- Merged very large OpenBSD source code reformat

- OpenBSD CVS updates - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c] [ssh.h sshd.8 sshd.c] syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c] tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE messages. allows use of s/key in windows (ttssh, securecrt) and ssh-1.2.27 clients without 'ssh -v', ok: niels@ - [sshd.8] -V, for fallback to openssh in SSH2 compatibility mode - [sshd.c] fix sigchld race; cjc5@po.cwru.edu
author: Damien Miller <djm@mindrot.org> 1999-11-25 00:26:21 +1100
committer: Damien Miller <djm@mindrot.org> 1999-11-25 00:26:21 +1100
commit: 95def09838fc61b37b6ea7cd5c234a465b4b129b (patch)
tree: 042744f76f40a326b873cb1c3690a6d7d966bc3e /auth-krb4.c
parent: 4d2f15f895f4c795afc008aeff3fd2ceffbc44f4 (diff)
1 files changed, 204 insertions, 204 deletions
diff --git a/auth-krb4.c b/auth-krb4.c
index 72acd47db..9f99533b1 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -1,13 +1,7 @@
 /*
+ *    Dug Song <dugsong@UMICH.EDU>
-   auth-kerberos.c
+ *    Kerberos v4 authentication and ticket-passing routines.
+ */
-   Dug Song <dugsong@UMICH.EDU>
-   Kerberos v4 authentication and ticket-passing routines.
-   $Id: auth-krb4.c,v 1.4 1999/11/15 04:25:10 damien Exp $
-*/
 #include "includes.h"
 #include "packet.h"
@@ -20,216 +14,222 @@ char *ticket = NULL;
 void
 krb4_cleanup_proc(void *ignore)
 {
-  debug("krb4_cleanup_proc called");
+        debug("krb4_cleanup_proc called");
-  
+        if (ticket) {
-  if (ticket) {
+                (void) dest_tkt();
-    (void) dest_tkt();
+                xfree(ticket);
-    xfree(ticket);
+                ticket = NULL;
-    ticket = NULL;
+        }
-  }
 }
-int krb4_init(uid_t uid)
+int 
+krb4_init(uid_t uid)
 {
-  static int cleanup_registered = 0;
+        static int cleanup_registered = 0;
-  char *tkt_root = TKT_ROOT;
+        char *tkt_root = TKT_ROOT;
-  struct stat st;
+        struct stat st;
-  int fd;
+        int fd;
-  if (!ticket) {
+        if (!ticket) {
-    /* Set unique ticket string manually since we're still root. */
+                /* Set unique ticket string manually since we're still root. */
-    ticket = xmalloc(MAXPATHLEN);
+                ticket = xmalloc(MAXPATHLEN);
 #ifdef AFS
-    if (lstat("/ticket", &st) != -1)
+                if (lstat("/ticket", &st) != -1)
-      tkt_root = "/ticket/";
+                        tkt_root = "/ticket/";
 #endif /* AFS */
-    snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
+                snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
-    (void) krb_set_tkt_string(ticket);
+                (void) krb_set_tkt_string(ticket);
-  }
+        }
-  /* Register ticket cleanup in case of fatal error. */
+        /* Register ticket cleanup in case of fatal error. */
-  if (!cleanup_registered) {
+        if (!cleanup_registered) {
-    fatal_add_cleanup(krb4_cleanup_proc, NULL);
+                fatal_add_cleanup(krb4_cleanup_proc, NULL);
-    cleanup_registered = 1;
+                cleanup_registered = 1;
-  }
+        }
-  /* Try to create our ticket file. */
+        /* Try to create our ticket file. */
-  if ((fd = mkstemp(ticket)) != -1) {
+        if ((fd = mkstemp(ticket)) != -1) {
-    close(fd);
+                close(fd);
-    return 1;
+                return 1;
-  }
+        }
-  /* Ticket file exists - make sure user owns it (just passed ticket). */
+        /* Ticket file exists - make sure user owns it (just passed ticket). */
-  if (lstat(ticket, &st) != -1) {
+        if (lstat(ticket, &st) != -1) {
-    if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid)
+                if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
-      return 1;
+                    st.st_uid == uid)
-  }
+                        return 1;
-  /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
+        }
-  log("WARNING: bad ticket file %s", ticket);
+        /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
-  fatal_remove_cleanup(krb4_cleanup_proc, NULL);
+        log("WARNING: bad ticket file %s", ticket);
-  cleanup_registered = 0;
+        fatal_remove_cleanup(krb4_cleanup_proc, NULL);
