-#if KRB5
-static int
-ssh_krb5_helper(krb5_data *ap, krb5_context *context)
-{
- krb5_context xcontext = NULL; /* XXX share with ssh1 */
- krb5_auth_context xauth_context = NULL;
- krb5_auth_context *auth_context;
- krb5_error_code problem;
- const char *tkfile;
- struct stat buf;
- krb5_ccache ccache = NULL;
- const char *remotehost;
- int ret;
-
- memset(ap, 0, sizeof(*ap));
-
- context = &xcontext;
- auth_context = &xauth_context;
-
- problem = krb5_init_context(context);
- if (problem) {
- debug("Kerberos v5: krb5_init_context failed");
- ret = 0;
- goto out;
- }
-
- tkfile = krb5_cc_default_name(*context);
- if (strncmp(tkfile, "FILE:", 5) == 0)
- tkfile += 5;
-
- if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
- debug("Kerberos v5: could not get default ccache (permission denied).");
- ret = 0;
- goto out;
- }
-
- problem = krb5_cc_default(*context, &ccache);
- if (problem) {
- debug("Kerberos v5: krb5_cc_default failed: %s",
- krb5_get_err_text(*context, problem));
- ret = 0;
- goto out;
- }
-
- remotehost = get_canonical_hostname(1);
-
- problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
- "host", remotehost, NULL, ccache, ap);
- if (problem) {
- debug("Kerberos v5: krb5_mk_req failed: %s",
- krb5_get_err_text(*context, problem));
- ret = 0;
- goto out;
- }
- ret = 1;
-
- out:
- if (ccache != NULL)
- krb5_cc_close(*context, ccache);
- if (*auth_context)
- krb5_auth_con_free(*context, *auth_context);
- return (ret);
-}
-
-int
-userauth_kerberos(Authctxt *authctxt)
-{
- krb5_data ap;
- krb5_context *context;
- int ret = 0;
-
- if (ssh_krb5_helper(&ap, context) == 0)
- goto out;
-
- packet_start(SSH2_MSG_USERAUTH_REQUEST);
- packet_put_cstring(authctxt->server_user);
- packet_put_cstring(authctxt->service);
- packet_put_cstring(authctxt->method->name);
- packet_put_string(ap.data, ap.length);
- packet_send();
-
-#ifdef HEIMDAL
- krb5_data_free(&ap);
-#else
- krb5_free_data_contents(*context, &ap);
-#endif
- ret = 1;
-
-out:
- if (*context)
- krb5_free_context(*context);
- return ret;
-}
-#endif
-