bring back krb4 support, just to suppress unwanted noise from other developers.
note that official openssh distribution have already dropped kerberosIV support, therefore maintenance cost needs to be paid by us. and have no intent to help.
This commit is contained in:
parent
bf6a317418
commit
88ec7d3792
370
crypto/dist/ssh/auth-krb4.c
vendored
Normal file
370
crypto/dist/ssh/auth-krb4.c
vendored
Normal file
@ -0,0 +1,370 @@
|
|||||||
|
/* $NetBSD: auth-krb4.c,v 1.13 2003/07/24 15:31:52 itojun Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 1999 Dug Song. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||||
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||||
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||||
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "includes.h"
|
||||||
|
RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $");
|
||||||
|
__RCSID("$NetBSD: auth-krb4.c,v 1.13 2003/07/24 15:31:52 itojun Exp $");
|
||||||
|
|
||||||
|
#include "ssh.h"
|
||||||
|
#include "ssh1.h"
|
||||||
|
#include "packet.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "log.h"
|
||||||
|
#include "servconf.h"
|
||||||
|
#include "uidswap.h"
|
||||||
|
#include "auth.h"
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
#include "radix.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
extern ServerOptions options;
|
||||||
|
|
||||||
|
static int
|
||||||
|
krb4_init(void *context)
|
||||||
|
{
|
||||||
|
static int cleanup_registered = 0;
|
||||||
|
Authctxt *authctxt = (Authctxt *)context;
|
||||||
|
const char *tkt_root = TKT_ROOT;
|
||||||
|
struct stat st;
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
if (!authctxt->krb4_ticket_file) {
|
||||||
|
/* Set unique ticket string manually since we're still root. */
|
||||||
|
authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
|
||||||
|
#ifdef AFS
|
||||||
|
if (lstat("/ticket", &st) != -1)
|
||||||
|
tkt_root = "/ticket/";
|
||||||
|
#endif /* AFS */
|
||||||
|
snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
|
||||||
|
tkt_root, authctxt->pw->pw_uid, (long)getpid());
|
||||||
|
krb_set_tkt_string(authctxt->krb4_ticket_file);
|
||||||
|
}
|
||||||
|
/* Register ticket cleanup in case of fatal error. */
|
||||||
|
if (!cleanup_registered) {
|
||||||
|
fatal_add_cleanup(krb4_cleanup_proc, authctxt);
|
||||||
|
cleanup_registered = 1;
|
||||||
|
}
|
||||||
|
/* Try to create our ticket file. */
|
||||||
|
if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
|
||||||
|
close(fd);
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
/* Ticket file exists - make sure user owns it (just passed ticket). */
|
||||||
|
if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
|
||||||
|
if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
|
||||||
|
st.st_uid == authctxt->pw->pw_uid)
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
/* Failure - cancel cleanup function, leaving ticket for inspection. */
|
||||||
|
logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
|
||||||
|
|
||||||
|
fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
|
||||||
|
cleanup_registered = 0;
|
||||||
|
|
||||||
|
xfree(authctxt->krb4_ticket_file);
|
||||||
|
authctxt->krb4_ticket_file = NULL;
|
||||||
|
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* try krb4 authentication,
|
||||||
|
* return 1 on success, 0 on failure, -1 if krb4 is not available
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
auth_krb4_password(Authctxt *authctxt, const char *password)
|
||||||
|
{
|
||||||
|
AUTH_DAT adata;
|
||||||
|
KTEXT_ST tkt;
|
||||||
|
struct hostent *hp;
|
||||||
|
struct passwd *pw;
|
||||||
|
char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
|
||||||
|
u_int32_t faddr;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
if ((pw = authctxt->pw) == NULL)
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Try Kerberos password authentication only for non-root
|
||||||
|
* users and only if Kerberos is installed.
|
||||||
|
*/
|
||||||
|
if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
|
||||||
|
/* Set up our ticket file. */
|
||||||
|
if (!krb4_init(authctxt)) {
|
||||||
|
logit("Couldn't initialize Kerberos ticket file for %s!",
|
||||||
|
pw->pw_name);
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
/* Try to get TGT using our password. */
|
||||||
|
r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
|
||||||
|
"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
|
||||||
|
if (r != INTK_OK) {
|
||||||
|
debug("Kerberos v4 password authentication for %s "
|
||||||
|
"failed: %s", pw->pw_name, krb_err_txt[r]);
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
/* Successful authentication. */
|
||||||
|
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Now that we have a TGT, try to get a local
|
||||||
|
* "rcmd" ticket to ensure that we are not talking
|
||||||
|
* to a bogus Kerberos server.
|
||||||
|
*/
|
||||||
|
gethostname(localhost, sizeof(localhost));
|
||||||
|
strlcpy(phost, (char *)krb_get_phost(localhost),
|
||||||
|
sizeof(phost));
|
||||||
|
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
|
||||||
|
|
||||||
|
if (r == KSUCCESS) {
|
||||||
|
if ((hp = gethostbyname(localhost)) == NULL) {
|
||||||
|
logit("Couldn't get local host address!");
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
memmove((void *)&faddr, (void *)hp->h_addr,
|
||||||
|
sizeof(faddr));
|
||||||
|
|
||||||
|
/* Verify our "rcmd" ticket. */
|
||||||
|
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
|
||||||
|
faddr, &adata, "");
|
||||||
|
if (r == RD_AP_UNDEC) {
|
||||||
|
/*
|
||||||
|
* Probably didn't have a srvtab on
|
||||||
|
* localhost. Disallow login.
|
||||||
|
*/
|
||||||
|
logit("Kerberos v4 TGT for %s unverifiable, "
|
||||||
|
"no srvtab installed? krb_rd_req: %s",
|
||||||
|
pw->pw_name, krb_err_txt[r]);
|
||||||
|
goto failure;
|
||||||
|
} else if (r != KSUCCESS) {
|
||||||
|
logit("Kerberos v4 %s ticket unverifiable: %s",
|
||||||
|
KRB4_SERVICE_NAME, krb_err_txt[r]);
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
} else if (r == KDC_PR_UNKNOWN) {
|
||||||
|
/*
|
||||||
|
* Disallow login if no rcmd service exists, and
|
||||||
|
* log the error.
|
||||||
|
*/
|
||||||
|
logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
|
||||||
|
"not registered, or srvtab is wrong?", pw->pw_name,
|
||||||
|
krb_err_txt[r], KRB4_SERVICE_NAME, phost);
|
||||||
|
goto failure;
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* TGT is bad, forget it. Possibly spoofed!
|
||||||
|
*/
|
||||||
|
debug("WARNING: Kerberos v4 TGT possibly spoofed "
|
||||||
|
"for %s: %s", pw->pw_name, krb_err_txt[r]);
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
/* Authentication succeeded. */
|
||||||
|
return (1);
|
||||||
|
} else
|
||||||
|
/* Logging in as root or no local Kerberos realm. */
|
||||||
|
debug("Unable to authenticate to Kerberos.");
|
||||||
|
|
||||||
|
failure:
|
||||||
|
krb4_cleanup_proc(authctxt);
|
||||||
|
|
||||||
|
if (!options.kerberos_or_local_passwd)
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
/* Fall back to ordinary passwd authentication. */
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
krb4_cleanup_proc(void *context)
|
||||||
|
{
|
||||||
|
Authctxt *authctxt = (Authctxt *)context;
|
||||||
|
debug("krb4_cleanup_proc called");
|
||||||
|
if (authctxt->krb4_ticket_file) {
|
||||||
|
(void) dest_tkt();
|
||||||
|
xfree(authctxt->krb4_ticket_file);
|
||||||
|
authctxt->krb4_ticket_file = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
|
||||||
|
{
|
||||||
|
AUTH_DAT adat = {0};
|
||||||
|
Key_schedule schedule;
|
||||||
|
struct sockaddr_in local, foreign;
|
||||||
|
char instance[INST_SZ];
|
||||||
|
socklen_t slen;
|
||||||
|
u_int cksum;
|
||||||
|
int r, s;
|
||||||
|
|
||||||
|
s = packet_get_connection_in();
|
||||||
|
|
||||||
|
slen = sizeof(local);
|
||||||
|
memset(&local, 0, sizeof(local));
|
||||||
|
if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
|
||||||
|
debug("getsockname failed: %.100s", strerror(errno));
|
||||||
|
slen = sizeof(foreign);
|
||||||
|
memset(&foreign, 0, sizeof(foreign));
|
||||||
|
if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
|
||||||
|
debug("getpeername failed: %.100s", strerror(errno));
|
||||||
|
fatal_cleanup();
|
||||||
|
}
|
||||||
|
instance[0] = '*';
|
||||||
|
instance[1] = 0;
|
||||||
|
|
||||||
|
/* Get the encrypted request, challenge, and session key. */
|
||||||
|
if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
|
||||||
|
0, &adat, ""))) {
|
||||||
|
debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
des_key_sched((des_cblock *) adat.session, schedule);
|
||||||
|
|
||||||
|
*client = xmalloc(MAX_K_NAME_SZ);
|
||||||
|
(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
|
||||||
|
*adat.pinst ? "." : "", adat.pinst, adat.prealm);
|
||||||
|
|
||||||
|
/* Check ~/.klogin authorization now. */
|
||||||
|
if (kuserok(&adat, authctxt->user) != KSUCCESS) {
|
||||||
|
logit("Kerberos v4 .klogin authorization failed for %s to "
|
||||||
|
"account %s", *client, authctxt->user);
|
||||||
|
xfree(*client);
|
||||||
|
*client = NULL;
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
/* Increment the checksum, and return it encrypted with the
|
||||||
|
session key. */
|
||||||
|
cksum = adat.checksum + 1;
|
||||||
|
cksum = htonl(cksum);
|
||||||
|
|
||||||
|
/* If we can't successfully encrypt the checksum, we send back an
|
||||||
|
empty message, admitting our failure. */
|
||||||
|
if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
|
||||||
|
schedule, &adat.session, &local, &foreign)) < 0) {
|
||||||
|
debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
|
||||||
|
reply->dat[0] = 0;
|
||||||
|
reply->length = 0;
|
||||||
|
} else
|
||||||
|
reply->length = r;
|
||||||
|
|
||||||
|
/* Clear session key. */
|
||||||
|
memset(&adat.session, 0, sizeof(adat.session));
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
#endif /* KRB4 */
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
int
|
||||||
|
auth_krb4_tgt(Authctxt *authctxt, const char *string)
|
||||||
|
{
|
||||||
|
CREDENTIALS creds;
|
||||||
|
struct passwd *pw;
|
||||||
|
|
||||||
|
if ((pw = authctxt->pw) == NULL)
|
||||||
|
goto failure;
|
||||||
|
|
||||||
|
temporarily_use_uid(pw);
|
||||||
|
|
||||||
|
if (!radix_to_creds(string, &creds)) {
|
||||||
|
logit("Protocol error decoding Kerberos v4 TGT");
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
|
||||||
|
strlcpy(creds.service, "krbtgt", sizeof creds.service);
|
||||||
|
|
||||||
|
if (strcmp(creds.service, "krbtgt")) {
|
||||||
|
logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
|
||||||
|
creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
|
||||||
|
creds.realm, pw->pw_name);
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
if (!krb4_init(authctxt))
|
||||||
|
goto failure;
|
||||||
|
|
||||||
|
if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
|
||||||
|
goto failure;
|
||||||
|
|
||||||
|
if (save_credentials(creds.service, creds.instance, creds.realm,
|
||||||
|
creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
|
||||||
|
creds.issue_date) != KSUCCESS) {
|
||||||
|
debug("Kerberos v4 TGT refused: couldn't save credentials");
|
||||||
|
goto failure;
|
||||||
|
}
|
||||||
|
/* Successful authentication, passed all checks. */
|
||||||
|
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
|
||||||
|
|
||||||
|
debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
|
||||||
|
creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
|
||||||
|
memset(&creds, 0, sizeof(creds));
|
||||||
|
|
||||||
|
restore_uid();
|
||||||
|
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
failure:
|
||||||
|
krb4_cleanup_proc(authctxt);
|
||||||
|
memset(&creds, 0, sizeof(creds));
|
||||||
|
restore_uid();
|
||||||
|
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
auth_afs_token(Authctxt *authctxt, const char *token_string)
|
||||||
|
{
|
||||||
|
CREDENTIALS creds;
|
||||||
|
struct passwd *pw;
|
||||||
|
uid_t uid;
|
||||||
|
|
||||||
|
if ((pw = authctxt->pw) == NULL)
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
if (!radix_to_creds(token_string, &creds)) {
|
||||||
|
logit("Protocol error decoding AFS token");
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
|
||||||
|
strlcpy(creds.service, "afs", sizeof creds.service);
|
||||||
|
|
||||||
|
if (strncmp(creds.pname, "AFS ID ", 7) == 0)
|
||||||
|
uid = atoi(creds.pname + 7);
|
||||||
|
else
|
||||||
|
uid = pw->pw_uid;
|
||||||
|
|
||||||
|
if (kafs_settoken(creds.realm, uid, &creds)) {
|
||||||
|
logit("AFS token (%s@%s) rejected for %s",
|
||||||
|
creds.pname, creds.realm, pw->pw_name);
|
||||||
|
memset(&creds, 0, sizeof(creds));
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
|
||||||
|
memset(&creds, 0, sizeof(creds));
|
||||||
|
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
#endif /* AFS */
|
14
crypto/dist/ssh/auth-passwd.c
vendored
14
crypto/dist/ssh/auth-passwd.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: auth-passwd.c,v 1.9 2003/07/23 03:52:17 itojun Exp $ */
|
/* $NetBSD: auth-passwd.c,v 1.10 2003/07/24 15:31:52 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -37,8 +37,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
|
||||||
__RCSID("$NetBSD: auth-passwd.c,v 1.9 2003/07/23 03:52:17 itojun Exp $");
|
__RCSID("$NetBSD: auth-passwd.c,v 1.10 2003/07/24 15:31:52 itojun Exp $");
|
||||||
|
|
||||||
#include "packet.h"
|
#include "packet.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -72,6 +72,14 @@ auth_password(Authctxt *authctxt, const char *password)
|
|||||||
/* Fall back to ordinary passwd authentication. */
|
/* Fall back to ordinary passwd authentication. */
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef KRB4
|
||||||
|
if (options.kerberos_authentication == 1) {
|
||||||
|
int ret = auth_krb4_password(authctxt, password);
|
||||||
|
if (ret == 1 || ret == 0)
|
||||||
|
return ret;
|
||||||
|
/* Fall back to ordinary passwd authentication. */
|
||||||
|
}
|
||||||
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
|
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
|
||||||
(char *)password) == 0)
|
(char *)password) == 0)
|
||||||
|
21
crypto/dist/ssh/auth.h
vendored
21
crypto/dist/ssh/auth.h
vendored
@ -1,5 +1,5 @@
|
|||||||
/* $NetBSD: auth.h,v 1.15 2003/07/23 03:52:17 itojun Exp $ */
|
/* $NetBSD: auth.h,v 1.16 2003/07/24 15:31:52 itojun Exp $ */
|
||||||
/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
|
/* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
@ -61,6 +61,9 @@ struct Authctxt {
|
|||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
auth_session_t *as;
|
auth_session_t *as;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef KRB4
|
||||||
|
char *krb4_ticket_file;
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
krb5_context krb5_ctx;
|
krb5_context krb5_ctx;
|
||||||
krb5_auth_context krb5_auth_ctx;
|
krb5_auth_context krb5_auth_ctx;
|
||||||
@ -109,6 +112,20 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
|
|||||||
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
||||||
int user_key_allowed(struct passwd *, Key *);
|
int user_key_allowed(struct passwd *, Key *);
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
#include <krb.h>
|
||||||
|
int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
|
||||||
|
int auth_krb4_password(Authctxt *, const char *);
|
||||||
|
void krb4_cleanup_proc(void *);
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
#include <kafs.h>
|
||||||
|
int auth_krb4_tgt(Authctxt *, const char *);
|
||||||
|
int auth_afs_token(Authctxt *, const char *);
|
||||||
|
#endif /* AFS */
|
||||||
|
|
||||||
|
#endif /* KRB4 */
|
||||||
|
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||||
|
51
crypto/dist/ssh/auth1.c
vendored
51
crypto/dist/ssh/auth1.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: auth1.c,v 1.24 2003/07/23 03:52:17 itojun Exp $ */
|
/* $NetBSD: auth1.c,v 1.25 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
@ -11,8 +11,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
|
||||||
__RCSID("$NetBSD: auth1.c,v 1.24 2003/07/23 03:52:17 itojun Exp $");
|
__RCSID("$NetBSD: auth1.c,v 1.25 2003/07/24 15:31:53 itojun Exp $");
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "rsa.h"
|
#include "rsa.h"
|
||||||
@ -51,7 +51,7 @@ get_authname(int type)
|
|||||||
case SSH_CMSG_AUTH_TIS:
|
case SSH_CMSG_AUTH_TIS:
|
||||||
case SSH_CMSG_AUTH_TIS_RESPONSE:
|
case SSH_CMSG_AUTH_TIS_RESPONSE:
|
||||||
return "challenge-response";
|
return "challenge-response";
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
case SSH_CMSG_AUTH_KERBEROS:
|
case SSH_CMSG_AUTH_KERBEROS:
|
||||||
return "kerberos";
|
return "kerberos";
|
||||||
#endif
|
#endif
|
||||||
@ -83,7 +83,7 @@ do_authloop(Authctxt *authctxt)
|
|||||||
|
|
||||||
/* If the user has no password, accept authentication immediately. */
|
/* If the user has no password, accept authentication immediately. */
|
||||||
if (options.password_authentication &&
|
if (options.password_authentication &&
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
||||||
#endif
|
#endif
|
||||||
PRIVSEP(auth_password(authctxt, ""))) {
|
PRIVSEP(auth_password(authctxt, ""))) {
|
||||||
@ -108,7 +108,7 @@ do_authloop(Authctxt *authctxt)
|
|||||||
/* Process the packet. */
|
/* Process the packet. */
|
||||||
switch (type) {
|
switch (type) {
|
||||||
|
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
case SSH_CMSG_AUTH_KERBEROS:
|
case SSH_CMSG_AUTH_KERBEROS:
|
||||||
if (!options.kerberos_authentication) {
|
if (!options.kerberos_authentication) {
|
||||||
verbose("Kerberos authentication disabled.");
|
verbose("Kerberos authentication disabled.");
|
||||||
@ -116,7 +116,32 @@ do_authloop(Authctxt *authctxt)
|
|||||||
char *kdata = packet_get_string(&dlen);
|
char *kdata = packet_get_string(&dlen);
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
|
|
||||||
if (kdata[0] != 4) { /* KRB_PROT_VERSION */
|
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
|
||||||
|
#ifdef KRB4
|
||||||
|
KTEXT_ST tkt, reply;
|
||||||
|
tkt.length = dlen;
|
||||||
|
if (tkt.length < MAX_KTXT_LEN)
|
||||||
|
memcpy(tkt.dat, kdata, tkt.length);
|
||||||
|
|
||||||
|
if (PRIVSEP(auth_krb4(authctxt, &tkt,
|
||||||
|
&client_user, &reply))) {
|
||||||
|
authenticated = 1;
|
||||||
|
snprintf(info, sizeof(info),
|
||||||
|
" tktuser %.100s",
|
||||||
|
client_user);
|
||||||
|
|
||||||
|
packet_start(
|
||||||
|
SSH_SMSG_AUTH_KERBEROS_RESPONSE);
|
||||||
|
packet_put_string((char *)
|
||||||
|
reply.dat, reply.length);
|
||||||
|
packet_send();
|
||||||
|
packet_write_wait();
|
||||||
|
|
||||||
|
xfree(client_user);
|
||||||
|
}
|
||||||
|
#endif /* KRB4 */
|
||||||
|
} else {
|
||||||
|
#ifdef KRB5
|
||||||
krb5_data tkt, reply;
|
krb5_data tkt, reply;
|
||||||
tkt.length = dlen;
|
tkt.length = dlen;
|
||||||
tkt.data = kdata;
|
tkt.data = kdata;
|
||||||
@ -140,14 +165,24 @@ do_authloop(Authctxt *authctxt)
|
|||||||
xfree(reply.data);
|
xfree(reply.data);
|
||||||
xfree(client_user);
|
xfree(client_user);
|
||||||
}
|
}
|
||||||
|
#endif /* KRB5 */
|
||||||
}
|
}
|
||||||
xfree(kdata);
|
xfree(kdata);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
#endif /* KRB4 || KRB5 */
|
||||||
|
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
|
/* XXX - punt on backward compatibility here. */
|
||||||
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
||||||
packet_send_debug("Kerberos TGT passing disabled before authentication.");
|
packet_send_debug("Kerberos TGT passing disabled before authentication.");
|
||||||
break;
|
break;
|
||||||
#endif
|
#ifdef AFS
|
||||||
|
case SSH_CMSG_HAVE_AFS_TOKEN:
|
||||||
|
packet_send_debug("AFS token passing disabled before authentication.");
|
||||||
|
break;
|
||||||
|
#endif /* AFS */
|
||||||
|
#endif /* AFS || KRB5 */
|
||||||
|
|
||||||
case SSH_CMSG_AUTH_RHOSTS:
|
case SSH_CMSG_AUTH_RHOSTS:
|
||||||
if (!options.rhosts_authentication) {
|
if (!options.rhosts_authentication) {
|
||||||
|
58
crypto/dist/ssh/monitor.c
vendored
58
crypto/dist/ssh/monitor.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: monitor.c,v 1.14 2003/07/23 03:52:17 itojun Exp $ */
|
/* $NetBSD: monitor.c,v 1.15 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||||
@ -26,8 +26,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");
|
||||||
__RCSID("$NetBSD: monitor.c,v 1.14 2003/07/23 03:52:17 itojun Exp $");
|
__RCSID("$NetBSD: monitor.c,v 1.15 2003/07/24 15:31:53 itojun Exp $");
|
||||||
|
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
|
|
||||||
@ -118,6 +118,9 @@ int mm_answer_rsa_response(int, Buffer *);
|
|||||||
int mm_answer_sesskey(int, Buffer *);
|
int mm_answer_sesskey(int, Buffer *);
|
||||||
int mm_answer_sessid(int, Buffer *);
|
int mm_answer_sessid(int, Buffer *);
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
int mm_answer_krb4(int, Buffer *);
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
int mm_answer_krb5(int, Buffer *);
|
int mm_answer_krb5(int, Buffer *);
|
||||||
#endif
|
#endif
|
||||||
@ -198,6 +201,9 @@ struct mon_table mon_dispatch_proto15[] = {
|
|||||||
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
|
||||||
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef KRB4
|
||||||
|
{MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
|
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
|
||||||
#endif
|
#endif
|
||||||
@ -1264,6 +1270,52 @@ mm_answer_rsa_response(int socket, Buffer *m)
|
|||||||
return (success);
|
return (success);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
int
|
||||||
|
mm_answer_krb4(int socket, Buffer *m)
|
||||||
|
{
|
||||||
|
KTEXT_ST auth, reply;
|
||||||
|
char *client, *p;
|
||||||
|
int success;
|
||||||
|
u_int alen;
|
||||||
|
|
||||||
|
reply.length = auth.length = 0;
|
||||||
|
|
||||||
|
p = buffer_get_string(m, &alen);
|
||||||
|
if (alen >= MAX_KTXT_LEN)
|
||||||
|
fatal("%s: auth too large", __func__);
|
||||||
|
memcpy(auth.dat, p, alen);
|
||||||
|
auth.length = alen;
|
||||||
|
memset(p, 0, alen);
|
||||||
|
xfree(p);
|
||||||
|
|
||||||
|
success = options.kerberos_authentication &&
|
||||||
|
authctxt->valid &&
|
||||||
|
auth_krb4(authctxt, &auth, &client, &reply);
|
||||||
|
|
||||||
|
memset(auth.dat, 0, alen);
|
||||||
|
buffer_clear(m);
|
||||||
|
buffer_put_int(m, success);
|
||||||
|
|
||||||
|
if (success) {
|
||||||
|
buffer_put_cstring(m, client);
|
||||||
|
buffer_put_string(m, reply.dat, reply.length);
|
||||||
|
if (client)
|
||||||
|
xfree(client);
|
||||||
|
if (reply.length)
|
||||||
|
memset(reply.dat, 0, reply.length);
|
||||||
|
}
|
||||||
|
|
||||||
|
debug3("%s: sending result %d", __func__, success);
|
||||||
|
mm_request_send(socket, MONITOR_ANS_KRB4, m);
|
||||||
|
|
||||||
|
auth_method = "kerberos";
|
||||||
|
|
||||||
|
/* Causes monitor loop to terminate if authenticated */
|
||||||
|
return (success);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
int
|
int
|
||||||
mm_answer_krb5(int socket, Buffer *m)
|
mm_answer_krb5(int socket, Buffer *m)
|
||||||
|
5
crypto/dist/ssh/monitor.h
vendored
5
crypto/dist/ssh/monitor.h
vendored
@ -1,5 +1,5 @@
|
|||||||
/* $NetBSD: monitor.h,v 1.4 2003/07/23 03:52:17 itojun Exp $ */
|
/* $NetBSD: monitor.h,v 1.5 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
/* $OpenBSD: monitor.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
|
/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
@ -50,6 +50,7 @@ enum monitor_reqtype {
|
|||||||
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
|
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
|
||||||
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
|
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
|
||||||
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
|
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
|
||||||
|
MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
|
||||||
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
|
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
|
||||||
MONITOR_REQ_TERM
|
MONITOR_REQ_TERM
|
||||||
};
|
};
|
||||||
|
42
crypto/dist/ssh/monitor_wrap.c
vendored
42
crypto/dist/ssh/monitor_wrap.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: monitor_wrap.c,v 1.11 2003/07/23 03:52:17 itojun Exp $ */
|
/* $NetBSD: monitor_wrap.c,v 1.12 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||||
@ -26,8 +26,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: monitor_wrap.c,v 1.26 2003/04/07 08:29:57 markus Exp $");
|
||||||
__RCSID("$NetBSD: monitor_wrap.c,v 1.11 2003/07/23 03:52:17 itojun Exp $");
|
__RCSID("$NetBSD: monitor_wrap.c,v 1.12 2003/07/24 15:31:53 itojun Exp $");
|
||||||
|
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
@ -940,6 +940,42 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
|
|||||||
return (success);
|
return (success);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
int
|
||||||
|
mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
|
||||||
|
{
|
||||||
|
KTEXT auth, reply;
|
||||||
|
Buffer m;
|
||||||
|
u_int rlen;
|
||||||
|
int success = 0;
|
||||||
|
char *p;
|
||||||
|
|
||||||
|
debug3("%s entering", __func__);
|
||||||
|
auth = _auth;
|
||||||
|
reply = _reply;
|
||||||
|
|
||||||
|
buffer_init(&m);
|
||||||
|
buffer_put_string(&m, auth->dat, auth->length);
|
||||||
|
|
||||||
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
|
||||||
|
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
|
||||||
|
|
||||||
|
success = buffer_get_int(&m);
|
||||||
|
if (success) {
|
||||||
|
*client = buffer_get_string(&m, NULL);
|
||||||
|
p = buffer_get_string(&m, &rlen);
|
||||||
|
if (rlen >= MAX_KTXT_LEN)
|
||||||
|
fatal("%s: reply from monitor too large", __func__);
|
||||||
|
reply->length = rlen;
|
||||||
|
memcpy(reply->dat, p, rlen);
|
||||||
|
memset(p, 0, rlen);
|
||||||
|
xfree(p);
|
||||||
|
}
|
||||||
|
buffer_free(&m);
|
||||||
|
return (success);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
int
|
int
|
||||||
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
|
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
|
||||||
|
7
crypto/dist/ssh/monitor_wrap.h
vendored
7
crypto/dist/ssh/monitor_wrap.h
vendored
@ -1,5 +1,5 @@
|
|||||||
/* $NetBSD: monitor_wrap.h,v 1.4 2003/07/23 03:52:18 itojun Exp $ */
|
/* $NetBSD: monitor_wrap.h,v 1.5 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
|
/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
@ -81,6 +81,9 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
|
|||||||
int mm_skey_respond(void *, u_int, char **);
|
int mm_skey_respond(void *, u_int, char **);
|
||||||
|
|
||||||
/* auth_krb */
|
/* auth_krb */
|
||||||
|
#ifdef KRB4
|
||||||
|
int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
/* auth and reply are really krb5_data objects, but we don't want to
|
/* auth and reply are really krb5_data objects, but we don't want to
|
||||||
* include all of the krb5 headers here */
|
* include all of the krb5 headers here */
|
||||||
|
160
crypto/dist/ssh/radix.c
vendored
Normal file
160
crypto/dist/ssh/radix.c
vendored
Normal file
@ -0,0 +1,160 @@
|
|||||||
|
/* $NetBSD: radix.c,v 1.13 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 1999 Dug Song. All rights reserved.
|
||||||
|
* Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||||
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||||
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||||
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "includes.h"
|
||||||
|
#include "uuencode.h"
|
||||||
|
|
||||||
|
RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
|
||||||
|
__RCSID("$NetBSD: radix.c,v 1.13 2003/07/24 15:31:53 itojun Exp $");
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
#include <krb.h>
|
||||||
|
|
||||||
|
#include <radix.h>
|
||||||
|
#include "bufaux.h"
|
||||||
|
|
||||||
|
int
|
||||||
|
creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
|
||||||
|
{
|
||||||
|
Buffer b;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
buffer_init(&b);
|
||||||
|
|
||||||
|
buffer_put_char(&b, 1); /* version */
|
||||||
|
|
||||||
|
buffer_append(&b, creds->service, strlen(creds->service));
|
||||||
|
buffer_put_char(&b, '\0');
|
||||||
|
buffer_append(&b, creds->instance, strlen(creds->instance));
|
||||||
|
buffer_put_char(&b, '\0');
|
||||||
|
buffer_append(&b, creds->realm, strlen(creds->realm));
|
||||||
|
buffer_put_char(&b, '\0');
|
||||||
|
buffer_append(&b, creds->pname, strlen(creds->pname));
|
||||||
|
buffer_put_char(&b, '\0');
|
||||||
|
buffer_append(&b, creds->pinst, strlen(creds->pinst));
|
||||||
|
buffer_put_char(&b, '\0');
|
||||||
|
|
||||||
|
/* Null string to repeat the realm. */
|
||||||
|
buffer_put_char(&b, '\0');
|
||||||
|
|
||||||
|
buffer_put_int(&b, creds->issue_date);
|
||||||
|
buffer_put_int(&b, krb_life_to_time(creds->issue_date,
|
||||||
|
creds->lifetime));
|
||||||
|
buffer_append(&b, creds->session, sizeof(creds->session));
|
||||||
|
buffer_put_short(&b, creds->kvno);
|
||||||
|
|
||||||
|
/* 32 bit size + data */
|
||||||
|
buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
|
||||||
|
|
||||||
|
ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
|
||||||
|
|
||||||
|
buffer_free(&b);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
#define GETSTRING(b, t, tlen) \
|
||||||
|
do { \
|
||||||
|
int i, found = 0; \
|
||||||
|
for (i = 0; i < tlen; i++) { \
|
||||||
|
if (buffer_len(b) == 0) \
|
||||||
|
goto done; \
|
||||||
|
t[i] = buffer_get_char(b); \
|
||||||
|
if (t[i] == '\0') { \
|
||||||
|
found = 1; \
|
||||||
|
break; \
|
||||||
|
} \
|
||||||
|
} \
|
||||||
|
if (!found) \
|
||||||
|
goto done; \
|
||||||
|
} while(0)
|
||||||
|
|
||||||
|
int
|
||||||
|
radix_to_creds(const char *buf, CREDENTIALS *creds)
|
||||||
|
{
|
||||||
|
Buffer b;
|
||||||
|
u_char *space;
|
||||||
|
char c, version, *p;
|
||||||
|
u_int endTime, len;
|
||||||
|
int blen, ret;
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
blen = strlen(buf);
|
||||||
|
|
||||||
|
/* sanity check for size */
|
||||||
|
if (blen > 8192)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
buffer_init(&b);
|
||||||
|
space = buffer_append_space(&b, blen);
|
||||||
|
|
||||||
|
/* check version and length! */
|
||||||
|
len = uudecode(buf, space, blen);
|
||||||
|
if (len < 1)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
version = buffer_get_char(&b);
|
||||||
|
|
||||||
|
GETSTRING(&b, creds->service, sizeof creds->service);
|
||||||
|
GETSTRING(&b, creds->instance, sizeof creds->instance);
|
||||||
|
GETSTRING(&b, creds->realm, sizeof creds->realm);
|
||||||
|
GETSTRING(&b, creds->pname, sizeof creds->pname);
|
||||||
|
GETSTRING(&b, creds->pinst, sizeof creds->pinst);
