bring back krb4 support, just to suppress unwanted noise from other developers.

note that the official openssh distribution has already dropped kerberosIV support,
therefore the maintenance cost needs to be paid by us, and they have no intent to help.
itojun 2003-07-24 15:31:52 +00:00
parent bf6a317418
commit 88ec7d3792
27 changed files with 1267 additions and 107 deletions

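--- a/crypto/dist/ssh/auth-krb4.c
+++ b/crypto/dist/ssh/auth-krb4.c
@@ -0,0 +1,370 @@
+/* $NetBSD: auth-krb4.c,v 1.13 2003/07/24 15:31:52 itojun Exp $ */
+/*
+* Copyright (c) 1999 Dug Song. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "includes.h"
+RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $");
+__RCSID("$NetBSD: auth-krb4.c,v 1.13 2003/07/24 15:31:52 itojun Exp $");
+#include "ssh.h"
+#include "ssh1.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+#include "uidswap.h"
+#include "auth.h"
+#ifdef AFS
+#include "radix.h"
+#endif
+#ifdef KRB4
+extern ServerOptions options;
+static int
+krb4_init(void *context)
+{
+static int cleanup_registered = 0;
+Authctxt *authctxt = (Authctxt *)context;
+const char *tkt_root = TKT_ROOT;
+struct stat st;
+int fd;
+if (!authctxt->krb4_ticket_file) {
+/* Set unique ticket string manually since we're still root. */
+authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
+#ifdef AFS
+if (lstat("/ticket", &st) != -1)
+tkt_root = "/ticket/";
+#endif /* AFS */
+snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
+tkt_root, authctxt->pw->pw_uid, (long)getpid());
+krb_set_tkt_string(authctxt->krb4_ticket_file);
+}
+/* Register ticket cleanup in case of fatal error. */
+if (!cleanup_registered) {
+fatal_add_cleanup(krb4_cleanup_proc, authctxt);
+cleanup_registered = 1;
+}
+/* Try to create our ticket file. */
+if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
+close(fd);
+return (1);
+}
+/* Ticket file exists - make sure user owns it (just passed ticket). */
+if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
+if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
+st.st_uid == authctxt->pw->pw_uid)
+return (1);
+}
+/* Failure - cancel cleanup function, leaving ticket for inspection. */
+logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
+fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
+cleanup_registered = 0;
+xfree(authctxt->krb4_ticket_file);
+authctxt->krb4_ticket_file = NULL;
+return (0);
+}
+/*
+* try krb4 authentication,
+* return 1 on success, 0 on failure, -1 if krb4 is not available
+*/
+int
+auth_krb4_password(Authctxt *authctxt, const char *password)
+{
+AUTH_DAT adata;
+KTEXT_ST tkt;
+struct hostent *hp;
+struct passwd *pw;
+char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
+u_int32_t faddr;
+int r;
+if ((pw = authctxt->pw) == NULL)
+return (0);
+/*
+* Try Kerberos password authentication only for non-root
+* users and only if Kerberos is installed.
+*/
+if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+/* Set up our ticket file. */
+if (!krb4_init(authctxt)) {
+logit("Couldn't initialize Kerberos ticket file for %s!",
+pw->pw_name);
+goto failure;
+}
+/* Try to get TGT using our password. */
+r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
+"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
+if (r != INTK_OK) {
+debug("Kerberos v4 password authentication for %s "
+"failed: %s", pw->pw_name, krb_err_txt[r]);
+goto failure;
+}
+/* Successful authentication. */
+chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+/*
+* Now that we have a TGT, try to get a local
+* "rcmd" ticket to ensure that we are not talking
+* to a bogus Kerberos server.
+*/
+gethostname(localhost, sizeof(localhost));
+strlcpy(phost, (char *)krb_get_phost(localhost),
+sizeof(phost));
+r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+if (r == KSUCCESS) {
+if ((hp = gethostbyname(localhost)) == NULL) {
+logit("Couldn't get local host address!");
+goto failure;
+}
+memmove((void *)&faddr, (void *)hp->h_addr,
+sizeof(faddr));
+/* Verify our "rcmd" ticket. */
+r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
+faddr, &adata, "");
+if (r == RD_AP_UNDEC) {
+/*
+* Probably didn't have a srvtab on
+* localhost. Disallow login.
+*/
+logit("Kerberos v4 TGT for %s unverifiable, "
+"no srvtab installed? krb_rd_req: %s",
+pw->pw_name, krb_err_txt[r]);
+goto failure;
+} else if (r != KSUCCESS) {
+logit("Kerberos v4 %s ticket unverifiable: %s",
+KRB4_SERVICE_NAME, krb_err_txt[r]);
+goto failure;
+}
+} else if (r == KDC_PR_UNKNOWN) {
+/*
+* Disallow login if no rcmd service exists, and
+* log the error.
+*/
+logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
+"not registered, or srvtab is wrong?", pw->pw_name,
+krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+goto failure;
+} else {
+/*
+* TGT is bad, forget it. Possibly spoofed!
+*/
+debug("WARNING: Kerberos v4 TGT possibly spoofed "
+"for %s: %s", pw->pw_name, krb_err_txt[r]);
+goto failure;
+}
+/* Authentication succeeded. */
+return (1);
+} else
+/* Logging in as root or no local Kerberos realm. */
+debug("Unable to authenticate to Kerberos.");
+failure:
+krb4_cleanup_proc(authctxt);
+if (!options.kerberos_or_local_passwd)
+return (0);
+/* Fall back to ordinary passwd authentication. */
+return (-1);
+}
+void
+krb4_cleanup_proc(void *context)
+{
+Authctxt *authctxt = (Authctxt *)context;
+debug("krb4_cleanup_proc called");
+if (authctxt->krb4_ticket_file) {
+(void) dest_tkt();
+xfree(authctxt->krb4_ticket_file);
+authctxt->krb4_ticket_file = NULL;
+}
+}
+int
+auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
+{
+AUTH_DAT adat = {0};
+Key_schedule schedule;
+struct sockaddr_in local, foreign;
+char instance[INST_SZ];
+socklen_t slen;
+u_int cksum;
+int r, s;
+s = packet_get_connection_in();
+slen = sizeof(local);
+memset(&local, 0, sizeof(local));
+if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
+debug("getsockname failed: %.100s", strerror(errno));
+slen = sizeof(foreign);
+memset(&foreign, 0, sizeof(foreign));
+if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
+debug("getpeername failed: %.100s", strerror(errno));
+fatal_cleanup();
+}
+instance[0] = '*';
+instance[1] = 0;
+/* Get the encrypted request, challenge, and session key. */
+if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
+0, &adat, ""))) {
+debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
+return (0);
+}
+des_key_sched((des_cblock *) adat.session, schedule);
+*client = xmalloc(MAX_K_NAME_SZ);
+(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
+*adat.pinst ? "." : "", adat.pinst, adat.prealm);
+/* Check ~/.klogin authorization now. */
+if (kuserok(&adat, authctxt->user) != KSUCCESS) {
+logit("Kerberos v4 .klogin authorization failed for %s to "
+"account %s", *client, authctxt->user);
+xfree(*client);
+*client = NULL;
+return (0);
+}
+/* Increment the checksum, and return it encrypted with the
+session key. */
+cksum = adat.checksum + 1;
+cksum = htonl(cksum);
+/* If we can't successfully encrypt the checksum, we send back an
+empty message, admitting our failure. */
+if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
+schedule, &adat.session, &local, &foreign)) < 0) {
+debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
+reply->dat[0] = 0;
+reply->length = 0;
+} else
+reply->length = r;
+/* Clear session key. */
+memset(&adat.session, 0, sizeof(adat.session));
+return (1);
+}
+#endif /* KRB4 */
+#ifdef AFS
+int
+auth_krb4_tgt(Authctxt *authctxt, const char *string)
+{
+CREDENTIALS creds;
+struct passwd *pw;
+if ((pw = authctxt->pw) == NULL)
+goto failure;
+temporarily_use_uid(pw);
+if (!radix_to_creds(string, &creds)) {
+logit("Protocol error decoding Kerberos v4 TGT");
+goto failure;
+}
+if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
+strlcpy(creds.service, "krbtgt", sizeof creds.service);
+if (strcmp(creds.service, "krbtgt")) {
+logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
+creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
+creds.realm, pw->pw_name);
+goto failure;
+}
+if (!krb4_init(authctxt))
+goto failure;
+if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
+goto failure;
+if (save_credentials(creds.service, creds.instance, creds.realm,
+creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
+creds.issue_date) != KSUCCESS) {
+debug("Kerberos v4 TGT refused: couldn't save credentials");
+goto failure;
+}
+/* Successful authentication, passed all checks. */
+chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
+creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
+memset(&creds, 0, sizeof(creds));
+restore_uid();
+return (1);
+failure:
+krb4_cleanup_proc(authctxt);
+memset(&creds, 0, sizeof(creds));
+restore_uid();
+return (0);
+}
+int
+auth_afs_token(Authctxt *authctxt, const char *token_string)
+{
+CREDENTIALS creds;
+struct passwd *pw;
+uid_t uid;
+if ((pw = authctxt->pw) == NULL)
+return (0);
+if (!radix_to_creds(token_string, &creds)) {
+logit("Protocol error decoding AFS token");
+return (0);
+}
+if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
+strlcpy(creds.service, "afs", sizeof creds.service);
+if (strncmp(creds.pname, "AFS ID ", 7) == 0)
+uid = atoi(creds.pname + 7);
+else
+uid = pw->pw_uid;
+if (kafs_settoken(creds.realm, uid, &creds)) {
+logit("AFS token (%s@%s) rejected for %s",
+creds.pname, creds.realm, pw->pw_name);
+memset(&creds, 0, sizeof(creds));
+return (0);
+}
+debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
+memset(&creds, 0, sizeof(creds));
+return (1);
+}
+#endif /* AFS */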
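Review bot: In auth_krb4, `krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1, ...)` reads five bytes out of the four-byte automatic `cksum`, so one byte of whatever sits next to it on the stack is encrypted and returned to the client; unless the peer protocol genuinely needs that fifth byte the length should be `sizeof(cksum)`, and if it does, copy the checksum into a `u_char buf[sizeof(cksum) + 1]` whose last byte is set explicitly. The `kuserok` failure path returns without the `memset(&adat.session, 0, sizeof(adat.session))` the success path performs, and `schedule`, which `des_key_sched` derives from that session key, is never cleared on any path; a plain memset of key material just before return can also be elided by the compiler, so a wipe the optimizer must keep (e.g. `explicit_bzero` where available) would be the safer choice. In krb4_init, `mkstemp` is handed a path with no trailing `XXXXXX`, which relies on the BSD libc behaviour of attempting one exclusive create of the literal name; on libcs that reject such a template with EINVAL the function silently falls through to the `lstat` ownership check, which is not atomic with the later use of the file.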


@ -1,4 +1,4 @@
/* $NetBSD: auth-passwd.c,v 1.9 2003/07/23 03:52:17 itojun Exp $ */ /* $NetBSD: auth-passwd.c,v 1.10 2003/07/24 15:31:52 itojun Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -37,8 +37,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
__RCSID("$NetBSD: auth-passwd.c,v 1.9 2003/07/23 03:52:17 itojun Exp $"); __RCSID("$NetBSD: auth-passwd.c,v 1.10 2003/07/24 15:31:52 itojun Exp $");
#include "packet.h" #include "packet.h"
#include "log.h" #include "log.h"
@ -72,6 +72,14 @@ auth_password(Authctxt *authctxt, const char *password)
/* Fall back to ordinary passwd authentication. */ /* Fall back to ordinary passwd authentication. */
} }
#endif #endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
int ret = auth_krb4_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret;
/* Fall back to ordinary passwd authentication. */
}
#endif
#ifdef BSD_AUTH #ifdef BSD_AUTH
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password) == 0) (char *)password) == 0)
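Review bot: The new KRB4 block runs for every auth_password call, including the empty-password probe that do_authloop issues when `kerberos_or_local_passwd` is set (the `PRIVSEP(auth_password(authctxt, ""))` call in auth1.c in this same commit), so with `kerberos_authentication` on, auth_krb4_password will call `krb_get_pw_in_tkt` with an empty password on each such connection; if the v4 library does not reject that locally, that is a KDC round trip and a logged failure per login. Guarding the call with `if (options.kerberos_authentication == 1 && password[0] != '\0') {`, or making that the first check inside auth_krb4_password, avoids the probe. The enclosing auth_password starts and ends outside this hunk.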


@ -1,5 +1,5 @@
/* $NetBSD: auth.h,v 1.15 2003/07/23 03:52:17 itojun Exp $ */ /* $NetBSD: auth.h,v 1.16 2003/07/24 15:31:52 itojun Exp $ */
/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */ /* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -61,6 +61,9 @@ struct Authctxt {
#ifdef BSD_AUTH #ifdef BSD_AUTH
auth_session_t *as; auth_session_t *as;
#endif #endif
#ifdef KRB4
char *krb4_ticket_file;
#endif
#ifdef KRB5 #ifdef KRB5
krb5_context krb5_ctx; krb5_context krb5_ctx;
krb5_auth_context krb5_auth_ctx; krb5_auth_context krb5_auth_ctx;
@ -109,6 +112,20 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *); int user_key_allowed(struct passwd *, Key *);
#ifdef KRB4
#include <krb.h>
int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
int auth_krb4_password(Authctxt *, const char *);
void krb4_cleanup_proc(void *);
#ifdef AFS
#include <kafs.h>
int auth_krb4_tgt(Authctxt *, const char *);
int auth_afs_token(Authctxt *, const char *);
#endif /* AFS */
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
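Review bot: The new `krb4_ticket_file` member of struct Authctxt carries an ownership rule that nothing in the header states: auth-krb4.c allocates it with `xmalloc(MAXPATHLEN)` in krb4_init and releases it in krb4_cleanup_proc, so a comment on the field such as `/* per-session v4 ticket file path; set by krb4_init(), freed by krb4_cleanup_proc() */` would keep another caller from freeing or reassigning it. Separately, `#include <krb.h>` inside auth.h now exposes the Kerberos IV namespace (KTEXT, KSUCCESS and the rest) to every file that includes auth.h, while monitor_wrap.h in this commit goes out of its way to pass the same objects as `void *` to avoid that; if the include stays, a one-line comment saying that auth.h deliberately pulls in <krb.h> under KRB4 would at least make the trade-off visible.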


@ -1,4 +1,4 @@
/* $NetBSD: auth1.c,v 1.24 2003/07/23 03:52:17 itojun Exp $ */ /* $NetBSD: auth1.c,v 1.25 2003/07/24 15:31:53 itojun Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -11,8 +11,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
__RCSID("$NetBSD: auth1.c,v 1.24 2003/07/23 03:52:17 itojun Exp $"); __RCSID("$NetBSD: auth1.c,v 1.25 2003/07/24 15:31:53 itojun Exp $");
#include "xmalloc.h" #include "xmalloc.h"
#include "rsa.h" #include "rsa.h"
@ -51,7 +51,7 @@ get_authname(int type)
case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE: case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response"; return "challenge-response";
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
case SSH_CMSG_AUTH_KERBEROS: case SSH_CMSG_AUTH_KERBEROS:
return "kerberos"; return "kerberos";
#endif #endif
@ -83,7 +83,7 @@ do_authloop(Authctxt *authctxt)
/* If the user has no password, accept authentication immediately. */ /* If the user has no password, accept authentication immediately. */
if (options.password_authentication && if (options.password_authentication &&
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) && (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif #endif
PRIVSEP(auth_password(authctxt, ""))) { PRIVSEP(auth_password(authctxt, ""))) {
@ -108,7 +108,7 @@ do_authloop(Authctxt *authctxt)
/* Process the packet. */ /* Process the packet. */
switch (type) { switch (type) {
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
case SSH_CMSG_AUTH_KERBEROS: case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) { if (!options.kerberos_authentication) {
verbose("Kerberos authentication disabled."); verbose("Kerberos authentication disabled.");
@ -116,7 +116,32 @@ do_authloop(Authctxt *authctxt)
char *kdata = packet_get_string(&dlen); char *kdata = packet_get_string(&dlen);
packet_check_eom(); packet_check_eom();
if (kdata[0] != 4) { /* KRB_PROT_VERSION */ if (kdata[0] == 4) { /* KRB_PROT_VERSION */
#ifdef KRB4
KTEXT_ST tkt, reply;
tkt.length = dlen;
if (tkt.length < MAX_KTXT_LEN)
memcpy(tkt.dat, kdata, tkt.length);
if (PRIVSEP(auth_krb4(authctxt, &tkt,
&client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
packet_start(
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *)
reply.dat, reply.length);
packet_send();
packet_write_wait();
xfree(client_user);
}
#endif /* KRB4 */
} else {
#ifdef KRB5
krb5_data tkt, reply; krb5_data tkt, reply;
tkt.length = dlen; tkt.length = dlen;
tkt.data = kdata; tkt.data = kdata;
@ -140,14 +165,24 @@ do_authloop(Authctxt *authctxt)
xfree(reply.data); xfree(reply.data);
xfree(client_user); xfree(client_user);
} }
#endif /* KRB5 */
} }
xfree(kdata); xfree(kdata);
} }
break; break;
#endif /* KRB4 || KRB5 */
#if defined(AFS) || defined(KRB5)
/* XXX - punt on backward compatibility here. */
case SSH_CMSG_HAVE_KERBEROS_TGT: case SSH_CMSG_HAVE_KERBEROS_TGT:
packet_send_debug("Kerberos TGT passing disabled before authentication."); packet_send_debug("Kerberos TGT passing disabled before authentication.");
break; break;
#endif #ifdef AFS
case SSH_CMSG_HAVE_AFS_TOKEN:
packet_send_debug("AFS token passing disabled before authentication.");
break;
#endif /* AFS */
#endif /* AFS || KRB5 */
case SSH_CMSG_AUTH_RHOSTS: case SSH_CMSG_AUTH_RHOSTS:
if (!options.rhosts_authentication) { if (!options.rhosts_authentication) {
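Review bot: In the KRB4 branch, `tkt.length = dlen;` followed by `if (tkt.length < MAX_KTXT_LEN) memcpy(tkt.dat, kdata, tkt.length);` leaves an oversized client ticket with `length` set but `dat` uninitialized, and `PRIVSEP(auth_krb4(authctxt, &tkt, &client_user, &reply))` is then called regardless; under privsep, mm_auth_krb4 in monitor_wrap.c (same commit) does `buffer_put_string(&m, auth->dat, auth->length)` with no bound of its own, so the child reads past `dat` before the monitor's `alen >= MAX_KTXT_LEN` check can fire, and without privsep the unchecked length presumably reaches krb_rd_req directly. Move the auth_krb4 call and its success block inside the `if (tkt.length < MAX_KTXT_LEN)` block and add `else verbose("Kerberos v4 ticket too large.");` so an oversized ticket is rejected before anything consumes it; mm_auth_krb4 could carry the same bound as a second line of defence. The enclosing do_authloop starts and ends outside this hunk.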


@ -1,4 +1,4 @@
/* $NetBSD: monitor.c,v 1.14 2003/07/23 03:52:17 itojun Exp $ */ /* $NetBSD: monitor.c,v 1.15 2003/07/24 15:31:53 itojun Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -26,8 +26,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");
__RCSID("$NetBSD: monitor.c,v 1.14 2003/07/23 03:52:17 itojun Exp $"); __RCSID("$NetBSD: monitor.c,v 1.15 2003/07/24 15:31:53 itojun Exp $");
#include <openssl/dh.h> #include <openssl/dh.h>
@ -118,6 +118,9 @@ int mm_answer_rsa_response(int, Buffer *);
int mm_answer_sesskey(int, Buffer *); int mm_answer_sesskey(int, Buffer *);
int mm_answer_sessid(int, Buffer *); int mm_answer_sessid(int, Buffer *);
#ifdef KRB4
int mm_answer_krb4(int, Buffer *);
#endif
#ifdef KRB5 #ifdef KRB5
int mm_answer_krb5(int, Buffer *); int mm_answer_krb5(int, Buffer *);
#endif #endif
@ -198,6 +201,9 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
#endif #endif
#ifdef KRB4
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
#endif
#ifdef KRB5 #ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif #endif
@ -1264,6 +1270,52 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success); return (success);
} }
#ifdef KRB4
int
mm_answer_krb4(int socket, Buffer *m)
{
KTEXT_ST auth, reply;
char *client, *p;
int success;
u_int alen;
reply.length = auth.length = 0;
p = buffer_get_string(m, &alen);
if (alen >= MAX_KTXT_LEN)
fatal("%s: auth too large", __func__);
memcpy(auth.dat, p, alen);
auth.length = alen;
memset(p, 0, alen);
xfree(p);
success = options.kerberos_authentication &&
authctxt->valid &&
auth_krb4(authctxt, &auth, &client, &reply);
memset(auth.dat, 0, alen);
buffer_clear(m);
buffer_put_int(m, success);
if (success) {
buffer_put_cstring(m, client);
buffer_put_string(m, reply.dat, reply.length);
if (client)
xfree(client);
if (reply.length)
memset(reply.dat, 0, reply.length);
}
debug3("%s: sending result %d", __func__, success);
mm_request_send(socket, MONITOR_ANS_KRB4, m);
auth_method = "kerberos";
/* Causes monitor loop to terminate if authenticated */
return (success);
}
#endif
#ifdef KRB5 #ifdef KRB5
int int
mm_answer_krb5(int socket, Buffer *m) mm_answer_krb5(int socket, Buffer *m)


@ -1,5 +1,5 @@
/* $NetBSD: monitor.h,v 1.4 2003/07/23 03:52:17 itojun Exp $ */ /* $NetBSD: monitor.h,v 1.5 2003/07/24 15:31:53 itojun Exp $ */
/* $OpenBSD: monitor.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */ /* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -50,6 +50,7 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_TERM MONITOR_REQ_TERM
}; };


@ -1,4 +1,4 @@
/* $NetBSD: monitor_wrap.c,v 1.11 2003/07/23 03:52:17 itojun Exp $ */ /* $NetBSD: monitor_wrap.c,v 1.12 2003/07/24 15:31:53 itojun Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org> * Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -26,8 +26,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: monitor_wrap.c,v 1.26 2003/04/07 08:29:57 markus Exp $");
__RCSID("$NetBSD: monitor_wrap.c,v 1.11 2003/07/23 03:52:17 itojun Exp $"); __RCSID("$NetBSD: monitor_wrap.c,v 1.12 2003/07/24 15:31:53 itojun Exp $");
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/dh.h> #include <openssl/dh.h>
@ -940,6 +940,42 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success); return (success);
} }
#ifdef KRB4
int
mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
{
KTEXT auth, reply;
Buffer m;
u_int rlen;
int success = 0;
char *p;
debug3("%s entering", __func__);
auth = _auth;
reply = _reply;
buffer_init(&m);
buffer_put_string(&m, auth->dat, auth->length);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
success = buffer_get_int(&m);
if (success) {
*client = buffer_get_string(&m, NULL);
p = buffer_get_string(&m, &rlen);
if (rlen >= MAX_KTXT_LEN)
fatal("%s: reply from monitor too large", __func__);
reply->length = rlen;
memcpy(reply->dat, p, rlen);
memset(p, 0, rlen);
xfree(p);
}
buffer_free(&m);
return (success);
}
#endif
#ifdef KRB5 #ifdef KRB5
int int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)


@ -1,5 +1,5 @@
/* $NetBSD: monitor_wrap.h,v 1.4 2003/07/23 03:52:18 itojun Exp $ */ /* $NetBSD: monitor_wrap.h,v 1.5 2003/07/24 15:31:53 itojun Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */ /* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/* /*
* Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -81,6 +81,9 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **); int mm_skey_respond(void *, u_int, char **);
/* auth_krb */ /* auth_krb */
#ifdef KRB4
int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
#endif
#ifdef KRB5 #ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to /* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */ * include all of the krb5 headers here */
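Review bot: The KRB4 prototype `int mm_auth_krb4(struct Authctxt *, void *, char **, void *);` passes the ticket and reply as `void *` but, unlike the KRB5 block directly below it, says nothing about what they really are; the implementation in monitor_wrap.c assigns them straight to `KTEXT`, so add the matching comment `/* auth and reply are really KTEXT objects; void * keeps <krb.h> out of this header */` so callers know to pass a KTEXT_ST address and not an arbitrary buffer. Note that auth.h in this commit does include <krb.h>, so the indirection only helps files that include monitor_wrap.h without auth.h.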

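--- a/crypto/dist/ssh/radix.c
+++ b/crypto/dist/ssh/radix.c
@@ -0,0 +1,160 @@
+/* $NetBSD: radix.c,v 1.13 2003/07/24 15:31:53 itojun Exp $ */
+/*
+* Copyright (c) 1999 Dug Song. All rights reserved.
+* Copyright (c) 2002 Markus Friedl. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "includes.h"
+#include "uuencode.h"
+RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
+__RCSID("$NetBSD: radix.c,v 1.13 2003/07/24 15:31:53 itojun Exp $");
+#ifdef AFS
+#include <krb.h>
+#include <radix.h>
+#include "bufaux.h"
+int
+creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
+{
+Buffer b;
+int ret;
+buffer_init(&b);
+buffer_put_char(&b, 1); /* version */
+buffer_append(&b, creds->service, strlen(creds->service));
+buffer_put_char(&b, '\0');
+buffer_append(&b, creds->instance, strlen(creds->instance));
+buffer_put_char(&b, '\0');
+buffer_append(&b, creds->realm, strlen(creds->realm));
+buffer_put_char(&b, '\0');
+buffer_append(&b, creds->pname, strlen(creds->pname));
+buffer_put_char(&b, '\0');
+buffer_append(&b, creds->pinst, strlen(creds->pinst));
+buffer_put_char(&b, '\0');
+/* Null string to repeat the realm. */
+buffer_put_char(&b, '\0');
+buffer_put_int(&b, creds->issue_date);
+buffer_put_int(&b, krb_life_to_time(creds->issue_date,
+creds->lifetime));
+buffer_append(&b, creds->session, sizeof(creds->session));
+buffer_put_short(&b, creds->kvno);
+/* 32 bit size + data */
+buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
+ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
+buffer_free(&b);
+return ret;
+}
+#define GETSTRING(b, t, tlen) \
+do { \
+int i, found = 0; \
+for (i = 0; i < tlen; i++) { \
+if (buffer_len(b) == 0) \
+goto done; \
+t[i] = buffer_get_char(b); \
+if (t[i] == '\0') { \
+found = 1; \
+break; \
+} \
+} \
+if (!found) \
+goto done; \
+} while(0)
+int
+radix_to_creds(const char *buf, CREDENTIALS *creds)
+{
+Buffer b;
+u_char *space;
+char c, version, *p;
+u_int endTime, len;
+int blen, ret;
+ret = 0;
+blen = strlen(buf);
+/* sanity check for size */
+if (blen > 8192)
+return 0;
+buffer_init(&b);
+space = buffer_append_space(&b, blen);
+/* check version and length! */
+len = uudecode(buf, space, blen);
+if (len < 1)
+goto done;
+version = buffer_get_char(&b);
+GETSTRING(&b, creds->service, sizeof creds->service);
+GETSTRING(&b, creds->instance, sizeof creds->instance);
+GETSTRING(&b, creds->realm, sizeof creds->realm);
+GETSTRING(&b, creds->pname, sizeof creds->pname);
+GETSTRING(&b, creds->pinst, sizeof creds->pinst);
+if (buffer_len(&b) == 0)
+goto done;
+/* Ignore possibly different realm. */
+while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
+;
+if (buffer_len(&b) == 0)
+goto done;
+creds->issue_date = buffer_get_int(&b);
+endTime = buffer_get_int(&b);
+creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
+len = buffer_len(&b);
+if (len < sizeof(creds->session))
+goto done;
+memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
+buffer_consume(&b, sizeof(creds->session));
+creds->kvno = buffer_get_short(&b);
+p = buffer_get_string(&b, &len);
+if (len < 0 || len > sizeof(creds->ticket_st.dat))
+goto done;
+memcpy(&creds->ticket_st.dat, p, len);
+creds->ticket_st.length = len;
+ret = 1;
+done:
+buffer_free(&b);
+return ret;
+}
+#endif /* AFS */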
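Review bot: In radix_to_creds the decode result lands in the unsigned `len`, so `if (len < 1) goto done;` cannot catch a negative return from uudecode (which, as far as I recall, reports failure as -1), and even on success the Buffer keeps all `blen` bytes obtained from `buffer_append_space` rather than the `len` bytes actually decoded, so every later `buffer_len(&b)` bound includes undecoded, uninitialized memory. Capture the result in a signed local, `int dlen = uudecode(buf, space, blen);`, test `if (dlen < 1) goto done;`, and trim with `buffer_consume_end(&b, blen - dlen);` so the remaining parse only sees real data. The `len < 0` half of `if (len < 0 || len > sizeof(creds->ticket_st.dat))` is likewise dead on a u_int, and `version` is read but never checked despite the "check version and length!" comment above it; `p` from `buffer_get_string` is also never freed on either path.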

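--- a/crypto/dist/ssh/radix.h
+++ b/crypto/dist/ssh/radix.h
@@ -0,0 +1,29 @@
+/* $NetBSD: radix.h,v 1.5 2003/07/24 15:31:53 itojun Exp $ */
+/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
+/*
+* Copyright (c) 1999 Dug Song. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+int creds_to_radix(CREDENTIALS *, u_char *, size_t);
+int radix_to_creds(const char *, CREDENTIALS *);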
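Review bot: radix.h declares creds_to_radix and radix_to_creds in terms of CREDENTIALS but neither includes <krb.h> nor has an include guard, so it only compiles when the includer has already pulled in <krb.h> in the right order (radix.c does `#include <krb.h>` then `#include <radix.h>`; auth-krb4.c reaches it via auth.h's own <krb.h> before `#include "radix.h"`). Either an `#include <krb.h>` at the top of radix.h or the comment `/* requires <krb.h> (CREDENTIALS) to be included first */` would make that dependency explicit, along with an include guard. The angle-bracket `#include <radix.h>` in radix.c should also become the quoted `"radix.h"` used in auth-krb4.c, so the project header is found ahead of any system header of the same name.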


@ -1,4 +1,4 @@
/* $NetBSD: readconf.c,v 1.19 2003/07/23 03:52:19 itojun Exp $ */ /* $NetBSD: readconf.c,v 1.20 2003/07/24 15:31:53 itojun Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -13,8 +13,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: readconf.c,v 1.105 2003/04/02 09:48:07 markus Exp $");
__RCSID("$NetBSD: readconf.c,v 1.19 2003/07/23 03:52:19 itojun Exp $"); __RCSID("$NetBSD: readconf.c,v 1.20 2003/07/24 15:31:53 itojun Exp $");
#include "ssh.h" #include "ssh.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -96,8 +96,14 @@ typedef enum {
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation, oChallengeResponseAuthentication, oXAuthLocation,
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
oKerberosAuthentication, oKerberosTgtPassing, oKerberosAuthentication,
#endif
#if defined(AFS) || defined(KRB5)
oKerberosTgtPassing,
#endif
#ifdef AFS
oAFSTokenPassing,
#endif #endif
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
@ -111,7 +117,7 @@ typedef enum {
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oEnableSSHKeysign, oRekeyLimit,
oDeprecated, oUnsupported oDeprecated
} OpCodes; } OpCodes;
/* Textual representations of the tokens. */ /* Textual representations of the tokens. */
@ -137,17 +143,17 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication }, { "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
{ "kerberosauthentication", oKerberosAuthentication }, { "kerberosauthentication", oKerberosAuthentication },
#endif
#if defined(AFS) || defined(KRB5)
{ "kerberostgtpassing", oKerberosTgtPassing }, { "kerberostgtpassing", oKerberosTgtPassing },
{ "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */ { "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */
#else { "kerberos4tgtpassing", oKerberosTgtPassing }, /* alias */
{ "kerberosauthentication", oUnsupported }, #endif
{ "kerberostgtpassing", oUnsupported }, #ifdef AFS
{ "kerberos5tgtpassing", oUnsupported }, /* alias */ { "afstokenpassing", oAFSTokenPassing },
#endif #endif
{ "kerberos4tgtpassing", oUnsupported }, /* alias */
{ "afstokenpassing", oUnsupported },
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
{ "identityfile", oIdentityFile }, { "identityfile", oIdentityFile },
@ -358,13 +364,20 @@ parse_flag:
case oChallengeResponseAuthentication: case oChallengeResponseAuthentication:
intptr = &options->challenge_response_authentication; intptr = &options->challenge_response_authentication;
goto parse_flag; goto parse_flag;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
case oKerberosAuthentication: case oKerberosAuthentication:
intptr = &options->kerberos_authentication; intptr = &options->kerberos_authentication;
goto parse_flag; goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
case oKerberosTgtPassing: case oKerberosTgtPassing:
intptr = &options->kerberos_tgt_passing; intptr = &options->kerberos_tgt_passing;
goto parse_flag; goto parse_flag;
#endif
#ifdef AFS
case oAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
#endif #endif
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
@ -763,9 +776,14 @@ initialize_options(Options * options)
options->rsa_authentication = -1; options->rsa_authentication = -1;
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
options->kerberos_authentication = -1; options->kerberos_authentication = -1;
#endif
#if defined(AFS) || defined(KRB5)
options->kerberos_tgt_passing = -1; options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
options->afs_token_passing = -1;
#endif #endif
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
@ -836,11 +854,17 @@ fill_default_options(Options * options)
options->pubkey_authentication = 1; options->pubkey_authentication = 1;
if (options->challenge_response_authentication == -1) if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
if (options->kerberos_authentication == -1) if (options->kerberos_authentication == -1)
options->kerberos_authentication = 1; options->kerberos_authentication = 1;
#endif
#if defined(AFS) || defined(KRB5)
if (options->kerberos_tgt_passing == -1) if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 1; options->kerberos_tgt_passing = 1;
#endif
#ifdef AFS
if (options->afs_token_passing == -1)
options->afs_token_passing = 1;
#endif #endif
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;


@ -1,5 +1,5 @@
/* $NetBSD: readconf.h,v 1.12 2003/07/23 03:52:20 itojun Exp $ */ /* $NetBSD: readconf.h,v 1.13 2003/07/24 15:31:54 itojun Exp $ */
/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */ /* $OpenBSD: readconf.h,v 1.47 2003/04/02 09:48:07 markus Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -42,9 +42,14 @@ typedef struct {
int hostbased_authentication; /* ssh2's rhosts_rsa */ int hostbased_authentication; /* ssh2's rhosts_rsa */
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
int kerberos_authentication; /* Try Kerberos authentication. */ int kerberos_authentication; /* Try Kerberos authentication. */
#endif
#if defined(AFS) || defined(KRB5)
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
#endif
#ifdef AFS
int afs_token_passing; /* Try AFS token passing. */
#endif #endif
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */

12
crypto/dist/ssh/scp.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: scp.c,v 1.22 2003/07/23 03:52:20 itojun Exp $ */ /* $NetBSD: scp.c,v 1.23 2003/07/24 15:31:54 itojun Exp $ */
/* /*
* scp - secure remote copy. This is basically patched BSD rcp which * scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd). * uses ssh to do the data transfer (instead of using rcmd).
@ -53,7 +53,11 @@
* 2. Redistributions in binary form must reproduce the above copyright * 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the * notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution. * documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors * 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software * may be used to endorse or promote products derived from this software
* without specific prior written permission. * without specific prior written permission.
* *
@ -72,8 +76,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: scp.c,v 1.108 2003/07/18 01:54:25 deraadt Exp $"); RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $");
__RCSID("$NetBSD: scp.c,v 1.22 2003/07/23 03:52:20 itojun Exp $"); __RCSID("$NetBSD: scp.c,v 1.23 2003/07/24 15:31:54 itojun Exp $");
#include "xmalloc.h" #include "xmalloc.h"
#include "atomicio.h" #include "atomicio.h"


@ -1,4 +1,4 @@
/* $NetBSD: servconf.c,v 1.25 2003/07/23 03:52:20 itojun Exp $ */ /* $NetBSD: servconf.c,v 1.26 2003/07/24 15:31:54 itojun Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -11,8 +11,15 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
__RCSID("$NetBSD: servconf.c,v 1.25 2003/07/23 03:52:20 itojun Exp $"); __RCSID("$NetBSD: servconf.c,v 1.26 2003/07/24 15:31:54 itojun Exp $");
#if defined(KRB4) || defined(KRB5)
#include <krb.h>
#endif
#ifdef AFS
#include <kafs.h>
#endif
#include "ssh.h" #include "ssh.h"
#include "log.h" #include "log.h"
@ -68,11 +75,16 @@ initialize_server_options(ServerOptions *options)
options->hostbased_uses_name_from_packet_only = -1; options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1; options->rsa_authentication = -1;
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
options->kerberos_authentication = -1; options->kerberos_authentication = -1;
options->kerberos_or_local_passwd = -1; options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
options->kerberos_tgt_passing = -1; options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
options->afs_token_passing = -1;
#endif #endif
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
@ -174,15 +186,21 @@ fill_default_server_options(ServerOptions *options)
options->rsa_authentication = 1; options->rsa_authentication = 1;
if (options->pubkey_authentication == -1) if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1; options->pubkey_authentication = 1;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
if (options->kerberos_authentication == -1) if (options->kerberos_authentication == -1)
options->kerberos_authentication = 0; options->kerberos_authentication = 0;
if (options->kerberos_or_local_passwd == -1) if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1; options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1) if (options->kerberos_ticket_cleanup == -1)
options->kerberos_ticket_cleanup = 1; options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
if (options->kerberos_tgt_passing == -1) if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 0; options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
if (options->afs_token_passing == -1)
options->afs_token_passing = 0;
#endif #endif
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
@ -235,9 +253,14 @@ typedef enum {
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
sKerberosTgtPassing, sKerberosTgtPassing,
#endif
#ifdef AFS
sAFSTokenPassing,
#endif #endif
sChallengeResponseAuthentication, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
@ -253,7 +276,7 @@ typedef enum {
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sUsePrivilegeSeparation, sUsePrivilegeSeparation,
sIgnoreRootRhosts, sIgnoreRootRhosts,
sDeprecated, sUnsupported sDeprecated
} ServerOpCodes; } ServerOpCodes;
/* Textual representation of the tokens. */ /* Textual representation of the tokens. */
@ -278,18 +301,17 @@ static struct {
{ "rsaauthentication", sRSAAuthentication }, { "rsaauthentication", sRSAAuthentication },
{ "pubkeyauthentication", sPubkeyAuthentication }, { "pubkeyauthentication", sPubkeyAuthentication },
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */ { "dsaauthentication", sPubkeyAuthentication }, /* alias */
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
{ "kerberosauthentication", sKerberosAuthentication }, { "kerberosauthentication", sKerberosAuthentication },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
{ "kerberosticketcleanup", sKerberosTicketCleanup }, { "kerberosticketcleanup", sKerberosTicketCleanup },
{ "kerberostgtpassing", sKerberosTgtPassing },
#else
{ "kerberosauthentication", sUnsupported },
{ "kerberosorlocalpasswd", sUnsupported },
{ "kerberosticketcleanup", sUnsupported },
{ "kerberostgtpassing", sUnsupported },
#endif #endif
{ "afstokenpassing", sUnsupported }, #if defined(AFS) || defined(KRB5)
{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
{ "afstokenpassing", sAFSTokenPassing },
#endif
{ "passwordauthentication", sPasswordAuthentication }, { "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication },
@ -593,7 +615,7 @@ parse_flag:
case sPubkeyAuthentication: case sPubkeyAuthentication:
intptr = &options->pubkey_authentication; intptr = &options->pubkey_authentication;
goto parse_flag; goto parse_flag;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
case sKerberosAuthentication: case sKerberosAuthentication:
intptr = &options->kerberos_authentication; intptr = &options->kerberos_authentication;
goto parse_flag; goto parse_flag;
@ -605,11 +627,17 @@ parse_flag:
case sKerberosTicketCleanup: case sKerberosTicketCleanup:
intptr = &options->kerberos_ticket_cleanup; intptr = &options->kerberos_ticket_cleanup;
goto parse_flag; goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
case sKerberosTgtPassing: case sKerberosTgtPassing:
intptr = &options->kerberos_tgt_passing; intptr = &options->kerberos_tgt_passing;
goto parse_flag; goto parse_flag;
#endif #endif
#ifdef AFS
case sAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
#endif
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
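Review bot: Removing the `#else` entries of the keyword table (the former `{ "kerberosauthentication", sUnsupported }` … `{ "afstokenpassing", sUnsupported }` mappings, together with `sUnsupported` in `ServerOpCodes`) means a build without KRB4/KRB5/AFS no longer recognises these keywords at all, so an sshd_config that names them makes sshd reject the file instead of ignoring the option as before. The same sshd_config therefore parses on one build and stops the daemon on another; keeping the `#else` branches mapped to `sUnsupported` preserves the tolerant behaviour at no cost. The client-side keyword table in readconf.c has the identical change. Separately, `#include <krb.h>` is now pulled in under `defined(KRB4) || defined(KRB5)`, but nothing in these hunks uses a krb.h symbol on a KRB5-only build, so it is worth confirming that the header is available in that configuration.
```c
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#else
	{ "kerberostgtpassing", sUnsupported },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#else
	{ "afstokenpassing", sUnsupported },
#endif
	/* … unchanged: remaining keyword entries … */
```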


@ -1,5 +1,5 @@
/* $NetBSD: servconf.h,v 1.15 2003/07/23 03:52:21 itojun Exp $ */ /* $NetBSD: servconf.h,v 1.16 2003/07/24 15:31:54 itojun Exp $ */
/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */ /* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -77,7 +77,7 @@ typedef struct {
int hostbased_uses_name_from_packet_only; /* experimental */ int hostbased_uses_name_from_packet_only; /* experimental */
int rsa_authentication; /* If true, permit RSA authentication. */ int rsa_authentication; /* If true, permit RSA authentication. */
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
int kerberos_authentication; /* If true, permit Kerberos int kerberos_authentication; /* If true, permit Kerberos
* authentication. */ * authentication. */
int kerberos_or_local_passwd; /* If true, permit kerberos int kerberos_or_local_passwd; /* If true, permit kerberos
@ -87,8 +87,13 @@ typedef struct {
* /etc/passwd */ * /etc/passwd */
int kerberos_ticket_cleanup; /* If true, destroy ticket int kerberos_ticket_cleanup; /* If true, destroy ticket
* file on logout. */ * file on logout. */
#endif
#if defined(AFS) || defined(KRB5)
int kerberos_tgt_passing; /* If true, permit Kerberos TGT int kerberos_tgt_passing; /* If true, permit Kerberos TGT
* passing. */ * passing. */
#endif
#ifdef AFS
int afs_token_passing; /* If true, permit AFS token passing. */
#endif #endif
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */


@ -1,4 +1,4 @@
/* $NetBSD: session.c,v 1.33 2003/07/23 03:52:21 itojun Exp $ */ /* $NetBSD: session.c,v 1.34 2003/07/24 15:31:54 itojun Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -34,8 +34,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
__RCSID("$NetBSD: session.c,v 1.33 2003/07/23 03:52:21 itojun Exp $"); __RCSID("$NetBSD: session.c,v 1.34 2003/07/24 15:31:54 itojun Exp $");
#include "ssh.h" #include "ssh.h"
#include "ssh1.h" #include "ssh1.h"
@ -213,6 +213,10 @@ do_authenticated(Authctxt *authctxt)
/* remove agent socket */ /* remove agent socket */
if (auth_sock_name != NULL) if (auth_sock_name != NULL)
auth_sock_cleanup_proc(authctxt->pw); auth_sock_cleanup_proc(authctxt->pw);
#ifdef KRB4
if (options.kerberos_ticket_cleanup)
krb4_cleanup_proc(authctxt);
#endif
#ifdef KRB5 #ifdef KRB5
if (options.kerberos_ticket_cleanup) if (options.kerberos_ticket_cleanup)
krb5_cleanup_proc(authctxt); krb5_cleanup_proc(authctxt);
@ -325,7 +329,7 @@ do_authenticated1(Authctxt *authctxt)
success = 1; success = 1;
break; break;
#ifdef KRB5 #if defined(AFS) || defined(KRB5)
case SSH_CMSG_HAVE_KERBEROS_TGT: case SSH_CMSG_HAVE_KERBEROS_TGT:
if (!options.kerberos_tgt_passing) { if (!options.kerberos_tgt_passing) {
verbose("Kerberos TGT passing disabled."); verbose("Kerberos TGT passing disabled.");
@ -333,8 +337,9 @@ do_authenticated1(Authctxt *authctxt)
char *kdata = packet_get_string(&dlen); char *kdata = packet_get_string(&dlen);
packet_check_eom(); packet_check_eom();
/* XXX - 0x41, used for AFS */ /* XXX - 0x41, see creds_to_radix version */
if (kdata[0] != 0x41) { if (kdata[0] != 0x41) {
#ifdef KRB5
krb5_data tgt; krb5_data tgt;
tgt.data = kdata; tgt.data = kdata;
tgt.length = dlen; tgt.length = dlen;
@ -343,11 +348,38 @@ do_authenticated1(Authctxt *authctxt)
success = 1; success = 1;
else else
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
#endif /* KRB5 */
} else {
#ifdef AFS
if (auth_krb4_tgt(s->authctxt, kdata))
success = 1;
else
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
#endif /* AFS */
} }
xfree(kdata); xfree(kdata);
} }
break; break;
#endif #endif /* AFS || KRB5 */
#ifdef AFS
case SSH_CMSG_HAVE_AFS_TOKEN:
if (!options.afs_token_passing || !k_hasafs()) {
verbose("AFS token passing disabled.");
} else {
/* Accept AFS token. */
char *token = packet_get_string(&dlen);
packet_check_eom();
if (auth_afs_token(s->authctxt, token))
success = 1;
else
verbose("AFS token refused for %.100s",
s->authctxt->user);
xfree(token);
}
break;
#endif /* AFS */
case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD: case SSH_CMSG_EXEC_CMD:
@ -945,6 +977,11 @@ do_setup_env(Session *s, const char *shell)
if (original_command) if (original_command)
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command); original_command);
#ifdef KRB4
if (s->authctxt->krb4_ticket_file)
child_set_env(&env, &envsize, "KRBTKFILE",
s->authctxt->krb4_ticket_file);
#endif
#ifdef KRB5 #ifdef KRB5
if (s->authctxt->krb5_ticket_file) if (s->authctxt->krb5_ticket_file)
child_set_env(&env, &envsize, "KRB5CCNAME", child_set_env(&env, &envsize, "KRB5CCNAME",
@ -1204,6 +1241,18 @@ do_child(Session *s, const char *command)
*/ */
environ = env; environ = env;
#ifdef AFS
/* Try to get AFS tokens for the local cell. */
if (k_hasafs()) {
char cell[64];
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
krb_afslog(cell, 0);
krb_afslog(0, 0);
}
#endif /* AFS */
/* Change current directory to the user\'s home directory. */ /* Change current directory to the user\'s home directory. */
if (chdir(pw->pw_dir) < 0) { if (chdir(pw->pw_dir) < 0) {
fprintf(stderr, "Could not chdir to home directory %s: %s\n", fprintf(stderr, "Could not chdir to home directory %s: %s\n",
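Review bot: The credential blobs received in do_authenticated1 — `kdata` in the `SSH_CMSG_HAVE_KERBEROS_TGT` case and `token` in the new `SSH_CMSG_HAVE_AFS_TOKEN` case — are handed to `xfree()` without being cleared, so a forwarded TGT or AFS token (which carries a session key) remains readable in freed heap for the rest of the sshd child's life. Clearing first is cheap since `dlen` is already known: `memset(kdata, 0, dlen); xfree(kdata);` and likewise `memset(token, 0, dlen); xfree(token);`. With only AFS defined the `kdata[0] != 0x41` branch is empty, so a v5-style TGT is dropped without any log line; a `verbose()` there would mirror the other refusal paths. In do_child the results of `krb_afslog()` are discarded — presumably deliberate best-effort, but a `debug()` on failure would make missing tokens diagnosable; that function's body starts and ends outside the hunk.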


@ -1,4 +1,4 @@
.\" $NetBSD: ssh.1,v 1.27 2003/07/23 03:52:21 itojun Exp $ .\" $NetBSD: ssh.1,v 1.28 2003/07/24 15:31:55 itojun Exp $
.\" -*- nroff -*- .\" -*- nroff -*-
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ .\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSH 1 .Dt SSH 1
.Os .Os
@ -494,7 +494,7 @@ the device
should use to communicate with a smartcard used for storing the user's should use to communicate with a smartcard used for storing the user's
private RSA key. private RSA key.
.It Fl k .It Fl k
Disables forwarding of Kerberos tickets. Disables forwarding of Kerberos tickets and AFS tokens.
This may also be specified on a per-host basis in the configuration file. This may also be specified on a per-host basis in the configuration file.
.It Fl l Ar login_name .It Fl l Ar login_name
Specifies the user to log in as on the remote machine. Specifies the user to log in as on the remote machine.

17
crypto/dist/ssh/ssh.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ssh.c,v 1.29 2003/07/23 03:52:22 itojun Exp $ */ /* $NetBSD: ssh.c,v 1.30 2003/07/24 15:31:55 itojun Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -41,8 +41,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $");
__RCSID("$NetBSD: ssh.c,v 1.29 2003/07/23 03:52:22 itojun Exp $"); __RCSID("$NetBSD: ssh.c,v 1.30 2003/07/24 15:31:55 itojun Exp $");
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -156,7 +156,9 @@ usage(void)
_PATH_SSH_USER_CONFFILE); _PATH_SSH_USER_CONFFILE);
fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -A Enable authentication agent forwarding.\n");
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n"); #ifdef AFS
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
#endif /* AFS */
fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -X Enable X11 connection forwarding.\n");
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
fprintf(stderr, " -i file Identity for public key authentication " fprintf(stderr, " -i file Identity for public key authentication "
@ -301,13 +303,12 @@ again:
case 'A': case 'A':
options.forward_agent = 1; options.forward_agent = 1;
break; break;
#ifdef AFS
case 'k': case 'k':
#ifdef KRB5
options.kerberos_tgt_passing = 0; options.kerberos_tgt_passing = 0;
#else options.afs_token_passing = 0;
fprintf(stderr, "no support for kerberos.\n");
#endif
break; break;
#endif
case 'i': case 'i':
if (stat(optarg, &st) < 0) { if (stat(optarg, &st) < 0) {
fprintf(stderr, "Warning: Identity file %s " fprintf(stderr, "Warning: Identity file %s "
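Review bot: Wrapping the whole `case 'k':` in `#ifdef AFS` removes the option on KRB5-only builds, where the previous code used `-k` to clear `options.kerberos_tgt_passing`; a user on such a build can no longer refuse to forward a Kerberos TGT from the command line, and if the getopt string (outside this hunk) still lists `k`, the flag now falls into the default case instead. The guard should follow the options it controls — `#if defined(AFS) || defined(KRB5)` around the case, with only the `afs_token_passing` assignment under `#ifdef AFS` — and the `usage()` line in the earlier hunk wants the same treatment. Whether `k` stays in the getopt string is not visible here.
```c
#if defined(AFS) || defined(KRB5)
	case 'k':
		options.kerberos_tgt_passing = 0;
#ifdef AFS
		options.afs_token_passing = 0;
#endif
		break;
#endif
	/* … unchanged: remaining option cases … */
```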


@ -1,5 +1,5 @@
/* $NetBSD: ssh.h,v 1.11 2003/07/23 03:52:22 itojun Exp $ */ /* $NetBSD: ssh.h,v 1.12 2003/07/24 15:31:55 itojun Exp $ */
/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */ /* $OpenBSD: ssh.h,v 1.71 2002/06/22 02:00:29 stevesk Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -80,6 +80,9 @@
*/ */
#define SSH_SESSION_KEY_LENGTH 32 #define SSH_SESSION_KEY_LENGTH 32
/* Name of Kerberos service for SSH to use. */
#define KRB4_SERVICE_NAME "rcmd"
/* Used to identify ``EscapeChar none'' */ /* Used to identify ``EscapeChar none'' */
#define SSH_ESCAPECHAR_NONE -2 #define SSH_ESCAPECHAR_NONE -2


@ -1,4 +1,4 @@
.\" $NetBSD: ssh_config.5,v 1.5 2003/07/23 03:52:22 itojun Exp $ .\" $NetBSD: ssh_config.5,v 1.6 2003/07/24 15:31:55 itojun Exp $
.\" -*- nroff -*- .\" -*- nroff -*-
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $ .\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
@ -116,6 +116,13 @@ The host is the
.Ar hostname .Ar hostname
argument given on the command line (i.e., the name is not converted to argument given on the command line (i.e., the name is not converted to
a canonicalized host name before matching). a canonicalized host name before matching).
.It Cm AFSTokenPassing
Specifies whether to pass AFS tokens to remote host.
The argument to this keyword must be
.Dq yes
or
.Dq no .
This option applies to protocol version 1 only.
.It Cm BatchMode .It Cm BatchMode
If set to If set to
.Dq yes , .Dq yes ,
@ -372,6 +379,7 @@ or
.Dq no . .Dq no .
.It Cm KerberosTgtPassing .It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT will be forwarded to the server. Specifies whether a Kerberos TGT will be forwarded to the server.
This will only work if the Kerberos server is actually an AFS kaserver.
The argument to this keyword must be The argument to this keyword must be
.Dq yes .Dq yes
or or


@ -1,4 +1,4 @@
/* $NetBSD: sshconnect1.c,v 1.25 2003/07/23 03:52:22 itojun Exp $ */ /* $NetBSD: sshconnect1.c,v 1.26 2003/07/24 15:31:55 itojun Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -14,15 +14,22 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
__RCSID("$NetBSD: sshconnect1.c,v 1.25 2003/07/23 03:52:22 itojun Exp $"); __RCSID("$NetBSD: sshconnect1.c,v 1.26 2003/07/24 15:31:55 itojun Exp $");
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/md5.h> #include <openssl/md5.h>
#ifdef KRB4
#include <krb.h>
#endif
#ifdef KRB5 #ifdef KRB5
#include <krb5.h> #include <krb5.h>
#endif #endif
#ifdef AFS
#include <kafs.h>
#include "radix.h"
#endif
#include "ssh.h" #include "ssh.h"
#include "ssh1.h" #include "ssh1.h"
@ -372,6 +379,128 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
return 0; return 0;
} }
#ifdef KRB4
static int
try_krb4_authentication(void)
{
KTEXT_ST auth; /* Kerberos data */
char *reply;
char inst[INST_SZ];
char *realm;
CREDENTIALS cred;
int r, type;
socklen_t slen;
Key_schedule schedule;
u_long checksum, cksum;
MSG_DAT msg_data;
struct sockaddr_in local, foreign;
struct stat st;
/* Don't do anything if we don't have any tickets. */
if (stat(tkt_string(), &st) < 0)
return 0;
strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
INST_SZ);
realm = (char *)krb_realmofhost(get_canonical_hostname(1));
if (!realm) {
debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
return 0;
}
/* This can really be anything. */
checksum = (u_long)getpid();
r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
if (r != KSUCCESS) {
debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
return 0;
}
/* Get session key to decrypt the server's reply with. */
r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
if (r != KSUCCESS) {
debug("get_cred failed: %s", krb_err_txt[r]);
return 0;
}
des_key_sched((des_cblock *) cred.session, schedule);
/* Send authentication info to server. */
packet_start(SSH_CMSG_AUTH_KERBEROS);
packet_put_string((char *) auth.dat, auth.length);
packet_send();
packet_write_wait();
/* Zero the buffer. */
(void) memset(auth.dat, 0, MAX_KTXT_LEN);
slen = sizeof(local);
memset(&local, 0, sizeof(local));
if (getsockname(packet_get_connection_in(),
(struct sockaddr *)&local, &slen) < 0)
debug("getsockname failed: %s", strerror(errno));
slen = sizeof(foreign);
memset(&foreign, 0, sizeof(foreign));
if (getpeername(packet_get_connection_in(),
(struct sockaddr *)&foreign, &slen) < 0) {
debug("getpeername failed: %s", strerror(errno));
fatal_cleanup();
}
/* Get server reply. */
type = packet_read();
switch (type) {
case SSH_SMSG_FAILURE:
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
debug("Kerberos v4 authentication failed.");
return 0;
break;
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
debug("Kerberos v4 authentication accepted.");
/* Get server's response. */
reply = packet_get_string((u_int *) &auth.length);
if (auth.length >= MAX_KTXT_LEN)
fatal("Kerberos v4: Malformed response from server");
memcpy(auth.dat, reply, auth.length);
xfree(reply);
packet_check_eom();
/*
* If his response isn't properly encrypted with the session
* key, and the decrypted checksum fails to match, he's
* bogus. Bail out.
*/
r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
&foreign, &local, &msg_data);
if (r != KSUCCESS) {
debug("Kerberos v4 krb_rd_priv failed: %s",
krb_err_txt[r]);
packet_disconnect("Kerberos v4 challenge failed!");
}
/* Fetch the (incremented) checksum that we supplied in the request. */
memcpy((char *)&cksum, (char *)msg_data.app_data,
sizeof(cksum));
cksum = ntohl(cksum);
/* If it matches, we're golden. */
if (cksum == checksum + 1) {
debug("Kerberos v4 challenge successful.");
return 1;
} else
packet_disconnect("Kerberos v4 challenge failed!");
break;
default:
packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
}
return 0;
}
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
static int static int
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@ -556,6 +685,129 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
} }
#endif /* KRB5 */ #endif /* KRB5 */
#ifdef AFS
static void
send_krb4_tgt(void)
{
CREDENTIALS *creds;
struct stat st;
char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
int problem, type;
/* Don't do anything if we don't have any tickets. */
if (stat(tkt_string(), &st) < 0)
return;
creds = xmalloc(sizeof(*creds));
problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
if (problem)
goto out;
problem = krb_get_cred("krbtgt", prealm, prealm, creds);
if (problem)
goto out;
if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
problem = RD_AP_EXP;
goto out;
}
creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
packet_put_cstring(buffer);
packet_send();
packet_write_wait();
type = packet_read();
if (type == SSH_SMSG_SUCCESS)
debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
creds->pname, creds->pinst[0] ? "." : "",
creds->pinst, creds->realm);
else
debug("Kerberos v4 TGT rejected.");
xfree(creds);
return;
out:
debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
xfree(creds);
}
static void
send_afs_tokens(void)
{
CREDENTIALS creds;
struct ViceIoctl parms;
struct ClearToken ct;
int i, type, len;
char buf[2048], *p, *server_cell;
char buffer[8192];
/* Move over ktc_GetToken, here's something leaner. */
for (i = 0; i < 100; i++) { /* just in case */
parms.in = (char *) &i;
parms.in_size = sizeof(i);
parms.out = buf;
parms.out_size = sizeof(buf);
if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
break;
p = buf;
/* Get secret token. */
memcpy(&creds.ticket_st.length, p, sizeof(u_int));
if (creds.ticket_st.length > MAX_KTXT_LEN)
break;
p += sizeof(u_int);
memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
p += creds.ticket_st.length;
/* Get clear token. */
memcpy(&len, p, sizeof(len));
if (len != sizeof(struct ClearToken))
break;
p += sizeof(len);
memcpy(&ct, p, len);
p += len;
p += sizeof(len); /* primary flag */
server_cell = p;
/* Flesh out our credentials. */
strlcpy(creds.service, "afs", sizeof(creds.service));
creds.instance[0] = '\0';
strlcpy(creds.realm, server_cell, REALM_SZ);
memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
creds.issue_date = ct.BeginTimestamp;
creds.lifetime = krb_time_to_life(creds.issue_date,
ct.EndTimestamp);
creds.kvno = ct.AuthHandle;
snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
creds.pinst[0] = '\0';
/* Encode token, ship it off. */
if (creds_to_radix(&creds, (u_char *)buffer,
sizeof(buffer)) <= 0)
break;
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
packet_put_cstring(buffer);
packet_send();
packet_write_wait();
/* Roger, Roger. Clearance, Clarence. What's your vector,
Victor? */
type = packet_read();
if (type == SSH_SMSG_FAILURE)
debug("AFS token for cell %s rejected.", server_cell);
else if (type != SSH_SMSG_SUCCESS)
packet_disconnect("Protocol error on AFS token response: %d", type);
}
}
#endif /* AFS */
/* /*
* Tries to authenticate with any string-based challenge/response system. * Tries to authenticate with any string-based challenge/response system.
* Note that the client code is not tied to s/key or TIS. * Note that the client code is not tied to s/key or TIS.
@ -887,6 +1139,21 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
} }
#endif /* KRB5 */ #endif /* KRB5 */
#ifdef KRB4
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
options.kerberos_authentication) {
debug("Trying Kerberos v4 authentication.");
if (try_krb4_authentication()) {
type = packet_read();
if (type == SSH_SMSG_SUCCESS)
goto success;
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
}
}
#endif /* KRB4 */
/* /*
* Use rhosts authentication if running in privileged socket and we * Use rhosts authentication if running in privileged socket and we
* do not wish to remain anonymous. * do not wish to remain anonymous.
@ -973,5 +1240,23 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
if (context) if (context)
krb5_free_context(context); krb5_free_context(context);
#endif #endif
#ifdef AFS
/* Try Kerberos v4 TGT passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
options.kerberos_tgt_passing) {
if (options.cipher == SSH_CIPHER_NONE)
logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
send_krb4_tgt();
}
/* Try AFS token passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
options.afs_token_passing && k_hasafs()) {
if (options.cipher == SSH_CIPHER_NONE)
logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
send_afs_tokens();
}
#endif /* AFS */
return; /* need statement after label */ return; /* need statement after label */
} }


@ -1,4 +1,4 @@
/* $NetBSD: sshd.c,v 1.33 2003/07/23 21:25:08 itojun Exp $ */ /* $NetBSD: sshd.c,v 1.34 2003/07/24 15:31:56 itojun Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -43,8 +43,8 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $"); RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
__RCSID("$NetBSD: sshd.c,v 1.33 2003/07/23 21:25:08 itojun Exp $"); __RCSID("$NetBSD: sshd.c,v 1.34 2003/07/24 15:31:56 itojun Exp $");
#include <openssl/dh.h> #include <openssl/dh.h>
#include <openssl/bn.h> #include <openssl/bn.h>
@ -1424,6 +1424,20 @@ main(int ac, char **av)
"originating port %d not trusted.", remote_port); "originating port %d not trusted.", remote_port);
options.rhosts_authentication = 0; options.rhosts_authentication = 0;
} }
#if defined(KRB4) && !defined(KRB5)
if (!packet_connection_is_ipv4() &&
options.kerberos_authentication) {
debug("Kerberos Authentication disabled, only available for IPv4.");
options.kerberos_authentication = 0;
}
#endif /* KRB4 && !KRB5 */
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
k_setpag();
k_unlog();
}
#endif /* AFS */
packet_set_nonblocking(); packet_set_nonblocking();
@ -1581,11 +1595,17 @@ do_ssh1_kex(void)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication) if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA; auth_mask |= 1 << SSH_AUTH_RSA;
#ifdef KRB5 #if defined(KRB4) || defined(KRB5)
if (options.kerberos_authentication) if (options.kerberos_authentication)
auth_mask |= 1 << SSH_AUTH_KERBEROS; auth_mask |= 1 << SSH_AUTH_KERBEROS;
#endif
#if defined(AFS) || defined(KRB5)
if (options.kerberos_tgt_passing) if (options.kerberos_tgt_passing)
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif
#ifdef AFS
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif #endif
if (options.challenge_response_authentication == 1) if (options.challenge_response_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS; auth_mask |= 1 << SSH_AUTH_TIS;
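Review bot: The IPv4-only guard added in main() as `#if defined(KRB4) && !defined(KRB5)` is compiled out when KRB5 is also defined, and the sshd Makefile in this same commit defines both -DKRB5 and -DKRB4, so in that build `options.kerberos_authentication` is never cleared for a non-IPv4 connection even though the debug message on that line states v4 is only available for IPv4. Unless auth-krb4.c rejects non-IPv4 peers itself (not visible here), a v4 exchange would be attempted over IPv6 with whatever address the v4 code derives from a non-IPv4 peer; I'd make the guard `#if defined(KRB4)` and keep the IPv4 check next to the v4 path rather than tied to the absence of KRB5. The `k_setpag()`/`k_unlog()` calls in the AFS block discard their return values; a short comment such as `/* best effort: a failed PAG setup is not fatal for the session */` would make that intent explicit. Separately, the two `RCSID("$OpenBSD: sshd.c ...")` strings differ by several revisions (1.274 dated 2003/07/22 versus 1.263 dated 2003/02/16); if the 1.263 string is the new side, the file has been rolled back and any sshd.c fixes between those dates are lost, which is worth confirming before merge.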


@ -1,4 +1,4 @@
# $NetBSD: sshd_config,v 1.17 2003/07/23 03:52:23 itojun Exp $ # $NetBSD: sshd_config,v 1.18 2003/07/24 15:31:56 itojun Exp $
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
@ -64,6 +64,8 @@
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver # Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no #KerberosTgtPassing no


@ -1,4 +1,4 @@
.\" $NetBSD: sshd_config.5,v 1.6 2003/07/23 03:52:23 itojun Exp $ .\" $NetBSD: sshd_config.5,v 1.7 2003/07/24 15:31:56 itojun Exp $
.\" -*- nroff -*- .\" -*- nroff -*-
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -62,6 +62,10 @@ The possible
keywords and their meanings are as follows (note that keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive): keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds .Bl -tag -width Ds
.It Cm AFSTokenPassing
Specifies whether an AFS token may be forwarded to the server.
Default is
.Dq no .
.It Cm AllowGroups .It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated This keyword can be followed by a list of group name patterns, separated
by spaces. by spaces.
@ -325,7 +329,8 @@ Default is
.It Cm KerberosTgtPassing .It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server. Specifies whether a Kerberos TGT may be forwarded to the server.
Default is Default is
.Dq no . .Dq no ,
as this only works when the Kerberos KDC is actually an AFS kaserver.
.It Cm KerberosTicketCleanup .It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache Specifies whether to automatically destroy the user's ticket cache
file on logout. file on logout.


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.17 2003/07/23 03:52:25 itojun Exp $ # $NetBSD: Makefile,v 1.18 2003/07/24 15:31:57 itojun Exp $
NOLINT= # defined NOLINT= # defined
NOMAN= # defined NOMAN= # defined
@ -25,8 +25,9 @@ SRCS+= readpassphrase.c getpeereid.c
libinstall:: libinstall::
.if (${USE_KERBEROS} != "no") .if (${USE_KERBEROS} != "no")
CPPFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/krb5 CPPFLAGS+= -DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
#SRCS+= radix.c CPPFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
SRCS+= radix.c
.endif .endif
.include <bsd.lib.mk> .include <bsd.lib.mk>
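Review bot: The KerberosIV code is now pulled in unconditionally whenever `USE_KERBEROS` is not "no" — here via `CPPFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV` and the newly enabled `SRCS+= radix.c` — so a site that wants Kerberos 5 only has no way to leave the legacy v4 code and its extra protocol surface out of the binaries. I'd gate the KRB4 lines behind a separate make variable (a constructed name such as `USE_KERBEROS4`, defaulting from `USE_KERBEROS`) so the two can be built independently. The same applies to the `-DKRB4`, `-lkrb` and `auth-krb4.c` additions in the ssh and sshd Makefile sections that follow; the AFS define is likewise unconditional in all three. A one-line comment above the block, `# KRB4 is unmaintained upstream; build it only where v4 tickets are still in use`, would record why the knob exists.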


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.15 2003/07/23 08:00:52 itojun Exp $ # $NetBSD: Makefile,v 1.16 2003/07/24 15:31:57 itojun Exp $
.include <bsd.own.mk> .include <bsd.own.mk>
@ -12,9 +12,13 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
sshconnect.c sshconnect1.c sshconnect2.c sshconnect.c sshconnect1.c sshconnect2.c
.if (${USE_KERBEROS} != "no") .if (${USE_KERBEROS} != "no")
CPPFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/krb5 CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
LDADD+= -lkrb5 -lasn1 -lcom_err -lroken LDADD+= -lkrb5 -lkafs -lasn1
DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN} DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
CPPFLAGS+=-DKRB4 -I${DESTDIR}/usr/include/kerberosIV
LDADD+= -lkrb -lcom_err -lroken
DPADD+= ${LIBKRB} ${LIBCOM_ERR} ${LIBROKEN}
.endif .endif
.include <bsd.prog.mk> .include <bsd.prog.mk>


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.17 2003/07/23 03:52:27 itojun Exp $ # $NetBSD: Makefile,v 1.18 2003/07/24 15:31:57 itojun Exp $
.include <bsd.own.mk> .include <bsd.own.mk>
@ -19,8 +19,13 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
.if (${USE_KERBEROS} != "no") .if (${USE_KERBEROS} != "no")
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5 CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
SRCS+= auth-krb5.c auth2-krb5.c SRCS+= auth-krb5.c auth2-krb5.c
LDADD+= -lkrb5 -lasn1 -lcom_err -lroken LDADD+= -lkrb5 -lkafs -lasn1
DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN} DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
CPPFLAGS+=-DKRB4 -I${DESTDIR}/usr/include/kerberosIV
SRCS+= auth-krb4.c
LDADD+= -lkrb -lcom_err -lroken
DPADD+= ${LIBKRB} ${LIBCOM_ERR} ${LIBROKEN}
.endif .endif
.include <bsd.prog.mk> .include <bsd.prog.mk>