>implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@

>server interops with commercial client; ok jakob@ djm@ markus@openbsd
2003-05-14 18:22:07 +00:00 · 2003-05-14 18:22:07 +00:00 · 56d0ea03cf
parent d6fa2807d4
commit 56d0ea03cf
4 changed files with 118 additions and 8 deletions
--- a/crypto/dist/ssh/auth2.c
+++ b/crypto/dist/ssh/auth2.c
@ -1,4 +1,4 @@
-/*	$NetBSD: auth2.c,v 1.21 2003/04/03 06:21:32 itojun Exp $	*/
+/*	$NetBSD: auth2.c,v 1.22 2003/05/14 18:22:07 itojun Exp $	*/
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -24,7 +24,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $");

 #include "ssh2.h"
 #include "xmalloc.h"
@ -51,6 +51,9 @@ extern Authmethod method_pubkey;
 extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
+#ifdef KRB5
+extern Authmethod method_kerberos;
+#endif

 Authmethod *authmethods[] = {
 	&method_none,
@ -58,6 +61,9 @@ Authmethod *authmethods[] = {
 	&method_passwd,
 	&method_kbdint,
 	&method_hostbased,
+#ifdef KRB5
+	&method_kerberos,
+#endif
 	NULL
 };

--- a/crypto/dist/ssh/monitor.c
+++ b/crypto/dist/ssh/monitor.c
@ -1,4 +1,4 @@
-/*	$NetBSD: monitor.c,v 1.11 2003/04/03 06:21:33 itojun Exp $	*/
+/*	$NetBSD: monitor.c,v 1.12 2003/05/14 18:22:07 itojun Exp $	*/
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -26,7 +26,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.37 2003/04/02 09:48:07 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");

 #include <openssl/dh.h>

@ -168,6 +168,9 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
+#ifdef KRB5
+    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
    {0, 0, NULL}
 };

@ -1345,6 +1348,8 @@ mm_answer_krb5(int socket, Buffer *m)
 	}
 	mm_request_send(socket, MONITOR_ANS_KRB5, m);

+	auth_method = "kerberos";
+
 	return success;
 }
 #endif
--- a/crypto/dist/ssh/sshconnect2.c
+++ b/crypto/dist/ssh/sshconnect2.c
@ -1,4 +1,4 @@
-/*	$NetBSD: sshconnect2.c,v 1.22 2003/04/03 06:21:36 itojun Exp $	*/
+/*	$NetBSD: sshconnect2.c,v 1.23 2003/05/14 18:22:07 itojun Exp $	*/
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -24,7 +24,11 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.115 2003/04/02 09:48:07 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
+
+#ifdef KRB5
+#include <krb5.h>
+#endif

 #include "ssh.h"
 #include "ssh2.h"
@ -185,6 +189,7 @@ int	userauth_pubkey(Authctxt *);
 int	userauth_passwd(Authctxt *);
 int	userauth_kbdint(Authctxt *);
 int	userauth_hostbased(Authctxt *);
+int	userauth_kerberos(Authctxt *);

 void	userauth(Authctxt *, char *);

@ -200,6 +205,12 @@ Authmethod authmethods[] = {
 		userauth_hostbased,
 		&options.hostbased_authentication,
 		NULL},
+#if KRB5
+	{"kerberos-2@ssh.com",
+		userauth_kerberos,
+		&options.kerberos_authentication,
+		NULL},
+#endif
 	{"publickey",
 		userauth_pubkey,
 		&options.pubkey_authentication,
@ -1069,6 +1080,94 @@ userauth_hostbased(Authctxt *authctxt)
 	return 1;
 }

+#if KRB5
+static int
+ssh_krb5_helper(krb5_data *ap)
+{
+	krb5_context xcontext = NULL;	/* XXX share with ssh1 */
+	krb5_auth_context xauth_context = NULL;
+
+	krb5_context *context;
+	krb5_auth_context *auth_context;
+	krb5_error_code problem;
+	const char *tkfile;
+	struct stat buf;
+	krb5_ccache ccache = NULL;
+	const char *remotehost;
+	int ret;
+
+	memset(ap, 0, sizeof(*ap));
+
+	context = &xcontext;
+	auth_context = &xauth_context;
+
+	problem = krb5_init_context(context);
+	if (problem) {
+		debug("Kerberos v5: krb5_init_context failed");
+		ret = 0;
+		goto out;
+	}
+
+	tkfile = krb5_cc_default_name(*context);
+	if (strncmp(tkfile, "FILE:", 5) == 0)
+		tkfile += 5;
+
+	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+		debug("Kerberos v5: could not get default ccache (permission denied).");
+		ret = 0;
+		goto out;
+	}
+
+	problem = krb5_cc_default(*context, &ccache);
+	if (problem) {
+		debug("Kerberos v5: krb5_cc_default failed: %s",
+		    krb5_get_err_text(*context, problem));
+		ret = 0;
+		goto out;
+	}
+
+	remotehost = get_canonical_hostname(1);
+
+	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+	    "host", remotehost, NULL, ccache, ap);
+	if (problem) {
+		debug("Kerberos v5: krb5_mk_req failed: %s",
+		    krb5_get_err_text(*context, problem));
+		ret = 0;
+		goto out;
+	}
+	ret = 1;
+
+ out:
+	if (ccache != NULL)
+		krb5_cc_close(*context, ccache);
+	if (*auth_context)
+		krb5_auth_con_free(*context, *auth_context);
+	if (*context)
+		krb5_free_context(*context);
+	return (ret);
+}
+
+int
+userauth_kerberos(Authctxt *authctxt)
+{
+	krb5_data ap;
+
+	if (ssh_krb5_helper(&ap) == 0)
+		return (0);
+
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_string(ap.data, ap.length);
+	packet_send();
+
+	krb5_data_free(&ap);
+	return (1);
+}
+#endif
+
 /* find auth method */

 /*
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.14 2003/04/03 06:21:38 itojun Exp $
+#	$NetBSD: Makefile,v 1.15 2003/05/14 18:22:07 itojun Exp $

 .include <bsd.own.mk>

@ -18,7 +18,7 @@ SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \

 .if (${USE_KERBEROS} != "no")
 CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
-SRCS+=	auth-krb5.c
+SRCS+=	auth-krb5.c auth2-krb5.c
 LDADD+=	-lkrb5 -lkafs -lasn1
 DPADD+=	${LIBKRB5} ${LIBKAFS} ${LIBASN1}