=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/Attic/auth1.c,v retrieving revision 1.47 retrieving revision 1.47.2.2 diff -u -r1.47 -r1.47.2.2 --- src/usr.bin/ssh/Attic/auth1.c 2003/02/06 21:22:42 1.47 +++ src/usr.bin/ssh/Attic/auth1.c 2004/03/04 18:18:15 1.47.2.2 @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.47.2.2 2004/03/04 18:18:15 brad Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -49,10 +49,6 @@ case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS_RESPONSE: return "challenge-response"; -#if defined(KRB4) || defined(KRB5) - case SSH_CMSG_AUTH_KERBEROS: - return "kerberos"; -#endif } snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); return buf; @@ -74,14 +70,13 @@ u_int dlen; u_int ulen; int type = 0; - struct passwd *pw = authctxt->pw; debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { @@ -105,104 +100,6 @@ /* Process the packet. */ switch (type) { - -#if defined(KRB4) || defined(KRB5) - case SSH_CMSG_AUTH_KERBEROS: - if (!options.kerberos_authentication) { - verbose("Kerberos authentication disabled."); - } else { - char *kdata = packet_get_string(&dlen); - packet_check_eom(); - - if (kdata[0] == 4) { /* KRB_PROT_VERSION */ -#ifdef KRB4 - KTEXT_ST tkt, reply; - tkt.length = dlen; - if (tkt.length < MAX_KTXT_LEN) - memcpy(tkt.dat, kdata, tkt.length); - - if (PRIVSEP(auth_krb4(authctxt, &tkt, - &client_user, &reply))) { - authenticated = 1; - snprintf(info, sizeof(info), - " tktuser %.100s", - client_user); - - packet_start( - SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) - reply.dat, reply.length); - packet_send(); - packet_write_wait(); - - xfree(client_user); - } -#endif /* KRB4 */ - } else { -#ifdef KRB5 - krb5_data tkt, reply; - tkt.length = dlen; - tkt.data = kdata; - - if (PRIVSEP(auth_krb5(authctxt, &tkt, - &client_user, &reply))) { - authenticated = 1; - snprintf(info, sizeof(info), - " tktuser %.100s", - client_user); - - /* Send response to client */ - packet_start( - SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) - reply.data, reply.length); - packet_send(); - packet_write_wait(); - - if (reply.length) - xfree(reply.data); - xfree(client_user); - } -#endif /* KRB5 */ - } - xfree(kdata); - } - break; -#endif /* KRB4 || KRB5 */ - -#if defined(AFS) || defined(KRB5) - /* XXX - punt on backward compatibility here. */ - case SSH_CMSG_HAVE_KERBEROS_TGT: - packet_send_debug("Kerberos TGT passing disabled before authentication."); - break; -#ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - packet_send_debug("AFS token passing disabled before authentication."); - break; -#endif /* AFS */ -#endif /* AFS || KRB5 */ - - case SSH_CMSG_AUTH_RHOSTS: - if (!options.rhosts_authentication) { - verbose("Rhosts authentication disabled."); - break; - } - /* - * Get client user name. Note that we just have to - * trust the client; this is one reason why rhosts - * authentication is insecure. (Another is - * IP-spoofing on a local network.) - */ - client_user = packet_get_string(&ulen); - packet_check_eom(); - - /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ - authenticated = auth_rhosts(pw, client_user); - - snprintf(info, sizeof info, " ruser %.100s", client_user); - xfree(client_user); - break; - case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); @@ -227,7 +124,7 @@ BN_num_bits(client_host_key->rsa->n), bits); packet_check_eom(); - authenticated = auth_rhosts_rsa(pw, client_user, + authenticated = auth_rhosts_rsa(authctxt, client_user, client_host_key); key_free(client_host_key); @@ -245,7 +142,7 @@ fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); - authenticated = auth_rsa(pw, n); + authenticated = auth_rsa(authctxt, n); BN_clear_free(n); break; @@ -300,7 +197,7 @@ * Any unknown messages will be ignored (and failure * returned) during authentication. */ - log("Unknown message during authentication: type %d", type); + logit("Unknown message during authentication: type %d", type); break; } #ifdef BSD_AUTH @@ -337,10 +234,9 @@ * Performs authentication of an incoming connection. Session key has already * been exchanged and encryption is enabled. */ -Authctxt * -do_authentication(void) +void +do_authentication(Authctxt *authctxt) { - Authctxt *authctxt; u_int ulen; char *user, *style = NULL; @@ -354,25 +250,16 @@ if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; -#ifdef KRB5 - /* XXX - SSH.com Kerberos v5 braindeath. */ - if ((datafellows & SSH_BUG_K5USER) && - options.kerberos_authentication) { - char *p; - if ((p = strchr(user, '@')) != NULL) - *p = '\0'; - } -#endif - - authctxt = authctxt_new(); authctxt->user = user; authctxt->style = style; /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) authctxt->valid = 1; - else + else { debug("do_authentication: illegal user %s", user); + authctxt->pw = fakepw(); + } setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); @@ -395,6 +282,4 @@ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); - - return (authctxt); }