]> andersk Git - gssapi-openssh.git/blame - openssh/sshconnect1.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
merging in Simon Wilkinson's latest patch (openssh-3.1p1-gssapi-20020323.diff)
[gssapi-openssh.git] / openssh / sshconnect1.c
CommitLineData
3c0ef626 1/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 * Code to connect to a remote host, and to perform the client side of the
6 * login (authentication) dialog.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 */
14
15#include "includes.h"
e9702f7d 16RCSID("$OpenBSD: sshconnect1.c,v 1.48 2002/02/11 16:15:46 markus Exp $");
3c0ef626 17
18#include <openssl/bn.h>
e9702f7d 19#include <openssl/md5.h>
3c0ef626 20
21#ifdef KRB4
22#include <krb.h>
23#endif
24#ifdef KRB5
25#include <krb5.h>
63119dd9 26#ifndef HEIMDAL
27#define krb5_get_err_text(context,code) error_message(code)
28#endif /* !HEIMDAL */
3c0ef626 29#endif
30#ifdef AFS
31#include <kafs.h>
32#include "radix.h"
33#endif
34
35#include "ssh.h"
36#include "ssh1.h"
37#include "xmalloc.h"
38#include "rsa.h"
39#include "buffer.h"
40#include "packet.h"
41#include "mpaux.h"
42#include "uidswap.h"
43#include "log.h"
44#include "readconf.h"
45#include "key.h"
46#include "authfd.h"
47#include "sshconnect.h"
48#include "authfile.h"
49#include "readpass.h"
50#include "cipher.h"
51#include "canohost.h"
52#include "auth.h"
53
54/* Session id for the current session. */
55u_char session_id[16];
56u_int supported_authentications = 0;
57
58extern Options options;
59extern char *__progname;
60
61/*
62 * Checks if the user has an authentication agent, and if so, tries to
63 * authenticate using the agent.
64 */
65static int
66try_agent_authentication(void)
67{
68 int type;
69 char *comment;
70 AuthenticationConnection *auth;
71 u_char response[16];
72 u_int i;
3c0ef626 73 Key *key;
74 BIGNUM *challenge;
75
76 /* Get connection to the agent. */
77 auth = ssh_get_authentication_connection();
78 if (!auth)
79 return 0;
80
e9702f7d 81 if ((challenge = BN_new()) == NULL)
82 fatal("try_agent_authentication: BN_new failed");
3c0ef626 83 /* Loop through identities served by the agent. */
84 for (key = ssh_get_first_identity(auth, &comment, 1);
e9702f7d 85 key != NULL;
86 key = ssh_get_next_identity(auth, &comment, 1)) {
3c0ef626 87
88 /* Try this identity. */
89 debug("Trying RSA authentication via agent with '%.100s'", comment);
90 xfree(comment);
91
92 /* Tell the server that we are willing to authenticate using this key. */
93 packet_start(SSH_CMSG_AUTH_RSA);
94 packet_put_bignum(key->rsa->n);
95 packet_send();
96 packet_write_wait();
97
98 /* Wait for server's response. */
e9702f7d 99 type = packet_read();
3c0ef626 100
101 /* The server sends failure if it doesn\'t like our key or
102 does not support RSA authentication. */
103 if (type == SSH_SMSG_FAILURE) {
104 debug("Server refused our key.");
105 key_free(key);
106 continue;
107 }
108 /* Otherwise it should have sent a challenge. */
109 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
110 packet_disconnect("Protocol error during RSA authentication: %d",
111 type);
112
e9702f7d 113 packet_get_bignum(challenge);
114 packet_check_eom();
3c0ef626 115
116 debug("Received RSA challenge from server.");
117
118 /* Ask the agent to decrypt the challenge. */
119 if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
120 /*
121 * The agent failed to authenticate this identifier
122 * although it advertised it supports this. Just
123 * return a wrong value.
124 */
125 log("Authentication agent failed to decrypt challenge.");
126 memset(response, 0, sizeof(response));
127 }
128 key_free(key);
129 debug("Sending response to RSA challenge.");
130
131 /* Send the decrypted challenge back to the server. */
132 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
133 for (i = 0; i < 16; i++)
134 packet_put_char(response[i]);
135 packet_send();
136 packet_write_wait();
137
138 /* Wait for response from the server. */
e9702f7d 139 type = packet_read();
3c0ef626 140
141 /* The server returns success if it accepted the authentication. */
142 if (type == SSH_SMSG_SUCCESS) {
143 ssh_close_authentication_connection(auth);
144 BN_clear_free(challenge);
145 debug("RSA authentication accepted by server.");
146 return 1;
147 }
148 /* Otherwise it should return failure. */
149 if (type != SSH_SMSG_FAILURE)
150 packet_disconnect("Protocol error waiting RSA auth response: %d",
151 type);
152 }
153 ssh_close_authentication_connection(auth);
154 BN_clear_free(challenge);
155 debug("RSA authentication using agent refused.");
156 return 0;
157}
158
159/*
160 * Computes the proper response to a RSA challenge, and sends the response to
161 * the server.
162 */
163static void
164respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
165{
166 u_char buf[32], response[16];
167 MD5_CTX md;
168 int i, len;
169
170 /* Decrypt the challenge using the private key. */
171 /* XXX think about Bleichenbacher, too */
172 if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
173 packet_disconnect(
174 "respond_to_rsa_challenge: rsa_private_decrypt failed");
175
176 /* Compute the response. */
177 /* The response is MD5 of decrypted challenge plus session id. */
178 len = BN_num_bytes(challenge);
179 if (len <= 0 || len > sizeof(buf))
180 packet_disconnect(
181 "respond_to_rsa_challenge: bad challenge length %d", len);
182
183 memset(buf, 0, sizeof(buf));
184 BN_bn2bin(challenge, buf + sizeof(buf) - len);
185 MD5_Init(&md);
186 MD5_Update(&md, buf, 32);
187 MD5_Update(&md, session_id, 16);
188 MD5_Final(response, &md);
189
190 debug("Sending response to host key RSA challenge.");
191
192 /* Send the response back to the server. */
193 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
194 for (i = 0; i < 16; i++)
195 packet_put_char(response[i]);
196 packet_send();
197 packet_write_wait();
198
199 memset(buf, 0, sizeof(buf));
200 memset(response, 0, sizeof(response));
201 memset(&md, 0, sizeof(md));
202}
203
204/*
205 * Checks if the user has authentication file, and if so, tries to authenticate
206 * the user using it.
207 */
208static int
209try_rsa_authentication(int idx)
210{
211 BIGNUM *challenge;
212 Key *public, *private;
213 char buf[300], *passphrase, *comment, *authfile;
e9702f7d 214 int i, type, quit;
3c0ef626 215
216 public = options.identity_keys[idx];
217 authfile = options.identity_files[idx];
218 comment = xstrdup(authfile);
219
220 debug("Trying RSA authentication with key '%.100s'", comment);
221
222 /* Tell the server that we are willing to authenticate using this key. */
223 packet_start(SSH_CMSG_AUTH_RSA);
224 packet_put_bignum(public->rsa->n);
225 packet_send();
226 packet_write_wait();
227
228 /* Wait for server's response. */
e9702f7d 229 type = packet_read();
3c0ef626 230
231 /*
232 * The server responds with failure if it doesn\'t like our key or
233 * doesn\'t support RSA authentication.
234 */
235 if (type == SSH_SMSG_FAILURE) {
236 debug("Server refused our key.");
237 xfree(comment);
238 return 0;
239 }
240 /* Otherwise, the server should respond with a challenge. */
241 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
242 packet_disconnect("Protocol error during RSA authentication: %d", type);
243
244 /* Get the challenge from the packet. */
e9702f7d 245 if ((challenge = BN_new()) == NULL)
246 fatal("try_rsa_authentication: BN_new failed");
247 packet_get_bignum(challenge);
248 packet_check_eom();
3c0ef626 249
250 debug("Received RSA challenge from server.");
251
252 /*
253 * If the key is not stored in external hardware, we have to
254 * load the private key. Try first with empty passphrase; if it
255 * fails, ask for a passphrase.
256 */
257 if (public->flags && KEY_FLAG_EXT)
258 private = public;
259 else
260 private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
261 if (private == NULL && !options.batch_mode) {
262 snprintf(buf, sizeof(buf),
263 "Enter passphrase for RSA key '%.100s': ", comment);
264 for (i = 0; i < options.number_of_password_prompts; i++) {
265 passphrase = read_passphrase(buf, 0);
266 if (strcmp(passphrase, "") != 0) {
267 private = key_load_private_type(KEY_RSA1,
268 authfile, passphrase, NULL);
269 quit = 0;
270 } else {
271 debug2("no passphrase given, try next key");
272 quit = 1;
273 }
274 memset(passphrase, 0, strlen(passphrase));
275 xfree(passphrase);
276 if (private != NULL || quit)
277 break;
278 debug2("bad passphrase given, try again...");
279 }
280 }
281 /* We no longer need the comment. */
282 xfree(comment);
283
284 if (private == NULL) {
285 if (!options.batch_mode)
286 error("Bad passphrase.");
287
288 /* Send a dummy response packet to avoid protocol error. */
289 packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
290 for (i = 0; i < 16; i++)
291 packet_put_char(0);
292 packet_send();
293 packet_write_wait();
294
295 /* Expect the server to reject it... */
e9702f7d 296 packet_read_expect(SSH_SMSG_FAILURE);
3c0ef626 297 BN_clear_free(challenge);
298 return 0;
299 }
300
301 /* Compute and send a response to the challenge. */
302 respond_to_rsa_challenge(challenge, private->rsa);
303
304 /* Destroy the private key unless it in external hardware. */
305 if (!(private->flags & KEY_FLAG_EXT))
306 key_free(private);
307
308 /* We no longer need the challenge. */
309 BN_clear_free(challenge);
310
311 /* Wait for response from the server. */
e9702f7d 312 type = packet_read();
3c0ef626 313 if (type == SSH_SMSG_SUCCESS) {
314 debug("RSA authentication accepted by server.");
315 return 1;
316 }
317 if (type != SSH_SMSG_FAILURE)
318 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
319 debug("RSA authentication refused.");
320 return 0;
321}
322
323/*
324 * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
325 * authentication and RSA host authentication.
326 */
327static int
328try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
329{
330 int type;
331 BIGNUM *challenge;
3c0ef626 332
333 debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
334
335 /* Tell the server that we are willing to authenticate using this key. */
336 packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
337 packet_put_cstring(local_user);
338 packet_put_int(BN_num_bits(host_key->rsa->n));
339 packet_put_bignum(host_key->rsa->e);
340 packet_put_bignum(host_key->rsa->n);
341 packet_send();
342 packet_write_wait();
343
344 /* Wait for server's response. */
e9702f7d 345 type = packet_read();
3c0ef626 346
347 /* The server responds with failure if it doesn't admit our
348 .rhosts authentication or doesn't know our host key. */
349 if (type == SSH_SMSG_FAILURE) {
350 debug("Server refused our rhosts authentication or host key.");
351 return 0;
352 }
353 /* Otherwise, the server should respond with a challenge. */
354 if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
355 packet_disconnect("Protocol error during RSA authentication: %d", type);
356
357 /* Get the challenge from the packet. */
e9702f7d 358 if ((challenge = BN_new()) == NULL)
359 fatal("try_rhosts_rsa_authentication: BN_new failed");
360 packet_get_bignum(challenge);
361 packet_check_eom();
3c0ef626 362
363 debug("Received RSA challenge for host key from server.");
364
365 /* Compute a response to the challenge. */
366 respond_to_rsa_challenge(challenge, host_key->rsa);
367
368 /* We no longer need the challenge. */
369 BN_clear_free(challenge);
370
371 /* Wait for response from the server. */
e9702f7d 372 type = packet_read();
3c0ef626 373 if (type == SSH_SMSG_SUCCESS) {
374 debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
375 return 1;
376 }
377 if (type != SSH_SMSG_FAILURE)
378 packet_disconnect("Protocol error waiting RSA auth response: %d", type);
379 debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
380 return 0;
381}
382
383#ifdef KRB4
384static int
385try_krb4_authentication(void)
386{
387 KTEXT_ST auth; /* Kerberos data */
388 char *reply;
389 char inst[INST_SZ];
390 char *realm;
391 CREDENTIALS cred;
e9702f7d 392 int r, type;
3c0ef626 393 socklen_t slen;
394 Key_schedule schedule;
395 u_long checksum, cksum;
396 MSG_DAT msg_data;
397 struct sockaddr_in local, foreign;
398 struct stat st;
399
400 /* Don't do anything if we don't have any tickets. */
401 if (stat(tkt_string(), &st) < 0)
402 return 0;
e9702f7d 403
3c0ef626 404 strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
405 INST_SZ);
e9702f7d 406
3c0ef626 407 realm = (char *)krb_realmofhost(get_canonical_hostname(1));
408 if (!realm) {
409 debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
410 return 0;
411 }
412 /* This can really be anything. */
413 checksum = (u_long)getpid();
e9702f7d 414
3c0ef626 415 r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
416 if (r != KSUCCESS) {
417 debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
418 return 0;
419 }
420 /* Get session key to decrypt the server's reply with. */
421 r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
422 if (r != KSUCCESS) {
423 debug("get_cred failed: %s", krb_err_txt[r]);
424 return 0;
425 }
426 des_key_sched((des_cblock *) cred.session, schedule);
e9702f7d 427
3c0ef626 428 /* Send authentication info to server. */
429 packet_start(SSH_CMSG_AUTH_KERBEROS);
430 packet_put_string((char *) auth.dat, auth.length);
431 packet_send();
432 packet_write_wait();
e9702f7d 433
3c0ef626 434 /* Zero the buffer. */
435 (void) memset(auth.dat, 0, MAX_KTXT_LEN);
e9702f7d 436
3c0ef626 437 slen = sizeof(local);
438 memset(&local, 0, sizeof(local));
439 if (getsockname(packet_get_connection_in(),
440 (struct sockaddr *)&local, &slen) < 0)
441 debug("getsockname failed: %s", strerror(errno));
e9702f7d 442
3c0ef626 443 slen = sizeof(foreign);
444 memset(&foreign, 0, sizeof(foreign));
445 if (getpeername(packet_get_connection_in(),
446 (struct sockaddr *)&foreign, &slen) < 0) {
447 debug("getpeername failed: %s", strerror(errno));
448 fatal_cleanup();
449 }
450 /* Get server reply. */
e9702f7d 451 type = packet_read();
3c0ef626 452 switch (type) {
453 case SSH_SMSG_FAILURE:
454 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
455 debug("Kerberos v4 authentication failed.");
456 return 0;
457 break;
e9702f7d 458
3c0ef626 459 case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
460 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
461 debug("Kerberos v4 authentication accepted.");
e9702f7d 462
3c0ef626 463 /* Get server's response. */
464 reply = packet_get_string((u_int *) &auth.length);
465 memcpy(auth.dat, reply, auth.length);
466 xfree(reply);
e9702f7d 467
468 packet_check_eom();
469
3c0ef626 470 /*
471 * If his response isn't properly encrypted with the session
472 * key, and the decrypted checksum fails to match, he's
473 * bogus. Bail out.
474 */
475 r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
476 &foreign, &local, &msg_data);
477 if (r != KSUCCESS) {
478 debug("Kerberos v4 krb_rd_priv failed: %s",
479 krb_err_txt[r]);
480 packet_disconnect("Kerberos v4 challenge failed!");
481 }
482 /* Fetch the (incremented) checksum that we supplied in the request. */
483 memcpy((char *)&cksum, (char *)msg_data.app_data,
484 sizeof(cksum));
485 cksum = ntohl(cksum);
e9702f7d 486
3c0ef626 487 /* If it matches, we're golden. */
488 if (cksum == checksum + 1) {
489 debug("Kerberos v4 challenge successful.");
490 return 1;
491 } else
492 packet_disconnect("Kerberos v4 challenge failed!");
493 break;
e9702f7d 494
3c0ef626 495 default:
496 packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
497 }
498 return 0;
499}
500
501#endif /* KRB4 */
502
503#ifdef KRB5
504static int
505try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
506{
507 krb5_error_code problem;
508 const char *tkfile;
509 struct stat buf;
510 krb5_ccache ccache = NULL;
511 const char *remotehost;
512 krb5_data ap;
e9702f7d 513 int type;
3c0ef626 514 krb5_ap_rep_enc_part *reply = NULL;
515 int ret;
e9702f7d 516
3c0ef626 517 memset(&ap, 0, sizeof(ap));
e9702f7d 518
3c0ef626 519 problem = krb5_init_context(context);
520 if (problem) {
521 debug("Kerberos v5: krb5_init_context failed");
522 ret = 0;
523 goto out;
524 }
525
63119dd9 526 problem = krb5_auth_con_init(*context, auth_context);
527 if (problem) {
528 debug("Kerberos v5: krb5_auth_con_init failed");
529 ret = 0;
530 goto out;
531 }
532
905081a4 533#ifndef HEIMDAL
63119dd9 534 problem = krb5_auth_con_setflags(*context, *auth_context,
535 KRB5_AUTH_CONTEXT_RET_TIME);
536 if (problem) {
905081a4 537 debug("Keberos v5: krb5_auth_con_setflags failed");
63119dd9 538 ret = 0;
539 goto out;
905081a4 540 }
63119dd9 541#endif
542
3c0ef626 543 tkfile = krb5_cc_default_name(*context);
544 if (strncmp(tkfile, "FILE:", 5) == 0)
545 tkfile += 5;
e9702f7d 546
3c0ef626 547 if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
548 debug("Kerberos v5: could not get default ccache (permission denied).");
549 ret = 0;
550 goto out;
551 }
e9702f7d 552
3c0ef626 553 problem = krb5_cc_default(*context, &ccache);
554 if (problem) {
555 debug("Kerberos v5: krb5_cc_default failed: %s",
556 krb5_get_err_text(*context, problem));
557 ret = 0;
558 goto out;
559 }
e9702f7d 560
3c0ef626 561 remotehost = get_canonical_hostname(1);
e9702f7d 562
3c0ef626 563 problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
564 "host", remotehost, NULL, ccache, &ap);
565 if (problem) {
566 debug("Kerberos v5: krb5_mk_req failed: %s",
567 krb5_get_err_text(*context, problem));
568 ret = 0;
569 goto out;
570 }
e9702f7d 571
3c0ef626 572 packet_start(SSH_CMSG_AUTH_KERBEROS);
573 packet_put_string((char *) ap.data, ap.length);
574 packet_send();
575 packet_write_wait();
e9702f7d 576
3c0ef626 577 xfree(ap.data);
578 ap.length = 0;
e9702f7d 579
580 type = packet_read();
3c0ef626 581 switch (type) {
e9702f7d 582 case SSH_SMSG_FAILURE:
583 /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
584 debug("Kerberos v5 authentication failed.");
585 ret = 0;
586 break;
587
3c0ef626 588 case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
e9702f7d 589 /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
590 debug("Kerberos v5 authentication accepted.");
591
592 /* Get server's response. */
593 ap.data = packet_get_string((unsigned int *) &ap.length);
594 packet_check_eom();
595 /* XXX je to dobre? */
596
597 problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
598 if (problem) {
3c0ef626 599 ret = 0;
600 }
601 ret = 1;
602 break;
e9702f7d 603
3c0ef626 604 default:
605 packet_disconnect("Protocol error on Kerberos v5 response: %d",
606 type);
607 ret = 0;
608 break;
e9702f7d 609
3c0ef626 610 }
e9702f7d 611
3c0ef626 612 out:
613 if (ccache != NULL)
614 krb5_cc_close(*context, ccache);
615 if (reply != NULL)
616 krb5_free_ap_rep_enc_part(*context, reply);
617 if (ap.length > 0)
63119dd9 618#ifdef HEIMDAL
3c0ef626 619 krb5_data_free(&ap);
63119dd9 620#else
905081a4 621 krb5_free_data_contents(*context, &ap);
622#endif
623
3c0ef626 624 return (ret);
625}
626
627static void
628send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
629{
e9702f7d 630 int fd, type;
3c0ef626 631 krb5_error_code problem;
632 krb5_data outbuf;
633 krb5_ccache ccache = NULL;
634 krb5_creds creds;
63119dd9 635#ifdef HEIMDAL
3c0ef626 636 krb5_kdc_flags flags;
63119dd9 637#else
638 int forwardable;
639#endif
3c0ef626 640 const char *remotehost;
e9702f7d 641
3c0ef626 642 memset(&creds, 0, sizeof(creds));
643 memset(&outbuf, 0, sizeof(outbuf));
e9702f7d 644
3c0ef626 645 fd = packet_get_connection_in();
905081a4 646
647#ifdef HEIMDAL
3c0ef626 648 problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
63119dd9 649#else
905081a4 650 problem = krb5_auth_con_genaddrs(context, auth_context, fd,
63119dd9 651 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
652 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
63119dd9 653#endif
905081a4 654 if (problem)
655 goto out;
656
3c0ef626 657 problem = krb5_cc_default(context, &ccache);
658 if (problem)
659 goto out;
e9702f7d 660
3c0ef626 661 problem = krb5_cc_get_principal(context, ccache, &creds.client);
662 if (problem)
663 goto out;
905081a4 664
665 remotehost = get_canonical_hostname(1);
3c0ef626 666
63119dd9 667#ifdef HEIMDAL
3c0ef626 668 problem = krb5_build_principal(context, &creds.server,
669 strlen(creds.client->realm), creds.client->realm,
670 "krbtgt", creds.client->realm, NULL);
63119dd9 671#else
672 problem = krb5_build_principal(context, &creds.server,
673 creds.client->realm.length, creds.client->realm.data,
905081a4 674 "host", remotehost, NULL);
63119dd9 675#endif
3c0ef626 676 if (problem)
677 goto out;
e9702f7d 678
3c0ef626 679 creds.times.endtime = 0;
905081a4 680
681#ifdef HEIMDAL
3c0ef626 682 flags.i = 0;
683 flags.b.forwarded = 1;
684 flags.b.forwardable = krb5_config_get_bool(context, NULL,
685 "libdefaults", "forwardable", NULL);
3c0ef626 686 problem = krb5_get_forwarded_creds(context, auth_context,
687 ccache, flags.i, remotehost, &creds, &outbuf);
63119dd9 688#else
689 forwardable = 1;
905081a4 690 problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
691 creds.client, creds.server, ccache, forwardable, &outbuf);
692#endif
63119dd9 693
905081a4 694 if (problem)
695 goto out;
63119dd9 696
3c0ef626 697 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
698 packet_put_string((char *)outbuf.data, outbuf.length);
699 packet_send();
700 packet_write_wait();
e9702f7d 701
702 type = packet_read();
703
3c0ef626 704 if (type == SSH_SMSG_SUCCESS) {
705 char *pname;
e9702f7d 706
3c0ef626 707 krb5_unparse_name(context, creds.client, &pname);
708 debug("Kerberos v5 TGT forwarded (%s).", pname);
709 xfree(pname);
710 } else
711 debug("Kerberos v5 TGT forwarding failed.");
e9702f7d 712
3c0ef626 713 return;
e9702f7d 714
3c0ef626 715 out:
716 if (problem)
717 debug("Kerberos v5 TGT forwarding failed: %s",
718 krb5_get_err_text(context, problem));
719 if (creds.client)
720 krb5_free_principal(context, creds.client);
721 if (creds.server)
722 krb5_free_principal(context, creds.server);
723 if (ccache)
724 krb5_cc_close(context, ccache);
725 if (outbuf.data)
726 xfree(outbuf.data);
727}
728#endif /* KRB5 */
729
730#ifdef AFS
731static void
732send_krb4_tgt(void)
733{
734 CREDENTIALS *creds;
735 struct stat st;
736 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
e9702f7d 737 int problem, type;
738
3c0ef626 739 /* Don't do anything if we don't have any tickets. */
740 if (stat(tkt_string(), &st) < 0)
741 return;
e9702f7d 742
3c0ef626 743 creds = xmalloc(sizeof(*creds));
e9702f7d 744
3c0ef626 745 problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
746 if (problem)
747 goto out;
e9702f7d 748
3c0ef626 749 problem = krb_get_cred("krbtgt", prealm, prealm, creds);
750 if (problem)
751 goto out;
e9702f7d 752
3c0ef626 753 if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
754 problem = RD_AP_EXP;
755 goto out;
756 }
757 creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
e9702f7d 758
3c0ef626 759 packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
760 packet_put_cstring(buffer);
761 packet_send();
762 packet_write_wait();
e9702f7d 763
764 type = packet_read();
765
3c0ef626 766 if (type == SSH_SMSG_SUCCESS)
767 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
768 creds->pname, creds->pinst[0] ? "." : "",
769 creds->pinst, creds->realm);
770 else
771 debug("Kerberos v4 TGT rejected.");
e9702f7d 772
3c0ef626 773 xfree(creds);
774 return;
e9702f7d 775
3c0ef626 776 out:
777 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
778 xfree(creds);
779}
780
781static void
782send_afs_tokens(void)
783{
784 CREDENTIALS creds;
785 struct ViceIoctl parms;
786 struct ClearToken ct;
787 int i, type, len;
788 char buf[2048], *p, *server_cell;
789 char buffer[8192];
e9702f7d 790
3c0ef626 791 /* Move over ktc_GetToken, here's something leaner. */
792 for (i = 0; i < 100; i++) { /* just in case */
793 parms.in = (char *) &i;
794 parms.in_size = sizeof(i);
795 parms.out = buf;
796 parms.out_size = sizeof(buf);
797 if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
798 break;
799 p = buf;
e9702f7d 800
3c0ef626 801 /* Get secret token. */
802 memcpy(&creds.ticket_st.length, p, sizeof(u_int));
803 if (creds.ticket_st.length > MAX_KTXT_LEN)
804 break;
805 p += sizeof(u_int);
806 memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
807 p += creds.ticket_st.length;
e9702f7d 808
3c0ef626 809 /* Get clear token. */
810 memcpy(&len, p, sizeof(len));
811 if (len != sizeof(struct ClearToken))
812 break;
813 p += sizeof(len);
814 memcpy(&ct, p, len);
815 p += len;
816 p += sizeof(len); /* primary flag */
817 server_cell = p;
e9702f7d 818
3c0ef626 819 /* Flesh out our credentials. */
820 strlcpy(creds.service, "afs", sizeof(creds.service));
821 creds.instance[0] = '\0';
822 strlcpy(creds.realm, server_cell, REALM_SZ);
823 memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
824 creds.issue_date = ct.BeginTimestamp;
825 creds.lifetime = krb_time_to_life(creds.issue_date,
826 ct.EndTimestamp);
827 creds.kvno = ct.AuthHandle;
828 snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
829 creds.pinst[0] = '\0';
e9702f7d 830
3c0ef626 831 /* Encode token, ship it off. */
832 if (creds_to_radix(&creds, (u_char *)buffer,
833 sizeof(buffer)) <= 0)
834 break;
835 packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
836 packet_put_cstring(buffer);
837 packet_send();
838 packet_write_wait();
839
840 /* Roger, Roger. Clearance, Clarence. What's your vector,
841 Victor? */
e9702f7d 842 type = packet_read();
843
3c0ef626 844 if (type == SSH_SMSG_FAILURE)
845 debug("AFS token for cell %s rejected.", server_cell);
846 else if (type != SSH_SMSG_SUCCESS)
847 packet_disconnect("Protocol error on AFS token response: %d", type);
848 }
849}
850
851#endif /* AFS */
852
853/*
854 * Tries to authenticate with any string-based challenge/response system.
