thr3ads.net - openssh unix dev - privsep+kerb5+ssh1 [Jul 2002]

If this information is useful, please help other people find it:
Share via:

Markus Friedl

2002-Jul-31 10:45 UTC

privsep+kerb5+ssh1

please test Olaf Kirch's patch. it looks fine to me, but i don't to K5.

i'd like to see this in the next release. thx

-m
-------------- next part --------------
--- openssh-3.4p1/auth-krb5.c.krb	Sun Jun  9 21:41:48 2002
+++ openssh-3.4p1/auth-krb5.c	Tue Jul 23 15:15:43 2002
@@ -73,18 +73,17 @@
  * from the ticket
  */
 int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
+auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
 {
 	krb5_error_code problem;
 	krb5_principal server;
-	krb5_data reply;
 	krb5_ticket *ticket;
 	int fd, ret;
 
 	ret = 0;
 	server = NULL;
 	ticket = NULL;
-	reply.length = 0;
+	reply->length = 0;
 
 	problem = krb5_init(authctxt);
 	if (problem)
@@ -131,7 +130,7 @@
 
 	/* if client wants mutual auth */
 	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-	    &reply);
+	    reply);
 	if (problem)
 		goto err;
 
@@ -144,19 +143,16 @@
 		krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
 		    client);
 
-	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-	packet_put_string((char *) reply.data, reply.length);
-	packet_send();
-	packet_write_wait();
-
 	ret = 1;
  err:
 	if (server)
 		krb5_free_principal(authctxt->krb5_ctx, server);
 	if (ticket)
 		krb5_free_ticket(authctxt->krb5_ctx, ticket);
-	if (reply.length)
-		xfree(reply.data);
+	if (!ret && reply->length) {
+		xfree(reply->data);
+		memset(reply, 0, sizeof(*reply));
+	}
 
 	if (problem) {
 		if (authctxt->krb5_ctx != NULL)
--- openssh-3.4p1/auth1.c.krb	Fri Jun 21 08:21:11 2002
+++ openssh-3.4p1/auth1.c	Tue Jul 23 15:15:43 2002
@@ -133,15 +133,23 @@
 #endif /* KRB4 */
 				} else {
 #ifdef KRB5
-					krb5_data tkt;
+					krb5_data tkt, reply;
 					tkt.length = dlen;
 					tkt.data = kdata;
 
-					if (auth_krb5(authctxt, &tkt, &client_user)) {
+					if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply)))
{
 						authenticated = 1;
 						snprintf(info, sizeof(info),
 						    " tktuser %.100s",
 						    client_user);
+
+						/* Send response to client */
+						packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+						packet_put_string((char *) reply.data, reply.length);
+						packet_send();
+						packet_write_wait();
+						if (reply.length)
+							xfree(reply.data);
 					}
 #endif /* KRB5 */
 				}
--- openssh-3.4p1/monitor.c.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor.c	Tue Jul 23 15:15:43 2002
@@ -121,6 +121,10 @@
 int mm_answer_pam_chauthtok(int, Buffer *);
 #endif
 
+#ifdef KRB5
+int mm_answer_krb5(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
 
@@ -201,6 +205,9 @@
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
+#ifdef KRB5
+    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
     {0, 0, NULL}
 };
 
@@ -1333,6 +1340,42 @@
 	return (success);
 }
 
+
+#ifdef KRB5
+int
+mm_answer_krb5(int socket, Buffer *m)
+{
+	krb5_data tkt, reply;
+	char *client_user;
+	unsigned int len;
+	int success;
+
+	/* use temporary var to avoid size issues on 64bit arch */
+	tkt.data = buffer_get_string(m, &len);
+	tkt.length = len;
+
+	success = auth_krb5(authctxt, &tkt, &client_user, &reply);
+
+	if (tkt.length)
+		xfree(tkt.data);
+
+	buffer_clear(m);
+	buffer_put_int(m, success);
+
+	if (success) {
+		buffer_put_cstring(m, client_user);
+		buffer_put_string(m, reply.data, reply.length);
+		if (client_user)
+			xfree(client_user);
+		if (reply.length)
+			xfree(reply.data);
+	}
+	mm_request_send(socket, MONITOR_ANS_KRB5, m);
+
+	return success;
+}
+#endif
+
 int
 mm_answer_term(int socket, Buffer *req)
 {
--- openssh-3.4p1/monitor.h.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor.h	Tue Jul 23 15:15:43 2002
@@ -51,6 +51,7 @@
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_CHAUTHTOK, MONITOR_ANS_PAM_CHAUTHTOK,
+	MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
 	MONITOR_REQ_TERM
 };
 
