head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.50 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.48 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.46 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.44 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.42 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.40 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.38 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.36 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.34 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.32 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.30 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.28 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.26 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.24 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.22 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.20 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.18 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.16 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.14 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.12 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.2.0.10 pkgsrc-2005Q2-base:1.2 pkgsrc-2005Q1:1.2.0.8 pkgsrc-2005Q1-base:1.2 pkgsrc-2004Q4:1.2.0.6 pkgsrc-2004Q4-base:1.2 pkgsrc-2004Q3:1.2.0.4 pkgsrc-2004Q3-base:1.2 pkgsrc-2004Q2:1.2.0.2 pkgsrc-2004Q2-base:1.2 pkgsrc-2004Q1:1.1.0.12 pkgsrc-2004Q1-base:1.1 pkgsrc-2003Q4:1.1.0.10 pkgsrc-2003Q4-base:1.1 netbsd-1-6-1:1.1.0.6 netbsd-1-6-1-base:1.1 netbsd-1-6:1.1.0.8 netbsd-1-6-RELEASE-base:1.1 pkgviews:1.1.0.4 pkgviews-base:1.1 buildlink2:1.1.0.2 buildlink2-base:1.1 netbsd-1-5-PATCH003:1.1 netbsd-1-5-PATCH001:1.1 netbsd-1-5-RELEASE:1.1 netbsd-1-4-PATCH003:1.1 netbsd-1-4-PATCH002:1.1; locks; strict; comment @# @; 1.2 date 2004.06.01.21.50.38; author kristerw; state dead; branches; next 1.1; 1.1 date 99.12.25.05.28.36; author kim; state Exp; branches; next ; desc @@ 1.2 log @Remove obsolete packages, per discussion on tech-pkg. @ text @$NetBSD: patch-as,v 1.1 1999/12/25 05:28:36 kim Exp $ --- auth-kerberos.c.orig Wed May 12 07:19:23 1999 +++ auth-kerberos.c Fri Dec 24 21:50:38 1999 @@@@ -38,14 +38,13 @@@@ #include "xmalloc.h" #include "ssh.h" -#ifdef KERBEROS -#if defined (KRB5) +#ifdef KRB5 #include extern krb5_context ssh_context; extern krb5_auth_context auth_context; -int auth_kerberos(char *server_user, krb5_data *auth, krb5_principal *client) +int auth_krb5(char *server_user, krb5_data *auth, krb5_principal *client) { krb5_error_code problem; krb5_ticket *ticket; @@@@ -163,11 +162,115 @@@@ return 1; } #endif /* KRB5 */ -#endif /* KERBEROS */ -#ifdef KERBEROS_TGT_PASSING -#if defined (KRB5) -int auth_kerberos_tgt( char *server_user, krb5_data *krb5data) +#ifdef KRB4 +#include +#include + +int ssh_tf_init(uid_t uid) +{ + extern char *ticket; + char *tkt_root = TKT_ROOT; + struct stat st; + int fd; + + /* Set unique ticket string manually since we're still root. */ + ticket = xmalloc(MAXPATHLEN); +#ifdef AFS + if (lstat("/ticket", &st) != -1) + tkt_root = "/ticket/"; +#endif /* AFS */ + snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid()); + (void) krb_set_tkt_string(ticket); + + /* Make sure we own this ticket file, and we created it. */ + if (lstat(ticket, &st) < 0 && errno == ENOENT) { + /* good, no ticket file exists. create it. */ + if ((fd = open(ticket, O_RDWR|O_CREAT|O_EXCL, 0600)) != -1) { + close(fd); + return 1; + } + } + else { + /* file exists. make sure server_user owns it (e.g. just passed ticket), + and that it isn't a symlink, and that it is mode 600. */ + if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid) + return 1; + } + /* Failure. */ + log_msg("WARNING: bad ticket file %s", ticket); + return 0; +} + +int auth_krb4(const char *server_user, KTEXT auth, char **client) +{ + AUTH_DAT adat = { 0 }; + KTEXT_ST reply; + char instance[INST_SZ]; + int r, s; + u_long cksum; + Key_schedule schedule; + struct sockaddr_in local, foreign; + + s = packet_get_connection_in(); + + r = sizeof(local); + memset(&local, 0, sizeof(local)); + if (getsockname(s, (struct sockaddr *) &local, &r) < 0) + debug("getsockname failed: %.100s", strerror(errno)); + r = sizeof(foreign); + memset(&foreign, 0, sizeof(foreign)); + if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0) + debug("getpeername failed: %.100s", strerror(errno)); + + instance[0] = '*'; instance[1] = 0; + + /* Get the encrypted request, challenge, and session key. */ + if (r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, "")) { + packet_send_debug("Kerberos V4 krb_rd_req: %s", krb_err_txt[r]); + return 0; + } + des_key_sched((des_cblock *)adat.session, schedule); + + *client = xmalloc(MAX_K_NAME_SZ); + (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@@%s", adat.pname, + *adat.pinst ? "." : "", adat.pinst, adat.prealm); + + /* Check ~/.klogin authorization now. */ + if (kuserok(&adat, (char *)server_user) != KSUCCESS) { + packet_send_debug("Kerberos V4 .klogin authorization failed!"); + log_msg("Kerberos V4 .klogin authorization failed for %s to account %s", + *client, server_user); + return 0; + } + /* Increment the checksum, and return it encrypted with the session key. */ + cksum = adat.checksum + 1; + cksum = htonl(cksum); + + /* If we can't successfully encrypt the checksum, we send back an empty + message, admitting our failure. */ + if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1, + schedule, &adat.session, &local, &foreign)) < 0) { + packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]); + reply.dat[0] = 0; + reply.length = 0; + } + else + reply.length = r; + + /* Clear session key. */ + memset(&adat.session, 0, sizeof(&adat.session)); + + packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); + packet_put_string((char *) reply.dat, reply.length); + packet_send(); + packet_write_wait(); + return 1; +} +#endif /* KRB4 */ + +#ifdef KRB5 +int auth_krb5_tgt( char *server_user, krb5_data *krb5data) { krb5_creds **creds; krb5_error_code retval; @@@@ -177,7 +280,7 @@@@ extern char *ticket; static krb5_principal rcache_server = 0; static krb5_rcache rcache; - struct sockaddr_in local, foreign; + struct sockaddr_storage local, foreign; krb5_address *local_addr, *remote_addr; int s; @@@@ -267,5 +370,97 @@@@ } #endif /* KRB5 */ -#endif /* KERBEROS_TGT_PASSING */ + +#ifdef AFS +#include + +int auth_kerberos_tgt(struct passwd *pw, const char *string) +{ + CREDENTIALS creds; + extern char *ticket; + int r; + + if (!radix_to_creds(string, &creds)) { + log_msg("Protocol error decoding Kerberos V4 tgt"); + packet_send_debug("Protocol error decoding Kerberos V4 tgt"); + goto auth_kerberos_tgt_failure; + } + if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ + strcpy(creds.service, "krbtgt"); + + if (strcmp(creds.service, "krbtgt")) { + log_msg("Kerberos V4 tgt (%s%s%s@@%s) rejected for uid %d", + creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm, + pw->pw_uid); + packet_send_debug("Kerberos V4 tgt (%s%s%s@@%s) rejected for uid %d", + creds.pname, creds.pinst[0] ? "." : "", creds.pinst, + creds.realm, pw->pw_uid); + goto auth_kerberos_tgt_failure; + } + if (!ssh_tf_init(pw->pw_uid) || + (r = in_tkt(creds.pname, creds.pinst)) || + (r = save_credentials(creds.service,creds.instance,creds.realm, + creds.session,creds.lifetime,creds.kvno, + &creds.ticket_st,creds.issue_date))) { + xfree(ticket); + ticket = NULL; + packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials"); + goto auth_kerberos_tgt_failure; + } + /* Successful authentication, passed all checks. */ + chown(ticket, pw->pw_uid, pw->pw_gid); + packet_send_debug("Kerberos V4 tgt accepted (%s.%s@@%s, %s%s%s@@%s)", + creds.service,creds.instance,creds.realm, + creds.pname,creds.pinst[0] ? "." : "", + creds.pinst,creds.realm); + + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); + return 1; + +auth_kerberos_tgt_failure: + memset(&creds, 0, sizeof(creds)); + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + return 0; +} + +int auth_afs_token(char *server_user, uid_t uid, const char *string) +{ + CREDENTIALS creds; + + if (!radix_to_creds(string, &creds)) { + log_msg("Protocol error decoding AFS token"); + packet_send_debug("Protocol error decoding AFS token"); + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + return 0; + } + if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ + strcpy(creds.service, "afs"); + + if (strncmp(creds.pname, "AFS ID ", 7) == 0) + uid = atoi(creds.pname + 7); + + if (kafs_settoken(creds.realm, uid, &creds)) { + log_msg("AFS token (%s@@%s) rejected for uid %d", creds.pname, + creds.realm, uid); + packet_send_debug("AFS token (%s@@%s) rejected for uid %d", creds.pname, + creds.realm, uid); + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + return 0; + } + packet_send_debug("AFS token accepted (%s@@%s, %s@@%s)", creds.service, + creds.realm, creds.pname, creds.realm); + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); + return 1; +} +#endif /* AFS */ @ 1.1 log @Folded in IPv6 and Kerberos IV patches, so that both can be compiled. This also fixes problems with Kerberos IV and V support clashing (you still have to choose one or the other at compile time, though). Compiles and runs on 1.4O -- needs testing on 1.4.2, and also some closer looking at certain patches (e.g. patch-au has a "#if 0" that could maybe be something else). @ text @d1 1 a1 1 $NetBSD$ @