855 * Note that the client code is not tied to s/key or TIS.
856 */
857static int
858try_challenge_response_authentication(void)
859{
860 int type, i;
3c0ef626 861 u_int clen;
862 char prompt[1024];
863 char *challenge, *response;
864
865 debug("Doing challenge response authentication.");
866
867 for (i = 0; i < options.number_of_password_prompts; i++) {
868 /* request a challenge */
869 packet_start(SSH_CMSG_AUTH_TIS);
870 packet_send();
871 packet_write_wait();
872
e9702f7d 873 type = packet_read();
3c0ef626 874 if (type != SSH_SMSG_FAILURE &&
875 type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
876 packet_disconnect("Protocol error: got %d in response "
877 "to SSH_CMSG_AUTH_TIS", type);
878 }
879 if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
880 debug("No challenge.");
881 return 0;
882 }
883 challenge = packet_get_string(&clen);
e9702f7d 884 packet_check_eom();
3c0ef626 885 snprintf(prompt, sizeof prompt, "%s%s", challenge,
e9702f7d 886 strchr(challenge, '\n') ? "" : "\nResponse: ");
3c0ef626 887 xfree(challenge);
888 if (i != 0)
889 error("Permission denied, please try again.");
890 if (options.cipher == SSH_CIPHER_NONE)
891 log("WARNING: Encryption is disabled! "
892 "Reponse will be transmitted in clear text.");
893 response = read_passphrase(prompt, 0);
894 if (strcmp(response, "") == 0) {
895 xfree(response);
896 break;
897 }
898 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
899 ssh_put_password(response);
900 memset(response, 0, strlen(response));
901 xfree(response);
902 packet_send();
903 packet_write_wait();
e9702f7d 904 type = packet_read();
3c0ef626 905 if (type == SSH_SMSG_SUCCESS)
906 return 1;
907 if (type != SSH_SMSG_FAILURE)
908 packet_disconnect("Protocol error: got %d in response "
909 "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
910 }
911 /* failure */
912 return 0;
913}
914
915/*
916 * Tries to authenticate with plain passwd authentication.
917 */
918static int
919try_password_authentication(char *prompt)
920{
e9702f7d 921 int type, i;
3c0ef626 922 char *password;
923
924 debug("Doing password authentication.");
925 if (options.cipher == SSH_CIPHER_NONE)
926 log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
927 for (i = 0; i < options.number_of_password_prompts; i++) {
928 if (i != 0)
929 error("Permission denied, please try again.");
930 password = read_passphrase(prompt, 0);
931 packet_start(SSH_CMSG_AUTH_PASSWORD);
932 ssh_put_password(password);
933 memset(password, 0, strlen(password));
934 xfree(password);
935 packet_send();
936 packet_write_wait();
937
e9702f7d 938 type = packet_read();
3c0ef626 939 if (type == SSH_SMSG_SUCCESS)
940 return 1;
941 if (type != SSH_SMSG_FAILURE)
942 packet_disconnect("Protocol error: got %d in response to passwd auth", type);
943 }
944 /* failure */
945 return 0;
946}
947
948/*
949 * SSH1 key exchange
950 */
951void
952ssh_kex(char *host, struct sockaddr *hostaddr)
953{
954 int i;
955 BIGNUM *key;
e9702f7d 956 Key *host_key, *server_key;
3c0ef626 957 int bits, rbits;
958 int ssh_cipher_default = SSH_CIPHER_3DES;
959 u_char session_key[SSH_SESSION_KEY_LENGTH];
960 u_char cookie[8];
961 u_int supported_ciphers;
962 u_int server_flags, client_flags;
3c0ef626 963 u_int32_t rand = 0;
964
965 debug("Waiting for server public key.");
966
967 /* Wait for a public key packet from the server. */
e9702f7d 968 packet_read_expect(SSH_SMSG_PUBLIC_KEY);
3c0ef626 969
970 /* Get cookie from the packet. */
971 for (i = 0; i < 8; i++)
972 cookie[i] = packet_get_char();
973
974 /* Get the public key. */
e9702f7d 975 server_key = key_new(KEY_RSA1);
976 bits = packet_get_int();
977 packet_get_bignum(server_key->rsa->e);
978 packet_get_bignum(server_key->rsa->n);
979
980 rbits = BN_num_bits(server_key->rsa->n);
3c0ef626 981 if (bits != rbits) {
982 log("Warning: Server lies about size of server public key: "
983 "actual size is %d bits vs. announced %d.", rbits, bits);
984 log("Warning: This may be due to an old implementation of ssh.");
985 }
986 /* Get the host key. */
e9702f7d 987 host_key = key_new(KEY_RSA1);
988 bits = packet_get_int();
989 packet_get_bignum(host_key->rsa->e);
990 packet_get_bignum(host_key->rsa->n);
991
992 rbits = BN_num_bits(host_key->rsa->n);
3c0ef626 993 if (bits != rbits) {
994 log("Warning: Server lies about size of server host key: "
995 "actual size is %d bits vs. announced %d.", rbits, bits);
996 log("Warning: This may be due to an old implementation of ssh.");
997 }
998
999 /* Get protocol flags. */
1000 server_flags = packet_get_int();
1001 packet_set_protocol_flags(server_flags);
1002
1003 supported_ciphers = packet_get_int();
1004 supported_authentications = packet_get_int();
e9702f7d 1005 packet_check_eom();
3c0ef626 1006
1007 debug("Received server public key (%d bits) and host key (%d bits).",
e9702f7d 1008 BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
1009
1010 if (verify_host_key(host, hostaddr, host_key) == -1)
3c0ef626 1011 fatal("Host key verification failed.");
1012
1013 client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
1014
e9702f7d 1015 compute_session_id(session_id, cookie, host_key->rsa->n, server_key->rsa->n);
3c0ef626 1016
1017 /* Generate a session key. */
1018 arc4random_stir();
1019
1020 /*
1021 * Generate an encryption key for the session. The key is a 256 bit
1022 * random number, interpreted as a 32-byte key, with the least
1023 * significant 8 bits being the first byte of the key.
