summaryrefslogtreecommitdiff
path: root/auth1.c
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2001-07-04 04:21:14 +0000
committerBen Lindstrom <mouring@eviladmin.org>2001-07-04 04:21:14 +0000
commitec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch)
tree91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /auth1.c
parentb4c774cf8878d9100fde92ff4e938671c3b0301b (diff)
- dugsong@cvs.openbsd.org 2001/06/26 16:15:25
[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h servconf.c servconf.h session.c sshconnect1.c sshd.c] Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
Diffstat (limited to 'auth1.c')
-rw-r--r--auth1.c109
1 files changed, 58 insertions, 51 deletions
diff --git a/auth1.c b/auth1.c
index d5b7fa7c..da2c23e5 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.25 2001/06/26 16:15:23 dugsong Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -24,6 +24,7 @@ RCSID("$OpenBSD: auth1.c,v 1.24 2001/06/23 15:12:17 itojun Exp $");
#include "auth.h"
#include "session.h"
#include "misc.h"
+#include "uidswap.h"
/* import */
extern ServerOptions options;
@@ -51,7 +52,7 @@ get_authname(int type)
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
case SSH_CMSG_AUTH_KERBEROS:
return "kerberos";
#endif
@@ -84,7 +85,7 @@ do_authloop(Authctxt *authctxt)
/* If the user has no password, accept authentication immediately. */
if (options.password_authentication &&
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
#ifdef USE_PAM
@@ -116,62 +117,64 @@ do_authloop(Authctxt *authctxt)
/* Process the packet. */
switch (type) {
-#ifdef AFS
- case SSH_CMSG_HAVE_KERBEROS_TGT:
- if (!options.kerberos_tgt_passing) {
- verbose("Kerberos tgt passing disabled.");
- break;
- } else {
- /* Accept Kerberos tgt. */
- char *tgt = packet_get_string(&dlen);
- packet_integrity_check(plen, 4 + dlen, type);
- if (!auth_kerberos_tgt(pw, tgt))
- verbose("Kerberos tgt REFUSED for %.100s", authctxt->user);
- xfree(tgt);
- }
- continue;
- case SSH_CMSG_HAVE_AFS_TOKEN:
- if (!options.afs_token_passing || !k_hasafs()) {
- verbose("AFS token passing disabled.");
- break;
- } else {
- /* Accept AFS token. */
- char *token_string = packet_get_string(&dlen);
- packet_integrity_check(plen, 4 + dlen, type);
- if (!auth_afs_token(pw, token_string))
- verbose("AFS token REFUSED for %.100s", authctxt->user);
- xfree(token_string);
- }
- continue;
-#endif /* AFS */
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) {
verbose("Kerberos authentication disabled.");
- break;
} else {
- /* Try Kerberos v4 authentication. */
- KTEXT_ST auth;
- char *tkt_user = NULL;
- char *kdata = packet_get_string((u_int *) &auth.length);
- packet_integrity_check(plen, 4 + auth.length, type);
-
- if (authctxt->valid) {
- if (auth.length < MAX_KTXT_LEN)
- memcpy(auth.dat, kdata, auth.length);
- authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
- if (authenticated) {
- snprintf(info, sizeof info,
- " tktuser %.100s", tkt_user);
- xfree(tkt_user);
+ char *kdata = packet_get_string(&dlen);
+
+ packet_integrity_check(plen, 4 + dlen, type);
+
+ if (kdata[0] == 4) { /* KRB_PROT_VERSION */
+#ifdef KRB4
+ KTEXT_ST tkt;
+
+ tkt.length = dlen;
+ if (tkt.length < MAX_KTXT_LEN)
+ memcpy(tkt.dat, kdata, tkt.length);
+
+ if (auth_krb4(authctxt, &tkt, &client_user)) {
+ authenticated = 1;
+ snprintf(info, sizeof(info),
+ " tktuser %.100s",
+ client_user);
+ xfree(client_user);
}
+#endif /* KRB4 */
+ } else {
+#ifdef KRB5
+ krb5_data tkt;
+ tkt.length = dlen;
+ tkt.data = kdata;
+
+ if (auth_krb5(authctxt, &tkt, &client_user)) {
+ authenticated = 1;
+ snprintf(info, sizeof(info),
+ " tktuser %.100s",
+ client_user);
+ xfree(client_user);
+ }
+#endif /* KRB5 */
}
xfree(kdata);
}
break;
-#endif /* KRB4 */
-
+#endif /* KRB4 || KRB5 */
+
+#if defined(AFS) || defined(KRB5)
+ /* XXX - punt on backward compatibility here. */
+ case SSH_CMSG_HAVE_KERBEROS_TGT:
+ packet_send_debug("Kerberos TGT passing disabled before authentication.");
+ break;
+#ifdef AFS
+ case SSH_CMSG_HAVE_AFS_TOKEN:
+ packet_send_debug("AFS token passing disabled before authentication.");
+ break;
+#endif /* AFS */
+#endif /* AFS || KRB5 */
+
case SSH_CMSG_AUTH_RHOSTS:
if (!options.rhosts_authentication) {
verbose("Rhosts authentication disabled.");
@@ -369,7 +372,7 @@ do_authentication()
struct passwd *pw;
int plen;
u_int ulen;
- char *user, *style = NULL;
+ char *p, *user, *style = NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(&plen, SSH_CMSG_USER);
@@ -379,8 +382,12 @@ do_authentication()
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
if ((style = strchr(user, ':')) != NULL)
- *style++ = 0;
+ *style++ = '\0';
+ /* XXX - SSH.com Kerberos v5 braindeath. */
+ if ((p = strchr(user, '@')) != NULL)
+ *p = '\0';
+
authctxt = authctxt_new();
authctxt->user = user;
authctxt->style = style;