1 files changed, 100 insertions, 1 deletions
diff --git a/sshconnect2.c b/sshconnect2.c
index 74d699ff2..0605e4e5f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,11 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
+#ifdef KRB5
+#include <krb5.h>
+#endif
 #include "ssh.h"
 #include "ssh2.h"
@@ -190,6 +194,7 @@ int	userauth_pubkey(Authctxt *);
 int     userauth_passwd(Authctxt *);
 int     userauth_kbdint(Authctxt *);
 int     userauth_hostbased(Authctxt *);
+int     userauth_kerberos(Authctxt *);
 void    userauth(Authctxt *, char *);
@@ -208,6 +213,12 @@ Authmethod authmethods[] = {
                userauth_hostbased,
                &options.hostbased_authentication,
                NULL},
+#if KRB5
+        {"kerberos-2@ssh.com",
+                userauth_kerberos,
+                &options.kerberos_authentication,
+                NULL},
+#endif
        {"publickey",
                userauth_pubkey,
                &options.pubkey_authentication,
@@ -1112,6 +1123,94 @@ userauth_hostbased(Authctxt *authctxt)
        return 1;
 }
+#if KRB5
+static int
+ssh_krb5_helper(krb5_data *ap)
+{
+        krb5_context xcontext = NULL;   /* XXX share with ssh1 */
+        krb5_auth_context xauth_context = NULL;
+        krb5_context *context;
+        krb5_auth_context *auth_context;
+        krb5_error_code problem;
+        const char *tkfile;
+        struct stat buf;
+        krb5_ccache ccache = NULL;
+        const char *remotehost;
+        int ret;
+        memset(ap, 0, sizeof(*ap));
+        context = &xcontext;
+        auth_context = &xauth_context;
+        problem = krb5_init_context(context);
+        if (problem) {
+                debug("Kerberos v5: krb5_init_context failed");
+                ret = 0;
+                goto out;
+        }
+        tkfile = krb5_cc_default_name(*context);
+        if (strncmp(tkfile, "FILE:", 5) == 0)
+                tkfile += 5;
+        if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+                debug("Kerberos v5: could not get default ccache (permission denied).");
+                ret = 0;
+                goto out;
+        }
+        problem = krb5_cc_default(*context, &ccache);
+        if (problem) {
+                debug("Kerberos v5: krb5_cc_default failed: %s",
+                    krb5_get_err_text(*context, problem));
+                ret = 0;
+                goto out;
+        }
+        remotehost = get_canonical_hostname(1);
+        problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+            "host", remotehost, NULL, ccache, ap);
+        if (problem) {
+                debug("Kerberos v5: krb5_mk_req failed: %s",
+                    krb5_get_err_text(*context, problem));
+                ret = 0;
+                goto out;
+        }
+        ret = 1;
+ out:
+        if (ccache != NULL)
+                krb5_cc_close(*context, ccache);
+        if (*auth_context)
+                krb5_auth_con_free(*context, *auth_context);
+        if (*context)
+                krb5_free_context(*context);
+        return (ret);
+}
+int
+userauth_kerberos(Authctxt *authctxt)
+{
+        krb5_data ap;
+        if (ssh_krb5_helper(&ap) == 0)
+                return (0);
+        packet_start(SSH2_MSG_USERAUTH_REQUEST);
+        packet_put_cstring(authctxt->server_user);
+        packet_put_cstring(authctxt->service);
+        packet_put_cstring(authctxt->method->name);
+        packet_put_string(ap.data, ap.length);
+        packet_send();
+        krb5_data_free(&ap);
+        return (1);
+}
+#endif
 /* find auth method */
 /*

diff --git a/sshconnect2.c b/sshconnect2.c index 74d699ff2..0605e4e5f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c
@@ -23,7 +23,11 @@
23	*/	23	*/
24		24
