diff --git a/ChangeLog b/ChangeLog
index 042334b01..3c32afb87 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,9 @@ ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself. + - markus@cvs.openbsd.org 2003/08/22 13:20:03 + [sshconnect2.c] + remove support for "kerberos-2@ssh.com" - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
@@ -885,4 +888,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $ +$Id: ChangeLog,v 1.2909 2003/08/26 02:04:31 dtucker Exp $
diff --git a/sshconnect2.c b/sshconnect2.c
index 549853907..558a0a749 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,11 +23,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $");
-
-#ifdef KRB5
-#include
-#endif
+RCSID("$OpenBSD: sshconnect2.c,v 1.122 2003/08/22 13:20:03 markus Exp $");

 #include "openbsd-compat/sys-queue.h"

@@ -235,12 +231,6 @@ Authmethod authmethods[] = {
 userauth_hostbased,
 &options.hostbased_authentication,
 NULL},
-#if KRB5
- {"kerberos-2@ssh.com",
- userauth_kerberos,
- &options.kerberos_authentication,
- NULL},
-#endif
 {"publickey",
 userauth_pubkey,
 &options.pubkey_authentication,
@@ -1370,101 +1360,6 @@ userauth_hostbased(Authctxt *authctxt)
 return 1;
 }

-#if KRB5
-static int
-ssh_krb5_helper(krb5_data *ap, krb5_context *context)
-{
- krb5_context xcontext = NULL; /* XXX share with ssh1 */
- krb5_auth_context xauth_context = NULL;
- krb5_auth_context *auth_context;
- krb5_error_code problem;
- const char *tkfile;
- struct stat buf;
- krb5_ccache ccache = NULL;
- const char *remotehost;
- int ret;
-
- memset(ap, 0, sizeof(*ap));
-
- context = &xcontext;
- auth_context = &xauth_context;
-
- problem = krb5_init_context(context);
- if (problem) {
- debug("Kerberos v5: krb5_init_context failed");
- ret = 0;
- goto out;
- }
-
- tkfile = krb5_cc_default_name(*context);
- if (strncmp(tkfile, "FILE:", 5) == 0)
- tkfile += 5;
-
- if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
- debug("Kerberos v5: could not get default ccache (permission denied).");
- ret = 0;
- goto out;
- }
-
- problem = krb5_cc_default(*context, &ccache);
- if (problem) {
- debug("Kerberos v5: krb5_cc_default failed: %s",
- krb5_get_err_text(*context, problem));
- ret = 0;
- goto out;
- }
-
- remotehost = get_canonical_hostname(1);
-
- problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
- "host", remotehost, NULL, ccache, ap);
- if (problem) {
- debug("Kerberos v5: krb5_mk_req failed: %s",
- krb5_get_err_text(*context, problem));
- ret = 0;
- goto out;
- }
- ret = 1;
-
- out:
- if (ccache != NULL)
- krb5_cc_close(*context, ccache);
- if (*auth_context)
- krb5_auth_con_free(*context, *auth_context);
- return (ret);
-}
-
-int
-userauth_kerberos(Authctxt *authctxt)
-{
- krb5_data ap;
- krb5_context *context;
- int ret = 0;
-
- if (ssh_krb5_helper(&ap, context) == 0)
- goto out;
-
- packet_start(SSH2_MSG_USERAUTH_REQUEST);
- packet_put_cstring(authctxt->server_user);
- packet_put_cstring(authctxt->service);
- packet_put_cstring(authctxt->method->name);
- packet_put_string(ap.data, ap.length);
- packet_send();
-
-#ifdef HEIMDAL
- krb5_data_free(&ap);
-#else
- krb5_free_data_contents(*context, &ap);
-#endif
- ret = 1;
-
-out:
- if (*context)
- krb5_free_context(*context);
- return ret;
-}
-#endif
-
 /* find auth method */

 /*