-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth2-krb5.c | 66 | ||||
-rw-r--r-- | auth2.c | 8 | ||||
-rw-r--r-- | monitor.c | 7 | ||||
-rw-r--r-- | sshconnect2.c | 101 |
5 files changed, 184 insertions, 4 deletions
@@ -63,6 +63,10 @@ | |||
63 | [sftp.1] | 63 | [sftp.1] |
64 | emphasise the batchmode functionality and make reference to pubkey auth, | 64 | emphasise the batchmode functionality and make reference to pubkey auth, |
65 | both of which are FAQs; ok markus@ | 65 | both of which are FAQs; ok markus@ |
66 | - markus@cvs.openbsd.org 2003/05/14 02:15:47 | ||
67 | [auth2.c monitor.c sshconnect2.c auth2-krb5.c] | ||
68 | implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ | ||
69 | server interops with commercial client; ok jakob@ djm@ | ||
66 | 70 | ||
67 | 20030512 | 71 | 20030512 |
68 | - (djm) Redhat spec: Don't install profile.d scripts when not | 72 | - (djm) Redhat spec: Don't install profile.d scripts when not |
@@ -1450,4 +1454,4 @@ | |||
1450 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1454 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1451 | ok provos@ | 1455 | ok provos@ |
1452 | 1456 | ||
1453 | $Id: ChangeLog,v 1.2691 2003/05/14 03:47:07 djm Exp $ | 1457 | $Id: ChangeLog,v 1.2692 2003/05/14 03:47:37 djm Exp $ |
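--- /dev/null
+++ b/auth2-krb5.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2003 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-krb5.c,v 1.1 2003/05/14 02:15:47 markus Exp $");
+
+#include <krb5.h>
+
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "log.h"
+#include "auth.h"
+#include "monitor_wrap.h"
+#include "servconf.h"
+
+/* import */
+extern ServerOptions options;
+
+static int
+userauth_kerberos(Authctxt *authctxt)
+{
+	krb5_data tkt, reply;
+	char *client = NULL;
+	int authenticated = 0;
+
+	tkt.data = packet_get_string(&tkt.length);
+	packet_check_eom();
+
+	if (PRIVSEP(auth_krb5(authctxt, &tkt, &client, &reply))) {
+		authenticated = 1;
+		if (reply.length)
+			xfree(reply.data);
+	}
+	if (client)
+		xfree(client);
+	xfree(tkt.data);
+	return (authenticated);
+}
+
+Authmethod method_kerberos = {
+	"kerberos-2@ssh.com",
+	userauth_kerberos,
+	&options.kerberos_authentication
+};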
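Review bot: The AP-REP that auth_krb5 hands back in `reply` is freed and never sent to the client, even though the client half of this commit (ssh_krb5_helper in sshconnect2.c) builds its AP-REQ with AP_OPTS_MUTUAL_REQUIRED and its userauth_kerberos returns right after packet_send() without reading any response. Mutual Kerberos authentication is therefore not performed by this method and the client's assurance about the server rests entirely on the SSH host-key check, which is worth stating next to the xfree so nobody later assumes otherwise: `/* reply (AP-REP) is discarded: kerberos-2@ssh.com carries no mutual-auth response; server identity comes from the SSH host key */`. `reply` is only written by auth_krb5 on success, so the `reply.length` test correctly stays inside the success branch; setting `reply.length = 0` before the call would make that less fragile. Whether the principal returned in `client` is authorized for authctxt's user is presumably decided inside auth_krb5 (not visible here); nothing in this function compares them, so that should be confirmed.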
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth2.c,v 1.97 2003/04/08 20:21:28 itojun Exp $"); | 26 | RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $"); |
27 | 27 | ||
28 | #include "ssh2.h" | 28 | #include "ssh2.h" |
29 | #include "xmalloc.h" | 29 | #include "xmalloc.h" |
@@ -50,6 +50,9 @@ extern Authmethod method_pubkey; | |||
50 | extern Authmethod method_passwd; | 50 | extern Authmethod method_passwd; |
51 | extern Authmethod method_kbdint; | 51 | extern Authmethod method_kbdint; |
52 | extern Authmethod method_hostbased; | 52 | extern Authmethod method_hostbased; |
53 | #ifdef KRB5 | ||
54 | extern Authmethod method_kerberos; | ||
55 | #endif | ||
53 | 56 | ||
54 | Authmethod *authmethods[] = { | 57 | Authmethod *authmethods[] = { |
55 | &method_none, | 58 | &method_none, |
@@ -57,6 +60,9 @@ Authmethod *authmethods[] = { | |||
57 | &method_passwd, | 60 | &method_passwd, |
58 | &method_kbdint, | 61 | &method_kbdint, |
59 | &method_hostbased, | 62 | &method_hostbased, |
63 | #ifdef KRB5 | ||
64 | &method_kerberos, | ||
65 | #endif | ||
60 | NULL | 66 | NULL |
61 | }; | 67 | }; |
62 | 68 | ||
@@ -25,7 +25,7 @@ | |||
25 | */ | 25 | */ |
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | RCSID("$OpenBSD: monitor.c,v 1.38 2003/04/08 20:21:28 itojun Exp $"); | 28 | RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $"); |
29 | 29 | ||
30 | #include <openssl/dh.h> | 30 | #include <openssl/dh.h> |
31 | 31 | ||
@@ -182,6 +182,9 @@ struct mon_table mon_dispatch_proto20[] = { | |||
182 | #endif | 182 | #endif |
183 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, | 183 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, |
184 | {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, | 184 | {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, |
185 | #ifdef KRB5 | ||
186 | {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, | ||
187 | #endif | ||
185 | {0, 0, NULL} | 188 | {0, 0, NULL} |
186 | }; | 189 | }; |
187 | 190 | ||
@@ -1483,6 +1486,8 @@ mm_answer_krb5(int socket, Buffer *m) | |||
1483 | } | 1486 | } |
1484 | mm_request_send(socket, MONITOR_ANS_KRB5, m); | 1487 | mm_request_send(socket, MONITOR_ANS_KRB5, m); |
1485 | 1488 | ||
1489 | auth_method = "kerberos"; | ||
1490 | |||
1486 | return success; | 1491 | return success; |
1487 | } | 1492 | } |
1488 | #endif | 1493 | #endif |
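--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,11 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
 
 #include "ssh.h"
 #include "ssh2.h"
@@ -190,6 +194,7 @@ int userauth_pubkey(Authctxt *);
 int userauth_passwd(Authctxt *);
 int userauth_kbdint(Authctxt *);
 int userauth_hostbased(Authctxt *);
+int userauth_kerberos(Authctxt *);
 
 void userauth(Authctxt *, char *);
 
@@ -208,6 +213,12 @@ Authmethod authmethods[] = {
 	userauth_hostbased,
 	&options.hostbased_authentication,
 	NULL},
+#if KRB5
+	{"kerberos-2@ssh.com",
+		userauth_kerberos,
+		&options.kerberos_authentication,
+		NULL},
+#endif
 	{"publickey",
 	userauth_pubkey,
 	&options.pubkey_authentication,
@@ -1112,6 +1123,94 @@ userauth_hostbased(Authctxt *authctxt)
 	return 1;
 }
 
+#if KRB5
+static int
+ssh_krb5_helper(krb5_data *ap)
+{
+	krb5_context xcontext = NULL;	/* XXX share with ssh1 */
+	krb5_auth_context xauth_context = NULL;
+
+	krb5_context *context;
+	krb5_auth_context *auth_context;
+	krb5_error_code problem;
+	const char *tkfile;
+	struct stat buf;
+	krb5_ccache ccache = NULL;
+	const char *remotehost;
+	int ret;
+
+	memset(ap, 0, sizeof(*ap));
+
+	context = &xcontext;
+	auth_context = &xauth_context;
+
+	problem = krb5_init_context(context);
+	if (problem) {
+		debug("Kerberos v5: krb5_init_context failed");
+		ret = 0;
+		goto out;
+	}
+
+	tkfile = krb5_cc_default_name(*context);
+	if (strncmp(tkfile, "FILE:", 5) == 0)
+		tkfile += 5;
+
+	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+		debug("Kerberos v5: could not get default ccache (permission denied).");
+		ret = 0;
+		goto out;
+	}
+
+	problem = krb5_cc_default(*context, &ccache);
+	if (problem) {
+		debug("Kerberos v5: krb5_cc_default failed: %s",
+		    krb5_get_err_text(*context, problem));
+		ret = 0;
+		goto out;
+	}
+
+	remotehost = get_canonical_hostname(1);
+
+	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+	    "host", remotehost, NULL, ccache, ap);
+	if (problem) {
+		debug("Kerberos v5: krb5_mk_req failed: %s",
+		    krb5_get_err_text(*context, problem));
+		ret = 0;
+		goto out;
+	}
+	ret = 1;
+
+out:
+	if (ccache != NULL)
+		krb5_cc_close(*context, ccache);
+	if (*auth_context)
+		krb5_auth_con_free(*context, *auth_context);
+	if (*context)
+		krb5_free_context(*context);
+	return (ret);
+}
+
+int
+userauth_kerberos(Authctxt *authctxt)
+{
+	krb5_data ap;
+
+	if (ssh_krb5_helper(&ap) == 0)
+		return (0);
+
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_string(ap.data, ap.length);
+	packet_send();
+
+	krb5_data_free(&ap);
+	return (1);
+}
+#endif
+
 /* find auth method */
 
 /*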
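Review bot: The new authmethods entry and the block around ssh_krb5_helper/userauth_kerberos are guarded with `#if KRB5`, while the krb5.h include added at the top of this same file and the server-side auth2.c/monitor.c changes use `#ifdef KRB5`; if KRB5 is ever defined without a value, `#if KRB5` is a preprocessor error, so both guards should read `#ifdef KRB5`. In ssh_krb5_helper, `krb5_get_err_text` and `krb5_data_free` look like Heimdal-specific API names rather than ones common to every Kerberos implementation; if other libraries are supported builds, that needs confirming. The ownership test `stat(tkfile, &buf) == 0 && getuid() != buf.st_uid` applies only to FILE: caches and is a check on a path the library reopens in krb5_cc_default afterwards, so it should be labelled as a best-effort guard rather than a security boundary, e.g. `/* best-effort: refuse a FILE: ccache not owned by the real uid; the library reopens it below */`.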