25	#include "includes.h"	25	#include "includes.h"
26	RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $");	26	RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
		27
		28	#ifdef KRB5
		29	#include <krb5.h>
		30	#endif
27		31
28	#include "ssh.h"	32	#include "ssh.h"
29	#include "ssh2.h"	33	#include "ssh2.h"
@@ -190,6 +194,7 @@ int userauth_pubkey(Authctxt *);
190	int userauth_passwd(Authctxt *);	194	int userauth_passwd(Authctxt *);
191	int userauth_kbdint(Authctxt *);	195	int userauth_kbdint(Authctxt *);
192	int userauth_hostbased(Authctxt *);	196	int userauth_hostbased(Authctxt *);
		197	int userauth_kerberos(Authctxt *);
193		198
194	void userauth(Authctxt , char );	199	void userauth(Authctxt , char );
195		200
@@ -208,6 +213,12 @@ Authmethod authmethods[] = {
208	userauth_hostbased,	213	userauth_hostbased,
209	&options.hostbased_authentication,	214	&options.hostbased_authentication,
210	NULL},	215	NULL},
		216	#if KRB5
		217	{"kerberos-2@ssh.com",
		218	userauth_kerberos,
		219	&options.kerberos_authentication,
		220	NULL},
		221	#endif
211	{"publickey",	222	{"publickey",
212	userauth_pubkey,	223	userauth_pubkey,
213	&options.pubkey_authentication,	224	&options.pubkey_authentication,
@@ -1112,6 +1123,94 @@ userauth_hostbased(Authctxt *authctxt)
1112	return 1;	1123	return 1;
1113	}	1124	}
1114		1125
		1126	#if KRB5
		1127	static int
		1128	ssh_krb5_helper(krb5_data *ap)
		1129	{
		1130	krb5_context xcontext = NULL; /* XXX share with ssh1 */
		1131	krb5_auth_context xauth_context = NULL;
		1132
		1133	krb5_context *context;
		1134	krb5_auth_context *auth_context;
		1135	krb5_error_code problem;
		1136	const char *tkfile;
		1137	struct stat buf;
		1138	krb5_ccache ccache = NULL;
		1139	const char *remotehost;
		1140	int ret;
		1141
		1142	memset(ap, 0, sizeof(*ap));
		1143
		1144	context = &xcontext;
		1145	auth_context = &xauth_context;
		1146
		1147	problem = krb5_init_context(context);
		1148	if (problem) {
		1149	debug("Kerberos v5: krb5_init_context failed");
		1150	ret = 0;
		1151	goto out;
		1152	}
		1153
		1154	tkfile = krb5_cc_default_name(*context);
		1155	if (strncmp(tkfile, "FILE:", 5) == 0)
		1156	tkfile += 5;
		1157
		1158	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
		1159	debug("Kerberos v5: could not get default ccache (permission denied).");
		1160	ret = 0;
		1161	goto out;
		1162	}
		1163
		1164	problem = krb5_cc_default(*context, &ccache);
		1165	if (problem) {
		1166	debug("Kerberos v5: krb5_cc_default failed: %s",
		1167	krb5_get_err_text(*context, problem));
		1168	ret = 0;
		1169	goto out;
		1170	}
		1171
		1172	remotehost = get_canonical_hostname(1);
		1173
		1174	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
		1175	"host", remotehost, NULL, ccache, ap);
		1176	if (problem) {
		1177	debug("Kerberos v5: krb5_mk_req failed: %s",
		1178	krb5_get_err_text(*context, problem));
		1179	ret = 0;
		1180	goto out;
		1181	}
		1182	ret = 1;
		1183
		1184	out:
		1185	if (ccache != NULL)
		1186	krb5_cc_close(*context, ccache);
		1187	if (*auth_context)
		1188	krb5_auth_con_free(context, auth_context);
		1189	if (*context)
		1190	krb5_free_context(*context);
		1191	return (ret);
		1192	}
		1193
		1194	int
		1195	userauth_kerberos(Authctxt *authctxt)
		1196	{
		1197	krb5_data ap;
		1198
		1199	if (ssh_krb5_helper(&ap) == 0)
		1200	return (0);
		1201
		1202	packet_start(SSH2_MSG_USERAUTH_REQUEST);
		1203	packet_put_cstring(authctxt->server_user);
		1204	packet_put_cstring(authctxt->service);
		1205	packet_put_cstring(authctxt->method->name);
		1206	packet_put_string(ap.data, ap.length);
		1207	packet_send();
		1208
		1209	krb5_data_free(&ap);
		1210	return (1);
		1211	}
		1212	#endif
		1213
1115	/* find auth method */	1214	/* find auth method */
1116		1215
1117	/*	1216	/*