|
||||||
|
|
||||||
|
if (buffer_len(&b) == 0)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
/* Ignore possibly different realm. */
|
||||||
|
while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
|
||||||
|
;
|
||||||
|
|
||||||
|
if (buffer_len(&b) == 0)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
creds->issue_date = buffer_get_int(&b);
|
||||||
|
|
||||||
|
endTime = buffer_get_int(&b);
|
||||||
|
creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
|
||||||
|
|
||||||
|
len = buffer_len(&b);
|
||||||
|
if (len < sizeof(creds->session))
|
||||||
|
goto done;
|
||||||
|
memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
|
||||||
|
buffer_consume(&b, sizeof(creds->session));
|
||||||
|
|
||||||
|
creds->kvno = buffer_get_short(&b);
|
||||||
|
|
||||||
|
p = buffer_get_string(&b, &len);
|
||||||
|
if (len < 0 || len > sizeof(creds->ticket_st.dat))
|
||||||
|
goto done;
|
||||||
|
memcpy(&creds->ticket_st.dat, p, len);
|
||||||
|
creds->ticket_st.length = len;
|
||||||
|
|
||||||
|
ret = 1;
|
||||||
|
done:
|
||||||
|
buffer_free(&b);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#endif /* AFS */
|
29
crypto/dist/ssh/radix.h
vendored
Normal file
29
crypto/dist/ssh/radix.h
vendored
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
/* $NetBSD: radix.h,v 1.5 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
|
/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright (c) 1999 Dug Song. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||||
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||||
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||||
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
int creds_to_radix(CREDENTIALS *, u_char *, size_t);
|
||||||
|
int radix_to_creds(const char *, CREDENTIALS *);
|
56
crypto/dist/ssh/readconf.c
vendored
56
crypto/dist/ssh/readconf.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: readconf.c,v 1.19 2003/07/23 03:52:19 itojun Exp $ */
|
/* $NetBSD: readconf.c,v 1.20 2003/07/24 15:31:53 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -13,8 +13,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: readconf.c,v 1.105 2003/04/02 09:48:07 markus Exp $");
|
||||||
__RCSID("$NetBSD: readconf.c,v 1.19 2003/07/23 03:52:19 itojun Exp $");
|
__RCSID("$NetBSD: readconf.c,v 1.20 2003/07/24 15:31:53 itojun Exp $");
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@ -96,8 +96,14 @@ typedef enum {
|
|||||||
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
|
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
|
||||||
oPasswordAuthentication, oRSAAuthentication,
|
oPasswordAuthentication, oRSAAuthentication,
|
||||||
oChallengeResponseAuthentication, oXAuthLocation,
|
oChallengeResponseAuthentication, oXAuthLocation,
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
oKerberosAuthentication, oKerberosTgtPassing,
|
oKerberosAuthentication,
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
|
oKerberosTgtPassing,
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
oAFSTokenPassing,
|
||||||
#endif
|
#endif
|
||||||
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
|
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
|
||||||
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
|
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
|
||||||
@ -111,7 +117,7 @@ typedef enum {
|
|||||||
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
|
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||||
oEnableSSHKeysign, oRekeyLimit,
|
oEnableSSHKeysign, oRekeyLimit,
|
||||||
oDeprecated, oUnsupported
|
oDeprecated
|
||||||
} OpCodes;
|
} OpCodes;
|
||||||
|
|
||||||
/* Textual representations of the tokens. */
|
/* Textual representations of the tokens. */
|
||||||
@ -137,17 +143,17 @@ static struct {
|
|||||||
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
|
||||||
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||||
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
{ "kerberosauthentication", oKerberosAuthentication },
|
{ "kerberosauthentication", oKerberosAuthentication },
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
{ "kerberostgtpassing", oKerberosTgtPassing },
|
{ "kerberostgtpassing", oKerberosTgtPassing },
|
||||||
{ "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */
|
{ "kerberos5tgtpassing", oKerberosTgtPassing }, /* alias */
|
||||||
#else
|
{ "kerberos4tgtpassing", oKerberosTgtPassing }, /* alias */
|
||||||
{ "kerberosauthentication", oUnsupported },
|
#endif
|
||||||
{ "kerberostgtpassing", oUnsupported },
|
#ifdef AFS
|
||||||
{ "kerberos5tgtpassing", oUnsupported }, /* alias */
|
{ "afstokenpassing", oAFSTokenPassing },
|
||||||
#endif
|
#endif
|
||||||
{ "kerberos4tgtpassing", oUnsupported }, /* alias */
|
|
||||||
{ "afstokenpassing", oUnsupported },
|
|
||||||
{ "fallbacktorsh", oDeprecated },
|
{ "fallbacktorsh", oDeprecated },
|
||||||
{ "usersh", oDeprecated },
|
{ "usersh", oDeprecated },
|
||||||
{ "identityfile", oIdentityFile },
|
{ "identityfile", oIdentityFile },
|
||||||
@ -358,13 +364,20 @@ parse_flag:
|
|||||||
case oChallengeResponseAuthentication:
|
case oChallengeResponseAuthentication:
|
||||||
intptr = &options->challenge_response_authentication;
|
intptr = &options->challenge_response_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
case oKerberosAuthentication:
|
case oKerberosAuthentication:
|
||||||
intptr = &options->kerberos_authentication;
|
intptr = &options->kerberos_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
case oKerberosTgtPassing:
|
case oKerberosTgtPassing:
|
||||||
intptr = &options->kerberos_tgt_passing;
|
intptr = &options->kerberos_tgt_passing;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
case oAFSTokenPassing:
|
||||||
|
intptr = &options->afs_token_passing;
|
||||||
|
goto parse_flag;
|
||||||
#endif
|
#endif
|
||||||
case oBatchMode:
|
case oBatchMode:
|
||||||
intptr = &options->batch_mode;
|
intptr = &options->batch_mode;
|
||||||
@ -763,9 +776,14 @@ initialize_options(Options * options)
|
|||||||
options->rsa_authentication = -1;
|
options->rsa_authentication = -1;
|
||||||
options->pubkey_authentication = -1;
|
options->pubkey_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
options->kerberos_authentication = -1;
|
options->kerberos_authentication = -1;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
options->kerberos_tgt_passing = -1;
|
options->kerberos_tgt_passing = -1;
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
options->afs_token_passing = -1;
|
||||||
#endif
|
#endif
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
@ -836,11 +854,17 @@ fill_default_options(Options * options)
|
|||||||
options->pubkey_authentication = 1;
|
options->pubkey_authentication = 1;
|
||||||
if (options->challenge_response_authentication == -1)
|
if (options->challenge_response_authentication == -1)
|
||||||
options->challenge_response_authentication = 1;
|
options->challenge_response_authentication = 1;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
if (options->kerberos_authentication == -1)
|
if (options->kerberos_authentication == -1)
|
||||||
options->kerberos_authentication = 1;
|
options->kerberos_authentication = 1;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
if (options->kerberos_tgt_passing == -1)
|
if (options->kerberos_tgt_passing == -1)
|
||||||
options->kerberos_tgt_passing = 1;
|
options->kerberos_tgt_passing = 1;
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
if (options->afs_token_passing == -1)
|
||||||
|
options->afs_token_passing = 1;
|
||||||
#endif
|
#endif
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
|
11
crypto/dist/ssh/readconf.h
vendored
11
crypto/dist/ssh/readconf.h
vendored
@ -1,5 +1,5 @@
|
|||||||
/* $NetBSD: readconf.h,v 1.12 2003/07/23 03:52:20 itojun Exp $ */
|
/* $NetBSD: readconf.h,v 1.13 2003/07/24 15:31:54 itojun Exp $ */
|
||||||
/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
|
/* $OpenBSD: readconf.h,v 1.47 2003/04/02 09:48:07 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -42,9 +42,14 @@ typedef struct {
|
|||||||
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
||||||
int challenge_response_authentication;
|
int challenge_response_authentication;
|
||||||
/* Try S/Key or TIS, authentication. */
|
/* Try S/Key or TIS, authentication. */
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
int kerberos_authentication; /* Try Kerberos authentication. */
|
int kerberos_authentication; /* Try Kerberos authentication. */
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
|
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
int afs_token_passing; /* Try AFS token passing. */
|
||||||
#endif
|
#endif
|
||||||
int password_authentication; /* Try password
|
int password_authentication; /* Try password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
|
12
crypto/dist/ssh/scp.c
vendored
12
crypto/dist/ssh/scp.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: scp.c,v 1.22 2003/07/23 03:52:20 itojun Exp $ */
|
/* $NetBSD: scp.c,v 1.23 2003/07/24 15:31:54 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||||
* uses ssh to do the data transfer (instead of using rcmd).
|
* uses ssh to do the data transfer (instead of using rcmd).
|
||||||
@ -53,7 +53,11 @@
|
|||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
* notice, this list of conditions and the following disclaimer in the
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
* documentation and/or other materials provided with the distribution.
|
* documentation and/or other materials provided with the distribution.
|
||||||
* 3. Neither the name of the University nor the names of its contributors
|
* 3. All advertising materials mentioning features or use of this software
|
||||||
|
* must display the following acknowledgement:
|
||||||
|
* This product includes software developed by the University of
|
||||||
|
* California, Berkeley and its contributors.
|
||||||
|
* 4. Neither the name of the University nor the names of its contributors
|
||||||
* may be used to endorse or promote products derived from this software
|
* may be used to endorse or promote products derived from this software
|
||||||
* without specific prior written permission.
|
* without specific prior written permission.
