Bugzilla – Attachment 128 Details for
Bug 324
privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding
[patch]
KRB4/5 auth with privsep
patch-openssh-privsep-krbafs (text/plain), 11.86 KB, created by
Jan Iven
on 2002-07-03 19:56:04 AEST
Description:
KRB4/5 auth with privsep
Filename:
MIME Type:
Creator:
Jan Iven
Created:
2002-07-03 19:56:04 AEST
Size:
11.86 KB
patch
obsolete
>--- openssh-3.4p1/auth-krb5.c Sun Jun 9 21:41:48 2002
>+++ openssh-3.4p1.CERN/auth-krb5.c Sat Jun 29 22:57:35 2002
>@@ -70,21 +70,19 @@
> /*
> * Try krb5 authentication. server_user is passed for logging purposes
> * only, in auth is received ticket, in client is returned principal
>- * from the ticket
>+ * from the ticket, put things to send back in reply.
> */
> int
>-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
>+auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
> {
> krb5_error_code problem;
> krb5_principal server;
>- krb5_data reply;
> krb5_ticket *ticket;
> int fd, ret;
> 
> ret = 0;
> server = NULL;
> ticket = NULL;
>- reply.length = 0;
> 
> problem = krb5_init(authctxt);
> if (problem)
>@@ -131,7 +129,7 @@
> 
> /* if client wants mutual auth */
> problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
>- &reply);
>+ reply);
> if (problem)
> goto err;
> 
>@@ -144,10 +142,7 @@
> krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
> client);
> 
>- packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
>- packet_put_string((char *) reply.data, reply.length);
>- packet_send();
>- packet_write_wait();
>+ /* sending reply in caller */
> 
> ret = 1;
> err:
>@@ -155,8 +150,6 @@
> krb5_free_principal(authctxt->krb5_ctx, server);
> if (ticket)
> krb5_free_ticket(authctxt->krb5_ctx, ticket);
>- if (reply.length)
>- xfree(reply.data);
> 
> if (problem) {
> if (authctxt->krb5_ctx != NULL)
>--- openssh-3.4p1/sshconnect1.c Thu Jun 6 21:57:34 2002
>+++ openssh-3.4p1.CERN/sshconnect1.c Fri Jun 28 15:26:13 2002
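Review bot: With `reply.length = 0;` removed from auth_krb5 in the -70 hunk, the new out-parameter is left untouched on every `goto err` taken before `krb5_mk_rep` (the `krb5_init` failure at the end of the hunk and whatever lies between, outside the hunk), so a caller can only tell whether `reply->data` is valid if it zeroed the struct itself; auth1.c does, the monitor-side caller added in this patch does not. Initialise it where the old local was initialised, `reply->length = 0; reply->data = NULL;`, so the contract holds for every caller. The -155 hunk also drops the `xfree(reply.data)`, so the header comment should state the ownership transfer, e.g. `* On success reply holds the mutual-auth response; the caller frees reply->data when reply->length != 0.` auth_krb5's body continues outside these hunks.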
>@@ -398,9 +398,10 @@
> struct stat st;
> 
> /* Don't do anything if we don't have any tickets. */
>- if (stat(tkt_string(), &st) < 0)
>+ if (stat(tkt_string(), &st) < 0) {
>+ debug("Kerberos v4: no ticket file %s",tkt_string());
> return 0;
>-
>+ }
> strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
> INST_SZ);
> 
>--- openssh-3.4p1/auth1.c Fri Jun 21 08:21:11 2002
>+++ openssh-3.4p1.CERN/auth1.c Sat Jun 29 22:57:55 2002
>@@ -119,13 +119,19 @@
> if (kdata[0] == 4) { /* KRB_PROT_VERSION */
> #ifdef KRB4
> KTEXT_ST tkt;
>-
>+ KTEXT_ST reply;
> tkt.length = dlen;
> if (tkt.length < MAX_KTXT_LEN)
> memcpy(tkt.dat, kdata, tkt.length);
> 
>- if (auth_krb4(authctxt, &tkt, &client_user)) {
>+ if (PRIVSEP(auth_krb4(authctxt, &tkt, &client_user, &reply))) {
> authenticated = 1;
>+
>+ packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
>+ packet_put_string((char *) reply.dat, reply.length);
>+ packet_send();
>+ packet_write_wait();
>+
> snprintf(info, sizeof(info),
> " tktuser %.100s",
> client_user);
>@@ -133,16 +139,25 @@
> #endif /* KRB4 */
> } else {
> #ifdef KRB5
>- krb5_data tkt;
>+ krb5_data tkt, reply;
> tkt.length = dlen;
> tkt.data = kdata;
>+ reply.length = 0;
> 
>- if (auth_krb5(authctxt, &tkt, &client_user)) {
>+ if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) {
> authenticated = 1;
>+
>+ packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
>+ packet_put_string((char *) reply.data, reply.length);
>+ packet_send();
>+ packet_write_wait();
> snprintf(info, sizeof(info),
> " tktuser %.100s",
> client_user);
> }
>+ if (reply.length)
>+ xfree(reply.data);
>+
> #endif /* KRB5 */
> }
> xfree(kdata);
>--- openssh-3.4p1/auth-krb4.c Tue Jun 11 18:42:49 2002
>+++ openssh-3.4p1.CERN/auth-krb4.c Sat Jun 29 23:53:10 2002
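Review bot: In the auth1.c -119 hunk the new `PRIVSEP(auth_krb4(...))` call is reached even when `dlen >= MAX_KTXT_LEN`, because the guard above it only skips the `memcpy`; `tkt.length` is still `dlen`, so with `use_privsep` set mm_auth_krb4 serialises `dlen` bytes out of the uninitialised `tkt.dat` (a stack over-read in the unprivileged process) and the monitor then `fatal()`s on the oversize request. Reject the oversize ticket before the call, `if (tkt.length < MAX_KTXT_LEN && PRIVSEP(auth_krb4(authctxt, &tkt, &client_user, &reply))) {`, keeping the existing memcpy guard. The KRB5 branch in the -133 hunk sets `reply.length = 0` before its call and frees on `reply.length`, which is the right shape; the KRB4 `reply` is only read on success so it needs no initialisation here. The sshconnect1.c hunk on this line only adds a debug message. The enclosing function starts and ends outside both auth1.c hunks.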
>@@ -210,10 +210,9 @@
> }
> 
> int
>-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
>+auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
> {
> AUTH_DAT adat = {0};
>- KTEXT_ST reply;
> Key_schedule schedule;
> struct sockaddr_in local, foreign;
> char instance[INST_SZ];
>@@ -263,21 +262,16 @@
> 
> /* If we can't successfully encrypt the checksum, we send back an
> empty message, admitting our failure. */
>- if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
>+ if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
> schedule, &adat.session, &local, &foreign)) < 0) {
> debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
>- reply.dat[0] = 0;
>- reply.length = 0;
>+ reply->dat[0] = 0;
>+ reply->length = 0;
> } else
>- reply.length = r;
>+ reply->length = r;
> 
> /* Clear session key. */
> memset(&adat.session, 0, sizeof(&adat.session));
>-
>- packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
>- packet_put_string((char *) reply.dat, reply.length);
>- packet_send();
>- packet_write_wait();
> return (1);
> }
> #endif /* KRB4 */
>--- openssh-3.4p1/monitor.h Tue Jun 11 18:42:49 2002
>+++ openssh-3.4p1.CERN/monitor.h Sun Jun 30 00:01:48 2002
>@@ -33,6 +33,12 @@
> MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
> MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
> MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
>+#ifdef KRB4
>+ MONITOR_REQ_AUTHKRB4, MONITOR_ANS_AUTHKRB4,
>+#endif
>+#ifdef KRB5
>+ MONITOR_REQ_AUTHKRB5, MONITOR_ANS_AUTHKRB5,
>+#endif
> MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
> MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
> MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
>--- openssh-3.4p1/monitor_wrap.c Fri Jun 21 02:43:43 2002
>+++ openssh-3.4p1.CERN/monitor_wrap.c Sun Jun 30 00:04:19 2002
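Review bot: auth_krb4 now writes into the caller-supplied `reply` only on the path through `krb_mk_priv` in the -263 hunk; every earlier `return` in the function (between the two hunks, outside view) leaves `reply->length` unset, and the monitor-side caller added in this patch reads `reply.length` unconditionally. Set `reply->length = 0;` right after the declarations in the -210 hunk so a failed attempt leaves the KTEXT in a defined state. While here, the context line `memset(&adat.session, 0, sizeof(&adat.session));` zeroes only `sizeof` a pointer, not the session key, so the key stays on the stack; `sizeof(adat.session)` is what was meant. The monitor.h hunk on this line is a plain enum addition.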
>@@ -268,6 +268,75 @@
> return (authenticated);
> }
> 
>+/* do Kerberos4 .klogin authentication */
>+#ifdef KRB4
>+int
>+mm_auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
>+{
>+ Buffer m;
>+ int rlen;
>+ int authenticated = 0;
>+ char* reply_tmp;
>+
>+ debug3("%s entering", __func__);
>+
>+ buffer_init(&m);
>+ buffer_put_string(&m, auth->dat, auth->length);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHKRB4, &m);
>+
>+ debug3("%s: waiting for MONITOR_ANS_AUTHKRB4", __func__);
>+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHKRB4, &m);
>+
>+ authenticated = buffer_get_int(&m);
>+ if(authenticated) {
>+ *client = buffer_get_string(&m, NULL);
>+ reply_tmp = buffer_get_string(&m, &rlen);
>+ /* have to get the string back into the fixed char field */
>+ if(rlen >= MAX_KTXT_LEN)
>+ fatal("%s: received too large KRB4 reply from monitor", __func__);
>+ memcpy(reply->dat, reply_tmp, rlen);
>+ reply->length = rlen;
>+ memset(reply_tmp,0, rlen);
>+ xfree(reply_tmp);
>+ }
>+ buffer_free(&m);
>+
>+ debug3("%s: user %s %sauthenticated",
>+ __func__, *client, authenticated ? "" : "not ");
>+ return (authenticated);
>+}
>+#endif /* KRB4 */
>+
>+/* do Kerberos5 .klogin authentication */
>+#ifdef KRB5
>+int
>+mm_auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
>+{
>+ Buffer m;
>+ int authenticated = 0;
>+
>+ debug3("%s entering", __func__);
>+
>+ buffer_init(&m);
>+ buffer_put_string(&m, auth->data, auth->length);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHKRB5, &m);
>+
>+ debug3("%s: waiting for MONITOR_ANS_AUTHKRB5", __func__);
>+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHKRB5, &m);
>+
>+ authenticated = buffer_get_int(&m);
>+ if(authenticated) {
>+ *client = buffer_get_string(&m, NULL);
>+ reply->data = buffer_get_string(&m, &(reply->length));
>+ }
>+ buffer_free(&m);
>+
>+ debug3("%s: user %s %sauthenticated",
>+ __func__, *client, authenticated ? "" : "not ");
>+ return (authenticated);
>+}
>+#endif /* KRB5 */
>+
> int
> mm_user_key_allowed(struct passwd *pw, Key *key)
> {
>--- openssh-3.4p1/auth.h Thu Jun 6 22:52:37 2002
>+++ openssh-3.4p1.CERN/auth.h Sun Jun 30 00:07:33 2002
>@@ -113,20 +113,20 @@
> 
> #ifdef KRB4
> #include <krb.h>
>-int auth_krb4(Authctxt *, KTEXT, char **);
>+int auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
> int auth_krb4_password(Authctxt *, const char *);
> void krb4_cleanup_proc(void *);
> 
> #ifdef AFS
> #include <kafs.h>
> int auth_krb4_tgt(Authctxt *, const char *);
> int auth_afs_token(Authctxt *, const char *);
> #endif /* AFS */
> 
> #endif /* KRB4 */
> 
> #ifdef KRB5
>-int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
>+int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply);
> int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
> int auth_krb5_password(Authctxt *authctxt, const char *password);
> void krb5_cleanup_proc(void *authctxt);
>--- openssh-3.4p1/monitor.c Wed Jun 26 15:27:11 2002
>+++ openssh-3.4p1.CERN/monitor.c Tue Jul 2 11:19:19 2002
>@@ -101,6 +101,12 @@
> int mm_answer_auth2_read_banner(int, Buffer *);
> int mm_answer_authserv(int, Buffer *);
> int mm_answer_authpassword(int, Buffer *);
>+#ifdef KRB4
>+int mm_answer_authkrb4(int, Buffer *);
>+#endif
>+#ifdef KRB5
>+int mm_answer_authkrb5(int, Buffer *);
>+#endif
> int mm_answer_bsdauthquery(int, Buffer *);
> int mm_answer_bsdauthrespond(int, Buffer *);
> int mm_answer_skeyquery(int, Buffer *);
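Review bot: Both new wrappers pass `*client` to `debug3("%s: user %s %sauthenticated", ...)` after the `if(authenticated)` block, yet `*client` is assigned only inside that block, so on a failed attempt the `%s` reads whatever the caller had in `client_user` (its value at that point is not visible in this patch); if that is NULL the format call is undefined behaviour in the unprivileged process. Log the user only when it exists, e.g. `debug3("%s: %sauthenticated", __func__, authenticated ? "" : "not ");` and keep the user in a separate debug inside the block. In mm_auth_krb4 `rlen` is declared `int` but passed as buffer_get_string's length out-pointer, and mm_auth_krb5 passes `&(reply->length)`; both assume those types match buffer_get_string's length parameter, which the hunk does not show — confirm against buffer.h and the installed krb5.h, since a width mismatch would leave part of `reply->length` unwritten. The `rlen >= MAX_KTXT_LEN` check before the `memcpy` into `reply->dat` is the right guard. The auth.h and monitor.c prototype hunks sharing this line are trivial.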
>@@ -188,6 +199,12 @@
> {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
> {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
> {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
>+#ifdef KRB4
>+ {MONITOR_REQ_AUTHKRB4, MON_AUTH, mm_answer_authkrb4},
>+#endif
>+#ifdef KRB5
>+ {MONITOR_REQ_AUTHKRB5, MON_AUTH, mm_answer_authkrb5},
>+#endif
> #ifdef BSD_AUTH
> {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
> {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
>@@ -719,6 +746,87 @@
> }
> #endif
> 
>+#ifdef KRB4
>+int
>+mm_answer_authkrb4(int socket, Buffer *m)
>+{
>+ KTEXT_ST auth;
>+ KTEXT_ST reply;
>+ char *localuser, *auth_tmp;
>+ int authenticated, authlen;
>+
>+ auth_tmp = buffer_get_string(m, &authlen);
>+ if (authlen >= MAX_KTXT_LEN)
>+ fatal("%s: received too large KRB4 auth from privsep", __func__);
>+ memcpy(auth.dat, auth_tmp, authlen);
>+ auth.length = authlen;
>+ memset(auth_tmp,0, authlen);
>+ xfree(auth_tmp);
>+ /* Only authenticate if the context is valid */
>+ authenticated = options.kerberos_authentication &&
>+ authctxt->valid &&
>+ auth_krb4(authctxt, &auth, &localuser, &reply);
>+
>+ memset(auth.dat, 0, authlen);
>+
>+ buffer_clear(m);
>+ buffer_put_int(m, authenticated);
>+ if(authenticated) {
>+ buffer_put_cstring(m, localuser);
>+ buffer_put_string(m, reply.dat, reply.length);
>+ }
>+
>+ memset(reply.dat, 0, reply.length);
>+
>+ debug3("%s: sending result %d", __func__, authenticated);
>+ mm_request_send(socket, MONITOR_ANS_AUTHKRB4, m);
>+
>+ auth_method = "KRB4.klogin";
>+
>+ /* Causes monitor loop to terminate if authenticated */
>+ return (authenticated);
>+}
>+#endif /* KRB4 */
>+
>+#ifdef KRB5
>+int
>+mm_answer_authkrb5(int socket, Buffer *m)
>+{
>+ krb5_data auth;
>+ krb5_data reply;
>+ char *localuser;
>+ int authenticated;
>+
>+ auth.data = buffer_get_string(m, &auth.length);
>+
>+ /* Only authenticate if the context is valid */
>+ authenticated = options.kerberos_authentication &&
>+ authctxt->valid &&
>+ auth_krb5(authctxt, &auth, &localuser, &reply);
>+
>+ memset(auth.data, 0, auth.length);
>+ xfree(auth.data);
>+
>+ buffer_clear(m);
>+ buffer_put_int(m, authenticated);
>+ if(authenticated) {
>+ buffer_put_cstring(m, localuser);
>+ buffer_put_string(m, reply.data, reply.length);
>+ }
>+
>+ memset(reply.data, 0, reply.length);
>+ xfree(reply.data);
>+
>+ debug3("%s: sending result %d", __func__, authenticated);
>+ mm_request_send(socket, MONITOR_ANS_AUTHKRB5, m);
>+
>+ auth_method = "KRB5.klogin";
>+
>+ /* Causes monitor loop to terminate if authenticated */
>+ return (authenticated);
>+}
>+#endif /* KRB5 */
>+
> #ifdef USE_PAM
> int
> mm_answer_pam_start(int socket, Buffer *m)
>--- openssh-3.4p1/monitor_wrap.h Mon May 13 03:07:42 2002
>+++ openssh-3.4p1.CERN/monitor_wrap.h Sun Jun 30 00:52:23 2002
>@@ -30,6 +30,14 @@
> #include "key.h"
> #include "buffer.h"
> 
>+#ifdef KRB4
>+#include <krb.h>
>+#endif
>+
>+#ifdef KRB5
>+#include <krb5.h>
>+#endif
>+
> extern int use_privsep;
> #define PRIVSEP(x) (use_privsep ? mm_##x : x)
> 
>@@ -59,6 +67,18 @@
> void mm_start_pam(char *);
> #endif
> 
>+#ifdef KRB4
>+int mm_auth_krb4(struct Authctxt *, KTEXT , char **, KTEXT );
>+#endif
>+
>+#ifdef AFS
>+int mm_auth_krb4_tgt(struct Authctxt *, const char *, const int);
>+#endif
>+
>+#ifdef KRB5
>+int mm_auth_krb5(struct Authctxt *, krb5_data *, char **, krb5_data *);
>+#endif
>+
> void mm_terminate(void);
> int mm_pty_allocate(int *, int *, char *, int);
> void mm_session_pty_cleanup2(void *);
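Review bot: mm_answer_authkrb5 runs `memset(reply.data, 0, reply.length); xfree(reply.data);` unconditionally, but `reply` is never initialised and `auth_krb5` is short-circuited away whenever `options.kerberos_authentication` or `authctxt->valid` is false (and, per the auth-krb5.c hunks, returns before `krb5_mk_rep` on its early error paths), so the privileged monitor clears and frees an indeterminate pointer. mm_answer_authkrb4 has the same shape in `memset(reply.dat, 0, reply.length);` with an indeterminate `reply.length`. Initialise both right after the declarations, `reply.length = 0;` (plus `reply.data = NULL;` for krb5), and make the cleanup conditional, `if (reply.length) { memset(reply.data, 0, reply.length); xfree(reply.data); }` and `if (reply.length) memset(reply.dat, 0, reply.length);`. `localuser` is serialised but never freed in either handler, and `auth.length` in mm_answer_authkrb5 is passed straight to buffer_get_string as the length out-pointer — confirm the krb5_data length type matches buffer_get_string's parameter, as the hunk does not show either. The monitor_wrap.h hunks sharing this line are reviewed separately below.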
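Review bot: The monitor_wrap.h -59 hunk declares `int mm_auth_krb4_tgt(struct Authctxt *, const char *, const int);` under `#ifdef AFS`, but no definition, MONITOR_REQ value or mm_answer handler for it appears anywhere in this patch, so it is either part of a companion attachment or a dangling prototype; confirm before merging. That `#ifdef AFS` block also sits outside the `#ifdef KRB4` guard, unlike auth.h in this same patch where AFS is nested inside KRB4, so the header declares a KRB4-flavoured function when AFS is defined without KRB4; nesting it, `#ifdef KRB4` / `#ifdef AFS` … `#endif` / `#endif`, mirrors auth.h. The stray spaces in `KTEXT , char **, KTEXT ` are cosmetic. The -30 include hunk is trivial.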