remove kerberos support from ssh1, since it has been replaced with GSSAPI;

but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...

15 files changed, 20 insertions, 595 deletions

diff --git a/usr.bin/ssh/auth-krb5.c b/usr.bin/ssh/auth-krb5.c
index 5162732c46c..86f13359f3b 100644
--- a/usr.bin/ssh/auth-krb5.c
+++ b/usr.bin/ssh/auth-krb5.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -64,146 +64,6 @@ krb5_init(void *context)
 	return (0);
 }
 
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
-	krb5_error_code problem;
-	krb5_principal server;
-	krb5_ticket *ticket;
-	int fd, ret;
-
-	ret = 0;
-	server = NULL;
-	ticket = NULL;
-	reply->length = 0;
-
-	problem = krb5_init(authctxt);
-	if (problem)
-		goto err;
-
-	problem = krb5_auth_con_init(authctxt->krb5_ctx,
-	    &authctxt->krb5_auth_ctx);
-	if (problem)
-		goto err;
-
-	fd = packet_get_connection_in();
-	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
-	    authctxt->krb5_auth_ctx, &fd);
-	if (problem)
-		goto err;
-
-	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-	    KRB5_NT_SRV_HST, &server);
-	if (problem)
-		goto err;
-
-	problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
-	    auth, server, NULL, NULL, &ticket);
-	if (problem)
-		goto err;
-
-	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
-	    &authctxt->krb5_user);
-	if (problem)
-		goto err;
-
-	/* if client wants mutual auth */
-	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    reply);
-	if (problem)
-		goto err;
-
-	/* Check .k5login authorization now. */
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->pw->pw_name))
-		goto err;
-
-	if (client)
-		krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-		    client);
-
-	ret = 1;
- err:
-	if (server)
-		krb5_free_principal(authctxt->krb5_ctx, server);
-	if (ticket)
-		krb5_free_ticket(authctxt->krb5_ctx, ticket);
-	if (!ret && reply->length) {
-		xfree(reply->data);
-		memset(reply, 0, sizeof(*reply));
-	}
-
-	if (problem) {
-		if (authctxt->krb5_ctx != NULL)
-			debug("Kerberos v5 authentication failed: %s",
-			    krb5_get_err_text(authctxt->krb5_ctx, problem));
-		else
-			debug("Kerberos v5 authentication failed: %d",
-			    problem);
-	}
-
-	return (ret);
-}
-
-int
-auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
-{
-	krb5_error_code problem;
-	krb5_ccache ccache = NULL;
-	char *pname;
-
-	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
-		return (0);
-
-	temporarily_use_uid(authctxt->pw);
-
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
-	if (problem)
-		goto fail;
-
-	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-	    authctxt->krb5_user);
-	if (problem)
-		goto fail;
-
-	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    ccache, tgt);
-	if (problem)
-		goto fail;
-
-	authctxt->krb5_fwd_ccache = ccache;
-	ccache = NULL;
-
-	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
-	problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-	    &pname);
-	if (problem)
-		goto fail;
-
-	debug("Kerberos v5 TGT accepted (%s)", pname);
-
-	restore_uid();
-
-	return (1);
-
- fail:
-	if (problem)
-		debug("Kerberos v5 TGT passing failed: %s",
-		    krb5_get_err_text(authctxt->krb5_ctx, problem));
-	if (ccache)
-		krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-
-	restore_uid();
-
-	return (0);
-}
-
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -255,7 +115,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	if (problem)
 		goto out;
 
-	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
+	    authctxt->krb5_fwd_ccache);
 
  out:
 	restore_uid();
@@ -295,11 +156,6 @@ krb5_cleanup_proc(void *context)
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 		authctxt->krb5_user = NULL;
 	}
-	if (authctxt->krb5_auth_ctx) {
-		krb5_auth_con_free(authctxt->krb5_ctx,
-		    authctxt->krb5_auth_ctx);
-		authctxt->krb5_auth_ctx = NULL;
-	}
 	if (authctxt->krb5_ctx) {
 		krb5_free_context(authctxt->krb5_ctx);
 		authctxt->krb5_ctx = NULL;
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index 14d66d23c01..2fbb42143b4 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: auth.h,v 1.45 2003/08/26 09:58:43 markus Exp $	*/
+/*	$OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $	*/
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -62,7 +62,6 @@ struct Authctxt {
 #endif
 #ifdef KRB5
 	krb5_context	 krb5_ctx;
-	krb5_auth_context krb5_auth_ctx;
 	krb5_ccache	 krb5_fwd_ccache;
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index bcd4ab01411..6554afbfa70 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.51 2003/08/26 09:58:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,10 +49,6 @@ get_authname(int type)
 	case SSH_CMSG_AUTH_TIS:
 	case SSH_CMSG_AUTH_TIS_RESPONSE:
 		return "challenge-response";
-#ifdef KRB5
-	case SSH_CMSG_AUTH_KERBEROS:
-		return "kerberos";
-#endif
 	}
 	snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
 	return buf;
@@ -105,48 +101,6 @@ do_authloop(Authctxt *authctxt)
 
 		/* Process the packet. */
 		switch (type) {
-
-#ifdef KRB5
-		case SSH_CMSG_AUTH_KERBEROS:
-			if (!options.kerberos_authentication) {
-				verbose("Kerberos authentication disabled.");
-			} else {
-				char *kdata = packet_get_string(&dlen);
-				packet_check_eom();
-
-				if (kdata[0] != 4) { /* KRB_PROT_VERSION */
- 					krb5_data tkt, reply;
-					tkt.length = dlen;
-					tkt.data = kdata;
-
-					if (PRIVSEP(auth_krb5(authctxt, &tkt,
-					    &client_user, &reply))) {
-						authenticated = 1;
-						snprintf(info, sizeof(info),
-						    " tktuser %.100s",
-						    client_user);
-
- 						/* Send response to client */
- 						packet_start(
-						    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
- 						packet_put_string((char *)
-						    reply.data, reply.length);
- 						packet_send();
- 						packet_write_wait();
-
- 						if (reply.length)
- 							xfree(reply.data);
-						xfree(client_user);
-					}
-				}
-				xfree(kdata);
-			}
-			break;
-		case SSH_CMSG_HAVE_KERBEROS_TGT:
-			packet_send_debug("Kerberos TGT passing disabled before authentication.");
-			break;
-#endif
-
 		case SSH_CMSG_AUTH_RHOSTS_RSA:
 			if (!options.rhosts_rsa_authentication) {
 				verbose("Rhosts with RSA authentication disabled.");
@@ -298,16 +252,6 @@ do_authentication(void)
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
 
-#ifdef KRB5
-	/* XXX - SSH.com Kerberos v5 braindeath. */
-	if ((datafellows & SSH_BUG_K5USER) &&
-	    options.kerberos_authentication) {
-		char *p;
-		if ((p = strchr(user, '@')) != NULL)
-			*p = '\0';
-	}
-#endif
-
 	authctxt = authctxt_new();
 	authctxt->user = user;
 	authctxt->style = style;
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 9b16c4d2f1e..6fe2abee8fe 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.48 2003/08/26 09:58:43 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -121,9 +121,6 @@ int mm_answer_rsa_response(int, Buffer *);
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
 
-#ifdef KRB5
-int mm_answer_krb5(int, Buffer *);
-#endif
 #ifdef GSSAPI
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
@@ -175,9 +172,6 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
-#ifdef KRB5
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
 #ifdef GSSAPI
     {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
@@ -212,9 +206,6 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
     {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
 #endif
-#ifdef KRB5
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
-#endif
     {0, 0, NULL}
 };
 
@@ -1292,45 +1283,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
 	return (success);
 }
 
-#ifdef KRB5
-int
-mm_answer_krb5(int socket, Buffer *m)
-{
-	krb5_data tkt, reply;
-	char *client_user;
-	u_int len;
-	int success;
-
-	/* use temporary var to avoid size issues on 64bit arch */
-	tkt.data = buffer_get_string(m, &len);
-	tkt.length = len;
-
-	success = options.kerberos_authentication &&
-	    authctxt->valid &&
-	    auth_krb5(authctxt, &tkt, &client_user, &reply);
-
-	if (tkt.length)
-		xfree(tkt.data);
-
-	buffer_clear(m);
-	buffer_put_int(m, success);
-
-	if (success) {
-		buffer_put_cstring(m, client_user);
-		buffer_put_string(m, reply.data, reply.length);
-		if (client_user)
-			xfree(client_user);
-		if (reply.length)
-			xfree(reply.data);
-	}
-	mm_request_send(socket, MONITOR_ANS_KRB5, m);
-
-	auth_method = "kerberos";
-
-	return success;
-}
-#endif
-
 int
 mm_answer_term(int socket, Buffer *req)
 {
diff --git a/usr.bin/ssh/monitor.h b/usr.bin/ssh/monitor.h
index 193adda73d8..c0ef143fbdd 100644
--- a/usr.bin/ssh/monitor.h
+++ b/usr.bin/ssh/monitor.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: monitor.h,v 1.10 2003/08/22 10:56:09 markus Exp $	*/
+/*	$OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $	*/
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,7 +49,6 @@ enum monitor_reqtype {
 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c
index 6686c9de383..4edd4c04bd7 100644
--- a/usr.bin/ssh/monitor_wrap.c
+++ b/usr.bin/ssh/monitor_wrap.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.30 2003/08/24 17:36:52 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -942,41 +942,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
 	return (success);
 }
 
