
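--- a/Makefile.in
+++ b/Makefile.in
@@ -50,7 +50,7 @@
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
 MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1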
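--- a/acconfig.h
+++ b/acconfig.h
@@ -181,6 +181,12 @@
 /* Define if libc defines __progname */
 #undef HAVE___PROGNAME
 
+/* Define if you want Kerberos 5 support */
+#undef KRB5
+
+/* Define this if you are using Heimdal version of Kerberos V5 */
+#undef HEIMDAL
+
 /* Define if you want Kerberos 4 support */
 #undef KRB4
 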
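--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -17,6 +17,9 @@
 
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 
 extern ServerOptions	 options;
 
@@ -69,8 +72,15 @@
 		goto err;
 	
 	fd = packet_get_connection_in();
+#ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
 	    authctxt->krb5_auth_ctx, &fd);
+#else
+	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
+	    authctxt->krb5_auth_ctx,fd,
+	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
 	if (problem)
 		goto err;
 	
@@ -84,8 +94,13 @@
 	if (problem)
 		goto err;
 	
+#ifdef HEIMDAL	
 	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
 	    &authctxt->krb5_user);
+#else
+	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->enc_part2->client,
+	    &authctxt->krb5_user);
+#endif
 	if (problem)
 		goto err;
 	
@@ -131,13 +146,23 @@
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
 	char *pname;
+	krb5_creds **creds;
 	
 	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 		return (0);
 	
 	temporarily_use_uid(authctxt->pw);
 	
+#ifdef HEIMDAL	
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
+#else
+{
+	char ccname[35];
+	
+	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", authctxt->pw->pw_uid);
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+}
+#endif
 	if (problem)
 		goto fail;
 	
@@ -146,10 +171,20 @@
 	if (problem)
 		goto fail;
 	
+#ifdef HEIMDAL	
 	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    ccache, tgt);
 	if (problem)
 		goto fail;
+#else
+	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
+	    tgt, &creds, NULL);
+	if (problem) 
+		goto fail;
+	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
+	if (problem)
+	        goto fail;
+#endif
 	
 	authctxt->krb5_fwd_ccache = ccache;
 	ccache = NULL;
@@ -182,6 +217,10 @@
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
+#ifndef HEIMDAL
+        krb5_creds creds;
+	krb5_principal server;
+#endif	
 	krb5_error_code problem;
 	
 	if (authctxt->pw == NULL)
@@ -198,8 +237,13 @@
 	if (problem)
 		goto out;
 	
+#ifdef HEIMDAL	
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
 	    &authctxt->krb5_fwd_ccache);
+#else
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", 
+	    &authctxt->krb5_fwd_ccache);
+#endif
 	if (problem)
 		goto out;
 	
@@ -208,11 +252,38 @@
 	if (problem)
 		goto out;
 	
+#ifdef HEIMDAL	
 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
 	    authctxt->krb5_fwd_ccache, password, 1, NULL);
 	if (problem)
 		goto out;
 	
+#else
+        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, 
+            authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
+        if (problem)
+        	goto out;
+
+        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, 
+            KRB5_NT_SRV_HST, &server);
+        if (problem)
+        	goto out;
+
+	restore_uid();
+        problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL, 
+            NULL);
+	temporarily_use_uid(authctxt->pw);
+	
+        krb5_free_principal(authctxt->krb5_ctx, server);
+        if (problem)
+        	goto out;
+
+	problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds);
+	if (problem)
+		goto out;
+
+#endif /* HEIMDAL */
+
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 	
  out: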
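Review bot: The MIT branch of auth_krb5_tgt resolves the forwarded-credential cache to a fixed, predictable path, `FILE:/tmp/krb5cc_<uid>` (new line 162), where the Heimdal branch lets krb5_cc_gen_new create a fresh file; because /tmp is world-writable, another local user can plant that name (or a symlink there) before the login, and the cache initialize/store that follows, running under temporarily_use_uid (context line 154), will operate on the planted file. Creating the cache with mkstemp under the user's uid and only then handing the name to krb5_cc_resolve closes that window; the rewrite below also casts pw_uid, which the `%d` conversion currently mismatches on platforms where uid_t is unsigned. In auth_krb5_password, `krb5_verify_init_creds(..., NULL)` at new lines 273-274 uses MIT's default options, under which a missing host keytab entry silently skips the KDC-spoofing check unless krb5.conf sets verify_ap_req_nofail; initialise an options struct with `krb5_verify_init_creds_opt_init(&vopt); krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);` and pass `&vopt` so an unreadable keytab fails the login instead of weakening it. The `creds` array filled by krb5_rd_cred (new line 181) also appears never to be released with krb5_free_tgt_creds; its natural home is auth_krb5_tgt's fail label, which lies outside the hunk.
```c
#else
{
	char ccname[64];
	int tmpfd;

	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u_XXXXXX",
	    (unsigned)authctxt->pw->pw_uid);
	/* mkstemp() runs as the user (temporarily_use_uid above), so the file
	 * is created 0600 under a name nobody else could have pre-planted. */
	tmpfd = mkstemp(ccname + strlen("FILE:"));
	if (tmpfd == -1) {
		problem = errno;	/* errno values are valid krb5_error_codes in MIT */
		goto fail;
	}
	close(tmpfd);
	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
}
#endif
/* … unchanged: krb5_cc_initialize / rd_cred / store_cred … */
```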
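--- a/configure.ac
+++ b/configure.ac
@@ -1386,7 +1386,43 @@
 	]
 )
 
-# Check whether user wants Kerberos support
+# Check whether user wants Kerberos 5 support
+AC_ARG_WITH(kerberos5,
+        [  --with-kerberos5=PATH   Enable Kerberos 5 support],
+        [
+                if test "x$withval" != "xno" ; then
+                        if test "x$withval" = "xyes" ; then
+                                KRB5ROOT="/usr/local"
+                        else
+                                KRB5ROOT=${withval}
+                        fi
+			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
+                        LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+                        AC_DEFINE(KRB5)
+                        AC_MSG_CHECKING(whether we are using Heimdal)
+                        AC_TRY_COMPILE([ #include <krb5.h> ],
+                                       [ char *tmp = heimdal_version; ],
+                                       [ AC_MSG_RESULT(yes)
+                                         AC_DEFINE(HEIMDAL)
+                                         K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
+                                       ],
+                                       [ AC_MSG_RESULT(no)
+                                         K5LIBS="-lkrb5 -lk5crypto -lcom_err"
+                                       ]
+                        )
+                        if test ! -z "$need_dash_r" ; then
+                                LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+                        fi
+                        if test ! -z "$blibpath" ; then
+                                blibpath="$blibpath:${KRB5ROOT}/lib"
+                        fi
+                        AC_CHECK_LIB(resolv, dn_expand, , )
+
+                        KRB5=yes
+                fi
+        ]
+)
+# Check whether user wants Kerberos 4 support
 KRB4_MSG="no" 
 AC_ARG_WITH(kerberos4,
 	[  --with-kerberos4=PATH   Enable Kerberos 4 support],
@@ -1466,7 +1502,7 @@
 		fi
 	]
 )
-LIBS="$LIBS $KLIBS"
+LIBS="$LIBS $KLIBS $K5LIBS"
 
 # Looking for programs, paths and files
 AC_ARG_WITH(rsh,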
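Review bot: The new `--with-kerberos5` block (new lines 1390-1424) defines KRB5 and falls through to the MIT link list whenever the Heimdal probe fails to compile, which includes the case where `<krb5.h>` is simply absent from `$KRB5ROOT/include`, so a mistyped path surfaces only as a link error much later rather than as a configure-time failure. Guard the probe with a header check placed after CPPFLAGS is extended and before `AC_DEFINE(KRB5)`, e.g. `AC_CHECK_HEADER(krb5.h, , AC_MSG_ERROR([krb5.h not found under ${KRB5ROOT}/include]))`. The probe body `char *tmp = heimdal_version;` relies on the header declaring a `heimdal_version` symbol; that matches Heimdal of this era as far as I know, but the diff itself does not show it, so a comment naming the assumption would help the next person who sees the MIT branch chosen unexpectedly.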
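--- a/servconf.c
+++ b/servconf.c
@@ -12,8 +12,17 @@
 #include "includes.h"
 RCSID("$OpenBSD: servconf.c,v 1.94 2001/12/06 13:30:05 markus Exp $");
 
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
 #include <krb.h>
+#endif
+#if defined(KRB5)
+#ifdef HEIMDAL
+#include <krb.h>
+#else
+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
+ * keytab */
+#define KEYFILE "/etc/krb5.keytab"
+#endif
 #endif
 #ifdef AFS
 #include <kafs.h>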
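Review bot: The MIT fallback hard-codes `#define KEYFILE "/etc/krb5.keytab"` (new line 24), but the MIT library resolves its own keytab from the `default_keytab_name` profile setting or `$KRB5_KTNAME`, so whatever consumes KEYFILE (outside this hunk) can disagree with the keytab the library actually opens in auth-krb5.c's krb5_verify_init_creds call. Prefer asking the library at the point of use, e.g. `krb5_kt_default_name(ctx, buf, sizeof(buf))`, or at least make the comment state the assumption: `/* MIT: krb5.h has no KEYFILE; assume the library default. Must agree with default_keytab_name / KRB5_KTNAME. */`. The existing "Bodge" wording acknowledges the hack but does not tell a reader what can go wrong.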
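--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -23,6 +23,9 @@
 #endif
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -523,6 +526,23 @@
 		goto out;
 	}
 	
+	problem = krb5_auth_con_init(*context, auth_context);
+	if (problem) {
+		debug("Kerberos v5: krb5_auth_con_init failed");
+		ret = 0;
+		goto out;
+	}
+
+#ifndef HEIMDAL	
+	problem = krb5_auth_con_setflags(*context, *auth_context,
+					 KRB5_AUTH_CONTEXT_RET_TIME);
+	if (problem) {
+		debug("Kerberos v5: krb5_auth_con_setflags failed");
+		ret = 0;
+		goto out;
+	}				 
+#endif
+
 	tkfile = krb5_cc_default_name(*context);
 	if (strncmp(tkfile, "FILE:", 5) == 0)
 		tkfile += 5;
@@ -599,7 +619,11 @@
 	if (reply != NULL)
 		krb5_free_ap_rep_enc_part(*context, reply);
 	if (ap.length > 0)
+#ifdef HEIMDAL
 		krb5_data_free(&ap);
+#else
+		xfree(ap.data);
+#endif	
 	
 	return (ret);
 }
@@ -612,7 +636,11 @@
 	krb5_data outbuf;
 	krb5_ccache ccache = NULL;
 	krb5_creds creds;
+#ifdef HEIMDAL
 	krb5_kdc_flags flags;
+#else
+	int forwardable;
+#endif
 	const char *remotehost;
 	
 	memset(&creds, 0, sizeof(creds));
@@ -620,9 +648,19 @@
 	
 	fd = packet_get_connection_in();
 	
+#ifdef HEIMDAL	
 	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
 	if (problem)
 		goto out;
+#else
+        problem = krb5_auth_con_genaddrs(context, auth_context, fd,
+			KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+			KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+	if (problem) {
+		debug("krb5_auth_con_genaddrs: %.100s", error_message(problem));
+                goto out;
+        }
+#endif
 	
 	problem = krb5_cc_default(context, &ccache);
 	if (problem)
@@ -632,14 +670,22 @@
 	if (problem)
 		goto out;
 	
+#ifdef HEIMDAL
 	problem = krb5_build_principal(context, &creds.server,
 	    strlen(creds.client->realm), creds.client->realm,
 	    "krbtgt", creds.client->realm, NULL);
+#else
+	problem = krb5_build_principal(context, &creds.server,
+	    creds.client->realm.length, creds.client->realm.data,
+	    "krbtgt", creds.client->realm.data, NULL);
+#endif
+
 	if (problem)
 		goto out;
 	
 	creds.times.endtime = 0;
 	
+#ifdef HEIMDAL	
 	flags.i = 0;
 	flags.b.forwarded = 1;
 	flags.b.forwardable = krb5_config_get_bool(context,  NULL,
@@ -651,6 +697,17 @@
 	    ccache, flags.i, remotehost, &creds, &outbuf);
 	if (problem)
 		goto out;
+#else
+	forwardable = 1;
+
+	remotehost = get_canonical_hostname(1);
+
+        problem = krb5_fwd_tgt_creds (context, auth_context, 
+            remotehost, creds.client, creds.server, ccache, forwardable,
+            &outbuf);
+        if (problem)
+        	goto out;
+#endif
 	
 	packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
 	packet_put_string((char *)outbuf.data, outbuf.length);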
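Review bot: In the MIT branch of send_krb5_tgt the forwarded TGT is unconditionally made re-forwardable (`forwardable = 1;` at new line 701), whereas the Heimdal branch takes that bit from the libdefaults `forwardable` setting (context line 691), so an MIT build hands every server a credential it may forward onward regardless of the user's krb5.conf, which is both a least-privilege regression and an inconsistency between the two builds. MIT offers no exact equivalent of krb5_config_get_bool in its public API, but `krb5_appdefault_boolean(context, "ssh", NULL, "forwardable", 0, &forwardable);` would at least make it an opt-in via [appdefaults] and default to the safer value; if a libdefaults lookup is wanted instead, it needs the profile API, which I would confirm against the MIT version being targeted. Separately, the MIT krb5_build_principal call at new line 680 passes `creds.client->realm.data` as a NUL-terminated C string for the second component, yet krb5_data carries an explicit length and the type does not promise termination, so copying the realm into a terminated buffer first (or using krb5_build_principal_ext with explicit lengths) would remove the dependence on the ccache reader's behaviour. The function's cleanup path, where outbuf and creds are released, lies outside the hunk.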
