16 files changed, 25 insertions, 684 deletions
diff --git a/ChangeLog b/ChangeLog
index 91e727198..b6cc55337 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
   - deraadt@cvs.openbsd.org 2003/08/24 17:36:51
     [auth2-gss.c]
     64 bit cleanups; markus ok
+   - markus@cvs.openbsd.org 2003/08/28 12:54:34
+     [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
+     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
+     [sshconnect1.c sshd.c sshd_config sshd_config.5]
+     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
+     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
 20030829
 - (bal) openbsd-compat/ clean up.  Considate headers, add in Id on our
@@ -918,4 +924,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.2920 2003/09/02 12:14:07 djm Exp $
+$Id: ChangeLog,v 1.2921 2003/09/02 12:51:17 djm Exp $
diff --git a/auth-krb5.c b/auth-krb5.c
index b9eeb5ba6..0aa5195b8 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -65,193 +65,6 @@ krb5_init(void *context)
        return (0);
 }
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
-        krb5_error_code problem;
-        krb5_principal server;
-        krb5_ticket *ticket;
-        int fd, ret;
-        ret = 0;
-        server = NULL;
-        ticket = NULL;
-        reply->length = 0;
-        problem = krb5_init(authctxt);
-        if (problem)
-                goto err;
-        problem = krb5_auth_con_init(authctxt->krb5_ctx,
-            &authctxt->krb5_auth_ctx);
-        if (problem)
-                goto err;
-        fd = packet_get_connection_in();
-#ifdef HEIMDAL
-        problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
-            authctxt->krb5_auth_ctx, &fd);
-#else
-        problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
-            authctxt->krb5_auth_ctx,fd,
-            KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-            KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-        if (problem)
-                goto err;
-        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-            KRB5_NT_SRV_HST, &server);
-        if (problem)
-                goto err;
-        problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
-            auth, server, NULL, NULL, &ticket);
-        if (problem)
-                goto err;
-#ifdef HEIMDAL
-        problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
-            &authctxt->krb5_user);
-#else
-        problem = krb5_copy_principal(authctxt->krb5_ctx, 
-                                      ticket->enc_part2->client,
-                                      &authctxt->krb5_user);
-#endif
-        if (problem)
-                goto err;
-        /* if client wants mutual auth */
-        problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            reply);
-        if (problem)
-                goto err;
-        /* Check .k5login authorization now. */
-        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-            authctxt->pw->pw_name))
-                goto err;
-        if (client)
-                krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-                    client);
-        ret = 1;
- err:
-        if (server)
-                krb5_free_principal(authctxt->krb5_ctx, server);
-        if (ticket)
-                krb5_free_ticket(authctxt->krb5_ctx, ticket);
-        if (!ret && reply->length) {
-                xfree(reply->data);
-                memset(reply, 0, sizeof(*reply));
-        }
-        if (problem) {
-                if (authctxt->krb5_ctx != NULL)
-                        debug("Kerberos v5 authentication failed: %s",
-                            krb5_get_err_text(authctxt->krb5_ctx, problem));
-                else
-                        debug("Kerberos v5 authentication failed: %d",
-                            problem);
-        }
-        return (ret);
-}
-int
-auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
-{
-        krb5_error_code problem;
-        krb5_ccache ccache = NULL;
-        char *pname;
-        krb5_creds **creds;
-        if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
-                return (0);
-        temporarily_use_uid(authctxt->pw);
-#ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
-#else
-{
-        char ccname[40];
-        int tmpfd;
-        
-        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-        
-        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-                logit("mkstemp(): %.100s", strerror(errno));
-                problem = errno;
-                goto fail;
-        }
-        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-                logit("fchmod(): %.100s", strerror(errno));
-                close(tmpfd);
-                problem = errno;
-                goto fail;
-        }
-        close(tmpfd);
-        problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
-}
-#endif
-        if (problem)
