

(-)Makefile.in (-1 / +1 lines)
Lines 54-60 Link Here
54
54
55
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
55
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
56
56
57
SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
57
SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
58
58
59
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
59
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
60
MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
60
MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
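--- a/acconfig.h
+++ b/acconfig.h
@@ -178,6 +178,12 @@
 /* Define if libc defines __progname */
 #undef HAVE___PROGNAME
 
+/* Define if you want Kerberos 5 support */
+#undef KRB5
+
+/* Define this if you are using Heimdal version of Kerberos V5 */
+#undef HEIMDAL
+
 /* Define if you want Kerberos 4 support */
 #undef KRB4
 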
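--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -18,6 +18,9 @@
 
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 
 extern ServerOptions	 options;
 
@@ -70,8 +73,15 @@
 		goto err;
 
 	fd = packet_get_connection_in();
+#ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
 	    authctxt->krb5_auth_ctx, &fd);
+#else
+	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
+	    authctxt->krb5_auth_ctx,fd,
+	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
 	if (problem)
 		goto err;
 
@@ -85,8 +95,14 @@
 	if (problem)
 		goto err;
 
+#ifdef HEIMDAL
 	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
 	    &authctxt->krb5_user);
+#else
+	problem = krb5_copy_principal(authctxt->krb5_ctx, 
+				      ticket->enc_part2->client,
+				      &authctxt->krb5_user);
+#endif
 	if (problem)
 		goto err;
 
@@ -137,13 +153,37 @@
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
 	char *pname;
+	krb5_creds **creds;
 
 	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 		return (0);
 
 	temporarily_use_uid(authctxt->pw);
 
+#ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
+#else
+{
+	char ccname[40];
+	int tmpfd;
+	
+	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+	
+	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+		log("mkstemp(): %.100s", strerror(errno));
+		problem = errno;
+		goto fail;
+	}
+	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+		log("fchmod(): %.100s", strerror(errno));
+		close(tmpfd);
+		problem = errno;
+		goto fail;
+	}
+	close(tmpfd);
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+}
+#endif
 	if (problem)
 		goto fail;
 
@@ -152,10 +192,20 @@
 	if (problem)
 		goto fail;
 
+#ifdef HEIMDAL
 	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    ccache, tgt);
 	if (problem)
 		goto fail;
+#else
+	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
+	    tgt, &creds, NULL);
+	if (problem)
+		goto fail;
+	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
+	if (problem)
+		goto fail;
+#endif
 
 	authctxt->krb5_fwd_ccache = ccache;
 	ccache = NULL;
@@ -188,6 +238,12 @@
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
+#ifndef HEIMDAL
+	krb5_creds creds;
+	krb5_principal server;
+	char ccname[40];
+	int tmpfd;
+#endif	
 	krb5_error_code problem;
 
 	if (authctxt->pw == NULL)
@@ -204,6 +260,7 @@
 	if (problem)
 		goto out;
 
+#ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
 	    &authctxt->krb5_fwd_ccache);
 	if (problem)
@@ -222,13 +279,69 @@
 	if (problem)
 		goto out;
 
+#else
+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+	if (problem)
+		goto out;
+
+	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+	    KRB5_NT_SRV_HST, &server);
+	if (problem)
+		goto out;
+
+	restore_uid();
+	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+	    NULL, NULL, NULL);
+	krb5_free_principal(authctxt->krb5_ctx, server);
+	temporarily_use_uid(authctxt->pw);
+	if (problem)
+		goto out;
+	
+	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, 
+			  authctxt->pw->pw_name)) {
+	 	problem = -1;
+		goto out;
+	} 
+
+	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+	
+	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+		log("mkstemp(): %.100s", strerror(errno));
+		problem = errno;
+		goto out;
+	}
+	
+	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+		log("fchmod(): %.100s", strerror(errno));
+		close(tmpfd);
+		problem = errno;
+		goto out;
+	}
+	close(tmpfd);
+
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+	if (problem)
+		goto out;
+
+	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+				     authctxt->krb5_user);
+	if (problem)
+		goto out;
+				
+	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+				 &creds);
+	if (problem)
+		goto out;
+#endif		
+
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
  out:
 	restore_uid();
 
 	if (problem) {
-		if (authctxt->krb5_ctx != NULL)
+		if (authctxt->krb5_ctx != NULL && problem!=-1)
 			debug("Kerberos password authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
 		else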
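Review bot: The MIT branch of auth_krb5_password calls `krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL, NULL)` with no options, so whether the freshly obtained TGT is really checked against the host keytab is left to the library's `verify_ap_req_nofail` default; with the default off, a keytab that lacks the host key makes the call return success without verification, which is exactly the KDC-spoofing case a password-based Kerberos login has to close. Initialise a `krb5_verify_init_creds_opt`, set ap_req_nofail on it and pass it, so a missing host key is a hard failure rather than a silent pass. The same branch never releases `creds` obtained from krb5_get_init_creds_password, leaving session-key material in memory after the ccache has been written; a `krb5_free_cred_contents()` on the `out:` path (with `creds` zeroed up front so the early `goto out`s are safe) fixes that, and the `%d` paired with `geteuid()` in the snprintf should be `%u` with an `(unsigned)` cast. auth_krb5_password's body continues past the end of this section.
```c
#ifndef HEIMDAL
	krb5_creds creds;
	krb5_verify_init_creds_opt vopt;
	/* … unchanged: server, ccname, tmpfd … */
#endif
	/* … unchanged: pw check, context/principal setup … */
#ifndef HEIMDAL
	memset(&creds, 0, sizeof(creds));
	/* … unchanged: krb5_get_init_creds_password, krb5_sname_to_principal … */
	restore_uid();
	/* Refuse to "verify" when the host key is absent from the keytab. */
	krb5_verify_init_creds_opt_init(&vopt);
	krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
	    NULL, NULL, &vopt);
	/* … unchanged: free server, kuserok, ccache creation and store … */
#endif
 out:
	restore_uid();
#ifndef HEIMDAL
	krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
#endif
	/* … unchanged: error reporting … */
```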
(-)configure.ac (-2 / +38 lines)
Lines 1656-1662 Link Here
1656
	]
1656
	]
1657
)
1657
)
1658
1658
1659
# Check whether user wants Kerberos support
1659
# Check whether user wants Kerberos 5 support
1660
AC_ARG_WITH(kerberos5,
1661
        [  --with-kerberos5=PATH   Enable Kerberos 5 support],
1662
        [
1663
                if test "x$withval" != "xno" ; then
1664
                        if test "x$withval" = "xyes" ; then
1665
                                KRB5ROOT="/usr/local"
1666
                        else
1667
                                KRB5ROOT=${withval}
1668
                        fi
1669
			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
1670
                        LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
1671
                        AC_DEFINE(KRB5)
1672
                        AC_MSG_CHECKING(whether we are using Heimdal)
1673
                        AC_TRY_COMPILE([ #include <krb5.h> ],
1674
                                       [ char *tmp = heimdal_version; ],
1675
                                       [ AC_MSG_RESULT(yes)
1676
                                         AC_DEFINE(HEIMDAL)
1677
                                         K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
1678
                                       ],
1679
                                       [ AC_MSG_RESULT(no)
1680
                                         K5LIBS="-lkrb5 -lk5crypto -lcom_err"
1681
                                       ]
1682
                        )
1683
                        if test ! -z "$need_dash_r" ; then
1684
                                LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
1685
                        fi
1686
                        if test ! -z "$blibpath" ; then
1687
                                blibpath="$blibpath:${KRB5ROOT}/lib"
1688
                        fi
1689
                        AC_CHECK_LIB(resolv, dn_expand, , )
1690
1691
                        KRB5=yes
1692
                fi
1693
        ]
1694
)
1695
# Check whether user wants Kerberos 4 support
1660
KRB4_MSG="no" 
1696
KRB4_MSG="no" 
1661
AC_ARG_WITH(kerberos4,
1697
AC_ARG_WITH(kerberos4,
1662
	[  --with-kerberos4=PATH   Enable Kerberos 4 support],
1698
	[  --with-kerberos4=PATH   Enable Kerberos 4 support],
Lines 1736-1742 Link Here
1736
		fi
1772
		fi
1737
	]
1773
	]
1738
)
1774
)
1739
LIBS="$LIBS $KLIBS"
1775
LIBS="$LIBS $KLIBS $K5LIBS"
1740
1776
1741
# Looking for programs, paths and files
1777
# Looking for programs, paths and files
1742
AC_ARG_WITH(rsh,
1778
AC_ARG_WITH(rsh,
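Review bot: The Heimdal probe in the new --with-kerberos5 block answers "no" for any compile failure, including krb5.h simply not existing under ${KRB5ROOT}/include, so a wrong path yields a configuration with KRB5 defined and the MIT link set selected that then breaks deep in the build or links against whatever krb5 is on the default search path. Check for the header first, e.g. `AC_CHECK_HEADER(krb5.h, , AC_MSG_ERROR([krb5.h not found under ${KRB5ROOT}]))` ahead of the AC_TRY_COMPILE, so the probe only distinguishes Heimdal from MIT. The block also mixes tab and space indentation (the CPPFLAGS line is tab-indented, the surrounding lines space-indented); the rest of configure.ac's kerberos4 block uses tabs, so that is the convention to follow.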
(-)servconf.c (-1 / +10 lines)
Lines 12-19 Link Here
12
#include "includes.h"
12
#include "includes.h"
13
RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
13
RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
14
14
15
#if defined(KRB4) || defined(KRB5)
15
#if defined(KRB4)
16
#include <krb.h>
16
#include <krb.h>
17
#endif
18
#if defined(KRB5)
19
#ifdef HEIMDAL
20
#include <krb.h>
21
#else
22
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23
 * keytab */
24
#define KEYFILE "/etc/krb5.keytab"
25
#endif
17
#endif
26
#endif
18
#ifdef AFS
27
#ifdef AFS
19
#include <kafs.h>
28
#include <kafs.h>
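Review bot: The MIT branch hard-codes `#define KEYFILE "/etc/krb5.keytab"`, while the library calls added elsewhere in this patch pass a NULL keytab and so use whatever keytab krb5 itself resolves (KRB5_KTNAME or default_keytab_name in krb5.conf); any existence test on KEYFILE further down in servconf.c, presumably when the KerberosAuthentication default is filled in (not visible in this section), can therefore disagree with the keytab the server actually verifies against. Prefer asking the library for its default where a context is available, e.g. `krb5_kt_default_name(ctx, buf, sizeof(buf))` if the targeted MIT release exports it, or at least consult `getenv("KRB5_KTNAME")` before falling back to /etc/krb5.keytab, and replace the "Bodge" comment with a sentence saying which keytab is meant and why. Note too that the Heimdal branch still includes the Kerberos IV header <krb.h> solely to obtain KEYFILE, which keeps the krb4 headers a build-time requirement for a krb5-only configuration.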
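--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -23,6 +23,9 @@
 #endif
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -519,6 +522,23 @@
 		ret = 0;
 		goto out;
 	}
+	
+	problem = krb5_auth_con_init(*context, auth_context);
+	if (problem) {
+		debug("Kerberos v5: krb5_auth_con_init failed");
+		ret = 0;
+		goto out;
+	}
+
+#ifndef HEIMDAL
+	problem = krb5_auth_con_setflags(*context, *auth_context,
+					 KRB5_AUTH_CONTEXT_RET_TIME);
+	if (problem) {
+		debug("Keberos v5: krb5_auth_con_setflags failed");
+		ret = 0;
+		goto out;
+	}
+#endif
 
 	tkfile = krb5_cc_default_name(*context);
 	if (strncmp(tkfile, "FILE:", 5) == 0)
@@ -595,7 +615,11 @@
 	if (reply != NULL)
 		krb5_free_ap_rep_enc_part(*context, reply);
 	if (ap.length > 0)
+#ifdef HEIMDAL
 		krb5_data_free(&ap);
+#else
+		krb5_free_data_contents(*context, &ap);
+#endif
 
 	return (ret);
 }
@@ -608,7 +632,11 @@
 	krb5_data outbuf;
 	krb5_ccache ccache = NULL;
 	krb5_creds creds;
+#ifdef HEIMDAL
 	krb5_kdc_flags flags;
+#else
+	int forwardable;
+#endif
 	const char *remotehost;
 
 	memset(&creds, 0, sizeof(creds));
@@ -616,7 +644,13 @@
 
 	fd = packet_get_connection_in();
 
+#ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
+#else
+	problem = krb5_auth_con_genaddrs(context, auth_context, fd,
+			KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+			KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
 	if (problem)
 		goto out;
 
@@ -628,23 +662,35 @@
 	if (problem)
 		goto out;
 
+	remotehost = get_canonical_hostname(1);
+	
+#ifdef HEIMDAL
 	problem = krb5_build_principal(context, &creds.server,
 	    strlen(creds.client->realm), creds.client->realm,
 	    "krbtgt", creds.client->realm, NULL);
+#else
+	problem = krb5_build_principal(context, &creds.server,
+	    creds.client->realm.length, creds.client->realm.data,
+	    "host", remotehost, NULL);
+#endif
 	if (problem)
 		goto out;
 
 	creds.times.endtime = 0;
 
+#ifdef HEIMDAL
 	flags.i = 0;
 	flags.b.forwarded = 1;
 	flags.b.forwardable = krb5_config_get_bool(context,  NULL,
 	    "libdefaults", "forwardable", NULL);
-
-	remotehost = get_canonical_hostname(1);
-
 	problem = krb5_get_forwarded_creds(context, auth_context,
 	    ccache, flags.i, remotehost, &creds, &outbuf);
+#else
+	forwardable = 1;
+	problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
+	    creds.client, creds.server, ccache, forwardable, &outbuf);
+#endif
+
 	if (problem)
 		goto out;
 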
