- itojun@cvs.openbsd.org 2002/09/09 06:48:06
     [auth1.c auth.h auth-krb5.c monitor.c monitor.h]
     [monitor_wrap.c monitor_wrap.h]
     kerberos support for privsep.  confirmed to work by lha@stacken.kth.se
     patch from markus
diff --git a/monitor.c b/monitor.c
index e039f7a..562efca 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.24 2002/08/29 15:57:25 stevesk Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.25 2002/09/09 06:48:06 itojun Exp $");
 
 #include <openssl/dh.h>
 
@@ -120,6 +120,10 @@
 int mm_answer_pam_start(int, Buffer *);
 #endif
 
+#ifdef KRB5
+int mm_answer_krb5(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
 
@@ -199,6 +203,9 @@
 #ifdef USE_PAM
     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
+#ifdef KRB5
+    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
     {0, 0, NULL}
 };
 
@@ -1277,6 +1284,42 @@
 	return (success);
 }
 
+
+#ifdef KRB5
+int
+mm_answer_krb5(int socket, Buffer *m)
+{
+	krb5_data tkt, reply;
+	char *client_user;
+	u_int len;
+	int success;
+
+	/* use temporary var to avoid size issues on 64bit arch */
+	tkt.data = buffer_get_string(m, &len);
+	tkt.length = len;
+
+	success = auth_krb5(authctxt, &tkt, &client_user, &reply);
+
+	if (tkt.length)
+		xfree(tkt.data);
+
+	buffer_clear(m);
+	buffer_put_int(m, success);
+
+	if (success) {
+		buffer_put_cstring(m, client_user);
+		buffer_put_string(m, reply.data, reply.length);
+		if (client_user)
+			xfree(client_user);
+		if (reply.length)
+			xfree(reply.data);
+	}
+	mm_request_send(socket, MONITOR_ANS_KRB5, m);
+
+	return success;
+}
+#endif
+
 int
 mm_answer_term(int socket, Buffer *req)
 {
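Review bot: In `mm_answer_krb5` the out-parameters `client_user` and `reply` are declared without initialisers, and `buffer_put_cstring(m, client_user)` runs before the `if (client_user)` test, so that NULL check only guards the free and comes too late to protect the serialisation. This handler runs in the privileged monitor on a ticket supplied by the unprivileged pre-auth child, so I would initialise both (`char *client_user = NULL;` and `memset(&reply, 0, sizeof(reply));`) and treat a NULL `client_user` as failure before anything is written to `m`. `tkt.data` is freed only when `tkt.length` is non-zero; if `buffer_get_string` also allocates for an empty string (not visible here), a zero-length ticket leaks that allocation and the `xfree(tkt.data)` should be unconditional. The hunk also shows no check that Kerberos authentication is enabled in the server configuration or that `authctxt` refers to a valid user; presumably `auth_krb5` covers this, but it is worth confirming, because the monitor should not rely on the child to enforce it.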