AFS Token Passing before Auth

Serge Droz serge.droz at psi.ch
Fri Oct 12 20:17:40 EST 2001


Hello, 

after the discussion about when to send AFS tokens I've created a patch
which includes a new option to ssh and sshd:
If AFSPassTokenBeforeAuth is set to yes (default no),
tokens are passed as they were in releases < 2.9.9p2.

So now the admin has the choice.

Cheers
Serge



-- 
Serge Droz
Paul Scherrer Institut                mailto:serge.droz at psi.ch
CH-5232 Villigen PSI                   Phone: ++41 56 310 3637
-------------- next part --------------
diff -u openssh.orig/auth1.c openssh/auth1.c
--- openssh.orig/auth1.c	Wed Jul  4 06:21:16 2001
+++ openssh/auth1.c	Fri Oct 12 11:57:52 2001
@@ -118,6 +118,24 @@
 		/* Process the packet. */
 		switch (type) {
 
+#ifdef AFS
+	   case SSH_CMSG_HAVE_AFS_TOKEN:
+	       if ( options.afs_pass_token_before_auth ) {
+			   if (!options.afs_token_passing || !k_hasafs()) {
+				   verbose("AFS token passing disabled.");
+				   break;
+			   } else {
+				   /* Accept AFS token. */
+				   char *token_string = packet_get_string(&dlen);
+				   packet_integrity_check(plen, 4 + dlen, type);
+				   if (!auth_afs_token(authctxt, token_string))
+					   verbose("AFS token REFUSED for %.100s", authctxt->user);
+				   xfree(token_string);
+			   }
+           } else  packet_send_debug("AFS token passing disabled before authentication.");
+           break;
+#endif /* AFS */
+
 #if defined(KRB4) || defined(KRB5)
 		case SSH_CMSG_AUTH_KERBEROS:
 			if (!options.kerberos_authentication) {
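Review bot: When afs_pass_token_before_auth is on but the inner `!options.afs_token_passing || !k_hasafs()` test fires, the server only logs with `verbose()` and never tells the client, whereas the outer disabled path on the `else` line and the existing SSH_CMSG_HAVE_KERBEROS_TGT case use `packet_send_debug()`, so the client cannot distinguish this refusal from a successful pass; add `packet_send_debug("AFS token passing disabled.");` next to the verbose() call. In the accepting branch `auth_afs_token(authctxt, token_string)` runs before the user has authenticated, so `authctxt->user` is still the unverified name the client supplied; a comment such as `/* Pre-auth: authctxt->user is the client's claim, not a verified identity */` would make clear that this is the behaviour 2.9.9p2 removed and that the option deliberately re-enables it. The `plen`, `dlen` and `authctxt` declarations and the enclosing loop start and end outside the hunk.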
@@ -168,11 +186,11 @@
 		case SSH_CMSG_HAVE_KERBEROS_TGT:
 			packet_send_debug("Kerberos TGT passing disabled before authentication.");
 			break;
-#ifdef AFS
-		case SSH_CMSG_HAVE_AFS_TOKEN:
-			packet_send_debug("AFS token passing disabled before authentication.");
-			break;
-#endif /* AFS */
+//#ifdef AFS
+//		case SSH_CMSG_HAVE_AFS_TOKEN:
+//		    packet_send_debug("AFS token passing disabled before authentication.");
+//			break;
+//#endif /* AFS */
 #endif /* AFS || KRB5 */
 			
 		case SSH_CMSG_AUTH_RHOSTS:
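Review bot: The removed case is kept as `//`-commented lines instead of being deleted; commented-out code should go, since its replacement is the new SSH_CMSG_HAVE_AFS_TOKEN case earlier in the same switch. The `//` style also differs from the `/* */` comments used in the rest of this file, so if a marker must stay it should be a one-line `/* SSH_CMSG_HAVE_AFS_TOKEN is handled above. */`. The enclosing switch and function continue outside the hunk.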
diff -u openssh.orig/readconf.c openssh/readconf.c
--- openssh.orig/readconf.c	Wed Oct  3 19:39:39 2001
+++ openssh/readconf.c	Fri Oct 12 11:32:50 2001
@@ -103,7 +103,7 @@
 	oKerberosTgtPassing,
 #endif
 #ifdef AFS
-	oAFSTokenPassing,
+	oAFSTokenPassing,oAFSPassTokenBeforeAuth,
 #endif
 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
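Review bot: The new enumerator on the `oAFSTokenPassing` line is joined with no space after the comma, unlike the other multi-item lines in this enum. Write `oAFSTokenPassing, oAFSPassTokenBeforeAuth,`.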
@@ -149,6 +149,7 @@
 #endif
 #ifdef AFS
 	{ "afstokenpassing", oAFSTokenPassing },
+	{ "afspasstokenbeforeauth", oAFSPassTokenBeforeAuth},
 #endif
 	{ "fallbacktorsh", oFallBackToRsh },
 	{ "usersh", oUseRsh },
@@ -372,6 +373,9 @@
 	case oAFSTokenPassing:
 		intptr = &options->afs_token_passing;
 		goto parse_flag;
+	case oAFSPassTokenBeforeAuth:
+		intptr = &options->afs_pass_token_before_auth;
+		goto parse_flag;
 #endif
 	case oFallBackToRsh:
 		intptr = &options->fallback_to_rsh;
@@ -759,6 +763,7 @@
 #endif
 #ifdef AFS
 	options->afs_token_passing = -1;
+	options->afs_pass_token_before_auth = -1;
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
@@ -842,6 +847,8 @@
 #ifdef AFS
 	if (options->afs_token_passing == -1)
 		options->afs_token_passing = 1;
+	if (options->afs_pass_token_before_auth == -1)
+		options->afs_pass_token_before_auth = 0;
 #endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
diff -u openssh.orig/readconf.h openssh/readconf.h
--- openssh.orig/readconf.h	Wed Oct  3 19:39:39 2001
+++ openssh/readconf.h	Fri Oct 12 11:10:56 2001
@@ -49,6 +49,7 @@
 #endif
 #ifdef AFS
 	int     afs_token_passing;	/* Try AFS token passing. */
+	int     afs_pass_token_before_auth;	/* Pass Token before Auth. */
 #endif
 	int     password_authentication;	/* Try password
 						 * authentication. */
diff -u openssh.orig/servconf.c openssh/servconf.c
--- openssh.orig/servconf.c	Wed Sep 12 18:32:15 2001
+++ openssh/servconf.c	Fri Oct 12 11:55:46 2001
@@ -79,6 +79,7 @@
 #endif
 #ifdef AFS
 	options->afs_token_passing = -1;
+	options->afs_pass_token_before_auth = -1;
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
@@ -184,6 +185,8 @@
 #ifdef AFS	
 	if (options->afs_token_passing == -1)
 		options->afs_token_passing = k_hasafs();
+	if (options->afs_pass_token_before_auth == -1)
+		options->afs_pass_token_before_auth = 0;  
 #endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
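Review bot: The server default set here is `options->afs_pass_token_before_auth = 0;`, but the sshd.8 hunk in this same patch documents AFSPassTokenBeforeAuth as `Default is .Dq yes`, so one of the two is wrong; the cover letter says the default is no, so the manual page is the one to correct. The added assignment also carries trailing whitespace after `= 0;`. A short why-comment would help the next reader, e.g. `/* off: accepting a token from an unauthenticated client restores pre-2.9.9p2 behaviour */`. The enclosing function continues outside the hunk.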
@@ -233,6 +236,7 @@
 #endif
 #ifdef AFS
 	sAFSTokenPassing,
+	sAFSPassTokenBeforeAuth,
 #endif
 	sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
@@ -281,6 +285,7 @@
 #endif
 #ifdef AFS
 	{ "afstokenpassing", sAFSTokenPassing },
+	{ "afspasstokenbeforeauth", sAFSPassTokenBeforeAuth },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -611,6 +616,9 @@
 #ifdef AFS
 		case sAFSTokenPassing:
 			intptr = &options->afs_token_passing;
+			goto parse_flag;
+		case sAFSPassTokenBeforeAuth:
+			intptr = &options->afs_pass_token_before_auth;
 			goto parse_flag;
 #endif
 
diff -u openssh.orig/servconf.h openssh/servconf.h
--- openssh.orig/servconf.h	Wed Sep 12 18:40:06 2001
+++ openssh/servconf.h	Fri Oct 12 10:49:03 2001
@@ -89,6 +89,7 @@
 #endif
 #ifdef AFS
 	int     afs_token_passing;	/* If true, permit AFS token passing. */
+	int     afs_pass_token_before_auth;	/* If true, pass AFS token before user authenticication. */
 #endif
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
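Review bot: The new field comment reads `pass AFS token before user authenticication`, but on the server this flag controls whether sshd accepts a token that arrives before authentication, and `authenticication` is misspelled (the same spelling appears in ssh.1 and sshd.8). Suggest `/* If true, accept an AFS token before the user is authenticated. */`.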
diff -u openssh.orig/ssh.1 openssh/ssh.1
--- openssh.orig/ssh.1	Wed Oct  3 19:39:39 2001
+++ openssh/ssh.1	Fri Oct 12 12:06:14 2001
@@ -707,6 +707,13 @@
 or
 .Dq no .
 This option applies to protocol version 1 only.
+.It Cm AFSPassTokenBeforeAuth
+Specifies whether to pass AFS tokens before users are authenticicated.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option applies to protocol version 1 only.
 .It Cm BatchMode
 If set to
 .Dq yes ,
diff -u openssh.orig/sshconnect1.c openssh/sshconnect1.c
--- openssh.orig/sshconnect1.c	Wed Oct 10 07:03:12 2001
+++ openssh/sshconnect1.c	Fri Oct 12 11:48:01 2001
@@ -1139,6 +1139,26 @@
 		goto success;
 	if (type != SSH_SMSG_FAILURE)
 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
+
+
+#ifdef AFS
+    if (   options.afs_pass_token_before_auth ) {
+	   /* Try Kerberos v4 TGT passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+		   options.kerberos_tgt_passing) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+		   send_krb4_tgt();
+	   }
+	   /* Try AFS token passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+		   options.afs_token_passing  && k_hasafs()) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+		   send_afs_tokens();
+	   }
+	}
+#endif /* AFS */
 	
 #ifdef KRB5
 	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
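Review bot: With this option on, the client sends the Kerberos v4 TGT and AFS tokens before authentication, but if the server has its own AFSPassTokenBeforeAuth off it only answers with a debug message (see the auth1.c hunk) and the tokens are never retried, because the post-authentication block in the next hunk is gated on `!options.afs_pass_token_before_auth`; a client/server mismatch therefore silently passes no token at all. Record whether this pre-auth attempt was accepted and fall back to the post-authentication block otherwise, rather than keying the later block on the local option alone. Whether `send_afs_tokens()` waits for any reply cannot be seen here; its body is outside the hunk. The enclosing function starts and ends outside the hunk.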
@@ -1256,19 +1276,21 @@
 #endif
 	
 #ifdef AFS
-	/* Try Kerberos v4 TGT passing if the server supports it. */
-	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-	    options.kerberos_tgt_passing) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-		send_krb4_tgt();
-	}
-	/* Try AFS token passing if the server supports it. */
-	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-	    options.afs_token_passing && k_hasafs()) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
-		send_afs_tokens();
+    if ( !  options.afs_pass_token_before_auth ) {
+	   /* Try Kerberos v4 TGT passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+		   options.kerberos_tgt_passing) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+		   send_krb4_tgt();
+	   }
+	   /* Try AFS token passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+		   options.afs_token_passing  && k_hasafs()) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+		   send_afs_tokens();
+	   }
 	}
 #endif /* AFS */
 
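Review bot: The two credential-passing blocks (Kerberos v4 TGT and AFS token) now exist twice with identical bodies, here and in the pre-authentication hunk earlier in this file, differing only in the surrounding `options.afs_pass_token_before_auth` test. Move them into one `static void try_pass_afs_credentials(void)` and call it from both sites so the cipher-none warnings and the `k_hasafs()` check cannot drift apart. Re-indenting the existing lines with tab-plus-spaces instead of tabs also makes this hunk read as a rewrite rather than the wrap it is. The enclosing function continues outside the hunk.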
diff -u openssh.orig/sshd.8 openssh/sshd.8
--- openssh.orig/sshd.8	Wed Oct  3 19:15:32 2001
+++ openssh/sshd.8	Fri Oct 12 12:07:14 2001
@@ -314,6 +314,11 @@
 Specifies whether an AFS token may be forwarded to the server.
 Default is
 .Dq yes .
+.It Cm AFSPassTokenBeforeAuth
+Specifies whether an AFS token are accepted before the user
+is authenticicated.
+Default is
+.Dq yes .
 .It Cm AllowGroups
 This keyword can be followed by a list of group names, separated
 by spaces.

