move skey-auth from auth-passwd.c to auth-skey.c, same for krb4

4 files changed, 156 insertions, 126 deletions

diff --git a/usr.bin/ssh/auth-krb4.c b/usr.bin/ssh/auth-krb4.c
index 9f99533b19b..fb0e20ce21b 100644
--- a/usr.bin/ssh/auth-krb4.c
+++ b/usr.bin/ssh/auth-krb4.c
@@ -7,10 +7,123 @@
 #include "packet.h"
 #include "xmalloc.h"
 #include "ssh.h"
+#include "servconf.h"
 
 #ifdef KRB4
 char *ticket = NULL;
 
+extern ServerOptions options;
+
+/*
+ * try krb4 authentication,
+ * return 1 on success, 0 on failure, -1 if krb4 is not available
+ */
+
+int 
+auth_krb4_password(struct passwd * pw, const char *password)
+{
+	AUTH_DAT adata;
+	KTEXT_ST tkt;
+	struct hostent *hp;
+	unsigned long faddr;
+	char localhost[MAXHOSTNAMELEN];
+	char phost[INST_SZ];
+	char realm[REALM_SZ];
+	int r;
+
+	/*
+	 * Try Kerberos password authentication only for non-root
+	 * users and only if Kerberos is installed.
+	 */
+	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+
+		/* Set up our ticket file. */
+		if (!krb4_init(pw->pw_uid)) {
+			log("Couldn't initialize Kerberos ticket file for %s!",
+			    pw->pw_name);
+			goto kerberos_auth_failure;
+		}
+		/* Try to get TGT using our password. */
+		r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
+		    realm, "krbtgt", realm,
+		    DEFAULT_TKT_LIFE, (char *) password);
+		if (r != INTK_OK) {
+			packet_send_debug("Kerberos V4 password "
+			    "authentication for %s failed: %s",
+			    pw->pw_name, krb_err_txt[r]);
+			goto kerberos_auth_failure;
+		}
+		/* Successful authentication. */
+		chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+
+		/*
+		 * Now that we have a TGT, try to get a local
+		 * "rcmd" ticket to ensure that we are not talking
+		 * to a bogus Kerberos server.
+		 */
+		(void) gethostname(localhost, sizeof(localhost));
+		(void) strlcpy(phost, (char *) krb_get_phost(localhost),
+		    INST_SZ);
+		r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+
+		if (r == KSUCCESS) {
+			if (!(hp = gethostbyname(localhost))) {
+				log("Couldn't get local host address!");
+				goto kerberos_auth_failure;
+			}
+			memmove((void *) &faddr, (void *) hp->h_addr,
+			    sizeof(faddr));
+
+			/* Verify our "rcmd" ticket. */
+			r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
+			    faddr, &adata, "");
+			if (r == RD_AP_UNDEC) {
+				/*
+				 * Probably didn't have a srvtab on
+				 * localhost. Allow login.
+				 */
+				log("Kerberos V4 TGT for %s unverifiable, "
+				    "no srvtab installed? krb_rd_req: %s",
+				    pw->pw_name, krb_err_txt[r]);
+			} else if (r != KSUCCESS) {
+				log("Kerberos V4 %s ticket unverifiable: %s",
+				    KRB4_SERVICE_NAME, krb_err_txt[r]);
+				goto kerberos_auth_failure;
+			}
+		} else if (r == KDC_PR_UNKNOWN) {
+			/*
+			 * Allow login if no rcmd service exists, but
+			 * log the error.
+			 */
+			log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+			    "not registered, or srvtab is wrong?", pw->pw_name,
+			krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+		} else {
+			/*
+			 * TGT is bad, forget it. Possibly spoofed!
+			 */
+			packet_send_debug("WARNING: Kerberos V4 TGT "
+			    "possibly spoofed for %s: %s",
+			    pw->pw_name, krb_err_txt[r]);
+			goto kerberos_auth_failure;
+		}
+
+		/* Authentication succeeded. */
+		return 1;
+
+kerberos_auth_failure:
+		krb4_cleanup_proc(NULL);
+
+		if (!options.kerberos_or_local_passwd)
+			return 0;
+	} else {
+		/* Logging in as root or no local Kerberos realm. */
+		packet_send_debug("Unable to authenticate to Kerberos.");
+	}
+	/* Fall back to ordinary passwd authentication. */
+	return -1;
+}
+
 void
 krb4_cleanup_proc(void *ignore)
 {
diff --git a/usr.bin/ssh/auth-passwd.c b/usr.bin/ssh/auth-passwd.c
index ca052958536..ae15d39f537 100644
--- a/usr.bin/ssh/auth-passwd.c
+++ b/usr.bin/ssh/auth-passwd.c
@@ -8,7 +8,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-passwd.c,v 1.12 1999/11/24 19:53:43 markus Exp $");
+RCSID("$Id: auth-passwd.c,v 1.13 1999/12/01 16:54:35 markus Exp $");
 
 #include "packet.h"
 #include "ssh.h"
@@ -35,133 +35,20 @@ auth_password(struct passwd * pw, const char *password)
 
 #ifdef SKEY
 	if (options.skey_authentication == 1) {
-		if (strncasecmp(password, "s/key", 5) == 0) {
-			char *skeyinfo = skey_keyinfo(pw->pw_name);
-			if (skeyinfo == NULL) {
-				debug("generating fake skeyinfo for %.100s.",
-				    pw->pw_name);
-				skeyinfo = skey_fake_keyinfo(pw->pw_name);
-			}
-			if (skeyinfo != NULL)
-				packet_send_debug(skeyinfo);
-			/* Try again. */
-			return 0;
-		} else if (skey_haskey(pw->pw_name) == 0 &&
-			   skey_passcheck(pw->pw_name, (char *) password) != -1) {
-			/* Authentication succeeded. */
-			return 1;
-		}
+		int ret = auth_skey_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
-
-#if defined(KRB4)
-	/*
-	 * Support for Kerberos v4 authentication
-	 * - Dug Song <dugsong@UMICH.EDU>
-	 */
-	if (options.kerberos_authentication) {
-		AUTH_DAT adata;
-		KTEXT_ST tkt;
-		struct hostent *hp;
-		unsigned long faddr;
-		char localhost[MAXHOSTNAMELEN];
-		char phost[INST_SZ];
-		char realm[REALM_SZ];
-		int r;
-
-		/*
-		 * Try Kerberos password authentication only for non-root
-		 * users and only if Kerberos is installed.
-		 */
-		if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-
-			/* Set up our ticket file. */
-			if (!krb4_init(pw->pw_uid)) {
-				log("Couldn't initialize Kerberos ticket file for %s!",
-				    pw->pw_name);
-				goto kerberos_auth_failure;
-			}
-			/* Try to get TGT using our password. */
-			r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
-			    realm, "krbtgt", realm,
-			    DEFAULT_TKT_LIFE, (char *) password);
-			if (r != INTK_OK) {
-				packet_send_debug("Kerberos V4 password "
-				    "authentication for %s failed: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto kerberos_auth_failure;
-			}
-			/* Successful authentication. */
-			chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-
-			/*
-			 * Now that we have a TGT, try to get a local
-			 * "rcmd" ticket to ensure that we are not talking
-			 * to a bogus Kerberos server.
-			 */
-			(void) gethostname(localhost, sizeof(localhost));
-			(void) strlcpy(phost, (char *) krb_get_phost(localhost),
-			    INST_SZ);
-			r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-
-			if (r == KSUCCESS) {
-				if (!(hp = gethostbyname(localhost))) {
-					log("Couldn't get local host address!");
-					goto kerberos_auth_failure;
-				}
-				memmove((void *) &faddr, (void *) hp->h_addr,
-				    sizeof(faddr));
-
-				/* Verify our "rcmd" ticket. */
-				r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
-				    faddr, &adata, "");
-				if (r == RD_AP_UNDEC) {
-					/*
-					 * Probably didn't have a srvtab on
-					 * localhost. Allow login.
-					 */
-					log("Kerberos V4 TGT for %s unverifiable, "
-					    "no srvtab installed? krb_rd_req: %s",
-					    pw->pw_name, krb_err_txt[r]);
-				} else if (r != KSUCCESS) {
-					log("Kerberos V4 %s ticket unverifiable: %s",
-					    KRB4_SERVICE_NAME, krb_err_txt[r]);
-					goto kerberos_auth_failure;
-				}
-			} else if (r == KDC_PR_UNKNOWN) {
-				/*
-				 * Allow login if no rcmd service exists, but
-				 * log the error.
-				 */
-				log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
-				    "not registered, or srvtab is wrong?", pw->pw_name,
-				krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-			} else {
-				/*
-				 * TGT is bad, forget it. Possibly spoofed!
-				 */
-				packet_send_debug("WARNING: Kerberos V4 TGT "
-				    "possibly spoofed for %s: %s",
-				    pw->pw_name, krb_err_txt[r]);
-				goto kerberos_auth_failure;
-			}
-
-			/* Authentication succeeded. */
-			return 1;
-
-	kerberos_auth_failure:
-			krb4_cleanup_proc(NULL);
-
-			if (!options.kerberos_or_local_passwd)
-				return 0;
-		} else {
-			/* Logging in as root or no local Kerberos realm. */
-			packet_send_debug("Unable to authenticate to Kerberos.");
-		}
+#ifdef KRB4
+	if (options.kerberos_authentication == 1) {
+		int ret = auth_krb4_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
-#endif				/* KRB4 */
+#endif
 
 	/* Check for users with no password. */
 	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
diff --git a/usr.bin/ssh/auth-skey.c b/usr.bin/ssh/auth-skey.c
index 16c0b82eda9..9a1cc35a189 100644
--- a/usr.bin/ssh/auth-skey.c
+++ b/usr.bin/ssh/auth-skey.c
@@ -1,11 +1,39 @@
 #include "includes.h"
-RCSID("$Id: auth-skey.c,v 1.3 1999/11/23 22:25:52 markus Exp $");
+RCSID("$Id: auth-skey.c,v 1.4 1999/12/01 16:54:35 markus Exp $");
 
 #include "ssh.h"
+#include "packet.h"
 #include <sha1.h>
 
-/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */
+/* 
+ * try skey authentication,
+ * return 1 on success, 0 on failure, -1 if skey is not available 
+ */
+
+int 
+auth_skey_password(struct passwd * pw, const char *password)
+{
+	if (strncasecmp(password, "s/key", 5) == 0) {
+		char *skeyinfo = skey_keyinfo(pw->pw_name);
+		if (skeyinfo == NULL) {
+			debug("generating fake skeyinfo for %.100s.",
+			    pw->pw_name);
+			skeyinfo = skey_fake_keyinfo(pw->pw_name);
+		}
+		if (skeyinfo != NULL)
+			packet_send_debug(skeyinfo);
+		/* Try again. */
+		return 0;
+	} else if (skey_haskey(pw->pw_name) == 0 &&
+		   skey_passcheck(pw->pw_name, (char *) password) != -1) {
+		/* Authentication succeeded. */
+		return 1;
+	}
+	/* Fall back to ordinary passwd authentication. */
+	return -1;
+}
 
+/* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */
 
 #define ROUND(x)   (((x)[0] << 24) + (((x)[1]) << 16) + (((x)[2]) << 8) + \
 		    ((x)[3]))
diff --git a/usr.bin/ssh/ssh.h b/usr.bin/ssh/ssh.h
index 421be61e0fa..59e4af49adb 100644
--- a/usr.bin/ssh/ssh.h
+++ b/usr.bin/ssh/ssh.h
@@ -13,7 +13,7 @@
  * 
  */
 
-/* RCSID("$Id: ssh.h,v 1.27 1999/12/01 13:59:15 markus Exp $"); */
+/* RCSID("$Id: ssh.h,v 1.28 1999/12/01 16:54:35 markus Exp $"); */
 
 #ifndef SSH_H
 #define SSH_H
@@ -685,6 +685,7 @@ struct envstring {
 int     auth_krb4(const char *server_user, KTEXT auth, char **client);
 int     krb4_init(uid_t uid);
 void    krb4_cleanup_proc(void *ignore);
+int	auth_krb4_password(struct passwd * pw, const char *password);
 
 #ifdef AFS
 #include <kafs.h>
@@ -702,6 +703,7 @@ int     radix_to_creds(const char *buf, CREDENTIALS * creds);
 #ifdef SKEY
 #include <skey.h>
 char   *skey_fake_keyinfo(char *username);
+int	auth_skey_password(struct passwd * pw, const char *password);
 #endif				/* SKEY */
 
 #endif				/* SSH_H */