Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 101 |
1 files changed, 100 insertions, 1 deletions
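diff --git a/sshconnect2.c b/sshconnect2.c
index 74d699ff2..0605e4e5f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,11 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
 
 #include "ssh.h"
 #include "ssh2.h"
@@ -190,6 +194,7 @@ int userauth_pubkey(Authctxt *);
 int userauth_passwd(Authctxt *);
 int userauth_kbdint(Authctxt *);
 int userauth_hostbased(Authctxt *);
+int userauth_kerberos(Authctxt *);
 
 void userauth(Authctxt *, char *);
 
@@ -208,6 +213,12 @@ Authmethod authmethods[] = {
 	userauth_hostbased,
 	&options.hostbased_authentication,
 	NULL},
+#if KRB5
+	{"kerberos-2@ssh.com",
+	userauth_kerberos,
+	&options.kerberos_authentication,
+	NULL},
+#endif
 	{"publickey",
 	userauth_pubkey,
 	&options.pubkey_authentication,
@@ -1112,6 +1123,94 @@ userauth_hostbased(Authctxt *authctxt)
 	return 1;
 }
 
+#if KRB5
+static int
+ssh_krb5_helper(krb5_data *ap)
+{
+	krb5_context xcontext = NULL;	/* XXX share with ssh1 */
+	krb5_auth_context xauth_context = NULL;
+
+	krb5_context *context;
+	krb5_auth_context *auth_context;
+	krb5_error_code problem;
+	const char *tkfile;
+	struct stat buf;
+	krb5_ccache ccache = NULL;
+	const char *remotehost;
+	int ret;
+
+	memset(ap, 0, sizeof(*ap));
+
+	context = &xcontext;
+	auth_context = &xauth_context;
+
+	problem = krb5_init_context(context);
+	if (problem) {
+		debug("Kerberos v5: krb5_init_context failed");
+		ret = 0;
+		goto out;
+	}
+
+	tkfile = krb5_cc_default_name(*context);
+	if (strncmp(tkfile, "FILE:", 5) == 0)
+		tkfile += 5;
+
+	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+		debug("Kerberos v5: could not get default ccache (permission denied).");
+		ret = 0;
+		goto out;
+	}
+
+	problem = krb5_cc_default(*context, &ccache);
+	if (problem) {
+		debug("Kerberos v5: krb5_cc_default failed: %s",
+		    krb5_get_err_text(*context, problem));
+		ret = 0;
+		goto out;
+	}
+
+	remotehost = get_canonical_hostname(1);
+
+	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+	    "host", remotehost, NULL, ccache, ap);
+	if (problem) {
+		debug("Kerberos v5: krb5_mk_req failed: %s",
+		    krb5_get_err_text(*context, problem));
+		ret = 0;
+		goto out;
+	}
+	ret = 1;
+
+ out:
+	if (ccache != NULL)
+		krb5_cc_close(*context, ccache);
+	if (*auth_context)
+		krb5_auth_con_free(*context, *auth_context);
+	if (*context)
+		krb5_free_context(*context);
+	return (ret);
+}
+
+int
+userauth_kerberos(Authctxt *authctxt)
+{
+	krb5_data ap;
+
+	if (ssh_krb5_helper(&ap) == 0)
+		return (0);
+
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_string(ap.data, ap.length);
+	packet_send();
+
+	krb5_data_free(&ap);
+	return (1);
+}
+#endif
+
 /* find auth method */
 
 /*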
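Review bot: The ticket-cache ownership check in `ssh_krb5_helper` is check-then-use: `stat(tkfile, &buf)` inspects a path and `krb5_cc_default()` then re-resolves the cache by name, so the file can be swapped (e.g. through a symlink) between the two calls, and any cache name without a `FILE:` prefix, or a cache that does not exist yet, makes `stat` fail and the check silently passes. At minimum document the limits above the `if` with `/* best-effort: only meaningful for FILE: caches and racy between stat() and krb5_cc_default() */`, and consider failing closed when the name carries a non-FILE prefix rather than ignoring it. Separately, `AP_OPTS_MUTUAL_REQUIRED` is requested in `krb5_mk_req` but `*auth_context` is freed at `out:` before `userauth_kerberos` even sends the AP-REQ, so the client keeps nothing with which to verify an AP-REP; unless the server's reply is handled elsewhere (not in this hunk), the flag adds no client-side check and the peer is authenticated only by the SSH host key. `krb5_data_free` and `krb5_get_err_text` follow Heimdal's API naming (MIT spells these `krb5_free_data_contents` and `error_message`), so the whole `#if KRB5` block appears to assume a Heimdal build, which the comment at the top of the helper could state.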