Fix AFS and Kerberos interaction
Daniel Kouril
kouril at ics.muni.cz
Thu Jan 24 01:35:40 EST 2002
Hello,
I am going to use ssh with Kerberos V5 support along with support for AFS. I
don't want to use Kerberos V4 or AFS token passing. The only thing I need
from AFS is creating an AFS token (using the appropriate function from the krb5 API)
after the user's authentication. It seems to me that such a scenario is not well
supported by the current code; rather, it is assumed that only Kerberos 4 will be
used with AFS.
Please, could you have a look at the enclosed patch? The main purpose of it
is to enclose those parts dealing with AFS or KRB4 ticket passing between
#ifdef AFS && KRB4 (instead of only AFS as in the current code). The patch is
created against OpenSSH 3.0.2p1, tested with Heimdal implementation of
Kerberos V5.
Would it be possible to add the patch to the standard distribution?
with best regards
--
Daniel Kouril
--- Makefile.in 2002/01/23 10:09:09 1.1
+++ Makefile.in 2002/01/23 10:10:50
@@ -50,7 +50,7 @@
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
--- auth-krb4.c 2002/01/23 10:50:54 1.1
+++ auth-krb4.c 2002/01/23 10:55:40
@@ -34,11 +34,12 @@
#include "uidswap.h"
#include "auth.h"
+#ifdef KRB4
+
#ifdef AFS
#include "radix.h"
#endif
-#ifdef KRB4
extern ServerOptions options;
static int
@@ -279,9 +280,7 @@
packet_write_wait();
return (1);
}
-#endif /* KRB4 */
-#ifdef AFS
int
auth_krb4_tgt(Authctxt *authctxt, const char *string)
{
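Review bot: Removing the `#ifdef AFS` / `#endif /* KRB4 */` pair here leaves `auth_krb4_tgt` (and, through the last hunk of this file, `auth_afs_token`) compiled whenever KRB4 is defined on its own, while the auth.h hunk declares both only under `AFS && KRB4` and radix.c is now built only under the same condition. A KRB4-without-AFS build therefore compiles these two functions without radix.h (its include stays under `#ifdef AFS` in the first hunk) and, if they use the radix helpers as that include suggests, fails at link time. Since the first hunk already wraps the whole file in `#ifdef KRB4`, reinstating `#ifdef AFS` before `auth_krb4_tgt` and a matching `#endif /* AFS */` before the closing `#endif /* KRB4 */` makes the source agree with the header. The body of auth_krb4_tgt continues past the end of this hunk.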
@@ -370,4 +369,4 @@
return (1);
}
-#endif /* AFS */
+#endif /* KRB4 */
--- auth.h 2002/01/23 12:01:53 1.1
+++ auth.h 2002/01/23 12:14:19
@@ -102,14 +102,15 @@
int auth_krb4(Authctxt *, KTEXT, char **);
int auth_krb4_password(Authctxt *, const char *);
void krb4_cleanup_proc(void *);
+#endif /* KRB4 */
#ifdef AFS
#include <kafs.h>
+#ifdef KRB4
int auth_krb4_tgt(Authctxt *, const char *);
int auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-
#endif /* KRB4 */
+#endif /* AFS */
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
--- auth1.c 2002/01/23 12:15:49 1.1
+++ auth1.c 2002/01/23 12:17:26
@@ -162,11 +162,11 @@
case SSH_CMSG_HAVE_KERBEROS_TGT:
packet_send_debug("Kerberos TGT passing disabled before authentication.");
break;
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case SSH_CMSG_HAVE_AFS_TOKEN:
packet_send_debug("AFS token passing disabled before authentication.");
break;
-#endif /* AFS */
+#endif /* AFS && KRB4 */
#endif /* AFS || KRB5 */
case SSH_CMSG_AUTH_RHOSTS:
--- radix.c 2002/01/23 10:13:32 1.1
+++ radix.c 2002/01/23 10:27:36
@@ -27,7 +27,7 @@
RCSID("$OpenBSD: radix.c,v 1.16 2001/06/23 15:12:19 itojun Exp $");
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
#include <krb.h>
#include <radix.h>
@@ -211,4 +211,4 @@
return 1;
}
-#endif /* AFS */
+#endif /* AFS && KRB4 */
--- readconf.c 2002/01/23 12:18:23 1.1
+++ readconf.c 2002/01/23 12:23:17
@@ -102,7 +102,7 @@
#if defined(AFS) || defined(KRB5)
oKerberosTgtPassing,
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
oAFSTokenPassing,
#endif
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -147,7 +147,7 @@
#if defined(AFS) || defined(KRB5)
{ "kerberostgtpassing", oKerberosTgtPassing },
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
{ "afstokenpassing", oAFSTokenPassing },
#endif
{ "fallbacktorsh", oFallBackToRsh },
@@ -368,7 +368,7 @@
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case oAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
@@ -757,7 +757,7 @@
#if defined(AFS) || defined(KRB5)
options->kerberos_tgt_passing = -1;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
options->afs_token_passing = -1;
#endif
options->password_authentication = -1;
@@ -839,7 +839,7 @@
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 1;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (options->afs_token_passing == -1)
options->afs_token_passing = 1;
#endif
--- readconf.h 2002/01/23 12:18:23 1.1
+++ readconf.h 2002/01/23 12:23:17
@@ -47,7 +47,7 @@
#if defined(AFS) || defined(KRB5)
int kerberos_tgt_passing; /* Try Kerberos TGT passing. */
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
int afs_token_passing; /* Try AFS token passing. */
#endif
int password_authentication; /* Try password
--- servconf.c 2002/01/23 10:56:44 1.1
+++ servconf.c 2002/01/23 11:06:44
@@ -12,9 +12,13 @@
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.91 2001/11/12 18:17:07 markus Exp $");
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
#include <krb.h>
#endif
+#ifdef KRB5
+#include <krb5.h>
+#define KEYFILE "/etc/krb5.keytab"
+#endif
#ifdef AFS
#include <kafs.h>
#endif
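Review bot: `#define KEYFILE "/etc/krb5.keytab"` is added without a guard, but Kerberos 4's &lt;krb.h&gt;, still included just above under KRB4, defines `KEYFILE` as well; a build with both KRB4 and KRB5 now redefines the macro with a different body, which the compiler diagnoses and which makes the probe that consumes `KEYFILE` (outside this hunk) depend on include order. Give the v5 path its own name, e.g. `#define KRB5_KEYFILE "/etc/krb5.keytab"`, or at least wrap the definition in `#ifndef KEYFILE`. Note also that the krb5 libraries resolve their default keytab from configuration (krb5.conf `default_keytab_name`, `KRB5_KTNAME`), so an access() check on a fixed path may disagree with the keytab the library actually opens; deriving the path from the library's default would be more robust.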
@@ -82,7 +86,7 @@
#if defined(AFS) || defined(KRB5)
options->kerberos_tgt_passing = -1;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
options->afs_token_passing = -1;
#endif
options->password_authentication = -1;
@@ -190,7 +194,7 @@
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 0;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (options->afs_token_passing == -1)
options->afs_token_passing = k_hasafs();
#endif
@@ -246,7 +250,7 @@
#if defined(AFS) || defined(KRB5)
sKerberosTgtPassing,
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
sAFSTokenPassing,
#endif
sChallengeResponseAuthentication,
@@ -297,7 +301,7 @@
#if defined(AFS) || defined(KRB5)
{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
{ "afstokenpassing", sAFSTokenPassing },
#endif
{ "passwordauthentication", sPasswordAuthentication },
@@ -632,7 +636,7 @@
intptr = &options->kerberos_tgt_passing;
goto parse_flag;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case sAFSTokenPassing:
intptr = &options->afs_token_passing;
goto parse_flag;
--- servconf.h 2002/01/23 10:56:44 1.1
+++ servconf.h 2002/01/23 11:07:37
@@ -87,7 +87,7 @@
int kerberos_tgt_passing; /* If true, permit Kerberos TGT
* passing. */
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
int afs_token_passing; /* If true, permit AFS token passing. */
#endif
int password_authentication; /* If true, permit password
--- session.c 2002/01/23 11:08:20 1.1
+++ session.c 2002/01/23 12:12:42
@@ -343,19 +343,19 @@
verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
#endif /* KRB5 */
} else {
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (auth_krb4_tgt(s->authctxt, kdata))
success = 1;
else
verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
-#endif /* AFS */
+#endif /* AFS && KRB4 */
}
xfree(kdata);
}
break;
#endif /* AFS || KRB5 */
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case SSH_CMSG_HAVE_AFS_TOKEN:
if (!options.afs_token_passing || !k_hasafs()) {
verbose("AFS token passing disabled.");
@@ -372,7 +372,7 @@
xfree(token);
}
break;
-#endif /* AFS */
+#endif /* AFS && KRB4 */
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
@@ -1370,6 +1370,10 @@
krb_afslog(cell, 0);
krb_afslog(0, 0);
+#ifdef KRB5
+ krb5_afslog(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache,
+ NULL, NULL);
+#endif
}
#endif /* AFS */
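Review bot: The new `krb5_afslog()` call runs for every session on a KRB5 build, but `s->authctxt->krb5_ctx` and `krb5_fwd_ccache` are presumably populated only when the user authenticated through the Kerberos 5 paths, so an RSA or password login reaches this line with a NULL context and NULL ccache; guard it with `if (s->authctxt->krb5_ctx != NULL && s->authctxt->krb5_fwd_ccache != NULL)` and consider logging the return value, which is currently discarded. The two `krb_afslog()` lines just above remain outside any KRB4 guard, so a build that deliberately omits Kerberos 4, which is the scenario this patch targets, still calls the v4 libkafs entry points; they should be wrapped in `#ifdef KRB4` like the rest of the series. The v4 calls pass the local `cell` while the v5 call passes NULL for cell and realm, which is worth confirming as intentional, and `krb5_afslog` is, as far as I know, a Heimdal libkafs interface, so the call may need a configure-time check for non-Heimdal builds. The enclosing function starts before this hunk.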
--- ssh.c 2002/01/23 12:28:10 1.1
+++ ssh.c 2002/01/23 12:30:58
@@ -159,9 +159,9 @@
_PATH_SSH_USER_CONFFILE);
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
-#ifdef AFS
+#if defined(AFS) || defined(KRB5)
fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n");
-#endif /* AFS */
+#endif /* AFS || KRB5 */
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
fprintf(stderr, " -i file Identity for public key authentication "
@@ -351,10 +351,14 @@
case 'A':
options.forward_agent = 1;
break;
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
case 'k':
options.kerberos_tgt_passing = 0;
options.afs_token_passing = 0;
+ break;
+#elif defined(KRB5)
+ case 'k':
+ options.kerberos_tgt_passing = 0;
break;
#endif
case 'i':
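Review bot: The guards for `-k` no longer match: the usage hunk prints the option under `AFS || KRB5`, while this hunk handles it only under `(AFS && KRB4) || KRB5`, so an AFS build with neither Kerberos flavour advertises `-k` but has no `case 'k':` and the option falls through to whatever the default arm does (the getopt string is outside this hunk). Using one condition in both places and folding the two duplicated `case 'k':` arms into a single case with an inner `#if` for the AFS-token flag removes the drift; the usage text could likewise drop "and AFS token" when only KRB5 is compiled in. The enclosing option loop begins before this hunk.
```c
#if (defined(AFS) && defined(KRB4)) || defined(KRB5)
		case 'k':
			options.kerberos_tgt_passing = 0;
#if defined(AFS) && defined(KRB4)
			options.afs_token_passing = 0;
#endif
			break;
#endif
```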
--- sshconnect1.c 2002/01/23 10:28:25 1.1
+++ sshconnect1.c 2002/01/23 12:05:15
@@ -26,8 +26,10 @@
#endif
#ifdef AFS
#include <kafs.h>
+#ifdef KRB4
#include "radix.h"
#endif
+#endif
#include "ssh.h"
#include "ssh1.h"
@@ -685,7 +687,7 @@
}
#endif /* KRB5 */
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
static void
send_krb4_tgt(void)
{
@@ -806,7 +808,7 @@
}
}
-#endif /* AFS */
+#endif /* AFS && KRB4 */
/*
* Tries to authenticate with any string-based challenge/response system.
@@ -1255,7 +1257,7 @@
krb5_free_context(context);
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
/* Try Kerberos v4 TGT passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
options.kerberos_tgt_passing) {
@@ -1270,7 +1272,7 @@
log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
send_afs_tokens();
}
-#endif /* AFS */
+#endif /* AFS && KRB4 */
return; /* need statement after label */
}
--- sshd.c 2002/01/23 10:41:05 1.1
+++ sshd.c 2002/01/23 12:12:42
@@ -1289,7 +1289,7 @@
if (options.kerberos_tgt_passing)
auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif
-#ifdef AFS
+#if defined(AFS) && defined(KRB4)
if (options.afs_token_passing)
auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
#endif