-                goto fail;
-        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-            authctxt->krb5_user);
-        if (problem)
-                goto fail;
-#ifdef HEIMDAL
-        problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            ccache, tgt);
-        if (problem)
-                goto fail;
-#else
-        problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            tgt, &creds, NULL);
-        if (problem)
-                goto fail;
-        problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
-        if (problem)
-                goto fail;
-#endif
-        authctxt->krb5_fwd_ccache = ccache;
-        ccache = NULL;
-        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-        problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-            &pname);
-        if (problem)
-                goto fail;
-        debug("Kerberos v5 TGT accepted (%s)", pname);
-        restore_uid();
-        return (1);
- fail:
-        if (problem)
-                debug("Kerberos v5 TGT passing failed: %s",
-                    krb5_get_err_text(authctxt->krb5_ctx, problem));
-        if (ccache)
-                krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-        restore_uid();
-        return (0);
-}
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -405,11 +218,6 @@ krb5_cleanup_proc(void *context)
                krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
                authctxt->krb5_user = NULL;
        }
-        if (authctxt->krb5_auth_ctx) {
-                krb5_auth_con_free(authctxt->krb5_ctx,
-                    authctxt->krb5_auth_ctx);
-                authctxt->krb5_auth_ctx = NULL;
-        }
        if (authctxt->krb5_ctx) {
                krb5_free_context(authctxt->krb5_ctx);
                authctxt->krb5_ctx = NULL;
diff --git a/auth.h b/auth.h
index 6beff7cc3..358f26b7e 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: auth.h,v 1.44 2003/08/22 10:56:08 markus Exp $        */
+/*      $OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $        */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -62,7 +62,6 @@ struct Authctxt {
 #endif
 #ifdef KRB5
        krb5_context     krb5_ctx;
-        krb5_auth_context krb5_auth_ctx;
        krb5_ccache      krb5_fwd_ccache;
        krb5_principal   krb5_user;
        char            *krb5_ticket_file;
diff --git a/auth1.c b/auth1.c
index d8b5836ba..5b1922a11 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,10 +49,6 @@ get_authname(int type)
        case SSH_CMSG_AUTH_TIS:
        case SSH_CMSG_AUTH_TIS_RESPONSE:
                return "challenge-response";
-#ifdef KRB5
-        case SSH_CMSG_AUTH_KERBEROS:
-                return "kerberos";
-#endif
        }
        snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
        return buf;
@@ -119,47 +115,6 @@ do_authloop(Authctxt *authctxt)
                /* Process the packet. */
                switch (type) {
-#ifdef KRB5
-                case SSH_CMSG_AUTH_KERBEROS:
-                        if (!options.kerberos_authentication) {
-                                verbose("Kerberos authentication disabled.");
-                        } else {
-                                char *kdata = packet_get_string(&dlen);
-                                packet_check_eom();
-                                if (kdata[0] != 4) { /* KRB_PROT_VERSION */
-                                        krb5_data tkt, reply;
-                                        tkt.length = dlen;
-                                        tkt.data = kdata;
-                                        if (PRIVSEP(auth_krb5(authctxt, &tkt,
-                                            &client_user, &reply))) {
-                                                authenticated = 1;
-                                                snprintf(info, sizeof(info),
-                                                    " tktuser %.100s",
-                                                    client_user);
-                                                /* Send response to client */
-                                                packet_start(
-                                                    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-                                                packet_put_string((char *)
-                                                    reply.data, reply.length);
-                                                packet_send();
-                                                packet_write_wait();
-                                                if (reply.length)
-                                                        xfree(reply.data);
-                                        }
-                                }
-                                xfree(kdata);
-                        }
-                        break;
-                case SSH_CMSG_HAVE_KERBEROS_TGT:
