summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--usr.bin/ssh/auth-krb4.c368
-rw-r--r--usr.bin/ssh/auth-passwd.c10
-rw-r--r--usr.bin/ssh/auth.h19
-rw-r--r--usr.bin/ssh/auth1.c47
-rw-r--r--usr.bin/ssh/monitor.c54
-rw-r--r--usr.bin/ssh/monitor.h3
-rw-r--r--usr.bin/ssh/monitor_wrap.c38
-rw-r--r--usr.bin/ssh/monitor_wrap.h5
-rw-r--r--usr.bin/ssh/radix.c158
-rw-r--r--usr.bin/ssh/radix.h28
-rw-r--r--usr.bin/ssh/readconf.c17
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/servconf.c24
-rw-r--r--usr.bin/ssh/servconf.h3
-rw-r--r--usr.bin/ssh/session.c57
-rw-r--r--usr.bin/ssh/ssh.14
-rw-r--r--usr.bin/ssh/ssh.c9
-rw-r--r--usr.bin/ssh/ssh.h5
-rw-r--r--usr.bin/ssh/ssh_config.510
-rw-r--r--usr.bin/ssh/sshconnect1.c287
-rw-r--r--usr.bin/ssh/sshd.c21
-rw-r--r--usr.bin/ssh/sshd_config.59
22 files changed, 37 insertions, 1142 deletions
diff --git a/usr.bin/ssh/auth-krb4.c b/usr.bin/ssh/auth-krb4.c
deleted file mode 100644
index 9e1c800bee9..00000000000
--- a/usr.bin/ssh/auth-krb4.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.30 2003/04/08 20:21:28 itojun Exp $");
-
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "auth.h"
-
-#ifdef AFS
-#include "radix.h"
-#endif
-
-#ifdef KRB4
-extern ServerOptions options;
-
-static int
-krb4_init(void *context)
-{
- static int cleanup_registered = 0;
- Authctxt *authctxt = (Authctxt *)context;
- const char *tkt_root = TKT_ROOT;
- struct stat st;
- int fd;
-
- if (!authctxt->krb4_ticket_file) {
- /* Set unique ticket string manually since we're still root. */
- authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
-#ifdef AFS
- if (lstat("/ticket", &st) != -1)
- tkt_root = "/ticket/";
-#endif /* AFS */
- snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
- tkt_root, authctxt->pw->pw_uid, (long)getpid());
- krb_set_tkt_string(authctxt->krb4_ticket_file);
- }
- /* Register ticket cleanup in case of fatal error. */
- if (!cleanup_registered) {
- fatal_add_cleanup(krb4_cleanup_proc, authctxt);
- cleanup_registered = 1;
- }
- /* Try to create our ticket file. */
- if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
- close(fd);
- return (1);
- }
- /* Ticket file exists - make sure user owns it (just passed ticket). */
- if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
- if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
- st.st_uid == authctxt->pw->pw_uid)
- return (1);
- }
- /* Failure - cancel cleanup function, leaving ticket for inspection. */
- logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
-
- fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
- cleanup_registered = 0;
-
- xfree(authctxt->krb4_ticket_file);
- authctxt->krb4_ticket_file = NULL;
-
- return (0);
-}
-
-/*
- * try krb4 authentication,
- * return 1 on success, 0 on failure, -1 if krb4 is not available
- */
-int
-auth_krb4_password(Authctxt *authctxt, const char *password)
-{
- AUTH_DAT adata;
- KTEXT_ST tkt;
- struct hostent *hp;
- struct passwd *pw;
- char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
- u_int32_t faddr;
- int r;
-
- if ((pw = authctxt->pw) == NULL)
- return (0);
-
- /*
- * Try Kerberos password authentication only for non-root
- * users and only if Kerberos is installed.
- */
- if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
- /* Set up our ticket file. */
- if (!krb4_init(authctxt)) {
- logit("Couldn't initialize Kerberos ticket file for %s!",
- pw->pw_name);
- goto failure;
- }
- /* Try to get TGT using our password. */
- r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
- "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
- if (r != INTK_OK) {
- debug("Kerberos v4 password authentication for %s "
- "failed: %s", pw->pw_name, krb_err_txt[r]);
- goto failure;
- }
- /* Successful authentication. */
- chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
- /*
- * Now that we have a TGT, try to get a local
- * "rcmd" ticket to ensure that we are not talking
- * to a bogus Kerberos server.
- */
- gethostname(localhost, sizeof(localhost));
- strlcpy(phost, (char *)krb_get_phost(localhost),
- sizeof(phost));
- r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
- if (r == KSUCCESS) {
- if ((hp = gethostbyname(localhost)) == NULL) {
- logit("Couldn't get local host address!");
- goto failure;
- }
- memmove((void *)&faddr, (void *)hp->h_addr,
- sizeof(faddr));
-
- /* Verify our "rcmd" ticket. */
- r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
- faddr, &adata, "");
- if (r == RD_AP_UNDEC) {
- /*
- * Probably didn't have a srvtab on
- * localhost. Disallow login.
- */
- logit("Kerberos v4 TGT for %s unverifiable, "
- "no srvtab installed? krb_rd_req: %s",
- pw->pw_name, krb_err_txt[r]);
- goto failure;
- } else if (r != KSUCCESS) {
- logit("Kerberos v4 %s ticket unverifiable: %s",
- KRB4_SERVICE_NAME, krb_err_txt[r]);
- goto failure;
- }
- } else if (r == KDC_PR_UNKNOWN) {
- /*
- * Disallow login if no rcmd service exists, and
- * log the error.
- */
- logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
- "not registered, or srvtab is wrong?", pw->pw_name,
- krb_err_txt[r], KRB4_SERVICE_NAME, phost);
- goto failure;
- } else {
- /*
- * TGT is bad, forget it. Possibly spoofed!
- */
- debug("WARNING: Kerberos v4 TGT possibly spoofed "
- "for %s: %s", pw->pw_name, krb_err_txt[r]);
- goto failure;
- }
- /* Authentication succeeded. */
- return (1);
- } else
- /* Logging in as root or no local Kerberos realm. */
- debug("Unable to authenticate to Kerberos.");
-
- failure:
- krb4_cleanup_proc(authctxt);
-
- if (!options.kerberos_or_local_passwd)
- return (0);
-
- /* Fall back to ordinary passwd authentication. */
- return (-1);
-}
-
-void
-krb4_cleanup_proc(void *context)
-{
- Authctxt *authctxt = (Authctxt *)context;
- debug("krb4_cleanup_proc called");
- if (authctxt->krb4_ticket_file) {
- (void) dest_tkt();
- xfree(authctxt->krb4_ticket_file);
- authctxt->krb4_ticket_file = NULL;
- }
-}
-
-int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
-{
- AUTH_DAT adat = {0};
- Key_schedule schedule;
- struct sockaddr_in local, foreign;
- char instance[INST_SZ];
- socklen_t slen;
- u_int cksum;
- int r, s;
-
- s = packet_get_connection_in();
-
- slen = sizeof(local);
- memset(&local, 0, sizeof(local));
- if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
- debug("getsockname failed: %.100s", strerror(errno));
- slen = sizeof(foreign);
- memset(&foreign, 0, sizeof(foreign));
- if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
- debug("getpeername failed: %.100s", strerror(errno));
- fatal_cleanup();
- }
- instance[0] = '*';
- instance[1] = 0;
-
- /* Get the encrypted request, challenge, and session key. */
- if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
- 0, &adat, ""))) {
- debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
- return (0);
- }
- des_key_sched((des_cblock *) adat.session, schedule);
-
- *client = xmalloc(MAX_K_NAME_SZ);
- (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
- *adat.pinst ? "." : "", adat.pinst, adat.prealm);
-
- /* Check ~/.klogin authorization now. */
- if (kuserok(&adat, authctxt->user) != KSUCCESS) {
- logit("Kerberos v4 .klogin authorization failed for %s to "
- "account %s", *client, authctxt->user);
- xfree(*client);
- *client = NULL;
- return (0);
- }
- /* Increment the checksum, and return it encrypted with the
- session key. */
- cksum = adat.checksum + 1;
- cksum = htonl(cksum);
-
- /* If we can't successfully encrypt the checksum, we send back an
- empty message, admitting our failure. */
- if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
- schedule, &adat.session, &local, &foreign)) < 0) {
- debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
- reply->dat[0] = 0;
- reply->length = 0;
- } else
- reply->length = r;
-
- /* Clear session key. */
- memset(&adat.session, 0, sizeof(adat.session));
- return (1);
-}
-#endif /* KRB4 */
-
-#ifdef AFS
-int
-auth_krb4_tgt(Authctxt *authctxt, const char *string)
-{
- CREDENTIALS creds;
- struct passwd *pw;
-
- if ((pw = authctxt->pw) == NULL)
- goto failure;
-
- temporarily_use_uid(pw);
-
- if (!radix_to_creds(string, &creds)) {
- logit("Protocol error decoding Kerberos v4 TGT");
- goto failure;
- }
- if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
- strlcpy(creds.service, "krbtgt", sizeof creds.service);
-
- if (strcmp(creds.service, "krbtgt")) {
- logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
- creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
- creds.realm, pw->pw_name);
- goto failure;
- }
- if (!krb4_init(authctxt))
- goto failure;
-
- if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
- goto failure;
-
- if (save_credentials(creds.service, creds.instance, creds.realm,
- creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
- creds.issue_date) != KSUCCESS) {
- debug("Kerberos v4 TGT refused: couldn't save credentials");
- goto failure;
- }
- /* Successful authentication, passed all checks. */
- chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
- debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
- creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
- memset(&creds, 0, sizeof(creds));
-
- restore_uid();
-
- return (1);
-
- failure:
- krb4_cleanup_proc(authctxt);
- memset(&creds, 0, sizeof(creds));
- restore_uid();
-
- return (0);
-}
-
-int
-auth_afs_token(Authctxt *authctxt, const char *token_string)
-{
- CREDENTIALS creds;
- struct passwd *pw;
- uid_t uid;
-
- if ((pw = authctxt->pw) == NULL)
- return (0);
-
- if (!radix_to_creds(token_string, &creds)) {
- logit("Protocol error decoding AFS token");
- return (0);
- }
- if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
- strlcpy(creds.service, "afs", sizeof creds.service);
-
- if (strncmp(creds.pname, "AFS ID ", 7) == 0)
- uid = atoi(creds.pname + 7);
- else
- uid = pw->pw_uid;
-
- if (kafs_settoken(creds.realm, uid, &creds)) {
- logit("AFS token (%s@%s) rejected for %s",
- creds.pname, creds.realm, pw->pw_name);
- memset(&creds, 0, sizeof(creds));
- return (0);
- }
- debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
- memset(&creds, 0, sizeof(creds));
-
- return (1);
-}
-#endif /* AFS */
diff --git a/usr.bin/ssh/auth-passwd.c b/usr.bin/ssh/auth-passwd.c