-#ifdef KRB5
-int
-mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
-{
-	krb5_data *tkt, *reply;
-	Buffer m;
-	int success;
-
-	debug3("%s entering", __func__);
-	tkt = (krb5_data *) argp;
-	reply = (krb5_data *) resp;
-
-	buffer_init(&m);
-	buffer_put_string(&m, tkt->data, tkt->length);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
-
-	success = buffer_get_int(&m);
-	if (success) {
-		u_int len;
-
-		*userp = buffer_get_string(&m, NULL);
-		reply->data = buffer_get_string(&m, &len);
-		reply->length = len;
-	} else {
-		memset(reply, 0, sizeof(*reply));
-		*userp = NULL;
-	}
-
-	buffer_free(&m);
-	return (success);
-}
-#endif /* KRB5 */
-
 #ifdef GSSAPI
 OM_uint32
 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
diff --git a/usr.bin/ssh/monitor_wrap.h b/usr.bin/ssh/monitor_wrap.h
index 5eaa3c764b9..92f940a4a72 100644
--- a/usr.bin/ssh/monitor_wrap.h
+++ b/usr.bin/ssh/monitor_wrap.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: monitor_wrap.h,v 1.10 2003/08/22 10:56:09 markus Exp $	*/
+/*	$OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $	*/
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -87,13 +87,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
-/* auth_krb */
-#ifdef KRB5
-/* auth and reply are really krb5_data objects, but we don't want to
- * include all of the krb5 headers here */
-int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
-#endif
-
 /* zlib allocation hooks */
 
 void *mm_zalloc(struct mm_master *, u_int, u_int);
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 22b7409fed7..0f3f008d327 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.118 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.119 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -132,13 +132,8 @@ static struct {
 	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
 	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
 	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-#ifdef KRB5
-	{ "kerberosauthentication", oKerberosAuthentication },
-	{ "kerberostgtpassing", oKerberosTgtPassing },
-#else
 	{ "kerberosauthentication", oUnsupported },
 	{ "kerberostgtpassing", oUnsupported },
-#endif
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 8a3b3d4ce5a..bfd516b3c2d 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.125 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -273,13 +273,12 @@ static struct {
 	{ "kerberosauthentication", sKerberosAuthentication },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup },
-	{ "kerberostgtpassing", sKerberosTgtPassing },
 #else
 	{ "kerberosauthentication", sUnsupported },
 	{ "kerberosorlocalpasswd", sUnsupported },
 	{ "kerberosticketcleanup", sUnsupported },
-	{ "kerberostgtpassing", sUnsupported },
 #endif
+	{ "kerberostgtpassing", sUnsupported },
 	{ "afstokenpassing", sUnsupported },
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication },
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 4823c5f07e1..3e9099f8bca 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.161 2003/08/22 10:56:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.162 2003/08/28 12:54:34 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -327,30 +327,6 @@ do_authenticated1(Authctxt *authctxt)
 				success = 1;
 			break;
 
-#ifdef KRB5
-		case SSH_CMSG_HAVE_KERBEROS_TGT:
-			if (!options.kerberos_tgt_passing) {
-				verbose("Kerberos TGT passing disabled.");
-			} else {
-				char *kdata = packet_get_string(&dlen);
-				packet_check_eom();
-
-				/* XXX - 0x41, used for AFS */
-				if (kdata[0] != 0x41) {
-					krb5_data tgt;
-					tgt.data = kdata;
-					tgt.length = dlen;
-
-					if (auth_krb5_tgt(s->authctxt, &tgt))
-						success = 1;
-					else
-						verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
-				}
-				xfree(kdata);
-			}
-			break;
-#endif
-
 		case SSH_CMSG_EXEC_SHELL:
 		case SSH_CMSG_EXEC_CMD:
 			if (type == SSH_CMSG_EXEC_CMD) {
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index f99562b96a0..b20452ce23e 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.18 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.19 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -407,18 +407,6 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable keepalives, the value should be set to
 .Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 9cc827b08fd..2f89964eca5 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,15 +13,11 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
-#ifdef KRB5
-#include <krb5.h>
-#endif
-
 #include "ssh.h"
 #include "ssh1.h"
 #include "xmalloc.h"
@@ -370,190 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
 	return 0;
 }
 
-#ifdef KRB5
-static int
-try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
-{
-	krb5_error_code problem;
-	const char *tkfile;
-	struct stat buf;
-	krb5_ccache ccache = NULL;
-	const char *remotehost;
-	krb5_data ap;
-	int type;
-	krb5_ap_rep_enc_part *reply = NULL;
-	int ret;
-
-	memset(&ap, 0, sizeof(ap));
-
-	problem = krb5_init_context(context);
-	if (problem) {
-		debug("Kerberos v5: krb5_init_context failed");
-		ret = 0;
-		goto out;
-	}
-
-	tkfile = krb5_cc_default_name(*context);
-	if (strncmp(tkfile, "FILE:", 5) == 0)
-		tkfile += 5;
-
-	if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-		debug("Kerberos v5: could not get default ccache (permission denied).");
-		ret = 0;
-		goto out;
-	}
-
-	problem = krb5_cc_default(*context, &ccache);
-	if (problem) {
-		debug("Kerberos v5: krb5_cc_default failed: %s",
-		    krb5_get_err_text(*context, problem));
-		ret = 0;
-		goto out;
-	}
-
-	remotehost = get_canonical_hostname(1);
-
-	problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
-	    "host", remotehost, NULL, ccache, &ap);
-	if (problem) {
-		debug("Kerberos v5: krb5_mk_req failed: %s",
-		    krb5_get_err_text(*context, problem));
-		ret = 0;
-		goto out;
-	}
-
-	packet_start(SSH_CMSG_AUTH_KERBEROS);
-	packet_put_string((char *) ap.data, ap.length);
-	packet_send();
-	packet_write_wait();
-
-	xfree(ap.data);
-	ap.length = 0;
-
-	type = packet_read();
-	switch (type) {
-	case SSH_SMSG_FAILURE:
-		/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-		debug("Kerberos v5 authentication failed.");
-		ret = 0;
-		break;
-
-	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-		/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-		debug("Kerberos v5 authentication accepted.");
-
-		/* Get server's response. */
-		ap.data = packet_get_string((unsigned int *) &ap.length);
-		packet_check_eom();
-		/* XXX je to dobre? */
-
-		problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
-		if (problem) {
-			ret = 0;
-		}
-		ret = 1;
-		break;
-
-	default:
-		packet_disconnect("Protocol error on Kerberos v5 response: %d",
-		    type);
-		ret = 0;
-		break;
-
-	}
-
- out:
-	if (ccache != NULL)
-		krb5_cc_close(*context, ccache);
-	if (reply != NULL)
-		krb5_free_ap_rep_enc_part(*context, reply);
-	if (ap.length > 0)
-		krb5_data_free(&ap);
-
-	return (ret);
-}
-
-static void
-send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
-{
-	int fd, type;
-	krb5_error_code problem;
-	krb5_data outbuf;
-	krb5_ccache ccache = NULL;
-	krb5_creds creds;
-	krb5_kdc_flags flags;
-	const char *remotehost;
-
-	memset(&creds, 0, sizeof(creds));
-	memset(&outbuf, 0, sizeof(outbuf));
-
-	fd = packet_get_connection_in();
-
-	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_default(context, &ccache);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_get_principal(context, ccache, &creds.client);
-	if (problem)
-		goto out;
-
-	problem = krb5_build_principal(context, &creds.server,
-	    strlen(creds.client->realm), creds.client->realm,
-	    "krbtgt", creds.client->realm, NULL);
-	if (problem)
-		goto out;
-
-	creds.times.endtime = 0;
-
-	flags.i = 0;
-	flags.b.forwarded = 1;
-	flags.b.forwardable = krb5_config_get_bool(context,  NULL,
-	    "libdefaults", "forwardable", NULL);
-
-	remotehost = get_canonical_hostname(1);
-
-	problem = krb5_get_forwarded_creds(context, auth_context,
-	    ccache, flags.i, remotehost, &creds, &outbuf);
-	if (problem)
-		goto out;
-
-	packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-	packet_put_string((char *)outbuf.data, outbuf.length);
-	packet_send();
-	packet_write_wait();
-
-	type = packet_read();
-
-	if (type == SSH_SMSG_SUCCESS) {
-		char *pname;
-
-		krb5_unparse_name(context, creds.client, &pname);
-		debug("Kerberos v5 TGT forwarded (%s).", pname);
-		xfree(pname);
-	} else
-		debug("Kerberos v5 TGT forwarding failed.");
-
-	return;
-
- out:
-	if (problem)
-		debug("Kerberos v5 TGT forwarding failed: %s",
-		    krb5_get_err_text(context, problem));
-	if (creds.client)
-		krb5_free_principal(context, creds.client);
-	if (creds.server)
-		krb5_free_principal(context, creds.server);
-	if (ccache)
-		krb5_cc_close(context, ccache);
-	if (outbuf.data)
-		xfree(outbuf.data);
-}
-#endif /* KRB5 */
-
 /*
  * Tries to authenticate with any string-based challenge/response system.
  * Note that the client code is not tied to s/key or TIS.
@@ -842,10 +654,6 @@ void
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
     Sensitive *sensitive)
 {
-#ifdef KRB5
-	krb5_context context = NULL;
-	krb5_auth_context auth_context = NULL;
-#endif
 	int i, type;
 
