summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/session.c
diff options
context:
space:
mode:
authorDug Song <dugsong@cvs.openbsd.org>2001-06-26 16:15:27 +0000
committerDug Song <dugsong@cvs.openbsd.org>2001-06-26 16:15:27 +0000
commitd15f7390f22a2c0cb3f0398e4120484ecaa94d1e (patch)
tree4518f2b9aa4d81ccab449c3c8bc4cefc87ceb6d1 /usr.bin/ssh/session.c
parentf43cafe3684913dea70621cbc8f3042cd12caf0c (diff)
Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
Diffstat (limited to 'usr.bin/ssh/session.c')
-rw-r--r--usr.bin/ssh/session.c92
1 files changed, 77 insertions, 15 deletions
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index a934eac6d16..e4276ab8f49 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.95 2001/06/25 08:25:39 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.96 2001/06/26 16:15:24 dugsong Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -64,7 +64,8 @@ typedef struct Session Session;
struct Session {
int used;
int self;
- struct passwd *pw;
+ struct passwd *pw;
+ Authctxt *authctxt;
pid_t pid;
/* tty */
char *term;
@@ -159,6 +160,14 @@ do_authenticated(Authctxt *authctxt)
/* remove agent socket */
if (auth_get_socket_name())
auth_sock_cleanup_proc(authctxt->pw);
+#ifdef KRB4
+ if (options.kerberos_ticket_cleanup)
+ krb4_cleanup_proc(authctxt);
+#endif
+#ifdef KRB5
+ if (options.kerberos_ticket_cleanup)
+ krb5_cleanup_proc(authctxt);
+#endif
}
/*
@@ -177,6 +186,7 @@ do_authenticated1(Authctxt *authctxt)
u_int proto_len, data_len, dlen;
s = session_new();
+ s->authctxt = authctxt;
s->pw = authctxt->pw;
/*
@@ -261,6 +271,58 @@ do_authenticated1(Authctxt *authctxt)
if (packet_set_maxsize(packet_get_int()) > 0)
success = 1;
break;
+
+#if defined(AFS) || defined(KRB5)
+ case SSH_CMSG_HAVE_KERBEROS_TGT:
+ if (!options.kerberos_tgt_passing) {
+ verbose("Kerberos TGT passing disabled.");
+ } else {
+ char *kdata = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+
+ /* XXX - 0x41, see creds_to_radix version */
+ if (kdata[0] != 0x41) {
+#ifdef KRB5
+ krb5_data tgt;
+ tgt.data = kdata;
+ tgt.length = dlen;
+
+ if (auth_krb5_tgt(s->authctxt, &tgt))
+ success = 1;
+ else
+ verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
+#endif /* KRB5 */
+ } else {
+#ifdef AFS
+ if (auth_krb4_tgt(s->authctxt, kdata))
+ success = 1;
+ else
+ verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
+#endif /* AFS */
+ }
+ xfree(kdata);
+ }
+ break;
+#endif /* AFS || KRB5 */
+
+#ifdef AFS
+ case SSH_CMSG_HAVE_AFS_TOKEN:
+ if (!options.afs_token_passing || !k_hasafs()) {
+ verbose("AFS token passing disabled.");
+ } else {
+ /* Accept AFS token. */
+ char *token = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+
+ if (auth_afs_token(s->authctxt, token))
+ success = 1;
+ else
+ verbose("AFS token refused for %.100s",
+ s->authctxt->user);
+ xfree(token);
+ }
+ break;
+#endif /* AFS */
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
@@ -604,7 +666,7 @@ int
check_quietlogin(Session *s, const char *command)
{
char buf[256];
- struct passwd * pw = s->pw;
+ struct passwd *pw = s->pw;
struct stat st;
/* Return 1 if .hushlogin exists or a command given. */
@@ -710,7 +772,7 @@ void
do_child(Session *s, const char *command)
{
const char *shell, *hostname = NULL, *cp = NULL;
- struct passwd * pw = s->pw;
+ struct passwd *pw = s->pw;
char buf[256];
char cmd[1024];
FILE *f = NULL;
@@ -793,10 +855,10 @@ do_child(Session *s, const char *command)
/* Try to get AFS tokens for the local cell. */
if (k_hasafs()) {
char cell[64];
-
+
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
krb_afslog(cell, 0);
-
+
krb_afslog(0, 0);
}
#endif /* AFS */
@@ -856,16 +918,16 @@ do_child(Session *s, const char *command)
if (original_command)
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
-
#ifdef KRB4
- {
- extern char *ticket;
-
- if (ticket)
- child_set_env(&env, &envsize, "KRBTKFILE", ticket);
- }
-#endif /* KRB4 */
-
+ if (s->authctxt->krb4_ticket_file)
+ child_set_env(&env, &envsize, "KRBTKFILE",
+ s->authctxt->krb4_ticket_file);
+#endif
+#ifdef KRB5
+ if (s->authctxt->krb5_ticket_file)
+ child_set_env(&env, &envsize, "KRB5CCNAME",
+ s->authctxt->krb5_ticket_file);
+#endif
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());