author | Ben Lindstrom <mouring@eviladmin.org> | 2001-07-04 04:21:14 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-07-04 04:21:14 +0000 |
commit | ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch) | |
tree | 91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /session.c | |
parent | b4c774cf8878d9100fde92ff4e938671c3b0301b (diff) |
- dugsong@cvs.openbsd.org 2001/06/26 16:15:25
[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h
servconf.c servconf.h session.c sshconnect1.c sshd.c]
Kerberos v5 support for SSH1, mostly from Assar Westerlund
<assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 92 |
1 files changed, 77 insertions, 15 deletions
@@ -33,7 +33,7 @@ | |||
33 | */ | 33 | */ |
34 | 34 | ||
35 | #include "includes.h" | 35 | #include "includes.h" |
36 | RCSID("$OpenBSD: session.c,v 1.95 2001/06/25 08:25:39 markus Exp $"); | 36 | RCSID("$OpenBSD: session.c,v 1.96 2001/06/26 16:15:24 dugsong Exp $"); |
37 | 37 | ||
38 | #include "ssh.h" | 38 | #include "ssh.h" |
39 | #include "ssh1.h" | 39 | #include "ssh1.h" |
@@ -99,7 +99,8 @@ typedef struct Session Session; | |||
99 | struct Session { | 99 | struct Session { |
100 | int used; | 100 | int used; |
101 | int self; | 101 | int self; |
102 | struct passwd *pw; | 102 | struct passwd *pw; |
103 | Authctxt *authctxt; | ||
103 | pid_t pid; | 104 | pid_t pid; |
104 | /* tty */ | 105 | /* tty */ |
105 | char *term; | 106 | char *term; |
@@ -198,6 +199,14 @@ do_authenticated(Authctxt *authctxt) | |||
198 | /* remove agent socket */ | 199 | /* remove agent socket */ |
199 | if (auth_get_socket_name()) | 200 | if (auth_get_socket_name()) |
200 | auth_sock_cleanup_proc(authctxt->pw); | 201 | auth_sock_cleanup_proc(authctxt->pw); |
202 | #ifdef KRB4 | ||
203 | if (options.kerberos_ticket_cleanup) | ||
204 | krb4_cleanup_proc(authctxt); | ||
205 | #endif | ||
206 | #ifdef KRB5 | ||
207 | if (options.kerberos_ticket_cleanup) | ||
208 | krb5_cleanup_proc(authctxt); | ||
209 | #endif | ||
201 | } | 210 | } |
202 | 211 | ||
203 | /* | 212 | /* |
@@ -216,6 +225,7 @@ do_authenticated1(Authctxt *authctxt) | |||
216 | u_int proto_len, data_len, dlen; | 225 | u_int proto_len, data_len, dlen; |
217 | 226 | ||
218 | s = session_new(); | 227 | s = session_new(); |
228 | s->authctxt = authctxt; | ||
219 | s->pw = authctxt->pw; | 229 | s->pw = authctxt->pw; |
220 | 230 | ||
221 | /* | 231 | /* |
@@ -300,6 +310,58 @@ do_authenticated1(Authctxt *authctxt) | |||
300 | if (packet_set_maxsize(packet_get_int()) > 0) | 310 | if (packet_set_maxsize(packet_get_int()) > 0) |
301 | success = 1; | 311 | success = 1; |
302 | break; | 312 | break; |
313 | |||
314 | #if defined(AFS) || defined(KRB5) | ||
315 | case SSH_CMSG_HAVE_KERBEROS_TGT: | ||
316 | if (!options.kerberos_tgt_passing) { | ||
317 | verbose("Kerberos TGT passing disabled."); | ||
318 | } else { | ||
319 | char *kdata = packet_get_string(&dlen); | ||
320 | packet_integrity_check(plen, 4 + dlen, type); | ||
321 | |||
322 | /* XXX - 0x41, see creds_to_radix version */ | ||
323 | if (kdata[0] != 0x41) { | ||
324 | #ifdef KRB5 | ||
325 | krb5_data tgt; | ||
326 | tgt.data = kdata; | ||
327 | tgt.length = dlen; | ||
328 | |||
329 | if (auth_krb5_tgt(s->authctxt, &tgt)) | ||
330 | success = 1; | ||
331 | else | ||
332 | verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); | ||
333 | #endif /* KRB5 */ | ||
334 | } else { | ||
335 | #ifdef AFS | ||
336 | if (auth_krb4_tgt(s->authctxt, kdata)) | ||
337 | success = 1; | ||
338 | else | ||
339 | verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user); | ||
340 | #endif /* AFS */ | ||
341 | } | ||
342 | xfree(kdata); | ||
343 | } | ||
344 | break; | ||
345 | #endif /* AFS || KRB5 */ | ||
346 | |||
347 | #ifdef AFS | ||
348 | case SSH_CMSG_HAVE_AFS_TOKEN: | ||
349 | if (!options.afs_token_passing || !k_hasafs()) { | ||
350 | verbose("AFS token passing disabled."); | ||
351 | } else { | ||
352 | /* Accept AFS token. */ | ||
353 | char *token = packet_get_string(&dlen); | ||
354 | packet_integrity_check(plen, 4 + dlen, type); | ||
355 | |||
356 | if (auth_afs_token(s->authctxt, token)) | ||
357 | success = 1; | ||
358 | else | ||
359 | verbose("AFS token refused for %.100s", | ||
360 | s->authctxt->user); | ||
361 | xfree(token); | ||
362 | } | ||
363 | break; | ||
364 | #endif /* AFS */ | ||
303 | 365 | ||
304 | case SSH_CMSG_EXEC_SHELL: | 366 | case SSH_CMSG_EXEC_SHELL: |
305 | case SSH_CMSG_EXEC_CMD: | 367 | case SSH_CMSG_EXEC_CMD: |
@@ -615,7 +677,7 @@ static int | |||
615 | check_quietlogin(Session *s, const char *command) | 677 | check_quietlogin(Session *s, const char *command) |
616 | { | 678 | { |
617 | char buf[256]; | 679 | char buf[256]; |
618 | struct passwd * pw = s->pw; | 680 | struct passwd *pw = s->pw; |
619 | struct stat st; | 681 | struct stat st; |
620 | 682 | ||
621 | /* Return 1 if .hushlogin exists or a command given. */ | 683 | /* Return 1 if .hushlogin exists or a command given. */ |
@@ -955,7 +1017,7 @@ void | |||
955 | do_child(Session *s, const char *command) | 1017 | do_child(Session *s, const char *command) |
956 | { | 1018 | { |
957 | const char *shell, *hostname = NULL, *cp = NULL; | 1019 | const char *shell, *hostname = NULL, *cp = NULL; |
958 | struct passwd * pw = s->pw; | 1020 | struct passwd *pw = s->pw; |
959 | char buf[256]; | 1021 | char buf[256]; |
960 | char cmd[1024]; | 1022 | char cmd[1024]; |
961 | FILE *f = NULL; | 1023 | FILE *f = NULL; |
@@ -1134,10 +1196,10 @@ do_child(Session *s, const char *command) | |||
1134 | /* Try to get AFS tokens for the local cell. */ | 1196 | /* Try to get AFS tokens for the local cell. */ |
1135 | if (k_hasafs()) { | 1197 | if (k_hasafs()) { |
1136 | char cell[64]; | 1198 | char cell[64]; |
1137 | 1199 | ||
1138 | if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) | 1200 | if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) |
1139 | krb_afslog(cell, 0); | 1201 | krb_afslog(cell, 0); |
1140 | 1202 | ||
1141 | krb_afslog(0, 0); | 1203 | krb_afslog(0, 0); |
1142 | } | 1204 | } |
1143 | #endif /* AFS */ | 1205 | #endif /* AFS */ |
@@ -1221,16 +1283,16 @@ do_child(Session *s, const char *command) | |||
1221 | child_set_env(&env, &envsize, "KRB5CCNAME", cp); | 1283 | child_set_env(&env, &envsize, "KRB5CCNAME", cp); |
1222 | read_environment_file(&env, &envsize, "/etc/environment"); | 1284 | read_environment_file(&env, &envsize, "/etc/environment"); |
1223 | #endif | 1285 | #endif |
1224 | |||
1225 | #ifdef KRB4 | 1286 | #ifdef KRB4 |
1226 | { | 1287 | if (s->authctxt->krb4_ticket_file) |
1227 | extern char *ticket; | 1288 | child_set_env(&env, &envsize, "KRBTKFILE", |
1228 | 1289 | s->authctxt->krb4_ticket_file); | |
1229 | if (ticket) | 1290 | #endif |
1230 | child_set_env(&env, &envsize, "KRBTKFILE", ticket); | 1291 | #ifdef KRB5 |
1231 | } | 1292 | if (s->authctxt->krb5_ticket_file) |
1232 | #endif /* KRB4 */ | 1293 | child_set_env(&env, &envsize, "KRB5CCNAME", |
1233 | 1294 | s->authctxt->krb5_ticket_file); | |
1295 | #endif | ||
1234 | #ifdef USE_PAM | 1296 | #ifdef USE_PAM |
1235 | /* Pull in any environment variables that may have been set by PAM. */ | 1297 | /* Pull in any environment variables that may have been set by PAM. */ |
1236 | do_pam_environment(&env, &envsize); | 1298 | do_pam_environment(&env, &envsize); |
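Review bot: In the do_child hunk (old 1225-1233 / new 1286-1295) the new KRB4 and KRB5 blocks dereference `s->authctxt` unconditionally, yet within this commit the field is only assigned in do_authenticated1 (`s->authctxt = authctxt;` at new 228), so a Session that reaches do_child from any other path — if one exists, which these hunks cannot confirm — would fault on a NULL pointer where the old `if (ticket)` code simply did nothing. A guard keeps the old behaviour for that case: `if (s->authctxt && s->authctxt->krb4_ticket_file)` and likewise `if (s->authctxt && s->authctxt->krb5_ticket_file)`. Separately, in the SSH_CMSG_HAVE_KERBEROS_TGT case (new 315-345) a payload whose first byte is not 0x41 is dropped without any log line when KRB5 is not compiled in (and a 0x41 payload likewise without AFS), and a zero-length string falls into the v5 branch with `tgt.length = 0`; a `verbose()` in `#else` arms and an explicit `dlen == 0` rejection before the dispatch would make refused credentials visible in the server log. do_child's body begins and ends outside the hunk.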