privsep+kerb5+ssh1
Markus Friedl
markus at openbsd.org
Wed Jul 31 20:45:36 EST 2002
please test Olaf Kirch's patch. it looks fine to me, but i don't do K5.
i'd like to see this in the next release. thx
-m
--- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002
+++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002
@@ -73,18 +73,17 @@
* from the ticket
*/
int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
+auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
{
krb5_error_code problem;
krb5_principal server;
- krb5_data reply;
krb5_ticket *ticket;
int fd, ret;
ret = 0;
server = NULL;
ticket = NULL;
- reply.length = 0;
+ reply->length = 0;
problem = krb5_init(authctxt);
if (problem)
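Review bot: `reply->length = 0;` on the new side leaves `reply->data` indeterminate, and the comment in the next hunk shows krb5_mk_rep only runs when the client asks for mutual auth, so a successful non-mutual exchange now hands the caller a struct whose data pointer was never written; in this patch that pointer reaches packet_put_string in auth1.c and buffer_put_string in mm_answer_krb5 with length 0. Initialize both fields together: `reply->length = 0;` `reply->data = NULL;`. The body of auth_krb5 continues past this hunk.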
@@ -131,7 +130,7 @@
/* if client wants mutual auth */
problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
- &reply);
+ reply);
if (problem)
goto err;
@@ -144,19 +143,16 @@
krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
client);
- packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
- packet_put_string((char *) reply.data, reply.length);
- packet_send();
- packet_write_wait();
-
ret = 1;
err:
if (server)
krb5_free_principal(authctxt->krb5_ctx, server);
if (ticket)
krb5_free_ticket(authctxt->krb5_ctx, ticket);
- if (reply.length)
- xfree(reply.data);
+ if (!ret && reply->length) {
+ xfree(reply->data);
+ memset(reply, 0, sizeof(*reply));
+ }
if (problem) {
if (authctxt->krb5_ctx != NULL)
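Review bot: The cleanup at the end of this hunk changes the ownership contract — on success `reply` now escapes to the caller, on failure it is freed and zeroed — but the header comment above auth_krb5 (ending `from the ticket */` in the first hunk) is not updated to say so. Add to it something like `On success *reply holds the mutual-auth response (length 0 if none was requested) and the caller must free reply->data; on failure *reply is zeroed.` The free still uses xfree on memory the krb5 library allocated, which is inherited from the removed lines rather than introduced here. auth_krb5 begins in the first hunk and ends after this one.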
--- openssh-3.4p1/auth1.c.krb Fri Jun 21 08:21:11 2002
+++ openssh-3.4p1/auth1.c Tue Jul 23 15:15:43 2002
@@ -133,15 +133,23 @@
#endif /* KRB4 */
} else {
#ifdef KRB5
- krb5_data tkt;
+ krb5_data tkt, reply;
tkt.length = dlen;
tkt.data = kdata;
- if (auth_krb5(authctxt, &tkt, &client_user)) {
+ if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) {
authenticated = 1;
snprintf(info, sizeof(info),
" tktuser %.100s",
client_user);
+
+ /* Send response to client */
+ packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+ packet_put_string((char *) reply.data, reply.length);
+ packet_send();
+ packet_write_wait();
+ if (reply.length)
+ xfree(reply.data);
}
#endif /* KRB5 */
}
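Review bot: The `if (reply.length) xfree(reply.data);` guard at the bottom of the success branch leaks in the privsep case: there reply.data comes from buffer_get_string in mm_auth_krb5, which, like the rest of the OpenSSH buffer API, xmallocs len+1 bytes even for a zero-length string, so an empty reply is never freed; the same pattern skips freeing tkt.data in mm_answer_krb5 in the monitor.c hunk. The guard itself has to stay, because in the non-privsep path reply.data is only set when krb5_mk_rep produced a response. The cleanest fix is in mm_auth_krb5 (monitor_wrap.c hunk) right after `reply->length = len;`: `if (len == 0) { xfree(reply->data); reply->data = NULL; }`, and in mm_answer_krb5 freeing tkt.data unconditionally, since buffer_get_string never returns NULL.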
--- openssh-3.4p1/monitor.c.krb Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor.c Tue Jul 23 15:15:43 2002
@@ -121,6 +121,10 @@
int mm_answer_pam_chauthtok(int, Buffer *);
#endif
+#ifdef KRB5
+int mm_answer_krb5(int, Buffer *);
+#endif
+
static Authctxt *authctxt;
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -201,6 +205,9 @@
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
#endif
+#ifdef KRB5
+ {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
{0, 0, NULL}
};
@@ -1333,6 +1340,42 @@
return (success);
}
+
+#ifdef KRB5
+int
+mm_answer_krb5(int socket, Buffer *m)
+{
+ krb5_data tkt, reply;
+ char *client_user;
+ unsigned int len;
+ int success;
+
+ /* use temporary var to avoid size issues on 64bit arch */
+ tkt.data = buffer_get_string(m, &len);
+ tkt.length = len;
+
+ success = auth_krb5(authctxt, &tkt, &client_user, &reply);
+
+ if (tkt.length)
+ xfree(tkt.data);
+
+ buffer_clear(m);
+ buffer_put_int(m, success);
+
+ if (success) {
+ buffer_put_cstring(m, client_user);
+ buffer_put_string(m, reply.data, reply.length);
+ if (client_user)
+ xfree(client_user);
+ if (reply.length)
+ xfree(reply.data);
+ }
+ mm_request_send(socket, MONITOR_ANS_KRB5, m);
+
+ return success;
+}
+#endif
+
int
mm_answer_term(int socket, Buffer *req)
{
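Review bot: In mm_answer_krb5, `buffer_put_cstring(m, client_user)` on the success path dereferences client_user before the `if (client_user)` guard two lines below tests it, so the guard can never protect anything; either drop it or move the check ahead of the put (auth_krb5 sets *client via krb5_unparse_name on the success path, as the auth-krb5.c hunk shows). client_user is otherwise read only when success is nonzero, which is correct, but initializing it at declaration would make that invariant explicit: `char *client_user = NULL;`. This function is complete within the hunk.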
--- openssh-3.4p1/monitor.h.krb Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor.h Tue Jul 23 15:15:43 2002
@@ -51,6 +51,7 @@
MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_CHAUTHTOK, MONITOR_ANS_PAM_CHAUTHTOK,
+ MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
MONITOR_REQ_TERM
};
--- openssh-3.4p1/monitor_wrap.c.krb Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor_wrap.c Tue Jul 23 15:18:23 2002
@@ -1040,3 +1040,38 @@
return (success);
}
+
+#ifdef KRB5
+int
+mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
+{
+ krb5_data *tkt, *reply;
+ Buffer m;
+ int success;
+
+ debug3("%s entering", __func__);
+ tkt = (krb5_data *) argp;
+ reply = (krb5_data *) resp;
+
+ buffer_init(&m);
+ buffer_put_string(&m, tkt->data, tkt->length);
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
+
+ success = buffer_get_int(&m);
+ if (success) {
+ unsigned int len;
+
+ *userp = buffer_get_string(&m, NULL);
+ reply->data = buffer_get_string(&m, &len);
+ reply->length = len;
+ } else {
+ memset(reply, 0, sizeof(*reply));
+ *userp = NULL;
+ }
+
+ buffer_free(&m);
+ return (success);
+}
+#endif
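Review bot: mm_auth_krb5 never reads its `ctx` parameter: the ticket is shipped to the monitor, and mm_answer_krb5 (monitor.c hunk) runs auth_krb5 against the monitor's own file-static authctxt, so the child's context is irrelevant here. A one-line comment would save the next reader from looking for a missing argument: `/* ctx is unused: the monitor authenticates against its own authctxt */`. The matching prototype comment in monitor_wrap.h could say the same.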
--- openssh-3.4p1/monitor_wrap.h.krb Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor_wrap.h Tue Jul 23 15:19:00 2002
@@ -84,6 +84,13 @@
int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
+/* auth_krb5 */
+#ifdef KRB5
+/* auth and reply are really krb5_data objects, but we don't want to
+ * include all of the krb5 headers here */
+int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
+#endif
+
/* zlib allocation hooks */
void *mm_zalloc(struct mm_master *, u_int, u_int);
--- openssh-3.4p1/servconf.c.krb Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/servconf.c Tue Jul 23 15:15:43 2002
@@ -17,7 +17,7 @@
#endif
#if defined(KRB5)
#ifdef HEIMDAL
-#include <krb.h>
+#include <krb5.h>
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
* keytab */
--- openssh-3.4p1/auth.h.krb Thu Jun 6 22:52:37 2002
+++ openssh-3.4p1/auth.h Tue Jul 23 15:25:35 2002
@@ -126,7 +126,7 @@
#endif /* KRB4 */
#ifdef KRB5
-int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
+int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int auth_krb5_password(Authctxt *authctxt, const char *password);
void krb5_cleanup_proc(void *authctxt);
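Review bot: The new prototype drops the parameter name for the added argument while the other three keep theirs; the surrounding declarations name their parameters, and the name is what documents the out-parameter: `int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply);`.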