-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | acconfig.h | 8 | ||||
-rw-r--r-- | auth-krb4.c | 368 | ||||
-rw-r--r-- | auth-passwd.c | 10 | ||||
-rw-r--r-- | auth.h | 19 | ||||
-rw-r--r-- | auth1.c | 45 | ||||
-rw-r--r-- | configure.ac | 87 | ||||
-rw-r--r-- | monitor.c | 54 | ||||
-rw-r--r-- | monitor.h | 1 | ||||
-rw-r--r-- | monitor_wrap.c | 38 | ||||
-rw-r--r-- | monitor_wrap.h | 5 | ||||
-rw-r--r-- | radix.c | 158 | ||||
-rw-r--r-- | radix.h | 28 | ||||
-rw-r--r-- | readconf.c | 17 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | servconf.c | 25 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | session.c | 57 | ||||
-rw-r--r-- | ssh.1 | 4 | ||||
-rw-r--r-- | ssh.c | 9 | ||||
-rw-r--r-- | ssh.h | 5 | ||||
-rw-r--r-- | ssh_config.5 | 10 | ||||
-rw-r--r-- | sshconnect1.c | 287 | ||||
-rw-r--r-- | sshd.c | 21 | ||||
-rw-r--r-- | sshd_config.5 | 9 |
26 files changed, 52 insertions, 1236 deletions
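--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 20030802
 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
+- (dtucker) OpenBSD CVS Sync
+- markus@cvs.openbsd.org 2003/07/22 13:35:22
+[auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
+monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
+ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
+remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
+test+ok henning@
+- (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
+- (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
 
 20030730
 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
@@ -738,4 +747,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $
+$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $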
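--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $
+# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
 cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
 compat.o compress.o crc32.o deattack.o fatal.o \
-hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \
+hostfile.o log.o match.o mpaux.o nchan.o packet.o \
 readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
 key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
@@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 auth2-none.o auth2-passwd.o auth2-pubkey.o \
 monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
 kexdhs.o kexgexs.o \
-auth-krb5.o auth2-krb5.o auth-krb4.o \
+auth-krb5.o auth2-krb5.o \
 loginrec.o auth-pam.o auth-sia.o md5crypt.o
 
 MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out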
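--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */
 
 /*
 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -238,12 +238,6 @@
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 
-/* Define if you want Kerberos 4 support */
-#undef KRB4
-
-/* Define if you want AFS support */
-#undef AFS
-
 /* Define if you want S/Key support */
 #undef SKEY
 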
diff --git a/auth-krb4.c b/auth-krb4.c deleted file mode 100644 index 9e1c800be..000000000 --- a/auth-krb4.c +++ /dev/null | |||
@@ -1,368 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (c) 1999 Dug Song. All rights reserved. | ||
3 | * | ||
4 | * Redistribution and use in source and binary forms, with or without | ||
5 | * modification, are permitted provided that the following conditions | ||
6 | * are met: | ||
7 | * 1. Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * 2. Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * | ||
13 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
14 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
15 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
16 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
17 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
18 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
19 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
20 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
23 | */ | ||
24 | |||
25 | #include "includes.h" | ||
26 | RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $"); | ||
27 | |||
28 | #include "ssh.h" | ||
29 | #include "ssh1.h" | ||
30 | #include "packet.h" | ||
31 | #include "xmalloc.h" | ||
32 | #include "log.h" | ||
33 | #include "servconf.h" | ||
34 | #include "uidswap.h" | ||
35 | #include "auth.h" | ||
36 | |||
37 | #ifdef AFS | ||
38 | #include "radix.h" | ||
39 | #endif | ||
40 | |||
41 | #ifdef KRB4 | ||
42 | extern ServerOptions options; | ||
43 | |||
44 | static int | ||
45 | krb4_init(void *context) | ||
46 | { | ||
47 | static int cleanup_registered = 0; | ||
48 | Authctxt *authctxt = (Authctxt *)context; | ||
49 | const char *tkt_root = TKT_ROOT; | ||
50 | struct stat st; | ||
51 | int fd; | ||
52 | |||
53 | if (!authctxt->krb4_ticket_file) { | ||
54 | /* Set unique ticket string manually since we're still root. */ | ||
55 | authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN); | ||
56 | #ifdef AFS | ||
57 | if (lstat("/ticket", &st) != -1) | ||
58 | tkt_root = "/ticket/"; | ||
59 | #endif /* AFS */ | ||
60 | snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld", | ||
61 | tkt_root, authctxt->pw->pw_uid, (long)getpid()); | ||
62 | krb_set_tkt_string(authctxt->krb4_ticket_file); | ||
63 | } | ||
64 | /* Register ticket cleanup in case of fatal error. */ | ||
65 | if (!cleanup_registered) { | ||
66 | fatal_add_cleanup(krb4_cleanup_proc, authctxt); | ||
67 | cleanup_registered = 1; | ||
68 | } | ||
69 | /* Try to create our ticket file. */ | ||
70 | if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) { | ||
71 | close(fd); | ||
72 | return (1); | ||
73 | } | ||
74 | /* Ticket file exists - make sure user owns it (just passed ticket). */ | ||
75 | if (lstat(authctxt->krb4_ticket_file, &st) != -1) { | ||
76 | if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && | ||
77 | st.st_uid == authctxt->pw->pw_uid) | ||
78 | return (1); | ||
79 | } | ||
80 | /* Failure - cancel cleanup function, leaving ticket for inspection. */ | ||
81 | logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file); | ||
82 | |||
83 | fatal_remove_cleanup(krb4_cleanup_proc, authctxt); | ||
84 | cleanup_registered = 0; | ||
85 | |||
86 | xfree(authctxt->krb4_ticket_file); | ||
87 | authctxt->krb4_ticket_file = NULL; | ||
88 | |||
89 | return (0); | ||
90 | } | ||
91 | |||
92 | /* | ||
93 | * try krb4 authentication, | ||
94 | * return 1 on success, 0 on failure, -1 if krb4 is not available | ||
95 | */ | ||
96 | int | ||
97 | auth_krb4_password(Authctxt *authctxt, const char *password) | ||
98 | { | ||
99 | AUTH_DAT adata; | ||
100 | KTEXT_ST tkt; | ||
101 | struct hostent *hp; | ||
102 | struct passwd *pw; | ||
103 | char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ]; | ||
104 | u_int32_t faddr; | ||
105 | int r; | ||
106 | |||
107 | if ((pw = authctxt->pw) == NULL) | ||
108 | return (0); | ||
109 | |||
110 | /* | ||
111 | * Try Kerberos password authentication only for non-root | ||
112 | * users and only if Kerberos is installed. | ||
113 | */ | ||
114 | if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { | ||
115 | /* Set up our ticket file. */ | ||
116 | if (!krb4_init(authctxt)) { | ||
117 | logit("Couldn't initialize Kerberos ticket file for %s!", | ||
118 | pw->pw_name); | ||
119 | goto failure; | ||
120 | } | ||
121 | /* Try to get TGT using our password. */ | ||
122 | r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, | ||
123 | "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password); | ||
124 | if (r != INTK_OK) { | ||
125 | debug("Kerberos v4 password authentication for %s " | ||
126 | "failed: %s", pw->pw_name, krb_err_txt[r]); | ||
127 | goto failure; | ||
128 | } | ||
129 | /* Successful authentication. */ | ||
130 | chown(tkt_string(), pw->pw_uid, pw->pw_gid); | ||
131 | |||
132 | /* | ||
133 | * Now that we have a TGT, try to get a local | ||
134 | * "rcmd" ticket to ensure that we are not talking | ||
135 | * to a bogus Kerberos server. | ||
136 | */ | ||
137 | gethostname(localhost, sizeof(localhost)); | ||
138 | strlcpy(phost, (char *)krb_get_phost(localhost), | ||
139 | sizeof(phost)); | ||
140 | r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); | ||
141 | |||
142 | if (r == KSUCCESS) { | ||
143 | if ((hp = gethostbyname(localhost)) == NULL) { | ||
144 | logit("Couldn't get local host address!"); | ||
145 | goto failure; | ||
146 | } | ||
147 | memmove((void *)&faddr, (void *)hp->h_addr, | ||
148 | sizeof(faddr)); | ||
149 | |||
150 | /* Verify our "rcmd" ticket. */ | ||
151 | r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, | ||
152 | faddr, &adata, ""); | ||
153 | if (r == RD_AP_UNDEC) { | ||
154 | /* | ||
155 | * Probably didn't have a srvtab on | ||
156 | * localhost. Disallow login. | ||
157 | */ | ||
158 | logit("Kerberos v4 TGT for %s unverifiable, " | ||
159 | "no srvtab installed? krb_rd_req: %s", | ||
160 | pw->pw_name, krb_err_txt[r]); | ||
161 | goto failure; | ||
162 | } else if (r != KSUCCESS) { | ||
163 | logit("Kerberos v4 %s ticket unverifiable: %s", | ||
164 | KRB4_SERVICE_NAME, krb_err_txt[r]); | ||
165 | goto failure; | ||
166 | } | ||
167 | } else if (r == KDC_PR_UNKNOWN) { | ||
168 | /* | ||
169 | * Disallow login if no rcmd service exists, and | ||
170 | * log the error. | ||
171 | */ | ||
172 | logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s " | ||
173 | "not registered, or srvtab is wrong?", pw->pw_name, | ||
174 | krb_err_txt[r], KRB4_SERVICE_NAME, phost); | ||
175 | goto failure; | ||
176 | } else { | ||
177 | /* | ||
178 | * TGT is bad, forget it. Possibly spoofed! | ||
179 | */ | ||
180 | debug("WARNING: Kerberos v4 TGT possibly spoofed " | ||
181 | "for %s: %s", pw->pw_name, krb_err_txt[r]); | ||
182 | goto failure; | ||
183 | } | ||
184 | /* Authentication succeeded. */ | ||
185 | return (1); | ||
186 | } else | ||
187 | /* Logging in as root or no local Kerberos realm. */ | ||
188 | debug("Unable to authenticate to Kerberos."); | ||
189 | |||
190 | failure: | ||
191 | krb4_cleanup_proc(authctxt); | ||
192 | |||
193 | if (!options.kerberos_or_local_passwd) | ||
194 | return (0); | ||
195 | |||
196 | /* Fall back to ordinary passwd authentication. */ | ||
197 | return (-1); | ||
198 | } | ||
199 | |||
200 | void | ||
201 | krb4_cleanup_proc(void *context) | ||
202 | { | ||
203 | Authctxt *authctxt = (Authctxt *)context; | ||
204 | debug("krb4_cleanup_proc called"); | ||
205 | if (authctxt->krb4_ticket_file) { | ||
206 | (void) dest_tkt(); | ||
207 | xfree(authctxt->krb4_ticket_file); | ||
208 | authctxt->krb4_ticket_file = NULL; | ||
209 | } | ||
210 | } | ||
211 | |||
212 | int | ||
213 | auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply) | ||
214 | { | ||
215 | AUTH_DAT adat = {0}; | ||
216 | Key_schedule schedule; | ||
217 | struct sockaddr_in local, foreign; | ||
218 | char instance[INST_SZ]; | ||
219 | socklen_t slen; | ||
220 | u_int cksum; | ||
221 | int r, s; | ||
222 | |||
223 | s = packet_get_connection_in(); | ||
224 | |||
225 | slen = sizeof(local); | ||
226 | memset(&local, 0, sizeof(local)); | ||
227 | if (getsockname(s, (struct sockaddr *) & local, &slen) < 0) | ||
228 | debug("getsockname failed: %.100s", strerror(errno)); | ||
229 | slen = sizeof(foreign); | ||
230 | memset(&foreign, 0, sizeof(foreign)); | ||
231 | if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) { | ||
232 | debug("getpeername failed: %.100s", strerror(errno)); | ||
233 | fatal_cleanup(); | ||
234 | } | ||
235 | instance[0] = '*'; | ||
236 | instance[1] = 0; | ||
237 | |||
238 | /* Get the encrypted request, challenge, and session key. */ | ||
239 | if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, | ||
240 | 0, &adat, ""))) { | ||
241 | debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]); | ||
242 | return (0); | ||
243 | } | ||
244 | des_key_sched((des_cblock *) adat.session, schedule); | ||
245 | |||
246 | *client = xmalloc(MAX_K_NAME_SZ); | ||
247 | (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, | ||
248 | *adat.pinst ? "." : "", adat.pinst, adat.prealm); | ||
249 | |||
250 | /* Check ~/.klogin authorization now. */ | ||
251 | if (kuserok(&adat, authctxt->user) != KSUCCESS) { | ||
252 | logit("Kerberos v4 .klogin authorization failed for %s to " | ||
253 | "account %s", *client, authctxt->user); | ||
254 | xfree(*client); | ||
255 | *client = NULL; | ||
256 | return (0); | ||
257 | } | ||
258 | /* Increment the checksum, and return it encrypted with the | ||
259 | session key. */ | ||
260 | cksum = adat.checksum + 1; | ||
261 | cksum = htonl(cksum); | ||
262 | |||
263 | /* If we can't successfully encrypt the checksum, we send back an | ||
264 | empty message, admitting our failure. */ | ||
265 | if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1, | ||
266 | schedule, &adat.session, &local, &foreign)) < 0) { | ||
267 | debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]); | ||
268 | reply->dat[0] = 0; | ||
269 | reply->length = 0; | ||
270 | } else | ||
271 | reply->length = r; | ||
272 | |||
273 | /* Clear session key. */ | ||
274 | memset(&adat.session, 0, sizeof(adat.session)); | ||
275 | return (1); | ||
276 | } | ||
277 | #endif /* KRB4 */ | ||
278 | |||
279 | #ifdef AFS | ||
280 | int | ||
281 | auth_krb4_tgt(Authctxt *authctxt, const char *string) | ||
282 | { | ||
283 | CREDENTIALS creds; | ||
284 | struct passwd *pw; | ||
285 | |||
286 | if ((pw = authctxt->pw) == NULL) | ||
287 | goto failure; | ||
288 | |||
289 | temporarily_use_uid(pw); | ||
290 | |||
291 | if (!radix_to_creds(string, &creds)) { | ||
292 | logit("Protocol error decoding Kerberos v4 TGT"); | ||
293 | goto failure; | ||
294 | } | ||
295 | if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ | ||
296 | strlcpy(creds.service, "krbtgt", sizeof creds.service); | ||
297 | |||
298 | if (strcmp(creds.service, "krbtgt")) { | ||
299 | logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s", | ||
300 | creds.pname, creds.pinst[0] ? "." : "", creds.pinst, | ||
301 | creds.realm, pw->pw_name); | ||
302 | goto failure; | ||
303 | } | ||
304 | if (!krb4_init(authctxt)) | ||
305 | goto failure; | ||
306 | |||
307 | if (in_tkt(creds.pname, creds.pinst) != KSUCCESS) | ||
308 | goto failure; | ||
309 | |||
310 | if (save_credentials(creds.service, creds.instance, creds.realm, | ||
311 | creds.session, creds.lifetime, creds.kvno, &creds.ticket_st, | ||
312 | creds.issue_date) != KSUCCESS) { | ||
313 | debug("Kerberos v4 TGT refused: couldn't save credentials"); | ||
314 | goto failure; | ||
315 | } | ||
316 | /* Successful authentication, passed all checks. */ | ||
317 | chown(tkt_string(), pw->pw_uid, pw->pw_gid); | ||
318 | |||
319 | debug("Kerberos v4 TGT accepted (%s%s%s@%s)", | ||
320 | creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm); | ||
321 | memset(&creds, 0, sizeof(creds)); | ||
322 | |||
323 | restore_uid(); | ||
324 | |||
325 | return (1); | ||
326 | |||
327 | failure: | ||
328 | krb4_cleanup_proc(authctxt); | ||
329 | memset(&creds, 0, sizeof(creds)); | ||
330 | restore_uid(); | ||
331 | |||
332 | return (0); | ||
333 | } | ||
334 | |||
335 | int | ||
336 | auth_afs_token(Authctxt *authctxt, const char *token_string) | ||
337 | { | ||
338 | CREDENTIALS creds; | ||
339 | struct passwd *pw; | ||
340 | uid_t uid; | ||
341 | |||
342 | if ((pw = authctxt->pw) == NULL) | ||
343 | return (0); | ||
344 | |||
345 | if (!radix_to_creds(token_string, &creds)) { | ||
346 | logit("Protocol error decoding AFS token"); | ||
347 | return (0); | ||
348 | } | ||
349 | if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ | ||
350 | strlcpy(creds.service, "afs", sizeof creds.service); | ||
351 | |||
352 | if (strncmp(creds.pname, "AFS ID ", 7) == 0) | ||
353 | uid = atoi(creds.pname + 7); | ||
354 | else | ||
355 | uid = pw->pw_uid; | ||
356 | |||
357 | if (kafs_settoken(creds.realm, uid, &creds)) { | ||
358 | logit("AFS token (%s@%s) rejected for %s", | ||
359 | creds.pname, creds.realm, pw->pw_name); | ||
360 | memset(&creds, 0, sizeof(creds)); | ||
361 | return (0); | ||
362 | } | ||
363 | debug("AFS token accepted (%s@%s)", creds.pname, creds.realm); | ||
364 | memset(&creds, 0, sizeof(creds)); | ||
365 | |||
366 | return (1); | ||
367 | } | ||
368 | #endif /* AFS */ | ||
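--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,7 +36,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
 
 #include "packet.h"
 #include "log.h"
@@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password)
 return (authsuccess);
 }
 # endif
-# ifdef KRB4
-if (options.kerberos_authentication == 1) {
-int ret = auth_krb4_password(authctxt, password);
-if (ret == 1 || ret == 0)
-return ret;
-/* Fall back to ordinary passwd authentication. */
-}
-# endif
 # ifdef BSD_AUTH
 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
 (char *)password) == 0)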
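--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
 
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -60,9 +60,6 @@ struct Authctxt {
 #ifdef BSD_AUTH
 auth_session_t *as;
 #endif
-#ifdef KRB4
-char *krb4_ticket_file;
-#endif
 #ifdef KRB5
 krb5_context krb5_ctx;
 krb5_auth_context krb5_auth_ctx;
@@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 int user_key_allowed(struct passwd *, Key *);
 
-#ifdef KRB4
-#include <krb.h>
-int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
-int auth_krb4_password(Authctxt *, const char *);
-void krb4_cleanup_proc(void *);
-
-#ifdef AFS
-#include <kafs.h>
-int auth_krb4_tgt(Authctxt *, const char *);
-int auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-
-#endif /* KRB4 */
-
 #ifdef KRB5
 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);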
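--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,7 +49,7 @@ get_authname(int type)
 case SSH_CMSG_AUTH_TIS:
 case SSH_CMSG_AUTH_TIS_RESPONSE:
 return "challenge-response";
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 case SSH_CMSG_AUTH_KERBEROS:
 return "kerberos";
 #endif
@@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
 
 /* If the user has no password, accept authentication immediately. */
 if (options.password_authentication &&
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
 PRIVSEP(auth_password(authctxt, ""))) {
@@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt)
 /* Process the packet. */
 switch (type) {
 
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 case SSH_CMSG_AUTH_KERBEROS:
 if (!options.kerberos_authentication) {
 verbose("Kerberos authentication disabled.");
@@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt)
 char *kdata = packet_get_string(&dlen);
 packet_check_eom();
 
-if (kdata[0] == 4) { /* KRB_PROT_VERSION */
-#ifdef KRB4
-KTEXT_ST tkt, reply;
-tkt.length = dlen;
-if (tkt.length < MAX_KTXT_LEN)
-memcpy(tkt.dat, kdata, tkt.length);
-
-if (PRIVSEP(auth_krb4(authctxt, &tkt,
-&client_user, &reply))) {
-authenticated = 1;
-snprintf(info, sizeof(info),
-" tktuser %.100s",
-client_user);
-
-packet_start(
-SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-packet_put_string((char *)
-reply.dat, reply.length);
-packet_send();
-packet_write_wait();
-}
-#endif /* KRB4 */
-} else {
-#ifdef KRB5
+if (kdata[0] != 4) { /* KRB_PROT_VERSION */
 krb5_data tkt, reply;
 tkt.length = dlen;
 tkt.data = kdata;
@@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt)
 if (reply.length)
 xfree(reply.data);
 }
-#endif /* KRB5 */
 }
 xfree(kdata);
 }
 break;
-#endif /* KRB4 || KRB5 */
-
-#if defined(AFS) || defined(KRB5)
-/* XXX - punt on backward compatibility here. */
 case SSH_CMSG_HAVE_KERBEROS_TGT:
 packet_send_debug("Kerberos TGT passing disabled before authentication.");
 break;
-#ifdef AFS
-case SSH_CMSG_HAVE_AFS_TOKEN:
-packet_send_debug("AFS token passing disabled before authentication.");
-break;
-#endif /* AFS */
-#endif /* AFS || KRB5 */
+#endif
 
 case SSH_CMSG_AUTH_RHOSTS:
 if (!options.rhosts_authentication) {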
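Review bot: A client that still presents a Kerberos v4 ticket (first byte 4) now fails silently: after the inverted test `if (kdata[0] != 4)` at new line 131 the v4 case drops straight through to `xfree(kdata)` and `break` with no log line, whereas the deleted auth_krb4 path logged its reasons via debug()/logit() in the removed auth-krb4.c; unless the generic failure logging after the loop covers it, operators lose the reason for the refusal. An `else` on the closing brace at new line 154 (in the following hunk), `} else verbose("Kerberos v4 authentication no longer supported.");`, keeps such attempts visible. The surviving comment `/* KRB_PROT_VERSION */` now annotates a negated comparison and reads as if 4 were the accepted value; `/* anything but a v4 (KRB_PROT_VERSION) ticket is handed to Kerberos 5 */` states what the branch does. The read of `kdata[0]` is safe for an empty string only if packet_get_string NUL-terminates its result, as OpenSSH's buffer code does — worth confirming, since dlen is not checked before the comparison. do_authloop starts and ends outside this hunk.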
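--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $
+# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -54,7 +54,6 @@ fi
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
-AFS_LIBS="-lld"
 CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 LDFLAGS="$LDFLAGS -L/usr/local/lib"
 AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
@@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5,
 fi
 ]
 )
-# Check whether user wants Kerberos 4 support
-KRB4_MSG="no"
-AC_ARG_WITH(kerberos4,
-[ --with-kerberos4=PATH Enable Kerberos 4 support],
-[
-if test "x$withval" != "xno" ; then
-if test "x$withval" != "xyes" ; then
-CPPFLAGS="$CPPFLAGS -I${withval}/include"
-LDFLAGS="$LDFLAGS -L${withval}/lib"
-if test ! -z "$need_dash_r" ; then
-LDFLAGS="$LDFLAGS -R${withval}/lib"
-fi
-if test ! -z "$blibpath" ; then
-blibpath="$blibpath:${withval}/lib"
-fi
-else
-if test -d /usr/include/kerberosIV ; then
-CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
-fi
-fi
-
-AC_CHECK_HEADERS(krb.h)
-if test "$ac_cv_header_krb_h" != yes; then
-AC_MSG_WARN([Cannot find krb.h, build may fail])
-fi
-AC_CHECK_LIB(krb, main)
-if test "$ac_cv_lib_krb_main" != yes; then
-AC_CHECK_LIB(krb4, main)
-if test "$ac_cv_lib_krb4_main" != yes; then
-AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
-else
-KLIBS="-lkrb4"
-fi
-else
-KLIBS="-lkrb"
-fi
-AC_CHECK_LIB(des, des_cbc_encrypt)
-if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
-AC_CHECK_LIB(des425, des_cbc_encrypt)
-if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
-AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
-else
-KLIBS="-ldes425"
-fi
-else
-KLIBS="-ldes"
-fi
-AC_CHECK_LIB(resolv, dn_expand, , )
-KRB4=yes
-KRB4_MSG="yes"
-AC_DEFINE(KRB4)
-fi
-]
-)
-
-# Check whether user wants AFS support
-AFS_MSG="no"
-AC_ARG_WITH(afs,
-[ --with-afs=PATH Enable AFS support],
-[
-if test "x$withval" != "xno" ; then
-
-if test "x$withval" != "xyes" ; then
-CPPFLAGS="$CPPFLAGS -I${withval}/include"
-LDFLAGS="$LDFLAGS -L${withval}/lib"
-fi
-
-if test -z "$KRB4" ; then
-AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
-fi
-
-LIBS="-lkafs $LIBS"
-if test ! -z "$AFS_LIBS" ; then
-LIBS="$LIBS $AFS_LIBS"
-fi
-AC_DEFINE(AFS)
-AFS_MSG="yes"
-fi
-]
-)
-LIBS="$LIBS $KLIBS $K5LIBS"
+LIBS="$LIBS $K5LIBS"
 
 # Looking for programs, paths and files
 
@@ -2648,10 +2567,8 @@ fi
 echo " Manpage format: $MANTYPE"
 echo " DNS support: $DNS_MSG"
 echo " PAM support: $PAM_MSG"
-echo " KerberosIV support: $KRB4_MSG"
 echo " KerberosV support: $KRB5_MSG"
 echo " Smartcard support: $SCARD_MSG"
-echo " AFS support: $AFS_MSG"
 echo " S/KEY support: $SKEY_MSG"
 echo " TCP Wrappers support: $TCPW_MSG"
 echo " MD5 password support: $MD5_MSG"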
@@ -25,7 +25,7 @@ | |||
25 | */ | 25 | */ |
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $"); | 28 | RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $"); |
29 | 29 | ||
30 | #include <openssl/dh.h> | 30 | #include <openssl/dh.h> |
31 | 31 | ||
@@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *); | |||
124 | int mm_answer_pam_free_ctx(int, Buffer *); | 124 | int mm_answer_pam_free_ctx(int, Buffer *); |
125 | #endif | 125 | #endif |
126 | 126 | ||
127 | #ifdef KRB4 | ||
128 | int mm_answer_krb4(int, Buffer *); | ||
129 | #endif | ||
130 | #ifdef KRB5 | 127 | #ifdef KRB5 |
131 | int mm_answer_krb5(int, Buffer *); | 128 | int mm_answer_krb5(int, Buffer *); |
132 | #endif | 129 | #endif |
@@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = { | |||
222 | {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, | 219 | {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, |
223 | {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, | 220 | {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, |
224 | #endif | 221 | #endif |
225 | #ifdef KRB4 | ||
226 | {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4}, | ||
227 | #endif | ||
228 | #ifdef KRB5 | 222 | #ifdef KRB5 |
229 | {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, | 223 | {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, |
230 | #endif | 224 | #endif |
@@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m) | |||
1428 | return (success); | 1422 | return (success); |
1429 | } | 1423 | } |
1430 | 1424 | ||
1431 | #ifdef KRB4 | ||
1432 | int | ||
1433 | mm_answer_krb4(int socket, Buffer *m) | ||
1434 | { | ||
1435 | KTEXT_ST auth, reply; | ||
1436 | char *client, *p; | ||
1437 | int success; | ||
1438 | u_int alen; | ||
1439 | |||
1440 | reply.length = auth.length = 0; | ||
1441 | |||
1442 | p = buffer_get_string(m, &alen); | ||
1443 | if (alen >= MAX_KTXT_LEN) | ||
1444 | fatal("%s: auth too large", __func__); | ||
1445 | memcpy(auth.dat, p, alen); | ||
1446 | auth.length = alen; | ||
1447 | memset(p, 0, alen); | ||
1448 | xfree(p); | ||
1449 | |||
1450 | success = options.kerberos_authentication && | ||
1451 | authctxt->valid && | ||
1452 | auth_krb4(authctxt, &auth, &client, &reply); | ||
1453 | |||
1454 | memset(auth.dat, 0, alen); | ||
1455 | buffer_clear(m); | ||
1456 | buffer_put_int(m, success); | ||
1457 | |||
1458 | if (success) { | ||
1459 | buffer_put_cstring(m, client); | ||
1460 | buffer_put_string(m, reply.dat, reply.length); | ||
1461 | if (client) | ||
1462 | xfree(client); | ||
1463 | if (reply.length) | ||
1464 | memset(reply.dat, 0, reply.length); | ||
1465 | } | ||
1466 | |||
1467 | debug3("%s: sending result %d", __func__, success); | ||
1468 | mm_request_send(socket, MONITOR_ANS_KRB4, m); | ||
1469 | |||
1470 | auth_method = "kerberos"; | ||
1471 | |||
1472 | /* Causes monitor loop to terminate if authenticated */ | ||
1473 | return (success); | ||
1474 | } | ||
1475 | #endif | ||
1476 | |||
1477 | #ifdef KRB5 | 1425 | #ifdef KRB5 |
1478 | int | 1426 | int |
1479 | mm_answer_krb5(int socket, Buffer *m) | 1427 | mm_answer_krb5(int socket, Buffer *m) |
@@ -49,7 +49,6 @@ enum monitor_reqtype { | |||
49 | MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, | 49 | MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, |
50 | MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, | 50 | MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, |
51 | MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, | 51 | MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, |
52 | MONITOR_REQ_KRB4, MONITOR_ANS_KRB4, | ||
53 | MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, | 52 | MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, |
54 | MONITOR_REQ_PAM_START, | 53 | MONITOR_REQ_PAM_START, |
55 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, | 54 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, |
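--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
 return (success);
 }
 
-#ifdef KRB4
-int
-mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
-{
-KTEXT auth, reply;
-Buffer m;
-u_int rlen;
-int success = 0;
-char *p;
-
-debug3("%s entering", __func__);
-auth = _auth;
-reply = _reply;
-
-buffer_init(&m);
-buffer_put_string(&m, auth->dat, auth->length);
-
-mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
-mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
-
-success = buffer_get_int(&m);
-if (success) {
-*client = buffer_get_string(&m, NULL);
-p = buffer_get_string(&m, &rlen);
-if (rlen >= MAX_KTXT_LEN)
-fatal("%s: reply from monitor too large", __func__);
-reply->length = rlen;
-memcpy(reply->dat, p, rlen);
-memset(p, 0, rlen);
-xfree(p);
-}
-buffer_free(&m);
-return (success);
-}
-#endif
-
 #ifdef KRB5
 int
 mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)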
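--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
 
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
 /* auth_krb */
-#ifdef KRB4
-int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
-#endif
 #ifdef KRB5
 /* auth and reply are really krb5_data objects, but we don't want to
 * include all of the krb5 headers here */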
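--- a/radix.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-* Copyright (c) 2002 Markus Friedl. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include "includes.h"
-#include "uuencode.h"
-
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-
-#ifdef AFS
-#include <krb.h>
-
-#include <radix.h>
-#include "bufaux.h"
-
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
-Buffer b;
-int ret;
-
-buffer_init(&b);
-
-buffer_put_char(&b, 1); /* version */
-
-buffer_append(&b, creds->service, strlen(creds->service));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->instance, strlen(creds->instance));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->realm, strlen(creds->realm));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pname, strlen(creds->pname));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pinst, strlen(creds->pinst));
-buffer_put_char(&b, '\0');
-
-/* Null string to repeat the realm. */
-buffer_put_char(&b, '\0');
-
-buffer_put_int(&b, creds->issue_date);
-buffer_put_int(&b, krb_life_to_time(creds->issue_date,
-creds->lifetime));
-buffer_append(&b, creds->session, sizeof(creds->session));
-buffer_put_short(&b, creds->kvno);
-
-/* 32 bit size + data */
-buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-
-ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-
-buffer_free(&b);
-return ret;
-}
-
-#define GETSTRING(b, t, tlen) \
-do { \
-int i, found = 0; \
-for (i = 0; i < tlen; i++) { \
-if (buffer_len(b) == 0) \
-goto done; \
-t[i] = buffer_get_char(b); \
-if (t[i] == '\0') { \
-found = 1; \
-break; \
-} \
-} \
-if (!found) \
-goto done; \
-} while(0)
-
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
-Buffer b;
-u_char *space;
-char c, version, *p;
-u_int endTime, len;
-int blen, ret;
-
-ret = 0;
-blen = strlen(buf);
-
-/* sanity check for size */
-if (blen > 8192)
-return 0;
-
-buffer_init(&b);
-space = buffer_append_space(&b, blen);
-
-/* check version and length! */
-len = uudecode(buf, space, blen);
-if (len < 1)
-goto done;
-
-version = buffer_get_char(&b);
-
-GETSTRING(&b, creds->service, sizeof creds->service);
-GETSTRING(&b, creds->instance, sizeof creds->instance);
-GETSTRING(&b, creds->realm, sizeof creds->realm);
-GETSTRING(&b, creds->pname, sizeof creds->pname);
-GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-
-if (buffer_len(&b) == 0)
-goto done;
-
-/* Ignore possibly different realm. */
-while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
-;
-
-if (buffer_len(&b) == 0)
-goto done;
-
-creds->issue_date = buffer_get_int(&b);
-
-endTime = buffer_get_int(&b);
-creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-
-len = buffer_len(&b);
-if (len < sizeof(creds->session))
-goto done;
-memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
-buffer_consume(&b, sizeof(creds->session));
-
-creds->kvno = buffer_get_short(&b);
-
-p = buffer_get_string(&b, &len);
-if (len < 0 || len > sizeof(creds->ticket_st.dat))
-goto done;
-memcpy(&creds->ticket_st.dat, p, len);
-creds->ticket_st.length = len;
-
-ret = 1;
-done:
-buffer_free(&b);
-return ret;
-}
-#endif /* AFS */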
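--- a/radix.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
-
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-int creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int radix_to_creds(const char *, CREDENTIALS *);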
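--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -94,7 +94,7 @@ typedef enum {
 oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
 oPasswordAuthentication, oRSAAuthentication,
 oChallengeResponseAuthentication, oXAuthLocation,
-oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing,
+oKerberosAuthentication, oKerberosTgtPassing,
 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@@ -134,18 +134,14 @@ static struct {
 { "challengeresponseauthentication", oChallengeResponseAuthentication },
 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 { "kerberosauthentication", oKerberosAuthentication },
 { "kerberostgtpassing", oKerberosTgtPassing },
 #else
 { "kerberosauthentication", oUnsupported },
 { "kerberostgtpassing", oUnsupported },
 #endif
-#if defined(AFS)
-{ "afstokenpassing", oAFSTokenPassing },
-#else
 { "afstokenpassing", oUnsupported },
-#endif
 { "fallbacktorsh", oDeprecated },
 { "usersh", oDeprecated },
 { "identityfile", oIdentityFile },
@@ -399,10 +395,6 @@ parse_flag:
 intptr = &options->kerberos_tgt_passing;
 goto parse_flag;
 
-case oAFSTokenPassing:
-intptr = &options->afs_token_passing;
-goto parse_flag;
-
 case oBatchMode:
 intptr = &options->batch_mode;
 goto parse_flag;
@@ -828,7 +820,6 @@ initialize_options(Options * options)
 options->challenge_response_authentication = -1;
 options->kerberos_authentication = -1;
 options->kerberos_tgt_passing = -1;
-options->afs_token_passing = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->kbd_interactive_devices = NULL;
@@ -905,8 +896,6 @@ fill_default_options(Options * options)
 options->kerberos_authentication = 1;
 if (options->kerberos_tgt_passing == -1)
 options->kerberos_tgt_passing = 1;
-if (options->afs_token_passing == -1)
-options->afs_token_passing = 1;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)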
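Review bot: The `@@ -134,18 +134,14 @@` hunk keeps `{ "afstokenpassing", oUnsupported },` as an unconditional table entry while the oAFSTokenPassing enum value and its parse_flag case are removed, but nothing records that the keyword survives only so existing client configs keep parsing; the same applies to the `sUnsupported` entry in servconf.c's `@@ -317,11 +306,7 @@` hunk. A one-line comment would make that intent visible to the next person pruning dead options: `{ "afstokenpassing", oUnsupported }, /* AFS support removed; keyword kept so old configs still parse */`. The enclosing keywords table begins and ends outside the hunk.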
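--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,7 +43,6 @@ typedef struct {
 /* Try S/Key or TIS, authentication. */
 int kerberos_authentication; /* Try Kerberos authentication. */
 int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
-int afs_token_passing; /* Try AFS token passing. */
 int password_authentication; /* Try password
 * authentication. */
 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */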
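--- a/servconf.c
+++ b/servconf.c
@@ -10,15 +10,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
-
-#if defined(KRB4)
-#include <krb.h>
-#endif
-
-#ifdef AFS
-#include <kafs.h>
-#endif
+RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options)
 options->kerberos_or_local_passwd = -1;
 options->kerberos_ticket_cleanup = -1;
 options->kerberos_tgt_passing = -1;
-options->afs_token_passing = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
@@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options)
 options->kerberos_ticket_cleanup = 1;
 if (options->kerberos_tgt_passing == -1)
 options->kerberos_tgt_passing = 0;
-if (options->afs_token_passing == -1)
-options->afs_token_passing = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
@@ -261,7 +250,7 @@ typedef enum {
 sPermitRootLogin, sLogFacility, sLogLevel,
 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
+sKerberosTgtPassing, sChallengeResponseAuthentication,
 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -306,7 +295,7 @@ static struct {
 { "rsaauthentication", sRSAAuthentication },
 { "pubkeyauthentication", sPubkeyAuthentication },
 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 { "kerberosauthentication", sKerberosAuthentication },
 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 { "kerberosticketcleanup", sKerberosTicketCleanup },
@@ -317,11 +306,7 @@ static struct {
 { "kerberosticketcleanup", sUnsupported },
 { "kerberostgtpassing", sUnsupported },
 #endif
-#if defined(AFS)
-{ "afstokenpassing", sAFSTokenPassing },
-#else
 { "afstokenpassing", sUnsupported },
-#endif
 { "passwordauthentication", sPasswordAuthentication },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
 { "challengeresponseauthentication", sChallengeResponseAuthentication },
@@ -644,10 +629,6 @@ parse_flag:
 intptr = &options->kerberos_tgt_passing;
 goto parse_flag;
 
-case sAFSTokenPassing:
-intptr = &options->afs_token_passing;
-goto parse_flag;
-
 case sPasswordAuthentication:
 intptr = &options->password_authentication;
 goto parse_flag;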
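--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */
+/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -84,7 +84,6 @@ typedef struct {
 * file on logout. */
 int kerberos_tgt_passing; /* If true, permit Kerberos TGT
 * passing. */
-int afs_token_passing; /* If true, permit AFS token passing. */
 int password_authentication; /* If true, permit password
 * authentication. */
 int kbd_interactive_authentication; /* If true, permit */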
@@ -33,7 +33,7 @@ | |||
33 | */ | 33 | */ |
34 | 34 | ||
35 | #include "includes.h" | 35 | #include "includes.h" |
36 | RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $"); | 36 | RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $"); |
37 | 37 | ||
38 | #include "ssh.h" | 38 | #include "ssh.h" |
39 | #include "ssh1.h" | 39 | #include "ssh1.h" |
@@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt) | |||
222 | /* remove agent socket */ | 222 | /* remove agent socket */ |
223 | if (auth_sock_name != NULL) | 223 | if (auth_sock_name != NULL) |
224 | auth_sock_cleanup_proc(authctxt->pw); | 224 | auth_sock_cleanup_proc(authctxt->pw); |
225 | #ifdef KRB4 | ||
226 | if (options.kerberos_ticket_cleanup) | ||
227 | krb4_cleanup_proc(authctxt); | ||
228 | #endif | ||
229 | #ifdef KRB5 | 225 | #ifdef KRB5 |
230 | if (options.kerberos_ticket_cleanup) | 226 | if (options.kerberos_ticket_cleanup) |
231 | krb5_cleanup_proc(authctxt); | 227 | krb5_cleanup_proc(authctxt); |
@@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt) | |||
338 | success = 1; | 334 | success = 1; |
339 | break; | 335 | break; |
340 | 336 | ||
341 | #if defined(AFS) || defined(KRB5) | 337 | #ifdef KRB5 |
342 | case SSH_CMSG_HAVE_KERBEROS_TGT: | 338 | case SSH_CMSG_HAVE_KERBEROS_TGT: |
343 | if (!options.kerberos_tgt_passing) { | 339 | if (!options.kerberos_tgt_passing) { |
344 | verbose("Kerberos TGT passing disabled."); | 340 | verbose("Kerberos TGT passing disabled."); |
@@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt) | |||
346 | char *kdata = packet_get_string(&dlen); | 342 | char *kdata = packet_get_string(&dlen); |
347 | packet_check_eom(); | 343 | packet_check_eom(); |
348 | 344 | ||
349 | /* XXX - 0x41, see creds_to_radix version */ | 345 | /* XXX - 0x41, used for AFS */ |
350 | if (kdata[0] != 0x41) { | 346 | if (kdata[0] != 0x41) { |
351 | #ifdef KRB5 | ||
352 | krb5_data tgt; | 347 | krb5_data tgt; |
353 | tgt.data = kdata; | 348 | tgt.data = kdata; |
354 | tgt.length = dlen; | 349 | tgt.length = dlen; |
@@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt) | |||
357 | success = 1; | 352 | success = 1; |
358 | else | 353 | else |
359 | verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); | 354 | verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); |
360 | #endif /* KRB5 */ | ||
361 | } else { | ||
362 | #ifdef AFS | ||
363 | if (auth_krb4_tgt(s->authctxt, kdata)) | ||
364 | success = 1; | ||
365 | else | ||
366 | verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user); | ||
367 | #endif /* AFS */ | ||
368 | } | 355 | } |
369 | xfree(kdata); | 356 | xfree(kdata); |
370 | } | 357 | } |
371 | break; | 358 | break; |
372 | #endif /* AFS || KRB5 */ | 359 | #endif |
373 | |||
374 | #ifdef AFS | ||
375 | case SSH_CMSG_HAVE_AFS_TOKEN: | ||
376 | if (!options.afs_token_passing || !k_hasafs()) { | ||
377 | verbose("AFS token passing disabled."); | ||
378 | } else { | ||
379 | /* Accept AFS token. */ | ||
380 | char *token = packet_get_string(&dlen); | ||
381 | packet_check_eom(); | ||
382 | |||
383 | if (auth_afs_token(s->authctxt, token)) | ||
384 | success = 1; | ||
385 | else | ||
386 | verbose("AFS token refused for %.100s", | ||
387 | s->authctxt->user); | ||
388 | xfree(token); | ||
389 | } | ||
390 | break; | ||
391 | #endif /* AFS */ | ||
392 | 360 | ||
393 | case SSH_CMSG_EXEC_SHELL: | 361 | case SSH_CMSG_EXEC_SHELL: |
394 | case SSH_CMSG_EXEC_CMD: | 362 | case SSH_CMSG_EXEC_CMD: |
@@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell) | |||
1066 | read_environment_file(&env, &envsize, "/etc/environment"); | 1034 | read_environment_file(&env, &envsize, "/etc/environment"); |
1067 | } | 1035 | } |
1068 | #endif | 1036 | #endif |
1069 | #ifdef KRB4 | ||
1070 | if (s->authctxt->krb4_ticket_file) | ||
1071 | child_set_env(&env, &envsize, "KRBTKFILE", | ||
1072 | s->authctxt->krb4_ticket_file); | ||
1073 | #endif | ||
1074 | #ifdef KRB5 | 1037 | #ifdef KRB5 |
1075 | if (s->authctxt->krb5_ticket_file) | 1038 | if (s->authctxt->krb5_ticket_file) |
1076 | child_set_env(&env, &envsize, "KRB5CCNAME", | 1039 | child_set_env(&env, &envsize, "KRB5CCNAME", |
@@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command) | |||
1396 | */ | 1359 | */ |
1397 | environ = env; | 1360 | environ = env; |
1398 | 1361 | ||
1399 | #ifdef AFS | ||
1400 | /* Try to get AFS tokens for the local cell. */ | ||
1401 | if (k_hasafs()) { | ||
1402 | char cell[64]; | ||
1403 | |||
1404 | if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) | ||
1405 | krb_afslog(cell, 0); | ||
1406 | |||
1407 | krb_afslog(0, 0); | ||
1408 | } | ||
1409 | #endif /* AFS */ | ||
1410 | |||
1411 | /* Change current directory to the user\'s home directory. */ | 1362 | /* Change current directory to the user\'s home directory. */ |
1412 | if (chdir(pw->pw_dir) < 0) { | 1363 | if (chdir(pw->pw_dir) < 0) { |
1413 | fprintf(stderr, "Could not chdir to home directory %s: %s\n", | 1364 | fprintf(stderr, "Could not chdir to home directory %s: %s\n", |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -494,7 +494,7 @@ The argument is the device | |||
494 | should use to communicate with a smartcard used for storing the user's | 494 | should use to communicate with a smartcard used for storing the user's |
495 | private RSA key. | 495 | private RSA key. |
496 | .It Fl k | 496 | .It Fl k |
497 | Disables forwarding of Kerberos tickets and AFS tokens. | 497 | Disables forwarding of Kerberos tickets. |
498 | This may also be specified on a per-host basis in the configuration file. | 498 | This may also be specified on a per-host basis in the configuration file. |
499 | .It Fl l Ar login_name | 499 | .It Fl l Ar login_name |
500 | Specifies the user to log in as on the remote machine. | 500 | Specifies the user to log in as on the remote machine. |
@@ -40,7 +40,7 @@ | |||
40 | */ | 40 | */ |
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $"); | 43 | RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $"); |
44 | 44 | ||
45 | #include <openssl/evp.h> | 45 | #include <openssl/evp.h> |
46 | #include <openssl/err.h> | 46 | #include <openssl/err.h> |
@@ -154,9 +154,7 @@ usage(void) | |||
154 | _PATH_SSH_USER_CONFFILE); | 154 | _PATH_SSH_USER_CONFFILE); |
155 | fprintf(stderr, " -A Enable authentication agent forwarding.\n"); | 155 | fprintf(stderr, " -A Enable authentication agent forwarding.\n"); |
156 | fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); | 156 | fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); |
157 | #ifdef AFS | 157 | fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n"); |
158 | fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); | ||
159 | #endif /* AFS */ | ||
160 | fprintf(stderr, " -X Enable X11 connection forwarding.\n"); | 158 | fprintf(stderr, " -X Enable X11 connection forwarding.\n"); |
161 | fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); | 159 | fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); |
162 | fprintf(stderr, " -i file Identity for public key authentication " | 160 | fprintf(stderr, " -i file Identity for public key authentication " |
@@ -306,12 +304,9 @@ again: | |||
306 | case 'A': | 304 | case 'A': |
307 | options.forward_agent = 1; | 305 | options.forward_agent = 1; |
308 | break; | 306 | break; |
309 | #ifdef AFS | ||
310 | case 'k': | 307 | case 'k': |
311 | options.kerberos_tgt_passing = 0; | 308 | options.kerberos_tgt_passing = 0; |
312 | options.afs_token_passing = 0; | ||
313 | break; | 309 | break; |
314 | #endif | ||
315 | case 'i': | 310 | case 'i': |
316 | if (stat(optarg, &st) < 0) { | 311 | if (stat(optarg, &st) < 0) { |
317 | fprintf(stderr, "Warning: Identity file %s " | 312 | fprintf(stderr, "Warning: Identity file %s " |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */ | 1 | /* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -88,9 +88,6 @@ | |||
88 | */ | 88 | */ |
89 | #define SSH_SESSION_KEY_LENGTH 32 | 89 | #define SSH_SESSION_KEY_LENGTH 32 |
90 | 90 | ||
91 | /* Name of Kerberos service for SSH to use. */ | ||
92 | #define KRB4_SERVICE_NAME "rcmd" | ||
93 | |||
94 | /* Used to identify ``EscapeChar none'' */ | 91 | /* Used to identify ``EscapeChar none'' */ |
95 | #define SSH_ESCAPECHAR_NONE -2 | 92 | #define SSH_ESCAPECHAR_NONE -2 |
96 | 93 | ||
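--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -123,13 +123,6 @@ Valid arguments are
 (Use IPv4 only) or
 .Dq inet6
 (Use IPv6 only.)
-.It Cm AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option applies to protocol version 1 only.
 .It Cm BatchMode
 If set to
 .Dq yes ,
@@ -410,7 +403,6 @@ or
 .Dq no .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT will be forwarded to the server.
-This will only work if the Kerberos server is actually an AFS kaserver.
 The argument to this keyword must be
 .Dq yes
 or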
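--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,24 +13,17 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
-#ifdef KRB4
-#include <krb.h>
-#endif
 #ifdef KRB5
 #include <krb5.h>
 #ifndef HEIMDAL
 #define krb5_get_err_text(context,code) error_message(code)
 #endif /* !HEIMDAL */
 #endif
-#ifdef AFS
-#include <kafs.h>
-#include "radix.h"
-#endif
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
 return 0;
 }
 
-#ifdef KRB4
-static int
-try_krb4_authentication(void)
-{
-KTEXT_ST auth; /* Kerberos data */
-char *reply;
-char inst[INST_SZ];
-char *realm;
-CREDENTIALS cred;
-int r, type;
-socklen_t slen;
-Key_schedule schedule;
-u_long checksum, cksum;
-MSG_DAT msg_data;
-struct sockaddr_in local, foreign;
-struct stat st;
-
-/* Don't do anything if we don't have any tickets. */
-if (stat(tkt_string(), &st) < 0)
-return 0;
-
-strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
-INST_SZ);
-
-realm = (char *)krb_realmofhost(get_canonical_hostname(1));
-if (!realm) {
-debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
-return 0;
-}
-/* This can really be anything. */
-checksum = (u_long)getpid();
-
-r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
-if (r != KSUCCESS) {
-debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
-return 0;
-}
-/* Get session key to decrypt the server's reply with. */
-r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
-if (r != KSUCCESS) {
-debug("get_cred failed: %s", krb_err_txt[r]);
-return 0;
-}
-des_key_sched((des_cblock *) cred.session, schedule);
-
-/* Send authentication info to server. */
-packet_start(SSH_CMSG_AUTH_KERBEROS);
-packet_put_string((char *) auth.dat, auth.length);
-packet_send();
-packet_write_wait();
-
-/* Zero the buffer. */
-(void) memset(auth.dat, 0, MAX_KTXT_LEN);
-
-slen = sizeof(local);
-memset(&local, 0, sizeof(local));
-if (getsockname(packet_get_connection_in(),
-(struct sockaddr *)&local, &slen) < 0)
-debug("getsockname failed: %s", strerror(errno));
-
-slen = sizeof(foreign);
-memset(&foreign, 0, sizeof(foreign));
-if (getpeername(packet_get_connection_in(),
-(struct sockaddr *)&foreign, &slen) < 0) {
-debug("getpeername failed: %s", strerror(errno));
-fatal_cleanup();
-}
-/* Get server reply. */
-type = packet_read();
-switch (type) {
-case SSH_SMSG_FAILURE:
-/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-debug("Kerberos v4 authentication failed.");
-return 0;
-break;
-
-case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-debug("Kerberos v4 authentication accepted.");
-
-/* Get server's response. */
-reply = packet_get_string((u_int *) &auth.length);
-if (auth.length >= MAX_KTXT_LEN)
-fatal("Kerberos v4: Malformed response from server");
-memcpy(auth.dat, reply, auth.length);
-xfree(reply);
-
-packet_check_eom();
-
-/*
-* If his response isn't properly encrypted with the session
-* key, and the decrypted checksum fails to match, he's
-* bogus. Bail out.
-*/
-r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
-&foreign, &local, &msg_data);
-if (r != KSUCCESS) {
-debug("Kerberos v4 krb_rd_priv failed: %s",
-krb_err_txt[r]);
-packet_disconnect("Kerberos v4 challenge failed!");
-}
-/* Fetch the (incremented) checksum that we supplied in the request. */
-memcpy((char *)&cksum, (char *)msg_data.app_data,
-sizeof(cksum));
-cksum = ntohl(cksum);
-
-/* If it matches, we're golden. */
-if (cksum == checksum + 1) {
-debug("Kerberos v4 challenge successful.");
-return 1;
-} else
-packet_disconnect("Kerberos v4 challenge failed!");
-break;
-
-default:
-packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
-}
-return 0;
-}
-
-#endif /* KRB4 */
-
 #ifdef KRB5
 static int
 try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 }
 #endif /* KRB5 */
 
-#ifdef AFS
-static void
-send_krb4_tgt(void)
-{
-CREDENTIALS *creds;
-struct stat st;
-char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-int problem, type;
-
-/* Don't do anything if we don't have any tickets. */
-if (stat(tkt_string(), &st) < 0)
-return;
-
-creds = xmalloc(sizeof(*creds));
-
-problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
-if (problem)
-goto out;
-
-problem = krb_get_cred("krbtgt", prealm, prealm, creds);
-if (problem)
-goto out;
-
-if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
-problem = RD_AP_EXP;
-goto out;
-}
-creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
-
-packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-packet_put_cstring(buffer);
-packet_send();
-packet_write_wait();
-
-type = packet_read();
-
-if (type == SSH_SMSG_SUCCESS)
-debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
-creds->pname, creds->pinst[0] ? "." : "",
-creds->pinst, creds->realm);
-else
-debug("Kerberos v4 TGT rejected.");
-
-xfree(creds);
-return;
-
-out:
-debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
-xfree(creds);
-}
-
-static void
-send_afs_tokens(void)
-{
-CREDENTIALS creds;
-struct ViceIoctl parms;
-struct ClearToken ct;
-int i, type, len;
-char buf[2048], *p, *server_cell;
-char buffer[8192];
-
-/* Move over ktc_GetToken, here's something leaner. */
-for (i = 0; i < 100; i++) { /* just in case */
-parms.in = (char *) &i;
-parms.in_size = sizeof(i);
-parms.out = buf;
-parms.out_size = sizeof(buf);
-if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
-break;
-p = buf;
-
-/* Get secret token. */
-memcpy(&creds.ticket_st.length, p, sizeof(u_int));
-if (creds.ticket_st.length > MAX_KTXT_LEN)
-break;
-p += sizeof(u_int);
-memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
-p += creds.ticket_st.length;
-
-/* Get clear token. */
-memcpy(&len, p, sizeof(len));
-if (len != sizeof(struct ClearToken))
-break;
-p += sizeof(len);
-memcpy(&ct, p, len);
-p += len;
-p += sizeof(len); /* primary flag */
-server_cell = p;
-
-/* Flesh out our credentials. */
-strlcpy(creds.service, "afs", sizeof(creds.service));
-creds.instance[0] = '\0';
-strlcpy(creds.realm, server_cell, REALM_SZ);
-memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
-creds.issue_date = ct.BeginTimestamp;
-creds.lifetime = krb_time_to_life(creds.issue_date,
-ct.EndTimestamp);
-creds.kvno = ct.AuthHandle;
-snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
-creds.pinst[0] = '\0';
-
-/* Encode token, ship it off. */
-if (creds_to_radix(&creds, (u_char *)buffer,
-sizeof(buffer)) <= 0)
-break;
-packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
-packet_put_cstring(buffer);
-packet_send();
-packet_write_wait();
-
-/* Roger, Roger. Clearance, Clarence. What's your vector,
-Victor? */
-type = packet_read();
-
-if (type == SSH_SMSG_FAILURE)
-debug("AFS token for cell %s rejected.", server_cell);
-else if (type != SSH_SMSG_SUCCESS)
-packet_disconnect("Protocol error on AFS token response: %d", type);
-}
-}
-
-#endif /* AFS */
-
 /*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
@@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 }
 #endif /* KRB5 */
 
-#ifdef KRB4
-if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-options.kerberos_authentication) {
-debug("Trying Kerberos v4 authentication.");
-
-if (try_krb4_authentication()) {
-type = packet_read();
-if (type == SSH_SMSG_SUCCESS)
-goto success;
-if (type != SSH_SMSG_FAILURE)
-packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
-}
-}
-#endif /* KRB4 */
-
 /*
 * Use rhosts authentication if running in privileged socket and we
 * do not wish to remain anonymous.
@@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 if (context)
 krb5_free_context(context);
 #endif
-
-#ifdef AFS
-/* Try Kerberos v4 TGT passing if the server supports it. */
-if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-options.kerberos_tgt_passing) {
-if (options.cipher == SSH_CIPHER_NONE)
-logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-send_krb4_tgt();
-}
-/* Try AFS token passing if the server supports it. */
-if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-options.afs_token_passing && k_hasafs()) {
-if (options.cipher == SSH_CIPHER_NONE)
-logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
-send_afs_tokens();
-}
-#endif /* AFS */
-
 return; /* need statement after label */
 }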
@@ -42,7 +42,7 @@ | |||
42 | */ | 42 | */ |
43 | 43 | ||
44 | #include "includes.h" | 44 | #include "includes.h" |
45 | RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $"); | 45 | RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $"); |
46 | 46 | ||
47 | #include <openssl/dh.h> | 47 | #include <openssl/dh.h> |
48 | #include <openssl/bn.h> | 48 | #include <openssl/bn.h> |
@@ -1476,20 +1476,13 @@ main(int ac, char **av) | |||
1476 | "originating port %d not trusted.", remote_port); | 1476 | "originating port %d not trusted.", remote_port); |
1477 | options.rhosts_authentication = 0; | 1477 | options.rhosts_authentication = 0; |
1478 | } | 1478 | } |
1479 | #if defined(KRB4) && !defined(KRB5) | 1479 | #ifdef KRB5 |
1480 | if (!packet_connection_is_ipv4() && | 1480 | if (!packet_connection_is_ipv4() && |
1481 | options.kerberos_authentication) { | 1481 | options.kerberos_authentication) { |
1482 | debug("Kerberos Authentication disabled, only available for IPv4."); | 1482 | debug("Kerberos Authentication disabled, only available for IPv4."); |
1483 | options.kerberos_authentication = 0; | 1483 | options.kerberos_authentication = 0; |
1484 | } | 1484 | } |
1485 | #endif /* KRB4 && !KRB5 */ | 1485 | #endif |
1486 | #ifdef AFS | ||
1487 | /* If machine has AFS, set process authentication group. */ | ||
1488 | if (k_hasafs()) { | ||
1489 | k_setpag(); | ||
1490 | k_unlog(); | ||
1491 | } | ||
1492 | #endif /* AFS */ | ||
1493 | 1486 | ||
1494 | packet_set_nonblocking(); | 1487 | packet_set_nonblocking(); |
1495 | 1488 | ||
@@ -1656,18 +1649,12 @@ do_ssh1_kex(void) | |||
1656 | auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; | 1649 | auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; |
1657 | if (options.rsa_authentication) | 1650 | if (options.rsa_authentication) |
1658 | auth_mask |= 1 << SSH_AUTH_RSA; | 1651 | auth_mask |= 1 << SSH_AUTH_RSA; |
1659 | #if defined(KRB4) || defined(KRB5) | 1652 | #ifdef KRB5 |
1660 | if (options.kerberos_authentication) | 1653 | if (options.kerberos_authentication) |
1661 | auth_mask |= 1 << SSH_AUTH_KERBEROS; | 1654 | auth_mask |= 1 << SSH_AUTH_KERBEROS; |
1662 | #endif | ||
1663 | #if defined(AFS) || defined(KRB5) | ||
1664 | if (options.kerberos_tgt_passing) | 1655 | if (options.kerberos_tgt_passing) |
1665 | auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; | 1656 | auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; |
1666 | #endif | 1657 | #endif |
1667 | #ifdef AFS | ||
1668 | if (options.afs_token_passing) | ||
1669 | auth_mask |= 1 << SSH_PASS_AFS_TOKEN; | ||
1670 | #endif | ||
1671 | if (options.challenge_response_authentication == 1) | 1658 | if (options.challenge_response_authentication == 1) |
1672 | auth_mask |= 1 << SSH_AUTH_TIS; | 1659 | auth_mask |= 1 << SSH_AUTH_TIS; |
1673 | if (options.password_authentication) | 1660 | if (options.password_authentication) |
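Review bot: The guard at old line 1479 changed from `#if defined(KRB4) && !defined(KRB5)` to `#ifdef KRB5`, which flips its effect rather than narrowing it: a KRB5 build previously never took this branch, and now every KRB5 build silently sets `options.kerberos_authentication = 0` for any non-IPv4 connection. The IPv4-only restriction appears to have been a KRB4 limitation (the old condition deliberately excluded KRB5), so a KRB5-only server would now refuse Kerberos logins over IPv6 that it accepted before this commit, with only a debug-level message explaining why. Unless the KRB5 path is known to require IPv4, the block should go with the rest of the KRB4 code instead of being re-scoped; if it is kept on purpose, a comment such as `/* KRB5 auth restricted to IPv4 on purpose, not KRB4 leftover -- verify against auth1.c */` would stop the next reader from treating it as dead KRB4 logic. main() begins and ends outside this hunk.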
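--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -61,10 +61,6 @@ The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
 .Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -327,8 +323,7 @@ Default is
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
 Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
+.Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.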