-  xfree(ticket);
+        cleanup_registered = 0;
-  ticket = NULL;
+        xfree(ticket);
-  
+        ticket = NULL;
-  return 0;
+        return 0;
 }
-int auth_krb4(const char *server_user, KTEXT auth, char **client)
+int 
+auth_krb4(const char *server_user, KTEXT auth, char **client)
 {
-  AUTH_DAT adat   = { 0 };
+        AUTH_DAT adat = {0};
-  KTEXT_ST reply;
+        KTEXT_ST reply;
-  char instance[INST_SZ];
+        char instance[INST_SZ];
-  int r, s;
+        int r, s;
-  u_int cksum;
+        u_int cksum;
-  Key_schedule schedule;
+        Key_schedule schedule;
-  struct sockaddr_in local, foreign;
+        struct sockaddr_in local, foreign;
-  
-  s = packet_get_connection_in();
+        s = packet_get_connection_in();
-  
-  r = sizeof(local);
+        r = sizeof(local);
-  memset(&local, 0, sizeof(local));
+        memset(&local, 0, sizeof(local));
-  if (getsockname(s, (struct sockaddr *) &local, &r) < 0)
+        if (getsockname(s, (struct sockaddr *) & local, &r) < 0)
-    debug("getsockname failed: %.100s", strerror(errno));
+                debug("getsockname failed: %.100s", strerror(errno));
-  r = sizeof(foreign);
+        r = sizeof(foreign);
-  memset(&foreign, 0, sizeof(foreign));
+        memset(&foreign, 0, sizeof(foreign));
-  if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0) {
+        if (getpeername(s, (struct sockaddr *) & foreign, &r) < 0) {
-    debug("getpeername failed: %.100s", strerror(errno));
+                debug("getpeername failed: %.100s", strerror(errno));
-    fatal_cleanup();
+                fatal_cleanup();
-  }
+        }
-  
+        instance[0] = '*';
-  instance[0] = '*'; instance[1] = 0;
+        instance[1] = 0;
-  
-  /* Get the encrypted request, challenge, and session key. */
+        /* Get the encrypted request, challenge, and session key. */
-  if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
+        if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
-    packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
+                packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
-    return 0;
+                return 0;
-  }
+        }
-  des_key_sched((des_cblock *)adat.session, schedule);
+        des_key_sched((des_cblock *) adat.session, schedule);
-  
-  *client = xmalloc(MAX_K_NAME_SZ);
+        *client = xmalloc(MAX_K_NAME_SZ);
-  (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
+        (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
-                  *adat.pinst ? "." : "", adat.pinst, adat.prealm);
+            *adat.pinst ? "." : "", adat.pinst, adat.prealm);
-  /* Check ~/.klogin authorization now. */
+        /* Check ~/.klogin authorization now. */
-  if (kuserok(&adat, (char *)server_user) != KSUCCESS) {
+        if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
-    packet_send_debug("Kerberos V4 .klogin authorization failed!");
+                packet_send_debug("Kerberos V4 .klogin authorization failed!");
-    log("Kerberos V4 .klogin authorization failed for %s to account %s",
+                log("Kerberos V4 .klogin authorization failed for %s to account %s",
-        *client, server_user);
+                    *client, server_user);
-    xfree(*client);
+                xfree(*client);
-    return 0;
+                return 0;
-  }
+        }
-  /* Increment the checksum, and return it encrypted with the session key. */
+        /* Increment the checksum, and return it encrypted with the
-  cksum = adat.checksum + 1;
+           session key. */
-  cksum = htonl(cksum);
+        cksum = adat.checksum + 1;
-  
+        cksum = htonl(cksum);
-  /* If we can't successfully encrypt the checksum, we send back an empty
-     message, admitting our failure. */
+        /* If we can't successfully encrypt the checksum, we send back an
-  if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1,
+           empty message, admitting our failure. */
-                       schedule, &adat.session, &local, &foreign)) < 0) {
+        if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
-    packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
