diff options
Diffstat (limited to 'crypto/openssh/sshconnect1.c')
| -rw-r--r-- | crypto/openssh/sshconnect1.c | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c index 4360d72..929581c 100644 --- a/crypto/openssh/sshconnect1.c +++ b/crypto/openssh/sshconnect1.c @@ -6,6 +6,7 @@ * Code to connect to a remote host, and to perform the client side of the * login (authentication) dialog. * + * $FreeBSD$ */ #include "includes.h" @@ -362,7 +363,7 @@ try_rhosts_rsa_authentication(const char *local_user, RSA * host_key) #ifdef KRB4 int -try_kerberos_authentication() +try_krb4_authentication() { KTEXT_ST auth; /* Kerberos data */ char *reply; @@ -405,7 +406,7 @@ try_kerberos_authentication() des_key_sched((des_cblock *) cred.session, schedule); /* Send authentication info to server. */ - packet_start(SSH_CMSG_AUTH_KERBEROS); + packet_start(SSH_CMSG_AUTH_KRB4); packet_put_string((char *) auth.dat, auth.length); packet_send(); packet_write_wait(); @@ -430,13 +431,13 @@ try_kerberos_authentication() type = packet_read(&plen); switch (type) { case SSH_SMSG_FAILURE: - /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ + /* Should really be SSH_SMSG_AUTH_KRB4_FAILURE */ debug("Kerberos V4 authentication failed."); return 0; break; - case SSH_SMSG_AUTH_KERBEROS_RESPONSE: - /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ + case SSH_SMSG_AUTH_KRB4_RESPONSE: + /* SSH_SMSG_AUTH_KRB4_SUCCESS */ debug("Kerberos V4 authentication accepted."); /* Get server's response. */ @@ -479,7 +480,7 @@ try_kerberos_authentication() #ifdef AFS int -send_kerberos_tgt() +send_krb4_tgt() { CREDENTIALS *creds; char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; @@ -508,7 +509,7 @@ send_kerberos_tgt() creds_to_radix(creds, (unsigned char *)buffer, sizeof buffer); xfree(creds); - packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); + packet_start(SSH_CMSG_HAVE_KRB4_TGT); packet_put_string(buffer, strlen(buffer)); packet_send(); packet_write_wait(); @@ -927,11 +928,11 @@ ssh_userauth( #ifdef AFS /* Try Kerberos tgt passing if the server supports it. */ - if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && - options.kerberos_tgt_passing) { + if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) && + options.krb4_tgt_passing) { if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); - (void) send_kerberos_tgt(); + (void) send_krb4_tgt(); } /* Try AFS token passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && @@ -943,10 +944,10 @@ ssh_userauth( #endif /* AFS */ #ifdef KRB4 - if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && - options.kerberos_authentication) { + if ((supported_authentications & (1 << SSH_AUTH_KRB4)) && + options.krb4_authentication) { debug("Trying Kerberos authentication."); - if (try_kerberos_authentication()) { + if (try_krb4_authentication()) { /* The server should respond with success or failure. */ type = packet_read(&payload_len); if (type == SSH_SMSG_SUCCESS) @@ -957,6 +958,35 @@ ssh_userauth( } #endif /* KRB4 */ +#ifdef KRB5 + if ((supported_authentications & (1 << SSH_AUTH_KRB5)) && + options.krb5_authentication){ + krb5_context ssh_context = NULL; + krb5_auth_context auth_context = NULL; + + debug("Trying Kerberos V5 authentication."); + + if (try_krb5_authentication(&ssh_context, &auth_context)) { + type = packet_read(&payload_len); + if (type == SSH_SMSG_SUCCESS) { + if ((supported_authentications & (1 << SSH_PASS_KRB5_TGT)) && + options.krb5_tgt_passing) { + if (options.cipher == SSH_CIPHER_NONE) + log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); + send_krb5_tgt(ssh_context, auth_context); + + } + krb5_auth_con_free(ssh_context, auth_context); + krb5_free_context(ssh_context); + return; + } + if (type != SSH_SMSG_FAILURE) + packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type); + + } + } +#endif /* KRB5 */ + /* * Use rhosts authentication if running in privileged socket and we * do not wish to remain anonymous. |
