diff options
Diffstat (limited to 'security/ssh/patches/patch-at')
| -rw-r--r-- | security/ssh/patches/patch-at | 192 |
1 files changed, 0 insertions, 192 deletions
diff --git a/security/ssh/patches/patch-at b/security/ssh/patches/patch-at deleted file mode 100644 index aa9b64f3701..00000000000 --- a/security/ssh/patches/patch-at +++ /dev/null @@ -1,192 +0,0 @@ -$NetBSD: patch-at,v 1.2 2000/04/18 19:02:21 thorpej Exp $ - ---- auth-passwd.c.orig Wed May 12 04:19:23 1999 -+++ auth-passwd.c Tue Apr 18 11:48:03 2000 -@@ -301,29 +301,25 @@ - static int securid_initialized = 0; - #endif /* HAVE_SECURID */ - --#ifdef KERBEROS --#if defined(KRB5) -+#ifdef KRB5 - #include <krb5.h> - extern krb5_context ssh_context; - extern krb5_auth_context auth_context; --#else --#include <krb.h> - #endif /* KRB5 */ --#endif /* KERBEROS */ - --#ifdef AFS --#include <afs/param.h> --#include <afs/kautils.h> --#endif /* AFS */ -+#ifdef KRB4 -+#include <sys/param.h> -+#include <krb.h> -+#endif /* KRB4 */ - --#if defined(KERBEROS) || defined(AFS_KERBEROS) -+#if defined(KRB4) || defined(KRB5) - extern char *ticket; --#endif /* KERBEROS || AFS_KERBEROS */ -+#endif /* KRB4 || KRB5 */ - - /* Tries to authenticate the user using password. Returns true if - authentication succeeds. */ - --#if defined(KERBEROS) && defined(KRB5) -+#ifdef KRB5 - /* - * This routine with some modification is from the MIT V5B6 appl/bsd/login.c - * -@@ -479,16 +475,16 @@ - 0 }; - #endif - krb5_preauthtype * preauth = preauth_list; --#endif /* KERBEROS */ -+#endif /* KRB5 */ - - /* Tries to authenticate the user using password. Returns true if - authentication succeeds. */ --#ifdef KERBEROS -+#ifdef KRB5 - int auth_password(const char *server_user, const char *password, - krb5_principal client) --#else /* KERBEROS */ -+#else /* KRB5 */ - int auth_password(const char *server_user, const char *password) --#endif /* KERBEROS */ -+#endif /* KRB5 */ - { - #if defined(_AIX) && defined(HAVE_AUTHENTICATE) - char *message; -@@ -505,7 +501,7 @@ - } - #else /* _AIX41 && HAVE_AUTHENTICATE */ - --#ifdef KERBEROS -+#ifdef KRB5 - krb5_error_code problem; - int krb5_options = KDC_OPT_RENEWABLE | KDC_OPT_FORWARDABLE; - krb5_deltat rlife = 0; -@@ -515,7 +511,7 @@ - krb5_ccache ccache; - char ccname[80]; - int results; --#endif /* KERBEROS */ -+#endif /* KRB5 */ - extern ServerOptions options; - extern char *crypt(const char *key, const char *salt); - struct passwd *pw; -@@ -537,10 +533,9 @@ - saved_pw_name = xstrdup(pw->pw_name); - saved_pw_passwd = xstrdup(pw->pw_passwd); - --#if defined(KERBEROS) -- if (options.kerberos_authentication) -- { - #if defined(KRB5) -+ if (options.kerberos_authentication && client != NULL) -+ { - snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_l%d", getpid()); - - if (problem = krb5_cc_resolve(ssh_context, ccname, &ccache)) -@@ -658,9 +653,96 @@ - return 0; - } - } -+ } - #endif /* KRB5 */ -+#ifdef KRB4 -+ if (options.kerberos_authentication) -+ { -+ AUTH_DAT adata; -+ KTEXT_ST tkt; -+ struct hostent *hp; -+ unsigned long faddr; -+ char localhost[MAXHOSTNAMELEN]; /* local host name */ -+ char phost[INST_SZ]; /* host instance */ -+ char realm[REALM_SZ]; /* local Kerberos realm */ -+ int r; -+ -+ /* Try Kerberos password authentication only for non-root -+ users and only if Kerberos is installed. */ -+ if (pw->pw_uid != 0 && krb_get_lrealm(realm, 0) == KSUCCESS) { -+ -+ /* Set up our ticket file. */ -+ if (!ssh_tf_init(pw->pw_uid)) { -+ log_msg("Couldn't initialize Kerberos ticket file for %s!", -+ server_user); -+ goto kerberos_auth_failure; -+ } -+ /* Try to get TGT using our password. */ -+ if ((r = krb_get_pw_in_tkt((char *)server_user, "", realm, "krbtgt", -+ realm, DEFAULT_TKT_LIFE, (char *)password)) != INTK_OK) { -+ packet_send_debug("Kerberos V4 password authentication for %s " -+ "failed: %s", server_user, krb_err_txt[r]); -+ goto kerberos_auth_failure; -+ } -+ /* Successful authentication. */ -+ chown(ticket, pw->pw_uid, pw->pw_gid); -+ -+ (void) gethostname(localhost, sizeof(localhost)); -+ (void) strncpy(phost, (char *)krb_get_phost(localhost), INST_SZ); -+ phost[INST_SZ-1] = 0; -+ -+ /* Now that we have a TGT, try to get a local "rcmd" ticket to -+ ensure that we are not talking to a bogus Kerberos server. */ -+ r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); -+ -+ if (r == KSUCCESS) { -+ if (!(hp = gethostbyname(localhost))) { -+ log_msg("Couldn't get local host address!"); -+ goto kerberos_auth_failure; -+ } -+ memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr)); -+ -+ /* Verify our "rcmd" ticket. */ -+ r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, ""); -+ if (r == RD_AP_UNDEC) { -+ /* Probably didn't have a srvtab on localhost. Allow login. */ -+ log_msg("Kerberos V4 TGT for %s unverifiable, no srvtab? " -+ "krb_rd_req: %s", server_user, krb_err_txt[r]); -+ } -+ else if (r != KSUCCESS) { -+ log_msg("Kerberos V4 %s ticket unverifiable: %s", -+ KRB4_SERVICE_NAME, krb_err_txt[r]); -+ goto kerberos_auth_failure; -+ } -+ } -+ else if (r == KDC_PR_UNKNOWN) { -+ /* Allow login if no rcmd service exists, but log the error. */ -+ log_msg("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " -+ "not registered, or srvtab is wrong?", server_user, -+ krb_err_txt[r], KRB4_SERVICE_NAME, phost); -+ } -+ else { -+ /* TGT is bad, forget it. Possibly spoofed. */ -+ packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for" -+ "%s: %s", server_user, krb_err_txt[r]); -+ goto kerberos_auth_failure; -+ } -+ -+ /* Authentication succeeded. */ -+ return 1; -+ -+ kerberos_auth_failure: -+ (void) dest_tkt(); -+ xfree(ticket); -+ ticket = NULL; -+ if (!options.kerberos_or_local_passwd ) return 0; -+ } -+ else /* Logging in as root or no local Kerberos realm. */ -+ packet_send_debug("Unable to authenticate to Kerberos."); -+ -+ /* Fall back to ordinary passwd authentication. */ - } --#endif /* KERBEROS */ -+#endif /* KRB4 */ - - #ifdef HAVE_SECURID - /* Support for Security Dynamics SecurId card. |