-rw-r--r--ChangeLog11
-rw-r--r--Makefile.in6
-rw-r--r--acconfig.h8
-rw-r--r--auth-krb4.c368
-rw-r--r--auth-passwd.c10
-rw-r--r--auth.h19
-rw-r--r--auth1.c45
-rw-r--r--configure.ac87
-rw-r--r--monitor.c54
-rw-r--r--monitor.h1
-rw-r--r--monitor_wrap.c38
-rw-r--r--monitor_wrap.h5
-rw-r--r--radix.c158
-rw-r--r--radix.h28
-rw-r--r--readconf.c17
-rw-r--r--readconf.h3
-rw-r--r--servconf.c25
-rw-r--r--servconf.h3
-rw-r--r--session.c57
-rw-r--r--ssh.14
-rw-r--r--ssh.c9
-rw-r--r--ssh.h5
-rw-r--r--ssh_config.510
-rw-r--r--sshconnect1.c287
-rw-r--r--sshd.c21
-rw-r--r--sshd_config.59
26 files changed, 52 insertions, 1236 deletions
diff --git a/ChangeLog b/ChangeLog
index c930ad347..67ca07ce4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
120030802 120030802
2 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags. 2 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
3 - (dtucker) OpenBSD CVS Sync
4 - markus@cvs.openbsd.org 2003/07/22 13:35:22
5 [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
6 monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
7 ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
8 remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
9 test+ok henning@
10 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
11 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
3 12
420030730 1320030730
5 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal 14 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
@@ -738,4 +747,4 @@
738 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. 747 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
739 Report from murple@murple.net, diagnosis from dtucker@zip.com.au 748 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
740 749
741$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $ 750$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index 4252ae6f3..c5674c735 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $ 1# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
63LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ 63LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
64 cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \ 64 cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
65 compat.o compress.o crc32.o deattack.o fatal.o \ 65 compat.o compress.o crc32.o deattack.o fatal.o \
66 hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \ 66 hostfile.o log.o match.o mpaux.o nchan.o packet.o \
67 readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ 67 readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
68 key.o dispatch.o kex.o mac.o uuencode.o misc.o \ 68 key.o dispatch.o kex.o mac.o uuencode.o misc.o \
69 rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ 69 rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
@@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
81 auth2-none.o auth2-passwd.o auth2-pubkey.o \ 81 auth2-none.o auth2-passwd.o auth2-pubkey.o \
82 monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ 82 monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
83 kexdhs.o kexgexs.o \ 83 kexdhs.o kexgexs.o \
84 auth-krb5.o auth2-krb5.o auth-krb4.o \ 84 auth-krb5.o auth2-krb5.o \
85 loginrec.o auth-pam.o auth-sia.o md5crypt.o 85 loginrec.o auth-pam.o auth-sia.o md5crypt.o
86 86
87MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out 87MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
diff --git a/acconfig.h b/acconfig.h
index 0af93663c..24c07beed 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
1/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */ 1/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -238,12 +238,6 @@
238/* Define this if you are using the Heimdal version of Kerberos V5 */ 238/* Define this if you are using the Heimdal version of Kerberos V5 */
239#undef HEIMDAL 239#undef HEIMDAL
240 240
241/* Define if you want Kerberos 4 support */
242#undef KRB4
243
244/* Define if you want AFS support */
245#undef AFS
246
247/* Define if you want S/Key support */ 241/* Define if you want S/Key support */
248#undef SKEY 242#undef SKEY
249 243
diff --git a/auth-krb4.c b/auth-krb4.c
deleted file mode 100644
index 9e1c800be..000000000
--- a/auth-krb4.c
+++ /dev/null
@@ -1,368 +0,0 @@
1/*
2 * Copyright (c) 1999 Dug Song. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
26RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $");
27
28#include "ssh.h"
29#include "ssh1.h"
30#include "packet.h"
31#include "xmalloc.h"
32#include "log.h"
33#include "servconf.h"
34#include "uidswap.h"
35#include "auth.h"
36
37#ifdef AFS
38#include "radix.h"
39#endif
40
41#ifdef KRB4
42extern ServerOptions options;
43
44static int
45krb4_init(void *context)
46{
47 static int cleanup_registered = 0;
48 Authctxt *authctxt = (Authctxt *)context;
49 const char *tkt_root = TKT_ROOT;
50 struct stat st;
51 int fd;
52
53 if (!authctxt->krb4_ticket_file) {
54 /* Set unique ticket string manually since we're still root. */
55 authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
56#ifdef AFS
57 if (lstat("/ticket", &st) != -1)
58 tkt_root = "/ticket/";
59#endif /* AFS */
60 snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
61 tkt_root, authctxt->pw->pw_uid, (long)getpid());
62 krb_set_tkt_string(authctxt->krb4_ticket_file);
63 }
64 /* Register ticket cleanup in case of fatal error. */
65 if (!cleanup_registered) {
66 fatal_add_cleanup(krb4_cleanup_proc, authctxt);
67 cleanup_registered = 1;
68 }
69 /* Try to create our ticket file. */
70 if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
71 close(fd);
72 return (1);
73 }
74 /* Ticket file exists - make sure user owns it (just passed ticket). */
75 if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
76 if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
77 st.st_uid == authctxt->pw->pw_uid)
78 return (1);
79 }
80 /* Failure - cancel cleanup function, leaving ticket for inspection. */
81 logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
82
83 fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
84 cleanup_registered = 0;
85
86 xfree(authctxt->krb4_ticket_file);
87 authctxt->krb4_ticket_file = NULL;
88
89 return (0);
90}
91
92/*
93 * try krb4 authentication,
94 * return 1 on success, 0 on failure, -1 if krb4 is not available
95 */
96int
97auth_krb4_password(Authctxt *authctxt, const char *password)
98{
99 AUTH_DAT adata;
100 KTEXT_ST tkt;
101 struct hostent *hp;
102 struct passwd *pw;
103 char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
104 u_int32_t faddr;
105 int r;
106
107 if ((pw = authctxt->pw) == NULL)
108 return (0);
109
110 /*
111 * Try Kerberos password authentication only for non-root
112 * users and only if Kerberos is installed.
113 */
114 if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
115 /* Set up our ticket file. */
116 if (!krb4_init(authctxt)) {
117 logit("Couldn't initialize Kerberos ticket file for %s!",
118 pw->pw_name);
119 goto failure;
120 }
121 /* Try to get TGT using our password. */
122 r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
123 "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
124 if (r != INTK_OK) {
125 debug("Kerberos v4 password authentication for %s "
126 "failed: %s", pw->pw_name, krb_err_txt[r]);
127 goto failure;
128 }
129 /* Successful authentication. */
130 chown(tkt_string(), pw->pw_uid, pw->pw_gid);
131
132 /*
133 * Now that we have a TGT, try to get a local
134 * "rcmd" ticket to ensure that we are not talking
135 * to a bogus Kerberos server.
136 */
137 gethostname(localhost, sizeof(localhost));
138 strlcpy(phost, (char *)krb_get_phost(localhost),
139 sizeof(phost));
140 r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
141
142 if (r == KSUCCESS) {
143 if ((hp = gethostbyname(localhost)) == NULL) {
144 logit("Couldn't get local host address!");
145 goto failure;
146 }
147 memmove((void *)&faddr, (void *)hp->h_addr,
148 sizeof(faddr));
149
150 /* Verify our "rcmd" ticket. */
151 r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
152 faddr, &adata, "");
153 if (r == RD_AP_UNDEC) {
154 /*
155 * Probably didn't have a srvtab on
156 * localhost. Disallow login.
157 */
158 logit("Kerberos v4 TGT for %s unverifiable, "
159 "no srvtab installed? krb_rd_req: %s",
160 pw->pw_name, krb_err_txt[r]);
161 goto failure;
162 } else if (r != KSUCCESS) {
163 logit("Kerberos v4 %s ticket unverifiable: %s",
164 KRB4_SERVICE_NAME, krb_err_txt[r]);
165 goto failure;
166 }
167 } else if (r == KDC_PR_UNKNOWN) {
168 /*
169 * Disallow login if no rcmd service exists, and
170 * log the error.
171 */
172 logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
173 "not registered, or srvtab is wrong?", pw->pw_name,
174 krb_err_txt[r], KRB4_SERVICE_NAME, phost);
175 goto failure;
176 } else {
177 /*
178 * TGT is bad, forget it. Possibly spoofed!
179 */
180 debug("WARNING: Kerberos v4 TGT possibly spoofed "
181 "for %s: %s", pw->pw_name, krb_err_txt[r]);
182 goto failure;
183 }
184 /* Authentication succeeded. */
185 return (1);
186 } else
187 /* Logging in as root or no local Kerberos realm. */
188 debug("Unable to authenticate to Kerberos.");
189
190 failure:
191 krb4_cleanup_proc(authctxt);
192
193 if (!options.kerberos_or_local_passwd)
194 return (0);
195
196 /* Fall back to ordinary passwd authentication. */
197 return (-1);
198}
199
200void
201krb4_cleanup_proc(void *context)
202{
203 Authctxt *authctxt = (Authctxt *)context;
204 debug("krb4_cleanup_proc called");
205 if (authctxt->krb4_ticket_file) {
206 (void) dest_tkt();
207 xfree(authctxt->krb4_ticket_file);
208 authctxt->krb4_ticket_file = NULL;
209 }
210}
211
212int
213auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
214{
215 AUTH_DAT adat = {0};
216 Key_schedule schedule;
217 struct sockaddr_in local, foreign;
218 char instance[INST_SZ];
219 socklen_t slen;
220 u_int cksum;
221 int r, s;
222
223 s = packet_get_connection_in();
224
225 slen = sizeof(local);
226 memset(&local, 0, sizeof(local));
227 if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
228 debug("getsockname failed: %.100s", strerror(errno));
229 slen = sizeof(foreign);
230 memset(&foreign, 0, sizeof(foreign));
231 if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
232 debug("getpeername failed: %.100s", strerror(errno));
233 fatal_cleanup();
234 }
235 instance[0] = '*';
236 instance[1] = 0;
237
238 /* Get the encrypted request, challenge, and session key. */
239 if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
240 0, &adat, ""))) {
241 debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
242 return (0);
243 }
244 des_key_sched((des_cblock *) adat.session, schedule);
245
246 *client = xmalloc(MAX_K_NAME_SZ);
247 (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
248 *adat.pinst ? "." : "", adat.pinst, adat.prealm);
249
250 /* Check ~/.klogin authorization now. */
251 if (kuserok(&adat, authctxt->user) != KSUCCESS) {
252 logit("Kerberos v4 .klogin authorization failed for %s to "
253 "account %s", *client, authctxt->user);
254 xfree(*client);
255 *client = NULL;
256 return (0);
257 }
258 /* Increment the checksum, and return it encrypted with the
259 session key. */
260 cksum = adat.checksum + 1;
261 cksum = htonl(cksum);
262
263 /* If we can't successfully encrypt the checksum, we send back an
264 empty message, admitting our failure. */
265 if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
266 schedule, &adat.session, &local, &foreign)) < 0) {
267 debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
268 reply->dat[0] = 0;
269 reply->length = 0;
270 } else
271 reply->length = r;
272
273 /* Clear session key. */
274 memset(&adat.session, 0, sizeof(adat.session));
275 return (1);
276}
277#endif /* KRB4 */
278
279#ifdef AFS
280int
281auth_krb4_tgt(Authctxt *authctxt, const char *string)
282{
283 CREDENTIALS creds;
284 struct passwd *pw;
285
286 if ((pw = authctxt->pw) == NULL)
287 goto failure;
288
289 temporarily_use_uid(pw);
290
291 if (!radix_to_creds(string, &creds)) {
292 logit("Protocol error decoding Kerberos v4 TGT");
293 goto failure;
294 }
295 if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
296 strlcpy(creds.service, "krbtgt", sizeof creds.service);
297
298 if (strcmp(creds.service, "krbtgt")) {
299 logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
300 creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
301 creds.realm, pw->pw_name);
302 goto failure;
303 }
304 if (!krb4_init(authctxt))
305 goto failure;
306
307 if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
308 goto failure;
309
310 if (save_credentials(creds.service, creds.instance, creds.realm,
311 creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
312 creds.issue_date) != KSUCCESS) {
313 debug("Kerberos v4 TGT refused: couldn't save credentials");
314 goto failure;
315 }
316 /* Successful authentication, passed all checks. */
317 chown(tkt_string(), pw->pw_uid, pw->pw_gid);
318
319 debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
320 creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
321 memset(&creds, 0, sizeof(creds));
322
323 restore_uid();
324
325 return (1);
326
327 failure:
328 krb4_cleanup_proc(authctxt);
329 memset(&creds, 0, sizeof(creds));
330 restore_uid();
331
332 return (0);
333}
334
335int
336auth_afs_token(Authctxt *authctxt, const char *token_string)
337{
338 CREDENTIALS creds;
339 struct passwd *pw;
340 uid_t uid;
341
342 if ((pw = authctxt->pw) == NULL)
343 return (0);
344
345 if (!radix_to_creds(token_string, &creds)) {
346 logit("Protocol error decoding AFS token");
347 return (0);
348 }
349 if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
350 strlcpy(creds.service, "afs", sizeof creds.service);
351
352 if (strncmp(creds.pname, "AFS ID ", 7) == 0)
353 uid = atoi(creds.pname + 7);
354 else
355 uid = pw->pw_uid;
356
357 if (kafs_settoken(creds.realm, uid, &creds)) {
358 logit("AFS token (%s@%s) rejected for %s",
359 creds.pname, creds.realm, pw->pw_name);
360 memset(&creds, 0, sizeof(creds));
361 return (0);
362 }
363 debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
364 memset(&creds, 0, sizeof(creds));
365
366 return (1);
367}
368#endif /* AFS */
diff --git a/auth-passwd.c b/auth-passwd.c
index c0b7f725f..780e92344 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,7 +36,7 @@
36 */ 36 */
37 37
38#include "includes.h" 38#include "includes.h"
39RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); 39RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
40 40
41#include "packet.h" 41#include "packet.h"
42#include "log.h" 42#include "log.h"
@@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password)
131 return (authsuccess); 131 return (authsuccess);
132 } 132 }
133# endif 133# endif
134# ifdef KRB4
135 if (options.kerberos_authentication == 1) {
136 int ret = auth_krb4_password(authctxt, password);
137 if (ret == 1 || ret == 0)
138 return ret;
139 /* Fall back to ordinary passwd authentication. */
140 }
141# endif
142# ifdef BSD_AUTH 134# ifdef BSD_AUTH
143 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", 135 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
144 (char *)password) == 0) 136 (char *)password) == 0)
diff --git a/auth.h b/auth.h
index 776e4195c..1ed92e018 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */ 1/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -60,9 +60,6 @@ struct Authctxt {
60#ifdef BSD_AUTH 60#ifdef BSD_AUTH
61 auth_session_t *as; 61 auth_session_t *as;
62#endif 62#endif
63#ifdef KRB4
64 char *krb4_ticket_file;
65#endif
66#ifdef KRB5 63#ifdef KRB5
67 krb5_context krb5_ctx; 64 krb5_context krb5_ctx;
68 krb5_auth_context krb5_auth_ctx; 65 krb5_auth_context krb5_auth_ctx;
@@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
117int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); 114int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
118int user_key_allowed(struct passwd *, Key *); 115int user_key_allowed(struct passwd *, Key *);
119 116
120#ifdef KRB4
121#include <krb.h>
122int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
123int auth_krb4_password(Authctxt *, const char *);
124void krb4_cleanup_proc(void *);
125
126#ifdef AFS
127#include <kafs.h>
128int auth_krb4_tgt(Authctxt *, const char *);
129int auth_afs_token(Authctxt *, const char *);
130#endif /* AFS */
131
132#endif /* KRB4 */
133
134#ifdef KRB5 117#ifdef KRB5
135int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); 118int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
136int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); 119int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
diff --git a/auth1.c b/auth1.c
index 6cb0b04b2..877e2e62d 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $"); 13RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
14 14
15#include "xmalloc.h" 15#include "xmalloc.h"
16#include "rsa.h" 16#include "rsa.h"
@@ -49,7 +49,7 @@ get_authname(int type)
49 case SSH_CMSG_AUTH_TIS: 49 case SSH_CMSG_AUTH_TIS:
50 case SSH_CMSG_AUTH_TIS_RESPONSE: 50 case SSH_CMSG_AUTH_TIS_RESPONSE:
51 return "challenge-response"; 51 return "challenge-response";
52#if defined(KRB4) || defined(KRB5) 52#ifdef KRB5
53 case SSH_CMSG_AUTH_KERBEROS: 53 case SSH_CMSG_AUTH_KERBEROS:
54 return "kerberos"; 54 return "kerberos";
55#endif 55#endif
@@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
81 81
82 /* If the user has no password, accept authentication immediately. */ 82 /* If the user has no password, accept authentication immediately. */
83 if (options.password_authentication && 83 if (options.password_authentication &&
84#if defined(KRB4) || defined(KRB5) 84#ifdef KRB5
85 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && 85 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
86#endif 86#endif
87 PRIVSEP(auth_password(authctxt, ""))) { 87 PRIVSEP(auth_password(authctxt, ""))) {
@@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt)
120 /* Process the packet. */ 120 /* Process the packet. */
121 switch (type) { 121 switch (type) {
122 122
123#if defined(KRB4) || defined(KRB5) 123#ifdef KRB5
124 case SSH_CMSG_AUTH_KERBEROS: 124 case SSH_CMSG_AUTH_KERBEROS:
125 if (!options.kerberos_authentication) { 125 if (!options.kerberos_authentication) {
126 verbose("Kerberos authentication disabled."); 126 verbose("Kerberos authentication disabled.");
@@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt)
128 char *kdata = packet_get_string(&dlen); 128 char *kdata = packet_get_string(&dlen);
129 packet_check_eom(); 129 packet_check_eom();
130 130
131 if (kdata[0] == 4) { /* KRB_PROT_VERSION */ 131 if (kdata[0] != 4) { /* KRB_PROT_VERSION */
132#ifdef KRB4
133 KTEXT_ST tkt, reply;
134 tkt.length = dlen;
135 if (tkt.length < MAX_KTXT_LEN)
136 memcpy(tkt.dat, kdata, tkt.length);
137
138 if (PRIVSEP(auth_krb4(authctxt, &tkt,
139 &client_user, &reply))) {
140 authenticated = 1;
141 snprintf(info, sizeof(info),
142 " tktuser %.100s",
143 client_user);
144
145 packet_start(
146 SSH_SMSG_AUTH_KERBEROS_RESPONSE);
147 packet_put_string((char *)
148 reply.dat, reply.length);
149 packet_send();
150 packet_write_wait();
151 }
152#endif /* KRB4 */
153 } else {
154#ifdef KRB5
155 krb5_data tkt, reply; 132 krb5_data tkt, reply;
156 tkt.length = dlen; 133 tkt.length = dlen;
157 tkt.data = kdata; 134 tkt.data = kdata;
@@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt)
174 if (reply.length) 151 if (reply.length)
175 xfree(reply.data); 152 xfree(reply.data);
176 } 153 }
177#endif /* KRB5 */
178 } 154 }
179 xfree(kdata); 155 xfree(kdata);
180 } 156 }
181 break; 157 break;
182#endif /* KRB4 || KRB5 */
183
184#if defined(AFS) || defined(KRB5)
185 /* XXX - punt on backward compatibility here. */
186 case SSH_CMSG_HAVE_KERBEROS_TGT: 158 case SSH_CMSG_HAVE_KERBEROS_TGT:
187 packet_send_debug("Kerberos TGT passing disabled before authentication."); 159 packet_send_debug("Kerberos TGT passing disabled before authentication.");
188 break; 160 break;
189#ifdef AFS 161#endif
190 case SSH_CMSG_HAVE_AFS_TOKEN:
191 packet_send_debug("AFS token passing disabled before authentication.");
192 break;
193#endif /* AFS */
194#endif /* AFS || KRB5 */
195 162
196 case SSH_CMSG_AUTH_RHOSTS: 163 case SSH_CMSG_AUTH_RHOSTS:
197 if (!options.rhosts_authentication) { 164 if (!options.rhosts_authentication) {
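Review bot: Flipping the test to `if (kdata[0] != 4)` and dropping the old v4 arm leaves that inner `if` with no else branch, so a client that still presents a Kerberos v4 ticket is now ignored without any log line, which is indistinguishable from a silently dropped packet when diagnosing a client that was never reconfigured. A short else on that inner if, `} else` / `verbose("Kerberos v4 authentication is no longer supported.");`, placed before `xfree(kdata)`, keeps the refusal visible in the server log at the same level as the "Kerberos authentication disabled." message just above it. The failure reply to the client is presumably still sent by the common path after the switch, but do_authloop() begins and ends outside this hunk, so that could not be confirmed here.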
diff --git a/configure.ac b/configure.ac
index 74909343d..68fa5c1f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $ 1# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $
2 2
3AC_INIT 3AC_INIT
4AC_CONFIG_SRCDIR([ssh.c]) 4AC_CONFIG_SRCDIR([ssh.c])
@@ -54,7 +54,6 @@ fi
54# Check for some target-specific stuff 54# Check for some target-specific stuff
55case "$host" in 55case "$host" in
56*-*-aix*) 56*-*-aix*)
57 AFS_LIBS="-lld"
58 CPPFLAGS="$CPPFLAGS -I/usr/local/include" 57 CPPFLAGS="$CPPFLAGS -I/usr/local/include"
59 LDFLAGS="$LDFLAGS -L/usr/local/lib" 58 LDFLAGS="$LDFLAGS -L/usr/local/lib"
60 AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) 59 AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
@@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5,
1940 fi 1939 fi
1941 ] 1940 ]
1942) 1941)
1943# Check whether user wants Kerberos 4 support 1942LIBS="$LIBS $K5LIBS"
1944KRB4_MSG="no"
1945AC_ARG_WITH(kerberos4,
1946 [ --with-kerberos4=PATH Enable Kerberos 4 support],
1947 [
1948 if test "x$withval" != "xno" ; then
1949 if test "x$withval" != "xyes" ; then
1950 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1951 LDFLAGS="$LDFLAGS -L${withval}/lib"
1952 if test ! -z "$need_dash_r" ; then
1953 LDFLAGS="$LDFLAGS -R${withval}/lib"
1954 fi
1955 if test ! -z "$blibpath" ; then
1956 blibpath="$blibpath:${withval}/lib"
1957 fi
1958 else
1959 if test -d /usr/include/kerberosIV ; then
1960 CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
1961 fi
1962 fi
1963
1964 AC_CHECK_HEADERS(krb.h)
1965 if test "$ac_cv_header_krb_h" != yes; then
1966 AC_MSG_WARN([Cannot find krb.h, build may fail])
1967 fi
1968 AC_CHECK_LIB(krb, main)
1969 if test "$ac_cv_lib_krb_main" != yes; then
1970 AC_CHECK_LIB(krb4, main)
1971 if test "$ac_cv_lib_krb4_main" != yes; then
1972 AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
1973 else
1974 KLIBS="-lkrb4"
1975 fi
1976 else
1977 KLIBS="-lkrb"
1978 fi
1979 AC_CHECK_LIB(des, des_cbc_encrypt)
1980 if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
1981 AC_CHECK_LIB(des425, des_cbc_encrypt)
1982 if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
1983 AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
1984 else
1985 KLIBS="-ldes425"
1986 fi
1987 else
1988 KLIBS="-ldes"
1989 fi
1990 AC_CHECK_LIB(resolv, dn_expand, , )
1991 KRB4=yes
1992 KRB4_MSG="yes"
1993 AC_DEFINE(KRB4)
1994 fi
1995 ]
1996)
1997
1998# Check whether user wants AFS support
1999AFS_MSG="no"
2000AC_ARG_WITH(afs,
2001 [ --with-afs=PATH Enable AFS support],
2002 [
2003 if test "x$withval" != "xno" ; then
2004
2005 if test "x$withval" != "xyes" ; then
2006 CPPFLAGS="$CPPFLAGS -I${withval}/include"
2007 LDFLAGS="$LDFLAGS -L${withval}/lib"
2008 fi
2009
2010 if test -z "$KRB4" ; then
2011 AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
2012 fi
2013
2014 LIBS="-lkafs $LIBS"
2015 if test ! -z "$AFS_LIBS" ; then
2016 LIBS="$LIBS $AFS_LIBS"
2017 fi
2018 AC_DEFINE(AFS)
2019 AFS_MSG="yes"
2020 fi
2021 ]
2022)
2023LIBS="$LIBS $KLIBS $K5LIBS"
2024 1943
2025# Looking for programs, paths and files 1944# Looking for programs, paths and files
2026 1945
@@ -2648,10 +2567,8 @@ fi
2648echo " Manpage format: $MANTYPE" 2567echo " Manpage format: $MANTYPE"
2649echo " DNS support: $DNS_MSG" 2568echo " DNS support: $DNS_MSG"
2650echo " PAM support: $PAM_MSG" 2569echo " PAM support: $PAM_MSG"
2651echo " KerberosIV support: $KRB4_MSG"
2652echo " KerberosV support: $KRB5_MSG" 2570echo " KerberosV support: $KRB5_MSG"
2653echo " Smartcard support: $SCARD_MSG" 2571echo " Smartcard support: $SCARD_MSG"
2654echo " AFS support: $AFS_MSG"
2655echo " S/KEY support: $SKEY_MSG" 2572echo " S/KEY support: $SKEY_MSG"
2656echo " TCP Wrappers support: $TCPW_MSG" 2573echo " TCP Wrappers support: $TCPW_MSG"
2657echo " MD5 password support: $MD5_MSG" 2574echo " MD5 password support: $MD5_MSG"
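Review bot: With the AC_ARG_WITH(kerberos4) and AC_ARG_WITH(afs) blocks deleted outright, a site that still configures with `--with-kerberos4=PATH` or `--with-afs` gets, as far as I recall autoconf's handling of unknown options, only a warning and a build that quietly lacks the authentication method it asked for. Keeping two stub options that reject the flag, e.g. `AC_ARG_WITH(kerberos4, [  --with-kerberos4=PATH   (no longer supported)], [AC_MSG_ERROR([Kerberos 4 support has been removed])])` and the same for afs, makes the removal fail loudly at configure time instead of surfacing as a missing auth method after deployment.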
diff --git a/monitor.c b/monitor.c
index 3a8735f58..95fd0cf64 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
25 */ 25 */
26 26
27#include "includes.h" 27#include "includes.h"
28RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $"); 28RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
29 29
30#include <openssl/dh.h> 30#include <openssl/dh.h>
31 31
@@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *);
124int mm_answer_pam_free_ctx(int, Buffer *); 124int mm_answer_pam_free_ctx(int, Buffer *);
125#endif 125#endif
126 126
127#ifdef KRB4
128int mm_answer_krb4(int, Buffer *);
129#endif
130#ifdef KRB5 127#ifdef KRB5
131int mm_answer_krb5(int, Buffer *); 128int mm_answer_krb5(int, Buffer *);
132#endif 129#endif
@@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = {
222 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, 219 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
223 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, 220 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
224#endif 221#endif
225#ifdef KRB4
226 {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
227#endif
228#ifdef KRB5 222#ifdef KRB5
229 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, 223 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
230#endif 224#endif
@@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
1428 return (success); 1422 return (success);
1429} 1423}
1430 1424
1431#ifdef KRB4
1432int
1433mm_answer_krb4(int socket, Buffer *m)
1434{
1435 KTEXT_ST auth, reply;
1436 char *client, *p;
1437 int success;
1438 u_int alen;
1439
1440 reply.length = auth.length = 0;
1441
1442 p = buffer_get_string(m, &alen);
1443 if (alen >= MAX_KTXT_LEN)
1444 fatal("%s: auth too large", __func__);
1445 memcpy(auth.dat, p, alen);
1446 auth.length = alen;
1447 memset(p, 0, alen);
1448 xfree(p);
1449
1450 success = options.kerberos_authentication &&
1451 authctxt->valid &&
1452 auth_krb4(authctxt, &auth, &client, &reply);
1453
1454 memset(auth.dat, 0, alen);
1455 buffer_clear(m);
1456 buffer_put_int(m, success);
1457
1458 if (success) {
1459 buffer_put_cstring(m, client);
1460 buffer_put_string(m, reply.dat, reply.length);
1461 if (client)
1462 xfree(client);
1463 if (reply.length)
1464 memset(reply.dat, 0, reply.length);
1465 }
1466
1467 debug3("%s: sending result %d", __func__, success);
1468 mm_request_send(socket, MONITOR_ANS_KRB4, m);
1469
1470 auth_method = "kerberos";
1471
1472 /* Causes monitor loop to terminate if authenticated */
1473 return (success);
1474}
1475#endif
1476
1477#ifdef KRB5 1425#ifdef KRB5
1478int 1426int
1479mm_answer_krb5(int socket, Buffer *m) 1427mm_answer_krb5(int socket, Buffer *m)
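--- a/monitor.h
+++ b/monitor.h
@@ -49,7 +49,6 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-	MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
 	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,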
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 10a79c035..c7ba86ffc 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
25 */ 25 */
26 26
27#include "includes.h" 27#include "includes.h"
28RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $"); 28RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
29 29
30#include <openssl/bn.h> 30#include <openssl/bn.h>
31#include <openssl/dh.h> 31#include <openssl/dh.h>
@@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
1043 return (success); 1043 return (success);
1044} 1044}
1045 1045
1046#ifdef KRB4
1047int
1048mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
1049{
1050 KTEXT auth, reply;
1051 Buffer m;
1052 u_int rlen;
1053 int success = 0;
1054 char *p;
1055
1056 debug3("%s entering", __func__);
1057 auth = _auth;
1058 reply = _reply;
1059
1060 buffer_init(&m);
1061 buffer_put_string(&m, auth->dat, auth->length);
1062
1063 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
1064 mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
1065
1066 success = buffer_get_int(&m);
1067 if (success) {
1068 *client = buffer_get_string(&m, NULL);
1069 p = buffer_get_string(&m, &rlen);
1070 if (rlen >= MAX_KTXT_LEN)
1071 fatal("%s: reply from monitor too large", __func__);
1072 reply->length = rlen;
1073 memcpy(reply->dat, p, rlen);
1074 memset(p, 0, rlen);
1075 xfree(p);
1076 }
1077 buffer_free(&m);
1078 return (success);
1079}
1080#endif
1081
1082#ifdef KRB5 1046#ifdef KRB5
1083int 1047int
1084mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) 1048mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index d551c9d41..e0dd73bd0 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */ 1/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
2 2
3/* 3/*
4 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 4 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
88int mm_skey_respond(void *, u_int, char **); 88int mm_skey_respond(void *, u_int, char **);
89 89
90/* auth_krb */ 90/* auth_krb */
91#ifdef KRB4
92int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
93#endif
94#ifdef KRB5 91#ifdef KRB5
95/* auth and reply are really krb5_data objects, but we don't want to 92/* auth and reply are really krb5_data objects, but we don't want to
96 * include all of the krb5 headers here */ 93 * include all of the krb5 headers here */
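diff --git a/radix.c b/radix.c
deleted file mode 100644
index c680d6bf3..000000000
--- a/radix.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- * Copyright (c) 2002 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#include "uuencode.h"
-
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-
-#ifdef AFS
-#include <krb.h>
-
-#include <radix.h>
-#include "bufaux.h"
-
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
- Buffer b;
- int ret;
-
- buffer_init(&b);
-
- buffer_put_char(&b, 1); /* version */
-
- buffer_append(&b, creds->service, strlen(creds->service));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->instance, strlen(creds->instance));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->realm, strlen(creds->realm));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->pname, strlen(creds->pname));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->pinst, strlen(creds->pinst));
- buffer_put_char(&b, '\0');
-
- /* Null string to repeat the realm. */
- buffer_put_char(&b, '\0');
-
- buffer_put_int(&b, creds->issue_date);
- buffer_put_int(&b, krb_life_to_time(creds->issue_date,
- creds->lifetime));
- buffer_append(&b, creds->session, sizeof(creds->session));
- buffer_put_short(&b, creds->kvno);
-
- /* 32 bit size + data */
- buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-
- ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-
- buffer_free(&b);
- return ret;
-}
-
-#define GETSTRING(b, t, tlen) \
- do { \
- int i, found = 0; \
- for (i = 0; i < tlen; i++) { \
- if (buffer_len(b) == 0) \
- goto done; \
- t[i] = buffer_get_char(b); \
- if (t[i] == '\0') { \
- found = 1; \
- break; \
- } \
- } \
- if (!found) \
- goto done; \
- } while(0)
-
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
- Buffer b;
- u_char *space;
- char c, version, *p;
- u_int endTime, len;
- int blen, ret;
-
- ret = 0;
- blen = strlen(buf);
-
- /* sanity check for size */
- if (blen > 8192)
- return 0;
-
- buffer_init(&b);
- space = buffer_append_space(&b, blen);
-
- /* check version and length! */
- len = uudecode(buf, space, blen);
- if (len < 1)
- goto done;
-
- version = buffer_get_char(&b);
-
- GETSTRING(&b, creds->service, sizeof creds->service);
- GETSTRING(&b, creds->instance, sizeof creds->instance);
- GETSTRING(&b, creds->realm, sizeof creds->realm);
- GETSTRING(&b, creds->pname, sizeof creds->pname);
- GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-
- if (buffer_len(&b) == 0)
- goto done;
-
- /* Ignore possibly different realm. */
- while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
- ;
-
- if (buffer_len(&b) == 0)
- goto done;
-
- creds->issue_date = buffer_get_int(&b);
-
- endTime = buffer_get_int(&b);
- creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-
- len = buffer_len(&b);
- if (len < sizeof(creds->session))
- goto done;
- memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
- buffer_consume(&b, sizeof(creds->session));
-
- creds->kvno = buffer_get_short(&b);
-
- p = buffer_get_string(&b, &len);
- if (len < 0 || len > sizeof(creds->ticket_st.dat))
- goto done;
- memcpy(&creds->ticket_st.dat, p, len);
- creds->ticket_st.length = len;
-
- ret = 1;
-done:
- buffer_free(&b);
- return ret;
-}
-#endif /* AFS */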
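diff --git a/radix.h b/radix.h
deleted file mode 100644
index e94e4acc6..000000000
--- a/radix.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
-
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int radix_to_creds(const char *, CREDENTIALS *);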
diff --git a/readconf.c b/readconf.c
index 3c08f7638..332500e7c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $"); 15RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
16 16
17#include "ssh.h" 17#include "ssh.h"
18#include "xmalloc.h" 18#include "xmalloc.h"
@@ -94,7 +94,7 @@ typedef enum {
94 oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, 94 oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
95 oPasswordAuthentication, oRSAAuthentication, 95 oPasswordAuthentication, oRSAAuthentication,
96 oChallengeResponseAuthentication, oXAuthLocation, 96 oChallengeResponseAuthentication, oXAuthLocation,
97 oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing, 97 oKerberosAuthentication, oKerberosTgtPassing,
98 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, 98 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
99 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, 99 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
100 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, 100 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@@ -134,18 +134,14 @@ static struct {
134 { "challengeresponseauthentication", oChallengeResponseAuthentication }, 134 { "challengeresponseauthentication", oChallengeResponseAuthentication },
135 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ 135 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
136 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ 136 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
137#if defined(KRB4) || defined(KRB5) 137#ifdef KRB5
138 { "kerberosauthentication", oKerberosAuthentication }, 138 { "kerberosauthentication", oKerberosAuthentication },
139 { "kerberostgtpassing", oKerberosTgtPassing }, 139 { "kerberostgtpassing", oKerberosTgtPassing },
140#else 140#else
141 { "kerberosauthentication", oUnsupported }, 141 { "kerberosauthentication", oUnsupported },
142 { "kerberostgtpassing", oUnsupported }, 142 { "kerberostgtpassing", oUnsupported },
143#endif 143#endif
144#if defined(AFS)
145 { "afstokenpassing", oAFSTokenPassing },
146#else
147 { "afstokenpassing", oUnsupported }, 144 { "afstokenpassing", oUnsupported },
148#endif
149 { "fallbacktorsh", oDeprecated }, 145 { "fallbacktorsh", oDeprecated },
150 { "usersh", oDeprecated }, 146 { "usersh", oDeprecated },
151 { "identityfile", oIdentityFile }, 147 { "identityfile", oIdentityFile },
@@ -399,10 +395,6 @@ parse_flag:
399 intptr = &options->kerberos_tgt_passing; 395 intptr = &options->kerberos_tgt_passing;
400 goto parse_flag; 396 goto parse_flag;
401 397
402 case oAFSTokenPassing:
403 intptr = &options->afs_token_passing;
404 goto parse_flag;
405
406 case oBatchMode: 398 case oBatchMode:
407 intptr = &options->batch_mode; 399 intptr = &options->batch_mode;
408 goto parse_flag; 400 goto parse_flag;
@@ -828,7 +820,6 @@ initialize_options(Options * options)
828 options->challenge_response_authentication = -1; 820 options->challenge_response_authentication = -1;
829 options->kerberos_authentication = -1; 821 options->kerberos_authentication = -1;
830 options->kerberos_tgt_passing = -1; 822 options->kerberos_tgt_passing = -1;
831 options->afs_token_passing = -1;
832 options->password_authentication = -1; 823 options->password_authentication = -1;
833 options->kbd_interactive_authentication = -1; 824 options->kbd_interactive_authentication = -1;
834 options->kbd_interactive_devices = NULL; 825 options->kbd_interactive_devices = NULL;
@@ -905,8 +896,6 @@ fill_default_options(Options * options)
905 options->kerberos_authentication = 1; 896 options->kerberos_authentication = 1;
906 if (options->kerberos_tgt_passing == -1) 897 if (options->kerberos_tgt_passing == -1)
907 options->kerberos_tgt_passing = 1; 898 options->kerberos_tgt_passing = 1;
908 if (options->afs_token_passing == -1)
909 options->afs_token_passing = 1;
910 if (options->password_authentication == -1) 899 if (options->password_authentication == -1)
911 options->password_authentication = 1; 900 options->password_authentication = 1;
912 if (options->kbd_interactive_authentication == -1) 901 if (options->kbd_interactive_authentication == -1)
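Review bot: The keyword table now maps `afstokenpassing` unconditionally to `oUnsupported` (new line 144), but AFS support is being removed from the tree rather than merely left out of this build, so the `oDeprecated` classification already used for `fallbacktorsh` and `usersh` two lines below looks like the more accurate label, assuming the parser reports the two differently (that handling is outside the hunk). Proposed change: `{ "afstokenpassing", oDeprecated },`. The same applies to the `afstokenpassing` entry in servconf.c (new line 309), if servconf.c has an equivalent deprecated classification.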
diff --git a/readconf.h b/readconf.h
index 4e0b74318..cc94253e6 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */ 1/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,7 +43,6 @@ typedef struct {
43 /* Try S/Key or TIS, authentication. */ 43 /* Try S/Key or TIS, authentication. */
44 int kerberos_authentication; /* Try Kerberos authentication. */ 44 int kerberos_authentication; /* Try Kerberos authentication. */
45 int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ 45 int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
46 int afs_token_passing; /* Try AFS token passing. */
47 int password_authentication; /* Try password 46 int password_authentication; /* Try password
48 * authentication. */ 47 * authentication. */
49 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 48 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
index 6df2a255b..c4b2bb284 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,15 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $"); 13RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
14
15#if defined(KRB4)
16#include <krb.h>
17#endif
18
19#ifdef AFS
20#include <kafs.h>
21#endif
22 14
23#include "ssh.h" 15#include "ssh.h"
24#include "log.h" 16#include "log.h"
@@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options)
82 options->kerberos_or_local_passwd = -1; 74 options->kerberos_or_local_passwd = -1;
83 options->kerberos_ticket_cleanup = -1; 75 options->kerberos_ticket_cleanup = -1;
84 options->kerberos_tgt_passing = -1; 76 options->kerberos_tgt_passing = -1;
85 options->afs_token_passing = -1;
86 options->password_authentication = -1; 77 options->password_authentication = -1;
87 options->kbd_interactive_authentication = -1; 78 options->kbd_interactive_authentication = -1;
88 options->challenge_response_authentication = -1; 79 options->challenge_response_authentication = -1;
@@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options)
194 options->kerberos_ticket_cleanup = 1; 185 options->kerberos_ticket_cleanup = 1;
195 if (options->kerberos_tgt_passing == -1) 186 if (options->kerberos_tgt_passing == -1)
196 options->kerberos_tgt_passing = 0; 187 options->kerberos_tgt_passing = 0;
197 if (options->afs_token_passing == -1)
198 options->afs_token_passing = 0;
199 if (options->password_authentication == -1) 188 if (options->password_authentication == -1)
200 options->password_authentication = 1; 189 options->password_authentication = 1;
201 if (options->kbd_interactive_authentication == -1) 190 if (options->kbd_interactive_authentication == -1)
@@ -261,7 +250,7 @@ typedef enum {
261 sPermitRootLogin, sLogFacility, sLogLevel, 250 sPermitRootLogin, sLogFacility, sLogLevel,
262 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, 251 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
263 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 252 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
264 sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication, 253 sKerberosTgtPassing, sChallengeResponseAuthentication,
265 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 254 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
266 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 255 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
267 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 256 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -306,7 +295,7 @@ static struct {
306 { "rsaauthentication", sRSAAuthentication }, 295 { "rsaauthentication", sRSAAuthentication },
307 { "pubkeyauthentication", sPubkeyAuthentication }, 296 { "pubkeyauthentication", sPubkeyAuthentication },
308 { "dsaauthentication", sPubkeyAuthentication }, /* alias */ 297 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
309#if defined(KRB4) || defined(KRB5) 298#ifdef KRB5
310 { "kerberosauthentication", sKerberosAuthentication }, 299 { "kerberosauthentication", sKerberosAuthentication },
311 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 300 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
312 { "kerberosticketcleanup", sKerberosTicketCleanup }, 301 { "kerberosticketcleanup", sKerberosTicketCleanup },
@@ -317,11 +306,7 @@ static struct {
317 { "kerberosticketcleanup", sUnsupported }, 306 { "kerberosticketcleanup", sUnsupported },
318 { "kerberostgtpassing", sUnsupported }, 307 { "kerberostgtpassing", sUnsupported },
319#endif 308#endif
320#if defined(AFS)
321 { "afstokenpassing", sAFSTokenPassing },
322#else
323 { "afstokenpassing", sUnsupported }, 309 { "afstokenpassing", sUnsupported },
324#endif
325 { "passwordauthentication", sPasswordAuthentication }, 310 { "passwordauthentication", sPasswordAuthentication },
326 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, 311 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
327 { "challengeresponseauthentication", sChallengeResponseAuthentication }, 312 { "challengeresponseauthentication", sChallengeResponseAuthentication },
@@ -644,10 +629,6 @@ parse_flag:
644 intptr = &options->kerberos_tgt_passing; 629 intptr = &options->kerberos_tgt_passing;
645 goto parse_flag; 630 goto parse_flag;
646 631
647 case sAFSTokenPassing:
648 intptr = &options->afs_token_passing;
649 goto parse_flag;
650
651 case sPasswordAuthentication: 632 case sPasswordAuthentication:
652 intptr = &options->password_authentication; 633 intptr = &options->password_authentication;
653 goto parse_flag; 634 goto parse_flag;
diff --git a/servconf.h b/servconf.h
index b676f2b67..65ad2071a 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */ 1/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -84,7 +84,6 @@ typedef struct {
84 * file on logout. */ 84 * file on logout. */
85 int kerberos_tgt_passing; /* If true, permit Kerberos TGT 85 int kerberos_tgt_passing; /* If true, permit Kerberos TGT
86 * passing. */ 86 * passing. */
87 int afs_token_passing; /* If true, permit AFS token passing. */
88 int password_authentication; /* If true, permit password 87 int password_authentication; /* If true, permit password
89 * authentication. */ 88 * authentication. */
90 int kbd_interactive_authentication; /* If true, permit */ 89 int kbd_interactive_authentication; /* If true, permit */
diff --git a/session.c b/session.c
index 4b443831b..7a064ad50 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
33 */ 33 */
34 34
35#include "includes.h" 35#include "includes.h"
36RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $"); 36RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
37 37
38#include "ssh.h" 38#include "ssh.h"
39#include "ssh1.h" 39#include "ssh1.h"
@@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt)
222 /* remove agent socket */ 222 /* remove agent socket */
223 if (auth_sock_name != NULL) 223 if (auth_sock_name != NULL)
224 auth_sock_cleanup_proc(authctxt->pw); 224 auth_sock_cleanup_proc(authctxt->pw);
225#ifdef KRB4
226 if (options.kerberos_ticket_cleanup)
227 krb4_cleanup_proc(authctxt);
228#endif
229#ifdef KRB5 225#ifdef KRB5
230 if (options.kerberos_ticket_cleanup) 226 if (options.kerberos_ticket_cleanup)
231 krb5_cleanup_proc(authctxt); 227 krb5_cleanup_proc(authctxt);
@@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt)
338 success = 1; 334 success = 1;
339 break; 335 break;
340 336
341#if defined(AFS) || defined(KRB5) 337#ifdef KRB5
342 case SSH_CMSG_HAVE_KERBEROS_TGT: 338 case SSH_CMSG_HAVE_KERBEROS_TGT:
343 if (!options.kerberos_tgt_passing) { 339 if (!options.kerberos_tgt_passing) {
344 verbose("Kerberos TGT passing disabled."); 340 verbose("Kerberos TGT passing disabled.");
@@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt)
346 char *kdata = packet_get_string(&dlen); 342 char *kdata = packet_get_string(&dlen);
347 packet_check_eom(); 343 packet_check_eom();
348 344
349 /* XXX - 0x41, see creds_to_radix version */ 345 /* XXX - 0x41, used for AFS */
350 if (kdata[0] != 0x41) { 346 if (kdata[0] != 0x41) {
351#ifdef KRB5
352 krb5_data tgt; 347 krb5_data tgt;
353 tgt.data = kdata; 348 tgt.data = kdata;
354 tgt.length = dlen; 349 tgt.length = dlen;
@@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt)
357 success = 1; 352 success = 1;
358 else 353 else
359 verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); 354 verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
360#endif /* KRB5 */
361 } else {
362#ifdef AFS
363 if (auth_krb4_tgt(s->authctxt, kdata))
364 success = 1;
365 else
366 verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
367#endif /* AFS */
368 } 355 }
369 xfree(kdata); 356 xfree(kdata);
370 } 357 }
371 break; 358 break;
372#endif /* AFS || KRB5 */ 359#endif
373
374#ifdef AFS
375 case SSH_CMSG_HAVE_AFS_TOKEN:
376 if (!options.afs_token_passing || !k_hasafs()) {
377 verbose("AFS token passing disabled.");
378 } else {
379 /* Accept AFS token. */
380 char *token = packet_get_string(&dlen);
381 packet_check_eom();
382
383 if (auth_afs_token(s->authctxt, token))
384 success = 1;
385 else
386 verbose("AFS token refused for %.100s",
387 s->authctxt->user);
388 xfree(token);
389 }
390 break;
391#endif /* AFS */
392 360
393 case SSH_CMSG_EXEC_SHELL: 361 case SSH_CMSG_EXEC_SHELL:
394 case SSH_CMSG_EXEC_CMD: 362 case SSH_CMSG_EXEC_CMD:
@@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell)
1066 read_environment_file(&env, &envsize, "/etc/environment"); 1034 read_environment_file(&env, &envsize, "/etc/environment");
1067 } 1035 }
1068#endif 1036#endif
1069#ifdef KRB4
1070 if (s->authctxt->krb4_ticket_file)
1071 child_set_env(&env, &envsize, "KRBTKFILE",
1072 s->authctxt->krb4_ticket_file);
1073#endif
1074#ifdef KRB5 1037#ifdef KRB5
1075 if (s->authctxt->krb5_ticket_file) 1038 if (s->authctxt->krb5_ticket_file)
1076 child_set_env(&env, &envsize, "KRB5CCNAME", 1039 child_set_env(&env, &envsize, "KRB5CCNAME",
@@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command)
1396 */ 1359 */
1397 environ = env; 1360 environ = env;
1398 1361
1399#ifdef AFS
1400 /* Try to get AFS tokens for the local cell. */
1401 if (k_hasafs()) {
1402 char cell[64];
1403
1404 if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
1405 krb_afslog(cell, 0);
1406
1407 krb_afslog(0, 0);
1408 }
1409#endif /* AFS */
1410
1411 /* Change current directory to the user\'s home directory. */ 1362 /* Change current directory to the user\'s home directory. */
1412 if (chdir(pw->pw_dir) < 0) { 1363 if (chdir(pw->pw_dir) < 0) {
1413 fprintf(stderr, "Could not chdir to home directory %s: %s\n", 1364 fprintf(stderr, "Could not chdir to home directory %s: %s\n",
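Review bot: In the SSH_CMSG_HAVE_KERBEROS_TGT handler (new lines 346–357) dropping the AFS branch leaves a TGT whose first byte is 0x41 with no response at all: `success` stays 0 and, unlike the v5 path one line above, nothing is logged, so a client that still sends a v4/AFS-encoded TGT gets a silent failure that is hard to diagnose from the server log. Suggest restoring an `else` with a log line, e.g. `} else` followed by `verbose("Kerberos v4 TGT passing not supported for %.100s", s->authctxt->user);`. The comment on new line 345 could also say why 0x41 is special, e.g. `/* 0x41 ('A') is the first byte of the old radix-encoded v4/AFS TGT; no longer accepted */`. do_authenticated1 starts and ends outside the hunk.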
diff --git a/ssh.1 b/ssh.1
index 8a7d2f428..c81cb42c6 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $ 37.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -494,7 +494,7 @@ The argument is the device
494should use to communicate with a smartcard used for storing the user's 494should use to communicate with a smartcard used for storing the user's
495private RSA key. 495private RSA key.
496.It Fl k 496.It Fl k
497Disables forwarding of Kerberos tickets and AFS tokens. 497Disables forwarding of Kerberos tickets.
498This may also be specified on a per-host basis in the configuration file. 498This may also be specified on a per-host basis in the configuration file.
499.It Fl l Ar login_name 499.It Fl l Ar login_name
500Specifies the user to log in as on the remote machine. 500Specifies the user to log in as on the remote machine.
diff --git a/ssh.c b/ssh.c
index 2bcd5871e..82b40193d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
40 */ 40 */
41 41
42#include "includes.h" 42#include "includes.h"
43RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $"); 43RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
44 44
45#include <openssl/evp.h> 45#include <openssl/evp.h>
46#include <openssl/err.h> 46#include <openssl/err.h>
@@ -154,9 +154,7 @@ usage(void)
154 _PATH_SSH_USER_CONFFILE); 154 _PATH_SSH_USER_CONFFILE);
155 fprintf(stderr, " -A Enable authentication agent forwarding.\n"); 155 fprintf(stderr, " -A Enable authentication agent forwarding.\n");
156 fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); 156 fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
157#ifdef AFS 157 fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n");
158 fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
159#endif /* AFS */
160 fprintf(stderr, " -X Enable X11 connection forwarding.\n"); 158 fprintf(stderr, " -X Enable X11 connection forwarding.\n");
161 fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); 159 fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
162 fprintf(stderr, " -i file Identity for public key authentication " 160 fprintf(stderr, " -i file Identity for public key authentication "
@@ -306,12 +304,9 @@ again:
306 case 'A': 304 case 'A':
307 options.forward_agent = 1; 305 options.forward_agent = 1;
308 break; 306 break;
309#ifdef AFS
310 case 'k': 307 case 'k':
311 options.kerberos_tgt_passing = 0; 308 options.kerberos_tgt_passing = 0;
312 options.afs_token_passing = 0;
313 break; 309 break;
314#endif
315 case 'i': 310 case 'i':
316 if (stat(optarg, &st) < 0) { 311 if (stat(optarg, &st) < 0) {
317 fprintf(stderr, "Warning: Identity file %s " 312 fprintf(stderr, "Warning: Identity file %s "
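Review bot: The `case 'k':` handler (new lines 307–309) and its usage line (new line 157) are now compiled unconditionally, which only works if the letter `k` is also present unconditionally in the getopt(3) option string; that string is outside the hunk, so please confirm it is not itself guarded by `#ifdef AFS`, otherwise `-k` would be rejected before this case is reached. In builds without KRB5, `-k` now clears `kerberos_tgt_passing` while the matching config keyword is reported as unsupported (readconf.c, new line 141); that asymmetry is harmless, but the usage text could say so, e.g. `" -k Disable Kerberos ticket forwarding.\n"` extended with `(no effect without Kerberos support)`.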
diff --git a/ssh.h b/ssh.h
index 25a9213f3..607621769 100644
--- a/ssh.h
+++ b/ssh.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */ 1/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -88,9 +88,6 @@
88 */ 88 */
89#define SSH_SESSION_KEY_LENGTH 32 89#define SSH_SESSION_KEY_LENGTH 32
90 90
91/* Name of Kerberos service for SSH to use. */
92#define KRB4_SERVICE_NAME "rcmd"
93
94/* Used to identify ``EscapeChar none'' */ 91/* Used to identify ``EscapeChar none'' */
95#define SSH_ESCAPECHAR_NONE -2 92#define SSH_ESCAPECHAR_NONE -2
96 93
diff --git a/ssh_config.5 b/ssh_config.5
index 79d05f018..3a79af8f0 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
@@ -123,13 +123,6 @@ Valid arguments are
123(Use IPv4 only) or 123(Use IPv4 only) or
124.Dq inet6 124.Dq inet6
125(Use IPv6 only.) 125(Use IPv6 only.)
126.It Cm AFSTokenPassing
127Specifies whether to pass AFS tokens to remote host.
128The argument to this keyword must be
129.Dq yes
130or
131.Dq no .
132This option applies to protocol version 1 only.
133.It Cm BatchMode 126.It Cm BatchMode
134If set to 127If set to
135.Dq yes , 128.Dq yes ,
@@ -410,7 +403,6 @@ or
410.Dq no . 403.Dq no .
411.It Cm KerberosTgtPassing 404.It Cm KerberosTgtPassing
412Specifies whether a Kerberos TGT will be forwarded to the server. 405Specifies whether a Kerberos TGT will be forwarded to the server.
413This will only work if the Kerberos server is actually an AFS kaserver.
414The argument to this keyword must be 406The argument to this keyword must be
415.Dq yes 407.Dq yes
416or 408or
diff --git a/sshconnect1.c b/sshconnect1.c
index 2a822a98f..8851c35f6 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,24 +13,17 @@
13 */ 13 */
14 14
15#include "includes.h" 15#include "includes.h"
16RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $"); 16RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
17 17
18#include <openssl/bn.h> 18#include <openssl/bn.h>
19#include <openssl/md5.h> 19#include <openssl/md5.h>
20 20
21#ifdef KRB4
22#include <krb.h>
23#endif
24#ifdef KRB5 21#ifdef KRB5
25#include <krb5.h> 22#include <krb5.h>
26#ifndef HEIMDAL 23#ifndef HEIMDAL
27#define krb5_get_err_text(context,code) error_message(code) 24#define krb5_get_err_text(context,code) error_message(code)
28#endif /* !HEIMDAL */ 25#endif /* !HEIMDAL */
29#endif 26#endif
30#ifdef AFS
31#include <kafs.h>
32#include "radix.h"
33#endif
34 27
35#include "ssh.h" 28#include "ssh.h"
36#include "ssh1.h" 29#include "ssh1.h"
@@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
380 return 0; 373 return 0;
381} 374}
382 375
383#ifdef KRB4
384static int
385try_krb4_authentication(void)
386{
387 KTEXT_ST auth; /* Kerberos data */
388 char *reply;
389 char inst[INST_SZ];
390 char *realm;
391 CREDENTIALS cred;
392 int r, type;
393 socklen_t slen;
394 Key_schedule schedule;
395 u_long checksum, cksum;
396 MSG_DAT msg_data;
397 struct sockaddr_in local, foreign;
398 struct stat st;
399
400 /* Don't do anything if we don't have any tickets. */
401 if (stat(tkt_string(), &st) < 0)
402 return 0;
403
404 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
405 INST_SZ);
406
407 realm = (char *)krb_realmofhost(get_canonical_hostname(1));
408 if (!realm) {
409 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
410 return 0;
411 }
412 /* This can really be anything. */
413 checksum = (u_long)getpid();
414
415 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
416 if (r != KSUCCESS) {
417 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
418 return 0;
419 }
420 /* Get session key to decrypt the server's reply with. */
421 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
422 if (r != KSUCCESS) {
423 debug("get_cred failed: %s", krb_err_txt[r]);
424 return 0;
425 }
426 des_key_sched((des_cblock *) cred.session, schedule);
427
428 /* Send authentication info to server. */
429 packet_start(SSH_CMSG_AUTH_KERBEROS);
430 packet_put_string((char *) auth.dat, auth.length);
431 packet_send();
432 packet_write_wait();
433
434 /* Zero the buffer. */
435 (void) memset(auth.dat, 0, MAX_KTXT_LEN);
436
437 slen = sizeof(local);
438 memset(&local, 0, sizeof(local));
439 if (getsockname(packet_get_connection_in(),
440 (struct sockaddr *)&local, &slen) < 0)
441 debug("getsockname failed: %s", strerror(errno));
442
443 slen = sizeof(foreign);
444 memset(&foreign, 0, sizeof(foreign));
445 if (getpeername(packet_get_connection_in(),
446 (struct sockaddr *)&foreign, &slen) < 0) {
447 debug("getpeername failed: %s", strerror(errno));
448 fatal_cleanup();
449 }
450 /* Get server reply. */
451 type = packet_read();
452 switch (type) {
453 case SSH_SMSG_FAILURE:
454 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
455 debug("Kerberos v4 authentication failed.");
456 return 0;
457 break;
458
459 case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
460 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
461 debug("Kerberos v4 authentication accepted.");
462
463 /* Get server's response. */
464 reply = packet_get_string((u_int *) &auth.length);
465 if (auth.length >= MAX_KTXT_LEN)
466 fatal("Kerberos v4: Malformed response from server");
467 memcpy(auth.dat, reply, auth.length);
468 xfree(reply);
469
470 packet_check_eom();
471
472 /*
473 * If his response isn't properly encrypted with the session
474 * key, and the decrypted checksum fails to match, he's
475 * bogus. Bail out.
476 */
477 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
478 &foreign, &local, &msg_data);
479 if (r != KSUCCESS) {
480 debug("Kerberos v4 krb_rd_priv failed: %s",
481 krb_err_txt[r]);
482 packet_disconnect("Kerberos v4 challenge failed!");
483 }
484 /* Fetch the (incremented) checksum that we supplied in the request. */
485 memcpy((char *)&cksum, (char *)msg_data.app_data,
486 sizeof(cksum));
487 cksum = ntohl(cksum);
488
489 /* If it matches, we're golden. */
490 if (cksum == checksum + 1) {
491 debug("Kerberos v4 challenge successful.");
492 return 1;
493 } else
494 packet_disconnect("Kerberos v4 challenge failed!");
495 break;
496
497 default:
498 packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
499 }
500 return 0;
501}
502
503#endif /* KRB4 */
504
505#ifdef KRB5 376#ifdef KRB5
506static int 377static int
507try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) 378try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
729} 600}
730#endif /* KRB5 */ 601#endif /* KRB5 */
731 602
732#ifdef AFS
733static void
734send_krb4_tgt(void)
735{
736 CREDENTIALS *creds;
737 struct stat st;
738 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
739 int problem, type;
740
741 /* Don't do anything if we don't have any tickets. */
742 if (stat(tkt_string(), &st) < 0)
743 return;
744
745 creds = xmalloc(sizeof(*creds));
746
747 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
748 if (problem)
749 goto out;
750
751 problem = krb_get_cred("krbtgt", prealm, prealm, creds);
752 if (problem)
753 goto out;
754
755 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
756 problem = RD_AP_EXP;
757 goto out;
758 }
759 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
760
761 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
762 packet_put_cstring(buffer);
763 packet_send();
764 packet_write_wait();
765
766 type = packet_read();
767
768 if (type == SSH_SMSG_SUCCESS)
769 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
770 creds->pname, creds->pinst[0] ? "." : "",
771 creds->pinst, creds->realm);
772 else
773 debug("Kerberos v4 TGT rejected.");
774
775 xfree(creds);
776 return;
777
778 out:
779 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
780 xfree(creds);
781}
782
783static void
784send_afs_tokens(void)
785{
786 CREDENTIALS creds;
787 struct ViceIoctl parms;
788 struct ClearToken ct;
789 int i, type, len;
790 char buf[2048], *p, *server_cell;
791 char buffer[8192];
792
793 /* Move over ktc_GetToken, here's something leaner. */
794 for (i = 0; i < 100; i++) { /* just in case */
795 parms.in = (char *) &i;
796 parms.in_size = sizeof(i);
797 parms.out = buf;
798 parms.out_size = sizeof(buf);
799 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
800 break;
801 p = buf;
802
803 /* Get secret token. */
804 memcpy(&creds.ticket_st.length, p, sizeof(u_int));
805 if (creds.ticket_st.length > MAX_KTXT_LEN)
806 break;
807 p += sizeof(u_int);
808 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
809 p += creds.ticket_st.length;
810
811 /* Get clear token. */
812 memcpy(&len, p, sizeof(len));
813 if (len != sizeof(struct ClearToken))
814 break;
815 p += sizeof(len);
816 memcpy(&ct, p, len);
817 p += len;
818 p += sizeof(len); /* primary flag */
819 server_cell = p;
820
821 /* Flesh out our credentials. */
822 strlcpy(creds.service, "afs", sizeof(creds.service));
823 creds.instance[0] = '\0';
824 strlcpy(creds.realm, server_cell, REALM_SZ);
825 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
826 creds.issue_date = ct.BeginTimestamp;
827 creds.lifetime = krb_time_to_life(creds.issue_date,
828 ct.EndTimestamp);
829 creds.kvno = ct.AuthHandle;
830 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
831 creds.pinst[0] = '\0';
832
833 /* Encode token, ship it off. */
834 if (creds_to_radix(&creds, (u_char *)buffer,
835 sizeof(buffer)) <= 0)
836 break;
837 packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
838 packet_put_cstring(buffer);
839 packet_send();
840 packet_write_wait();
841
842 /* Roger, Roger. Clearance, Clarence. What's your vector,
843 Victor? */
844 type = packet_read();
845
846 if (type == SSH_SMSG_FAILURE)
847 debug("AFS token for cell %s rejected.", server_cell);
848 else if (type != SSH_SMSG_SUCCESS)
849 packet_disconnect("Protocol error on AFS token response: %d", type);
850 }
851}
852
853#endif /* AFS */
854
855/* 603/*
856 * Tries to authenticate with any string-based challenge/response system. 604 * Tries to authenticate with any string-based challenge/response system.
857 * Note that the client code is not tied to s/key or TIS. 605 * Note that the client code is not tied to s/key or TIS.
@@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1183 } 931 }
1184#endif /* KRB5 */ 932#endif /* KRB5 */
1185 933
1186#ifdef KRB4
1187 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1188 options.kerberos_authentication) {
1189 debug("Trying Kerberos v4 authentication.");
1190
1191 if (try_krb4_authentication()) {
1192 type = packet_read();
1193 if (type == SSH_SMSG_SUCCESS)
1194 goto success;
1195 if (type != SSH_SMSG_FAILURE)
1196 packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
1197 }
1198 }
1199#endif /* KRB4 */
1200
1201 /* 934 /*
1202 * Use rhosts authentication if running in privileged socket and we 935 * Use rhosts authentication if running in privileged socket and we
1203 * do not wish to remain anonymous. 936 * do not wish to remain anonymous.
@@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
1284 if (context) 1017 if (context)
1285 krb5_free_context(context); 1018 krb5_free_context(context);
1286#endif 1019#endif
1287
1288#ifdef AFS
1289 /* Try Kerberos v4 TGT passing if the server supports it. */
1290 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
1291 options.kerberos_tgt_passing) {
1292 if (options.cipher == SSH_CIPHER_NONE)
1293 logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
1294 send_krb4_tgt();
1295 }
1296 /* Try AFS token passing if the server supports it. */
1297 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
1298 options.afs_token_passing && k_hasafs()) {
1299 if (options.cipher == SSH_CIPHER_NONE)
1300 logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
1301 send_afs_tokens();
1302 }
1303#endif /* AFS */
1304
1305 return; /* need statement after label */ 1020 return; /* need statement after label */
1306} 1021}
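--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1476,20 +1476,13 @@ main(int ac, char **av)
  "originating port %d not trusted.", remote_port);
  options.rhosts_authentication = 0;
  }
-#if defined(KRB4) && !defined(KRB5)
+#ifdef KRB5
  if (!packet_connection_is_ipv4() &&
  options.kerberos_authentication) {
  debug("Kerberos Authentication disabled, only available for IPv4.");
  options.kerberos_authentication = 0;
  }
-#endif /* KRB4 && !KRB5 */
+#endif
-#ifdef AFS
- /* If machine has AFS, set process authentication group. */
- if (k_hasafs()) {
- k_setpag();
- k_unlog();
- }
-#endif /* AFS */
 
  packet_set_nonblocking();
 
@@ -1656,18 +1649,12 @@ do_ssh1_kex(void)
  auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
  if (options.rsa_authentication)
  auth_mask |= 1 << SSH_AUTH_RSA;
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
  if (options.kerberos_authentication)
  auth_mask |= 1 << SSH_AUTH_KERBEROS;
-#endif
-#if defined(AFS) || defined(KRB5)
  if (options.kerberos_tgt_passing)
  auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
 #endif
-#ifdef AFS
- if (options.afs_token_passing)
- auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
-#endif
  if (options.challenge_response_authentication == 1)
  auth_mask |= 1 << SSH_AUTH_TIS;
  if (options.password_authentication)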
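Review bot: The IPv4-only guard at old line 1479 is re-scoped rather than removed: `#if defined(KRB4) && !defined(KRB5)` kept this block out of every KRB5 build, whereas the new `#ifdef KRB5` compiles it in, so after this commit a KRB5-only sshd clears `options.kerberos_authentication` on every non-IPv4 connection and logs "Kerberos Authentication disabled, only available for IPv4." The old guard's explicit exclusion of KRB5 suggests the restriction was a Kerberos 4 limitation, in which case the whole block from `#ifdef KRB5` through `#endif` should be deleted with the rest of the KRB4 code; if Kerberos 5 genuinely needs it, the commit message should say so, since it silently disables an authentication method for IPv6 clients. The enclosing main() begins and ends outside the hunk.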
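--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -61,10 +61,6 @@ The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
 .Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -327,8 +323,7 @@ Default is
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
 Default is
-.Dq no ,
+.Dq no .
-as this only works when the Kerberos KDC is actually an AFS kaserver.
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.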