author | Ben Lindstrom <mouring@eviladmin.org> | 2001-07-04 04:21:14 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-07-04 04:21:14 +0000 |
commit | ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch) | |
tree | 91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /auth1.c | |
parent | b4c774cf8878d9100fde92ff4e938671c3b0301b (diff) |
- dugsong@cvs.openbsd.org 2001/06/26 16:15:25
[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h
servconf.c servconf.h session.c sshconnect1.c sshd.c]
Kerberos v5 support for SSH1, mostly from Assar Westerlund
<assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
Diffstat (limited to 'auth1.c')
-rw-r--r-- | auth1.c | 109 |
1 files changed, 58 insertions, 51 deletions
@@ -10,7 +10,7 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include "includes.h" | 12 | #include "includes.h" |
13 | RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $"); | 13 | RCSID("$OpenBSD: auth1.c,v 1.25 2001/06/26 16:15:23 dugsong Exp $"); |
14 | 14 | ||
15 | #include "xmalloc.h" | 15 | #include "xmalloc.h" |
16 | #include "rsa.h" | 16 | #include "rsa.h" |
@@ -24,6 +24,7 @@ RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $"); | |||
24 | #include "auth.h" | 24 | #include "auth.h" |
25 | #include "session.h" | 25 | #include "session.h" |
26 | #include "misc.h" | 26 | #include "misc.h" |
27 | #include "uidswap.h" | ||
27 | 28 | ||
28 | /* import */ | 29 | /* import */ |
29 | extern ServerOptions options; | 30 | extern ServerOptions options; |
@@ -51,7 +52,7 @@ get_authname(int type) | |||
51 | case SSH_CMSG_AUTH_TIS: | 52 | case SSH_CMSG_AUTH_TIS: |
52 | case SSH_CMSG_AUTH_TIS_RESPONSE: | 53 | case SSH_CMSG_AUTH_TIS_RESPONSE: |
53 | return "challenge-response"; | 54 | return "challenge-response"; |
54 | #ifdef KRB4 | 55 | #if defined(KRB4) || defined(KRB5) |
55 | case SSH_CMSG_AUTH_KERBEROS: | 56 | case SSH_CMSG_AUTH_KERBEROS: |
56 | return "kerberos"; | 57 | return "kerberos"; |
57 | #endif | 58 | #endif |
@@ -84,7 +85,7 @@ do_authloop(Authctxt *authctxt) | |||
84 | 85 | ||
85 | /* If the user has no password, accept authentication immediately. */ | 86 | /* If the user has no password, accept authentication immediately. */ |
86 | if (options.password_authentication && | 87 | if (options.password_authentication && |
87 | #ifdef KRB4 | 88 | #if defined(KRB4) || defined(KRB5) |
88 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | 89 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && |
89 | #endif | 90 | #endif |
90 | #ifdef USE_PAM | 91 | #ifdef USE_PAM |
@@ -116,62 +117,64 @@ do_authloop(Authctxt *authctxt) | |||
116 | 117 | ||
117 | /* Process the packet. */ | 118 | /* Process the packet. */ |
118 | switch (type) { | 119 | switch (type) { |
119 | #ifdef AFS | ||
120 | case SSH_CMSG_HAVE_KERBEROS_TGT: | ||
121 | if (!options.kerberos_tgt_passing) { | ||
122 | verbose("Kerberos tgt passing disabled."); | ||
123 | break; | ||
124 | } else { | ||
125 | /* Accept Kerberos tgt. */ | ||
126 | char *tgt = packet_get_string(&dlen); | ||
127 | packet_integrity_check(plen, 4 + dlen, type); | ||
128 | if (!auth_kerberos_tgt(pw, tgt)) | ||
129 | verbose("Kerberos tgt REFUSED for %.100s", authctxt->user); | ||
130 | xfree(tgt); | ||
131 | } | ||
132 | continue; | ||
133 | 120 | ||
134 | case SSH_CMSG_HAVE_AFS_TOKEN: | 121 | #if defined(KRB4) || defined(KRB5) |
135 | if (!options.afs_token_passing || !k_hasafs()) { | ||
136 | verbose("AFS token passing disabled."); | ||
137 | break; | ||
138 | } else { | ||
139 | /* Accept AFS token. */ | ||
140 | char *token_string = packet_get_string(&dlen); | ||
141 | packet_integrity_check(plen, 4 + dlen, type); | ||
142 | if (!auth_afs_token(pw, token_string)) | ||
143 | verbose("AFS token REFUSED for %.100s", authctxt->user); | ||
144 | xfree(token_string); | ||
145 | } | ||
146 | continue; | ||
147 | #endif /* AFS */ | ||
148 | #ifdef KRB4 | ||
149 | case SSH_CMSG_AUTH_KERBEROS: | 122 | case SSH_CMSG_AUTH_KERBEROS: |
150 | if (!options.kerberos_authentication) { | 123 | if (!options.kerberos_authentication) { |
151 | verbose("Kerberos authentication disabled."); | 124 | verbose("Kerberos authentication disabled."); |
152 | break; | ||
153 | } else { | 125 | } else { |
154 | /* Try Kerberos v4 authentication. */ | 126 | char *kdata = packet_get_string(&dlen); |
155 | KTEXT_ST auth; | 127 | |
156 | char *tkt_user = NULL; | 128 | packet_integrity_check(plen, 4 + dlen, type); |
157 | char *kdata = packet_get_string((u_int *) &auth.length); | 129 | |
158 | packet_integrity_check(plen, 4 + auth.length, type); | 130 | if (kdata[0] == 4) { /* KRB_PROT_VERSION */ |
159 | 131 | #ifdef KRB4 | |
160 | if (authctxt->valid) { | 132 | KTEXT_ST tkt; |
161 | if (auth.length < MAX_KTXT_LEN) | 133 | |
162 | memcpy(auth.dat, kdata, auth.length); | 134 | tkt.length = dlen; |
163 | authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); | 135 | if (tkt.length < MAX_KTXT_LEN) |
164 | if (authenticated) { | 136 | memcpy(tkt.dat, kdata, tkt.length); |
165 | snprintf(info, sizeof info, | 137 | |
166 | " tktuser %.100s", tkt_user); | 138 | if (auth_krb4(authctxt, &tkt, &client_user)) { |
167 | xfree(tkt_user); | 139 | authenticated = 1; |
140 | snprintf(info, sizeof(info), | ||
141 | " tktuser %.100s", | ||
142 | client_user); | ||
143 | xfree(client_user); | ||
168 | } | 144 | } |
145 | #endif /* KRB4 */ | ||
146 | } else { | ||
147 | #ifdef KRB5 | ||
148 | krb5_data tkt; | ||
149 | tkt.length = dlen; | ||
150 | tkt.data = kdata; | ||
151 | |||
152 | if (auth_krb5(authctxt, &tkt, &client_user)) { | ||
153 | authenticated = 1; | ||
154 | snprintf(info, sizeof(info), | ||
155 | " tktuser %.100s", | ||
156 | client_user); | ||
157 | xfree(client_user); | ||
158 | } | ||
159 | #endif /* KRB5 */ | ||
169 | } | 160 | } |
170 | xfree(kdata); | 161 | xfree(kdata); |
171 | } | 162 | } |
172 | break; | 163 | break; |
173 | #endif /* KRB4 */ | 164 | #endif /* KRB4 || KRB5 */ |
174 | 165 | ||
166 | #if defined(AFS) || defined(KRB5) | ||
167 | /* XXX - punt on backward compatibility here. */ | ||
168 | case SSH_CMSG_HAVE_KERBEROS_TGT: | ||
169 | packet_send_debug("Kerberos TGT passing disabled before authentication."); | ||
170 | break; | ||
171 | #ifdef AFS | ||
172 | case SSH_CMSG_HAVE_AFS_TOKEN: | ||
173 | packet_send_debug("AFS token passing disabled before authentication."); | ||
174 | break; | ||
175 | #endif /* AFS */ | ||
176 | #endif /* AFS || KRB5 */ | ||
177 | |||
175 | case SSH_CMSG_AUTH_RHOSTS: | 178 | case SSH_CMSG_AUTH_RHOSTS: |
176 | if (!options.rhosts_authentication) { | 179 | if (!options.rhosts_authentication) { |
177 | verbose("Rhosts authentication disabled."); | 180 | verbose("Rhosts authentication disabled."); |
@@ -369,7 +372,7 @@ do_authentication() | |||
369 | struct passwd *pw; | 372 | struct passwd *pw; |
370 | int plen; | 373 | int plen; |
371 | u_int ulen; | 374 | u_int ulen; |
372 | char *user, *style = NULL; | 375 | char *p, *user, *style = NULL; |
373 | 376 | ||
374 | /* Get the name of the user that we wish to log in as. */ | 377 | /* Get the name of the user that we wish to log in as. */ |
375 | packet_read_expect(&plen, SSH_CMSG_USER); | 378 | packet_read_expect(&plen, SSH_CMSG_USER); |
@@ -379,8 +382,12 @@ do_authentication() | |||
379 | packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); | 382 | packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); |
380 | 383 | ||
381 | if ((style = strchr(user, ':')) != NULL) | 384 | if ((style = strchr(user, ':')) != NULL) |
382 | *style++ = 0; | 385 | *style++ = '\0'; |
383 | 386 | ||
387 | /* XXX - SSH.com Kerberos v5 braindeath. */ | ||
388 | if ((p = strchr(user, '@')) != NULL) | ||
389 | *p = '\0'; | ||
390 | |||
384 | authctxt = authctxt_new(); | 391 | authctxt = authctxt_new(); |
385 | authctxt->user = user; | 392 | authctxt->user = user; |
386 | authctxt->style = style; | 393 | authctxt->style = style; |
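Review bot: In the new SSH_CMSG_AUTH_KERBEROS branch, `xfree(client_user)` is called on the success path of both auth_krb4 and auth_krb5 without resetting `client_user` to NULL; `client_user` is not declared in this hunk, and if it is the same do_authloop pointer that the shared per-iteration cleanup after the switch also frees, this is a double free of an attacker-timed allocation. The old code used its own `tkt_user` local, so this aliasing of the rhosts-rsa variable is new. Either drop both `xfree(client_user)` calls and let the common cleanup release it, or follow each with `client_user = NULL;`. Separately, `if (tkt.length < MAX_KTXT_LEN) memcpy(tkt.dat, kdata, tkt.length);` still passes auth_krb4 a KTEXT whose `dat` is unfilled when dlen is oversized (pre-existing, but carried over); an explicit reject, `else { verbose("Kerberos v4 ticket too large"); break; }`-style, would be safer. do_authloop starts and ends outside the hunk.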