X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/7364bd04fc18484f99f74b901c4581795bcf2787..cdfbc8299cfe8754522579b641440aee9cde44cf:/sshconnect2.c?ds=sidebyside

diff --git a/sshconnect2.c b/sshconnect2.c
index c71ad506..5bb77236 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshconnect2.c,v 1.165 2008/01/19 23:09:49 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -23,25 +24,31 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $");
 
-#ifdef KRB5
-#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
-#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
 
 #include "openbsd-compat/sys-queue.h"
 
+#include "xmalloc.h"
 #include "ssh.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "buffer.h"
 #include "packet.h"
 #include "compat.h"
-#include "bufaux.h"
 #include "cipher.h"
+#include "key.h"
 #include "kex.h"
 #include "myproposal.h"
 #include "sshconnect.h"
@@ -50,12 +57,13 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $");
 #include "authfd.h"
 #include "log.h"
 #include "readconf.h"
-#include "readpass.h"
+#include "misc.h"
 #include "match.h"
 #include "dispatch.h"
 #include "canohost.h"
 #include "msg.h"
 #include "pathnames.h"
+#include "uidswap.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -108,10 +116,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
 	if (options.compression) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-		myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
+		myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
 	} else {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
+		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
 	}
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@@ -122,12 +130,14 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 		    options.hostkeyalgorithms;
 
 	if (options.rekey_limit)
-		packet_set_rekey_limit(options.rekey_limit);
+		packet_set_rekey_limit((u_int32_t)options.rekey_limit);
 
 	/* start key exchange */
 	kex = kex_setup(myproposal);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
+	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
 	kex->verify_host_key=&verify_host_key_callback;
@@ -229,7 +239,7 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
-	{"gssapi",
+	{"gssapi-with-mic",
 		userauth_gssapi,
 		&options.gss_authentication,
 		NULL},
@@ -238,12 +248,6 @@ Authmethod authmethods[] = {
 		userauth_hostbased,
 		&options.hostbased_authentication,
 		NULL},
-#if KRB5
-	{"kerberos-2@ssh.com",
-		userauth_kerberos,
-		&options.kerberos_authentication,
-		NULL},
-#endif
 	{"publickey",
 		userauth_pubkey,
 		&options.pubkey_authentication,
@@ -364,17 +368,19 @@ void
 input_userauth_error(int type, u_int32_t seq, void *ctxt)
 {
 	fatal("input_userauth_error: bad message during authentication: "
-	   "type %d", type);
+	    "type %d", type);
 }
 
 void
 input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 {
 	char *msg, *lang;
+
 	debug3("input_userauth_banner");
 	msg = packet_get_string(NULL);
 	lang = packet_get_string(NULL);
-	fprintf(stderr, "%s", msg);
+	if (options.log_level >= SYSLOG_LEVEL_INFO)
+		fprintf(stderr, "%s", msg);
 	xfree(msg);
 	xfree(lang);
 }
@@ -385,10 +391,14 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
 	Authctxt *authctxt = ctxt;
 	if (authctxt == NULL)
 		fatal("input_userauth_success: no authentication context");
-	if (authctxt->authlist)
+	if (authctxt->authlist) {
 		xfree(authctxt->authlist);
-	if (authctxt->methoddata)
+		authctxt->authlist = NULL;
+	}
+	if (authctxt->methoddata) {
 		xfree(authctxt->methoddata);
+		authctxt->methoddata = NULL;
+	}
 	authctxt->success = 1;			/* break out */
 }
 
@@ -460,7 +470,12 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 	debug2("input_userauth_pk_ok: fp %s", fp);
 	xfree(fp);
 
-	TAILQ_FOREACH(id, &authctxt->keys, next) {
+	/*
+	 * search keys in the reverse order, because last candidate has been
+	 * moved to the end of the queue.  this also avoids confusion by
+	 * duplicate keys
+	 */
+	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
 		if (key_equal(key, id->key)) {
 			sent = sign_and_send_pubkey(authctxt, id);
 			break;
@@ -478,39 +493,35 @@ done:
 }
 
