diff --git a/crypto/openssh/auth-krb4.c b/crypto/openssh/auth-krb4.c index a7bce5f7c6cb..8279a47a053b 100644 --- a/crypto/openssh/auth-krb4.c +++ b/crypto/openssh/auth-krb4.c @@ -267,7 +267,7 @@ auth_krb4(const char *server_user, KTEXT auth, char **client) /* Clear session key. */ memset(&adat.session, 0, sizeof(&adat.session)); - packet_start(SSH_SMSG_AUTH_KRB4_RESPONSE); + packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); packet_put_string((char *) reply.dat, reply.length); packet_send(); packet_write_wait(); diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c index b5205ec00775..0fb0ea21b9af 100644 --- a/crypto/openssh/auth-krb5.c +++ b/crypto/openssh/auth-krb5.c @@ -79,7 +79,7 @@ auth_krb5(const char* server_user, krb5_data *auth, krb5_principal *client) *client = tkt_client; - packet_start(SSH_SMSG_AUTH_KRB5_RESPONSE); + packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); packet_put_string((char *) reply.data, reply.length); packet_send(); packet_write_wait(); diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c index c579af350291..fdda41cfcf0d 100644 --- a/crypto/openssh/auth-passwd.c +++ b/crypto/openssh/auth-passwd.c @@ -94,7 +94,7 @@ auth_password(struct passwd * pw, const char *password) } #endif #ifdef KRB5 - if (options.krb5_authentication == 1) { + if (options.kerberos_authentication == 1) { if (auth_krb5_password(pw, password)) return 1; /* Fall back to ordinary passwd authentication. */ @@ -102,7 +102,7 @@ auth_password(struct passwd * pw, const char *password) #endif /* KRB5 */ #ifdef KRB4 - if (options.krb4_authentication == 1) { + if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(pw, password); if (ret == 1 || ret == 0) return ret; diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c index 3c50a16c3b01..3c0e2b6be6cf 100644 --- a/crypto/openssh/auth1.c +++ b/crypto/openssh/auth1.c 
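Review bot: The context line `memset(&adat.session, 0, sizeof(&adat.session));` just above the renamed call in auth_krb4 takes the size of a pointer, not of the session key. Where a pointer is narrower than the key, the tail of the key stays in memory after the "Clear session key" step. The commit only renames the message constant and leaves this line as is. I would change it to `memset(&adat.session, 0, sizeof(adat.session));`; the declaration of `adat` is outside the hunk, so the real key size should be confirmed there. auth_krb4 starts and ends outside the hunk.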
@@ -52,14 +52,10 @@ get_authname(int type) return "rhosts-rsa"; case SSH_CMSG_AUTH_RHOSTS: return "rhosts"; -#ifdef KRB4 - case SSH_CMSG_AUTH_KRB4: - return "kerberosV4"; +#if defined(KRB4) || defined(KRB5) + case SSH_CMSG_AUTH_KERBEROS: + return "kerberos"; #endif -#ifdef KRB5 - case SSH_CMSG_AUTH_KRB5: - return "kerberosV5"; -#endif /* KRB5 */ #ifdef SKEY case SSH_CMSG_AUTH_TIS_RESPONSE: return "s/key"; @@ -136,6 +132,7 @@ do_authloop(struct passwd * pw, char *luser) /* Process the packet. */ switch (type) { #ifdef AFS +#ifndef KRB5 case SSH_CMSG_HAVE_KRB4_TGT: if (!options.krb4_tgt_passing) { /* packet_get_all(); */ @@ -150,7 +147,7 @@ do_authloop(struct passwd * pw, char *luser) xfree(tgt); } continue; - +#endif /* !KRB5 */ case SSH_CMSG_HAVE_AFS_TOKEN: if (!options.afs_token_passing || !k_hasafs()) { verbose("AFS token passing disabled."); 
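Review bot: Wrapping `case SSH_CMSG_HAVE_KRB4_TGT:` in `#ifndef KRB5` removes the v4 ticket handler from a build with both AFS and KRB5 without any log line. Message 44 is then taken by the `SSH_CMSG_HAVE_KERBEROS_TGT` case further down (the ssh.h hunk aliases the two names to the same number), which is gated by `krb5_tgt_passing` rather than `krb4_tgt_passing`. The same client-sent bytes are therefore parsed as v4 credentials or as a v5 forwarded ticket depending only on compile-time flags, and the `krb4_tgt_passing` setting silently stops having an effect. I would add a comment at the `#ifndef`, e.g. `/* message 44 is SSH_CMSG_HAVE_KERBEROS_TGT when KRB5 is defined; v4 TGT passing is not available in that build */`, and confirm that the code advertising the `SSH_PASS_*` bits (not visible here) does not offer v4 ticket passing in that configuration. do_authloop continues outside the hunk.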
@@ -165,63 +162,61 @@ do_authloop(struct passwd * pw, char *luser) } continue; #endif /* AFS */ -#ifdef KRB4 - case SSH_CMSG_AUTH_KRB4: - if (!options.krb4_authentication) { - /* packet_get_all(); */ - verbose("Kerberos v4 authentication disabled."); - break; - } else { - /* Try Kerberos v4 authentication. */ - KTEXT_ST auth; - char *tkt_user = NULL; - char *kdata = packet_get_string((unsigned int *) &auth.length); - packet_integrity_check(plen, 4 + auth.length, type); +#if defined(KRB4) || defined(KRB5) + case SSH_CMSG_AUTH_KERBEROS: + if (!options.kerberos_authentication) { + verbose("Kerberos authentication disabled."); + } else { + unsigned int length; + char *kdata = packet_get_string(&length); + packet_integrity_check(plen, 4 + length, type); - if (auth.length < MAX_KTXT_LEN) - memcpy(auth.dat, kdata, auth.length); - xfree(kdata); + /* 4 == KRB_PROT_VERSION */ + if (kdata[0] == 4) { +#ifndef KRB4 + verbose("Kerberos v4 authentication disabled."); +#else + char *tkt_user = NULL; + KTEXT_ST auth; + auth.length = length; + if (auth.length < MAX_KTXT_LEN) + memcpy(auth.dat, kdata, auth.length); - if (pw != NULL) { authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); + if (authenticated) { snprintf(user, sizeof user, " tktuser %s", tkt_user); xfree(tkt_user); } - } - } - break; -#endif /* KRB4 */ -#ifdef KRB5 - case SSH_CMSG_AUTH_KRB5: - if (!options.krb5_authentication) { - verbose("Kerberos v5 authentication disabled."); - break; - } else { - krb5_data k5data; -#if 0 - if (krb5_init_context(&ssh_context)) { - verbose("Error while initializing Kerberos V5."); - break; - } - krb5_init_ets(ssh_context); -#endif - - k5data.data = packet_get_string(&k5data.length); - packet_integrity_check(plen, 4 + k5data.length, type); - if (auth_krb5(luser, &k5data, &tkt_client)) { - /* "luser" is passed just for logging purposes - * */ - /* authorize client against .k5login */ - if (krb5_kuserok(ssh_context, - tkt_client, - luser)) - authenticated = 1; - } - 
xfree(k5data.data); - } - break; + #endif /* KRB4 */ + } else { +#ifndef KRB5 + verbose("Kerberos v5 authentication disabled."); +#else + krb5_data k5data; + k5data.length = length; + k5data.data = kdata; + #if 0 + if (krb5_init_context(&ssh_context)) { + verbose("Error while initializing Kerberos V5."); + break; + } + krb5_init_ets(ssh_context); + #endif + /* pw->name is passed just for logging purposes */ + if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) { + /* authorize client against .k5login */ + if (krb5_kuserok(ssh_context, + tkt_client, + pw->pw_name)) + authenticated = 1; + } #endif /* KRB5 */ + } + xfree(kdata); + } + break; +#endif /* KRB4 || KRB5 */ case SSH_CMSG_AUTH_RHOSTS: if (!options.rhosts_authentication) { @@ -389,7 +384,7 @@ do_authloop(struct passwd * pw, char *luser) break; #endif #ifdef KRB5 - case SSH_CMSG_HAVE_KRB5_TGT: + case SSH_CMSG_HAVE_KERBEROS_TGT: /* Passing krb5 ticket */ if (!options.krb5_tgt_passing /*|| !options.krb5_authentication */) { @@ -571,10 +566,10 @@ do_authentication() /* If the user has no password, accept authentication immediately. */ if (options.password_authentication && #ifdef KRB5 - !options.krb5_authentication && + !options.kerberos_authentication && #endif /* KRB5 */ #ifdef KRB4 - (!options.krb4_authentication || options.krb4_or_local_passwd) && + (!options.kerberos_authentication || options.krb4_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM auth_pam_password(pw, "") diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c index a39b6d742413..8b13de038cf3 100644 --- a/crypto/openssh/auth2.c +++ b/crypto/openssh/auth2.c @@ -120,9 +120,9 @@ do_authentication2() authctxt->success = 0; x_authctxt = authctxt; /*XXX*/ -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) /* turn off kerberos, not supported by SSH2 */ - options.krb4_authentication = 0; + options.kerberos_authentication = 0; #endif dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 
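Review bot: Both branches of the new `SSH_CMSG_AUTH_KERBEROS` case dereference `pw->pw_name` without the `if (pw != NULL)` guard that the removed v4 code had, and the v5 branch now passes `pw->pw_name` where it used to pass `luser`. If do_authloop can still be entered with a NULL `pw` (the removed guard suggests it can, for example for a login name with no account), this is a NULL dereference in the pre-authentication path. The v4 branch also still calls `auth_krb4()` when the length is not below `MAX_KTXT_LEN`, in which case `auth.dat` was never filled while `auth.length` carries the client-supplied size, and `kdata[0]` is read before `length` is known to be non-zero. The fence below fails the attempt early in both cases and checks the unsigned `length` before it is stored in `auth.length`. do_authloop starts and ends outside this hunk.

```c
			char *kdata = packet_get_string(&length);
			packet_integrity_check(plen, 4 + length, type);

			/* No account or empty blob: fail the attempt before touching pw or kdata[0]. */
			if (pw == NULL || length == 0) {
				xfree(kdata);
				break;
			}
			/* … unchanged: version dispatch on kdata[0], #ifndef KRB4 branch … */
				KTEXT_ST auth;
				/* Oversized ticket: auth.dat would stay unfilled, so never reach auth_krb4(). */
				if (length >= MAX_KTXT_LEN) {
					xfree(kdata);
					break;
				}
				auth.length = length;
				memcpy(auth.dat, kdata, auth.length);
			/* … unchanged: auth_krb4 call, v5 branch, xfree(kdata) … */
```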
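Review bot: Clearing `options.kerberos_authentication` in do_authentication2 now also switches off Kerberos 5 password verification for SSH2 logins, assuming SSH2 password authentication goes through `auth_password()`: the auth-passwd.c hunk makes that function test this same flag before calling `auth_krb5_password()`. Before this change only `krb4_authentication` was cleared, and only in KRB4 builds. If that is intended, the comment should say so, e.g. `/* ticket-based Kerberos is not supported by SSH2; this also disables the Kerberos password checks in auth_password() */`; if not, password verification needs its own flag. do_authentication2 continues outside the hunk.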
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c index 87f5bc98fea2..d5e21b7781f8 100644 --- a/crypto/openssh/readconf.c +++ b/crypto/openssh/readconf.c @@ -91,11 +91,11 @@ typedef enum { oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication, oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh, oSkeyAuthentication, oXAuthLocation, -#ifdef KRB4 - oKrb4Authentication, +#if defined(KRB4) || defined(KRB5) + oKerberosAuthentication, #endif /* KRB4 */ #ifdef KRB5 - oKrb5Authentication, oKrb5TgtPassing, + oKrb5TgtPassing, #endif /* KRB5 */ #ifdef AFS oKrb4TgtPassing, oAFSTokenPassing, @@ -128,11 +128,10 @@ static struct { { "rsaauthentication", oRSAAuthentication }, { "dsaauthentication", oDSAAuthentication }, { "skeyauthentication", oSkeyAuthentication }, -#ifdef KRB4 - { "kerberos4authentication", oKrb4Authentication }, -#endif /* KRB4 */ +#if defined(KRB4) || defined(KRB5) + { "kerberosauthentication", oKerberosAuthentication }, +#endif /* KRB4 || KRB5 */ #ifdef KRB5 - { "kerberos5authentication", oKrb5Authentication }, { "kerberos5tgtpassing", oKrb5TgtPassing }, #endif /* KRB5 */ #ifdef AFS @@ -324,17 +323,13 @@ process_config_line(Options *options, const char *host, intptr = &options->skey_authentication; goto parse_flag; -#ifdef KRB4 - case oKrb4Authentication: - intptr = &options->krb4_authentication; +#if defined(KRB4) || defined(KRB5) + case oKerberosAuthentication: + intptr = &options->kerberos_authentication; goto parse_flag; -#endif /* KRB4 */ +#endif /* KRB4 || KRB5 */ #ifdef KRB5 - case oKrb5Authentication: - intptr = &options->krb5_authentication; - goto parse_flag; - case oKrb5TgtPassing: intptr = &options->krb5_tgt_passing; goto parse_flag; 
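Review bot: The keyword table drops `kerberos4authentication` and `kerberos5authentication` outright (the servconf.c keyword hunk does the same on the server side), so existing ssh_config and sshd_config files that set either one no longer match any entry. How an unknown keyword is handled is outside these hunks; whether it is rejected or ignored, an administrator who had v4 turned off and v5 on can no longer express that, and the merged `kerberosauthentication` default decides for both. I would document the removal in the man pages and release notes, and add a comment above the new entry such as `/* replaces kerberos4authentication and kerberos5authentication; one flag now covers both versions */`. Separately, the `#endif /* KRB4 */` after the new `#if defined(KRB4) || defined(KRB5)` in the enum is now stale.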
@@ -682,11 +677,10 @@ initialize_options(Options * options) options->rsa_authentication = -1; options->dsa_authentication = -1; options->skey_authentication = -1; -#ifdef KRB4 - options->krb4_authentication = -1; +#if defined(KRB4) || defined(KRB5) + options->kerberos_authentication = -1; #endif #ifdef KRB5 - options->krb5_authentication = -1; options->krb5_tgt_passing = -1; #endif /* KRB5 */ #ifdef AFS @@ -754,13 +748,11 @@ fill_default_options(Options * options) options->dsa_authentication = 1; if (options->skey_authentication == -1) options->skey_authentication = 0; -#ifdef KRB4 - if (options->krb4_authentication == -1) - options->krb4_authentication = 1; -#endif /* KRB4 */ +#if defined(KRB4) || defined(KRB5) + if (options->kerberos_authentication == -1) + options->kerberos_authentication = 1; +#endif /* KRB4 || KRB5 */ #ifdef KRB5 - if (options->krb5_authentication == -1) - options->krb5_authentication = 1; if (options->krb5_tgt_passing == -1) options->krb5_tgt_passing = 1; #endif /* KRB5 */ diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h index 770ee535c549..6d0199e53311 100644 --- a/crypto/openssh/readconf.h +++ b/crypto/openssh/readconf.h @@ -38,13 +38,11 @@ typedef struct { int rsa_authentication; /* Try RSA authentication. */ int dsa_authentication; /* Try DSA authentication. */ int skey_authentication; /* Try S/Key or TIS authentication. */ -#ifdef KRB4 - int krb4_authentication; /* Try Kerberos v4 - * authentication. */ +#if defined(KRB4) || defined(KRB5) + int kerberos_authentication; /* Try Kerberos authentication. */ #endif #ifdef KRB5 - int krb5_authentication; int krb5_tgt_passing; #endif /* KRB5 */ diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 4f291a2ccd9a..5f3213e832af 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c 
@@ -52,13 +52,14 @@ initialize_server_options(ServerOptions *options) options->rhosts_rsa_authentication = -1; options->rsa_authentication = -1; options->dsa_authentication = -1; +#if defined(KRB4) || defined(KRB5) + options->kerberos_authentication = -1; +#endif #ifdef KRB4 - options->krb4_authentication = -1; options->krb4_or_local_passwd = -1; options->krb4_ticket_cleanup = -1; #endif #ifdef KRB5 - options->krb5_authentication = -1; options->krb5_tgt_passing = -1; #endif /* KRB5 */ #ifdef AFS @@ -141,17 +142,24 @@ fill_default_server_options(ServerOptions *options) options->rsa_authentication = 1; if (options->dsa_authentication == -1) options->dsa_authentication = 1; +#if defined(KRB4) && defined(KRB5) + if (options->kerberos_authentication == -1) + options->kerberos_authentication = + (access(KEYFILE, R_OK) == 0) || (access(krb5_defkeyname, R_OK) == 0); +#elif defined(KRB4) + if (options->kerberos_authentication == -1) + options->kerberos_authentication = (access(KEYFILE, R_OK) == 0); +#elif defined(KRB5) + if (options->kerberos_authentication == -1) + options->kerberos_authentication = (access(krb5_defkeyname, R_OK) == 0); +#endif #ifdef KRB4 - if (options->krb4_authentication == -1) - options->krb4_authentication = (access(KEYFILE, R_OK) == 0); if (options->krb4_or_local_passwd == -1) options->krb4_or_local_passwd = 1; if (options->krb4_ticket_cleanup == -1) options->krb4_ticket_cleanup = 1; #endif /* KRB4 */ #ifdef KRB5 - if (options->krb5_authentication == -1) - options->krb5_authentication = 1; if (options->krb5_tgt_passing == -1) options->krb5_tgt_passing = 1; #endif /* KRB5 */ 
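Review bot: In a build with both KRB4 and KRB5 the default in fill_default_server_options becomes true when either `KEYFILE` or `krb5_defkeyname` is readable, and that one flag then enables both the v4 and the v5 server paths. A host that only has a v5 keytab therefore reaches the v4 ticket and v4 password code by default, and the reverse. `access(krb5_defkeyname, R_OK)` also assumes the variable holds a plain file path; if the Kerberos library stores a keytab name with a type prefix there, the test never succeeds and v5 is off by default in KRB5-only builds, where it used to default to 1. I would at least add a comment stating the assumption, `/* krb5_defkeyname must be a plain path here; confirm against the krb5 library in use */`, and consider keeping per-version availability in two internal flags even if the configuration keyword stays merged. fill_default_server_options starts and ends outside the hunk.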
@@ -193,11 +201,14 @@ typedef enum { sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, +#if defined(KRB4) || defined(KRB5) + sKerberosAuthentication, +#endif #ifdef KRB4 - sKrb4Authentication, sKrb4OrLocalPasswd, sKrb4TicketCleanup, + sKrb4OrLocalPasswd, sKrb4TicketCleanup, #endif #ifdef KRB5 - sKrb5Authentication, sKrb5TgtPassing, + sKrb5TgtPassing, #endif /* KRB5 */ #ifdef AFS sKrb4TgtPassing, sAFSTokenPassing, @@ -234,13 +245,14 @@ static struct { { "rhostsrsaauthentication", sRhostsRSAAuthentication }, { "rsaauthentication", sRSAAuthentication }, { "dsaauthentication", sDSAAuthentication }, +#if defined(KRB4) || defined(KRB5) + { "kerberosauthentication", sKerberosAuthentication }, +#endif #ifdef KRB4 - { "kerberos4authentication", sKrb4Authentication }, { "kerberos4orlocalpasswd", sKrb4OrLocalPasswd }, { "kerberos4ticketcleanup", sKrb4TicketCleanup }, #endif #ifdef KRB5 - { "kerberos5authentication", sKrb5Authentication }, { "kerberos5tgtpassing", sKrb5TgtPassing }, #endif /* KRB5 */ #ifdef AFS @@ -505,11 +517,13 @@ read_server_config(ServerOptions *options, const char *filename) intptr = &options->dsa_authentication; goto parse_flag; -#ifdef KRB4 - case sKrb4Authentication: - intptr = &options->krb4_authentication; +#if defined(KRB4) || defined(KRB5) + case sKerberosAuthentication: + intptr = &options->kerberos_authentication; goto parse_flag; - +#endif + +#ifdef KRB4 case sKrb4OrLocalPasswd: intptr = &options->krb4_or_local_passwd; goto parse_flag; @@ -520,10 +534,6 @@ read_server_config(ServerOptions *options, const char *filename) #endif #ifdef KRB5 - case sKrb5Authentication: - intptr = &options->krb5_authentication; - goto parse_flag; - case sKrb5TgtPassing: intptr = &options->krb5_tgt_passing; goto parse_flag; diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h index 79fe5a047433..f4ce52cd250c 100644 
--- a/crypto/openssh/servconf.h +++ b/crypto/openssh/servconf.h @@ -61,9 +61,10 @@ typedef struct { * authentication. */ int rsa_authentication; /* If true, permit RSA authentication. */ int dsa_authentication; /* If true, permit DSA authentication. */ +#if defined(KRB4) || defined(KRB5) + int kerberos_authentication; /* If true, permit Kerberos auth. */ +#endif /* KRB4 || KRB5 */ #ifdef KRB4 - int krb4_authentication; /* If true, permit Kerberos v4 - * authentication. */ int krb4_or_local_passwd; /* If true, permit kerberos v4 * and any other password * authentication mechanism, @@ -73,7 +74,6 @@ typedef struct { * file on logout. */ #endif #ifdef KRB5 - int krb5_authentication; int krb5_tgt_passing; #endif /* KRB5 */ diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h index 82e7eb180a80..82ed9141cdac 100644 --- a/crypto/openssh/ssh.h +++ b/crypto/openssh/ssh.h @@ -182,14 +182,11 @@ #define SSH_AUTH_PASSWORD 3 #define SSH_AUTH_RHOSTS_RSA 4 #define SSH_AUTH_TIS 5 -#define SSH_AUTH_KRB4 6 -#define SSH_PASS_KRB4_TGT 7 +#define SSH_AUTH_KERBEROS 6 +#define SSH_PASS_KERBEROS_TGT 7 /* 8 to 15 are reserved */ #define SSH_PASS_AFS_TOKEN 21 -#define SSH_AUTH_KRB5 29 -#define SSH_PASS_KRB5_TGT 30 - /* Protocol flags. These are bit masks. */ #define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */ #define SSH_PROTOFLAG_HOST_IN_FWD_OPEN 2 /* forwarding opens contain host */ 
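Review bot: `SSH_PASS_KRB4_TGT` is renamed to `SSH_PASS_KERBEROS_TGT` in ssh.h without a compatibility alias, but the unchanged AFS block in sshconnect1.c still tests `(1 << SSH_PASS_KRB4_TGT)` (visible as context in the ssh_userauth hunk), so an AFS build looks like it no longer compiles unless the old name is defined somewhere outside these hunks. The second ssh.h hunk adds an alias for `SSH_CMSG_HAVE_KRB4_TGT` only. Either add the matching `#define SSH_PASS_KRB4_TGT SSH_PASS_KERBEROS_TGT` next to it or update the remaining users. Dropping bits 29 and 30 and message numbers 110 to 112 also means peers built from the previous revision no longer negotiate Kerberos 5 with this one, which deserves a line in the commit message.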
@@ -243,14 +240,13 @@ #define SSH_CMSG_AUTH_TIS 39 /* we use this for s/key */ #define SSH_SMSG_AUTH_TIS_CHALLENGE 40 /* challenge (string) */ #define SSH_CMSG_AUTH_TIS_RESPONSE 41 /* response (string) */ -#define SSH_CMSG_AUTH_KRB4 42 /* (KTEXT) */ -#define SSH_SMSG_AUTH_KRB4_RESPONSE 43 /* (KTEXT) */ -#define SSH_CMSG_HAVE_KRB4_TGT 44 /* credentials (s) */ +#define SSH_CMSG_AUTH_KERBEROS 42 /* (KTEXT) */ +#define SSH_SMSG_AUTH_KERBEROS_RESPONSE 43 /* (KTEXT) */ +#define SSH_CMSG_HAVE_KERBEROS_TGT 44 #define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ -#define SSH_CMSG_AUTH_KRB5 110 -#define SSH_SMSG_AUTH_KRB5_RESPONSE 111 -#define SSH_CMSG_HAVE_KRB5_TGT 112 +/* Kerberos IV tickets can't be forwarded. This is an AFS hack! */ +#define SSH_CMSG_HAVE_KRB4_TGT SSH_CMSG_HAVE_KERBEROS_TGT /* credentials (s) */ /*------------ definitions for login.c -------------*/ diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index 367c203f0453..b2906cccf726 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -742,7 +742,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) goto out; } - packet_start(SSH_CMSG_AUTH_KRB5); + packet_start(SSH_CMSG_AUTH_KERBEROS); packet_put_string((char *) ap.data, ap.length); packet_send(); packet_write_wait(); @@ -753,13 +753,13 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context) type = packet_read(&payload_len); switch (type) { case SSH_SMSG_FAILURE: - /* Should really be SSH_SMSG_AUTH_KRB5_FAILURE */ + /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ debug("Kerberos V5 authentication failed."); ret = 0; break; - case SSH_SMSG_AUTH_KRB5_RESPONSE: - /* SSH_SMSG_AUTH_KRB5_SUCCESS */ + case SSH_SMSG_AUTH_KERBEROS_RESPONSE: + /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ debug("Kerberos V5 authentication accepted."); /* Get server's response. */ 
@@ -870,7 +870,7 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) goto out; } - packet_start(SSH_CMSG_HAVE_KRB5_TGT); + packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); packet_put_string((char *)outbuf.data, outbuf.length); packet_send(); packet_write_wait(); diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c index 5ae46e0fa0a5..4d7351ba58eb 100644 --- a/crypto/openssh/sshconnect1.c +++ b/crypto/openssh/sshconnect1.c @@ -410,7 +410,7 @@ try_krb4_authentication() des_key_sched((des_cblock *) cred.session, schedule); /* Send authentication info to server. */ - packet_start(SSH_CMSG_AUTH_KRB4); + packet_start(SSH_CMSG_AUTH_KERBEROS); packet_put_string((char *) auth.dat, auth.length); packet_send(); packet_write_wait(); @@ -435,13 +435,13 @@ try_krb4_authentication() type = packet_read(&plen); switch (type) { case SSH_SMSG_FAILURE: - /* Should really be SSH_SMSG_AUTH_KRB4_FAILURE */ + /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ debug("Kerberos V4 authentication failed."); return 0; break; - case SSH_SMSG_AUTH_KRB4_RESPONSE: - /* SSH_SMSG_AUTH_KRB4_SUCCESS */ + case SSH_SMSG_AUTH_KERBEROS_RESPONSE: + /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ debug("Kerberos V4 authentication accepted."); /* Get server's response. */ 
@@ -924,6 +924,35 @@ ssh_userauth( packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); +#ifdef KRB5 + if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && + options.kerberos_authentication){ + krb5_context ssh_context = NULL; + krb5_auth_context auth_context = NULL; + + debug("Trying Kerberos V5 authentication."); + + if (try_krb5_authentication(&ssh_context, &auth_context)) { + type = packet_read(&payload_len); + if (type == SSH_SMSG_SUCCESS) { + if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && + options.krb5_tgt_passing) { + if (options.cipher == SSH_CIPHER_NONE) + log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); + send_krb5_tgt(ssh_context, auth_context); + + } + krb5_auth_con_free(ssh_context, auth_context); + krb5_free_context(ssh_context); + return; + } + if (type != SSH_SMSG_FAILURE) + packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type); + + } + } +#endif /* KRB5 */ + #ifdef AFS /* Try Kerberos tgt passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) && @@ -942,8 +971,8 @@ ssh_userauth( #endif /* AFS */ #ifdef KRB4 - if ((supported_authentications & (1 << SSH_AUTH_KRB4)) && - options.krb4_authentication) { + if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && + options.kerberos_authentication) { debug("Trying Kerberos authentication."); if (try_krb4_authentication()) { /* The server should respond with success or failure. */ 
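Review bot: In the KRB5 block moved to the top of ssh_userauth, `send_krb5_tgt()` is still called after the `SSH_CIPHER_NONE` warning, so with encryption disabled the forwarded ticket goes out in the clear and the only trace is a log line. I would skip forwarding in that case: `if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Not forwarding ticket."); else send_krb5_tgt(ssh_context, auth_context);`. Also, `krb5_auth_con_free()` and `krb5_free_context()` run only on the `SSH_SMSG_SUCCESS` path; when the server answers `SSH_SMSG_FAILURE`, or `try_krb5_authentication()` returns 0 (possibly after allocating them), both contexts stay allocated while the client moves on to the next method. ssh_userauth starts and ends outside the hunk.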
@@ -956,34 +985,6 @@ ssh_userauth( } #endif /* KRB4 */ -#ifdef KRB5 - if ((supported_authentications & (1 << SSH_AUTH_KRB5)) && - options.krb5_authentication){ - krb5_context ssh_context = NULL; - krb5_auth_context auth_context = NULL; - - debug("Trying Kerberos V5 authentication."); - - if (try_krb5_authentication(&ssh_context, &auth_context)) { - type = packet_read(&payload_len); - if (type == SSH_SMSG_SUCCESS) { - if ((supported_authentications & (1 << SSH_PASS_KRB5_TGT)) && - options.krb5_tgt_passing) { - if (options.cipher == SSH_CIPHER_NONE) - log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); - send_krb5_tgt(ssh_context, auth_context); - - } - krb5_auth_con_free(ssh_context, auth_context); - krb5_free_context(ssh_context); - return; - } - if (type != SSH_SMSG_FAILURE) - packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type); - - } - } -#endif /* KRB5 */ /* * Use rhosts authentication if running in privileged socket and we diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index 5073465cd992..89fb0ae8cf2c 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -1063,11 +1063,11 @@ main(int ac, char **av) options.rhosts_authentication = 0; options.rhosts_rsa_authentication = 0; } -#ifdef KRB4 +#if defined(KRB4) && !defined(KRB5) if (!packet_connection_is_ipv4() && - options.krb4_authentication) { + options.kerberos_authentication) { debug("Kerberos Authentication disabled, only available for IPv4."); - options.krb4_authentication = 0; + options.kerberos_authentication = 0; } #endif /* KRB4 */ 
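Review bot: Narrowing the guard in sshd.c main() to `#if defined(KRB4) && !defined(KRB5)` means a server built with both versions keeps `kerberos_authentication` on for non-IPv4 connections. The auth1.c hunk then hands a blob whose first byte is 4 to `auth_krb4()` on such a connection, the very case the debug message calls "only available for IPv4". The version is chosen by the client, so the server cannot rely on v5 being used over IPv6. I would keep the option enabled but enforce the restriction where the dispatch happens, e.g. refuse the v4 branch in do_authloop when `!packet_connection_is_ipv4()`, and fix the stale `#endif /* KRB4 */` comment. main() continues outside the hunk.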
@@ -1164,18 +1164,13 @@ do_ssh1_kex() auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) auth_mask |= 1 << SSH_AUTH_RSA; -#ifdef KRB4 - if (options.krb4_authentication) - auth_mask |= 1 << SSH_AUTH_KRB4; +#if defined(KRB4) || defined(KRB5) + if (options.kerberos_authentication) + auth_mask |= 1 << SSH_AUTH_KERBEROS; #endif #ifdef KRB5 - if (options.krb5_authentication) { - auth_mask |= 1 << SSH_AUTH_KRB5; - /* compatibility with MetaCentre ssh */ - auth_mask |= 1 << SSH_AUTH_KRB4; - } if (options.krb5_tgt_passing) - auth_mask |= 1 << SSH_PASS_KRB5_TGT; + auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; #endif /* KRB5 */ #ifdef AFS