Kerberos password auth/expiry kbdint patch

James F.Hranicky jfh at
Fri May 2 05:29:08 EST 2003

I took Markus Friedl's advice and set up a KbdintDevice for Kerberos 
password authentication/expiry. It took me a bit to wrap my head 
around privsep, but I think it's working properly (code stolen 
shamelessly from FBSD's PAM implementation :->). 

The hardest part was working out how to get the interaction 
between krb5_get_init_creds_password() (along with the prompter)
to work with the auth2_challenge routines, as the logic between the 
two are very similar. 

I ended up doing the following:

	- using a state machine and some global data to communicate 
	  between the KbdintDevice routines, krb5_g_i_c_p() and the 

	- rolled my own prompts, ignoring those generated by krb5_g_i_c_p()

So far, it seems to work well. My informal tests show:

	- the code (included when --with-kerberos5-kbdint is given as an
	  arg to configure) seems to interact with the existing Kerberos
	  password code with no problems

	- the password expiry works with OpenSSH versions 3.4p1, 3.5p1, 
	  and 3.6p1,'s Windows client, and putty v0.53b (apparently,
	  putty 0.52 has a problem with the kbdint routines, sending 
	  2 responses after the new password has been entered only once, 
	  causing packet_get() to bomb out on the server side)

	- the code seems to work well on Solaris and FreeBSD, but I haven't
	  yet tested it on any other platforms

Possible additions:

	- a Kerberos5ViaKbdInt option

Questions, comments, or improvements welcome.

| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at             |
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-3.6p1.krb5-kbdintdev.patch.txt

More information about the openssh-unix-dev mailing list