-                        packet_send_debug("Kerberos TGT passing disabled before authentication.");
-                        break;
-#endif
                case SSH_CMSG_AUTH_RHOSTS_RSA:
                        if (!options.rhosts_rsa_authentication) {
                                verbose("Rhosts with RSA authentication disabled.");
@@ -337,16 +292,6 @@ do_authentication(void)
        if ((style = strchr(user, ':')) != NULL)
                *style++ = '\0';
-#ifdef KRB5
-        /* XXX - SSH.com Kerberos v5 braindeath. */
-        if ((datafellows & SSH_BUG_K5USER) &&
-            options.kerberos_authentication) {
-                char *p;
-                if ((p = strchr(user, '@')) != NULL)
-                        *p = '\0';
-        }
-#endif
        authctxt = authctxt_new();
        authctxt->user = user;
        authctxt->style = style;
diff --git a/monitor.c b/monitor.c
index e08181f74..9ea7b93b9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.47 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/dh.h>
@@ -130,9 +130,6 @@ int mm_answer_pam_respond(int, Buffer *);
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
-#ifdef KRB5
-int mm_answer_krb5(int, Buffer *);
-#endif
 #ifdef GSSAPI
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
@@ -192,9 +189,6 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
-#ifdef KRB5
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
 #ifdef GSSAPI
    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
@@ -237,9 +231,6 @@ struct mon_table mon_dispatch_proto15[] = {
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
-#ifdef KRB5
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
    {0, 0, NULL}
 };
@@ -1470,45 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
        return (success);
 }
-#ifdef KRB5
-int
-mm_answer_krb5(int socket, Buffer *m)
-{
-        krb5_data tkt, reply;
-        char *client_user;
-        u_int len;
-        int success;
-        /* use temporary var to avoid size issues on 64bit arch */
-        tkt.data = buffer_get_string(m, &len);
-        tkt.length = len;
-        success = options.kerberos_authentication &&
-            authctxt->valid &&
-            auth_krb5(authctxt, &tkt, &client_user, &reply);
-        if (tkt.length)
-                xfree(tkt.data);
-        buffer_clear(m);
-        buffer_put_int(m, success);
-        if (success) {
-                buffer_put_cstring(m, client_user);
-                buffer_put_string(m, reply.data, reply.length);
-                if (client_user)
-                        xfree(client_user);
-                if (reply.length)
-                        xfree(reply.data);
-        }
-        mm_request_send(socket, MONITOR_ANS_KRB5, m);
-        auth_method = "kerberos";
-        return success;
-}
-#endif
 int
 mm_answer_term(int socket, Buffer *req)
 {
diff --git a/monitor.h b/monitor.h
index da33ed613..2461156c7 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $     */
+/*      $OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $     */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,7 +49,6 @@ enum monitor_reqtype {
        MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
        MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
        MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-        MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
        MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
        MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
        MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 82649a7cc..4034d569c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -1071,41 +1071,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
        return (success);
 }
-#ifdef KRB5
-int
-mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
-{
-        krb5_data *tkt, *reply;
-        Buffer m;
-        int success;
-        debug3("%s entering", __func__);
-        tkt = (krb5_data *) argp;
-        reply = (krb5_data *) resp;
-        buffer_init(&m);
-        buffer_put_string(&m, tkt->data, tkt->length);
-        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
-        success = buffer_get_int(&m);
-        if (success) {
-                u_int len;
-                *userp = buffer_get_string(&m, NULL);
-                reply->data = buffer_get_string(&m, &len);
-                reply->length = len;
-        } else {
-                memset(reply, 0, sizeof(*reply));
-                *userp = NULL;
-        }
-        buffer_free(&m);
-        return (success);
-}
-#endif /* KRB5 */
 #ifdef GSSAPI
 OM_uint32
 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index c6251924a..5e0334588 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $        */
+/*      $OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $        */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -96,13 +96,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
