-rw-r--r--usr.bin/ssh/auth2-krb5.c66
-rw-r--r--usr.bin/ssh/auth2.c8
-rw-r--r--usr.bin/ssh/monitor.c7
-rw-r--r--usr.bin/ssh/sshconnect2.c101
-rw-r--r--usr.bin/ssh/sshd/Makefile4
5 files changed, 181 insertions, 5 deletions
diff --git a/usr.bin/ssh/auth2-krb5.c b/usr.bin/ssh/auth2-krb5.c
new file mode 100644
index 00000000000..ea4d76da042
--- /dev/null
+++ b/usr.bin/ssh/auth2-krb5.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2003 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2-krb5.c,v 1.1 2003/05/14 02:15:47 markus Exp $");
+
+#include <krb5.h>
+
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "log.h"
+#include "auth.h"
+#include "monitor_wrap.h"
+#include "servconf.h"
+
+/* import */
+extern ServerOptions options;
+
+static int
+userauth_kerberos(Authctxt *authctxt)
+{
+ krb5_data tkt, reply;
+ char *client = NULL;
+ int authenticated = 0;
+
+ tkt.data = packet_get_string(&tkt.length);
+ packet_check_eom();
+
+ if (PRIVSEP(auth_krb5(authctxt, &tkt, &client, &reply))) {
+ authenticated = 1;
+ if (reply.length)
+ xfree(reply.data);
+ }
+ if (client)
+ xfree(client);
+ xfree(tkt.data);
+ return (authenticated);
+}
+
+Authmethod method_kerberos = {
+ "kerberos-2@ssh.com",
+ userauth_kerberos,
+ &options.kerberos_authentication
+};
diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c
index 0ca0ead7c15..88d5f6a48fd 100644
--- a/usr.bin/ssh/auth2.c
+++ b/usr.bin/ssh/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.97 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $");
#include "ssh2.h"
#include "xmalloc.h"
@@ -50,6 +50,9 @@ extern Authmethod method_pubkey;
extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
+#ifdef KRB5
+extern Authmethod method_kerberos;
+#endif
Authmethod *authmethods[] = {
&method_none,
@@ -57,6 +60,9 @@ Authmethod *authmethods[] = {
&method_passwd,
&method_kbdint,
&method_hostbased,
+#ifdef KRB5
+ &method_kerberos,
+#endif
NULL
};
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 1618ba55e6e..2156a887983 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.38 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");
#include <openssl/dh.h>
@@ -167,6 +167,9 @@ struct mon_table mon_dispatch_proto20[] = {
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
+#ifdef KRB5
+ {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
{0, 0, NULL}
};
@@ -1343,6 +1346,8 @@ mm_answer_krb5(int socket, Buffer *m)
}
mm_request_send(socket, MONITOR_ANS_KRB5, m);
+ auth_method = "kerberos";
+
return success;
}
#endif
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 7d370214aaa..0b47f4c4dbe 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -23,7 +23,11 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.117 2003/05/12 16:55:37 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
#include "ssh.h"
#include "ssh2.h"
@@ -190,6 +194,7 @@ int userauth_pubkey(Authctxt *);
int userauth_passwd(Authctxt *);
int userauth_kbdint(Authctxt *);
int userauth_hostbased(Authctxt *);
+int userauth_kerberos(Authctxt *);
void userauth(Authctxt *, char *);
@@ -208,6 +213,12 @@ Authmethod authmethods[] = {
userauth_hostbased,
&options.hostbased_authentication,
NULL},
+#if KRB5
+ {"kerberos-2@ssh.com",
+ userauth_kerberos,
+ &options.kerberos_authentication,
+ NULL},
+#endif
{"publickey",
userauth_pubkey,
&options.pubkey_authentication,
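Review bot: `#if KRB5` here (and again in the later hunk of this file that adds `ssh_krb5_helper`) differs from the `#ifdef KRB5` used a few lines up in this same file for the `<krb5.h>` include and throughout auth2.c and monitor.c. `#if KRB5` is a preprocessor error when KRB5 is defined empty or non-numeric, while `#ifdef` only tests presence; the sshd Makefile's `-DKRB5` satisfies both, but mixed forms invite a build configuration where the include is compiled in and the method silently is not. Suggest `#ifdef KRB5` at both sites for consistency. The unconditional prototype `int userauth_kerberos(Authctxt *);` added alongside the other method prototypes is harmless but likewise inconsistent with the guarded definition.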
@@ -1112,6 +1123,94 @@ userauth_hostbased(Authctxt *authctxt)
return 1;
}
+#if KRB5
+static int
+ssh_krb5_helper(krb5_data *ap)
+{
+ krb5_context xcontext = NULL; /* XXX share with ssh1 */
+ krb5_auth_context xauth_context = NULL;
+
+ krb5_context *context;
+ krb5_auth_context *auth_context;
+ krb5_error_code problem;
+ const char *tkfile;
+ struct stat buf;
+ krb5_ccache ccache = NULL;
+ const char *remotehost;
+ int ret;
+
+ memset(ap, 0, sizeof(*ap));
+
+ context = &xcontext;
+ auth_context = &xauth_context;
+
+ problem = krb5_init_context(context);
+ if (problem) {
+ debug("Kerberos v5: krb5_init_context failed");
+ ret = 0;
+ goto out;
+ }
+
+ tkfile = krb5_cc_default_name(*context);
+ if (strncmp(tkfile, "FILE:", 5) == 0)
+ tkfile += 5;
+
+ if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+ debug("Kerberos v5: could not get default ccache (permission denied).");
+ ret = 0;
+ goto out;
+ }
+
+ problem = krb5_cc_default(*context, &ccache);
+ if (problem) {
+ debug("Kerberos v5: krb5_cc_default failed: %s",
+ krb5_get_err_text(*context, problem));
+ ret = 0;
+ goto out;
+ }
+
+ remotehost = get_canonical_hostname(1);
+
+ problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+ "host", remotehost, NULL, ccache, ap);
+ if (problem) {
+ debug("Kerberos v5: krb5_mk_req failed: %s",
+ krb5_get_err_text(*context, problem));
+ ret = 0;
+ goto out;
+ }
+ ret = 1;
+
+ out:
+ if (ccache != NULL)
+ krb5_cc_close(*context, ccache);
+ if (*auth_context)
+ krb5_auth_con_free(*context, *auth_context);
+ if (*context)
+ krb5_free_context(*context);
+ return (ret);
+}
+
+int
+userauth_kerberos(Authctxt *authctxt)
+{
+ krb5_data ap;
+
+ if (ssh_krb5_helper(&ap) == 0)
+ return (0);
+
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+ packet_put_string(ap.data, ap.length);
+ packet_send();
+
+ krb5_data_free(&ap);
+ return (1);
+}
+#endif
+
/* find auth method */
/*
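Review bot: `tkfile = krb5_cc_default_name(*context);` is passed straight to `strncmp()` with no NULL check; in the Heimdal implementation this can return NULL when the default name cannot be set up, which would then dereference NULL before any ticket work begins, so add `if (tkfile == NULL) { debug("Kerberos v5: no default ccache name"); ret = 0; goto out; }` before the prefix strip. The four separate `ret = 0;` assignments ahead of each `goto out` would be simpler as `int ret = 0;` at the declaration, which also guarantees `ret` is never indeterminate if a future error branch reaches `out` without setting it. The `stat()`-then-`krb5_cc_default()` ownership test only recognises `FILE:` caches and is a check-then-use sequence, so it should be documented as a sanity check rather than a security boundary, e.g. `/* best-effort: refuse another user's FILE: ccache; other cache types are not checked */`. In the client `userauth_kerberos`, returning 1 right after `packet_send()` means the method is considered "sent" with no handler registered for a server reply; if no AP-REP is expected by design, a one-line comment saying so would keep a reader from looking for the missing dispatch entry.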
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index 9ee50491347..9e98dfd1f09 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.54 2003/04/10 00:17:52 pvalchev Exp $
+# $OpenBSD: Makefile,v 1.55 2003/05/14 02:15:48 markus Exp $
.PATH: ${.CURDIR}/..
@@ -22,7 +22,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
.if (${KERBEROS5:L} == "yes")
CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV
-SRCS+= auth-krb5.c
+SRCS+= auth-krb5.c auth2-krb5.c
LDADD+= -lkrb5 -lkafs -lkrb -lasn1 -lcom_err
DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1} ${LIBCOM_ERR}
.endif # KERBEROS5