+            schedule, &adat.session, &local, &foreign)) < 0) {
-    reply.dat[0] = 0;
+                packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
-    reply.length = 0;
+                reply.dat[0] = 0;
-  }
+                reply.length = 0;
-  else reply.length = r;
+        } else
-  
+                reply.length = r;
-  /* Clear session key. */
-  memset(&adat.session, 0, sizeof(&adat.session));
+        /* Clear session key. */
-  
+        memset(&adat.session, 0, sizeof(&adat.session));
-  packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-  packet_put_string((char *) reply.dat, reply.length);
+        packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-  packet_send();
+        packet_put_string((char *) reply.dat, reply.length);
-  packet_write_wait();
+        packet_send();
-  return 1;
+        packet_write_wait();
+        return 1;
 }
 #endif /* KRB4 */
 #ifdef AFS
-int auth_kerberos_tgt(struct passwd *pw, const char *string)
+int 
+auth_kerberos_tgt(struct passwd *pw, const char *string)
 {
-  CREDENTIALS creds;
+        CREDENTIALS creds;
-  
-  if (!radix_to_creds(string, &creds)) {
+        if (!radix_to_creds(string, &creds)) {
-    log("Protocol error decoding Kerberos V4 tgt");
+                log("Protocol error decoding Kerberos V4 tgt");
-    packet_send_debug("Protocol error decoding Kerberos V4 tgt");
+                packet_send_debug("Protocol error decoding Kerberos V4 tgt");
-    goto auth_kerberos_tgt_failure;
+                goto auth_kerberos_tgt_failure;
-  }
+        }
-  if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
+        if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-    strlcpy(creds.service, "krbtgt", sizeof creds.service);
+                strlcpy(creds.service, "krbtgt", sizeof creds.service);
-  
-  if (strcmp(creds.service, "krbtgt")) {
+        if (strcmp(creds.service, "krbtgt")) {
-    log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
+                log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
-        creds.pinst[0] ? "." : "", creds.pinst, creds.realm, pw->pw_name);
+                    creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
-    packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
+                    pw->pw_name);
-                      creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
+                packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
-                      creds.realm, pw->pw_name);
+                    creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
-    goto auth_kerberos_tgt_failure;
+                    creds.realm, pw->pw_name);
-  }
+                goto auth_kerberos_tgt_failure;
-  if (!krb4_init(pw->pw_uid))
+        }
-    goto auth_kerberos_tgt_failure;
+        if (!krb4_init(pw->pw_uid))
+                goto auth_kerberos_tgt_failure;
-  if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-    goto auth_kerberos_tgt_failure;
+        if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-  
+                goto auth_kerberos_tgt_failure;
-  if (save_credentials(creds.service, creds.instance, creds.realm,
-                       creds.session, creds.lifetime, creds.kvno,
+        if (save_credentials(creds.service, creds.instance, creds.realm,
-                       &creds.ticket_st, creds.issue_date) != KSUCCESS) {
+            creds.session, creds.lifetime, creds.kvno,
-    packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
+            &creds.ticket_st, creds.issue_date) != KSUCCESS) {
-    goto auth_kerberos_tgt_failure;
+                packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
-  }
+                goto auth_kerberos_tgt_failure;
-  /* Successful authentication, passed all checks. */
+        }
-  chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+        /* Successful authentication, passed all checks. */
-  
+        chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-  packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
-                    creds.service, creds.instance, creds.realm, creds.pname,
+        packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