-/* auth_krb */
-#ifdef KRB5
-/* auth and reply are really krb5_data objects, but we don't want to
- * include all of the krb5 headers here */
-int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
-#endif
 /* zlib allocation hooks */
 void *mm_zalloc(struct mm_master *, u_int, u_int);
diff --git a/readconf.c b/readconf.c
index 9447cb55f..281b66872 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.119 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "xmalloc.h"
@@ -132,13 +132,8 @@ static struct {
        { "challengeresponseauthentication", oChallengeResponseAuthentication },
        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-#ifdef KRB5
-        { "kerberosauthentication", oKerberosAuthentication },
-        { "kerberostgtpassing", oKerberosTgtPassing },
-#else
        { "kerberosauthentication", oUnsupported },
        { "kerberostgtpassing", oUnsupported },
-#endif
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
diff --git a/servconf.c b/servconf.c
index e13309388..6051918c2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "log.h"
@@ -304,13 +304,12 @@ static struct {
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
        { "kerberosticketcleanup", sKerberosTicketCleanup },
-        { "kerberostgtpassing", sKerberosTgtPassing },
 #else
        { "kerberosauthentication", sUnsupported },
        { "kerberosorlocalpasswd", sUnsupported },
        { "kerberosticketcleanup", sUnsupported },
-        { "kerberostgtpassing", sUnsupported },
 #endif
+        { "kerberostgtpassing", sUnsupported },
        { "afstokenpassing", sUnsupported },
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication },
diff --git a/session.c b/session.c
index 6ba0233e5..351b40c13 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.162 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -332,30 +332,6 @@ do_authenticated1(Authctxt *authctxt)
                                success = 1;
                        break;
-#ifdef KRB5
-                case SSH_CMSG_HAVE_KERBEROS_TGT:
-                        if (!options.kerberos_tgt_passing) {
-                                verbose("Kerberos TGT passing disabled.");
-                        } else {
-                                char *kdata = packet_get_string(&dlen);
-                                packet_check_eom();
-                                /* XXX - 0x41, used for AFS */
-                                if (kdata[0] != 0x41) {
-                                        krb5_data tgt;
-                                        tgt.data = kdata;
-                                        tgt.length = dlen;
-                                        if (auth_krb5_tgt(s->authctxt, &tgt))
-                                                success = 1;
-                                        else
-                                                verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
-                                }
-                                xfree(kdata);
-                        }
-                        break;
-#endif
                case SSH_CMSG_EXEC_SHELL:
                case SSH_CMSG_EXEC_CMD:
                        if (type == SSH_CMSG_EXEC_CMD) {
diff --git a/ssh_config.5 b/ssh_config.5
index f99562b96..b20452ce2 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.19 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -407,18 +407,6 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable keepalives, the value should be set to
 .Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
diff --git a/sshconnect1.c b/sshconnect1.c
index 5935e8b77..2f89964ec 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,15 +13,11 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
-#ifdef KRB5
-#include <krb5.h>
-#endif
 #include "ssh.h"
 #include "ssh1.h"
 #include "xmalloc.h"
@@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        return 0;
 }
-#ifdef KRB5
-static int
-try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
-{
-        krb5_error_code problem;
-        const char *tkfile;
-        struct stat buf;
-        krb5_ccache ccache = NULL;
-        const char *remotehost;
-        krb5_data ap;
-        int type;
-        krb5_ap_rep_enc_part *reply = NULL;
-        int ret;
-        memset(&ap, 0, sizeof(ap));
-        problem = krb5_init_context(context);
-        if (problem) {
-                debug("Kerberos v5: krb5_init_context failed");
-                ret = 0;
-                goto out;
-        }
-        
-        problem = krb5_auth_con_init(*context, auth_context);
-        if (problem) {
-                debug("Kerberos v5: krb5_auth_con_init failed");
-                ret = 0;
-                goto out;
-        }
-#ifndef HEIMDAL
-        problem = krb5_auth_con_setflags(*context, *auth_context,
-                                         KRB5_AUTH_CONTEXT_RET_TIME);
-        if (problem) {
