kerberos support w/ privsep. confirmed to work by lha@stacken.kth.se
This commit is contained in:
parent
e2125ae174
commit
32e004f92a
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: auth-krb5.c,v 1.9 2002/04/22 07:59:36 itojun Exp $ */
|
||||
/* $NetBSD: auth-krb5.c,v 1.10 2002/09/09 06:45:17 itojun Exp $ */
|
||||
/*
|
||||
* Kerberos v5 authentication and ticket-passing routines.
|
||||
*
|
||||
|
@ -71,18 +71,17 @@ krb5_init(void *context)
|
|||
* from the ticket
|
||||
*/
|
||||
int
|
||||
auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
|
||||
auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
|
||||
{
|
||||
krb5_error_code problem;
|
||||
krb5_principal server;
|
||||
krb5_data reply;
|
||||
krb5_ticket *ticket;
|
||||
int fd, ret;
|
||||
|
||||
ret = 0;
|
||||
server = NULL;
|
||||
ticket = NULL;
|
||||
reply.length = 0;
|
||||
reply->length = 0;
|
||||
|
||||
problem = krb5_init(authctxt);
|
||||
if (problem)
|
||||
|
@ -116,7 +115,7 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
|
|||
|
||||
/* if client wants mutual auth */
|
||||
problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
|
||||
&reply);
|
||||
reply);
|
||||
if (problem)
|
||||
goto err;
|
||||
|
||||
|
@ -129,19 +128,16 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
|
|||
krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
|
||||
client);
|
||||
|
||||
packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
|
||||
packet_put_string((char *) reply.data, reply.length);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
if (server)
|
||||
krb5_free_principal(authctxt->krb5_ctx, server);
|
||||
if (ticket)
|
||||
krb5_free_ticket(authctxt->krb5_ctx, ticket);
|
||||
if (reply.length)
|
||||
xfree(reply.data);
|
||||
if (!ret && reply->length) {
|
||||
xfree(reply->data);
|
||||
memset(reply, 0, sizeof(*reply));
|
||||
}
|
||||
|
||||
if (problem) {
|
||||
if (authctxt->krb5_ctx != NULL)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: auth.h,v 1.12 2002/06/24 05:48:27 itojun Exp $ */
|
||||
/* $NetBSD: auth.h,v 1.13 2002/09/09 06:45:17 itojun Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.39 2002/05/31 11:35:15 markus Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -127,7 +127,7 @@ int auth_afs_token(Authctxt *, const char *);
|
|||
#endif /* KRB4 */
|
||||
|
||||
#ifdef KRB5
|
||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
|
||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||
int auth_krb5_password(Authctxt *authctxt, const char *password);
|
||||
void krb5_cleanup_proc(void *authctxt);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: auth1.c,v 1.18 2002/06/24 05:48:27 itojun Exp $ */
|
||||
/* $NetBSD: auth1.c,v 1.19 2002/09/09 06:45:18 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -133,15 +133,27 @@ do_authloop(Authctxt *authctxt)
|
|||
#endif /* KRB4 */
|
||||
} else {
|
||||
#ifdef KRB5
|
||||
krb5_data tkt;
|
||||
krb5_data tkt, reply;
|
||||
tkt.length = dlen;
|
||||
tkt.data = kdata;
|
||||
|
||||
if (auth_krb5(authctxt, &tkt, &client_user)) {
|
||||
if (PRIVSEP(auth_krb5(authctxt, &tkt,
|
||||
&client_user, &reply))) {
|
||||
authenticated = 1;
|
||||
snprintf(info, sizeof(info),
|
||||
" tktuser %.100s",
|
||||
client_user);
|
||||
|
||||
/* Send response to client */
|
||||
packet_start(
|
||||
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
|
||||
packet_put_string((char *)
|
||||
reply.data, reply.length);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
if (reply.length)
|
||||
xfree(reply.data);
|
||||
xfree(client_user);
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: monitor.c,v 1.7 2002/07/01 06:17:12 itojun Exp $ */
|
||||
/* $NetBSD: monitor.c,v 1.8 2002/09/09 06:45:18 itojun Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -117,6 +117,10 @@ int mm_answer_rsa_response(int, Buffer *);
|
|||
int mm_answer_sesskey(int, Buffer *);
|
||||