index d0295fb5b78..5eb8ac6065e 100644
--- a/usr.bin/ssh/auth-passwd.c
+++ b/usr.bin/ssh/auth-passwd.c
@@ -36,7 +36,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
#include "packet.h"
#include "log.h"
@@ -70,14 +70,6 @@ auth_password(Authctxt *authctxt, const char *password)
/* Fall back to ordinary passwd authentication. */
}
#endif
-#ifdef KRB4
- if (options.kerberos_authentication == 1) {
- int ret = auth_krb4_password(authctxt, password);
- if (ret == 1 || ret == 0)
- return ret;
- /* Fall back to ordinary passwd authentication. */
- }
-#endif
#ifdef BSD_AUTH
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password) == 0)
diff --git a/usr.bin/ssh/auth.h b/usr.bin/ssh/auth.h
index 75da99db4d9..6e496dd244d 100644
--- a/usr.bin/ssh/auth.h
+++ b/usr.bin/ssh/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.42 2003/04/16 14:35:27 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.43 2003/07/22 13:35:22 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -60,9 +60,6 @@ struct Authctxt {
#ifdef BSD_AUTH
auth_session_t *as;
#endif
-#ifdef KRB4
- char *krb4_ticket_file;
-#endif
#ifdef KRB5
krb5_context krb5_ctx;
krb5_auth_context krb5_auth_ctx;
@@ -117,20 +114,6 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *);
-#ifdef KRB4
-#include <krb.h>
-int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
-int auth_krb4_password(Authctxt *, const char *);
-void krb4_cleanup_proc(void *);
-
-#ifdef AFS
-#include <kafs.h>
-int auth_krb4_tgt(Authctxt *, const char *);
-int auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-
-#endif /* KRB4 */
-
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
diff --git a/usr.bin/ssh/auth1.c b/usr.bin/ssh/auth1.c
index 672b5ed5ec0..3dd09a34f3b 100644
--- a/usr.bin/ssh/auth1.c
+++ b/usr.bin/ssh/auth1.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.49 2003/07/22 13:35:22 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -49,7 +49,7 @@ get_authname(int type)
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
case SSH_CMSG_AUTH_KERBEROS:
return "kerberos";
#endif
@@ -81,7 +81,7 @@ do_authloop(Authctxt *authctxt)
/* If the user has no password, accept authentication immediately. */
if (options.password_authentication &&
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
PRIVSEP(auth_password(authctxt, ""))) {
@@ -106,7 +106,7 @@ do_authloop(Authctxt *authctxt)
/* Process the packet. */
switch (type) {
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) {
verbose("Kerberos authentication disabled.");
@@ -114,32 +114,7 @@ do_authloop(Authctxt *authctxt)
char *kdata = packet_get_string(&dlen);
packet_check_eom();
- if (kdata[0] == 4) { /* KRB_PROT_VERSION */
-#ifdef KRB4
- KTEXT_ST tkt, reply;
- tkt.length = dlen;
- if (tkt.length < MAX_KTXT_LEN)
- memcpy(tkt.dat, kdata, tkt.length);
-
- if (PRIVSEP(auth_krb4(authctxt, &tkt,
- &client_user, &reply))) {
- authenticated = 1;
- snprintf(info, sizeof(info),
- " tktuser %.100s",
- client_user);
-
- packet_start(
- SSH_SMSG_AUTH_KERBEROS_RESPONSE);
- packet_put_string((char *)
- reply.dat, reply.length);
- packet_send();
- packet_write_wait();
-
- xfree(client_user);
- }
-#endif /* KRB4 */
- } else {
-#ifdef KRB5
+ if (kdata[0] != 4) { /* KRB_PROT_VERSION */
krb5_data tkt, reply;
tkt.length = dlen;
tkt.data = kdata;
@@ -163,24 +138,14 @@ do_authloop(Authctxt *authctxt)
xfree(reply.data);
xfree(client_user);
}
-#endif /* KRB5 */
}
xfree(kdata);
}
break;
-#endif /* KRB4 || KRB5 */
-
-#if defined(AFS) || defined(KRB5)
- /* XXX - punt on backward compatibility here. */
case SSH_CMSG_HAVE_KERBEROS_TGT:
packet_send_debug("Kerberos TGT passing disabled before authentication.");
break;
-#ifdef AFS
- case SSH_CMSG_HAVE_AFS_TOKEN:
- packet_send_debug("AFS token passing disabled before authentication.");
- break;
-#endif /* AFS */
-#endif /* AFS || KRB5 */
+#endif
case SSH_CMSG_AUTH_RHOSTS:
if (!options.rhosts_authentication) {
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c
index 61764bb3be7..9fa166b075e 100644
--- a/usr.bin/ssh/monitor.c
+++ b/usr.bin/ssh/monitor.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.44 2003/06/24 08:23:46 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
#include <openssl/dh.h>
@@ -116,9 +116,6 @@ int mm_answer_rsa_response(int, Buffer *);
int mm_answer_sesskey(int, Buffer *);
int mm_answer_sessid(int, Buffer *);
-#ifdef KRB4
-int mm_answer_krb4(int, Buffer *);
-#endif
#ifdef KRB5
int mm_answer_krb5(int, Buffer *);
#endif
@@ -200,9 +197,6 @@ struct mon_table mon_dispatch_proto15[] = {
{MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
#endif
-#ifdef KRB4
- {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
-#endif
#ifdef KRB5
{MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
#endif
@@ -1284,52 +1278,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
return (success);
}
-#ifdef KRB4
-int
-mm_answer_krb4(int socket, Buffer *m)
-{
- KTEXT_ST auth, reply;
- char *client, *p;
- int success;
- u_int alen;
-
- reply.length = auth.length = 0;
-
- p = buffer_get_string(m, &alen);
- if (alen >= MAX_KTXT_LEN)
- fatal("%s: auth too large", __func__);
- memcpy(auth.dat, p, alen);
- auth.length = alen;
- memset(p, 0, alen);
- xfree(p);
-
- success = options.kerberos_authentication &&
- authctxt->valid &&
- auth_krb4(authctxt, &auth, &client, &reply);
-
- memset(auth.dat, 0, alen);
- buffer_clear(m);
- buffer_put_int(m, success);
-
- if (success) {
- buffer_put_cstring(m, client);
- buffer_put_string(m, reply.dat, reply.length);
- if (client)
- xfree(client);
- if (reply.length)
- memset(reply.dat, 0, reply.length);
- }
-
- debug3("%s: sending result %d", __func__, success);
- mm_request_send(socket, MONITOR_ANS_KRB4, m);
-
- auth_method = "kerberos";
-
- /* Causes monitor loop to terminate if authenticated */
- return (success);
-}
-#endif
-
#ifdef KRB5
int
mm_answer_krb5(int socket, Buffer *m)
diff --git a/usr.bin/ssh/monitor.h b/usr.bin/ssh/monitor.h
index abd07300c29..0d920308b89 100644
--- a/usr.bin/ssh/monitor.h
+++ b/usr.bin/ssh/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/* $OpenBSD: monitor.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,7 +49,6 @@ enum monitor_reqtype {
MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
- MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_TERM
};
diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c
index 8538e5ea3b5..0fd5fd78644 100644
--- a/usr.bin/ssh/monitor_wrap.c
+++ b/usr.bin/ssh/monitor_wrap.c
@@ -25,7 +25,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.27 2003/06/28 16:23:06 deraadt Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.28 2003/07/22 13:35:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@@ -938,42 +938,6 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
return (success);
}
-#ifdef KRB4
-int
-mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
-{
- KTEXT auth, reply;
- Buffer m;
- u_int rlen;
- int success = 0;
- char *p;
-
- debug3("%s entering", __func__);
- auth = _auth;
- reply = _reply;
-
- buffer_init(&m);
- buffer_put_string(&m, auth->dat, auth->length);
-
- mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
- mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
-
- success = buffer_get_int(&m);
- if (success) {
- *client = buffer_get_string(&m, NULL);
- p = buffer_get_string(&m, &rlen);
- if (rlen >= MAX_KTXT_LEN)
- fatal("%s: reply from monitor too large", __func__);
- reply->length = rlen;
- memcpy(reply->dat, p, rlen);
- memset(p, 0, rlen);
- xfree(p);
- }
- buffer_free(&m);
- return (success);
-}
-#endif
-
#ifdef KRB5
int
mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
diff --git a/usr.bin/ssh/monitor_wrap.h b/usr.bin/ssh/monitor_wrap.h
index 65e0464d507..68e7e7b86d1 100644
--- a/usr.bin/ssh/monitor_wrap.h
+++ b/usr.bin/ssh/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.9 2003/07/22 13:35:22 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -80,9 +80,6 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
/* auth_krb */
-#ifdef KRB4
-int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
-#endif
#ifdef KRB5
/* auth and reply are really krb5_data objects, but we don't want to
* include all of the krb5 headers here */
diff --git a/usr.bin/ssh/radix.c b/usr.bin/ssh/radix.c
deleted file mode 100644
index c680d6bf3f6..00000000000
--- a/usr.bin/ssh/radix.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- * Copyright (c) 2002 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#include "uuencode.h"
-
-RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
-
-#ifdef AFS
-#include <krb.h>
-
-#include <radix.h>
-#include "bufaux.h"
-
-int
-creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
-{
- Buffer b;
- int ret;
-
- buffer_init(&b);
-
- buffer_put_char(&b, 1); /* version */
-
- buffer_append(&b, creds->service, strlen(creds->service));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->instance, strlen(creds->instance));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->realm, strlen(creds->realm));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->pname, strlen(creds->pname));
- buffer_put_char(&b, '\0');
- buffer_append(&b, creds->pinst, strlen(creds->pinst));
- buffer_put_char(&b, '\0');
-
- /* Null string to repeat the realm. */
- buffer_put_char(&b, '\0');
-
- buffer_put_int(&b, creds->issue_date);
- buffer_put_int(&b, krb_life_to_time(creds->issue_date,
- creds->lifetime));
- buffer_append(&b, creds->session, sizeof(creds->session));
- buffer_put_short(&b, creds->kvno);
-
- /* 32 bit size + data */
- buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
-
- ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
-
- buffer_free(&b);
- return ret;
-}
-
-#define GETSTRING(b, t, tlen) \
- do { \
- int i, found = 0; \
- for (i = 0; i < tlen; i++) { \
- if (buffer_len(b) == 0) \
- goto done; \
- t[i] = buffer_get_char(b); \
- if (t[i] == '\0') { \
- found = 1; \
- break; \
- } \
- } \
- if (!found) \
- goto done; \
- } while(0)
-
-int
-radix_to_creds(const char *buf, CREDENTIALS *creds)
-{
- Buffer b;
- u_char *space;
- char c, version, *p;
- u_int endTime, len;
- int blen, ret;
-
- ret = 0;
- blen = strlen(buf);
-
- /* sanity check for size */
- if (blen > 8192)
- return 0;
-
- buffer_init(&b);
- space = buffer_append_space(&b, blen);
-
- /* check version and length! */
- len = uudecode(buf, space, blen);
- if (len < 1)
- goto done;
-
- version = buffer_get_char(&b);
-
- GETSTRING(&b, creds->service, sizeof creds->service);
- GETSTRING(&b, creds->instance, sizeof creds->instance);
- GETSTRING(&b, creds->realm, sizeof creds->realm);
- GETSTRING(&b, creds->pname, sizeof creds->pname);
- GETSTRING(&b, creds->pinst, sizeof creds->pinst);
-
- if (buffer_len(&b) == 0)
- goto done;
-
- /* Ignore possibly different realm. */
- while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
- ;
-
- if (buffer_len(&b) == 0)
- goto done;
-
- creds->issue_date = buffer_get_int(&b);
-
- endTime = buffer_get_int(&b);
- creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
-
- len = buffer_len(&b);
- if (len < sizeof(creds->session))
- goto done;
- memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
- buffer_consume(&b, sizeof(creds->session));
-
- creds->kvno = buffer_get_short(&b);
-
- p = buffer_get_string(&b, &len);
- if (len < 0 || len > sizeof(creds->ticket_st.dat))
- goto done;
- memcpy(&creds->ticket_st.dat, p, len);
- creds->ticket_st.length = len;
-
- ret = 1;
-done:
- buffer_free(&b);
- return ret;
-}
-#endif /* AFS */
diff --git a/usr.bin/ssh/radix.h b/usr.bin/ssh/radix.h
deleted file mode 100644
index e94e4acc6ad..00000000000
--- a/usr.bin/ssh/radix.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
-
-/*
- * Copyright (c) 1999 Dug Song. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int creds_to_radix(CREDENTIALS *, u_char *, size_t);
-int radix_to_creds(const char *, CREDENTIALS *);
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index e4d92289855..f4e0dcadefb 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.115 2003/07/22 13:35:22 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -94,7 +94,7 @@ typedef enum {
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
- oKerberosAuthentication, oKerberosTgtPassing, oAFSTokenPassing,
+ oKerberosAuthentication, oKerberosTgtPassing,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@@ -134,18 +134,14 @@ static struct {
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
{ "kerberosauthentication", oKerberosAuthentication },
{ "kerberostgtpassing", oKerberosTgtPassing },
#else
{ "kerberosauthentication", oUnsupported },
{ "kerberostgtpassing", oUnsupported },
#endif
-#if defined(AFS)
- { "afstokenpassing", oAFSTokenPassing },
-#else
{ "afstokenpassing", oUnsupported },
-#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
@@ -397,10 +393,6 @@ parse_flag:
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
- case oAFSTokenPassing:
- intptr = &options->afs_token_passing;
- goto parse_flag;
-
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -826,7 +818,6 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->kerberos_authentication = -1;
options->kerberos_tgt_passing = -1;
- options->afs_token_passing = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -903,8 +894,6 @@ fill_default_options(Options * options)
options->kerberos_authentication = 1;
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 1;
- if (options->afs_token_passing == -1)
- options->afs_token_passing = 1;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 4e0b7431888..cc94253e6ac 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.52 2003/07/22 13:35:22 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,7 +43,6 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int kerberos_authentication; /* Try Kerberos authentication. */
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
- int afs_token_passing; /* Try AFS token passing. */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 09a7be6c7c7..d57a221cb56 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,14 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
-
-#if defined(KRB4)
-#include <krb.h>
-#endif
-#ifdef AFS
-#include <kafs.h>
-#endif
+RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
#include "ssh.h"
#include "log.h"
@@ -76,7 +69,6 @@ initialize_server_options(ServerOptions *options)
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
options->kerberos_tgt_passing = -1;
- options->afs_token_passing = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -183,8 +175,6 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 0;
- if (options->afs_token_passing == -1)
- options->afs_token_passing = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -237,7 +227,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
+ sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -275,7 +265,7 @@ static struct {
{ "rsaauthentication", sRSAAuthentication },
{ "pubkeyauthentication", sPubkeyAuthentication },
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
{ "kerberosticketcleanup", sKerberosTicketCleanup },
@@ -286,11 +276,7 @@ static struct {
{ "kerberosticketcleanup", sUnsupported },
{ "kerberostgtpassing", sUnsupported },
#endif
-#if defined(AFS)
- { "afstokenpassing", sAFSTokenPassing },
-#else
{ "afstokenpassing", sUnsupported },
-#endif
{ "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
@@ -607,10 +593,6 @@ parse_flag:
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
- case sAFSTokenPassing:
- intptr = &options->afs_token_passing;
- goto parse_flag;
-
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 4744a6ec4c2..13b6e32fff5 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */
+/* $OpenBSD: servconf.h,v 1.62 2003/07/22 13:35:22 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -84,7 +84,6 @@ typedef struct {
* file on logout. */
