>implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
>server interops with commercial client; ok jakob@ djm@ markus@openbsd
This commit is contained in:
parent
d6fa2807d4
commit
56d0ea03cf
10
crypto/dist/ssh/auth2.c
vendored
10
crypto/dist/ssh/auth2.c
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: auth2.c,v 1.21 2003/04/03 06:21:32 itojun Exp $ */
|
||||
/* $NetBSD: auth2.c,v 1.22 2003/05/14 18:22:07 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -24,7 +24,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
|
||||
RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $");
|
||||
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
@ -51,6 +51,9 @@ extern Authmethod method_pubkey;
|
||||
extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
#ifdef KRB5
|
||||
extern Authmethod method_kerberos;
|
||||
#endif
|
||||
|
||||
Authmethod *authmethods[] = {
|
||||
&method_none,
|
||||
@ -58,6 +61,9 @@ Authmethod *authmethods[] = {
|
||||
&method_passwd,
|
||||
&method_kbdint,
|
||||
&method_hostbased,
|
||||
#ifdef KRB5
|
||||
&method_kerberos,
|
||||
#endif
|
||||
NULL
|
||||
};
|
||||
|
||||
|
9
crypto/dist/ssh/monitor.c
vendored
9
crypto/dist/ssh/monitor.c
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: monitor.c,v 1.11 2003/04/03 06:21:33 itojun Exp $ */
|
||||
/* $NetBSD: monitor.c,v 1.12 2003/05/14 18:22:07 itojun Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -26,7 +26,7 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor.c,v 1.37 2003/04/02 09:48:07 markus Exp $");
|
||||
RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
|
||||
@ -168,6 +168,9 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
#endif
|
||||
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
|
||||
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
|
||||
#ifdef KRB5
|
||||
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
||||
@ -1345,6 +1348,8 @@ mm_answer_krb5(int socket, Buffer *m)
|
||||
}
|
||||
mm_request_send(socket, MONITOR_ANS_KRB5, m);
|
||||
|
||||
auth_method = "kerberos";
|
||||
|
||||
return success;
|
||||
}
|
||||
#endif
|
||||
|
103
crypto/dist/ssh/sshconnect2.c
vendored
103
crypto/dist/ssh/sshconnect2.c
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: sshconnect2.c,v 1.22 2003/04/03 06:21:36 itojun Exp $ */
|
||||
/* $NetBSD: sshconnect2.c,v 1.23 2003/05/14 18:22:07 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -24,7 +24,11 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.115 2003/04/02 09:48:07 markus Exp $");
|
||||
RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
|
||||
|
||||
#ifdef KRB5
|
||||
#include <krb5.h>
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
@ -185,6 +189,7 @@ int userauth_pubkey(Authctxt *);
|
||||
int userauth_passwd(Authctxt *);
|
||||
int userauth_kbdint(Authctxt *);
|
||||
int userauth_hostbased(Authctxt *);
|
||||
int userauth_kerberos(Authctxt *);
|
||||
|
||||
void userauth(Authctxt *, char *);
|
||||
|
||||
@ -200,6 +205,12 @@ Authmethod authmethods[] = {
|
||||
userauth_hostbased,
|
||||
&options.hostbased_authentication,
|
||||
NULL},
|
||||
#if KRB5
|
||||
{"kerberos-2@ssh.com",
|
||||
userauth_kerberos,
|
||||
&options.kerberos_authentication,
|
||||
NULL},
|
||||
#endif
|
||||
{"publickey",
|
||||
userauth_pubkey,
|
||||
&options.pubkey_authentication,
|
||||
@ -1069,6 +1080,94 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
return 1;
|
||||
}
|
||||
|
||||
#if KRB5
|
||||
static int
|
||||
ssh_krb5_helper(krb5_data *ap)
|
||||
{
|
||||
krb5_context xcontext = NULL; /* XXX share with ssh1 */
|
||||
krb5_auth_context xauth_context = NULL;
|
||||
|
||||
krb5_context *context;
|
||||
krb5_auth_context *auth_context;
|
||||
krb5_error_code problem;
|
||||
const char *tkfile;
|
||||
struct stat buf;
|
||||
krb5_ccache ccache = NULL;
|
||||
const char *remotehost;
|
||||
int ret;
|
||||
|
||||
memset(ap, 0, sizeof(*ap));
|
||||
|
||||
context = &xcontext;
|
||||
auth_context = &xauth_context;
|
||||
|
||||
problem = krb5_init_context(context);
|
||||
if (problem) {
|
||||
debug("Kerberos v5: krb5_init_context failed");
|
||||
ret = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
tkfile = krb5_cc_default_name(*context);
|
||||
if (strncmp(tkfile, "FILE:", 5) == 0)
|
||||
tkfile += 5;
|
||||
|
||||
if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
|
||||
debug("Kerberos v5: could not get default ccache (permission denied).");
|
||||
ret = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
problem = krb5_cc_default(*context, &ccache);
|
||||
if (problem) {
|
||||
debug("Kerberos v5: krb5_cc_default failed: %s",
|
||||
krb5_get_err_text(*context, problem));
|
||||
ret = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
remotehost = get_canonical_hostname(1);
|
||||
|
||||
problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
|
||||
"host", remotehost, NULL, ccache, ap);
|
||||
if (problem) {
|
||||
debug("Kerberos v5: krb5_mk_req failed: %s",
|
||||
krb5_get_err_text(*context, problem));
|
||||
ret = 0;
|
||||
goto out;
|
||||
}
|
||||
ret = 1;
|
||||
|
||||
out:
|
||||
if (ccache != NULL)
|
||||
krb5_cc_close(*context, ccache);
|
||||
if (*auth_context)
|
||||
krb5_auth_con_free(*context, *auth_context);
|
||||
if (*context)
|
||||
krb5_free_context(*context);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
userauth_kerberos(Authctxt *authctxt)
|
||||
{
|
||||
krb5_data ap;
|
||||
|
||||
if (ssh_krb5_helper(&ap) == 0)
|
||||
return (0);
|
||||
|
||||
packet_start(SSH2_MSG_USERAUTH_REQUEST);
|
||||
packet_put_cstring(authctxt->server_user);
|
||||
packet_put_cstring(authctxt->service);
|
||||
packet_put_cstring(authctxt->method->name);
|
||||
packet_put_string(ap.data, ap.length);
|
||||
packet_send();
|
||||
|
||||
krb5_data_free(&ap);
|
||||
return (1);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* find auth method */
|
||||
|
||||
/*
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $NetBSD: Makefile,v 1.14 2003/04/03 06:21:38 itojun Exp $
|
||||
# $NetBSD: Makefile,v 1.15 2003/05/14 18:22:07 itojun Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
@ -18,7 +18,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
|
||||
|
||||
.if (${USE_KERBEROS} != "no")
|
||||
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||
SRCS+= auth-krb5.c
|
||||
SRCS+= auth-krb5.c auth2-krb5.c
|
||||
LDADD+= -lkrb5 -lkafs -lasn1
|
||||
DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user