summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2003-09-02 22:51:17 +1000
committerDamien Miller <djm@mindrot.org>2003-09-02 22:51:17 +1000
commit1a0c0b96219b037865d624079a81ab7d88bbccc1 (patch)
treead24303a17d1f49c98b66d5bfe014103019411af
parent55c47edc81accd3118fc0fda2c37765631c0aef0 (diff)
- markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] [sshconnect1.c sshd.c sshd_config sshd_config.5] remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
-rw-r--r--ChangeLog8
-rw-r--r--auth-krb5.c194
-rw-r--r--auth.h3
-rw-r--r--auth1.c57
-rw-r--r--monitor.c50
-rw-r--r--monitor.h3
-rw-r--r--monitor_wrap.c37
-rw-r--r--monitor_wrap.h9
-rw-r--r--readconf.c7
-rw-r--r--servconf.c5
-rw-r--r--session.c26
-rw-r--r--ssh_config.514
-rw-r--r--sshconnect1.c265
-rw-r--r--sshd.c16
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.512
16 files changed, 25 insertions, 684 deletions
diff --git a/ChangeLog b/ChangeLog
index 91e72719..b6cc5533 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
- deraadt@cvs.openbsd.org 2003/08/24 17:36:51
[auth2-gss.c]
64 bit cleanups; markus ok
+ - markus@cvs.openbsd.org 2003/08/28 12:54:34
+ [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
+ [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
+ [sshconnect1.c sshd.c sshd_config sshd_config.5]
+ remove kerberos support from ssh1, since it has been replaced with GSSAPI;
+ but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
20030829
- (bal) openbsd-compat/ clean up. Considate headers, add in Id on our
@@ -918,4 +924,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.2920 2003/09/02 12:14:07 djm Exp $
+$Id: ChangeLog,v 1.2921 2003/09/02 12:51:17 djm Exp $
diff --git a/auth-krb5.c b/auth-krb5.c
index b9eeb5ba..0aa5195b 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -65,193 +65,6 @@ krb5_init(void *context)
return (0);
}
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
- krb5_error_code problem;
- krb5_principal server;
- krb5_ticket *ticket;
- int fd, ret;
-
- ret = 0;
- server = NULL;
- ticket = NULL;
- reply->length = 0;
-
- problem = krb5_init(authctxt);
- if (problem)
- goto err;
-
- problem = krb5_auth_con_init(authctxt->krb5_ctx,
- &authctxt->krb5_auth_ctx);
- if (problem)
- goto err;
-
- fd = packet_get_connection_in();
-#ifdef HEIMDAL
- problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
- authctxt->krb5_auth_ctx, &fd);
-#else
- problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
- authctxt->krb5_auth_ctx,fd,
- KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
- if (problem)
- goto err;
-
- problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
- KRB5_NT_SRV_HST, &server);
- if (problem)
- goto err;
-
- problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
- auth, server, NULL, NULL, &ticket);
- if (problem)
- goto err;
-
-#ifdef HEIMDAL
- problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
- &authctxt->krb5_user);
-#else
- problem = krb5_copy_principal(authctxt->krb5_ctx,
- ticket->enc_part2->client,
- &authctxt->krb5_user);
-#endif
- if (problem)
- goto err;
-
- /* if client wants mutual auth */
- problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
- reply);
- if (problem)
- goto err;
-
- /* Check .k5login authorization now. */
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name))
- goto err;
-
- if (client)
- krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
- client);
-
- ret = 1;
- err:
- if (server)
- krb5_free_principal(authctxt->krb5_ctx, server);
- if (ticket)
- krb5_free_ticket(authctxt->krb5_ctx, ticket);
- if (!ret && reply->length) {
- xfree(reply->data);
- memset(reply, 0, sizeof(*reply));
- }
-
- if (problem) {
- if (authctxt->krb5_ctx != NULL)
- debug("Kerberos v5 authentication failed: %s",
- krb5_get_err_text(authctxt->krb5_ctx, problem));
- else
- debug("Kerberos v5 authentication failed: %d",
- problem);
- }
-
- return (ret);
-}
-
-int
-auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
-{
- krb5_error_code problem;
