From aae6c614da614eb10ced16505f35410671c95d9d Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Mon, 6 Dec 1999 11:47:28 +1100
Subject:  - Merged OpenBSD CVS changes:    - [auth-krb4.c auth-passwd.c
 auth-skey.c ssh.      move skey-auth from auth-passwd.c to auth-s    -
 [auth-rsa.c]      warn only about mismatch if key is _used_      warn about
 keysize-mismatch with log() not      channels.c readconf.c readconf.h ssh.c
 ssh.      ports are u_short    - [hostfile.c]      indent, shorter warning   
 - [nchan.c]      use error() for internal errors    - [packet.c]      set
 loglevel for SSH_MSG_DISCONNECT to log(      serverloop.c      indent    -
 [ssh-add.1 ssh-add.c ssh.h]      document , reasonable default    - [ssh.1]  
    CheckHostIP is not available for connects v    - [sshconnect.c]      typo 
     easier to read client code for passwd and s      turn of checkhostip for
 proxy connects, sin

---
 auth-passwd.c | 133 +++++-----------------------------------------------------
 1 file changed, 10 insertions(+), 123 deletions(-)

(limited to 'auth-passwd.c')

diff --git a/auth-passwd.c b/auth-passwd.c
index e5574ffb..efae0fd2 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -11,7 +11,7 @@
 
 #ifndef HAVE_PAM
 
-RCSID("$Id: auth-passwd.c,v 1.7 1999/11/25 00:54:57 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.8 1999/12/06 00:47:28 damien Exp $");
 
 #include "packet.h"
 #include "ssh.h"
@@ -49,133 +49,20 @@ auth_password(struct passwd * pw, const char *password)
 
 #ifdef SKEY
 	if (options.skey_authentication == 1) {
-		if (strncasecmp(password, "s/key", 5) == 0) {
-			char *skeyinfo = skey_keyinfo(pw->pw_name);
-			if (skeyinfo == NULL) {
-				debug("generating fake skeyinfo for %.100s.",
-				    pw->pw_name);
-				skeyinfo = skey_fake_keyinfo(pw->pw_name);
-			}
-			if (skeyinfo != NULL)
-				packet_send_debug(skeyinfo);
-			/* Try again. */
-			return 0;
-		} else if (skey_haskey(pw->pw_name) == 0 &&
-			   skey_passcheck(pw->pw_name, (char *) password) != -1) {
-			/* Authentication succeeded. */
-			return 1;
-		}
+		int ret = auth_skey_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
-
-#if defined(KRB4)
-	/*
-	 * Support for Kerberos v4 authentication
-	 * - Dug Song <dugsong@UMICH.EDU>
-	 */
-	if (options.kerberos_authentication) {
-		AUTH_DAT adata;
-		KTEXT_ST tkt;
-		struct hostent *hp;
-		unsigned long faddr;
-		char localhost[MAXHOSTNAMELEN];
-		char phost[INST_SZ];
-		char realm[REALM_SZ];
-		int r;
-
-		/*
-		 * Try Kerberos password authentication only for non-root
-		 * users and only if Kerberos is installed.
-		 */
-		if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-
-			/* Set up our ticket file. */
-			if (!krb4_init(pw->pw_uid)) {
-				log("Couldn't initialize Kerberos ticket file for %s!",
-				    pw->pw_name);
-				goto kerberos_auth_failure;
-			}
-			/* Try to get TGT using our password. */
-			r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
-			    realm, "krbtgt", realm,
-			    DEFAULT_TKT_LIFE, (char *) password);
-			if (r != INTK_OK) {
-				packet_send_debug("Kerberos V4 password "
-				    "authentication for %s failed: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto kerberos_auth_failure;
-			}
-			/* Successful authentication. */
-			chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-			/*
-			 * Now that we have a TGT, try to get a local
-			 * "rcmd" ticket to ensure that we are not talking
-			 * to a bogus Kerberos server.
-			 */
-			(void) gethostname(localhost, sizeof(localhost));
-			(void) strlcpy(phost, (char *) krb_get_phost(localhost),
-			    INST_SZ);
-			r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-			if (r == KSUCCESS) {
-				if (!(hp = gethostbyname(localhost))) {
-					log("Couldn't get local host address!");
-					goto kerberos_auth_failure;
-				}
-				memmove((void *) &faddr, (void *) hp->h_addr,
-				    sizeof(faddr));
-
-				/* Verify our "rcmd" ticket. */
-				r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-				    faddr, &adata, "");
-				if (r == RD_AP_UNDEC) {
-					/*
-					 * Probably didn't have a srvtab on
-					 * localhost. Allow login.
-					 */
-					log("Kerberos V4 TGT for %s unverifiable, "
-					    "no srvtab installed? krb_rd_req: %s",
-					    pw->pw_name, krb_err_txt[r]);
-				} else if (r != KSUCCESS) {
-					log("Kerberos V4 %s ticket unverifiable: %s",
-					    KRB4_SERVICE_NAME, krb_err_txt[r]);
-					goto kerberos_auth_failure;
-				}
-			} else if (r == KDC_PR_UNKNOWN) {
-				/*
-				 * Allow login if no rcmd service exists, but
-				 * log the error.
-				 */
-				log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
-				    "not registered, or srvtab is wrong?", pw->pw_name,
-				krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-			} else {
-				/*
-				 * TGT is bad, forget it. Possibly spoofed!
-				 */
-				packet_send_debug("WARNING: Kerberos V4 TGT "
-				    "possibly spoofed for %s: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto kerberos_auth_failure;
-			}
-
-			/* Authentication succeeded. */
-			return 1;
-
-	kerberos_auth_failure:
-			krb4_cleanup_proc(NULL);
-
-			if (!options.kerberos_or_local_passwd)
-				return 0;
-		} else {
-			/* Logging in as root or no local Kerberos realm. */
-			packet_send_debug("Unable to authenticate to Kerberos.");
-		}
+#ifdef KRB4
+	if (options.kerberos_authentication == 1) {
+		int ret = auth_krb4_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
-#endif				/* KRB4 */
+#endif
 
 	/* Check for users with no password. */
 	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
-- 
cgit v1.2.3