authorNiels Provos <provos@cvs.openbsd.org>2000-08-02 17:27:05 +0000
committerNiels Provos <provos@cvs.openbsd.org>2000-08-02 17:27:05 +0000
commit43ab6e433aad55cf3930f0db106d23e929504bcf (patch)
tree840d28f3b57c9d21994d8dace470a1b06548abfb /usr.bin/ssh
parent0f753be3f4ac9cc6889da1a7b2f81deea284183d (diff)
disallow kerberos authentication if we can't verify the TGT; from
dugsong@. Kerberos authentication is on by default only if you have a srvtab.
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/auth-krb4.c8
-rw-r--r--usr.bin/ssh/readconf.c4
-rw-r--r--usr.bin/ssh/sshd.84
3 files changed, 9 insertions, 7 deletions
diff --git a/usr.bin/ssh/auth-krb4.c b/usr.bin/ssh/auth-krb4.c
index e32089b7437..ae2b2a3d892 100644
--- a/usr.bin/ssh/auth-krb4.c
+++ b/usr.bin/ssh/auth-krb4.c
@@ -9,7 +9,7 @@
#include "ssh.h"
#include "servconf.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.15 2000/06/22 23:54:59 djm Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.16 2000/08/02 17:27:04 provos Exp $");
#ifdef KRB4
char *ticket = NULL;
@@ -82,11 +82,12 @@ auth_krb4_password(struct passwd * pw, const char *password)
if (r == RD_AP_UNDEC) {
/*
* Probably didn't have a srvtab on
- * localhost. Allow login.
+ * localhost. Disallow login.
*/
log("Kerberos V4 TGT for %s unverifiable, "
"no srvtab installed? krb_rd_req: %s",
pw->pw_name, krb_err_txt[r]);
+ goto kerberos_auth_failure;
} else if (r != KSUCCESS) {
log("Kerberos V4 %s ticket unverifiable: %s",
KRB4_SERVICE_NAME, krb_err_txt[r]);
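Review bot: The updated comment above the new `goto kerberos_auth_failure;` says "Disallow login" but not why, and the reason is the security-relevant part: with no srvtab the server has no local service key to check the ticket against, so it cannot tell a TGT issued by the real KDC from one minted by a host impersonating the KDC (the KDC-spoofing weakness that made the old "Allow login" path unsafe). I would replace the comment with `/* Probably no srvtab on localhost: without a local service key the TGT cannot be verified, so a spoofed KDC could have issued it. Fail closed. */`. The `r != KSUCCESS` branch that follows presumably reaches the same label, but its body and the `kerberos_auth_failure` label lie outside this hunk, as does the start of auth_krb4_password.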
@@ -94,12 +95,13 @@ auth_krb4_password(struct passwd * pw, const char *password)
}
} else if (r == KDC_PR_UNKNOWN) {
/*
- * Allow login if no rcmd service exists, but
+ * Disallow login if no rcmd service exists, and
* log the error.
*/
log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
"not registered, or srvtab is wrong?", pw->pw_name,
krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+ goto kerberos_auth_failure;
} else {
/*
* TGT is bad, forget it. Possibly spoofed!
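Review bot: The log line kept in this branch was written when the KDC_PR_UNKNOWN case still allowed the login, and it now precedes a `goto kerberos_auth_failure;` without saying so; an operator reading "not registered, or srvtab is wrong?" in sshd's log would, from the previous version, assume the user got in. I would append the outcome to the message, e.g. `"not registered, or srvtab is wrong? Refusing login.", pw->pw_name,`, so the fail-closed behaviour is visible in the audit trail. The same applies to the RD_AP_UNDEC message in the previous hunk. The trailing `else` branch and the label this jumps to are outside the hunk.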
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index b44ea3652d3..f31b1c4e653 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.44 2000/08/02 16:27:16 provos Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.45 2000/08/02 17:27:04 provos Exp $");
#include "ssh.h"
#include "cipher.h"
@@ -724,7 +724,7 @@ fill_default_options(Options * options)
options->skey_authentication = 0;
#ifdef KRB4
if (options->kerberos_authentication == -1)
- options->kerberos_authentication = 0;
+ options->kerberos_authentication = 1;
#endif /* KRB4 */
#ifdef AFS
if (options->kerberos_tgt_passing == -1)
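Review bot: This is the client's fill_default_options, so `options->kerberos_authentication = 1;` makes every KRB4-built ssh client attempt Kerberos authentication by default, independently of whether any srvtab exists — the "only if you have a srvtab" condition in the commit message can only be enforced on the server side (auth-krb4.c in this diff), and servconf.c does not appear in the diffstat, so the server default documented as "yes" in the sshd.8 hunk is set elsewhere. A short comment would stop the next reader from looking for a srvtab check here: `/* Client default: offer KRB4 auth; the server still rejects it unless it can verify the TGT (auth-krb4.c). */`. fill_default_options begins before this hunk and continues after it.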
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index e5c6f28364c..899f227a9c6 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: sshd.8,v 1.59 2000/08/02 16:27:16 provos Exp $
+.\" $Id: sshd.8,v 1.60 2000/08/02 17:27:04 provos Exp $
.\"
.Dd September 25, 1999
.Dt SSHD 8
@@ -386,7 +386,7 @@ is yes, the password provided by the user will be validated through
the Kerberos KDC. To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
Default is
-.Dq no .
+.Dq yes .
.It Cm KerberosOrLocalPasswd
If set then if password authentication through Kerberos fails then
the password will be validated via any additional local mechanism