Date: Fri, 13 Jul 2001 15:39:46 -0500 From: "Jacques A. Vidrine" <n@nectar.com> To: freebsd-audit@freebsd.org Subject: Add `ServerPrincipalFromSocket' option to sshd Message-ID: <20010713153946.G67153@madman.nectar.com>
Our sshd very annoyingly uses the hostname to form the principal it
uses for Kerberos authentication. This is especially a problem on
machines with multiple IP addresses.
The following patch adds a `ServerPrincipalFromSocket' option (which
defaults to `no'). When this option is set, sshd will behave as most
other Kerberized daemons and use getsockname() to determine what
principal name to use.
Incidentally, I also added a debug message that displays which principal
will be used.
Index: auth-krb5.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/auth-krb5.c,v
retrieving revision 1.8
diff -u -r1.8 auth-krb5.c
--- auth-krb5.c 2001/06/12 03:43:47 1.8
+++ auth-krb5.c 2001/07/13 20:26:24
@@ -11,7 +11,7 @@
#include "xmalloc.h"
#ifdef KRB5
-
+extern ServerOptions options;
krb5_context ssh_context = NULL;
krb5_auth_context auth_context;
krb5_ccache mem_ccache = NULL; /* Credential cache for acquired ticket */
@@ -50,9 +50,14 @@
ret = 0;
goto err;
}
-
+
+ if (options.server_principal_from_socket) {
+ problem = krb5_sock_to_principal(ssh_context, fd, "host",
+ KRB5_NT_SRV_HST, &server);
+ } else {
problem = krb5_sname_to_principal(ssh_context, NULL, NULL ,
KRB5_NT_SRV_HST, &server);
+ }
if (problem) {
ret = 0;
goto err;
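Review bot: Both the new `krb5_sock_to_principal` branch and the existing `krb5_sname_to_principal` call discard the Kerberos error code on failure (`ret = 0; goto err;`), so with the option enabled an operator cannot distinguish a failed reverse lookup of the socket's local address from any other principal problem. Adding `debug("server principal lookup failed: %s", krb5_get_err_text(ssh_context, problem));` before the `goto err` would make the new path diagnosable without changing the outcome; the sshconnect.c hunk in this patch already uses `krb5_get_err_text` the same way. The `fd` handed to `krb5_sock_to_principal` is not visible in the hunk; presumably it is the connection socket parameter of the enclosing function, which starts outside the hunk, and it is worth confirming it is the accepted connection rather than a listening socket. A debug line naming the resulting server principal, like the one the patch adds on the client side, would also help here.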
Index: servconf.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/servconf.c,v
retrieving revision 1.22
diff -u -r1.22 servconf.c
--- servconf.c 2001/05/04 04:14:22 1.22
+++ servconf.c 2001/07/13 20:29:55
@@ -80,6 +80,7 @@
#endif
#ifdef KRB5
options->krb5_tgt_passing = -1;
+ options->server_principal_from_socket = -1;
#endif /* KRB5 */
#ifdef AFS
options->krb4_tgt_passing = -1;
@@ -195,6 +196,8 @@
#ifdef KRB5
if (options->krb5_tgt_passing == -1)
options->krb5_tgt_passing = 1;
+ if (options->server_principal_from_socket == -1)
+ options->server_principal_from_socket = 0;
#endif /* KRB5 */
#ifdef AFS
if (options->krb4_tgt_passing == -1)
@@ -244,6 +247,7 @@
#endif
#ifdef KRB5
sKrb5TgtPassing,
+ sServerPrincipalFromSocket,
#endif /* KRB5 */
#ifdef AFS
sKrb4TgtPassing, sAFSTokenPassing,
@@ -293,6 +297,7 @@
#endif
#ifdef KRB5
{ "kerberos5tgtpassing", sKrb5TgtPassing },
+ { "serverprincipalfromsocket", sServerPrincipalFromSocket },
#endif /* KRB5 */
#ifdef AFS
{ "kerberos4tgtpassing", sKrb4TgtPassing },
@@ -620,6 +625,10 @@
#ifdef KRB5
case sKrb5TgtPassing:
intptr = &options->krb5_tgt_passing;
+ goto parse_flag;
+
+ case sServerPrincipalFromSocket:
+ intptr = &options->server_principal_from_socket;
goto parse_flag;
#endif /* KRB5 */
Index: servconf.h
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/servconf.h,v
retrieving revision 1.9
diff -u -r1.9 servconf.h
--- servconf.h 2001/05/04 04:14:22 1.9
+++ servconf.h 2001/07/13 20:27:28
@@ -88,6 +88,10 @@
#endif
#ifdef KRB5
int krb5_tgt_passing;
+ int server_principal_from_socket; /* If true, use the socket name
+ instead of the hostname for
+ the server principal. */
+
#endif /* KRB5 */
#ifdef AFS
Index: sshconnect.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshconnect.c,v
retrieving revision 1.17
diff -u -r1.17 sshconnect.c
--- sshconnect.c 2001/05/04 04:37:49 1.17
+++ sshconnect.c 2001/07/13 20:31:22
@@ -739,6 +739,10 @@
int type, payload_len;
krb5_ap_rep_enc_part *reply = NULL;
int ret;
+ char **realms;
+ char *real_hostname;
+ krb5_principal server;
+ char sname[128];
memset(&ap, 0, sizeof(ap));
@@ -765,9 +769,29 @@
}
remotehost = get_canonical_hostname(1);
-
- problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
- "host", remotehost, NULL, ccache, &ap);
+ problem = krb5_expand_hostname_realms(*context, remotehost, &real_hostname,
+ &realms);
+ if (problem) {
+ ret = 0;
+ goto out;
+ }
+ problem = krb5_build_principal(*context, &server, strlen(*realms), *realms,
+ "host", real_hostname, NULL);
+ free(real_hostname);
+ krb5_free_host_realm(*context, realms);
+ if (problem) {
+ ret = 0;
+ goto out;
+ }
+ problem = krb5_unparse_name_fixed(*context, server, sname, sizeof(sname));
+ if (problem) {
+ fatal("krb5_unparse_name_fixed failed: %s",
+ krb5_get_err_text(*context, problem));
+ }
+ debug("Kerberos V5: trying %s.", sname);
+
+ problem = krb5_mk_req_exact(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+ server, NULL, ccache, &ap);
if (problem) {
ret = 0;
goto out;
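Review bot: `fatal()` on a `krb5_unparse_name_fixed` failure aborts the whole client for the sake of a debug message — a principal name longer than the 128-byte `sname` buffer would kill the connection instead of falling through to other authentication methods the way every other error in this hunk does (`ret = 0; goto out;`). Either handle it like the others or simply skip the `debug()` call when unparsing fails. Separately, the `server` principal built by `krb5_build_principal` is never released; `krb5_mk_req_exact` does not appear to take ownership, so add `krb5_free_principal(*context, server);` immediately after that call, before the `if (problem)` check, so both the success and failure paths free it. The `out:` label and the remainder of the function lie outside the hunk.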
Index: sshd_config
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v
retrieving revision 1.17
diff -u -r1.17 sshd_config
--- sshd_config 2001/05/18 18:10:02 1.17
+++ sshd_config 2001/07/13 20:26:24
@@ -56,6 +56,9 @@
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
+# Set the following in order to use the socket name rather than the hostname
+# for the Kerberos server principal.
+#ServerPrincipalFromSocket no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