-                debug("Keberos v5: krb5_auth_con_setflags failed");
-                ret = 0;
-                goto out;
-        }
-#endif
-        tkfile = krb5_cc_default_name(*context);
-        if (strncmp(tkfile, "FILE:", 5) == 0)
-                tkfile += 5;
-        if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-                debug("Kerberos v5: could not get default ccache (permission denied).");
-                ret = 0;
-                goto out;
-        }
-        problem = krb5_cc_default(*context, &ccache);
-        if (problem) {
-                debug("Kerberos v5: krb5_cc_default failed: %s",
-                    krb5_get_err_text(*context, problem));
-                ret = 0;
-                goto out;
-        }
-        remotehost = get_canonical_hostname(1);
-        problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
-            "host", remotehost, NULL, ccache, &ap);
-        if (problem) {
-                debug("Kerberos v5: krb5_mk_req failed: %s",
-                    krb5_get_err_text(*context, problem));
-                ret = 0;
-                goto out;
-        }
-        packet_start(SSH_CMSG_AUTH_KERBEROS);
-        packet_put_string((char *) ap.data, ap.length);
-        packet_send();
-        packet_write_wait();
-        xfree(ap.data);
-        ap.length = 0;
-        type = packet_read();
-        switch (type) {
-        case SSH_SMSG_FAILURE:
-                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-                debug("Kerberos v5 authentication failed.");
-                ret = 0;
-                break;
-        case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-                debug("Kerberos v5 authentication accepted.");
-                /* Get server's response. */
-                ap.data = packet_get_string((unsigned int *) &ap.length);
-                packet_check_eom();
-                /* XXX je to dobre? */
-                problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
-                if (problem) {
-                        ret = 0;
-                }
-                ret = 1;
-                break;
-        default:
-                packet_disconnect("Protocol error on Kerberos v5 response: %d",
-                    type);
-                ret = 0;
-                break;
-        }
- out:
-        if (ccache != NULL)
-                krb5_cc_close(*context, ccache);
-        if (reply != NULL)
-                krb5_free_ap_rep_enc_part(*context, reply);
-        if (ap.length > 0)
-#ifdef HEIMDAL
-                krb5_data_free(&ap);
-#else
-                krb5_free_data_contents(*context, &ap);
-#endif
-        return (ret);
-}
-static void
-send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
-{
-        int fd, type;
-        krb5_error_code problem;
-        krb5_data outbuf;
-        krb5_ccache ccache = NULL;
-        krb5_creds creds;
-#ifdef HEIMDAL
-        krb5_kdc_flags flags;
-#else
-        int forwardable;
-#endif
-        const char *remotehost;
-        memset(&creds, 0, sizeof(creds));
-        memset(&outbuf, 0, sizeof(outbuf));
-        fd = packet_get_connection_in();
-#ifdef HEIMDAL
-        problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
-#else
-        problem = krb5_auth_con_genaddrs(context, auth_context, fd,
-                        KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-                        KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-        if (problem)
-                goto out;
-        problem = krb5_cc_default(context, &ccache);
-        if (problem)
-                goto out;
-        problem = krb5_cc_get_principal(context, ccache, &creds.client);
-        if (problem)
-                goto out;
-        remotehost = get_canonical_hostname(1);
-        
-#ifdef HEIMDAL
-        problem = krb5_build_principal(context, &creds.server,
-            strlen(creds.client->realm), creds.client->realm,
-            "krbtgt", creds.client->realm, NULL);
-#else
-        problem = krb5_build_principal(context, &creds.server,
-            creds.client->realm.length, creds.client->realm.data,
-            "host", remotehost, NULL);
-#endif
-        if (problem)
-                goto out;
-        creds.times.endtime = 0;
-#ifdef HEIMDAL
-        flags.i = 0;
-        flags.b.forwarded = 1;
-        flags.b.forwardable = krb5_config_get_bool(context,  NULL,
-            "libdefaults", "forwardable", NULL);
-        problem = krb5_get_forwarded_creds(context, auth_context,
-            ccache, flags.i, remotehost, &creds, &outbuf);
-#else
-        forwardable = 1;
-        problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
-            creds.client, creds.server, ccache, forwardable, &outbuf);
-#endif
-        if (problem)
-                goto out;
-        packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-        packet_put_string((char *)outbuf.data, outbuf.length);
-        packet_send();