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
* passing. */
- int afs_token_passing; /* If true, permit AFS token passing. */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 076c508e719..c7f5eb36b85 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.159 2003/07/22 13:35:22 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -211,10 +211,6 @@ do_authenticated(Authctxt *authctxt)
/* remove agent socket */
if (auth_sock_name != NULL)
auth_sock_cleanup_proc(authctxt->pw);
-#ifdef KRB4
- if (options.kerberos_ticket_cleanup)
- krb4_cleanup_proc(authctxt);
-#endif
#ifdef KRB5
if (options.kerberos_ticket_cleanup)
krb5_cleanup_proc(authctxt);
@@ -327,7 +323,7 @@ do_authenticated1(Authctxt *authctxt)
success = 1;
break;
-#if defined(AFS) || defined(KRB5)
+#ifdef KRB5
case SSH_CMSG_HAVE_KERBEROS_TGT:
if (!options.kerberos_tgt_passing) {
verbose("Kerberos TGT passing disabled.");
@@ -335,9 +331,8 @@ do_authenticated1(Authctxt *authctxt)
char *kdata = packet_get_string(&dlen);
packet_check_eom();
- /* XXX - 0x41, see creds_to_radix version */
+ /* XXX - 0x41, used for AFS */
if (kdata[0] != 0x41) {
-#ifdef KRB5
krb5_data tgt;
tgt.data = kdata;
tgt.length = dlen;
@@ -346,38 +341,11 @@ do_authenticated1(Authctxt *authctxt)
success = 1;
else
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
-#endif /* KRB5 */
- } else {
-#ifdef AFS
- if (auth_krb4_tgt(s->authctxt, kdata))
- success = 1;
- else
- verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
-#endif /* AFS */
}
xfree(kdata);
}
break;
-#endif /* AFS || KRB5 */
-
-#ifdef AFS
- case SSH_CMSG_HAVE_AFS_TOKEN:
- if (!options.afs_token_passing || !k_hasafs()) {
- verbose("AFS token passing disabled.");
- } else {
- /* Accept AFS token. */
- char *token = packet_get_string(&dlen);
- packet_check_eom();
-
- if (auth_afs_token(s->authctxt, token))
- success = 1;
- else
- verbose("AFS token refused for %.100s",
- s->authctxt->user);
- xfree(token);
- }
- break;
-#endif /* AFS */
+#endif
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
@@ -893,11 +861,6 @@ do_setup_env(Session *s, const char *shell)
if (original_command)
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
-#ifdef KRB4
- if (s->authctxt->krb4_ticket_file)
- child_set_env(&env, &envsize, "KRBTKFILE",
- s->authctxt->krb4_ticket_file);
-#endif
#ifdef KRB5
if (s->authctxt->krb5_ticket_file)
child_set_env(&env, &envsize, "KRB5CCNAME",
@@ -1157,18 +1120,6 @@ do_child(Session *s, const char *command)
*/
environ = env;
-#ifdef AFS
- /* Try to get AFS tokens for the local cell. */
- if (k_hasafs()) {
- char cell[64];
-
- if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
- krb_afslog(cell, 0);
-
- krb_afslog(0, 0);
- }
-#endif /* AFS */
-
/* Change current directory to the user\'s home directory. */
if (chdir(pw->pw_dir) < 0) {
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 8a7d2f42854..c81cb42c67f 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.174 2003/07/02 14:51:16 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -494,7 +494,7 @@ The argument is the device
should use to communicate with a smartcard used for storing the user's
private RSA key.
.It Fl k
-Disables forwarding of Kerberos tickets and AFS tokens.
+Disables forwarding of Kerberos tickets.
This may also be specified on a per-host basis in the configuration file.
.It Fl l Ar login_name
Specifies the user to log in as on the remote machine.
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 921ab7d7afb..1c7960f1704 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.197 2003/07/16 10:34:53 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.198 2003/07/22 13:35:22 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -150,9 +150,7 @@ usage(void)
_PATH_SSH_USER_CONFFILE);
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
-#ifdef AFS
- fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
-#endif /* AFS */
+ fprintf(stderr, " -k Disable Kerberos ticket forwarding.\n");
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
fprintf(stderr, " -i file Identity for public key authentication "
@@ -297,12 +295,9 @@ again:
case 'A':
options.forward_agent = 1;
break;
-#ifdef AFS
case 'k':
options.kerberos_tgt_passing = 0;
- options.afs_token_passing = 0;
break;
-#endif
case 'i':
if (stat(optarg, &st) < 0) {
fprintf(stderr, "Warning: Identity file %s "
diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h
index 01a10f57055..deca5797789 100644
--- a/usr.bin/ssh/ssh.h
+++ b/usr.bin/ssh/ssh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.h,v 1.72 2003/06/28 16:23:06 deraadt Exp $ */
+/* $OpenBSD: ssh.h,v 1.73 2003/07/22 13:35:22 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -79,9 +79,6 @@
*/
#define SSH_SESSION_KEY_LENGTH 32
-/* Name of Kerberos service for SSH to use. */
-#define KRB4_SERVICE_NAME "rcmd"
-
/* Used to identify ``EscapeChar none'' */
#define SSH_ESCAPECHAR_NONE -2
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index 79d05f018ae..3a79af8f072 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.15 2003/07/02 14:51:16 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.16 2003/07/22 13:35:22 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -123,13 +123,6 @@ Valid arguments are
(Use IPv4 only) or
.Dq inet6
(Use IPv6 only.)
