remove KRB4 and AFS support. sync w/ openssh main tree
parent
a9503412ba
commit
8556dff80c
370
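--- a/crypto/dist/ssh/auth-krb4.c
+++ /dev/null
@@ -1,370 +0,0 @@
-/* $NetBSD: auth-krb4.c,v 1.11 2003/07/10 01:09:41 lukem Exp $ */
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $");
-__RCSID("$NetBSD: auth-krb4.c,v 1.11 2003/07/10 01:09:41 lukem Exp $");
-
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "auth.h"
-
-#ifdef AFS
-#include "radix.h"
-#endif
-
-#ifdef KRB4
-extern ServerOptions options;
-
-static int
-krb4_init(void *context)
-{
-static int cleanup_registered = 0;
-Authctxt *authctxt = (Authctxt *)context;
-const char *tkt_root = TKT_ROOT;
-struct stat st;
-int fd;
-
-if (!authctxt->krb4_ticket_file) {
-/* Set unique ticket string manually since we're still root. */
-authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
-#ifdef AFS
-if (lstat("/ticket", &st) != -1)
-tkt_root = "/ticket/";
-#endif /* AFS */
-snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
-tkt_root, authctxt->pw->pw_uid, (long)getpid());
-krb_set_tkt_string(authctxt->krb4_ticket_file);
-}
-/* Register ticket cleanup in case of fatal error. */
-if (!cleanup_registered) {
-fatal_add_cleanup(krb4_cleanup_proc, authctxt);
-cleanup_registered = 1;
-}
-/* Try to create our ticket file. */
-if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
-close(fd);
-return (1);
-}
-/* Ticket file exists - make sure user owns it (just passed ticket). */
-if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
-if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
-st.st_uid == authctxt->pw->pw_uid)
-return (1);
-}
-/* Failure - cancel cleanup function, leaving ticket for inspection. */
-logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
-
-fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
-cleanup_registered = 0;
-
-xfree(authctxt->krb4_ticket_file);
-authctxt->krb4_ticket_file = NULL;
-
-return (0);
-}
-
-/*
-* try krb4 authentication,
-* return 1 on success, 0 on failure, -1 if krb4 is not available
-*/
-int
-auth_krb4_password(Authctxt *authctxt, const char *password)
-{
-AUTH_DAT adata;
-KTEXT_ST tkt;
-struct hostent *hp;
-struct passwd *pw;
-char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
-u_int32_t faddr;
-int r;
-
-if ((pw = authctxt->pw) == NULL)
-return (0);
-
-/*
-* Try Kerberos password authentication only for non-root
-* users and only if Kerberos is installed.
-*/
-if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-/* Set up our ticket file. */
-if (!krb4_init(authctxt)) {
-logit("Couldn't initialize Kerberos ticket file for %s!",
-pw->pw_name);
-goto failure;
-}
-/* Try to get TGT using our password. */
-r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
-"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
-if (r != INTK_OK) {
-debug("Kerberos v4 password authentication for %s "
-"failed: %s", pw->pw_name, krb_err_txt[r]);
-goto failure;
-}
-/* Successful authentication. */
-chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-/*
-* Now that we have a TGT, try to get a local
-* "rcmd" ticket to ensure that we are not talking
-* to a bogus Kerberos server.
-*/
-gethostname(localhost, sizeof(localhost));
-strlcpy(phost, (char *)krb_get_phost(localhost),
-sizeof(phost));
-r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-if (r == KSUCCESS) {
-if ((hp = gethostbyname(localhost)) == NULL) {
-logit("Couldn't get local host address!");
-goto failure;
-}
-memmove((void *)&faddr, (void *)hp->h_addr,
-sizeof(faddr));
-
-/* Verify our "rcmd" ticket. */
-r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-faddr, &adata, "");
-if (r == RD_AP_UNDEC) {
-/*
-* Probably didn't have a srvtab on
-* localhost. Disallow login.
-*/
-logit("Kerberos v4 TGT for %s unverifiable, "
-"no srvtab installed? krb_rd_req: %s",
-pw->pw_name, krb_err_txt[r]);
-goto failure;
-} else if (r != KSUCCESS) {
-logit("Kerberos v4 %s ticket unverifiable: %s",
-KRB4_SERVICE_NAME, krb_err_txt[r]);
-goto failure;
-}
-} else if (r == KDC_PR_UNKNOWN) {
-/*
-* Disallow login if no rcmd service exists, and
-* log the error.
-*/
-logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
-"not registered, or srvtab is wrong?", pw->pw_name,
-krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-goto failure;
-} else {
-/*
-* TGT is bad, forget it. Possibly spoofed!
-*/
-debug("WARNING: Kerberos v4 TGT possibly spoofed "
-"for %s: %s", pw->pw_name, krb_err_txt[r]);
-goto failure;
-}
-/* Authentication succeeded. */
-return (1);
-} else
-/* Logging in as root or no local Kerberos realm. */
-debug("Unable to authenticate to Kerberos.");
-
-failure:
-krb4_cleanup_proc(authctxt);
-
-if (!options.kerberos_or_local_passwd)
-return (0);
-
-/* Fall back to ordinary passwd authentication. */
-return (-1);
-}
-
-void
-krb4_cleanup_proc(void *context)
-{
-Authctxt *authctxt = (Authctxt *)context;
-debug("krb4_cleanup_proc called");
-if (authctxt->krb4_ticket_file) {
-(void) dest_tkt();
-xfree(authctxt->krb4_ticket_file);
-authctxt->krb4_ticket_file = NULL;
-}
-}
-
-int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
-{
-AUTH_DAT adat = {0};
-Key_schedule schedule;
-struct sockaddr_in local, foreign;
-char instance[INST_SZ];
-socklen_t slen;
-u_int cksum;
-int r, s;
-
-s = packet_get_connection_in();
-
-slen = sizeof(local);
-memset(&local, 0, sizeof(local));
-if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
-debug("getsockname failed: %.100s", strerror(errno));
-slen = sizeof(foreign);
-memset(&foreign, 0, sizeof(foreign));
-if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
-debug("getpeername failed: %.100s", strerror(errno));
-fatal_cleanup();
-}
-instance[0] = '*';
-instance[1] = 0;
-
-/* Get the encrypted request, challenge, and session key. */
-if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
-0, &adat, ""))) {
-debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
-return (0);
-}
-des_key_sched((des_cblock *) adat.session, schedule);
-
-*client = xmalloc(MAX_K_NAME_SZ);
-(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
-*adat.pinst ? "." : "", adat.pinst, adat.prealm);
-
-/* Check ~/.klogin authorization now. */
-if (kuserok(&adat, authctxt->user) != KSUCCESS) {
-logit("Kerberos v4 .klogin authorization failed for %s to "
-"account %s", *client, authctxt->user);
-xfree(*client);
-*client = NULL;
-return (0);
-}
-/* Increment the checksum, and return it encrypted with the
-session key. */
-cksum = adat.checksum + 1;
-cksum = htonl(cksum);
-
-/* If we can't successfully encrypt the checksum, we send back an
-empty message, admitting our failure. */
-if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
-schedule, &adat.session, &local, &foreign)) < 0) {
-debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
-reply->dat[0] = 0;
-reply->length = 0;
-} else
-reply->length = r;
-
-/* Clear session key. */
-memset(&adat.session, 0, sizeof(adat.session));
-return (1);
-}
-#endif /* KRB4 */
-
-#ifdef AFS
-int
-auth_krb4_tgt(Authctxt *authctxt, const char *string)
-{
-CREDENTIALS creds;
-struct passwd *pw;
-
-if ((pw = authctxt->pw) == NULL)
-goto failure;
-
-temporarily_use_uid(pw);
-
-if (!radix_to_creds(string, &creds)) {
-logit("Protocol error decoding Kerberos v4 TGT");
-goto failure;
-}
-if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-strlcpy(creds.service, "krbtgt", sizeof creds.service);
-
-if (strcmp(creds.service, "krbtgt")) {
-logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
-creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
-creds.realm, pw->pw_name);
-goto failure;
-}
-if (!krb4_init(authctxt))
-goto failure;
-
-if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-goto failure;
-
-if (save_credentials(creds.service, creds.instance, creds.realm,
-creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
-creds.issue_date) != KSUCCESS) {
-debug("Kerberos v4 TGT refused: couldn't save credentials");
-goto failure;
-}
-/* Successful authentication, passed all checks. */
-chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
-creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
-memset(&creds, 0, sizeof(creds));
-
-restore_uid();
-
-return (1);
-
-failure:
-krb4_cleanup_proc(authctxt);
-memset(&creds, 0, sizeof(creds));
-restore_uid();
-
-return (0);
-}
-
-int
-auth_afs_token(Authctxt *authctxt, const char *token_string)
-{
-CREDENTIALS creds;
-struct passwd *pw;
-uid_t uid;
-
-if ((pw = authctxt->pw) == NULL)
-return (0);
-
-if (!radix_to_creds(token_string, &creds)) {
-logit("Protocol error decoding AFS token");
-return (0);
-}
-if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-strlcpy(creds.service, "afs", sizeof creds.service);
-
-if (strncmp(creds.pname, "AFS ID ", 7) == 0)
-uid = atoi(creds.pname + 7);
-else
-uid = pw->pw_uid;
-
-if (kafs_settoken(creds.realm, uid, &creds)) {
-logit("AFS token (%s@%s) rejected for %s",
-creds.pname, creds.realm, pw->pw_name);
-memset(&creds, 0, sizeof(creds));
-return (0);
-}
-debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
-memset(&creds, 0, sizeof(creds));
-
-return (1);
-}
-#endif /* AFS */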
14
crypto/dist/ssh/auth-passwd.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: auth-passwd.c,v 1.8 2003/07/10 01:09:41 lukem Exp $ */
|
||||
/* $NetBSD: auth-passwd.c,v 1.9 2003/07/23 03:52:17 itojun Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -37,8 +37,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
|
||||
__RCSID("$NetBSD: auth-passwd.c,v 1.8 2003/07/10 01:09:41 lukem Exp $");
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: auth-passwd.c,v 1.9 2003/07/23 03:52:17 itojun Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
@ -72,14 +72,6 @@ auth_password(Authctxt *authctxt, const char *password)
|
||||
/* Fall back to ordinary passwd authentication. */
|
||||
}
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
if (options.kerberos_authentication == 1) {
|
||||
int ret = auth_krb4_password(authctxt, password);
|
||||
if (ret == 1 || ret == 0)
|
||||
return ret;
|
||||
/* Fall back to ordinary passwd authentication. */
|
||||
}
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
|
||||
(char *)password) == 0)
|
||||
|
21
crypto/dist/ssh/auth.h
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: auth.h,v 1.14 2002/10/01 14:07:27 itojun Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
|
||||
/* $NetBSD: auth.h,v 1.15 2003/07/23 03:52:17 itojun Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -61,9 +61,6 @@ struct Authctxt {
|
||||
#ifdef BSD_AUTH
|
||||
auth_session_t *as;
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
char *krb4_ticket_file;
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
krb5_context krb5_ctx;
|
||||
krb5_auth_context krb5_auth_ctx;
|
||||
@ -112,20 +109,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
||||
int user_key_allowed(struct passwd *, Key *);
|
||||
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
|
||||
int auth_krb4_password(Authctxt *, const char *);
|
||||
void krb4_cleanup_proc(void *);
|
||||
|
||||
#ifdef AFS
|
||||
#include <kafs.h>
|
||||
int auth_krb4_tgt(Authctxt *, const char *);
|
||||
int auth_afs_token(Authctxt *, const char *);
|
||||
#endif /* AFS */
|
||||
|
||||
#endif /* KRB4 */
|
||||
|
||||
#ifdef KRB5
|
||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||
|
51
crypto/dist/ssh/auth1.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: auth1.c,v 1.23 2003/07/10 01:09:42 lukem Exp $ */
|
||||
/* $NetBSD: auth1.c,v 1.24 2003/07/23 03:52:17 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -11,8 +11,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
|
||||
__RCSID("$NetBSD: auth1.c,v 1.23 2003/07/10 01:09:42 lukem Exp $");
|
||||
RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: auth1.c,v 1.24 2003/07/23 03:52:17 itojun Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
@ -51,7 +51,7 @@ get_authname(int type)
|
||||
case SSH_CMSG_AUTH_TIS:
|
||||
case SSH_CMSG_AUTH_TIS_RESPONSE:
|
||||
return "challenge-response";
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case SSH_CMSG_AUTH_KERBEROS:
|
||||
return "kerberos";
|
||||
#endif
|
||||
@ -83,7 +83,7 @@ do_authloop(Authctxt *authctxt)
|
||||
|
||||
/* If the user has no password, accept authentication immediately. */
|
||||
if (options.password_authentication &&
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
||||
#endif
|
||||
PRIVSEP(auth_password(authctxt, ""))) {
|
||||
@ -108,7 +108,7 @@ do_authloop(Authctxt *authctxt)
|
||||
/* Process the packet. */
|
||||
switch (type) {
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case SSH_CMSG_AUTH_KERBEROS:
|
||||
if (!options.kerberos_authentication) {
|
||||
verbose("Kerberos authentication disabled.");
|
||||
@ -116,32 +116,7 @@ do_authloop(Authctxt *authctxt)
|
||||
char *kdata = packet_get_string(&dlen);
|
||||
packet_check_eom();
|
||||
|
||||
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
|
||||
#ifdef KRB4
|
||||
KTEXT_ST tkt, reply;
|
||||
tkt.length = dlen;
|
||||
if (tkt.length < MAX_KTXT_LEN)
|
||||
memcpy(tkt.dat, kdata, tkt.length);
|
||||
|
||||
if (PRIVSEP(auth_krb4(authctxt, &tkt,
|
||||
&client_user, &reply))) {
|
||||
authenticated = 1;
|
||||
snprintf(info, sizeof(info),
|
||||
" tktuser %.100s",
|
||||
client_user);
|
||||
|
||||
packet_start(
|
||||
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
|
||||
packet_put_string((char *)
|
||||
reply.dat, reply.length);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
xfree(client_user);
|
||||
}
|
||||
#endif /* KRB4 */
|
||||
} else {
|
||||
#ifdef KRB5
|
||||
if (kdata[0] != 4) { /* KRB_PROT_VERSION */
|
||||
krb5_data tkt, reply;
|
||||
tkt.length = dlen;
|
||||
tkt.data = kdata;
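Review bot: The added `if (kdata[0] != 4) { /* KRB_PROT_VERSION */` now has no companion branch for a version-4 ticket: the removed KRB4 arm was the only code that handled, or at least logged, that case, so a client that still sends a v4 ticket is dropped without any trace and only reaches the `xfree(kdata)` in the following hunk. A one-line `else debug("Kerberos v4 ticket ignored: KRB4 support removed");` keeps the rejection visible in the server debug log, and a named constant for the literal `4` (KRB_PROT_VERSION survives only as a comment) would make the check self-explanatory. The enclosing SSH_CMSG_AUTH_KERBEROS case of do_authloop begins before this hunk and its closing braces sit in the next one.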
|
||||
@ -165,24 +140,14 @@ do_authloop(Authctxt *authctxt)
|
||||
xfree(reply.data);
|
||||
xfree(client_user);
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
}
|
||||
xfree(kdata);
|
||||
}
|
||||
break;
|
||||
#endif /* KRB4 || KRB5 */
|
||||
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
/* XXX - punt on backward compatibility here. */
|
||||
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
||||
packet_send_debug("Kerberos TGT passing disabled before authentication.");
|
||||
break;
|
||||
#ifdef AFS
|
||||
case SSH_CMSG_HAVE_AFS_TOKEN:
|
||||
packet_send_debug("AFS token passing disabled before authentication.");
|
||||
break;
|
||||
#endif /* AFS */
|
||||
#endif /* AFS || KRB5 */
|
||||
#endif
|
||||
|
||||
case SSH_CMSG_AUTH_RHOSTS:
|
||||
if (!options.rhosts_authentication) {
|
||||
|
58
crypto/dist/ssh/monitor.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: monitor.c,v 1.13 2003/07/10 01:09:45 lukem Exp $ */
|
||||
/* $NetBSD: monitor.c,v 1.14 2003/07/23 03:52:17 itojun Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -26,8 +26,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");
|
||||
__RCSID("$NetBSD: monitor.c,v 1.13 2003/07/10 01:09:45 lukem Exp $");
|
||||
RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: monitor.c,v 1.14 2003/07/23 03:52:17 itojun Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
|
||||
@ -118,9 +118,6 @@ int mm_answer_rsa_response(int, Buffer *);
|
||||
int mm_answer_sesskey(int, Buffer *);
|
||||
int mm_answer_sessid(int, Buffer *);
|
||||
|
||||
#ifdef KRB4
|
||||
int mm_answer_krb4(int, Buffer *);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
int mm_answer_krb5(int, Buffer *);
|
||||
#endif
|
||||
@ -201,9 +198,6 @@ struct mon_table mon_dispatch_proto15[] = {
|
||||
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
||||
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
|
||||
#endif
|
||||
@ -1270,52 +1264,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
|
||||
return (success);
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
int
|
||||
mm_answer_krb4(int socket, Buffer *m)
|
||||
{
|
||||
KTEXT_ST auth, reply;
|
||||
char *client, *p;
|
||||
int success;
|
||||
u_int alen;
|
||||
|
||||
reply.length = auth.length = 0;
|
||||
|
||||
p = buffer_get_string(m, &alen);
|
||||
if (alen >= MAX_KTXT_LEN)
|
||||
fatal("%s: auth too large", __func__);
|
||||
memcpy(auth.dat, p, alen);
|
||||
auth.length = alen;
|
||||
memset(p, 0, alen);
|
||||
xfree(p);
|
||||
|
||||
success = options.kerberos_authentication &&
|
||||
authctxt->valid &&
|
||||
auth_krb4(authctxt, &auth, &client, &reply);
|
||||
|
||||
memset(auth.dat, 0, alen);
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, success);
|
||||
|
||||
if (success) {
|
||||
buffer_put_cstring(m, client);
|
||||
buffer_put_string(m, reply.dat, reply.length);
|
||||
if (client)
|
||||
xfree(client);
|
||||
if (reply.length)
|
||||
memset(reply.dat, 0, reply.length);
|
||||
}
|
||||
|
||||
debug3("%s: sending result %d", __func__, success);
|
||||
mm_request_send(socket, MONITOR_ANS_KRB4, m);
|
||||
|
||||
auth_method = "kerberos";
|
||||
|
||||
/* Causes monitor loop to terminate if authenticated */
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef KRB5
|
||||
int
|
||||
mm_answer_krb5(int socket, Buffer *m)
|
||||
|
5
crypto/dist/ssh/monitor.h
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: monitor.h,v 1.3 2002/10/01 14:07:33 itojun Exp $ */
|
||||
/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
|
||||
/* $NetBSD: monitor.h,v 1.4 2003/07/23 03:52:17 itojun Exp $ */
|
||||
/* $OpenBSD: monitor.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -50,7 +50,6 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
|
||||
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
|
||||
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
|
||||
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
|
||||
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
|
||||
MONITOR_REQ_TERM
|
||||
};
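Review bot: Dropping `MONITOR_REQ_KRB4, MONITOR_ANS_KRB4` from the middle of `enum monitor_reqtype` shifts the implicit values of `MONITOR_REQ_KRB5`, `MONITOR_ANS_KRB5` and `MONITOR_REQ_TERM` that follow it. That is harmless only while the monitor and the unprivileged child are always the same sshd binary, which nothing in the hunk records; a comment on the enum such as `/* values are implicit and shift when members are removed; both privsep halves must come from the same build */` would make that assumption explicit for the next removal. The enum's opening line is outside the hunk.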
|
||||
|
42
crypto/dist/ssh/monitor_wrap.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: monitor_wrap.c,v 1.10 2003/07/10 01:09:45 lukem Exp $ */
|
||||
/* $NetBSD: monitor_wrap.c,v 1.11 2003/07/23 03:52:17 itojun Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -26,8 +26,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.26 2003/04/07 08:29:57 markus Exp $");
|
||||
__RCSID("$NetBSD: monitor_wrap.c,v 1.10 2003/07/10 01:09:45 lukem Exp $");
|
||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: monitor_wrap.c,v 1.11 2003/07/23 03:52:17 itojun Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dh.h>
|
||||
@ -940,42 +940,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
|
||||
return (success);
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
int
|
||||
mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
|
||||
{
|
||||
KTEXT auth, reply;
|
||||
Buffer m;
|
||||
u_int rlen;
|
||||
int success = 0;
|
||||
char *p;
|
||||
|
||||
debug3("%s entering", __func__);
|
||||
auth = _auth;
|
||||
reply = _reply;
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_string(&m, auth->dat, auth->length);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
|
||||
|
||||
success = buffer_get_int(&m);
|
||||
if (success) {
|
||||
*client = buffer_get_string(&m, NULL);
|
||||
p = buffer_get_string(&m, &rlen);
|
||||
if (rlen >= MAX_KTXT_LEN)
|
||||
fatal("%s: reply from monitor too large", __func__);
|
||||
reply->length = rlen;
|
||||
memcpy(reply->dat, p, rlen);
|
||||
memset(p, 0, rlen);
|
||||
xfree(p);
|
||||
}
|
||||
buffer_free(&m);
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef KRB5
|
||||
int
|
||||
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
|
||||
|
7
crypto/dist/ssh/monitor_wrap.h
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: monitor_wrap.h,v 1.3 2002/10/01 14:07:34 itojun Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
|
||||
/* $NetBSD: monitor_wrap.h,v 1.4 2003/07/23 03:52:18 itojun Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -81,9 +81,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
|
||||
int mm_skey_respond(void *, u_int, char **);
|
||||
|
||||
/* auth_krb */
|
||||
#ifdef KRB4
|
||||
int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
/* auth and reply are really krb5_data objects, but we don't want to
|
||||
* include all of the krb5 headers here */
|
||||
|
160
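--- a/crypto/dist/ssh/radix.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/* $NetBSD: radix.c,v 1.11 2003/07/10 01:09:46 lukem Exp $ */
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-* Copyright (c) 2002 Markus Friedl. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include "includes.h"
-#include "uuencode.h"
-
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-__RCSID("$NetBSD: radix.c,v 1.11 2003/07/10 01:09:46 lukem Exp $");
-
-#ifdef AFS
-#include <krb.h>
-
-#include <radix.h>
-#include "bufaux.h"
-
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
-Buffer b;
-int ret;
-
-buffer_init(&b);
-
-buffer_put_char(&b, 1); /* version */
-
-buffer_append(&b, creds->service, strlen(creds->service));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->instance, strlen(creds->instance));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->realm, strlen(creds->realm));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pname, strlen(creds->pname));
-buffer_put_char(&b, '\0');
-buffer_append(&b, creds->pinst, strlen(creds->pinst));
-buffer_put_char(&b, '\0');
-
-/* Null string to repeat the realm. */
-buffer_put_char(&b, '\0');
-
-buffer_put_int(&b, creds->issue_date);
-buffer_put_int(&b, krb_life_to_time(creds->issue_date,
-creds->lifetime));
-buffer_append(&b, creds->session, sizeof(creds->session));
-buffer_put_short(&b, creds->kvno);
-
-/* 32 bit size + data */
-buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-
-ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-
-buffer_free(&b);
-return ret;
-}
-
-#define GETSTRING(b, t, tlen) \
-do { \
-int i, found = 0; \
-for (i = 0; i < tlen; i++) { \
-if (buffer_len(b) == 0) \
-goto done; \
-t[i] = buffer_get_char(b); \
-if (t[i] == '\0') { \
-found = 1; \
-break; \
-} \
-} \
-if (!found) \
-goto done; \
-} while(0)
-
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
-Buffer b;
-u_char *space;
-char c, version, *p;
-u_int endTime, len;
-int blen, ret;
-
-ret = 0;
-blen = strlen(buf);
-
-/* sanity check for size */
-if (blen > 8192)
-return 0;
-
-buffer_init(&b);
-space = buffer_append_space(&b, blen);
-
-/* check version and length! */
-len = uudecode(buf, space, blen);
-if (len < 1)
-goto done;
-
-version = buffer_get_char(&b);
-
-GETSTRING(&b, creds->service, sizeof creds->service);
-GETSTRING(&b, creds->instance, sizeof creds->instance);
-GETSTRING(&b, creds->realm, sizeof creds->realm);
-GETSTRING(&b, creds->pname, sizeof creds->pname);
-GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-
-if (buffer_len(&b) == 0)
-goto done;
-
-/* Ignore possibly different realm. */
-while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
-;
-
-if (buffer_len(&b) == 0)
-goto done;
-
-creds->issue_date = buffer_get_int(&b);
-
-endTime = buffer_get_int(&b);
-creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-
-len = buffer_len(&b);
-if (len < sizeof(creds->session))
-goto done;
-memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
-buffer_consume(&b, sizeof(creds->session));
-
-creds->kvno = buffer_get_short(&b);
-
-p = buffer_get_string(&b, &len);
-if (len < 0 || len > sizeof(creds->ticket_st.dat))
-goto done;
-memcpy(&creds->ticket_st.dat, p, len);
-creds->ticket_st.length = len;
-
-ret = 1;
-done:
-buffer_free(&b);
-return ret;
-}
-#endif /* AFS */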
29
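--- a/crypto/dist/ssh/radix.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* $NetBSD: radix.h,v 1.3 2001/09/27 03:24:04 itojun Exp $ */
-/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
-
-/*
-* Copyright (c) 1999 Dug Song. All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-int creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int radix_to_creds(const char *, CREDENTIALS *);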
56
crypto/dist/ssh/readconf.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: readconf.c,v 1.18 2003/07/10 01:09:46 lukem Exp $ */
|
||||
/* $NetBSD: readconf.c,v 1.19 2003/07/23 03:52:19 itojun Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -13,8 +13,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: readconf.c,v 1.105 2003/04/02 09:48:07 markus Exp $");
|
||||
__RCSID("$NetBSD: readconf.c,v 1.18 2003/07/10 01:09:46 lukem Exp $");
|
||||
RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: readconf.c,v 1.19 2003/07/23 03:52:19 itojun Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "xmalloc.h"
|
||||
@ -96,14 +96,8 @@ typedef enum {
|
||||
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
|
||||
oPasswordAuthentication, oRSAAuthentication,
|
||||
oChallengeResponseAuthentication, oXAuthLocation,
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
oKerberosAuthentication,
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
oKerberosTgtPassing,
|
||||
#endif
|
||||
#ifdef AFS
|
||||
oAFSTokenPassing,
|
||||
#ifdef KRB5
|
||||
oKerberosAuthentication, oKerberosTgtPassing,
|
||||
#endif
|
||||
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
|
||||
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
|
||||
@ -117,7 +111,7 @@ typedef enum {
|
||||
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit,
|
||||
oDeprecated
|
||||
oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
||||
/* Textual representations of the tokens. */
|
||||
@ -143,17 +137,17 @@ static struct {
|
||||
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
||||
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
{ "kerberosauthentication", oKerberosAuthentication },
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
{ "kerberostgtpassing", oKerberosTgtPassing },
|
||||
{ "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */
|
||||
{ "kerberos4tgtpassing", oKerberosTgtPassing }, /* alias */
|
||||
#endif
|
||||
#ifdef AFS
|
||||
{ "afstokenpassing", oAFSTokenPassing },
|
||||
#else
|
||||
{ "kerberosauthentication", oUnsupported },
|
||||
{ "kerberostgtpassing", oUnsupported },
|
||||
{ "kerberos5tgtpassing", oUnsupported }, /* alias */
|
||||
#endif
|
||||
{ "kerberos4tgtpassing", oUnsupported }, /* alias */
|
||||
{ "afstokenpassing", oUnsupported },
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
{ "identityfile", oIdentityFile },
|
||||
@ -364,20 +358,13 @@ parse_flag:
|
||||
case oChallengeResponseAuthentication:
|
||||
intptr = &options->challenge_response_authentication;
|
||||
goto parse_flag;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case oKerberosAuthentication:
|
||||
intptr = &options->kerberos_authentication;
|
||||
goto parse_flag;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
case oKerberosTgtPassing:
|
||||
intptr = &options->kerberos_tgt_passing;
|
||||
goto parse_flag;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
case oAFSTokenPassing:
|
||||
intptr = &options->afs_token_passing;
|
||||
goto parse_flag;
|
||||
#endif
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
@ -776,14 +763,9 @@ initialize_options(Options * options)
|
||||
options->rsa_authentication = -1;
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
options->kerberos_authentication = -1;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
options->kerberos_tgt_passing = -1;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
options->afs_token_passing = -1;
|
||||
#endif
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
@ -854,17 +836,11 @@ fill_default_options(Options * options)
|
||||
options->pubkey_authentication = 1;
|
||||
if (options->challenge_response_authentication == -1)
|
||||
options->challenge_response_authentication = 1;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
if (options->kerberos_authentication == -1)
|
||||
options->kerberos_authentication = 1;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
if (options->kerberos_tgt_passing == -1)
|
||||
options->kerberos_tgt_passing = 1;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
if (options->afs_token_passing == -1)
|
||||
options->afs_token_passing = 1;
|
||||
#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
|
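Review bot: The arm that handles the new `oUnsupported` opcode in the option switch is not in any hunk of this section, so it cannot be confirmed here that a keyword such as `KerberosAuthentication` on a build without KRB5 is reported with file name and line number rather than falling into the switch's default arm; the same applies to the new `sUnsupported` entries in servconf.c. Presumably it mirrors the `oDeprecated` handling, which is also outside these hunks. Separately, the retained client default `options->kerberos_tgt_passing = 1` under `#ifdef KRB5` in fill_default_options means a TGT is forwarded to any server unless the user opts out, while the server side defaults the same knob to 0; a client default of 0 would make credential delegation opt-in. The enclosing functions start and end outside the hunks.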
11
crypto/dist/ssh/readconf.h
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: readconf.h,v 1.11 2003/04/03 06:21:34 itojun Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.47 2003/04/02 09:48:07 markus Exp $ */
|
||||
/* $NetBSD: readconf.h,v 1.12 2003/07/23 03:52:20 itojun Exp $ */
|
||||
/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -42,14 +42,9 @@ typedef struct {
|
||||
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
int kerberos_authentication; /* Try Kerberos authentication. */
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
|
||||
#endif
|
||||
#ifdef AFS
|
||||
int afs_token_passing; /* Try AFS token passing. */
|
||||
#endif
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
|
12
crypto/dist/ssh/scp.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: scp.c,v 1.21 2003/07/10 01:09:46 lukem Exp $ */
|
||||
/* $NetBSD: scp.c,v 1.22 2003/07/23 03:52:20 itojun Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
@ -53,11 +53,7 @@
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the University of
|
||||
* California, Berkeley and its contributors.
|
||||
* 4. Neither the name of the University nor the names of its contributors
|
||||
* 3. Neither the name of the University nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
@ -76,8 +72,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $");
|
||||
__RCSID("$NetBSD: scp.c,v 1.21 2003/07/10 01:09:46 lukem Exp $");
|
||||
RCSID("$OpenBSD: scp.c,v 1.108 2003/07/18 01:54:25 deraadt Exp $");
|
||||
__RCSID("$NetBSD: scp.c,v 1.22 2003/07/23 03:52:20 itojun Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "atomicio.h"
|
||||
|
60
crypto/dist/ssh/servconf.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: servconf.c,v 1.24 2003/07/10 01:09:46 lukem Exp $ */
|
||||
/* $NetBSD: servconf.c,v 1.25 2003/07/23 03:52:20 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -11,15 +11,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
|
||||
__RCSID("$NetBSD: servconf.c,v 1.24 2003/07/10 01:09:46 lukem Exp $");
|
||||
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#include <krb.h>
|
||||
#endif
|
||||
#ifdef AFS
|
||||
#include <kafs.h>
|
||||
#endif
|
||||
RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: servconf.c,v 1.25 2003/07/23 03:52:20 itojun Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
@ -75,16 +68,11 @@ initialize_server_options(ServerOptions *options)
|
||||
options->hostbased_uses_name_from_packet_only = -1;
|
||||
options->rsa_authentication = -1;
|
||||
options->pubkey_authentication = -1;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
options->kerberos_authentication = -1;
|
||||
options->kerberos_or_local_passwd = -1;
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
options->kerberos_tgt_passing = -1;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
options->afs_token_passing = -1;
|
||||
#endif
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
@ -186,21 +174,15 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->rsa_authentication = 1;
|
||||
if (options->pubkey_authentication == -1)
|
||||
options->pubkey_authentication = 1;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
if (options->kerberos_authentication == -1)
|
||||
options->kerberos_authentication = 0;
|
||||
if (options->kerberos_or_local_passwd == -1)
|
||||
options->kerberos_or_local_passwd = 1;
|
||||
if (options->kerberos_ticket_cleanup == -1)
|
||||
options->kerberos_ticket_cleanup = 1;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
if (options->kerberos_tgt_passing == -1)
|
||||
options->kerberos_tgt_passing = 0;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
if (options->afs_token_passing == -1)
|
||||
options->afs_token_passing = 0;
|
||||
#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
@ -253,14 +235,9 @@ typedef enum {
|
||||
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
sKerberosTgtPassing,
|
||||
#endif
|
||||
#ifdef AFS
|
||||
sAFSTokenPassing,
|
||||
#endif
|
||||
sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
||||
@ -276,7 +253,7 @@ typedef enum {
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
sUsePrivilegeSeparation,
|
||||
sIgnoreRootRhosts,
|
||||
sDeprecated
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
/* Textual representation of the tokens. */
|
||||
@ -301,17 +278,18 @@ static struct {
|
||||
{ "rsaauthentication", sRSAAuthentication },
|
||||
{ "pubkeyauthentication", sPubkeyAuthentication },
|
||||
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
{ "kerberosauthentication", sKerberosAuthentication },
|
||||
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
|
||||
{ "kerberosticketcleanup", sKerberosTicketCleanup },
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
{ "kerberostgtpassing", sKerberosTgtPassing },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported },
|
||||
{ "kerberosorlocalpasswd", sUnsupported },
|
||||
{ "kerberosticketcleanup", sUnsupported },
|
||||
{ "kerberostgtpassing", sUnsupported },
|
||||
#endif
|
||||
#ifdef AFS
|
||||
{ "afstokenpassing", sAFSTokenPassing },
|
||||
#endif
|
||||
{ "afstokenpassing", sUnsupported },
|
||||
{ "passwordauthentication", sPasswordAuthentication },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
|
||||
@ -615,7 +593,7 @@ parse_flag:
|
||||
case sPubkeyAuthentication:
|
||||
intptr = &options->pubkey_authentication;
|
||||
goto parse_flag;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case sKerberosAuthentication:
|
||||
intptr = &options->kerberos_authentication;
|
||||
goto parse_flag;
|
||||
@ -627,17 +605,11 @@ parse_flag:
|
||||
case sKerberosTicketCleanup:
|
||||
intptr = &options->kerberos_ticket_cleanup;
|
||||
goto parse_flag;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
|
||||
case sKerberosTgtPassing:
|
||||
intptr = &options->kerberos_tgt_passing;
|
||||
goto parse_flag;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
case sAFSTokenPassing:
|
||||
intptr = &options->afs_token_passing;
|
||||
goto parse_flag;
|
||||
#endif
|
||||
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
|
11
crypto/dist/ssh/servconf.h
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: servconf.h,v 1.14 2002/10/01 14:07:36 itojun Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
|
||||
/* $NetBSD: servconf.h,v 1.15 2003/07/23 03:52:21 itojun Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -77,7 +77,7 @@ typedef struct {
|
||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||
int rsa_authentication; /* If true, permit RSA authentication. */
|
||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
int kerberos_authentication; /* If true, permit Kerberos
|
||||
* authentication. */
|
||||
int kerberos_or_local_passwd; /* If true, permit kerberos
|
||||
@ -87,13 +87,8 @@ typedef struct {
|
||||
* /etc/passwd */
|
||||
int kerberos_ticket_cleanup; /* If true, destroy ticket
|
||||
* file on logout. */
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
|
||||
* passing. */
|
||||
#endif
|
||||
#ifdef AFS
|
||||
int afs_token_passing; /* If true, permit AFS token passing. */
|
||||
#endif
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
|
61
crypto/dist/ssh/session.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: session.c,v 1.32 2003/07/10 01:09:46 lukem Exp $ */
|
||||
/* $NetBSD: session.c,v 1.33 2003/07/23 03:52:21 itojun Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -34,8 +34,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
|
||||
__RCSID("$NetBSD: session.c,v 1.32 2003/07/10 01:09:46 lukem Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: session.c,v 1.33 2003/07/23 03:52:21 itojun Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
@ -213,10 +213,6 @@ do_authenticated(Authctxt *authctxt)
|
||||
/* remove agent socket */
|
||||
if (auth_sock_name != NULL)
|
||||
auth_sock_cleanup_proc(authctxt->pw);
|
||||
#ifdef KRB4
|
||||
if (options.kerberos_ticket_cleanup)
|
||||
krb4_cleanup_proc(authctxt);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_ticket_cleanup)
|
||||
krb5_cleanup_proc(authctxt);
|
||||
@ -329,7 +325,7 @@ do_authenticated1(Authctxt *authctxt)
|
||||
success = 1;
|
||||
break;
|
||||
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
||||
if (!options.kerberos_tgt_passing) {
|
||||
verbose("Kerberos TGT passing disabled.");
|
||||
@ -337,9 +333,8 @@ do_authenticated1(Authctxt *authctxt)
|
||||
char *kdata = packet_get_string(&dlen);
|
||||
packet_check_eom();
|
||||
|
||||
/* XXX - 0x41, see creds_to_radix version */
|
||||
/* XXX - 0x41, used for AFS */
|
||||
if (kdata[0] != 0x41) {
|
||||
#ifdef KRB5
|
||||
krb5_data tgt;
|
||||
tgt.data = kdata;
|
||||
tgt.length = dlen;
|
||||
@ -348,38 +343,11 @@ do_authenticated1(Authctxt *authctxt)
|
||||
success = 1;
|
||||
else
|
||||
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
|
||||
#endif /* KRB5 */
|
||||
} else {
|
||||
#ifdef AFS
|
||||
if (auth_krb4_tgt(s->authctxt, kdata))
|
||||
success = 1;
|
||||
else
|
||||
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
|
||||
#endif /* AFS */
|
||||
}
|
||||
xfree(kdata);
|
||||
}
|
||||
break;
|
||||
#endif /* AFS || KRB5 */
|
||||
|
||||
#ifdef AFS
|
||||
case SSH_CMSG_HAVE_AFS_TOKEN:
|
||||
if (!options.afs_token_passing || !k_hasafs()) {
|
||||
verbose("AFS token passing disabled.");
|
||||
} else {
|
||||
/* Accept AFS token. */
|
||||
char *token = packet_get_string(&dlen);
|
||||
packet_check_eom();
|
||||
|
||||
if (auth_afs_token(s->authctxt, token))
|
||||
success = 1;
|
||||
else
|
||||
verbose("AFS token refused for %.100s",
|
||||
s->authctxt->user);
|
||||
xfree(token);
|
||||
}
|
||||
break;
|
||||
#endif /* AFS */
|
||||
#endif
|
||||
|
||||
case SSH_CMSG_EXEC_SHELL:
|
||||
case SSH_CMSG_EXEC_CMD:
|
||||
@ -977,11 +945,6 @@ do_setup_env(Session *s, const char *shell)
|
||||
if (original_command)
|
||||
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
|
||||
original_command);
|
||||
#ifdef KRB4
|
||||
if (s->authctxt->krb4_ticket_file)
|
||||
child_set_env(&env, &envsize, "KRBTKFILE",
|
||||
s->authctxt->krb4_ticket_file);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
if (s->authctxt->krb5_ticket_file)
|
||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||
@ -1241,18 +1204,6 @@ do_child(Session *s, const char *command)
|
||||
*/
|
||||
environ = env;
|
||||
|
||||
#ifdef AFS
|
||||
/* Try to get AFS tokens for the local cell. */
|
||||
if (k_hasafs()) {
|
||||
char cell[64];
|
||||
|
||||
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
|
||||
krb_afslog(cell, 0);
|
||||
|
||||
krb_afslog(0, 0);
|
||||
}
|
||||
#endif /* AFS */
|
||||
|
||||
/* Change current directory to the user\'s home directory. */
|
||||
if (chdir(pw->pw_dir) < 0) {
|
||||
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
|
||||
|
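Review bot: With the AFS branch gone, a TGT whose first byte is 0x41 now takes the empty path after `if (kdata[0] != 0x41) {` in do_authenticated1: `success` stays 0 and nothing is logged, whereas a refused v5 TGT is recorded with `verbose()`. For consistent server-side visibility, give the closing brace an else arm: `} else {` / `verbose("Kerberos v4 TGT refused for %.100s: not supported", s->authctxt->user);` / `}`. The comment `/* XXX - 0x41, used for AFS */` could also say what the byte now means, e.g. `/* 0x41 marks a v4/AFS-style TGT, which is no longer accepted */`. do_authenticated1 starts and ends outside the hunk.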
6
crypto/dist/ssh/ssh.1
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: ssh.1,v 1.26 2003/06/27 09:14:56 wiz Exp $
|
||||
.\" $NetBSD: ssh.1,v 1.27 2003/07/23 03:52:21 itojun Exp $
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
|
||||
.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
@ -494,7 +494,7 @@ the device
|
||||
should use to communicate with a smartcard used for storing the user's
|
||||
private RSA key.
|
||||
.It Fl k
|
||||
Disables forwarding of Kerberos tickets and AFS tokens.
|
||||
Disables forwarding of Kerberos tickets.
|
||||
This may also be specified on a per-host basis in the configuration file.
|
||||
.It Fl l Ar login_name
|
||||
Specifies the user to log in as on the remote machine.
|
||||
|
17
crypto/dist/ssh/ssh.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ssh.c,v 1.28 2003/07/10 01:09:48 lukem Exp $ */
|
||||
/* $NetBSD: ssh.c,v 1.29 2003/07/23 03:52:22 itojun Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -41,8 +41,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $");
|
||||
__RCSID("$NetBSD: ssh.c,v 1.28 2003/07/10 01:09:48 lukem Exp $");
|
||||
RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: ssh.c,v 1.29 2003/07/23 03:52:22 itojun Exp $");
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
@ -156,9 +156,7 @@ usage(void)
|
||||
_PATH_SSH_USER_CONFFILE);
|
||||
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
|
||||
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
|
||||
#ifdef AFS
|
||||
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
|
||||
#endif /* AFS */
|
||||
fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n");
|
||||
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
|
||||
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
|
||||
fprintf(stderr, " -i file Identity for public key authentication "
|
||||
@ -303,12 +301,13 @@ again:
|
||||
case 'A':
|
||||
options.forward_agent = 1;
|
||||
break;
|
||||
#ifdef AFS
|
||||
case 'k':
|
||||
#ifdef KRB5
|
||||
options.kerberos_tgt_passing = 0;
|
||||
options.afs_token_passing = 0;
|
||||
break;
|
||||
#else
|
||||
fprintf(stderr, "no support for kerberos.\n");
|
||||
#endif
|
||||
break;
|
||||
case 'i':
|
||||
if (stat(optarg, &st) < 0) {
|
||||
fprintf(stderr, "Warning: Identity file %s "
|
||||
|
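Review bot: The diagnostic in the new `-k` arm, `fprintf(stderr, "no support for kerberos.\n");`, is worded and capitalised unlike the other messages in this switch (compare `"Warning: Identity file %s "` a few lines below) and does not say that the flag was ignored; `fprintf(stderr, "Warning: no Kerberos support, -k ignored.\n");` reads consistently. Continuing rather than exiting is reasonable here, since nothing is forwarded on such a build anyway. The `usage()` hunk now advertises `-k` on every build, which matches the flag being accepted unconditionally. The option switch after `again:` starts and ends outside the hunk.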
7
crypto/dist/ssh/ssh.h
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: ssh.h,v 1.10 2002/06/24 05:48:38 itojun Exp $ */
|
||||
/* $OpenBSD: ssh.h,v 1.71 2002/06/22 02:00:29 stevesk Exp $ */
|
||||
/* $NetBSD: ssh.h,v 1.11 2003/07/23 03:52:22 itojun Exp $ */
|
||||
/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -80,9 +80,6 @@
|
||||
*/
|
||||
#define SSH_SESSION_KEY_LENGTH 32
|
||||
|
||||
/* Name of Kerberos service for SSH to use. */
|
||||
#define KRB4_SERVICE_NAME "rcmd"
|
||||
|
||||
/* Used to identify ``EscapeChar none'' */
|
||||
#define SSH_ESCAPECHAR_NONE -2
|
||||
|
||||
|
12
crypto/dist/ssh/ssh_config.5
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: ssh_config.5,v 1.4 2003/06/27 22:35:48 wiz Exp $
|
||||
.\" $NetBSD: ssh_config.5,v 1.5 2003/07/23 03:52:22 itojun Exp $
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
@ -116,13 +116,6 @@ The host is the
|
||||
.Ar hostname
|
||||
argument given on the command line (i.e., the name is not converted to
|
||||
a canonicalized host name before matching).
|
||||
.It Cm AFSTokenPassing
|
||||
Specifies whether to pass AFS tokens to remote host.
|
||||
The argument to this keyword must be
|
||||
.Dq yes
|
||||
or
|
||||
.Dq no .
|
||||
This option applies to protocol version 1 only.
|
||||
.It Cm BatchMode
|
||||
If set to
|
||||
.Dq yes ,
|
||||
@ -379,7 +372,6 @@ or
|
||||
.Dq no .
|
||||
.It Cm KerberosTgtPassing
|
||||
Specifies whether a Kerberos TGT will be forwarded to the server.
|
||||
This will only work if the Kerberos server is actually an AFS kaserver.
|
||||
The argument to this keyword must be
|
||||
.Dq yes
|
||||
or
|
||||
|
291
crypto/dist/ssh/sshconnect1.c
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: sshconnect1.c,v 1.24 2003/07/10 01:09:48 lukem Exp $ */
|
||||
/* $NetBSD: sshconnect1.c,v 1.25 2003/07/23 03:52:22 itojun Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -14,22 +14,15 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
|
||||
__RCSID("$NetBSD: sshconnect1.c,v 1.24 2003/07/10 01:09:48 lukem Exp $");
|
||||
RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: sshconnect1.c,v 1.25 2003/07/23 03:52:22 itojun Exp $");
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
#include <krb5.h>
|
||||
#endif
|
||||
#ifdef AFS
|
||||
#include <kafs.h>
|
||||
#include "radix.h"
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
@ -379,128 +372,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
static int
|
||||
try_krb4_authentication(void)
|
||||
{
|
||||
KTEXT_ST auth; /* Kerberos data */
|
||||
char *reply;
|
||||
char inst[INST_SZ];
|
||||
char *realm;
|
||||
CREDENTIALS cred;
|
||||
int r, type;
|
||||
socklen_t slen;
|
||||
Key_schedule schedule;
|
||||
u_long checksum, cksum;
|
||||
MSG_DAT msg_data;
|
||||
struct sockaddr_in local, foreign;
|
||||
struct stat st;
|
||||
|
||||
/* Don't do anything if we don't have any tickets. */
|
||||
if (stat(tkt_string(), &st) < 0)
|
||||
return 0;
|
||||
|
||||
strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
|
||||
INST_SZ);
|
||||
|
||||
realm = (char *)krb_realmofhost(get_canonical_hostname(1));
|
||||
if (!realm) {
|
||||
debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
|
||||
return 0;
|
||||
}
|
||||
/* This can really be anything. */
|
||||
checksum = (u_long)getpid();
|
||||
|
||||
r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
|
||||
if (r != KSUCCESS) {
|
||||
debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
|
||||
return 0;
|
||||
}
|
||||
/* Get session key to decrypt the server's reply with. */
|
||||
r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
|
||||
if (r != KSUCCESS) {
|
||||
debug("get_cred failed: %s", krb_err_txt[r]);
|
||||
return 0;
|
||||
}
|
||||
des_key_sched((des_cblock *) cred.session, schedule);
|
||||
|
||||
/* Send authentication info to server. */
|
||||
packet_start(SSH_CMSG_AUTH_KERBEROS);
|
||||
packet_put_string((char *) auth.dat, auth.length);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
/* Zero the buffer. */
|
||||
(void) memset(auth.dat, 0, MAX_KTXT_LEN);
|
||||
|
||||
slen = sizeof(local);
|
||||
memset(&local, 0, sizeof(local));
|
||||
if (getsockname(packet_get_connection_in(),
|
||||
(struct sockaddr *)&local, &slen) < 0)
|
||||
debug("getsockname failed: %s", strerror(errno));
|
||||
|
||||
slen = sizeof(foreign);
|
||||
memset(&foreign, 0, sizeof(foreign));
|
||||
if (getpeername(packet_get_connection_in(),
|
||||
(struct sockaddr *)&foreign, &slen) < 0) {
|
||||
debug("getpeername failed: %s", strerror(errno));
|
||||
fatal_cleanup();
|
||||
}
|
||||
/* Get server reply. */
|
||||
type = packet_read();
|
||||
switch (type) {
|
||||
case SSH_SMSG_FAILURE:
|
||||
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
|
||||
debug("Kerberos v4 authentication failed.");
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
|
||||
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
|
||||
debug("Kerberos v4 authentication accepted.");
|
||||
|
||||
/* Get server's response. */
|
||||
reply = packet_get_string((u_int *) &auth.length);
|
||||
if (auth.length >= MAX_KTXT_LEN)
|
||||
fatal("Kerberos v4: Malformed response from server");
|
||||
memcpy(auth.dat, reply, auth.length);
|
||||
xfree(reply);
|
||||
|
||||
packet_check_eom();
|
||||
|
||||
/*
|
||||
* If his response isn't properly encrypted with the session
|
||||
* key, and the decrypted checksum fails to match, he's
|
||||
* bogus. Bail out.
|
||||
*/
|
||||
r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
|
||||
&foreign, &local, &msg_data);
|
||||
if (r != KSUCCESS) {
|
||||
debug("Kerberos v4 krb_rd_priv failed: %s",
|
||||
krb_err_txt[r]);
|
||||
packet_disconnect("Kerberos v4 challenge failed!");
|
||||
}
|
||||
/* Fetch the (incremented) checksum that we supplied in the request. */
|
||||
memcpy((char *)&cksum, (char *)msg_data.app_data,
|
||||
sizeof(cksum));
|
||||
cksum = ntohl(cksum);
|
||||
|
||||
/* If it matches, we're golden. */
|
||||
if (cksum == checksum + 1) {
|
||||
debug("Kerberos v4 challenge successful.");
|
||||
return 1;
|
||||
} else
|
||||
packet_disconnect("Kerberos v4 challenge failed!");
|
||||
break;
|
||||
|
||||
default:
|
||||
packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* KRB4 */
|
||||
|
||||
#ifdef KRB5
|
||||
static int
|
||||
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
|
||||
@ -685,129 +556,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef AFS
|
||||
static void
|
||||
send_krb4_tgt(void)
|
||||
{
|
||||
CREDENTIALS *creds;
|
||||
struct stat st;
|
||||
char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
|
||||
int problem, type;
|
||||
|
||||
/* Don't do anything if we don't have any tickets. */
|
||||
if (stat(tkt_string(), &st) < 0)
|
||||
return;
|
||||
|
||||
creds = xmalloc(sizeof(*creds));
|
||||
|
||||
problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
problem = krb_get_cred("krbtgt", prealm, prealm, creds);
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
|
||||
problem = RD_AP_EXP;
|
||||
goto out;
|
||||
}
|
||||
creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
|
||||
|
||||
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
|
||||
packet_put_cstring(buffer);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
type = packet_read();
|
||||
|
||||
if (type == SSH_SMSG_SUCCESS)
|
||||
debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
|
||||
creds->pname, creds->pinst[0] ? "." : "",
|
||||
creds->pinst, creds->realm);
|
||||
else
|
||||
debug("Kerberos v4 TGT rejected.");
|
||||
|
||||
xfree(creds);
|
||||
return;
|
||||
|
||||
out:
|
||||
debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
|
||||
xfree(creds);
|
||||
}
|
||||
|
||||
static void
|
||||
send_afs_tokens(void)
|
||||
{
|
||||
CREDENTIALS creds;
|
||||
struct ViceIoctl parms;
|
||||
struct ClearToken ct;
|
||||
int i, type, len;
|
||||
char buf[2048], *p, *server_cell;
|
||||
char buffer[8192];
|
||||
|
||||
/* Move over ktc_GetToken, here's something leaner. */
|
||||
for (i = 0; i < 100; i++) { /* just in case */
|
||||
parms.in = (char *) &i;
|
||||
parms.in_size = sizeof(i);
|
||||
parms.out = buf;
|
||||
parms.out_size = sizeof(buf);
|
||||
if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
|
||||
break;
|
||||
p = buf;
|
||||
|
||||
/* Get secret token. */
|
||||
memcpy(&creds.ticket_st.length, p, sizeof(u_int));
|
||||
if (creds.ticket_st.length > MAX_KTXT_LEN)
|
||||
break;
|
||||
p += sizeof(u_int);
|
||||
memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
|
||||
p += creds.ticket_st.length;
|
||||
|
||||
/* Get clear token. */
|
||||
memcpy(&len, p, sizeof(len));
|
||||
if (len != sizeof(struct ClearToken))
|
||||
break;
|
||||
p += sizeof(len);
|
||||
memcpy(&ct, p, len);
|
||||
p += len;
|
||||
p += sizeof(len); /* primary flag */
|
||||
server_cell = p;
|
||||
|
||||
/* Flesh out our credentials. */
|
||||
strlcpy(creds.service, "afs", sizeof(creds.service));
|
||||
creds.instance[0] = '\0';
|
||||
strlcpy(creds.realm, server_cell, REALM_SZ);
|
||||
memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
|
||||
creds.issue_date = ct.BeginTimestamp;
|
||||
creds.lifetime = krb_time_to_life(creds.issue_date,
|
||||
ct.EndTimestamp);
|
||||
creds.kvno = ct.AuthHandle;
|
||||
snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
|
||||
creds.pinst[0] = '\0';
|
||||
|
||||
/* Encode token, ship it off. */
|
||||
if (creds_to_radix(&creds, (u_char *)buffer,
|
||||
sizeof(buffer)) <= 0)
|
||||
break;
|
||||
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
|
||||
packet_put_cstring(buffer);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
|
||||
/* Roger, Roger. Clearance, Clarence. What's your vector,
|
||||
Victor? */
|
||||
type = packet_read();
|
||||
|
||||
if (type == SSH_SMSG_FAILURE)
|
||||
debug("AFS token for cell %s rejected.", server_cell);
|
||||
else if (type != SSH_SMSG_SUCCESS)
|
||||
packet_disconnect("Protocol error on AFS token response: %d", type);
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* AFS */
|
||||
|
||||
/*
|
||||
* Tries to authenticate with any string-based challenge/response system.
|
||||
* Note that the client code is not tied to s/key or TIS.
|
||||
@ -1139,21 +887,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef KRB4
|
||||
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
|
||||
options.kerberos_authentication) {
|
||||
debug("Trying Kerberos v4 authentication.");
|
||||
|
||||
if (try_krb4_authentication()) {
|
||||
type = packet_read();
|
||||
if (type == SSH_SMSG_SUCCESS)
|
||||
goto success;
|
||||
if (type != SSH_SMSG_FAILURE)
|
||||
packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
|
||||
}
|
||||
}
|
||||
#endif /* KRB4 */
|
||||
|
||||
/*
|
||||
* Use rhosts authentication if running in privileged socket and we
|
||||
* do not wish to remain anonymous.
|
||||
@ -1240,23 +973,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
|
||||
if (context)
|
||||
krb5_free_context(context);
|
||||
#endif
|
||||
|
||||
#ifdef AFS
|
||||
/* Try Kerberos v4 TGT passing if the server supports it. */
|
||||
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
|
||||
options.kerberos_tgt_passing) {
|
||||
if (options.cipher == SSH_CIPHER_NONE)
|
||||
logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
|
||||
send_krb4_tgt();
|
||||
}
|
||||
/* Try AFS token passing if the server supports it. */
|
||||
if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
|
||||
options.afs_token_passing && k_hasafs()) {
|
||||
if (options.cipher == SSH_CIPHER_NONE)
|
||||
logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
|
||||
send_afs_tokens();
|
||||
}
|
||||
#endif /* AFS */
|
||||
|
||||
return; /* need statement after label */
|
||||
}
|
||||
|
25
crypto/dist/ssh/sshd.c
vendored
25
crypto/dist/ssh/sshd.c
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: sshd.c,v 1.30 2003/07/10 01:09:48 lukem Exp $ */
|
||||
/* $NetBSD: sshd.c,v 1.31 2003/07/23 03:52:23 itojun Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -43,8 +43,8 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
|
||||
__RCSID("$NetBSD: sshd.c,v 1.30 2003/07/10 01:09:48 lukem Exp $");
|
||||
RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
|
||||
__RCSID("$NetBSD: sshd.c,v 1.31 2003/07/23 03:52:23 itojun Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
@ -1424,20 +1424,13 @@ main(int ac, char **av)
|
||||
"originating port %d not trusted.", remote_port);
|
||||
options.rhosts_authentication = 0;
|
||||
}
|
||||
#if defined(KRB4) && !defined(KRB5)
|
||||
#ifdef KRB5
|
||||
if (!packet_connection_is_ipv4() &&
|
||||
options.kerberos_authentication) {
|
||||
debug("Kerberos Authentication disabled, only available for IPv4.");
|
||||
options.kerberos_authentication = 0;
|
||||
}
|
||||
#endif /* KRB4 && !KRB5 */
|
||||
#ifdef AFS
|
||||
/* If machine has AFS, set process authentication group. */
|
||||
if (k_hasafs()) {
|
||||
k_setpag();
|
||||
k_unlog();
|
||||
}
|
||||
#endif /* AFS */
|
||||
#endif
|
||||
|
||||
packet_set_nonblocking();
|
||||
|
||||
@ -1595,17 +1588,11 @@ do_ssh1_kex(void)
|
||||
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
|
||||
if (options.rsa_authentication)
|
||||
auth_mask |= 1 << SSH_AUTH_RSA;
|
||||
#if defined(KRB4) || defined(KRB5)
|
||||
#ifdef KRB5
|
||||
if (options.kerberos_authentication)
|
||||
auth_mask |= 1 << SSH_AUTH_KERBEROS;
|
||||
#endif
|
||||
#if defined(AFS) || defined(KRB5)
|
||||
if (options.kerberos_tgt_passing)
|
||||
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
|
||||
#endif
|
||||
#ifdef AFS
|
||||
if (options.afs_token_passing)
|
||||
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
|
||||
#endif
|
||||
if (options.challenge_response_authentication == 1)
|
||||
auth_mask |= 1 << SSH_AUTH_TIS;
|
||||
|
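Review bot: The IPv4-only gate on `options.kerberos_authentication` is now compiled under `#ifdef KRB5` in place of the old `#if defined(KRB4) && !defined(KRB5)`, so a server built with only Kerberos v5 will now silently disable Kerberos authentication for every non-IPv4 connection, which the old build did not do. That restriction appears to come from the v4 protocol's address handling rather than from v5, so the likely intent of removing KRB4 is to drop this block as well rather than re-home it; if it is deliberately kept for v5, the debug message should say why v5 is limited and the bare `#endif` should be labelled `#endif /* KRB5 */` like the guard it replaced. The enclosing function main() starts and ends outside the hunk.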
4
crypto/dist/ssh/sshd_config
vendored
4
crypto/dist/ssh/sshd_config
vendored
@ -1,4 +1,4 @@
|
||||
# $NetBSD: sshd_config,v 1.16 2002/10/01 14:07:47 itojun Exp $
|
||||
# $NetBSD: sshd_config,v 1.17 2003/07/23 03:52:23 itojun Exp $
|
||||
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
@ -64,8 +64,6 @@
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
#AFSTokenPassing no
|
||||
|
||||
# Kerberos TGT Passing only works with the AFS kaserver
|
||||
#KerberosTgtPassing no
|
||||
|
||||
|
9
crypto/dist/ssh/sshd_config.5
vendored
9
crypto/dist/ssh/sshd_config.5
vendored
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: sshd_config.5,v 1.5 2003/06/27 22:37:13 wiz Exp $
|
||||
.\" $NetBSD: sshd_config.5,v 1.6 2003/07/23 03:52:23 itojun Exp $
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -62,10 +62,6 @@ The possible
|
||||
keywords and their meanings are as follows (note that
|
||||
keywords are case-insensitive and arguments are case-sensitive):
|
||||
.Bl -tag -width Ds
|
||||
.It Cm AFSTokenPassing
|
||||
Specifies whether an AFS token may be forwarded to the server.
|
||||
Default is
|
||||
.Dq no .
|
||||
.It Cm AllowGroups
|
||||
This keyword can be followed by a list of group name patterns, separated
|
||||
by spaces.
|
||||
@ -329,8 +325,7 @@ Default is
|
||||
.It Cm KerberosTgtPassing
|
||||
Specifies whether a Kerberos TGT may be forwarded to the server.
|
||||
Default is
|
||||
.Dq no ,
|
||||
as this only works when the Kerberos KDC is actually an AFS kaserver.
|
||||
.Dq no .
|
||||
.It Cm KerberosTicketCleanup
|
||||
Specifies whether to automatically destroy the user's ticket cache
|
||||
file on logout.
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $NetBSD: Makefile,v 1.16 2003/04/03 06:21:38 itojun Exp $
|
||||
# $NetBSD: Makefile,v 1.17 2003/07/23 03:52:25 itojun Exp $
|
||||
|
||||
NOLINT= # defined
|
||||
NOMAN= # defined
|
||||
@ -25,9 +25,8 @@ SRCS+= readpassphrase.c getpeereid.c
|
||||
libinstall::
|
||||
|
||||
.if (${USE_KERBEROS} != "no")
|
||||
CPPFLAGS+= -DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||
CPPFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
|
||||
SRCS+= radix.c
|
||||
CPPFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/krb5
|
||||
#SRCS+= radix.c
|
||||
.endif
|
||||
|
||||
.include <bsd.lib.mk>
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $NetBSD: Makefile,v 1.13 2002/08/02 04:05:13 simonb Exp $
|
||||
# $NetBSD: Makefile,v 1.14 2003/07/23 03:52:25 itojun Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
@ -12,13 +12,9 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
|
||||
sshconnect.c sshconnect1.c sshconnect2.c
|
||||
|
||||
.if (${USE_KERBEROS} != "no")
|
||||
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||
LDADD+= -lkrb5 -lkafs -lasn1
|
||||
DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
|
||||
|
||||
CPPFLAGS+=-DKRB4 -I${DESTDIR}/usr/include/kerberosIV
|
||||
LDADD+= -lkrb -lcom_err -lroken
|
||||
DPADD+= ${LIBKRB} ${LIBCOM_ERR} ${LIBROKEN}
|
||||
CPPFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/krb5
|
||||
LDADD+= -lkrb5 -lkafs -lasn1 -lcom_err -lroken
|
||||
DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}
|
||||
.endif
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $NetBSD: Makefile,v 1.16 2003/07/21 03:37:43 itojun Exp $
|
||||
# $NetBSD: Makefile,v 1.17 2003/07/23 03:52:27 itojun Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
@ -19,13 +19,8 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
|
||||
.if (${USE_KERBEROS} != "no")
|
||||
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||
SRCS+= auth-krb5.c auth2-krb5.c
|
||||
LDADD+= -lkrb5 -lkafs -lasn1
|
||||
DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
|
||||
|
||||
CPPFLAGS+=-DKRB4 -I${DESTDIR}/usr/include/kerberosIV
|
||||
SRCS+= auth-krb4.c
|
||||
LDADD+= -lkrb -lcom_err -lroken
|
||||
DPADD+= ${LIBKRB} ${LIBCOM_ERR} ${LIBROKEN}
|
||||
LDADD+= -lkrb5 -lasn1 -lcom_err -lroken
|
||||
DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}
|
||||
.endif
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|