diff options
Diffstat (limited to 'crypto/openssh/auth1.c')
-rw-r--r-- | crypto/openssh/auth1.c | 152 |
1 files changed, 136 insertions, 16 deletions
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c index 38114d8..1af5d67 100644 --- a/crypto/openssh/auth1.c +++ b/crypto/openssh/auth1.c @@ -1,6 +1,8 @@ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved + * + * $FreeBSD$ */ #include "includes.h" @@ -39,9 +41,13 @@ get_authname(int type) case SSH_CMSG_AUTH_RHOSTS: return "rhosts"; #ifdef KRB4 - case SSH_CMSG_AUTH_KERBEROS: - return "kerberos"; + case SSH_CMSG_AUTH_KRB4: + return "kerberosV4"; #endif +#ifdef KRB5 + case SSH_CMSG_AUTH_KRB5: + return "kerberosV5"; +#endif /* KRB5 */ #ifdef SKEY case SSH_CMSG_AUTH_TIS_RESPONSE: return "s/key"; @@ -135,6 +141,31 @@ do_authloop(struct passwd * pw) unsigned int ulen; int type = 0; void (*authlog) (const char *fmt,...) = verbose; +#ifdef LOGIN_CAP + login_cap_t *lc; +#endif /* LOGIN_CAP */ +#if defined(LOGIN_CAP) || defined(LOGIN_ACCESS) + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(); + from_ip = get_remote_ipaddr(); +#endif /* LOGIN_CAP || LOGIN_ACCESS */ +#ifdef HAVE_LIBPAM + int pam_retval; +#endif /* HAVE_LIBPAM */ +#if 0 +#ifdef KRB5 + { + krb5_error_code ret; + + ret = krb5_init_context(&ssh_context); + if (ret) + verbose("Error while initializing Kerberos V5."); + krb5_init_ets(ssh_context); + + } +#endif /* KRB5 */ +#endif /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); @@ -151,17 +182,17 @@ do_authloop(struct passwd * pw) /* Process the packet. */ switch (type) { #ifdef AFS - case SSH_CMSG_HAVE_KERBEROS_TGT: - if (!options.kerberos_tgt_passing) { + case SSH_CMSG_HAVE_KRB4_TGT: + if (!options.krb4_tgt_passing) { /* packet_get_all(); */ - verbose("Kerberos tgt passing disabled."); + verbose("Kerberos v4 tgt passing disabled."); break; } else { - /* Accept Kerberos tgt. */ + /* Accept Kerberos v4 tgt. */ char *tgt = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); - if (!auth_kerberos_tgt(pw, tgt)) - verbose("Kerberos tgt REFUSED for %s", pw->pw_name); + if (!auth_krb4_tgt(pw, tgt)) + verbose("Kerberos v4 tgt REFUSED for %s", pw->pw_name); xfree(tgt); } continue; @@ -182,11 +213,10 @@ do_authloop(struct passwd * pw) continue; #endif /* AFS */ #ifdef KRB4 - case SSH_CMSG_AUTH_KERBEROS: - if (!options.kerberos_authentication) { + case SSH_CMSG_AUTH_KRB4: + if (!options.krb4_authentication) { /* packet_get_all(); */ - verbose("Kerberos authentication disabled."); - break; + verbose("Kerberos v4 authentication disabled."); } else { /* Try Kerberos v4 authentication. */ KTEXT_ST auth; @@ -207,6 +237,36 @@ do_authloop(struct passwd * pw) } break; #endif /* KRB4 */ +#ifdef KRB5 + case SSH_CMSG_AUTH_KRB5: + if (!options.krb5_authentication) { + verbose("Kerberos v5 authentication disabled."); + break; + } else { + krb5_data k5data; +#if 0 + if (krb5_init_context(&ssh_context)) { + verbose("Error while initializing Kerberos V5."); + break; + } + krb5_init_ets(ssh_context); +#endif + + k5data.data = packet_get_string(&k5data.length); + packet_integrity_check(plen, 4 + k5data.length, type); + if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) { + /* pw->name is passed just for logging purposes + * */ + /* authorize client against .k5login */ + if (krb5_kuserok(ssh_context, + tkt_client, + pw->pw_name)) + authenticated = 1; + } + xfree(k5data.data); + } + break; +#endif /* KRB5 */ case SSH_CMSG_AUTH_RHOSTS: if (!options.rhosts_authentication) { @@ -303,7 +363,7 @@ do_authloop(struct passwd * pw) case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.skey_authentication == 1) { - char *skeyinfo = skey_keyinfo(pw->pw_name); + char *skeyinfo = opie_keyinfo(pw->pw_name); if (skeyinfo == NULL) { debug("generating fake skeyinfo for %.100s.", pw->pw_name); skeyinfo = skey_fake_keyinfo(pw->pw_name); @@ -325,8 +385,8 @@ do_authloop(struct passwd * pw) char *response = packet_get_string(&dlen); debug("skey response == '%s'", response); packet_integrity_check(plen, 4 + dlen, type); - authenticated = (skey_haskey(pw->pw_name) == 0 && - skey_passcheck(pw->pw_name, response) != -1); + authenticated = (opie_haskey(pw->pw_name) == 0 && + opie_passverify(pw->pw_name, response) != -1); xfree(response); } break; @@ -336,6 +396,32 @@ do_authloop(struct passwd * pw) log("TIS authentication unsupported."); break; #endif +#ifdef KRB5 + case SSH_CMSG_HAVE_KRB5_TGT: + /* Passing krb5 ticket */ + if (!options.krb5_tgt_passing + /*|| !options.krb5_authentication */) { + + } + + if (tkt_client == NULL) { + /* passing tgt without krb5 authentication */ + } + + { + krb5_data tgt; + tgt.data = packet_get_string(&tgt.length); + + if (!auth_krb5_tgt(pw->pw_name, &tgt, tkt_client)) { + verbose ("Kerberos V5 TGT refused for %.100s", pw->pw_name); + xfree(tgt.data); + goto fail; + } + xfree(tgt.data); + + break; + } +#endif /* KRB5 */ default: /* @@ -359,6 +445,34 @@ do_authloop(struct passwd * pw) log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); } + +#ifdef LOGIN_CAP + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + if (!auth_hostok(lc, from_host, from_ip)) { + log("Denied connection for %.200s from %.200s [%.200s].", + pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + log("LOGIN %.200s REFUSED (TIME) FROM %.200s", + pw->pw_name, from_host); + packet_disconnect("Logins not available right now."); + } + login_close(lc); +#endif /* LOGIN_CAP */ +#ifdef LOGIN_ACCESS + if (!login_access(pw->pw_name, from_host)) { + log("Denied connection for %.200s from %.200s [%.200s].", + pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } +#endif /* LOGIN_ACCESS */ + + if (pw->pw_uid == 0) + log("ROOT LOGIN as '%.100s' from %.100s", + pw->pw_name, get_canonical_hostname()); } /* Raise logging level */ @@ -431,6 +545,9 @@ do_authentication() pwcopy.pw_gid = pw->pw_gid; pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_expire = pw->pw_expire; + pwcopy.pw_change = pw->pw_change; pw = &pwcopy; /* @@ -444,8 +561,11 @@ do_authentication() /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && +#ifdef KRB5 + !options.krb5_authentication && +#endif /* KRB5 */ #ifdef KRB4 - (!options.kerberos_authentication || options.kerberos_or_local_passwd) && + (!options.krb4_authentication || options.krb4_or_local_passwd) && #endif /* KRB4 */ auth_password(pw, "")) { /* Authentication with empty password succeeded. */ |