- (dtucker) OpenBSD CVS Sync POST_KRB4_REMOVAL
authordtucker <dtucker>
Sat, 2 Aug 2003 12:24:49 +0000 (12:24 +0000)
committerdtucker <dtucker>
Sat, 2 Aug 2003 12:24:49 +0000 (12:24 +0000)
   - markus@cvs.openbsd.org 2003/07/22 13:35:22
     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
     test+ok henning@
 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.

I hope I got this right....

26 files changed:
ChangeLog
Makefile.in
acconfig.h
auth-krb4.c [deleted file]
auth-passwd.c
auth.h
auth1.c
configure.ac
monitor.c
monitor.h
monitor_wrap.c
monitor_wrap.h
radix.c [deleted file]
radix.h [deleted file]
readconf.c
readconf.h
servconf.c
servconf.h
session.c
ssh.1
ssh.c
ssh.h
ssh_config.5
sshconnect1.c
sshd.c
sshd_config.5

index cb4f6029ed9d54749e559ac8db72546ccb593274..c034878fb57edca97e024d12379de617f04eb358 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 20030802
  - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/07/22 13:35:22
+     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
+     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
+     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
+     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
+     test+ok henning@
+ - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
+ - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
 
 20030730
  - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
index 077ea6bafa6a6283c46ec5ded236dce04fdc58f0..570865816d67c0b1eb4206a86b26d457226079ae 100644 (file)
@@ -63,7 +63,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
        cipher.o  cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
        compat.o compress.o crc32.o deattack.o fatal.o \
-       hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o \
+       hostfile.o log.o match.o mpaux.o nchan.o packet.o \
        readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
        key.o dispatch.o kex.o mac.o uuencode.o misc.o \
        rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
@@ -81,7 +81,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o \
        monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
        kexdhs.o kexgexs.o \
-       auth-krb5.o auth2-krb5.o auth-krb4.o \
+       auth-krb5.o auth2-krb5.o \
        loginrec.o auth-pam.o auth-sia.o md5crypt.o
 
 MANPAGES       = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
index cbf2ec503c52657194383948284f9b6a11474b0d..39ca97d9e0499d42dd760037ea098719a98eb85e 100644 (file)
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 
-/* Define if you want Kerberos 4 support */
-#undef KRB4
-
-/* Define if you want AFS support */
-#undef AFS
-
 /* Define if you want S/Key support */
 #undef SKEY
 
diff --git a/auth-krb4.c b/auth-krb4.c
deleted file mode 100644 (file)
index 9e1c800..0000000
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $");
-
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "auth.h"
-
-#ifdef AFS
-#include "radix.h"
-#endif
-
-#ifdef KRB4
-extern ServerOptions options;
-
-static int
-krb4_init(void *context)
-{
-       static int cleanup_registered = 0;
-       Authctxt *authctxt = (Authctxt *)context;
-       const char *tkt_root = TKT_ROOT;
-       struct stat st;
-       int fd;
-
-       if (!authctxt->krb4_ticket_file) {
-               /* Set unique ticket string manually since we're still root. */
-               authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
-#ifdef AFS
-               if (lstat("/ticket", &st) != -1)
-                       tkt_root = "/ticket/";
-#endif /* AFS */
-               snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
-                   tkt_root, authctxt->pw->pw_uid, (long)getpid());
-               krb_set_tkt_string(authctxt->krb4_ticket_file);
-       }
-       /* Register ticket cleanup in case of fatal error. */
-       if (!cleanup_registered) {
-               fatal_add_cleanup(krb4_cleanup_proc, authctxt);
-               cleanup_registered = 1;
-       }
-       /* Try to create our ticket file. */
-       if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
-               close(fd);
-               return (1);
-       }
-       /* Ticket file exists - make sure user owns it (just passed ticket). */
-       if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
-               if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
-                   st.st_uid == authctxt->pw->pw_uid)
-                       return (1);
-       }
-       /* Failure - cancel cleanup function, leaving ticket for inspection. */
-       logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
-
-       fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
-       cleanup_registered = 0;
-
-       xfree(authctxt->krb4_ticket_file);
-       authctxt->krb4_ticket_file = NULL;
-
-       return (0);
-}
-
-/*
- * try krb4 authentication,
- * return 1 on success, 0 on failure, -1 if krb4 is not available
- */
-int
-auth_krb4_password(Authctxt *authctxt, const char *password)
-{
-       AUTH_DAT adata;
-       KTEXT_ST tkt;
-       struct hostent *hp;
-       struct passwd *pw;
-       char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
-       u_int32_t faddr;
-       int r;
-
-       if ((pw = authctxt->pw) == NULL)
-               return (0);
-
-       /*
-        * Try Kerberos password authentication only for non-root
-        * users and only if Kerberos is installed.
-        */
-       if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-               /* Set up our ticket file. */
-               if (!krb4_init(authctxt)) {
-                       logit("Couldn't initialize Kerberos ticket file for %s!",
-                           pw->pw_name);
-                       goto failure;
-               }
-               /* Try to get TGT using our password. */
-               r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
-                   "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
-               if (r != INTK_OK) {
-                       debug("Kerberos v4 password authentication for %s "
-                           "failed: %s", pw->pw_name, krb_err_txt[r]);
-                       goto failure;
-               }
-               /* Successful authentication. */
-               chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-               /*
-                * Now that we have a TGT, try to get a local
-                * "rcmd" ticket to ensure that we are not talking
-                * to a bogus Kerberos server.
-                */
-               gethostname(localhost, sizeof(localhost));
-               strlcpy(phost, (char *)krb_get_phost(localhost),
-                   sizeof(phost));
-               r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-               if (r == KSUCCESS) {
-                       if ((hp = gethostbyname(localhost)) == NULL) {
-                               logit("Couldn't get local host address!");
-                               goto failure;
-                       }
-                       memmove((void *)&faddr, (void *)hp->h_addr,
-                           sizeof(faddr));
-
-                       /* Verify our "rcmd" ticket. */
-                       r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-                           faddr, &adata, "");
-                       if (r == RD_AP_UNDEC) {
-                               /*
-                                * Probably didn't have a srvtab on
-                                * localhost. Disallow login.
-                                */
-                               logit("Kerberos v4 TGT for %s unverifiable, "
-                                   "no srvtab installed? krb_rd_req: %s",
-                                   pw->pw_name, krb_err_txt[r]);
-                               goto failure;
-                       } else if (r != KSUCCESS) {
-                               logit("Kerberos v4 %s ticket unverifiable: %s",
-                                   KRB4_SERVICE_NAME, krb_err_txt[r]);
-                               goto failure;
-                       }
-               } else if (r == KDC_PR_UNKNOWN) {
-                       /*
-                        * Disallow login if no rcmd service exists, and
-                        * log the error.
-                        */
-                       logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
-                           "not registered, or srvtab is wrong?", pw->pw_name,
-                           krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-                       goto failure;
-               } else {
-                       /*
-                        * TGT is bad, forget it. Possibly spoofed!
-                        */
-                       debug("WARNING: Kerberos v4 TGT possibly spoofed "
-                           "for %s: %s", pw->pw_name, krb_err_txt[r]);
-                       goto failure;
-               }
-               /* Authentication succeeded. */
-               return (1);
-       } else
-               /* Logging in as root or no local Kerberos realm. */
-               debug("Unable to authenticate to Kerberos.");
-
- failure:
-       krb4_cleanup_proc(authctxt);
-
-       if (!options.kerberos_or_local_passwd)
-               return (0);
-
-       /* Fall back to ordinary passwd authentication. */
-       return (-1);
-}
-
-void
-krb4_cleanup_proc(void *context)
-{
-       Authctxt *authctxt = (Authctxt *)context;
-       debug("krb4_cleanup_proc called");
-       if (authctxt->krb4_ticket_file) {
-               (void) dest_tkt();
-               xfree(authctxt->krb4_ticket_file);
-               authctxt->krb4_ticket_file = NULL;
-       }
-}
-
-int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
-{
-       AUTH_DAT adat = {0};
-       Key_schedule schedule;
-       struct sockaddr_in local, foreign;
-       char instance[INST_SZ];
-       socklen_t slen;
-       u_int cksum;
-       int r, s;
-
-       s = packet_get_connection_in();
-
-       slen = sizeof(local);
-       memset(&local, 0, sizeof(local));
-       if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
-               debug("getsockname failed: %.100s", strerror(errno));
-       slen = sizeof(foreign);
-       memset(&foreign, 0, sizeof(foreign));
-       if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
-               debug("getpeername failed: %.100s", strerror(errno));
-               fatal_cleanup();
-       }
-       instance[0] = '*';
-       instance[1] = 0;
-
-       /* Get the encrypted request, challenge, and session key. */
-       if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
-           0, &adat, ""))) {
-               debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
-               return (0);
-       }
-       des_key_sched((des_cblock *) adat.session, schedule);
-
-       *client = xmalloc(MAX_K_NAME_SZ);
-       (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
-           *adat.pinst ? "." : "", adat.pinst, adat.prealm);
-
-       /* Check ~/.klogin authorization now. */
-       if (kuserok(&adat, authctxt->user) != KSUCCESS) {
-               logit("Kerberos v4 .klogin authorization failed for %s to "
-                   "account %s", *client, authctxt->user);
-               xfree(*client);
-               *client = NULL;
-               return (0);
-       }
-       /* Increment the checksum, and return it encrypted with the
-          session key. */
-       cksum = adat.checksum + 1;
-       cksum = htonl(cksum);
-
-       /* If we can't successfully encrypt the checksum, we send back an
-          empty message, admitting our failure. */
-       if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
-           schedule, &adat.session, &local, &foreign)) < 0) {
-               debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
-               reply->dat[0] = 0;
-               reply->length = 0;
-       } else
-               reply->length = r;
-
-       /* Clear session key. */
-       memset(&adat.session, 0, sizeof(adat.session));
-       return (1);
-}
-#endif /* KRB4 */
-
-#ifdef AFS
-int
-auth_krb4_tgt(Authctxt *authctxt, const char *string)
-{
-       CREDENTIALS creds;
-       struct passwd *pw;
-
-       if ((pw = authctxt->pw) == NULL)
-               goto failure;
-
-       temporarily_use_uid(pw);
-
-       if (!radix_to_creds(string, &creds)) {
-               logit("Protocol error decoding Kerberos v4 TGT");
-               goto failure;
-       }
-       if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-               strlcpy(creds.service, "krbtgt", sizeof creds.service);
-
-       if (strcmp(creds.service, "krbtgt")) {
-               logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
-                   creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
-                   creds.realm, pw->pw_name);
-               goto failure;
-       }
-       if (!krb4_init(authctxt))
-               goto failure;
-
-       if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-               goto failure;
-
-       if (save_credentials(creds.service, creds.instance, creds.realm,
-           creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
-           creds.issue_date) != KSUCCESS) {
-               debug("Kerberos v4 TGT refused: couldn't save credentials");
-               goto failure;
-       }
-       /* Successful authentication, passed all checks. */
-       chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-       debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
-           creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
-       memset(&creds, 0, sizeof(creds));
-
-       restore_uid();
-
-       return (1);
-
- failure:
-       krb4_cleanup_proc(authctxt);
-       memset(&creds, 0, sizeof(creds));
-       restore_uid();
-
-       return (0);
-}
-
-int
-auth_afs_token(Authctxt *authctxt, const char *token_string)
-{
-       CREDENTIALS creds;
-       struct passwd *pw;
-       uid_t uid;
-
-       if ((pw = authctxt->pw) == NULL)
-               return (0);
-
-       if (!radix_to_creds(token_string, &creds)) {
-               logit("Protocol error decoding AFS token");
-               return (0);
-       }
-       if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
-               strlcpy(creds.service, "afs", sizeof creds.service);
-
-       if (strncmp(creds.pname, "AFS ID ", 7) == 0)
-               uid = atoi(creds.pname + 7);
-       else
-               uid = pw->pw_uid;
-
-       if (kafs_settoken(creds.realm, uid, &creds)) {
-               logit("AFS token (%s@%s) rejected for %s",
-                   creds.pname, creds.realm, pw->pw_name);
-               memset(&creds, 0, sizeof(creds));
-               return (0);
-       }
-       debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
-       memset(&creds, 0, sizeof(creds));
-
-       return (1);
-}
-#endif /* AFS */
index c0b7f725f81fb93eba96f7eb8fb1fd39cee03626..780e9234473b2ee99b9001ad2f2dc57c8a5151d2 100644 (file)
@@ -36,7 +36,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
 
 #include "packet.h"
 #include "log.h"
@@ -131,14 +131,6 @@ auth_password(Authctxt *authctxt, const char *password)
                return (authsuccess);
        }
 # endif
-# ifdef KRB4
-       if (options.kerberos_authentication == 1) {
-               int ret = auth_krb4_password(authctxt, password);
-               if (ret == 1 || ret == 0)
-                       return ret;
-               /* Fall back to ordinary passwd authentication. */
-       }
-# endif
 # ifdef BSD_AUTH
        if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
            (char *)password) == 0)
diff --git a/auth.h b/auth.h
index 776e4195caf320864223b68d423e25830f2cfd57..1ed92e018f98586eb07f78d8af24aa59d2a274cc 100644 (file)
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $        */
+/*     $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $        */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -60,9 +60,6 @@ struct Authctxt {
 #ifdef BSD_AUTH
        auth_session_t  *as;
 #endif
-#ifdef KRB4
-       char            *krb4_ticket_file;
-#endif
 #ifdef KRB5
        krb5_context     krb5_ctx;
        krb5_auth_context krb5_auth_ctx;
@@ -117,20 +114,6 @@ int         auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 int     hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 int     user_key_allowed(struct passwd *, Key *);
 
-#ifdef KRB4
-#include <krb.h>
-int     auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
-int    auth_krb4_password(Authctxt *, const char *);
-void    krb4_cleanup_proc(void *);
-
-#ifdef AFS
-#include <kafs.h>
-int     auth_krb4_tgt(Authctxt *, const char *);
-int     auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-
-#endif /* KRB4 */
-
 #ifdef KRB5
 int    auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int    auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
diff --git a/auth1.c b/auth1.c
index 6cb0b04b2ff9203d6720a5a3d1f7b8bf63eacef5..877e2e62d2420046c846a3c4305e39d400f65352 100644 (file)
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,7 +49,7 @@ get_authname(int type)
        case SSH_CMSG_AUTH_TIS:
        case SSH_CMSG_AUTH_TIS_RESPONSE:
                return "challenge-response";
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
        case SSH_CMSG_AUTH_KERBEROS:
                return "kerberos";
 #endif
@@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
 
        /* If the user has no password, accept authentication immediately. */
        if (options.password_authentication &&
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
            (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
            PRIVSEP(auth_password(authctxt, ""))) {
@@ -120,7 +120,7 @@ do_authloop(Authctxt *authctxt)
                /* Process the packet. */
                switch (type) {
 
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
                case SSH_CMSG_AUTH_KERBEROS:
                        if (!options.kerberos_authentication) {
                                verbose("Kerberos authentication disabled.");
@@ -128,30 +128,7 @@ do_authloop(Authctxt *authctxt)
                                char *kdata = packet_get_string(&dlen);
                                packet_check_eom();
 
-                               if (kdata[0] == 4) { /* KRB_PROT_VERSION */
-#ifdef KRB4
-                                       KTEXT_ST tkt, reply;
-                                       tkt.length = dlen;
-                                       if (tkt.length < MAX_KTXT_LEN)
-                                               memcpy(tkt.dat, kdata, tkt.length);
-
-                                       if (PRIVSEP(auth_krb4(authctxt, &tkt,
-                                           &client_user, &reply))) {
-                                               authenticated = 1;
-                                               snprintf(info, sizeof(info),
-                                                   " tktuser %.100s",
-                                                   client_user);
-
-                                               packet_start(
-                                                   SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-                                               packet_put_string((char *)
-                                                   reply.dat, reply.length);
-                                               packet_send();
-                                               packet_write_wait();
-                                       }
-#endif /* KRB4 */
-                               } else {
-#ifdef KRB5
+                               if (kdata[0] != 4) { /* KRB_PROT_VERSION */
                                        krb5_data tkt, reply;
                                        tkt.length = dlen;
                                        tkt.data = kdata;
@@ -174,24 +151,14 @@ do_authloop(Authctxt *authctxt)
                                                if (reply.length)
                                                        xfree(reply.data);
                                        }
-#endif /* KRB5 */
                                }
                                xfree(kdata);
                        }
                        break;
-#endif /* KRB4 || KRB5 */
-
-#if defined(AFS) || defined(KRB5)
-                       /* XXX - punt on backward compatibility here. */
                case SSH_CMSG_HAVE_KERBEROS_TGT:
                        packet_send_debug("Kerberos TGT passing disabled before authentication.");
                        break;
-#ifdef AFS
-               case SSH_CMSG_HAVE_AFS_TOKEN:
-                       packet_send_debug("AFS token passing disabled before authentication.");
-                       break;
-#endif /* AFS */
-#endif /* AFS || KRB5 */
+#endif
 
                case SSH_CMSG_AUTH_RHOSTS:
                        if (!options.rhosts_authentication) {
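Review bot: The replacement `#endif` that now closes the `#ifdef KRB5` region drops the trailing comment the old terminators carried (`/* KRB5 */`, `/* KRB4 || KRB5 */`, `/* AFS || KRB5 */`); since that single conditional now spans two `case` labels plus the nested ticket-handling block, `#endif /* KRB5 */` would keep the existing convention and make the pairing visible. A client that still sends a protocol-version-4 ticket (`kdata[0] == 4`) now takes no branch at all inside the hunk, so nothing records within this code path why the attempt was rejected; an `else verbose("Kerberos v4 authentication is no longer supported");` before `xfree(kdata)` would leave a trace for the operator, though the generic auth-failure logging presumably happens later in the loop outside this view. do_authloop starts and ends outside the hunk.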
index 157117629f5259e919f42cf13aa66f73b376645c..dd659911b98f6ddfc0645ff0d1ed4ac877789243 100644 (file)
@@ -54,7 +54,6 @@ fi
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
-       AFS_LIBS="-lld"
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) 
@@ -1940,87 +1939,7 @@ AC_ARG_WITH(kerberos5,
                 fi
         ]
 )
-# Check whether user wants Kerberos 4 support
-KRB4_MSG="no" 
-AC_ARG_WITH(kerberos4,
-       [  --with-kerberos4=PATH   Enable Kerberos 4 support],
-       [
-               if test "x$withval" != "xno" ; then
-                       if test "x$withval" != "xyes" ; then
-                               CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                               LDFLAGS="$LDFLAGS -L${withval}/lib"
-                               if test ! -z "$need_dash_r" ; then
-                                       LDFLAGS="$LDFLAGS -R${withval}/lib"
-                               fi
-                               if test ! -z "$blibpath" ; then
-                                       blibpath="$blibpath:${withval}/lib"
-                               fi
-                       else
-                               if test -d /usr/include/kerberosIV ; then
-                                       CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
-                               fi
-                       fi
-
-                       AC_CHECK_HEADERS(krb.h)
-                       if test "$ac_cv_header_krb_h" != yes; then
-                               AC_MSG_WARN([Cannot find krb.h, build may fail])
-                       fi
-                       AC_CHECK_LIB(krb, main)
-                       if test "$ac_cv_lib_krb_main" != yes; then
-                               AC_CHECK_LIB(krb4, main)
-                               if test "$ac_cv_lib_krb4_main" != yes; then
-                                       AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
-                               else
-                                       KLIBS="-lkrb4"
-                               fi
-                       else
-                               KLIBS="-lkrb"
-                       fi
-                       AC_CHECK_LIB(des, des_cbc_encrypt)
-                       if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
-                               AC_CHECK_LIB(des425, des_cbc_encrypt)
-                               if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
-                                       AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
-                               else
-                                       KLIBS="-ldes425"
-                               fi
-                       else
-                               KLIBS="-ldes"
-                       fi
-                       AC_CHECK_LIB(resolv, dn_expand, , )
-                       KRB4=yes
-                       KRB4_MSG="yes" 
-                       AC_DEFINE(KRB4)
-               fi
-       ]
-)
-
-# Check whether user wants AFS support
-AFS_MSG="no" 
-AC_ARG_WITH(afs,
-       [  --with-afs=PATH         Enable AFS support],
-       [
-               if test "x$withval" != "xno" ; then
-
-                       if test "x$withval" != "xyes" ; then
-                               CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                               LDFLAGS="$LDFLAGS -L${withval}/lib"
-                       fi
-
-                       if test -z "$KRB4" ; then
-                               AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
-                       fi
-
-                       LIBS="-lkafs $LIBS"
-                       if test ! -z "$AFS_LIBS" ; then
-                               LIBS="$LIBS $AFS_LIBS"
-                       fi
-                       AC_DEFINE(AFS)
-                       AFS_MSG="yes" 
-               fi
-       ]
-)
-LIBS="$LIBS $KLIBS $K5LIBS"
+LIBS="$LIBS $K5LIBS"
 
 # Looking for programs, paths and files
 
@@ -2648,10 +2567,8 @@ fi
 echo "                    Manpage format: $MANTYPE"
 echo "                       DNS support: $DNS_MSG"
 echo "                       PAM support: $PAM_MSG"
-echo "                KerberosIV support: $KRB4_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
-echo "                       AFS support: $AFS_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
index 3a8735f58a70a1a631bafeaccde8cd99112a84d5..95fd0cf64caf0a55ef4ade5c83c1f17367dbd467 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -124,9 +124,6 @@ int mm_answer_pam_respond(int, Buffer *);
 int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
 
-#ifdef KRB4
-int mm_answer_krb4(int, Buffer *);
-#endif
 #ifdef KRB5
 int mm_answer_krb5(int, Buffer *);
 #endif
@@ -222,9 +219,6 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
-#ifdef KRB4
-    {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
-#endif
 #ifdef KRB5
     {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
@@ -1428,52 +1422,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
        return (success);
 }
 
-#ifdef KRB4
-int
-mm_answer_krb4(int socket, Buffer *m)
-{
-       KTEXT_ST auth, reply;
-       char  *client, *p;
-       int success;
-       u_int alen;
-
-       reply.length = auth.length = 0;
-       p = buffer_get_string(m, &alen);
-       if (alen >=  MAX_KTXT_LEN)
-                fatal("%s: auth too large", __func__);
-       memcpy(auth.dat, p, alen);
-       auth.length = alen;
-       memset(p, 0, alen);
-       xfree(p);
-
-       success = options.kerberos_authentication &&
-           authctxt->valid &&
-           auth_krb4(authctxt, &auth, &client, &reply);
-
-       memset(auth.dat, 0, alen);
-       buffer_clear(m);
-       buffer_put_int(m, success);
-
-       if (success) {
-               buffer_put_cstring(m, client);
-               buffer_put_string(m, reply.dat, reply.length);
-               if (client)
-                       xfree(client);
-               if (reply.length)
-                       memset(reply.dat, 0, reply.length);
-       }
-
-       debug3("%s: sending result %d", __func__, success);
-       mm_request_send(socket, MONITOR_ANS_KRB4, m);
-
-       auth_method = "kerberos";
-
-       /* Causes monitor loop to terminate if authenticated */
-       return (success);
-}
-#endif
-
 #ifdef KRB5
 int
 mm_answer_krb5(int socket, Buffer *m)
index 97044cb87c664fb8e11f79c6065e66c76731a2df..7d86b45953728bacf707c50311ded6114f24913f 100644 (file)
--- a/monitor.h
+++ b/monitor.h
@@ -49,7 +49,6 @@ enum monitor_reqtype {
        MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
        MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
        MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-       MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
        MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
        MONITOR_REQ_PAM_START,
        MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
index 10a79c0356baf1abdaaa0f08573e50b39e5ca0be..c7ba86ffcf2b4ab9ddd2b39b643fd43a5e727777 100644 (file)
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -1043,42 +1043,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
        return (success);
 }
 
-#ifdef KRB4
-int
-mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
-{
-       KTEXT auth, reply;
-       Buffer m;
-       u_int rlen;
-       int success = 0;
-       char *p;
-
-       debug3("%s entering", __func__);
-       auth = _auth;
-       reply = _reply;
-
-       buffer_init(&m);
-       buffer_put_string(&m, auth->dat, auth->length);
-
-       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
-       mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
-
-       success = buffer_get_int(&m);
-       if (success) {
-               *client = buffer_get_string(&m, NULL);
-               p = buffer_get_string(&m, &rlen);
-               if (rlen >= MAX_KTXT_LEN)
-                       fatal("%s: reply from monitor too large", __func__);
-               reply->length = rlen;
-               memcpy(reply->dat, p, rlen);
-               memset(p, 0, rlen);
-               xfree(p);
-       }
-       buffer_free(&m);
-       return (success);
-}
-#endif
-
 #ifdef KRB5
 int
 mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
index d551c9d41e376fe53559028d6c748b1a15a72d67..e0dd73bd0366b6f79d131d17cb2bda3be3e7548d 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/*     $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -88,9 +88,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
 /* auth_krb */
-#ifdef KRB4
-int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
-#endif
 #ifdef KRB5
 /* auth and reply are really krb5_data objects, but we don't want to
  * include all of the krb5 headers here */
diff --git a/radix.c b/radix.c
deleted file mode 100644 (file)
index c680d6b..0000000
--- a/radix.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- * Copyright (c) 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#include "uuencode.h"
-
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-
-#ifdef AFS
-#include <krb.h>
-
-#include <radix.h>
-#include "bufaux.h"
-
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
-       Buffer b;
-       int ret;
-
-       buffer_init(&b);
-
-       buffer_put_char(&b, 1); /* version */
-
-       buffer_append(&b, creds->service, strlen(creds->service));
-       buffer_put_char(&b, '\0');
-       buffer_append(&b, creds->instance, strlen(creds->instance));
-       buffer_put_char(&b, '\0');
-       buffer_append(&b, creds->realm, strlen(creds->realm));
-       buffer_put_char(&b, '\0');
-       buffer_append(&b, creds->pname, strlen(creds->pname));
-       buffer_put_char(&b, '\0');
-       buffer_append(&b, creds->pinst, strlen(creds->pinst));
-       buffer_put_char(&b, '\0');
-
-       /* Null string to repeat the realm. */
-       buffer_put_char(&b, '\0');
-
-       buffer_put_int(&b, creds->issue_date);
-       buffer_put_int(&b, krb_life_to_time(creds->issue_date,
-           creds->lifetime));
-       buffer_append(&b, creds->session, sizeof(creds->session));
-       buffer_put_short(&b, creds->kvno);
-
-       /* 32 bit size + data */
-       buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-
-       ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-
-       buffer_free(&b);
-       return ret;
-}
-
-#define GETSTRING(b, t, tlen) \
-       do { \
-               int i, found = 0; \
-               for (i = 0; i < tlen; i++) { \
-                       if (buffer_len(b) == 0) \
-                               goto done; \
-                       t[i] = buffer_get_char(b); \
-                       if (t[i] == '\0') { \
-                               found = 1; \
-                               break; \
-                       } \
-               } \
-               if (!found) \
-                       goto done; \
-       } while(0)
-
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
-       Buffer b;
-       u_char *space;
-       char c, version, *p;
-       u_int endTime, len;
-       int blen, ret;
-
-       ret = 0;
-       blen = strlen(buf);
-
-       /* sanity check for size */
-       if (blen > 8192)
-               return 0;
-
-       buffer_init(&b);
-       space = buffer_append_space(&b, blen);
-
-       /* check version and length! */
-       len = uudecode(buf, space, blen);
-       if (len < 1)
-               goto done;
-
-       version = buffer_get_char(&b);
-
-       GETSTRING(&b, creds->service, sizeof creds->service);
-       GETSTRING(&b, creds->instance, sizeof creds->instance);
-       GETSTRING(&b, creds->realm, sizeof creds->realm);
-       GETSTRING(&b, creds->pname, sizeof creds->pname);
-       GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-
-       if (buffer_len(&b) == 0)
-               goto done;
-
-       /* Ignore possibly different realm. */
-       while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
-               ;
-
-       if (buffer_len(&b) == 0)
-               goto done;
-
-       creds->issue_date = buffer_get_int(&b);
-
-       endTime = buffer_get_int(&b);
-       creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-
-       len = buffer_len(&b);
-       if (len < sizeof(creds->session))
-               goto done;
-       memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
-       buffer_consume(&b, sizeof(creds->session));
-
-       creds->kvno = buffer_get_short(&b);
-
-       p = buffer_get_string(&b, &len);
-       if (len < 0 || len > sizeof(creds->ticket_st.dat))
-               goto done;
-       memcpy(&creds->ticket_st.dat, p, len);
-       creds->ticket_st.length = len;
-
-       ret = 1;
-done:
-       buffer_free(&b);
-       return ret;
-}
-#endif /* AFS */
diff --git a/radix.h b/radix.h
deleted file mode 100644 (file)
index e94e4ac..0000000
--- a/radix.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*     $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $        */
-
-/*
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int     creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int     radix_to_creds(const char *, CREDENTIALS *);
index 3c08f7638d79535bdd166be5e15d8ac91a9467a8..332500e7c56471e58f18db84b80d0596af770273 100644 (file)
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -94,7 +94,7 @@ typedef enum {
        oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
        oPasswordAuthentication, oRSAAuthentication,
        oChallengeResponseAuthentication, oXAuthLocation,
-       oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing,
+       oKerberosAuthentication, oKerberosTgtPassing,
        oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
        oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
        oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@@ -134,18 +134,14 @@ static struct {
        { "challengeresponseauthentication", oChallengeResponseAuthentication },
        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
        { "kerberosauthentication", oKerberosAuthentication },
        { "kerberostgtpassing", oKerberosTgtPassing },
 #else
        { "kerberosauthentication", oUnsupported },
        { "kerberostgtpassing", oUnsupported },
 #endif
-#if defined(AFS)
-       { "afstokenpassing", oAFSTokenPassing },
-#else
        { "afstokenpassing", oUnsupported },
-#endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
        { "identityfile", oIdentityFile },
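Review bot: `{ "afstokenpassing", oUnsupported },` now maps the keyword unconditionally to the category this table uses for features absent from a particular build, yet after this commit AFS token passing exists in no build at all. The table already distinguishes that situation with `oDeprecated` for `fallbacktorsh` and `usersh` two lines below, so `{ "afstokenpassing", oDeprecated },` would, presumably, give the user the accurate message that the option was removed rather than merely not compiled in. The servconf.c table has the same pattern at its `{ "afstokenpassing", sUnsupported },` line; if the server-side enum has an equivalent deprecated category (not visible in these hunks) the same change applies there. The enclosing table starts and ends outside this hunk.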
@@ -399,10 +395,6 @@ parse_flag:
                intptr = &options->kerberos_tgt_passing;
                goto parse_flag;
 
-       case oAFSTokenPassing:
-               intptr = &options->afs_token_passing;
-               goto parse_flag;
-
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -828,7 +820,6 @@ initialize_options(Options * options)
        options->challenge_response_authentication = -1;
        options->kerberos_authentication = -1;
        options->kerberos_tgt_passing = -1;
-       options->afs_token_passing = -1;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -905,8 +896,6 @@ fill_default_options(Options * options)
                options->kerberos_authentication = 1;
        if (options->kerberos_tgt_passing == -1)
                options->kerberos_tgt_passing = 1;
-       if (options->afs_token_passing == -1)
-               options->afs_token_passing = 1;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
index 4e0b7431888ac5a095e7c20909c3aaa24a9e6f2f..cc94253e6ac0c3eab9a840048fb27c54c04a4ab7 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $       */
+/*     $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $    */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,7 +43,6 @@ typedef struct {
                                        /* Try S/Key or TIS, authentication. */
        int     kerberos_authentication;        /* Try Kerberos authentication. */
        int     kerberos_tgt_passing;   /* Try Kerberos TGT passing. */
-       int     afs_token_passing;      /* Try AFS token passing. */
        int     password_authentication;        /* Try password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
index 6df2a255bd3e5afd197fdd430204f4d2c014abd8..c4b2bb28453474de40529b1ef2a3e30015f95a22 100644 (file)
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
-
-#if defined(KRB4)
-#include <krb.h>
-#endif
-
-#ifdef AFS
-#include <kafs.h>
-#endif
+RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -82,7 +74,6 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_or_local_passwd = -1;
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_tgt_passing = -1;
-       options->afs_token_passing = -1;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -194,8 +185,6 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_ticket_cleanup = 1;
        if (options->kerberos_tgt_passing == -1)
                options->kerberos_tgt_passing = 0;
-       if (options->afs_token_passing == -1)
-               options->afs_token_passing = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -261,7 +250,7 @@ typedef enum {
        sPermitRootLogin, sLogFacility, sLogLevel,
        sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
        sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-       sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
+       sKerberosTgtPassing, sChallengeResponseAuthentication,
        sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -306,7 +295,7 @@ static struct {
        { "rsaauthentication", sRSAAuthentication },
        { "pubkeyauthentication", sPubkeyAuthentication },
        { "dsaauthentication", sPubkeyAuthentication },                 /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
        { "kerberosticketcleanup", sKerberosTicketCleanup },
@@ -317,11 +306,7 @@ static struct {
        { "kerberosticketcleanup", sUnsupported },
        { "kerberostgtpassing", sUnsupported },
 #endif
-#if defined(AFS)
-       { "afstokenpassing", sAFSTokenPassing },
-#else
        { "afstokenpassing", sUnsupported },
-#endif
        { "passwordauthentication", sPasswordAuthentication },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
        { "challengeresponseauthentication", sChallengeResponseAuthentication },
@@ -644,10 +629,6 @@ parse_flag:
                intptr = &options->kerberos_tgt_passing;
                goto parse_flag;
 
-       case sAFSTokenPassing:
-               intptr = &options->afs_token_passing;
-               goto parse_flag;
-
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
index b676f2b673fdc233de4304d577fd7154dbddab67..65ad2071a1006c337420f75fa02efaf32c60c2fa 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $    */
+/*     $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $    */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -84,7 +84,6 @@ typedef struct {
                                                 * file on logout. */
        int     kerberos_tgt_passing;   /* If true, permit Kerberos TGT
                                         * passing. */
-       int     afs_token_passing;      /* If true, permit AFS token passing. */
        int     password_authentication;        /* If true, permit password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
index 4b443831bbd5253b4b2841fac7388fe366ea1113..7a064ad500fbf733e8f2c1bcfdf830aac81686aa 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -222,10 +222,6 @@ do_authenticated(Authctxt *authctxt)
        /* remove agent socket */
        if (auth_sock_name != NULL)
                auth_sock_cleanup_proc(authctxt->pw);
-#ifdef KRB4
-       if (options.kerberos_ticket_cleanup)
-               krb4_cleanup_proc(authctxt);
-#endif
 #ifdef KRB5
        if (options.kerberos_ticket_cleanup)
                krb5_cleanup_proc(authctxt);
@@ -338,7 +334,7 @@ do_authenticated1(Authctxt *authctxt)
                                success = 1;
                        break;
 
-#if defined(AFS) || defined(KRB5)
+#ifdef KRB5
                case SSH_CMSG_HAVE_KERBEROS_TGT:
                        if (!options.kerberos_tgt_passing) {
                                verbose("Kerberos TGT passing disabled.");
@@ -346,9 +342,8 @@ do_authenticated1(Authctxt *authctxt)
                                char *kdata = packet_get_string(&dlen);
                                packet_check_eom();
 
-                               /* XXX - 0x41, see creds_to_radix version */
+                               /* XXX - 0x41, used for AFS */
                                if (kdata[0] != 0x41) {
-#ifdef KRB5
                                        krb5_data tgt;
                                        tgt.data = kdata;
                                        tgt.length = dlen;
@@ -357,38 +352,11 @@ do_authenticated1(Authctxt *authctxt)
                                                success = 1;
                                        else
                                                verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
-#endif /* KRB5 */
-                               } else {
-#ifdef AFS
-                                       if (auth_krb4_tgt(s->authctxt, kdata))
-                                               success = 1;
-                                       else
-                                               verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
-#endif /* AFS */
                                }
                                xfree(kdata);
                        }
                        break;
-#endif /* AFS || KRB5 */
-
-#ifdef AFS
-               case SSH_CMSG_HAVE_AFS_TOKEN:
-                       if (!options.afs_token_passing || !k_hasafs()) {
-                               verbose("AFS token passing disabled.");
-                       } else {
-                               /* Accept AFS token. */
-                               char *token = packet_get_string(&dlen);
-                               packet_check_eom();
-
-                               if (auth_afs_token(s->authctxt, token))
-                                       success = 1;
-                               else
-                                       verbose("AFS token refused for %.100s",
-                                           s->authctxt->user);
-                               xfree(token);
-                       }
-                       break;
-#endif /* AFS */
+#endif
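Review bot: With the `else` branch deleted, a client that sends SSH_CMSG_HAVE_KERBEROS_TGT with a payload whose first byte is 0x41 (the AFS/Kerberos v4 marker the kept comment refers to) now falls out of the `if (kdata[0] != 0x41)` block silently: `success` is left unset and nothing is logged, whereas the other refusal paths in this case report via verbose(). Builds without AFS already behaved this way, but now that the branch is gone for every build an `else verbose("Kerberos v4 TGT passing is no longer supported");` would keep the diagnostics consistent and make the dropped request visible in the server log. Minor style point: the new bare `#endif` drops the trailing tag used elsewhere in this tree (compare the kept `#endif /* KRB5 */` in sshconnect1.c); `#endif /* KRB5 */` would match. do_authenticated1 starts and ends outside this hunk.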
 
                case SSH_CMSG_EXEC_SHELL:
                case SSH_CMSG_EXEC_CMD:
@@ -1066,11 +1034,6 @@ do_setup_env(Session *s, const char *shell)
                read_environment_file(&env, &envsize, "/etc/environment");
        }
 #endif
-#ifdef KRB4
-       if (s->authctxt->krb4_ticket_file)
-               child_set_env(&env, &envsize, "KRBTKFILE",
-                   s->authctxt->krb4_ticket_file);
-#endif
 #ifdef KRB5
        if (s->authctxt->krb5_ticket_file)
                child_set_env(&env, &envsize, "KRB5CCNAME",
@@ -1396,18 +1359,6 @@ do_child(Session *s, const char *command)
         */
        environ = env;
 
-#ifdef AFS
-       /* Try to get AFS tokens for the local cell. */
-       if (k_hasafs()) {
-               char cell[64];
-
-               if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
-                       krb_afslog(cell, 0);
-
-               krb_afslog(0, 0);
-       }
-#endif /* AFS */
-
        /* Change current directory to the user\'s home directory. */
        if (chdir(pw->pw_dir) < 0) {
                fprintf(stderr, "Could not chdir to home directory %s: %s\n",
diff --git a/ssh.1 b/ssh.1
index 8a7d2f428548c5400269a005f504de2ca8ec2c54..c81cb42c67f829dfafcc5ca977755528c7584d6a 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -494,7 +494,7 @@ The argument is the device
 should use to communicate with a smartcard used for storing the user's
 private RSA key.
 .It Fl k
-Disables forwarding of Kerberos tickets and AFS tokens.
+Disables forwarding of Kerberos tickets.
 This may also be specified on a per-host basis in the configuration file.
 .It Fl l Ar login_name
 Specifies the user to log in as on the remote machine.
diff --git a/ssh.c b/ssh.c
index 2bcd5871e9a9353c1e2d8d9fe45621414e1116f5..82b40193d6c18ec64df6d40d38552b794256502d 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -154,9 +154,7 @@ usage(void)
             _PATH_SSH_USER_CONFFILE);
        fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
        fprintf(stderr, "  -a          Disable authentication agent forwarding (default).\n");
-#ifdef AFS
-       fprintf(stderr, "  -k          Disable Kerberos ticket and AFS token forwarding.\n");
-#endif                         /* AFS */
+       fprintf(stderr, "  -k          Disable Kerberos ticket forwarding.\n");
        fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
        fprintf(stderr, "  -x          Disable X11 connection forwarding (default).\n");
        fprintf(stderr, "  -i file     Identity for public key authentication "
@@ -306,12 +304,9 @@ again:
                case 'A':
                        options.forward_agent = 1;
                        break;
-#ifdef AFS
                case 'k':
                        options.kerberos_tgt_passing = 0;
-                       options.afs_token_passing = 0;
                        break;
-#endif
                case 'i':
                        if (stat(optarg, &st) < 0) {
                                fprintf(stderr, "Warning: Identity file %s "
diff --git a/ssh.h b/ssh.h
index 25a9213f31573c42d02eef78835673ad1781a884..607621769db3f02fac77b9ff5a7854018e735f8f 100644 (file)
--- a/ssh.h
+++ b/ssh.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $        */
+/*     $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -88,9 +88,6 @@
  */
 #define SSH_SESSION_KEY_LENGTH         32
 
-/* Name of Kerberos service for SSH to use. */
-#define KRB4_SERVICE_NAME              "rcmd"
-
 /* Used to identify ``EscapeChar none'' */
 #define SSH_ESCAPECHAR_NONE            -2
 
index 79d05f018ae4d6499fd2bc4d6c0c01eba8974797..3a79af8f0727d759a2384d449af3bd57db7f0964 100644 (file)
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -123,13 +123,6 @@ Valid arguments are
 (Use IPv4 only) or
 .Dq inet6
 (Use IPv6 only.)
-.It Cm AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option applies to protocol version 1 only.
 .It Cm BatchMode
 If set to
 .Dq yes ,
@@ -410,7 +403,6 @@ or
 .Dq no .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT will be forwarded to the server.
-This will only work if the Kerberos server is actually an AFS kaserver.
 The argument to this keyword must be
 .Dq yes
 or
index 2a822a98f49056eb354223af54317458e6c68124..8851c35f6b9a90d044e2c1550c4c482a01bf47ed 100644 (file)
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
-#ifdef KRB4
-#include <krb.h>
-#endif
 #ifdef KRB5
 #include <krb5.h>
 #ifndef HEIMDAL
 #define krb5_get_err_text(context,code) error_message(code)
 #endif /* !HEIMDAL */
 #endif
-#ifdef AFS
-#include <kafs.h>
-#include "radix.h"
-#endif
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -380,128 +373,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        return 0;
 }
 
-#ifdef KRB4
-static int
-try_krb4_authentication(void)
-{
-       KTEXT_ST auth;          /* Kerberos data */
-       char *reply;
-       char inst[INST_SZ];
-       char *realm;
-       CREDENTIALS cred;
-       int r, type;
-       socklen_t slen;
-       Key_schedule schedule;
-       u_long checksum, cksum;
-       MSG_DAT msg_data;
-       struct sockaddr_in local, foreign;
-       struct stat st;
-
-       /* Don't do anything if we don't have any tickets. */
-       if (stat(tkt_string(), &st) < 0)
-               return 0;
-
-       strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
-           INST_SZ);
-
-       realm = (char *)krb_realmofhost(get_canonical_hostname(1));
-       if (!realm) {
-               debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
-               return 0;
-       }
-       /* This can really be anything. */
-       checksum = (u_long)getpid();
-
-       r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
-       if (r != KSUCCESS) {
-               debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
-               return 0;
-       }
-       /* Get session key to decrypt the server's reply with. */
-       r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
-       if (r != KSUCCESS) {
-               debug("get_cred failed: %s", krb_err_txt[r]);
-               return 0;
-       }
-       des_key_sched((des_cblock *) cred.session, schedule);
-
-       /* Send authentication info to server. */
-       packet_start(SSH_CMSG_AUTH_KERBEROS);
-       packet_put_string((char *) auth.dat, auth.length);
-       packet_send();
-       packet_write_wait();
-
-       /* Zero the buffer. */
-       (void) memset(auth.dat, 0, MAX_KTXT_LEN);
-
-       slen = sizeof(local);
-       memset(&local, 0, sizeof(local));
-       if (getsockname(packet_get_connection_in(),
-           (struct sockaddr *)&local, &slen) < 0)
-               debug("getsockname failed: %s", strerror(errno));
-
-       slen = sizeof(foreign);
-       memset(&foreign, 0, sizeof(foreign));
-       if (getpeername(packet_get_connection_in(),
-           (struct sockaddr *)&foreign, &slen) < 0) {
-               debug("getpeername failed: %s", strerror(errno));
-               fatal_cleanup();
-       }
-       /* Get server reply. */
-       type = packet_read();
-       switch (type) {
-       case SSH_SMSG_FAILURE:
-               /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-               debug("Kerberos v4 authentication failed.");
-               return 0;
-               break;
-
-       case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-               /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-               debug("Kerberos v4 authentication accepted.");
-
-               /* Get server's response. */
-               reply = packet_get_string((u_int *) &auth.length);
-               if (auth.length >= MAX_KTXT_LEN)
-                       fatal("Kerberos v4: Malformed response from server");
-               memcpy(auth.dat, reply, auth.length);
-               xfree(reply);
-
-               packet_check_eom();
-
-               /*
-                * If his response isn't properly encrypted with the session
-                * key, and the decrypted checksum fails to match, he's
-                * bogus. Bail out.
-                */
-               r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
-                   &foreign, &local, &msg_data);
-               if (r != KSUCCESS) {
-                       debug("Kerberos v4 krb_rd_priv failed: %s",
-                           krb_err_txt[r]);
-                       packet_disconnect("Kerberos v4 challenge failed!");
-               }
-               /* Fetch the (incremented) checksum that we supplied in the request. */
-               memcpy((char *)&cksum, (char *)msg_data.app_data,
-                   sizeof(cksum));
-               cksum = ntohl(cksum);
-
-               /* If it matches, we're golden. */
-               if (cksum == checksum + 1) {
-                       debug("Kerberos v4 challenge successful.");
-                       return 1;
-               } else
-                       packet_disconnect("Kerberos v4 challenge failed!");
-               break;
-
-       default:
-               packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
-       }
-       return 0;
-}
-
-#endif /* KRB4 */
-
 #ifdef KRB5
 static int
 try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@@ -729,129 +600,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 }
 #endif /* KRB5 */
 
-#ifdef AFS
-static void
-send_krb4_tgt(void)
-{
-       CREDENTIALS *creds;
-       struct stat st;
-       char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-       int problem, type;
-
-       /* Don't do anything if we don't have any tickets. */
-       if (stat(tkt_string(), &st) < 0)
-               return;
-
-       creds = xmalloc(sizeof(*creds));
-
-       problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
-       if (problem)
-               goto out;
-
-       problem = krb_get_cred("krbtgt", prealm, prealm, creds);
-       if (problem)
-               goto out;
-
-       if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
-               problem = RD_AP_EXP;
-               goto out;
-       }
-       creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
-
-       packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-       packet_put_cstring(buffer);
-       packet_send();
-       packet_write_wait();
-
-       type = packet_read();
-
-       if (type == SSH_SMSG_SUCCESS)
-               debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
-                   creds->pname, creds->pinst[0] ? "." : "",
-                   creds->pinst, creds->realm);
-       else
-               debug("Kerberos v4 TGT rejected.");
-
-       xfree(creds);
-       return;
-
- out:
-       debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
-       xfree(creds);
-}
-
-static void
-send_afs_tokens(void)
-{
-       CREDENTIALS creds;
-       struct ViceIoctl parms;
-       struct ClearToken ct;
-       int i, type, len;
-       char buf[2048], *p, *server_cell;
-       char buffer[8192];
-
-       /* Move over ktc_GetToken, here's something leaner. */
-       for (i = 0; i < 100; i++) {     /* just in case */
-               parms.in = (char *) &i;
-               parms.in_size = sizeof(i);
-               parms.out = buf;
-               parms.out_size = sizeof(buf);
-               if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
-                       break;
-               p = buf;
-
-               /* Get secret token. */
-               memcpy(&creds.ticket_st.length, p, sizeof(u_int));
-               if (creds.ticket_st.length > MAX_KTXT_LEN)
-                       break;
-               p += sizeof(u_int);
-               memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
-               p += creds.ticket_st.length;
-
-               /* Get clear token. */
-               memcpy(&len, p, sizeof(len));
-               if (len != sizeof(struct ClearToken))
-                       break;
-               p += sizeof(len);
-               memcpy(&ct, p, len);
-               p += len;
-               p += sizeof(len);       /* primary flag */
-               server_cell = p;
-
-               /* Flesh out our credentials. */
-               strlcpy(creds.service, "afs", sizeof(creds.service));
-               creds.instance[0] = '\0';
-               strlcpy(creds.realm, server_cell, REALM_SZ);
-               memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
-               creds.issue_date = ct.BeginTimestamp;
-               creds.lifetime = krb_time_to_life(creds.issue_date,
-                   ct.EndTimestamp);
-               creds.kvno = ct.AuthHandle;
-               snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
-               creds.pinst[0] = '\0';
-
-               /* Encode token, ship it off. */
-               if (creds_to_radix(&creds, (u_char *)buffer,
-                   sizeof(buffer)) <= 0)
-                       break;
-               packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
-               packet_put_cstring(buffer);
-               packet_send();
-               packet_write_wait();
-
-               /* Roger, Roger. Clearance, Clarence. What's your vector,
-                  Victor? */
-               type = packet_read();
-
-               if (type == SSH_SMSG_FAILURE)
-                       debug("AFS token for cell %s rejected.", server_cell);
-               else if (type != SSH_SMSG_SUCCESS)
-                       packet_disconnect("Protocol error on AFS token response: %d", type);
-       }
-}
-
-#endif /* AFS */
-
 /*
  * Tries to authenticate with any string-based challenge/response system.
  * Note that the client code is not tied to s/key or TIS.
@@ -1183,21 +931,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        }
 #endif /* KRB5 */
 
-#ifdef KRB4
-       if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-           options.kerberos_authentication) {
-               debug("Trying Kerberos v4 authentication.");
-
-               if (try_krb4_authentication()) {
-                       type = packet_read();
-                       if (type == SSH_SMSG_SUCCESS)
-                               goto success;
-                       if (type != SSH_SMSG_FAILURE)
-                               packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
-               }
-       }
-#endif /* KRB4 */
-
        /*
         * Use rhosts authentication if running in privileged socket and we
         * do not wish to remain anonymous.
@@ -1284,23 +1017,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        if (context)
                krb5_free_context(context);
 #endif
-
-#ifdef AFS
-       /* Try Kerberos v4 TGT passing if the server supports it. */
-       if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-           options.kerberos_tgt_passing) {
-               if (options.cipher == SSH_CIPHER_NONE)
-                       logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-               send_krb4_tgt();
-       }
-       /* Try AFS token passing if the server supports it. */
-       if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-           options.afs_token_passing && k_hasafs()) {
-               if (options.cipher == SSH_CIPHER_NONE)
-                       logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
-               send_afs_tokens();
-       }
-#endif /* AFS */
-
        return; /* need statement after label */
 }
diff --git a/sshd.c b/sshd.c
index a8cb966b01baa300a90c6af42bab1282d31ac22c..896e56c76a9132d37d8c408f2b2a29d423bf600c 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1476,20 +1476,13 @@ main(int ac, char **av)
                    "originating port %d not trusted.", remote_port);
                options.rhosts_authentication = 0;
        }
-#if defined(KRB4) && !defined(KRB5)
+#ifdef KRB5
        if (!packet_connection_is_ipv4() &&
            options.kerberos_authentication) {
                debug("Kerberos Authentication disabled, only available for IPv4.");
                options.kerberos_authentication = 0;
        }
-#endif /* KRB4 && !KRB5 */
-#ifdef AFS
-       /* If machine has AFS, set process authentication group. */
-       if (k_hasafs()) {
-               k_setpag();
-               k_unlog();
-       }
-#endif /* AFS */
+#endif
 
        packet_set_nonblocking();
 
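Review bot: Re-scoping the IPv4-only guard from `#if defined(KRB4) && !defined(KRB5)` to `#ifdef KRB5` changes behavior for Kerberos v5 builds rather than only removing v4 code: before this change the check was compiled out whenever KRB5 was defined, and now every KRB5 build clears options.kerberos_authentication on any non-IPv4 connection, reporting it only at debug level. If the IPv4 restriction was a property of the removed v4 code path, this block should be deleted with it; if it is genuinely still needed for v5, the message should be logged at a level an administrator sees so that Kerberos silently stopping for IPv6 clients is diagnosable rather than a surprise. At minimum the block needs a comment explaining why v5 is limited to IPv4, e.g. `/* NOTE(review): confirm the IPv4-only restriction still applies with KRB5; it was inherited from the KRB4 path */`. main() starts and ends outside this hunk.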
@@ -1656,17 +1649,11 @@ do_ssh1_kex(void)
                auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
        if (options.rsa_authentication)
                auth_mask |= 1 << SSH_AUTH_RSA;
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
        if (options.kerberos_authentication)
                auth_mask |= 1 << SSH_AUTH_KERBEROS;
-#endif
-#if defined(AFS) || defined(KRB5)
        if (options.kerberos_tgt_passing)
                auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
-#endif
-#ifdef AFS
-       if (options.afs_token_passing)
-               auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
 #endif
        if (options.challenge_response_authentication == 1)
                auth_mask |= 1 << SSH_AUTH_TIS;
index dfd3565a630d6cea75b60e36915acf4c506a855b..223ff8aae3d833119a6de617fab68539309b916c 100644 (file)
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -61,10 +61,6 @@ The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
 .Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -327,8 +323,7 @@ Default is
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
 Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
+.Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.