krb5_principal server;
char ccname[40];
int tmpfd;
-#endif
+#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
goto out;
restore_uid();
-
+
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
ccache, password, 1, NULL);
-
+
temporarily_use_uid(authctxt->pw);
if (problem)
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
-
+
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
authctxt->pw->pw_name)) {
problem = -1;
}
snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-
+
if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
goto out;
}
-
+
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
authctxt->krb5_user);
if (problem)
goto out;
-
+
problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out;
-#endif
+#endif
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
pthread_exit(NULL);
-
+
return (NULL); /* Avoid warning for non-pthread case */
}
{
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
-
+
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
return (0);
do_pam_putenv(char *name, char *value)
{
int ret = 1;
-#ifdef HAVE_PAM_PUTENV
+#ifdef HAVE_PAM_PUTENV
char *compound;
size_t len;
(char *)get_canonical_hostname(options.use_dns);
authsuccess = 1;
- aix_remove_embedded_newlines(authmsg);
+ aix_remove_embedded_newlines(authmsg);
debug3("AIX/authenticate succeeded for user %s: %.100s",
pw->pw_name, authmsg);
if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
fatal("Couldn't launch session for %s from %s",
pw->pw_name, host);
-
+
sia_ses_release(&ent);
if (setreuid(geteuid(), geteuid()) < 0)
memset(&fake, 0, sizeof(fake));
fake.pw_name = "NOUSER";
fake.pw_passwd =
- "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
+ "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
fake.pw_gecos = "NOUSER";
fake.pw_uid = -1;
fake.pw_gid = -1;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
-
+
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
fatal("No authentication or GSSAPI context");
-
+
gssctxt = authctxt->methoddata;
-
+
mic.value = packet_get_string(&len);
mic.length = len;
-
+
ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
"gssapi-with-mic");
-
+
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
-
+
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
else
buffer_free(&b);
xfree(mic.value);
-
+
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
buffer_put_char(&msg, type);
buffer_put_cstring(&msg, reader_id);
buffer_put_cstring(&msg, pin);
-
+
if (constrained) {
if (life != 0) {
buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
goto restart;
}
/* Increase the size of the buffer and retry. */
-
+
newlen = buffer->alloc + len + 32768;
if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
return -1;
c->host_port = ntohs(dest_port);
-
+
debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
c->self, c->path, c->host_port, s5_req.command);
(long int)original_uid, strerror(errno));
_exit(1);
}
-
+
execl(SSH_RAND_HELPER, "ssh-rand-helper", NULL);
fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n",
SSH_RAND_HELPER, strerror(errno));
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
-
+
return (ctx->major);
}
void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
const char *context)
-{
+{
buffer_init(b);
buffer_put_string(b, session_id2, session_id2_len);
buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST);
*s++ = itoa64[v&0x3f];
v >>= 6;
}
-
+
return (buf);
}
time(&time_now);
gtm = gmtime(&time_now);
-
+
res = fprintf(ofile, "%04d%02d%02d%02d%02d%02d %u %u %u %u %x ",
gtm->tm_year + 1900, gtm->tm_mon + 1, gtm->tm_mday,
gtm->tm_hour, gtm->tm_min, gtm->tm_sec,
count_in);
continue;
}
-
+
/*
* q is possibly prime, so go ahead and really make sure
* that p is prime. If it is, then we can go back and do
mm_answer_pam_start(int socket, Buffer *m)
{
char *user;
-
+
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
mm_answer_pam_account(int socket, Buffer *m)
{
u_int ret;
-
+
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
gss_buffer_desc gssbuf, mic;
OM_uint32 ret;
u_int len;
-
+
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
mic.length = len;
-
+
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
-
+
xfree(gssbuf.value);
xfree(mic.value);
-
+
buffer_clear(m);
buffer_put_int(m, ret);
-
+
mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m);
-
+
if (!GSS_ERROR(ret))
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
-
+
return (0);
}
ret = buffer_get_int(&m);
buffer_free(&m);
-
+
debug3("%s returning %d", __func__, ret);
return (ret);
int r;
if (padding != RSA_PKCS1_PADDING)
- return -1;
+ return -1;
r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT);
if (r)
return -1;
convert_rsa_to_rsa1(Key * in, Key * out)
{
struct sc_priv_data *priv;
-
+
out->rsa->flags = in->rsa->flags;
out->flags = in->flags;
RSA_set_method(out->rsa, RSA_get_method(in->rsa));
EVP_PKEY *pubkey = NULL;
u8 *p;
char *tmp;
-
+
debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]);
r = sc_pkcs15_read_certificate(p15card, cinfo, &cert);
if (r) {
tmp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
debug("fingerprint %d %s", key_size(k), tmp);
xfree(tmp);
-
+
return 0;
err:
if (cert)
cp += j;
statbytes += j;
} while (amt > 0);
-
+
if (limitbw)
bwlimit(4096);
var = child_get_env(tmpenv, "PATH");
if (var != NULL)
child_set_env(env, envsize, "PATH", var);
-
+
if ((var = child_get_env(tmpenv, "UMASK")) != NULL)
if (sscanf(var, "%5lo", &mask) == 1)
umask((mode_t)mask);
-
+
for (i = 0; tmpenv[i] != NULL; i++)
xfree(tmpenv[i]);
xfree(tmpenv);
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
-
+
xfree(var_name);
}
}
*/
if (options.use_pam) {
char **p;
-
+
p = fetch_pam_child_environment();
copy_environment(p, &env, &envsize);
free_pam_environment(p);
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
if (s->used && s->ttyfd != -1) {
-
+
if (strncmp(s->tty, "/dev/", 5) != 0) {
cp = strrchr(s->tty, '/');
cp = (cp == NULL) ? s->tty : cp + 1;
} else
cp = s->tty + 5;
-
+
if (buf[0] != '\0')
strlcat(buf, ",", sizeof buf);
strlcat(buf, cp, sizeof buf);
#ifdef __GNU_LIBRARY__
static int inum = 1;
#endif /* __GNU_LIBRARY__ */
-
+
if (od->dir[od->offset] == NULL)
return(NULL);
fail:
xfree(*path);
- *path = NULL;
+ *path = NULL;
return (-1);
}
if (!(lflag & SHORT_VIEW)) {
int m = 0, width = 80;
- struct winsize ws;
+ struct winsize ws;
/* Count entries for sort and find longest filename */
for (i = 0; g.gl_pathv[i]; i++)
*iflag = 1;
cp++;
}
-
+
/* Figure out which command we have */
for (i = 0; cmds[i].c; i++) {
int cmdlen = strlen(cmds[i].c);
if (do_gen_candidates) {
FILE *out = fopen(out_file, "w");
-
+
if (out == NULL) {
error("Couldn't open modulus candidate file \"%s\": %s",
out_file, strerror(errno));
/* Don't write binary data to a tty, unless we are forced to */
if (isatty(STDOUT_FILENO))
output_hex = 1;
-
+
while ((ch = getopt(argc, argv, "vxXhb:")) != -1) {
switch (ch) {
case 'v':
}
log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
-
+
#ifdef USE_SEED_FILES
prng_read_seedfile();
#endif
/*
* Seed the RNG from wherever we can
*/
-
+
/* Take whatever is on the stack, but don't credit it */
RAND_add(buf, bytes, 0);
printf("\n");
} else
ret = atomicio(vwrite, STDOUT_FILENO, buf, bytes);
-
+
memset(buf, '\0', bytes);
xfree(buf);
-
+
return ret == bytes ? 0 : 1;
}
gss_buffer_desc gssbuf, mic;
OM_uint32 status, ms, flags;
Buffer b;
-
+
status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
recv_tok, &send_tok, &flags);
packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
else
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-
+
packet_put_string(send_tok.value, send_tok.length);
packet_send();
gss_release_buffer(&ms, &send_tok);
}
-
+
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
if (!(flags & GSS_C_INTEG_FLAG)) {
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
-
+
status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
-
+
if (!GSS_ERROR(status)) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
packet_put_string(mic.value, mic.length);
-
+
packet_send();
}
-
+
buffer_free(&b);
gss_release_buffer(&ms, &mic);
- }
+ }
}
-
+
return status;
}