Commit d4a8b7e3 authored by Damien Miller's avatar Damien Miller

Initial revision

This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland
COPYING POLICY AND OTHER LEGAL ISSUES
As far as I am concerned, the code I have written for this software
can be used freely for any purpose. Any derived versions of this
software must be clearly marked as such, and if the derived work is
incompatible with the protocol description in the RFC file, it must be
called by a name other than "ssh" or "Secure Shell".
However, I am not implying to give any licenses to any patents or
copyrights held by third parties, and the software includes parts that
are not under my direct control. As far as I know, all included
source code is used in accordance with the relevant license agreements
and can be used freely for any purpose (the GNU license being the most
restrictive); see below for details.
[ RSA is no longer included. ]
[ IDEA is no longer included. ]
[ DES is now external. ]
[ GMP is now external. No more GNU licence. ]
[ Zlib is now external. ]
[ The make-ssh-known-hosts script is no longer included. ]
[ TSS has been removed. ]
[ MD5 is now external. ]
[ RC4 support has been removed. ]
[ Blowfish is now external. ]
The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
Comments in the file indicate it may be used for any purpose without
restrictions.
The 32-bit CRC compensation attack detector in deattack.c was
contributed by CORE SDI S.A. under a BSD-style license. See
http://www.core-sdi.com/english/ssh/ for details.
Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, and patent office worldwide. More
information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these
permissions and restrictions. Use only at your own responsibility.
You will be responsible for any legal consequences yourself; I am not
making any claims whether possessing or using this is legal or not in
your country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
19991027
- Adapted PAM patch.
- Released 1.0pre2
- Excised my buggy replacements for strlcpy and mkdtemp
- Imported correct OpenBSD strlcpy and mkdtemp routines.
- Reduced arc4random_stir entropy read to 32 bytes (256 bits)
- Picked up correct version number from OpenBSD
- Added sshd.pam PAM configuration file
- Added sshd.init Redhat init script
- Added openssh.spec RPM spec file
- Released 1.2pre3
19991026
- Fixed include paths of OpenSSL functions
- Use OpenSSL MD5 routines
- Imported RC4 code from nanocrypt
- Wrote replacements for OpenBSD arc4random* functions
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
# $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $
.include <bsd.own.mk>
SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp
distribution:
install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
${DESTDIR}/etc/ssh_config
install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \
${DESTDIR}/etc/sshd_config
.include <bsd.subdir.mk>
OPT_FLAGS=-g
CFLAGS=$(OPT_FLAGS) -Wall -DETCDIR=\"/etc/ssh\" -DHAVE_PAM
TARGETS=bin/libssh.a bin/ssh bin/sshd bin/ssh-add bin/ssh-keygen bin/ssh-agent bin/scp
LFLAGS=-L./bin
LIBS=-lssh -lcrypto -lz -lutil -lpam -ldl
AR=ar
RANLIB=ranlib
OBJS= authfd.o authfile.o auth-passwd.o auth-rhosts.o auth-rh-rsa.o \
auth-rsa.o bufaux.o buffer.o canohost.o channels.o cipher.o \
clientloop.o compress.o crc32.o deattack.o hostfile.o \
log-client.o login.o log-server.o match.o mpaux.o packet.o pty.o \
readconf.o readpass.o rsa.o servconf.o serverloop.o \
sshconnect.o tildexpand.o ttymodes.o uidswap.o xmalloc.o \
helper.o mktemp.o strlcpy.o rc4.o
all: $(OBJS) $(TARGETS)
bin/libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o mktemp.o strlcpy.o
[ -d bin ] || mkdir bin
$(AR) rv $@ $^
$(RANLIB) $@
bin/ssh: ssh.o sshconnect.o log-client.o readconf.o clientloop.o
[ -d bin ] || mkdir bin
$(CC) -o $@ $^ $(LFLAGS) $(LIBS)
bin/sshd: sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o
[ -d bin ] || mkdir bin
$(CC) -o $@ $^ $(LFLAGS) $(LIBS)
bin/scp: scp.o
[ -d bin ] || mkdir bin
$(CC) -o $@ $^ $(LFLAGS) $(LIBS)
bin/ssh-add: ssh-add.o log-client.o
[ -d bin ] || mkdir bin
$(CC) -o $@ $^ $(LFLAGS) $(LIBS)
bin/ssh-agent: ssh-agent.o log-client.o
[ -d bin ] || mkdir bin
$(CC) -o $@ $^ $(LFLAGS) $(LIBS)
bin/ssh-keygen: ssh-keygen.o log-client.o
[ -d bin ] || mkdir bin
$(CC) -o $@ $^ $(LFLAGS) $(LIBS)
clean:
rm -f *.o core bin/*
CFLAGS+= -I${.CURDIR}/..
.include <bsd.obj.mk>
.if exists(${.CURDIR}/../lib/${__objdir})
LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh
DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a
.else
LDADD+= -L${.CURDIR}/../lib -lssh
DPADD+= ${.CURDIR}/../lib/libssh.a
.endif
This document is inteded for those who wish to read the ssh source
code. This tries to give an overview of the structure of the code.
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>
Updated 17 Nov 1995.
Updated 19 Oct 1999 for OpenSSH-1.2
The software consists of ssh (client), sshd (server), scp, sdist, and
the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
make-ssh-known-hosts. The main program for each of these is in a .c
file with the same name.
There are some subsystems/abstractions that are used by a number of
these programs.
Buffer manipulation routines
- These provide an arbitrary size buffer, where data can be appended.
Data can be consumed from either end. The code is used heavily
throughout ssh. The basic buffer manipulation functions are in
buffer.c (header buffer.h), and additional code to manipulate specific
data types is in bufaux.c.
Compression Library
- Ssh uses the GNU GZIP compression library (ZLIB).
Encryption/Decryption
- Ssh contains several encryption algorithms. These are all
accessed through the cipher.h interface. The interface code is
in cipher.c, and the implementations are in libc.
Multiple Precision Integer Library
- Uses the SSLeay BIGNUM sublibrary.
- Some auxiliary functions for mp-int manipulation are in mpaux.c.
Random Numbers
- Uses arc4random() and such.
RSA key generation, encryption, decryption
- Ssh uses the RSA routines in libssl.
RSA key files
- RSA keys are stored in files with a special format. The code to
read/write these files is in authfile.c. The files are normally
encrypted with a passphrase. The functions to read passphrases
are in readpass.c (the same code is used to read passwords).
Binary packet protocol
- The ssh binary packet protocol is implemented in packet.c. The
code in packet.c does not concern itself with packet types or their
execution; it contains code to build packets, to receive them and
extract data from them, and the code to compress and/or encrypt
packets. CRC code comes from crc32.c.
- The code in packet.c calls the buffer manipulation routines
(buffer.c, bufaux.c), compression routines (compress.c, zlib),
and the encryption routines.
X11, TCP/IP, and Agent forwarding
- Code for various types of channel forwarding is in channels.c.
The file defines a generic framework for arbitrary communication
channels inside the secure channel, and uses this framework to
implement X11 forwarding, TCP/IP forwarding, and authentication
agent forwarding.
The new, Protocol 1.5, channel close implementation is in nchan.c
Authentication agent
- Code to communicate with the authentication agent is in authfd.c.
Authentication methods
- Code for various authentication methods resides in auth-*.c
(auth-passwd.c, auth-rh-rsa.c, auth-rhosts.c, auth-rsa.c). This
code is linked into the server. The routines also manipulate
known hosts files using code in hostfile.c. Code in canohost.c
is used to retrieve the canonical host name of the remote host.
Code in match.c is used to match host names.
- In the client end, authentication code is in sshconnect.c. It
reads Passwords/passphrases using code in readpass.c. It reads
RSA key files with authfile.c. It communicates the
authentication agent using authfd.c.
The ssh client
- The client main program is in ssh.c. It first parses arguments
and reads configuration (readconf.c), then calls ssh_connect (in
sshconnect.c) to open a connection to the server (possibly via a
proxy), and performs authentication (ssh_login in sshconnect.c).
It then makes any pty, forwarding, etc. requests. It may call
code in ttymodes.c to encode current tty modes. Finally it
calls client_loop in clientloop.c. This does the real work for
the session.
- The client is suid root. It tries to temporarily give up this
rights while reading the configuration data. The root
privileges are only used to make the connection (from a
privileged socket). Any extra privileges are dropped before
calling ssh_login.
Pseudo-tty manipulation and tty modes
- Code to allocate and use a pseudo tty is in pty.c. Code to
encode and set terminal modes is in ttymodes.c.
Logging in (updating utmp, lastlog, etc.)
- The code to do things that are done when a user logs in are in
login.c. This includes things such as updating the utmp, wtmp,
and lastlog files. Some of the code is in sshd.c.
Writing to the system log and terminal
- The programs use the functions fatal(), log(), debug(), error()
in many places to write messages to system log or user's
terminal. The implementation that logs to system log is in
log-server.c; it is used in the server program. The other
programs use an implementation that sends output to stderr; it
is in log-client.c. The definitions are in ssh.h.
The sshd server (daemon)
- The sshd daemon starts by processing arguments and reading the
configuration file (servconf.c). It then reads the host key,
starts listening for connections, and generates the server key.
The server key will be regenerated every hour by an alarm.
- When the server receives a connection, it forks, disables the
regeneration alarm, and starts communicating with the client.
They first perform identification string exchange, then
negotiate encryption, then perform authentication, preparatory
operations, and finally the server enters the normal session
mode by calling server_loop in serverloop.c. This does the real
work, calling functions in other modules.
- The code for the server is in sshd.c. It contains a lot of
stuff, including:
- server main program
- waiting for connections
- processing new connection
- authentication
- preparatory operations
- building up the execution environment for the user program
- starting the user program.
Auxiliary files
- There are several other files in the distribution that contain
various auxiliary routines:
ssh.h the main header file for ssh (various definitions)
getput.h byte-order independent storage of integers
includes.h includes most system headers. Lots of #ifdefs.
tildexpand.c expand tilde in file names
uidswap.c uid-swapping
xmalloc.c "safe" malloc routines
This is a Linux port of OpenBSD's excellent OpenSSH.
OpenSSH is based on the last free version of Tatu Ylonen's SSH with all
patent-encumbered algorithms removed, all known security bugs fixed, new
features reintroduced and many other clean-ups.
This Linux port basically consists of a few fixes to deal with the way that
OpenSSL is usually installed on Linux systems, a few replacements for
OpenBSD library functions and the introduction of partial PAM support.
The PAM support is less than optimal - it is only used when password
authentication is requested, so things like pam_limits will not apply if a
user authenticates with a RSA key. OTOH this is exactly the level of support
that the popular Linux SSH packages have. Perhaps a PAM hacker can rectify
this?
All new code is released under a XFree style license, which is very liberal.
This code is released with no warranties of any kind, neither I nor my
employer (Internet Business Solutions) will take any responsibility for
any loss, damage or liability arising from the use or abuse of this software.
OpenSSH depends on Zlib, OpenSSL and PAM. Use the Makefile.GNU to build it.
Damien Miller <djm@ibs.com.au>
Internet Business Solutions
Credits -
The OpenBSD team
'jonchen' - the original author of PAM support of SSH
Miscellania -
This version of SSH is based upon code retrieved from the OpenBSD CVS
repository on 1999-10-26, which in turn was based on the last free
version of SSH released by Tatu Ylonen.
Code in helper.[ch] is Copyright 1999 Internet Business Solutions and
is released under a X11-style license (see source file for details).
(A)RC4 code in rc4.[ch] is Copyright 1999 Damien Miller. It too is
under a X11-style license (see source file for details).
/*
auth-kerberos.c
Dug Song <dugsong@UMICH.EDU>
Kerberos v4 authentication and ticket-passing routines.
$Id: auth-krb4.c,v 1.1 1999/10/27 03:42:43 damien Exp $
*/
#include "includes.h"
#include "packet.h"
#include "xmalloc.h"
#include "ssh.h"
#ifdef KRB4
int ssh_tf_init(uid_t uid)
{
extern char *ticket;
char *tkt_root = TKT_ROOT;
struct stat st;
int fd;
/* Set unique ticket string manually since we're still root. */
ticket = xmalloc(MAXPATHLEN);
#ifdef AFS
if (lstat("/ticket", &st) != -1)
tkt_root = "/ticket/";
#endif /* AFS */
snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
(void) krb_set_tkt_string(ticket);
/* Make sure we own this ticket file, and we created it. */
if (lstat(ticket, &st) == -1 && errno == ENOENT) {
/* good, no ticket file exists. create it. */
if ((fd = open(ticket, O_RDWR|O_CREAT|O_EXCL, 0600)) != -1) {
close(fd);
return 1;
}
}
else {
/* file exists. make sure server_user owns it (e.g. just passed ticket),
and that it isn't a symlink, and that it is mode 600. */
if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid)
return 1;
}
/* Failure. */
log("WARNING: bad ticket file %s", ticket);
return 0;
}
int auth_krb4(const char *server_user, KTEXT auth, char **client)
{
AUTH_DAT adat = { 0 };
KTEXT_ST reply;
char instance[INST_SZ];
int r, s;
u_int cksum;
Key_schedule schedule;
struct sockaddr_in local, foreign;
s = packet_get_connection_in();
r = sizeof(local);
memset(&local, 0, sizeof(local));
if (getsockname(s, (struct sockaddr *) &local, &r) < 0)
debug("getsockname failed: %.100s", strerror(errno));
r = sizeof(foreign);
memset(&foreign, 0, sizeof(foreign));
if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0)
debug("getpeername failed: %.100s", strerror(errno));
instance[0] = '*'; instance[1] = 0;
/* Get the encrypted request, challenge, and session key. */
if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
return 0;
}
des_key_sched((des_cblock *)adat.session, schedule);
*client = xmalloc(MAX_K_NAME_SZ);
(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
*adat.pinst ? "." : "", adat.pinst, adat.prealm);
/* Check ~/.klogin authorization now. */
if (kuserok(&adat, (char *)server_user) != KSUCCESS) {
packet_send_debug("Kerberos V4 .klogin authorization failed!");
log("Kerberos V4 .klogin authorization failed for %s to account %s",
*client, server_user);
return 0;
}
/* Increment the checksum, and return it encrypted with the session key. */
cksum = adat.checksum + 1;
cksum = htonl(cksum);
/* If we can't successfully encrypt the checksum, we send back an empty
message, admitting our failure. */
if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1,
schedule, &adat.session, &local, &foreign)) < 0) {
packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
reply.dat[0] = 0;
reply.length = 0;
}
else
reply.length = r;
/* Clear session key. */
memset(&adat.session, 0, sizeof(&adat.session));
packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
packet_put_string((char *) reply.dat, reply.length);
packet_send();
packet_write_wait();
return 1;
}
#endif /* KRB4 */
#ifdef AFS
int auth_kerberos_tgt(struct passwd *pw, const char *string)
{
CREDENTIALS creds;
extern char *ticket;
int r;
if (!radix_to_creds(string, &creds)) {
log("Protocol error decoding Kerberos V4 tgt");
packet_send_debug("Protocol error decoding Kerberos V4 tgt");
goto auth_kerberos_tgt_failure;
}
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
strlcpy(creds.service, "krbtgt", sizeof creds.service);
if (strcmp(creds.service, "krbtgt")) {
log("Kerberos V4 tgt (%s%s%s@%s) rejected for uid %d",
creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
pw->pw_uid);
packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for uid %d",
creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
creds.realm, pw->pw_uid);
goto auth_kerberos_tgt_failure;
}
if (!ssh_tf_init(pw->pw_uid) ||
(r = in_tkt(creds.pname, creds.pinst)) ||
(r = save_credentials(creds.service, creds.instance, creds.realm,
creds.session, creds.lifetime, creds.kvno,
&creds.ticket_st, creds.issue_date))) {
xfree(ticket);
ticket = NULL;
packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
goto auth_kerberos_tgt_failure;
}
/* Successful authentication, passed all checks. */
chown(ticket, pw->pw_uid, pw->pw_gid);
packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
creds.service, creds.instance, creds.realm,
creds.pname, creds.pinst[0] ? "." : "",
creds.pinst, creds.realm);
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
return 1;
auth_kerberos_tgt_failure:
memset(&creds, 0, sizeof(creds));
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
return 0;
}
int auth_afs_token(char *server_user, uid_t uid, const char *string)
{
CREDENTIALS creds;
if (!radix_to_creds(string, &creds)) {
log("Protocol error decoding AFS token");
packet_send_debug("Protocol error decoding AFS token");
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
return 0;
}
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
strlcpy(creds.service, "afs", sizeof creds.service);
if (strncmp(creds.pname, "AFS ID ", 7) == 0)
uid = atoi(creds.pname + 7);
if (kafs_settoken(creds.realm, uid, &creds)) {
log("AFS token (%s@%s) rejected for uid %d", creds.pname,
creds.realm, uid);
packet_send_debug("AFS token (%s@%s) rejected for uid %d", creds.pname,
creds.realm, uid);
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
return 0;
}
packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
creds.realm, creds.pname, creds.realm);
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
return 1;
}
#endif /* AFS */
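Review bot: The zeroization near the end of auth_krb4, `memset(&adat.session, 0, sizeof(&adat.session));`, clears only sizeof(pointer) bytes rather than the session key, because sizeof is applied to the address instead of the member; it should read `memset(&adat.session, 0, sizeof(adat.session));`. The DES key schedule derived from that key by `des_key_sched((des_cblock *)adat.session, schedule);` is never cleared at all, and the early `return 0` after the .klogin check leaves both the key and the schedule in place, so `memset(&schedule, 0, sizeof(schedule));` belongs next to the session-key wipe and on that failure path too. Because adat and schedule are locals about to go out of scope, a plain memset may be elided by the optimizer; prefer explicit_bzero or an equivalent where the platform provides one.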
/*
auth-passwd.c
Author: Tatu Ylonen <ylo@cs.hut.fi>
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
All rights reserved
Created: Sat Mar 18 05:11:38 1995 ylo
Password authentication. This file contains the functions to check whether
the password is valid for the user.
*/
#include "includes.h"
RCSID("$Id: auth-passwd.c,v 1.1 1999/10/27 03:42:43 damien Exp $");
#include "packet.h"
#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"
#ifdef KRB4
extern char *ticket;
#endif /* KRB4 */
#ifdef HAVE_PAM
#include <security/pam_appl.h>
extern pam_handle_t *pamh;
extern int retval;
extern char* pampasswd;
extern int origretval;
#endif /* HAVE_PAM */
/* Tries to authenticate the user using password. Returns true if
authentication succeeds. */
int auth_password(struct passwd *pw, const char *password)
{
extern ServerOptions options;
char *encrypted_password;
if (pw->pw_uid == 0 && options.permit_root_login == 2)
{
/*packet_send_debug("Server does not permit root login with password.");*/
return 0;
}
if (*password == '\0' && options.permit_empty_passwd == 0)
{
/*packet_send_debug("Server does not permit empty password login.");*/
return 0;
}
/* deny if no user. */
if (pw == NULL)
return 0;
#ifdef HAVE_PAM
retval = origretval;
pampasswd = xstrdup(password);
if (retval == PAM_SUCCESS)
retval = pam_authenticate ((pam_handle_t *)pamh, 0);
if (retval == PAM_SUCCESS)
retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
xfree(pampasswd);
if (retval == PAM_SUCCESS)
retval = pam_open_session ((pam_handle_t *)pamh, 0);
return (retval == PAM_SUCCESS);
#else /* HAVE_PAM */
#ifdef SKEY
if (options.skey_authentication == 1) {
if (strncasecmp(password, "s/key", 5) == 0) {
char *skeyinfo = skey_keyinfo(pw->pw_name);
if(skeyinfo == NULL){
debug("generating fake skeyinfo for %.100s.", pw->pw_name);
skeyinfo = skey_fake_keyinfo(pw->pw_name);
}
if(skeyinfo != NULL)
packet_send_debug(skeyinfo);
/* Try again. */
return 0;
}
else if (skey_haskey(pw->pw_name) == 0 &&
skey_passcheck(pw->pw_name, (char *)password) != -1) {
/* Authentication succeeded. */
return 1;
}
/* Fall back to ordinary passwd authentication. */
}
#endif
#if defined(KRB4)
/* Support for Kerberos v4 authentication - Dug Song <dugsong@UMICH.EDU> */
if (options.kerberos_authentication)
{
AUTH_DAT adata;
KTEXT_ST tkt;
struct hostent *hp;
unsigned long faddr;
char localhost[MAXHOSTNAMELEN]; /* local host name */
char phost[INST_SZ]; /* host instance */
char realm[REALM_SZ]; /* local Kerberos realm */
int r;
/* Try Kerberos password authentication only for non-root
users and only if Kerberos is installed. */
if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
/* Set up our ticket file. */
if (!ssh_tf_init(pw->pw_uid)) {
log("Couldn't initialize Kerberos ticket file for %s!",
pw->pw_name);
goto kerberos_auth_failure;
}
/* Try to get TGT using our password. */
r = krb_get_pw_in_tkt((char *)pw->pw_name, "", realm, "krbtgt", realm,
DEFAULT_TKT_LIFE, (char *)password);
if (r != INTK_OK) {
packet_send_debug("Kerberos V4 password authentication for %s "
"failed: %s", pw->pw_name, krb_err_txt[r]);
goto kerberos_auth_failure;
}
/* Successful authentication. */
chown(ticket, pw->pw_uid, pw->pw_gid);