- dugsong@cvs.openbsd.org 2001/06/26 16:15:25

[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h servconf.c servconf.h session.c sshconnect1.c sshd.c] Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
author: Ben Lindstrom <mouring@eviladmin.org> 2001-07-04 04:21:14 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2001-07-04 04:21:14 +0000
commit: ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch)
tree: 91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /auth1.c
parent: b4c774cf8878d9100fde92ff4e938671c3b0301b (diff)
1 files changed, 58 insertions, 51 deletions
diff --git a/auth1.c b/auth1.c
index d5b7fa7c8..da2c23e52 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.25 2001/06/26 16:15:23 dugsong Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -24,6 +24,7 @@ RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $");
 #include "auth.h"
 #include "session.h"
 #include "misc.h"
+#include "uidswap.h"
 /* import */
 extern ServerOptions options;
@@ -51,7 +52,7 @@ get_authname(int type)
        case SSH_CMSG_AUTH_TIS:
        case SSH_CMSG_AUTH_TIS_RESPONSE:
                return "challenge-response";
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
        case SSH_CMSG_AUTH_KERBEROS:
                return "kerberos";
 #endif
@@ -84,7 +85,7 @@ do_authloop(Authctxt *authctxt)
        /* If the user has no password, accept authentication immediately. */
        if (options.password_authentication &&
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
            (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
 #ifdef USE_PAM
@@ -116,62 +117,64 @@ do_authloop(Authctxt *authctxt)
                /* Process the packet. */
                switch (type) {
-#ifdef AFS
-                case SSH_CMSG_HAVE_KERBEROS_TGT:
-                        if (!options.kerberos_tgt_passing) {
-                                verbose("Kerberos tgt passing disabled.");
-                                break;
-                        } else {
-                                /* Accept Kerberos tgt. */
-                                char *tgt = packet_get_string(&dlen);
-                                packet_integrity_check(plen, 4 + dlen, type);
-                                if (!auth_kerberos_tgt(pw, tgt))
-                                        verbose("Kerberos tgt REFUSED for %.100s", authctxt->user);
-                                xfree(tgt);
-                        }
-                        continue;
-                case SSH_CMSG_HAVE_AFS_TOKEN:
+#if defined(KRB4) || defined(KRB5)
-                        if (!options.afs_token_passing || !k_hasafs()) {
-                                verbose("AFS token passing disabled.");
-                                break;
-                        } else {
-                                /* Accept AFS token. */
-                                char *token_string = packet_get_string(&dlen);
-                                packet_integrity_check(plen, 4 + dlen, type);
-                                if (!auth_afs_token(pw, token_string))
-                                        verbose("AFS token REFUSED for %.100s", authctxt->user);
-                                xfree(token_string);
-                        }
-                        continue;
-#endif /* AFS */
-#ifdef KRB4
                case SSH_CMSG_AUTH_KERBEROS:
                        if (!options.kerberos_authentication) {
                                verbose("Kerberos authentication disabled.");
-                                break;
                        } else {
-                                /* Try Kerberos v4 authentication. */
+                                char *kdata = packet_get_string(&dlen);
-                                KTEXT_ST auth;
+                                
-                                char *tkt_user = NULL;
+                                packet_integrity_check(plen, 4 + dlen, type);
-                                char *kdata = packet_get_string((u_int *) &auth.length);
+                                
-                                packet_integrity_check(plen, 4 + auth.length, type);
+                                if (kdata[0] == 4) { /* KRB_PROT_VERSION */
+#ifdef KRB4
-                                if (authctxt->valid) {
+                                        KTEXT_ST tkt;
-                                        if (auth.length < MAX_KTXT_LEN)
+                                        
-                                                memcpy(auth.dat, kdata, auth.length);
+                                        tkt.length = dlen;
-                                        authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
+                                        if (tkt.length < MAX_KTXT_LEN)
-                                        if (authenticated) {
+                                                memcpy(tkt.dat, kdata, tkt.length);
