1 files changed, 1 insertions, 264 deletions
diff --git a/sshconnect1.c b/sshconnect1.c
index 5935e8b77..2f89964ec 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,15 +13,11 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
-#ifdef KRB5
-#include <krb5.h>
-#endif
 #include "ssh.h"
 #include "ssh1.h"
 #include "xmalloc.h"
@@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        return 0;
 }
-#ifdef KRB5
-static int
-try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
-{
-        krb5_error_code problem;
-        const char *tkfile;
-        struct stat buf;
-        krb5_ccache ccache = NULL;
-        const char *remotehost;
-        krb5_data ap;
-        int type;
-        krb5_ap_rep_enc_part *reply = NULL;
-        int ret;
-        memset(&ap, 0, sizeof(ap));
-        problem = krb5_init_context(context);
-        if (problem) {
-                debug("Kerberos v5: krb5_init_context failed");
-                ret = 0;
-                goto out;
-        }
-        
-        problem = krb5_auth_con_init(*context, auth_context);
-        if (problem) {
-                debug("Kerberos v5: krb5_auth_con_init failed");
-                ret = 0;
-                goto out;
-        }
-#ifndef HEIMDAL
-        problem = krb5_auth_con_setflags(*context, *auth_context,
-                                         KRB5_AUTH_CONTEXT_RET_TIME);
-        if (problem) {
-                debug("Keberos v5: krb5_auth_con_setflags failed");
-                ret = 0;
-                goto out;
-        }
-#endif
-        tkfile = krb5_cc_default_name(*context);
-        if (strncmp(tkfile, "FILE:", 5) == 0)
-                tkfile += 5;
-        if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-                debug("Kerberos v5: could not get default ccache (permission denied).");
-                ret = 0;
-                goto out;
-        }
-        problem = krb5_cc_default(*context, &ccache);
-        if (problem) {
-                debug("Kerberos v5: krb5_cc_default failed: %s",
-                    krb5_get_err_text(*context, problem));
-                ret = 0;
-                goto out;
-        }
-        remotehost = get_canonical_hostname(1);
-        problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
-            "host", remotehost, NULL, ccache, &ap);
-        if (problem) {
-                debug("Kerberos v5: krb5_mk_req failed: %s",
-                    krb5_get_err_text(*context, problem));
-                ret = 0;
-                goto out;
-        }
-        packet_start(SSH_CMSG_AUTH_KERBEROS);
-        packet_put_string((char *) ap.data, ap.length);
-        packet_send();
-        packet_write_wait();
-        xfree(ap.data);
-        ap.length = 0;
-        type = packet_read();
-        switch (type) {
-        case SSH_SMSG_FAILURE:
-                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-                debug("Kerberos v5 authentication failed.");
-                ret = 0;
-                break;
-        case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-                debug("Kerberos v5 authentication accepted.");
-                /* Get server's response. */
-                ap.data = packet_get_string((unsigned int *) &ap.length);
-                packet_check_eom();
-                /* XXX je to dobre? */
-                problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
-                if (problem) {
-                        ret = 0;
-                }
-                ret = 1;
-                break;
-        default:
-                packet_disconnect("Protocol error on Kerberos v5 response: %d",
-                    type);
-                ret = 0;
-                break;
-        }
- out:
-        if (ccache != NULL)
-                krb5_cc_close(*context, ccache);
-        if (reply != NULL)
-                krb5_free_ap_rep_enc_part(*context, reply);
-        if (ap.length > 0)
-#ifdef HEIMDAL
-                krb5_data_free(&ap);
-#else
-                krb5_free_data_contents(*context, &ap);
-#endif
-        return (ret);
-}
-static void
-send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
-{
-        int fd, type;
-        krb5_error_code problem;
-        krb5_data outbuf;
-        krb5_ccache ccache = NULL;
-        krb5_creds creds;
-#ifdef HEIMDAL
-        krb5_kdc_flags flags;
-#else
-        int forwardable;
-#endif
-        const char *remotehost;
-        memset(&creds, 0, sizeof(creds));
-        memset(&outbuf, 0, sizeof(outbuf));
