-rw-r--r--CREDITS4
-rw-r--r--ChangeLog5
-rw-r--r--Makefile.in4
-rw-r--r--acconfig.h8
-rw-r--r--auth-krb5.c115
-rw-r--r--configure.ac45
-rw-r--r--servconf.c11
-rw-r--r--sshconnect1.c52
8 files changed, 230 insertions, 14 deletions
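--- a/CREDITS
+++ b/CREDITS
@@ -75,7 +75,7 @@ Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
 Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
 Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
 SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
-Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes
+Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
 Svante Signell <svante.signell@telia.com> - Bugfixes
 Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
 Tim Rice <tim@multitalents.net> - Portability & SCO fixes
@@ -90,5 +90,5 @@ Apologies to anyone I have missed.
 
 Damien Miller <djm@mindrot.org>
 
-$Id: CREDITS,v 1.65 2002/03/05 03:38:35 mouring Exp $
+$Id: CREDITS,v 1.66 2002/04/13 01:04:40 djm Exp $
 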
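--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+20020413
+ - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>
+
 20020412
  - (stevesk) [auth-sia.[ch]] add BSD license from Chris Adams
  - (tim) [configure.ac] add <sys/types.h> to msghdr tests. Change -L
@@ -8231,4 +8234,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.2050 2002/04/12 18:51:22 mouring Exp $
+$Id: ChangeLog,v 1.2051 2002/04/13 01:04:40 djm Exp $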
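--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.201 2002/04/05 16:11:46 mouring Exp $
+# $Id: Makefile.in,v 1.202 2002/04/13 01:04:41 djm Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -54,7 +54,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
 
 MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
 MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1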
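--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.130 2002/04/12 03:35:40 tim Exp $ */
+/* $Id: acconfig.h,v 1.131 2002/04/13 01:04:41 djm Exp $ */
 
 #ifndef _CONFIG_H
 #define _CONFIG_H
@@ -192,6 +192,12 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
 
+/* Define if you want Kerberos 5 support */
+#undef KRB5
+
+/* Define this if you are using the Heimdal version of Kerberos V5 */
+#undef HEIMDAL
+
 /* Define if you want Kerberos 4 support */
 #undef KRB4
 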
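--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -41,6 +41,9 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
 
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 
 extern ServerOptions options;
 
@@ -93,8 +96,15 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
  goto err;
 
  fd = packet_get_connection_in();
+#ifdef HEIMDAL
  problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
  authctxt->krb5_auth_ctx, &fd);
+#else
+ problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
+ authctxt->krb5_auth_ctx,fd,
+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
  if (problem)
  goto err;
 
@@ -108,8 +118,14 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
  if (problem)
  goto err;
 
+#ifdef HEIMDAL
  problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
  &authctxt->krb5_user);
+#else
+ problem = krb5_copy_principal(authctxt->krb5_ctx,
+ ticket->enc_part2->client,
+ &authctxt->krb5_user);
+#endif
  if (problem)
  goto err;
 
@@ -160,13 +176,37 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
  krb5_error_code problem;
  krb5_ccache ccache = NULL;
  char *pname;
+ krb5_creds **creds;
 
  if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
  return (0);
 
  temporarily_use_uid(authctxt->pw);
 
+#ifdef HEIMDAL
  problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
+#else
+{
+ char ccname[40];
+ int tmpfd;
+
+ snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+
+ if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+ log("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ goto fail;
+ }
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ log("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ goto fail;
+ }
+ close(tmpfd);
+ problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+}
+#endif
  if (problem)
  goto fail;
 
@@ -175,10 +215,20 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
  if (problem)
  goto fail;
 
+#ifdef HEIMDAL
  problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
  ccache, tgt);
  if (problem)
  goto fail;
+#else
+ problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
+ tgt, &creds, NULL);
+ if (problem)
+ goto fail;
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
+ if (problem)
+ goto fail;
+#endif
 
  authctxt->krb5_fwd_ccache = ccache;
  ccache = NULL;
@@ -211,6 +261,12 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
+#ifndef HEIMDAL
+ krb5_creds creds;
+ krb5_principal server;
+ char ccname[40];
+ int tmpfd;
+#endif
  krb5_error_code problem;
 
  if (authctxt->pw == NULL)
@@ -227,6 +283,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
  if (problem)
  goto out;
 
+#ifdef HEIMDAL
  problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
  &authctxt->krb5_fwd_ccache);
  if (problem)
@@ -245,13 +302,69 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
  if (problem)
  goto out;
 
+#else
+ problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+ authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+ if (problem)
+ goto out;
+
+ problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &server);
+ if (problem)
+ goto out;
+
+ restore_uid();
+ problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+ NULL, NULL, NULL);
+ krb5_free_principal(authctxt->krb5_ctx, server);
+ temporarily_use_uid(authctxt->pw);
+ if (problem)
+ goto out;
+
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+ authctxt->pw->pw_name)) {
+ problem = -1;
+ goto out;
+ }
+
+ snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+
+ if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+ log("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ goto out;
+ }
+
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ log("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ goto out;
+ }
+ close(tmpfd);
+
+ problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+ if (problem)
+ goto out;
+
+ problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ authctxt->krb5_user);
+ if (problem)
+ goto out;
+
+ problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ &creds);
+ if (problem)
+ goto out;
+#endif
+
  authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
  out:
  restore_uid();
 
  if (problem) {
- if (authctxt->krb5_ctx != NULL)
+ if (authctxt->krb5_ctx != NULL && problem!=-1)
  debug("Kerberos password authentication failed: %s",
  krb5_get_err_text(authctxt->krb5_ctx, problem));
  else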
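Review bot: In the non-Heimdal branch of auth_krb5_password, `krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL, NULL)` passes no verify options, so whether a missing or unreadable host keytab fails the login is left to the library default and the `verify_ap_req_nofail` setting in krb5.conf. As far as I know the MIT default lets verification succeed when no key is available, in which case the password check accepts credentials from a KDC whose identity was never confirmed. I would initialise a `krb5_verify_init_creds_opt`, call `krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1)` and pass `&vopt` as the last argument, or at minimum document the keytab requirement next to the call. Separately, the mkstemp()/fchmod() error paths here and in auth_krb5_tgt assign `problem = errno` only after `log()` and `close()` have run, so errno should be saved into `problem` first. Both function bodies start and end outside the hunks shown, so the cleanup of `creds` could not be checked.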
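--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.43 2002/04/12 17:26:23 tim Exp $
+# $Id: configure.ac,v 1.44 2002/04/13 01:04:41 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -1747,7 +1747,45 @@ AC_ARG_WITH(opensc,
  ]
 )
 
-# Check whether user wants Kerberos support
+# Check whether user wants Kerberos 5 support
+KRB5_MSG="no"
+AC_ARG_WITH(kerberos5,
+ [ --with-kerberos5=PATH Enable Kerberos 5 support],
+ [
+ if test "x$withval" != "xno" ; then
+ if test "x$withval" = "xyes" ; then
+ KRB5ROOT="/usr/local"
+ else
+ KRB5ROOT=${withval}
+ fi
+ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
+ LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+ AC_DEFINE(KRB5)
+ KRB5_MSG="yes"
+ AC_MSG_CHECKING(whether we are using Heimdal)
+ AC_TRY_COMPILE([ #include <krb5.h> ],
+ [ char *tmp = heimdal_version; ],
+ [ AC_MSG_RESULT(yes)
+ AC_DEFINE(HEIMDAL)
+ K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
+ ],
+ [ AC_MSG_RESULT(no)
+ K5LIBS="-lkrb5 -lk5crypto -lcom_err"
+ ]
+ )
+ if test ! -z "$need_dash_r" ; then
+ LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+ fi
+ if test ! -z "$blibpath" ; then
+ blibpath="$blibpath:${KRB5ROOT}/lib"
+ fi
+ AC_CHECK_LIB(resolv, dn_expand, , )
+
+ KRB5=yes
+ fi
+ ]
+)
+# Check whether user wants Kerberos 4 support
 KRB4_MSG="no"
 AC_ARG_WITH(kerberos4,
  [ --with-kerberos4=PATH Enable Kerberos 4 support],
@@ -1827,7 +1865,7 @@ AC_ARG_WITH(afs,
  fi
  ]
 )
-LIBS="$LIBS $KLIBS"
+LIBS="$LIBS $KLIBS $K5LIBS"
 
 # Looking for programs, paths and files
 AC_ARG_WITH(rsh,
@@ -2399,6 +2437,7 @@ echo " sshd default user PATH: $H"
 echo " Manpage format: $MANTYPE"
 echo " PAM support: ${PAM_MSG}"
 echo " KerberosIV support: $KRB4_MSG"
+echo " KerberosV support: $KRB5_MSG"
 echo " Smartcard support: $SCARD_MSG"
 echo " AFS support: $AFS_MSG"
 echo " S/KEY support: $SKEY_MSG"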
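Review bot: The new `--with-kerberos5` block runs `AC_DEFINE(KRB5)` and sets `KRB5_MSG="yes"` before anything has confirmed that `krb5.h` or the libraries named in `K5LIBS` exist under `${KRB5ROOT}`, so a wrong path is reported as Kerberos V enabled and only fails later at compile or link time. The Heimdal probe does not catch this, because a failed `AC_TRY_COMPILE` is read as "MIT" even when the header is missing altogether. I would add a header and library check ahead of the define, for example `AC_CHECK_HEADER(krb5.h)` and `AC_CHECK_LIB(krb5, krb5_init_context)`, and stop with `AC_MSG_ERROR` when either fails. `K5LIBS` is also appended to the global `LIBS`, so every binary links the Kerberos libraries rather than only the ones that use them.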
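--- a/servconf.c
+++ b/servconf.c
@@ -12,8 +12,17 @@
 #include "includes.h"
 RCSID("$OpenBSD: servconf.c,v 1.105 2002/03/20 19:12:24 stevesk Exp $");
 
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
+#include <krb.h>
+#endif
+#if defined(KRB5)
+#ifdef HEIMDAL
 #include <krb.h>
+#else
+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
+ * keytab */
+#define KEYFILE "/etc/krb5.keytab"
+#endif
 #endif
 #ifdef AFS
 #include <kafs.h>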
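Review bot: The non-Heimdal branch adds `#define KEYFILE "/etc/krb5.keytab"` without a guard, directly after the `KRB4` block may have included `<krb.h>`; if that header already defines `KEYFILE` (the comment suggests it is the Kerberos IV name), a build with both KRB4 and MIT KRB5 redefines the macro and Kerberos IV code that uses it gets the Kerberos V keytab path. I would give the Kerberos V path its own macro name, or at least wrap the define in `#ifndef KEYFILE` … `#endif`. The hard-coded path also ignores a keytab configured elsewhere (`default_keytab_name` in krb5.conf, `KRB5_KTNAME` in the environment), so the code outside this hunk that tests `KEYFILE` may disagree with the library about whether a keytab exists.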
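--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -23,6 +23,9 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.49 2002/03/14 15:24:27 markus Exp $");
 #endif
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -521,6 +524,23 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
  ret = 0;
  goto out;
  }
+
+ problem = krb5_auth_con_init(*context, auth_context);
+ if (problem) {
+ debug("Kerberos v5: krb5_auth_con_init failed");
+ ret = 0;
+ goto out;
+ }
+
+#ifndef HEIMDAL
+ problem = krb5_auth_con_setflags(*context, *auth_context,
+ KRB5_AUTH_CONTEXT_RET_TIME);
+ if (problem) {
+ debug("Keberos v5: krb5_auth_con_setflags failed");
+ ret = 0;
+ goto out;
+ }
+#endif
 
  tkfile = krb5_cc_default_name(*context);
  if (strncmp(tkfile, "FILE:", 5) == 0)
@@ -597,7 +617,11 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
  if (reply != NULL)
  krb5_free_ap_rep_enc_part(*context, reply);
  if (ap.length > 0)
+#ifdef HEIMDAL
  krb5_data_free(&ap);
+#else
+ krb5_free_data_contents(*context, &ap);
+#endif
 
  return (ret);
 }
@@ -610,7 +634,11 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
  krb5_data outbuf;
  krb5_ccache ccache = NULL;
  krb5_creds creds;
+#ifdef HEIMDAL
  krb5_kdc_flags flags;
+#else
+ int forwardable;
+#endif
  const char *remotehost;
 
  memset(&creds, 0, sizeof(creds));
@@ -618,7 +646,13 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 
  fd = packet_get_connection_in();
 
+#ifdef HEIMDAL
  problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
+#else
+ problem = krb5_auth_con_genaddrs(context, auth_context, fd,
+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
  if (problem)
  goto out;
 
@@ -630,23 +664,35 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
  if (problem)
  goto out;
 
+ remotehost = get_canonical_hostname(1);
+
+#ifdef HEIMDAL
  problem = krb5_build_principal(context, &creds.server,
  strlen(creds.client->realm), creds.client->realm,
  "krbtgt", creds.client->realm, NULL);
+#else
+ problem = krb5_build_principal(context, &creds.server,
+ creds.client->realm.length, creds.client->realm.data,
+ "host", remotehost, NULL);
+#endif
  if (problem)
  goto out;
 
  creds.times.endtime = 0;
 
+#ifdef HEIMDAL
  flags.i = 0;
  flags.b.forwarded = 1;
  flags.b.forwardable = krb5_config_get_bool(context, NULL,
  "libdefaults", "forwardable", NULL);
-
- remotehost = get_canonical_hostname(1);
-
  problem = krb5_get_forwarded_creds(context, auth_context,
  ccache, flags.i, remotehost, &creds, &outbuf);
+#else
+ forwardable = 1;
+ problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
+ creds.client, creds.server, ccache, forwardable, &outbuf);
+#endif
+
  if (problem)
  goto out;
 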
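Review bot: The MIT branch of send_krb5_tgt sets `forwardable = 1` unconditionally before `krb5_fwd_tgt_creds()`, whereas the Heimdal branch just above it reads `libdefaults` / `forwardable` from the Kerberos configuration, so an MIT build always hands the server a ticket that can be forwarded again regardless of site policy. I would take the value from configuration rather than hard-coding it (MIT offers `krb5_appdefault_boolean()`), or mirror the flags of the TGT already in the cache. The debug string added in try_krb5_authentication also reads `"Keberos v5: krb5_auth_con_setflags failed"` and should say `Kerberos`. Both functions continue outside the hunks shown.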