Fix AFS and Kerberos interaction
Daniel Kouril
kouril at ics.muni.cz
Wed Feb 20 20:33:07 EST 2002
On Wed, Jan 23, 2002 at 03:35:40PM +0100, Daniel Kouril wrote:
> Hello,
>
> I am going to use ssh with Kerberos V5 support along with support for AFS. I
> don't want to use Kerberos V4 or AFS token passing. The only thing I need
> from AFS is creating an AFS token (using appropriate function from krb5 API)
> after the user's authentication. It seems to me that such a scenario is not well
> supported by the current code. Rather, it is assumed that only Kerberos 4 will be
> used with AFS.
>
> Please, could you have a look at the enclosed patch? The main purpose of it
> is to enclose those parts dealing with AFS or KRB4 ticket passing between
> #ifdef AFS && KRB4 (instead of only AFS as in the current code). The patch is
> created against OpenSSH 3.0.2p1, tested with Heimdal implementation of
> Kerberos V5.
>
> Would it be possible to add the patch to the standard distribution?
>
> with best regards
>
> --
> Daniel Kouril
Hi all,
I sent this mail some months ago and haven't received any response yet.
Please, could somebody let me know if the patch is acceptable to be included
in the standard distribution? I think the patch is quite simple but I could
adapt it in any way if required. As I believe I'm not the only one interested
in using Kerberos V5 along with AFS I think the patch would make our life
much easier. Thank you.
best regards
--
Daniel Kouril
-------------- next part --------------
--- Makefile.in 2002/01/23 10:09:09 1.1
+++ Makefile.in 2002/01/23 10:10:50
@@ -50,7 +50,7 @@
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
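Review bot: auth-krb5.o is added to SSHDOBJS unconditionally, so the link step now always needs an auth-krb5.o; this presumably relies on auth-krb5.c compiling to an empty translation unit when KRB5 is not defined, the way this patch wraps all of auth-krb4.c in `#ifdef KRB4`. That is worth confirming on a build configured without Kerberos V5, since nothing else in SSHDOBJS is adjusted per configuration.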
--- auth-krb4.c 2002/01/23 10:50:54 1.1
+++ auth-krb4.c 2002/01/23 10:55:40
@@ -34,11 +34,12 @@
#include "uidswap.h"
#include "auth.h"
+#ifdef KRB4
+
#ifdef AFS
#include "radix.h"
#endif
-#ifdef KRB4
extern ServerOptions options;
static int
@@ -279,9 +280,7 @@
packet_write_wait();
return (1);
}
-#endif /* KRB4 */
-#ifdef AFS
int
auth_krb4_tgt(Authctxt *authctxt, const char *string)
{
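Review bot: Dropping `#ifdef AFS` here, together with the last hunk closing the file with `#endif /* KRB4 */`, compiles auth_krb4_tgt and auth_afs_token whenever KRB4 is defined even when AFS is not, while the first hunk still includes radix.h only under AFS and the auth.h hunk declares both functions only under AFS and KRB4. The function bodies lie outside this hunk, so I cannot see which calls they make, but if they use radix_to_creds or the k_* kafs API a KRB4-without-AFS build would no longer compile. Keeping `#ifdef AFS` at this point and closing the file with `#endif /* AFS */` followed by `#endif /* KRB4 */` would match the declarations in auth.h.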
@@ -370,4 +369,4 @@
return (1);
}
-#endif /* AFS */
+#endif /* KRB4 */
--- auth.h 2002/01/23 12:01:53 1.1
+++ auth.h 2002/01/23 12:14:19
@@ -102,14 +102,15 @@
int auth_krb4(Authctxt *, KTEXT, char **);
int auth_krb4_password(Authctxt *, const char *);
void krb4_cleanup_proc(void *);
+#endif /* KRB4 */
#ifdef AFS
#include <kafs.h>
+#ifdef KRB4
int auth_krb4_tgt(Authctxt *, const char *);
int auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-
#endif /* KRB4 */
+#endif /* AFS */
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
--- auth1.c 2002/01/23 12:15:49 1.1
+++ auth1.c 2002/01/23 12:17:26
@@ -162,11 +162,11 @@
case SSH_CMSG_HAVE_KERBEROS_TGT:
packet_send_debug("Kerberos TGT passing disabled before authentication.");
break;
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case SSH_CMSG_HAVE_AFS_TOKEN:
packet_send_debug("AFS token passing disabled before authentication.");
break;
-#endif /* AFS */
+#endif /* AFS && KRB4 */
#endif /* AFS || KRB5 */
case SSH_CMSG_AUTH_RHOSTS:
--- radix.c 2002/01/23 10:13:32 1.1
+++ radix.c 2002/01/23 10:27:36
@@ -27,7 +27,7 @@
RCSID("$OpenBSD: radix.c,v 1.16 2001/06/23 15:12:19 itojun Exp $");
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
#include <krb.h>
#include <radix.h>
@@ -211,4 +211,4 @@
return 1;
}
-#endif /* AFS */
+#endif /* AFS && KRB4 */
--- readconf.c 2002/01/23 12:18:23 1.1
+++ readconf.c 2002/01/23 12:23:17
@@ -102,7 +102,7 @@
#if defined(AFS) || defined(KRB5)
oKerberosTgtPassing,
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
oAFSTokenPassing,
#endif
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -147,7 +147,7 @@
#if defined(AFS) || defined(KRB5)
{ "kerberostgtpassing", oKerberosTgtPassing },
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
{ "afstokenpassing", oAFSTokenPassing },
#endif
{ "fallbacktorsh", oFallBackToRsh },
@@ -368,7 +368,7 @@
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case oAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
@@ -757,7 +757,7 @@
#if defined(AFS) || defined(KRB5)
options->kerberos_tgt_passing = -1;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
options->afs_token_passing = -1;
#endif
options->password_authentication = -1;
@@ -839,7 +839,7 @@
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 1;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (options->afs_token_passing == -1)
options->afs_token_passing = 1;
#endif
--- readconf.h 2002/01/23 12:18:23 1.1
+++ readconf.h 2002/01/23 12:23:17
@@ -47,7 +47,7 @@
#if defined(AFS) || defined(KRB5)
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
int afs_token_passing; /* Try AFS token passing. */
#endif
int password_authentication; /* Try password
--- servconf.c 2002/01/23 10:56:44 1.1
+++ servconf.c 2002/01/23 11:06:44
@@ -12,9 +12,13 @@
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.91 2001/11/12 18:17:07 markus Exp $");
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
#include <krb.h>
#endif
+#ifdef KRB5
+#include <krb5.h>
+#define KEYFILE "/etc/krb5.keytab"
+#endif
#ifdef AFS
#include <kafs.h>
#endif
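Review bot: `KEYFILE` is defined here as a hard-coded path, but no line in this patch reads it, so it is either unused or its consumer is outside the patch; if it is meant as the default keytab for the sshd host principal, it belongs with the other path defaults (pathnames.h style, wrapped in `#ifndef KEYFILE` so a build can override it) rather than as a bare `#define` in servconf.c. A one-line comment on why `<krb.h>` is no longer included for KRB5 builds, `/* KRB5-only builds must not depend on Kerberos 4 headers */`, would also record the intent of the changed guard.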
@@ -82,7 +86,7 @@
#if defined(AFS) || defined(KRB5)
options->kerberos_tgt_passing = -1;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
options->afs_token_passing = -1;
#endif
options->password_authentication = -1;
@@ -190,7 +194,7 @@
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 0;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (options->afs_token_passing == -1)
options->afs_token_passing = k_hasafs();
#endif
@@ -246,7 +250,7 @@
#if defined(AFS) || defined(KRB5)
sKerberosTgtPassing,
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
sAFSTokenPassing,
#endif
sChallengeResponseAuthentication,
@@ -297,7 +301,7 @@
#if defined(AFS) || defined(KRB5)
{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
{ "afstokenpassing", sAFSTokenPassing },
#endif
{ "passwordauthentication", sPasswordAuthentication },
@@ -632,7 +636,7 @@
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case sAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
--- servconf.h 2002/01/23 10:56:44 1.1
+++ servconf.h 2002/01/23 11:07:37
@@ -87,7 +87,7 @@
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
* passing. */
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
int afs_token_passing; /* If true, permit AFS token passing. */
#endif
int password_authentication; /* If true, permit password
--- session.c 2002/01/23 11:08:20 1.1
+++ session.c 2002/01/23 12:12:42
@@ -343,19 +343,19 @@
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
#endif /* KRB5 */
} else {
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (auth_krb4_tgt(s->authctxt, kdata))
success = 1;
else
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
-#endif /* AFS */
+#endif /* AFS && KRB4 */
}
xfree(kdata);
}
break;
#endif /* AFS || KRB5 */
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case SSH_CMSG_HAVE_AFS_TOKEN:
if (!options.afs_token_passing || !k_hasafs()) {
verbose("AFS token passing disabled.");
@@ -372,7 +372,7 @@
xfree(token);
}
break;
-#endif /* AFS */
+#endif /* AFS && KRB4 */
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
@@ -1370,6 +1370,10 @@
krb_afslog(cell, 0);
krb_afslog(0, 0);
+#ifdef KRB5
+ krb5_afslog(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache,
+ NULL, NULL);
+#endif
}
#endif /* AFS */
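Review bot: The new krb5_afslog call passes s->authctxt->krb5_ctx and krb5_fwd_ccache without checking them; this code runs for every session in an AFS build, including sessions authenticated by RSA or password where no Kerberos V5 context or forwarded cache was ever set, so depending on how the library handles a NULL context this can crash the session child. Guard it with `if (s->authctxt->krb5_ctx != NULL && s->authctxt->krb5_fwd_ccache != NULL)` before the call, and log with verbose() when krb5_afslog returns non-zero, as the v4 TGT path does with its "refused" message. The krb_afslog calls immediately above remain under plain `#ifdef AFS`; in an AFS+KRB5 build without Kerberos 4 they still rely on libkafs providing the v4 entry points, which given the patch's goal may be worth guarding with `#ifdef KRB4`. The enclosing function starts outside the hunk.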
--- ssh.c 2002/01/23 12:28:10 1.1
+++ ssh.c 2002/01/23 12:30:58
@@ -159,9 +159,9 @@
_PATH_SSH_USER_CONFFILE);
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
-#ifdef AFS
+#if defined(AFS) || defined(KRB5)
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
-#endif /* AFS */
+#endif /* AFS || KRB5 */
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
fprintf(stderr, " -i file Identity for public key authentication "
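Review bot: The usage guard here is `AFS || KRB5`, but the matching `case 'k'` in the next hunk is compiled under `(AFS && KRB4) || KRB5`, so an AFS build without KRB4 or KRB5 advertises -k while the option switch rejects it. Use the same condition in both places, `#if (defined(AFS) && defined(KRB4)) || defined(KRB5)`. In a KRB5-only build the help text still promises to disable AFS token forwarding, which that build cannot do, so the wording may want a KRB5-only variant as well.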
@@ -351,10 +351,14 @@
case 'A':
options.forward_agent = 1;
break;
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case 'k':
options.kerberos_tgt_passing = 0;
options.afs_token_passing = 0;
+ break;
+#elif defined(KRB5)
+ case 'k':
+ options.kerberos_tgt_passing = 0;
break;
#endif
case 'i':
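Review bot: The `#if` / `#elif` pair duplicates the `case 'k':` label and the kerberos_tgt_passing assignment across two branches, and the closing `#endif` has no trailing comment, unlike every other guard this patch touches. A single case with only the AFS-specific line guarded keeps one copy of the shared logic and makes the condition under which -k exists explicit.
```c
#if (defined(AFS) && defined(KRB4)) || defined(KRB5)
	case 'k':
		options.kerberos_tgt_passing = 0;
#if defined(AFS) && defined(KRB4)
		options.afs_token_passing = 0;
#endif /* AFS && KRB4 */
		break;
#endif /* (AFS && KRB4) || KRB5 */
```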
--- sshconnect1.c 2002/01/23 10:28:25 1.1
+++ sshconnect1.c 2002/01/23 12:05:15
@@ -26,8 +26,10 @@
#endif
#ifdef AFS
#include <kafs.h>
+#ifdef KRB4
#include "radix.h"
#endif
+#endif
#include "ssh.h"
#include "ssh1.h"
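Review bot: The nested include guard leaves both closing `#endif` lines unlabeled, while the rest of the patch annotates every `#endif` it touches; since the kept `#endif` now closes KRB4 and the added one closes AFS, `#endif /* KRB4 */` and `#endif /* AFS */` would make that pairing readable at a glance.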
@@ -685,7 +687,7 @@
}
#endif /* KRB5 */
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
static void
send_krb4_tgt(void)
{
@@ -806,7 +808,7 @@
}
}
-#endif /* AFS */
+#endif /* AFS && KRB4 */
/*
* Tries to authenticate with any string-based challenge/response system.
@@ -1255,7 +1257,7 @@
krb5_free_context(context);
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
/* Try Kerberos v4 TGT passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
options.kerberos_tgt_passing) {
@@ -1270,7 +1272,7 @@
log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
send_afs_tokens();
}
-#endif /* AFS */
+#endif /* AFS && KRB4 */
return; /* need statement after label */
}
--- sshd.c 2002/01/23 10:41:05 1.1
+++ sshd.c 2002/01/23 12:12:42
@@ -1289,7 +1289,7 @@
if (options.kerberos_tgt_passing)
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif