- (dtucker) OpenBSD CVS SyncPOST_KRB4_REMOVAL

   - markus@cvs.openbsd.org 2003/07/22 13:35:22
     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
     test+ok henning@
 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.

I hope I got this right....

26 files changed, 52 insertions, 1236 deletions

diff --git a/ChangeLog b/ChangeLog
index c930ad34..67ca07ce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 20030802
  - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/07/22 13:35:22
+     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
+     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
+     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
+     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
+     test+ok henning@
+ - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
+ - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
 
 20030730
  - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
@@ -738,4 +747,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2868 2003/08/02 10:37:03 dtucker Exp $
+$Id: ChangeLog,v 1.2869 2003/08/02 12:24:49 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index 4252ae6f..c5674c73 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.238 2003/06/05 08:53:43 djm Exp $
+# $Id: Makefile.in,v 1.239 2003/08/02 12:24:49 dtucker Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
 	cipher.o  cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
 	compat.o compress.o crc32.o deattack.o fatal.o \
-	hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \
+	hostfile.o log.o match.o mpaux.o nchan.o packet.o \
 	readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
 	key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 	rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
@@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
 	monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
 	kexdhs.o kexgexs.o \
-	auth-krb5.o auth2-krb5.o auth-krb4.o \
+	auth-krb5.o auth2-krb5.o \
 	loginrec.o auth-pam.o auth-sia.o md5crypt.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
diff --git a/acconfig.h b/acconfig.h
index 0af93663..24c07bee 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.159 2003/07/14 06:21:44 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.160 2003/08/02 12:24:49 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -238,12 +238,6 @@
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 
-/* Define if you want Kerberos 4 support */
-#undef KRB4
-
-/* Define if you want AFS support */
-#undef AFS
-
 /* Define if you want S/Key support */
 #undef SKEY
 