- krb5_ccache ccache = NULL;
- char *pname;
- krb5_creds **creds;
-
- if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
- return (0);
-
- temporarily_use_uid(authctxt->pw);
-
-#ifdef HEIMDAL
- problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
-#else
-{
- char ccname[40];
- int tmpfd;
-
- snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-
- if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
- logit("mkstemp(): %.100s", strerror(errno));
- problem = errno;
- goto fail;
- }
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
- problem = errno;
- goto fail;
- }
- close(tmpfd);
- problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
-}
-#endif
- if (problem)
- goto fail;
-
- problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
- authctxt->krb5_user);
- if (problem)
- goto fail;
-
-#ifdef HEIMDAL
- problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
- ccache, tgt);
- if (problem)
- goto fail;
-#else
- problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
- tgt, &creds, NULL);
- if (problem)
- goto fail;
- problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
- if (problem)
- goto fail;
-#endif
-
- authctxt->krb5_fwd_ccache = ccache;
- ccache = NULL;
-
- authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
- problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
- &pname);
- if (problem)
- goto fail;
-
- debug("Kerberos v5 TGT accepted (%s)", pname);
-
- restore_uid();
-
- return (1);
-
- fail:
- if (problem)
- debug("Kerberos v5 TGT passing failed: %s",
- krb5_get_err_text(authctxt->krb5_ctx, problem));
- if (ccache)
- krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-
- restore_uid();
-
- return (0);
-}
-
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
@@ -405,11 +218,6 @@ krb5_cleanup_proc(void *context)
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL;
}
- if (authctxt->krb5_auth_ctx) {
- krb5_auth_con_free(authctxt->krb5_ctx,
- authctxt->krb5_auth_ctx);
- authctxt->krb5_auth_ctx = NULL;
- }
if (authctxt->krb5_ctx) {
krb5_free_context(authctxt->krb5_ctx);
authctxt->krb5_ctx = NULL;
diff --git a/auth.h b/auth.h
index 6beff7cc..358f26b7 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.44 2003/08/22 10:56:08 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -62,7 +62,6 @@ struct Authctxt {
#endif
#ifdef KRB5
krb5_context krb5_ctx;
- krb5_auth_context krb5_auth_ctx;
krb5_ccache krb5_fwd_ccache;
krb5_principal krb5_user;
char *krb5_ticket_file;
diff --git a/auth1.c b/auth1.c
index d8b5836b..5b1922a1 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.50 2003/08/13 08:46:30 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -49,10 +49,6 @@ get_authname(int type)
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
-#ifdef KRB5
- case SSH_CMSG_AUTH_KERBEROS:
- return "kerberos";
-#endif
}
snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
return buf;
@@ -119,47 +115,6 @@ do_authloop(Authctxt *authctxt)
/* Process the packet. */
switch (type) {
-
-#ifdef KRB5
- case SSH_CMSG_AUTH_KERBEROS:
- if (!options.kerberos_authentication) {
- verbose("Kerberos authentication disabled.");
- } else {
- char *kdata = packet_get_string(&dlen);
- packet_check_eom();
-
- if (kdata[0] != 4) { /* KRB_PROT_VERSION */
- krb5_data tkt, reply;
- tkt.length = dlen;
- tkt.data = kdata;
-
- if (PRIVSEP(auth_krb5(authctxt, &tkt,
- &client_user, &reply))) {
- authenticated = 1;
- snprintf(info, sizeof(info),
- " tktuser %.100s",
- client_user);
-
- /* Send response to client */
- packet_start(
- SSH_SMSG_AUTH_KERBEROS_RESPONSE);
- packet_put_string((char *)
- reply.data, reply.length);
- packet_send();
- packet_write_wait();
-
- if (reply.length)
- xfree(reply.data);
- }
- }
- xfree(kdata);
- }
- break;
- case SSH_CMSG_HAVE_KERBEROS_TGT:
- packet_send_debug("Kerberos TGT passing disabled before authentication.");
- break;
-#endif
-
case SSH_CMSG_AUTH_RHOSTS_RSA:
if (!options.rhosts_rsa_authentication) {
verbose("Rhosts with RSA authentication disabled.");
