[src/trunk]: src/crypto/dist/ssh Somewhat crude hack to make Kerberos 5 crede...
details: https://anonhg.NetBSD.org/src/rev/29158473d2ee
branches: trunk
changeset: 507638:29158473d2ee
user: thorpej <thorpej%NetBSD.org@localhost>
date: Wed Mar 28 03:02:51 2001 +0000
description:
Somewhat crude hack to make Kerberos 5 credential forwarding work.
diffstat:
crypto/dist/ssh/auth1.c | 38 ++++++++++++--------------------------
crypto/dist/ssh/session.c | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+), 26 deletions(-)
diffs (121 lines):
diff -r 8cff34d275c8 -r 29158473d2ee crypto/dist/ssh/auth1.c
--- a/crypto/dist/ssh/auth1.c Wed Mar 28 01:55:55 2001 +0000
+++ b/crypto/dist/ssh/auth1.c Wed Mar 28 03:02:51 2001 +0000
@@ -31,6 +31,11 @@
Also is used as an indication of succesful krb5 authentization. */
#endif
+#if defined(KRB4) || defined(KRB5)
+int ssh_krb_auth; /* 4 or 5 indicates krb version we authenticated with */
+char *ssh_krb_user;
+#endif
+
/* import */
extern ServerOptions options;
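Review bot: These two globals are exported from auth1.c without a declaration in any header touched by this commit, and session.c picks them up through block-scope `extern` lines. A later change of type here would therefore not be caught by the compiler. Declaring them once in a shared header under the same `#if defined(KRB4) || defined(KRB5)` guard would close that gap. `ssh_krb_user` also has no comment; something like `/* strdup'd copy of the login name, set on successful Kerberos auth; never freed */` would record the ownership the later hunks rely on.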
@@ -168,6 +173,8 @@
memcpy(auth.dat, kdata, auth.length);
authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
if (authenticated) {
+ ssh_krb_auth = 4;
+ ssh_krb_user = strdup(authctxt->user);
snprintf(info, sizeof info,
" tktuser %.100s", tkt_user);
xfree(tkt_user);
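Review bot: The result of `strdup(authctxt->user)` is stored in `ssh_krb_user` without a NULL check, and the same unchecked call appears in the KRB5 branch of the next hunk. In the KRB5 case the pointer is later handed to `auth_krb5_tgt()` and to a `%.100s` format in session.c, so an allocation failure turns into a NULL argument there. The surrounding code already uses the `xfree` wrapper family, so `ssh_krb_user = xstrdup(authctxt->user);` would abort cleanly instead. If this path can be reached more than once per connection (the enclosing loop is outside the hunk), the previous copy should be released before it is overwritten.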
@@ -194,8 +201,12 @@
/* authorize client against .k5login */
if (krb5_kuserok(ssh_context,
tkt_client,
- pw->pw_name))
+ pw->pw_name)) {
+ ssh_krb_user =
+ strdup(authctxt->user);
+ ssh_krb_auth = 5;
authenticated = 1;
+ }
}
#endif /* KRB5 */
}
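Review bot: `ssh_krb_auth = 5` and `ssh_krb_user` are recorded as soon as `krb5_kuserok()` succeeds, and nothing visible in this commit resets them if the attempt is rejected afterwards. If code further down the function (outside the hunk) can set `authenticated` back to 0 and the client then logs in by another method, session.c would still see `ssh_krb_auth == 5` and accept a forwarded TGT on the strength of the earlier, rejected attempt. Consider clearing both variables on the failure path, or assigning them only at the point where the login is finally accepted. The KRB4 assignment in the previous hunk has the same shape.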
@@ -320,31 +331,6 @@
}
break;
-#ifdef KRB5
- case SSH_CMSG_HAVE_KERBEROS_TGT:
- /* Passing krb5 ticket */
- if (!options.krb5_tgt_passing
- /*|| !options.krb5_authentication */) {
-
- }
-
- if (tkt_client == NULL) {
- /* passing tgt without krb5 authentication */
- }
-
- {
- krb5_data tgt;
- u_int tgtlen;
- tgt.data = packet_get_string(&tgtlen);
- tgt.length = tgtlen;
-
- if (!auth_krb5_tgt(authctxt->user, &tgt, tkt_client))
- verbose ("Kerberos V5 TGT refused for %.100s", authctxt->user);
- xfree(tgt.data);
-
- break;
- }
-#endif /* KRB5 */
default:
/*
* Any unknown messages will be ignored (and failure
diff -r 8cff34d275c8 -r 29158473d2ee crypto/dist/ssh/session.c
--- a/crypto/dist/ssh/session.c Wed Mar 28 01:55:55 2001 +0000
+++ b/crypto/dist/ssh/session.c Wed Mar 28 03:02:51 2001 +0000
@@ -369,6 +369,47 @@
success = 1;
break;
+#if defined(KRB4) || defined(KRB5)
+ /*
+ * Sucks to do this here, but we're authenticated
+ * by the time this happens.
+ *
+ * XXX Add Krb4 TGT and AFS Token passing.
+ */
+ case SSH_CMSG_HAVE_KERBEROS_TGT:
+ {
+ extern int ssh_krb_auth;
+
+#ifdef KRB5
+ if (ssh_krb_auth == 5) {
+ extern krb5_principal tkt_client;
+ extern char *ssh_krb_user;
+ krb5_data tgt;
+ u_int tgtlen;
+
+ if (options.krb5_tgt_passing == 0) {
+ log("Kerberos 5 TGT passing disabled\n");
+ break;
+ }
+
+ tgt.data = packet_get_string(&tgtlen);
+ tgt.length = tgtlen;
+
+ if (!auth_krb5_tgt(ssh_krb_user, &tgt,
+ tkt_client))
+ verbose("Kerberos 5 TGT refused for %.100s", ssh_krb_user);
+ else
+ success = 1;
+
+ xfree(tgt.data);
+ }
+#endif /* KRB5 */
+ else
+ log("Got TGT but didn't use Kerberos\n");
+ break;
+ }
+#endif /* KRB4 || KRB5 */
+
case SSH_CMSG_EXEC_SHELL:
case SSH_CMSG_EXEC_CMD:
if (type == SSH_CMSG_EXEC_CMD) {
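Review bot: The `else` after `#endif /* KRB5 */` has no matching `if` when the tree is built with KRB4 but without KRB5, since the outer guard is `#if defined(KRB4) || defined(KRB5)` and the `if (ssh_krb_auth == 5)` block sits entirely inside `#ifdef KRB5`. Moving the `else` up so that it is the last line before `#endif /* KRB5 */` keeps the KRB5 build unchanged and leaves the `log("Got TGT but didn't use Kerberos\n");` call unconditional in a KRB4-only build. The `log()` strings also carry a trailing `\n`, which the `verbose()` call in the same block does not, so one of the two is probably inconsistent with the logging convention. The enclosing switch and function start and end outside the hunk.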