 #ifdef GSSAPI
-int 
+int
 userauth_gssapi(Authctxt *authctxt)
 {
 	Gssctxt *gssctxt = NULL;
-	static gss_OID_set supported = NULL;
-	static int mech = 0;
+	static gss_OID_set gss_supported = NULL;
+	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
 
-	if (supported == NULL)
-		gss_indicate_mechs(&min, &supported);
+	if (gss_supported == NULL)
+		gss_indicate_mechs(&min, &gss_supported);
 
 	/* Check to see if the mechanism is usable before we offer it */
-	while (mech<supported->count && !ok) {
-		if (gssctxt)
-			ssh_gssapi_delete_ctx(&gssctxt);
-		ssh_gssapi_build_ctx(&gssctxt);
-		ssh_gssapi_set_oid(gssctxt, &supported->elements[mech]);
-
+	while (mech < gss_supported->count && !ok) {
 		/* My DER encoding requires length<128 */
-		if (supported->elements[mech].length < 128 &&
-		    !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
-		    authctxt->host))) {
+		if (gss_supported->elements[mech].length < 128 &&
+		    ssh_gssapi_check_mechanism(&gssctxt, 
+		    &gss_supported->elements[mech], authctxt->host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
 		}
 	}
 
-	if (!ok) return 0;
+	if (!ok)
+		return 0;
 
 	authctxt->methoddata=(void *)gssctxt;
 
@@ -521,17 +532,11 @@ userauth_gssapi(Authctxt *authctxt)
 
 	packet_put_int(1);
 
-	/* Some servers encode the OID incorrectly (as we used to) */
-	if (datafellows & SSH_BUG_GSSAPI_BER) {
-		packet_put_string(supported->elements[mech].elements,
-		    supported->elements[mech].length);
-	} else {
-		packet_put_int((supported->elements[mech].length)+2);
-		packet_put_char(SSH_GSS_OIDTYPE);
-		packet_put_char(supported->elements[mech].length);
-		packet_put_raw(supported->elements[mech].elements,
-		    supported->elements[mech].length);
-	}
+	packet_put_int((gss_supported->elements[mech].length) + 2);
+	packet_put_char(SSH_GSS_OIDTYPE);
+	packet_put_char(gss_supported->elements[mech].length);
+	packet_put_raw(gss_supported->elements[mech].elements,
+	    gss_supported->elements[mech].length);
 
 	packet_send();
 
@@ -545,15 +550,67 @@ userauth_gssapi(Authctxt *authctxt)
 	return 1;
 }
 
+static OM_uint32
+process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
+{
+	Authctxt *authctxt = ctxt;
+	Gssctxt *gssctxt = authctxt->methoddata;
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc gssbuf;
+	OM_uint32 status, ms, flags;
+	Buffer b;
+
+	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
+	    recv_tok, &send_tok, &flags);
+
+	if (send_tok.length > 0) {
+		if (GSS_ERROR(status))
+			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
+		else
+			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
+
+		packet_put_string(send_tok.value, send_tok.length);
+		packet_send();
+		gss_release_buffer(&ms, &send_tok);
+	}
+
+	if (status == GSS_S_COMPLETE) {
+		/* send either complete or MIC, depending on mechanism */
+		if (!(flags & GSS_C_INTEG_FLAG)) {
+			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+			packet_send();
+		} else {
+			ssh_gssapi_buildmic(&b, authctxt->server_user,
+			    authctxt->service, "gssapi-with-mic");
+
+			gssbuf.value = buffer_ptr(&b);
+			gssbuf.length = buffer_len(&b);
+
+			status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
+
+			if (!GSS_ERROR(status)) {
+				packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
+				packet_put_string(mic.value, mic.length);
+
+				packet_send();
+			}
+
+			buffer_free(&b);
+			gss_release_buffer(&ms, &mic);
+		}
+	}
+
+	return status;
+}
+
 void
 input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
-	OM_uint32 status, ms;
 	int oidlen;
 	char *oidv;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
@@ -562,94 +619,55 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 	/* Setup our OID */
 	oidv = packet_get_string(&oidlen);
 
-	if (datafellows & SSH_BUG_GSSAPI_BER) {
-		if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
-			fatal("Server returned different OID than expected");
-	} else {
-		if(oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen-2) {
-			debug("Badly encoded mechanism OID received");
-			userauth(authctxt, NULL);
-			xfree(oidv);
-			return;
-		}
-		if (!ssh_gssapi_check_oid(gssctxt, oidv+2, oidlen-2))
-			fatal("Server returned different OID than expected");
+	if (oidlen <= 2 ||
+	    oidv[0] != SSH_GSS_OIDTYPE ||
+	    oidv[1] != oidlen - 2) {
+		xfree(oidv);
+		debug("Badly encoded mechanism OID received");
+		userauth(authctxt, NULL);
+		return;
 	}
 
+	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+		fatal("Server returned different OID than expected");
+
 	packet_check_eom();
 
 	xfree(oidv);
 
-	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-	    GSS_C_NO_BUFFER, &send_tok, NULL);
-	if (GSS_ERROR(status)) {
-		if (send_tok.length > 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-			gss_release_buffer(&ms, &send_tok);
-		}
+	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 		/* Start again with next method on list */
 		debug("Trying to start again");
 		userauth(authctxt, NULL);
 		return;
 	}
-
-	/* We must have data to send */
-	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-	packet_put_string(send_tok.value, send_tok.length);
-	packet_send();
-	gss_release_buffer(&ms, &send_tok);
 }
 
 void
 input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc recv_tok;
-	OM_uint32 status, ms;
+	OM_uint32 status;
 	u_int slen;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
-	gssctxt = authctxt->methoddata;
 
 	recv_tok.value = packet_get_string(&slen);
 	recv_tok.length = slen;	/* safe typecast */
 
 	packet_check_eom();
 
-	status=ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-	    &recv_tok, &send_tok, NULL);
+	status = process_gssapi_token(ctxt, &recv_tok);
 
 	xfree(recv_tok.value);
 
 	if (GSS_ERROR(status)) {
-		if (send_tok.length > 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-			gss_release_buffer(&ms, &send_tok);
-		}
 		/* Start again with the next method in the list */
 		userauth(authctxt, NULL);
 		return;
 	}
-
-	if (send_tok.length > 0) {
-		packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-		packet_put_string(send_tok.value, send_tok.length);
-		packet_send();
-		gss_release_buffer(&ms, &send_tok);
-	}
-
-	if (status == GSS_S_COMPLETE) {
-		/* If that succeeded, send a exchange complete message */
-		packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-		packet_send();
-	}
 }
 
 void
@@ -660,18 +678,20 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc recv_tok;
 	OM_uint32 status, ms;
+	u_int len;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
 	gssctxt = authctxt->methoddata;
 
-	recv_tok.value = packet_get_string(&recv_tok.length);
+	recv_tok.value = packet_get_string(&len);
+	recv_tok.length = len;
 
 	packet_check_eom();
 
 	/* Stick it into GSSAPI and see what it says */
 	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-				     &recv_tok, &send_tok, NULL);
+	    &recv_tok, &send_tok, NULL);
 
 	xfree(recv_tok.value);
 	gss_release_buffer(&ms, &send_tok);
@@ -693,7 +713,7 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 
 	packet_check_eom();
 
-	debug("Server GSSAPI Error:\n%s\n", msg);
+	debug("Server GSSAPI Error:\n%s", msg);
 	xfree(msg);
 	xfree(lang);
 }
@@ -954,14 +974,16 @@ load_identity_file(char *filename)
 {
 	Key *private;
 	char prompt[300], *passphrase;
-	int quit, i;
+	int perm_ok, quit, i;
 	struct stat st;
 
 	if (stat(filename, &st) < 0) {
 		debug3("no such identity: %s", filename);
 		return NULL;
 	}
-	private = key_load_private_type(KEY_UNSPEC, filename, "", NULL);
+	private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
+	if (!perm_ok)
+		return NULL;
 	if (private == NULL) {
 		if (options.batch_mode)
 			return NULL;
@@ -970,8 +992,8 @@ load_identity_file(char *filename)
 		for (i = 0; i < options.number_of_password_prompts; i++) {
 			passphrase = read_passphrase(prompt, 0);
 			if (strcmp(passphrase, "") != 0) {
-				private = key_load_private_type(KEY_UNSPEC, filename,
-				    passphrase, NULL);
+				private = key_load_private_type(KEY_UNSPEC,
+				    filename, passphrase, NULL, NULL);
 				quit = 0;
 			} else {
 				debug2("no passphrase given, try next key");
@@ -1014,8 +1036,7 @@ pubkey_prepare(Authctxt *authctxt)
 		if (key && key->type == KEY_RSA1)
 			continue;
 		options.identity_keys[i] = NULL;
-		id = xmalloc(sizeof(*id));
-		memset(id, 0, sizeof(*id));
+		id = xcalloc(1, sizeof(*id));
 		id->key = key;
 		id->filename = xstrdup(options.identity_files[i]);
 		TAILQ_INSERT_TAIL(&files, id, next);
@@ -1027,7 +1048,7 @@ pubkey_prepare(Authctxt *authctxt)
 		    key = ssh_get_next_identity(ac, &comment, 2)) {
 			found = 0;
 			TAILQ_FOREACH(id, &files, next) {
-				/* agent keys from the config file are preferred */ 
+				/* agent keys from the config file are preferred */
 				if (key_equal(key, id->key)) {
 					key_free(key);
 					xfree(comment);
@@ -1038,9 +1059,8 @@ pubkey_prepare(Authctxt *authctxt)
 					break;
 				}
 			}
-			if (!found) {
-				id = xmalloc(sizeof(*id));
-				memset(id, 0, sizeof(*id));
+			if (!found && !options.identities_only) {
+				id = xcalloc(1, sizeof(*id));
 				id->key = key;
 				id->filename = comment;
 				id->ac = ac;
@@ -1091,6 +1111,7 @@ userauth_pubkey(Authctxt *authctxt)
 	while ((id = TAILQ_FIRST(&authctxt->keys))) {
 		if (id->tried++)
 			return (0);
+		/* move key to the end of the queue */
 		TAILQ_REMOVE(&authctxt->keys, id, next);
 		TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
 		/*
@@ -1235,8 +1256,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
 		return -1;
 	}
 	if (pid == 0) {
-		seteuid(getuid());
-		setuid(getuid());
+		permanently_drop_suid(getuid());
 		close(from[0]);
 		if (dup2(from[1], STDOUT_FILENO) < 0)
 			fatal("ssh_keysign: dup2: %s", strerror(errno));
@@ -1255,11 +1275,12 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
 	buffer_init(&b);
 	buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
 	buffer_put_string(&b, data, datalen);
-	ssh_msg_send(to[1], version, &b);
+	if (ssh_msg_send(to[1], version, &b) == -1)
+		fatal("ssh_keysign: couldn't send request");
 
 	if (ssh_msg_recv(from[0], &b) < 0) {
 		error("ssh_keysign: no reply");
-		buffer_clear(&b);
+		buffer_free(&b);
 		return -1;
 	}
 	close(from[0]);
@@ -1271,11 +1292,11 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
 
 	if (buffer_get_char(&b) != version) {
 		error("ssh_keysign: bad version");
-		buffer_clear(&b);
+		buffer_free(&b);
 		return -1;
 	}
 	*sigp = buffer_get_string(&b, lenp);
-	buffer_clear(&b);
+	buffer_free(&b);
 
