search for: k_hasafs

...5_use_ccache(Authctxt *authctxt); #endif /* KRB5 */ #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) --- orig/session.c +++ mod/session.c @@ -1462,20 +1462,22 @@ * home directory is in AFS and it's not world-readable. */ - if (options.kerberos_get_afs_token && k_hasafs() && - (s->authctxt->krb5_ctx != NULL)) { - char cell[64]; + if (options.kerberos_get_afs_token && k_hasafs()) { + session_krb5_use_ccache(s->authctxt); + if (s->authctxt->krb5_ctx != NULL) { + char cell[64]; - debug("Getting AFS token"); + de...

...og("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); + send_krb4_tgt(); + } + /* Try AFS token passing if the server supports it. */ + + if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && + options.afs_token_passing && k_hasafs()) { + if (options.cipher == SSH_CIPHER_NONE) + log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); + send_afs_tokens(); + } +#endif /* AFS */ #ifdef KRB5 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && @@ -1202,6 +122...

...c.orig Tue May 9 16:28:50 2000 +++ auth1.c Tue May 9 17:38:13 2000 @@ -183,6 +183,11 @@ /* Accept AFS token. */ char *token_string = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); + /* If machine has AFS, set process authentication group. */ + if (k_hasafs()) { + k_setpag(); + k_unlog(); + } if (!auth_afs_token(pw, token_string)) verbose("AFS token REFUSED for %s", pw->pw_name); xfree(token_string); @@ -441,14 +446,6 @@ packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); setproctitle("%s",...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

...#endif options->password_authentication = -1; @@ -190,7 +194,7 @@ if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) if (options->afs_token_passing == -1) options->afs_token_passing = k_hasafs(); #endif @@ -246,7 +250,7 @@ #if defined(AFS) || defined(KRB5) sKerberosTgtPassing, #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) sAFSTokenPassing, #endif sChallengeResponseAuthentication, @@ -297,7 +301,7 @@ #if defined(AFS) || defined(KRB5) { "kerberostgtpassing...

...ROOT */ + if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); @@ -1122,7 +1148,6 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - #ifdef AFS /* Try to get AFS tokens for the local cell. */ if (k_hasafs()) { -------------- next part -------------- diff -u openssh-2.3.0p1/acconfig.h openssh-2.3.0p1-chroot/acconfig.h --- openssh-2.3.0p1/acconfig.h Wed Oct 18 14:11:44 2000 +++ openssh-2.3.0p1-chroot/acconfig.h Wed Jan 3 19:23:48 2001 @@ -199,6 +199,9 @@ /* Define if you want to allow MD5 passwords...

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

...-o sshd [snip objs] -L. -Lopenbsd-compat/ -L/usr/kerberos/lib -lssh -lopenbsd-compat -lwrap -lresolv -lskey -lutil -lz -lnsl -lcrypto -lcrypt -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err session.o: In function `do_child?: /home/builder/gate/openssh-tinderbox/session.c:1427: undefined reference to `k_hasafs? /home/builder/gate/openssh-tinderbox/session.c:1433: undefined reference to `k_setpag? /home/builder/gate/openssh-tinderbox/session.c:1435: undefined reference to `k_afs_cell_of_file? /home/builder/gate/openssh-tinderbox/session.c:1436: undefined reference to `krb5_afslog? /home/builder/gate/opens...

...s no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options # KerberosAuthentication automatically enabled if keyfile exists KerberosAuthentication yes KerberosOrLocalPasswd no KerberosTicketCleanup yes # AFSTokenPassing automatically enabled if k_hasafs() is true AFSTokenPassing yes # Kerberos TGT Passing only works with the AFS kaserver KerberosTgtPassing yes # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationV...

comments? -------------- next part -------------- An embedded message was scrubbed... From: Charles Clancy <mgrtcc at cs.rose-hulman.edu> Subject: Problems on Sparcs Date: Wed, 6 Dec 2000 09:55:41 -0500 (EST) Size: 2913 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001206/c7cb5d2a/attachment.mht

...words no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options # KerberosAuthentication automatically enabled if keyfile exists #KerberosAuthentication yes #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # AFSTokenPassing automatically enabled if k_hasafs() is true #AFSTokenPassing yes # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbd...

...words no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options # KerberosAuthentication automatically enabled if keyfile exists #KerberosAuthentication yes #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # AFSTokenPassing automatically enabled if k_hasafs() is true #AFSTokenPassing yes # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbd...

...quot;, user); + /* Do the authentication. */ do_authentication(user); } *************** *** 1084,1089 **** --- 1090,1099 ---- { struct passwd *pw, pwcopy; + #ifdef _AIX + char *loginmsg; + #endif + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { *************** *** 1092,1097 **** --- 1102,1109 ---- } #endif /* AFS */ + pw = (struct passwd *) malloc (sizeof(struct passwd)); + /* Verify that the user is a valid user. */ pw = getpwnam(user); if (!pw || !allowed_user(pw)) *************** *** 1133,1138 **** --- 1145,1151...

...ROOT */ + if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); @@ -1024,7 +1048,6 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - #ifdef AFS /* Try to get AFS tokens for the local cell. */ if (k_hasafs()) { -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001004/0a0ea6b3/attachment.bin