author | Damien Miller <djm@mindrot.org> | 1999-12-06 11:47:28 +1100 |
committer | Damien Miller <djm@mindrot.org> | 1999-12-06 11:47:28 +1100 |
commit | aae6c614da614eb10ced16505f35410671c95d9d (patch) | |
tree | 441e578781d38e7de4c5f609a4f86695d937e640 /auth-passwd.c | |
parent | dc33fc3910552c82518503b581efc1a51192fa76 (diff) |
- Merged OpenBSD CVS changes:
- [auth-krb4.c auth-passwd.c auth-skey.c ssh.
move skey-auth from auth-passwd.c to auth-s
- [auth-rsa.c]
warn only about mismatch if key is _used_
warn about keysize-mismatch with log() not
channels.c readconf.c readconf.h ssh.c ssh.
ports are u_short
- [hostfile.c]
indent, shorter warning
- [nchan.c]
use error() for internal errors
- [packet.c]
set loglevel for SSH_MSG_DISCONNECT to log(
serverloop.c
indent
- [ssh-add.1 ssh-add.c ssh.h]
document , reasonable default
- [ssh.1]
CheckHostIP is not available for connects v
- [sshconnect.c]
typo
easier to read client code for passwd and s
turn of checkhostip for proxy connects, sin
Diffstat (limited to 'auth-passwd.c')
-rw-r--r-- | auth-passwd.c | 133 |
1 files changed, 10 insertions, 123 deletions
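--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -11,7 +11,7 @@
 
 #ifndef HAVE_PAM
 
-RCSID("$Id: auth-passwd.c,v 1.7 1999/11/25 00:54:57 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.8 1999/12/06 00:47:28 damien Exp $");
 
 #include "packet.h"
 #include "ssh.h"
@@ -49,133 +49,20 @@ auth_password(struct passwd * pw, const char *password)
 
 #ifdef SKEY
 if (options.skey_authentication == 1) {
-if (strncasecmp(password, "s/key", 5) == 0) {
-char *skeyinfo = skey_keyinfo(pw->pw_name);
-if (skeyinfo == NULL) {
-debug("generating fake skeyinfo for %.100s.",
-pw->pw_name);
-skeyinfo = skey_fake_keyinfo(pw->pw_name);
-}
-if (skeyinfo != NULL)
-packet_send_debug(skeyinfo);
-/* Try again. */
-return 0;
-} else if (skey_haskey(pw->pw_name) == 0 &&
-skey_passcheck(pw->pw_name, (char *) password) != -1) {
-/* Authentication succeeded. */
-return 1;
-}
+int ret = auth_skey_password(pw, password);
+if (ret == 1 || ret == 0)
+return ret;
 /* Fall back to ordinary passwd authentication. */
 }
 #endif
-
-#if defined(KRB4)
-/*
-* Support for Kerberos v4 authentication
-* - Dug Song <dugsong@UMICH.EDU>
-*/
-if (options.kerberos_authentication) {
-AUTH_DAT adata;
-KTEXT_ST tkt;
-struct hostent *hp;
-unsigned long faddr;
-char localhost[MAXHOSTNAMELEN];
-char phost[INST_SZ];
-char realm[REALM_SZ];
-int r;
-
-/*
-* Try Kerberos password authentication only for non-root
-* users and only if Kerberos is installed.
-*/
-if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-
-/* Set up our ticket file. */
-if (!krb4_init(pw->pw_uid)) {
-log("Couldn't initialize Kerberos ticket file for %s!",
-pw->pw_name);
-goto kerberos_auth_failure;
-}
-/* Try to get TGT using our password. */
-r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
-realm, "krbtgt", realm,
-DEFAULT_TKT_LIFE, (char *) password);
-if (r != INTK_OK) {
-packet_send_debug("Kerberos V4 password "
-"authentication for %s failed: %s",
-pw->pw_name, krb_err_txt[r]);
-goto kerberos_auth_failure;
-}
-/* Successful authentication. */
-chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-/*
-* Now that we have a TGT, try to get a local
-* "rcmd" ticket to ensure that we are not talking
-* to a bogus Kerberos server.
-*/
-(void) gethostname(localhost, sizeof(localhost));
-(void) strlcpy(phost, (char *) krb_get_phost(localhost),
-INST_SZ);
-r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-if (r == KSUCCESS) {
-if (!(hp = gethostbyname(localhost))) {
-log("Couldn't get local host address!");
-goto kerberos_auth_failure;
-}
-memmove((void *) &faddr, (void *) hp->h_addr,
-sizeof(faddr));
-
-/* Verify our "rcmd" ticket. */
-r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-faddr, &adata, "");
-if (r == RD_AP_UNDEC) {
-/*
-* Probably didn't have a srvtab on
-* localhost. Allow login.
-*/
-log("Kerberos V4 TGT for %s unverifiable, "
-"no srvtab installed? krb_rd_req: %s",
-pw->pw_name, krb_err_txt[r]);
-} else if (r != KSUCCESS) {
-log("Kerberos V4 %s ticket unverifiable: %s",
-KRB4_SERVICE_NAME, krb_err_txt[r]);
-goto kerberos_auth_failure;
-}
-} else if (r == KDC_PR_UNKNOWN) {
-/*
-* Allow login if no rcmd service exists, but
-* log the error.
-*/
-log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
-"not registered, or srvtab is wrong?", pw->pw_name,
-krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-} else {
-/*
-* TGT is bad, forget it. Possibly spoofed!
-*/
-packet_send_debug("WARNING: Kerberos V4 TGT "
-"possibly spoofed for %s: %s",
-pw->pw_name, krb_err_txt[r]);
-goto kerberos_auth_failure;
-}
-
-/* Authentication succeeded. */
-return 1;
-
-kerberos_auth_failure:
-krb4_cleanup_proc(NULL);
-
-if (!options.kerberos_or_local_passwd)
-return 0;
-} else {
-/* Logging in as root or no local Kerberos realm. */
-packet_send_debug("Unable to authenticate to Kerberos.");
-}
+#ifdef KRB4
+if (options.kerberos_authentication == 1) {
+int ret = auth_krb4_password(pw, password);
+if (ret == 1 || ret == 0)
+return ret;
 /* Fall back to ordinary passwd authentication. */
 }
-#endif /* KRB4 */
+#endif
 
 /* Check for users with no password. */
 if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)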
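Review bot: The new `if (ret == 1 || ret == 0) return ret;` checks after the auth_skey_password() and auth_krb4_password() calls (new lines 53-54 and 61-62) make every other return value mean "this method did not apply, fall through to the passwd check", but nothing in the hunk states which value the helpers return for that case, so a reader cannot tell a deliberate tri-state from a mistaken one. A comment at each call site would pin the contract, e.g. `/* 1 = accepted, 0 = rejected; any other value means the method was not applicable, so fall back to passwd */`, and the helpers' declarations should say the same. The removed KRB4 block also gated the attempt on `pw->pw_uid != 0` and on `options.kerberos_or_local_passwd` before falling back; those checks are no longer visible here and are presumably now inside auth_krb4_password(), which is worth confirming against auth-krb4.c since dropping them would widen the fallback for root. Keeping the `== 1` comparison for `options.kerberos_authentication` consistent with the skey branch is fine, but the removed code used plain truthiness, so callers that set the option to another nonzero value would now skip Kerberos silently. auth_password() starts before this hunk.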