int mm_answer_sessid(int, Buffer *);
|
||||
|
||||
#ifdef KRB5
|
||||
int mm_answer_krb5(int, Buffer *);
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
|
||||
|
@ -189,6 +193,9 @@ struct mon_table mon_dispatch_proto15[] = {
|
|||
#ifdef SKEY
|
||||
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
||||
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
@ -1242,6 +1249,42 @@ mm_answer_rsa_response(int socket, Buffer *m)
|
|||
return (success);
|
||||
}
|
||||
|
||||
|
||||
#ifdef KRB5
|
||||
int
|
||||
mm_answer_krb5(int socket, Buffer *m)
|
||||
{
|
||||
krb5_data tkt, reply;
|
||||
char *client_user;
|
||||
u_int len;
|
||||
int success;
|
||||
|
||||
/* use temporary var to avoid size issues on 64bit arch */
|
||||
tkt.data = buffer_get_string(m, &len);
|
||||
tkt.length = len;
|
||||
|
||||
success = auth_krb5(authctxt, &tkt, &client_user, &reply);
|
||||
|
||||
if (tkt.length)
|
||||
xfree(tkt.data);
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, success);
|
||||
|
||||
if (success) {
|
||||
buffer_put_cstring(m, client_user);
|
||||
buffer_put_string(m, reply.data, reply.length);
|
||||
if (client_user)
|
||||
xfree(client_user);
|
||||
if (reply.length)
|
||||
xfree(reply.data);
|
||||
}
|
||||
mm_request_send(socket, MONITOR_ANS_KRB5, m);
|
||||
|
||||
return success;
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
mm_answer_term(int socket, Buffer *req)
|
||||
{
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: monitor.h,v 1.1.1.3 2002/06/24 05:26:11 itojun Exp $ */
|
||||
/* $NetBSD: monitor.h,v 1.2 2002/09/09 06:45:18 itojun Exp $ */
|
||||
/* $OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -50,6 +50,7 @@ enum monitor_reqtype {
|
|||
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
|
||||
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
|
||||
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
|
||||
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
|
||||
MONITOR_REQ_TERM
|
||||
};
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: monitor_wrap.c,v 1.5 2002/07/01 06:17:12 itojun Exp $ */
|
||||
/* $NetBSD: monitor_wrap.c,v 1.6 2002/09/09 06:45:18 itojun Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -919,3 +919,38 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
|
|||
|
||||
return (success);
|
||||
}
|
||||
|
||||
#ifdef KRB5
|
||||
int
|
||||
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
|
||||
{
|
||||
krb5_data *tkt, *reply;
|
||||
Buffer m;
|
||||
int success;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
tkt = (krb5_data *) argp;
|
||||
reply = (krb5_data *) resp;
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_string(&m, tkt->data, tkt->length);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
|
||||
|
||||
success = buffer_get_int(&m);
|
||||
if (success) {
|
||||
u_int len;
|
||||
|
||||
*userp = buffer_get_string(&m, NULL);
|
||||
reply->data = buffer_get_string(&m, &len);
|
||||
reply->length = len;
|
||||
} else {
|
||||
memset(reply, 0, sizeof(*reply));
|
||||
*userp = NULL;
|
||||
}
|
||||
|
||||
buffer_free(&m);
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: monitor_wrap.h,v 1.1.1.2 2002/05/13 02:28:42 itojun Exp $ */
|
||||
/* $NetBSD: monitor_wrap.h,v 1.2 2002/09/09 06:45:19 itojun Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -80,6 +80,13 @@ int mm_bsdauth_respond(void *, u_int, char **);
|
|||
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
|
||||
int mm_skey_respond(void *, u_int, char **);
|
||||
|
||||
/* auth_krb5 */
|
||||
#ifdef KRB5
|
||||
/* auth and reply are really krb5_data objects, but we don't want to
|
||||
* include all of the krb5 headers here */
|
||||
int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
|
||||
#endif
|
||||
|
||||
/* zlib allocation hooks */
|
||||
|
||||
void *mm_zalloc(struct mm_master *, u_int, u_int);
|
||||
|
|
Loading…
Reference in New Issue