void
 send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 {
 	int fd, type;
 	krb5_error_code problem;
 	krb5_data outbuf;
 	krb5_ccache ccache = NULL;
 	krb5_creds creds;
 #ifdef HEIMDAL
 	krb5_kdc_flags flags;
 #else
 	int forwardable;
 #endif
 	const char *remotehost;
 	memset(&creds, 0, sizeof(creds));
 	memset(&outbuf, 0, sizeof(outbuf));
 	fd = packet_get_connection_in();
 #ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
 #else
 	problem = krb5_auth_con_genaddrs(context, auth_context, fd,
 			KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
 			KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
 #endif
 	if (problem)
 		goto out;
 	problem = krb5_cc_default(context, &ccache);
 	if (problem)
 		goto out;
 	problem = krb5_cc_get_principal(context, ccache, &creds.client);
 	if (problem)
 		goto out;
 	remotehost = get_canonical_hostname(1);
 #ifdef HEIMDAL
 	problem = krb5_build_principal(context, &creds.server,
 	    strlen(creds.client->realm), creds.client->realm,
 	    "krbtgt", creds.client->realm, NULL);
 #else
 	problem = krb5_build_principal(context, &creds.server,
 	    creds.client->realm.length, creds.client->realm.data,
 	    "host", remotehost, NULL);
 #endif
 	if (problem)
 		goto out;
 	creds.times.endtime = 0;
 #ifdef HEIMDAL
 	flags.i = 0;
 	flags.b.forwarded = 1;
 	flags.b.forwardable = krb5_config_get_bool(context,  NULL,
 	    "libdefaults", "forwardable", NULL);
 	problem = krb5_get_forwarded_creds(context, auth_context,
 	    ccache, flags.i, remotehost, &creds, &outbuf);
 #else
 	forwardable = 1;
 	problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
 	    creds.client, creds.server, ccache, forwardable, &outbuf);
 #endif
 	if (problem)
 		goto out;
 	packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
 	packet_put_string((char *)outbuf.data, outbuf.length);
 	packet_send();
 	packet_write_wait();
 	type = packet_read();
 	if (type == SSH_SMSG_SUCCESS) {
 		char *pname;
 		krb5_unparse_name(context, creds.client, &pname);
 		debug("Kerberos v5 TGT forwarded (%s).", pname);
 		xfree(pname);
 	} else
 		debug("Kerberos v5 TGT forwarding failed.");
 	return;
 out:
 	if (problem)
 		debug("Kerberos v5 TGT forwarding failed: %s",
 		    krb5_get_err_text(context, problem));
 	if (creds.client)
 		krb5_free_principal(context, creds.client);
 	if (creds.server)
 		krb5_free_principal(context, creds.server);
 	if (ccache)
 		krb5_cc_close(context, ccache);
 	if (outbuf.data)
 		xfree(outbuf.data);
 }
 #endif /* KRB5 */
 /*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
@ -885,10 +654,6 @@ void
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
    Sensitive *sensitive)
 {
 #ifdef KRB5
 	krb5_context context = NULL;
 	krb5_auth_context auth_context = NULL;
 #endif
 	int i, type;
 	if (supported_authentications == 0)
@ -913,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	if (type != SSH_SMSG_FAILURE)
 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
 #ifdef KRB5
 	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
 	    options.kerberos_authentication) {
 		debug("Trying Kerberos v5 authentication.");
 		if (try_krb5_authentication(&context, &auth_context)) {
 			type = packet_read();
 			if (type == SSH_SMSG_SUCCESS)
 				goto success;
 			if (type != SSH_SMSG_FAILURE)
 				packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
 		}
 	}
 #endif /* KRB5 */
 	/*
 	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
 	 * authentication.
@ -981,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	/* NOTREACHED */
 success:
 #ifdef KRB5
 	/* Try Kerberos v5 TGT passing. */
 	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
 	    options.kerberos_tgt_passing && context && auth_context) {
 		if (options.cipher == SSH_CIPHER_NONE)
 			logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
 		send_krb5_tgt(context, auth_context);
 	}
 	if (auth_context)
 		krb5_auth_con_free(context, auth_context);
 	if (context)
 		krb5_free_context(context);
 #endif
 	return;	/* need statement after label */
 }
--- a/sshd.c
+++ b/sshd.c
@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@ -1463,14 +1463,6 @@ main(int ac, char **av)
 	sshd_exchange_identification(sock_in, sock_out);
 #ifdef KRB5
 	if (!packet_connection_is_ipv4() &&
 	    options.kerberos_authentication) {
 		debug("Kerberos Authentication disabled, only available for IPv4.");
 		options.kerberos_authentication = 0;
 	}
 #endif
 	packet_set_nonblocking();
        /* prepare buffers to collect authentication messages */
@ -1634,12 +1626,6 @@ do_ssh1_kex(void)
 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
 	if (options.rsa_authentication)
 		auth_mask |= 1 << SSH_AUTH_RSA;
 #ifdef KRB5
 	if (options.kerberos_authentication)
 		auth_mask |= 1 << SSH_AUTH_KERBEROS;
 	if (options.kerberos_tgt_passing)
 		auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
 #endif
 	if (options.challenge_response_authentication == 1)
 		auth_mask |= 1 << SSH_AUTH_TIS;
 	if (options.password_authentication)
--- a/3
+++ b/3
@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $
+#	$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@ -61,7 +61,6 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosTgtPassing no
 # GSSAPI options
 #GSSAPIAuthentication no
--- a/sshd_config.5
+++ b/sshd_config.5
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.24 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@ -316,11 +316,9 @@ This avoids infinitely hanging sessions.
 To disable keepalives, the value should be set to
 .Dq no .
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
+Specifies whether the password provided by the user for
 This can be in the form of a Kerberos ticket, or if
 .Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
+will be validated through the Kerberos KDC.
 the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
@ -332,10 +330,6 @@ such as
 .Pa /etc/passwd .
 Default is
 .Dq yes .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
 Default is
 .Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.