-                    creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
+            creds.service, creds.instance, creds.realm, creds.pname,
-  memset(&creds, 0, sizeof(creds));
+            creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
-  packet_start(SSH_SMSG_SUCCESS);
+        memset(&creds, 0, sizeof(creds));
-  packet_send();
+        packet_start(SSH_SMSG_SUCCESS);
-  packet_write_wait();
+        packet_send();
-  return 1;
+        packet_write_wait();
-  
+        return 1;
- auth_kerberos_tgt_failure:
-  krb4_cleanup_proc(NULL);
+auth_kerberos_tgt_failure:
-  memset(&creds, 0, sizeof(creds));
+        krb4_cleanup_proc(NULL);
-  packet_start(SSH_SMSG_FAILURE);
+        memset(&creds, 0, sizeof(creds));
-  packet_send();
+        packet_start(SSH_SMSG_FAILURE);
-  packet_write_wait();
+        packet_send();
-  return 0;
+        packet_write_wait();
+        return 0;
 }
-int auth_afs_token(struct passwd *pw, const char *token_string)
+int 
+auth_afs_token(struct passwd *pw, const char *token_string)
 {
-  CREDENTIALS creds;
+        CREDENTIALS creds;
-  uid_t uid = pw->pw_uid;
+        uid_t uid = pw->pw_uid;
-  if (!radix_to_creds(token_string, &creds)) {
+        if (!radix_to_creds(token_string, &creds)) {
-    log("Protocol error decoding AFS token");
+                log("Protocol error decoding AFS token");
-    packet_send_debug("Protocol error decoding AFS token");
+                packet_send_debug("Protocol error decoding AFS token");
-    packet_start(SSH_SMSG_FAILURE);
+                packet_start(SSH_SMSG_FAILURE);
-    packet_send();
+                packet_send();
-    packet_write_wait();
+                packet_write_wait();
-    return 0;
+                return 0;
-  }
+        }
-  if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
+        if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-    strlcpy(creds.service, "afs", sizeof creds.service);
+                strlcpy(creds.service, "afs", sizeof creds.service);
-  
-  if (strncmp(creds.pname, "AFS ID ", 7) == 0)
+        if (strncmp(creds.pname, "AFS ID ", 7) == 0)
-    uid = atoi(creds.pname + 7);
+                uid = atoi(creds.pname + 7);
-  
-  if (kafs_settoken(creds.realm, uid, &creds)) {
+        if (kafs_settoken(creds.realm, uid, &creds)) {
-    log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
+                log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
-        pw->pw_name);
+                    pw->pw_name);
-    packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
+                packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
-                      creds.realm, pw->pw_name);
+                    creds.realm, pw->pw_name);
-    memset(&creds, 0, sizeof(creds));
+                memset(&creds, 0, sizeof(creds));
-    packet_start(SSH_SMSG_FAILURE);
+                packet_start(SSH_SMSG_FAILURE);
-    packet_send();
+                packet_send();
-    packet_write_wait();
+                packet_write_wait();
-    return 0;
+                return 0;
-  }
+        }
-  packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
+        packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
-                    creds.realm, creds.pname, creds.realm);
+            creds.realm, creds.pname, creds.realm);
-  memset(&creds, 0, sizeof(creds));
+        memset(&creds, 0, sizeof(creds));
-  packet_start(SSH_SMSG_SUCCESS);
+        packet_start(SSH_SMSG_SUCCESS);
-  packet_send();
+        packet_send();
-  packet_write_wait();
+        packet_write_wait();
-  return 1;
+        return 1;
 }
 #endif /* AFS */
author	Damien Miller <djm@mindrot.org>	1999-11-25 00:26:21 +1100
committer	Damien Miller <djm@mindrot.org>	1999-11-25 00:26:21 +1100
commit	95def09838fc61b37b6ea7cd5c234a465b4b129b (patch)
tree	042744f76f40a326b873cb1c3690a6d7d966bc3e /auth-krb4.c
parent	4d2f15f895f4c795afc008aeff3fd2ceffbc44f4 (diff)

diff --git a/auth-krb4.c b/auth-krb4.c index 72acd47db..9f99533b1 100644 --- a/auth-krb4.c +++ b/auth-krb4.c
@@ -1,13 +1,7 @@
1	/*	1	/*
2		2	* Dug Song <dugsong@UMICH.EDU>
3	auth-kerberos.c	3	* Kerberos v4 authentication and ticket-passing routines.
