- (dtucker) OpenBSD CVS Sync

- markus@cvs.openbsd.org 2003/07/22 13:35:22
     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
     test+ok henning@
 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.

I hope I got this right....
This commit is contained in:
Darren Tucker 2003-08-02 22:24:49 +10:00
parent 4c29dd9f44
commit 6aaa58c470
26 changed files with 52 additions and 1236 deletions


@ -1,5 +1,14 @@
20030802
- (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/22 13:35:22
[auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@
- (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
- (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
20030730
- (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
@ -738,4 +747,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $
$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $


@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $
# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
compat.o compress.o crc32.o deattack.o fatal.o \
hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \
hostfile.o log.o match.o mpaux.o nchan.o packet.o \
readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
key.o dispatch.o kex.o mac.o uuencode.o misc.o \
rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
kexdhs.o kexgexs.o \
auth-krb5.o auth2-krb5.o auth-krb4.o \
auth-krb5.o auth2-krb5.o \
loginrec.o auth-pam.o auth-sia.o md5crypt.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out


@ -1,4 +1,4 @@
/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */
/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@ -238,12 +238,6 @@
/* Define this if you are using the Heimdal version of Kerberos V5 */
#undef HEIMDAL
/* Define if you want Kerberos 4 support */
#undef KRB4
/* Define if you want AFS support */
#undef AFS
/* Define if you want S/Key support */
#undef SKEY


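--- a/auth-krb4.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $");
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "auth.h"
-#ifdef AFS
-#include "radix.h"
-#endif
-#ifdef KRB4
-extern ServerOptions options;
-static int
-krb4_init(void *context)
-{
-static int cleanup_registered = 0;
-Authctxt *authctxt = (Authctxt *)context;
-const char *tkt_root = TKT_ROOT;
-struct stat st;
-int fd;
-if (!authctxt->krb4_ticket_file) {
-/* Set unique ticket string manually since we're still root. */
-authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
-#ifdef AFS
-if (lstat("/ticket", &st) != -1)
-tkt_root = "/ticket/";
-#endif /* AFS */
-snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
-tkt_root, authctxt->pw->pw_uid, (long)getpid());
-krb_set_tkt_string(authctxt->krb4_ticket_file);
-}
-/* Register ticket cleanup in case of fatal error. */
-if (!cleanup_registered) {
-fatal_add_cleanup(krb4_cleanup_proc, authctxt);
-cleanup_registered = 1;
-}
-/* Try to create our ticket file. */
-if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
-close(fd);
-return (1);
-}
-/* Ticket file exists - make sure user owns it (just passed ticket). */
-if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
-if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
-st.st_uid == authctxt->pw->pw_uid)
-return (1);
-}
-/* Failure - cancel cleanup function, leaving ticket for inspection. */
-logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
-fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
-cleanup_registered = 0;
-xfree(authctxt->krb4_ticket_file);
-authctxt->krb4_ticket_file = NULL;
-return (0);
-}
-/*
-* try krb4 authentication,
-* return 1 on success, 0 on failure, -1 if krb4 is not available
-*/
-int
-auth_krb4_password(Authctxt *authctxt, const char *password)
-{
-AUTH_DAT adata;
-KTEXT_ST tkt;
-struct hostent *hp;
-struct passwd *pw;
-char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
-u_int32_t faddr;
-int r;
-if ((pw = authctxt->pw) == NULL)
-return (0);
-/*
-* Try Kerberos password authentication only for non-root
-* users and only if Kerberos is installed.
-*/
-if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-/* Set up our ticket file. */
-if (!krb4_init(authctxt)) {
-logit("Couldn't initialize Kerberos ticket file for %s!",
-pw->pw_name);
-goto failure;
-}
-/* Try to get TGT using our password. */
-r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
-"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
-if (r != INTK_OK) {
-debug("Kerberos v4 password authentication for %s "
-"failed: %s", pw->pw_name, krb_err_txt[r]);
-goto failure;
-}
-/* Successful authentication. */
-chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-/*
-* Now that we have a TGT, try to get a local
-* "rcmd" ticket to ensure that we are not talking
-* to a bogus Kerberos server.
-*/
-gethostname(localhost, sizeof(localhost));
-strlcpy(phost, (char *)krb_get_phost(localhost),
-sizeof(phost));
-r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-if (r == KSUCCESS) {
-if ((hp = gethostbyname(localhost)) == NULL) {
-logit("Couldn't get local host address!");
-goto failure;
-}
-memmove((void *)&faddr, (void *)hp->h_addr,
-sizeof(faddr));
-/* Verify our "rcmd" ticket. */
-r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-faddr, &adata, "");
-if (r == RD_AP_UNDEC) {
-/*
-* Probably didn't have a srvtab on
-* localhost. Disallow login.
-*/
-logit("Kerberos v4 TGT for %s unverifiable, "
-"no srvtab installed? krb_rd_req: %s",
-pw->pw_name, krb_err_txt[r]);
-goto failure;
-} else if (r != KSUCCESS) {
-logit("Kerberos v4 %s ticket unverifiable: %s",
-KRB4_SERVICE_NAME, krb_err_txt[r]);
-goto failure;
-}
-} else if (r == KDC_PR_UNKNOWN) {
-/*
-* Disallow login if no rcmd service exists, and
-* log the error.
-*/
-logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
-"not registered, or srvtab is wrong?", pw->pw_name,
-krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-goto failure;
-} else {
-/*
-* TGT is bad, forget it. Possibly spoofed!
-*/
-debug("WARNING: Kerberos v4 TGT possibly spoofed "
-"for %s: %s", pw->pw_name, krb_err_txt[r]);
-goto failure;
-}
-/* Authentication succeeded. */
-return (1);
-} else
-/* Logging in as root or no local Kerberos realm. */
-debug("Unable to authenticate to Kerberos.");
-failure:
-krb4_cleanup_proc(authctxt);
-if (!options.kerberos_or_local_passwd)
-return (0);
-/* Fall back to ordinary passwd authentication. */
-return (-1);
-}
-void
-krb4_cleanup_proc(void *context)
-{
-Authctxt *authctxt = (Authctxt *)context;
-debug("krb4_cleanup_proc called");
-if (authctxt->krb4_ticket_file) {
-(void) dest_tkt();
-xfree(authctxt->krb4_ticket_file);
-authctxt->krb4_ticket_file = NULL;
-}
-}
-int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
-{
-AUTH_DAT adat = {0};
-Key_schedule schedule;
-struct sockaddr_in local, foreign;
-char instance[INST_SZ];
-socklen_t slen;
-u_int cksum;
-int r, s;
-s = packet_get_connection_in();
-slen = sizeof(local);
-memset(&local, 0, sizeof(local));
-if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
-debug("getsockname failed: %.100s", strerror(errno));
-slen = sizeof(foreign);
-memset(&foreign, 0, sizeof(foreign));
-if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
-debug("getpeername failed: %.100s", strerror(errno));
-fatal_cleanup();
-}
-instance[0] = '*';
-instance[1] = 0;
-/* Get the encrypted request, challenge, and session key. */
-if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
-0, &adat, ""))) {
-debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
-return (0);
-}
-des_key_sched((des_cblock *) adat.session, schedule);
-*client = xmalloc(MAX_K_NAME_SZ);
-(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
-*adat.pinst ? "." : "", adat.pinst, adat.prealm);
-/* Check ~/.klogin authorization now. */
-if (kuserok(&adat, authctxt->user) != KSUCCESS) {
-logit("Kerberos v4 .klogin authorization failed for %s to "
-"account %s", *client, authctxt->user);
-xfree(*client);
-*client = NULL;
-return (0);
-}
-/* Increment the checksum, and return it encrypted with the
-session key. */
-cksum = adat.checksum + 1;
-cksum = htonl(cksum);
-/* If we can't successfully encrypt the checksum, we send back an
-empty message, admitting our failure. */
-if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
-schedule, &adat.session, &local, &foreign)) < 0) {
-debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
-reply->dat[0] = 0;
-reply->length = 0;
-} else
-reply->length = r;
-/* Clear session key. */
-memset(&adat.session, 0, sizeof(adat.session));
-return (1);
-}
-#endif /* KRB4 */
-#ifdef AFS
-int
-auth_krb4_tgt(Authctxt *authctxt, const char *string)
-{
-CREDENTIALS creds;
-struct passwd *pw;
-if ((pw = authctxt->pw) == NULL)
-goto failure;
-temporarily_use_uid(pw);
-if (!radix_to_creds(string, &creds)) {
-logit("Protocol error decoding Kerberos v4 TGT");
-goto failure;
-}
-if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-strlcpy(creds.service, "krbtgt", sizeof creds.service);
-if (strcmp(creds.service, "krbtgt")) {
-logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
-creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
-creds.realm, pw->pw_name);
-goto failure;
-}
-if (!krb4_init(authctxt))
-goto failure;
-if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-goto failure;
-if (save_credentials(creds.service, creds.instance, creds.realm,
-creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
-creds.issue_date) != KSUCCESS) {
-debug("Kerberos v4 TGT refused: couldn't save credentials");
-goto failure;
-}
-/* Successful authentication, passed all checks. */
-chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
-creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
-memset(&creds, 0, sizeof(creds));
-restore_uid();
-return (1);
-failure:
-krb4_cleanup_proc(authctxt);
-memset(&creds, 0, sizeof(creds));
-restore_uid();
-return (0);
-}
-int
-auth_afs_token(Authctxt *authctxt, const char *token_string)
-{
-CREDENTIALS creds;
-struct passwd *pw;
-uid_t uid;
-if ((pw = authctxt->pw) == NULL)
-return (0);
-if (!radix_to_creds(token_string, &creds)) {
-logit("Protocol error decoding AFS token");
-return (0);
-}
-if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-strlcpy(creds.service, "afs", sizeof creds.service);
-if (strncmp(creds.pname, "AFS ID ", 7) == 0)
-uid = atoi(creds.pname + 7);
-else
-uid = pw->pw_uid;
-if (kafs_settoken(creds.realm, uid, &creds)) {
-logit("AFS token (%s@%s) rejected for %s",
-creds.pname, creds.realm, pw->pw_name);
-memset(&creds, 0, sizeof(creds));
-return (0);
-}
-debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
-memset(&creds, 0, sizeof(creds));
-return (1);
-}
-#endif /* AFS */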


@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
#include "packet.h"
#include "log.h"
@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password)
return (authsuccess);
}
# endif
# ifdef KRB4
if (options.kerberos_authentication == 1) {
int ret = auth_krb4_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret;
/* Fall back to ordinary passwd authentication. */
}
# endif
# ifdef BSD_AUTH
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password) == 0)

auth.h

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */
/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -60,9 +60,6 @@ struct Authctxt {
#ifdef BSD_AUTH
auth_session_t *as;
#endif
#ifdef KRB4
char *krb4_ticket_file;
#endif
#ifdef KRB5
krb5_context krb5_ctx;
krb5_auth_context krb5_auth_ctx;
@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *);
#ifdef KRB4
#include <krb.h>
int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
int auth_krb4_password(Authctxt *, const char *);
void krb4_cleanup_proc(void *);
#ifdef AFS
#include <kafs.h>
int auth_krb4_tgt(Authctxt *, const char *);
int auth_afs_token(Authctxt *, const char *);
#endif /* AFS */
#endif /* KRB4 */
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);

auth1.c

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@ -49,7 +49,7 @@ get_authname(int type)
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
case SSH_CMSG_AUTH_KERBEROS:
return "kerberos";
#endif
@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
/* If the user has no password, accept authentication immediately. */
if (options.password_authentication &&
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
PRIVSEP(auth_password(authctxt, ""))) {
@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt)
/* Process the packet. */
switch (type) {
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) {
verbose("Kerberos authentication disabled.");
@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt)
char *kdata = packet_get_string(&dlen);
packet_check_eom();
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
#ifdef KRB4
KTEXT_ST tkt, reply;
tkt.length = dlen;
if (tkt.length < MAX_KTXT_LEN)
memcpy(tkt.dat, kdata, tkt.length);
if (PRIVSEP(auth_krb4(authctxt, &tkt,
&client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
packet_start(
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)
reply.dat, reply.length);
packet_send();
packet_write_wait();
}
#endif /* KRB4 */
} else {
#ifdef KRB5
if (kdata[0] != 4) { /* KRB_PROT_VERSION */
krb5_data tkt, reply;
tkt.length = dlen;
tkt.data = kdata;
@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt)
if (reply.length)
xfree(reply.data);
}
#endif /* KRB5 */
}
xfree(kdata);
}
break;
#endif /* KRB4 || KRB5 */
#if defined(AFS) || defined(KRB5)
/* XXX - punt on backward compatibility here. */
case SSH_CMSG_HAVE_KERBEROS_TGT:
packet_send_debug("Kerberos TGT passing disabled before authentication.");
break;
#ifdef AFS
case SSH_CMSG_HAVE_AFS_TOKEN:
packet_send_debug("AFS token passing disabled before authentication.");
break;
#endif /* AFS */
#endif /* AFS || KRB5 */
#endif
case SSH_CMSG_AUTH_RHOSTS:
if (!options.rhosts_authentication) {
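Review bot: With the `if (kdata[0] == 4)` branch gone, a client that still presents a Kerberos v4 ticket now fails the `if (kdata[0] != 4) { /* KRB_PROT_VERSION */` test in do_authloop and falls straight to `xfree(kdata);` with no diagnostic, so the attempt simply counts as a failed authentication and an operator reading the log sees nothing explaining why. An else branch on that test, `} else { verbose("Kerberos v4 authentication is no longer supported."); }`, would make the rejection visible at the same level as the "Kerberos authentication disabled." message a few lines above. The literal 4 is now explained only by the trailing comment; since krb.h is no longer included the constant itself cannot be used, but the comment could say that the value is the KRB4 protocol version byte kept for rejecting v4 tickets. do_authloop starts and ends outside this hunk.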


@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $
# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
@ -54,7 +54,6 @@ fi
# Check for some target-specific stuff
case "$host" in
*-*-aix*)
AFS_LIBS="-lld"
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5,
fi
]
)
# Check whether user wants Kerberos 4 support
KRB4_MSG="no"
AC_ARG_WITH(kerberos4,
[ --with-kerberos4=PATH Enable Kerberos 4 support],
[
if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes" ; then
CPPFLAGS="$CPPFLAGS -I${withval}/include"
LDFLAGS="$LDFLAGS -L${withval}/lib"
if test ! -z "$need_dash_r" ; then
LDFLAGS="$LDFLAGS -R${withval}/lib"
fi
if test ! -z "$blibpath" ; then
blibpath="$blibpath:${withval}/lib"
fi
else
if test -d /usr/include/kerberosIV ; then
CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
fi
fi
AC_CHECK_HEADERS(krb.h)
if test "$ac_cv_header_krb_h" != yes; then
AC_MSG_WARN([Cannot find krb.h, build may fail])
fi
AC_CHECK_LIB(krb, main)
if test "$ac_cv_lib_krb_main" != yes; then
AC_CHECK_LIB(krb4, main)
if test "$ac_cv_lib_krb4_main" != yes; then
AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
else
KLIBS="-lkrb4"
fi
else
KLIBS="-lkrb"
fi
AC_CHECK_LIB(des, des_cbc_encrypt)
if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
AC_CHECK_LIB(des425, des_cbc_encrypt)
if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
else
KLIBS="-ldes425"
fi
else
KLIBS="-ldes"
fi
AC_CHECK_LIB(resolv, dn_expand, , )
KRB4=yes
KRB4_MSG="yes"
AC_DEFINE(KRB4)
fi
]
)
# Check whether user wants AFS support
AFS_MSG="no"
AC_ARG_WITH(afs,
[ --with-afs=PATH Enable AFS support],
[
if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes" ; then
CPPFLAGS="$CPPFLAGS -I${withval}/include"
LDFLAGS="$LDFLAGS -L${withval}/lib"
fi
if test -z "$KRB4" ; then
AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
fi
LIBS="-lkafs $LIBS"
if test ! -z "$AFS_LIBS" ; then
LIBS="$LIBS $AFS_LIBS"
fi
AC_DEFINE(AFS)
AFS_MSG="yes"
fi
]
)
LIBS="$LIBS $KLIBS $K5LIBS"
LIBS="$LIBS $K5LIBS"
# Looking for programs, paths and files
@ -2648,10 +2567,8 @@ fi
echo " Manpage format: $MANTYPE"
echo " DNS support: $DNS_MSG"
echo " PAM support: $PAM_MSG"
echo " KerberosIV support: $KRB4_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " AFS support: $AFS_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
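Review bot: Deleting the whole `AC_ARG_WITH(kerberos4, ...)` and `AC_ARG_WITH(afs, ...)` blocks means an administrator who still passes `--with-kerberos4=PATH` or `--with-afs=PATH` gets a configure run that, if I remember the autoconf behaviour of the day correctly, accepts the unknown --with option without complaint, so the resulting sshd silently lacks the authentication method that was asked for. A stub such as `AC_ARG_WITH(kerberos4, [  --with-kerberos4        (removed)], [AC_MSG_ERROR([Kerberos 4 support has been removed])])`, and the same for afs, would fail loudly instead and also keep the removal visible in `configure --help`. The `AFS_LIBS="-lld"` line dropped from the aix case had its only visible consumer in the deleted --with-afs block, but whether anything outside this excerpt still reads AFS_LIBS is not visible from here.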


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $");
RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
#include <openssl/dh.h>
@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *);
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
#ifdef KRB4
int mm_answer_krb4(int, Buffer *);
#endif
#ifdef KRB5
int mm_answer_krb5(int, Buffer *);
#endif
@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef KRB4
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
#endif
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
#ifdef KRB4
int
mm_answer_krb4(int socket, Buffer *m)
{
KTEXT_ST auth, reply;
char *client, *p;
int success;
u_int alen;
reply.length = auth.length = 0;
p = buffer_get_string(m, &alen);
if (alen >= MAX_KTXT_LEN)
fatal("%s: auth too large", __func__);
memcpy(auth.dat, p, alen);
auth.length = alen;
memset(p, 0, alen);
xfree(p);
success = options.kerberos_authentication &&
authctxt->valid &&
auth_krb4(authctxt, &auth, &client, &reply);
memset(auth.dat, 0, alen);
buffer_clear(m);
buffer_put_int(m, success);
if (success) {
buffer_put_cstring(m, client);
buffer_put_string(m, reply.dat, reply.length);
if (client)
xfree(client);
if (reply.length)
memset(reply.dat, 0, reply.length);
}
debug3("%s: sending result %d", __func__, success);
mm_request_send(socket, MONITOR_ANS_KRB4, m);
auth_method = "kerberos";
/* Causes monitor loop to terminate if authenticated */
return (success);
}
#endif
#ifdef KRB5
int
mm_answer_krb5(int socket, Buffer *m)


@ -49,7 +49,6 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,


@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $");
RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
#ifdef KRB4
int
mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
{
KTEXT auth, reply;
Buffer m;
u_int rlen;
int success = 0;
char *p;
debug3("%s entering", __func__);
auth = _auth;
reply = _reply;
buffer_init(&m);
buffer_put_string(&m, auth->dat, auth->length);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
success = buffer_get_int(&m);
if (success) {
*client = buffer_get_string(&m, NULL);
p = buffer_get_string(&m, &rlen);
if (rlen >= MAX_KTXT_LEN)
fatal("%s: reply from monitor too large", __func__);
reply->length = rlen;
memcpy(reply->dat, p, rlen);
memset(p, 0, rlen);
xfree(p);
}
buffer_free(&m);
return (success);
}
#endif
#ifdef KRB5
int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)


@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
/* auth_krb */
#ifdef KRB4
int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
#endif
#ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */

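--- a/radix.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-* Copyright (c) 2002 Markus Friedl. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-#include "includes.h"
-#include "uuencode.h"
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-#ifdef AFS
-#include <krb.h>
-#include <radix.h>
-#include "bufaux.h"
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
-Buffer b;
-int ret;
-buffer_init(&b);
-buffer_put_char(&b, 1); /* version */
-buffer_append(&b, creds->service, strlen(creds->service));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->instance, strlen(creds->instance));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->realm, strlen(creds->realm));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pname, strlen(creds->pname));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pinst, strlen(creds->pinst));
-buffer_put_char(&b, '\0');
-/* Null string to repeat the realm. */
-buffer_put_char(&b, '\0');
-buffer_put_int(&b, creds->issue_date);
-buffer_put_int(&b, krb_life_to_time(creds->issue_date,
-creds->lifetime));
-buffer_append(&b, creds->session, sizeof(creds->session));
-buffer_put_short(&b, creds->kvno);
-/* 32 bit size + data */
-buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-buffer_free(&b);
-return ret;
-}
-#define GETSTRING(b, t, tlen) \
-do { \
-int i, found = 0; \
-for (i = 0; i < tlen; i++) { \
-if (buffer_len(b) == 0) \
-goto done; \
-t[i] = buffer_get_char(b); \
-if (t[i] == '\0') { \
-found = 1; \
-break; \
-} \
-} \
-if (!found) \
-goto done; \
-} while(0)
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
-Buffer b;
-u_char *space;
-char c, version, *p;
-u_int endTime, len;
-int blen, ret;
-ret = 0;
-blen = strlen(buf);
-/* sanity check for size */
-if (blen > 8192)
-return 0;
-buffer_init(&b);
-space = buffer_append_space(&b, blen);
-/* check version and length! */
-len = uudecode(buf, space, blen);
-if (len < 1)
-goto done;
-version = buffer_get_char(&b);
-GETSTRING(&b, creds->service, sizeof creds->service);
-GETSTRING(&b, creds->instance, sizeof creds->instance);
-GETSTRING(&b, creds->realm, sizeof creds->realm);
-GETSTRING(&b, creds->pname, sizeof creds->pname);
-GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-if (buffer_len(&b) == 0)
-goto done;
-/* Ignore possibly different realm. */
-while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
-;
-if (buffer_len(&b) == 0)
-goto done;
-creds->issue_date = buffer_get_int(&b);
-endTime = buffer_get_int(&b);
-creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-len = buffer_len(&b);
-if (len < sizeof(creds->session))
-goto done;
-memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
-buffer_consume(&b, sizeof(creds->session));
-creds->kvno = buffer_get_short(&b);
-p = buffer_get_string(&b, &len);
-if (len < 0 || len > sizeof(creds->ticket_st.dat))
-goto done;
-memcpy(&creds->ticket_st.dat, p, len);
-creds->ticket_st.length = len;
-ret = 1;
-done:
-buffer_free(&b);
-return ret;
-}
-#endif /* AFS */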

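--- a/radix.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-int creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int radix_to_creds(const char *, CREDENTIALS *);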


@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $");
RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@ -94,7 +94,7 @@ typedef enum {
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing,
oKerberosAuthentication, oKerberosTgtPassing,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@ -134,18 +134,14 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
{ "kerberosauthentication", oKerberosAuthentication },
{ "kerberostgtpassing", oKerberosTgtPassing },
#else
{ "kerberosauthentication", oUnsupported },
{ "kerberostgtpassing", oUnsupported },
#endif
#if defined(AFS)
{ "afstokenpassing", oAFSTokenPassing },
#else
{ "afstokenpassing", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
@ -399,10 +395,6 @@ parse_flag:
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
case oAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@ -828,7 +820,6 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->kerberos_authentication = -1;
options->kerberos_tgt_passing = -1;
options->afs_token_passing = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@ -905,8 +896,6 @@ fill_default_options(Options * options)
options->kerberos_authentication = 1;
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 1;
if (options->afs_token_passing == -1)
options->afs_token_passing = 1;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -43,7 +43,6 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int kerberos_authentication; /* Try Kerberos authentication. */
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
int afs_token_passing; /* Try AFS token passing. */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */


@ -10,15 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
#if defined(KRB4)
#include <krb.h>
#endif
#ifdef AFS
#include <kafs.h>
#endif
RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
#include "ssh.h"
#include "log.h"
@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options)
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
options->kerberos_tgt_passing = -1;
options->afs_token_passing = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 0;
if (options->afs_token_passing == -1)
options->afs_token_passing = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@ -261,7 +250,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@ -306,7 +295,7 @@ static struct {
{ "rsaauthentication", sRSAAuthentication },
{ "pubkeyauthentication", sPubkeyAuthentication },
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
{ "kerberosticketcleanup", sKerberosTicketCleanup },
@ -317,11 +306,7 @@ static struct {
{ "kerberosticketcleanup", sUnsupported },
{ "kerberostgtpassing", sUnsupported },
#endif
#if defined(AFS)
{ "afstokenpassing", sAFSTokenPassing },
#else
{ "afstokenpassing", sUnsupported },
#endif
{ "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
@ -644,10 +629,6 @@ parse_flag:
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
case sAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */
/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -84,7 +84,6 @@ typedef struct {
* file on logout. */
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
* passing. */
int afs_token_passing; /* If true, permit AFS token passing. */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */


@ -33,7 +33,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt)
/* remove agent socket */
if (auth_sock_name != NULL)
auth_sock_cleanup_proc(authctxt->pw);
#ifdef KRB4
if (options.kerberos_ticket_cleanup)
krb4_cleanup_proc(authctxt);
#endif
#ifdef KRB5
if (options.kerberos_ticket_cleanup)
krb5_cleanup_proc(authctxt);
@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt)
success = 1;
break;
#if defined(AFS) || defined(KRB5)
#ifdef KRB5
case SSH_CMSG_HAVE_KERBEROS_TGT:
if (!options.kerberos_tgt_passing) {
verbose("Kerberos TGT passing disabled.");
@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt)
char *kdata = packet_get_string(&dlen);
packet_check_eom();
/* XXX - 0x41, see creds_to_radix version */
/* XXX - 0x41, used for AFS */
if (kdata[0] != 0x41) {
#ifdef KRB5
krb5_data tgt;
tgt.data = kdata;
tgt.length = dlen;
@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt)
success = 1;
else
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
#endif /* KRB5 */
} else {
#ifdef AFS
if (auth_krb4_tgt(s->authctxt, kdata))
success = 1;
else
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
#endif /* AFS */
}
xfree(kdata);
}
break;
#endif /* AFS || KRB5 */
#ifdef AFS
case SSH_CMSG_HAVE_AFS_TOKEN:
if (!options.afs_token_passing || !k_hasafs()) {
verbose("AFS token passing disabled.");
} else {
/* Accept AFS token. */
char *token = packet_get_string(&dlen);
packet_check_eom();
if (auth_afs_token(s->authctxt, token))
success = 1;
else
verbose("AFS token refused for %.100s",
s->authctxt->user);
xfree(token);
}
break;
#endif /* AFS */
#endif
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell)
read_environment_file(&env, &envsize, "/etc/environment");
}
#endif
#ifdef KRB4
if (s->authctxt->krb4_ticket_file)
child_set_env(&env, &envsize, "KRBTKFILE",
s->authctxt->krb4_ticket_file);
#endif
#ifdef KRB5
if (s->authctxt->krb5_ticket_file)
child_set_env(&env, &envsize, "KRB5CCNAME",
@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command)
*/
environ = env;
#ifdef AFS
/* Try to get AFS tokens for the local cell. */
if (k_hasafs()) {
char cell[64];
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
krb_afslog(cell, 0);
krb_afslog(0, 0);
}
#endif /* AFS */
/* Change current directory to the user\'s home directory. */
if (chdir(pw->pw_dir) < 0) {
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
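Review bot: In the SSH_CMSG_HAVE_KERBEROS_TGT case of do_authenticated1 the `else` branch of `if (kdata[0] != 0x41)` is now empty, so a TGT blob whose first byte is 0x41 is dropped with `success` still 0 and no log line at all, while the 0x41 special case only ever existed to route Kerberos v4/AFS blobs to code this commit removes. That makes a client still sending v4-style credentials invisible in the server log, which is the one signal an operator would want while retiring v4. Either log the rejection in that branch, e.g. `} else verbose("Kerberos v4/AFS-style TGT rejected for %.100s", s->authctxt->user);`, or, if the v5 path is meant to handle every blob, drop the 0x41 test and the comment `/* XXX - 0x41, used for AFS */` together with it. do_authenticated1 starts and ends outside this hunk, and the auth_krb5_tgt call itself is not visible here, so whether that function rejects a 0x41-prefixed blob cleanly is inferred, not checked.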

4
ssh.1

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $
.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@ -494,7 +494,7 @@ The argument is the device
should use to communicate with a smartcard used for storing the user's
private RSA key.
.It Fl k
Disables forwarding of Kerberos tickets and AFS tokens.
Disables forwarding of Kerberos tickets.
This may also be specified on a per-host basis in the configuration file.
.It Fl l Ar login_name
Specifies the user to log in as on the remote machine.

9
ssh.c

@ -40,7 +40,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $");
RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@ -154,9 +154,7 @@ usage(void)
_PATH_SSH_USER_CONFFILE);
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
#ifdef AFS
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
#endif /* AFS */
fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n");
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
fprintf(stderr, " -i file Identity for public key authentication "
@ -306,12 +304,9 @@ again:
case 'A':
options.forward_agent = 1;
break;
#ifdef AFS
case 'k':
options.kerberos_tgt_passing = 0;
options.afs_token_passing = 0;
break;
#endif
case 'i':
if (stat(optarg, &st) < 0) {
fprintf(stderr, "Warning: Identity file %s "

5
ssh.h

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */
/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -88,9 +88,6 @@
*/
#define SSH_SESSION_KEY_LENGTH 32
/* Name of Kerberos service for SSH to use. */
#define KRB4_SERVICE_NAME "rcmd"
/* Used to identify ``EscapeChar none'' */
#define SSH_ESCAPECHAR_NONE -2


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $
.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@ -123,13 +123,6 @@ Valid arguments are
(Use IPv4 only) or
.Dq inet6
(Use IPv6 only.)
.It Cm AFSTokenPassing
Specifies whether to pass AFS tokens to remote host.
The argument to this keyword must be
.Dq yes
or
.Dq no .
This option applies to protocol version 1 only.
.It Cm BatchMode
If set to
.Dq yes ,
@ -410,7 +403,6 @@ or
.Dq no .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT will be forwarded to the server.
This will only work if the Kerberos server is actually an AFS kaserver.
The argument to this keyword must be
.Dq yes
or


@ -13,24 +13,17 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");
RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
#ifdef KRB4
#include <krb.h>
#endif
#ifdef KRB5
#include <krb5.h>
#ifndef HEIMDAL
#define krb5_get_err_text(context,code) error_message(code)
#endif /* !HEIMDAL */
#endif
#ifdef AFS
#include <kafs.h>
#include "radix.h"
#endif
#include "ssh.h"
#include "ssh1.h"
@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
return 0;
}
#ifdef KRB4
static int
try_krb4_authentication(void)
{
KTEXT_ST auth; /* Kerberos data */
char *reply;
char inst[INST_SZ];
char *realm;
CREDENTIALS cred;
int r, type;
socklen_t slen;
Key_schedule schedule;
u_long checksum, cksum;
MSG_DAT msg_data;
struct sockaddr_in local, foreign;
struct stat st;
/* Don't do anything if we don't have any tickets. */
if (stat(tkt_string(), &st) < 0)
return 0;
strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
INST_SZ);
realm = (char *)krb_realmofhost(get_canonical_hostname(1));
if (!realm) {
debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
return 0;
}
/* This can really be anything. */
checksum = (u_long)getpid();
r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
if (r != KSUCCESS) {
debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
return 0;
}
/* Get session key to decrypt the server's reply with. */
r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
if (r != KSUCCESS) {
debug("get_cred failed: %s", krb_err_txt[r]);
return 0;
}
des_key_sched((des_cblock *) cred.session, schedule);
/* Send authentication info to server. */
packet_start(SSH_CMSG_AUTH_KERBEROS);
packet_put_string((char *) auth.dat, auth.length);
packet_send();
packet_write_wait();
/* Zero the buffer. */
(void) memset(auth.dat, 0, MAX_KTXT_LEN);
slen = sizeof(local);
memset(&local, 0, sizeof(local));
if (getsockname(packet_get_connection_in(),
(struct sockaddr *)&local, &slen) < 0)
debug("getsockname failed: %s", strerror(errno));
slen = sizeof(foreign);
memset(&foreign, 0, sizeof(foreign));
if (getpeername(packet_get_connection_in(),
(struct sockaddr *)&foreign, &slen) < 0) {
debug("getpeername failed: %s", strerror(errno));
fatal_cleanup();
}
/* Get server reply. */
type = packet_read();
switch (type) {
case SSH_SMSG_FAILURE:
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
debug("Kerberos v4 authentication failed.");
return 0;
break;
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
debug("Kerberos v4 authentication accepted.");
/* Get server's response. */
reply = packet_get_string((u_int *) &auth.length);
if (auth.length >= MAX_KTXT_LEN)
fatal("Kerberos v4: Malformed response from server");
memcpy(auth.dat, reply, auth.length);
xfree(reply);
packet_check_eom();
/*
* If his response isn't properly encrypted with the session
* key, and the decrypted checksum fails to match, he's
* bogus. Bail out.
*/
r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
&foreign, &local, &msg_data);
if (r != KSUCCESS) {
debug("Kerberos v4 krb_rd_priv failed: %s",
krb_err_txt[r]);
packet_disconnect("Kerberos v4 challenge failed!");
}
/* Fetch the (incremented) checksum that we supplied in the request. */
memcpy((char *)&cksum, (char *)msg_data.app_data,
sizeof(cksum));
cksum = ntohl(cksum);
/* If it matches, we're golden. */
if (cksum == checksum + 1) {
debug("Kerberos v4 challenge successful.");
return 1;
} else
packet_disconnect("Kerberos v4 challenge failed!");
break;
default:
packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
}
return 0;
}
#endif /* KRB4 */
#ifdef KRB5
static int
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
}
#endif /* KRB5 */
#ifdef AFS
static void
send_krb4_tgt(void)
{
CREDENTIALS *creds;
struct stat st;
char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
int problem, type;
/* Don't do anything if we don't have any tickets. */
if (stat(tkt_string(), &st) < 0)
return;
creds = xmalloc(sizeof(*creds));
problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
if (problem)
goto out;
problem = krb_get_cred("krbtgt", prealm, prealm, creds);
if (problem)
goto out;
if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
problem = RD_AP_EXP;
goto out;
}
creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
packet_put_cstring(buffer);
packet_send();
packet_write_wait();
type = packet_read();
if (type == SSH_SMSG_SUCCESS)
debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
creds->pname, creds->pinst[0] ? "." : "",
creds->pinst, creds->realm);
else
debug("Kerberos v4 TGT rejected.");
xfree(creds);
return;
out:
debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
xfree(creds);
}
static void
send_afs_tokens(void)
{
CREDENTIALS creds;
struct ViceIoctl parms;
struct ClearToken ct;
int i, type, len;
char buf[2048], *p, *server_cell;
char buffer[8192];
/* Move over ktc_GetToken, here's something leaner. */
for (i = 0; i < 100; i++) { /* just in case */
parms.in = (char *) &i;
parms.in_size = sizeof(i);
parms.out = buf;
parms.out_size = sizeof(buf);
if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
break;
p = buf;
/* Get secret token. */
memcpy(&creds.ticket_st.length, p, sizeof(u_int));
if (creds.ticket_st.length > MAX_KTXT_LEN)
break;
p += sizeof(u_int);
memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
p += creds.ticket_st.length;
/* Get clear token. */
memcpy(&len, p, sizeof(len));
if (len != sizeof(struct ClearToken))
break;
p += sizeof(len);
memcpy(&ct, p, len);
p += len;
p += sizeof(len); /* primary flag */
server_cell = p;
/* Flesh out our credentials. */
strlcpy(creds.service, "afs", sizeof(creds.service));
creds.instance[0] = '\0';
strlcpy(creds.realm, server_cell, REALM_SZ);
memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
creds.issue_date = ct.BeginTimestamp;
creds.lifetime = krb_time_to_life(creds.issue_date,
ct.EndTimestamp);
creds.kvno = ct.AuthHandle;
snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
creds.pinst[0] = '\0';
/* Encode token, ship it off. */
if (creds_to_radix(&creds, (u_char *)buffer,
sizeof(buffer)) <= 0)
break;
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
packet_put_cstring(buffer);
packet_send();
packet_write_wait();
/* Roger, Roger. Clearance, Clarence. What's your vector,
Victor? */
type = packet_read();
if (type == SSH_SMSG_FAILURE)
debug("AFS token for cell %s rejected.", server_cell);
else if (type != SSH_SMSG_SUCCESS)
packet_disconnect("Protocol error on AFS token response: %d", type);
}
}
#endif /* AFS */
/*
* Tries to authenticate with any string-based challenge/response system.
* Note that the client code is not tied to s/key or TIS.
@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
}
#endif /* KRB5 */
#ifdef KRB4
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
options.kerberos_authentication) {
debug("Trying Kerberos v4 authentication.");
if (try_krb4_authentication()) {
type = packet_read();
if (type == SSH_SMSG_SUCCESS)
goto success;
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
}
}
#endif /* KRB4 */
/*
* Use rhosts authentication if running in privileged socket and we
* do not wish to remain anonymous.
@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
if (context)
krb5_free_context(context);
#endif
#ifdef AFS
/* Try Kerberos v4 TGT passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
options.kerberos_tgt_passing) {
if (options.cipher == SSH_CIPHER_NONE)
logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
send_krb4_tgt();
}
/* Try AFS token passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
options.afs_token_passing && k_hasafs()) {
if (options.cipher == SSH_CIPHER_NONE)
logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
send_afs_tokens();
}
#endif /* AFS */
return; /* need statement after label */
}

21
sshd.c

@ -42,7 +42,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $");
RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@ -1476,20 +1476,13 @@ main(int ac, char **av)
"originating port %d not trusted.", remote_port);
options.rhosts_authentication = 0;
}
#if defined(KRB4) && !defined(KRB5)
#ifdef KRB5
if (!packet_connection_is_ipv4() &&
options.kerberos_authentication) {
debug("Kerberos Authentication disabled, only available for IPv4.");
options.kerberos_authentication = 0;
}
#endif /* KRB4 && !KRB5 */
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
k_setpag();
k_unlog();
}
#endif /* AFS */
#endif
packet_set_nonblocking();
@ -1656,17 +1649,11 @@ do_ssh1_kex(void)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
if (options.kerberos_authentication)
auth_mask |= 1 << SSH_AUTH_KERBEROS;
#endif
#if defined(AFS) || defined(KRB5)
if (options.kerberos_tgt_passing)
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif
#ifdef AFS
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif
if (options.challenge_response_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
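Review bot: Changing the guard around the `packet_connection_is_ipv4()` check in main() from `#if defined(KRB4) && !defined(KRB5)` to `#ifdef KRB5` widens a restriction instead of removing it: the old condition applied the IPv4-only rule exclusively to v4-only builds, and the new one applies it to every KRB5 build, so `options.kerberos_authentication` is now cleared on every non-IPv4 connection of a v5-enabled server with only a `debug()` line to say why. Unless the v5 code in this tree is IPv4-only for a reason not shown here, the whole block from `#ifdef KRB5` through `#endif` should go with the KRB4 support it belonged to; if it is kept, `logit()` rather than `debug()` so the silent fallback to other authentication methods is visible to the operator. main() continues on both sides of this hunk.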


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -61,10 +61,6 @@ The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AFSTokenPassing
Specifies whether an AFS token may be forwarded to the server.
Default is
.Dq no .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
@ -327,8 +323,7 @@ Default is
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
.Dq no ,
as this only works when the Kerberos KDC is actually an AFS kaserver.
.Dq no .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.