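--- a/Makefile.in
+++ b/Makefile.in
@@ -54,7 +54,7 @@
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
 MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1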
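--- a/acconfig.h
+++ b/acconfig.h
@@ -192,6 +192,12 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
 
+/* Define if you want Kerberos 5 support */
+#undef KRB5
+
+/* Define this if you are using the Heimdal version of Kerberos V5 */
+#undef HEIMDAL
+
 /* Define if you want Kerberos 4 support */
 #undef KRB4
 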
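--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -41,6 +41,9 @@
 
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 
 extern ServerOptions	 options;
 
@@ -93,8 +96,15 @@
 		goto err;
 
 	fd = packet_get_connection_in();
+#ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
 	    authctxt->krb5_auth_ctx, &fd);
+#else
+	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
+	    authctxt->krb5_auth_ctx,fd,
+	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
 	if (problem)
 		goto err;
 
@@ -108,8 +118,14 @@
 	if (problem)
 		goto err;
 
+#ifdef HEIMDAL
 	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
 	    &authctxt->krb5_user);
+#else
+	problem = krb5_copy_principal(authctxt->krb5_ctx, 
+				      ticket->enc_part2->client,
+				      &authctxt->krb5_user);
+#endif
 	if (problem)
 		goto err;
 
@@ -160,13 +176,37 @@
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
 	char *pname;
+	krb5_creds **creds;
 
 	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 		return (0);
 
 	temporarily_use_uid(authctxt->pw);
 
+#ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
+#else
+{
+	char ccname[40];
+	int tmpfd;
+	
+	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+	
+	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+		log("mkstemp(): %.100s", strerror(errno));
+		problem = errno;
+		goto fail;
+	}
+	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+		log("fchmod(): %.100s", strerror(errno));
+		close(tmpfd);
+		problem = errno;
+		goto fail;
+	}
+	close(tmpfd);
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+}
+#endif
 	if (problem)
 		goto fail;
 
@@ -175,10 +215,20 @@
 	if (problem)
 		goto fail;
 
+#ifdef HEIMDAL
 	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    ccache, tgt);
 	if (problem)
 		goto fail;
+#else
+	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
+	    tgt, &creds, NULL);
+	if (problem)
+		goto fail;
+	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
+	if (problem)
+		goto fail;
+#endif
 
 	authctxt->krb5_fwd_ccache = ccache;
 	ccache = NULL;
@@ -211,6 +261,12 @@
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
+#ifndef HEIMDAL
+	krb5_creds creds;
+	krb5_principal server;
+	char ccname[40];
+	int tmpfd;
+#endif	
 	krb5_error_code problem;
 
 	if (authctxt->pw == NULL)
@@ -227,6 +283,7 @@
 	if (problem)
 		goto out;
 
+#ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
 	    &authctxt->krb5_fwd_ccache);
 	if (problem)
@@ -245,13 +302,69 @@
 	if (problem)
 		goto out;
 
+#else
+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+	if (problem)
+		goto out;
+
+	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+	    KRB5_NT_SRV_HST, &server);
+	if (problem)
+		goto out;
+
+	restore_uid();
+	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+	    NULL, NULL, NULL);
+	krb5_free_principal(authctxt->krb5_ctx, server);
+	temporarily_use_uid(authctxt->pw);
+	if (problem)
+		goto out;
+	
+	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, 
+			  authctxt->pw->pw_name)) {
+	 	problem = -1;
+		goto out;
+	} 
+
+	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+	
+	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+		log("mkstemp(): %.100s", strerror(errno));
+		problem = errno;
+		goto out;
+	}
+	
+	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+		log("fchmod(): %.100s", strerror(errno));
+		close(tmpfd);
+		problem = errno;
+		goto out;
+	}
+	close(tmpfd);
+
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+	if (problem)
+		goto out;
+
+	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+				     authctxt->krb5_user);
+	if (problem)
+		goto out;
+				
+	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+				 &creds);
+	if (problem)
+		goto out;
+#endif		
+
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
  out:
 	restore_uid();
 
 	if (problem) {
-		if (authctxt->krb5_ctx != NULL)
+		if (authctxt->krb5_ctx != NULL && problem!=-1)
 			debug("Kerberos password authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
 		else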
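Review bot: In the MIT branch of auth_krb5_password (new lines 316-318) krb5_verify_init_creds() is called with a NULL krb5_verify_init_creds_opt, so under MIT's default (verify_ap_req_nofail unset) a server with no usable entry in its keytab silently skips the AP-REQ check and accepts the password on the strength of the AS-REP alone, which is exactly the KDC-spoofing weakness the verify step exists to close; the call should require verification unless the administrator has explicitly opted out, as in the excerpt below. The same hunk never releases the krb5_creds filled by krb5_get_init_creds_password() (a krb5_free_cred_contents() at `out:` on both success and failure), and the auth_krb5_tgt hunk (new lines 224-230) never releases the krb5_creds ** returned by krb5_rd_cred() with krb5_free_tgt_creds(), so session-key material stays in the process heap. In that auth_krb5_tgt hunk the FILE cache created via mkstemp() is handed to krb5_cc_store_cred() with no krb5_cc_initialize() in between, unlike the password path at new lines 350-351; unless MIT's FILE back end initialises implicitly (I do not believe it does) the store fails on the empty file. The body of auth_krb5_password continues past `else`, outside the hunk.
```c
	krb5_verify_init_creds_opt vopt;	/* with the other #ifndef HEIMDAL locals */
	/* … unchanged: krb5_get_init_creds_password / krb5_sname_to_principal … */
	restore_uid();
	krb5_verify_init_creds_opt_init(&vopt);
	/* refuse to authenticate when the host keytab cannot confirm the KDC */
	krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
	    NULL, NULL, &vopt);
	krb5_free_principal(authctxt->krb5_ctx, server);
	temporarily_use_uid(authctxt->pw);
	/* … unchanged: krb5_kuserok, ccache creation, store … */
```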
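--- a/configure.ac
+++ b/configure.ac
@@ -1745,7 +1745,43 @@
 	]
 )
 
-# Check whether user wants Kerberos support
+# Check whether user wants Kerberos 5 support
+AC_ARG_WITH(kerberos5,
+        [  --with-kerberos5=PATH   Enable Kerberos 5 support],
+        [
+                if test "x$withval" != "xno" ; then
+                        if test "x$withval" = "xyes" ; then
+                                KRB5ROOT="/usr/local"
+                        else
+                                KRB5ROOT=${withval}
+                        fi
+			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
+                        LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+                        AC_DEFINE(KRB5)
+                        AC_MSG_CHECKING(whether we are using Heimdal)
+                        AC_TRY_COMPILE([ #include <krb5.h> ],
+                                       [ char *tmp = heimdal_version; ],
+                                       [ AC_MSG_RESULT(yes)
+                                         AC_DEFINE(HEIMDAL)
+                                         K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
+                                       ],
+                                       [ AC_MSG_RESULT(no)
+                                         K5LIBS="-lkrb5 -lk5crypto -lcom_err"
+                                       ]
+                        )
+                        if test ! -z "$need_dash_r" ; then
+                                LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+                        fi
+                        if test ! -z "$blibpath" ; then
+                                blibpath="$blibpath:${KRB5ROOT}/lib"
+                        fi
+                        AC_CHECK_LIB(resolv, dn_expand, , )
+
+                        KRB5=yes
+                fi
+        ]
+)
+# Check whether user wants Kerberos 4 support
 KRB4_MSG="no" 
 AC_ARG_WITH(kerberos4,
 	[  --with-kerberos4=PATH   Enable Kerberos 4 support],
@@ -1825,7 +1861,7 @@
 		fi
 	]
 )
-LIBS="$LIBS $KLIBS"
+LIBS="$LIBS $KLIBS $K5LIBS"
 
 # Looking for programs, paths and files
 AC_ARG_WITH(rsh,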
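Review bot: The Heimdal probe at new lines 1761-1771 treats any compile failure as "not Heimdal", so when ${KRB5ROOT}/include holds no krb5.h at all the test prints "no", AC_DEFINE(KRB5) has already been emitted, K5LIBS is set to the MIT libraries, and the user only learns of the problem from a confusing compile or link error much later; an explicit header check before the probe, `AC_CHECK_HEADER(krb5.h, , AC_MSG_ERROR([krb5.h not found under ${KRB5ROOT}/include]))`, turns that into a clear configure-time failure. A smaller point of style: new line 1758 (`CPPFLAGS=...`) is indented with tabs while every sibling line in the block uses spaces. The unconditional `AC_CHECK_LIB(resolv, dn_expand, , )` deserves a one-line comment saying why a Kerberos 5 build needs it, e.g. `# libkrb5 may reference dn_expand() for DNS-based KDC lookup`, since nothing in the hunk otherwise explains the dependency.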
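--- a/servconf.c
+++ b/servconf.c
@@ -12,8 +12,17 @@
 #include "includes.h"
 RCSID("$OpenBSD: servconf.c,v 1.105 2002/03/20 19:12:24 stevesk Exp $");
 
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
 #include <krb.h>
+#endif
+#if defined(KRB5)
+#ifdef HEIMDAL
+#include <krb.h>
+#else
+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
+ * keytab */
+#define KEYFILE "/etc/krb5.keytab"
+#endif
 #endif
 #ifdef AFS
 #include <kafs.h>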
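Review bot: The MIT branch hard-codes `#define KEYFILE "/etc/krb5.keytab"` at new line 24, which ignores the keytab the host is actually configured to use (krb5.conf default_keytab_name or the KRB5_KTNAME environment variable), so whatever check in this file consults KEYFILE — its uses lie outside the hunk — can disagree with the keytab libkrb5 itself opens, presumably disabling or enabling Kerberos authentication on the wrong evidence. Resolving the name at run time with krb5_kt_default_name() (MIT) keeps the two consistent; at minimum the literal should become a configure-time constant rather than a path buried in a #define here. The Heimdal branch keeps the Kerberos IV `<krb.h>` include solely to obtain KEYFILE, as the new comment concedes, so the comment would be more useful as a pointer to the intended fix, e.g. `/* TODO: replace KEYFILE with the keytab name obtained from libkrb5 */`.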
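--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -23,6 +23,9 @@
 #endif
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -521,6 +524,23 @@
 		ret = 0;
 		goto out;
 	}
+	
+	problem = krb5_auth_con_init(*context, auth_context);
+	if (problem) {
+		debug("Kerberos v5: krb5_auth_con_init failed");
+		ret = 0;
+		goto out;
+	}
+
+#ifndef HEIMDAL
+	problem = krb5_auth_con_setflags(*context, *auth_context,
+					 KRB5_AUTH_CONTEXT_RET_TIME);
+	if (problem) {
+		debug("Keberos v5: krb5_auth_con_setflags failed");
+		ret = 0;
+		goto out;
+	}
+#endif
 
 	tkfile = krb5_cc_default_name(*context);
 	if (strncmp(tkfile, "FILE:", 5) == 0)
@@ -597,7 +617,11 @@
 	if (reply != NULL)
 		krb5_free_ap_rep_enc_part(*context, reply);
 	if (ap.length > 0)
+#ifdef HEIMDAL
 		krb5_data_free(&ap);
+#else
+		krb5_free_data_contents(*context, &ap);
+#endif
 
 	return (ret);
 }
@@ -610,7 +634,11 @@
 	krb5_data outbuf;
 	krb5_ccache ccache = NULL;
 	krb5_creds creds;
+#ifdef HEIMDAL
 	krb5_kdc_flags flags;
+#else
+	int forwardable;
+#endif
 	const char *remotehost;
 
 	memset(&creds, 0, sizeof(creds));
@@ -618,7 +646,13 @@
 
 	fd = packet_get_connection_in();
 
+#ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
+#else
+	problem = krb5_auth_con_genaddrs(context, auth_context, fd,
+			KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+			KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
 	if (problem)
 		goto out;
 
@@ -630,23 +664,35 @@
 	if (problem)
 		goto out;
 
+	remotehost = get_canonical_hostname(1);
+	
+#ifdef HEIMDAL
 	problem = krb5_build_principal(context, &creds.server,
 	    strlen(creds.client->realm), creds.client->realm,
 	    "krbtgt", creds.client->realm, NULL);
+#else
+	problem = krb5_build_principal(context, &creds.server,
+	    creds.client->realm.length, creds.client->realm.data,
+	    "host", remotehost, NULL);
+#endif
 	if (problem)
 		goto out;
 
 	creds.times.endtime = 0;
 
+#ifdef HEIMDAL
 	flags.i = 0;
 	flags.b.forwarded = 1;
 	flags.b.forwardable = krb5_config_get_bool(context,  NULL,
 	    "libdefaults", "forwardable", NULL);
-
-	remotehost = get_canonical_hostname(1);
-
 	problem = krb5_get_forwarded_creds(context, auth_context,
 	    ccache, flags.i, remotehost, &creds, &outbuf);
+#else
+	forwardable = 1;
+	problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
+	    creds.client, creds.server, ccache, forwardable, &outbuf);
+#endif
+
 	if (problem)
 		goto out;
 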
