version 1.121, 2003/08/22 10:56:09 |
version 1.122, 2003/08/22 13:20:03 |
|
|
#include "includes.h" |
#include "includes.h" |
RCSID("$OpenBSD$"); |
RCSID("$OpenBSD$"); |
|
|
#ifdef KRB5 |
|
#include <krb5.h> |
|
#endif |
|
|
|
#include "ssh.h" |
#include "ssh.h" |
#include "ssh2.h" |
#include "ssh2.h" |
#include "xmalloc.h" |
#include "xmalloc.h" |
|
|
userauth_hostbased, |
userauth_hostbased, |
&options.hostbased_authentication, |
&options.hostbased_authentication, |
NULL}, |
NULL}, |
#if KRB5 |
|
{"kerberos-2@ssh.com", |
|
userauth_kerberos, |
|
&options.kerberos_authentication, |
|
NULL}, |
|
#endif |
|
{"publickey", |
{"publickey", |
userauth_pubkey, |
userauth_pubkey, |
&options.pubkey_authentication, |
&options.pubkey_authentication, |
|
|
packet_send(); |
packet_send(); |
return 1; |
return 1; |
} |
} |
|
|
#if KRB5 |
|
static int |
|
ssh_krb5_helper(krb5_data *ap) |
|
{ |
|
krb5_context xcontext = NULL; /* XXX share with ssh1 */ |
|
krb5_auth_context xauth_context = NULL; |
|
|
|
krb5_context *context; |
|
krb5_auth_context *auth_context; |
|
krb5_error_code problem; |
|
const char *tkfile; |
|
struct stat buf; |
|
krb5_ccache ccache = NULL; |
|
const char *remotehost; |
|
int ret; |
|
|
|
memset(ap, 0, sizeof(*ap)); |
|
|
|
context = &xcontext; |
|
auth_context = &xauth_context; |
|
|
|
problem = krb5_init_context(context); |
|
if (problem) { |
|
debug("Kerberos v5: krb5_init_context failed"); |
|
ret = 0; |
|
goto out; |
|
} |
|
|
|
tkfile = krb5_cc_default_name(*context); |
|
if (strncmp(tkfile, "FILE:", 5) == 0) |
|
tkfile += 5; |
|
|
|
if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) { |
|
debug("Kerberos v5: could not get default ccache (permission denied)."); |
|
ret = 0; |
|
goto out; |
|
} |
|
|
|
problem = krb5_cc_default(*context, &ccache); |
|
if (problem) { |
|
debug("Kerberos v5: krb5_cc_default failed: %s", |
|
krb5_get_err_text(*context, problem)); |
|
ret = 0; |
|
goto out; |
|
} |
|
|
|
remotehost = get_canonical_hostname(1); |
|
|
|
problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, |
|
"host", remotehost, NULL, ccache, ap); |
|
if (problem) { |
|
debug("Kerberos v5: krb5_mk_req failed: %s", |
|
krb5_get_err_text(*context, problem)); |
|
ret = 0; |
|
goto out; |
|
} |
|
ret = 1; |
|
|
|
out: |
|
if (ccache != NULL) |
|
krb5_cc_close(*context, ccache); |
|
if (*auth_context) |
|
krb5_auth_con_free(*context, *auth_context); |
|
if (*context) |
|
krb5_free_context(*context); |
|
return (ret); |
|
} |
|
|
|
int |
|
userauth_kerberos(Authctxt *authctxt) |
|
{ |
|
krb5_data ap; |
|
|
|
if (ssh_krb5_helper(&ap) == 0) |
|
return (0); |
|
|
|
packet_start(SSH2_MSG_USERAUTH_REQUEST); |
|
packet_put_cstring(authctxt->server_user); |
|
packet_put_cstring(authctxt->service); |
|
packet_put_cstring(authctxt->method->name); |
|
packet_put_string(ap.data, ap.length); |
|
packet_send(); |
|
|
|
krb5_data_free(&ap); |
|
return (1); |
|
} |
|
#endif |
|
|
|
/* find auth method */ |
/* find auth method */ |
|
|