privsep+kerb5+ssh1

Markus Friedl markus at openbsd.org
Wed Jul 31 20:45:36 EST 2002


please test Olaf Kirch's patch. it looks fine to me, but i don't do K5.

i'd like to see this in the next release. thx

-m
-------------- next part --------------
--- openssh-3.4p1/auth-krb5.c.krb	Sun Jun  9 21:41:48 2002
+++ openssh-3.4p1/auth-krb5.c	Tue Jul 23 15:15:43 2002
@@ -73,18 +73,17 @@
  * from the ticket
  */
 int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
+auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
 {
 	krb5_error_code problem;
 	krb5_principal server;
-	krb5_data reply;
 	krb5_ticket *ticket;
 	int fd, ret;
 
 	ret = 0;
 	server = NULL;
 	ticket = NULL;
-	reply.length = 0;
+	reply->length = 0;
 
 	problem = krb5_init(authctxt);
 	if (problem)
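Review bot: `reply->length = 0;` leaves `reply->data` indeterminate, so a caller whose auth_krb5 call fails before `krb5_mk_rep` runs gets back a struct whose pointer is garbage while only `length` says it is empty. Initializing the whole object, `memset(reply, 0, sizeof(*reply));`, keeps every exit consistent with the failure-path memset this patch adds at the end of the function and costs nothing. The callers visible in this patch only read `reply` on success, so this is defensive rather than a live fault. auth_krb5's body continues past this hunk.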
@@ -131,7 +130,7 @@
 
 	/* if client wants mutual auth */
 	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    &reply);
+	    reply);
 	if (problem)
 		goto err;
 
@@ -144,19 +143,16 @@
 		krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
 		    client);
 
-	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-	packet_put_string((char *) reply.data, reply.length);
-	packet_send();
-	packet_write_wait();
-
 	ret = 1;
  err:
 	if (server)
 		krb5_free_principal(authctxt->krb5_ctx, server);
 	if (ticket)
 		krb5_free_ticket(authctxt->krb5_ctx, ticket);
-	if (reply.length)
-		xfree(reply.data);
+	if (!ret && reply->length) {
+		xfree(reply->data);
+		memset(reply, 0, sizeof(*reply));
+	}
 
 	if (problem) {
 		if (authctxt->krb5_ctx != NULL)
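Review bot: The ownership change is undocumented: on success `reply->data`, allocated by `krb5_mk_rep`, is now handed to the caller instead of being sent and freed here, and only the `!ret` failure path releases it. The header comment above the function, which starts before this hunk, should state the contract, e.g. `/* On success *reply holds the mutual-auth response from krb5_mk_rep; the caller sends it and must free reply->data. On failure *reply is zeroed. */`. Note also that the `krb5_unparse_name` call on the context lines above stores into `*client` without checking its return, so the new callers cannot assume `*client` is non-NULL on success unless that is guaranteed elsewhere.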
--- openssh-3.4p1/auth1.c.krb	Fri Jun 21 08:21:11 2002
+++ openssh-3.4p1/auth1.c	Tue Jul 23 15:15:43 2002
@@ -133,15 +133,23 @@
 #endif /* KRB4 */
 				} else {
 #ifdef KRB5
-					krb5_data tkt;
+					krb5_data tkt, reply;
 					tkt.length = dlen;
 					tkt.data = kdata;
 
-					if (auth_krb5(authctxt, &tkt, &client_user)) {
+					if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) {
 						authenticated = 1;
 						snprintf(info, sizeof(info),
 						    " tktuser %.100s",
 						    client_user);
+
+						/* Send response to client */
+						packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+						packet_put_string((char *) reply.data, reply.length);
+						packet_send();
+						packet_write_wait();
+						if (reply.length)
+							xfree(reply.data);
 					}
 #endif /* KRB5 */
 				}
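Review bot: `if (reply.length) xfree(reply.data);` can leak under privsep: `reply.data` then comes from `buffer_get_string` in mm_auth_krb5, and if that routine allocates even for a zero-length string (it returns a NUL-terminated copy, which suggests it does), an empty reply is never freed. The same `if (len) xfree(...)` guard appears in mm_answer_krb5 on the ticket and reply buffers (monitor.c hunk). If `buffer_get_string` does always allocate, freeing unconditionally on the success path is the simpler and correct form; without privsep `reply.data` is krb5-allocated and always set on success, so an unconditional `xfree(reply.data);` is safe there too, though releasing krb5 memory with `xfree` rather than the library's own free is a pre-existing pattern in auth-krb5.c worth a comment. The enclosing function starts and ends outside this hunk.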
--- openssh-3.4p1/monitor.c.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor.c	Tue Jul 23 15:15:43 2002
@@ -121,6 +121,10 @@
 int mm_answer_pam_chauthtok(int, Buffer *);
 #endif
 
+#ifdef KRB5
+int mm_answer_krb5(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
 
@@ -201,6 +205,9 @@
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
+#ifdef KRB5
+    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
     {0, 0, NULL}
 };
 
@@ -1333,6 +1340,42 @@
 	return (success);
 }
 
+
+#ifdef KRB5
+int
+mm_answer_krb5(int socket, Buffer *m)
+{
+	krb5_data tkt, reply;
+	char *client_user;
+	unsigned int len;
+	int success;
+
+	/* use temporary var to avoid size issues on 64bit arch */
+	tkt.data = buffer_get_string(m, &len);
+	tkt.length = len;
+
+	success = auth_krb5(authctxt, &tkt, &client_user, &reply);
+
+	if (tkt.length)
+		xfree(tkt.data);
+
+	buffer_clear(m);
+	buffer_put_int(m, success);
+
+	if (success) {
+		buffer_put_cstring(m, client_user);
+		buffer_put_string(m, reply.data, reply.length);
+		if (client_user)
+			xfree(client_user);
+		if (reply.length)
+			xfree(reply.data);
+	}
+	mm_request_send(socket, MONITOR_ANS_KRB5, m);
+
+	return success;
+}
+#endif
+
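Review bot: mm_answer_krb5 never records which method authenticated: if, as the other mm_answer_* handlers in this file appear to do, the monitor's auth_log reads a file-scope `auth_method` when a `MON_AUTH` request decides authentication, this handler should set `auth_method = "kerberos";` before returning so the log line names the method instead of the default. Separately, `buffer_put_cstring(m, client_user)` runs before the `if (client_user)` guard, so the guard only protects the free; since auth_krb5 does not check `krb5_unparse_name`'s return, either move the NULL check ahead of the put or make a NULL name count as failure. The whole of mm_answer_krb5 is inside this hunk.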
 int
 mm_answer_term(int socket, Buffer *req)
 {
--- openssh-3.4p1/monitor.h.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor.h	Tue Jul 23 15:15:43 2002
@@ -51,6 +51,7 @@
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_CHAUTHTOK, MONITOR_ANS_PAM_CHAUTHTOK,
+	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_TERM
 };
 
--- openssh-3.4p1/monitor_wrap.c.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor_wrap.c	Tue Jul 23 15:18:23 2002
@@ -1040,3 +1040,38 @@
 
 	return (success);
 }
+
+#ifdef KRB5
+int
+mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
+{
+	krb5_data *tkt, *reply;
+	Buffer m;
+	int success;
+
+	debug3("%s entering", __func__);
+	tkt = (krb5_data *) argp;
+	reply = (krb5_data *) resp;
+
+	buffer_init(&m);
+	buffer_put_string(&m, tkt->data, tkt->length);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
+
+	success = buffer_get_int(&m);
+	if (success) {
+		unsigned int len;
+
+		*userp = buffer_get_string(&m, NULL);
+		reply->data = buffer_get_string(&m, &len);
+		reply->length = len;
+	} else {
+		memset(reply, 0, sizeof(*reply));
+		*userp = NULL;
+	}
+
+	buffer_free(&m);
+	return (success);
+}
+#endif
--- openssh-3.4p1/monitor_wrap.h.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor_wrap.h	Tue Jul 23 15:19:00 2002
@@ -84,6 +84,13 @@
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
+/* auth_krb5 */
+#ifdef KRB5
+/* auth and reply are really krb5_data objects, but we don't want to
+ * include all of the krb5 headers here */
+int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
+#endif
+
 /* zlib allocation hooks */
 
 void *mm_zalloc(struct mm_master *, u_int, u_int);
--- openssh-3.4p1/servconf.c.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/servconf.c	Tue Jul 23 15:15:43 2002
@@ -17,7 +17,7 @@
 #endif
 #if defined(KRB5)
 #ifdef HEIMDAL
-#include <krb.h>
+#include <krb5.h>
 #else
 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
  * keytab */
--- openssh-3.4p1/auth.h.krb	Thu Jun  6 22:52:37 2002
+++ openssh-3.4p1/auth.h	Tue Jul 23 15:25:35 2002
@@ -126,7 +126,7 @@
 #endif /* KRB4 */
 
 #ifdef KRB5
-int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
+int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 int	auth_krb5_password(Authctxt *authctxt, const char *password);
 void	krb5_cleanup_proc(void *authctxt);
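Review bot: The new fourth parameter is the only unnamed one in the prototype; keeping parameter names in declarations is the convention the rest of this block follows, so write it as `int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply);` to match the definition in auth-krb5.c.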

