diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2001-07-04 04:21:14 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-07-04 04:21:14 +0000 |
| commit | ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch) | |
| tree | 91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /session.c | |
| parent | b4c774cf8878d9100fde92ff4e938671c3b0301b (diff) | |
- dugsong@cvs.openbsd.org 2001/06/26 16:15:25
[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h
servconf.c servconf.h session.c sshconnect1.c sshd.c]
Kerberos v5 support for SSH1, mostly from Assar Westerlund
<assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 92 |
1 files changed, 77 insertions, 15 deletions
| @@ -33,7 +33,7 @@ | |||
| 33 | */ | 33 | */ |
| 34 | 34 | ||
| 35 | #include "includes.h" | 35 | #include "includes.h" |
| 36 | RCSID("$OpenBSD: session.c,v 1.95 2001/06/25 08:25:39 markus Exp $"); | 36 | RCSID("$OpenBSD: session.c,v 1.96 2001/06/26 16:15:24 dugsong Exp $"); |
| 37 | 37 | ||
| 38 | #include "ssh.h" | 38 | #include "ssh.h" |
| 39 | #include "ssh1.h" | 39 | #include "ssh1.h" |
| @@ -99,7 +99,8 @@ typedef struct Session Session; | |||
| 99 | struct Session { | 99 | struct Session { |
| 100 | int used; | 100 | int used; |
| 101 | int self; | 101 | int self; |
| 102 | struct passwd *pw; | 102 | struct passwd *pw; |
| 103 | Authctxt *authctxt; | ||
| 103 | pid_t pid; | 104 | pid_t pid; |
| 104 | /* tty */ | 105 | /* tty */ |
| 105 | char *term; | 106 | char *term; |
| @@ -198,6 +199,14 @@ do_authenticated(Authctxt *authctxt) | |||
| 198 | /* remove agent socket */ | 199 | /* remove agent socket */ |
| 199 | if (auth_get_socket_name()) | 200 | if (auth_get_socket_name()) |
| 200 | auth_sock_cleanup_proc(authctxt->pw); | 201 | auth_sock_cleanup_proc(authctxt->pw); |
| 202 | #ifdef KRB4 | ||
| 203 | if (options.kerberos_ticket_cleanup) | ||
| 204 | krb4_cleanup_proc(authctxt); | ||
| 205 | #endif | ||
| 206 | #ifdef KRB5 | ||
| 207 | if (options.kerberos_ticket_cleanup) | ||
| 208 | krb5_cleanup_proc(authctxt); | ||
| 209 | #endif | ||
| 201 | } | 210 | } |
| 202 | 211 | ||
| 203 | /* | 212 | /* |
| @@ -216,6 +225,7 @@ do_authenticated1(Authctxt *authctxt) | |||
| 216 | u_int proto_len, data_len, dlen; | 225 | u_int proto_len, data_len, dlen; |
| 217 | 226 | ||
| 218 | s = session_new(); | 227 | s = session_new(); |
| 228 | s->authctxt = authctxt; | ||
| 219 | s->pw = authctxt->pw; | 229 | s->pw = authctxt->pw; |
| 220 | 230 | ||
| 221 | /* | 231 | /* |
| @@ -300,6 +310,58 @@ do_authenticated1(Authctxt *authctxt) | |||
| 300 | if (packet_set_maxsize(packet_get_int()) > 0) | 310 | if (packet_set_maxsize(packet_get_int()) > 0) |
| 301 | success = 1; | 311 | success = 1; |
| 302 | break; | 312 | break; |
| 313 | |||
| 314 | #if defined(AFS) || defined(KRB5) | ||
| 315 | case SSH_CMSG_HAVE_KERBEROS_TGT: | ||
| 316 | if (!options.kerberos_tgt_passing) { | ||
| 317 | verbose("Kerberos TGT passing disabled."); | ||
| 318 | } else { | ||
| 319 | char *kdata = packet_get_string(&dlen); | ||
| 320 | packet_integrity_check(plen, 4 + dlen, type); | ||
| 321 | |||
| 322 | /* XXX - 0x41, see creds_to_radix version */ | ||
| 323 | if (kdata[0] != 0x41) { | ||
| 324 | #ifdef KRB5 | ||
| 325 | krb5_data tgt; | ||
| 326 | tgt.data = kdata; | ||
| 327 | tgt.length = dlen; | ||
| 328 | |||
| 329 | if (auth_krb5_tgt(s->authctxt, &tgt)) | ||
| 330 | success = 1; | ||
| 331 | else | ||
| 332 | verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); | ||
| 333 | #endif /* KRB5 */ | ||
| 334 | } else { | ||
| 335 | #ifdef AFS | ||
| 336 | if (auth_krb4_tgt(s->authctxt, kdata)) | ||
| 337 | success = 1; | ||
| 338 | else | ||
| 339 | verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user); | ||
| 340 | #endif /* AFS */ | ||
| 341 | } | ||
| 342 | xfree(kdata); | ||
| 343 | } | ||
| 344 | break; | ||
| 345 | #endif /* AFS || KRB5 */ | ||
| 346 | |||
| 347 | #ifdef AFS | ||
| 348 | case SSH_CMSG_HAVE_AFS_TOKEN: | ||
| 349 | if (!options.afs_token_passing || !k_hasafs()) { | ||
| 350 | verbose("AFS token passing disabled."); | ||
| 351 | } else { | ||
| 352 | /* Accept AFS token. */ | ||
| 353 | char *token = packet_get_string(&dlen); | ||
| 354 | packet_integrity_check(plen, 4 + dlen, type); | ||
| 355 | |||
| 356 | if (auth_afs_token(s->authctxt, token)) | ||
| 357 | success = 1; | ||
| 358 | else | ||
| 359 | verbose("AFS token refused for %.100s", | ||
| 360 | s->authctxt->user); | ||
| 361 | xfree(token); | ||
| 362 | } | ||
| 363 | break; | ||
| 364 | #endif /* AFS */ | ||
| 303 | 365 | ||
| 304 | case SSH_CMSG_EXEC_SHELL: | 366 | case SSH_CMSG_EXEC_SHELL: |
| 305 | case SSH_CMSG_EXEC_CMD: | 367 | case SSH_CMSG_EXEC_CMD: |
| @@ -615,7 +677,7 @@ static int | |||
| 615 | check_quietlogin(Session *s, const char *command) | 677 | check_quietlogin(Session *s, const char *command) |
| 616 | { | 678 | { |
| 617 | char buf[256]; | 679 | char buf[256]; |
| 618 | struct passwd * pw = s->pw; | 680 | struct passwd *pw = s->pw; |
| 619 | struct stat st; | 681 | struct stat st; |
| 620 | 682 | ||
| 621 | /* Return 1 if .hushlogin exists or a command given. */ | 683 | /* Return 1 if .hushlogin exists or a command given. */ |
| @@ -955,7 +1017,7 @@ void | |||
| 955 | do_child(Session *s, const char *command) | 1017 | do_child(Session *s, const char *command) |
| 956 | { | 1018 | { |
| 957 | const char *shell, *hostname = NULL, *cp = NULL; | 1019 | const char *shell, *hostname = NULL, *cp = NULL; |
| 958 | struct passwd * pw = s->pw; | 1020 | struct passwd *pw = s->pw; |
| 959 | char buf[256]; | 1021 | char buf[256]; |
| 960 | char cmd[1024]; | 1022 | char cmd[1024]; |
| 961 | FILE *f = NULL; | 1023 | FILE *f = NULL; |
| @@ -1134,10 +1196,10 @@ do_child(Session *s, const char *command) | |||
| 1134 | /* Try to get AFS tokens for the local cell. */ | 1196 | /* Try to get AFS tokens for the local cell. */ |
| 1135 | if (k_hasafs()) { | 1197 | if (k_hasafs()) { |
| 1136 | char cell[64]; | 1198 | char cell[64]; |
| 1137 | 1199 | ||
| 1138 | if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) | 1200 | if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) |
| 1139 | krb_afslog(cell, 0); | 1201 | krb_afslog(cell, 0); |
| 1140 | 1202 | ||
| 1141 | krb_afslog(0, 0); | 1203 | krb_afslog(0, 0); |
| 1142 | } | 1204 | } |
| 1143 | #endif /* AFS */ | 1205 | #endif /* AFS */ |
| @@ -1221,16 +1283,16 @@ do_child(Session *s, const char *command) | |||
| 1221 | child_set_env(&env, &envsize, "KRB5CCNAME", cp); | 1283 | child_set_env(&env, &envsize, "KRB5CCNAME", cp); |
| 1222 | read_environment_file(&env, &envsize, "/etc/environment"); | 1284 | read_environment_file(&env, &envsize, "/etc/environment"); |
| 1223 | #endif | 1285 | #endif |
| 1224 | |||
| 1225 | #ifdef KRB4 | 1286 | #ifdef KRB4 |
| 1226 | { | 1287 | if (s->authctxt->krb4_ticket_file) |
| 1227 | extern char *ticket; | 1288 | child_set_env(&env, &envsize, "KRBTKFILE", |
| 1228 | 1289 | s->authctxt->krb4_ticket_file); | |
| 1229 | if (ticket) | 1290 | #endif |
| 1230 | child_set_env(&env, &envsize, "KRBTKFILE", ticket); | 1291 | #ifdef KRB5 |
| 1231 | } | 1292 | if (s->authctxt->krb5_ticket_file) |
| 1232 | #endif /* KRB4 */ | 1293 | child_set_env(&env, &envsize, "KRB5CCNAME", |
| 1233 | 1294 | s->authctxt->krb5_ticket_file); | |
| 1295 | #endif | ||
| 1234 | #ifdef USE_PAM | 1296 | #ifdef USE_PAM |
| 1235 | /* Pull in any environment variables that may have been set by PAM. */ | 1297 | /* Pull in any environment variables that may have been set by PAM. */ |
| 1236 | do_pam_environment(&env, &envsize); | 1298 | do_pam_environment(&env, &envsize); |