From d558092522153caa627e33e4a76c6f64332bc609 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:40:06 +1000 Subject: - (djm) RCSID sync w/ OpenBSD --- sshconnect2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sshconnect2.c') diff --git a/sshconnect2.c b/sshconnect2.c index 90b884a39..d32960447 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.115 2003/04/02 09:48:07 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.116 2003/04/08 20:21:29 itojun Exp $"); #include "ssh.h" #include "ssh2.h" -- cgit v1.2.3 From 280ecfb6e4072ebe4e6e29850492b5cc15491eb4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:46:00 +1000 Subject: - markus@cvs.openbsd.org 2003/05/12 16:55:37 [sshconnect2.c] for pubkey authentication try the user keys in the following order: 1. agent keys that are found in the config file 2. other agent keys 3. keys that are only listed in the config file this helps when an agent has many keys, where the server might close the connection before the correct key is used. report & ok pb@ --- ChangeLog | 10 +- sshconnect2.c | 336 +++++++++++++++++++++++++++++++++------------------------- 2 files changed, 199 insertions(+), 147 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index 795bae3c4..f02114c01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -45,6 +45,14 @@ - markus@cvs.openbsd.org 2003/05/11 20:30:25 [channels.c clientloop.c serverloop.c session.c ssh.c] make channel_new() strdup the 'remote_name' (not the caller); ok theo + - markus@cvs.openbsd.org 2003/05/12 16:55:37 + [sshconnect2.c] + for pubkey authentication try the user keys in the following order: + 1. agent keys that are found in the config file + 2. other agent keys + 3. keys that are only listed in the config file + this helps when an agent has many keys, where the server might + close the connection before the correct key is used. report & ok pb@ 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1432,4 +1440,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2688 2003/05/14 03:45:42 djm Exp $ +$Id: ChangeLog,v 1.2689 2003/05/14 03:46:00 djm Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index d32960447..74d699ff2 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.116 2003/04/08 20:21:29 itojun Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $"); #include "ssh.h" #include "ssh2.h" @@ -141,10 +141,18 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) typedef struct Authctxt Authctxt; typedef struct Authmethod Authmethod; - -typedef int sign_cb_fn( - Authctxt *authctxt, Key *key, - u_char **sigp, u_int *lenp, u_char *data, u_int datalen); +typedef struct identity Identity; +typedef struct idlist Idlist; + +struct identity { + TAILQ_ENTRY(identity) next; + AuthenticationConnection *ac; /* set if agent supports key */ + Key *key; /* public/private key */ + char *filename; /* comment for agent-only keys */ + int tried; + int isprivate; /* key points to the private key */ +}; +TAILQ_HEAD(idlist, identity); struct Authctxt { const char *server_user; @@ -155,9 +163,7 @@ struct Authctxt { int success; char *authlist; /* pubkey */ - Key *last_key; - sign_cb_fn *last_key_sign; - int last_key_hint; + Idlist keys; AuthenticationConnection *agent; /* hostbased */ Sensitive *sensitive; @@ -187,8 +193,11 @@ int userauth_hostbased(Authctxt *); void userauth(Authctxt *, char *); -static int sign_and_send_pubkey(Authctxt *, Key *, sign_cb_fn *); +static int sign_and_send_pubkey(Authctxt *, Identity *); static void clear_auth_state(Authctxt *); +static void pubkey_prepare(Authctxt *); +static void pubkey_cleanup(Authctxt *); +static Key *load_identity_file(char *); static Authmethod *authmethod_get(char *authlist); static Authmethod *authmethod_lookup(const char *name); @@ -251,7 +260,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, /* setup authentication context */ memset(&authctxt, 0, sizeof(authctxt)); - authctxt.agent = ssh_get_authentication_connection(); + pubkey_prepare(&authctxt); authctxt.server_user = server_user; authctxt.local_user = local_user; authctxt.host = host; @@ -273,9 +282,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner); dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */ - if (authctxt.agent != NULL) - ssh_close_authentication_connection(authctxt.agent); - + pubkey_cleanup(&authctxt); debug("Authentication succeeded (%s).", authctxt.method->name); } void @@ -360,6 +367,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) { Authctxt *authctxt = ctxt; Key *key = NULL; + Identity *id = NULL; Buffer b; int pktype, sent = 0; u_int alen, blen; @@ -382,40 +390,33 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) } packet_check_eom(); - debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d", - pkalg, blen, authctxt->last_key, authctxt->last_key_hint); + debug("Server accepts key: pkalg %s blen %u", pkalg, blen); - do { - if (authctxt->last_key == NULL || - authctxt->last_key_sign == NULL) { - debug("no last key or no sign cb"); - break; - } - if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) { - debug("unknown pkalg %s", pkalg); - break; - } - if ((key = key_from_blob(pkblob, blen)) == NULL) { - debug("no key from blob. pkalg %s", pkalg); - break; - } - if (key->type != pktype) { - error("input_userauth_pk_ok: type mismatch " - "for decoded key (received %d, expected %d)", - key->type, pktype); - break; - } - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - debug2("input_userauth_pk_ok: fp %s", fp); - xfree(fp); - if (!key_equal(key, authctxt->last_key)) { - debug("key != last_key"); + if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) { + debug("unknown pkalg %s", pkalg); + goto done; + } + if ((key = key_from_blob(pkblob, blen)) == NULL) { + debug("no key from blob. pkalg %s", pkalg); + goto done; + } + if (key->type != pktype) { + error("input_userauth_pk_ok: type mismatch " + "for decoded key (received %d, expected %d)", + key->type, pktype); + goto done; + } + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + debug2("input_userauth_pk_ok: fp %s", fp); + xfree(fp); + + TAILQ_FOREACH(id, &authctxt->keys, next) { + if (key_equal(key, id->key)) { + sent = sign_and_send_pubkey(authctxt, id); break; } - sent = sign_and_send_pubkey(authctxt, key, - authctxt->last_key_sign); - } while (0); - + } +done: if (key != NULL) key_free(key); xfree(pkalg); @@ -428,7 +429,6 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) /* try another method if we did not send a packet */ if (sent == 0) userauth(authctxt, NULL); - } int @@ -547,18 +547,35 @@ clear_auth_state(Authctxt *authctxt) { /* XXX clear authentication state */ dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, NULL); +} - if (authctxt->last_key != NULL && authctxt->last_key_hint == -1) { - debug3("clear_auth_state: key_free %p", authctxt->last_key); - key_free(authctxt->last_key); - } - authctxt->last_key = NULL; - authctxt->last_key_hint = -2; - authctxt->last_key_sign = NULL; +static int +identity_sign(Identity *id, u_char **sigp, u_int *lenp, + u_char *data, u_int datalen) +{ + Key *prv; + int ret; + + /* the agent supports this key */ + if (id->ac) + return (ssh_agent_sign(id->ac, id->key, sigp, lenp, + data, datalen)); + /* + * we have already loaded the private key or + * the private key is stored in external hardware + */ + if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) + return (key_sign(id->key, sigp, lenp, data, datalen)); + /* load the private key from the file */ + if ((prv = load_identity_file(id->filename)) == NULL) + return (-1); + ret = key_sign(prv, sigp, lenp, data, datalen); + key_free(prv); + return (ret); } static int -sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) +sign_and_send_pubkey(Authctxt *authctxt, Identity *id) { Buffer b; u_char *blob, *signature; @@ -569,7 +586,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) debug3("sign_and_send_pubkey"); - if (key_to_blob(k, &blob, &bloblen) == 0) { + if (key_to_blob(id->key, &blob, &bloblen) == 0) { /* we cannot handle this key */ debug3("sign_and_send_pubkey: cannot handle key"); return 0; @@ -594,12 +611,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) } else { buffer_put_cstring(&b, authctxt->method->name); buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, key_ssh_name(k)); + buffer_put_cstring(&b, key_ssh_name(id->key)); } buffer_put_string(&b, blob, bloblen); /* generate signature */ - ret = (*sign_callback)(authctxt, k, &signature, &slen, + ret = identity_sign(id, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { xfree(blob); @@ -619,7 +636,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) buffer_put_cstring(&b, authctxt->method->name); buffer_put_char(&b, have_sig); if (!(datafellows & SSH_BUG_PKAUTH)) - buffer_put_cstring(&b, key_ssh_name(k)); + buffer_put_cstring(&b, key_ssh_name(id->key)); buffer_put_string(&b, blob, bloblen); } xfree(blob); @@ -643,23 +660,19 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback) } static int -send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback, - int hint) +send_pubkey_test(Authctxt *authctxt, Identity *id) { u_char *blob; u_int bloblen, have_sig = 0; debug3("send_pubkey_test"); - if (key_to_blob(k, &blob, &bloblen) == 0) { + if (key_to_blob(id->key, &blob, &bloblen) == 0) { /* we cannot handle this key */ debug3("send_pubkey_test: cannot handle key"); return 0; } /* register callback for USERAUTH_PK_OK message */ - authctxt->last_key_sign = sign_callback; - authctxt->last_key_hint = hint; - authctxt->last_key = k; dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok); packet_start(SSH2_MSG_USERAUTH_REQUEST); @@ -668,7 +681,7 @@ send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback, packet_put_cstring(authctxt->method->name); packet_put_char(have_sig); if (!(datafellows & SSH_BUG_PKAUTH)) - packet_put_cstring(key_ssh_name(k)); + packet_put_cstring(key_ssh_name(id->key)); packet_put_string(blob, bloblen); xfree(blob); packet_send(); @@ -713,103 +726,134 @@ load_identity_file(char *filename) return private; } -static int -identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen) -{ - Key *private; - int idx, ret; - - idx = authctxt->last_key_hint; - if (idx < 0) - return -1; - - /* private key is stored in external hardware */ - if (options.identity_keys[idx]->flags & KEY_FLAG_EXT) - return key_sign(options.identity_keys[idx], sigp, lenp, data, datalen); - - private = load_identity_file(options.identity_files[idx]); - if (private == NULL) - return -1; - ret = key_sign(private, sigp, lenp, data, datalen); - key_free(private); - return ret; -} - -static int -agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen) -{ - return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen); -} - -static int -key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen) +/* + * try keys in the following order: + * 1. agent keys that are found in the config file + * 2. other agent keys + * 3. keys that are only listed in the config file + */ +static void +pubkey_prepare(Authctxt *authctxt) { - return key_sign(key, sigp, lenp, data, datalen); + Identity *id; + Idlist agent, files, *preferred; + Key *key; + AuthenticationConnection *ac; + char *comment; + int i, found; + + TAILQ_INIT(&agent); /* keys from the agent */ + TAILQ_INIT(&files); /* keys from the config file */ + preferred = &authctxt->keys; + TAILQ_INIT(preferred); /* preferred order of keys */ + + /* list of keys stored in the filesystem */ + for (i = 0; i < options.num_identity_files; i++) { + key = options.identity_keys[i]; + if (key && key->type == KEY_RSA1) + continue; + options.identity_keys[i] = NULL; + id = xmalloc(sizeof(*id)); + memset(id, 0, sizeof(*id)); + id->key = key; + id->filename = xstrdup(options.identity_files[i]); + TAILQ_INSERT_TAIL(&files, id, next); + } + /* list of keys supported by the agent */ + if ((ac = ssh_get_authentication_connection())) { + for (key = ssh_get_first_identity(ac, &comment, 2); + key != NULL; + key = ssh_get_next_identity(ac, &comment, 2)) { + found = 0; + TAILQ_FOREACH(id, &files, next) { + /* agent keys from the config file are preferred */ + if (key_equal(key, id->key)) { + key_free(key); + xfree(comment); + TAILQ_REMOVE(&files, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + id->ac = ac; + found = 1; + break; + } + } + if (!found) { + id = xmalloc(sizeof(*id)); + memset(id, 0, sizeof(*id)); + id->key = key; + id->filename = comment; + id->ac = ac; + TAILQ_INSERT_TAIL(&agent, id, next); + } + } + /* append remaining agent keys */ + for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) { + TAILQ_REMOVE(&agent, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + } + authctxt->agent = ac; + } + /* append remaining keys from the config file */ + for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) { + TAILQ_REMOVE(&files, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + } + TAILQ_FOREACH(id, preferred, next) { + debug2("key: %s (%p)", id->filename, id->key); + } } -static int -userauth_pubkey_agent(Authctxt *authctxt) +static void +pubkey_cleanup(Authctxt *authctxt) { - static int called = 0; - int ret = 0; - char *comment; - Key *k; - - if (called == 0) { - if (ssh_get_num_identities(authctxt->agent, 2) == 0) - debug2("userauth_pubkey_agent: no keys at all"); - called = 1; + Identity *id; + + if (authctxt->agent != NULL) + ssh_close_authentication_connection(authctxt->agent); + for (id = TAILQ_FIRST(&authctxt->keys); id; + id = TAILQ_FIRST(&authctxt->keys)) { + TAILQ_REMOVE(&authctxt->keys, id, next); + if (id->key) + key_free(id->key); + if (id->filename) + xfree(id->filename); + xfree(id); } - k = ssh_get_next_identity(authctxt->agent, &comment, 2); - if (k == NULL) { - debug2("userauth_pubkey_agent: no more keys"); - } else { - debug("Offering agent key: %s", comment); - xfree(comment); - ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1); - if (ret == 0) - key_free(k); - } - if (ret == 0) - debug2("userauth_pubkey_agent: no message sent"); - return ret; } int userauth_pubkey(Authctxt *authctxt) { - static int idx = 0; + Identity *id; int sent = 0; - Key *key; - char *filename; - if (authctxt->agent != NULL) { - do { - sent = userauth_pubkey_agent(authctxt); - } while (!sent && authctxt->agent->howmany > 0); - } - while (!sent && idx < options.num_identity_files) { - key = options.identity_keys[idx]; - filename = options.identity_files[idx]; - if (key == NULL) { - debug("Trying private key: %s", filename); - key = load_identity_file(filename); - if (key != NULL) { - sent = sign_and_send_pubkey(authctxt, key, - key_sign_cb); - key_free(key); + while ((id = TAILQ_FIRST(&authctxt->keys))) { + if (id->tried++) + return (0); + TAILQ_REMOVE(&authctxt->keys, id, next); + TAILQ_INSERT_TAIL(&authctxt->keys, id, next); + /* + * send a test message if we have the public key. for + * encrypted keys we cannot do this and have to load the + * private key instead + */ + if (id->key && id->key->type != KEY_RSA1) { + debug("Offering public key: %s", id->filename); + sent = send_pubkey_test(authctxt, id); + } else if (id->key == NULL) { + debug("Trying private key: %s", id->filename); + id->key = load_identity_file(id->filename); + if (id->key != NULL) { + id->isprivate = 1; + sent = sign_and_send_pubkey(authctxt, id); + key_free(id->key); + id->key = NULL; } - } else if (key->type != KEY_RSA1) { - debug("Offering public key: %s", filename); - sent = send_pubkey_test(authctxt, key, - identity_sign_cb, idx); } - idx++; + if (sent) + return (sent); } - return sent; + return (0); } /* -- cgit v1.2.3 From 3ab496b3dd961423bc5e312fd5dbbef975f4d238 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 13:47:37 +1000 Subject: - markus@cvs.openbsd.org 2003/05/14 02:15:47 [auth2.c monitor.c sshconnect2.c auth2-krb5.c] implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@ --- ChangeLog | 6 +++- auth2-krb5.c | 66 ++++++++++++++++++++++++++++++++++++++ auth2.c | 8 ++++- monitor.c | 7 +++- sshconnect2.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 5 files changed, 184 insertions(+), 4 deletions(-) create mode 100644 auth2-krb5.c (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index 53d039fc3..e37d26ad7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -63,6 +63,10 @@ [sftp.1] emphasise the batchmode functionality and make reference to pubkey auth, both of which are FAQs; ok markus@ + - markus@cvs.openbsd.org 2003/05/14 02:15:47 + [auth2.c monitor.c sshconnect2.c auth2-krb5.c] + implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ + server interops with commercial client; ok jakob@ djm@ 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1450,4 +1454,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2691 2003/05/14 03:47:07 djm Exp $ +$Id: ChangeLog,v 1.2692 2003/05/14 03:47:37 djm Exp $ diff --git a/auth2-krb5.c b/auth2-krb5.c new file mode 100644 index 000000000..ea4d76da0 --- /dev/null +++ b/auth2-krb5.c @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2003 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +RCSID("$OpenBSD: auth2-krb5.c,v 1.1 2003/05/14 02:15:47 markus Exp $"); + +#include + +#include "ssh2.h" +#include "xmalloc.h" +#include "packet.h" +#include "log.h" +#include "auth.h" +#include "monitor_wrap.h" +#include "servconf.h" + +/* import */ +extern ServerOptions options; + +static int +userauth_kerberos(Authctxt *authctxt) +{ + krb5_data tkt, reply; + char *client = NULL; + int authenticated = 0; + + tkt.data = packet_get_string(&tkt.length); + packet_check_eom(); + + if (PRIVSEP(auth_krb5(authctxt, &tkt, &client, &reply))) { + authenticated = 1; + if (reply.length) + xfree(reply.data); + } + if (client) + xfree(client); + xfree(tkt.data); + return (authenticated); +} + +Authmethod method_kerberos = { + "kerberos-2@ssh.com", + userauth_kerberos, + &options.kerberos_authentication +}; diff --git a/auth2.c b/auth2.c index b2f14bacd..03d170e23 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.97 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -50,6 +50,9 @@ extern Authmethod method_pubkey; extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; +#ifdef KRB5 +extern Authmethod method_kerberos; +#endif Authmethod *authmethods[] = { &method_none, @@ -57,6 +60,9 @@ Authmethod *authmethods[] = { &method_passwd, &method_kbdint, &method_hostbased, +#ifdef KRB5 + &method_kerberos, +#endif NULL }; diff --git a/monitor.c b/monitor.c index 1f6677581..78d1e2e0c 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.38 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $"); #include @@ -182,6 +182,9 @@ struct mon_table mon_dispatch_proto20[] = { #endif {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, +#ifdef KRB5 + {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, +#endif {0, 0, NULL} }; @@ -1483,6 +1486,8 @@ mm_answer_krb5(int socket, Buffer *m) } mm_request_send(socket, MONITOR_ANS_KRB5, m); + auth_method = "kerberos"; + return success; } #endif diff --git a/sshconnect2.c b/sshconnect2.c index 74d699ff2..0605e4e5f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $"); + +#ifdef KRB5 +#include +#endif #include "ssh.h" #include "ssh2.h" @@ -190,6 +194,7 @@ int userauth_pubkey(Authctxt *); int userauth_passwd(Authctxt *); int userauth_kbdint(Authctxt *); int userauth_hostbased(Authctxt *); +int userauth_kerberos(Authctxt *); void userauth(Authctxt *, char *); @@ -208,6 +213,12 @@ Authmethod authmethods[] = { userauth_hostbased, &options.hostbased_authentication, NULL}, +#if KRB5 + {"kerberos-2@ssh.com", + userauth_kerberos, + &options.kerberos_authentication, + NULL}, +#endif {"publickey", userauth_pubkey, &options.pubkey_authentication, @@ -1112,6 +1123,94 @@ userauth_hostbased(Authctxt *authctxt) return 1; } +#if KRB5 +static int +ssh_krb5_helper(krb5_data *ap) +{ + krb5_context xcontext = NULL; /* XXX share with ssh1 */ + krb5_auth_context xauth_context = NULL; + + krb5_context *context; + krb5_auth_context *auth_context; + krb5_error_code problem; + const char *tkfile; + struct stat buf; + krb5_ccache ccache = NULL; + const char *remotehost; + int ret; + + memset(ap, 0, sizeof(*ap)); + + context = &xcontext; + auth_context = &xauth_context; + + problem = krb5_init_context(context); + if (problem) { + debug("Kerberos v5: krb5_init_context failed"); + ret = 0; + goto out; + } + + tkfile = krb5_cc_default_name(*context); + if (strncmp(tkfile, "FILE:", 5) == 0) + tkfile += 5; + + if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { + debug("Kerberos v5: could not get default ccache (permission denied)."); + ret = 0; + goto out; + } + + problem = krb5_cc_default(*context, &ccache); + if (problem) { + debug("Kerberos v5: krb5_cc_default failed: %s", + krb5_get_err_text(*context, problem)); + ret = 0; + goto out; + } + + remotehost = get_canonical_hostname(1); + + problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, + "host", remotehost, NULL, ccache, ap); + if (problem) { + debug("Kerberos v5: krb5_mk_req failed: %s", + krb5_get_err_text(*context, problem)); + ret = 0; + goto out; + } + ret = 1; + + out: + if (ccache != NULL) + krb5_cc_close(*context, ccache); + if (*auth_context) + krb5_auth_con_free(*context, *auth_context); + if (*context) + krb5_free_context(*context); + return (ret); +} + +int +userauth_kerberos(Authctxt *authctxt) +{ + krb5_data ap; + + if (ssh_krb5_helper(&ap) == 0) + return (0); + + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_put_string(ap.data, ap.length); + packet_send(); + + krb5_data_free(&ap); + return (1); +} +#endif + /* find auth method */ /* -- cgit v1.2.3 From 9c617693c2250c62e5e326372bc783e3416a94b0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 14:31:11 +1000 Subject: - (djm) Make portable build with MIT krb5 (some issues remain) --- ChangeLog | 3 ++- Makefile.in | 4 ++-- auth-krb5.c | 1 + auth2-krb5.c | 4 ++++ sshconnect2.c | 10 ++++++++++ 5 files changed, 19 insertions(+), 3 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index e37d26ad7..6d79daeba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -67,6 +67,7 @@ [auth2.c monitor.c sshconnect2.c auth2-krb5.c] implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ server interops with commercial client; ok jakob@ djm@ + - (djm) Make portable build with MIT krb5 (some issues remain) 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1454,4 +1455,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2692 2003/05/14 03:47:37 djm Exp $ +$Id: ChangeLog,v 1.2693 2003/05/14 04:31:11 djm Exp $ diff --git a/Makefile.in b/Makefile.in index 670d9b500..ba898db40 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.231 2003/05/10 09:28:02 djm Exp $ +# $Id: Makefile.in,v 1.232 2003/05/14 04:31:11 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -80,7 +80,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ - auth-krb5.o auth-krb4.o \ + auth-krb5.o auth2-krb5.o auth-krb4.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff --git a/auth-krb5.c b/auth-krb5.c index 34b9d661a..0a6f826e7 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -40,6 +40,7 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); #include "auth.h" #ifdef KRB5 + #include #ifndef HEIMDAL #define krb5_get_err_text(context,code) error_message(code) diff --git a/auth2-krb5.c b/auth2-krb5.c index ea4d76da0..b4ff16b62 100644 --- a/auth2-krb5.c +++ b/auth2-krb5.c @@ -25,6 +25,8 @@ #include "includes.h" RCSID("$OpenBSD: auth2-krb5.c,v 1.1 2003/05/14 02:15:47 markus Exp $"); +#ifdef KRB5 + #include #include "ssh2.h" @@ -64,3 +66,5 @@ Authmethod method_kerberos = { userauth_kerberos, &options.kerberos_authentication }; + +#endif /* KRB5 */ diff --git a/sshconnect2.c b/sshconnect2.c index 0605e4e5f..f91f5b274 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -27,8 +27,13 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $"); #ifdef KRB5 #include +#ifndef HEIMDAL +#define krb5_get_err_text(context,code) error_message(code) +#endif /* !HEIMDAL */ #endif +#include "openbsd-compat/sys-queue.h" + #include "ssh.h" #include "ssh2.h" #include "xmalloc.h" @@ -1206,7 +1211,12 @@ userauth_kerberos(Authctxt *authctxt) packet_put_string(ap.data, ap.length); packet_send(); +#ifdef HEIMDAL krb5_data_free(&ap); +#else +# warning "XXX - leaks ap data on MIT kerberos" +#endif + return (1); } #endif -- cgit v1.2.3 From 4d995195354696ae0ab6dea7dfa3367fc144ce89 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 14 May 2003 19:23:56 +1000 Subject: - (djm) Avoid KrbV leak for MIT Kerberos --- ChangeLog | 3 ++- sshconnect2.c | 20 +++++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index a4e47e09a..67bf74e78 100644 --- a/ChangeLog +++ b/ChangeLog @@ -72,6 +72,7 @@ over usage of PAM. This allows non-root use of sshd when built with --with-pam - (djm) Die screaming if start_pam() is called when UsePAM=no + - (djm) Avoid KrbV leak for MIT Kerberos 20030512 - (djm) Redhat spec: Don't install profile.d scripts when not @@ -1459,4 +1460,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2695 2003/05/14 05:31:12 djm Exp $ +$Id: ChangeLog,v 1.2696 2003/05/14 09:23:56 djm Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index f91f5b274..36d592b42 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1130,12 +1130,10 @@ userauth_hostbased(Authctxt *authctxt) #if KRB5 static int -ssh_krb5_helper(krb5_data *ap) +ssh_krb5_helper(krb5_data *ap, krb5_context *context) { krb5_context xcontext = NULL; /* XXX share with ssh1 */ krb5_auth_context xauth_context = NULL; - - krb5_context *context; krb5_auth_context *auth_context; krb5_error_code problem; const char *tkfile; @@ -1191,8 +1189,6 @@ ssh_krb5_helper(krb5_data *ap) krb5_cc_close(*context, ccache); if (*auth_context) krb5_auth_con_free(*context, *auth_context); - if (*context) - krb5_free_context(*context); return (ret); } @@ -1200,9 +1196,11 @@ int userauth_kerberos(Authctxt *authctxt) { krb5_data ap; + krb5_context *context; + int ret = 0; - if (ssh_krb5_helper(&ap) == 0) - return (0); + if (ssh_krb5_helper(&ap, context) == 0) + goto out; packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); @@ -1214,10 +1212,14 @@ userauth_kerberos(Authctxt *authctxt) #ifdef HEIMDAL krb5_data_free(&ap); #else -# warning "XXX - leaks ap data on MIT kerberos" + krb5_free_data_contents(*context, &ap); #endif + ret = 1; - return (1); +out: + if (*context) + krb5_free_context(*context); + return ret; } #endif -- cgit v1.2.3 From f842fcb296b9fbc0de905837c6074c732db550e5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 May 2003 12:01:28 +1000 Subject: - markus@cvs.openbsd.org 2003/05/15 00:28:28 [sshconnect2.c] cleanup unregister of per-method packet handlers; ok djm@ --- ChangeLog | 5 ++++- sshconnect2.c | 25 ++++++++++--------------- 2 files changed, 14 insertions(+), 16 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index 590a3f6c4..a6e2446e5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ - markus@cvs.openbsd.org 2003/05/14 22:24:42 [clientloop.c session.c ssh.1] allow to send a BREAK to the remote system; ok various + - markus@cvs.openbsd.org 2003/05/15 00:28:28 + [sshconnect2.c] + cleanup unregister of per-method packet handlers; ok djm@ - (djm) Configure glue for DNS support (code doesn't work in portable yet) 20030514 @@ -1489,4 +1492,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2704 2003/05/15 00:53:49 djm Exp $ +$Id: ChangeLog,v 1.2705 2003/05/15 02:01:28 djm Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index 36d592b42..1b85730fe 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.119 2003/05/15 00:28:28 markus Exp $"); #ifdef KRB5 #include @@ -204,7 +204,6 @@ int userauth_kerberos(Authctxt *); void userauth(Authctxt *, char *); static int sign_and_send_pubkey(Authctxt *, Identity *); -static void clear_auth_state(Authctxt *); static void pubkey_prepare(Authctxt *); static void pubkey_cleanup(Authctxt *); static Key *load_identity_file(char *); @@ -299,8 +298,11 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt); /* loop until success */ pubkey_cleanup(&authctxt); + dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); + debug("Authentication succeeded (%s).", authctxt.method->name); } + void userauth(Authctxt *authctxt, char *authlist) { @@ -316,6 +318,12 @@ userauth(Authctxt *authctxt, char *authlist) if (method == NULL) fatal("Permission denied (%s).", authlist); authctxt->method = method; + + /* reset the per method handler */ + dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN, + SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL); + + /* and try new method */ if (method->userauth(authctxt) != 0) { debug2("we sent a %s packet, wait for reply", method->name); break; @@ -353,7 +361,6 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt) fatal("input_userauth_success: no authentication context"); if (authctxt->authlist) xfree(authctxt->authlist); - clear_auth_state(authctxt); authctxt->success = 1; /* break out */ } @@ -375,7 +382,6 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt) logit("Authenticated with partial success."); debug("Authentications that can continue: %s", authlist); - clear_auth_state(authctxt); userauth(authctxt, authlist); } void @@ -438,10 +444,6 @@ done: xfree(pkalg); xfree(pkblob); - /* unregister */ - clear_auth_state(authctxt); - dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL); - /* try another method if we did not send a packet */ if (sent == 0) userauth(authctxt, NULL); @@ -558,13 +560,6 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt) &input_userauth_passwd_changereq); } -static void -clear_auth_state(Authctxt *authctxt) -{ - /* XXX clear authentication state */ - dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, NULL); -} - static int identity_sign(Identity *id, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) -- cgit v1.2.3 From 502d384b74fae68dd9e265f48c2026cef6c12806 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 28 Jun 2003 12:38:01 +1000 Subject: - markus@cvs.openbsd.org 2003/06/24 08:23:46 [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c] int -> u_int; ok djm@, deraadt@, mouring@ --- ChangeLog | 6 +++++- auth2-hostbased.c | 4 ++-- auth2-pubkey.c | 4 ++-- auth2.c | 4 ++-- channels.c | 4 ++-- key.c | 6 +++--- key.h | 4 ++-- monitor.c | 4 ++-- packet.c | 8 ++++---- packet.h | 6 +++--- serverloop.c | 6 +++--- sshconnect2.c | 6 +++--- sshd.c | 4 ++-- 13 files changed, 35 insertions(+), 31 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index e6d0ce878..e64ef5b33 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - markus@cvs.openbsd.org 2003/06/23 09:02:44 [ssh_config.5] document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@ + - markus@cvs.openbsd.org 2003/06/24 08:23:46 + [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h + monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c] + int -> u_int; ok djm@, deraadt@, mouring@ 20030624 - (dtucker) Have configure refer the user to config.log and @@ -589,4 +593,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2824 2003/06/28 02:33:12 dtucker Exp $ +$Id: ChangeLog,v 1.2825 2003/06/28 02:38:01 dtucker Exp $ diff --git a/auth2-hostbased.c b/auth2-hostbased.c index bbc7d8a4d..505d3eff4 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $"); +RCSID("$OpenBSD: auth2-hostbased.c,v 1.5 2003/06/24 08:23:46 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -42,7 +42,7 @@ RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $"); /* import */ extern ServerOptions options; extern u_char *session_id2; -extern int session_id2_len; +extern u_int session_id2_len; static int userauth_hostbased(Authctxt *authctxt) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 85ee33eed..d51e939f1 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-pubkey.c,v 1.3 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth2-pubkey.c,v 1.4 2003/06/24 08:23:46 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -44,7 +44,7 @@ RCSID("$OpenBSD: auth2-pubkey.c,v 1.3 2003/04/08 20:21:28 itojun Exp $"); /* import */ extern ServerOptions options; extern u_char *session_id2; -extern int session_id2_len; +extern u_int session_id2_len; static int userauth_pubkey(Authctxt *authctxt) diff --git a/auth2.c b/auth2.c index 5ca020001..639bf9117 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.99 2003/06/24 08:23:46 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -39,7 +39,7 @@ RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $"); /* import */ extern ServerOptions options; extern u_char *session_id2; -extern int session_id2_len; +extern u_int session_id2_len; Authctxt *x_authctxt = NULL; diff --git a/channels.c b/channels.c index ad879cc61..04ef6575c 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.190 2003/05/11 20:30:24 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.191 2003/06/24 08:23:46 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -419,7 +419,7 @@ channel_not_very_much_buffered_data(void) } #endif if (buffer_len(&c->output) > packet_get_maxsize()) { - debug2("channel %d: big output buffer %d > %d", + debug2("channel %d: big output buffer %u > %u", c->self, buffer_len(&c->output), packet_get_maxsize()); return 0; diff --git a/key.c b/key.c index d918cfd0a..b101e1b27 100644 --- a/key.c +++ b/key.c @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.52 2003/05/14 18:16:20 jakob Exp $"); +RCSID("$OpenBSD: key.c,v 1.53 2003/06/24 08:23:46 markus Exp $"); #include @@ -438,7 +438,7 @@ key_read(Key *ret, char **cpp) xfree(blob); return -1; } - k = key_from_blob(blob, n); + k = key_from_blob(blob, (u_int)n); xfree(blob); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); @@ -674,7 +674,7 @@ key_names_valid2(const char *names) } Key * -key_from_blob(u_char *blob, int blen) +key_from_blob(u_char *blob, u_int blen) { Buffer b; char *ktype; diff --git a/key.h b/key.h index a7b6afe86..28753fdfa 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.21 2003/05/14 18:16:20 jakob Exp $ */ +/* $OpenBSD: key.h,v 1.22 2003/06/24 08:23:46 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -71,7 +71,7 @@ Key *key_generate(int, u_int); Key *key_from_private(Key *); int key_type_from_name(char *); -Key *key_from_blob(u_char *, int); +Key *key_from_blob(u_char *, u_int); int key_to_blob(Key *, u_char **, u_int *); char *key_ssh_name(Key *); int key_names_valid2(const char *); diff --git a/monitor.c b/monitor.c index f306794d4..3a8735f58 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.43 2003/06/12 07:57:38 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $"); #include @@ -141,7 +141,7 @@ static int key_blobtype = MM_NOKEY; static char *hostbased_cuser = NULL; static char *hostbased_chost = NULL; static char *auth_method = "unknown"; -static int session_id2_len = 0; +static u_int session_id2_len = 0; static u_char *session_id2 = NULL; static pid_t monitor_child_pid; diff --git a/packet.c b/packet.c index 07e90b899..022212074 100644 --- a/packet.c +++ b/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.107 2003/06/10 22:20:52 deraadt Exp $"); +RCSID("$OpenBSD: packet.c,v 1.108 2003/06/24 08:23:46 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -108,7 +108,7 @@ static int compression_buffer_ready = 0; static int packet_compression = 0; /* default maximum packet size */ -int max_packet_size = 32768; +u_int max_packet_size = 32768; /* Flag indicating whether this module has been initialized. */ static int initialized = 0; @@ -1446,8 +1446,8 @@ packet_is_interactive(void) return interactive_mode; } -int -packet_set_maxsize(int s) +u_int +packet_set_maxsize(u_int s) { static int called = 0; diff --git a/packet.h b/packet.h index fa000d686..7732fafb7 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.39 2003/04/08 20:21:29 itojun Exp $ */ +/* $OpenBSD: packet.h,v 1.40 2003/06/24 08:23:46 markus Exp $ */ /* * Author: Tatu Ylonen @@ -81,8 +81,8 @@ void packet_add_padding(u_char); void tty_make_modes(int, struct termios *); void tty_parse_modes(int, int *); -extern int max_packet_size; -int packet_set_maxsize(int); +extern u_int max_packet_size; +u_int packet_set_maxsize(u_int); #define packet_get_maxsize() max_packet_size /* don't allow remaining bytes after the end of the message */ diff --git a/serverloop.c b/serverloop.c index 90eec0855..a95390273 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.109 2003/06/04 12:03:59 djm Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.110 2003/06/24 08:23:46 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -158,7 +158,7 @@ sigchld_handler(int sig) static void make_packets_from_stderr_data(void) { - int len; + u_int len; /* Send buffered stderr data to the client. */ while (buffer_len(&stderr_buffer) > 0 && @@ -187,7 +187,7 @@ make_packets_from_stderr_data(void) static void make_packets_from_stdout_data(void) { - int len; + u_int len; /* Send buffered stdout data to the client. */ while (buffer_len(&stdout_buffer) > 0 && diff --git a/sshconnect2.c b/sshconnect2.c index 1b85730fe..6a0bd409a 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.119 2003/05/15 00:28:28 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.120 2003/06/24 08:23:46 markus Exp $"); #ifdef KRB5 #include @@ -67,7 +67,7 @@ extern Options options; */ u_char *session_id2 = NULL; -int session_id2_len = 0; +u_int session_id2_len = 0; char *xxx_host; struct sockaddr *xxx_hostaddr; @@ -591,7 +591,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) Buffer b; u_char *blob, *signature; u_int bloblen, slen; - int skip = 0; + u_int skip = 0; int ret = -1; int have_sig = 1; diff --git a/sshd.c b/sshd.c index bc458488b..b8f360841 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.268 2003/06/04 10:23:48 djm Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.269 2003/06/24 08:23:46 markus Exp $"); #include #include @@ -188,7 +188,7 @@ u_char session_id[16]; /* same for ssh2 */ u_char *session_id2 = NULL; -int session_id2_len = 0; +u_int session_id2_len = 0; /* record remote hostname or ip */ u_int utmp_len = MAXHOSTNAMELEN; -- cgit v1.2.3 From 0efd155c3c184f0eaa2e1eb244eaaf066e6906e0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 26 Aug 2003 11:49:55 +1000 Subject: - markus@cvs.openbsd.org 2003/08/22 10:56:09 [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself. --- ChangeLog | 10 +- auth.h | 3 +- auth2-gss.c | 243 ++++++++++++++++++++++++++++++++++++++++++++++ auth2.c | 18 +++- compat.c | 8 +- compat.h | 3 +- gss-genr.c | 256 +++++++++++++++++++++++++++++++++++++++++++++++++ gss-serv-krb5.c | 168 ++++++++++++++++++++++++++++++++ gss-serv.c | 291 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ monitor.c | 92 +++++++++++++++++- monitor.h | 5 +- monitor_wrap.c | 73 +++++++++++++- monitor_wrap.h | 10 +- readconf.c | 26 ++++- readconf.h | 4 +- servconf.c | 24 ++++- servconf.h | 4 +- session.c | 31 +++++- session.h | 5 +- ssh-gss.h | 109 +++++++++++++++++++++ ssh_config.5 | 14 ++- sshconnect2.c | 252 +++++++++++++++++++++++++++++++++++++++++++++++- sshd_config | 6 +- sshd_config.5 | 15 ++- 24 files changed, 1646 insertions(+), 24 deletions(-) create mode 100644 auth2-gss.c create mode 100644 gss-genr.c create mode 100644 gss-serv-krb5.c create mode 100644 gss-serv.c create mode 100644 ssh-gss.h (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index e8727e2f0..142af1b06 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,14 @@ - (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint" as deprecated. Remove mention from README.privsep. Patch from aet AT cc.hut.fi + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/08/22 10:56:09 + [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c + gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c + readconf.h servconf.c servconf.h session.c session.h ssh-gss.h + ssh_config.5 sshconnect2.c sshd_config sshd_config.5] + support GSS API user authentication; patches from Simon Wilkinson, + stripped down and tested by Jakob and myself. 20030825 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from @@ -874,4 +882,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2906 2003/08/26 00:48:14 djm Exp $ +$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $ diff --git a/auth.h b/auth.h index 1ed92e018..6beff7cc3 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.44 2003/08/22 10:56:08 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -67,6 +67,7 @@ struct Authctxt { krb5_principal krb5_user; char *krb5_ticket_file; #endif + void *methoddata; }; /* * Every authentication method has to handle authentication requests for diff --git a/auth2-gss.c b/auth2-gss.c new file mode 100644 index 000000000..c7651112d --- /dev/null +++ b/auth2-gss.c @@ -0,0 +1,243 @@ +/* $OpenBSD: auth2-gss.c,v 1.1 2003/08/22 10:56:08 markus Exp $ */ + +/* + * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef GSSAPI + +#include "auth.h" +#include "ssh2.h" +#include "xmalloc.h" +#include "log.h" +#include "dispatch.h" +#include "servconf.h" +#include "compat.h" +#include "packet.h" +#include "monitor_wrap.h" + +#include "ssh-gss.h" + +extern ServerOptions options; + +static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); +static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); +static void input_gssapi_errtok(int, u_int32_t, void *); + +/* + * We only support those mechanisms that we know about (ie ones that we know + * how to check local user kuserok and the like + */ +static int +userauth_gssapi(Authctxt *authctxt) +{ + gss_OID_desc oid = {0, NULL}; + Gssctxt *ctxt = NULL; + int mechs; + gss_OID_set supported; + int present; + OM_uint32 ms; + u_int len; + char *doid = NULL; + + if (!authctxt->valid || authctxt->user == NULL) + return (0); + + mechs = packet_get_int(); + if (mechs == 0) { + debug("Mechanism negotiation is not supported"); + return (0); + } + + ssh_gssapi_supported_oids(&supported); + do { + mechs--; + + if (doid) + xfree(doid); + + doid = packet_get_string(&len); + + if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { + logit("Mechanism OID received using the old encoding form"); + oid.elements = doid; + oid.length = len; + } else { + oid.elements = doid + 2; + oid.length = len - 2; + } + gss_test_oid_set_member(&ms, &oid, supported, &present); + } while (mechs > 0 && !present); + + gss_release_oid_set(&ms, &supported); + + if (!present) { + xfree(doid); + return (0); + } + + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) + return (0); + + authctxt->methoddata=(void *)ctxt; + + packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); + + /* Return OID in same format as we received it*/ + packet_put_string(doid, len); + + packet_send(); + xfree(doid); + + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); + authctxt->postponed = 1; + + return (0); +} + +static void +input_gssapi_token(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc recv_tok; + OM_uint32 maj_status, min_status; + u_int len; + + if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) + fatal("No authentication or GSSAPI context"); + + gssctxt = authctxt->methoddata; + recv_tok.value = packet_get_string(&len); + recv_tok.length = len; /* u_int vs. size_t */ + + packet_check_eom(); + + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, + &send_tok, NULL)); + + xfree(recv_tok.value); + + if (GSS_ERROR(maj_status)) { + if (send_tok.length != 0) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + } + authctxt->postponed = 0; + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + userauth_finish(authctxt, 0, "gssapi"); + } else { + if (send_tok.length != 0) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + } + if (maj_status == GSS_S_COMPLETE) { + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, + &input_gssapi_exchange_complete); + } + } + + gss_release_buffer(&min_status, &send_tok); +} + +static void +input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc recv_tok; + OM_uint32 maj_status; + + if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) + fatal("No authentication or GSSAPI context"); + + gssctxt = authctxt->methoddata; + recv_tok.value = packet_get_string(&recv_tok.length); + + packet_check_eom(); + + /* Push the error token into GSSAPI to see what it says */ + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, + &send_tok, NULL)); + + xfree(recv_tok.value); + + /* We can't return anything to the client, even if we wanted to */ + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + + /* The client will have already moved on to the next auth */ + + gss_release_buffer(&maj_status, &send_tok); +} + +/* + * This is called when the client thinks we've completed authentication. + * It should only be enabled in the dispatch handler by the function above, + * which only enables it once the GSSAPI exchange is complete. + */ + +static void +input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + int authenticated; + + if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) + fatal("No authentication or GSSAPI context"); + + gssctxt = authctxt->methoddata; + + /* + * We don't need to check the status, because the stored credentials + * which userok uses are only populated once the context init step + * has returned complete. + */ + + packet_check_eom(); + + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); + + authctxt->postponed = 0; + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); + userauth_finish(authctxt, authenticated, "gssapi"); +} + +Authmethod method_gssapi = { + "gssapi", + userauth_gssapi, + &options.gss_authentication +}; + +#endif /* GSSAPI */ diff --git a/auth2.c b/auth2.c index e6ec8ddcd..4a305a416 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.99 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.100 2003/08/22 10:56:08 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -36,6 +36,10 @@ RCSID("$OpenBSD: auth2.c,v 1.99 2003/06/24 08:23:46 markus Exp $"); #include "pathnames.h" #include "monitor_wrap.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif + /* import */ extern ServerOptions options; extern u_char *session_id2; @@ -53,10 +57,16 @@ extern Authmethod method_hostbased; #ifdef KRB5 extern Authmethod method_kerberos; #endif +#ifdef GSSAPI +extern Authmethod method_gssapi; +#endif Authmethod *authmethods[] = { &method_none, &method_pubkey, +#ifdef GSSAPI + &method_gssapi, +#endif &method_passwd, &method_kbdint, &method_hostbased, @@ -184,6 +194,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } /* reset state */ auth2_challenge_stop(authctxt); + +#ifdef GSSAPI + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); +#endif + authctxt->postponed = 0; /* try to authenticate user */ diff --git a/compat.c b/compat.c index 63a5d91ff..6bd42a6f5 100644 --- a/compat.c +++ b/compat.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.67 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: compat.c,v 1.68 2003/08/22 10:56:09 markus Exp $"); #include "buffer.h" #include "packet.h" @@ -79,7 +79,11 @@ compat_datafellows(const char *version) { "OpenSSH_2.5.3*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, { "OpenSSH_2.*," "OpenSSH_3.0*," - "OpenSSH_3.1*", SSH_BUG_EXTEOF}, + "OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_BUG_GSSAPI_BER}, + { "OpenSSH_3.2*," + "OpenSSH_3.3*," + "OpenSSH_3.4*," + "OpenSSH_3.5*", SSH_BUG_GSSAPI_BER}, { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, { "OpenSSH*", 0 }, { "*MindTerm*", 0 }, diff --git a/compat.h b/compat.h index 881e450d3..a21e473c5 100644 --- a/compat.h +++ b/compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.34 2003/04/01 10:31:26 markus Exp $ */ +/* $OpenBSD: compat.h,v 1.35 2003/08/22 10:56:09 markus Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -56,6 +56,7 @@ #define SSH_BUG_K5USER 0x00400000 #define SSH_BUG_PROBE 0x00800000 #define SSH_BUG_FIRSTKEX 0x01000000 +#define SSH_BUG_GSSAPI_BER 0x02000000 void enable_compat13(void); void enable_compat20(void); diff --git a/gss-genr.c b/gss-genr.c new file mode 100644 index 000000000..bda12d6f1 --- /dev/null +++ b/gss-genr.c @@ -0,0 +1,256 @@ +/* $OpenBSD: gss-genr.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */ + +/* + * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef GSSAPI + +#include "xmalloc.h" +#include "bufaux.h" +#include "compat.h" +#include "log.h" +#include "monitor_wrap.h" + +#include "ssh-gss.h" + + +/* Check that the OID in a data stream matches that in the context */ +int +ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) +{ + return (ctx != NULL && ctx->oid != GSS_C_NO_OID && + ctx->oid->length == len && + memcmp(ctx->oid->elements, data, len) == 0); +} + +/* Set the contexts OID from a data stream */ +void +ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) +{ + if (ctx->oid != GSS_C_NO_OID) { + xfree(ctx->oid->elements); + xfree(ctx->oid); + } + ctx->oid = xmalloc(sizeof(gss_OID_desc)); + ctx->oid->length = len; + ctx->oid->elements = xmalloc(len); + memcpy(ctx->oid->elements, data, len); +} + +/* Set the contexts OID */ +void +ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid) +{ + ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length); +} + +/* All this effort to report an error ... */ +void +ssh_gssapi_error(Gssctxt *ctxt) +{ + debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL)); +} + +char * +ssh_gssapi_last_error(Gssctxt *ctxt, + OM_uint32 *major_status, OM_uint32 *minor_status) +{ + OM_uint32 lmin; + gss_buffer_desc msg = GSS_C_EMPTY_BUFFER; + OM_uint32 ctx; + Buffer b; + char *ret; + + buffer_init(&b); + + if (major_status != NULL) + *major_status = ctxt->major; + if (minor_status != NULL) + *minor_status = ctxt->minor; + + ctx = 0; + /* The GSSAPI error */ + do { + gss_display_status(&lmin, ctxt->major, + GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg); + + buffer_append(&b, msg.value, msg.length); + buffer_put_char(&b, '\n'); + + gss_release_buffer(&lmin, &msg); + } while (ctx != 0); + + /* The mechanism specific error */ + do { + gss_display_status(&lmin, ctxt->minor, + GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg); + + buffer_append(&b, msg.value, msg.length); + buffer_put_char(&b, '\n'); + + gss_release_buffer(&lmin, &msg); + } while (ctx != 0); + + buffer_put_char(&b, '\0'); + ret = xmalloc(buffer_len(&b)); + buffer_get(&b, ret, buffer_len(&b)); + buffer_free(&b); + return (ret); +} + +/* + * Initialise our GSSAPI context. We use this opaque structure to contain all + * of the data which both the client and server need to persist across + * {accept,init}_sec_context calls, so that when we do it from the userauth + * stuff life is a little easier + */ +void +ssh_gssapi_build_ctx(Gssctxt **ctx) +{ + *ctx = xmalloc(sizeof (Gssctxt)); + (*ctx)->major = 0; + (*ctx)->minor = 0; + (*ctx)->context = GSS_C_NO_CONTEXT; + (*ctx)->name = GSS_C_NO_NAME; + (*ctx)->oid = GSS_C_NO_OID; + (*ctx)->creds = GSS_C_NO_CREDENTIAL; + (*ctx)->client = GSS_C_NO_NAME; + (*ctx)->client_creds = GSS_C_NO_CREDENTIAL; +} + +/* Delete our context, providing it has been built correctly */ +void +ssh_gssapi_delete_ctx(Gssctxt **ctx) +{ + OM_uint32 ms; + + if ((*ctx) == NULL) + return; + if ((*ctx)->context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER); + if ((*ctx)->name != GSS_C_NO_NAME) + gss_release_name(&ms, &(*ctx)->name); + if ((*ctx)->oid != GSS_C_NO_OID) { + xfree((*ctx)->oid->elements); + xfree((*ctx)->oid); + (*ctx)->oid = GSS_C_NO_OID; + } + if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) + gss_release_cred(&ms, &(*ctx)->creds); + if ((*ctx)->client != GSS_C_NO_NAME) + gss_release_name(&ms, &(*ctx)->client); + if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL) + gss_release_cred(&ms, &(*ctx)->client_creds); + + xfree(*ctx); + *ctx = NULL; +} + +/* + * Wrapper to init_sec_context + * Requires that the context contains: + * oid + * server name (from ssh_gssapi_import_name) + */ +OM_uint32 +ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, + gss_buffer_desc* send_tok, OM_uint32 *flags) +{ + int deleg_flag = 0; + + if (deleg_creds) { + deleg_flag = GSS_C_DELEG_FLAG; + debug("Delegating credentials"); + } + + ctx->major = gss_init_sec_context(&ctx->minor, + GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, + GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, + 0, NULL, recv_tok, NULL, send_tok, flags, NULL); + + if (GSS_ERROR(ctx->major)) + ssh_gssapi_error(ctx); + + return (ctx->major); +} + +/* Create a service name for the given host */ +OM_uint32 +ssh_gssapi_import_name(Gssctxt *ctx, const char *host) +{ + gss_buffer_desc gssbuf; + + gssbuf.length = sizeof("host@") + strlen(host); + gssbuf.value = xmalloc(gssbuf.length); + snprintf(gssbuf.value, gssbuf.length, "host@%s", host); + + if ((ctx->major = gss_import_name(&ctx->minor, + &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) + ssh_gssapi_error(ctx); + + xfree(gssbuf.value); + return (ctx->major); +} + +/* Acquire credentials for a server running on the current host. + * Requires that the context structure contains a valid OID + */ + +/* Returns a GSSAPI error code */ +OM_uint32 +ssh_gssapi_acquire_cred(Gssctxt *ctx) +{ + OM_uint32 status; + char lname[MAXHOSTNAMELEN]; + gss_OID_set oidset; + + gss_create_empty_oid_set(&status, &oidset); + gss_add_oid_set_member(&status, ctx->oid, &oidset); + + if (gethostname(lname, MAXHOSTNAMELEN)) + return (-1); + + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) + return (ctx->major); + + if ((ctx->major = gss_acquire_cred(&ctx->minor, + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) + ssh_gssapi_error(ctx); + + gss_release_oid_set(&status, &oidset); + return (ctx->major); +} + +OM_uint32 +ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { + if (*ctx) + ssh_gssapi_delete_ctx(ctx); + ssh_gssapi_build_ctx(ctx); + ssh_gssapi_set_oid(*ctx, oid); + return (ssh_gssapi_acquire_cred(*ctx)); +} + +#endif /* GSSAPI */ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c new file mode 100644 index 000000000..d86872258 --- /dev/null +++ b/gss-serv-krb5.c @@ -0,0 +1,168 @@ +/* $OpenBSD: gss-serv-krb5.