From d4d1815cae3ad1d9536e456a2772a97e7f666446 Mon Sep 17 00:00:00 2001
From: Tim Rice
Date: Thu, 25 Sep 2003 19:04:34 -0700
Subject: [sshd_config] UsePAM defaults to no.

---
 sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sshd_config')

diff --git a/sshd_config b/sshd_config
index dd53f1057..af0dec09f 100644
--- a/sshd_config
+++ b/sshd_config
@@ -69,7 +69,7 @@
 # Set this to 'yes' to enable PAM authentication (via challenge-response)
 # and session processing. Depending on your PAM configuration, this may
 # bypass the setting of 'PasswordAuthentication'
-#UsePAM yes
+#UsePAM no
 
 #AllowTcpForwarding yes
 #GatewayPorts no
-- 
cgit v1.2.3

From a49d36e7b9727edf472750a249dd7655ae1594fd Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Thu, 2 Oct 2003 16:20:54 +1000
Subject: - markus@cvs.openbsd.org 2003/09/29 20:19:57 [servconf.c sshd_config] GSSAPICleanupCreds -> GSSAPICleanupCredentials

---
 ChangeLog   | 5 ++++-
 servconf.c  | 6 +++---
 sshd_config | 4 ++--
 3 files changed, 9 insertions(+), 6 deletions(-)

(limited to 'sshd_config')

diff --git a/ChangeLog b/ChangeLog
index d25f7c05b..b8cd03252 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@
    - some other cleanup requested by deraadt@; ok deraadt@ markus@
+   - markus@cvs.openbsd.org 2003/09/29 20:19:57
+     [servconf.c sshd_config]
+     GSSAPICleanupCreds -> GSSAPICleanupCredentials
 
 20030930
  - (bal) Fix issues in openbsd-compat/realpath.c
@@ -1260,4 +1263,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3049 2003/10/02 06:19:47 dtucker Exp $
+$Id: ChangeLog,v 1.3050 2003/10/02 06:20:54 dtucker Exp $
diff --git a/servconf.c b/servconf.c
index 58f49a2f4..0df62ad63 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.128 2003/09/29 20:19:57 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -310,10 +310,10 @@ static struct {
 	{ "afstokenpassing", sUnsupported },
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication },
-	{ "gssapicleanupcreds", sGssCleanupCreds },
+	{ "gssapicleanupcredentials", sGssCleanupCreds },
 #else
 	{ "gssapiauthentication", sUnsupported },
-	{ "gssapicleanupcreds", sUnsupported },
+	{ "gssapicleanupcredentials", sUnsupported },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
diff --git a/sshd_config b/sshd_config
index af0dec09f..5e026a609 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
+# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -64,7 +64,7 @@
 
 # GSSAPI options
 #GSSAPIAuthentication no
-#GSSAPICleanupCreds yes
+#GSSAPICleanupCredentials yes
 
 # Set this to 'yes' to enable PAM authentication (via challenge-response)
 # and session processing. Depending on your PAM configuration, this may
-- 
cgit v1.2.3

From 418a386f2bb62ff03cee5dfc2c8d561aba08d8c1 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Thu, 6 Nov 2003 20:27:51 +1100
Subject: - (djm) Clarify UsePAM consequences a little more

---
 ChangeLog   | 5 ++++-
 sshd_config | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

(limited to 'sshd_config')

diff --git a/ChangeLog b/ChangeLog
index ebf64f942..d31002b08 100644
--- a/ChangeLog
+++ b/ChangeLog
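Review bot: The keyword table in the `@@ -310,10 +310,10 @@` hunk drops `gssapicleanupcreds` instead of keeping it as an alias, so a deployed sshd_config that still says `GSSAPICleanupCreds` no longer matches any table entry after this change; if an unmatched keyword is treated as a bad option by the parser (outside this hunk), sshd will refuse to start on such a config rather than degrade gracefully. A compatible transition keeps the old spelling mapped to the same token for a release, `{ "gssapicleanupcreds", sGssCleanupCreds },` under `#ifdef GSSAPI` and `{ "gssapicleanupcreds", sUnsupported },` in the `#else` branch, while the sample sshd_config and the documentation switch to the new name. The enclosing `static struct` keyword table starts and ends outside the hunk.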
@@ -1,3 +1,6 @@
+20031106
+ - (djm) Clarify UsePAM consequences a little more
+
 20031103
  - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services
    are created correctly with CRLF line terminations. Patch from vinschen at
@@ -1394,4 +1397,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3092 2003/11/03 11:52:52 dtucker Exp $
+$Id: ChangeLog,v 1.3093 2003/11/06 09:27:51 djm Exp $
diff --git a/sshd_config b/sshd_config
index 5e026a609..8dfc772e8 100644
--- a/sshd_config
+++ b/sshd_config
@@ -68,7 +68,7 @@
 
 # Set this to 'yes' to enable PAM authentication (via challenge-response)
 # and session processing. Depending on your PAM configuration, this may
-# bypass the setting of 'PasswordAuthentication'
+# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
 #UsePAM no
 
 #AllowTcpForwarding yes
-- 
cgit v1.2.3

From 22ef5087543839dd14e1591923e669518b5c13e8 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Wed, 31 Dec 2003 11:37:34 +1100
Subject: - jakob@cvs.openbsd.org 2003/12/23 16:12:10 [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@

---
 ChangeLog   |  5 ++++-
 servconf.c  | 12 +++++++++++-
 servconf.h  |  4 +++-
 session.c   | 28 +++++++++++++++++++++++++++-
 sshd_config |  3 ++-
 5 files changed, 47 insertions(+), 5 deletions(-)

(limited to 'sshd_config')

diff --git a/ChangeLog b/ChangeLog
index c80577e5a..d325407ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
    - markus@cvs.openbsd.org 2003/12/22 20:29:55
      [cipher-3des1.c]
      EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
+   - jakob@cvs.openbsd.org 2003/12/23 16:12:10
+     [servconf.c servconf.h session.c sshd_config]
+     implement KerberosGetAFSToken server option. ok markus@, beck@
 
 20031219
  - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
@@ -1626,4 +1629,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $
+$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $
diff --git a/servconf.c b/servconf.c
index a6824a863..b832c75b3 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
+	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
 	options->password_authentication = -1;
@@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options)
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
 		options->kerberos_ticket_cleanup = 1;
+	if (options->kerberos_get_afs_token == -1)
+		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
@@ -250,6 +253,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+	sKerberosGetAFSToken,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -301,10 +305,12 @@ static struct {
 	{ "kerberosauthentication", sKerberosAuthentication },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup },
+	{ "kerberosgetafstoken", sKerberosGetAFSToken },
 #else
 	{ "kerberosauthentication", sUnsupported },
 	{ "kerberosorlocalpasswd", sUnsupported },
 	{ "kerberosticketcleanup", sUnsupported },
+	{ "kerberosgetafstoken", sUnsupported },
 #endif
 	{ "kerberostgtpassing", sUnsupported },
 	{ "afstokenpassing", sUnsupported },
@@ -630,6 +636,10 @@ parse_flag:
 		intptr = &options->kerberos_ticket_cleanup;
 		goto parse_flag;
 
+	case sKerberosGetAFSToken:
+		intptr = &options->kerberos_get_afs_token;
+		goto parse_flag;
+
 	case sGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 3cf47bf2f..57c7e5fab 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */
+/* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */
 
 /*
  * Author: Tatu Ylonen
@@ -80,6 +80,8 @@ typedef struct {
 					 * /etc/passwd */
 	int	kerberos_ticket_cleanup;	/* If true, destroy ticket
 						 * file on logout. */
+	int	kerberos_get_afs_token;		/* If true, try to get AFS token if
+						 * authenticated with Kerberos. */
 	int	gss_authentication;	/* If true, permit GSSAPI authentication */
 	int	gss_cleanup_creds;	/* If true, destroy cred cache on logout */
 	int	password_authentication;	/* If true, permit password
diff --git a/session.c b/session.c
index 00f8785f5..03a5ec570 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command)
 	 */
 	environ = env;
 
+#ifdef KRB5
+	/*
+	 * At this point, we check to see if AFS is active and if we have
+	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
+	 * if we can (and need to) extend the ticket into an AFS token. If
+	 * we don't do this, we run into potential problems if the user's
+	 * home directory is in AFS and it's not world-readable.
+	 */
+
+	if (options.kerberos_get_afs_token && k_hasafs() &&
+	    (s->authctxt->krb5_ctx != NULL)) {
+		char cell[64];
+
+		debug("Getting AFS token");
+
+		k_setpag();
+
+		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+			krb5_afslog(s->authctxt->krb5_ctx,
+			    s->authctxt->krb5_fwd_ccache, cell, NULL);
+
+		krb5_afslog_home(s->authctxt->krb5_ctx,
+		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+	}
+#endif
+
 	/* Change current directory to the user\'s home directory. */
 	if (chdir(pw->pw_dir) < 0) {
 		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
diff --git a/sshd_config b/sshd_config
index 8dfc772e8..aaa30f4ba 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $
+# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -61,6 +61,7 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
+#KerberosGetAFSToken no
 
 # GSSAPI options
 #GSSAPIAuthentication no
-- 
cgit v1.2.3

From 0b3b97512fc3bae1aad38ddff2222bcca5f80f0e Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Wed, 31 Dec 2003 11:38:32 +1100
Subject: - millert@cvs.openbsd.org 2003/12/29 16:39:50 [sshd_config] KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK

---
 ChangeLog   | 5 ++++-
 sshd_config | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

(limited to 'sshd_config')

diff --git a/ChangeLog b/ChangeLog
index d325407ab..ad79ceb36 100644
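Review bot: Neither `krb5_afslog()` nor `krb5_afslog_home()` in the `@@ -1415,6 +1415,32 @@` hunk has its return value checked, so a failed token acquisition is silent and the only symptom is the generic "Could not chdir to home directory" error that follows when the AFS home is not world-readable, which is exactly the case the new comment says this code exists for. As far as I can tell both calls return 0 on success in Heimdal's kafs, so the result can be reported through the `debug()` the block already uses, giving an administrator something to correlate with the chdir failure. The guard also tests only `s->authctxt->krb5_ctx`; if `krb5_fwd_ccache` can be NULL when no credentials were forwarded (it is set outside this hunk), it belongs in the same condition rather than being passed through unchecked. do_child() starts and ends outside the hunk.
```c
		/* … unchanged: cell declaration, debug(), k_setpag() … */

		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0 &&
		    krb5_afslog(s->authctxt->krb5_ctx,
		    s->authctxt->krb5_fwd_ccache, cell, NULL) != 0)
			debug("krb5_afslog failed for cell %s", cell);

		if (krb5_afslog_home(s->authctxt->krb5_ctx,
		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir) != 0)
			debug("krb5_afslog_home failed for %s", pw->pw_dir);
```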
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,9 @@
    - jakob@cvs.openbsd.org 2003/12/23 16:12:10
      [servconf.c servconf.h session.c sshd_config]
      implement KerberosGetAFSToken server option. ok markus@, beck@
+   - millert@cvs.openbsd.org 2003/12/29 16:39:50
+     [sshd_config]
+     KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
 
 20031219
  - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
@@ -1629,4 +1632,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $
+$Id: ChangeLog,v 1.3156 2003/12/31 00:38:32 dtucker Exp $
diff --git a/sshd_config b/sshd_config
index aaa30f4ba..b45c8c561 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $
+# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -79,7 +79,7 @@
 #X11UseLocalhost yes
 #PrintMotd yes
 #PrintLastLog yes
-#KeepAlive yes
+#TCPKeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
-- 
cgit v1.2.3