-.It Cm AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option applies to protocol version 1 only.
.It Cm BatchMode
If set to
.Dq yes ,
@@ -410,7 +403,6 @@ or
.Dq no .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT will be forwarded to the server.
-This will only work if the Kerberos server is actually an AFS kaserver.
The argument to this keyword must be
.Dq yes
or
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index e82c90ef542..67f0545f606 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,21 +13,14 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.53 2003/04/08 20:21:29 itojun Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.54 2003/07/22 13:35:22 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
-#ifdef KRB4
-#include <krb.h>
-#endif
#ifdef KRB5
#include <krb5.h>
#endif
-#ifdef AFS
-#include <kafs.h>
-#include "radix.h"
-#endif
#include "ssh.h"
#include "ssh1.h"
@@ -377,128 +370,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
return 0;
}
-#ifdef KRB4
-static int
-try_krb4_authentication(void)
-{
- KTEXT_ST auth; /* Kerberos data */
- char *reply;
- char inst[INST_SZ];
- char *realm;
- CREDENTIALS cred;
- int r, type;
- socklen_t slen;
- Key_schedule schedule;
- u_long checksum, cksum;
- MSG_DAT msg_data;
- struct sockaddr_in local, foreign;
- struct stat st;
-
- /* Don't do anything if we don't have any tickets. */
- if (stat(tkt_string(), &st) < 0)
- return 0;
-
- strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
- INST_SZ);
-
- realm = (char *)krb_realmofhost(get_canonical_hostname(1));
- if (!realm) {
- debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
- return 0;
- }
- /* This can really be anything. */
- checksum = (u_long)getpid();
-
- r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
- if (r != KSUCCESS) {
- debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
- return 0;
- }
- /* Get session key to decrypt the server's reply with. */
- r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
- if (r != KSUCCESS) {
- debug("get_cred failed: %s", krb_err_txt[r]);
- return 0;
- }
- des_key_sched((des_cblock *) cred.session, schedule);
-
- /* Send authentication info to server. */
- packet_start(SSH_CMSG_AUTH_KERBEROS);
- packet_put_string((char *) auth.dat, auth.length);
- packet_send();
- packet_write_wait();
-
- /* Zero the buffer. */
- (void) memset(auth.dat, 0, MAX_KTXT_LEN);
-
- slen = sizeof(local);
- memset(&local, 0, sizeof(local));
- if (getsockname(packet_get_connection_in(),
- (struct sockaddr *)&local, &slen) < 0)
- debug("getsockname failed: %s", strerror(errno));
-
- slen = sizeof(foreign);
- memset(&foreign, 0, sizeof(foreign));
- if (getpeername(packet_get_connection_in(),
- (struct sockaddr *)&foreign, &slen) < 0) {
- debug("getpeername failed: %s", strerror(errno));
- fatal_cleanup();
- }
- /* Get server reply. */
- type = packet_read();
- switch (type) {
- case SSH_SMSG_FAILURE:
- /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
- debug("Kerberos v4 authentication failed.");
- return 0;
- break;
-
- case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
- /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
- debug("Kerberos v4 authentication accepted.");
-
- /* Get server's response. */
- reply = packet_get_string((u_int *) &auth.length);
- if (auth.length >= MAX_KTXT_LEN)
- fatal("Kerberos v4: Malformed response from server");
- memcpy(auth.dat, reply, auth.length);
- xfree(reply);
-
- packet_check_eom();
-
- /*
- * If his response isn't properly encrypted with the session
- * key, and the decrypted checksum fails to match, he's
- * bogus. Bail out.
- */
- r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
- &foreign, &local, &msg_data);
- if (r != KSUCCESS) {
- debug("Kerberos v4 krb_rd_priv failed: %s",
- krb_err_txt[r]);
- packet_disconnect("Kerberos v4 challenge failed!");
- }
- /* Fetch the (incremented) checksum that we supplied in the request. */
- memcpy((char *)&cksum, (char *)msg_data.app_data,
- sizeof(cksum));
- cksum = ntohl(cksum);
-
- /* If it matches, we're golden. */
- if (cksum == checksum + 1) {
- debug("Kerberos v4 challenge successful.");
- return 1;
- } else
- packet_disconnect("Kerberos v4 challenge failed!");
- break;
-
- default:
- packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
- }
- return 0;
-}
-
-#endif /* KRB4 */
-
#ifdef KRB5
static int
try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
@@ -683,129 +554,6 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
}
#endif /* KRB5 */
-#ifdef AFS
-static void
-send_krb4_tgt(void)
-{
- CREDENTIALS *creds;
- struct stat st;
- char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
- int problem, type;
-
- /* Don't do anything if we don't have any tickets. */
- if (stat(tkt_string(), &st) < 0)
- return;
-
- creds = xmalloc(sizeof(*creds));
-
- problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
- if (problem)
- goto out;
-
- problem = krb_get_cred("krbtgt", prealm, prealm, creds);
- if (problem)
- goto out;
-
- if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
- problem = RD_AP_EXP;
- goto out;
- }
- creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
-
- packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
- packet_put_cstring(buffer);
- packet_send();
- packet_write_wait();
-
- type = packet_read();
-
- if (type == SSH_SMSG_SUCCESS)
- debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
- creds->pname, creds->pinst[0] ? "." : "",
- creds->pinst, creds->realm);
- else
- debug("Kerberos v4 TGT rejected.");