 	if (supported_authentications == 0)
@@ -870,21 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	if (type != SSH_SMSG_FAILURE)
 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
 
-#ifdef KRB5
-	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-	    options.kerberos_authentication) {
-		debug("Trying Kerberos v5 authentication.");
-
-		if (try_krb5_authentication(&context, &auth_context)) {
-			type = packet_read();
-			if (type == SSH_SMSG_SUCCESS)
-				goto success;
-			if (type != SSH_SMSG_FAILURE)
-				packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
-		}
-	}
-#endif /* KRB5 */
-
 	/*
 	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
 	 * authentication.
@@ -938,18 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
 	/* NOTREACHED */
 
  success:
-#ifdef KRB5
-	/* Try Kerberos v5 TGT passing. */
-	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-	    options.kerberos_tgt_passing && context && auth_context) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-		send_krb5_tgt(context, auth_context);
-	}
-	if (auth_context)
-		krb5_auth_con_free(context, auth_context);
-	if (context)
-		krb5_free_context(context);
-#endif
 	return;	/* need statement after label */
 }
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index fcb0f4983e5..7bdfba462e7 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.275 2003/08/13 08:46:31 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1396,14 +1396,6 @@ main(int ac, char **av)
 
 	sshd_exchange_identification(sock_in, sock_out);
 
-#ifdef KRB5
-	if (!packet_connection_is_ipv4() &&
-	    options.kerberos_authentication) {
-		debug("Kerberos Authentication disabled, only available for IPv4.");
-		options.kerberos_authentication = 0;
-	}
-#endif
-
 	packet_set_nonblocking();
 
 	if (use_privsep)
@@ -1558,12 +1550,6 @@ do_ssh1_kex(void)
 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
 	if (options.rsa_authentication)
 		auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef KRB5
-	if (options.kerberos_authentication)
-		auth_mask |= 1 << SSH_AUTH_KERBEROS;
-	if (options.kerberos_tgt_passing)
-		auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
-#endif
 	if (options.challenge_response_authentication == 1)
 		auth_mask |= 1 << SSH_AUTH_TIS;
 	if (options.password_authentication)
diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config
index 82002e28593..9a42f79ff22 100644
--- a/usr.bin/ssh/sshd_config
+++ b/usr.bin/ssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.64 2003/08/22 10:56:09 markus Exp $
+#	$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -59,7 +59,6 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
-#KerberosTgtPassing no
 
 # GSSAPI options
 #GSSAPIAuthentication no
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 0e247356ae2..5a8b0ab75b9 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.23 2003/08/22 10:56:09 markus Exp $
+.\" $OpenBSD: sshd_config.5,v 1.24 2003/08/28 12:54:34 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -316,11 +316,9 @@ This avoids infinitely hanging sessions.
 To disable keepalives, the value should be set to
 .Dq no .
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
-This can be in the form of a Kerberos ticket, or if
+Specifies whether the password provided by the user for
 .Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
-the Kerberos KDC.
+will be validated through the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
@@ -332,10 +330,6 @@ such as
 .Pa /etc/passwd .
 Default is
 .Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.