[auth1.c auth.h auth-krb5.c monitor.c monitor.h]
     [monitor_wrap.c monitor_wrap.h]
     kerberos support for privsep.  confirmed to work by lha@stacken.kth.se
     patch from markus
This commit is contained in:
Damien Miller 2002-09-12 09:47:29 +10:00
parent 4d53d39b07
commit 25162f2518
8 changed files with 121 additions and 22 deletions


@ -3,6 +3,11 @@
- markus@cvs.openbsd.org 2002/09/08 20:24:08
[hostfile.h]
no comma at end of enumerator list
- itojun@cvs.openbsd.org 2002/09/09 06:48:06
[auth1.c auth.h auth-krb5.c monitor.c monitor.h]
[monitor_wrap.c monitor_wrap.h]
kerberos support for privsep. confirmed to work by lha@stacken.kth.se
patch from markus
20020911
- (djm) Sync openbsd-compat with OpenBSD -current
@ -1623,4 +1628,4 @@
- (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
$Id: ChangeLog,v 1.2452 2002/09/11 23:43:56 djm Exp $
$Id: ChangeLog,v 1.2453 2002/09/11 23:47:29 djm Exp $


@ -28,7 +28,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -73,18 +73,17 @@ krb5_init(void *context)
* from the ticket
*/
int
auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
{
krb5_error_code problem;
krb5_principal server;
krb5_data reply;
krb5_ticket *ticket;
int fd, ret;
ret = 0;
server = NULL;
ticket = NULL;
reply.length = 0;
reply->length = 0;
problem = krb5_init(authctxt);
if (problem)
@ -131,7 +130,7 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
/* if client wants mutual auth */
problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
&reply);
reply);
if (problem)
goto err;
@ -144,19 +143,16 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
client);
packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *) reply.data, reply.length);
packet_send();
packet_write_wait();
ret = 1;
err:
if (server)
krb5_free_principal(authctxt->krb5_ctx, server);
if (ticket)
krb5_free_ticket(authctxt->krb5_ctx, ticket);
if (reply.length)
xfree(reply.data);
if (!ret && reply->length) {
xfree(reply->data);
memset(reply, 0, sizeof(*reply));
}
if (problem) {
if (authctxt->krb5_ctx != NULL)
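Review bot: `reply->length = 0;` on entry initializes only half of the new out-parameter, so on any failure before krb5_mk_rep() the caller gets length 0 with an indeterminate `reply->data`, and the cleanup at the end only zeroes the struct when a reply had been produced; initializing the whole struct up front, `memset(reply, 0, sizeof(*reply));`, gives every exit a well-defined value. The ownership contract is also undocumented now that the reply crosses a function and, under privsep, a process boundary; the header comment above the definition could add: `On success *reply holds the mutual-authentication reply from krb5_mk_rep() and the caller owns reply->data (xfree it); on failure *reply is zeroed.` auth_krb5's body continues past the end of the hunk.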

auth.h

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.39 2002/05/31 11:35:15 markus Exp $ */
/* $OpenBSD: auth.h,v 1.40 2002/09/09 06:48:06 itojun Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -126,7 +126,7 @@ int auth_afs_token(Authctxt *, const char *);
#endif /* KRB4 */
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int auth_krb5_password(Authctxt *authctxt, const char *password);
void krb5_cleanup_proc(void *authctxt);
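Review bot: The new prototype leaves the added parameter unnamed while the other three carry names, so a reader of the header cannot tell it is an out-parameter. Keeping the name from the definition in auth-krb5.c documents that: `int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply);`.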

auth1.c

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.42 2002/08/22 21:33:58 markus Exp $");
RCSID("$OpenBSD: auth1.c,v 1.43 2002/09/09 06:48:06 itojun Exp $");
#include "xmalloc.h"
#include "rsa.h"
@ -133,15 +133,27 @@ do_authloop(Authctxt *authctxt)
#endif /* KRB4 */
} else {
#ifdef KRB5
krb5_data tkt;
krb5_data tkt, reply;
tkt.length = dlen;
tkt.data = kdata;
if (auth_krb5(authctxt, &tkt, &client_user)) {
if (PRIVSEP(auth_krb5(authctxt, &tkt,
&client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
/* Send response to client */
packet_start(
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)
reply.data, reply.length);
packet_send();
packet_write_wait();
if (reply.length)
xfree(reply.data);
}
#endif /* KRB5 */
}


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor.c,v 1.24 2002/08/29 15:57:25 stevesk Exp $");
RCSID("$OpenBSD: monitor.c,v 1.25 2002/09/09 06:48:06 itojun Exp $");
#include <openssl/dh.h>
@ -120,6 +120,10 @@ int mm_answer_sessid(int, Buffer *);
int mm_answer_pam_start(int, Buffer *);
#endif
#ifdef KRB5
int mm_answer_krb5(int, Buffer *);
#endif
static Authctxt *authctxt;
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@ -198,6 +202,9 @@ struct mon_table mon_dispatch_proto15[] = {
#endif
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
#endif
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
{0, 0, NULL}
};
@ -1277,6 +1284,42 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
#ifdef KRB5
int
mm_answer_krb5(int socket, Buffer *m)
{
krb5_data tkt, reply;
char *client_user;
u_int len;
int success;
/* use temporary var to avoid size issues on 64bit arch */
tkt.data = buffer_get_string(m, &len);
tkt.length = len;
success = auth_krb5(authctxt, &tkt, &client_user, &reply);
if (tkt.length)
xfree(tkt.data);
buffer_clear(m);
buffer_put_int(m, success);
if (success) {
buffer_put_cstring(m, client_user);
buffer_put_string(m, reply.data, reply.length);
if (client_user)
xfree(client_user);
if (reply.length)
xfree(reply.data);
}
mm_request_send(socket, MONITOR_ANS_KRB5, m);
return success;
}
#endif
int
mm_answer_term(int socket, Buffer *req)
{
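Review bot: `if (tkt.length) xfree(tkt.data);` in mm_answer_krb5 leaks the ticket buffer when the unprivileged child sends a zero-length string, because buffer_get_string() returns a freshly allocated, NUL-terminated buffer regardless of the length it reports; the free should be unconditional, `xfree(tkt.data);`. In the success branch `client_user` is passed to buffer_put_cstring() before the `if (client_user)` guard, so the guard protects nothing; either drop it or initialize `client_user = NULL` and check it before the put. If this version of monitor.c still keys auth_log() and the root-login check on the file-scope `auth_method` string, this handler should set it as the other MON_AUTH handlers do (e.g. `auth_method = "kerberos";`) — that is not visible in the hunk, so worth confirming.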


@ -1,4 +1,4 @@
/* $OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $ */
/* $OpenBSD: monitor.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -49,6 +49,7 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_PAM_START,
MONITOR_REQ_TERM
};


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.16 2002/07/04 10:41:47 markus Exp $");
RCSID("$OpenBSD: monitor_wrap.c,v 1.17 2002/09/09 06:48:06 itojun Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@ -936,3 +936,38 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
#ifdef KRB5
int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
{
krb5_data *tkt, *reply;
Buffer m;
int success;
debug3("%s entering", __func__);
tkt = (krb5_data *) argp;
reply = (krb5_data *) resp;
buffer_init(&m);
buffer_put_string(&m, tkt->data, tkt->length);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
success = buffer_get_int(&m);
if (success) {
u_int len;
*userp = buffer_get_string(&m, NULL);
reply->data = buffer_get_string(&m, &len);
reply->length = len;
} else {
memset(reply, 0, sizeof(*reply));
*userp = NULL;
}
buffer_free(&m);
return (success);
}
#endif
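Review bot: mm_auth_krb5 hands two heap allocations back to the caller but says nothing about it, while the void * interface is explained only in monitor_wrap.h; a comment above the definition would close that gap: `Ask the monitor to verify the ssh1 Kerberos ticket in *argp. On success *userp and reply->data are allocated by buffer_get_string() and owned by the caller (xfree both); on failure *userp is NULL and *reply is zeroed.` The `(krb5_data *)` casts on the two void * arguments are unnecessary in C and can be dropped (`tkt = argp;`), a style point only. Any non-zero `success` from the monitor is treated as authenticated, which is fine as long as the monitor side is the sole decider, as it is here.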


@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.h,v 1.6 2002/06/30 21:59:45 deraadt Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -83,6 +83,13 @@ int mm_bsdauth_respond(void *, u_int, char **);
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
/* auth_krb5 */
#ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */
int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
#endif
/* zlib allocation hooks */
void *mm_zalloc(struct mm_master *, u_int, u_int);