1024 */
1025 for (i = 0; i < 32; i++) {
1026 if (i % 4 == 0)
1027 rand = arc4random();
1028 session_key[i] = rand & 0xff;
1029 rand >>= 8;
1030 }
1031
1032 /*
1033 * According to the protocol spec, the first byte of the session key
1034 * is the highest byte of the integer. The session key is xored with
1035 * the first 16 bytes of the session id.
1036 */
e9702f7d 1037 if ((key = BN_new()) == NULL)
1038 fatal("respond_to_rsa_challenge: BN_new failed");
3c0ef626 1039 BN_set_word(key, 0);
1040 for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
1041 BN_lshift(key, key, 8);
1042 if (i < 16)
1043 BN_add_word(key, session_key[i] ^ session_id[i]);
1044 else
1045 BN_add_word(key, session_key[i]);
1046 }
1047
1048 /*
1049 * Encrypt the integer using the public key and host key of the
1050 * server (key with smaller modulus first).
1051 */
e9702f7d 1052 if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) {
3c0ef626 1053 /* Public key has smaller modulus. */
e9702f7d 1054 if (BN_num_bits(host_key->rsa->n) <
1055 BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1056 fatal("respond_to_rsa_challenge: host_key %d < server_key %d + "
1057 "SSH_KEY_BITS_RESERVED %d",
1058 BN_num_bits(host_key->rsa->n),
1059 BN_num_bits(server_key->rsa->n),
1060 SSH_KEY_BITS_RESERVED);
3c0ef626 1061 }
e9702f7d 1062 rsa_public_encrypt(key, key, server_key->rsa);
1063 rsa_public_encrypt(key, key, host_key->rsa);
3c0ef626 1064 } else {
1065 /* Host key has smaller modulus (or they are equal). */
e9702f7d 1066 if (BN_num_bits(server_key->rsa->n) <
1067 BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
1068 fatal("respond_to_rsa_challenge: server_key %d < host_key %d + "
1069 "SSH_KEY_BITS_RESERVED %d",
1070 BN_num_bits(server_key->rsa->n),
1071 BN_num_bits(host_key->rsa->n),
1072 SSH_KEY_BITS_RESERVED);
3c0ef626 1073 }
e9702f7d 1074 rsa_public_encrypt(key, key, host_key->rsa);
1075 rsa_public_encrypt(key, key, server_key->rsa);
3c0ef626 1076 }
1077
1078 /* Destroy the public keys since we no longer need them. */
e9702f7d 1079 key_free(server_key);
1080 key_free(host_key);
3c0ef626 1081
1082 if (options.cipher == SSH_CIPHER_NOT_SET) {
1083 if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
1084 options.cipher = ssh_cipher_default;
1085 } else if (options.cipher == SSH_CIPHER_ILLEGAL ||
1086 !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
1087 log("No valid SSH1 cipher, using %.100s instead.",
1088 cipher_name(ssh_cipher_default));
1089 options.cipher = ssh_cipher_default;
1090 }
1091 /* Check that the selected cipher is supported. */
1092 if (!(supported_ciphers & (1 << options.cipher)))
1093 fatal("Selected cipher type %.100s not supported by server.",
e9702f7d 1094 cipher_name(options.cipher));
3c0ef626 1095
1096 debug("Encryption type: %.100s", cipher_name(options.cipher));
1097
1098 /* Send the encrypted session key to the server. */
1099 packet_start(SSH_CMSG_SESSION_KEY);
1100 packet_put_char(options.cipher);
1101
1102 /* Send the cookie back to the server. */
1103 for (i = 0; i < 8; i++)
1104 packet_put_char(cookie[i]);
1105
1106 /* Send and destroy the encrypted encryption key integer. */
1107 packet_put_bignum(key);
1108 BN_clear_free(key);
1109
1110 /* Send protocol flags. */
1111 packet_put_int(client_flags);
1112
1113 /* Send the packet now. */
1114 packet_send();
1115 packet_write_wait();
1116
1117 debug("Sent encrypted session key.");
1118
1119 /* Set the encryption key. */
1120 packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
1121
1122 /* We will no longer need the session key here. Destroy any extra copies. */
1123 memset(session_key, 0, sizeof(session_key));
1124
1125 /*
1126 * Expect a success message from the server. Note that this message
1127 * will be received in encrypted form.
1128 */
e9702f7d 1129 packet_read_expect(SSH_SMSG_SUCCESS);
3c0ef626 1130
1131 debug("Received encrypted confirmation.");
1132}
1133
1134/*
1135 * Authenticate user
1136 */
1137void
1138ssh_userauth1(const char *local_user, const char *server_user, char *host,
1139 Key **keys, int nkeys)
1140{
1141#ifdef KRB5
1142 krb5_context context = NULL;
1143 krb5_auth_context auth_context = NULL;
1144#endif
1145 int i, type;
e9702f7d 1146
3c0ef626 1147 if (supported_authentications == 0)
1148 fatal("ssh_userauth1: server supports no auth methods");
1149
1150 /* Send the name of the user to log in as on the server. */
1151 packet_start(SSH_CMSG_USER);
1152 packet_put_cstring(server_user);
1153 packet_send();
1154 packet_write_wait();
1155
1156 /*
1157 * The server should respond with success if no authentication is
1158 * needed (the user has no password). Otherwise the server responds
1159 * with failure.