|
||||||
*
|
*
|
||||||
@ -72,8 +76,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: scp.c,v 1.108 2003/07/18 01:54:25 deraadt Exp $");
|
RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $");
|
||||||
__RCSID("$NetBSD: scp.c,v 1.22 2003/07/23 03:52:20 itojun Exp $");
|
__RCSID("$NetBSD: scp.c,v 1.23 2003/07/24 15:31:54 itojun Exp $");
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "atomicio.h"
|
#include "atomicio.h"
|
||||||
|
62
crypto/dist/ssh/servconf.c
vendored
62
crypto/dist/ssh/servconf.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: servconf.c,v 1.25 2003/07/23 03:52:20 itojun Exp $ */
|
/* $NetBSD: servconf.c,v 1.26 2003/07/24 15:31:54 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
@ -11,8 +11,15 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
|
||||||
__RCSID("$NetBSD: servconf.c,v 1.25 2003/07/23 03:52:20 itojun Exp $");
|
__RCSID("$NetBSD: servconf.c,v 1.26 2003/07/24 15:31:54 itojun Exp $");
|
||||||
|
|
||||||
|
#if defined(KRB4) || defined(KRB5)
|
||||||
|
#include <krb.h>
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
#include <kafs.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -68,11 +75,16 @@ initialize_server_options(ServerOptions *options)
|
|||||||
options->hostbased_uses_name_from_packet_only = -1;
|
options->hostbased_uses_name_from_packet_only = -1;
|
||||||
options->rsa_authentication = -1;
|
options->rsa_authentication = -1;
|
||||||
options->pubkey_authentication = -1;
|
options->pubkey_authentication = -1;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
options->kerberos_authentication = -1;
|
options->kerberos_authentication = -1;
|
||||||
options->kerberos_or_local_passwd = -1;
|
options->kerberos_or_local_passwd = -1;
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
options->kerberos_tgt_passing = -1;
|
options->kerberos_tgt_passing = -1;
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
options->afs_token_passing = -1;
|
||||||
#endif
|
#endif
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
@ -174,15 +186,21 @@ fill_default_server_options(ServerOptions *options)
|
|||||||
options->rsa_authentication = 1;
|
options->rsa_authentication = 1;
|
||||||
if (options->pubkey_authentication == -1)
|
if (options->pubkey_authentication == -1)
|
||||||
options->pubkey_authentication = 1;
|
options->pubkey_authentication = 1;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
if (options->kerberos_authentication == -1)
|
if (options->kerberos_authentication == -1)
|
||||||
options->kerberos_authentication = 0;
|
options->kerberos_authentication = 0;
|
||||||
if (options->kerberos_or_local_passwd == -1)
|
if (options->kerberos_or_local_passwd == -1)
|
||||||
options->kerberos_or_local_passwd = 1;
|
options->kerberos_or_local_passwd = 1;
|
||||||
if (options->kerberos_ticket_cleanup == -1)
|
if (options->kerberos_ticket_cleanup == -1)
|
||||||
options->kerberos_ticket_cleanup = 1;
|
options->kerberos_ticket_cleanup = 1;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
if (options->kerberos_tgt_passing == -1)
|
if (options->kerberos_tgt_passing == -1)
|
||||||
options->kerberos_tgt_passing = 0;
|
options->kerberos_tgt_passing = 0;
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
if (options->afs_token_passing == -1)
|
||||||
|
options->afs_token_passing = 0;
|
||||||
#endif
|
#endif
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
@ -235,9 +253,14 @@ typedef enum {
|
|||||||
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
|
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
sKerberosTgtPassing,
|
sKerberosTgtPassing,
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
sAFSTokenPassing,
|
||||||
#endif
|
#endif
|
||||||
sChallengeResponseAuthentication,
|
sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
||||||
@ -253,7 +276,7 @@ typedef enum {
|
|||||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||||
sUsePrivilegeSeparation,
|
sUsePrivilegeSeparation,
|
||||||
sIgnoreRootRhosts,
|
sIgnoreRootRhosts,
|
||||||
sDeprecated, sUnsupported
|
sDeprecated
|
||||||
} ServerOpCodes;
|
} ServerOpCodes;
|
||||||
|
|
||||||
/* Textual representation of the tokens. */
|
/* Textual representation of the tokens. */
|
||||||
@ -278,18 +301,17 @@ static struct {
|
|||||||
{ "rsaauthentication", sRSAAuthentication },
|
{ "rsaauthentication", sRSAAuthentication },
|
||||||
{ "pubkeyauthentication", sPubkeyAuthentication },
|
{ "pubkeyauthentication", sPubkeyAuthentication },
|
||||||
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
|
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
{ "kerberosauthentication", sKerberosAuthentication },
|
{ "kerberosauthentication", sKerberosAuthentication },
|
||||||
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
|
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
|
||||||
{ "kerberosticketcleanup", sKerberosTicketCleanup },
|
{ "kerberosticketcleanup", sKerberosTicketCleanup },
|
||||||
{ "kerberostgtpassing", sKerberosTgtPassing },
|
|
||||||
#else
|
|
||||||
{ "kerberosauthentication", sUnsupported },
|
|
||||||
{ "kerberosorlocalpasswd", sUnsupported },
|
|
||||||
{ "kerberosticketcleanup", sUnsupported },
|
|
||||||
{ "kerberostgtpassing", sUnsupported },
|
|
||||||
#endif
|
#endif
|
||||||
{ "afstokenpassing", sUnsupported },
|
#if defined(AFS) || defined(KRB5)
|
||||||
|
{ "kerberostgtpassing", sKerberosTgtPassing },
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
{ "afstokenpassing", sAFSTokenPassing },
|
||||||
|
#endif
|
||||||
{ "passwordauthentication", sPasswordAuthentication },
|
{ "passwordauthentication", sPasswordAuthentication },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
|
||||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
|
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
|
||||||
@ -593,7 +615,7 @@ parse_flag:
|
|||||||
case sPubkeyAuthentication:
|
case sPubkeyAuthentication:
|
||||||
intptr = &options->pubkey_authentication;
|
intptr = &options->pubkey_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
case sKerberosAuthentication:
|
case sKerberosAuthentication:
|
||||||
intptr = &options->kerberos_authentication;
|
intptr = &options->kerberos_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@ -605,11 +627,17 @@ parse_flag:
|
|||||||
case sKerberosTicketCleanup:
|
case sKerberosTicketCleanup:
|
||||||
intptr = &options->kerberos_ticket_cleanup;
|
intptr = &options->kerberos_ticket_cleanup;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
case sKerberosTgtPassing:
|
case sKerberosTgtPassing:
|
||||||
intptr = &options->kerberos_tgt_passing;
|
intptr = &options->kerberos_tgt_passing;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
case sAFSTokenPassing:
|
||||||
|
intptr = &options->afs_token_passing;
|
||||||
|
goto parse_flag;
|
||||||
|
#endif
|
||||||
|
|
||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
|
11
crypto/dist/ssh/servconf.h
vendored
11
crypto/dist/ssh/servconf.h
vendored
@ -1,5 +1,5 @@
|
|||||||
/* $NetBSD: servconf.h,v 1.15 2003/07/23 03:52:21 itojun Exp $ */
|
/* $NetBSD: servconf.h,v 1.16 2003/07/24 15:31:54 itojun Exp $ */
|
||||||
/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
|
/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -77,7 +77,7 @@ typedef struct {
|
|||||||
int hostbased_uses_name_from_packet_only; /* experimental */
|
int hostbased_uses_name_from_packet_only; /* experimental */
|
||||||
int rsa_authentication; /* If true, permit RSA authentication. */
|
int rsa_authentication; /* If true, permit RSA authentication. */
|
||||||
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
int kerberos_authentication; /* If true, permit Kerberos
|
int kerberos_authentication; /* If true, permit Kerberos
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kerberos_or_local_passwd; /* If true, permit kerberos
|
int kerberos_or_local_passwd; /* If true, permit kerberos
|
||||||
@ -87,8 +87,13 @@ typedef struct {
|
|||||||
* /etc/passwd */
|
* /etc/passwd */
|
||||||
int kerberos_ticket_cleanup; /* If true, destroy ticket
|
int kerberos_ticket_cleanup; /* If true, destroy ticket
|
||||||
* file on logout. */
|
* file on logout. */
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
|
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
|
||||||
* passing. */
|
* passing. */
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
int afs_token_passing; /* If true, permit AFS token passing. */
|
||||||
#endif
|
#endif
|
||||||
int password_authentication; /* If true, permit password
|
int password_authentication; /* If true, permit password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
|
61
crypto/dist/ssh/session.c
vendored
61
crypto/dist/ssh/session.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: session.c,v 1.33 2003/07/23 03:52:21 itojun Exp $ */
|
/* $NetBSD: session.c,v 1.34 2003/07/24 15:31:54 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
@ -34,8 +34,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
|
||||||
__RCSID("$NetBSD: session.c,v 1.33 2003/07/23 03:52:21 itojun Exp $");
|
__RCSID("$NetBSD: session.c,v 1.34 2003/07/24 15:31:54 itojun Exp $");
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "ssh1.h"
|
#include "ssh1.h"
|
||||||
@ -213,6 +213,10 @@ do_authenticated(Authctxt *authctxt)
|
|||||||
/* remove agent socket */
|
/* remove agent socket */
|
||||||
if (auth_sock_name != NULL)
|
if (auth_sock_name != NULL)
|
||||||
auth_sock_cleanup_proc(authctxt->pw);
|
auth_sock_cleanup_proc(authctxt->pw);
|
||||||
|
#ifdef KRB4
|
||||||
|
if (options.kerberos_ticket_cleanup)
|
||||||
|
krb4_cleanup_proc(authctxt);
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
if (options.kerberos_ticket_cleanup)
|
if (options.kerberos_ticket_cleanup)
|
||||||
krb5_cleanup_proc(authctxt);
|
krb5_cleanup_proc(authctxt);
|
||||||
@ -325,7 +329,7 @@ do_authenticated1(Authctxt *authctxt)
|
|||||||
success = 1;
|
success = 1;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef KRB5
|
#if defined(AFS) || defined(KRB5)
|
||||||
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
case SSH_CMSG_HAVE_KERBEROS_TGT:
|
||||||
if (!options.kerberos_tgt_passing) {
|
if (!options.kerberos_tgt_passing) {
|
||||||
verbose("Kerberos TGT passing disabled.");
|
verbose("Kerberos TGT passing disabled.");
|
||||||
@ -333,8 +337,9 @@ do_authenticated1(Authctxt *authctxt)
|
|||||||
char *kdata = packet_get_string(&dlen);
|
char *kdata = packet_get_string(&dlen);
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
|
|
||||||
/* XXX - 0x41, used for AFS */
|
/* XXX - 0x41, see creds_to_radix version */
|
||||||
if (kdata[0] != 0x41) {
|
if (kdata[0] != 0x41) {
|
||||||
|
#ifdef KRB5
|
||||||
krb5_data tgt;
|
krb5_data tgt;
|
||||||
tgt.data = kdata;
|
tgt.data = kdata;
|
||||||
tgt.length = dlen;
|
tgt.length = dlen;
|
||||||
@ -343,11 +348,38 @@ do_authenticated1(Authctxt *authctxt)
|
|||||||
success = 1;
|
success = 1;
|
||||||
else
|
else
|
||||||
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
|
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
|
||||||
|
#endif /* KRB5 */
|
||||||
|
} else {
|
||||||
|
#ifdef AFS
|
||||||
|
if (auth_krb4_tgt(s->authctxt, kdata))
|
||||||
|
success = 1;
|
||||||
|
else
|
||||||
|
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
|
||||||
|
#endif /* AFS */
|
||||||
}
|
}
|
||||||
xfree(kdata);
|
xfree(kdata);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif /* AFS || KRB5 */
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
case SSH_CMSG_HAVE_AFS_TOKEN:
|
||||||
|
if (!options.afs_token_passing || !k_hasafs()) {
|
||||||
|
verbose("AFS token passing disabled.");
|
||||||
|
} else {
|
||||||
|
/* Accept AFS token. */
|
||||||
|
char *token = packet_get_string(&dlen);
|
||||||
|
packet_check_eom();
|
||||||
|
|
||||||
|
if (auth_afs_token(s->authctxt, token))
|
||||||
|
success = 1;
|
||||||
|
else
|
||||||
|
verbose("AFS token refused for %.100s",
|
||||||
|
s->authctxt->user);
|
||||||
|
xfree(token);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
#endif /* AFS */
|
||||||
|
|
||||||
case SSH_CMSG_EXEC_SHELL:
|
case SSH_CMSG_EXEC_SHELL:
|
||||||
case SSH_CMSG_EXEC_CMD:
|
case SSH_CMSG_EXEC_CMD:
|
||||||
@ -945,6 +977,11 @@ do_setup_env(Session *s, const char *shell)
|
|||||||
if (original_command)
|
if (original_command)
|
||||||
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
|
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
|
||||||
original_command);
|
original_command);
|
||||||
|
#ifdef KRB4
|
||||||
|
if (s->authctxt->krb4_ticket_file)
|
||||||
|
child_set_env(&env, &envsize, "KRBTKFILE",
|
||||||
|
s->authctxt->krb4_ticket_file);
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
if (s->authctxt->krb5_ticket_file)
|
if (s->authctxt->krb5_ticket_file)
|
||||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||||
@ -1204,6 +1241,18 @@ do_child(Session *s, const char *command)
|
|||||||
*/
|
*/
|
||||||
environ = env;
|
environ = env;
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
/* Try to get AFS tokens for the local cell. */
|
||||||
|
if (k_hasafs()) {
|
||||||
|
char cell[64];
|
||||||
|
|
||||||
|
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
|
||||||
|
krb_afslog(cell, 0);
|
||||||
|
|
||||||
|
krb_afslog(0, 0);
|
||||||
|
}
|
||||||
|
#endif /* AFS */
|
||||||
|
|
||||||
/* Change current directory to the user\'s home directory. */
|
/* Change current directory to the user\'s home directory. */
|
||||||
if (chdir(pw->pw_dir) < 0) {
|
if (chdir(pw->pw_dir) < 0) {
|
||||||
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
|
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
|
||||||
|
6
crypto/dist/ssh/ssh.1
vendored
6
crypto/dist/ssh/ssh.1
vendored
@ -1,4 +1,4 @@
|
|||||||
.\" $NetBSD: ssh.1,v 1.27 2003/07/23 03:52:21 itojun Exp $
|
.\" $NetBSD: ssh.1,v 1.28 2003/07/24 15:31:55 itojun Exp $
|
||||||
.\" -*- nroff -*-
|
.\" -*- nroff -*-
|
||||||
.\"
|
.\"
|
||||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -35,7 +35,7 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
|
.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
|
||||||
.Dd September 25, 1999
|
.Dd September 25, 1999
|
||||||
.Dt SSH 1
|
.Dt SSH 1
|
||||||
.Os
|
.Os
|
||||||
@ -494,7 +494,7 @@ the device
|
|||||||
should use to communicate with a smartcard used for storing the user's
|
should use to communicate with a smartcard used for storing the user's
|
||||||
private RSA key.
|
private RSA key.
|
||||||
.It Fl k
|
.It Fl k
|
||||||
Disables forwarding of Kerberos tickets.
|
Disables forwarding of Kerberos tickets and AFS tokens.
|
||||||
This may also be specified on a per-host basis in the configuration file.
|
This may also be specified on a per-host basis in the configuration file.
|
||||||
.It Fl l Ar login_name
|
.It Fl l Ar login_name
|
||||||
Specifies the user to log in as on the remote machine.
|
Specifies the user to log in as on the remote machine.
|
||||||
|
17
crypto/dist/ssh/ssh.c
vendored
17
crypto/dist/ssh/ssh.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: ssh.c,v 1.29 2003/07/23 03:52:22 itojun Exp $ */
|
/* $NetBSD: ssh.c,v 1.30 2003/07/24 15:31:55 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -41,8 +41,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $");
|
||||||
__RCSID("$NetBSD: ssh.c,v 1.29 2003/07/23 03:52:22 itojun Exp $");
|
__RCSID("$NetBSD: ssh.c,v 1.30 2003/07/24 15:31:55 itojun Exp $");
|
||||||
|
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
@ -156,7 +156,9 @@ usage(void)
|
|||||||
_PATH_SSH_USER_CONFFILE);
|
_PATH_SSH_USER_CONFFILE);
|
||||||
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
|
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
|
||||||
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
|
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
|
||||||
fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n");
|
#ifdef AFS
|
||||||
|
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
|
||||||
|
#endif /* AFS */
|
||||||
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
|
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
|
||||||
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
|
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
|
||||||
fprintf(stderr, " -i file Identity for public key authentication "
|
fprintf(stderr, " -i file Identity for public key authentication "
|
||||||
@ -301,13 +303,12 @@ again:
|
|||||||
case 'A':
|
case 'A':
|
||||||
options.forward_agent = 1;
|
options.forward_agent = 1;
|
||||||
break;
|
break;
|
||||||
|
#ifdef AFS
|
||||||
case 'k':
|
case 'k':
|
||||||
#ifdef KRB5
|
|
||||||
options.kerberos_tgt_passing = 0;
|
options.kerberos_tgt_passing = 0;
|
||||||
#else
|
options.afs_token_passing = 0;
|
||||||
fprintf(stderr, "no support for kerberos.\n");
|
|
||||||
#endif
|
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
case 'i':
|
case 'i':
|
||||||
if (stat(optarg, &st) < 0) {
|
if (stat(optarg, &st) < 0) {
|
||||||
fprintf(stderr, "Warning: Identity file %s "
|
fprintf(stderr, "Warning: Identity file %s "
|
||||||
|
7
crypto/dist/ssh/ssh.h
vendored
7
crypto/dist/ssh/ssh.h
vendored
@ -1,5 +1,5 @@
|
|||||||
/* $NetBSD: ssh.h,v 1.11 2003/07/23 03:52:22 itojun Exp $ */
|
/* $NetBSD: ssh.h,v 1.12 2003/07/24 15:31:55 itojun Exp $ */
|
||||||
/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
|
/* $OpenBSD: ssh.h,v 1.71 2002/06/22 02:00:29 stevesk Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -80,6 +80,9 @@
|
|||||||
*/
|
*/
|
||||||
#define SSH_SESSION_KEY_LENGTH 32
|
#define SSH_SESSION_KEY_LENGTH 32
|
||||||
|
|
||||||
|
/* Name of Kerberos service for SSH to use. */
|
||||||
|
#define KRB4_SERVICE_NAME "rcmd"
|
||||||
|
|
||||||
/* Used to identify ``EscapeChar none'' */
|
/* Used to identify ``EscapeChar none'' */
|
||||||
#define SSH_ESCAPECHAR_NONE -2
|
#define SSH_ESCAPECHAR_NONE -2
|
||||||
|
|
||||||
|
12
crypto/dist/ssh/ssh_config.5
vendored
12
crypto/dist/ssh/ssh_config.5
vendored
@ -1,4 +1,4 @@
|
|||||||
.\" $NetBSD: ssh_config.5,v 1.5 2003/07/23 03:52:22 itojun Exp $
|
.\" $NetBSD: ssh_config.5,v 1.6 2003/07/24 15:31:55 itojun Exp $
|
||||||
.\" -*- nroff -*-
|
.\" -*- nroff -*-
|
||||||
.\"
|
.\"
|
||||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -35,7 +35,7 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
|
.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
|
||||||
.Dd September 25, 1999
|
.Dd September 25, 1999
|
||||||
.Dt SSH_CONFIG 5
|
.Dt SSH_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
@ -116,6 +116,13 @@ The host is the
|
|||||||
.Ar hostname
|
.Ar hostname
|
||||||
argument given on the command line (i.e., the name is not converted to
|
argument given on the command line (i.e., the name is not converted to
|
||||||
a canonicalized host name before matching).
|
a canonicalized host name before matching).
|
||||||
|
.It Cm AFSTokenPassing
|
||||||
|
Specifies whether to pass AFS tokens to remote host.
|
||||||
|
The argument to this keyword must be
|
||||||
|
.Dq yes
|
||||||
|
or
|
||||||
|
.Dq no .
|
||||||
|
This option applies to protocol version 1 only.
|
||||||
.It Cm BatchMode
|
.It Cm BatchMode
|
||||||
If set to
|
If set to
|
||||||
.Dq yes ,
|
.Dq yes ,
|
||||||
@ -372,6 +379,7 @@ or
|
|||||||
.Dq no .
|
.Dq no .
|
||||||
.It Cm KerberosTgtPassing
|
.It Cm KerberosTgtPassing
|
||||||
Specifies whether a Kerberos TGT will be forwarded to the server.
|
Specifies whether a Kerberos TGT will be forwarded to the server.
|
||||||
|
This will only work if the Kerberos server is actually an AFS kaserver.
|
||||||
The argument to this keyword must be
|
The argument to this keyword must be
|
||||||
.Dq yes
|
.Dq yes
|
||||||
or
|
or
|
||||||
|
291
crypto/dist/ssh/sshconnect1.c
vendored
291
crypto/dist/ssh/sshconnect1.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: sshconnect1.c,v 1.25 2003/07/23 03:52:22 itojun Exp $ */
|
/* $NetBSD: sshconnect1.c,v 1.26 2003/07/24 15:31:55 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -14,15 +14,22 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
|
||||||
__RCSID("$NetBSD: sshconnect1.c,v 1.25 2003/07/23 03:52:22 itojun Exp $");
|
__RCSID("$NetBSD: sshconnect1.c,v 1.26 2003/07/24 15:31:55 itojun Exp $");
|
||||||
|
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#include <openssl/md5.h>
|
#include <openssl/md5.h>
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
#include <krb.h>
|
||||||
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
#include <krb5.h>
|
#include <krb5.h>
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
#include <kafs.h>
|
||||||
|
#include "radix.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "ssh1.h"
|
#include "ssh1.h"
|
||||||
@ -372,6 +379,128 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
static int
|
||||||
|
try_krb4_authentication(void)
|
||||||
|
{
|
||||||
|
KTEXT_ST auth; /* Kerberos data */
|
||||||
|
char *reply;
|
||||||
|
char inst[INST_SZ];
|
||||||
|
char *realm;
|
||||||
|
CREDENTIALS cred;
|
||||||
|
int r, type;
|
||||||
|
socklen_t slen;
|
||||||
|
Key_schedule schedule;
|
||||||
|
u_long checksum, cksum;
|
||||||
|
MSG_DAT msg_data;
|
||||||
|
struct sockaddr_in local, foreign;
|
||||||
|
struct stat st;
|
||||||
|
|
||||||
|
/* Don't do anything if we don't have any tickets. */
|
||||||
|
if (stat(tkt_string(), &st) < 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
|
||||||
|
INST_SZ);
|
||||||
|
|
||||||
|
realm = (char *)krb_realmofhost(get_canonical_hostname(1));
|
||||||
|
if (!realm) {
|
||||||
|
debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
/* This can really be anything. */
|
||||||
|
checksum = (u_long)getpid();
|
||||||
|
|
||||||
|
r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
|
||||||
|
if (r != KSUCCESS) {
|
||||||
|
debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
/* Get session key to decrypt the server's reply with. */
|
||||||
|
r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
|
||||||
|
if (r != KSUCCESS) {
|
||||||
|
debug("get_cred failed: %s", krb_err_txt[r]);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
des_key_sched((des_cblock *) cred.session, schedule);
|
||||||
|
|
||||||
|
/* Send authentication info to server. */
|
||||||
|
packet_start(SSH_CMSG_AUTH_KERBEROS);
|
||||||
|
packet_put_string((char *) auth.dat, auth.length);
|
||||||
|
packet_send();
|
||||||
|
packet_write_wait();
|
||||||
|
|
||||||
|
/* Zero the buffer. */
|
||||||
|
(void) memset(auth.dat, 0, MAX_KTXT_LEN);
|
||||||
|
|
||||||
|
slen = sizeof(local);
|
||||||
|
memset(&local, 0, sizeof(local));
|
||||||
|
if (getsockname(packet_get_connection_in(),
|
||||||
|
(struct sockaddr *)&local, &slen) < 0)
|
||||||
|
debug("getsockname failed: %s", strerror(errno));
|
||||||
|
|
||||||
|
slen = sizeof(foreign);
|
||||||
|
memset(&foreign, 0, sizeof(foreign));
|
||||||
|
if (getpeername(packet_get_connection_in(),
|
||||||
|
(struct sockaddr *)&foreign, &slen) < 0) {
|
||||||
|
debug("getpeername failed: %s", strerror(errno));
|
||||||
|
fatal_cleanup();
|
||||||
|
}
|
||||||
|
/* Get server reply. */
|
||||||
|
type = packet_read();
|
||||||
|
switch (type) {
|
||||||
|
case SSH_SMSG_FAILURE:
|
||||||
|
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
|
||||||
|
debug("Kerberos v4 authentication failed.");
|
||||||
|
return 0;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
|
||||||
|
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
|
||||||
|
debug("Kerberos v4 authentication accepted.");
|
||||||
|
|
||||||
|
/* Get server's response. */
|
||||||
|
reply = packet_get_string((u_int *) &auth.length);
|
||||||
|
if (auth.length >= MAX_KTXT_LEN)
|
||||||
|
fatal("Kerberos v4: Malformed response from server");
|
||||||
|
memcpy(auth.dat, reply, auth.length);
|
||||||
|
xfree(reply);
|
||||||
|
|
||||||
|
packet_check_eom();
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If his response isn't properly encrypted with the session
|
||||||
|
* key, and the decrypted checksum fails to match, he's
|
||||||
|
* bogus. Bail out.
|
||||||
|
*/
|
||||||
|
r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
|
||||||
|
&foreign, &local, &msg_data);
|
||||||
|
if (r != KSUCCESS) {
|
||||||
|
debug("Kerberos v4 krb_rd_priv failed: %s",
|
||||||
|
krb_err_txt[r]);
|
||||||
|
packet_disconnect("Kerberos v4 challenge failed!");
|
||||||
|
}
|
||||||
|
/* Fetch the (incremented) checksum that we supplied in the request. */
|
||||||
|
memcpy((char *)&cksum, (char *)msg_data.app_data,
|
||||||
|
sizeof(cksum));
|
||||||
|
cksum = ntohl(cksum);
|
||||||
|
|
||||||
|
/* If it matches, we're golden. */
|
||||||
|
if (cksum == checksum + 1) {
|
||||||
|
debug("Kerberos v4 challenge successful.");
|
||||||
|
return 1;
|
||||||
|
} else
|
||||||
|
packet_disconnect("Kerberos v4 challenge failed!");
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* KRB4 */
|
||||||
|
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
static int
|
static int
|
||||||
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
|
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
|
||||||
@ -556,6 +685,129 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
|
|||||||
}
|
}
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
static void
|
||||||
|
send_krb4_tgt(void)
|
||||||
|
{
|
||||||
|
CREDENTIALS *creds;
|
||||||
|
struct stat st;
|
||||||
|
char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
|
||||||
|
int problem, type;
|
||||||
|
|
||||||
|
/* Don't do anything if we don't have any tickets. */
|
||||||
|
if (stat(tkt_string(), &st) < 0)
|
||||||
|
return;
|
||||||
|
|
||||||
|
creds = xmalloc(sizeof(*creds));
|
||||||
|
|
||||||
|
problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
|
||||||
|
if (problem)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
problem = krb_get_cred("krbtgt", prealm, prealm, creds);
|
||||||
|
if (problem)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
|
||||||
|
problem = RD_AP_EXP;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
|
||||||
|
|
||||||
|
packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
|
||||||
|
packet_put_cstring(buffer);
|
||||||
|
packet_send();
|
||||||
|
packet_write_wait();
|
||||||
|
|
||||||
|
type = packet_read();
|
||||||
|
|
||||||
|
if (type == SSH_SMSG_SUCCESS)
|
||||||
|
debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
|
||||||
|
creds->pname, creds->pinst[0] ? "." : "",
|
||||||
|
creds->pinst, creds->realm);
|
||||||
|
else
|
||||||
|
debug("Kerberos v4 TGT rejected.");
|
||||||
|
|
||||||
|
xfree(creds);
|
||||||
|
return;
|
||||||
|
|
||||||
|
out:
|
||||||
|
debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
|
||||||
|
xfree(creds);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
send_afs_tokens(void)
|
||||||
|
{
|
||||||
|
CREDENTIALS creds;
|
||||||
|
struct ViceIoctl parms;
|
||||||
|
struct ClearToken ct;
|
||||||
|
int i, type, len;
|
||||||
|
char buf[2048], *p, *server_cell;
|
||||||
|
char buffer[8192];
|
||||||
|
|
||||||
|
/* Move over ktc_GetToken, here's something leaner. */
|
||||||
|
for (i = 0; i < 100; i++) { /* just in case */
|
||||||
|
parms.in = (char *) &i;
|
||||||
|
parms.in_size = sizeof(i);
|
||||||
|
parms.out = buf;
|
||||||
|
parms.out_size = sizeof(buf);
|
||||||
|
if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
|
||||||
|
break;
|
||||||
|
p = buf;
|
||||||
|
|
||||||
|
/* Get secret token. */
|
||||||
|
memcpy(&creds.ticket_st.length, p, sizeof(u_int));
|
||||||
|
if (creds.ticket_st.length > MAX_KTXT_LEN)
|
||||||
|
break;
|
||||||
|
p += sizeof(u_int);
|
||||||
|
memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
|
||||||
|
p += creds.ticket_st.length;
|
||||||
|
|
||||||
|
/* Get clear token. */
|
||||||
|
memcpy(&len, p, sizeof(len));
|
||||||
|
if (len != sizeof(struct ClearToken))
|
||||||
|
break;
|
||||||
|
p += sizeof(len);
|
||||||
|
memcpy(&ct, p, len);
|
||||||
|
p += len;
|
||||||
|
p += sizeof(len); /* primary flag */
|
||||||
|
server_cell = p;
|
||||||
|
|
||||||
|
/* Flesh out our credentials. */
|
||||||
|
strlcpy(creds.service, "afs", sizeof(creds.service));
|
||||||
|
creds.instance[0] = '\0';
|
||||||
|
strlcpy(creds.realm, server_cell, REALM_SZ);
|
||||||
|
memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
|
||||||
|
creds.issue_date = ct.BeginTimestamp;
|
||||||
|
creds.lifetime = krb_time_to_life(creds.issue_date,
|
||||||
|
ct.EndTimestamp);
|
||||||
|
creds.kvno = ct.AuthHandle;
|
||||||
|
snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
|
||||||
|
creds.pinst[0] = '\0';
|
||||||
|
|
||||||
|
/* Encode token, ship it off. */
|
||||||
|
if (creds_to_radix(&creds, (u_char *)buffer,
|
||||||
|
sizeof(buffer)) <= 0)
|
||||||
|
break;
|
||||||
|
packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
|
||||||
|
packet_put_cstring(buffer);
|
||||||
|
packet_send();
|
||||||
|
packet_write_wait();
|
||||||
|
|
||||||
|
/* Roger, Roger. Clearance, Clarence. What's your vector,
|
||||||
|
Victor? */
|
||||||
|
type = packet_read();
|
||||||
|
|
||||||
|
if (type == SSH_SMSG_FAILURE)
|
||||||
|
debug("AFS token for cell %s rejected.", server_cell);
|
||||||
|
else if (type != SSH_SMSG_SUCCESS)
|
||||||
|
packet_disconnect("Protocol error on AFS token response: %d", type);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* AFS */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Tries to authenticate with any string-based challenge/response system.
|
* Tries to authenticate with any string-based challenge/response system.
|
||||||
* Note that the client code is not tied to s/key or TIS.
|
* Note that the client code is not tied to s/key or TIS.
|
||||||
@ -887,6 +1139,21 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
|
|||||||
}
|
}
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
|
|
||||||
|
#ifdef KRB4
|
||||||
|
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
|
||||||
|
options.kerberos_authentication) {
|
||||||
|
debug("Trying Kerberos v4 authentication.");
|
||||||
|
|
||||||
|
if (try_krb4_authentication()) {
|
||||||
|
type = packet_read();
|
||||||
|
if (type == SSH_SMSG_SUCCESS)
|
||||||
|
goto success;
|
||||||
|
if (type != SSH_SMSG_FAILURE)
|
||||||
|
packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* KRB4 */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Use rhosts authentication if running in privileged socket and we
|
* Use rhosts authentication if running in privileged socket and we
|
||||||
* do not wish to remain anonymous.
|
* do not wish to remain anonymous.
