summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2002-09-26 11:38:44 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2002-09-26 11:38:44 +0000
commit2dd39ae7ae612cc730dd9fdc7043791c510836a6 (patch)
treeab29328c2562a372ca833e10dd3d5c05a32665d5
parent160abca54701e7899878ea9f52895f2169b908f8 (diff)
krb4 + privsep; ok dugsong@, deraadt@
-rw-r--r--usr.bin/ssh/auth-krb4.c18
-rw-r--r--usr.bin/ssh/auth.h4
-rw-r--r--usr.bin/ssh/auth1.c16
-rw-r--r--usr.bin/ssh/monitor.c53
-rw-r--r--usr.bin/ssh/monitor.h3
-rw-r--r--usr.bin/ssh/monitor_wrap.c38
-rw-r--r--usr.bin/ssh/monitor_wrap.h7
7 files changed, 116 insertions, 23 deletions
diff --git a/usr.bin/ssh/auth-krb4.c b/usr.bin/ssh/auth-krb4.c
index 1cc528aa0a9..b86ce7e49e5 100644
--- a/usr.bin/ssh/auth-krb4.c
+++ b/usr.bin/ssh/auth-krb4.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.27 2002/06/11 05:46:20 mpech Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -210,10 +210,9 @@ krb4_cleanup_proc(void *context)
}
int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
+auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
{
AUTH_DAT adat = {0};
- KTEXT_ST reply;
Key_schedule schedule;
struct sockaddr_in local, foreign;
char instance[INST_SZ];
@@ -263,21 +262,16 @@ auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
/* If we can't successfully encrypt the checksum, we send back an
empty message, admitting our failure. */
- if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
+ if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
schedule, &adat.session, &local, &foreign)) < 0) {
debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
- reply.dat[0] = 0;
- reply.length = 0;
+ reply->dat[0] = 0;
+ reply->length = 0;
} else
- reply.length = r;
+ reply->length = r;
/* Clear session key. */
memset(&adat.session, 0, sizeof(&adat.session));
-
- packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
- packet_put_string((char *) reply.dat, reply.length);
- packet_send();
- packet_write_wait();
return (1);
}
#endif /* KRB4 */
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index 981bb553136..a31748c14a2 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.40 2002/09/09 06:48:06 itojun Exp $ */
+/* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -113,7 +113,7 @@ int user_key_allowed(struct passwd *, Key *);
#ifdef KRB4
#include <krb.h>
-int auth_krb4(Authctxt *, KTEXT, char **);
+int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
int auth_krb4_password(Authctxt *, const char *);
void krb4_cleanup_proc(void *);
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index 359eeea0d36..7476ad625a0 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.43 2002/09/09 06:48:06 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -116,17 +116,25 @@ do_authloop(Authctxt *authctxt)
if (kdata[0] == 4) { /* KRB_PROT_VERSION */
#ifdef KRB4
- KTEXT_ST tkt;
-
+ KTEXT_ST tkt, reply;
tkt.length = dlen;
if (tkt.length < MAX_KTXT_LEN)
memcpy(tkt.dat, kdata, tkt.length);
- if (auth_krb4(authctxt, &tkt, &client_user)) {
+ if (PRIVSEP(auth_krb4(authctxt, &tkt,
+ &client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
+
+ packet_start(
+ SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+ packet_put_string((char *)
+ reply.dat, reply.length);
+ packet_send();
+ packet_write_wait();
+
xfree(client_user);
}
#endif /* KRB4 */
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index e055433ee22..423530d54d1 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.28 2002/09/24 08:46:04 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $");
#include <openssl/dh.h>
@@ -116,6 +116,9 @@ int mm_answer_rsa_response(int, Buffer *);
int mm_answer_sesskey(int, Buffer *);
int mm_answer_sessid(int, Buffer *);
+#ifdef KRB4
+int mm_answer_krb4(int, Buffer *);
+#endif
#ifdef KRB5
int mm_answer_krb5(int, Buffer *);
#endif
@@ -193,6 +196,9 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
#endif
+#ifdef KRB4
+ {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
+#endif
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
@@ -1250,6 +1256,51 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
+#ifdef KRB4
+int
+mm_answer_krb4(int socket, Buffer *m)
+{
+ KTEXT_ST auth, reply;
+ char *client, *p;
+ int success;
+ u_int alen;
+
+ reply.length = auth.length = 0;
+
+ p = buffer_get_string(m, &alen);
+ if (alen >= MAX_KTXT_LEN)
+ fatal("%s: auth too large", __func__);
+ memcpy(auth.dat, p, alen);
+ auth.length = alen;
+ memset(p, 0, alen);
+ xfree(p);
+
+ success = options.kerberos_authentication &&
+ authctxt->valid &&
+ auth_krb4(authctxt, &auth, &client, &reply);
+
+ memset(auth.dat, 0, alen);
+ buffer_clear(m);
+ buffer_put_int(m, success);
+
+ if (success) {
+ buffer_put_cstring(m, client);
+ buffer_put_string(m, reply.dat, reply.length);
+ if (client)
+ xfree(client);
+ if (reply.length)
+ memset(reply.dat, 0, reply.length);
+ }
+
+ debug3("%s: sending result %d", __func__, success);
+ mm_request_send(socket, MONITOR_ANS_KRB4, m);
+
+ auth_method = "kerberos";
+
+ /* Causes monitor loop to terminate if authenticated */
+ return (success);
+}
+#endif
#ifdef KRB5
int
diff --git a/usr.bin/ssh/monitor.h b/usr.bin/ssh/monitor.h
index fe2f28578eb..abd07300c29 100644
--- a/usr.bin/ssh/monitor.h
+++ b/usr.bin/ssh/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */
+/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,6 +49,7 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
+ MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_TERM
};
diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c
index 9ee1ee4e541..11e7020f9e1 100644
--- a/usr.bin/ssh/monitor_wrap.c
+++ b/usr.bin/ssh/monitor_wrap.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.18 2002/09/09 14:54:15 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@@ -918,6 +918,42 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
+#ifdef KRB4
+int
+mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
+{
+ KTEXT auth, reply;
+ Buffer m;
+ u_int rlen;
+ int success = 0;
+ char *p;
+
+ debug3("%s entering", __func__);
+ auth = _auth;
+ reply = _reply;
+
+ buffer_init(&m);
+ buffer_put_string(&m, auth->dat, auth->length);
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
+
+ success = buffer_get_int(&m);
+ if (success) {
+ *client = buffer_get_string(&m, NULL);
+ p = buffer_get_string(&m, &rlen);
+ if (rlen >= MAX_KTXT_LEN)
+ fatal("%s: reply from monitor too large", __func__);
+ reply->length = rlen;
+ memcpy(reply->dat, p, rlen);
+ memset(p, 0, rlen);
+ xfree(p);
+ }
+ buffer_free(&m);
+ return (success);
+}
+#endif
+
#ifdef KRB5
int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
diff --git a/usr.bin/ssh/monitor_wrap.h b/usr.bin/ssh/monitor_wrap.h
index c3e43ed3fc2..65e0464d507 100644
--- a/usr.bin/ssh/monitor_wrap.h
+++ b/usr.bin/ssh/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -79,7 +79,10 @@ int mm_bsdauth_respond(void *, u_int, char **);
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
-/* auth_krb5 */
+/* auth_krb */
+#ifdef KRB4
+int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
+#endif
#ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */