===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/Attic/auth1.c,v
retrieving revision 1.47.2.2
retrieving revision 1.48
diff -u -r1.47.2.2 -r1.48
--- src/usr.bin/ssh/Attic/auth1.c 2004/03/04 18:18:15 1.47.2.2
+++ src/usr.bin/ssh/Attic/auth1.c 2003/04/08 20:21:28 1.48
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.47.2.2 2004/03/04 18:18:15 brad Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,6 +49,10 @@
 case SSH_CMSG_AUTH_TIS:
 case SSH_CMSG_AUTH_TIS_RESPONSE:
 return "challenge-response";
+#if defined(KRB4) || defined(KRB5)
+ case SSH_CMSG_AUTH_KERBEROS:
+ return "kerberos";
+#endif
 }
 snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
 return buf;
@@ -70,13 +74,14 @@
 u_int dlen;
 u_int ulen;
 int type = 0;
+ struct passwd *pw = authctxt->pw;
 debug("Attempting authentication for %s%.100s.",
 authctxt->valid ? "" : "illegal user ", authctxt->user);
 /* If the user has no password, accept authentication immediately. */
 if (options.password_authentication &&
-#ifdef KRB5
+#if defined(KRB4) || defined(KRB5)
 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
 PRIVSEP(auth_password(authctxt, ""))) {
@@ -100,6 +105,104 @@
 /* Process the packet. */
 switch (type) {
+
+#if defined(KRB4) || defined(KRB5)
+ case SSH_CMSG_AUTH_KERBEROS:
+ if (!options.kerberos_authentication) {
+ verbose("Kerberos authentication disabled.");
+ } else {
+ char *kdata = packet_get_string(&dlen);
+ packet_check_eom();
+
+ if (kdata[0] == 4) { /* KRB_PROT_VERSION */
+#ifdef KRB4
+ KTEXT_ST tkt, reply;
+ tkt.length = dlen;
+ if (tkt.length < MAX_KTXT_LEN)
+ memcpy(tkt.dat, kdata, tkt.length);
+
+ if (PRIVSEP(auth_krb4(authctxt, &tkt,
+ &client_user, &reply))) {
+ authenticated = 1;
+ snprintf(info, sizeof(info),
+ " tktuser %.100s",
+ client_user);
+
+ packet_start(
+ SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+ packet_put_string((char *)
+ reply.dat, reply.length);
+ packet_send();
+ packet_write_wait();
+
+ xfree(client_user);
+ }
+#endif /* KRB4 */
+ } else {
+#ifdef KRB5
+ krb5_data tkt, reply;
+ tkt.length = dlen;
+ tkt.data = kdata;
+
+ if (PRIVSEP(auth_krb5(authctxt, &tkt,
+ &client_user, &reply))) {
+ authenticated = 1;
+ snprintf(info, sizeof(info),
+ " tktuser %.100s",
+ client_user);
+
+ /* Send response to client */
+ packet_start(
+ SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+ packet_put_string((char *)
+ reply.data, reply.length);
+ packet_send();
+ packet_write_wait();
+
+ if (reply.length)
+ xfree(reply.data);
+ xfree(client_user);
+ }
+#endif /* KRB5 */
+ }
+ xfree(kdata);
+ }
+ break;
+#endif /* KRB4 || KRB5 */
+
+#if defined(AFS) || defined(KRB5)
+ /* XXX - punt on backward compatibility here. */
+ case SSH_CMSG_HAVE_KERBEROS_TGT:
+ packet_send_debug("Kerberos TGT passing disabled before authentication.");
+ break;
+#ifdef AFS
+ case SSH_CMSG_HAVE_AFS_TOKEN:
+ packet_send_debug("AFS token passing disabled before authentication.");
+ break;
+#endif /* AFS */
+#endif /* AFS || KRB5 */
+
+ case SSH_CMSG_AUTH_RHOSTS:
+ if (!options.rhosts_authentication) {
+ verbose("Rhosts authentication disabled.");
+ break;
+ }
+ /*
+ * Get client user name. Note that we just have to
+ * trust the client; this is one reason why rhosts
+ * authentication is insecure. (Another is
+ * IP-spoofing on a local network.)
+ */
+ client_user = packet_get_string(&ulen);
+ packet_check_eom();
+
+ /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
+ authenticated = auth_rhosts(pw, client_user);
+
+ snprintf(info, sizeof info, " ruser %.100s", client_user);
+ xfree(client_user);
+ break;
+
 case SSH_CMSG_AUTH_RHOSTS_RSA:
 if (!options.rhosts_rsa_authentication) {
 verbose("Rhosts with RSA authentication disabled.");
@@ -124,7 +227,7 @@
 BN_num_bits(client_host_key->rsa->n), bits);
 packet_check_eom();
- authenticated = auth_rhosts_rsa(authctxt, client_user,
+ authenticated = auth_rhosts_rsa(pw, client_user,
 client_host_key);
 key_free(client_host_key);
@@ -142,7 +245,7 @@
 fatal("do_authloop: BN_new failed");
 packet_get_bignum(n);
 packet_check_eom();
- authenticated = auth_rsa(authctxt, n);
+ authenticated = auth_rsa(pw, n);
 BN_clear_free(n);
 break;
@@ -234,9 +337,10 @@
 * Performs authentication of an incoming connection. Session key has already
 * been exchanged and encryption is enabled.
 */
-void
-do_authentication(Authctxt *authctxt)
+Authctxt *
+do_authentication(void)
 {
+ Authctxt *authctxt;
 u_int ulen;
 char *user, *style = NULL;
@@ -250,16 +354,25 @@
 if ((style = strchr(user, ':')) != NULL)
 *style++ = '\0';
+#ifdef KRB5
+ /* XXX - SSH.com Kerberos v5 braindeath. */
+ if ((datafellows & SSH_BUG_K5USER) &&
+ options.kerberos_authentication) {
+ char *p;
+ if ((p = strchr(user, '@')) != NULL)
+ *p = '\0';
+ }
+#endif
+
+ authctxt = authctxt_new();
 authctxt->user = user;
 authctxt->style = style;
 /* Verify that the user is a valid user. */
 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
 authctxt->valid = 1;
- else {
+ else
 debug("do_authentication: illegal user %s", user);
- authctxt->pw = fakepw();
- }
 setproctitle("%s%s", authctxt->pw ? user : "unknown",
 use_privsep ? " [net]" : "");
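Review bot: In the KRB4 branch of the new SSH_CMSG_AUTH_KERBEROS case, a ticket with dlen >= MAX_KTXT_LEN is not rejected: the `if (tkt.length < MAX_KTXT_LEN)` guard only skips the memcpy, so tkt is still handed to auth_krb4 carrying the client-supplied length and an uninitialized `tkt.dat`. Move the call inside the same guard — `if (tkt.length < MAX_KTXT_LEN) { memcpy(tkt.dat, kdata, tkt.length); if (PRIVSEP(auth_krb4(...))) { … } } else verbose("Kerberos v4 ticket too long.");` — so an oversized ticket simply fails the method and the rejection is logged. The KRB5 branch passes the buffer by pointer with its length and does not have this problem. The `kdata[0] == 4` test on a zero-length string relies on packet_get_string returning a NUL-terminated buffer; that appears to hold in this codebase but deserves a one-line comment at the test. do_authloop begins and ends outside this hunk.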
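Review bot: The header comment above do_authentication (`Performs authentication of an incoming connection. ...`) was not updated for the new signature: the function now creates the Authctxt itself and returns it, and nothing says who owns the result. Add a line such as `* Returns a newly allocated Authctxt for the authenticated user; the caller takes ownership.` to that comment. The allocation is the `authctxt = authctxt_new();` line in the hunk at +354, and the body of do_authentication continues past this hunk.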
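Review bot: Dropping `authctxt->pw = fakepw();` from the else branch means an unknown user now enters do_authloop with `authctxt->pw == NULL`, which is exactly the `pw` the earlier hunks pass to auth_rhosts(pw, client_user), auth_rhosts_rsa(pw, ...) and auth_rsa(pw, n). Unless those callees, or a check on `authctxt->valid` inside the loop that is not visible here, reject a NULL pw before dereferencing it, a client reaches that path just by naming a nonexistent account. It also makes the code paths for valid and unknown users observably different, which is the username-enumeration concern a fake passwd entry avoids. If the fake entry is not wanted, guard each pw-taking case up front, e.g. `if (pw == NULL) break;` before the auth_* call, so the method fails uniformly. The enclosing do_authentication starts before this hunk and ends after it.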
@@ -282,4 +395,6 @@
 packet_start(SSH_SMSG_SUCCESS);
 packet_send();
 packet_write_wait();
+
+ return (authctxt);
 }