diff options
author | Markus Friedl <markus@cvs.openbsd.org> | 2002-09-26 11:38:44 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2002-09-26 11:38:44 +0000 |
commit | 2dd39ae7ae612cc730dd9fdc7043791c510836a6 (patch) | |
tree | ab29328c2562a372ca833e10dd3d5c05a32665d5 | |
parent | 160abca54701e7899878ea9f52895f2169b908f8 (diff) |
krb4 + privsep; ok dugsong@, deraadt@
-rw-r--r-- | usr.bin/ssh/auth-krb4.c | 18 | ||||
-rw-r--r-- | usr.bin/ssh/auth.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/auth1.c | 16 | ||||
-rw-r--r-- | usr.bin/ssh/monitor.c | 53 | ||||
-rw-r--r-- | usr.bin/ssh/monitor.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/monitor_wrap.c | 38 | ||||
-rw-r--r-- | usr.bin/ssh/monitor_wrap.h | 7 |
7 files changed, 116 insertions, 23 deletions
diff --git a/usr.bin/ssh/auth-krb4.c b/usr.bin/ssh/auth-krb4.c index 1cc528aa0a9..b86ce7e49e5 100644 --- a/usr.bin/ssh/auth-krb4.c +++ b/usr.bin/ssh/auth-krb4.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.27 2002/06/11 05:46:20 mpech Exp $"); +RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -210,10 +210,9 @@ krb4_cleanup_proc(void *context) } int -auth_krb4(Authctxt *authctxt, KTEXT auth, char **client) +auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply) { AUTH_DAT adat = {0}; - KTEXT_ST reply; Key_schedule schedule; struct sockaddr_in local, foreign; char instance[INST_SZ]; @@ -263,21 +262,16 @@ auth_krb4(Authctxt *authctxt, KTEXT auth, char **client) /* If we can't successfully encrypt the checksum, we send back an empty message, admitting our failure. */ - if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1, + if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1, schedule, &adat.session, &local, &foreign)) < 0) { debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]); - reply.dat[0] = 0; - reply.length = 0; + reply->dat[0] = 0; + reply->length = 0; } else - reply.length = r; + reply->length = r; /* Clear session key. */ memset(&adat.session, 0, sizeof(&adat.session)); - - packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) reply.dat, reply.length); - packet_send(); - packet_write_wait(); return (1); } #endif /* KRB4 */ diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h index 981bb553136..a31748c14a2 100644 --- a/usr.bin/ssh/auth.h +++ b/usr.bin/ssh/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.40 2002/09/09 06:48:06 itojun Exp $ */ +/* $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -113,7 +113,7 @@ int user_key_allowed(struct passwd *, Key *); #ifdef KRB4 #include <krb.h> -int auth_krb4(Authctxt *, KTEXT, char **); +int auth_krb4(Authctxt *, KTEXT, char **, KTEXT); int auth_krb4_password(Authctxt *, const char *); void krb4_cleanup_proc(void *); diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c index 359eeea0d36..7476ad625a0 100644 --- a/usr.bin/ssh/auth1.c +++ b/usr.bin/ssh/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.43 2002/09/09 06:48:06 itojun Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -116,17 +116,25 @@ do_authloop(Authctxt *authctxt) if (kdata[0] == 4) { /* KRB_PROT_VERSION */ #ifdef KRB4 - KTEXT_ST tkt; - + KTEXT_ST tkt, reply; tkt.length = dlen; if (tkt.length < MAX_KTXT_LEN) memcpy(tkt.dat, kdata, tkt.length); - if (auth_krb4(authctxt, &tkt, &client_user)) { + if (PRIVSEP(auth_krb4(authctxt, &tkt, + &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), " tktuser %.100s", client_user); + + packet_start( + SSH_SMSG_AUTH_KERBEROS_RESPONSE); + packet_put_string((char *) + reply.dat, reply.length); + packet_send(); + packet_write_wait(); + xfree(client_user); } #endif /* KRB4 */ diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index e055433ee22..423530d54d1 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.28 2002/09/24 08:46:04 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $"); #include <openssl/dh.h> @@ -116,6 +116,9 @@ int