diff --git a/auth-krb4.c b/auth-krb4.c
deleted file mode 100644
index 9e1c800b..00000000
--- a/auth-krb4.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $");
-
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "auth.h"
-
-#ifdef AFS
-#include "radix.h"
-#endif
-
-#ifdef KRB4
-extern ServerOptions options;
-
-static int
-krb4_init(void *context)
-{
-	static int cleanup_registered = 0;
-	Authctxt *authctxt = (Authctxt *)context;
-	const char *tkt_root = TKT_ROOT;
-	struct stat st;
-	int fd;
-
-	if (!authctxt->krb4_ticket_file) {
-		/* Set unique ticket string manually since we're still root. */
-		authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
-#ifdef AFS
-		if (lstat("/ticket", &st) != -1)
-			tkt_root = "/ticket/";
-#endif /* AFS */
-		snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
-		    tkt_root, authctxt->pw->pw_uid, (long)getpid());
-		krb_set_tkt_string(authctxt->krb4_ticket_file);
-	}
-	/* Register ticket cleanup in case of fatal error. */
-	if (!cleanup_registered) {
-		fatal_add_cleanup(krb4_cleanup_proc, authctxt);
-		cleanup_registered = 1;
-	}
-	/* Try to create our ticket file. */
-	if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
-		close(fd);
-		return (1);
-	}
-	/* Ticket file exists - make sure user owns it (just passed ticket). */
-	if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
-		if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
-		    st.st_uid == authctxt->pw->pw_uid)
-			return (1);
-	}
-	/* Failure - cancel cleanup function, leaving ticket for inspection. */
-	logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
-
-	fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
-	cleanup_registered = 0;
-
-	xfree(authctxt->krb4_ticket_file);
-	authctxt->krb4_ticket_file = NULL;
-
-	return (0);
-}
-
-/*
- * try krb4 authentication,
- * return 1 on success, 0 on failure, -1 if krb4 is not available
- */
-int
-auth_krb4_password(Authctxt *authctxt, const char *password)
-{
-	AUTH_DAT adata;
-	KTEXT_ST tkt;
-	struct hostent *hp;
-	struct passwd *pw;
-	char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
-	u_int32_t faddr;
-	int r;
-
-	if ((pw = authctxt->pw) == NULL)
-		return (0);
-
-	/*
-	 * Try Kerberos password authentication only for non-root
-	 * users and only if Kerberos is installed.
-	 */
-	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-		/* Set up our ticket file. */
-		if (!krb4_init(authctxt)) {
-			logit("Couldn't initialize Kerberos ticket file for %s!",
-			    pw->pw_name);
-			goto failure;
-		}
-		/* Try to get TGT using our password. */
-		r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
-		    "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
-		if (r != INTK_OK) {
-			debug("Kerberos v4 password authentication for %s "
-			    "failed: %s", pw->pw_name, krb_err_txt[r]);
-			goto failure;
-		}
-		/* Successful authentication. */
-		chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-		/*
-		 * Now that we have a TGT, try to get a local
-		 * "rcmd" ticket to ensure that we are not talking
-		 * to a bogus Kerberos server.
-		 */
-		gethostname(localhost, sizeof(localhost));
-		strlcpy(phost, (char *)krb_get_phost(localhost),
-		    sizeof(phost));
-		r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-		if (r == KSUCCESS) {
-			if ((hp = gethostbyname(localhost)) == NULL) {
-				logit("Couldn't get local host address!");
-				goto failure;
-			}
-			memmove((void *)&faddr, (void *)hp->h_addr,
-			    sizeof(faddr));
-
-			/* Verify our "rcmd" ticket. */
-			r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-			    faddr, &adata, "");
-			if (r == RD_AP_UNDEC) {
-				/*
-				 * Probably didn't have a srvtab on
-				 * localhost. Disallow login.
-				 */
-				logit("Kerberos v4 TGT for %s unverifiable, "
-				    "no srvtab installed? krb_rd_req: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto failure;
-			} else if (r != KSUCCESS) {
-				logit("Kerberos v4 %s ticket unverifiable: %s",
-				    KRB4_SERVICE_NAME, krb_err_txt[r]);
-				goto failure;
-			}
-		} else if (r == KDC_PR_UNKNOWN) {
-			/*
-			 * Disallow login if no rcmd service exists, and
-			 * log the error.
-			 */
-			logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
-			    "not registered, or srvtab is wrong?", pw->pw_name,
-			    krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-			goto failure;
-		} else {
-			/*
-			 * TGT is bad, forget it. Possibly spoofed!
-			 */
-			debug("WARNING: Kerberos v4 TGT possibly spoofed "
-			    "for %s: %s", pw->pw_name, krb_err_txt[r]);
-			goto failure;
-		}
-		/* Authentication succeeded. */
-		return (1);
-	} else
-		/* Logging in as root or no local Kerberos realm. */
-		debug("Unable to authenticate to Kerberos.");
-
- failure:
-	krb4_cleanup_proc(authctxt);
-
-	if (!options.kerberos_or_local_passwd)
-		return (0);
-
-	/* Fall back to ordinary passwd authentication. */
-	return (-1);
-}
-
-void
-krb4_cleanup_proc(void *context)
-{
-	Authctxt *authctxt = (Authctxt *)context;
-	debug("krb4_cleanup_proc called");
-	if (authctxt->krb4_ticket_file) {
-		(void) dest_tkt();
-		xfree(authctxt->krb4_ticket_file);
-		authctxt->krb4_ticket_file = NULL;
-	}
-}
-
-int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
-{
-	AUTH_DAT adat = {0};
-	Key_schedule schedule;
-	struct sockaddr_in local, foreign;
-	char instance[INST_SZ];
-	socklen_t slen;
-	u_int cksum;
-	int r, s;
-
-	s = packet_get_connection_in();
-
-	slen = sizeof(local);
-	memset(&local, 0, sizeof(local));
-	if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
-		debug("getsockname failed: %.100s", strerror(errno));
-	slen = sizeof(foreign);
-	memset(&foreign, 0, sizeof(foreign));
-	if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
-		debug("getpeername failed: %.100s", strerror(errno));
-		fatal_cleanup();
-	}
-	instance[0] = '*';
-	instance[1] = 0;
-
-	/* Get the encrypted request, challenge, and session key. */
-	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
-	    0, &adat, ""))) {
-		debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
-		return (0);
-	}
-	des_key_sched((des_cblock *) adat.session, schedule);
-
-	*client = xmalloc(MAX_K_NAME_SZ);
-	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
-	    *adat.pinst ? "." : "", adat.pinst, adat.prealm);
-
-	/* Check ~/.klogin authorization now. */
-	if (kuserok(&adat, authctxt->user) != KSUCCESS) {
-		logit("Kerberos v4 .klogin authorization failed for %s to "
-		    "account %s", *client, authctxt->user);
-		xfree(*client);
-		*client = NULL;
-		return (0);
-	}
-	/* Increment the checksum, and return it encrypted with the
-	   session key. */
-	cksum = adat.checksum + 1;
-	cksum = htonl(cksum);
-
-	/* If we can't successfully encrypt the checksum, we send back an
-	   empty message, admitting our failure. */
-	if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
-	    schedule, &adat.session, &local, &foreign)) < 0) {
-		debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
-		reply->dat[0] = 0;
-		reply->length = 0;
-	} else
-		reply->length = r;
-
-	/* Clear session key. */
-	memset(&adat.session, 0, sizeof(adat.session));
-	return (1);
-}
-#endif /* KRB4 */
-
-#ifdef AFS
-int
-auth_krb4_tgt(Authctxt *authctxt, const char *string)
-{
-	CREDENTIALS creds;
-	struct passwd *pw;
-
-	if ((pw = authctxt->pw) == NULL)
-		goto failure;
-
-	temporarily_use_uid(pw);
-
-	if (!radix_to_creds(string, &creds)) {
-		logit("Protocol error decoding Kerberos v4 TGT");
-		goto failure;
-	}
-	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
-		strlcpy(creds.service, "krbtgt", sizeof creds.service);
-
-	if (strcmp(creds.service, "krbtgt")) {
-		logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
-		    creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
-		    creds.realm, pw->pw_name);
-		goto failure;
-	}
-	if (!krb4_init(authctxt))
-		goto failure;
-
-	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-		goto failure;
-
-	if (save_credentials(creds.service, creds.instance, creds.realm,
-	    creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
-	    creds.issue_date) != KSUCCESS) {
-		debug("Kerberos v4 TGT refused: couldn't save credentials");
-		goto failure;
-	}
-	/* Successful authentication, passed all checks. */
-	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-	debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
-	    creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
-	memset(&creds, 0, sizeof(creds));
-
-	restore_uid();
-
-	return (1);
-
- failure:
-	krb4_cleanup_proc(authctxt);
-	memset(&creds, 0, sizeof(creds));
-	restore_uid();
-
-	return (0);
-}
-
-int
-auth_afs_token(Authctxt *authctxt, const char *token_string)
-{
-	CREDENTIALS creds;
-	struct passwd *pw;
-	uid_t uid;
-
-	if ((pw = authctxt->pw) == NULL)
-		return (0);
-
-	if (!radix_to_creds(token_string, &creds)) {
-		logit("Protocol error decoding AFS token");
-		return (0);
-	}
-	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
-		strlcpy(creds.service, "afs", sizeof creds.service);
-
-	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
-		uid = atoi(creds.pname + 7);
-	else
-		uid = pw->pw_uid;
-
-	if (kafs_settoken(creds.realm, uid, &creds)) {
-		logit("AFS token (%s@%s) rejected for %s",
-		    creds.pname, creds.realm, pw->pw_name);
-		memset(&creds, 0, sizeof(creds));
-		return (0);
-	}
-	debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
-	memset(&creds, 0, sizeof(creds));
-
-	return (1);
-}
-#endif /* AFS */
diff --git a/auth-passwd.c b/auth-passwd.c
index c0b7f725..780e9234 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,7 +36,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
 
 #include "packet.h"
 #include "log.h"
@@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password)
 		return (authsuccess);
 	}
 # endif
-# ifdef KRB4
-	if (options.kerberos_authentication == 1) {
-		int ret = auth_krb4_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret;
-		/* Fall back to ordinary passwd authentication. */
-	}
-# endif
 # ifdef BSD_AUTH
 	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
 	    (char *)password) == 0)
diff --git a/auth.h b/auth.h
index 776e4195..1ed92e01 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $	*/
+/*	$OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $	*/
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -60,9 +60,6 @@ struct Authctxt {
 #ifdef BSD_AUTH
 	auth_session_t	*as;
 #endif
-#ifdef KRB4
-	char		*krb4_ticket_file;
-#endif
 #ifdef KRB5
 	krb5_context	 krb5_ctx;
 	krb5_auth_context krb5_auth_ctx;
@@ -117,20 +114,6 @@ int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 int	 user_key_allowed(struct passwd *, Key *);
 
-#ifdef KRB4
-#include <krb.h>
-int     auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
-int	auth_krb4_password(Authctxt *, const char *);
-void    krb4_cleanup_proc(void *);
-
-#ifdef AFS
-#include <kafs.h>
-int     auth_krb4_tgt(Authctxt *, const char *);
-int     auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-
-#endif /* KRB4 */
-
 #ifdef KRB5
 int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
diff --git a/auth1.c b/auth1.c
index 6cb0b04b..877e2e62 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,7 +49,7 @@ get_authname(int type)
 	case SSH_CMSG_AUTH_TIS:
 	case SSH_CMSG_AUTH_TIS_RESPONSE:
 		return "challenge-response";
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 	case SSH_CMSG_AUTH_KERBEROS:
 		return "kerberos";
 #endif
@@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
 
