search for: auth_krb5_password

> FWIW, here are further patches which allow openssh-3.0p1 to work > with paleo-MIT Kerberos5 1.0.6, more or less (more with tickets > and less with the auth_krb5_password {get,verify}_init_creds stuff). Thanks for these. Unfortunately, your vrs patches seem to be based on an earlier version of my patch than the one you're bundling. In particular, your patch adds back in the incorrect replay cache code (it uses the wrong cache name), and takes out the use_uid ca...

...in a while SIA auth with TCB enhanced security locks the root account. I suppose the problem could be solved at two separate levels, for SIA only in auth-sia.c, or for any password using auth method in auth-passwd.c. I'd prefer a fix just for auth-passwd.c, are there any reasons to try out auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok" is set to zero already? Cheers, -Antti Index: auth-passwd.c =================================================================== RCS file: /openssh/openssh_cvs/auth-passwd.c,v retrieving revision 1.86 diff -u -r1.86 auth-passwd.c...

Due to difficulties in getting PAM (with krb5) password expiry working consistently on multiple platforms, I'd like to see if I could hack something into auth-krb5.c to do so. Here's a backtrace when stopped in auth_krb5_password: #0 auth_krb5_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-krb5.c:270 #1 0x274d8 in auth_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-passwd.c:140 #2 0x380fc in mm_answer_authpassword (socket=9, m=0xffbeef28) at monitor.c:608 #3 0x376...

...esult(0); if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + auth_result(0); if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + auth_result(0); #ifdef KRB5 if (options.kerberos_authentication == 1) { - int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; + success = auth_krb5_password(authctxt, password); + if (success == 1 || success == 0) + if (auth_result(success) == 1) + return 1; /* Fall back to ordinary passwd authentication. */ } #endif #ifdef BSD_AUTH - if (auth...

...+28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -208,6 +208,7 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); @@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &k...

...;, ccname); + if (krb5_init(authctxt)) + return; + krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);} + void krb5_cleanup_proc(Authctxt *authctxt) { --- orig/auth.h +++ mod/auth.h @@ -120,6 +120,7 @@ int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); +void session_krb5_use_ccache(Authctxt *authctxt); #endif /* KRB5 */ #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) --- orig/session.c +++ mod/session.c @@ -1462,20 +1462,22 @@ * home dir...

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

Thanks, Simon for the MIT Kerberos5 patches. FWIW, here are further patches which allow openssh-3.0p1 to work with paleo-MIT Kerberos5 1.0.6, more or less (more with tickets and less with the auth_krb5_password {get,verify}_init_creds stuff). BTW, the patches I pulled out of the archive seemed to have some line wrapping problems; I had to apply several chunks by hand. I'm therefore including Simon's krb5 + auth1.c patches along with my krb5 1.0.6 patches as a uuencoded tarball instead of plain te...

...yes KerberosOrLocalPasswd yes #AFSTokenPassing no KerberosTicketCleanup yes # Kerberos TGT Passing does only work with the AFS kaserver KerberosTgtPassing no I'm using MIT Kerberos. As far as I can tell (after scanning the code for a few hours and I'm not a programmer) the problem is in auth_krb5_password. 244 problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", 245 &authctxt->krb5_fwd_ccache); the name "MEMORY:" seems to cause krb5_cc_get_name at 287 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->...

of the remotely connected socket is in in monitor_read(). The easiest way to pass them in would be to add fields to the Authctxt structure, which gets passed down into auth_krb5_password(), although possibly not the best. Perhaps using a prompter isn't the best way to go, either, I'm not sure. Ultimately, I'm simply looking for any pointers as to the best way to proceed, even if it's "read the code" :-> Thanks, --------------------------------------...

...al=0 ; goto out; + } #endif - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) { + retval=0 ; goto out; + } #ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; + if (ret == 1 || ret == 0) { + retval=ret ; goto out; + } /* Fall back to ordinary passwd authentication. */ } #endif @@ -138,29 +147,34 @@ if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); - if (hT...

.../ssh/auth.h 2006/08/18 09:15:20 1.58 +++ usr.bin/ssh/auth.h 2006/09/18 09:35:53 @@ -61,6 +61,7 @@ void *kbdintctxt; #ifdef BSD_AUTH auth_session_t *as; + char **auth_env_mod; /* env changes requested by login script */ #endif #ifdef KRB5 krb5_context krb5_ctx; @@ -122,6 +123,12 @@ int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ + +#ifdef BSD_AUTH +int auth_close_do_env(Authctxt *authctxt, auth_session_t *as); +void bsdauth_env_free(Authctxt *authctxt, char **env); +void bsdauth_child_mod_env(Authctxt *authctxt, char...

...4p1/auth.h Tue Jul 23 15:25:35 2002 @@ -126,7 +126,7 @@ #endif /* KRB4 */ #ifdef KRB5 -int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client); +int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(void *authctxt);

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |