
openssh krb5 password-based auth

From: Buck Huppmann <buckh(at)pobox.com>
Date: Thu Dec 26 2002 - 16:23:44 EST


i'd like to be able to authenticate to sshd with my krb5 password and have sshd give me a krb5 ``credential cache'' for me to use to go passwordlessly amuck from there--sorta like in a ``portable'' pam_krb5 world. one way to do this is to make the following modification to the KerberosAuthentication-handling:

Index: auth-krb5.c



RCS file: /cvs/src/usr.bin/ssh/auth-krb5.c,v retrieving revision 1.9
diff -u -w -r1.9 auth-krb5.c
--- auth-krb5.c 9 Sep 2002 06:48:06 -0000       1.9
+++ auth-krb5.c 26 Dec 2002 21:03:16 -0000
@@ -223,7 +223,7 @@
	if (problem)
		goto out;
 
-       problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,

+ problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
&authctxt->krb5_fwd_ccache); if (problem) goto out; @@ -242,6 +242,10 @@ goto out; authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ restore_uid();
+ chown(authctxt->krb5_ticket_file, authctxt->pw->pw_uid,
+ authctxt->pw->pw_gid);
+ temporarily_use_uid(authctxt->pw);
out: restore_uid();
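Review bot: in the first hunk (@@ -223,7), replacing krb5_mcc_ops with krb5_fcc_ops in krb5_cc_gen_new() changes the error path as well as the cache type: with a memory cache a failed or abandoned authentication left nothing behind, but a file cache created here persists on disk unless every later `goto out` reaches a krb5_cc_destroy() on authctxt->krb5_fwd_ccache (closing it is not enough). The hunk should be paired with that cleanup on the `out:` path, and the change should be documented as altering where the user's credentials live, since the file named by krb5_cc_get_name() in the next hunk now holds a TGT obtained from the user's password for the lifetime of the session.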
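Review bot: in the second hunk (@@ -242,6), the added restore_uid()/chown()/temporarily_use_uid() block is redundant and uses the wrong primitive. The function already runs under temporarily_use_uid(authctxt->pw) (the `out: restore_uid();` epilogue in this same hunk shows it), so the file cache created by krb5_cc_gen_new() is created with the user's effective uid and the chown() changes nothing; its return value is also ignored. Switching back to root to chown() a pathname, rather than an open descriptor, is exactly the pattern the temporarily_use_uid() discipline exists to avoid. Suggest dropping the four added lines; if ownership must be asserted, verify it with stat() while still running as the user instead of adjusting it as root. The chown() in the auth-krb4.c excerpt quoted below has the same shape and deserves the same question.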

which is sorta analogous to what goes on in auth-krb4.c:

		/* Try to get TGT using our password. */
		r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
		    "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
		if (r != INTK_OK) {
			debug("Kerberos v4 password authentication for %s "
			    "failed: %s", pw->pw_name, krb_err_txt[r]);
			goto failure;
		}
		/* Successful authentication. */
		chown(tkt_string(), pw->pw_uid, pw->pw_gid);

but i'm sure if this were safe (aside from making it optional) it would be that way already, so can somebody explain the folly (apart from the spurious ID switching) of doing this? it looks like the krb5_cc_gen_new(..., &krb5_mcc_ops, ...) call goes back to the original check-in of this file, so do i need to ask the heimdal guys?

thanks for the help

Received on Sun Dec 29 20:21:37 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:28 EDT