|
||||||
@ -973,5 +1240,23 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
|
|||||||
if (context)
|
if (context)
|
||||||
krb5_free_context(context);
|
krb5_free_context(context);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef AFS
|
||||||
|
/* Try Kerberos v4 TGT passing if the server supports it. */
|
||||||
|
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
|
||||||
|
options.kerberos_tgt_passing) {
|
||||||
|
if (options.cipher == SSH_CIPHER_NONE)
|
||||||
|
logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
|
||||||
|
send_krb4_tgt();
|
||||||
|
}
|
||||||
|
/* Try AFS token passing if the server supports it. */
|
||||||
|
if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
|
||||||
|
options.afs_token_passing && k_hasafs()) {
|
||||||
|
if (options.cipher == SSH_CIPHER_NONE)
|
||||||
|
logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
|
||||||
|
send_afs_tokens();
|
||||||
|
}
|
||||||
|
#endif /* AFS */
|
||||||
|
|
||||||
return; /* need statement after label */
|
return; /* need statement after label */
|
||||||
}
|
}
|
||||||
|
28
crypto/dist/ssh/sshd.c
vendored
28
crypto/dist/ssh/sshd.c
vendored
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: sshd.c,v 1.33 2003/07/23 21:25:08 itojun Exp $ */
|
/* $NetBSD: sshd.c,v 1.34 2003/07/24 15:31:56 itojun Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -43,8 +43,8 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
|
RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
|
||||||
__RCSID("$NetBSD: sshd.c,v 1.33 2003/07/23 21:25:08 itojun Exp $");
|
__RCSID("$NetBSD: sshd.c,v 1.34 2003/07/24 15:31:56 itojun Exp $");
|
||||||
|
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
@ -1424,6 +1424,20 @@ main(int ac, char **av)
|
|||||||
"originating port %d not trusted.", remote_port);
|
"originating port %d not trusted.", remote_port);
|
||||||
options.rhosts_authentication = 0;
|
options.rhosts_authentication = 0;
|
||||||
}
|
}
|
||||||
|
#if defined(KRB4) && !defined(KRB5)
|
||||||
|
if (!packet_connection_is_ipv4() &&
|
||||||
|
options.kerberos_authentication) {
|
||||||
|
debug("Kerberos Authentication disabled, only available for IPv4.");
|
||||||
|
options.kerberos_authentication = 0;
|
||||||
|
}
|
||||||
|
#endif /* KRB4 && !KRB5 */
|
||||||
|
#ifdef AFS
|
||||||
|
/* If machine has AFS, set process authentication group. */
|
||||||
|
if (k_hasafs()) {
|
||||||
|
k_setpag();
|
||||||
|
k_unlog();
|
||||||
|
}
|
||||||
|
#endif /* AFS */
|
||||||
|
|
||||||
packet_set_nonblocking();
|
packet_set_nonblocking();
|
||||||
|
|
||||||
@ -1581,11 +1595,17 @@ do_ssh1_kex(void)
|
|||||||
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
|
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
|
||||||
if (options.rsa_authentication)
|
if (options.rsa_authentication)
|
||||||
auth_mask |= 1 << SSH_AUTH_RSA;
|
auth_mask |= 1 << SSH_AUTH_RSA;
|
||||||
#ifdef KRB5
|
#if defined(KRB4) || defined(KRB5)
|
||||||
if (options.kerberos_authentication)
|
if (options.kerberos_authentication)
|
||||||
auth_mask |= 1 << SSH_AUTH_KERBEROS;
|
auth_mask |= 1 << SSH_AUTH_KERBEROS;
|
||||||
|
#endif
|
||||||
|
#if defined(AFS) || defined(KRB5)
|
||||||
if (options.kerberos_tgt_passing)
|
if (options.kerberos_tgt_passing)
|
||||||
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
|
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
|
||||||
|
#endif
|
||||||
|
#ifdef AFS
|
||||||
|
if (options.afs_token_passing)
|
||||||
|
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
|
||||||
#endif
|
#endif
|
||||||
if (options.challenge_response_authentication == 1)
|
if (options.challenge_response_authentication == 1)
|
||||||
auth_mask |= 1 << SSH_AUTH_TIS;
|
auth_mask |= 1 << SSH_AUTH_TIS;
|
||||||
|
4
crypto/dist/ssh/sshd_config
vendored
4
crypto/dist/ssh/sshd_config
vendored
@ -1,4 +1,4 @@
|
|||||||
# $NetBSD: sshd_config,v 1.17 2003/07/23 03:52:23 itojun Exp $
|
# $NetBSD: sshd_config,v 1.18 2003/07/24 15:31:56 itojun Exp $
|
||||||
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
|
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
|
||||||
|
|
||||||
# This is the sshd server system-wide configuration file. See
|
# This is the sshd server system-wide configuration file. See
|
||||||
@ -64,6 +64,8 @@
|
|||||||
#KerberosOrLocalPasswd yes
|
#KerberosOrLocalPasswd yes
|
||||||
#KerberosTicketCleanup yes
|
#KerberosTicketCleanup yes
|
||||||
|
|
||||||
|
#AFSTokenPassing no
|
||||||
|
|
||||||
# Kerberos TGT Passing only works with the AFS kaserver
|
# Kerberos TGT Passing only works with the AFS kaserver
|
||||||
#KerberosTgtPassing no
|
#KerberosTgtPassing no
|
||||||
|
|
||||||
|
9
crypto/dist/ssh/sshd_config.5
vendored
9
crypto/dist/ssh/sshd_config.5
vendored
@ -1,4 +1,4 @@
|
|||||||
.\" $NetBSD: sshd_config.5,v 1.6 2003/07/23 03:52:23 itojun Exp $
|
.\" $NetBSD: sshd_config.5,v 1.7 2003/07/24 15:31:56 itojun Exp $
|
||||||
.\" -*- nroff -*-
|
.\" -*- nroff -*-
|
||||||
.\"
|
.\"
|
||||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -62,6 +62,10 @@ The possible
|
|||||||
keywords and their meanings are as follows (note that
|
keywords and their meanings are as follows (note that
|
||||||
keywords are case-insensitive and arguments are case-sensitive):
|
keywords are case-insensitive and arguments are case-sensitive):
|
||||||
.Bl -tag -width Ds
|
.Bl -tag -width Ds
|
||||||
|
.It Cm AFSTokenPassing
|
||||||
|
Specifies whether an AFS token may be forwarded to the server.
|
||||||
|
Default is
|
||||||
|
.Dq no .
|
||||||
.It Cm AllowGroups
|
.It Cm AllowGroups
|
||||||
This keyword can be followed by a list of group name patterns, separated
|
This keyword can be followed by a list of group name patterns, separated
|
||||||
by spaces.
|
by spaces.
|
||||||
@ -325,7 +329,8 @@ Default is
|
|||||||
.It Cm KerberosTgtPassing
|
.It Cm KerberosTgtPassing
|
||||||
Specifies whether a Kerberos TGT may be forwarded to the server.
|
Specifies whether a Kerberos TGT may be forwarded to the server.
|
||||||
Default is
|
Default is
|
||||||
.Dq no .
|
.Dq no ,
|
||||||
|
as this only works when the Kerberos KDC is actually an AFS kaserver.
|
||||||
.It Cm KerberosTicketCleanup
|
.It Cm KerberosTicketCleanup
|
||||||
Specifies whether to automatically destroy the user's ticket cache
|
Specifies whether to automatically destroy the user's ticket cache
|
||||||
file on logout.
|
file on logout.
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# $NetBSD: Makefile,v 1.17 2003/07/23 03:52:25 itojun Exp $
|
# $NetBSD: Makefile,v 1.18 2003/07/24 15:31:57 itojun Exp $
|
||||||
|
|
||||||
NOLINT= # defined
|
NOLINT= # defined
|
||||||
NOMAN= # defined
|
NOMAN= # defined
|
||||||
@ -25,8 +25,9 @@ SRCS+= readpassphrase.c getpeereid.c
|
|||||||
libinstall::
|
libinstall::
|
||||||
|
|
||||||
.if (${USE_KERBEROS} != "no")
|
.if (${USE_KERBEROS} != "no")
|
||||||
CPPFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/krb5
|
CPPFLAGS+= -DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||||
#SRCS+= radix.c
|
CPPFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
|
||||||
|
SRCS+= radix.c
|
||||||
.endif
|
.endif
|
||||||
|
|
||||||
.include <bsd.lib.mk>
|
.include <bsd.lib.mk>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# $NetBSD: Makefile,v 1.15 2003/07/23 08:00:52 itojun Exp $
|
# $NetBSD: Makefile,v 1.16 2003/07/24 15:31:57 itojun Exp $
|
||||||
|
|
||||||
.include <bsd.own.mk>
|
.include <bsd.own.mk>
|
||||||
|
|
||||||
@ -12,9 +12,13 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
|
|||||||
sshconnect.c sshconnect1.c sshconnect2.c
|
sshconnect.c sshconnect1.c sshconnect2.c
|
||||||
|
|
||||||
.if (${USE_KERBEROS} != "no")
|
.if (${USE_KERBEROS} != "no")
|
||||||
CPPFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/krb5
|
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||||
LDADD+= -lkrb5 -lasn1 -lcom_err -lroken
|
LDADD+= -lkrb5 -lkafs -lasn1
|
||||||
DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}
|
DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
|
||||||
|
|
||||||
|
CPPFLAGS+=-DKRB4 -I${DESTDIR}/usr/include/kerberosIV
|
||||||
|
LDADD+= -lkrb -lcom_err -lroken
|
||||||
|
DPADD+= ${LIBKRB} ${LIBCOM_ERR} ${LIBROKEN}
|
||||||
.endif
|
.endif
|
||||||
|
|
||||||
.include <bsd.prog.mk>
|
.include <bsd.prog.mk>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# $NetBSD: Makefile,v 1.17 2003/07/23 03:52:27 itojun Exp $
|
# $NetBSD: Makefile,v 1.18 2003/07/24 15:31:57 itojun Exp $
|
||||||
|
|
||||||
.include <bsd.own.mk>
|
.include <bsd.own.mk>
|
||||||
|
|
||||||
@ -19,8 +19,13 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
|
|||||||
.if (${USE_KERBEROS} != "no")
|
.if (${USE_KERBEROS} != "no")
|
||||||
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
|
||||||
SRCS+= auth-krb5.c auth2-krb5.c
|
SRCS+= auth-krb5.c auth2-krb5.c
|
||||||
LDADD+= -lkrb5 -lasn1 -lcom_err -lroken
|
LDADD+= -lkrb5 -lkafs -lasn1
|
||||||
DPADD+= ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}
|
DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
|
||||||
|
|
||||||
|
CPPFLAGS+=-DKRB4 -I${DESTDIR}/usr/include/kerberosIV
|
||||||
|
SRCS+= auth-krb4.c
|
||||||
|
LDADD+= -lkrb -lcom_err -lroken
|
||||||
|
DPADD+= ${LIBKRB} ${LIBCOM_ERR} ${LIBROKEN}
|
||||||
.endif
|
.endif
|
||||||
|
|
||||||
.include <bsd.prog.mk>
|
.include <bsd.prog.mk>
|
||||||
|
Loading…
Reference in New Issue
Block a user