-        fd = packet_get_connection_in();
-#ifdef HEIMDAL
-        problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
-#else
-        problem = krb5_auth_con_genaddrs(context, auth_context, fd,
-                        KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-                        KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-        if (problem)
-                goto out;
-        problem = krb5_cc_default(context, &ccache);
-        if (problem)
-                goto out;
-        problem = krb5_cc_get_principal(context, ccache, &creds.client);
-        if (problem)
-                goto out;
-        remotehost = get_canonical_hostname(1);
-        
-#ifdef HEIMDAL
-        problem = krb5_build_principal(context, &creds.server,
-            strlen(creds.client->realm), creds.client->realm,
-            "krbtgt", creds.client->realm, NULL);
-#else
-        problem = krb5_build_principal(context, &creds.server,
-            creds.client->realm.length, creds.client->realm.data,
-            "host", remotehost, NULL);
-#endif
-        if (problem)
-                goto out;
-        creds.times.endtime = 0;
-#ifdef HEIMDAL
-        flags.i = 0;
-        flags.b.forwarded = 1;
-        flags.b.forwardable = krb5_config_get_bool(context,  NULL,
-            "libdefaults", "forwardable", NULL);
-        problem = krb5_get_forwarded_creds(context, auth_context,
-            ccache, flags.i, remotehost, &creds, &outbuf);
-#else
-        forwardable = 1;
-        problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
-            creds.client, creds.server, ccache, forwardable, &outbuf);
-#endif
-        if (problem)
-                goto out;
-        packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-        packet_put_string((char *)outbuf.data, outbuf.length);
-        packet_send();
-        packet_write_wait();
-        type = packet_read();
-        if (type == SSH_SMSG_SUCCESS) {
-                char *pname;
-                krb5_unparse_name(context, creds.client, &pname);
-                debug("Kerberos v5 TGT forwarded (%s).", pname);
-                xfree(pname);
-        } else
-                debug("Kerberos v5 TGT forwarding failed.");
-        return;
- out:
-        if (problem)
-                debug("Kerberos v5 TGT forwarding failed: %s",
-                    krb5_get_err_text(context, problem));
-        if (creds.client)
-                krb5_free_principal(context, creds.client);
-        if (creds.server)
-                krb5_free_principal(context, creds.server);
-        if (ccache)
-                krb5_cc_close(context, ccache);
-        if (outbuf.data)
-                xfree(outbuf.data);
-}
-#endif /* KRB5 */
 /*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
@@ -885,10 +654,6 @@ void
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
    Sensitive *sensitive)
 {
-#ifdef KRB5
-        krb5_context context = NULL;
-        krb5_auth_context auth_context = NULL;
-#endif
        int i, type;
        if (supported_authentications == 0)
@@ -913,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        if (type != SSH_SMSG_FAILURE)
                packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
-#ifdef KRB5
-        if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-            options.kerberos_authentication) {
-                debug("Trying Kerberos v5 authentication.");
-                if (try_krb5_authentication(&context, &auth_context)) {
-                        type = packet_read();
-                        if (type == SSH_SMSG_SUCCESS)
-                                goto success;
-                        if (type != SSH_SMSG_FAILURE)
-                                packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
-                }
-        }
-#endif /* KRB5 */
        /*
         * Try .rhosts or /etc/hosts.equiv authentication with RSA host
         * authentication.
@@ -981,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        /* NOTREACHED */
 success:
-#ifdef KRB5
-        /* Try Kerberos v5 TGT passing. */
-        if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-            options.kerberos_tgt_passing && context && auth_context) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-                send_krb5_tgt(context, auth_context);
-        }
-        if (auth_context)
-                krb5_auth_con_free(context, auth_context);
-        if (context)
-                krb5_free_context(context);
-#endif
        return; /* need statement after label */
 }

diff --git a/sshconnect1.c b/sshconnect1.c index 5935e8b77..2f89964ec 100644 --- a/sshconnect1.c +++ b/sshconnect1.c
@@ -13,15 +13,11 @@
13	*/	13	*/
14		14
15	#include "includes.h"	15	#include "includes.h"
16	RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");	16	RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
17		17
18	#include <openssl/bn.h>	18	#include <openssl/bn.h>
19	#include <openssl/md5.h>	19	#include <openssl/md5.h>
20		20
21	#ifdef KRB5
22	#include <krb5.h>
23	#endif
24
25	#include "ssh.h"	21	#include "ssh.h"
26	#include "ssh1.h"	22	#include "ssh1.h"
27	#include "xmalloc.h"	23	#include "xmalloc.h"
@@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char local_user, Key host_key)
370	return 0;	366	return 0;
371	}	367	}
372		368
373	#ifdef KRB5
374	static int
375	try_krb5_authentication(krb5_context context, krb5_auth_context auth_context)
376	{
377	krb5_error_code problem;
378	const char *tkfile;
379	struct stat buf;
380	krb5_ccache ccache = NULL;
381	const char *remotehost;
382	krb5_data ap;
383	int type;
384	krb5_ap_rep_enc_part *reply = NULL;
385	int ret;
386
387	memset(&ap, 0, sizeof(ap));
388
389	problem = krb5_init_context(context);
390	if (problem) {
391	debug("Kerberos v5: krb5_init_context failed");
392	ret = 0;
393	goto out;
394	}
395
396	problem = krb5_auth_con_init(*context, auth_context);
397	if (problem) {
398	debug("Kerberos v5: krb5_auth_con_init failed");
399	ret = 0;
400	goto out;
401	}
402
403	#ifndef HEIMDAL
404	problem = krb5_auth_con_setflags(context, auth_context,
405	KRB5_AUTH_CONTEXT_RET_TIME);
406	if (problem) {
407	debug("Keberos v5: krb5_auth_con_setflags failed");
408	ret = 0;
409	goto out;
410	}
411	#endif
412
413	tkfile = krb5_cc_default_name(*context);
414	if (strncmp(tkfile, "FILE:", 5) == 0)
415	tkfile += 5;
416
417	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
418	debug("Kerberos v5: could not get default ccache (permission denied).");
419	ret = 0;
420	goto out;
421	}
422
423	problem = krb5_cc_default(*context, &ccache);
424	if (problem) {
425	debug("Kerberos v5: krb5_cc_default failed: %s",
426	krb5_get_err_text(*context, problem));
427	ret = 0;
428	goto out;
429	}
430
431	remotehost = get_canonical_hostname(1);
432
433	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
434	"host", remotehost, NULL, ccache, &ap);
435	if (problem) {
436	debug("Kerberos v5: krb5_mk_req failed: %s",
437	krb5_get_err_text(*context, problem));
438	ret = 0;
439	goto out;
440	}
441
442	packet_start(SSH_CMSG_AUTH_KERBEROS);
443	packet_put_string((char *) ap.data, ap.length);
444	packet_send();
445	packet_write_wait();
446
447	xfree(ap.data);
448	ap.length = 0;
449
450	type = packet_read();
451	switch (type) {
452	case SSH_SMSG_FAILURE:
453	/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
454	debug("Kerberos v5 authentication failed.");
455	ret = 0;
456	break;
457
458	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
459	/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
460	debug("Kerberos v5 authentication accepted.");
461
462	/* Get server's response. */
463	ap.data = packet_get_string((unsigned int *) &ap.length);
464	packet_check_eom();
465	/* XXX je to dobre? */
466
467	problem = krb5_rd_rep(context, auth_context, &ap, &reply);
468	if (problem) {
469	ret = 0;
470	}
471	ret = 1;
472	break;
473
474	default:
475	packet_disconnect("Protocol error on Kerberos v5 response: %d",
476	type);
477	ret = 0;
478	break;
479
480	}
481
482	out:
483	if (ccache != NULL)
484	krb5_cc_close(*context, ccache);
485	if (reply != NULL)
486	krb5_free_ap_rep_enc_part(*context, reply);
487	if (ap.length > 0)
488	#ifdef HEIMDAL
489	krb5_data_free(&ap);
490	#else
491	krb5_free_data_contents(*context, &ap);
492	#endif
493
494	return (ret);
495	}
496
497	static void
498	send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
499	{
500	int fd, type;
501	krb5_error_code problem;
502	krb5_data outbuf;
503	krb5_ccache ccache = NULL;
504	krb5_creds creds;
505	#ifdef HEIMDAL
506	krb5_kdc_flags flags;
507	#else
508	int forwardable;
509	#endif
510	const char *remotehost;
511
512	memset(&creds, 0, sizeof(creds));
513	memset(&outbuf, 0, sizeof(outbuf));
514
515	fd = packet_get_connection_in();
516
517	#ifdef HEIMDAL
518	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
519	#else
520	problem = krb5_auth_con_genaddrs(context, auth_context, fd,
521	KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR \|