-        packet_write_wait();
-        type = packet_read();
-        if (type == SSH_SMSG_SUCCESS) {
-                char *pname;
-                krb5_unparse_name(context, creds.client, &pname);
-                debug("Kerberos v5 TGT forwarded (%s).", pname);
-                xfree(pname);
-        } else
-                debug("Kerberos v5 TGT forwarding failed.");
-        return;
- out:
-        if (problem)
-                debug("Kerberos v5 TGT forwarding failed: %s",
-                    krb5_get_err_text(context, problem));
-        if (creds.client)
-                krb5_free_principal(context, creds.client);
-        if (creds.server)
-                krb5_free_principal(context, creds.server);
-        if (ccache)
-                krb5_cc_close(context, ccache);
-        if (outbuf.data)
-                xfree(outbuf.data);
-}
-#endif /* KRB5 */
 /*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
@@ -885,10 +654,6 @@ void
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
    Sensitive *sensitive)
 {
-#ifdef KRB5
-        krb5_context context = NULL;
-        krb5_auth_context auth_context = NULL;
-#endif
        int i, type;
        if (supported_authentications == 0)
@@ -913,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        if (type != SSH_SMSG_FAILURE)
                packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
-#ifdef KRB5
-        if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-            options.kerberos_authentication) {
-                debug("Trying Kerberos v5 authentication.");
-                if (try_krb5_authentication(&context, &auth_context)) {
-                        type = packet_read();
-                        if (type == SSH_SMSG_SUCCESS)
-                                goto success;
-                        if (type != SSH_SMSG_FAILURE)
-                                packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
-                }
-        }
-#endif /* KRB5 */
        /*
         * Try .rhosts or /etc/hosts.equiv authentication with RSA host
         * authentication.
@@ -981,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        /* NOTREACHED */
 success:
-#ifdef KRB5
-        /* Try Kerberos v5 TGT passing. */
-        if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-            options.kerberos_tgt_passing && context && auth_context) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-                send_krb5_tgt(context, auth_context);
-        }
-        if (auth_context)
-                krb5_auth_con_free(context, auth_context);
-        if (context)
-                krb5_free_context(context);
-#endif
        return; /* need statement after label */
 }
diff --git a/sshd.c b/sshd.c
index 8d04f6a74..47df9caf1 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1463,14 +1463,6 @@ main(int ac, char **av)
        sshd_exchange_identification(sock_in, sock_out);
-#ifdef KRB5
-        if (!packet_connection_is_ipv4() &&
-            options.kerberos_authentication) {
-                debug("Kerberos Authentication disabled, only available for IPv4.");
-                options.kerberos_authentication = 0;
-        }
-#endif
        packet_set_nonblocking();
        /* prepare buffers to collect authentication messages */
@@ -1634,12 +1626,6 @@ do_ssh1_kex(void)
                auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
        if (options.rsa_authentication)
                auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef KRB5
-        if (options.kerberos_authentication)
-                auth_mask |= 1 << SSH_AUTH_KERBEROS;
-        if (options.kerberos_tgt_passing)
-                auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
-#endif
        if (options.challenge_response_authentication == 1)
                auth_mask |= 1 << SSH_AUTH_TIS;
        if (options.password_authentication)
diff --git a/sshd_config b/sshd_config
index 294539096..dd53f1057 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $
+#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -61,7 +61,6 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
-#KerberosTgtPassing no
 # GSSAPI options
 #GSSAPIAuthentication no
diff --git a/sshd_config.5 b/sshd_config.5
index 8857c673d..577605f3e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.24 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -316,11 +316,9 @@ This avoids infinitely hanging sessions.
 To disable keepalives, the value should be set to
 .Dq no .
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
+Specifies whether the password provided by the user for
-This can be in the form of a Kerberos ticket, or if
 .Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
+will be validated through the Kerberos KDC.
-the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
@@ -332,10 +330,6 @@ such as
 .Pa /etc/passwd .
 Default is
 .Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.