

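--- a/openssh-3.8p1/acconfig.h
+++ b/openssh-3.8p1/acconfig.h
@@ -256,6 +256,9 @@
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
+/* Full path of your "kpasswd" program */
+#undef _PATH_KPASSWD_PROG
+
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
 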
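--- a/openssh-3.8p1/auth-krb5.c
+++ b/openssh-3.8p1/auth-krb5.c
@@ -42,6 +42,10 @@
 #ifdef KRB5
 #include <krb5.h>
 
+#ifdef HEIMDAL
+#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
+#endif
+
 extern ServerOptions	 options;
 
 static int
@@ -59,6 +63,52 @@
 	return (0);
 }
 
+static int
+try_get_cpw_ticket(Authctxt *authctxt, const char *password)
+{
+	char *realm;
+	size_t cpwprinclen;
+	char *cpwprinc;
+	krb5_error_code problem;
+	krb5_creds creds;
+	krb5_get_init_creds_opt opts;
+	memset(&creds, 0, sizeof(creds));
+	problem = krb5_get_default_realm(authctxt->krb5_ctx, &realm);
+	if (problem)
+		return (problem);
+	cpwprinclen = strlen("kadmin/changepw") + 1 + strlen(realm) + 1;
+	cpwprinc = (char *)xmalloc(cpwprinclen);
+	strlcpy(cpwprinc, "kadmin/changepw", cpwprinclen);
+	strlcat(cpwprinc, "@", cpwprinclen);
+	strlcat(cpwprinc, realm, cpwprinclen);
+	/* the MIT libraries seem to require that options incompatible
+	 * with a password-change-service ticket request be reset,
+	 * whereas Heimdal seems to figure this out for itself if
+	 * given a NULL options argument. anyway, do what should work
+	 * for both, now and into the future (hopefully), as MIT's
+	 * kpasswd does */
+	krb5_get_init_creds_opt_init(&opts);
+	krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
+	krb5_get_init_creds_opt_set_renew_life(&opts, 0);
+	krb5_get_init_creds_opt_set_forwardable(&opts, 0);
+	krb5_get_init_creds_opt_set_proxiable(&opts, 0);
+
+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+					       authctxt->krb5_user,
+					       (char *)password,
+					       NULL, NULL, 0, cpwprinc, &opts);
+	free(cpwprinc);
+	free(realm);
+	if (problem) {
+		return (problem);
+	}
+	krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
+	disable_forwarding();
+	authctxt->force_pwchange = 1;
+	authctxt->krb5_force_pwchange = 1;
+	return (0);
+}
+
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -102,6 +152,33 @@
 
 	temporarily_use_uid(authctxt->pw);
 
+#ifdef _PATH_KPASSWD_PROG
+	if (problem == KRB5KDC_ERR_KEY_EXP) {
+	}
+	else {
+		krb5_creds creds;
+		int kret = krb5_get_init_creds_password(authctxt->krb5_ctx,
+							&creds,
+							authctxt->krb5_user,
+							(char *)password,
+							NULL, NULL, 0,
+							NULL, NULL);
+	  	if (!kret) { /* ?!?!!? */
+			krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
+			goto not_expired;
+		}
+		else if (kret != KRB5KDC_ERR_KEY_EXP)
+			goto not_expired;
+	}
+
+	problem = try_get_cpw_ticket(authctxt, password);
+	/* if that worked, flag for special handling below */
+	if (!problem)
+		problem = KRB5KDC_ERR_KEY_EXP;
+
+not_expired:
+#endif /* _PATH_KPASSWD_PROG */
+
 	if (problem)
 		goto out;
 
@@ -120,6 +197,14 @@
 #else
 	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
 	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+#ifdef _PATH_KPASSWD_PROG
+	if (problem == KRB5KDC_ERR_KEY_EXP) {
+		problem = try_get_cpw_ticket(authctxt, password);
+		/* if that worked, flag for special handling below */
+		if (!problem)
+			problem = KRB5KDC_ERR_KEY_EXP;
+	}
+#endif /* _PATH_KPASSWD_PROG */
 	if (problem)
 		goto out;
 
@@ -191,7 +276,12 @@
 
 		krb5_cleanup_proc(authctxt);
 
+		if (problem == KRB5KDC_ERR_KEY_EXP)
+			/* return with authctxt->force_pwchange set, so we
+			 * drop straight into kpasswd */
+			return (1);
 		if (options.kerberos_or_local_passwd)
+
 			return (-1);
 		else
 			return (0);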
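Review bot: The `return (1)` added after `krb5_cleanup_proc()` in the last hunk authenticates unconditionally, whereas the ordinary success return of auth_krb5_password (below this hunk; in 3.8p1 it reads `return (authctxt->valid ? 1 : 0);` as far as I recall) still requires a valid local account, so `return (authctxt->valid ? 1 : 0);` is the consistent form for the expired-key branch too. That branch is reached through `goto out` from the `problem = KRB5KDC_ERR_KEY_EXP` assignments in the third and fourth hunks, which skips the keytab verification step the normal path performs (`krb5_verify_init_creds()` on MIT, secure `krb5_verify_user()` on Heimdal, as I read the surrounding 3.8p1 code), so an expired-key login is decided on an AS-REP for `kadmin/changepw` that the host cannot check against its own key; `try_get_cpw_ticket` deserves a comment stating that limitation, and the feature is better behind an explicit run-time server option than switched on whenever configure happens to find kpasswd. In the Heimdal hunk the empty `if (problem == KRB5KDC_ERR_KEY_EXP) { } else { ... }` also issues a second `krb5_get_init_creds_password()` request on every login whose `krb5_verify_user()` already succeeded (`problem == 0`); an `if (!problem) goto not_expired;` ahead of it avoids that extra KDC round trip. Finally, `try_get_cpw_ticket` releases the realm from `krb5_get_default_realm()` with plain `free()` where MIT provides `krb5_free_default_realm()`, and because the expired-key result still travels through the `problem != 0` error branch it is logged only as a debug-level "Kerberos password authentication failed", leaving no distinct audit record of an accepted expired-password login.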
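--- a/openssh-3.8p1/auth.h
+++ b/openssh-3.8p1/auth.h
@@ -67,6 +67,9 @@
 	krb5_ccache	 krb5_fwd_ccache;
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
+#ifdef _PATH_KPASSWD_PROG
+	int		 krb5_force_pwchange;
+#endif /* _PATH_KPASSWD_PROG */
 #endif
 	void		*methoddata;
 };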
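--- a/openssh-3.8p1/configure.ac
+++ b/openssh-3.8p1/configure.ac
@@ -2079,6 +2079,13 @@
 		AC_DEFINE(KRB5)
 		KRB5_MSG="yes"
 
+		TestPath="${KRB5ROOT}/bin${PATH_SEPARATOR}$PATH"
+
+		AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)
+		if test ! -z "$PATH_KPASSWD_PROG" ; then
+		   AC_DEFINE_UNQUOTED(_PATH_KPASSWD_PROG, "$PATH_KPASSWD_PROG")
+		fi
+
 		AC_MSG_CHECKING(for krb5-config)
 		if test -x  $KRB5ROOT/bin/krb5-config ; then
 			KRB5CONF=$KRB5ROOT/bin/krb5-config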
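Review bot: `AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)` switches the expired-password authentication path on or off silently according to what happens to be on the build host's `$PATH`, and bakes that absolute path into sshd, which later execs it as the authenticated user; two builds of the same source can therefore differ in authentication behaviour with no configure flag involved and nothing printed in the summary. A configure option such as `--with-kpasswd[=PATH]` (or at least an `AC_MSG_RESULT` reporting the decision) would make the choice visible to the packager, and searching only `${KRB5ROOT}/bin` rather than the whole `$PATH` would keep the compiled-in path tied to the Kerberos installation actually selected. Minor: `test ! -z "$PATH_KPASSWD_PROG"` is more idiomatically `test -n "$PATH_KPASSWD_PROG"`.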
(-)openssh-3.8p1/session.c (-1 / +7 lines)
Lines 1306-1312 Link Here
1306
	if (s->ttyfd != -1) {
1306
	if (s->ttyfd != -1) {
1307
	    	fprintf(stderr,
1307
	    	fprintf(stderr,
1308
		    "You must change your password now and login again!\n");
1308
		    "You must change your password now and login again!\n");
1309
		execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
1309
#ifdef _PATH_KPASSWD_PROG
1310
		if (options.kerberos_authentication == 1 &&
1311
		    s->authctxt->krb5_force_pwchange)
1312
			execl(_PATH_KPASSWD_PROG, "kpasswd", (char *)NULL);
1313
		else
1314
#endif /* _PATH_KPASSWD_PROG */
1315
			execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
1310
		perror("passwd");
1316
		perror("passwd");
1311
	} else {
1317
	} else {
1312
		fprintf(stderr,
1318
		fprintf(stderr,
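Review bot: The `else` added in front of `#endif /* _PATH_KPASSWD_PROG */` leaves both `execl()` calls as unbraced bodies with a preprocessor boundary running through the middle of the statement, and when the kpasswd exec fails the unchanged `perror("passwd")` names the wrong program; choosing the program and argv[0] first and keeping a single `execl()`/`perror()` pair removes both problems. The enclosing function starts and ends outside the hunk, so the declaration below assumes the `if (s->ttyfd != -1)` block has no other declarations it would have to precede. The `#ifdef` around the test itself has to stay, since `krb5_force_pwchange` exists only under `_PATH_KPASSWD_PROG` in this patch's auth.h.

```c
	if (s->ttyfd != -1) {
		const char *prog = _PATH_PASSWD_PROG, *argv0 = "passwd";
		/* … unchanged: fprintf(stderr, "You must change your password now ...") … */
#ifdef _PATH_KPASSWD_PROG
		if (options.kerberos_authentication == 1 &&
		    s->authctxt->krb5_force_pwchange) {
			prog = _PATH_KPASSWD_PROG;
			argv0 = "kpasswd";
		}
#endif /* _PATH_KPASSWD_PROG */
		execl(prog, argv0, (char *)NULL);
		perror(argv0);
```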