@@ -337,16 +292,6 @@ do_authentication(void)
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
-#ifdef KRB5
- /* XXX - SSH.com Kerberos v5 braindeath. */
- if ((datafellows & SSH_BUG_K5USER) &&
- options.kerberos_authentication) {
- char *p;
- if ((p = strchr(user, '@')) != NULL)
- *p = '\0';
- }
-#endif
-
authctxt = authctxt_new();
authctxt->user = user;
authctxt->style = style;
diff --git a/monitor.c b/monitor.c
index e08181f7..9ea7b93b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.47 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
#include <openssl/dh.h>
@@ -130,9 +130,6 @@ int mm_answer_pam_respond(int, Buffer *);
int mm_answer_pam_free_ctx(int, Buffer *);
#endif
-#ifdef KRB5
-int mm_answer_krb5(int, Buffer *);
-#endif
#ifdef GSSAPI
int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
@@ -192,9 +189,6 @@ struct mon_table mon_dispatch_proto20[] = {
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
-#ifdef KRB5
- {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
#ifdef GSSAPI
{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
@@ -237,9 +231,6 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
-#ifdef KRB5
- {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
{0, 0, NULL}
};
@@ -1470,45 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
-#ifdef KRB5
-int
-mm_answer_krb5(int socket, Buffer *m)
-{
- krb5_data tkt, reply;
- char *client_user;
- u_int len;
- int success;
-
- /* use temporary var to avoid size issues on 64bit arch */
- tkt.data = buffer_get_string(m, &len);
- tkt.length = len;
-
- success = options.kerberos_authentication &&
- authctxt->valid &&
- auth_krb5(authctxt, &tkt, &client_user, &reply);
-
- if (tkt.length)
- xfree(tkt.data);
-
- buffer_clear(m);
- buffer_put_int(m, success);
-
- if (success) {
- buffer_put_cstring(m, client_user);
- buffer_put_string(m, reply.data, reply.length);
- if (client_user)
- xfree(client_user);
- if (reply.length)
- xfree(reply.data);
- }
- mm_request_send(socket, MONITOR_ANS_KRB5, m);
-
- auth_method = "kerberos";
-
- return success;
-}
-#endif
-
int
mm_answer_term(int socket, Buffer *req)
{
diff --git a/monitor.h b/monitor.h
index da33ed61..2461156c 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */
+/* $OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,7 +49,6 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
- MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 82649a7c..4034d569 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@@ -1071,41 +1071,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
-#ifdef KRB5
-int
-mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
-{
- krb5_data *tkt, *reply;
- Buffer m;
- int success;
-
- debug3("%s entering", __func__);
- tkt = (krb5_data *) argp;
- reply = (krb5_data *) resp;
-
- buffer_init(&m);
- buffer_put_string(&m, tkt->data, tkt->length);
-
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
- mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
-
- success = buffer_get_int(&m);
- if (success) {
- u_int len;
-
- *userp = buffer_get_string(&m, NULL);
- reply->data = buffer_get_string(&m, &len);
- reply->length = len;
- } else {
- memset(reply, 0, sizeof(*reply));
- *userp = NULL;
- }
-
- buffer_free(&m);
- return (success);
-}
-#endif /* KRB5 */
-
#ifdef GSSAPI
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index c6251924..5e033458 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -96,13 +96,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
-/* auth_krb */
-#ifdef KRB5
-/* auth and reply are really krb5_data objects, but we don't want to
- * include all of the krb5 headers here */
-int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
-#endif
-
/* zlib allocation hooks */
void *mm_zalloc(struct mm_master *, u_int, u_int);
diff --git a/readconf.c b/readconf.c
index 9447cb55..281b6687 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.119 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -132,13 +132,8 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
-#ifdef KRB5
- { "kerberosauthentication", oKerberosAuthentication },
- { "kerberostgtpassing", oKerberosTgtPassing },
-#else
{ "kerberosauthentication", oUnsupported },
{ "kerberostgtpassing", oUnsupported },
-#endif
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
diff --git a/servconf.c b/servconf.c
index e1330938..6051918c 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "log.h"
@@ -304,13 +304,12 @@ static struct {
{ "kerberosauthentication", sKerberosAuthentication },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
{ "kerberosticketcleanup", sKerberosTicketCleanup },
- { "kerberostgtpassing", sKerberosTgtPassing },
#else
{ "kerberosauthentication", sUnsupported },
{ "kerberosorlocalpasswd", sUnsupported },
{ "kerberosticketcleanup", sUnsupported },
- { "kerberostgtpassing", sUnsupported },
#endif
+ { "kerberostgtpassing", sUnsupported },
{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication },
diff --git a/session.c b/session.c
index 6ba0233e..351b40c1 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.162 2003/08/28 12:54:34 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -332,30 +332,6 @@ do_authenticated1(Authctxt *authctxt)
success = 1;
break;
-#ifdef KRB5
- case SSH_CMSG_HAVE_KERBEROS_TGT:
- if (!options.kerberos_tgt_passing) {
- verbose("Kerberos TGT passing disabled.");
- } else {
- char *kdata = packet_get_string(&dlen);
- packet_check_eom();
-
- /* XXX - 0x41, used for AFS */
- if (kdata[0] != 0x41) {
- krb5_data tgt;
- tgt.data = kdata;
- tgt.length = dlen;
-
- if (auth_krb5_tgt(s->authctxt, &tgt))
- success = 1;
- else
- verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
- }
- xfree(kdata);
- }
- break;
-#endif
-
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
if (type == SSH_CMSG_EXEC_CMD) {
diff --git a/ssh_config.5 b/ssh_config.5
index f99562b9..b20452ce 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.19 2003/08/28 12:54:34 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -407,18 +407,6 @@ This is important in scripts, and many users want it too.
.Pp
To disable keepalives, the value should be set to
.Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
.It Cm LocalForward
Specifies that a TCP/IP port on the local machine be forwarded over
the secure channel to the specified host and port from the remote machine.
diff --git a/sshconnect1.c b/sshconnect1.c
index 5935e8b7..2f89964e 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,15 +13,11 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
-#ifdef KRB5
-#include <krb5.h>
-#endif
-
#include "ssh.h"
#include "ssh1.h"
#include "xmalloc.h"
@@ -370,233 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
return 0;
}
-#ifdef KRB5
-static int
-try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
-{
- krb5_error_code problem;
- const char *tkfile;
- struct stat buf;
- krb5_ccache ccache = NULL;
- const char *remotehost;
- krb5_data ap;
- int type;
- krb5_ap_rep_enc_part *reply = NULL;
- int ret;
-
- memset(&ap, 0, sizeof(ap));
-
- problem = krb5_init_context(context);
- if (problem) {
- debug("Kerberos v5: krb5_init_context failed");
- ret = 0;
- goto out;
- }
-
- problem = krb5_auth_con_init(*context, auth_context);
- if (problem) {
- debug("Kerberos v5: krb5_auth_con_init failed");
- ret = 0;
- goto out;
- }
-
-#ifndef HEIMDAL
- problem = krb5_auth_con_setflags(*context, *auth_context,
- KRB5_AUTH_CONTEXT_RET_TIME);
- if (problem) {
- debug("Keberos v5: krb5_auth_con_setflags failed");
- ret = 0;
- goto out;
- }
-#endif
-
- tkfile = krb5_cc_default_name(*context);
- if (strncmp(tkfile, "FILE:", 5) == 0)
- tkfile += 5;
-
- if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
- debug("Kerberos v5: could not get default ccache (permission denied).");
- ret = 0;
- goto out;
- }
-
- problem = krb5_cc_default(*context, &ccache);
- if (problem) {
- debug("Kerberos v5: krb5_cc_default failed: %s",
- krb5_get_err_text(*context, problem));
- ret = 0;
- goto out;
- }
-
- remotehost = get_canonical_hostname(1);
-
- problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
- "host", remotehost, NULL, ccache, &ap);
- if (problem) {
- debug("Kerberos v5: krb5_mk_req failed: %s",
- krb5_get_err_text(*context, problem));
- ret = 0;
- goto out;
- }
-
- packet_start(SSH_CMSG_AUTH_KERBEROS);
- packet_put_string((char *) ap.data, ap.length);
- packet_send();
- packet_write_wait();
-
- xfree(ap.data);
- ap.length = 0;
-
- type = packet_read();
- switch (type) {
- case SSH_SMSG_FAILURE:
- /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
- debug("Kerberos v5 authentication failed.");
- ret = 0;
- break;
-
- case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
- /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
- debug("Kerberos v5 authentication accepted.");
-
- /* Get server's response. */
- ap.data = packet_get_string((unsigned int *) &ap.length);
- packet_check_eom();
- /* XXX je to dobre? */
-
- problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
- if (problem) {
- ret = 0;
- }
- ret = 1;
- break;
-
- default:
- packet_disconnect("Protocol error on Kerberos v5 response: %d",
- type);
- ret = 0;
- break;
-
- }
-
- out:
- if (ccache != NULL)
- krb5_cc_close(*context, ccache);
- if (reply != NULL)
- krb5_free_ap_rep_enc_part(*context, reply);
- if (ap.length > 0)
-#ifdef HEIMDAL
- krb5_data_free(&ap);
-#else
- krb5_free_data_contents(*context, &ap);
-#endif
-
- return (ret);
-}
-
-static void
-send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
-{
- int fd, type;
- krb5_error_code problem;
- krb5_data outbuf;
- krb5_ccache ccache = NULL;
- krb5_creds creds;
-#ifdef HEIMDAL
- krb5_kdc_flags flags;
-#else
- int forwardable;
-#endif
- const char *remotehost;
-
- memset(&creds, 0, sizeof(creds));
- memset(&outbuf, 0, sizeof(outbuf));
-
- fd = packet_get_connection_in();
-
-#ifdef HEIMDAL
- problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
-#else
- problem = krb5_auth_con_genaddrs(context, auth_context, fd,
- KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
- if (problem)
- goto out;
-
- problem = krb5_cc_default(context, &ccache);
- if (problem)
- goto out;
-
- problem = krb5_cc_get_principal(context, ccache, &creds.client);
- if (problem)
- goto out;
-
- remotehost = get_canonical_hostname(1);
-
-#ifdef HEIMDAL
- problem = krb5_build_principal(context, &creds.server,
- strlen(creds.client->realm), creds.client->realm,
- "krbtgt", creds.client->realm, NULL);
-#else
- problem = krb5_build_principal(context, &creds.server,
- creds.client->realm.length, creds.client->realm.data,
- "host", remotehost, NULL);
-#endif
- if (problem)
- goto out;
-
- creds.times.endtime = 0;
-
-#ifdef HEIMDAL
- flags.i = 0;
- flags.b.forwarded = 1;
- flags.b.forwardable = krb5_config_get_bool(context, NULL,
- "libdefaults", "forwardable", NULL);
- problem = krb5_get_forwarded_creds(context, auth_context,
- ccache, flags.i, remotehost, &creds, &outbuf);
-#else
- forwardable = 1;
- problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
- creds.client, creds.server, ccache, forwardable, &outbuf);
-#endif
-
- if (problem)
- goto out;
-
- packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
- packet_put_string((char *)outbuf.data, outbuf.length);
- packet_send();
- packet_write_wait();
-
- type = packet_read();
-
- if (type == SSH_SMSG_SUCCESS) {
- char *pname;
-
- krb5_unparse_name(context, creds.client, &pname);
- debug("Kerberos v5 TGT forwarded (%s).", pname);
- xfree(pname);
- } else
- debug("Kerberos v5 TGT forwarding failed.");
-
- return;
-
- out:
- if (problem)
- debug("Kerberos v5 TGT forwarding failed: %s",
- krb5_get_err_text(context, problem));
- if (creds.client)
- krb5_free_principal(context, creds.client);
- if (creds.server)
- krb5_free_principal(context, creds.server);
- if (ccache)
- krb5_cc_close(context, ccache);
- if (outbuf.data)
- xfree(outbuf.data);
-}
-#endif /* KRB5 */
-
/*
* Tries to authenticate with any string-based challenge/response system.
* Note that the client code is not tied to s/key or TIS.
@@ -885,10 +654,6 @@ void
ssh_userauth1(const char *local_user, const char *server_user, char *host,
Sensitive *sensitive)
{
-#ifdef KRB5
- krb5_context context = NULL;
- krb5_auth_context auth_context = NULL;
-#endif
int i, type;
if (supported_authentications == 0)
@@ -913,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
-#ifdef KRB5
- if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
- options.kerberos_authentication) {
- debug("Trying Kerberos v5 authentication.");
-
- if (try_krb5_authentication(&context, &auth_context)) {
- type = packet_read();
- if (type == SSH_SMSG_SUCCESS)
- goto success;
- if (type != SSH_SMSG_FAILURE)
- packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
- }
- }
-#endif /* KRB5 */
-
/*
* Try .rhosts or /etc/hosts.equiv authentication with RSA host
* authentication.
@@ -981,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
/* NOTREACHED */
success:
-#ifdef KRB5
- /* Try Kerberos v5 TGT passing. */
- if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
- options.kerberos_tgt_passing && context && auth_context) {
- if (options.cipher == SSH_CIPHER_NONE)
- logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
- send_krb5_tgt(context, auth_context);
- }
- if (auth_context)
- krb5_auth_con_free(context, auth_context);
- if (context)
- krb5_free_context(context);
-#endif
return; /* need statement after label */
}
diff --git a/sshd.c b/sshd.c
index 8d04f6a7..47df9caf 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -1463,14 +1463,6 @@ main(int ac, char **av)
sshd_exchange_identification(sock_in, sock_out);
-#ifdef KRB5
- if (!packet_connection_is_ipv4() &&
- options.kerberos_authentication) {
- debug("Kerberos Authentication disabled, only available for IPv4.");
- options.kerberos_authentication = 0;
- }
-#endif
-
packet_set_nonblocking();
/* prepare buffers to collect authentication messages */
@@ -1634,12 +1626,6 @@ do_ssh1_kex(void)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef KRB5
- if (options.kerberos_authentication)
- auth_mask |= 1 << SSH_AUTH_KERBEROS;
- if (options.kerberos_tgt_passing)
- auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
-#endif
if (options.challenge_response_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
if (options.password_authentication)
diff --git a/sshd_config b/sshd_config
index 29453909..dd53f105 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $
+# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -61,7 +61,6 @@
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
-#KerberosTgtPassing no
# GSSAPI options
#GSSAPIAuthentication no
diff --git a/sshd_config.5 b/sshd_config.5
index 8857c673..577605f3 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.24 2003/08/28 12:54:34 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -316,11 +316,9 @@ This avoids infinitely hanging sessions.
To disable keepalives, the value should be set to
.Dq no .
.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
-This can be in the form of a Kerberos ticket, or if
+Specifies whether the password provided by the user for
.Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC.
+will be validated through the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
@@ -332,10 +330,6 @@ such as
.Pa /etc/passwd .
Default is
.Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.