-                                                snprintf(info, sizeof info,
+                                        
-                                                    " tktuser %.100s", tkt_user);
+                                        if (auth_krb4(authctxt, &tkt, &client_user)) {
-                                                xfree(tkt_user);
+                                                authenticated = 1;
+                                                snprintf(info, sizeof(info),
+                                                    " tktuser %.100s",
+                                                    client_user);
+                                                xfree(client_user);
                                        }
+#endif /* KRB4 */
+                                } else {
+#ifdef KRB5
+                                        krb5_data tkt;
+                                        tkt.length = dlen;
+                                        tkt.data = kdata;
+                                        
+                                        if (auth_krb5(authctxt, &tkt, &client_user)) {
+                                                authenticated = 1;
+                                                snprintf(info, sizeof(info),
+                                                    " tktuser %.100s",
+                                                    client_user);
+                                                xfree(client_user);
+                                        }
+#endif /* KRB5 */
                                }
                                xfree(kdata);
                        }
                        break;
-#endif /* KRB4 */
+#endif /* KRB4 || KRB5 */
+                        
+#if defined(AFS) || defined(KRB5)
+                        /* XXX - punt on backward compatibility here. */
+                case SSH_CMSG_HAVE_KERBEROS_TGT:
+                        packet_send_debug("Kerberos TGT passing disabled before authentication.");
+                        break;
+#ifdef AFS
+                case SSH_CMSG_HAVE_AFS_TOKEN:
+                        packet_send_debug("AFS token passing disabled before authentication.");
+                        break;
+#endif /* AFS */
+#endif /* AFS || KRB5 */
+                        
                case SSH_CMSG_AUTH_RHOSTS:
                        if (!options.rhosts_authentication) {
                                verbose("Rhosts authentication disabled.");
@@ -369,7 +372,7 @@ do_authentication()
        struct passwd *pw;
        int plen;
        u_int ulen;
-        char *user, *style = NULL;
+        char *p, *user, *style = NULL;
        /* Get the name of the user that we wish to log in as. */
        packet_read_expect(&plen, SSH_CMSG_USER);
@@ -379,8 +382,12 @@ do_authentication()
        packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
        if ((style = strchr(user, ':')) != NULL)
-                *style++ = 0;
+                *style++ = '\0';
+        /* XXX - SSH.com Kerberos v5 braindeath. */
+        if ((p = strchr(user, '@')) != NULL)
+                *p = '\0';
+        
        authctxt = authctxt_new();
        authctxt->user = user;
        authctxt->style = style;
author	Ben Lindstrom <mouring@eviladmin.org>	2001-07-04 04:21:14 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2001-07-04 04:21:14 +0000
commit	ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch)
tree	91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /auth1.c
parent	b4c774cf8878d9100fde92ff4e938671c3b0301b (diff)

diff --git a/auth1.c b/auth1.c index d5b7fa7c8..da2c23e52 100644 --- a/auth1.c +++ b/auth1.c
@@ -10,7 +10,7 @@
10	*/	10	*/
11		11
12	#include "includes.h"	12	#include "includes.h"
13	RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $");	13	RCSID("$OpenBSD: auth1.c,v 1.25 2001/06/26 16:15:23 dugsong Exp $");
14		14
15	#include "xmalloc.h"	15	#include "xmalloc.h"
16	#include "rsa.h"	16	#include "rsa.h"
@@ -24,6 +24,7 @@ RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $");
24	#include "auth.h"	24	#include "auth.h"
25	#include "session.h"	25	#include "session.h"
26	#include "misc.h"	26	#include "misc.h"
		27	#include "uidswap.h"
27		28
28	/* import */	29	/* import */
29	extern ServerOptions options;	30	extern ServerOptions options;
@@ -51,7 +52,7 @@ get_authname(int type)
51	case SSH_CMSG_AUTH_TIS:	52	case SSH_CMSG_AUTH_TIS:
52	case SSH_CMSG_AUTH_TIS_RESPONSE:	53	case SSH_CMSG_AUTH_TIS_RESPONSE:
53	return "challenge-response";	54	return "challenge-response";
54	#ifdef KRB4	55	#if defined(KRB4) \|\| defined(KRB5)
55	case SSH_CMSG_AUTH_KERBEROS:	56	case SSH_CMSG_AUTH_KERBEROS:
56	return "kerberos";	57	return "kerberos";
57	#endif	58	#endif
@@ -84,7 +85,7 @@ do_authloop(Authctxt *authctxt)
84		85
85	/* If the user has no password, accept authentication immediately. */	86	/* If the user has no password, accept authentication immediately. */
86	if (options.password_authentication &&	87	if (options.password_authentication &&
87	#ifdef KRB4	88	#if defined(KRB4) \|\| defined(KRB5)
88	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&	89	(!options.kerberos_authentication \|\| options.kerberos_or_local_passwd) &&
89	#endif	90	#endif
90	#ifdef USE_PAM	91	#ifdef USE_PAM
@@ -116,62 +117,64 @@ do_authloop(Authctxt *authctxt)
116		117
117	/* Process the packet. */	118	/* Process the packet. */
118	switch (type) {	119	switch (type) {
119	#ifdef AFS
120	case SSH_CMSG_HAVE_KERBEROS_TGT:
121	if (!options.kerberos_tgt_passing) {
122	verbose("Kerberos tgt passing disabled.");
123	break;
124	} else {
125	/* Accept Kerberos tgt. */
126	char *tgt = packet_get_string(&dlen);
127	packet_integrity_check(plen, 4 + dlen, type);
128	if (!auth_kerberos_tgt(pw, tgt))
129	verbose("Kerberos tgt REFUSED for %.100s", authctxt->user);
130	xfree(tgt);
131	}
132	continue;
133		120
134	case SSH_CMSG_HAVE_AFS_TOKEN:	121	#if defined(KRB4) \|\| defined(KRB5)
135	if (!options.afs_token_passing \|\| !k_hasafs()) {
136	verbose("AFS token passing disabled.");
137	break;
138	} else {
139	/* Accept AFS token. */
140	char *token_string = packet_get_string(&dlen);
141	packet_integrity_check(plen, 4 + dlen, type);
142	if (!auth_afs_token(pw, token_string))
143	verbose("AFS token REFUSED for %.100s", authctxt->user);
144	xfree(token_string);
145	}
146	continue;
147	#endif /* AFS */
148	#ifdef KRB4
149	case SSH_CMSG_AUTH_KERBEROS:	122	case SSH_CMSG_AUTH_KERBEROS:
150	if (!options.kerberos_authentication) {	123	if (!options.kerberos_authentication) {
151	verbose("Kerberos authentication disabled.");	124	verbose("Kerberos authentication disabled.");
152	break;
153	} else {	125	} else {
154	/* Try Kerberos v4 authentication. */	126	char *kdata = packet_get_string(&dlen);
155	KTEXT_ST auth;	127
156	char *tkt_user = NULL;	128	packet_integrity_check(plen, 4 + dlen, type);
157	char kdata = packet_get_string((u_int ) &auth.length);	129
158	packet_integrity_check(plen, 4 + auth.length, type);	130	if (kdata[0] == 4) { /* KRB_PROT_VERSION */
159		131	#ifdef KRB4
160	if (authctxt->valid) {	132	KTEXT_ST tkt;
161	if (auth.length < MAX_KTXT_LEN)	133
162	memcpy(auth.dat, kdata, auth.length);	134	tkt.length = dlen;
163	authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);	135	if (tkt.length < MAX_KTXT_LEN)
164	if (authenticated) {	136	memcpy(tkt.dat, kdata, tkt.length);
165	snprintf(info, sizeof info,	137
166	" tktuser %.100s", tkt_user);	138	if (auth_krb4(authctxt, &tkt, &client_user)) {
167	xfree(tkt_user);	139	authenticated = 1;
		140	snprintf(info, sizeof(info),
		141	" tktuser %.100s",
		142	client_user);
		143	xfree(client_user);
168	}	144	}
		145	#endif /* KRB4 */
		146	} else {
		147	#ifdef KRB5
		148	krb5_data tkt;
		149	tkt.length = dlen;
		150	tkt.data = kdata;
		151
		152	if (auth_krb5(authctxt, &tkt, &client_user)) {
		153	authenticated = 1;
		154	snprintf(info, sizeof(info),
		155	" tktuser %.100s",
		156	client_user);
		157	xfree(client_user);
		158	}
		159	#endif /* KRB5 */
169	}	160	}
170	xfree(kdata);	161	xfree(kdata);
171	}	162	}
172	break;	163	break;
173	#endif /* KRB4 */	164	#endif /* KRB4 \|\| KRB5 */
174		165
		166	#if defined(AFS) \|\| defined(KRB5)
		167	/* XXX - punt on backward compatibility here. */
		168	case SSH_CMSG_HAVE_KERBEROS_TGT:
		169	packet_send_debug("Kerberos TGT passing disabled before authentication.");
		170	break;
		171	#ifdef AFS
		172	case SSH_CMSG_HAVE_AFS_TOKEN:
		173	packet_send_debug("AFS token passing disabled before authentication.");
		174	break;
		175	#endif /* AFS */
		176	#endif /* AFS \|\| KRB5 */
		177
175	case SSH_CMSG_AUTH_RHOSTS:	178	case SSH_CMSG_AUTH_RHOSTS:
176	if (!options.rhosts_authentication) {	179	if (!options.rhosts_authentication) {
177	verbose("Rhosts authentication disabled.");	180	verbose("Rhosts authentication disabled.");
@@ -369,7 +372,7 @@ do_authentication()
369	struct passwd *pw;	372	struct passwd *pw;
370	int plen;	373	int plen;
371	u_int ulen;	374	u_int ulen;
372	char user, style = NULL;	375	char p, user, *style = NULL;
373		376
374	/* Get the name of the user that we wish to log in as. */	377	/* Get the name of the user that we wish to log in as. */
375	packet_read_expect(&plen, SSH_CMSG_USER);	378	packet_read_expect(&plen, SSH_CMSG_USER);
@@ -379,8 +382,12 @@ do_authentication()
379	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);	382	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
380		383
381	if ((style = strchr(user, ':')) != NULL)	384	if ((style = strchr(user, ':')) != NULL)
382	*style++ = 0;	385	*style++ = '\0';
383		386
		387	/* XXX - SSH.com Kerberos v5 braindeath. */
		388	if ((p = strchr(user, '@')) != NULL)
		389	*p = '\0';
		390
384	authctxt = authctxt_new();	391	authctxt = authctxt_new();
385	authctxt->user = user;	392	authctxt->user = user;
386	authctxt->style = style;	393	authctxt->style = style;