4		4	*/
5	Dug Song <dugsong@UMICH.EDU>
6
7	Kerberos v4 authentication and ticket-passing routines.
8
9	$Id: auth-krb4.c,v 1.4 1999/11/15 04:25:10 damien Exp $
10	*/
11		5
12	#include "includes.h"	6	#include "includes.h"
13	#include "packet.h"	7	#include "packet.h"
@@ -20,216 +14,222 @@ char *ticket = NULL;
20	void	14	void
21	krb4_cleanup_proc(void *ignore)	15	krb4_cleanup_proc(void *ignore)
22	{	16	{
23	debug("krb4_cleanup_proc called");	17	debug("krb4_cleanup_proc called");
24		18	if (ticket) {
25	if (ticket) {	19	(void) dest_tkt();
26	(void) dest_tkt();	20	xfree(ticket);
27	xfree(ticket);	21	ticket = NULL;
28	ticket = NULL;	22	}
29	}
30	}	23	}
31		24
32	int krb4_init(uid_t uid)	25	int
		26	krb4_init(uid_t uid)
33	{	27	{
34	static int cleanup_registered = 0;	28	static int cleanup_registered = 0;
35	char *tkt_root = TKT_ROOT;	29	char *tkt_root = TKT_ROOT;
36	struct stat st;	30	struct stat st;
37	int fd;	31	int fd;
38		32
39	if (!ticket) {	33	if (!ticket) {
40	/* Set unique ticket string manually since we're still root. */	34	/* Set unique ticket string manually since we're still root. */
41	ticket = xmalloc(MAXPATHLEN);	35	ticket = xmalloc(MAXPATHLEN);
42	#ifdef AFS	36	#ifdef AFS
43	if (lstat("/ticket", &st) != -1)	37	if (lstat("/ticket", &st) != -1)
44	tkt_root = "/ticket/";	38	tkt_root = "/ticket/";
45	#endif /* AFS */	39	#endif /* AFS */
46	snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());	40	snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
47	(void) krb_set_tkt_string(ticket);	41	(void) krb_set_tkt_string(ticket);
48	}	42	}
49	/* Register ticket cleanup in case of fatal error. */	43	/* Register ticket cleanup in case of fatal error. */
50	if (!cleanup_registered) {	44	if (!cleanup_registered) {
51	fatal_add_cleanup(krb4_cleanup_proc, NULL);	45	fatal_add_cleanup(krb4_cleanup_proc, NULL);
52	cleanup_registered = 1;	46	cleanup_registered = 1;
53	}	47	}
54	/* Try to create our ticket file. */	48	/* Try to create our ticket file. */
55	if ((fd = mkstemp(ticket)) != -1) {	49	if ((fd = mkstemp(ticket)) != -1) {
56	close(fd);	50	close(fd);
57	return 1;	51	return 1;
58	}	52	}
59	/* Ticket file exists - make sure user owns it (just passed ticket). */	53	/* Ticket file exists - make sure user owns it (just passed ticket). */
60	if (lstat(ticket, &st) != -1) {	54	if (lstat(ticket, &st) != -1) {
61	if (st.st_mode == (S_IFREG\|S_IRUSR\|S_IWUSR) && st.st_uid == uid)	55	if (st.st_mode == (S_IFREG \| S_IRUSR \| S_IWUSR) &&
62	return 1;	56	st.st_uid == uid)
63	}	57	return 1;
64	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */	58	}
65	log("WARNING: bad ticket file %s", ticket);	59	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
66	fatal_remove_cleanup(krb4_cleanup_proc, NULL);	60	log("WARNING: bad ticket file %s", ticket);
67	cleanup_registered = 0;	61	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
68	xfree(ticket);	62	cleanup_registered = 0;
69	ticket = NULL;	63	xfree(ticket);
70		64	ticket = NULL;
71	return 0;	65
		66	return 0;
72	}	67	}
73		68
74	int auth_krb4(const char server_user, KTEXT auth, char *client)	69	int
		70	auth_krb4(const char server_user, KTEXT auth, char *client)
75	{	71	{
76	AUTH_DAT adat = { 0 };	72	AUTH_DAT adat = {0};
77	KTEXT_ST reply;	73	KTEXT_ST reply;
78	char instance[INST_SZ];	74	char instance[INST_SZ];
79	int r, s;	75	int r, s;
80	u_int cksum;	76	u_int cksum;
81	Key_schedule schedule;	77	Key_schedule schedule;
82	struct sockaddr_in local, foreign;	78	struct sockaddr_in local, foreign;
83		79
84	s = packet_get_connection_in();	80	s = packet_get_connection_in();
85		81
86	r = sizeof(local);	82	r = sizeof(local);
87	memset(&local, 0, sizeof(local));	83	memset(&local, 0, sizeof(local));
88	if (getsockname(s, (struct sockaddr *) &local, &r) < 0)	84	if (getsockname(s, (struct sockaddr *) & local, &r) < 0)
89	debug("getsockname failed: %.100s", strerror(errno));	85	debug("getsockname failed: %.100s", strerror(errno));
90	r = sizeof(foreign);	86	r = sizeof(foreign);
91	memset(&foreign, 0, sizeof(foreign));	87	memset(&foreign, 0, sizeof(foreign));
92	if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0) {	88	if (getpeername(s, (struct sockaddr *) & foreign, &r) < 0) {
93	debug("getpeername failed: %.100s", strerror(errno));	89	debug("getpeername failed: %.100s", strerror(errno));
94	fatal_cleanup();	90	fatal_cleanup();
95	}	91	}
96		92	instance[0] = '*';
97	instance[0] = '*'; instance[1] = 0;	93	instance[1] = 0;
98		94
99	/* Get the encrypted request, challenge, and session key. */	95	/* Get the encrypted request, challenge, and session key. */
100	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {	96	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
101	packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);	97	packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
102	return 0;	98	return 0;
103	}	99	}
104	des_key_sched((des_cblock *)adat.session, schedule);	100	des_key_sched((des_cblock *) adat.session, schedule);
105		101
106	*client = xmalloc(MAX_K_NAME_SZ);	102	*client = xmalloc(MAX_K_NAME_SZ);
107	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,	103	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
108	*adat.pinst ? "." : "", adat.pinst, adat.prealm);	104	*adat.pinst ? "." : "", adat.pinst, adat.prealm);
109		105
110	/* Check ~/.klogin authorization now. */	106	/* Check ~/.klogin authorization now. */
111	if (kuserok(&adat, (char *)server_user) != KSUCCESS) {	107	if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
112	packet_send_debug("Kerberos V4 .klogin authorization failed!");	108	packet_send_debug("Kerberos V4 .klogin authorization failed!");
113	log("Kerberos V4 .klogin authorization failed for %s to account %s",	109	log("Kerberos V4 .klogin authorization failed for %s to account %s",
114	*client, server_user);	110	*client, server_user);
115	xfree(*client);	111	xfree(*client);
116	return 0;	112	return 0;
117	}	113	}
118	/* Increment the checksum, and return it encrypted with the session key. */	114	/* Increment the checksum, and return it encrypted with the
119	cksum = adat.checksum + 1;	115	session key. */
120	cksum = htonl(cksum);	116	cksum = adat.checksum + 1;
121		117	cksum = htonl(cksum);
122	/* If we can't successfully encrypt the checksum, we send back an empty	118
123	message, admitting our failure. */	119	/* If we can't successfully encrypt the checksum, we send back an
124	if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1,	120	empty message, admitting our failure. */
125	schedule, &adat.session, &local, &foreign)) < 0) {	121	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
126	packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);	122	schedule, &adat.session, &local, &foreign)) < 0) {
127	reply.dat[0] = 0;	123	packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
128	reply.length = 0;	124	reply.dat[0] = 0;
129	}	125	reply.length = 0;