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */ + +/* + * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef GSSAPI +#ifdef KRB5 + +#include "auth.h" +#include "xmalloc.h" +#include "log.h" +#include "servconf.h" + +#include "ssh-gss.h" + +extern ServerOptions options; + +#include + +static krb5_context krb_context = NULL; + +/* Initialise the krb5 library, for the stuff that GSSAPI won't do */ + +static int +ssh_gssapi_krb5_init() +{ + krb5_error_code problem; + + if (krb_context != NULL) + return 1; + + problem = krb5_init_context(&krb_context); + if (problem) { + logit("Cannot initialize krb5 context"); + return 0; + } + krb5_init_ets(krb_context); + + return 1; +} + +/* Check if this user is OK to login. This only works with krb5 - other + * GSSAPI mechanisms will need their own. + * Returns true if the user is OK to log in, otherwise returns 0 + */ + +static int +ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +{ + krb5_principal princ; + int retval; + + if (ssh_gssapi_krb5_init() == 0) + return 0; + + if ((retval = krb5_parse_name(krb_context, client->exportedname.value, + &princ))) { + logit("krb5_parse_name(): %.100s", + krb5_get_err_text(krb_context, retval)); + return 0; + } + if (krb5_kuserok(krb_context, princ, name)) { + retval = 1; + logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", + name, (char *)client->displayname.value); + } else + retval = 0; + + krb5_free_principal(krb_context, princ); + return retval; +} + + +/* This writes out any forwarded credentials from the structure populated + * during userauth. Called after we have setuid to the user */ + +static void +ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +{ + krb5_ccache ccache; + krb5_error_code problem; + krb5_principal princ; + OM_uint32 maj_status, min_status; + + if (client->creds == NULL) { + debug("No credentials stored"); + return; + } + + if (ssh_gssapi_krb5_init() == 0) + return; + + if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { + logit("krb5_cc_gen_new(): %.100s", + krb5_get_err_text(krb_context, problem)); + return; + } + + if ((problem = krb5_parse_name(krb_context, + client->exportedname.value, &princ))) { + logit("krb5_parse_name(): %.100s", + krb5_get_err_text(krb_context, problem)); + krb5_cc_destroy(krb_context, ccache); + return; + } + + if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { + logit("krb5_cc_initialize(): %.100s", + krb5_get_err_text(krb_context, problem)); + krb5_free_principal(krb_context, princ); + krb5_cc_destroy(krb_context, ccache); + return; + } + + krb5_free_principal(krb_context, princ); + + if ((maj_status = gss_krb5_copy_ccache(&min_status, + client->creds, ccache))) { + logit("gss_krb5_copy_ccache() failed"); + krb5_cc_destroy(krb_context, ccache); + return; + } + + client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); + client->store.envvar = "KRB5CCNAME"; + client->store.envval = xstrdup(client->store.filename); + + krb5_cc_close(krb_context, ccache); + + return; +} + +ssh_gssapi_mech gssapi_kerberos_mech = { + "toWM5Slw5Ew8Mqkay+al2g==", + "Kerberos", + {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, + NULL, + &ssh_gssapi_krb5_userok, + NULL, + &ssh_gssapi_krb5_storecreds +}; + +#endif /* KRB5 */ + +#endif /* GSSAPI */ diff --git a/gss-serv.c b/gss-serv.c new file mode 100644 index 000000000..42718177d --- /dev/null +++ b/gss-serv.c @@ -0,0 +1,291 @@ +/* $OpenBSD: gss-serv.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */ + +/* + * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" + +#ifdef GSSAPI + +#include "bufaux.h" +#include "compat.h" +#include "auth.h" +#include "log.h" +#include "channels.h" +#include "session.h" +#include "servconf.h" +#include "monitor_wrap.h" +#include "xmalloc.h" +#include "getput.h" + +#include "ssh-gss.h" + +extern ServerOptions options; + +static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; + +ssh_gssapi_mech gssapi_null_mech = + { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; + +#ifdef KRB5 +extern ssh_gssapi_mech gssapi_kerberos_mech; +#endif + +ssh_gssapi_mech* supported_mechs[]= { +#ifdef KRB5 + &gssapi_kerberos_mech, +#endif + &gssapi_null_mech, +}; + +/* Unpriviledged */ +void +ssh_gssapi_supported_oids(gss_OID_set *oidset) +{ + int i = 0; + OM_uint32 min_status; + int present; + gss_OID_set supported; + + gss_create_empty_oid_set(&min_status, oidset); + gss_indicate_mechs(&min_status, &supported); + + while (supported_mechs[i]->name != NULL) { + if (GSS_ERROR(gss_test_oid_set_member(&min_status, + &supported_mechs[i]->oid, supported, &present))) + present = 0; + if (present) + gss_add_oid_set_member(&min_status, + &supported_mechs[i]->oid, oidset); + i++; + } +} + + +/* Wrapper around accept_sec_context + * Requires that the context contains: + * oid + * credentials (from ssh_gssapi_acquire_cred) + */ +/* Priviledged */ +OM_uint32 +ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, + gss_buffer_desc *send_tok, OM_uint32 *flags) +{ + OM_uint32 status; + gss_OID mech; + + ctx->major = gss_accept_sec_context(&ctx->minor, + &ctx->context, ctx->creds, recv_tok, + GSS_C_NO_CHANNEL_BINDINGS, &ctx->client, &mech, + send_tok, flags, NULL, &ctx->client_creds); + + if (GSS_ERROR(ctx->major)) + ssh_gssapi_error(ctx); + + if (ctx->client_creds) + debug("Received some client credentials"); + else + debug("Got no client credentials"); + + status = ctx->major; + + /* Now, if we're complete and we have the right flags, then + * we flag the user as also having been authenticated + */ + + if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) && + (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) { + if (ssh_gssapi_getclient(ctx, &gssapi_client)) + fatal("Couldn't convert client name"); + } + + return (status); +} + +/* + * This parses an exported name, extracting the mechanism specific portion + * to use for ACL checking. It verifies that the name belongs the mechanism + * originally selected. + */ +static OM_uint32 +ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) +{ + char *tok; + OM_uint32 offset; + OM_uint32 oidl; + + tok=ename->value; + + /* + * Check that ename is long enough for all of the fixed length + * header, and that the initial ID bytes are correct + */ + + if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0) + return GSS_S_FAILURE; + + /* + * Extract the OID, and check it. Here GSSAPI breaks with tradition + * and does use the OID type and length bytes. To confuse things + * there are two lengths - the first including these, and the + * second without. + */ + + oidl = GET_16BIT(tok+2); /* length including next two bytes */ + oidl = oidl-2; /* turn it into the _real_ length of the variable OID */ + + /* + * Check the BER encoding for correct type and length, that the + * string is long enough and that the OID matches that in our context + */ + if (tok[4] != 0x06 || tok[5] != oidl || + ename->length < oidl+6 || + !ssh_gssapi_check_oid(ctx,tok+6,oidl)) + return GSS_S_FAILURE; + + offset = oidl+6; + + if (ename->length < offset+4) + return GSS_S_FAILURE; + + name->length = GET_32BIT(tok+offset); + offset += 4; + + if (ename->length < offset+name->length) + return GSS_S_FAILURE; + + name->value = xmalloc(name->length); + memcpy(name->value,tok+offset,name->length); + + return GSS_S_COMPLETE; +} + +/* Extract the client details from a given context. This can only reliably + * be called once for a context */ + +/* Priviledged (called from accept_secure_ctx) */ +OM_uint32 +ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +{ + int i = 0; + + gss_buffer_desc ename; + + client->mech = NULL; + + while (supported_mechs[i]->name != NULL) { + if (supported_mechs[i]->oid.length == ctx->oid->length && + (memcmp(supported_mechs[i]->oid.elements, + ctx->oid->elements, ctx->oid->length) == 0)) + client->mech = supported_mechs[i]; + i++; + } + + if (client->mech == NULL) + return GSS_S_FAILURE; + + if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, + &client->displayname, NULL))) { + ssh_gssapi_error(ctx); + return (ctx->major); + } + + if ((ctx->major = gss_export_name(&ctx->minor, ctx->client, + &ename))) { + ssh_gssapi_error(ctx); + return (ctx->major); + } + + if ((ctx->major = ssh_gssapi_parse_ename(ctx,&ename, + &client->exportedname))) { + return (ctx->major); + } + + /* We can't copy this structure, so we just move the pointer to it */ + client->creds = ctx->client_creds; + ctx->client_creds = GSS_C_NO_CREDENTIAL; + return (ctx->major); +} + +/* As user - called through fatal cleanup hook */ +void +ssh_gssapi_cleanup_creds(void *ignored) +{ + if (gssapi_client.store.filename != NULL) { + /* Unlink probably isn't sufficient */ + debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename); + unlink(gssapi_client.store.filename); + } +} + +/* As user */ +void +ssh_gssapi_storecreds(void) +{ + if (gssapi_client.mech && gssapi_client.mech->storecreds) { + (*gssapi_client.mech->storecreds)(&gssapi_client); + if (options.gss_cleanup_creds) + fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL); + } else + debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); +} + +/* This allows GSSAPI methods to do things to the childs environment based + * on the passed authentication process and credentials. + */ +/* As user */ +void +ssh_gssapi_do_child(char ***envp, u_int *envsizep) +{ + + if (gssapi_client.store.envvar != NULL && + gssapi_client.store.envval != NULL) { + + debug("Setting %s to %s", gssapi_client.store.envvar, + gssapi_client.store.envval); + child_set_env(envp, envsizep, gssapi_client.store.envvar, + gssapi_client.store.envval); + } +} + +/* Priviledged */ +int +ssh_gssapi_userok(char *user) +{ + if (gssapi_client.exportedname.length == 0 || + gssapi_client.exportedname.value == NULL) { + debug("No suitable client data"); + return 0; + } + if (gssapi_client.mech && gssapi_client.mech->userok) + return ((*gssapi_client.mech->userok)(&gssapi_client, user)); + else + debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); + return (0); +} + +#endif diff --git a/monitor.c b/monitor.c index 80b1a8fba..f90a90461 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.46 2003/08/22 10:56:09 markus Exp $"); #include @@ -59,6 +59,11 @@ RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $"); #include "ssh2.h" #include "mpaux.h" +#ifdef GSSAPI +#include "ssh-gss.h" +static Gssctxt *gsscontext = NULL; +#endif + /* Imports */ extern ServerOptions options; extern u_int utmp_len; @@ -128,6 +133,11 @@ int mm_answer_pam_free_ctx(int, Buffer *); #ifdef KRB5 int mm_answer_krb5(int, Buffer *); #endif +#ifdef GSSAPI +int mm_answer_gss_setup_ctx(int, Buffer *); +int mm_answer_gss_accept_ctx(int, Buffer *); +int mm_answer_gss_userok(int, Buffer *); +#endif static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -184,6 +194,11 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, #ifdef KRB5 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, +#endif +#ifdef GSSAPI + {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, + {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, + {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, #endif {0, 0, NULL} }; @@ -357,7 +372,6 @@ monitor_child_postauth(struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); - } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1769,3 +1783,77 @@ monitor_reinit(struct monitor *mon) mon->m_recvfd = pair[0]; mon->m_sendfd = pair[1]; } + +#ifdef GSSAPI +int +mm_answer_gss_setup_ctx(int socket, Buffer *m) +{ + gss_OID_desc oid; + OM_uint32 major; + u_int len; + + oid.elements = buffer_get_string(m, &len); + oid.length = len; + + major = ssh_gssapi_server_ctx(&gsscontext, &oid); + + xfree(oid.elements); + + buffer_clear(m); + buffer_put_int(m, major); + + mm_request_send(socket,MONITOR_ANS_GSSSETUP, m); + + /* Now we have a context, enable the step */ + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); + + return (0); +} + +int +mm_answer_gss_accept_ctx(int socket, Buffer *m) +{ + gss_buffer_desc in; + gss_buffer_desc out = GSS_C_EMPTY_BUFFER; + OM_uint32 major,minor; + OM_uint32 flags = 0; /* GSI needs this */ + + in.value = buffer_get_string(m, &in.length); + major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); + xfree(in.value); + + buffer_clear(m); + buffer_put_int(m, major); + buffer_put_string(m, out.value, out.length); + buffer_put_int(m, flags); + mm_request_send(socket, MONITOR_ANS_GSSSTEP, m); + + gss_release_buffer(&minor, &out); + + /* Complete - now we can do signing */ + if (major==GSS_S_COMPLETE) { + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); + } + return (0); +} + +int +mm_answer_gss_userok(int socket, Buffer *m) +{ + int authenticated; + + authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); + + buffer_clear(m); + buffer_put_int(m, authenticated); + + debug3("%s: sending result %d", __func__, authenticated); + mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); + + auth_method="gssapi"; + + /* Monitor loop will terminate if authenticated */ + return (authenticated); +} +#endif /* GSSAPI */ diff --git a/monitor.h b/monitor.h index eeac78e03..da33ed613 100644 --- a/monitor.h +++ b/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */ +/* $OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -50,6 +50,9 @@ enum monitor_reqtype { MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, + MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP, + MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, + MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff --git a/monitor_wrap.c b/monitor_wrap.c index 9e7e6b3c3..4073905f6 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.29 2003/08/22 10:56:09 markus Exp $"); #include #include @@ -53,6 +53,10 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); #include "channels.h" #include "session.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif + /* Imports */ extern int compat20; extern Newkeys *newkeys[]; @@ -1100,4 +1104,69 @@ mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) buffer_free(&m); return (success); } -#endif +#endif /* KRB5 */ + +#ifdef GSSAPI +OM_uint32 +mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) +{ + Buffer m; + OM_uint32 major; + + /* Client doesn't get to see the context */ + *ctx = NULL; + + buffer_init(&m); + buffer_put_string(&m, oid->elements, oid->length); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); + + major = buffer_get_int(&m); + + buffer_free(&m); + return (major); +} + +OM_uint32 +mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, + gss_buffer_desc *out, OM_uint32 *flags) +{ + Buffer m; + OM_uint32 major; + + buffer_init(&m); + buffer_put_string(&m, in->value, in->length); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); + + major = buffer_get_int(&m); + out->value = buffer_get_string(&m, &out->length); + if (flags) + *flags = buffer_get_int(&m); + + buffer_free(&m); + + return (major); +} + +int +mm_ssh_gssapi_userok(char *user) +{ + Buffer m; + int authenticated = 0; + + buffer_init(&m); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, + &m); + + authenticated = buffer_get_int(&m); + + buffer_free(&m); + debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); + return (authenticated); +} +#endif /* GSSAPI */ diff --git a/monitor_wrap.h b/monitor_wrap.h index ddd42ee28..c6251924a 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -55,6 +55,14 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); BIGNUM *mm_auth_rsa_generate_challenge(Key *); +#ifdef GSSAPI +#include "ssh-gss.h" +OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctxt, gss_OID oid); +OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *ctxt, + gss_buffer_desc *recv, gss_buffer_desc *send, OM_uint32 *flags); +int mm_ssh_gssapi_userok(char *user); +#endif + #ifdef USE_PAM void mm_start_pam(char *); u_int mm_do_pam_account(void); diff --git a/readconf.c b/readconf.c index 96ad25a51..9447cb55f 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.117 2003/08/13 09:07:09 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -105,7 +105,7 @@ typedef enum { oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, oDeprecated, oUnsupported } OpCodes; @@ -140,6 +140,14 @@ static struct { { "kerberostgtpassing", oUnsupported }, #endif { "afstokenpassing", oUnsupported }, +#if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecreds", oGssDelegateCreds }, + { "gssapidelegatecredentials", oGssDelegateCreds }, +#else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, +#endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, @@ -389,6 +397,14 @@ parse_flag: intptr = &options->kerberos_tgt_passing; goto parse_flag; + case oGssAuthentication: + intptr = &options->gss_authentication; + goto parse_flag; + + case oGssDelegateCreds: + intptr = &options->gss_deleg_creds; + goto parse_flag; + case oBatchMode: intptr = &options->batch_mode; goto parse_flag; @@ -813,6 +829,8 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->kerberos_authentication = -1; options->kerberos_tgt_passing = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -887,6 +905,10 @@ fill_default_options(Options * options) options->kerberos_authentication = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; + if (options->gss_authentication == -1) + options->gss_authentication = 1; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h index 6fbf467e5..1100205b8 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.53 2003/08/13 08:46:30 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.54 2003/08/22 10:56:09 markus Exp $ */ /* * Author: Tatu Ylonen @@ -42,6 +42,8 @@ typedef struct { /* Try S/Key or TIS, authentication. */ int kerberos_authentication; /* Try Kerberos authentication. */ int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c index 09fdbf424..e13309388 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $"); #include "ssh.h" #include "log.h" @@ -73,6 +73,8 @@ initialize_server_options(ServerOptions *options) options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; options->kerberos_tgt_passing = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -182,6 +184,10 @@ fill_default_server_options(ServerOptions *options) options->kerberos_ticket_cleanup = 1; if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; + if (options->gss_authentication == -1) + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -259,6 +265,7 @@ typedef enum { sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sGssAuthentication, sGssCleanupCreds, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -305,6 +312,13 @@ static struct { { "kerberostgtpassing", sUnsupported }, #endif { "afstokenpassing", sUnsupported }, +#ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication }, + { "gssapicleanupcreds", sGssCleanupCreds }, +#else + { "gssapiauthentication", sUnsupported }, + { "gssapicleanupcreds", sUnsupported }, +#endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, @@ -623,6 +637,14 @@ parse_flag: intptr = &options->kerberos_tgt_passing; goto parse_flag; + case sGssAuthentication: + intptr = &options->gss_authentication; + goto parse_flag; + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; + goto parse_flag; + case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; diff --git a/servconf.h b/servconf.h index 42bcda757..f86cb2209 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.63 2003/08/13 08:46:30 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.64 2003/08/22 10:56:09 markus Exp $ */ /* * Author: Tatu Ylonen @@ -82,6 +82,8 @@ typedef struct { * file on logout. */ int kerberos_tgt_passing; /* If true, permit Kerberos TGT * passing. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff --git a/session.c b/session.c index 20c4b8a97..3593a3ff5 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.160 2003/08/13 08:33:02 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -58,6 +58,10 @@ RCSID("$OpenBSD: session.c,v 1.160 2003/08/13 08:33:02 markus Exp $"); #include "session.h" #include "monitor_wrap.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif + /* func */ Session *session_new(void); @@ -424,6 +428,12 @@ do_exec_no_pty(Session *s, const char *command) } #endif /* USE_PAM */ +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -550,6 +560,12 @@ do_exec_pty(Session *s, const char *command) } #endif +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -807,7 +823,7 @@ check_quietlogin(Session *s, const char *command) * Sets the value of the given variable in the environment. If the variable * already exists, its value is overriden. */ -static void +void child_set_env(char ***envp, u_int *envsizep, const char *name, const char *value) { @@ -934,6 +950,13 @@ do_setup_env(Session *s, const char *shell) copy_environment(environ, &env, &envsize); #endif +#ifdef GSSAPI + /* Allow any GSSAPI methods that we've used to alter + * the childs environment as they see fit + */ + ssh_gssapi_do_child(&env, &envsize); +#endif + if (!options.use_login) { /* Set basic environment. */ child_set_env(&env, &envsize, "USER", pw->pw_name); @@ -2088,4 +2111,8 @@ static void do_authenticated2(Authctxt *authctxt) { server_loop2(authctxt); +#if defined(GSSAPI) + if (options.gss_cleanup_creds) + ssh_gssapi_cleanup_creds(NULL); +#endif } diff --git a/session.h b/session.h index d3ddfab75..525e47f64 100644 --- a/session.h +++ b/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.19 2002/06/30 21:59:45 deraadt Exp $ */ +/* $OpenBSD: session.h,v 1.20 2003/08/22 10:56:09 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -68,4 +68,7 @@ Session *session_new(void); Session *session_by_tty(char *); void session_close(Session *); void do_setusercontext(struct passwd *); +void child_set_env(char ***envp, u_int *envsizep, const char *name, + const char *value); + #endif diff --git a/ssh-gss.h b/ssh-gss.h new file mode 100644 index 000000000..263e51b94 --- /dev/null +++ b/ssh-gss.h @@ -0,0 +1,109 @@ +/* + * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _SSH_GSS_H +#define _SSH_GSS_H + +#ifdef GSSAPI + +#include "buffer.h" + +#include + +/* draft-ietf-secsh-gsskeyex-06 */ +#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 +#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 +#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63 +#define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64 +#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65 + +#define SSH_GSS_OIDTYPE 0x06 + +typedef struct { + char *filename; + char *envvar; + char *envval; + void *data; +} ssh_gssapi_ccache; + +typedef struct { + gss_buffer_desc displayname; + gss_buffer_desc exportedname; + gss_cred_id_t creds; + struct ssh_gssapi_mech_struct *mech; + ssh_gssapi_ccache store; +} ssh_gssapi_client; + +typedef struct ssh_gssapi_mech_struct { + char *enc_name; + char *name; + gss_OID_desc oid; + int (*dochild) (ssh_gssapi_client *); + int (*userok) (ssh_gssapi_client *, char *); + int (*localname) (ssh_gssapi_client *, char **); + void (*storecreds) (ssh_gssapi_client *); +} ssh_gssapi_mech; + +typedef struct { + OM_uint32 major; /* both */ + OM_uint32 minor; /* both */ + gss_ctx_id_t context; /* both */ + gss_name_t name; /* both */ + gss_OID oid; /* client */ + gss_cred_id_t creds; /* server */ + gss_name_t client; /* server */ + gss_cred_id_t client_creds; /* server */ +} Gssctxt; + +extern ssh_gssapi_mech *supported_mechs[]; + +int ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len); +void ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len); +void ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid); +void ssh_gssapi_supported_oids(gss_OID_set *oidset); +ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *ctxt); + +OM_uint32 ssh_gssapi_import_name(Gssctxt *ctx, const char *host); +OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *ctx); +OM_uint32 ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, + gss_buffer_desc *recv_tok, gss_buffer_desc *send_tok, OM_uint32 *flags); +OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *ctx, + gss_buffer_desc *recv_tok, gss_buffer_desc *send_tok, OM_uint32 *flags); +OM_uint32 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *); +void ssh_gssapi_error(Gssctxt *ctx); +char *ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min); +void ssh_gssapi_build_ctx(Gssctxt **ctx); +void ssh_gssapi_delete_ctx(Gssctxt **ctx); +OM_uint32 ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid); + +/* In the server */ +int ssh_gssapi_userok(char *name); + +void ssh_gssapi_do_child(char ***envp, u_int *envsizep); +void ssh_gssapi_cleanup_creds(void *ignored); +void ssh_gssapi_storecreds(void); + +#endif /* GSSAPI */ + +#endif /* _SSH_GSS_H */ diff --git a/ssh_config.5 b/ssh_config.5 index fb341d79b..f99562b96 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.17 2003/08/13 08:46:31 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -331,6 +331,18 @@ The default is Specifies a file to use for the global host key database instead of .Pa /etc/ssh/ssh_known_hosts . +.It Cm GSSAPIAuthentication +Specifies whether authentication based on GSSAPI may be used, either using +the result of a successful key exchange, or using GSSAPI user +authentication. +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. +.It Cm GSSAPIDelegateCredentials +Forward (delegate) credentials to the server. +The default is +.Dq no . +Note that this option applies to protocol version 2 only. .It Cm HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. diff --git a/sshconnect2.c b/sshconnect2.c index 6a0bd409a..c71ad506b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.120 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $"); #ifdef KRB5 #include @@ -57,6 +57,10 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.120 2003/06/24 08:23:46 markus Exp $"); #include "msg.h" #include "pathnames.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif + /* import */ extern char *client_version_string; extern char *server_version_string; @@ -178,6 +182,8 @@ struct Authctxt { Sensitive *sensitive; /* kbd-interactive */ int info_req_seen; + /* generic */ + void *methoddata; }; struct Authmethod { char *name; /* string to compare against server's list */ @@ -201,6 +207,15 @@ int userauth_kbdint(Authctxt *); int userauth_hostbased(Authctxt *); int userauth_kerberos(Authctxt *); +#ifdef GSSAPI +int userauth_gssapi(Authctxt *authctxt); +void input_gssapi_response(int type, u_int32_t, void *); +void input_gssapi_token(int type, u_int32_t, void *); +void input_gssapi_hash(int type, u_int32_t, void *); +void input_gssapi_error(int, u_int32_t, void *); +void input_gssapi_errtok(int, u_int32_t, void *); +#endif + void userauth(Authctxt *, char *); static int sign_and_send_pubkey(Authctxt *, Identity *); @@ -213,6 +228,12 @@ static Authmethod *authmethod_lookup(const char *name); static char *authmethods_get(void); Authmethod authmethods[] = { +#ifdef GSSAPI + {"gssapi", + userauth_gssapi, + &options.gss_authentication, + NULL}, +#endif {"hostbased", userauth_hostbased, &options.hostbased_authentication, @@ -283,6 +304,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, authctxt.success = 0; authctxt.method = authmethod_lookup("none"); authctxt.authlist = NULL; + authctxt.methoddata = NULL; authctxt.sensitive = sensitive; authctxt.info_req_seen = 0; if (authctxt.method == NULL) @@ -306,6 +328,10 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, void userauth(Authctxt *authctxt, char *authlist) { + if (authctxt->methoddata) { + xfree(authctxt->methoddata); + authctxt->methoddata = NULL; + } if (authlist == NULL) { authlist = authctxt->authlist; } else { @@ -361,6 +387,8 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt) fatal("input_userauth_success: no authentication context"); if (authctxt->authlist) xfree(authctxt->authlist); + if (authctxt->methoddata) + xfree(authctxt->methoddata); authctxt->success = 1; /* break out */ } @@ -449,6 +477,228 @@ done: userauth(authctxt, NULL); } +#ifdef GSSAPI +int +userauth_gssapi(Authctxt *authctxt) +{ + Gssctxt *gssctxt = NULL; + static gss_OID_set supported = NULL; + static int mech = 0; + OM_uint32 min; + int ok = 0; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ + + if (supported == NULL) + gss_indicate_mechs(&min, &supported); + + /* Check to see if the mechanism is usable before we offer it */ + while (mechcount && !ok) { + if (gssctxt) + ssh_gssapi_delete_ctx(&gssctxt); + ssh_gssapi_build_ctx(&gssctxt); + ssh_gssapi_set_oid(gssctxt, &supported->elements[mech]); + + /* My DER encoding requires length<128 */ + if (supported->elements[mech].length < 128 && + !GSS_ERROR(ssh_gssapi_import_name(gssctxt, + authctxt->host))) { + ok = 1; /* Mechanism works */ + } else { + mech++; + } + } + + if (!ok) return 0; + + authctxt->methoddata=(void *)gssctxt; + + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + + packet_put_int(1); + + /* Some servers encode the OID incorrectly (as we used to) */ + if (datafellows & SSH_BUG_GSSAPI_BER) { + packet_put_string(supported->elements[mech].elements, + supported->elements[mech].length); + } else { + packet_put_int((supported->elements[mech].length)+2); + packet_put_char(SSH_GSS_OIDTYPE); + packet_put_char(supported->elements[mech].length); + packet_put_raw(supported->elements[mech].elements, + supported->elements[mech].length); + } + + packet_send(); + + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); + + mech++; /* Move along to next candidate */ + + return 1; +} + +void +input_gssapi_response(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + OM_uint32 status, ms; + int oidlen; + char *oidv; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + + if (authctxt == NULL) + fatal("input_gssapi_response: no authentication context"); + gssctxt = authctxt->methoddata; + + /* Setup our OID */ + oidv = packet_get_string(&oidlen); + + if (datafellows & SSH_BUG_GSSAPI_BER) { + if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen)) + fatal("Server returned different OID than expected"); + } else { + if(oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen-2) { + debug("Badly encoded mechanism OID received"); + userauth(authctxt, NULL); + xfree(oidv); + return; + } + if (!ssh_gssapi_check_oid(gssctxt, oidv+2, oidlen-2)) + fatal("Server returned different OID than expected"); + } + + packet_check_eom(); + + xfree(oidv); + + status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + GSS_C_NO_BUFFER, &send_tok, NULL); + if (GSS_ERROR(status)) { + if (send_tok.length > 0) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + gss_release_buffer(&ms, &send_tok); + } + /* Start again with next method on list */ + debug("Trying to start again"); + userauth(authctxt, NULL); + return; + } + + /* We must have data to send */ + packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + gss_release_buffer(&ms, &send_tok); +} + +void +input_gssapi_token(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc recv_tok; + OM_uint32 status, ms; + u_int slen; + + if (authctxt == NULL) + fatal("input_gssapi_response: no authentication context"); + gssctxt = authctxt->methoddata; + + recv_tok.value = packet_get_string(&slen); + recv_tok.length = slen; /* safe typecast */ + + packet_check_eom(); + + status=ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + &recv_tok, &send_tok, NULL); + + xfree(recv_tok.value); + + if (GSS_ERROR(status)) { + if (send_tok.length > 0) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + gss_release_buffer(&ms, &send_tok); + } + /* Start again with the next method in the list */ + userauth(authctxt, NULL); + return; + } + + if (send_tok.length > 0) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + gss_release_buffer(&ms, &send_tok); + } + + if (status == GSS_S_COMPLETE) { + /* If that succeeded, send a exchange complete message */ + packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); + packet_send(); + } +} + +void +input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc recv_tok; + OM_uint32 status, ms; + + if (authctxt == NULL) + fatal("input_gssapi_response: no authentication context"); + gssctxt = authctxt->methoddata; + + recv_tok.value = packet_get_string(&recv_tok.length); + + packet_check_eom(); + + /* Stick it into GSSAPI and see what it says */ + status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + &recv_tok, &send_tok, NULL); + + xfree(recv_tok.value); + gss_release_buffer(&ms, &send_tok); + + /* Server will be returning a failed packet after this one */ +} + +void +input_gssapi_error(int type, u_int32_t plen, void *ctxt) +{ + OM_uint32 maj, min; + char *msg; + char *lang; + + maj=packet_get_int(); + min=packet_get_int(); + msg=packet_get_string(NULL); + lang=packet_get_string(NULL); + + packet_check_eom(); + + debug("Server GSSAPI Error:\n%s\n", msg); + xfree(msg); + xfree(lang); +} +#endif /* GSSAPI */ + int userauth_none(Authctxt *authctxt) { diff --git a/sshd_config b/sshd_config index a2bd2ff60..294539096 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.63 2003/08/13 08:46:31 markus Exp $ +# $OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -63,6 +63,10 @@ #KerberosTicketCleanup yes #KerberosTgtPassing no +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCreds yes + # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may # bypass the setting of 'PasswordAuthentication' diff --git a/sshd_config.5 b/sshd_config.5 index 3d920cc80..8857c673d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.22 2003/08/13 08:46:31 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -225,6 +225,19 @@ or .Dq no . The default is .Dq no . +.It Cm GSSAPIAuthentication +Specifies whether authentication based on GSSAPI may be used, either using +the result of a successful key exchange, or using GSSAPI user +authentication. +The default is +.Dq no . +Note that this option applies to protocol version 2 only. +.It Cm GSSAPICleanupCredentials +Specifies whether to automatically destroy the user's credentials cache +on logout. +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -- cgit v1.2.3 From 49aaf4ad522c6b599ec13f75f8a6b7eab6942143 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 26 Aug 2003 11:58:16 +1000 Subject: - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. --- ChangeLog | 5 ++++- Makefile.in | 5 +++-- acconfig.h | 5 ++++- auth-krb5.c | 3 --- auth-pam.c | 25 ++++++++++++++++++++++++- auth-pam.h | 3 ++- configure.ac | 28 +++++++++++++++++++++++++++- defines.h | 6 +++++- gss-serv-krb5.c | 37 +++++++++++++++++++++++++++++++++++++ session.c | 24 ++++++++++++------------ ssh-gss.h | 12 ++++++++++++ sshconnect1.c | 3 --- sshconnect2.c | 3 --- 13 files changed, 130 insertions(+), 29 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index 142af1b06..042334b01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself. + - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h + configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c + sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. 20030825 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from @@ -882,4 +885,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $ +$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index cffefece6..eba34f341 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.240 2003/08/02 13:51:38 dtucker Exp $ +# $Id: Makefile.in,v 1.241 2003/08/26 01:58:16 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -68,7 +68,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ - entropy.o scard-opensc.o + entropy.o scard-opensc.o gss-genr.