AFS and tokenforwarding

Serge Droz serge.droz at psi.ch
Tue Oct 2 20:47:45 EST 2001


For some reason the AFS token-forwarding code has changed
significantly from v 2.9p2 to 2.9.9p2. 
This makes it impossible to use public key authentication in a
standard AFS environment. 
I don't know the reasons for these changes. 

In any case attached is a patch which restores the old behaviour.

Regards
Serge


-- 
Serge Droz
Paul Scherrer Institut                mailto:serge.droz at psi.ch
CH-5232 Villigen PSI                   Phone: ++41 56 310 3637
                                         Fax: ++41 56 310 3649
--- openssh-2.9.9p2.orig/sshconnect1.c	Sat Jul 14 04:17:00 2001
+++ openssh-2.9.9p2/sshconnect1.c	Thu Sep 27 09:58:37 2001
@@ -1111,13 +1111,14 @@
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
     Key **keys, int nkeys)
 {
+	
 #ifdef KRB5
 	krb5_context context = NULL;
 	krb5_auth_context auth_context = NULL;
 #endif
 	int i, type;
 	int payload_len;
-	
+
 	if (supported_authentications == 0)
 		fatal("ssh_userauth1: server supports no auth methods");
 
@@ -1139,6 +1140,23 @@
 		goto success;
 	if (type != SSH_SMSG_FAILURE)
 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
+#ifdef AFS
+	/* Try Kerberos v4 TGT passing if the server supports it. */
+	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+	    options.kerberos_tgt_passing) {
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+		send_krb4_tgt();
+	}
+	/* Try AFS token passing if the server supports it. */
+
+	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+	    options.afs_token_passing && k_hasafs()) {
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+		send_afs_tokens();
+	}
+#endif /* AFS */
 	
 #ifdef KRB5
 	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
@@ -1202,6 +1220,7 @@
 				goto success;
 		}
 	}
+
 	/* Try RSA authentication if the server supports it. */
 	if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
 	    options.rsa_authentication) {
@@ -1226,6 +1245,7 @@
 		if (try_challenge_response_authentication())
 			goto success;
 	}
+
 	/* Try password authentication if the server supports it. */
 	if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
 	    options.password_authentication && !options.batch_mode) {
@@ -1255,22 +1275,6 @@
 		krb5_free_context(context);
 #endif
 	
-#ifdef AFS
-	/* Try Kerberos v4 TGT passing if the server supports it. */
-	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-	    options.kerberos_tgt_passing) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-		send_krb4_tgt();
-	}
-	/* Try AFS token passing if the server supports it. */
-	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-	    options.afs_token_passing && k_hasafs()) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
-		send_afs_tokens();
-	}
-#endif /* AFS */
 
 	return;	/* need statement after label */
 }
--- openssh-2.9.9p2.orig/auth1.c	Wed Jul  4 06:21:16 2001
+++ openssh-2.9.9p2/auth1.c	Fri Sep 28 08:53:35 2001
@@ -118,6 +118,22 @@
 		/* Process the packet. */
 		switch (type) {
 
+#ifdef AFS
+		case SSH_CMSG_HAVE_AFS_TOKEN:
+			if (!options.afs_token_passing || !k_hasafs()) {
+				verbose("AFS token passing disabled.");
+				break;
+			} else {
+				/* Accept AFS token. */
+				char *token_string = packet_get_string(&dlen);
+				packet_integrity_check(plen, 4 + dlen, type);
+				if (!auth_afs_token(authctxt, token_string))
+					verbose("AFS token REFUSED for %.100s", authctxt->user);
+				xfree(token_string);
+			}
+			//continue;
+#endif /* AFS */
+
 #if defined(KRB4) || defined(KRB5)
 		case SSH_CMSG_AUTH_KERBEROS:
 			if (!options.kerberos_authentication) {
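Review bot: The `else` branch of the new `case SSH_CMSG_HAVE_AFS_TOKEN:` ends without a `break`, and the `//continue;` that follows it is commented out, so with KRB4 or KRB5 defined control falls through into `case SSH_CMSG_AUTH_KERBEROS:` and the token packet, whose payload has already been consumed by `packet_get_string`, is then treated as a Kerberos authentication attempt. If, as the old code seems to have intended, a token is not an authentication attempt and must skip whatever follows the switch, replace the dead line with a real `continue;`; otherwise use `break;` — but do not leave the `//continue;` line, nor the three `//`-commented lines in the next hunk, in place as commented-out code. This case also accepts a token from a client that has not authenticated yet, which is exactly what the `AFS token passing disabled before authentication.` case removed in the next hunk prevented; whether the server should store credentials for an unauthenticated peer deserves an explicit comment at the top of the case. `dlen` and `plen` are not declared within the hunk, and the enclosing function begins before it.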
@@ -169,9 +185,9 @@
 			packet_send_debug("Kerberos TGT passing disabled before authentication.");
 			break;
 #ifdef AFS
-		case SSH_CMSG_HAVE_AFS_TOKEN:
-			packet_send_debug("AFS token passing disabled before authentication.");
-			break;
+//		case SSH_CMSG_HAVE_AFS_TOKEN:
+//			packet_send_debug("AFS token passing disabled before authentication.");
+//			break;
 #endif /* AFS */
 #endif /* AFS || KRB5 */
 			
@@ -440,4 +456,5 @@
 
 	/* Perform session preparation. */
 	do_authenticated(authctxt);
+	
 }