mm_answer_rsa_response(int, Buffer *); int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); +#ifdef KRB4 +int mm_answer_krb4(int, Buffer *); +#endif #ifdef KRB5 int mm_answer_krb5(int, Buffer *); #endif @@ -193,6 +196,9 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, #endif +#ifdef KRB4 + {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4}, +#endif #ifdef KRB5 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, #endif @@ -1250,6 +1256,51 @@ mm_answer_rsa_response(int socket, Buffer *m) return (success); } +#ifdef KRB4 +int +mm_answer_krb4(int socket, Buffer *m) +{ + KTEXT_ST auth, reply; + char *client, *p; + int success; + u_int alen; + + reply.length = auth.length = 0; + + p = buffer_get_string(m, &alen); + if (alen >= MAX_KTXT_LEN) + fatal("%s: auth too large", __func__); + memcpy(auth.dat, p, alen); + auth.length = alen; + memset(p, 0, alen); + xfree(p); + + success = options.kerberos_authentication && + authctxt->valid && + auth_krb4(authctxt, &auth, &client, &reply); + + memset(auth.dat, 0, alen); + buffer_clear(m); + buffer_put_int(m, success); + + if (success) { + buffer_put_cstring(m, client); + buffer_put_string(m, reply.dat, reply.length); + if (client) + xfree(client); + if (reply.length) + memset(reply.dat, 0, reply.length); + } + + debug3("%s: sending result %d", __func__, success); + mm_request_send(socket, MONITOR_ANS_KRB4, m); + + auth_method = "kerberos"; + + /* Causes monitor loop to terminate if authenticated */ + return (success); +} +#endif #ifdef KRB5 int diff --git a/usr.bin/ssh/monitor.h b/usr.bin/ssh/monitor.h index fe2f28578eb..abd07300c29 100644 --- a/usr.bin/ssh/monitor.h +++ b/usr.bin/ssh/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */ +/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> @@ -49,6 +49,7 @@ enum monitor_reqtype { MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED, MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, + MONITOR_REQ_KRB4, MONITOR_ANS_KRB4, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_TERM }; diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c index 9ee1ee4e541..11e7020f9e1 100644 --- a/usr.bin/ssh/monitor_wrap.c +++ b/usr.bin/ssh/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.18 2002/09/09 14:54:15 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $"); #include <openssl/bn.h> #include <openssl/dh.h> @@ -918,6 +918,42 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } +#ifdef KRB4 +int +mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply) +{ + KTEXT auth, reply; + Buffer m; + u_int rlen; + int success = 0; + char *p; + + debug3("%s entering", __func__); + auth = _auth; + reply = _reply; + + buffer_init(&m); + buffer_put_string(&m, auth->dat, auth->length); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m); + + success = buffer_get_int(&m); + if (success) { + *client = buffer_get_string(&m, NULL); + p = buffer_get_string(&m, &rlen); + if (rlen >= MAX_KTXT_LEN) + fatal("%s: reply from monitor too large", __func__); + reply->length = rlen; + memcpy(reply->dat, p, rlen); + memset(p, 0, rlen); + xfree(p); + } + buffer_free(&m); + return (success); +} +#endif + #ifdef KRB5 int mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) diff --git a/usr.bin/ssh/monitor_wrap.h b/usr.bin/ssh/monitor_wrap.h index c3e43ed3fc2..65e0464d507 100644 --- a/usr.bin/ssh/monitor_wrap.h +++ b/usr.bin/ssh/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.7 2002/09/09 06:48:06 itojun Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> @@ -79,7 +79,10 @@ int mm_bsdauth_respond(void *, u_int, char **); int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); -/* auth_krb5 */ +/* auth_krb */ +#ifdef KRB4 +int mm_auth_krb4(struct Authctxt *, void *, char **, void *); +#endif #ifdef KRB5 /* auth and reply are really krb5_data objects, but we don't want to * include all of the krb5 headers here */ |