-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | auth-krb4.c | 362 | ||||
-rw-r--r-- | auth-passwd.c | 29 | ||||
-rw-r--r-- | auth.h | 53 | ||||
-rw-r--r-- | auth1.c | 109 | ||||
-rw-r--r-- | readconf.c | 47 | ||||
-rw-r--r-- | readconf.h | 11 | ||||
-rw-r--r-- | servconf.c | 43 | ||||
-rw-r--r-- | servconf.h | 10 | ||||
-rw-r--r-- | session.c | 92 | ||||
-rw-r--r-- | sshconnect1.c | 448 | ||||
-rw-r--r-- | sshd.c | 19 |
12 files changed, 775 insertions, 455 deletions
@@ -54,6 +54,11 @@ prototype pedant. not very creative... - () -> (void) - no variable names + - dugsong@cvs.openbsd.org 2001/06/26 16:15:25 + [auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h + servconf.c servconf.h session.c sshconnect1.c sshd.c] + Kerberos v5 support for SSH1, mostly from Assar Westerlund + <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok 20010629 - (bal) Removed net_aton() since we don't use it any more @@ -5881,4 +5886,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1357 2001/07/04 04:07:12 mouring Exp $ +$Id: ChangeLog,v 1.1358 2001/07/04 04:21:14 mouring Exp $ diff --git a/auth-krb4.c b/auth-krb4.c index 8bb6e3d6..031dcd30 100644 --- a/auth-krb4.c +++ b/auth-krb4.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $"); +RCSID("$OpenBSD: auth-krb4.c,v 1.24 2001/06/26 16:15:22 dugsong Exp $"); #include "ssh.h" #include "ssh1.h" @@ -31,6 +31,7 @@ RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $"); #include "xmalloc.h" #include "log.h" #include "servconf.h" +#include "uidswap.h" #include "auth.h" #ifdef AFS 
@@ -38,70 +39,114 @@ RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $"); #endif #ifdef KRB4 -char *ticket = NULL; - extern ServerOptions options; +static int +krb4_init(void *context) +{ + static int cleanup_registered = 0; + Authctxt *authctxt = (Authctxt *)context; + const char *tkt_root = TKT_ROOT; + struct stat st; + int fd; + + if (!authctxt->krb4_ticket_file) { + /* Set unique ticket string manually since we're still root. */ + authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN); +#ifdef AFS + if (lstat("/ticket", &st) != -1) + tkt_root = "/ticket/"; +#endif /* AFS */ + snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%d", + tkt_root, authctxt->pw->pw_uid, getpid()); + krb_set_tkt_string(authctxt->krb4_ticket_file); + } + /* Register ticket cleanup in case of fatal error. */ + if (!cleanup_registered) { + fatal_add_cleanup(krb4_cleanup_proc, authctxt); + cleanup_registered = 1; + } + /* Try to create our ticket file. */ + if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) { + close(fd); + return (1); + } + /* Ticket file exists - make sure user owns it (just passed ticket). */ + if (lstat(authctxt->krb4_ticket_file, &st) != -1) { + if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && + st.st_uid == authctxt->pw->pw_uid) + return (1); + } + /* Failure - cancel cleanup function, leaving ticket for inspection. 
*/ + log("WARNING: bad ticket file %s", authctxt->krb4_ticket_file); + + fatal_remove_cleanup(krb4_cleanup_proc, authctxt); + cleanup_registered = 0; + + xfree(authctxt->krb4_ticket_file); + authctxt->krb4_ticket_file = NULL; + + return (0); +} + /* * try krb4 authentication, * return 1 on success, 0 on failure, -1 if krb4 is not available */ - int -auth_krb4_password(struct passwd * pw, const char *password) +auth_krb4_password(Authctxt *authctxt, const char *password) { AUTH_DAT adata; KTEXT_ST tkt; struct hostent *hp; - u_long faddr; - char localhost[MAXHOSTNAMELEN]; - char phost[INST_SZ]; - char realm[REALM_SZ]; + struct passwd *pw; + char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ]; + u_int32_t faddr; int r; - + + if ((pw = authctxt->pw) == NULL) + return (0); + /* * Try Kerberos password authentication only for non-root * users and only if Kerberos is installed. */ if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { - /* Set up our ticket file. */ - if (!krb4_init(pw->pw_uid)) { + if (!krb4_init(authctxt)) { log("Couldn't initialize Kerberos ticket file for %s!", pw->pw_name); - goto kerberos_auth_failure; + goto failure; } /* Try to get TGT using our password. */ - r = krb_get_pw_in_tkt((char *) pw->pw_name, "", - realm, "krbtgt", realm, - DEFAULT_TKT_LIFE, (char *) password); + r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, + "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password); if (r != INTK_OK) { - packet_send_debug("Kerberos V4 password " - "authentication for %s failed: %s", - pw->pw_name, krb_err_txt[r]); - goto kerberos_auth_failure; + debug("Kerberos v4 password authentication for %s " + "failed: %s", pw->pw_name, krb_err_txt[r]); + goto failure; } /* Successful authentication. */ chown(tkt_string(), pw->pw_uid, pw->pw_gid); - + /* * Now that we have a TGT, try to get a local * "rcmd" ticket to ensure that we are not talking * to a bogus Kerberos server. 
*/ - (void) gethostname(localhost, sizeof(localhost)); - (void) strlcpy(phost, (char *) krb_get_phost(localhost), - INST_SZ); + gethostname(localhost, sizeof(localhost)); + strlcpy(phost, (char *)krb_get_phost(localhost), + sizeof(phost)); r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); - + if (r == KSUCCESS) { - if (!(hp = gethostbyname(localhost))) { + if ((hp = gethostbyname(localhost)) == NULL) { log("Couldn't get local host address!"); - goto kerberos_auth_failure; + goto failure; } - memmove((void *) &faddr, (void *) hp->h_addr, + memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr)); - + /* Verify our "rcmd" ticket. */ r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, ""); 
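Review bot: The `mkstemp(authctxt->krb4_ticket_file)` call in krb4_init is handed a template with no trailing `XXXXXX` (the name is `<tkt_root><uid>_<pid>`), so it relies on the BSD mkstemp behaviour of doing a single O_CREAT|O_EXCL open of the fixed name; on a libc whose mkstemp insists on the suffix the call fails with EINVAL without creating anything, the code drops into the "ticket file exists" branch, lstat fails, and every Kerberos v4 password login ends in "bad ticket file". If that dependency is intended it deserves a comment on the call, e.g. `/* no XXXXXX: BSD mkstemp does one O_CREAT|O_EXCL open of the fixed name */`; otherwise an explicit `open(path, O_RDWR|O_CREAT|O_EXCL, 0600)` expresses the intent portably. The comment `Set unique ticket string manually since we're still root` is also no longer always true, since auth_krb4_tgt later in this file now calls krb4_init after `temporarily_use_uid(pw)`. auth_krb4_password continues past the end of this hunk.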
@@ -110,119 +155,74 @@ auth_krb4_password(struct passwd * pw, const char *password) * Probably didn't have a srvtab on * localhost. Disallow login. */ - log("Kerberos V4 TGT for %s unverifiable, " + log("Kerberos v4 TGT for %s unverifiable, " "no srvtab installed? krb_rd_req: %s", pw->pw_name, krb_err_txt[r]); - goto kerberos_auth_failure; + goto failure; } else if (r != KSUCCESS) { - log("Kerberos V4 %s ticket unverifiable: %s", + log("Kerberos v4 %s ticket unverifiable: %s", KRB4_SERVICE_NAME, krb_err_txt[r]); - goto kerberos_auth_failure; + goto failure; } } else if (r == KDC_PR_UNKNOWN) { /* * Disallow login if no rcmd service exists, and * log the error. */ - log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " + log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s " "not registered, or srvtab is wrong?", pw->pw_name, - krb_err_txt[r], KRB4_SERVICE_NAME, phost); - goto kerberos_auth_failure; + krb_err_txt[r], KRB4_SERVICE_NAME, phost); + goto failure; } else { /* * TGT is bad, forget it. Possibly spoofed! */ - packet_send_debug("WARNING: Kerberos V4 TGT " - "possibly spoofed for %s: %s", - pw->pw_name, krb_err_txt[r]); - goto kerberos_auth_failure; + debug("WARNING: Kerberos v4 TGT possibly spoofed " + "for %s: %s", pw->pw_name, krb_err_txt[r]); + goto failure; } - /* Authentication succeeded. */ - return 1; - -kerberos_auth_failure: - krb4_cleanup_proc(NULL); - - if (!options.kerberos_or_local_passwd) - return 0; - } else { + return (1); + } else /* Logging in as root or no local Kerberos realm. */ - packet_send_debug("Unable to authenticate to Kerberos."); - } + debug("Unable to authenticate to Kerberos."); + + failure: + krb4_cleanup_proc(authctxt); + + if (!options.kerberos_or_local_passwd) + return (0); + /* Fall back to ordinary passwd authentication. 
*/ - return -1; + return (-1); } void -krb4_cleanup_proc(void *ignore) +krb4_cleanup_proc(void *context) { + Authctxt *authctxt = (Authctxt *)context; debug("krb4_cleanup_proc called"); - if (ticket) { + if (authctxt->krb4_ticket_file) { (void) dest_tkt(); - xfree(ticket); - ticket = NULL; - } -} - -int -krb4_init(uid_t uid) -{ - static int cleanup_registered = 0; - const char *tkt_root = TKT_ROOT; - struct stat st; - int fd; - - if (!ticket) { - /* Set unique ticket string manually since we're still root. */ - ticket = xmalloc(MAXPATHLEN); -#ifdef AFS - if (lstat("/ticket", &st) != -1) - tkt_root = "/ticket/"; -#endif /* AFS */ - snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid()); - (void) krb_set_tkt_string(ticket); - } - /* Register ticket cleanup in case of fatal error. */ - if (!cleanup_registered) { - fatal_add_cleanup(krb4_cleanup_proc, NULL); - cleanup_registered = 1; - } - /* Try to create our ticket file. */ - if ((fd = mkstemp(ticket)) != -1) { - close(fd); - return 1; - } - /* Ticket file exists - make sure user owns it (just passed ticket). */ - if (lstat(ticket, &st) != -1) { - if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && - st.st_uid == uid) - return 1; + xfree(authctxt->krb4_ticket_file); + authctxt->krb4_ticket_file = NULL; } - /* Failure - cancel cleanup function, leaving bad ticket for inspection. 
*/ - log("WARNING: bad ticket file %s", ticket); - fatal_remove_cleanup(krb4_cleanup_proc, NULL); - cleanup_registered = 0; - xfree(ticket); - ticket = NULL; - - return 0; } int -auth_krb4(const char *server_user, KTEXT auth, char **client) +auth_krb4(Authctxt *authctxt, KTEXT auth, char **client) { AUTH_DAT adat = {0}; KTEXT_ST reply; + Key_schedule schedule; + struct sockaddr_in local, foreign; char instance[INST_SZ]; - int r, s; socklen_t slen; u_int cksum; - Key_schedule schedule; - struct sockaddr_in local, foreign; - + int r, s; + s = packet_get_connection_in(); - + slen = sizeof(local); memset(&local, 0, sizeof(local)); if (getsockname(s, (struct sockaddr *) & local, &slen) < 0) 
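Review bot: The root / no-local-realm branch of auth_krb4_password now falls through into the `failure:` label, so with KerberosOrLocalPasswd turned off it returns 0 and password authentication for root, or on a host with no Kerberos realm, is refused outright; the removed code returned -1 there and fell back to the local password check regardless of the option, and nothing in the commit message says the tightening is intended. If fall-back is still wanted on that path, the else branch should end in `return (-1);` after the debug() instead of reaching the label. Note also that krb4_cleanup_proc now dereferences its `void *` argument as an Authctxt, so the pointer registered via fatal_add_cleanup in krb4_init must stay valid for the life of the process — true for the Authctxt from do_authentication, but no longer tolerant of a NULL context as the old version was.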
@@ -235,157 +235,139 @@ auth_krb4(const char *server_user, KTEXT auth, char **client) } instance[0] = '*'; instance[1] = 0; - + /* Get the encrypted request, challenge, and session key. */ - if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) { - packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]); - return 0; + if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, + 0, &adat, ""))) { + debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]); + return (0); } des_key_sched((des_cblock *) adat.session, schedule); - + *client = xmalloc(MAX_K_NAME_SZ); (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, *adat.pinst ? "." : "", adat.pinst, adat.prealm); - + /* Check ~/.klogin authorization now. */ - if (kuserok(&adat, (char *) server_user) != KSUCCESS) { - packet_send_debug("Kerberos V4 .klogin authorization failed!"); - log("Kerberos V4 .klogin authorization failed for %s to account %s", - *client, server_user); + if (kuserok(&adat, authctxt->user) != KSUCCESS) { + log("Kerberos v4 .klogin authorization failed for %s to " + "account %s", *client, authctxt->user); xfree(*client); - return 0; + return (0); } /* Increment the checksum, and return it encrypted with the session key. */ cksum = adat.checksum + 1; cksum = htonl(cksum); - + /* If we can't successfully encrypt the checksum, we send back an empty message, admitting our failure. */ if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1, schedule, &adat.session, &local, &foreign)) < 0) { - packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]); + debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]); reply.dat[0] = 0; reply.length = 0; } else reply.length = r; - + /* Clear session key. 
*/ memset(&adat.session, 0, sizeof(&adat.session)); - + packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); packet_put_string((char *) reply.dat, reply.length); packet_send(); packet_write_wait(); - return 1; + return (1); } #endif /* KRB4 */ #ifdef AFS int -auth_kerberos_tgt(struct passwd *pw, const char *string) +auth_krb4_tgt(Authctxt *authctxt, const char *string) { CREDENTIALS creds; - - if (pw == NULL) - goto auth_kerberos_tgt_failure; + struct passwd *pw; + + if ((pw = authctxt->pw) == NULL) + goto failure; + + temporarily_use_uid(pw); + if (!radix_to_creds(string, &creds)) { - log("Protocol error decoding Kerberos V4 tgt"); - packet_send_debug("Protocol error decoding Kerberos V4 tgt"); - goto auth_kerberos_tgt_failure; + log("Protocol error decoding Kerberos v4 TGT"); + goto failure; } if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ strlcpy(creds.service, "krbtgt", sizeof creds.service); - + if (strcmp(creds.service, "krbtgt")) { - log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname, - creds.pinst[0] ? "." : "", creds.pinst, creds.realm, - pw->pw_name); - packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", + log("Kerberos v4 TGT (%s%s%s@%s) rejected for %s", creds.pname, creds.pinst[0] ? "." 
: "", creds.pinst, creds.realm, pw->pw_name); - goto auth_kerberos_tgt_failure; + goto failure; } - if (!krb4_init(pw->pw_uid)) - goto auth_kerberos_tgt_failure; - + if (!krb4_init(authctxt)) + goto failure; + if (in_tkt(creds.pname, creds.pinst) != KSUCCESS) - goto auth_kerberos_tgt_failure; - + goto failure; + if (save_credentials(creds.service, creds.instance, creds.realm, - creds.session, creds.lifetime, creds.kvno, - &creds.ticket_st, creds.issue_date) != KSUCCESS) { - packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials"); - goto auth_kerberos_tgt_failure; + creds.session, creds.lifetime, creds.kvno, &creds.ticket_st, + creds.issue_date) != KSUCCESS) { + debug("Kerberos v4 TGT refused: couldn't save credentials"); + goto failure; } /* Successful authentication, passed all checks. */ chown(tkt_string(), pw->pw_uid, pw->pw_gid); - - packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)", - creds.service, creds.instance, creds.realm, creds.pname, - creds.pinst[0] ? "." : "", creds.pinst, creds.realm); + + debug("Kerberos v4 TGT accepted (%s%s%s@%s)", + creds.pname, creds.pinst[0] ? "." 
: "", creds.pinst, creds.realm); memset(&creds, 0, sizeof(creds)); - packet_start(SSH_SMSG_SUCCESS); - packet_send(); - packet_write_wait(); - return 1; - -auth_kerberos_tgt_failure: - krb4_cleanup_proc(NULL); + + restore_uid(); + + return (1); + + failure: + krb4_cleanup_proc(authctxt); memset(&creds, 0, sizeof(creds)); - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - return 0; + restore_uid(); + + return (0); } int -auth_afs_token(struct passwd *pw, const char *token_string) +auth_afs_token(Authctxt *authctxt, const char *token_string) { CREDENTIALS creds; + struct passwd *pw; uid_t uid; - - if (pw == NULL) { - /* XXX fake protocol error */ - packet_send_debug("Protocol error decoding AFS token"); - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - return 0; - } + + if ((pw = authctxt->pw) == NULL) + return (0); + if (!radix_to_creds(token_string, &creds)) { log("Protocol error decoding AFS token"); - packet_send_debug("Protocol error decoding AFS token"); - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - return 0; + return (0); } if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ strlcpy(creds.service, "afs", sizeof creds.service); - + if (strncmp(creds.pname, "AFS ID ", 7) == 0) uid = atoi(creds.pname + 7); else uid = pw->pw_uid; - + if (kafs_settoken(creds.realm, uid, &creds)) { - log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm, - pw->pw_name); - packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname, - creds.realm, pw->pw_name); + log("AFS token (%s@%s) rejected for %s", + creds.pname, creds.realm, pw->pw_name); memset(&creds, 0, sizeof(creds)); - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - return 0; + return (0); } - packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service, - creds.realm, creds.pname, creds.realm); + debug("AFS token accepted (%s@%s)", creds.pname, creds.realm); memset(&creds, 
0, sizeof(creds)); - packet_start(SSH_SMSG_SUCCESS); - packet_send(); - packet_write_wait(); - return 1; + + return (1); } #endif /* AFS */ diff --git a/auth-passwd.c b/auth-passwd.c index d53a9ea2..988297cb 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.23 2001/06/26 16:15:23 dugsong Exp $"); #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) @@ -128,14 +128,14 @@ auth_password(Authctxt *authctxt, const char *password) #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; -#ifdef BSD_AUTH - if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", - (char *)password) == 0) - return 0; - else - return 1; +#ifdef KRB5 + if (options.kerberos_authentication == 1) { + int ret = auth_krb5_password(authctxt, password); + if (ret == 1 || ret == 0) + return ret; + /* Fall back to ordinary passwd authentication. */ + } #endif - #ifdef HAVE_CYGWIN if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); @@ -146,21 +146,24 @@ auth_password(Authctxt *authctxt, const char *password) return 1; } #endif - #ifdef WITH_AIXAUTHENTICATE return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); #endif - #ifdef KRB4 if (options.kerberos_authentication == 1) { - int ret = auth_krb4_password(pw, password); + int ret = auth_krb4_password(authctxt, password); if (ret == 1 || ret == 0) return ret; /* Fall back to ordinary passwd authentication. */ } #endif - - +#ifdef BSD_AUTH + if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", + (char *)password) == 0) + return 0; + else + return 1; +#endif pw_password = pw->pw_passwd; /* 
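Review bot: In auth_krb4_tgt the `pw == NULL` test jumps to `failure:` before `temporarily_use_uid(pw)` has run, so that path calls `restore_uid()` with no matching temporarily_use_uid; if restore_uid() treats that as a fatal() (the uidswap implementation is not in this diff) a request for an unknown user kills the connection, and in any case the uid bookkeeping is unbalanced. A direct `return (0);` for that check, as auth_afs_token does two functions below, avoids it. Separately, the unchanged `memset(&adat.session, 0, sizeof(&adat.session));` in auth_krb4 clears only as many bytes as a pointer occupies rather than sizeof the key, and the DES `schedule` derived from it is never cleared at all; `memset(&adat.session, 0, sizeof(adat.session)); memset(&schedule, 0, sizeof(schedule));` would actually scrub the key material before the function returns.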
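Review bot: Moving the `BSD_AUTH` `auth_userokay()` call below the Kerberos branches in auth_password inverts which mechanism is authoritative: on a BSD_AUTH system the old code returned from auth_userokay before Kerberos was ever reached, whereas now a Kerberos result of 1 or 0 returns first and the BSD auth style the user requested (`authctxt->style`) and whatever the login class enforces are consulted only when Kerberos falls back with -1. If that precedence is deliberate it should be stated above the `#ifdef KRB5` block, e.g. `/* Kerberos (v5, then v4) decides first when enabled; BSD auth and the crypt() check below are only reached on fall-back (-1). */`. The remainder of auth_password is outside this hunk.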
@@ -21,7 +21,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $OpenBSD: auth.h,v 1.20 2001/06/26 06:32:47 itojun Exp $ + * $OpenBSD: auth.h,v 1.21 2001/06/26 16:15:23 dugsong Exp $ */ #ifndef AUTH_H #define AUTH_H @@ -36,23 +36,36 @@ #ifdef BSD_AUTH #include <bsd_auth.h> #endif +#ifdef KRB5 +#include <krb5.h> +#endif typedef struct Authctxt Authctxt; typedef struct KbdintDevice KbdintDevice; struct Authctxt { - int success; - int postponed; - int valid; - int attempt; - int failures; - char *user; - char *service; - struct passwd *pw; - char *style; - void *kbdintctxt; + int success; + int postponed; + int valid; + int attempt; + int failures; + char *user; + char *service; + struct passwd *pw; + char *style; + void *kbdintctxt; #ifdef BSD_AUTH - auth_session_t *as; + auth_session_t *as; +#endif +#ifdef KRB4 + char *krb4_ticket_file; +#endif +#ifdef KRB5 + krb5_context krb5_ctx; + krb5_auth_context krb5_auth_ctx; + krb5_ccache krb5_fwd_ccache; + krb5_principal krb5_user; + char *krb5_ticket_file; #endif }; 
@@ -125,21 +138,27 @@ int auth_rsa_challenge_dialog(RSA *); * if the client could not be authenticated, and 1 if authentication was * successful. This may exit if there is a serious protocol violation. */ -int auth_krb4(const char *, KTEXT, char **); -int krb4_init(uid_t); +int auth_krb4(Authctxt *, KTEXT, char **); +int auth_krb4_password(Authctxt *, const char *); void krb4_cleanup_proc(void *); -int auth_krb4_password(struct passwd *, const char *); #ifdef AFS #include <kafs.h> /* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */ -int auth_kerberos_tgt(struct passwd *, const char *); -int auth_afs_token(struct passwd *, const char *); +int auth_krb4_tgt(Authctxt *, const char *); +int auth_afs_token(Authctxt *, const char *); #endif /* AFS */ #endif /* KRB4 */ +#ifdef KRB5 +int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client); +int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); +int auth_krb5_password(Authctxt *authctxt, const char *password); +void krb5_cleanup_proc(void *authctxt); +#endif /* KRB5 */ + #include "auth-pam.h" #include "auth2-pam.h" @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.25 2001/06/26 16:15:23 dugsong Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -24,6 +24,7 @@ RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $"); #include "auth.h" #include "session.h" #include "misc.h" +#include "uidswap.h" /* import */ extern ServerOptions options; @@ -51,7 +52,7 @@ get_authname(int type) case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS_RESPONSE: return "challenge-response"; -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) case SSH_CMSG_AUTH_KERBEROS: return "kerberos"; #endif 
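Review bot: The new KRB5 prototypes in auth.h carry parameter names (`int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);` and the three below it) while every neighbouring prototype in this hunk, and the "prototype pedant ... no variable names" ChangeLog entry directly above this commit's, drop them; for consistency they should read `int auth_krb5(Authctxt *, krb5_data *, char **);`, `int auth_krb5_tgt(Authctxt *, krb5_data *);`, `int auth_krb5_password(Authctxt *, const char *);` and `void krb5_cleanup_proc(void *);`. Note also that no auth-krb5.c appears in this commit's diffstat, so a KRB5 build will not link until the file defining these functions lands — worth mentioning in the commit description.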
@@ -84,7 +85,7 @@ do_authloop(Authctxt *authctxt) /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif #ifdef USE_PAM 
@@ -116,62 +117,64 @@ do_authloop(Authctxt *authctxt) /* Process the packet. */ switch (type) { -#ifdef AFS - case SSH_CMSG_HAVE_KERBEROS_TGT: - if (!options.kerberos_tgt_passing) { - verbose("Kerberos tgt passing disabled."); - break; - } else { - /* Accept Kerberos tgt. */ - char *tgt = packet_get_string(&dlen); - packet_integrity_check(plen, 4 + dlen, type); - if (!auth_kerberos_tgt(pw, tgt)) - verbose("Kerberos tgt REFUSED for %.100s", authctxt->user); - xfree(tgt); - } - continue; - case SSH_CMSG_HAVE_AFS_TOKEN: - if (!options.afs_token_passing || !k_hasafs()) { - verbose("AFS token passing disabled."); - break; - } else { - /* Accept AFS token. */ - char *token_string = packet_get_string(&dlen); - packet_integrity_check(plen, 4 + dlen, type); - if (!auth_afs_token(pw, token_string)) - verbose("AFS token REFUSED for %.100s", authctxt->user); - xfree(token_string); - } - continue; -#endif /* AFS */ -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) case SSH_CMSG_AUTH_KERBEROS: if (!options.kerberos_authentication) { verbose("Kerberos authentication disabled."); - break; } else { - /* Try Kerberos v4 authentication. 
*/ - KTEXT_ST auth; - char *tkt_user = NULL; - char *kdata = packet_get_string((u_int *) &auth.length); - packet_integrity_check(plen, 4 + auth.length, type); - - if (authctxt->valid) { - if (auth.length < MAX_KTXT_LEN) - memcpy(auth.dat, kdata, auth.length); - authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); - if (authenticated) { - snprintf(info, sizeof info, - " tktuser %.100s", tkt_user); - xfree(tkt_user); + char *kdata = packet_get_string(&dlen); + + packet_integrity_check(plen, 4 + dlen, type); + + if (kdata[0] == 4) { /* KRB_PROT_VERSION */ +#ifdef KRB4 + KTEXT_ST tkt; + + tkt.length = dlen; + if (tkt.length < MAX_KTXT_LEN) + memcpy(tkt.dat, kdata, tkt.length); + + if (auth_krb4(authctxt, &tkt, &client_user)) { + authenticated = 1; + snprintf(info, sizeof(info), + " tktuser %.100s", + client_user); + xfree(client_user); } +#endif /* KRB4 */ + } else { +#ifdef KRB5 + krb5_data tkt; + tkt.length = dlen; + tkt.data = kdata; + + if (auth_krb5(authctxt, &tkt, &client_user)) { + authenticated = 1; + snprintf(info, sizeof(info), + " tktuser %.100s", + client_user); + xfree(client_user); + } +#endif /* KRB5 */ } xfree(kdata); } break; -#endif /* KRB4 */ - +#endif /* KRB4 || KRB5 */ + +#if defined(AFS) || defined(KRB5) + /* XXX - punt on backward compatibility here. */ + case SSH_CMSG_HAVE_KERBEROS_TGT: + packet_send_debug("Kerberos TGT passing disabled before authentication."); + break; +#ifdef AFS + case SSH_CMSG_HAVE_AFS_TOKEN: + packet_send_debug("AFS token passing disabled before authentication."); + break; +#endif /* AFS */ +#endif /* AFS || KRB5 */ + case SSH_CMSG_AUTH_RHOSTS: if (!options.rhosts_authentication) { verbose("Rhosts authentication disabled."); @@ -369,7 +372,7 @@ do_authentication() struct passwd *pw; int plen; u_int ulen; - char *user, *style = NULL; + char *p, *user, *style = NULL; /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); 
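Review bot: The rewritten SSH_CMSG_AUTH_KERBEROS case drops the `if (authctxt->valid)` gate the removed code had, so auth_krb4()/auth_krb5() now decode the ticket and run the .klogin/kuserok check even when the requested account does not exist and authctxt->pw is NULL; auth_krb4 only reads authctxt->user so it should not crash, but whether auth_krb5 (not in this diff) copes with a NULL pw cannot be seen here, and rejecting the login is left to whatever invalid-user check follows the switch. Restoring the gate right after the integrity check, `if (!authctxt->valid) { xfree(kdata); break; }`, keeps ticket processing off the unknown-user path. The `kdata[0] == 4` dispatch also relies on packet_get_string() returning a NUL-terminated buffer so that an empty string (dlen == 0) reaches the KRB5 branch with a zero-length krb5_data; a one-line comment saying so would save the next reader a trip to packet.c. do_authloop continues outside this hunk.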
@@ -379,8 +382,12 @@ do_authentication() packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); if ((style = strchr(user, ':')) != NULL) - *style++ = 0; + *style++ = '\0'; + /* XXX - SSH.com Kerberos v5 braindeath. */ + if ((p = strchr(user, '@')) != NULL) + *p = '\0'; + authctxt = authctxt_new(); authctxt->user = user; authctxt->style = style; @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.81 2001/06/23 02:34:30 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.82 2001/06/26 16:15:23 dugsong Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -96,11 +96,14 @@ typedef enum { oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, oChallengeResponseAuthentication, oXAuthLocation, -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) oKerberosAuthentication, -#endif /* KRB4 */ +#endif +#if defined(AFS) || defined(KRB5) + oKerberosTgtPassing, +#endif #ifdef AFS - oKerberosTgtPassing, oAFSTokenPassing, + oAFSTokenPassing, #endif oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, @@ -137,11 +140,13 @@ static struct { { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) { "kerberosauthentication", oKerberosAuthentication }, -#endif /* KRB4 */ -#ifdef AFS +#endif +#if defined(AFS) || defined(KRB5) { "kerberostgtpassing", oKerberosTgtPassing }, +#endif +#ifdef AFS { "afstokenpassing", oAFSTokenPassing }, #endif { "fallbacktorsh", oFallBackToRsh }, 
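Review bot: The new `if ((p = strchr(user, '@')) != NULL) *p = '\0';` in do_authentication truncates every requested username at the first '@' unconditionally — not under `#ifdef KRB5` and not only when KerberosAuthentication is on — so `alice@OTHER.REALM` becomes the local account `alice` before any authentication method sees it, the realm is discarded instead of being compared with the authenticated principal's realm, and logs record only the truncated name. At minimum the strip should be limited to the case it exists for, e.g. `#ifdef KRB5` / `if (options.kerberos_authentication && (p = strchr(user, '@')) != NULL) *p = '\0';` / `#endif`, and ideally the stripped realm would be kept in the Authctxt so auth_krb5 can check it against the ticket. The XXX comment should also say what is cut and why, e.g. `/* XXX - SSH.com's Kerberos v5 client sends user@REALM; strip the realm, it is not verified here. */`.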
@@ -335,23 +340,21 @@ parse_flag: case oChallengeResponseAuthentication: intptr = &options->challenge_response_authentication; goto parse_flag; - -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) case oKerberosAuthentication: intptr = &options->kerberos_authentication; goto parse_flag; -#endif /* KRB4 */ - -#ifdef AFS +#endif +#if defined(AFS) || defined(KRB5) case oKerberosTgtPassing: intptr = &options->kerberos_tgt_passing; goto parse_flag; - +#endif +#ifdef AFS case oAFSTokenPassing: intptr = &options->afs_token_passing; goto parse_flag; #endif - case oFallBackToRsh: intptr = &options->fallback_to_rsh; goto parse_flag; @@ -724,11 +727,13 @@ initialize_options(Options * options) options->rsa_authentication = -1; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) options->kerberos_authentication = -1; #endif -#ifdef AFS +#if defined(AFS) || defined(KRB5) options->kerberos_tgt_passing = -1; +#endif +#ifdef AFS options->afs_token_passing = -1; #endif options->password_authentication = -1; @@ -799,16 +804,18 @@ fill_default_options(Options * options) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 0; -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) if (options->kerberos_authentication == -1) options->kerberos_authentication = 1; -#endif /* KRB4 */ -#ifdef AFS +#endif +#if defined(AFS) || defined(KRB5) if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; +#endif +#ifdef AFS if (options->afs_token_passing == -1) options->afs_token_passing = 1; -#endif /* AFS */ +#endif if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) 
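Review bot: fill_default_options now enables `kerberos_tgt_passing` by default for KRB5 builds as well, so a client compiled with Kerberos v5 will hand its TGT to every server it connects to unless the user sets KerberosTgtPassing no; forwarding a credential is a per-host trust decision, and a compromised or impersonated server receives a usable ticket (the sshconnect1.c code that actually sends it is not in this chunk). Defaulting to `options->kerberos_tgt_passing = 0;` and letting users opt in per Host block, as is usual for credential forwarding, is the safer choice; if on-by-default is deliberate for parity with the existing AFS behaviour, a comment saying so belongs on that line.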
@@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: readconf.h,v 1.33 2001/06/26 06:32:58 itojun Exp $"); */ +/* RCSID("$OpenBSD: readconf.h,v 1.34 2001/06/26 16:15:24 dugsong Exp $"); */ #ifndef READCONF_H #define READCONF_H @@ -41,12 +41,13 @@ typedef struct { int hostbased_authentication; /* ssh2's rhosts_rsa */ int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ -#ifdef KRB4 - int kerberos_authentication; /* Try Kerberos - * authentication. */ +#if defined(KRB4) || defined(KRB5) + int kerberos_authentication; /* Try Kerberos authentication. */ +#endif +#if defined(AFS) || defined(KRB5) + int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ |