From 2aa0ab463f479649760110ca52fa341880c5ae3a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 12:05:28 +1000 Subject: [PATCH] - jakob@cvs.openbsd.org 2003/05/15 01:48:10 [readconf.c readconf.h servconf.c servconf.h] always parse kerberos options. ok djm@ markus@ - (djm) Always parse UsePAM --- ChangeLog | 6 +++++- readconf.c | 40 ++++++---------------------------------- readconf.h | 8 +------- servconf.c | 45 ++++++--------------------------------------- servconf.h | 8 +------- sshd_config | 5 +++-- 6 files changed, 22 insertions(+), 90 deletions(-) diff --git a/ChangeLog b/ChangeLog index a6e2446e5..97acfef06 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ - markus@cvs.openbsd.org 2003/05/15 00:28:28 [sshconnect2.c] cleanup unregister of per-method packet handlers; ok djm@ + - jakob@cvs.openbsd.org 2003/05/15 01:48:10 + [readconf.c readconf.h servconf.c servconf.h] + always parse kerberos options. ok djm@ markus@ + - (djm) Always parse UsePAM - (djm) Configure glue for DNS support (code doesn't work in portable yet) 20030514 @@ -1492,4 +1496,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2705 2003/05/15 02:01:28 djm Exp $ +$Id: ChangeLog,v 1.2706 2003/05/15 02:05:28 djm Exp $ diff --git a/readconf.c b/readconf.c index c9c463b29..4c5d44859 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.107 2003/05/14 18:16:20 jakob Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.108 2003/05/15 01:48:10 jakob Exp $"); #include "ssh.h" #include "xmalloc.h" 
@@ -94,15 +94,7 @@ typedef enum { oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, -#if defined(KRB4) || defined(KRB5) - oKerberosAuthentication, -#endif -#if defined(AFS) || defined(KRB5) - oKerberosTgtPassing, -#endif -#ifdef AFS - oAFSTokenPassing, -#endif + oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, @@ -141,15 +133,9 @@ static struct { { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ -#if defined(KRB4) || defined(KRB5) { "kerberosauthentication", oKerberosAuthentication }, -#endif -#if defined(AFS) || defined(KRB5) { "kerberostgtpassing", oKerberosTgtPassing }, -#endif -#ifdef AFS { "afstokenpassing", oAFSTokenPassing }, -#endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, @@ -370,21 +356,19 @@ parse_flag: case oChallengeResponseAuthentication: intptr = &options->challenge_response_authentication; goto parse_flag; -#if defined(KRB4) || defined(KRB5) + case oKerberosAuthentication: intptr = &options->kerberos_authentication; goto parse_flag; -#endif -#if defined(AFS) || defined(KRB5) + case oKerberosTgtPassing: intptr = &options->kerberos_tgt_passing; goto parse_flag; -#endif -#ifdef AFS + case oAFSTokenPassing: intptr = &options->afs_token_passing; goto parse_flag; -#endif + case oBatchMode: intptr = &options->batch_mode; goto parse_flag; 
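Review bot: With the `#if defined(KRB4) || defined(KRB5)` and `AFS` guards removed from the keyword table in the `@@ -141` hunk, `kerberosauthentication`, `kerberostgtpassing` and `afstokenpassing` are accepted in every build, so a binary compiled without that support reads `KerberosAuthentication yes` without any diagnostic. The same applies to the server keyword table and parse cases in servconf.c (`@@ -338`, `@@ -653` and `@@ -665`), where it matters more: an administrator can believe a Kerberos-related setting is in force when, presumably, nothing consumes it. Consider keeping the entries but logging a warning when the feature is not compiled in, and at minimum add a comment above them such as `/* always parsed; only honoured when built with KRB4/KRB5/AFS */`. The table starts and ends outside the hunk.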
@@ -786,15 +770,9 @@ initialize_options(Options * options) options->rsa_authentication = -1; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; -#if defined(KRB4) || defined(KRB5) options->kerberos_authentication = -1; -#endif -#if defined(AFS) || defined(KRB5) options->kerberos_tgt_passing = -1; -#endif -#ifdef AFS options->afs_token_passing = -1; -#endif options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -865,18 +843,12 @@ fill_default_options(Options * options) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; -#if defined(KRB4) || defined(KRB5) if (options->kerberos_authentication == -1) options->kerberos_authentication = 1; -#endif -#if defined(AFS) || defined(KRB5) if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; -#endif -#ifdef AFS if (options->afs_token_passing == -1) options->afs_token_passing = 1; -#endif if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h index d141b8c00..991e20091 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.48 2003/05/14 18:16:20 jakob Exp $ */ +/* $OpenBSD: readconf.h,v 1.49 2003/05/15 01:48:10 jakob Exp $ */ /* * Author: Tatu Ylonen 
@@ -41,15 +41,9 @@ typedef struct { int hostbased_authentication; /* ssh2's rhosts_rsa */ int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ -#if defined(KRB4) || defined(KRB5) int kerberos_authentication; /* Try Kerberos authentication. */ -#endif -#if defined(AFS) || defined(KRB5) int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ -#endif -#ifdef AFS int afs_token_passing; /* Try AFS token passing. */ -#endif int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c index fbdc4d8fa..5076c5df6 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.118 2003/04/09 08:23:52 hin Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.119 2003/05/15 01:48:10 jakob Exp $"); #if defined(KRB4) #include @@ -59,10 +59,8 @@ initialize_server_options(ServerOptions *options) { memset(options, 0, sizeof(*options)); -#ifdef USE_PAM /* Portable-specific options */ options->use_pam = -1; -#endif /* Standard Options */ options->num_ports = 0; @@ -92,17 +90,11 @@ initialize_server_options(ServerOptions *options) options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; -#if defined(KRB4) || defined(KRB5) options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; -#endif -#if defined(AFS) || defined(KRB5) options->kerberos_tgt_passing = -1; -#endif -#ifdef AFS options->afs_token_passing = -1; -#endif options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; 
@@ -138,10 +130,8 @@ void fill_default_server_options(ServerOptions *options) { /* Portable-specific options */ -#ifdef USE_PAM if (options->use_pam == -1) - options->use_pam = 1; -#endif + options->use_pam = 0; /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) @@ -208,22 +198,16 @@ fill_default_server_options(ServerOptions *options) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; -#if defined(KRB4) || defined(KRB5) if (options->kerberos_authentication == -1) options->kerberos_authentication = 0; if (options->kerberos_or_local_passwd == -1) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; -#endif -#if defined(AFS) || defined(KRB5) if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; -#endif -#ifdef AFS if (options->afs_token_passing == -1) options->afs_token_passing = 0; -#endif if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -288,16 +272,8 @@ typedef enum { sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, -#if defined(KRB4) || defined(KRB5) sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -#endif -#if defined(AFS) || defined(KRB5) - sKerberosTgtPassing, -#endif -#ifdef AFS - sAFSTokenPassing, -#endif - sChallengeResponseAuthentication, + sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 
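Review bot: The default for `use_pam` in fill_default_server_options() changes from 1 to 0 in the `@@ -138` hunk, which neither the subject line nor the ChangeLog entry ("Always parse UsePAM") mentions. Going by the sshd_config comment in this same patch, UsePAM controls PAM authentication and session processing, so a PAM-enabled build upgraded with a config that does not set `UsePAM yes` would stop running those modules. Please record the change in the ChangeLog and add a comment at the assignment, e.g. `/* PAM is opt-in: not used unless sshd_config sets UsePAM yes */`. With `#ifdef USE_PAM` removed here and in initialize_server_options() (`@@ -59`), it is also worth confirming that a build without PAM rejects or warns on `UsePAM yes`; the keyword handling is not part of this diff. The function body continues outside the hunk.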
@@ -338,17 +314,11 @@ static struct { { "rsaauthentication", sRSAAuthentication }, { "pubkeyauthentication", sPubkeyAuthentication }, { "dsaauthentication", sPubkeyAuthentication }, /* alias */ -#if defined(KRB4) || defined(KRB5) { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, -#endif -#if defined(AFS) || defined(KRB5) { "kerberostgtpassing", sKerberosTgtPassing }, -#endif -#ifdef AFS { "afstokenpassing", sAFSTokenPassing }, -#endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, @@ -653,7 +623,7 @@ parse_flag: case sPubkeyAuthentication: intptr = &options->pubkey_authentication; goto parse_flag; -#if defined(KRB4) || defined(KRB5) + case sKerberosAuthentication: intptr = &options->kerberos_authentication; goto parse_flag; @@ -665,17 +635,14 @@ parse_flag: case sKerberosTicketCleanup: intptr = &options->kerberos_ticket_cleanup; goto parse_flag; -#endif -#if defined(AFS) || defined(KRB5) + case sKerberosTgtPassing: intptr = &options->kerberos_tgt_passing; goto parse_flag; -#endif -#ifdef AFS + case sAFSTokenPassing: intptr = &options->afs_token_passing; goto parse_flag; -#endif case sPasswordAuthentication: intptr = &options->password_authentication; diff --git a/servconf.h b/servconf.h index afa80675e..4ad1ee7be 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $ */ /* * Author: Tatu Ylonen 
@@ -73,7 +73,6 @@ typedef struct { int hostbased_uses_name_from_packet_only; /* experimental */ int rsa_authentication; /* If true, permit RSA authentication. */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ -#if defined(KRB4) || defined(KRB5) int kerberos_authentication; /* If true, permit Kerberos * authentication. */ int kerberos_or_local_passwd; /* If true, permit kerberos @@ -83,14 +82,9 @@ typedef struct { * /etc/passwd */ int kerberos_ticket_cleanup; /* If true, destroy ticket * file on logout. */ -#endif -#if defined(AFS) || defined(KRB5) int kerberos_tgt_passing; /* If true, permit Kerberos TGT * passing. */ -#endif -#ifdef AFS int afs_token_passing; /* If true, permit AFS token passing. */ -#endif int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff --git a/sshd_config b/sshd_config index 36429c9d0..57a1f2bec 100644 --- a/sshd_config +++ b/sshd_config @@ -69,9 +69,10 @@ # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no -# Set this to 'yes' to enable PAM keyboard-interactive authentication +# Set this to 'yes' to enable PAM authentication (via challenge-response) +# and session processing # Warning: enabling this may bypass the setting of 'PasswordAuthentication' -#PAMAuthenticationViaKbdInt no +#UsePAM no #X11Forwarding no #X11DisplayOffset 10
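Review bot: The retained warning in the sshd_config hunk, `# Warning: enabling this may bypass the setting of 'PasswordAuthentication'`, does not tell the administrator how to keep password logins off once `UsePAM` is enabled. Since the new text says PAM authentication runs via challenge-response, the comment should name the related keyword, for example `# Warning: enabling this may bypass 'PasswordAuthentication no'; also review 'ChallengeResponseAuthentication'`. Whether disabling challenge-response fully closes that path in this version is not visible from the diff, so the wording is a pointer rather than a guarantee.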