522	KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
523	#endif
524	if (problem)
525	goto out;
526
527	problem = krb5_cc_default(context, &ccache);
528	if (problem)
529	goto out;
530
531	problem = krb5_cc_get_principal(context, ccache, &creds.client);
532	if (problem)
533	goto out;
534
535	remotehost = get_canonical_hostname(1);
536
537	#ifdef HEIMDAL
538	problem = krb5_build_principal(context, &creds.server,
539	strlen(creds.client->realm), creds.client->realm,
540	"krbtgt", creds.client->realm, NULL);
541	#else
542	problem = krb5_build_principal(context, &creds.server,
543	creds.client->realm.length, creds.client->realm.data,
544	"host", remotehost, NULL);
545	#endif
546	if (problem)
547	goto out;
548
549	creds.times.endtime = 0;
550
551	#ifdef HEIMDAL
552	flags.i = 0;
553	flags.b.forwarded = 1;
554	flags.b.forwardable = krb5_config_get_bool(context, NULL,
555	"libdefaults", "forwardable", NULL);
556	problem = krb5_get_forwarded_creds(context, auth_context,
557	ccache, flags.i, remotehost, &creds, &outbuf);
558	#else
559	forwardable = 1;
560	problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
561	creds.client, creds.server, ccache, forwardable, &outbuf);
562	#endif
563
564	if (problem)
565	goto out;
566
567	packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
568	packet_put_string((char *)outbuf.data, outbuf.length);
569	packet_send();
570	packet_write_wait();
571
572	type = packet_read();
573
574	if (type == SSH_SMSG_SUCCESS) {
575	char *pname;
576
577	krb5_unparse_name(context, creds.client, &pname);
578	debug("Kerberos v5 TGT forwarded (%s).", pname);
579	xfree(pname);
580	} else
581	debug("Kerberos v5 TGT forwarding failed.");
582
583	return;
584
585	out:
586	if (problem)
587	debug("Kerberos v5 TGT forwarding failed: %s",
588	krb5_get_err_text(context, problem));
589	if (creds.client)
590	krb5_free_principal(context, creds.client);
591	if (creds.server)
592	krb5_free_principal(context, creds.server);
593	if (ccache)
594	krb5_cc_close(context, ccache);
595	if (outbuf.data)
596	xfree(outbuf.data);
597	}
598	#endif /* KRB5 */
599
600	/*	369	/*
601	* Tries to authenticate with any string-based challenge/response system.	370	* Tries to authenticate with any string-based challenge/response system.
602	* Note that the client code is not tied to s/key or TIS.	371	* Note that the client code is not tied to s/key or TIS.
@@ -885,10 +654,6 @@ void
885	ssh_userauth1(const char local_user, const char server_user, char *host,	654	ssh_userauth1(const char local_user, const char server_user, char *host,
886	Sensitive *sensitive)	655	Sensitive *sensitive)
887	{	656	{
888	#ifdef KRB5
889	krb5_context context = NULL;
890	krb5_auth_context auth_context = NULL;
891	#endif
892	int i, type;	657	int i, type;
893		658
894	if (supported_authentications == 0)	659	if (supported_authentications == 0)
@@ -913,21 +678,6 @@ ssh_userauth1(const char local_user, const char server_user, char *host,
913	if (type != SSH_SMSG_FAILURE)	678	if (type != SSH_SMSG_FAILURE)
914	packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);	679	packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
915		680
916	#ifdef KRB5
917	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
918	options.kerberos_authentication) {
919	debug("Trying Kerberos v5 authentication.");
920
921	if (try_krb5_authentication(&context, &auth_context)) {
922	type = packet_read();
923	if (type == SSH_SMSG_SUCCESS)
924	goto success;
925	if (type != SSH_SMSG_FAILURE)
926	packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
927	}
928	}
929	#endif /* KRB5 */
930
931	/*	681	/*
932	* Try .rhosts or /etc/hosts.equiv authentication with RSA host	682	* Try .rhosts or /etc/hosts.equiv authentication with RSA host
933	* authentication.	683	* authentication.
@@ -981,18 +731,5 @@ ssh_userauth1(const char local_user, const char server_user, char *host,
981	/* NOTREACHED */	731	/* NOTREACHED */
982		732
983	success:	733	success:
984	#ifdef KRB5
985	/* Try Kerberos v5 TGT passing. */
986	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
987	options.kerberos_tgt_passing && context && auth_context) {
988	if (options.cipher == SSH_CIPHER_NONE)
989	logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
990	send_krb5_tgt(context, auth_context);
991	}
992	if (auth_context)
993	krb5_auth_con_free(context, auth_context);
994	if (context)
995	krb5_free_context(context);
996	#endif
997	return; /* need statement after label */	734	return; /* need statement after label */
998	}	735	}