authorDamien Miller <djm@mindrot.org>1999-12-06 11:47:28 +1100
committerDamien Miller <djm@mindrot.org>1999-12-06 11:47:28 +1100
commitaae6c614da614eb10ced16505f35410671c95d9d (patch)
tree441e578781d38e7de4c5f609a4f86695d937e640 /auth-passwd.c
parentdc33fc3910552c82518503b581efc1a51192fa76 (diff)
- Merged OpenBSD CVS changes:
- [auth-krb4.c auth-passwd.c auth-skey.c ssh. move skey-auth from auth-passwd.c to auth-s - [auth-rsa.c] warn only about mismatch if key is _used_ warn about keysize-mismatch with log() not channels.c readconf.c readconf.h ssh.c ssh. ports are u_short - [hostfile.c] indent, shorter warning - [nchan.c] use error() for internal errors - [packet.c] set loglevel for SSH_MSG_DISCONNECT to log( serverloop.c indent - [ssh-add.1 ssh-add.c ssh.h] document , reasonable default - [ssh.1] CheckHostIP is not available for connects v - [sshconnect.c] typo easier to read client code for passwd and s turn of checkhostip for proxy connects, sin
Diffstat (limited to 'auth-passwd.c')
-rw-r--r--auth-passwd.c133
1 files changed, 10 insertions, 123 deletions
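--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -11,7 +11,7 @@
 
 #ifndef HAVE_PAM
 
-RCSID("$Id: auth-passwd.c,v 1.7 1999/11/25 00:54:57 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.8 1999/12/06 00:47:28 damien Exp $");
 
 #include "packet.h"
 #include "ssh.h"
@@ -49,133 +49,20 @@ auth_password(struct passwd * pw, const char *password)
 
 #ifdef SKEY
 	if (options.skey_authentication == 1) {
-		if (strncasecmp(password, "s/key", 5) == 0) {
-			char *skeyinfo = skey_keyinfo(pw->pw_name);
-			if (skeyinfo == NULL) {
-				debug("generating fake skeyinfo for %.100s.",
-				    pw->pw_name);
-				skeyinfo = skey_fake_keyinfo(pw->pw_name);
-			}
-			if (skeyinfo != NULL)
-				packet_send_debug(skeyinfo);
-			/* Try again. */
-			return 0;
-		} else if (skey_haskey(pw->pw_name) == 0 &&
-			   skey_passcheck(pw->pw_name, (char *) password) != -1) {
-			/* Authentication succeeded. */
-			return 1;
-		}
+		int ret = auth_skey_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
-
-#if defined(KRB4)
-	/*
-	 * Support for Kerberos v4 authentication
-	 * - Dug Song <dugsong@UMICH.EDU>
-	 */
-	if (options.kerberos_authentication) {
-		AUTH_DAT adata;
-		KTEXT_ST tkt;
-		struct hostent *hp;
-		unsigned long faddr;
-		char localhost[MAXHOSTNAMELEN];
-		char phost[INST_SZ];
-		char realm[REALM_SZ];
-		int r;
-
-		/*
-		 * Try Kerberos password authentication only for non-root
-		 * users and only if Kerberos is installed.
-		 */
-		if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-
-			/* Set up our ticket file. */
-			if (!krb4_init(pw->pw_uid)) {
-				log("Couldn't initialize Kerberos ticket file for %s!",
-				    pw->pw_name);
-				goto kerberos_auth_failure;
-			}
-			/* Try to get TGT using our password. */
-			r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
-			    realm, "krbtgt", realm,
-			    DEFAULT_TKT_LIFE, (char *) password);
-			if (r != INTK_OK) {
-				packet_send_debug("Kerberos V4 password "
-				    "authentication for %s failed: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto kerberos_auth_failure;
-			}
-			/* Successful authentication. */
-			chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-			/*
-			 * Now that we have a TGT, try to get a local
-			 * "rcmd" ticket to ensure that we are not talking
-			 * to a bogus Kerberos server.
-			 */
-			(void) gethostname(localhost, sizeof(localhost));
-			(void) strlcpy(phost, (char *) krb_get_phost(localhost),
-			    INST_SZ);
-			r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-			if (r == KSUCCESS) {
-				if (!(hp = gethostbyname(localhost))) {
-					log("Couldn't get local host address!");
-					goto kerberos_auth_failure;
-				}
-				memmove((void *) &faddr, (void *) hp->h_addr,
-				    sizeof(faddr));
-
-				/* Verify our "rcmd" ticket. */
-				r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-				    faddr, &adata, "");
-				if (r == RD_AP_UNDEC) {
-					/*
-					 * Probably didn't have a srvtab on
-					 * localhost. Allow login.
-					 */
-					log("Kerberos V4 TGT for %s unverifiable, "
-					    "no srvtab installed? krb_rd_req: %s",
-					    pw->pw_name, krb_err_txt[r]);
-				} else if (r != KSUCCESS) {
-					log("Kerberos V4 %s ticket unverifiable: %s",
-					    KRB4_SERVICE_NAME, krb_err_txt[r]);
-					goto kerberos_auth_failure;
-				}
-			} else if (r == KDC_PR_UNKNOWN) {
-				/*
-				 * Allow login if no rcmd service exists, but
-				 * log the error.
-				 */
-				log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
-				    "not registered, or srvtab is wrong?", pw->pw_name,
-				    krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-			} else {
-				/*
-				 * TGT is bad, forget it. Possibly spoofed!
-				 */
-				packet_send_debug("WARNING: Kerberos V4 TGT "
-				    "possibly spoofed for %s: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto kerberos_auth_failure;
-			}
-
-			/* Authentication succeeded. */
-			return 1;
-
-	kerberos_auth_failure:
-			krb4_cleanup_proc(NULL);
-
-			if (!options.kerberos_or_local_passwd)
-				return 0;
-		} else {
-			/* Logging in as root or no local Kerberos realm. */
-			packet_send_debug("Unable to authenticate to Kerberos.");
-		}
+#ifdef KRB4
+	if (options.kerberos_authentication == 1) {
+		int ret = auth_krb4_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
-#endif /* KRB4 */
+#endif
 
 	/* Check for users with no password. */
 	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)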
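Review bot: The contract behind the new `if (ret == 1 || ret == 0) return ret;` checks (new lines 53–54 and 61–62) is not stated at the call site: any value of ret other than 0 or 1 silently falls through to the plaintext password check, and that fall-through is what decides whether a failed S/Key or Kerberos attempt still gets a try at the local password. A one-line comment above each check would make this explicit, e.g. `/* 1 = accepted, 0 = rejected; any other value = method not applicable, try the next one */`. The removed KRB4 code gated its fall-through on options.kerberos_or_local_passwd before reaching the password check; that gate is no longer visible in this hunk, so it presumably moved into auth_krb4_password() — worth confirming. Neither helper's prototype appears in this hunk (the first hunk shows only packet.h and ssh.h being included), so check that ssh.h declares auth_skey_password() and auth_krb4_password() rather than relying on implicit declarations. auth_password() continues past the end of the hunk.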