

[src/trunk]: src >implement kerberos over ssh2 ("kerberos-2%ssh.com@localhost"); tested...



details:   https://anonhg.NetBSD.org/src/rev/182272cbec19
branches:  trunk
changeset: 547184:182272cbec19
user:      itojun <itojun%NetBSD.org@localhost>
date:      Wed May 14 18:22:07 2003 +0000

description:
>implement kerberos over ssh2 ("kerberos-2%ssh.com@localhost"); tested with jakob@
>server interops with commercial client; ok jakob@ djm@

markus@openbsd

diffstat:

 crypto/dist/ssh/auth2.c       |   10 +++-
 crypto/dist/ssh/monitor.c     |    9 ++-
 crypto/dist/ssh/sshconnect2.c |  103 +++++++++++++++++++++++++++++++++++++++++-
 usr.bin/ssh/sshd/Makefile     |    4 +-
 4 files changed, 118 insertions(+), 8 deletions(-)

diffs (231 lines):

diff -r 8b619e38a190 -r 182272cbec19 crypto/dist/ssh/auth2.c
--- a/crypto/dist/ssh/auth2.c   Wed May 14 18:17:02 2003 +0000
+++ b/crypto/dist/ssh/auth2.c   Wed May 14 18:22:07 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: auth2.c,v 1.21 2003/04/03 06:21:32 itojun Exp $        */
+/*     $NetBSD: auth2.c,v 1.22 2003/05/14 18:22:07 itojun Exp $        */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -24,7 +24,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $");
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -51,6 +51,9 @@
 extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
+#ifdef KRB5
+extern Authmethod method_kerberos;
+#endif
 
 Authmethod *authmethods[] = {
        &method_none,
@@ -58,6 +61,9 @@
        &method_passwd,
        &method_kbdint,
        &method_hostbased,
+#ifdef KRB5
+       &method_kerberos,
+#endif
        NULL
 };
 
diff -r 8b619e38a190 -r 182272cbec19 crypto/dist/ssh/monitor.c
--- a/crypto/dist/ssh/monitor.c Wed May 14 18:17:02 2003 +0000
+++ b/crypto/dist/ssh/monitor.c Wed May 14 18:22:07 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: monitor.c,v 1.11 2003/04/03 06:21:33 itojun Exp $      */
+/*     $NetBSD: monitor.c,v 1.12 2003/05/14 18:22:07 itojun Exp $      */
 /*
  * Copyright 2002 Niels Provos <provos%citi.umich.edu@localhost>
  * Copyright 2002 Markus Friedl <markus%openbsd.org@localhost>
@@ -26,7 +26,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.37 2003/04/02 09:48:07 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.39 2003/05/14 02:15:47 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -168,6 +168,9 @@
 #endif
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
+#ifdef KRB5
+    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
     {0, 0, NULL}
 };
 
@@ -1345,6 +1348,8 @@
        }
        mm_request_send(socket, MONITOR_ANS_KRB5, m);
 
+       auth_method = "kerberos";
+
        return success;
 }
 #endif
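Review bot: `auth_method = "kerberos"` is assigned unconditionally after `mm_request_send`, so a rejected ticket is attributed to the kerberos method in the later auth log entry as well as an accepted one; that is useful for spotting failed attempts, but it is not obvious from the two added lines, and a comment such as `/* attribute this attempt, accepted or not, to kerberos for auth logging */` would make the intent clear. The body of mm_answer_krb5 starts outside the hunk, so how `success` is computed is not visible here. The `MON_ONCE|MON_AUTH` entry added to the dispatch table earlier in this file is presumably what limits the request to one per authentication exchange; worth confirming that is the intended pairing with this handler.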
diff -r 8b619e38a190 -r 182272cbec19 crypto/dist/ssh/sshconnect2.c
--- a/crypto/dist/ssh/sshconnect2.c     Wed May 14 18:17:02 2003 +0000
+++ b/crypto/dist/ssh/sshconnect2.c     Wed May 14 18:22:07 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sshconnect2.c,v 1.22 2003/04/03 06:21:36 itojun Exp $  */
+/*     $NetBSD: sshconnect2.c,v 1.23 2003/05/14 18:22:07 itojun Exp $  */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -24,7 +24,11 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.115 2003/04/02 09:48:07 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.118 2003/05/14 02:15:47 markus Exp $");
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
 
 #include "ssh.h"
 #include "ssh2.h"
@@ -185,6 +189,7 @@
 int    userauth_passwd(Authctxt *);
 int    userauth_kbdint(Authctxt *);
 int    userauth_hostbased(Authctxt *);
+int    userauth_kerberos(Authctxt *);
 
 void   userauth(Authctxt *, char *);
 
@@ -200,6 +205,12 @@
                userauth_hostbased,
                &options.hostbased_authentication,
                NULL},
+#if KRB5
+       {"kerberos-2%ssh.com@localhost",
+               userauth_kerberos,
+               &options.kerberos_authentication,
+               NULL},
+#endif
        {"publickey",
                userauth_pubkey,
                &options.pubkey_authentication,
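Review bot: This table entry is guarded with `#if KRB5`, while the `<krb5.h>` include added earlier in this file and the new code in auth2.c and monitor.c use `#ifdef KRB5`; the ssh_krb5_helper/userauth_kerberos hunk further down uses `#if KRB5` too. With the `-DKRB5` in the sshd Makefile both spellings behave the same, but a build that defines `KRB5` with an empty value would fail to preprocess the `#if` form while `#ifdef` still works. I would change both occurrences to `#ifdef KRB5` for consistency. The authmethods table this entry belongs to starts outside the hunk.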
@@ -1069,6 +1080,94 @@
        return 1;
 }
 
+#if KRB5
+static int
+ssh_krb5_helper(krb5_data *ap)
+{
+       krb5_context xcontext = NULL;   /* XXX share with ssh1 */
+       krb5_auth_context xauth_context = NULL;
+
+       krb5_context *context;
+       krb5_auth_context *auth_context;
+       krb5_error_code problem;
+       const char *tkfile;
+       struct stat buf;
+       krb5_ccache ccache = NULL;
+       const char *remotehost;
+       int ret;
+
+       memset(ap, 0, sizeof(*ap));
+
+       context = &xcontext;
+       auth_context = &xauth_context;
+
+       problem = krb5_init_context(context);
+       if (problem) {
+               debug("Kerberos v5: krb5_init_context failed");
+               ret = 0;
+               goto out;
+       }
+
+       tkfile = krb5_cc_default_name(*context);
+       if (strncmp(tkfile, "FILE:", 5) == 0)
+               tkfile += 5;
+
+       if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+               debug("Kerberos v5: could not get default ccache (permission denied).");
+               ret = 0;
+               goto out;
+       }
+
+       problem = krb5_cc_default(*context, &ccache);
+       if (problem) {
+               debug("Kerberos v5: krb5_cc_default failed: %s",
+                   krb5_get_err_text(*context, problem));
+               ret = 0;
+               goto out;
+       }
+
+       remotehost = get_canonical_hostname(1);
+
+       problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+           "host", remotehost, NULL, ccache, ap);
+       if (problem) {
+               debug("Kerberos v5: krb5_mk_req failed: %s",
+                   krb5_get_err_text(*context, problem));
+               ret = 0;
+               goto out;
+       }
+       ret = 1;
+
+ out:
+       if (ccache != NULL)
+               krb5_cc_close(*context, ccache);
+       if (*auth_context)
+               krb5_auth_con_free(*context, *auth_context);
+       if (*context)
+               krb5_free_context(*context);
+       return (ret);
+}
+
+int
+userauth_kerberos(Authctxt *authctxt)
+{
+       krb5_data ap;
+
+       if (ssh_krb5_helper(&ap) == 0)
+               return (0);
+
+       packet_start(SSH2_MSG_USERAUTH_REQUEST);
+       packet_put_cstring(authctxt->server_user);
+       packet_put_cstring(authctxt->service);
+       packet_put_cstring(authctxt->method->name);
+       packet_put_string(ap.data, ap.length);
+       packet_send();
+
+       krb5_data_free(&ap);
+       return (1);
+}
+#endif
+
 /* find auth method */
 
 /*
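Review bot: ssh_krb5_helper requests mutual authentication (`AP_OPTS_MUTUAL_REQUIRED` in the `krb5_mk_req` call) but frees the auth_context at `out:`, and userauth_kerberos sends the AP-REQ and returns without reading any reply, so as far as this hunk shows the client never verifies an AP-REP; if the server side (not in this diff) does not answer with one, peer authentication rests on the SSH host key alone, which deserves a comment above the helper, e.g. `/* Build an AP-REQ for host/<canonical name> from the default ccache. Mutual auth is requested but no AP-REP is verified here. */`. The ccache ownership check (`stat(tkfile, &buf)` against `getuid()`) only has meaning for `FILE:` caches: for any other cache type the name is stat()ed as a path, fails, and the check is silently skipped, and even for files it is a check separated from the later `krb5_cc_default` open, so it should be documented as defense in depth rather than as the access control. `krb5_cc_default_name` may return NULL on failure, which `strncmp` would then dereference; a guard such as `if (tkfile == NULL) { ret = 0; goto out; }` before the strncmp is cheap. The `remotehost` used for the service principal comes from `get_canonical_hostname(1)`, so the principal the ticket is requested for depends on name resolution; a one-line comment stating that assumption would help the next reader.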
diff -r 8b619e38a190 -r 182272cbec19 usr.bin/ssh/sshd/Makefile
--- a/usr.bin/ssh/sshd/Makefile Wed May 14 18:17:02 2003 +0000
+++ b/usr.bin/ssh/sshd/Makefile Wed May 14 18:22:07 2003 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.14 2003/04/03 06:21:38 itojun Exp $
+#      $NetBSD: Makefile,v 1.15 2003/05/14 18:22:07 itojun Exp $
 
 .include <bsd.own.mk>
 
@@ -18,7 +18,7 @@
 
 .if (${USE_KERBEROS} != "no")
 CPPFLAGS+=-DKRB5 -DAFS -I${DESTDIR}/usr/include/krb5
-SRCS+= auth-krb5.c
+SRCS+= auth-krb5.c auth2-krb5.c
 LDADD+=        -lkrb5 -lkafs -lasn1
 DPADD+=        ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
 
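Review bot: `auth2-krb5.c` is added to SRCS but is not among the four files in this changeset's diffstat, so the KRB5 build of sshd depends on that file arriving separately (presumably with the crypto/dist/ssh vendor import); worth confirming it is present before this Makefile change lands. The ssh client's Makefile is not part of this changeset even though sshconnect2.c now needs `<krb5.h>` and the Kerberos libraries under KRB5, so it presumably already carries those flags — also worth a check.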