 	return 0;
 }
@@ -1287,7 +1308,7 @@ userauth_hostbased(Authctxt *authctxt)
 	Sensitive *sensitive = authctxt->sensitive;
 	Buffer b;
 	u_char *signature, *blob;
-	char *chost, *pkalg, *p;
+	char *chost, *pkalg, *p, myname[NI_MAXHOST];
 	const char *service;
 	u_int blen, slen;
 	int ok, i, len, found = 0;
@@ -1311,16 +1332,24 @@ userauth_hostbased(Authctxt *authctxt)
 		return 0;
 	}
 	/* figure out a name for the client host */
-	p = get_local_name(packet_get_connection_in());
+	p = NULL;
+	if (packet_connection_is_on_socket())
+		p = get_local_name(packet_get_connection_in());
+	if (p == NULL) {
+		if (gethostname(myname, sizeof(myname)) == -1) {
+			verbose("userauth_hostbased: gethostname: %s", 
+			    strerror(errno));
+		} else
+			p = xstrdup(myname);
+	}
 	if (p == NULL) {
 		error("userauth_hostbased: cannot get local ipaddr/name");
 		key_free(private);
+		xfree(blob);
 		return 0;
 	}
 	len = strlen(p) + 2;
-	chost = xmalloc(len);
-	strlcpy(chost, p, len);
-	strlcat(chost, ".", len);
+	xasprintf(&chost, "%s.", p);
 	debug2("userauth_hostbased: chost %s", chost);
 	xfree(p);
 
@@ -1353,6 +1382,7 @@ userauth_hostbased(Authctxt *authctxt)
 		error("key_sign failed");
 		xfree(chost);
 		xfree(pkalg);
+		xfree(blob);
 		return 0;
 	}
 	packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -1368,106 +1398,12 @@ userauth_hostbased(Authctxt *authctxt)
 	xfree(signature);
 	xfree(chost);
 	xfree(pkalg);
+	xfree(blob);
 
 	packet_send();
 	return 1;
 }
 
-#if KRB5
-static int
-ssh_krb5_helper(krb5_data *ap, krb5_context *context)
-{
-	krb5_context xcontext = NULL;	/* XXX share with ssh1 */
-	krb5_auth_context xauth_context = NULL;
-	krb5_auth_context *auth_context;
-	krb5_error_code problem;
-	const char *tkfile;
-	struct stat buf;
-	krb5_ccache ccache = NULL;
-	const char *remotehost;
-	int ret;
-
-	memset(ap, 0, sizeof(*ap));
-
-	context = &xcontext;
-	auth_context = &xauth_context;
-
-	problem = krb5_init_context(context);
-	if (problem) {
-		debug("Kerberos v5: krb5_init_context failed");
-		ret = 0;
-		goto out;
-	}
-
-	tkfile = krb5_cc_default_name(*context);
-	if (strncmp(tkfile, "FILE:", 5) == 0)
-		tkfile += 5;
-
-	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-		debug("Kerberos v5: could not get default ccache (permission denied).");
-		ret = 0;
-		goto out;
-	}
-
-	problem = krb5_cc_default(*context, &ccache);
-	if (problem) {
-		debug("Kerberos v5: krb5_cc_default failed: %s",
-		    krb5_get_err_text(*context, problem));
-		ret = 0;
-		goto out;
-	}
-
-	remotehost = get_canonical_hostname(1);
-
-	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
-	    "host", remotehost, NULL, ccache, ap);
-	if (problem) {
-		debug("Kerberos v5: krb5_mk_req failed: %s",
-		    krb5_get_err_text(*context, problem));
-		ret = 0;
-		goto out;
-	}
-	ret = 1;
-
- out:
-	if (ccache != NULL)
-		krb5_cc_close(*context, ccache);
-	if (*auth_context)
-		krb5_auth_con_free(*context, *auth_context);
-	return (ret);
-}
-
-int
-userauth_kerberos(Authctxt *authctxt)
-{
-	krb5_data ap;
-	krb5_context *context;
-	int ret = 0;
-
-	if (ssh_krb5_helper(&ap, context) == 0)
-		goto out;
-
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_put_string(ap.data, ap.length);
-	packet_send();
-
-#ifdef HEIMDAL
-	krb5_data_free(&ap);
-#else
-	krb5_free_data_contents(*context, &ap);
-#endif
-	ret = 1;
-
-out:
-	if (*context)
-		krb5_free_context(*context);
-	return ret;
-}
-#endif
-
 /* find auth method */
 
 /*