1160 */
e9702f7d 1161 type = packet_read();
3c0ef626 1162
1163 /* check whether the connection was accepted without authentication. */
1164 if (type == SSH_SMSG_SUCCESS)
1165 goto success;
1166 if (type != SSH_SMSG_FAILURE)
1167 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
e9702f7d 1168
3c0ef626 1169#ifdef KRB5
1170 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
e9702f7d 1171 options.kerberos_authentication) {
3c0ef626 1172 debug("Trying Kerberos v5 authentication.");
e9702f7d 1173
3c0ef626 1174 if (try_krb5_authentication(&context, &auth_context)) {
e9702f7d 1175 type = packet_read();
3c0ef626 1176 if (type == SSH_SMSG_SUCCESS)
1177 goto success;
1178 if (type != SSH_SMSG_FAILURE)
1179 packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
1180 }
1181 }
1182#endif /* KRB5 */
e9702f7d 1183
3c0ef626 1184#ifdef KRB4
1185 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
1186 options.kerberos_authentication) {
1187 debug("Trying Kerberos v4 authentication.");
e9702f7d 1188
3c0ef626 1189 if (try_krb4_authentication()) {
e9702f7d 1190 type = packet_read();
3c0ef626 1191 if (type == SSH_SMSG_SUCCESS)
1192 goto success;
1193 if (type != SSH_SMSG_FAILURE)
1194 packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
1195 }
1196 }
1197#endif /* KRB4 */
e9702f7d 1198
3c0ef626 1199 /*
1200 * Use rhosts authentication if running in privileged socket and we
1201 * do not wish to remain anonymous.
1202 */
1203 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
1204 options.rhosts_authentication) {
1205 debug("Trying rhosts authentication.");
1206 packet_start(SSH_CMSG_AUTH_RHOSTS);
1207 packet_put_cstring(local_user);
1208 packet_send();
1209 packet_write_wait();
1210
1211 /* The server should respond with success or failure. */
e9702f7d 1212 type = packet_read();
3c0ef626 1213 if (type == SSH_SMSG_SUCCESS)
1214 goto success;
1215 if (type != SSH_SMSG_FAILURE)
1216 packet_disconnect("Protocol error: got %d in response to rhosts auth",
1217 type);
1218 }
1219 /*
1220 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
1221 * authentication.
1222 */
1223 if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
1224 options.rhosts_rsa_authentication) {
1225 for (i = 0; i < nkeys; i++) {
1226 if (keys[i] != NULL && keys[i]->type == KEY_RSA1 &&
1227 try_rhosts_rsa_authentication(local_user, keys[i]))
1228 goto success;
1229 }
1230 }
1231 /* Try RSA authentication if the server supports it. */
1232 if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
1233 options.rsa_authentication) {
1234 /*
1235 * Try RSA authentication using the authentication agent. The
1236 * agent is tried first because no passphrase is needed for
1237 * it, whereas identity files may require passphrases.
1238 */
1239 if (try_agent_authentication())
1240 goto success;
1241
1242 /* Try RSA authentication for each identity. */
1243 for (i = 0; i < options.num_identity_files; i++)
1244 if (options.identity_keys[i] != NULL &&
1245 options.identity_keys[i]->type == KEY_RSA1 &&
1246 try_rsa_authentication(i))
1247 goto success;
1248 }
1249 /* Try challenge response authentication if the server supports it. */
1250 if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
1251 options.challenge_response_authentication && !options.batch_mode) {
1252 if (try_challenge_response_authentication())
1253 goto success;
1254 }
1255 /* Try password authentication if the server supports it. */
1256 if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
1257 options.password_authentication && !options.batch_mode) {
1258 char prompt[80];
1259
1260 snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
1261 server_user, host);
1262 if (try_password_authentication(prompt))
1263 goto success;
1264 }
1265 /* All authentication methods have failed. Exit with an error message. */
1266 fatal("Permission denied.");
1267 /* NOTREACHED */
1268
1269 success:
1270#ifdef KRB5
1271 /* Try Kerberos v5 TGT passing. */
1272 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
1273 options.kerberos_tgt_passing && context && auth_context) {
1274 if (options.cipher == SSH_CIPHER_NONE)
1275 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
1276 send_krb5_tgt(context, auth_context);
1277 }
1278 if (auth_context)
1279 krb5_auth_con_free(context, auth_context);
1280 if (context)
1281 krb5_free_context(context);
1282#endif
e9702f7d 1283
3c0ef626 1284#ifdef AFS
1285 /* Try Kerberos v4 TGT passing if the server supports it. */
1286 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
1287 options.kerberos_tgt_passing) {
1288 if (options.cipher == SSH_CIPHER_NONE)
1289 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
1290 send_krb4_tgt();
1291 }
1292 /* Try AFS token passing if the server supports it. */
1293 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
1294 options.afs_token_passing && k_hasafs()) {
1295 if (options.cipher == SSH_CIPHER_NONE)
1296 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
1297 send_afs_tokens();
1298 }
1299#endif /* AFS */
1300
1301 return; /* need statement after label */
1302}
git-cvsimport mirror of GSI OpenSSH
This page took 0.280432 seconds and 5 git commands to generate.