-rw-r--r--crypto/openssh/auth-krb4.c2
-rw-r--r--crypto/openssh/auth-krb5.c2
-rw-r--r--crypto/openssh/auth-passwd.c4
-rw-r--r--crypto/openssh/auth1.c117
-rw-r--r--crypto/openssh/auth2.c4
-rw-r--r--crypto/openssh/readconf.c40
-rw-r--r--crypto/openssh/readconf.h6
-rw-r--r--crypto/openssh/servconf.c46
-rw-r--r--crypto/openssh/servconf.h6
-rw-r--r--crypto/openssh/ssh.h18
-rw-r--r--crypto/openssh/sshconnect.c10
-rw-r--r--crypto/openssh/sshconnect1.c69
-rw-r--r--crypto/openssh/sshd.c19
13 files changed, 165 insertions, 178 deletions
diff --git a/crypto/openssh/auth-krb4.c b/crypto/openssh/auth-krb4.c
index a7bce5f..8279a47 100644
--- a/crypto/openssh/auth-krb4.c
+++ b/crypto/openssh/auth-krb4.c
@@ -267,7 +267,7 @@ auth_krb4(const char *server_user, KTEXT auth, char **client)
/* Clear session key. */
memset(&adat.session, 0, sizeof(&adat.session));
- packet_start(SSH_SMSG_AUTH_KRB4_RESPONSE);
+ packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *) reply.dat, reply.length);
packet_send();
packet_write_wait();
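Review bot: The context line above the renamed `packet_start` call clears the session key with `sizeof(&adat.session)`, which is the size of a pointer rather than of the key field, so part of the key can stay in memory wherever a pointer is smaller than the field. The call should read `memset(&adat.session, 0, sizeof(adat.session));`. The type of `adat.session` is declared outside this hunk, so how many bytes are missed depends on the platform. `auth_krb4` begins and ends outside the hunk.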
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
index b5205ec..0fb0ea2 100644
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@@ -79,7 +79,7 @@ auth_krb5(const char* server_user, krb5_data *auth, krb5_principal *client)
*client = tkt_client;
- packet_start(SSH_SMSG_AUTH_KRB5_RESPONSE);
+ packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *) reply.data, reply.length);
packet_send();
packet_write_wait();
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
index c579af3..fdda41c 100644
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@@ -94,7 +94,7 @@ auth_password(struct passwd * pw, const char *password)
}
#endif
#ifdef KRB5
- if (options.krb5_authentication == 1) {
+ if (options.kerberos_authentication == 1) {
if (auth_krb5_password(pw, password))
return 1;
/* Fall back to ordinary passwd authentication. */
@@ -102,7 +102,7 @@ auth_password(struct passwd * pw, const char *password)
#endif /* KRB5 */
#ifdef KRB4
- if (options.krb4_authentication == 1) {
+ if (options.kerberos_authentication == 1) {
int ret = auth_krb4_password(pw, password);
if (ret == 1 || ret == 0)
return ret;
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index 3c50a16..3c0e2b6 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -52,14 +52,10 @@ get_authname(int type)
return "rhosts-rsa";
case SSH_CMSG_AUTH_RHOSTS:
return "rhosts";
-#ifdef KRB4
- case SSH_CMSG_AUTH_KRB4:
- return "kerberosV4";
+#if defined(KRB4) || defined(KRB5)
+ case SSH_CMSG_AUTH_KERBEROS:
+ return "kerberos";
#endif
-#ifdef KRB5
- case SSH_CMSG_AUTH_KRB5:
- return "kerberosV5";
-#endif /* KRB5 */
#ifdef SKEY
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "s/key";
@@ -136,6 +132,7 @@ do_authloop(struct passwd * pw, char *luser)
/* Process the packet. */
switch (type) {
#ifdef AFS
+#ifndef KRB5
case SSH_CMSG_HAVE_KRB4_TGT:
if (!options.krb4_tgt_passing) {
/* packet_get_all(); */
@@ -150,7 +147,7 @@ do_authloop(struct passwd * pw, char *luser)
xfree(tgt);
}
continue;
-
+#endif /* !KRB5 */
case SSH_CMSG_HAVE_AFS_TOKEN:
if (!options.afs_token_passing || !k_hasafs()) {
verbose("AFS token passing disabled.");
@@ -165,63 +162,61 @@ do_authloop(struct passwd * pw, char *luser)
}
continue;
#endif /* AFS */
-#ifdef KRB4
- case SSH_CMSG_AUTH_KRB4:
- if (!options.krb4_authentication) {
- /* packet_get_all(); */
- verbose("Kerberos v4 authentication disabled.");
- break;
- } else {
- /* Try Kerberos v4 authentication. */
- KTEXT_ST auth;
- char *tkt_user = NULL;
- char *kdata = packet_get_string((unsigned int *) &auth.length);
- packet_integrity_check(plen, 4 + auth.length, type);
-
- if (auth.length < MAX_KTXT_LEN)
- memcpy(auth.dat, kdata, auth.length);
- xfree(kdata);
+#if defined(KRB4) || defined(KRB5)
+ case SSH_CMSG_AUTH_KERBEROS:
+ if (!options.kerberos_authentication) {
+ verbose("Kerberos authentication disabled.");
+ } else {
+ unsigned int length;
+ char *kdata = packet_get_string(&length);
+ packet_integrity_check(plen, 4 + length, type);
+
+ /* 4 == KRB_PROT_VERSION */
+ if (kdata[0] == 4) {
+#ifndef KRB4
+ verbose("Kerberos v4 authentication disabled.");
+#else
+ char *tkt_user = NULL;
+ KTEXT_ST auth;
+ auth.length = length;
+ if (auth.length < MAX_KTXT_LEN)
+ memcpy(auth.dat, kdata, auth.length);
- if (pw != NULL) {
authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
+
if (authenticated) {
snprintf(user, sizeof user, " tktuser %s", tkt_user);
xfree(tkt_user);
}
- }
- }
- break;
-#endif /* KRB4 */
-#ifdef KRB5
- case SSH_CMSG_AUTH_KRB5:
- if (!options.krb5_authentication) {
- verbose("Kerberos v5 authentication disabled.");
- break;
- } else {
- krb5_data k5data;
-#if 0
- if (krb5_init_context(&ssh_context)) {
- verbose("Error while initializing Kerberos V5.");
- break;
- }
- krb5_init_ets(ssh_context);
-#endif
-
- k5data.data = packet_get_string(&k5data.length);
- packet_integrity_check(plen, 4 + k5data.length, type);
- if (auth_krb5(luser, &k5data, &tkt_client)) {
- /* "luser" is passed just for logging purposes
- * */
- /* authorize client against .k5login */
- if (krb5_kuserok(ssh_context,
- tkt_client,
- luser))
- authenticated = 1;
- }
- xfree(k5data.data);
- }
- break;
+ #endif /* KRB4 */
+ } else {
+#ifndef KRB5
+ verbose("Kerberos v5 authentication disabled.");
+#else
+ krb5_data k5data;
+ k5data.length = length;
+ k5data.data = kdata;
+ #if 0
+ if (krb5_init_context(&ssh_context)) {
+ verbose("Error while initializing Kerberos V5.");
+ break;
+ }
+ krb5_init_ets(ssh_context);
+ #endif
+ /* pw->name is passed just for logging purposes */
+ if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) {
+ /* authorize client against .k5login */
+ if (krb5_kuserok(ssh_context,
+ tkt_client,
+ pw->pw_name))
+ authenticated = 1;
+ }
#endif /* KRB5 */
+ }
+ xfree(kdata);
+ }
+ break;
+#endif /* KRB4 || KRB5 */
case SSH_CMSG_AUTH_RHOSTS:
if (!options.rhosts_authentication) {
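Review bot: The merged `SSH_CMSG_AUTH_KERBEROS` case dereferences `pw->pw_name` in both the v4 and v5 branches, but the `if (pw != NULL)` guard from the old v4 case is removed and the old v5 case passed `luser` rather than `pw`. If `do_authloop` can still be entered with `pw == NULL` (the removed guard suggests it can, for example for an unknown user), an unauthenticated client can crash the session process by sending this message. Restore the guard in both branches, e.g. `if (pw != NULL) authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);` and `if (pw != NULL && auth_krb5(pw->pw_name, &k5data, &tkt_client)) {`. Separately, when `auth.length >= MAX_KTXT_LEN` the `memcpy` is skipped but `auth_krb4` still runs on an unfilled `auth.dat` with the oversized length, so that case should be rejected before the call. `do_authloop` continues outside the hunk.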
@@ -389,7 +384,7 @@ do_authloop(struct passwd * pw, char *luser)
break;
#endif
#ifdef KRB5
- case SSH_CMSG_HAVE_KRB5_TGT:
+ case SSH_CMSG_HAVE_KERBEROS_TGT:
/* Passing krb5 ticket */
if (!options.krb5_tgt_passing
/*|| !options.krb5_authentication */) {
@@ -571,10 +566,10 @@ do_authentication()
/* If the user has no password, accept authentication immediately. */
if (options.password_authentication &&
#ifdef KRB5
- !options.krb5_authentication &&
+ !options.kerberos_authentication &&
#endif /* KRB5 */
#ifdef KRB4
- (!options.krb4_authentication || options.krb4_or_local_passwd) &&
+ (!options.kerberos_authentication || options.krb4_or_local_passwd) &&
#endif /* KRB4 */
#ifdef USE_PAM
auth_pam_password(pw, "")
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index a39b6d7..8b13de0 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -120,9 +120,9 @@ do_authentication2()
authctxt->success = 0;
x_authctxt = authctxt; /*XXX*/
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
/* turn off kerberos, not supported by SSH2 */
- options.krb4_authentication = 0;
+ options.kerberos_authentication = 0;
#endif
dispatch_init(&protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index 87f5bc9..d5e21b7 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -91,11 +91,11 @@ typedef enum {
oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
oSkeyAuthentication, oXAuthLocation,
-#ifdef KRB4
- oKrb4Authentication,
+#if defined(KRB4) || defined(KRB5)
+ oKerberosAuthentication,
#endif /* KRB4 */
#ifdef KRB5
- oKrb5Authentication, oKrb5TgtPassing,
+ oKrb5TgtPassing,
#endif /* KRB5 */
#ifdef AFS
oKrb4TgtPassing, oAFSTokenPassing,
@@ -128,11 +128,10 @@ static struct {
{ "rsaauthentication", oRSAAuthentication },
{ "dsaauthentication", oDSAAuthentication },
{ "skeyauthentication", oSkeyAuthentication },
-#ifdef KRB4
- { "kerberos4authentication", oKrb4Authentication },
-#endif /* KRB4 */
+#if defined(KRB4) || defined(KRB5)
+ { "kerberosauthentication", oKerberosAuthentication },
+#endif /* KRB4 || KRB5 */
#ifdef KRB5
- { "kerberos5authentication", oKrb5Authentication },
{ "kerberos5tgtpassing", oKrb5TgtPassing },
#endif /* KRB5 */
#ifdef AFS
@@ -324,17 +323,13 @@ parse_flag:
intptr = &options->skey_authentication;
goto parse_flag;
-#ifdef KRB4
- case oKrb4Authentication:
- intptr = &options->krb4_authentication;
+#if defined(KRB4) || defined(KRB5)
+ case oKerberosAuthentication:
+ intptr = &options->kerberos_authentication;
goto parse_flag;
-#endif /* KRB4 */
+#endif /* KRB4 || KRB5 */
#ifdef KRB5
- case oKrb5Authentication:
- intptr = &options->krb5_authentication;
- goto parse_flag;
-
case oKrb5TgtPassing:
intptr = &options->krb5_tgt_passing;
goto parse_flag;
@@ -682,11 +677,10 @@ initialize_options(Options * options)
options->rsa_authentication = -1;
options->dsa_authentication = -1;
options->skey_authentication = -1;
-#ifdef KRB4
- options->krb4_authentication = -1;
+#if defined(KRB4) || defined(KRB5)
+ options->kerberos_authentication = -1;
#endif
#ifdef KRB5
- options->krb5_authentication = -1;
options->krb5_tgt_passing = -1;
#endif /* KRB5 */
#ifdef AFS
@@ -754,13 +748,11 @@ fill_default_options(Options * options)
options->dsa_authentication = 1;
if (options->skey_authentication == -1)
options->skey_authentication = 0;
-#ifdef KRB4
- if (options->krb4_authentication == -1)
- options->krb4_authentication = 1;
-#endif /* KRB4 */
+#if defined(KRB4) || defined(KRB5)
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication = 1;
+#endif /* KRB4 || KRB5 */
#ifdef KRB5
- if (options->krb5_authentication == -1)
- options->krb5_authentication = 1;
if (options->krb5_tgt_passing == -1)
options->krb5_tgt_passing = 1;
#endif /* KRB5 */
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index 770ee53..6d0199e 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -38,13 +38,11 @@ typedef struct {
int rsa_authentication; /* Try RSA authentication. */
int dsa_authentication; /* Try DSA authentication. */
int skey_authentication; /* Try S/Key or TIS authentication. */
-#ifdef KRB4
- int krb4_authentication; /* Try Kerberos v4
- * authentication. */
+#if defined(KRB4) || defined(KRB5)
+ int kerberos_authentication; /* Try Kerberos authentication. */
#endif
#ifdef KRB5
- int krb5_authentication;
int krb5_tgt_passing;
#endif /* KRB5 */
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 4f291a2..5f3213e 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -52,13 +52,14 @@ initialize_server_options(ServerOptions *options)
options->rhosts_rsa_authentication = -1;
options->rsa_authentication = -1;
options->dsa_authentication = -1;
+#if defined(KRB4) || defined(KRB5)
+ options->kerberos_authentication = -1;
+#endif
#ifdef KRB4
- options->krb4_authentication = -1;
options->krb4_or_local_passwd = -1;
options->krb4_ticket_cleanup = -1;
#endif
#ifdef KRB5
- options->krb5_authentication = -1;
options->krb5_tgt_passing = -1;
#endif /* KRB5 */
#ifdef AFS
@@ -141,17 +142,24 @@ fill_default_server_options(ServerOptions *options)
options->rsa_authentication = 1;
if (options->dsa_authentication == -1)
options->dsa_authentication = 1;
+#if defined(KRB4) && defined(KRB5)
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication =
+ (access(KEYFILE, R_OK) == 0) || (access(krb5_defkeyname, R_OK) == 0);
+#elif defined(KRB4)
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+#elif defined(KRB5)
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication = (access(krb5_defkeyname, R_OK) == 0);
+#endif
#ifdef KRB4
- if (options->krb4_authentication == -1)
- options->krb4_authentication = (access(KEYFILE, R_OK) == 0);
if (options->krb4_or_local_passwd == -1)
options->krb4_or_local_passwd = 1;
if (options->krb4_ticket_cleanup == -1)
options->krb4_ticket_cleanup = 1;
#endif /* KRB4 */
#ifdef KRB5
- if (options->krb5_authentication == -1)
- options->krb5_authentication = 1;
if (options->krb5_tgt_passing == -1)
options->krb5_tgt_passing = 1;
#endif /* KRB5 */
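Review bot: The KRB5 default now comes from `access(krb5_defkeyname, R_OK)`, which treats the library's default keytab name as a plain filesystem path. If that name carries a keytab type prefix (keytab names commonly do; its value is not visible here), `access()` fails and Kerberos is left off by default, whereas v5 previously defaulted to 1. Resolve the name to a file path before the check, or add a comment such as `/* assumes krb5_defkeyname is a bare path */` so the assumption is visible. In the `KRB4 && KRB5` build, a readable v4 `KEYFILE` alone also turns the option on for both protocol versions. `fill_default_server_options` continues outside the hunk.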
@@ -193,11 +201,14 @@ typedef enum {
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+#if defined(KRB4) || defined(KRB5)
+ sKerberosAuthentication,
+#endif
#ifdef KRB4
- sKrb4Authentication, sKrb4OrLocalPasswd, sKrb4TicketCleanup,
+ sKrb4OrLocalPasswd, sKrb4TicketCleanup,
#endif
#ifdef KRB5
- sKrb5Authentication, sKrb5TgtPassing,
+ sKrb5TgtPassing,
#endif /* KRB5 */
#ifdef AFS
sKrb4TgtPassing, sAFSTokenPassing,
@@ -234,13 +245,14 @@ static struct {
{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
{ "rsaauthentication", sRSAAuthentication },
{ "dsaauthentication", sDSAAuthentication },
+#if defined(KRB4) || defined(KRB5)
+ { "kerberosauthentication", sKerberosAuthentication },
+#endif
#ifdef KRB4
- { "kerberos4authentication", sKrb4Authentication },
{ "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
{ "kerberos4ticketcleanup", sKrb4TicketCleanup },
#endif
#ifdef KRB5
- { "kerberos5authentication", sKrb5Authentication },
{ "kerberos5tgtpassing", sKrb5TgtPassing },
#endif /* KRB5 */
#ifdef AFS
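Review bot: `kerberos4authentication` and `kerberos5authentication` are dropped from the keyword table with no alias, so an existing sshd_config that disables one version through the old keyword no longer matches any entry. How the parser treats an unknown keyword is outside this hunk; if it is not fatal, that setting is silently lost and the new default applies. Keeping the old names as aliases, e.g. `{ "kerberos5authentication", sKerberosAuthentication },`, would make such a config fail safe by disabling both versions. The single option also removes the ability to permit only one protocol version, which deserves a note in the documentation.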
@@ -505,11 +517,13 @@ parse_flag:
intptr = &options->dsa_authentication;
goto parse_flag;
-#ifdef KRB4
- case sKrb4Authentication:
- intptr = &options->krb4_authentication;
+#if defined(KRB4) || defined(KRB5)
+ case sKerberosAuthentication:
+ intptr = &options->kerberos_authentication;
goto parse_flag;
-
+#endif
+
+#ifdef KRB4
case sKrb4OrLocalPasswd:
intptr = &options->krb4_or_local_passwd;
goto parse_flag;
@@ -520,10 +534,6 @@ parse_flag:
#endif
#ifdef KRB5
- case sKrb5Authentication:
- intptr = &options->krb5_authentication;
- goto parse_flag;
-
case sKrb5TgtPassing:
intptr = &options->krb5_tgt_passing;
goto parse_flag;
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index 79fe5a0..f4ce52c 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -61,9 +61,10 @@ typedef struct {
* authentication. */
int rsa_authentication; /* If true, permit RSA authentication. */
int dsa_authentication; /* If true, permit DSA authentication. */
+#if defined(KRB4) || defined(KRB5)
+ int kerberos_authentication; /* If true, permit Kerberos auth. */
+#endif /* KRB4 || KRB5 */
#ifdef KRB4
- int krb4_authentication; /* If true, permit Kerberos v4
- * authentication. */
int krb4_or_local_passwd; /* If true, permit kerberos v4
* and any other password
* authentication mechanism,
@@ -73,7 +74,6 @@ typedef struct {
* file on logout. */
#endif
#ifdef KRB5
- int krb5_authentication;
int krb5_tgt_passing;
#endif /* KRB5 */
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
index 82e7eb1..82ed914 100644
--- a/crypto/openssh/ssh.h
+++ b/crypto/openssh/ssh.h
@@ -182,14 +182,11 @@
#define SSH_AUTH_PASSWORD 3
#define SSH_AUTH_RHOSTS_RSA 4
#define SSH_AUTH_TIS 5
-#define SSH_AUTH_KRB4 6
-#define SSH_PASS_KRB4_TGT 7
+#define SSH_AUTH_KERBEROS 6
+#define SSH_PASS_KERBEROS_TGT 7
/* 8 to 15 are reserved */
#define SSH_PASS_AFS_TOKEN 21
-#define SSH_AUTH_KRB5 29
-#define SSH_PASS_KRB5_TGT 30
-
/* Protocol flags. These are bit masks. */
#define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */
#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN 2 /* forwarding opens contain host */
@@ -243,14 +240,13 @@
#define SSH_CMSG_AUTH_TIS 39 /* we use this for s/key */
#define SSH_SMSG_AUTH_TIS_CHALLENGE 40 /* challenge (string) */
#define SSH_CMSG_AUTH_TIS_RESPONSE 41 /* response (string) */
-#define SSH_CMSG_AUTH_KRB4 42 /* (KTEXT) */
-#define SSH_SMSG_AUTH_KRB4_RESPONSE 43 /* (KTEXT) */
-#define SSH_CMSG_HAVE_KRB4_TGT 44 /* credentials (s) */
+#define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */
+#define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */
+#define SSH_CMSG_HAVE_KERBEROS_TGT 44
#define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */
-#define SSH_CMSG_AUTH_KRB5 110
-#define SSH_SMSG_AUTH_KRB5_RESPONSE 111
-#define SSH_CMSG_HAVE_KRB5_TGT 112
+/* Kerberos IV tickets can't be forwarded. This is an AFS hack! */
+#define SSH_CMSG_HAVE_KRB4_TGT SSH_CMSG_HAVE_KERBEROS_TGT /* credentials (s) */
/*------------ definitions for login.c -------------*/
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
index 367c203..b2906cc 100644
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@@ -742,7 +742,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
goto out;
}
- packet_start(SSH_CMSG_AUTH_KRB5);
+ packet_start(SSH_CMSG_AUTH_KERBEROS);
packet_put_string((char *) ap.data, ap.length);
packet_send();
packet_write_wait();
@@ -753,13 +753,13 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
type = packet_read(&payload_len);
switch (type) {
case SSH_SMSG_FAILURE:
- /* Should really be SSH_SMSG_AUTH_KRB5_FAILURE */
+ /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
debug("Kerberos V5 authentication failed.");
ret = 0;
break;
- case SSH_SMSG_AUTH_KRB5_RESPONSE:
- /* SSH_SMSG_AUTH_KRB5_SUCCESS */
+ case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
+ /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
debug("Kerberos V5 authentication accepted.");
/* Get server's response. */
@@ -870,7 +870,7 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
goto out;
}
- packet_start(SSH_CMSG_HAVE_KRB5_TGT);
+ packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
packet_put_string((char *)outbuf.data, outbuf.length);
packet_send();
packet_write_wait();
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c
index 5ae46e0..4d7351b 100644
--- a/crypto/openssh/sshconnect1.c
+++ b/crypto/openssh/sshconnect1.c
@@ -410,7 +410,7 @@ try_krb4_authentication()
des_key_sched((des_cblock *) cred.session, schedule);
/* Send authentication info to server. */
- packet_start(SSH_CMSG_AUTH_KRB4);
+ packet_start(SSH_CMSG_AUTH_KERBEROS);
packet_put_string((char *) auth.dat, auth.length);
packet_send();
packet_write_wait();
@@ -435,13 +435,13 @@ try_krb4_authentication()
type = packet_read(&plen);
switch (type) {
case SSH_SMSG_FAILURE:
- /* Should really be SSH_SMSG_AUTH_KRB4_FAILURE */
+ /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
debug("Kerberos V4 authentication failed.");
return 0;
break;
- case SSH_SMSG_AUTH_KRB4_RESPONSE:
- /* SSH_SMSG_AUTH_KRB4_SUCCESS */
+ case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
+ /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
debug("Kerberos V4 authentication accepted.");
/* Get server's response. */
@@ -924,6 +924,35 @@ ssh_userauth(
packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
type);
+#ifdef KRB5
+ if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
+ options.kerberos_authentication){
+ krb5_context ssh_context = NULL;
+ krb5_auth_context auth_context = NULL;
+
+ debug("Trying Kerberos V5 authentication.");
+
+ if (try_krb5_authentication(&ssh_context, &auth_context)) {
+ type = packet_read(&payload_len);
+ if (type == SSH_SMSG_SUCCESS) {
+ if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+ options.krb5_tgt_passing) {
+ if (options.cipher == SSH_CIPHER_NONE)
+ log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+ send_krb5_tgt(ssh_context, auth_context);
+
+ }
+ krb5_auth_con_free(ssh_context, auth_context);
+ krb5_free_context(ssh_context);
+ return;
+ }
+ if (type != SSH_SMSG_FAILURE)
+ packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type);
+
+ }
+ }
+#endif /* KRB5 */
+
#ifdef AFS
/* Try Kerberos tgt passing if the server supports it. */
if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) &&
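Review bot: In the relocated KRB5 block the `SSH_CIPHER_NONE` check only logs a warning, and `send_krb5_tgt` runs regardless, so the forwarded TGT goes out unencrypted. Skipping the forward in that case is safer: put the send in an `else`, i.e. `else send_krb5_tgt(ssh_context, auth_context);`. Also, `krb5_auth_con_free` and `krb5_free_context` are reached only on `SSH_SMSG_SUCCESS`; whether `try_krb5_authentication` releases both contexts on the failure paths is not visible here. `ssh_userauth` continues outside the hunk.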
@@ -942,8 +971,8 @@ ssh_userauth(
#endif /* AFS */
#ifdef KRB4
- if ((supported_authentications & (1 << SSH_AUTH_KRB4)) &&
- options.krb4_authentication) {
+ if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
+ options.kerberos_authentication) {
debug("Trying Kerberos authentication.");
if (try_krb4_authentication()) {
/* The server should respond with success or failure. */
@@ -956,34 +985,6 @@ ssh_userauth(
}
#endif /* KRB4 */
-#ifdef KRB5
- if ((supported_authentications & (1 << SSH_AUTH_KRB5)) &&
- options.krb5_authentication){
- krb5_context ssh_context = NULL;
- krb5_auth_context auth_context = NULL;
-
- debug("Trying Kerberos V5 authentication.");
-
- if (try_krb5_authentication(&ssh_context, &auth_context)) {
- type = packet_read(&payload_len);
- if (type == SSH_SMSG_SUCCESS) {
- if ((supported_authentications & (1 << SSH_PASS_KRB5_TGT)) &&
- options.krb5_tgt_passing) {
- if (options.cipher == SSH_CIPHER_NONE)
- log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
- send_krb5_tgt(ssh_context, auth_context);
-
- }
- krb5_auth_con_free(ssh_context, auth_context);
- krb5_free_context(ssh_context);
- return;
- }
- if (type != SSH_SMSG_FAILURE)
- packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type);
-
- }
- }
-#endif /* KRB5 */
/*
* Use rhosts authentication if running in privileged socket and we
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 5073465..89fb0ae 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -1063,11 +1063,11 @@ main(int ac, char **av)
options.rhosts_authentication = 0;
options.rhosts_rsa_authentication = 0;
}
-#ifdef KRB4
+#if defined(KRB4) && !defined(KRB5)
if (!packet_connection_is_ipv4() &&
- options.krb4_authentication) {
+ options.kerberos_authentication) {
debug("Kerberos Authentication disabled, only available for IPv4.");
- options.krb4_authentication = 0;
+ options.kerberos_authentication = 0;
}
#endif /* KRB4 */
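Review bot: With the guard changed to `#if defined(KRB4) && !defined(KRB5)`, a build that defines both no longer turns Kerberos off for non-IPv4 connections, yet the v4 branch in `do_authloop` (`kdata[0] == 4`) stays reachable on them. If v4 is still IPv4-only, as the debug message says, that branch should test `packet_connection_is_ipv4()` itself and refuse the ticket otherwise. The trailing comment should also match the new condition: `#endif /* KRB4 && !KRB5 */`. `main` continues outside the hunk.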
@@ -1164,18 +1164,13 @@ do_ssh1_kex()
auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
if (options.rsa_authentication)
auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef KRB4
- if (options.krb4_authentication)
- auth_mask |= 1 << SSH_AUTH_KRB4;
+#if defined(KRB4) || defined(KRB5)
+ if (options.kerberos_authentication)
+ auth_mask |= 1 << SSH_AUTH_KERBEROS;
#endif
#ifdef KRB5
- if (options.krb5_authentication) {
- auth_mask |= 1 << SSH_AUTH_KRB5;
- /* compatibility with MetaCentre ssh */
- auth_mask |= 1 << SSH_AUTH_KRB4;
- }
if (options.krb5_tgt_passing)
- auth_mask |= 1 << SSH_PASS_KRB5_TGT;
+ auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
#endif /* KRB5 */
#ifdef AFS