
Diff for /src/usr.bin/ssh/Attic/auth-krb4.c between version 1.5 and 1.6

version 1.5, 1999/11/02 19:10:14 version 1.6, 1999/11/10 22:24:01
Line 15 
Line 15 
 #include "ssh.h"  #include "ssh.h"
   
 #ifdef KRB4  #ifdef KRB4
 int ssh_tf_init(uid_t uid)  char *ticket = NULL;
   
   void
   krb4_cleanup_proc(void *ignore)
 {  {
   extern char *ticket;    debug("krb4_cleanup_proc called");
   
     if (ticket) {
       (void) dest_tkt();
       xfree(ticket);
       ticket = NULL;
     }
   }
   
   int krb4_init(uid_t uid)
   {
     static int cleanup_registered = 0;
   char *tkt_root = TKT_ROOT;    char *tkt_root = TKT_ROOT;
   struct stat st;    struct stat st;
   int fd;    int fd;
   
   /* Set unique ticket string manually since we're still root. */    if (!ticket) {
   ticket = xmalloc(MAXPATHLEN);      /* Set unique ticket string manually since we're still root. */
       ticket = xmalloc(MAXPATHLEN);
 #ifdef AFS  #ifdef AFS
   if (lstat("/ticket", &st) != -1)      if (lstat("/ticket", &st) != -1)
     tkt_root = "/ticket/";        tkt_root = "/ticket/";
 #endif /* AFS */  #endif /* AFS */
   snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());      snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
   (void) krb_set_tkt_string(ticket);      (void) krb_set_tkt_string(ticket);
   
   /* Make sure we own this ticket file, and we created it. */  
   if (lstat(ticket, &st) == -1 && errno == ENOENT) {  
     /* good, no ticket file exists. create it. */  
     if ((fd = open(ticket, O_RDWR|O_CREAT|O_EXCL, 0600)) != -1) {  
       close(fd);  
       return 1;  
     }  
   }    }
   else {    /* Register ticket cleanup in case of fatal error. */
     /* file exists. make sure server_user owns it (e.g. just passed ticket),    if (!cleanup_registered) {
        and that it isn't a symlink, and that it is mode 600. */      fatal_add_cleanup(krb4_cleanup_proc, NULL);
       cleanup_registered = 1;
     }
     /* Try to create our ticket file. */
     if ((fd = mkstemp(ticket)) != -1) {
       close(fd);
       return 1;
     }
     /* Ticket file exists - make sure user owns it (just passed ticket). */
     if (lstat(ticket, &st) != -1) {
     if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid)      if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid)
       return 1;        return 1;
   }    }
   /* Failure. */    /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
   log("WARNING: bad ticket file %s", ticket);    log("WARNING: bad ticket file %s", ticket);
     fatal_remove_cleanup(krb4_cleanup_proc, NULL);
     cleanup_registered = 0;
     xfree(ticket);
     ticket = NULL;
   
   return 0;    return 0;
 }  }
   
Line 103 
Line 124 
     reply.dat[0] = 0;      reply.dat[0] = 0;
     reply.length = 0;      reply.length = 0;
   }    }
   else    else reply.length = r;
     reply.length = r;  
   
   /* Clear session key. */    /* Clear session key. */
   memset(&adat.session, 0, sizeof(&adat.session));    memset(&adat.session, 0, sizeof(&adat.session));
Line 121 
Line 141 
 int auth_kerberos_tgt(struct passwd *pw, const char *string)  int auth_kerberos_tgt(struct passwd *pw, const char *string)
 {  {
   CREDENTIALS creds;    CREDENTIALS creds;
   extern char *ticket;  
   int r;  
   
   if (!radix_to_creds(string, &creds)) {    if (!radix_to_creds(string, &creds)) {
     log("Protocol error decoding Kerberos V4 tgt");      log("Protocol error decoding Kerberos V4 tgt");
Line 133 
Line 151 
     strlcpy(creds.service, "krbtgt", sizeof creds.service);      strlcpy(creds.service, "krbtgt", sizeof creds.service);
   
   if (strcmp(creds.service, "krbtgt")) {    if (strcmp(creds.service, "krbtgt")) {
     log("Kerberos V4 tgt (%s%s%s@%s) rejected for uid %d",      log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
         creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm,          creds.pinst[0] ? "." : "", creds.pinst, creds.realm, pw->pw_name);
         pw->pw_uid);      packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
     packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for uid %d",  
                       creds.pname, creds.pinst[0] ? "." : "", creds.pinst,                        creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
                       creds.realm, pw->pw_uid);                        creds.realm, pw->pw_name);
     goto auth_kerberos_tgt_failure;      goto auth_kerberos_tgt_failure;
   }    }
   if (!ssh_tf_init(pw->pw_uid) ||    if (!krb4_init(pw->pw_uid))
       (r = in_tkt(creds.pname, creds.pinst)) ||      goto auth_kerberos_tgt_failure;
       (r = save_credentials(creds.service, creds.instance, creds.realm,  
                             creds.session, creds.lifetime, creds.kvno,    if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
                             &creds.ticket_st, creds.issue_date))) {      goto auth_kerberos_tgt_failure;
     xfree(ticket);  
     ticket = NULL;    if (save_credentials(creds.service, creds.instance, creds.realm,
                          creds.session, creds.lifetime, creds.kvno,
                          &creds.ticket_st, creds.issue_date) != KSUCCESS) {
     packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");      packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
     goto auth_kerberos_tgt_failure;      goto auth_kerberos_tgt_failure;
   }    }
   /* Successful authentication, passed all checks. */    /* Successful authentication, passed all checks. */
   chown(ticket, pw->pw_uid, pw->pw_gid);    chown(tkt_string(), pw->pw_uid, pw->pw_gid);
   packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",  
                     creds.service, creds.instance, creds.realm,  
                     creds.pname, creds.pinst[0] ? "." : "",  
                     creds.pinst, creds.realm);  
   
     packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
                       creds.service, creds.instance, creds.realm, creds.pname,
                       creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
     memset(&creds, 0, sizeof(creds));
   packet_start(SSH_SMSG_SUCCESS);    packet_start(SSH_SMSG_SUCCESS);
   packet_send();    packet_send();
   packet_write_wait();    packet_write_wait();
   return 1;    return 1;
   
 auth_kerberos_tgt_failure:   auth_kerberos_tgt_failure:
     krb4_cleanup_proc(NULL);
   memset(&creds, 0, sizeof(creds));    memset(&creds, 0, sizeof(creds));
   packet_start(SSH_SMSG_FAILURE);    packet_start(SSH_SMSG_FAILURE);
   packet_send();    packet_send();
Line 191 
Line 211 
     uid = atoi(creds.pname + 7);      uid = atoi(creds.pname + 7);
   
   if (kafs_settoken(creds.realm, uid, &creds)) {    if (kafs_settoken(creds.realm, uid, &creds)) {
     log("AFS token (%s@%s) rejected for uid %d", creds.pname,      log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
         creds.realm, uid);          pw->pw_name);
     packet_send_debug("AFS token (%s@%s) rejected for uid %d", creds.pname,      packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
                       creds.realm, uid);                        creds.realm, pw->pw_name);
       memset(&creds, 0, sizeof(creds));
     packet_start(SSH_SMSG_FAILURE);      packet_start(SSH_SMSG_FAILURE);
     packet_send();      packet_send();
     packet_write_wait();      packet_write_wait();
Line 202 
Line 223 
   }    }
   packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,    packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
                     creds.realm, creds.pname, creds.realm);                      creds.realm, creds.pname, creds.realm);
     memset(&creds, 0, sizeof(creds));
   packet_start(SSH_SMSG_SUCCESS);    packet_start(SSH_SMSG_SUCCESS);
   packet_send();    packet_send();
   packet_write_wait();    packet_write_wait();
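Review bot: In the new krb4_init, `mkstemp(ticket)` is passed a name that has no trailing XXXXXX template, since `ticket` is fully formatted (`"%s%d_%d"`) and already handed to `krb_set_tkt_string` before the call; mkstemp's contract requires the template, so this relies on implementation-specific behaviour (the BSD libc of the day appears to degenerate into a single O_CREAT|O_EXCL open, while other implementations return -1 with EINVAL), and on an EINVAL failure the code falls through to the "ticket file exists" lstat branch and logs `WARNING: bad ticket file` for a file that was never created. Because the name must stay fixed for tkt_string() to match, the robust form is the explicit exclusive create the old code had, `if ((fd = open(ticket, O_RDWR|O_CREAT|O_EXCL, 0600)) != -1)`, which gives the same atomic-create guarantee without depending on mkstemp's handling of a template with no X's. Two smaller points are visible in the unchanged context: the `memset(&adat.session, 0, sizeof(&adat.session))` in the second hunk takes the size of a pointer, so the session key is only partially cleared and `sizeof(adat.session)` is what was meant; and the return value of `chown(tkt_string(), ...)` on the success path is still ignored, so a failed ownership change leaves a root-owned ticket file that the user cannot later destroy — worth at least a `log()` when it returns -1. Both auth_kerberos_tgt hunks start and end outside the visible section, so the surrounding cleanup paths could not be checked here.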
