Bugzilla – Attachment 6 Details for
Bug 55
[PATCH] Kerberos v5 support in portable
Patch to provide MIT Kerberos support
openssh-mit-krb5.diff (text/plain), 11.48 KB, created by
Simon Wilkinson
on 2001-12-20 04:15:40 AEDT
Description:
Patch to provide MIT Kerberos support
Filename:
MIME Type:
Creator:
Simon Wilkinson
Created:
2001-12-20 04:15:40 AEDT
Size:
11.48 KB
>Index: Makefile.in
>===================================================================
>RCS file: /cvs/openssh/Makefile.in,v
>retrieving revision 1.190
>diff -u -r1.190 Makefile.in
>--- Makefile.in 11 Nov 2001 23:34:23 -0000 1.190
>+++ Makefile.in 19 Dec 2001 17:01:30 -0000
>@@ -50,7 +50,7 @@
>
> SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
>
>-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
>+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
>Index: acconfig.h
>===================================================================
>RCS file: /cvs/openssh/acconfig.h,v
>retrieving revision 1.120
>diff -u -r1.120 acconfig.h
>--- acconfig.h 7 Dec 2001 17:20:48 -0000 1.120
>+++ acconfig.h 19 Dec 2001 17:01:36 -0000
>@@ -181,6 +181,12 @@
> /* Define if libc defines __progname */
> #undef HAVE___PROGNAME
>
>+/* Define if you want Kerberos 5 support */
>+#undef KRB5
>+
>+/* Define this if you are using Heimdal version of Kerberos V5 */
>+#undef HEIMDAL
>+
> /* Define if you want Kerberos 4 support */
> #undef KRB4
>
>Index: auth-krb5.c
>===================================================================
>RCS file: /cvs/openssh/auth-krb5.c,v
>retrieving revision 1.2
>diff -u -r1.2 auth-krb5.c
>--- auth-krb5.c 13 Nov 2001 13:02:11 -0000 1.2
>+++ auth-krb5.c 19 Dec 2001 17:01:42 -0000
>@@ -17,6 +17,9 @@
>
> #ifdef KRB5
> #include <krb5.h>
>+#ifndef HEIMDAL
>+#define krb5_get_err_text(context,code) error_message(code)
>+#endif /* !HEIMDAL */
>
> extern ServerOptions options;
>
>@@ -69,8 +72,15 @@
> goto err;
>
> fd = packet_get_connection_in();
>+#ifdef HEIMDAL
> problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
> authctxt->krb5_auth_ctx, &fd);
>+#else
>+ problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
>+ authctxt->krb5_auth_ctx,fd,
>+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
>+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
>+#endif
> if (problem)
> goto err;
>
>@@ -84,8 +94,13 @@
> if (problem)
> goto err;
>
>+#ifdef HEIMDAL
> problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
> &authctxt->krb5_user);
>+#else
>+ problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->enc_part2->client,
>+ &authctxt->krb5_user);
>+#endif
> if (problem)
> goto err;
>
>@@ -131,13 +146,23 @@
> krb5_error_code problem;
> krb5_ccache ccache = NULL;
> char *pname;
>+ krb5_creds **creds;
>
> if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
> return (0);
>
> temporarily_use_uid(authctxt->pw);
>
>+#ifdef HEIMDAL
> problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
>+#else
>+{
>+ char ccname[35];
>+
>+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", authctxt->pw->pw_uid);
>+ problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
>+}
>+#endif
> if (problem)
> goto fail;
>
>@@ -146,10 +171,20 @@
> if (problem)
> goto fail;
>
>+#ifdef HEIMDAL
> problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
> ccache, tgt);
> if (problem)
> goto fail;
>+#else
>+ problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
>+ tgt, &creds, NULL);
>+ if (problem)
>+ goto fail;
>+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
>+ if (problem)
>+ goto fail;
>+#endif
>
> authctxt->krb5_fwd_ccache = ccache;
> ccache = NULL;
>@@ -182,6 +217,10 @@
> int
> auth_krb5_password(Authctxt *authctxt, const char *password)
> {
>+#ifndef HEIMDAL
>+ krb5_creds creds;
>+ krb5_principal server;
>+#endif
> krb5_error_code problem;
>
> if (authctxt->pw == NULL)
>@@ -198,8 +237,13 @@
> if (problem)
> goto out;
>
>+#ifdef HEIMDAL
> problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
> &authctxt->krb5_fwd_ccache);
>+#else
>+ problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:",
>+ &authctxt->krb5_fwd_ccache);
>+#endif
> if (problem)
> goto out;
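Review bot: The non-Heimdal branch of the `@@ -131,13 +146,23 @@` hunk builds the forwarded-ticket cache name `FILE:/tmp/krb5cc_%d` from the uid alone, so the path is predictable in a world-writable directory and any file already present there is reused, whereas the Heimdal branch asks `krb5_cc_gen_new` for a fresh cache. Creating a unique file with `mkstemp` while the uid is still switched, and resolving that name, removes the predictable path and stops concurrent sessions of one user from sharing a cache. `%d` is also paired with a `uid_t` argument, which should be cast explicitly. The enclosing function starts and ends outside the hunk.

```c
#else
{
	char ccname[64];
	int tmpfd;

	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu_XXXXXX",
	    (unsigned long)authctxt->pw->pw_uid);
	/* mkstemp() creates the file exclusively, mode 0600, as the user */
	tmpfd = mkstemp(ccname + strlen("FILE:"));
	if (tmpfd == -1) {
		problem = errno;
		goto fail;
	}
	close(tmpfd);
	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
}
#endif
```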
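Review bot: In the `@@ -146,10 +171,20 @@` hunk `krb5_rd_cred` hands back a NULL-terminated array in `creds`, but the non-Heimdal branch stores only `*creds` and never releases the array, so the decoded ticket and its session key stay allocated after the store, including when `krb5_cc_store_cred` fails and control goes to `fail`. Calling `krb5_free_tgt_creds(authctxt->krb5_ctx, creds);` once the store has been attempted would release them. The `fail:` label is outside the hunk, so whether cleanup there could reach `creds` is not visible here.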
>
>@@ -208,11 +252,38 @@
> if (problem)
> goto out;
>
>+#ifdef HEIMDAL
> problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
> authctxt->krb5_fwd_ccache, password, 1, NULL);
> if (problem)
> goto out;
>
>+#else
>+ problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
>+ authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
>+ if (problem)
>+ goto out;
>+
>+ problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
>+ KRB5_NT_SRV_HST, &server);
>+ if (problem)
>+ goto out;
>+
>+ restore_uid();
>+ problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, NULL, NULL,
>+ NULL);
>+ temporarily_use_uid(authctxt->pw);
>+
>+ krb5_free_principal(authctxt->krb5_ctx, server);
>+ if (problem)
>+ goto out;
>+
>+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds);
>+ if (problem)
>+ goto out;
>+
>+#endif /* HEIMDAL */
>+
> authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
>
> out:
>Index: configure.ac
>===================================================================
>RCS file: /cvs/openssh/configure.ac,v
>retrieving revision 1.6
>diff -u -r1.6 configure.ac
>--- configure.ac 7 Dec 2001 17:20:48 -0000 1.6
>+++ configure.ac 19 Dec 2001 17:02:08 -0000
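Review bot: `krb5_verify_init_creds` in the `@@ -208,11 +252,38 @@` hunk is called with a NULL options argument, so whether a missing host key in the keytab counts as a failure is left to the library default (the `verify_ap_req_nofail` setting); where that is off, a password login is accepted on the word of whichever KDC answered. Passing options prepared with `krb5_verify_init_creds_opt_init(&vopt);` and `krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);` makes the host-key check mandatory, which appears to be what the `1` passed to `krb5_verify_user` requests in the Heimdal branch. `creds` is also never released with `krb5_free_cred_contents` on the paths after `krb5_get_init_creds_password` succeeds; the `out:` cleanup lies outside the hunk.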
>@@ -1386,7 +1386,43 @@
> ]
> )
>
>-# Check whether user wants Kerberos support
>+# Check whether user wants Kerberos 5 support
>+AC_ARG_WITH(kerberos5,
>+ [ --with-kerberos5=PATH Enable Kerberos 5 support],
>+ [
>+ if test "x$withval" != "xno" ; then
>+ if test "x$withval" = "xyes" ; then
>+ KRB5ROOT="/usr/local"
>+ else
>+ KRB5ROOT=${withval}
>+ fi
>+ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
>+ LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
>+ AC_DEFINE(KRB5)
>+ AC_MSG_CHECKING(whether we are using Heimdal)
>+ AC_TRY_COMPILE([ #include <krb5.h> ],
>+ [ char *tmp = heimdal_version; ],
>+ [ AC_MSG_RESULT(yes)
>+ AC_DEFINE(HEIMDAL)
>+ K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
>+ ],
>+ [ AC_MSG_RESULT(no)
>+ K5LIBS="-lkrb5 -lk5crypto -lcom_err"
>+ ]
>+ )
>+ if test ! -z "$need_dash_r" ; then
>+ LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
>+ fi
>+ if test ! -z "$blibpath" ; then
>+ blibpath="$blibpath:${KRB5ROOT}/lib"
>+ fi
>+ AC_CHECK_LIB(resolv, dn_expand, , )
>+
>+ KRB5=yes
>+ fi
>+ ]
>+)
>+# Check whether user wants Kerberos 4 support
> KRB4_MSG="no"
> AC_ARG_WITH(kerberos4,
> [ --with-kerberos4=PATH Enable Kerberos 4 support],
>@@ -1466,7 +1502,7 @@
> fi
> ]
> )
>-LIBS="$LIBS $KLIBS"
>+LIBS="$LIBS $KLIBS $K5LIBS"
>
> # Looking for programs, paths and files
> AC_ARG_WITH(rsh,
>Index: servconf.c
>===================================================================
>RCS file: /cvs/openssh/servconf.c,v
>retrieving revision 1.70
>diff -u -r1.70 servconf.c
>--- servconf.c 6 Dec 2001 18:22:18 -0000 1.70
>+++ servconf.c 19 Dec 2001 17:02:24 -0000
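Review bot: The Heimdal probe in the `@@ -1386,7 +1386,43 @@` hunk treats every compile failure as "not Heimdal", so a missing or unusable `krb5.h` under `${KRB5ROOT}/include` still leaves `KRB5` defined with the MIT library list and the error only surfaces later in the build. Checking the header before `AC_DEFINE(KRB5)`, for example `AC_CHECK_HEADER(krb5.h, , AC_MSG_ERROR(krb5.h not found))`, would report it at configure time. Unlike the Kerberos 4 block below it, which sets `KRB4_MSG`, this block records nothing for a configure summary.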
>@@ -12,8 +12,17 @@
> #include "includes.h"
> RCSID("$OpenBSD: servconf.c,v 1.94 2001/12/06 13:30:05 markus Exp $");
>
>-#if defined(KRB4) || defined(KRB5)
>+#if defined(KRB4)
> #include <krb.h>
>+#endif
>+#if defined(KRB5)
>+#ifdef HEIMDAL
>+#include <krb.h>
>+#else
>+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
>+ * keytab */
>+#define KEYFILE "/etc/krb5.keytab"
>+#endif
> #endif
> #ifdef AFS
> #include <kafs.h>
>Index: sshconnect1.c
>===================================================================
>RCS file: /cvs/openssh/sshconnect1.c,v
>retrieving revision 1.39
>diff -u -r1.39 sshconnect1.c
>--- sshconnect1.c 10 Oct 2001 05:03:12 -0000 1.39
>+++ sshconnect1.c 19 Dec 2001 17:02:42 -0000
>@@ -23,6 +23,9 @@
> #endif
> #ifdef KRB5
> #include <krb5.h>
>+#ifndef HEIMDAL
>+#define krb5_get_err_text(context,code) error_message(code)
>+#endif /* !HEIMDAL */
> #endif
> #ifdef AFS
> #include <kafs.h>
>@@ -523,6 +526,23 @@
> goto out;
> }
>
>+ problem = krb5_auth_con_init(*context, auth_context);
>+ if (problem) {
>+ debug("Kerberos v5: krb5_auth_con_init failed");
>+ ret = 0;
>+ goto out;
>+ }
>+
>+#ifndef HEIMDAL
>+ problem = krb5_auth_con_setflags(*context, *auth_context,
>+ KRB5_AUTH_CONTEXT_RET_TIME);
>+ if (problem) {
>+ debug("Kerberos v5: krb5_auth_con_setflags failed");
>+ ret = 0;
>+ goto out;
>+ }
>+#endif
>+
> tkfile = krb5_cc_default_name(*context);
> if (strncmp(tkfile, "FILE:", 5) == 0)
> tkfile += 5;
>@@ -599,7 +619,11 @@
> if (reply != NULL)
> krb5_free_ap_rep_enc_part(*context, reply);
> if (ap.length > 0)
>+#ifdef HEIMDAL
> krb5_data_free(&ap);
>+#else
>+ xfree(ap.data);
>+#endif
>
> return (ret);
> }
>@@ -612,7 +636,11 @@
> krb5_data outbuf;
> krb5_ccache ccache = NULL;
> krb5_creds creds;
>+#ifdef HEIMDAL
> krb5_kdc_flags flags;
>+#else
>+ int forwardable;
>+#endif
> const char *remotehost;
>
> memset(&creds, 0, sizeof(creds));
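Review bot: `KEYFILE` in the servconf.c hunk is defined unconditionally in the non-Heimdal `KRB5` branch, but when `KRB4` is also defined `<krb.h>` has already been included a few lines above and, as the added comment implies, supplies its own `KEYFILE`, so the macro ends up redefined with a different value. A separately named macro for the Kerberos V keytab, or at least an `#ifndef KEYFILE` guard, would avoid the clash. The hard-coded `/etc/krb5.keytab` also ignores any keytab location configured in the Kerberos library; where `KEYFILE` is consumed is not visible in this hunk.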
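Review bot: In the `@@ -599,7 +619,11 @@` hunk of sshconnect1.c the non-Heimdal branch releases `ap.data` with OpenSSH's `xfree`, although the buffer was presumably allocated inside the Kerberos library (the call that fills `ap` is outside the hunk). `krb5_free_data_contents(*context, &ap);` is the matching release and keeps the library's allocator and OpenSSH's from being mixed. The function body starts outside the hunk.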
>@@ -620,9 +648,19 @@
>
> fd = packet_get_connection_in();
>
>+#ifdef HEIMDAL
> problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
> if (problem)
> goto out;
>+#else
>+ problem = krb5_auth_con_genaddrs(context, auth_context, fd,
>+ KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
>+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
>+ if (problem) {
>+ debug("krb5_auth_con_genaddrs: %.100s", error_message(problem));
>+ goto out;
>+ }
>+#endif
>
> problem = krb5_cc_default(context, &ccache);
> if (problem)
>@@ -632,14 +670,22 @@
> if (problem)
> goto out;
>
>+#ifdef HEIMDAL
> problem = krb5_build_principal(context, &creds.server,
> strlen(creds.client->realm), creds.client->realm,
> "krbtgt", creds.client->realm, NULL);
>+#else
>+ problem = krb5_build_principal(context, &creds.server,
>+ creds.client->realm.length, creds.client->realm.data,
>+ "krbtgt", creds.client->realm.data, NULL);
>+#endif
>+
> if (problem)
> goto out;
>
> creds.times.endtime = 0;
>
>+#ifdef HEIMDAL
> flags.i = 0;
> flags.b.forwarded = 1;
> flags.b.forwardable = krb5_config_get_bool(context, NULL,
>@@ -651,6 +697,17 @@
> ccache, flags.i, remotehost, &creds, &outbuf);
> if (problem)
> goto out;
>+#else
>+ forwardable = 1;
>+
>+ remotehost = get_canonical_hostname(1);
>+
>+ problem = krb5_fwd_tgt_creds (context, auth_context,
>+ remotehost, creds.client, creds.server, ccache, forwardable,
>+ &outbuf);
>+ if (problem)
>+ goto out;
>+#endif
>
> packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
> packet_put_string((char *)outbuf.data, outbuf.length);
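Review bot: In the non-Heimdal branch of the `@@ -632,14 +670,22 @@` hunk `creds.client->realm.data` is passed as the component after `"krbtgt"`, which `krb5_build_principal` reads as a C string, but a `krb5_data` carries an explicit length and is not guaranteed to be NUL-terminated. `krb5_build_principal_ext` takes a length for every component, so passing `6, "krbtgt"` and `creds.client->realm.length, creds.client->realm.data` followed by a terminating `0` avoids reading past the realm buffer. The enclosing function starts and ends outside the hunk.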
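Review bot: `forwardable = 1` is hard-coded in the non-Heimdal branch of the `@@ -651,6 +697,17 @@` hunk, so every delegated TGT can itself be forwarded onward by the receiving host, while the Heimdal branch takes the value from `krb5_config_get_bool` (visible in the context lines of the previous hunk). Defaulting to `forwardable = 0;` unless configuration asks otherwise would keep delegation to a single hop. The function continues outside the hunk.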