130	else reply.length = r;	126	} else
131		127	reply.length = r;
132	/* Clear session key. */	128
133	memset(&adat.session, 0, sizeof(&adat.session));	129	/* Clear session key. */
134		130	memset(&adat.session, 0, sizeof(&adat.session));
135	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);	131
136	packet_put_string((char *) reply.dat, reply.length);	132	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
137	packet_send();	133	packet_put_string((char *) reply.dat, reply.length);
138	packet_write_wait();	134	packet_send();
139	return 1;	135	packet_write_wait();
		136	return 1;
140	}	137	}
141	#endif /* KRB4 */	138	#endif /* KRB4 */
142		139
143	#ifdef AFS	140	#ifdef AFS
144	int auth_kerberos_tgt(struct passwd pw, const char string)	141	int
		142	auth_kerberos_tgt(struct passwd pw, const char string)
145	{	143	{
146	CREDENTIALS creds;	144	CREDENTIALS creds;
147		145
148	if (!radix_to_creds(string, &creds)) {	146	if (!radix_to_creds(string, &creds)) {
149	log("Protocol error decoding Kerberos V4 tgt");	147	log("Protocol error decoding Kerberos V4 tgt");
150	packet_send_debug("Protocol error decoding Kerberos V4 tgt");	148	packet_send_debug("Protocol error decoding Kerberos V4 tgt");
151	goto auth_kerberos_tgt_failure;	149	goto auth_kerberos_tgt_failure;
152	}	150	}
153	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */	151	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
154	strlcpy(creds.service, "krbtgt", sizeof creds.service);	152	strlcpy(creds.service, "krbtgt", sizeof creds.service);
155		153
156	if (strcmp(creds.service, "krbtgt")) {	154	if (strcmp(creds.service, "krbtgt")) {
157	log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,	155	log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
158	creds.pinst[0] ? "." : "", creds.pinst, creds.realm, pw->pw_name);	156	creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
159	packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",	157	pw->pw_name);
160	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,	158	packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
161	creds.realm, pw->pw_name);	159	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
162	goto auth_kerberos_tgt_failure;	160	creds.realm, pw->pw_name);
163	}	161	goto auth_kerberos_tgt_failure;
164	if (!krb4_init(pw->pw_uid))	162	}
165	goto auth_kerberos_tgt_failure;	163	if (!krb4_init(pw->pw_uid))
166		164	goto auth_kerberos_tgt_failure;
167	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)	165
168	goto auth_kerberos_tgt_failure;	166	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
169		167	goto auth_kerberos_tgt_failure;
170	if (save_credentials(creds.service, creds.instance, creds.realm,	168
171	creds.session, creds.lifetime, creds.kvno,	169	if (save_credentials(creds.service, creds.instance, creds.realm,
172	&creds.ticket_st, creds.issue_date) != KSUCCESS) {	170	creds.session, creds.lifetime, creds.kvno,
173	packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");	171	&creds.ticket_st, creds.issue_date) != KSUCCESS) {
174	goto auth_kerberos_tgt_failure;	172	packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
175	}	173	goto auth_kerberos_tgt_failure;
176	/* Successful authentication, passed all checks. */	174	}
177	chown(tkt_string(), pw->pw_uid, pw->pw_gid);	175	/* Successful authentication, passed all checks. */
178		176	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
179	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",	177
