
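--- a/openssh-3.8p1/acconfig.h
+++ b/openssh-3.8p1/acconfig.h
@@ -256,6 +256,9 @@
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
+/* Full path of your "kpasswd" program */
+#undef _PATH_KPASSWD_PROG
+
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 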
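--- a/openssh-3.8p1/auth-krb5.c.orig
+++ b/openssh-3.8p1/auth-krb5.c.orig
@@ -42,6 +42,10 @@
 #ifdef KRB5
 #include <krb5.h>
 
+#ifdef HEIMDAL
+#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
+#endif
+
 extern ServerOptions	 options;
 
 static int
@@ -59,6 +63,39 @@
 	return (0);
 }
 
+static int
+try_get_cpw_ticket(Authctxt *authctxt, const char *password)
+{
+	char *realm;
+	size_t cpwprinclen;
+	char *cpwprinc;
+	krb5_error_code problem;
+	krb5_creds creds;
+	memset(&creds, 0, sizeof(creds));
+	problem = krb5_get_default_realm(authctxt->krb5_ctx, &realm);
+	if (problem)
+		return (problem);
+	cpwprinclen = strlen("kadmin/changepw") + 1 + strlen(realm) + 1;
+	cpwprinc = (char *)xmalloc(cpwprinclen);
+	strlcpy(cpwprinc, "kadmin/changepw", cpwprinclen);
+	strlcat(cpwprinc, "@", cpwprinclen);
+	strlcat(cpwprinc, realm, cpwprinclen);
+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+					       authctxt->krb5_user,
+					       (char *)password,
+					       NULL, NULL, 0, cpwprinc, NULL);
+	free(cpwprinc);
+	free(realm);
+	if (problem) {
+		return (problem);
+	}
+	krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
+	disable_forwarding();
+	authctxt->force_pwchange = 1;
+	authctxt->krb5_force_pwchange = 1;
+	return (0);
+}
+
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -102,6 +139,33 @@
 
 	temporarily_use_uid(authctxt->pw);
 
+#ifdef _PATH_KPASSWD_PROG
+	if (problem == KRB5KDC_ERR_KEY_EXP) {
+	}
+	else {
+		krb5_creds creds;
+		int kret = krb5_get_init_creds_password(authctxt->krb5_ctx,
+							&creds,
+							authctxt->krb5_user,
+							(char *)password,
+							NULL, NULL, 0,
+							NULL, NULL);
+	  	if (!kret) { /* ?!?!!? */
+			krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
+			goto not_expired;
+		}
+		else if (kret != KRB5KDC_ERR_KEY_EXP)
+			goto not_expired;
+	}
+
+	problem = try_get_cpw_ticket(authctxt, password);
+	/* if that worked, flag for special handling below */
+	if (!problem)
+		problem = KRB5KDC_ERR_KEY_EXP;
+
+not_expired:
+#endif /* _PATH_KPASSWD_PROG */
+
 	if (problem)
 		goto out;
 
@@ -120,6 +184,14 @@
 #else
 	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
 	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+#ifdef _PATH_KPASSWD_PROG
+	if (problem == KRB5KDC_ERR_KEY_EXP) {
+		problem = try_get_cpw_ticket(authctxt, password);
+		/* if that worked, flag for special handling below */
+		if (!problem)
+			problem = KRB5KDC_ERR_KEY_EXP;
+	}
+#endif /* _PATH_KPASSWD_PROG */
 	if (problem)
 		goto out;
 
@@ -191,7 +263,12 @@
 
 		krb5_cleanup_proc(authctxt);
 
+		if (problem == KRB5KDC_ERR_KEY_EXP)
+			/* return with authctxt->force_pwchange set, so we
+			 * drop straight into kpasswd */
+			return (1);
 		if (options.kerberos_or_local_passwd)
+
 			return (-1);
 		else
 			return (0);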
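Review bot: The `if (problem == KRB5KDC_ERR_KEY_EXP) return (1);` added after `krb5_cleanup_proc()` in the last hunk reports a successful authentication on the strength of an error code alone, and that code is not proof that the kadmin/changepw ticket was obtained: `try_get_cpw_ticket` passes through whatever `krb5_get_init_creds_password` returned, so a KDC that answers the changepw AS-REQ with KEY_EXP — or anyone on the path who injects that KRB-ERROR, which Kerberos does not authenticate — leaves `problem` equal to the sentinel while `krb5_force_pwchange` stays clear, and the user gets a normal session with no verified credentials. The check is also outside `#ifdef _PATH_KPASSWD_PROG`, so in a build where configure found no kpasswd the original KEY_EXP from the user's own AS-REQ reaches it directly with the same result. Key the early return on the flag the cpw path actually sets and guard it like the rest of the patch: `if (problem == KRB5KDC_ERR_KEY_EXP && authctxt->krb5_force_pwchange) return (1);` inside `#ifdef _PATH_KPASSWD_PROG`. Two smaller points in `try_get_cpw_ticket`: no `krb5_verify_init_creds` is visible for the changepw ticket, so if the normal path verifies against the host keytab this one should too, and the principal is built from the default realm rather than the realm of `authctxt->krb5_user`, which breaks for users of other realms. `auth_krb5_password` begins and ends outside the hunks shown, and the section targets `auth-krb5.c.orig` rather than `auth-krb5.c`, so the patch as posted will not apply to the tree.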
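--- a/openssh-3.8p1/auth.h
+++ b/openssh-3.8p1/auth.h
@@ -67,6 +67,9 @@
 	krb5_ccache	 krb5_fwd_ccache;
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
+#ifdef _PATH_KPASSWD_PROG
+	int		 krb5_force_pwchange;
+#endif /* _PATH_KPASSWD_PROG */
 #endif
 	void		*methoddata;
 };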
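--- a/openssh-3.8p1/configure.ac
+++ b/openssh-3.8p1/configure.ac
@@ -2079,6 +2079,13 @@
 		AC_DEFINE(KRB5)
 		KRB5_MSG="yes"
 
+		TestPath="${KRB5ROOT}/bin${PATH_SEPARATOR}$PATH"
+
+		AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)
+		if test ! -z "$PATH_KPASSWD_PROG" ; then
+		   AC_DEFINE_UNQUOTED(_PATH_KPASSWD_PROG, "$PATH_KPASSWD_PROG")
+		fi
+
 		AC_MSG_CHECKING(for krb5-config)
 		if test -x  $KRB5ROOT/bin/krb5-config ; then
 			KRB5CONF=$KRB5ROOT/bin/krb5-config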
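Review bot: `AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)` searches `${KRB5ROOT}/bin` and then the whole of the build user's `$PATH`, so the absolute path that sshd will later `execl()` for password changes is decided by whichever `kpasswd` happened to be first in the builder's environment, and the feature — together with the new authentication branch it enables in auth-krb5.c — is switched on or off silently depending on whether the binary was found. Restrict the search to the Kerberos installation and the system directories, e.g. `AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, ${KRB5ROOT}/bin${PATH_SEPARATOR}/usr/bin)`, or take the path from a `--with-kpasswd=PATH` option, and emit an `AC_MSG_WARN` when nothing is found so the omission shows up in the configure output. The `if`/`fi` block is indented with three spaces where the surrounding lines use tabs.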
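--- a/openssh-3.8p1/session.c
+++ b/openssh-3.8p1/session.c
@@ -1306,7 +1306,13 @@
 	if (s->ttyfd != -1) {
 	    	fprintf(stderr,
 		    "You must change your password now and login again!\n");
-		execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
+#ifdef _PATH_KPASSWD_PROG
+		if (options.kerberos_authentication == 1 &&
+		    s->authctxt->krb5_force_pwchange)
+			execl(_PATH_KPASSWD_PROG, "kpasswd", (char *)NULL);
+		else
+#endif /* _PATH_KPASSWD_PROG */
+			execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
 		perror("passwd");
 	} else {
 		fprintf(stderr,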
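Review bot: If the new `execl(_PATH_KPASSWD_PROG, "kpasswd", (char *)NULL)` fails, control falls through to the pre-existing `perror("passwd")`, so the failure is reported under the wrong program name and the child continues with whatever follows the hunk (presumably an exit) exactly as if passwd had failed; falling back to the local passwd would be wrong for a Kerberos user, so report it explicitly on that branch instead, `perror("kpasswd");`, before the fall-through. The `else` left dangling in front of `#endif` is easy to break in a later edit; braces around both branches would make the pairing explicit. The `options.kerberos_authentication == 1` test looks redundant given that `krb5_force_pwchange` is only set on the Kerberos path in auth-krb5.c, and the branch deserves a comment such as `/* Kerberos password expired: run kpasswd; the creds were released in auth-krb5.c, so it presumably re-prompts */`. kpasswd is also started with no principal argument, so it will derive one from the session's environment — confirm that matches `authctxt->krb5_user` for users outside the default realm. The enclosing function starts and ends outside this hunk.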
