diff options
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | auth-krb5.c | 20 | ||||
| -rw-r--r-- | auth.h | 4 | ||||
| -rw-r--r-- | auth1.c | 18 | ||||
| -rw-r--r-- | monitor.c | 45 | ||||
| -rw-r--r-- | monitor.h | 3 | ||||
| -rw-r--r-- | monitor_wrap.c | 37 | ||||
| -rw-r--r-- | monitor_wrap.h | 9 |
8 files changed, 121 insertions, 22 deletions
@@ -3,6 +3,11 @@ - markus@cvs.openbsd.org 2002/09/08 20:24:08 [hostfile.h] no comma at end of enumerator list + - itojun@cvs.openbsd.org 2002/09/09 06:48:06 + [auth1.c auth.h auth-krb5.c monitor.c monitor.h] + [monitor_wrap.c monitor_wrap.h] + kerberos support for privsep. confirmed to work by lha@stacken.kth.se + patch from markus 20020911 - (djm) Sync openbsd-compat with OpenBSD -current @@ -1623,4 +1628,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2452 2002/09/11 23:43:56 djm Exp $ +$Id: ChangeLog,v 1.2453 2002/09/11 23:47:29 djm Exp $ diff --git a/auth-krb5.c b/auth-krb5.c index 308a6d5f..512f70b7 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $"); #include "ssh.h" #include "ssh1.h" @@ -73,18 +73,17 @@ krb5_init(void *context) * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) +auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply) { krb5_error_code problem; krb5_principal server; - krb5_data reply; krb5_ticket *ticket; int fd, ret; ret = 0; server = NULL; ticket = NULL; - reply.length = 0; + reply->length = 0; problem = krb5_init(authctxt); if (problem) @@ -131,7 +130,7 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) /* if client wants mutual auth */ problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, - &reply); + reply); if (problem) goto err; @@ -144,19 +143,16 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, client); - packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) reply.data, reply.length); - packet_send(); - packet_write_wait(); - ret = 1; err: if (server) krb5_free_principal(authctxt->krb5_ctx, server); if (ticket) krb5_free_ticket(authctxt->krb5_ctx, ticket); - if (reply.length) - xfree(reply.data); + if (!ret && reply->length) { + xfree(reply->data); + memset(reply, 0, sizeof(*reply)); + } if (problem) { if (authctxt->krb5_ctx != NULL) @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.39 2002/05/31 11:35:15 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.40 2002/09/09 06:48:06 itojun Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -126,7 +126,7 @@ int auth_afs_token(Authctxt *, const char *); #endif /* KRB4 */ #ifdef KRB5 -int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client); +int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(void *authctxt); @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.42 2002/08/22 21:33:58 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.43 2002/09/09 06:48:06 itojun Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -133,15 +133,27 @@ do_authloop(Authctxt *authctxt) #endif /* KRB4 */ } else { #ifdef KRB5 - krb5_data tkt; + krb5_data tkt, reply; tkt.length = dlen; tkt.data = kdata; - if (auth_krb5(authctxt, &tkt, &client_user)) { + if (PRIVSEP(auth_krb5(authctxt, &tkt, + &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), " tktuser %.100s", client_user); + + /* Send response to client */ + packet_start( + SSH_SMSG_AUTH_KERBEROS_RESPONSE); + packet_put_string((char *) + reply.data, reply.length); + packet_send(); + packet_write_wait(); + + if (reply.length) + xfree(reply.data); } #endif /* KRB5 */ } @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.24 2002/08/29 15:57:25 stevesk Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.25 2002/09/09 06:48:06 itojun Exp $"); #include <openssl/dh.h> @@ -120,6 +120,10 @@ int mm_answer_sessid(int, Buffer *); int mm_answer_pam_start(int, Buffer *); #endif +#ifdef KRB5 +int mm_answer_krb5(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -199,6 +203,9 @@ struct mon_table mon_dispatch_proto15[] = { #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif +#ifdef KRB5 + {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, +#endif {0, 0, NULL} }; @@ -1277,6 +1284,42 @@ mm_answer_rsa_response(int socket, Buffer *m) return (success); } + +#ifdef KRB5 +int +mm_answer_krb5(int socket, Buffer *m) +{ + krb5_data tkt, reply; + char *client_user; + u_int len; + int success; + + /* use temporary var to avoid size issues on 64bit arch */ + tkt.data = buffer_get_string(m, &len); + tkt.length = len; + + success = auth_krb5(authctxt, &tkt, &client_user, &reply); + + if (tkt.length) + xfree(tkt.data); + + buffer_clear(m); + buffer_put_int(m, success); + + if (success) { + buffer_put_cstring(m, client_user); + buffer_put_string(m, reply.data, reply.length); + if (client_user) + xfree(client_user); + if (reply.length) + xfree(reply.data); + } + mm_request_send(socket, MONITOR_ANS_KRB5, m); + + return success; +} +#endif + int mm_answer_term(int socket, Buffer *req) { @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $ */ +/* $OpenBSD: monitor.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> @@ -49,6 +49,7 @@ enum monitor_reqtype { MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, + MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_PAM_START, MONITOR_REQ_TERM }; diff --git a/monitor_wrap.c b/monitor_wrap.c index 78be2915..ed1c50ff 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.16 2002/07/04 10:41:47 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.17 2002/09/09 06:48:06 itojun Exp $"); #include <openssl/bn.h> #include <openssl/dh.h> @@ -936,3 +936,38 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } + +#ifdef KRB5 +int +mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) +{ + krb5_data *tkt, *reply; + Buffer m; + int success; + + debug3("%s entering", __func__); + tkt = (krb5_data *) argp; + reply = (krb5_data *) resp; + + buffer_init(&m); + buffer_put_string(&m, tkt->data, tkt->length); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m); + + success = buffer_get_int(&m); + if (success) { + u_int len; + + *userp = buffer_get_string(&m, NULL); + reply->data = buffer_get_string(&m, &len); + reply->length = len; + } else { + memset(reply, 0, sizeof(*reply)); + *userp = NULL; + } + + buffer_free(&m); + return (success); +} +#endif diff --git a/monitor_wrap.h b/monitor_wrap.h index f97862b5..5e583e15 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.6 2002/06/30 21:59:45 deraadt Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> @@ -83,6 +83,13 @@ int mm_bsdauth_respond(void *, u_int, char **); int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); +/* auth_krb5 */ +#ifdef KRB5 +/* auth and reply are really krb5_data objects, but we don't want to + * include all of the krb5 headers here */ +int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply); +#endif + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); |