-rw-r--r--ChangeLog8
-rw-r--r--auth-krb5.c194
-rw-r--r--auth.h3
-rw-r--r--auth1.c57
-rw-r--r--monitor.c50
-rw-r--r--monitor.h3
-rw-r--r--monitor_wrap.c37
-rw-r--r--monitor_wrap.h9
-rw-r--r--readconf.c7
-rw-r--r--servconf.c5
-rw-r--r--session.c26
-rw-r--r--ssh_config.514
-rw-r--r--sshconnect1.c265
-rw-r--r--sshd.c16
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.512
16 files changed, 25 insertions, 684 deletions
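diff --git a/ChangeLog b/ChangeLog
index 91e727198..b6cc55337 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
  - deraadt@cvs.openbsd.org 2003/08/24 17:36:51
    [auth2-gss.c]
    64 bit cleanups; markus ok
+ - markus@cvs.openbsd.org 2003/08/28 12:54:34
+   [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
+   [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
+   [sshconnect1.c sshd.c sshd_config sshd_config.5]
+   remove kerberos support from ssh1, since it has been replaced with GSSAPI;
+   but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
 
 20030829
  - (bal) openbsd-compat/ clean up. Considate headers, add in Id on our
@@ -918,4 +924,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2920 2003/09/02 12:14:07 djm Exp $
+$Id: ChangeLog,v 1.2921 2003/09/02 12:51:17 djm Exp $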
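diff --git a/auth-krb5.c b/auth-krb5.c
index b9eeb5ba6..0aa5195b8 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -65,193 +65,6 @@ krb5_init(void *context)
 	return (0);
 }
 
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
-	krb5_error_code problem;
-	krb5_principal server;
-	krb5_ticket *ticket;
-	int fd, ret;
-
-	ret = 0;
-	server = NULL;
-	ticket = NULL;
-	reply->length = 0;
-
-	problem = krb5_init(authctxt);
-	if (problem)
-		goto err;
-
-	problem = krb5_auth_con_init(authctxt->krb5_ctx,
-	    &authctxt->krb5_auth_ctx);
-	if (problem)
-		goto err;
-
-	fd = packet_get_connection_in();
-#ifdef HEIMDAL
-	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
-	    authctxt->krb5_auth_ctx, &fd);
-#else
-	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
-	    authctxt->krb5_auth_ctx,fd,
-	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-	if (problem)
-		goto err;
-
-	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-	    KRB5_NT_SRV_HST, &server);
-	if (problem)
-		goto err;
-
-	problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
-	    auth, server, NULL, NULL, &ticket);
-	if (problem)
-		goto err;
-
-#ifdef HEIMDAL
-	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
-	    &authctxt->krb5_user);
-#else
-	problem = krb5_copy_principal(authctxt->krb5_ctx,
-	    ticket->enc_part2->client,
-	    &authctxt->krb5_user);
-#endif
-	if (problem)
-		goto err;
-
-	/* if client wants mutual auth */
-	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    reply);
-	if (problem)
-		goto err;
-
-	/* Check .k5login authorization now. */
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->pw->pw_name))
-		goto err;
-
-	if (client)
-		krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-		    client);
-
-	ret = 1;
- err:
-	if (server)
-		krb5_free_principal(authctxt->krb5_ctx, server);
-	if (ticket)
-		krb5_free_ticket(authctxt->krb5_ctx, ticket);
-	if (!ret && reply->length) {
-		xfree(reply->data);
-		memset(reply, 0, sizeof(*reply));
-	}
-
-	if (problem) {
-		if (authctxt->krb5_ctx != NULL)
-			debug("Kerberos v5 authentication failed: %s",
-			    krb5_get_err_text(authctxt->krb5_ctx, problem));
-		else
-			debug("Kerberos v5 authentication failed: %d",
-			    problem);
-	}
-
-	return (ret);
-}
-
-int
-auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
-{
-	krb5_error_code problem;
-	krb5_ccache ccache = NULL;
-	char *pname;
-	krb5_creds **creds;
-
-	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
-		return (0);
-
-	temporarily_use_uid(authctxt->pw);
-
-#ifdef HEIMDAL
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
-#else
-{
-	char ccname[40];
-	int tmpfd;
-
-	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-
-	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-		logit("mkstemp(): %.100s", strerror(errno));
-		problem = errno;
-		goto fail;
-	}
-	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-		logit("fchmod(): %.100s", strerror(errno));
-		close(tmpfd);
-		problem = errno;
-		goto fail;
-	}
-	close(tmpfd);
-	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
-}
-#endif
-	if (problem)
-		goto fail;
-
-	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-	    authctxt->krb5_user);
-	if (problem)
-		goto fail;
-
-#ifdef HEIMDAL
-	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    ccache, tgt);
-	if (problem)
-		goto fail;
-#else
-	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    tgt, &creds, NULL);
-	if (problem)
-		goto fail;
-	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
-	if (problem)
-		goto fail;
-#endif
-
-	authctxt->krb5_fwd_ccache = ccache;
-	ccache = NULL;
-
-	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
-	problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-	    &pname);
-	if (problem)
-		goto fail;
-
-	debug("Kerberos v5 TGT accepted (%s)", pname);
-
-	restore_uid();
-
-	return (1);
-
- fail:
-	if (problem)
-		debug("Kerberos v5 TGT passing failed: %s",
-		    krb5_get_err_text(authctxt->krb5_ctx, problem));
-	if (ccache)
-		krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-
-	restore_uid();
-
-	return (0);
-}
-
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -405,11 +218,6 @@ krb5_cleanup_proc(void *context)
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 		authctxt->krb5_user = NULL;
 	}
-	if (authctxt->krb5_auth_ctx) {
-		krb5_auth_con_free(authctxt->krb5_ctx,
-		    authctxt->krb5_auth_ctx);
-		authctxt->krb5_auth_ctx = NULL;
-	}
 	if (authctxt->krb5_ctx) {
 		krb5_free_context(authctxt->krb5_ctx);
 		authctxt->krb5_ctx = NULL;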
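diff --git a/auth.h b/auth.h
index 6beff7cc3..358f26b7e 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.44 2003/08/22 10:56:08 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -62,7 +62,6 @@ struct Authctxt {
 #endif
 #ifdef KRB5
 	krb5_context krb5_ctx;
-	krb5_auth_context krb5_auth_ctx;
 	krb5_ccache krb5_fwd_ccache;
 	krb5_principal krb5_user;
 	char *krb5_ticket_file;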
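diff --git a/auth1.c b/auth1.c
index d8b5836ba..5b1922a11 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,10 +49,6 @@ get_authname(int type)
 	case SSH_CMSG_AUTH_TIS:
 	case SSH_CMSG_AUTH_TIS_RESPONSE:
 		return "challenge-response";
-#ifdef KRB5
-	case SSH_CMSG_AUTH_KERBEROS:
-		return "kerberos";
-#endif
 	}
 	snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
 	return buf;
@@ -119,47 +115,6 @@ do_authloop(Authctxt *authctxt)
 
 		/* Process the packet. */
 		switch (type) {
-
-#ifdef KRB5
-		case SSH_CMSG_AUTH_KERBEROS:
-			if (!options.kerberos_authentication) {
-				verbose("Kerberos authentication disabled.");
-			} else {
-				char *kdata = packet_get_string(&dlen);
-				packet_check_eom();
-
-				if (kdata[0] != 4) { /* KRB_PROT_VERSION */
-					krb5_data tkt, reply;
-					tkt.length = dlen;
-					tkt.data = kdata;
-
-					if (PRIVSEP(auth_krb5(authctxt, &tkt,
-					    &client_user, &reply))) {
-						authenticated = 1;
-						snprintf(info, sizeof(info),
-						    " tktuser %.100s",
-						    client_user);
-
-						/* Send response to client */
-						packet_start(
-						    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-						packet_put_string((char *)
-						    reply.data, reply.length);
-						packet_send();
-						packet_write_wait();
-
-						if (reply.length)
-							xfree(reply.data);
-					}
-				}
-				xfree(kdata);
-			}
-			break;
-		case SSH_CMSG_HAVE_KERBEROS_TGT:
-			packet_send_debug("Kerberos TGT passing disabled before authentication.");
-			break;
-#endif
-
 		case SSH_CMSG_AUTH_RHOSTS_RSA:
 			if (!options.rhosts_rsa_authentication) {
 				verbose("Rhosts with RSA authentication disabled.");
@@ -337,16 +292,6 @@ do_authentication(void)
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 
-#ifdef KRB5
-	/* XXX - SSH.com Kerberos v5 braindeath. */
-	if ((datafellows & SSH_BUG_K5USER) &&
-	    options.kerberos_authentication) {
-		char *p;
-		if ((p = strchr(user, '@')) != NULL)
-			*p = '\0';
-	}
-#endif
-
 	authctxt = authctxt_new();
 	authctxt->user = user;
 	authctxt->style = style;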
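diff --git a/monitor.c b/monitor.c
index e08181f74..9ea7b93b9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.47 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -130,9 +130,6 @@ int mm_answer_pam_respond(int, Buffer *);
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 
-#ifdef KRB5
-int mm_answer_krb5(int, Buffer *);
-#endif
 #ifdef GSSAPI
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
@@ -192,9 +189,6 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
-#ifdef KRB5
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
 #ifdef GSSAPI
     {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
@@ -237,9 +231,6 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
-#ifdef KRB5
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
     {0, 0, NULL}
 };
 
@@ -1470,45 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
 	return (success);
 }
 
-#ifdef KRB5
-int
-mm_answer_krb5(int socket, Buffer *m)
-{
-	krb5_data tkt, reply;
-	char *client_user;
-	u_int len;
-	int success;
-
-	/* use temporary var to avoid size issues on 64bit arch */
-	tkt.data = buffer_get_string(m, &len);
-	tkt.length = len;
-
-	success = options.kerberos_authentication &&
-	    authctxt->valid &&
-	    auth_krb5(authctxt, &tkt, &client_user, &reply);
-
-	if (tkt.length)
-		xfree(tkt.data);
-
-	buffer_clear(m);
-	buffer_put_int(m, success);
-
-	if (success) {
-		buffer_put_cstring(m, client_user);
-		buffer_put_string(m, reply.data, reply.length);
-		if (client_user)
-			xfree(client_user);
-		if (reply.length)
-			xfree(reply.data);
-	}
-	mm_request_send(socket, MONITOR_ANS_KRB5, m);
-
-	auth_method = "kerberos";
-
-	return success;
-}
-#endif
-
 int
 mm_answer_term(int socket, Buffer *req)
 {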
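diff --git a/monitor.h b/monitor.h
index da33ed613..2461156c7 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */
+/* $OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,7 +49,6 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,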
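diff --git a/monitor_wrap.c b/monitor_wrap.c
index 82649a7cc..4034d569c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -1071,41 +1071,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
 	return (success);
 }
 
-#ifdef KRB5
-int
-mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
-{
-	krb5_data *tkt, *reply;
-	Buffer m;
-	int success;
-
-	debug3("%s entering", __func__);
-	tkt = (krb5_data *) argp;
-	reply = (krb5_data *) resp;
-
-	buffer_init(&m);
-	buffer_put_string(&m, tkt->data, tkt->length);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
-
-	success = buffer_get_int(&m);
-	if (success) {
-		u_int len;
-
-		*userp = buffer_get_string(&m, NULL);
-		reply->data = buffer_get_string(&m, &len);
-		reply->length = len;
-	} else {
-		memset(reply, 0, sizeof(*reply));
-		*userp = NULL;
-	}
-
-	buffer_free(&m);
-	return (success);
-}
-#endif /* KRB5 */
-
 #ifdef GSSAPI
 OM_uint32
 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)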
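diff --git a/monitor_wrap.h b/monitor_wrap.h
index c6251924a..5e0334588 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -96,13 +96,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
-/* auth_krb */
-#ifdef KRB5
-/* auth and reply are really krb5_data objects, but we don't want to
- * include all of the krb5 headers here */
-int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
-#endif
-
 /* zlib allocation hooks */
 
 void *mm_zalloc(struct mm_master *, u_int, u_int);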
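diff --git a/readconf.c b/readconf.c
index 9447cb55f..281b66872 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.119 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -132,13 +132,8 @@ static struct {
 	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
 	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-#ifdef KRB5
-	{ "kerberosauthentication", oKerberosAuthentication },
-	{ "kerberostgtpassing", oKerberosTgtPassing },
-#else
 	{ "kerberosauthentication", oUnsupported },
 	{ "kerberostgtpassing", oUnsupported },
-#endif
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },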
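Review bot: The two keyword lines that survive after the removed `#ifdef KRB5` arm now map `kerberosauthentication` and `kerberostgtpassing` to `oUnsupported` on every build, yet the 7-line diffstat for readconf.c (RCSID bump plus the five deletions here) indicates the `oKerberosAuthentication`/`oKerberosTgtPassing` opcodes and any `case` labels for them in the option parser were left in place; if they are, those cases are now unreachable and the `kerberos_authentication`/`kerberos_tgt_passing` Options fields they fill have no reader left in this diff (sshconnect1.c's uses are deleted by this same commit). A short comment on the two table lines would make the intent explicit to the next maintainer, e.g. `/* ssh1 Kerberos auth and TGT passing were removed; use the GSSAPI options below */`. The keyword table this hunk edits begins and ends outside the hunk.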
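diff --git a/servconf.c b/servconf.c
index e13309388..6051918c2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -304,13 +304,12 @@ static struct {
 	{ "kerberosauthentication", sKerberosAuthentication },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup },
-	{ "kerberostgtpassing", sKerberosTgtPassing },
 #else
 	{ "kerberosauthentication", sUnsupported },
 	{ "kerberosorlocalpasswd", sUnsupported },
 	{ "kerberosticketcleanup", sUnsupported },
-	{ "kerberostgtpassing", sUnsupported },
 #endif
+	{ "kerberostgtpassing", sUnsupported },
 	{ "afstokenpassing", sUnsupported },
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication },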
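Review bot: The added `{ "kerberostgtpassing", sUnsupported },` line after the `#endif` turns the keyword into an unsupported option on every build, but nothing in the table says why it is still listed at all, so a one-line comment would spare the next maintainer a search, e.g. `/* KerberosTgtPassing: ssh1 TGT forwarding was removed (GSSAPI replaces it); kept so old configs still parse */`. The 5-line diffstat for servconf.c (RCSID bump plus the three lines here) suggests the `sKerberosTgtPassing` opcode, its `case` in the option parser, and the `kerberos_tgt_passing` field it sets were not removed; if so they are now dead, since the only consumer visible in this diff (session.c's SSH_CMSG_HAVE_KERBEROS_TGT handler) is deleted by this commit, and a follow-up should drop them. What `sUnsupported` does with a `KerberosTgtPassing yes` line is not visible here; operators relying on credential forwarding should at least see a log line rather than a silent no-op, so it is worth confirming the unsupported-option path warns. The keyword table this hunk edits begins and ends outside the hunk.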
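diff --git a/session.c b/session.c
index 6ba0233e5..351b40c13 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.162 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -332,30 +332,6 @@ do_authenticated1(Authctxt *authctxt)
 			success = 1;
 			break;
 
-#ifdef KRB5
-		case SSH_CMSG_HAVE_KERBEROS_TGT:
-			if (!options.kerberos_tgt_passing) {
-				verbose("Kerberos TGT passing disabled.");
-			} else {
-				char *kdata = packet_get_string(&dlen);
-				packet_check_eom();
-
-				/* XXX - 0x41, used for AFS */
-				if (kdata[0] != 0x41) {
-					krb5_data tgt;
-					tgt.data = kdata;
-					tgt.length = dlen;
-
-					if (auth_krb5_tgt(s->authctxt, &tgt))
-						success = 1;
-					else
-						verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
-				}
-				xfree(kdata);
-			}
-			break;
-#endif
-
 		case SSH_CMSG_EXEC_SHELL:
 		case SSH_CMSG_EXEC_CMD:
 			if (type == SSH_CMSG_EXEC_CMD) {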
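diff --git a/ssh_config.5 b/ssh_config.5
index f99562b96..b20452ce2 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.19 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -407,18 +407,6 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable keepalives, the value should be set to
 .Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.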
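diff --git a/sshconnect1.c b/sshconnect1.c
index 5935e8b77..2f89964ec 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,15 +13,11 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
-#ifdef KRB5
-#include <krb5.h>
-#endif
-
 #include "ssh.h"
 #include "ssh1.h"
 #include "xmalloc.h"
@@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
 	return 0;
 }
 
-#ifdef KRB5
-static int
-try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
-{
-	krb5_error_code problem;
-	const char *tkfile;
-	struct stat buf;
-	krb5_ccache ccache = NULL;
-	const char *remotehost;
-	krb5_data ap;
-	int type;
-	krb5_ap_rep_enc_part *reply = NULL;
-	int ret;
-
-	memset(&ap, 0, sizeof(ap));
-
-	problem = krb5_init_context(context);
-	if (problem) {
-		debug("Kerberos v5: krb5_init_context failed");
-		ret = 0;
-		goto out;
-	}
-
-	problem = krb5_auth_con_init(*context, auth_context);
-	if (problem) {
-		debug("Kerberos v5: krb5_auth_con_init failed");
-		ret = 0;
-		goto out;
-	}
-
-#ifndef HEIMDAL
-	problem = krb5_auth_con_setflags(*context, *auth_context,
-	    KRB5_AUTH_CONTEXT_RET_TIME);
-	if (problem) {
-		debug("Keberos v5: krb5_auth_con_setflags failed");
-		ret = 0;
-		goto out;
-	}
-#endif
-
-	tkfile = krb5_cc_default_name(*context);
-	if (strncmp(tkfile, "FILE:", 5) == 0)
-		tkfile += 5;
-
-	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-		debug("Kerberos v5: could not get default ccache (permission denied).");
-		ret = 0;
-		goto out;
-	}
-
-	problem = krb5_cc_default(*context, &ccache);
-	if (problem) {
-		debug("Kerberos v5: krb5_cc_default failed: %s",
-		    krb5_get_err_text(*context, problem));
-		ret = 0;
-		goto out;
-	}
-
-	remotehost = get_canonical_hostname(1);
-
-	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
-	    "host", remotehost, NULL, ccache, &ap);
-	if (problem) {
-		debug("Kerberos v5: krb5_mk_req failed: %s",
-		    krb5_get_err_text(*context, problem));
-		ret = 0;
-		goto out;
-	}
-
-	packet_start(SSH_CMSG_AUTH_KERBEROS);
-	packet_put_string((char *) ap.data, ap.length);
-	packet_send();
-	packet_write_wait();
-
-	xfree(ap.data);
-	ap.length = 0;
-
-	type = packet_read();
-	switch (type) {
-	case SSH_SMSG_FAILURE:
-		/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-		debug("Kerberos v5 authentication failed.");
-		ret = 0;
-		break;
-
-	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-		/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-		debug("Kerberos v5 authentication accepted.");
-
-		/* Get server's response. */
-		ap.data = packet_get_string((unsigned int *) &ap.length);
-		packet_check_eom();
-		/* XXX je to dobre? */
-
-		problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
-		if (problem) {
-			ret = 0;
-		}
-		ret = 1;
-		break;
-
-	default:
-		packet_disconnect("Protocol error on Kerberos v5 response: %d",
-		    type);
-		ret = 0;
-		break;
-
-	}
-
- out:
-	if (ccache != NULL)
-		krb5_cc_close(*context, ccache);
-	if (reply != NULL)
-		krb5_free_ap_rep_enc_part(*context, reply);
-	if (ap.length > 0)
-#ifdef HEIMDAL
-		krb5_data_free(&ap);
-#else
-		krb5_free_data_contents(*context, &ap);
-#endif
-
-	return (ret);
-}
-
-static void
-send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
-{
-	int fd, type;
-	krb5_error_code problem;
-	krb5_data outbuf;
-	krb5_ccache ccache = NULL;
-	krb5_creds creds;
-#ifdef HEIMDAL
-	krb5_kdc_flags flags;
-#else
-	int forwardable;
-#endif
-	const char *remotehost;
-
-	memset(&creds, 0, sizeof(creds));
-	memset(&outbuf, 0, sizeof(outbuf));
-
-	fd = packet_get_connection_in();
-
-#ifdef HEIMDAL
-	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
-#else
-	problem = krb5_auth_con_genaddrs(context, auth_context, fd,
-	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_default(context, &ccache);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_get_principal(context, ccache, &creds.client);
-	if (problem)
-		goto out;
-
-	remotehost = get_canonical_hostname(1);
-
-#ifdef HEIMDAL
-	problem = krb5_build_principal(context, &creds.server,
-	    strlen(creds.client->realm), creds.client->realm,
-	    "krbtgt", creds.client->realm, NULL);
-#else
-	problem = krb5_build_principal(context, &creds.server,
-	    creds.client->realm.length, creds.client->realm.data,
-	    "host", remotehost, NULL);
-#endif
-	if (problem)
-		goto out;
-
-	creds.times.endtime = 0;
-
-#ifdef HEIMDAL
-	flags.i = 0;
-	flags.b.forwarded = 1;
-	flags.b.forwardable = krb5_config_get_bool(context, NULL,
-	    "libdefaults", "forwardable", NULL);
-	problem = krb5_get_forwarded_creds(context, auth_context,
-	    ccache, flags.i, remotehost, &creds, &outbuf);
-#else
-	forwardable = 1;
-	problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
-	    creds.client, creds.server, ccache, forwardable, &outbuf);
-#endif
-
-	if (problem)
-		goto out;
-
-	packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-	packet_put_string((char *)outbuf.data, outbuf.length);
-	packet_send();
-	packet_write_wait();
-
-	type = packet_read();
-
-	if (type == SSH_SMSG_SUCCESS) {
-		char *pname;
-
-		krb5_unparse_name(context, creds.client, &pname);
-		debug("Kerberos v5 TGT forwarded (%s).", pname);
-		xfree(pname);
-	} else
-		debug("Kerberos v5 TGT forwarding failed.");
-
-	return;
-
- out:
-	if (problem)
-		debug("Kerberos v5 TGT forwarding failed: %s",
-		    krb5_get_err_text(context, problem));
-	if (creds.client)
-		krb5_free_principal(context, creds.client);
-	if (creds.server)
-		krb5_free_principal(context, creds.server);
-	if (ccache)
-		krb5_cc_close(context, ccache);
-	if (outbuf.data)
-		xfree(outbuf.data);
-}
-#endif /* KRB5 */
-
 /*
  * Tries to authenticate with any string-based challenge/response system.
  * Note that the client code is not tied to s/key or TIS.
@@ -885,10 +654,6 @@ void
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
     Sensitive *sensitive)
 {
-#ifdef KRB5
-	krb5_context context = NULL;
-	krb5_auth_context auth_context = NULL;
-#endif
 	int i, type;
 
 	if (supported_authentications == 0)
@@ -913,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	if (type != SSH_SMSG_FAILURE)
 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
 
-#ifdef KRB5
-	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-	    options.kerberos_authentication) {
-		debug("Trying Kerberos v5 authentication.");
-
-		if (try_krb5_authentication(&context, &auth_context)) {
-			type = packet_read();
-			if (type == SSH_SMSG_SUCCESS)
-				goto success;
-			if (type != SSH_SMSG_FAILURE)
-				packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
-		}
-	}
-#endif /* KRB5 */
-
 	/*
 	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
 	 * authentication.
@@ -981,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	/* NOTREACHED */
 
  success:
-#ifdef KRB5
-	/* Try Kerberos v5 TGT passing. */
-	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-	    options.kerberos_tgt_passing && context && auth_context) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-		send_krb5_tgt(context, auth_context);
-	}
-	if (auth_context)
-		krb5_auth_con_free(context, auth_context);
-	if (context)
-		krb5_free_context(context);
-#endif
 	return;	/* need statement after label */
 }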
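diff --git a/sshd.c b/sshd.c
index 8d04f6a74..47df9caf1 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1463,14 +1463,6 @@ main(int ac, char **av)
 
 	sshd_exchange_identification(sock_in, sock_out);
 
-#ifdef KRB5
-	if (!packet_connection_is_ipv4() &&
-	    options.kerberos_authentication) {
-		debug("Kerberos Authentication disabled, only available for IPv4.");
-		options.kerberos_authentication = 0;
-	}
-#endif
-
 	packet_set_nonblocking();
 
 	/* prepare buffers to collect authentication messages */
@@ -1634,12 +1626,6 @@ do_ssh1_kex(void)
 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
 	if (options.rsa_authentication)
 		auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef KRB5
-	if (options.kerberos_authentication)
-		auth_mask |= 1 << SSH_AUTH_KERBEROS;
-	if (options.kerberos_tgt_passing)
-		auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
-#endif
 	if (options.challenge_response_authentication == 1)
 		auth_mask |= 1 << SSH_AUTH_TIS;
 	if (options.password_authentication)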
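Review bot: With the KRB5 bits dropped from auth_mask in do_ssh1_kex, the server no longer advertises SSH_AUTH_KERBEROS or SSH_PASS_KERBEROS_TGT, but nothing in this file stops an ssh1 client from sending SSH_CMSG_AUTH_KERBEROS or SSH_CMSG_HAVE_KERBEROS_TGT regardless of the mask; the auth1.c dispatch (changed elsewhere in this commit, not visible here) has to treat those message types as a protocol failure rather than let them reach any accept path. Since options.kerberos_authentication stays live and now only gates password validation through the KDC, the mask block would read better with that scope stated, e.g. `/* Kerberos ticket/TGT auth is gone from ssh1; KerberosAuthentication now only affects password validation via the KDC */`. Dropping the IPv4-only guard in main() is presumably safe only because the ticket-based path is gone; if the KDC password check has any address-family dependency, that should be confirmed before relying on it over IPv6. Both main() and do_ssh1_kex() extend beyond the hunks shown.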
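diff --git a/sshd_config b/sshd_config
index 294539096..dd53f1057 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $
+# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -61,7 +61,6 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
-#KerberosTgtPassing no
 
 # GSSAPI options
 #GSSAPIAuthentication no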
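diff --git a/sshd_config.5 b/sshd_config.5
index 8857c673d..577605f3e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.24 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -316,11 +316,9 @@ This avoids infinitely hanging sessions.
 To disable keepalives, the value should be set to
 .Dq no .
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
-This can be in the form of a Kerberos ticket, or if
+Specifies whether the password provided by the user for
 .Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC.
+will be validated through the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
@@ -332,10 +330,6 @@ such as
 .Pa /etc/passwd .
 Default is
 .Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.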