--- openssh-3.4p1/monitor_wrap.c.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor_wrap.c	Tue Jul 23 15:18:23 2002
@@ -1040,3 +1040,38 @@
 
 	return (success);
 }
+
+#ifdef KRB5
+int
+mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
+{
+	krb5_data *tkt, *reply;
+	Buffer m;
+	int success;
+
+	debug3("%s entering", __func__);
+	tkt = (krb5_data *) argp;
+	reply = (krb5_data *) resp;
+
+	buffer_init(&m);
+	buffer_put_string(&m, tkt->data, tkt->length);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
+
+	success = buffer_get_int(&m);
+	if (success) {
+		unsigned int len;
+
+		*userp = buffer_get_string(&m, NULL);
+		reply->data = buffer_get_string(&m, &len);
+		reply->length = len;
+	} else {
+		memset(reply, 0, sizeof(*reply));
+		*userp = NULL;
+	}
+
+	buffer_free(&m);
+	return (success);
+}
+#endif
--- openssh-3.4p1/monitor_wrap.h.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/monitor_wrap.h	Tue Jul 23 15:19:00 2002
@@ -84,6 +84,13 @@
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
+/* auth_krb5 */
+#ifdef KRB5
+/* auth and reply are really krb5_data objects, but we don't want to
+ * include all of the krb5 headers here */
+int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
+#endif
+
 /* zlib allocation hooks */
 
 void *mm_zalloc(struct mm_master *, u_int, u_int);
--- openssh-3.4p1/servconf.c.krb	Tue Jul 23 15:15:43 2002
+++ openssh-3.4p1/servconf.c	Tue Jul 23 15:15:43 2002
@@ -17,7 +17,7 @@
 #endif
 #if defined(KRB5)
 #ifdef HEIMDAL
-#include <krb.h>
+#include <krb5.h>
 #else
 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
  * keytab */
--- openssh-3.4p1/auth.h.krb	Thu Jun  6 22:52:37 2002
+++ openssh-3.4p1/auth.h	Tue Jul 23 15:25:35 2002
@@ -126,7 +126,7 @@
 #endif /* KRB4 */
 
 #ifdef KRB5
-int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
+int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 int	auth_krb5_password(Authctxt *authctxt, const char *password);
 void	krb5_cleanup_proc(void *authctxt);

Jan IVEN

2002-Jul-31 15:55 UTC

head link

privsep+kerb5+ssh1

>>>>> "MF" == Markus Friedl <markus at
openbsd.org> writes:
 MF> please test Olaf Kirch's patch. it looks fine to me, but i don't
to K5.
 MF> i'd like to see this in the next release. thx

For what its worth, a similar patch for KRB4+5 is appended to
http://bugzilla.mindrot.org/show_bug.cgi?id=324 -- and I cannot test
the KRB5 part either (therefore neither Olaf's version). KRB4 seems to
work.

I still have some more patches related to KRB4/AFS/SSH1, and would be most
happy to get rid of them. They deal with:

* mkstemp() on RH7.2 (and above, based on glibc-2.2) being very
  restrictive, breaking KRB4 TGT passing. Moving to the XXXXXX format
  seems to cause trouble because the same ticket file is being
  re-used. The patch adds a check for autoconf to use the bsd_compat
  mkstemp().  http://bugzilla.mindrot.org/show_bug.cgi?id=44

* KRB4-TGT forwarding overwrites credentials (AFS token, KRB4 TGT)
  from a successful password auth. This tends to confuse users.. "-k"
  is a workaround, but was not neccessary pre-3.0. The patch disables
  credential forwarding on the server after password auth succeeded.

* an extended version of the KRB4/5+PRIVSEP patch above that enables
  "early" KRB4/AFS credential forwarding (as done by older/non-OpenSSH
  clients). These credentials now get stored and will be used after
  successful authentication.

Unrelated, but useful:

* make ssh/sshd handle unknown configuration options non-fatally --
  ~/.ssh/config files on AFS tend to be used by multiple versions of
  ssh clients, and barfing because the new version does not like old
  options is unfriendly. For the sshd, the problem is less acute due
  to "-t", but it still prevents us from screwing with other
admin's
  config files...

All of them are against 3.4p1, but I would be willing to port them
forward to something more recent if this would get them accepted...

Regards
Jan

Quellyn Snead

2002-Aug-28 16:02 UTC

head link

privsep+kerb5+ssh1

Hi,

We have tested the patch with krb5, and it works with forwardable and 
non-forwardable tickets. Thanks Olaf!

Also, we submitted a short fix for the -k option a few weeks back. Just 
thought you should know that we have tested it with protocol 1 and 2. All 
cases seem to be working.

Quellyn

At 09:50 AM 8/28/2002 -0600, you wrote:>please test Olaf Kirch's patch. it looks fine to me, but i don't to
K5.
>
>i'd like to see this in the next release. thx
>
>-m
*****************************************************************
Quellyn L. Snead
CCN-2 Enterprise Software Management Team
Los Alamos National Laboratory
Schedule B
(505) 667-4185 Office
*****************************************************************

Apparently Analagous Threads

Search for more reasonably related threads

openssh unix dev - Jul 2002 - privsep+kerb5+ssh1

privsep+kerb5+ssh1

privsep+kerb5+ssh1

privsep+kerb5+ssh1

Apparently Analagous Threads