 	/* If the user has no password, accept authentication immediately. */
 	if (options.password_authentication &&
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
 	    PRIVSEP(auth_password(authctxt, ""))) {
@@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt)
 		/* Process the packet. */
 		switch (type) {
 
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
 		case SSH_CMSG_AUTH_KERBEROS:
 			if (!options.kerberos_authentication) {
 				verbose("Kerberos authentication disabled.");
@@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt)
 				char *kdata = packet_get_string(&dlen);
 				packet_check_eom();
 
-				if (kdata[0] == 4) { /* KRB_PROT_VERSION */
-#ifdef KRB4
-					KTEXT_ST tkt, reply;
-					tkt.length = dlen;
-					if (tkt.length < MAX_KTXT_LEN)
-						memcpy(tkt.dat, kdata, tkt.length);
-
-					if (PRIVSEP(auth_krb4(authctxt, &tkt,
-					    &client_user, &reply))) {
-						authenticated = 1;
-						snprintf(info, sizeof(info),
-						    " tktuser %.100s",
-						    client_user);
-
-						packet_start(
-						    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-						packet_put_string((char *)
-						    reply.dat, reply.length);
-						packet_send();
-						packet_write_wait();
-					}
-#endif /* KRB4 */
-				} else {
-#ifdef KRB5
+				if (kdata[0] != 4) { /* KRB_PROT_VERSION */
 					krb5_data tkt, reply;
 					tkt.length = dlen;
 					tkt.data = kdata;
@@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt)
  						if (reply.length)
  							xfree(reply.data);
 					}
-#endif /* KRB5 */
 				}
 				xfree(kdata);
 			}
 			break;
-#endif /* KRB4 || KRB5 */
-
-#if defined(AFS) || defined(KRB5)
-			/* XXX - punt on backward compatibility here. */
 		case SSH_CMSG_HAVE_KERBEROS_TGT:
 			packet_send_debug("Kerberos TGT passing disabled before authentication.");
 			break;
-#ifdef AFS
-		case SSH_CMSG_HAVE_AFS_TOKEN:
-			packet_send_debug("AFS token passing disabled before authentication.");
-			break;
-#endif /* AFS */
-#endif /* AFS || KRB5 */
+#endif
 
 		case SSH_CMSG_AUTH_RHOSTS:
 			if (!options.rhosts_authentication) {
diff --git a/configure.ac b/configure.ac
index 74909343..68fa5c1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.137 2003/07/23 04:33:10 dtucker Exp $
+# $Id: configure.ac,v 1.138 2003/08/02 12:24:49 dtucker Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -54,7 +54,6 @@ fi
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
-	AFS_LIBS="-lld"
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 	LDFLAGS="$LDFLAGS -L/usr/local/lib"
 	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) 
@@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5,
                 fi
         ]
 )
-# Check whether user wants Kerberos 4 support
-KRB4_MSG="no" 
-AC_ARG_WITH(kerberos4,
-	[  --with-kerberos4=PATH   Enable Kerberos 4 support],
-	[
-		if test "x$withval" != "xno" ; then
-			if test "x$withval" != "xyes" ; then
-				CPPFLAGS="$CPPFLAGS -I${withval}/include"
-				LDFLAGS="$LDFLAGS -L${withval}/lib"
-				if test ! -z "$need_dash_r" ; then
-					LDFLAGS="$LDFLAGS -R${withval}/lib"
-				fi
-				if test ! -z "$blibpath" ; then
-					blibpath="$blibpath:${withval}/lib"
-				fi
-			else
-				if test -d /usr/include/kerberosIV ; then
-					CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
-				fi
-			fi
-
-			AC_CHECK_HEADERS(krb.h)
-			if test "$ac_cv_header_krb_h" != yes; then
-				AC_MSG_WARN([Cannot find krb.h, build may fail])
-			fi
-			AC_CHECK_LIB(krb, main)
-			if test "$ac_cv_lib_krb_main" != yes; then
-				AC_CHECK_LIB(krb4, main)
-				if test "$ac_cv_lib_krb4_main" != yes; then
-					AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
-				else
-					KLIBS="-lkrb4"
-				fi
-			else
-				KLIBS="-lkrb"
-			fi
-			AC_CHECK_LIB(des, des_cbc_encrypt)
-			if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
-				AC_CHECK_LIB(des425, des_cbc_encrypt)
-				if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
-					AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
-				else
-					KLIBS="-ldes425"
-				fi
-			else
-				KLIBS="-ldes"
-			fi
-			AC_CHECK_LIB(resolv, dn_expand, , )
-			KRB4=yes
-			KRB4_MSG="yes" 
-			AC_DEFINE(KRB4)
-		fi
-	]
-)
-
-# Check whether user wants AFS support
-AFS_MSG="no" 
-AC_ARG_WITH(afs,
-	[  --with-afs=PATH         Enable AFS support],
-	[
-		if test "x$withval" != "xno" ; then
-
-			if test "x$withval" != "xyes" ; then
-				CPPFLAGS="$CPPFLAGS -I${withval}/include"
-				LDFLAGS="$LDFLAGS -L${withval}/lib"
-			fi
-
-			if test -z "$KRB4" ; then
-				AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
-			fi
-
-			LIBS="-lkafs $LIBS"
-			if test ! -z "$AFS_LIBS" ; then
-				LIBS="$LIBS $AFS_LIBS"
-			fi
-			AC_DEFINE(AFS)
-			AFS_MSG="yes" 
-		fi
-	]
-)
-LIBS="$LIBS $KLIBS $K5LIBS"
+LIBS="$LIBS $K5LIBS"
 
 # Looking for programs, paths and files
 
@@ -2648,10 +2567,8 @@ fi
 echo "                    Manpage format: $MANTYPE"
 echo "                       DNS support: $DNS_MSG"
 echo "                       PAM support: $PAM_MSG"
-echo "                KerberosIV support: $KRB4_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
-echo "                       AFS support: $AFS_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
diff --git a/monitor.c b/monitor.c
index 3a8735f5..95fd0cf6 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *);
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 
-#ifdef KRB4
-int mm_answer_krb4(int, Buffer *);
-#endif
 #ifdef KRB5
 int mm_answer_krb5(int, Buffer *);
 #endif
@@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
-#ifdef KRB4
-    {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
-#endif
 #ifdef KRB5
     {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
@@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
 	return (success);
 }
 
-#ifdef KRB4
-int
-mm_answer_krb4(int socket, Buffer *m)
-{
-	KTEXT_ST auth, reply;
-	char  *client, *p;
-	int success;
-	u_int alen;
-
-	reply.length = auth.length = 0;
- 
-	p = buffer_get_string(m, &alen);
-	if (alen >=  MAX_KTXT_LEN)
-		 fatal("%s: auth too large", __func__);
-	memcpy(auth.dat, p, alen);
-	auth.length = alen;
-	memset(p, 0, alen);
-	xfree(p);
-
-	success = options.kerberos_authentication &&
-	    authctxt->valid &&
-	    auth_krb4(authctxt, &auth, &client, &reply);
-
-	memset(auth.dat, 0, alen);
-	buffer_clear(m);
-	buffer_put_int(m, success);
-
-	if (success) {
-		buffer_put_cstring(m, client);
-		buffer_put_string(m, reply.dat, reply.length);
-		if (client)
-			xfree(client);
-		if (reply.length)
-			memset(reply.dat, 0, reply.length);
-	}
-
-	debug3("%s: sending result %d", __func__, success);
-	mm_request_send(socket, MONITOR_ANS_KRB4, m);
-
-	auth_method = "kerberos";
-
-	/* Causes monitor loop to terminate if authenticated */
-	return (success);
-}
-#endif
-
 #ifdef KRB5
 int
 mm_answer_krb5(int socket, Buffer *m)
diff --git a/monitor.h b/monitor.h
index 97044cb8..7d86b459 100644
--- a/monitor.h
+++ b/monitor.h
@@ -49,7 +49,6 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-	MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
  	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 10a79c03..c7ba86ff 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
 	return (success);
 }
 
-#ifdef KRB4
-int
-mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
-{
-	KTEXT auth, reply;
- 	Buffer m;
-	u_int rlen;
-	int success = 0;
-	char *p;
-
-	debug3("%s entering", __func__);
-	auth = _auth;
-	reply = _reply;
-
-	buffer_init(&m);
-	buffer_put_string(&m, auth->dat, auth->length);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
-
-	success = buffer_get_int(&m);
-	if (success) {
-		*client = buffer_get_string(&m, NULL);
-		p = buffer_get_string(&m, &rlen);
-		if (rlen >= MAX_KTXT_LEN)
-			fatal("%s: reply from monitor too large", __func__);
-		reply->length = rlen;
-		memcpy(reply->dat, p, rlen);
-		memset(p, 0, rlen);
-		xfree(p);
-	}
-	buffer_free(&m);