Displaying 20 results from an estimated 24 matches for "krb5_ctx".

2003 Aug 08
1
Help request: merging OpenBSD Kerberos change into Portable.
...th_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); @@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache); if (problem) goto out; - problem = krb5_cc_initialize(authctxt->krb5_ctx, - authctxt->krb5_fwd_ccache, authctxt->krb5_user); + proble...
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
...ar *ccname; + debug("session_krb5_use_ccache called"); + if (authctxt->krb5_fwd_ccache) + return; + ccname = getenv("KRB5CCNAME"); + if (!ccname) + return; + debug("using ccname=%.100s", ccname); + if (krb5_init(authctxt)) + return; + krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);} + void krb5_cleanup_proc(Authctxt *authctxt) { --- orig/auth.h +++ mod/auth.h @@ -120,6 +120,7 @@ int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Aut...
2002 Jul 31
2
privsep+kerb5+ssh1
...erver; - krb5_data reply; krb5_ticket *ticket; int fd, ret; ret = 0; server = NULL; ticket = NULL; - reply.length = 0; + reply->length = 0; problem = krb5_init(authctxt); if (problem) @@ -131,7 +130,7 @@ /* if client wants mutual auth */ problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, - &reply); + reply); if (problem) goto err; @@ -144,19 +143,16 @@ krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, client); - packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) reply.data, reply.len...
2002 Mar 09
0
krb5 problem: KRB5CCNAME is ""; possible fix for OpenSSH 3.0.2p1
...# Kerberos TGT Passing does only work with the AFS kaserver KerberosTgtPassing no I'm using MIT Kerberos. As far as I can tell (after scanning the code for a few hours and I'm not a programmer) the problem is in auth_krb5_password. 244 problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", 245 &authctxt->krb5_fwd_ccache); the name "MEMORY:" seems to cause krb5_cc_get_name at 287 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt-> krb5_ctx, authctxt->krb5_fwd_ccache); to return "&qu...
2003 Oct 30
1
Patch to make sshd work on multihomed systems
...ocketname, MAXHOSTNAMELEN); + xfree(socketname); + } else if (gethostname(localname, MAXHOSTNAMELEN)) { + problem = -1; + goto out; + } + problem = krb5_init(authctxt); if (problem) goto out; @@ -123,7 +135,7 @@ if (problem) goto out; - problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, + problem = krb5_sname_to_principal(authctxt->krb5_ctx, localname, NULL, KRB5_NT_SRV_HST, &server); if (problem) goto out; diff -u -r src.old/gss-genr.c src/gss-genr.c --- src.old/gss-genr.c Thu Oct 30 15:02:46 2003 +++ src/gss-genr.c Thu Oct 30 15:02:44 2003 @@ -30,6...
2005 Jul 06
0
[PATCH] Simplify Kerberos credentials cache code
...;mkstemp(): %.100s", strerror(errno)); - problem = errno; - goto out; - } - - if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { - logit("fchmod(): %.100s", strerror(errno)); - close(tmpfd); - problem = errno; - goto out; - } - close(tmpfd); - - problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache); - if (problem) - goto out; + problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, authctxt->krb5_user); @@ -234,4 +210,31...
2012 Aug 10
11
[Bug 2032] New: Local user name in krb5_kuserok call
...Created attachment 2179 --> https://bugzilla.mindrot.org/attachment.cgi?id=2179&action=edit Patch Hi Darren Apparently, I made a small mistake when implementing #1583 back in 5.4p1 @@ -146,7 +146,7 @@ if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; } The krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client) call verifies if pr...
2005 Dec 09
0
openssh & kerberos difficulties
...ault realm for kerberos password authentication. However gssapi access works with multiple default realms, at least for HEIMDAL. It should be fine if sshd uses all default realms or all realms defined in /etc/krb5.conf. For HEIMDAL I replaced the line "problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, ccache, password, 1, NULL);" by a line "problem = krb5_verify_user_lrealm(authctxt->krb5_ctx, authctxt->krb5_user, ccache, password, 1, NULL);" in the file auth-krb5.c and the Kerberos password authentication takes into account all locally defined re...
2002 May 20
0
Openssh 3.2.2p1 KRB5 addition
...de <krb5.h> *************** *** 80,85 **** --- 81,87 ---- krb5_data reply; krb5_ticket *ticket; int fd, ret; + char *localname; ret = 0; server = NULL; *************** *** 108,114 **** if (problem) goto err; ! problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL , KRB5_NT_SRV_HST, &server); if (problem) goto err; --- 110,118 ---- if (problem) goto err; ! localname=get_local_hostname(fd); ! ! problem = krb5_sname_to_principal(authctxt->krb5_ctx, localname, NULL , KRB5_NT_SRV_HST, &serve...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...ed(struct passwd *, Key *); static int krb5_init(void *context) @@ -52,6 +53,8 @@ krb5_principal server; krb5_data reply; krb5_ticket *ticket; + Key k; + char *client_name; int fd, ret; ret = 0; @@ -95,14 +98,30 @@ if (problem) goto err; + if (!krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, + &client_name)) + goto err; + /* Check .k5login authorization now. */ - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, - authctxt->pw->pw_name)) + k.type = KEY_NAME; + k.name = client_name; + k.name_type = "krb5"; + + ret = us...
2003 Mar 26
0
Password expiry in auth-krb5.c
..._preauth (pmonitor=0x8bec0) at monitor.c:280 #5 0x1aaac in privsep_preauth () at sshd.c:603 #6 0x1d45c in main (ac=3, av=0xffbefaac) at sshd.c:1497 At first, I simply tried to add the stock Kerberos prompter to krb5_get_init_creds_password: problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, authctxt->krb5_user, (char *)password, krb5_prompter_posix, NULL, 0, NULL, NULL); however, this returned KRB5_LIBOS_CANTREADPWD due to the fact that fds 0 and 1 are closed and not connected to a socket.
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
...s cache permission incorrect) Failed password for <user> from <ip> port <port> ssh2 -- I had a look at the responsible source code in auth-krb5.c. By doing some debugging there I found out that the following code fragment fails: auth-krb5.c:137 --- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; } --- When I comment out this if-block then I can login using OpenSSH's internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME. I'm not that involved into kerberos on the coding side...
2009 Mar 27
1
Patch for default Kerberos realm in AIX
...e sent to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file. If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,&authctxt->krb5_user); Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the correct realm name (the...
2004 Feb 27
2
OpenAFS and OpenSSH replacing kafs
...get_afs_token"); + (*get_afs_token)(NULL, env, pw->pw_dir, 1); + } + dlclose(handle); + } + } +#else + #if defined(KRB5) && defined(USE_AFS) /* * At this point, we check to see if AFS is active and if we have @@ -1477,6 +1503,7 @@ krb5_afslog_home(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir); } +#endif #endif /* Change current directory to the user\'s home directory. */
2006 Sep 18
1
BSD Auth: set child environment variables requested by login script [PATCH]
...58 diff -u -r1.58 auth.h --- usr.bin/ssh/auth.h 2006/08/18 09:15:20 1.58 +++ usr.bin/ssh/auth.h 2006/09/18 09:35:53 @@ -61,6 +61,7 @@ void *kbdintctxt; #ifdef BSD_AUTH auth_session_t *as; + char **auth_env_mod; /* env changes requested by login script */ #endif #ifdef KRB5 krb5_context krb5_ctx; @@ -122,6 +123,12 @@ int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ + +#ifdef BSD_AUTH +int auth_close_do_env(Authctxt *authctxt, auth_session_t *as); +void bsdauth_env_free(Authctxt *authctxt, char **env); +void b...
2002 Jan 23
1
Fix AFS and Kerberos interaction
...bled."); @@ -372,7 +372,7 @@ xfree(token); } break; -#endif /* AFS */ +#endif /* AFS && KRB4 */ case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_CMD: @@ -1370,6 +1370,10 @@ krb_afslog(cell, 0); krb_afslog(0, 0); +#ifdef KRB5 + krb5_afslog(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache, + NULL, NULL); +#endif } #endif /* AFS */ --- ssh.c 2002/01/23 12:28:10 1.1 +++ ssh.c 2002/01/23 12:30:58 @@ -159,9 +159,9 @@ _PATH_SSH_USER_CONFFILE); fprintf(stderr, " -A Enable authentication agent forwarding.\n"...
2009 Apr 02
17
[Bug 1583] New: User principal name in AIX
...e sent to the SOMEWHERE realm instead of the default realm DEFAULTREALM, which is listed in the libdefaults section of the krb5.conf configuration file. If I look at the code I can see the following in auth-krb5.c on line 88, which causes this behaviour: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,&authctxt->krb5_user); Since authctxt->pw->pw_name contains only the user name (without a realm), the default realm will be automatically appended according to the documentation of the krb5_parse_name call. Since this isn't the correct realm name (the...
2020 Jun 16
0
[PATCH v5 2/2] mm, treewide: Rename kzfree() to kfree_sensitive()
...authkey); return ret; } diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index e7180da1fc6a..794fb3001880 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c @@ -1003,7 +1003,7 @@ krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, err = 0; out_err: - kzfree(desc); + kfree_sensitive(desc); crypto_free_shash(hmac); dprintk("%s: returning %d\n", __func__, err); return err; @@ -1079,7 +1079,7 @@ krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, err = 0; out_err: - kzfree(desc); + kfree_sensitive(desc...
2020 Apr 13
0
[PATCH 1/2] mm, treewide: Rename kzfree() to kfree_sensitive()
...authkey); return ret; } diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index 6f2d30d7b766..19bb244d2444 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c @@ -1003,7 +1003,7 @@ krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, err = 0; out_err: - kzfree(desc); + kfree_sensitive(desc); crypto_free_shash(hmac); dprintk("%s: returning %d\n", __func__, err); return err; @@ -1079,7 +1079,7 @@ krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, err = 0; out_err: - kzfree(desc); + kfree_sensitive(desc...
2020 Jun 16
0
[PATCH v4 2/3] mm, treewide: Rename kzfree() to kfree_sensitive()
...authkey); return ret; } diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index e7180da1fc6a..794fb3001880 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c @@ -1003,7 +1003,7 @@ krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, err = 0; out_err: - kzfree(desc); + kfree_sensitive(desc); crypto_free_shash(hmac); dprintk("%s: returning %d\n", __func__, err); return err; @@ -1079,7 +1079,7 @@ krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, err = 0; out_err: - kzfree(desc); + kfree_sensitive(desc...