problem with AFS token forwarding
Jan IVEN
jan.iven at cern.ch
Sat Dec 15 08:47:57 EST 2001
Serge,
I have taken your "early AFS token forwarding" patch and extended it
to cover KRB4 TGTs as well. It also prevents the "failed login" count
from being increased. Maybe you are interested...
A second patch fixes a SEGV during KRB4-based login (a double free() of the
client name when the .klogin check fails: one free in auth-krb4.c, the other
in do_authloop() in auth1.c...)
Best regards
Jan
diff -uw openssh-3.0.1p1/auth1.c openssh-3.0.1p1.bricol/auth1.c
--- openssh-3.0.1p1/auth1.c Tue Nov 13 13:46:19 2001
+++ openssh-3.0.1p1.bricol/auth1.c Fri Dec 14 17:33:12 2001
@@ -114,6 +114,31 @@
/* Process the packet. */
switch (type) {
+#ifdef AFS
+ case SSH_CMSG_HAVE_AFS_TOKEN:
+ if ( options.afs_pass_token_before_auth ) {
+ if (!options.afs_token_passing || !k_hasafs()) {
+ verbose("AFS token passing disabled.");
+ break;
+ } else {
+ /* Accept AFS token. */
+ char *token_string = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+ if (!auth_afs_token(authctxt, token_string))
+ verbose("AFS token REFUSED for %.100s", authctxt->user);
+ else {
+ /* token ok, continue with real authentication */
+ packet_start(SSH_SMSG_SUCCESS);
+ packet_send();
+ packet_write_wait();
+ continue;
+ }
+ xfree(token_string);
+ }
+ } else packet_send_debug("AFS token passing disabled before authentication.");
+ break;
+#endif /* AFS */
+
#if defined(KRB4) || defined(KRB5)
case SSH_CMSG_AUTH_KERBEROS:
if (!options.kerberos_authentication) {
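Review bot: token_string is leaked on the success path: the `continue;` at the end of the else branch leaves the loop body before `xfree(token_string);` is reached, so every accepted token costs one allocation; the fix is `xfree(token_string);` right after the auth_afs_token() call, ahead of `packet_start(SSH_SMSG_SUCCESS);`. The same pattern is in the SSH_CMSG_HAVE_KERBEROS_TGT hunk below, where both `continue;` statements skip `xfree(kdata);`. On this path the server presumably installs a token on behalf of a user who has not yet proven an identity, so the server-side default of 0 chosen in servconf.c should stay the default and the option be documented as opt-in. `else packet_send_debug(...)` is the only unbraced single-statement body in the hunk. do_authloop() starts and ends outside the hunk.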
@@ -160,13 +185,49 @@
#if defined(AFS) || defined(KRB5)
/* XXX - punt on backward compatibility here. */
case SSH_CMSG_HAVE_KERBEROS_TGT:
- packet_send_debug("Kerberos TGT passing disabled before authentication.");
- break;
+ if ( options.afs_pass_token_before_auth ) {
+ if (!options.kerberos_tgt_passing) {
+ verbose("Kerberos TGT passing disabled.");
+ } else {
+ char *kdata = packet_get_string(&dlen);
+ packet_integrity_check(plen, 4 + dlen, type);
+
+ /* XXX - 0x41, see creds_to_radix version */
+ if (kdata[0] != 0x41) {
+#ifdef KRB5
+ krb5_data tgt;
+ tgt.data = kdata;
+ tgt.length = dlen;
+
+ if (!auth_krb5_tgt(authctxt, &tgt))
+ verbose("Kerberos v5 TGT refused for %.100s", authctxt->user);
+ else {
+ /* tgt ok, continue with real authentica\tion */
+ packet_start(SSH_SMSG_SUCCESS);
+ packet_send();
+ packet_write_wait();
+ continue;
+ }
+#endif /* KRB5 */
+ } else {
#ifdef AFS
- case SSH_CMSG_HAVE_AFS_TOKEN:
- packet_send_debug("AFS token passing disabled before authentication.");
- break;
+ if (!auth_krb4_tgt(authctxt, kdata))
+ verbose("Kerberos v4 TGT refused for %.100s", authctxt->user);
+ else {
+ /* token ok, continue with real authentica\tion */
+ packet_start(SSH_SMSG_SUCCESS);
+ packet_send();
+ packet_write_wait();
+ continue;
+ }
#endif /* AFS */
+ }
+ xfree(kdata);
+ }
+ } else packet_send_debug("Kerberos TGT passing disabled before authentication.");
+
+ break;
+
#endif /* AFS || KRB5 */
case SSH_CMSG_AUTH_RHOSTS:
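Review bot: Both success-branch comments read `authentica\tion`; a literal backslash-t has crept into the word, so they should be `/* tgt ok, continue with real authentication */` and `/* token ok, continue with real authentication */`. When KRB5 is not compiled in, a TGT whose first byte is not 0x41 enters the then-empty `if (kdata[0] != 0x41)` branch and is dropped without any log line, unlike every other refused case in the hunk; a `verbose("Kerberos v5 TGT passing not supported.");` in an `#else` of that `#ifdef KRB5` would make the outcome visible in the server log. do_authloop() starts and ends outside the hunk.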
diff -uw openssh-3.0.1p1/readconf.c openssh-3.0.1p1.bricol/readconf.c
--- openssh-3.0.1p1/readconf.c Wed Oct 3 19:39:39 2001
+++ openssh-3.0.1p1.bricol/readconf.c Fri Dec 14 08:46:34 2001
@@ -103,7 +103,7 @@
oKerberosTgtPassing,
#endif
#ifdef AFS
- oAFSTokenPassing,
+ oAFSTokenPassing,oAFSPassTokenBeforeAuth,
#endif
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
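Review bot: The new enumerator is glued to its neighbour, `oAFSTokenPassing,oAFSPassTokenBeforeAuth,`, while the surrounding list puts a space after every comma; `oAFSTokenPassing, oAFSPassTokenBeforeAuth,`. The keyword-table entry added in the next hunk has the mirror problem: `{ "afspasstokenbeforeauth", oAFSPassTokenBeforeAuth}` lacks the space before the closing brace that the entry above it uses.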
@@ -149,6 +149,7 @@
#endif
#ifdef AFS
{ "afstokenpassing", oAFSTokenPassing },
+ { "afspasstokenbeforeauth", oAFSPassTokenBeforeAuth},
#endif
{ "fallbacktorsh", oFallBackToRsh },
{ "usersh", oUseRsh },
@@ -372,6 +373,9 @@
case oAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
+ case oAFSPassTokenBeforeAuth:
+ intptr = &options->afs_pass_token_before_auth;
+ goto parse_flag;
#endif
case oFallBackToRsh:
intptr = &options->fallback_to_rsh;
@@ -759,6 +763,7 @@
#endif
#ifdef AFS
options->afs_token_passing = -1;
+ options->afs_pass_token_before_auth = -1;
#endif
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
@@ -842,6 +847,8 @@
#ifdef AFS
if (options->afs_token_passing == -1)
options->afs_token_passing = 1;
+ if (options->afs_pass_token_before_auth == -1)
+ options->afs_pass_token_before_auth = 0;
#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
diff -uw openssh-3.0.1p1/readconf.h openssh-3.0.1p1.bricol/readconf.h
--- openssh-3.0.1p1/readconf.h Wed Oct 3 19:39:39 2001
+++ openssh-3.0.1p1.bricol/readconf.h Fri Dec 14 08:46:34 2001
@@ -49,6 +49,7 @@
#endif
#ifdef AFS
int afs_token_passing; /* Try AFS token passing. */
+ int afs_pass_token_before_auth; /* Pass Token before Auth. */
#endif
int password_authentication; /* Try password
* authentication. */
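Review bot: The field comment `/* Pass Token before Auth. */` is vaguer than its neighbour and does not say that the flag also gates the KRB4 TGT, which is what the matching sshconnect1.c code sends under it; `int afs_pass_token_before_auth; /* Send AFS token and KRB4 TGT before user auth (proto 1). */`. Naming it afs_ while it also covers the TGT is slightly misleading, but renaming would touch every other hunk, so the comment is the cheaper fix.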
diff -uw openssh-3.0.1p1/servconf.c openssh-3.0.1p1.bricol/servconf.c
--- openssh-3.0.1p1/servconf.c Tue Nov 13 14:03:15 2001
+++ openssh-3.0.1p1.bricol/servconf.c Fri Dec 14 08:46:34 2001
@@ -84,6 +84,7 @@
#endif
#ifdef AFS
options->afs_token_passing = -1;
+ options->afs_pass_token_before_auth = -1;
#endif
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
@@ -193,6 +194,8 @@
#ifdef AFS
if (options->afs_token_passing == -1)
options->afs_token_passing = k_hasafs();
+ if (options->afs_pass_token_before_auth == -1)
+ options->afs_pass_token_before_auth = 0;
#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
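Review bot: The server default set here is 0 (`options->afs_pass_token_before_auth = 0;`), but the sshd.8 entry added in this patch states `Default is .Dq yes .`; one of the two is wrong, and since this option lets a peer that has not yet authenticated have credentials accepted on its behalf, off is the right default and the manual page should read `.Dq no .`. The ssh.1 entry gives no default at all although readconf.c also sets 0, so it should state the default as `.Dq no .` too. The enclosing function starts and ends outside the hunk.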
@@ -248,6 +251,7 @@
#endif
#ifdef AFS
sAFSTokenPassing,
+ sAFSPassTokenBeforeAuth,
#endif
sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
@@ -299,6 +303,7 @@
#endif
#ifdef AFS
{ "afstokenpassing", sAFSTokenPassing },
+ { "afspasstokenbeforeauth", sAFSPassTokenBeforeAuth },
#endif
{ "passwordauthentication", sPasswordAuthentication },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -636,6 +641,9 @@
case sAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
+ case sAFSPassTokenBeforeAuth:
+ intptr = &options->afs_pass_token_before_auth;
+ goto parse_flag;
#endif
case sPasswordAuthentication:
diff -uw openssh-3.0.1p1/servconf.h openssh-3.0.1p1.bricol/servconf.h
--- openssh-3.0.1p1/servconf.h Wed Sep 12 18:40:06 2001
+++ openssh-3.0.1p1.bricol/servconf.h Fri Dec 14 08:46:34 2001
@@ -89,6 +89,7 @@
#endif
#ifdef AFS
int afs_token_passing; /* If true, permit AFS token passing. */
+ int afs_pass_token_before_auth; /* If true, pass AFS token before user authenticication. */
#endif
int password_authentication; /* If true, permit password
* authentication. */
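Review bot: `authenticication` in the new field comment is misspelled, and the comment mentions only AFS tokens although auth1.c consults the same flag for the Kerberos TGT message; `int afs_pass_token_before_auth; /* If true, accept AFS tokens and Kerberos TGTs before user authentication. */`. The same misspelling (`authenticicated`) is in the ssh.1 text added by this patch.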
diff -uw openssh-3.0.1p1/ssh.1 openssh-3.0.1p1.bricol/ssh.1
--- openssh-3.0.1p1/ssh.1 Mon Nov 12 01:05:49 2001
+++ openssh-3.0.1p1.bricol/ssh.1 Fri Dec 14 18:06:10 2001
@@ -707,6 +707,13 @@
or
.Dq no .
This option applies to protocol version 1 only.
+.It Cm AFSPassTokenBeforeAuth
+Specifies whether to pass AFS tokens or KRB4 TGTs before users are authenticicated.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option applies to protocol version 1 only.
.It Cm BatchMode
If set to
.Dq yes ,
diff -uw openssh-3.0.1p1/sshconnect1.c openssh-3.0.1p1.bricol/sshconnect1.c
--- openssh-3.0.1p1/sshconnect1.c Wed Oct 10 07:03:12 2001
+++ openssh-3.0.1p1.bricol/sshconnect1.c Fri Dec 14 08:46:34 2001
@@ -1140,6 +1140,26 @@
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
+
+#ifdef AFS
+ if ( options.afs_pass_token_before_auth ) {
+ /* Try Kerberos v4 TGT passing if the server supports it. */
+ if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+ options.kerberos_tgt_passing) {
+ if (options.cipher == SSH_CIPHER_NONE)
+ log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+ send_krb4_tgt();
+ }
+ /* Try AFS token passing if the server supports it. */
+ if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+ options.afs_token_passing && k_hasafs()) {
+ if (options.cipher == SSH_CIPHER_NONE)
+ log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+ send_afs_tokens();
+ }
+ }
+#endif /* AFS */
+
#ifdef KRB5
if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
options.kerberos_authentication) {
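Review bot: The two send blocks here are a verbatim copy of the post-authentication block that the later hunk wraps in `if ( ! options.afs_pass_token_before_auth )`, so the cipher warnings and the supported_authentications tests now live in two places and will drift; a small static helper with no arguments, called from both sites, would keep one copy (the enclosing function starts and ends outside the hunk, so the helper would go above it). This early exchange only succeeds when the server also enables its own AFSPassTokenBeforeAuth, which servconf.c defaults to off; against a server with the default, the early messages presumably draw a failure reply that counts toward its authentication-failure limit, which is worth a sentence in ssh.1. Style: `if ( options.afs_pass_token_before_auth ) {` has inner padding the surrounding code does not use.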
@@ -1256,6 +1276,7 @@
#endif
#ifdef AFS
+ if ( ! options.afs_pass_token_before_auth ) {
/* Try Kerberos v4 TGT passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
options.kerberos_tgt_passing) {
@@ -1270,6 +1291,7 @@
log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
send_afs_tokens();
}
+ }
#endif /* AFS */
return; /* need statement after label */
diff -uw openssh-3.0.1p1/sshd.8 openssh-3.0.1p1.bricol/sshd.8
--- openssh-3.0.1p1/sshd.8 Mon Nov 12 01:04:06 2001
+++ openssh-3.0.1p1.bricol/sshd.8 Fri Dec 14 18:05:39 2001
@@ -314,6 +314,11 @@
Specifies whether an AFS token may be forwarded to the server.
Default is
.Dq yes .
+.It Cm AFSPassTokenBeforeAuth
+Specifies whether AFS tokens or KRB4 TGTs are accepted before the user
+is authenticated.
+Default is
+.Dq yes .
.It Cm AllowGroups
This keyword can be followed by a list of group names, separated
by spaces.
########## auth-krb4.c double xfree() patch ###################################
--- openssh-3.0.2p1/auth-krb4.c~ Wed Jul 4 06:21:15 2001
+++ openssh-3.0.2p1/auth-krb4.c Fri Dec 14 22:15:47 2001
@@ -253,6 +253,7 @@
log("Kerberos v4 .klogin authorization failed for %s to "
"account %s", *client, authctxt->user);
xfree(*client);
+ *client = NULL;
return (0);
}
/* Increment the checksum, and return it encrypted with the
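Review bot: `*client = NULL;` after the xfree() only prevents the second free if the caller in do_authloop() tests the pointer before freeing it; OpenSSH's xfree() calls fatal() on a NULL argument, so an unconditional xfree() of the caller's local pointer would still abort the process, just with a clearer message than the SEGV. The auth1.c half of the fix mentioned in the mail is not in this patch, so please check that the caller guards with `if (client_user != NULL)` (or whatever its local is named) or frees only on the success path. The enclosing function starts and ends outside the hunk.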