180	creds.service, creds.instance, creds.realm, creds.pname,	178	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
181	creds.pinst[0] ? "." : "", creds.pinst, creds.realm);	179	creds.service, creds.instance, creds.realm, creds.pname,
182	memset(&creds, 0, sizeof(creds));	180	creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
183	packet_start(SSH_SMSG_SUCCESS);	181	memset(&creds, 0, sizeof(creds));
184	packet_send();	182	packet_start(SSH_SMSG_SUCCESS);
185	packet_write_wait();	183	packet_send();
186	return 1;	184	packet_write_wait();
187		185	return 1;
188	auth_kerberos_tgt_failure:	186
189	krb4_cleanup_proc(NULL);	187	auth_kerberos_tgt_failure:
190	memset(&creds, 0, sizeof(creds));	188	krb4_cleanup_proc(NULL);
191	packet_start(SSH_SMSG_FAILURE);	189	memset(&creds, 0, sizeof(creds));
192	packet_send();	190	packet_start(SSH_SMSG_FAILURE);
193	packet_write_wait();	191	packet_send();
194	return 0;	192	packet_write_wait();
		193	return 0;
195	}	194	}
196		195
197	int auth_afs_token(struct passwd pw, const char token_string)	196	int
		197	auth_afs_token(struct passwd pw, const char token_string)
198	{	198	{
199	CREDENTIALS creds;	199	CREDENTIALS creds;
200	uid_t uid = pw->pw_uid;	200	uid_t uid = pw->pw_uid;
201		201
202	if (!radix_to_creds(token_string, &creds)) {	202	if (!radix_to_creds(token_string, &creds)) {
203	log("Protocol error decoding AFS token");	203	log("Protocol error decoding AFS token");
204	packet_send_debug("Protocol error decoding AFS token");	204	packet_send_debug("Protocol error decoding AFS token");
205	packet_start(SSH_SMSG_FAILURE);	205	packet_start(SSH_SMSG_FAILURE);
206	packet_send();	206	packet_send();
207	packet_write_wait();	207	packet_write_wait();
208	return 0;	208	return 0;
209	}	209	}
210	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */	210	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
211	strlcpy(creds.service, "afs", sizeof creds.service);	211	strlcpy(creds.service, "afs", sizeof creds.service);
212		212
213	if (strncmp(creds.pname, "AFS ID ", 7) == 0)	213	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
214	uid = atoi(creds.pname + 7);	214	uid = atoi(creds.pname + 7);
215		215
216	if (kafs_settoken(creds.realm, uid, &creds)) {	216	if (kafs_settoken(creds.realm, uid, &creds)) {
217	log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,	217	log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
218	pw->pw_name);	218	pw->pw_name);
219	packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,	219	packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
220	creds.realm, pw->pw_name);	220	creds.realm, pw->pw_name);
221	memset(&creds, 0, sizeof(creds));	221	memset(&creds, 0, sizeof(creds));
222	packet_start(SSH_SMSG_FAILURE);	222	packet_start(SSH_SMSG_FAILURE);
223	packet_send();	223	packet_send();
224	packet_write_wait();	224	packet_write_wait();
225	return 0;	225	return 0;
226	}	226	}
227	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,	227	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
228	creds.realm, creds.pname, creds.realm);	228	creds.realm, creds.pname, creds.realm);
229	memset(&creds, 0, sizeof(creds));	229	memset(&creds, 0, sizeof(creds));
230	packet_start(SSH_SMSG_SUCCESS);	230	packet_start(SSH_SMSG_SUCCESS);
231	packet_send();	231	packet_send();
232	packet_write_wait();	232	packet_write_wait();
233	return 1;	233	return 1;
234	}	234	}
235	#endif /* AFS */	235	#endif /* AFS */