]> andersk Git - openssh.git/blobdiff - auth1.c
andersk / openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
- itojun@cvs.openbsd.org 2002/09/09 06:48:06
[openssh.git] / auth1.c
diff --git a/auth1.c b/auth1.c
index 55dbf78facb513253b87b73f887c89bc18a51d8a..4d2b92a22aebb6daeed9554a4cb585282974fba1 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.39 2002/03/19 14:27:39 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.43 2002/09/09 06:48:06 itojun Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -133,15 +133,27 @@ do_authloop(Authctxt *authctxt)
 #endif /* KRB4 */
                                } else {
 #ifdef KRB5
-                                       krb5_data tkt;
+                                       krb5_data tkt, reply;
                                        tkt.length = dlen;
                                        tkt.data = kdata;
 
-                                       if (auth_krb5(authctxt, &tkt, &client_user)) {
+                                       if (PRIVSEP(auth_krb5(authctxt, &tkt,
+                                           &client_user, &reply))) {
                                                authenticated = 1;
                                                snprintf(info, sizeof(info),
                                                    " tktuser %.100s",
                                                    client_user);
+                                               /* Send response to client */
+                                               packet_start(
+                                                   SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+                                               packet_put_string((char *)
+                                                   reply.data, reply.length);
+                                               packet_send();
+                                               packet_write_wait();
+
+                                               if (reply.length)
+                                                       xfree(reply.data);
                                        }
 #endif /* KRB5 */
                                }
@@ -203,7 +215,7 @@ do_authloop(Authctxt *authctxt)
                        if (bits != BN_num_bits(client_host_key->rsa->n))
                                verbose("Warning: keysize mismatch for client_host_key: "
                                    "actual %d, announced %d",
-                                    BN_num_bits(client_host_key->rsa->n), bits);
+                                   BN_num_bits(client_host_key->rsa->n), bits);
                        packet_check_eom();
 
                        authenticated = auth_rhosts_rsa(pw, client_user,
@@ -301,12 +313,14 @@ do_authloop(Authctxt *authctxt)
                }
 #else
                /* Special handling for root */
-               if (authenticated && authctxt->pw->pw_uid == 0 &&
+               if (!use_privsep &&
+                   authenticated && authctxt->pw->pw_uid == 0 &&
                    !auth_root_allowed(get_authname(type)))
                        authenticated = 0;
 #endif
 #ifdef USE_PAM
-               if (authenticated && !do_pam_account(pw->pw_name, client_user))
+               if (!use_privsep && authenticated && 
+                   !do_pam_account(pw->pw_name, client_user))
                        authenticated = 0;
 #endif
 
@@ -322,11 +336,6 @@ do_authloop(Authctxt *authctxt)
                        return;
 
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname(options.verify_reverse_mapping),
-                           "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
 
@@ -345,7 +354,7 @@ do_authentication(void)
 {
        Authctxt *authctxt;
        u_int ulen;
-       char *p, *user, *style = NULL;
+       char *user, *style = NULL;
 
        /* Get the name of the user that we wish to log in as. */
        packet_read_expect(SSH_CMSG_USER);
@@ -357,9 +366,15 @@ do_authentication(void)
        if ((style = strchr(user, ':')) != NULL)
                *style++ = '\0';
 
+#ifdef KRB5
        /* XXX - SSH.com Kerberos v5 braindeath. */
-       if ((p = strchr(user, '@')) != NULL)
-               *p = '\0';
+       if ((datafellows & SSH_BUG_K5USER) &&
+           options.kerberos_authentication) {
+               char *p;
+               if ((p = strchr(user, '@')) != NULL)
+                       *p = '\0';
+       }
+#endif
 
        authctxt = authctxt_new();
        authctxt->user = user;
@@ -375,7 +390,7 @@ do_authentication(void)
            use_privsep ? " [net]" : "");
 
 #ifdef USE_PAM
-       start_pam(authctxt->pw == NULL ? "NOUSER" : user);
+       PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
 #endif
 
        /*
git-cvsimport mirror of OpenSSH
This page took 0.075727 seconds and 4 git commands to generate.