diff options
author | Niels Provos <provos@cvs.openbsd.org> | 2000-08-02 17:27:05 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2000-08-02 17:27:05 +0000 |
commit | 43ab6e433aad55cf3930f0db106d23e929504bcf (patch) | |
tree | 840d28f3b57c9d21994d8dace470a1b06548abfb /usr.bin/ssh | |
parent | 0f753be3f4ac9cc6889da1a7b2f81deea284183d (diff) |
disallow kerberos authentication if we can't verify the TGT; from
dugsong@
kerberos authentication is on by default only if you have a srvtab.
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/auth-krb4.c | 8 | ||||
-rw-r--r-- | usr.bin/ssh/readconf.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.8 | 4 |
3 files changed, 9 insertions, 7 deletions
diff --git a/usr.bin/ssh/auth-krb4.c b/usr.bin/ssh/auth-krb4.c index e32089b7437..ae2b2a3d892 100644 --- a/usr.bin/ssh/auth-krb4.c +++ b/usr.bin/ssh/auth-krb4.c @@ -9,7 +9,7 @@ #include "ssh.h" #include "servconf.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.15 2000/06/22 23:54:59 djm Exp $"); +RCSID("$OpenBSD: auth-krb4.c,v 1.16 2000/08/02 17:27:04 provos Exp $"); #ifdef KRB4 char *ticket = NULL; @@ -82,11 +82,12 @@ auth_krb4_password(struct passwd * pw, const char *password) if (r == RD_AP_UNDEC) { /* * Probably didn't have a srvtab on - * localhost. Allow login. + * localhost. Disallow login. */ log("Kerberos V4 TGT for %s unverifiable, " "no srvtab installed? krb_rd_req: %s", pw->pw_name, krb_err_txt[r]); + goto kerberos_auth_failure; } else if (r != KSUCCESS) { log("Kerberos V4 %s ticket unverifiable: %s", KRB4_SERVICE_NAME, krb_err_txt[r]); @@ -94,12 +95,13 @@ auth_krb4_password(struct passwd * pw, const char *password) } } else if (r == KDC_PR_UNKNOWN) { /* - * Allow login if no rcmd service exists, but + * Disallow login if no rcmd service exists, and * log the error. */ log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " "not registered, or srvtab is wrong?", pw->pw_name, krb_err_txt[r], KRB4_SERVICE_NAME, phost); + goto kerberos_auth_failure; } else { /* * TGT is bad, forget it. Possibly spoofed! diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index b44ea3652d3..f31b1c4e653 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.44 2000/08/02 16:27:16 provos Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.45 2000/08/02 17:27:04 provos Exp $"); #include "ssh.h" #include "cipher.h" @@ -724,7 +724,7 @@ fill_default_options(Options * options) options->skey_authentication = 0; #ifdef KRB4 if (options->kerberos_authentication == -1) - options->kerberos_authentication = 0; + options->kerberos_authentication = 1; #endif /* KRB4 */ #ifdef AFS if (options->kerberos_tgt_passing == -1) diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index e5c6f28364c..899f227a9c6 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: sshd.8,v 1.59 2000/08/02 16:27:16 provos Exp $ +.\" $Id: sshd.8,v 1.60 2000/08/02 17:27:04 provos Exp $ .\" .Dd September 25, 1999 .Dt SSHD 8 @@ -386,7 +386,7 @@ is yes, the password provided by the user will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is -.Dq no . +.Dq yes . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism |