
Diff for /src/usr.bin/ssh/Attic/auth-krb4.c between version 1.14 and 1.14.2.4

version 1.14, 2000/04/14 10:30:29 version 1.14.2.4, 2001/03/21 18:52:32
Line 1 
Line 1 
 /*  /*
  *    Dug Song <dugsong@UMICH.EDU>   * Copyright (c) 1999 Dug Song.  All rights reserved.
  *    Kerberos v4 authentication and ticket-passing routines.   *
    * Redistribution and use in source and binary forms, with or without
    * modification, are permitted provided that the following conditions
    * are met:
    * 1. Redistributions of source code must retain the above copyright
    *    notice, this list of conditions and the following disclaimer.
    * 2. Redistributions in binary form must reproduce the above copyright
    *    notice, this list of conditions and the following disclaimer in the
    *    documentation and/or other materials provided with the distribution.
    *
    * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
    * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
    * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
    * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
    * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
    * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
    * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
    * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */   */
   
 #include "includes.h"  #include "includes.h"
   RCSID("$OpenBSD$");
   
   #include "ssh.h"
   #include "ssh1.h"
 #include "packet.h"  #include "packet.h"
 #include "xmalloc.h"  #include "xmalloc.h"
 #include "ssh.h"  #include "log.h"
 #include "servconf.h"  #include "servconf.h"
   #include "auth.h"
   
   #ifdef AFS
   #include "radix.h"
   #endif
   
 #ifdef KRB4  #ifdef KRB4
 char *ticket = NULL;  char *ticket = NULL;
   
Line 25 
Line 53 
         AUTH_DAT adata;          AUTH_DAT adata;
         KTEXT_ST tkt;          KTEXT_ST tkt;
         struct hostent *hp;          struct hostent *hp;
         unsigned long faddr;          u_long faddr;
         char localhost[MAXHOSTNAMELEN];          char localhost[MAXHOSTNAMELEN];
         char phost[INST_SZ];          char phost[INST_SZ];
         char realm[REALM_SZ];          char realm[REALM_SZ];
Line 80 
Line 108 
                         if (r == RD_AP_UNDEC) {                          if (r == RD_AP_UNDEC) {
                                 /*                                  /*
                                  * Probably didn't have a srvtab on                                   * Probably didn't have a srvtab on
                                  * localhost. Allow login.                                   * localhost. Disallow login.
                                  */                                   */
                                 log("Kerberos V4 TGT for %s unverifiable, "                                  log("Kerberos V4 TGT for %s unverifiable, "
                                     "no srvtab installed? krb_rd_req: %s",                                      "no srvtab installed? krb_rd_req: %s",
                                     pw->pw_name, krb_err_txt[r]);                                      pw->pw_name, krb_err_txt[r]);
                                   goto kerberos_auth_failure;
                         } else if (r != KSUCCESS) {                          } else if (r != KSUCCESS) {
                                 log("Kerberos V4 %s ticket unverifiable: %s",                                  log("Kerberos V4 %s ticket unverifiable: %s",
                                     KRB4_SERVICE_NAME, krb_err_txt[r]);                                      KRB4_SERVICE_NAME, krb_err_txt[r]);
Line 92 
Line 121 
                         }                          }
                 } else if (r == KDC_PR_UNKNOWN) {                  } else if (r == KDC_PR_UNKNOWN) {
                         /*                          /*
                          * Allow login if no rcmd service exists, but                           * Disallow login if no rcmd service exists, and
                          * log the error.                           * log the error.
                          */                           */
                         log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "                          log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
                             "not registered, or srvtab is wrong?", pw->pw_name,                              "not registered, or srvtab is wrong?", pw->pw_name,
                         krb_err_txt[r], KRB4_SERVICE_NAME, phost);                          krb_err_txt[r], KRB4_SERVICE_NAME, phost);
                           goto kerberos_auth_failure;
                 } else {                  } else {
                         /*                          /*
                          * TGT is bad, forget it. Possibly spoofed!                           * TGT is bad, forget it. Possibly spoofed!
Line 150 
Line 180 
                 if (lstat("/ticket", &st) != -1)                  if (lstat("/ticket", &st) != -1)
                         tkt_root = "/ticket/";                          tkt_root = "/ticket/";
 #endif /* AFS */  #endif /* AFS */
                 snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());                  snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid());
                 (void) krb_set_tkt_string(ticket);                  (void) krb_set_tkt_string(ticket);
         }          }
         /* Register ticket cleanup in case of fatal error. */          /* Register ticket cleanup in case of fatal error. */
Line 257 
Line 287 
 {  {
         CREDENTIALS creds;          CREDENTIALS creds;
   
           if (pw == NULL)
                   goto auth_kerberos_tgt_failure;
         if (!radix_to_creds(string, &creds)) {          if (!radix_to_creds(string, &creds)) {
                 log("Protocol error decoding Kerberos V4 tgt");                  log("Protocol error decoding Kerberos V4 tgt");
                 packet_send_debug("Protocol error decoding Kerberos V4 tgt");                  packet_send_debug("Protocol error decoding Kerberos V4 tgt");
Line 311 
Line 343 
 auth_afs_token(struct passwd *pw, const char *token_string)  auth_afs_token(struct passwd *pw, const char *token_string)
 {  {
         CREDENTIALS creds;          CREDENTIALS creds;
         uid_t uid = pw->pw_uid;          uid_t uid;
   
           if (pw == NULL) {
                   /* XXX fake protocol error */
                   packet_send_debug("Protocol error decoding AFS token");
                   packet_start(SSH_SMSG_FAILURE);
                   packet_send();
                   packet_write_wait();
                   return 0;
           }
         if (!radix_to_creds(token_string, &creds)) {          if (!radix_to_creds(token_string, &creds)) {
                 log("Protocol error decoding AFS token");                  log("Protocol error decoding AFS token");
                 packet_send_debug("Protocol error decoding AFS token");                  packet_send_debug("Protocol error decoding AFS token");
Line 326 
Line 366 
   
         if (strncmp(creds.pname, "AFS ID ", 7) == 0)          if (strncmp(creds.pname, "AFS ID ", 7) == 0)
                 uid = atoi(creds.pname + 7);                  uid = atoi(creds.pname + 7);
           else
                   uid = pw->pw_uid;
   
         if (kafs_settoken(creds.realm, uid, &creds)) {          if (kafs_settoken(creds.realm, uid, &creds)) {
                 log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,                  log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
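Review bot: In auth_afs_token, `uid = atoi(creds.pname + 7);` still takes the id from the decoded token (apparently client-supplied) with atoi(), which cannot report a parse failure. A name with no digits after "AFS ID " silently becomes id 0, and an out-of-range value is undefined behaviour; the added `else uid = pw->pw_uid;` only covers names without that prefix. I would parse with strtol(), check the end pointer and `errno`, and fall back to `pw->pw_uid` or reject the token when the digits are missing, negative or too large. Separately, the new `pw == NULL` path sends the failure reply without a `log()` call, unlike the `radix_to_creds` failure path just below it, so these attempts may leave no server-side trace unless the caller records them. The function body continues outside the displayed lines.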