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o @@ -82,6 +82,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ auth-krb5.o auth2-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff --git a/acconfig.h b/acconfig.h index 0e04c65b2..c83a45619 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.162 2003/08/26 01:58:16 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -232,6 +232,9 @@ /* Define if compiler implements __func__ */ #undef HAVE___func__ +/* Define this is you want GSSAPI support in the version 2 protocol */ +#undef GSSAPI + /* Define if you want Kerberos 5 support */ #undef KRB5 diff --git a/auth-krb5.c b/auth-krb5.c index b04c6649b..b9eeb5ba6 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -42,9 +42,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #ifdef KRB5 #include -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ extern ServerOptions options; diff --git a/auth-pam.c b/auth-pam.c index c0b6ded12..08b88f0dd 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.68 2003/08/26 01:58:16 dtucker Exp $"); #ifdef USE_PAM #include @@ -650,6 +650,29 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } +/* + * Set a PAM environment string. We need to do this so that the session + * modules can handle things like Kerberos/GSI credentials that appear + * during the ssh authentication process. + */ + +int +do_pam_putenv(char *name, char *value) +{ + char *compound; + int ret = 1; + +#ifdef HAVE_PAM_PUTENV + compound = xmalloc(strlen(name)+strlen(value)+2); + if (compound) { + sprintf(compound,"%s=%s",name,value); + ret = pam_putenv(sshpam_handle,compound); + xfree(compound); + } +#endif + return (ret); +} + void print_pam_messages(void) { diff --git a/auth-pam.h b/auth-pam.h index 7f7c16d2e..03868312c 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */ +/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -38,6 +38,7 @@ void do_pam_session(const char *, const char *); void do_pam_setcred(int ); int is_pam_password_change_required(void); void do_pam_chauthtok(void); +int do_pam_putenv(char *, char *); void print_pam_messages(void); char ** fetch_pam_environment(void); void free_pam_environment(char **); diff --git a/configure.ac b/configure.ac index 600155ccd..bbc00e703 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.142 2003/08/25 03:27:40 dtucker Exp $ +# $Id: configure.ac,v 1.143 2003/08/26 01:58:16 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -831,6 +831,7 @@ AC_ARG_WITH(pam, AC_CHECK_LIB(dl, dlopen, , ) AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_FUNCS(pam_putenv) disable_shadow=yes PAM_MSG="yes" @@ -1946,6 +1947,31 @@ AC_ARG_WITH(kerberos5, fi AC_SEARCH_LIBS(dn_expand, resolv) + AC_CHECK_LIB(gssapi,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], + $K5LIBS) + + AC_CHECK_HEADER(gssapi.h, , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS(gssapi.h, , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER(gssapi_krb5.h, , + [ CPPFLAGS="$oldCPP" ]) + KRB5=yes fi ] diff --git a/defines.h b/defines.h index b2ea15d9f..7bff839cc 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */ +/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */ /* Constants */ @@ -521,6 +521,10 @@ struct winsize { # define __func__ "" #endif +#if defined(KRB5) && !defined(HEIMDAL) +# define krb5_get_err_text(context,code) error_message(code) +#endif + /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index d86872258..f48e09911 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -38,7 +38,11 @@ extern ServerOptions options; +#ifdef HEIMDAL #include +#else +#include +#endif static krb5_context krb_context = NULL; @@ -113,11 +117,39 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) if (ssh_gssapi_krb5_init() == 0) return; +#ifdef HEIMDAL if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { logit("krb5_cc_gen_new(): %.100s", krb5_get_err_text(krb_context, problem)); return; } +#else + { + int tmpfd; + char ccname[40]; + + snprintf(ccname, sizeof(ccname), + "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid()); + + if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) { + logit("mkstemp(): %.100s", strerror(errno)); + problem = errno; + return; + } + if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + problem = errno; + return; + } + close(tmpfd); + if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) { + logit("krb5_cc_resolve(): %.100s", + krb5_get_err_text(krb_context, problem)); + return; + } + } +#endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { @@ -148,6 +180,11 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) client->store.envvar = "KRB5CCNAME"; client->store.envval = xstrdup(client->store.filename); +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv(client->store.envvar,client->store.envval); +#endif + krb5_cc_close(krb_context, ccache); return; diff --git a/session.c b/session.c index 3593a3ff5..6ba0233e5 100644 --- a/session.c +++ b/session.c @@ -418,6 +418,12 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, NULL); @@ -428,12 +434,6 @@ do_exec_no_pty(Session *s, const char *command) } #endif /* USE_PAM */ -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -553,6 +553,12 @@ do_exec_pty(Session *s, const char *command) ptyfd = s->ptyfd; ttyfd = s->ttyfd; +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, s->tty); @@ -560,12 +566,6 @@ do_exec_pty(Session *s, const char *command) } #endif -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); diff --git a/ssh-gss.h b/ssh-gss.h index 263e51b94..6b58adb3a 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -31,6 +31,18 @@ #include +#ifdef KRB5 +#ifndef HEIMDAL +#include + +/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ + +#ifndef GSS_C_NT_HOSTBASED_SERVICE +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif /* GSS_C_NT_... */ +#endif /* !HEIMDAL */ +#endif /* KRB5 */ + /* draft-ietf-secsh-gsskeyex-06 */ #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 diff --git a/sshconnect1.c b/sshconnect1.c index 5e1802b10..5935e8b77 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -20,9 +20,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $"); #ifdef KRB5 #include -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ #endif #include "ssh.h" diff --git a/sshconnect2.c b/sshconnect2.c index c71ad506b..549853907 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -27,9 +27,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $"); #ifdef KRB5 #include -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ #endif #include "openbsd-compat/sys-queue.h" -- cgit v1.2.3 From be1a901f9947fdcf56703afaf15942c33462a3dc Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 26 Aug 2003 12:04:31 +1000 Subject: - markus@cvs.openbsd.org 2003/08/22 13:20:03 [sshconnect2.c] remove support for "kerberos-2@ssh.com" --- ChangeLog | 5 ++- sshconnect2.c | 107 +--------------------------------------------------------- 2 files changed, 5 insertions(+), 107 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index 042334b01..3c32afb87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself. + - markus@cvs.openbsd.org 2003/08/22 13:20:03 + [sshconnect2.c] + remove support for "kerberos-2@ssh.com" - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. @@ -885,4 +888,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $ +$Id: ChangeLog,v 1.2909 2003/08/26 02:04:31 dtucker Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index 549853907..558a0a749 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,11 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $"); - -#ifdef KRB5 -#include -#endif +RCSID("$OpenBSD: sshconnect2.c,v 1.122 2003/08/22 13:20:03 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -235,12 +231,6 @@ Authmethod authmethods[] = { userauth_hostbased, &options.hostbased_authentication, NULL}, -#if KRB5 - {"kerberos-2@ssh.com", - userauth_kerberos, - &options.kerberos_authentication, - NULL}, -#endif {"publickey", userauth_pubkey, &options.pubkey_authentication, @@ -1370,101 +1360,6 @@ userauth_hostbased(Authctxt *authctxt) return 1; } -#if KRB5 -static int -ssh_krb5_helper(krb5_data *ap, krb5_context *context) -{ - krb5_context xcontext = NULL; /* XXX share with ssh1 */ - krb5_auth_context xauth_context = NULL; - krb5_auth_context *auth_context; - krb5_error_code problem; - const char *tkfile; - struct stat buf; - krb5_ccache ccache = NULL; - const char *remotehost; - int ret; - - memset(ap, 0, sizeof(*ap)); - - context = &xcontext; - auth_context = &xauth_context; - - problem = krb5_init_context(context); - if (problem) { - debug("Kerberos v5: krb5_init_context failed"); - ret = 0; - goto out; - } - - tkfile = krb5_cc_default_name(*context); - if (strncmp(tkfile, "FILE:", 5) == 0) - tkfile += 5; - - if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { - debug("Kerberos v5: could not get default ccache (permission denied)."); - ret = 0; - goto out; - } - - problem = krb5_cc_default(*context, &ccache); - if (problem) { - debug("Kerberos v5: krb5_cc_default failed: %s", - krb5_get_err_text(*context, problem)); - ret = 0; - goto out; - } - - remotehost = get_canonical_hostname(1); - - problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, - "host", remotehost, NULL, ccache, ap); - if (problem) { - debug("Kerberos v5: krb5_mk_req failed: %s", - krb5_get_err_text(*context, problem)); - ret = 0; - goto out; - } - ret = 1; - - out: - if (ccache != NULL) - krb5_cc_close(*context, ccache); - if (*auth_context) - krb5_auth_con_free(*context, *auth_context); - return (ret); -} - -int -userauth_kerberos(Authctxt *authctxt) -{ - krb5_data ap; - krb5_context *context; - int ret = 0; - - if (ssh_krb5_helper(&ap, context) == 0) - goto out; - - packet_start(SSH2_MSG_USERAUTH_REQUEST); - packet_put_cstring(authctxt->server_user); - packet_put_cstring(authctxt->service); - packet_put_cstring(authctxt->method->name); - packet_put_string(ap.data, ap.length); - packet_send(); - -#ifdef HEIMDAL - krb5_data_free(&ap); -#else - krb5_free_data_contents(*context, &ap); -#endif - ret = 1; - -out: - if (*context) - krb5_free_context(*context); - return ret; -} -#endif - /* find auth method */ /* -- cgit v1.2.3 From 600ad8de76e12820ed1ff0db71946b4e03d5349c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 26 Aug 2003 12:10:48 +1000 Subject: - deraadt@cvs.openbsd.org 2003/08/24 17:36:52 [monitor.c monitor_wrap.c sshconnect2.c] 64 bit cleanups; markus ok --- ChangeLog | 5 ++++- monitor.c | 6 ++++-- monitor_wrap.c | 6 ++++-- sshconnect2.c | 6 ++++-- 4 files changed, 16 insertions(+), 7 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index e10a3c425..ba3e56d8d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ - markus@cvs.openbsd.org 2003/08/22 20:55:06 [LICENCE] add Simon Wilkinson + - deraadt@cvs.openbsd.org 2003/08/24 17:36:52 + [monitor.c monitor_wrap.c sshconnect2.c] + 64 bit cleanups; markus ok - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. @@ -894,4 +897,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2911 2003/08/26 02:09:53 dtucker Exp $ +$Id: ChangeLog,v 1.2912 2003/08/26 02:10:48 dtucker Exp $ diff --git a/monitor.c b/monitor.c index f90a90461..e08181f74 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.46 2003/08/22 10:56:09 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.47 2003/08/24 17:36:52 deraadt Exp $"); #include @@ -1817,8 +1817,10 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m) gss_buffer_desc out = GSS_C_EMPTY_BUFFER; OM_uint32 major,minor; OM_uint32 flags = 0; /* GSI needs this */ + u_int len; - in.value = buffer_get_string(m, &in.length); + in.value = buffer_get_string(m, &len); + in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); xfree(in.value); diff --git a/monitor_wrap.c b/monitor_wrap.c index 4073905f6..82649a7cc 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.29 2003/08/22 10:56:09 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $"); #include #include @@ -1134,6 +1134,7 @@ mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, { Buffer m; OM_uint32 major; + u_int len; buffer_init(&m); buffer_put_string(&m, in->value, in->length); @@ -1142,7 +1143,8 @@ mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); major = buffer_get_int(&m); - out->value = buffer_get_string(&m, &out->length); + out->value = buffer_get_string(&m, &len); + out->length = len; if (flags) *flags = buffer_get_int(&m); diff --git a/sshconnect2.c b/sshconnect2.c index 558a0a749..22795395e 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.122 2003/08/22 13:20:03 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.123 2003/08/24 17:36:52 deraadt Exp $"); #include "openbsd-compat/sys-queue.h" @@ -647,12 +647,14 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; OM_uint32 status, ms; + u_int len; if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); gssctxt = authctxt->methoddata; - recv_tok.value = packet_get_string(&recv_tok.length); + recv_tok.value = packet_get_string(&len); + recv_tok.length = len; packet_check_eom(); -- cgit v1.2.3 From 08bbb2f69d83c687f5aaea053a30dac3c3ef1cd3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 26 Aug 2003 12:14:05 +1000 Subject: - djm@cvs.openbsd.org 2003/08/25 10:33:33 [sshconnect2.c] fprintf->logit to silence login banner with "ssh -q"; ok markus@ --- ChangeLog | 5 ++++- sshconnect2.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'sshconnect2.c') diff --git a/ChangeLog b/ChangeLog index cb0b2db35..ffb9c997c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ [sftp-int.c] fix div by zero when listing for filename lengths longer than width. markus@ ok. + - djm@cvs.openbsd.org 2003/08/25 10:33:33 + [sshconnect2.c] + fprintf->logit to silence login banner with "ssh -q"; ok markus@ - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. @@ -901,4 +904,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2913 2003/08/26 02:12:56 dtucker Exp $ +$Id: ChangeLog,v 1.2914 2003/08/26 02:14:05 dtucker Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index 22795395e..933c223ec 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.123 2003/08/24 17:36:52 deraadt Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.124 2003/08/25 10:33:33 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -361,7 +361,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt) debug3("input_userauth_banner"); msg = packet_get_string(NULL); lang = packet_get_string(NULL); - fprintf(stderr, "%s", msg); + logit("%s", msg); xfree(msg); xfree(lang); } -- cgit v1.2.3