author | des <des@FreeBSD.org> | 2004-01-07 11:16:27 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2004-01-07 11:16:27 +0000 |
commit | 7545fb1c7eaf9a0f07cf592ab1b5aa8f59a59866 (patch) | |
tree | 5fffd9d1fcec3a05be383fc9aa81e1eb5e7935de /crypto/openssh/auth1.c | |
parent | b5f9e06a6d8d64c8429e25a1bc1ebfad436bf477 (diff) | |
Resolve conflicts and remove obsolete files.
Sponsored by: registrar.no
Diffstat (limited to 'crypto/openssh/auth1.c')
-rw-r--r-- | crypto/openssh/auth1.c | 131 |
1 files changed, 12 insertions, 119 deletions
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c index 18203fe..1ef6eae 100644 --- a/crypto/openssh/auth1.c +++ b/crypto/openssh/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $"); RCSID("$FreeBSD$"); #include "xmalloc.h" @@ -50,10 +50,6 @@ get_authname(int type) case SSH_CMSG_AUTH_TIS: case SSH_CMSG_AUTH_TIS_RESPONSE: return "challenge-response"; -#if defined(KRB4) || defined(KRB5) - case SSH_CMSG_AUTH_KERBEROS: - return "kerberos"; -#endif } snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); return buf; @@ -82,7 +78,7 @@ do_authloop(Authctxt *authctxt) /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { 
@@ -120,100 +116,6 @@ do_authloop(Authctxt *authctxt) /* Process the packet. */ switch (type) { - -#if defined(KRB4) || defined(KRB5) - case SSH_CMSG_AUTH_KERBEROS: - if (!options.kerberos_authentication) { - verbose("Kerberos authentication disabled."); - } else { - char *kdata = packet_get_string(&dlen); - packet_check_eom(); - - if (kdata[0] == 4) { /* KRB_PROT_VERSION */ -#ifdef KRB4 - KTEXT_ST tkt, reply; - tkt.length = dlen; - if (tkt.length < MAX_KTXT_LEN) - memcpy(tkt.dat, kdata, tkt.length); - - if (PRIVSEP(auth_krb4(authctxt, &tkt, - &client_user, &reply))) { - authenticated = 1; - snprintf(info, sizeof(info), - " tktuser %.100s", - client_user); - - packet_start( - SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) - reply.dat, reply.length); - packet_send(); - packet_write_wait(); - } -#endif /* KRB4 */ - } else { -#ifdef KRB5 - krb5_data tkt, reply; - tkt.length = dlen; - tkt.data = kdata; - - if (PRIVSEP(auth_krb5(authctxt, &tkt, - &client_user, &reply))) { - authenticated = 1; - snprintf(info, sizeof(info), - " tktuser %.100s", - client_user); - - /* Send response to client */ - packet_start( - SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) - reply.data, reply.length); - packet_send(); - packet_write_wait(); - - if (reply.length) - xfree(reply.data); - } -#endif /* KRB5 */ - } - xfree(kdata); - } - break; -#endif /* KRB4 || KRB5 */ - -#if defined(AFS) || defined(KRB5) - /* XXX - punt on backward compatibility here. */ - case SSH_CMSG_HAVE_KERBEROS_TGT: - packet_send_debug("Kerberos TGT passing disabled before authentication."); - break; -#ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - packet_send_debug("AFS token passing disabled before authentication."); - break; -#endif /* AFS */ -#endif /* AFS || KRB5 */ - - case SSH_CMSG_AUTH_RHOSTS: - if (!options.rhosts_authentication) { - verbose("Rhosts authentication disabled."); - break; - } - /* - * Get client user name. 
Note that we just have to - * trust the client; this is one reason why rhosts - * authentication is insecure. (Another is - * IP-spoofing on a local network.) - */ - client_user = packet_get_string(&ulen); - packet_check_eom(); - - /* Try to authenticate using /etc/hosts.equiv and .rhosts. */ - authenticated = auth_rhosts(pw, client_user); - - snprintf(info, sizeof info, " ruser %.100s", client_user); - break; - case SSH_CMSG_AUTH_RHOSTS_RSA: if (!options.rhosts_rsa_authentication) { verbose("Rhosts with RSA authentication disabled."); @@ -310,7 +212,7 @@ do_authloop(Authctxt *authctxt) * Any unknown messages will be ignored (and failure * returned) during authentication. */ - log("Unknown message during authentication: type %d", type); + logit("Unknown message during authentication: type %d", type); break; } #ifdef BSD_AUTH @@ -324,8 +226,6 @@ do_authloop(Authctxt *authctxt) authctxt->user); #ifdef _UNICOS - if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) - cray_login_failure(authctxt->user, IA_UDBERR); if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user); @@ -345,9 +245,10 @@ do_authloop(Authctxt *authctxt) !auth_root_allowed(get_authname(type))) authenticated = 0; #endif + #ifdef USE_PAM - if (!use_privsep && authenticated && - !do_pam_account(pw->pw_name, client_user)) + if (options.use_pam && authenticated && + !PRIVSEP(do_pam_account())) authenticated = 0; #endif @@ -362,9 +263,8 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > AUTH_FAIL_MAX) { + if (authctxt->failures++ > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); - } packet_start(SSH_SMSG_FAILURE); packet_send(); 
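Review bot: In the `USE_PAM` block of do_authloop, a refusal from `do_pam_account()` clears `authenticated` without recording why, so an account-management denial (expired or locked account) looks the same as a wrong credential in whatever is logged afterwards. Unless do_pam_account() logs the reason itself, which is not visible here, brace the branch and add a line such as `logit("Access denied for user %.100s by PAM account configuration", authctxt->user);` before `authenticated = 0;`. The check now also runs through `PRIVSEP()`, so the message should be emitted on the side that holds the PAM result. do_authloop starts and ends outside this hunk.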
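Review bot: The limit test `authctxt->failures++ > AUTH_FAIL_MAX` reads the counter before incrementing it and uses `>`, so, assuming the counter starts at zero and is only bumped here, the disconnect fires on failure AUTH_FAIL_MAX + 2 rather than on failure AUTH_FAIL_MAX. If the constant is meant as the maximum number of failed attempts, `if (++authctxt->failures >= AUTH_FAIL_MAX)` enforces it; if the current slack is intended, a comment stating the effective limit would stop readers from assuming the tighter bound. Dropping the braces around the single `packet_disconnect()` call also makes it easier for a later edit to place a statement outside the guard, and keeping them is the safer style in an authentication path. do_authloop's body continues outside the hunk.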
@@ -393,16 +293,6 @@ do_authentication(void) if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; -#ifdef KRB5 - /* XXX - SSH.com Kerberos v5 braindeath. */ - if ((datafellows & SSH_BUG_K5USER) && - options.kerberos_authentication) { - char *p; - if ((p = strchr(user, '@')) != NULL) - *p = '\0'; - } -#endif - authctxt = authctxt_new(); authctxt->user = user; authctxt->style = style; @@ -410,14 +300,17 @@ do_authentication(void) /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) authctxt->valid = 1; - else + else { debug("do_authentication: illegal user %s", user); + authctxt->pw = fakepw(); + } setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); #ifdef USE_PAM - PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); + if (options.use_pam) + PRIVSEP(start_pam(user)); #endif /* |
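Review bot: After the new `authctxt->pw = fakepw();` in the invalid-user branch, the `setproctitle("%s%s", authctxt->pw ? user : "unknown", ...)` call that follows can no longer reach its "unknown" arm (assuming fakepw() never returns NULL), so the process title now carries whatever name the unauthenticated client sent. Test the validity flag instead: `setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : "");`. Any other code that relied on `authctxt->pw == NULL` to mean "no such user" needs the same move to `authctxt->valid`, since the pointer is now always populated. do_authentication continues past the end of the hunk.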