1 files changed, 1 insertions, 286 deletions
diff --git a/sshconnect1.c b/sshconnect1.c
index 2a822a98f..8851c35f6 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,24 +13,17 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
-#ifdef KRB4
-#include <krb.h>
-#endif
 #ifdef KRB5
 #include <krb5.h>
 #ifndef HEIMDAL
 #define krb5_get_err_text(context,code) error_message(code)
 #endif /* !HEIMDAL */
 #endif
-#ifdef AFS
-#include <kafs.h>
-#include "radix.h"
-#endif
 #include "ssh.h"
 #include "ssh1.h"
@@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        return 0;
 }
-#ifdef KRB4
-static int
-try_krb4_authentication(void)
-{
-        KTEXT_ST auth;          /* Kerberos data */
-        char *reply;
-        char inst[INST_SZ];
-        char *realm;
-        CREDENTIALS cred;
-        int r, type;
-        socklen_t slen;
-        Key_schedule schedule;
-        u_long checksum, cksum;
-        MSG_DAT msg_data;
-        struct sockaddr_in local, foreign;
-        struct stat st;
-        /* Don't do anything if we don't have any tickets. */
-        if (stat(tkt_string(), &st) < 0)
-                return 0;
-        strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
-            INST_SZ);
-        realm = (char *)krb_realmofhost(get_canonical_hostname(1));
-        if (!realm) {
-                debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
-                return 0;
-        }
-        /* This can really be anything. */
-        checksum = (u_long)getpid();
-        r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
-        if (r != KSUCCESS) {
-                debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
-                return 0;
-        }
-        /* Get session key to decrypt the server's reply with. */
-        r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
-        if (r != KSUCCESS) {
-                debug("get_cred failed: %s", krb_err_txt[r]);
-                return 0;
-        }
-        des_key_sched((des_cblock *) cred.session, schedule);
-        /* Send authentication info to server. */
-        packet_start(SSH_CMSG_AUTH_KERBEROS);
-        packet_put_string((char *) auth.dat, auth.length);
-        packet_send();
-        packet_write_wait();
-        /* Zero the buffer. */
-        (void) memset(auth.dat, 0, MAX_KTXT_LEN);
-        slen = sizeof(local);
-        memset(&local, 0, sizeof(local));
-        if (getsockname(packet_get_connection_in(),
-            (struct sockaddr *)&local, &slen) < 0)
-                debug("getsockname failed: %s", strerror(errno));
-        slen = sizeof(foreign);
-        memset(&foreign, 0, sizeof(foreign));
-        if (getpeername(packet_get_connection_in(),
-            (struct sockaddr *)&foreign, &slen) < 0) {
-                debug("getpeername failed: %s", strerror(errno));
-                fatal_cleanup();
-        }
-        /* Get server reply. */
-        type = packet_read();
-        switch (type) {
-        case SSH_SMSG_FAILURE:
-                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-                debug("Kerberos v4 authentication failed.");
-                return 0;
-                break;
-        case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-                debug("Kerberos v4 authentication accepted.");
-                /* Get server's response. */
-                reply = packet_get_string((u_int *) &auth.length);
-                if (auth.length >= MAX_KTXT_LEN)
-                        fatal("Kerberos v4: Malformed response from server");
-                memcpy(auth.dat, reply, auth.length);
-                xfree(reply);
-                packet_check_eom();
-                /*
-                 * If his response isn't properly encrypted with the session
-                 * key, and the decrypted checksum fails to match, he's
-                 * bogus. Bail out.
-                 */
-                r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
-                    &foreign, &local, &msg_data);
-                if (r != KSUCCESS) {
-                        debug("Kerberos v4 krb_rd_priv failed: %s",
-                            krb_err_txt[r]);
-                        packet_disconnect("Kerberos v4 challenge failed!");
-                }
-                /* Fetch the (incremented) checksum that we supplied in the request. */
-                memcpy((char *)&cksum, (char *)msg_data.app_data,
-                    sizeof(cksum));
-                cksum = ntohl(cksum);
-                /* If it matches, we're golden. */
-                if (cksum == checksum + 1) {
-                        debug("Kerberos v4 challenge successful.");
-                        return 1;
-                } else
-                        packet_disconnect("Kerberos v4 challenge failed!");
-                break;
-        default:
-                packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
-        }
-        return 0;
-}
-#endif /* KRB4 */
 #ifdef KRB5
 static int
 try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 }
 #endif /* KRB5 */
-#ifdef AFS
-static void
-send_krb4_tgt(void)
-{
-        CREDENTIALS *creds;
-        struct stat st;
-        char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-        int problem, type;
-        /* Don't do anything if we don't have any tickets. */
-        if (stat(tkt_string(), &st) < 0)
-                return;
-        creds = xmalloc(sizeof(*creds));
-        problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
-        if (problem)
-                goto out;
-        problem = krb_get_cred("krbtgt", prealm, prealm, creds);
-        if (problem)
-                goto out;
-        if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
-                problem = RD_AP_EXP;
-                goto out;
-        }
-        creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
-        packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-        packet_put_cstring(buffer);
-        packet_send();
-        packet_write_wait();
-        type = packet_read();
-        if (type == SSH_SMSG_SUCCESS)
-                debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
-                    creds->pname, creds->pinst[0] ? "." : "",
-                    creds->pinst, creds->realm);
-        else
-                debug("Kerberos v4 TGT rejected.");
-        xfree(creds);
-        return;
- out:
-        debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
-        xfree(creds);
-}
-static void
-send_afs_tokens(void)
-{
-        CREDENTIALS creds;
-        struct ViceIoctl parms;
-        struct ClearToken ct;
-        int i, type, len;
-        char buf[2048], *p, *server_cell;
-        char buffer[8192];
-        /* Move over ktc_GetToken, here's something leaner. */
-        for (i = 0; i < 100; i++) {     /* just in case */
-                parms.in = (char *) &i;
-                parms.in_size = sizeof(i);
-                parms.out = buf;
-                parms.out_size = sizeof(buf);
-                if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
-                        break;
-                p = buf;
-                /* Get secret token. */
-                memcpy(&creds.ticket_st.length, p, sizeof(u_int));
-                if (creds.ticket_st.length > MAX_KTXT_LEN)
-                        break;
-                p += sizeof(u_int);
-                memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
-                p += creds.ticket_st.length;
-                /* Get clear token. */
-                memcpy(&len, p, sizeof(len));
-                if (len != sizeof(struct ClearToken))
-                        break;
-                p += sizeof(len);
-                memcpy(&ct, p, len);
-                p += len;
-                p += sizeof(len);       /* primary flag */
-                server_cell = p;
-                /* Flesh out our credentials. */
-                strlcpy(creds.service, "afs", sizeof(creds.service));
-                creds.instance[0] = '\0';
-                strlcpy(creds.realm, server_cell, REALM_SZ);
-                memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
-                creds.issue_date = ct.BeginTimestamp;
-                creds.lifetime = krb_time_to_life(creds.issue_date,
-                    ct.EndTimestamp);
-                creds.kvno = ct.AuthHandle;
-                snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
-                creds.pinst[0] = '\0';
-                /* Encode token, ship it off. */
-                if (creds_to_radix(&creds, (u_char *)buffer,
-                    sizeof(buffer)) <= 0)
-                        break;
-                packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
-                packet_put_cstring(buffer);
-                packet_send();
-                packet_write_wait();
-                /* Roger, Roger. Clearance, Clarence. What's your vector,
-                   Victor? */
-                type = packet_read();
-                if (type == SSH_SMSG_FAILURE)
-                        debug("AFS token for cell %s rejected.", server_cell);
-                else if (type != SSH_SMSG_SUCCESS)
-                        packet_disconnect("Protocol error on AFS token response: %d", type);
-        }
-}
-#endif /* AFS */
 /*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
@@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        }
 #endif /* KRB5 */
-#ifdef KRB4
-        if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-            options.kerberos_authentication) {
-                debug("Trying Kerberos v4 authentication.");
-                if (try_krb4_authentication()) {
-                        type = packet_read();
-                        if (type == SSH_SMSG_SUCCESS)
-                                goto success;
-                        if (type != SSH_SMSG_FAILURE)
-                                packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
-                }
-        }
-#endif /* KRB4 */
        /*
         * Use rhosts authentication if running in privileged socket and we
         * do not wish to remain anonymous.
@@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        if (context)
                krb5_free_context(context);
 #endif
-#ifdef AFS
-        /* Try Kerberos v4 TGT passing if the server supports it. */
-        if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-            options.kerberos_tgt_passing) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-                send_krb4_tgt();
-        }
-        /* Try AFS token passing if the server supports it. */
-        if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-            options.afs_token_passing && k_hasafs()) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
-                send_afs_tokens();
-        }
-#endif /* AFS */
        return; /* need statement after label */
 }

diff --git a/sshconnect1.c b/sshconnect1.c index 2a822a98f..8851c35f6 100644 --- a/sshconnect1.c +++ b/sshconnect1.c
@@ -13,24 +13,17 @@
13	*/	13	*/
14		14
15	#include "includes.h"	15	#include "includes.h"
16	RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");	16	RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
17		17
18	#include <openssl/bn.h>	18	#include <openssl/bn.h>
19	#include <openssl/md5.h>	19	#include <openssl/md5.h>
20		20
21	#ifdef KRB4
22	#include <krb.h>
23	#endif
24	#ifdef KRB5	21	#ifdef KRB5
25	#include <krb5.h>	22	#include <krb5.h>
26	#ifndef HEIMDAL	23	#ifndef HEIMDAL
27	#define krb5_get_err_text(context,code) error_message(code)	24	#define krb5_get_err_text(context,code) error_message(code)
28	#endif /* !HEIMDAL */	25	#endif /* !HEIMDAL */
29	#endif	26	#endif
30	#ifdef AFS
31	#include <kafs.h>
32	#include "radix.h"
33	#endif
34		27
35	#include "ssh.h"	28	#include "ssh.h"
36	#include "ssh1.h"	29	#include "ssh1.h"
@@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char local_user, Key host_key)
380	return 0;	373	return 0;
381	}	374	}
382		375
383	#ifdef KRB4
384	static int
385	try_krb4_authentication(void)
386	{
387	KTEXT_ST auth; /* Kerberos data */
388	char *reply;
389	char inst[INST_SZ];
390	char *realm;
391	CREDENTIALS cred;
392	int r, type;
393	socklen_t slen;
394	Key_schedule schedule;
395	u_long checksum, cksum;
396	MSG_DAT msg_data;
397	struct sockaddr_in local, foreign;
398	struct stat st;
399
400	/* Don't do anything if we don't have any tickets. */
401	if (stat(tkt_string(), &st) < 0)
402	return 0;
403
404	strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
405	INST_SZ);
406
407	realm = (char *)krb_realmofhost(get_canonical_hostname(1));
408	if (!realm) {
409	debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
410	return 0;
411	}
412	/* This can really be anything. */
413	checksum = (u_long)getpid();
414
415	r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
416	if (r != KSUCCESS) {
417	debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
418	return 0;
419	}
420	/* Get session key to decrypt the server's reply with. */
421	r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
422	if (r != KSUCCESS) {
423	debug("get_cred failed: %s", krb_err_txt[r]);
424	return 0;
425	}
426	des_key_sched((des_cblock *) cred.session, schedule);
427
428	/* Send authentication info to server. */
429	packet_start(SSH_CMSG_AUTH_KERBEROS);
430	packet_put_string((char *) auth.dat, auth.length);
431	packet_send();
432	packet_write_wait();
433
434	/* Zero the buffer. */
435	(void) memset(auth.dat, 0, MAX_KTXT_LEN);
436
437	slen = sizeof(local);
438	memset(&local, 0, sizeof(local));
439	if (getsockname(packet_get_connection_in(),
440	(struct sockaddr *)&local, &slen) < 0)
441	debug("getsockname failed: %s", strerror(errno));
442
443	slen = sizeof(foreign);
444	memset(&foreign, 0, sizeof(foreign));
445	if (getpeername(packet_get_connection_in(),
446	(struct sockaddr *)&foreign, &slen) < 0) {
447	debug("getpeername failed: %s", strerror(errno));
448	fatal_cleanup();
449	}
450	/* Get server reply. */
451	type = packet_read();
452	switch (type) {
453	case SSH_SMSG_FAILURE:
454	/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
455	debug("Kerberos v4 authentication failed.");
456	return 0;
457	break;
458
459	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
460	/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
461	debug("Kerberos v4 authentication accepted.");
462
463	/* Get server's response. */
464	reply = packet_get_string((u_int *) &auth.length);
465	if (auth.length >= MAX_KTXT_LEN)
466	fatal("Kerberos v4: Malformed response from server");
467	memcpy(auth.dat, reply, auth.length);
468	xfree(reply);
469
470	packet_check_eom();
471
472	/*
473	* If his response isn't properly encrypted with the session
474	* key, and the decrypted checksum fails to match, he's
475	* bogus. Bail out.
476	*/
477	r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
478	&foreign, &local, &msg_data);
479	if (r != KSUCCESS) {
480	debug("Kerberos v4 krb_rd_priv failed: %s",
481	krb_err_txt[r]);
482	packet_disconnect("Kerberos v4 challenge failed!");
483	}
484	/* Fetch the (incremented) checksum that we supplied in the request. */
485	memcpy((char )&cksum, (char )msg_data.app_data,
486	sizeof(cksum));
487	cksum = ntohl(cksum);
488
489	/* If it matches, we're golden. */
490	if (cksum == checksum + 1) {
491	debug("Kerberos v4 challenge successful.");
492	return 1;
493	} else
494	packet_disconnect("Kerberos v4 challenge failed!");
495	break;
496
497	default:
498	packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
499	}
500	return 0;
501	}
502
503	#endif /* KRB4 */
504
505	#ifdef KRB5	376	#ifdef KRB5
506	static int	377	static int
507	try_krb5_authentication(krb5_context context, krb5_auth_context auth_context)	378	try_krb5_authentication(krb5_context context, krb5_auth_context auth_context)
@@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
729	}	600	}
730	#endif /* KRB5 */	601	#endif /* KRB5 */
731		602
732	#ifdef AFS
733	static void
734	send_krb4_tgt(void)
735	{
736	CREDENTIALS *creds;
737	struct stat st;
738	char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
739	int problem, type;
740
741	/* Don't do anything if we don't have any tickets. */
742	if (stat(tkt_string(), &st) < 0)
743	return;
744
745	creds = xmalloc(sizeof(*creds));
746
747	problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
748	if (problem)
749	goto out;
750
751	problem = krb_get_cred("krbtgt", prealm, prealm, creds);
752	if (problem)
753	goto out;
754
755	if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
756	problem = RD_AP_EXP;
757	goto out;
758	}
759	creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
760
761	packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
762	packet_put_cstring(buffer);
763	packet_send();
764	packet_write_wait();
765
766	type = packet_read();
767
768	if (type == SSH_SMSG_SUCCESS)
769	debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
770	creds->pname, creds->pinst[0] ? "." : "",
771	creds->pinst, creds->realm);
772	else
773	debug("Kerberos v4 TGT rejected.");
774
775	xfree(creds);
776	return;
777
778	out:
779	debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
780	xfree(creds);
781	}
782
783	static void
784	send_afs_tokens(void)
785	{
786	CREDENTIALS creds;
787	struct ViceIoctl parms;
788	struct ClearToken ct;
789	int i, type, len;
790	char buf[2048], p, server_cell;
791	char buffer[8192];
792
793	/* Move over ktc_GetToken, here's something leaner. */
794	for (i = 0; i < 100; i++) { /* just in case */
795	parms.in = (char *) &i;
796	parms.in_size = sizeof(i);
797	parms.out = buf;
798	parms.out_size = sizeof(buf);
799	if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
800	break;
801	p = buf;
802
803	/* Get secret token. */
804	memcpy(&creds.ticket_st.length, p, sizeof(u_int));
805	if (creds.ticket_st.length > MAX_KTXT_LEN)
806	break;
807	p += sizeof(u_int);
808	memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
809	p += creds.ticket_st.length;
810
811	/* Get clear token. */
812	memcpy(&len, p, sizeof(len));
813	if (len != sizeof(struct ClearToken))
814	break;
815	p += sizeof(len);
816	memcpy(&ct, p, len);
817	p += len;
818	p += sizeof(len); /* primary flag */
819	server_cell = p;
820
821	/* Flesh out our credentials. */
822	strlcpy(creds.service, "afs", sizeof(creds.service));
823	creds.instance[0] = '\0';
824	strlcpy(creds.realm, server_cell, REALM_SZ);
825	memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
826	creds.issue_date = ct.BeginTimestamp;
827	creds.lifetime = krb_time_to_life(creds.issue_date,
828	ct.EndTimestamp);
829	creds.kvno = ct.AuthHandle;
830	snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
831	creds.pinst[0] = '\0';
832
833	/* Encode token, ship it off. */
834	if (creds_to_radix(&creds, (u_char *)buffer,
835	sizeof(buffer)) <= 0)
836	break;
837	packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
838	packet_put_cstring(buffer);
839	packet_send();
840	packet_write_wait();
841
842	/* Roger, Roger. Clearance, Clarence. What's your vector,
843	Victor? */
844	type = packet_read();
845
846	if (type == SSH_SMSG_FAILURE)
847	debug("AFS token for cell %s rejected.", server_cell);
848	else if (type != SSH_SMSG_SUCCESS)
849	packet_disconnect("Protocol error on AFS token response: %d", type);
850	}
851	}
852
853	#endif /* AFS */
854
855	/*	603	/*
856	* Tries to authenticate with any string-based challenge/response system.	604	* Tries to authenticate with any string-based challenge/response system.
857	* Note that the client code is not tied to s/key or TIS.	605	* Note that the client code is not tied to s/key or TIS.
@@ -1183,21 +931,6 @@ ssh_userauth1(const char local_user, const char server_user, char *host,
1183	}	931	}
1184	#endif /* KRB5 */	932	#endif /* KRB5 */
1185		933
1186	#ifdef KRB4
1187	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1188	options.kerberos_authentication) {
1189	debug("Trying Kerberos v4 authentication.");
1190
1191	if (try_krb4_authentication()) {
1192	type = packet_read();
1193	if (type == SSH_SMSG_SUCCESS)
1194	goto success;
1195	if (type != SSH_SMSG_FAILURE)
1196	packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
1197	}
1198	}
1199	#endif /* KRB4 */
1200
1201	/*	934	/*
1202	* Use rhosts authentication if running in privileged socket and we	935	* Use rhosts authentication if running in privileged socket and we
1203	* do not wish to remain anonymous.	936	* do not wish to remain anonymous.
@@ -1284,23 +1017,5 @@ ssh_userauth1(const char local_user, const char server_user, char *host,
1284	if (context)	1017	if (context)
1285	krb5_free_context(context);	1018	krb5_free_context(context);
1286	#endif	1019	#endif
1287
1288	#ifdef AFS
1289	/* Try Kerberos v4 TGT passing if the server supports it. */
1290	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
1291	options.kerberos_tgt_passing) {
1292	if (options.cipher == SSH_CIPHER_NONE)
1293	logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
1294	send_krb4_tgt();
1295	}
1296	/* Try AFS token passing if the server supports it. */
1297	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
1298	options.afs_token_passing && k_hasafs()) {
1299	if (options.cipher == SSH_CIPHER_NONE)
1300	logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
1301	send_afs_tokens();
1302	}
1303	#endif /* AFS */
1304
1305	return; /* need statement after label */	1020	return; /* need statement after label */
1306	}	1021	}