From 63119dd9c87e72981127a5592255ac5139d09202 Mon Sep 17 00:00:00 2001 From: jbasney Date: Mon, 11 Mar 2002 15:24:49 +0000 Subject: [PATCH] Fixes for krb5 support in OpenSSH 3.0.2p1 by Simon Wilkinson from http://www.sxw.org.uk/computing/patches/openssh-3.0.2p1-krb5.patch --- openssh/Makefile.in | 2 +- openssh/acconfig.h | 6 ++++ openssh/auth-krb5.c | 71 +++++++++++++++++++++++++++++++++++++++++++ openssh/configure.ac | 40 ++++++++++++++++++++++-- openssh/servconf.c | 11 ++++++- openssh/sshconnect1.c | 57 ++++++++++++++++++++++++++++++++++ 6 files changed, 183 insertions(+), 4 deletions(-) diff --git a/openssh/Makefile.in b/openssh/Makefile.in index d20bfca..87a7c13 100644 --- a/openssh/Makefile.in +++ b/openssh/Makefile.in @@ -50,7 +50,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 diff --git a/openssh/acconfig.h b/openssh/acconfig.h index 436d72e..405f200 100644 --- a/openssh/acconfig.h +++ b/openssh/acconfig.h @@ -184,6 +184,12 @@ /* Define if libc defines __progname */ #undef HAVE___PROGNAME +/* Define if you want Kerberos 5 support */ +#undef KRB5 + +/* Define this if you are using Heimdal version of Kerberos V5 */ +#undef HEIMDAL + /* Define if you want Kerberos 4 support */ #undef KRB4 diff --git a/openssh/auth-krb5.c b/openssh/auth-krb5.c index b56f43a..176eb27 100644 --- a/openssh/auth-krb5.c +++ b/openssh/auth-krb5.c @@ -17,6 +17,9 @@ #ifdef KRB5 #include +#ifndef HEIMDAL +#define krb5_get_err_text(context,code) error_message(code) +#endif /* !HEIMDAL */ extern ServerOptions options; @@ -69,8 +72,15 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) goto err; fd = packet_get_connection_in(); +#ifdef HEIMDAL problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, &fd); +#else + problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, + authctxt->krb5_auth_ctx,fd, + KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR | + KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR); +#endif if (problem) goto err; @@ -84,8 +94,13 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) if (problem) goto err; +#ifdef HEIMDAL problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client, &authctxt->krb5_user); +#else + problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->enc_part2->client, + &authctxt->krb5_user); +#endif if (problem) goto err; @@ -131,13 +146,23 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt) krb5_error_code problem; krb5_ccache ccache = NULL; char *pname; + krb5_creds **creds; if (authctxt->pw == NULL || authctxt->krb5_user == NULL) return (0); temporarily_use_uid(authctxt->pw); +#ifdef HEIMDAL problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache); +#else +{ + char ccname[35]; + + snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", authctxt->pw->pw_uid); + problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache); +} +#endif if (problem) goto fail; @@ -146,10 +171,20 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt) if (problem) goto fail; +#ifdef HEIMDAL problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, ccache, tgt); if (problem) goto fail; +#else + problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, + tgt, &creds, NULL); + if (problem) + goto fail; + problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds); + if (problem) + goto fail; +#endif authctxt->krb5_fwd_ccache = ccache; ccache = NULL; @@ -182,6 +217,10 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt) int auth_krb5_password(Authctxt *authctxt, const char *password) { +#ifndef HEIMDAL + krb5_creds creds; + krb5_principal server; +#endif krb5_error_code problem; if (authctxt->pw == NULL) @@ -198,8 +237,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; +#ifdef HEIMDAL problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &authctxt->krb5_fwd_ccache); +#else + problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", + &authctxt->krb5_fwd_ccache); +#endif if (problem) goto out; @@ -208,11 +252,38 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; +#ifdef HEIMDAL problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->krb5_fwd_ccache, password, 1, NULL); if (problem) goto out; +#else + problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, + authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL); + if (problem) + goto out; + + problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, + KRB5_NT_SRV_HST, &server); + if (problem) + goto out; + + restore_uid(); + problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL, + NULL); + temporarily_use_uid(authctxt->pw); + + krb5_free_principal(authctxt->krb5_ctx, server); + if (problem) + goto out; + + problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds); + if (problem) + goto out; + +#endif /* HEIMDAL */ + authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); out: diff --git a/openssh/configure.ac b/openssh/configure.ac index 3cc9365..ca36df1 100644 --- a/openssh/configure.ac +++ b/openssh/configure.ac @@ -1443,7 +1443,43 @@ AC_ARG_WITH(smartcard, ] ) -# Check whether user wants Kerberos support +# Check whether user wants Kerberos 5 support +AC_ARG_WITH(kerberos5, + [ --with-kerberos5=PATH Enable Kerberos 5 support], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" + LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + AC_DEFINE(KRB5) + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL) + K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" + ], + [ AC_MSG_RESULT(no) + K5LIBS="-lkrb5 -lk5crypto -lcom_err" + ] + ) + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi + AC_CHECK_LIB(resolv, dn_expand, , ) + + KRB5=yes + fi + ] +) +# Check whether user wants Kerberos 4 support KRB4_MSG="no" AC_ARG_WITH(kerberos4, [ --with-kerberos4=PATH Enable Kerberos 4 support], @@ -1523,7 +1559,7 @@ AC_ARG_WITH(afs, fi ] ) -LIBS="$LIBS $KLIBS" +LIBS="$LIBS $KLIBS $K5LIBS" # Looking for programs, paths and files AC_ARG_WITH(rsh, diff --git a/openssh/servconf.c b/openssh/servconf.c index e914d4c..1587765 100644 --- a/openssh/servconf.c +++ b/openssh/servconf.c @@ -12,8 +12,17 @@ #include "includes.h" RCSID("$OpenBSD: servconf.c,v 1.91 2001/11/12 18:17:07 markus Exp $"); -#if defined(KRB4) || defined(KRB5) +#if defined(KRB4) +#include +#endif +#if defined(KRB5) +#ifdef HEIMDAL #include +#else +/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V + * keytab */ +#define KEYFILE "/etc/krb5.keytab" +#endif #endif #ifdef AFS #include diff --git a/openssh/sshconnect1.c b/openssh/sshconnect1.c index d6b8623..1c35f03 100644 --- a/openssh/sshconnect1.c +++ b/openssh/sshconnect1.c @@ -23,6 +23,9 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.41 2001/10/06 11:18:19 markus Exp $"); #endif #ifdef KRB5 #include +#ifndef HEIMDAL +#define krb5_get_err_text(context,code) error_message(code) +#endif /* !HEIMDAL */ #endif #ifdef AFS #include @@ -523,6 +526,23 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) goto out; } + problem = krb5_auth_con_init(*context, auth_context); + if (problem) { + debug("Kerberos v5: krb5_auth_con_init failed"); + ret = 0; + goto out; + } + +#ifndef HEIMDAL + problem = krb5_auth_con_setflags(*context, *auth_context, + KRB5_AUTH_CONTEXT_RET_TIME); + if (problem) { + debug("Kerberos v5: krb5_auth_con_setflags failed"); + ret = 0; + goto out; + } +#endif + tkfile = krb5_cc_default_name(*context); if (strncmp(tkfile, "FILE:", 5) == 0) tkfile += 5; @@ -599,7 +619,11 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) if (reply != NULL) krb5_free_ap_rep_enc_part(*context, reply); if (ap.length > 0) +#ifdef HEIMDAL krb5_data_free(&ap); +#else + xfree(ap.data); +#endif return (ret); } @@ -612,7 +636,11 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) krb5_data outbuf; krb5_ccache ccache = NULL; krb5_creds creds; +#ifdef HEIMDAL krb5_kdc_flags flags; +#else + int forwardable; +#endif const char *remotehost; memset(&creds, 0, sizeof(creds)); @@ -620,9 +648,19 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) fd = packet_get_connection_in(); +#ifdef HEIMDAL problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd); if (problem) goto out; +#else + problem = krb5_auth_con_genaddrs(context, auth_context, fd, + KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR | + KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR); + if (problem) { + debug("krb5_auth_con_genaddrs: %.100s", error_message(problem)); + goto out; + } +#endif problem = krb5_cc_default(context, &ccache); if (problem) @@ -632,14 +670,22 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) if (problem) goto out; +#ifdef HEIMDAL problem = krb5_build_principal(context, &creds.server, strlen(creds.client->realm), creds.client->realm, "krbtgt", creds.client->realm, NULL); +#else + problem = krb5_build_principal(context, &creds.server, + creds.client->realm.length, creds.client->realm.data, + "krbtgt", creds.client->realm.data, NULL); +#endif + if (problem) goto out; creds.times.endtime = 0; +#ifdef HEIMDAL flags.i = 0; flags.b.forwarded = 1; flags.b.forwardable = krb5_config_get_bool(context, NULL, @@ -651,6 +697,17 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) ccache, flags.i, remotehost, &creds, &outbuf); if (problem) goto out; +#else + forwardable = 1; + + remotehost = get_canonical_hostname(1); + + problem = krb5_fwd_tgt_creds (context, auth_context, + remotehost, creds.client, creds.server, ccache, forwardable, + &outbuf); + if (problem) + goto out; +#endif packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); packet_put_string((char *)outbuf.data, outbuf.length); -- 2.45.2