authorDamien Miller <djm@mindrot.org>1999-12-06 11:47:28 +1100
committerDamien Miller <djm@mindrot.org>1999-12-06 11:47:28 +1100
commitaae6c614da614eb10ced16505f35410671c95d9d (patch)
tree441e578781d38e7de4c5f609a4f86695d937e640 /auth-krb4.c
parentdc33fc3910552c82518503b581efc1a51192fa76 (diff)
- Merged OpenBSD CVS changes:
- [auth-krb4.c auth-passwd.c auth-skey.c ssh. move skey-auth from auth-passwd.c to auth-s - [auth-rsa.c] warn only about mismatch if key is _used_ warn about keysize-mismatch with log() not channels.c readconf.c readconf.h ssh.c ssh. ports are u_short - [hostfile.c] indent, shorter warning - [nchan.c] use error() for internal errors - [packet.c] set loglevel for SSH_MSG_DISCONNECT to log( serverloop.c indent - [ssh-add.1 ssh-add.c ssh.h] document , reasonable default - [ssh.1] CheckHostIP is not available for connects v - [sshconnect.c] typo easier to read client code for passwd and s turn of checkhostip for proxy connects, sin
Diffstat (limited to 'auth-krb4.c')
-rw-r--r--auth-krb4.c113
1 files changed, 113 insertions, 0 deletions
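--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -7,10 +7,123 @@
 #include "packet.h"
 #include "xmalloc.h"
 #include "ssh.h"
+#include "servconf.h"
 
 #ifdef KRB4
 char *ticket = NULL;
 
+extern ServerOptions options;
+
+/*
+ * try krb4 authentication,
+ * return 1 on success, 0 on failure, -1 if krb4 is not available
+ */
+
+int
+auth_krb4_password(struct passwd * pw, const char *password)
+{
+ AUTH_DAT adata;
+ KTEXT_ST tkt;
+ struct hostent *hp;
+ unsigned long faddr;
+ char localhost[MAXHOSTNAMELEN];
+ char phost[INST_SZ];
+ char realm[REALM_SZ];
+ int r;
+
+ /*
+ * Try Kerberos password authentication only for non-root
+ * users and only if Kerberos is installed.
+ */
+ if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+
+ /* Set up our ticket file. */
+ if (!krb4_init(pw->pw_uid)) {
+ log("Couldn't initialize Kerberos ticket file for %s!",
+ pw->pw_name);
+ goto kerberos_auth_failure;
+ }
+ /* Try to get TGT using our password. */
+ r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
+ realm, "krbtgt", realm,
+ DEFAULT_TKT_LIFE, (char *) password);
+ if (r != INTK_OK) {
+ packet_send_debug("Kerberos V4 password "
+ "authentication for %s failed: %s",
+ pw->pw_name, krb_err_txt[r]);
+ goto kerberos_auth_failure;
+ }
+ /* Successful authentication. */
+ chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+
+ /*
+ * Now that we have a TGT, try to get a local
+ * "rcmd" ticket to ensure that we are not talking
+ * to a bogus Kerberos server.
+ */
+ (void) gethostname(localhost, sizeof(localhost));
+ (void) strlcpy(phost, (char *) krb_get_phost(localhost),
+ INST_SZ);
+ r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+
+ if (r == KSUCCESS) {
+ if (!(hp = gethostbyname(localhost))) {
+ log("Couldn't get local host address!");
+ goto kerberos_auth_failure;
+ }
+ memmove((void *) &faddr, (void *) hp->h_addr,
+ sizeof(faddr));
+
+ /* Verify our "rcmd" ticket. */
+ r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
+ faddr, &adata, "");
+ if (r == RD_AP_UNDEC) {
+ /*
+ * Probably didn't have a srvtab on
+ * localhost. Allow login.
+ */
+ log("Kerberos V4 TGT for %s unverifiable, "
+ "no srvtab installed? krb_rd_req: %s",
+ pw->pw_name, krb_err_txt[r]);
+ } else if (r != KSUCCESS) {
+ log("Kerberos V4 %s ticket unverifiable: %s",
+ KRB4_SERVICE_NAME, krb_err_txt[r]);
+ goto kerberos_auth_failure;
+ }
+ } else if (r == KDC_PR_UNKNOWN) {
+ /*
+ * Allow login if no rcmd service exists, but
+ * log the error.
+ */
+ log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+ "not registered, or srvtab is wrong?", pw->pw_name,
+ krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+ } else {
+ /*
+ * TGT is bad, forget it. Possibly spoofed!
+ */
+ packet_send_debug("WARNING: Kerberos V4 TGT "
+ "possibly spoofed for %s: %s",
+ pw->pw_name, krb_err_txt[r]);
+ goto kerberos_auth_failure;
+ }
+
+ /* Authentication succeeded. */
+ return 1;
+
+kerberos_auth_failure:
+ krb4_cleanup_proc(NULL);
+
+ if (!options.kerberos_or_local_passwd)
+ return 0;
+ } else {
+ /* Logging in as root or no local Kerberos realm. */
+ packet_send_debug("Unable to authenticate to Kerberos.");
+ }
+ /* Fall back to ordinary passwd authentication. */
+ return -1;
+}
+
 void
 krb4_cleanup_proc(void *ignore)
 {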
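Review bot: The `memmove((void *) &faddr, (void *) hp->h_addr, sizeof(faddr))` at new lines 74-75 copies sizeof(unsigned long) bytes out of h_addr, but h_addr only holds hp->h_length bytes (4 for an IPv4 address), so on a platform where unsigned long is 8 bytes this reads past the address and hands krb_rd_req a corrupted from-address for its TGT verification. Copy only what the resolver returned and bound it to the destination: `if ((size_t) hp->h_length > sizeof(faddr)) goto kerberos_auth_failure;` then `faddr = 0;` and `memmove((void *) &faddr, (void *) hp->h_addr, hp->h_length);`. Separately, the chown() of the ticket file at new line 57 is unchecked; if it fails the ticket file is left with the wrong owner, which is worth at least a log() before continuing. The RD_AP_UNDEC and KDC_PR_UNKNOWN branches deliberately accept a TGT that could not be verified against a local srvtab, so the "not talking to a bogus Kerberos server" comment above krb_mk_req should say that the check is only enforced when a srvtab is installed.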