-
- xfree(creds);
- return;
-
- out:
- debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
- xfree(creds);
-}
-
-static void
-send_afs_tokens(void)
-{
- CREDENTIALS creds;
- struct ViceIoctl parms;
- struct ClearToken ct;
- int i, type, len;
- char buf[2048], *p, *server_cell;
- char buffer[8192];
-
- /* Move over ktc_GetToken, here's something leaner. */
- for (i = 0; i < 100; i++) { /* just in case */
- parms.in = (char *) &i;
- parms.in_size = sizeof(i);
- parms.out = buf;
- parms.out_size = sizeof(buf);
- if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
- break;
- p = buf;
-
- /* Get secret token. */
- memcpy(&creds.ticket_st.length, p, sizeof(u_int));
- if (creds.ticket_st.length > MAX_KTXT_LEN)
- break;
- p += sizeof(u_int);
- memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
- p += creds.ticket_st.length;
-
- /* Get clear token. */
- memcpy(&len, p, sizeof(len));
- if (len != sizeof(struct ClearToken))
- break;
- p += sizeof(len);
- memcpy(&ct, p, len);
- p += len;
- p += sizeof(len); /* primary flag */
- server_cell = p;
-
- /* Flesh out our credentials. */
- strlcpy(creds.service, "afs", sizeof(creds.service));
- creds.instance[0] = '\0';
- strlcpy(creds.realm, server_cell, REALM_SZ);
- memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
- creds.issue_date = ct.BeginTimestamp;
- creds.lifetime = krb_time_to_life(creds.issue_date,
- ct.EndTimestamp);
- creds.kvno = ct.AuthHandle;
- snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
- creds.pinst[0] = '\0';
-
- /* Encode token, ship it off. */
- if (creds_to_radix(&creds, (u_char *)buffer,
- sizeof(buffer)) <= 0)
- break;
- packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
- packet_put_cstring(buffer);
- packet_send();
- packet_write_wait();
-
- /* Roger, Roger. Clearance, Clarence. What's your vector,
- Victor? */
- type = packet_read();
-
- if (type == SSH_SMSG_FAILURE)
- debug("AFS token for cell %s rejected.", server_cell);
- else if (type != SSH_SMSG_SUCCESS)
- packet_disconnect("Protocol error on AFS token response: %d", type);
- }
-}
-
-#endif /* AFS */
-
/*
* Tries to authenticate with any string-based challenge/response system.
* Note that the client code is not tied to s/key or TIS.
@@ -1137,21 +885,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
}
#endif /* KRB5 */
-#ifdef KRB4
- if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
- options.kerberos_authentication) {
- debug("Trying Kerberos v4 authentication.");
-
- if (try_krb4_authentication()) {
- type = packet_read();
- if (type == SSH_SMSG_SUCCESS)
- goto success;
- if (type != SSH_SMSG_FAILURE)
- packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
- }
- }
-#endif /* KRB4 */
-
/*
* Use rhosts authentication if running in privileged socket and we
* do not wish to remain anonymous.
@@ -1238,23 +971,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
if (context)
krb5_free_context(context);
#endif
-
-#ifdef AFS
- /* Try Kerberos v4 TGT passing if the server supports it. */
- if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
- options.kerberos_tgt_passing) {
- if (options.cipher == SSH_CIPHER_NONE)
- logit("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
- send_krb4_tgt();
- }
- /* Try AFS token passing if the server supports it. */
- if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
- options.afs_token_passing && k_hasafs()) {
- if (options.cipher == SSH_CIPHER_NONE)
- logit("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
- send_afs_tokens();
- }
-#endif /* AFS */
-
return; /* need statement after label */
}
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 5bc655f9b96..7db6a6e01ac 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -42,7 +42,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.273 2003/07/16 10:34:53 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.274 2003/07/22 13:35:22 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -1409,20 +1409,13 @@ main(int ac, char **av)
"originating port %d not trusted.", remote_port);
options.rhosts_authentication = 0;
}
-#if defined(KRB4) && !defined(KRB5)
+#ifdef KRB5
if (!packet_connection_is_ipv4() &&
options.kerberos_authentication) {
debug("Kerberos Authentication disabled, only available for IPv4.");
options.kerberos_authentication = 0;
}
-#endif /* KRB4 && !KRB5 */
-#ifdef AFS
- /* If machine has AFS, set process authentication group. */
- if (k_hasafs()) {
- k_setpag();
- k_unlog();
- }
-#endif /* AFS */
+#endif
packet_set_nonblocking();
@@ -1580,18 +1573,12 @@ do_ssh1_kex(void)
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
if (options.kerberos_authentication)
auth_mask |= 1 << SSH_AUTH_KERBEROS;
-#endif
-#if defined(AFS) || defined(KRB5)
if (options.kerberos_tgt_passing)
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif
-#ifdef AFS
- if (options.afs_token_passing)
- auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
-#endif
if (options.challenge_response_authentication == 1)
auth_mask |= 1 << SSH_AUTH_TIS;
if (options.password_authentication)
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 7968f371b99..abf29fd62e4 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.20 2003/06/20 05:47:58 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.21 2003/07/22 13:35:22 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -61,10 +61,6 @@ The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
@@ -327,8 +323,7 @@ Default is
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
+.Dq no .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.