Bugzilla – Attachment 50 Details for
Bug 55
[PATCH] Kerberos v5 support in portable
[patch]
Updated patch, with fixes from reviewers
openssh-mit-krb5-20020319.diff (text/plain), 13.64 KB, created by
Simon Wilkinson
on 2002-03-20 07:39:10 AEDT
(
hide
)
Description:
Updated patch, with fixes from reviewers
Filename:
MIME Type:
Creator:
Simon Wilkinson
Created:
2002-03-20 07:39:10 AEDT
Size:
13.64 KB
patch
obsolete
>Index: Makefile.in
>===================================================================
>RCS file: /cvs/openssh/Makefile.in,v
>retrieving revision 1.199
>diff -c -3 -r1.199 Makefile.in
>*** Makefile.in 13 Mar 2002 02:19:42 -0000 1.199
>--- Makefile.in 19 Mar 2002 20:02:00 -0000
>***************
>*** 54,60 ****
>
> SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
>
>! SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
>--- 54,60 ----
>
> SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
>
>! SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
>Index: acconfig.h
>===================================================================
>RCS file: /cvs/openssh/acconfig.h,v
>retrieving revision 1.122
>diff -c -3 -r1.122 acconfig.h
>*** acconfig.h 26 Feb 2002 16:40:49 -0000 1.122
>--- acconfig.h 19 Mar 2002 20:02:05 -0000
>***************
>*** 178,183 ****
>--- 178,189 ----
> /* Define if libc defines __progname */
> #undef HAVE___PROGNAME
>
>+ /* Define if you want Kerberos 5 support */
>+ #undef KRB5
>+
>+ /* Define this if you are using Heimdal version of Kerberos V5 */
>+ #undef HEIMDAL
>+
> /* Define if you want Kerberos 4 support */
> #undef KRB4
>
>Index: auth-krb5.c
>===================================================================
>RCS file: /cvs/openssh/auth-krb5.c,v
>retrieving revision 1.5
>diff -c -3 -r1.5 auth-krb5.c
>*** auth-krb5.c 5 Mar 2002 01:53:04 -0000 1.5
>--- auth-krb5.c 19 Mar 2002 20:02:10 -0000
>***************
>*** 18,23 ****
>--- 18,26 ----
>
> #ifdef KRB5
> #include <krb5.h>
>+ #ifndef HEIMDAL
>+ #define krb5_get_err_text(context,code) error_message(code)
>+ #endif /* !HEIMDAL */
>
> extern ServerOptions options;
>
>***************
>*** 70,77 ****
>--- 73,87 ----
> goto err;
>
> fd = packet_get_connection_in();
>+ #ifdef HEIMDAL
> problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
> authctxt->krb5_auth_ctx, &fd);
>+ #else
>+ problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
>+ authctxt->krb5_auth_ctx,fd,
>+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
>+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
>+ #endif
> if (problem)
> goto err;
>
>***************
>*** 85,92 ****
>--- 95,108 ----
> if (problem)
> goto err;
>
>+ #ifdef HEIMDAL
> problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
> &authctxt->krb5_user);
>+ #else
>+ problem = krb5_copy_principal(authctxt->krb5_ctx,
>+ ticket->enc_part2->client,
>+ &authctxt->krb5_user);
>+ #endif
> if (problem)
> goto err;
>
>***************
>*** 137,149 ****
>--- 153,189 ----
> krb5_error_code problem;
> krb5_ccache ccache = NULL;
> char *pname;
>+ krb5_creds **creds;
>
> if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
> return (0);
>
> temporarily_use_uid(authctxt->pw);
>
>+ #ifdef HEIMDAL
> problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
>+ #else
>+ {
>+ char ccname[40];
>+ int tmpfd;
>+
>+ snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
>+
>+ if ((tmpfd = mkstemp(ccname))==-1) {
>+ log("mkstemp(): %.100s", strerror(errno));
>+ problem = errno;
>+ goto fail;
>+ }
>+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
>+ log("fchmod(): %.100s", strerror(errno));
>+ close(tmpfd);
>+ problem = errno;
>+ goto fail;
>+ }
>+ close(tmpfd);
>+ problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
>+ }
>+ #endif
> if (problem)
> goto fail;
>
>***************
>*** 152,161 ****
>--- 192,211 ----
> if (problem)
> goto fail;
>
>+ #ifdef HEIMDAL
> problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
> ccache, tgt);
> if (problem)
> goto fail;
>+ #else
>+ problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
>+ tgt, &creds, NULL);
>+ if (problem)
>+ goto fail;
>+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
>+ if (problem)
>+ goto fail;
>+ #endif
>
> authctxt->krb5_fwd_ccache = ccache;
> ccache = NULL;
>***************
>*** 188,193 ****
>--- 238,247 ----
> int
> auth_krb5_password(Authctxt *authctxt, const char *password)
> {
>+ #ifndef HEIMDAL
>+ krb5_creds creds;
>+ krb5_principal server;
>+ #endif
> krb5_error_code problem;
>
> if (authctxt->pw == NULL)
>***************
>*** 204,211 ****
>--- 258,270 ----
> if (problem)
> goto out;
>
>+ #ifdef HEIMDAL
> problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
> &authctxt->krb5_fwd_ccache);
>+ #else
>+ problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:",
>+ &authctxt->krb5_fwd_ccache);
>+ #endif
> if (problem)
> goto out;
>
>***************
>*** 215,222 ****
>--- 274,319 ----
> goto out;
>
> restore_uid();
>+
>+ #ifdef HEIMDAL
> problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
> authctxt->krb5_fwd_ccache, password, 1, NULL);
>+ if (problem) {
>+ temporarily_use_uid(authctxt->pw);
>+ goto out;
>+ }
>+ #else
>+ problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
>+ authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
>+ if (problem) {
>+ temporarily_use_uid(authctxt->pw);
>+ goto out;
>+ }
>+
>+ problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
>+ KRB5_NT_SRV_HST, &server);
>+ if (problem) {
>+ temporarily_use_uid(authctxt->pw);
>+ goto out;
>+ }
>+
>+ problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
>+ NULL, NULL, NULL);
>+
>+ krb5_free_principal(authctxt->krb5_ctx, server);
>+
>+ temporarily_use_uid(authctxt->pw);
>+ if (problem) {
>+ goto out;
>+ }
>+
>+ problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
>+ &creds);
>+ if (problem) {
>+ temporarily_use_uid(authctxt->pw);
>+ goto out;
>+ }
>+ #endif
> temporarily_use_uid(authctxt->pw);
>
> if (problem)
>Index: configure.ac
>===================================================================
>RCS file: /cvs/openssh/configure.ac,v
>retrieving revision 1.26
>diff -c -3 -r1.26 configure.ac
>*** configure.ac 17 Mar 2002 20:17:35 -0000 1.26
>--- configure.ac 19 Mar 2002 20:02:42 -0000
>***************
>*** 1656,1662 ****
> ]
> )
>
>! # Check whether user wants Kerberos support
> KRB4_MSG="no"
> AC_ARG_WITH(kerberos4,
> [ --with-kerberos4=PATH Enable Kerberos 4 support],
>--- 1656,1698 ----
> ]
> )
>
>! # Check whether user wants Kerberos 5 support
>! AC_ARG_WITH(kerberos5,
>! [ --with-kerberos5=PATH Enable Kerberos 5 support],
>! [
>! if test "x$withval" != "xno" ; then
>! if test "x$withval" = "xyes" ; then
>! KRB5ROOT="/usr/local"
>! else
>! KRB5ROOT=${withval}
>! fi
>! CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
>! LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
>! AC_DEFINE(KRB5)
>! AC_MSG_CHECKING(whether we are using Heimdal)
>! AC_TRY_COMPILE([ #include <krb5.h> ],
>! [ char *tmp = heimdal_version; ],
>! [ AC_MSG_RESULT(yes)
>! AC_DEFINE(HEIMDAL)
>! K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
>! ],
>! [ AC_MSG_RESULT(no)
>! K5LIBS="-lkrb5 -lk5crypto -lcom_err"
>! ]
>! )
>! if test ! -z "$need_dash_r" ; then
>! LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
>! fi
>! if test ! -z "$blibpath" ; then
>! blibpath="$blibpath:${KRB5ROOT}/lib"
>! fi
>! AC_CHECK_LIB(resolv, dn_expand, , )
>!
>! KRB5=yes
>! fi
>! ]
>! )
>! # Check whether user wants Kerberos 4 support
> KRB4_MSG="no"
> AC_ARG_WITH(kerberos4,
> [ --with-kerberos4=PATH Enable Kerberos 4 support],
>***************
>*** 1736,1742 ****
> fi
> ]
> )
>! LIBS="$LIBS $KLIBS"
>
> # Looking for programs, paths and files
> AC_ARG_WITH(rsh,
>--- 1772,1778 ----
> fi
> ]
> )
>! LIBS="$LIBS $KLIBS $K5LIBS"
>
> # Looking for programs, paths and files
> AC_ARG_WITH(rsh,
>Index: servconf.c
>===================================================================
>RCS file: /cvs/openssh/servconf.c,v
>retrieving revision 1.79
>diff -c -3 -r1.79 servconf.c
>*** servconf.c 13 Mar 2002 02:19:43 -0000 1.79
>--- servconf.c 19 Mar 2002 20:02:57 -0000
>***************
>*** 12,19 ****
> #include "includes.h"
> RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
>
>! #if defined(KRB4) || defined(KRB5)
> #include <krb.h>
> #endif
> #ifdef AFS
> #include <kafs.h>
>--- 12,28 ----
> #include "includes.h"
> RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
>
>! #if defined(KRB4)
> #include <krb.h>
>+ #endif
>+ #if defined(KRB5)
>+ #ifdef HEIMDAL
>+ #include <krb.h>
>+ #else
>+ /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
>+ * keytab */
>+ #define KEYFILE "/etc/krb5.keytab"
>+ #endif
> #endif
> #ifdef AFS
> #include <kafs.h>
>Index: sshconnect1.c
>===================================================================
>RCS file: /cvs/openssh/sshconnect1.c,v
>retrieving revision 1.46
>diff -c -3 -r1.46 sshconnect1.c
>*** sshconnect1.c 13 Feb 2002 02:54:29 -0000 1.46
>--- sshconnect1.c 19 Mar 2002 20:03:17 -0000
>***************
>*** 23,28 ****
>--- 23,31 ----
> #endif
> #ifdef KRB5
> #include <krb5.h>
>+ #ifndef HEIMDAL
>+ #define krb5_get_err_text(context,code) error_message(code)
>+ #endif /* !HEIMDAL */
> #endif
> #ifdef AFS
> #include <kafs.h>
>***************
>*** 519,524 ****
>--- 522,544 ----
> ret = 0;
> goto out;
> }
>+
>+ problem = krb5_auth_con_init(*context, auth_context);
>+ if (problem) {
>+ debug("Kerberos v5: krb5_auth_con_init failed");
>+ ret = 0;
>+ goto out;
>+ }
>+
>+ #ifndef HEIMDAL
>+ problem = krb5_auth_con_setflags(*context, *auth_context,
>+ KRB5_AUTH_CONTEXT_RET_TIME);
>+ if (problem) {
>+ debug("Keberos v5: krb5_auth_con_setflags failed");
>+ ret = 0;
>+ goto out;
>+ }
>+ #endif
>
> tkfile = krb5_cc_default_name(*context);
> if (strncmp(tkfile, "FILE:", 5) == 0)
>***************
>*** 595,601 ****
>--- 615,625 ----
> if (reply != NULL)
> krb5_free_ap_rep_enc_part(*context, reply);
> if (ap.length > 0)
>+ #ifdef HEIMDAL
> krb5_data_free(&ap);
>+ #else
>+ krb5_free_data_contents(*context, &ap);
>+ #endif
>
> return (ret);
> }
>***************
>*** 608,614 ****
>--- 632,642 ----
> krb5_data outbuf;
> krb5_ccache ccache = NULL;
> krb5_creds creds;
>+ #ifdef HEIMDAL
> krb5_kdc_flags flags;
>+ #else
>+ int forwardable;
>+ #endif
> const char *remotehost;
>
> memset(&creds, 0, sizeof(creds));
>***************
>*** 616,622 ****
>--- 644,656 ----
>
> fd = packet_get_connection_in();
>
>+ #ifdef HEIMDAL
> problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
>+ #else
>+ problem = krb5_auth_con_genaddrs(context, auth_context, fd,
>+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
>+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
>+ #endif
> if (problem)
> goto out;
>
>***************
>*** 628,650 ****
> if (problem)
> goto out;
>
> problem = krb5_build_principal(context, &creds.server,
> strlen(creds.client->realm), creds.client->realm,
> "krbtgt", creds.client->realm, NULL);
> if (problem)
> goto out;
>
> creds.times.endtime = 0;
>
> flags.i = 0;
> flags.b.forwarded = 1;
> flags.b.forwardable = krb5_config_get_bool(context, NULL,
> "libdefaults", "forwardable", NULL);
>-
>- remotehost = get_canonical_hostname(1);
>-
> problem = krb5_get_forwarded_creds(context, auth_context,
> ccache, flags.i, remotehost, &creds, &outbuf);
> if (problem)
> goto out;
>
>--- 662,696 ----
> if (problem)
> goto out;
>
>+ remotehost = get_canonical_hostname(1);
>+
>+ #ifdef HEIMDAL
> problem = krb5_build_principal(context, &creds.server,
> strlen(creds.client->realm), creds.client->realm,
> "krbtgt", creds.client->realm, NULL);
>+ #else
>+ problem = krb5_build_principal(context, &creds.server,
>+ creds.client->realm.length, creds.client->realm.data,
>+ "host", remotehost, NULL);
>+ #endif
> if (problem)
> goto out;
>
> creds.times.endtime = 0;
>
>+ #ifdef HEIMDAL
> flags.i = 0;
> flags.b.forwarded = 1;
> flags.b.forwardable = krb5_config_get_bool(context, NULL,
> "libdefaults", "forwardable", NULL);
> problem = krb5_get_forwarded_creds(context, auth_context,
> ccache, flags.i, remotehost, &creds, &outbuf);
>+ #else
>+ forwardable = 1;
>+ problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
>+ creds.client, creds.server, ccache, forwardable, &outbuf);
>+ #endif
>+
> if (problem)
> goto out;
>
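Review bot: The `krb5_get_err_text` compatibility macro added in the auth-krb5.c hunk at 18,23 is defined again verbatim in the sshconnect1.c hunk at 23,28; one definition in a header both files already include would keep the two from drifting apart. The macro also silently discards its `context` argument, which is correct for MIT's `error_message()` but deserves a one-line comment at the definition, e.g. `/* MIT has no krb5_get_err_text(); error_message() takes only the code */`.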
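Review bot: In the `#else` branch of the credential-cache setup, `problem = errno;` is read only after `log()` has run, and `log()` (syslog, strerror) may overwrite errno, so the code stored and later reported can be wrong; capture it first, `problem = errno; log("mkstemp(): %.100s", strerror(problem));`, and likewise on the fchmod path, where `close()` sits between the failure and the read. `geteuid()` returns uid_t but is formatted with `%d`; cast it, e.g. `"FILE:/tmp/krb5cc_%u_XXXXXX", (unsigned int)geteuid()`. If `krb5_cc_resolve()` fails the freshly created 0600 file is left behind in /tmp unless the `fail:` path, which is outside this hunk, unlinks `ccname`; an `unlink(ccname)` on that error here would be cheaper than teaching the shared cleanup about it. auth_krb5_tgt begins and ends outside this hunk.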
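Review bot: The `creds` array that `krb5_rd_cred()` allocates in the `#else` branch is never released: only `*creds` is copied into the cache, and neither the success path nor the `goto fail` after `krb5_cc_store_cred()` frees it, so every forwarded-TGT login leaks the decrypted credentials (session key included). Add `krb5_free_tgt_creds(authctxt->krb5_ctx, creds);` immediately after the store call, before its `if (problem)`. Storing only the first element silently drops any further forwarded credentials; if that is intended, say so with `/* only the first forwarded credential (the TGT) is kept */`. The `fail:` label and the rest of auth_krb5_tgt are outside this hunk.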
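Review bot: On the non-Heimdal success path `temporarily_use_uid()` runs twice in a row, once after `krb5_free_principal()` and again after `#endif`; temporarily_use_uid() records the current euid as the value restore_uid() later returns to, so the second call can leave sshd stuck at the user's uid, and in OpenSSH versions that track this state it is a fatal error. The `creds` filled by `krb5_get_init_creds_password()` carry a session key and are never released with `krb5_free_cred_contents()`, neither on success nor on the two error exits that follow. `krb5_verify_init_creds()` is passed NULL options, so when the host keytab is missing or unreadable it skips the ticket check unless krb5.conf sets `verify_ap_req_nofail`; a password-login path should request fail-closed behaviour itself via `krb5_verify_init_creds_opt_set_ap_req_nofail()`. The rewrite below lets the existing `temporarily_use_uid()` / `if (problem)` after `#endif` handle every outcome and needs `krb5_verify_init_creds_opt vopt;` added to the `#ifndef HEIMDAL` declarations in the hunk at 188,193. auth_krb5_password begins and ends outside this hunk.
```c
#else
	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
	    authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
	if (problem == 0) {
		problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL,
		    NULL, KRB5_NT_SRV_HST, &server);
		if (problem == 0) {
			/* Fail closed when the host keytab cannot be read;
			 * by default a missing keytab disables verification. */
			krb5_verify_init_creds_opt_init(&vopt);
			krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
			problem = krb5_verify_init_creds(authctxt->krb5_ctx,
			    &creds, server, NULL, NULL, &vopt);
			krb5_free_principal(authctxt->krb5_ctx, server);
		}
		if (problem == 0)
			problem = krb5_cc_store_cred(authctxt->krb5_ctx,
			    authctxt->krb5_fwd_ccache, &creds);
		/* creds holds the session key; release it once stored. */
		krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
	}
#endif
	/* … unchanged: temporarily_use_uid() and the problem check … */
```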
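Review bot: The Heimdal probe runs `AC_TRY_COMPILE` against `<krb5.h>` before anything has confirmed that a usable header exists under `KRB5ROOT`; when it is missing the probe fails and the branch silently concludes "MIT", so a wrong `--with-kerberos5=PATH` is only discovered when the build breaks. An `AC_CHECK_HEADER(krb5.h, , AC_MSG_ERROR([krb5.h not found under $KRB5ROOT]))` ahead of the probe would report it at configure time. The Kerberos 4 branch below sets `KRB4_MSG`, which appears to feed the configuration summary; a matching `KRB5_MSG="yes"` set beside `KRB5=yes` would keep the two options consistent.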
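Review bot: The MIT branch hard-codes `KEYFILE` to `/etc/krb5.keytab`, but an MIT installation may keep its keytab elsewhere via `default_keytab_name` in krb5.conf or `KRB5_KTNAME`, so whatever servconf.c does with KEYFILE (the use is outside this hunk; if it is an `access()` probe that decides the KerberosAuthentication default, that default will be wrong on such hosts) can disagree with the keytab libkrb5 actually opens. The library's own answer is `krb5_kt_default_name()`, which returns the configured path but needs a krb5_context at the point of use. Failing that, the "Bodge" comment should state the assumption it makes, e.g. `/* MIT: assume the default keytab path; must match default_keytab_name in krb5.conf */`.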
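Review bot: The debug string in the `#ifndef HEIMDAL` block misspells the protocol name, `debug("Keberos v5: krb5_auth_con_setflags failed");`; it should read `Kerberos v5` like the message above it, since operators grep logs for that spelling. `auth_context` is now allocated by `krb5_auth_con_init()` before two new `goto out` exits; whether the `out:` path, which lies outside this hunk, releases it on those exits should be confirmed.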
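Review bot: `if (ap.length > 0)` now has a preprocessor conditional inside its unbraced body; it compiles, but it is exactly the shape the always-brace rule exists for, and a second statement later added to either branch would run unconditionally. Brace it as `if (ap.length > 0) {` before `#ifdef HEIMDAL` and `}` after `#endif`.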
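Review bot: The MIT branch hard-codes `forwardable = 1`, whereas the Heimdal branch beside it honours the user's `libdefaults forwardable` setting; an MIT client will therefore always hand the server a TGT that it can forward onward, regardless of the user's configuration. MIT exposes no public libdefaults reader for this, but `krb5_appdefault_boolean(context, "ssh", &creds.client->realm, "forwardable", 1, &forwardable);` would make it settable in `[appdefaults]` while keeping today's default, and the default deserves a comment either way. The `host/remotehost` server principal built for MIT differs from the Heimdal `krbtgt` one; as far as I can tell `krb5_fwd_tgt_creds()` only consults that argument when `rhost` is NULL, so a one-line comment saying why the two branches differ would save the next reader the same investigation. The function continues outside this hunk.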