From owner-freebsd-audit Fri Jul 13 13:40:12 2001
Date: Fri, 13 Jul 2001 15:39:46 -0500
From: "Jacques A. Vidrine"
To: freebsd-audit@freebsd.org
Subject: Add `ServerPrincipalFromSocket' option to sshd
Message-ID: <20010713153946.G67153@madman.nectar.com>

Our sshd very annoyingly uses the hostname to form the principal it uses for Kerberos authentication. This is especially a problem on machines with multiple IP addresses.

The following patch adds a `ServerPrincipalFromSocket' option (which defaults to `no'). When this option is set, sshd will behave as most other Kerberized daemons and use getsockname() to determine what principal name to use. Incidentally, I also added a debug message which displays what principal will be used.

Index: auth-krb5.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/auth-krb5.c,v retrieving revision 1.8 diff -u -r1.8 auth-krb5.c --- auth-krb5.c 2001/06/12 03:43:47 1.8 +++ auth-krb5.c 2001/07/13 20:26:24 
@@ -11,7 +11,7 @@ #include "xmalloc.h" #ifdef KRB5 - +extern ServerOptions options; krb5_context ssh_context = NULL; krb5_auth_context auth_context; krb5_ccache mem_ccache = NULL; /* Credential cache for acquired ticket */ @@ -50,9 +50,14 @@ ret = 0; goto err; } - + + if (options.server_principal_from_socket) { + problem = krb5_sock_to_principal(ssh_context, fd, "host", + KRB5_NT_SRV_HST, &server); + } else { problem = krb5_sname_to_principal(ssh_context, NULL, NULL , KRB5_NT_SRV_HST, &server); + } if (problem) { ret = 0; goto err; Index: servconf.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/servconf.c,v retrieving revision 1.22 diff -u -r1.22 servconf.c --- servconf.c 2001/05/04 04:14:22 1.22 +++ servconf.c 2001/07/13 20:29:55 @@ -80,6 +80,7 @@ #endif #ifdef KRB5 options->krb5_tgt_passing = -1; + options->server_principal_from_socket = -1; #endif /* KRB5 */ #ifdef AFS options->krb4_tgt_passing = -1; @@ -195,6 +196,8 @@ #ifdef KRB5 if (options->krb5_tgt_passing == -1) options->krb5_tgt_passing = 1; + if (options->server_principal_from_socket == -1) + options->server_principal_from_socket = 0; #endif /* KRB5 */ #ifdef AFS if (options->krb4_tgt_passing == -1) @@ -244,6 +247,7 @@ #endif #ifdef KRB5 sKrb5TgtPassing, + sServerPrincipalFromSocket, #endif /* KRB5 */ #ifdef AFS sKrb4TgtPassing, sAFSTokenPassing, @@ -293,6 +297,7 @@ #endif #ifdef KRB5 { "kerberos5tgtpassing", sKrb5TgtPassing }, + { "serverprincipalfromsocket", sServerPrincipalFromSocket }, #endif /* KRB5 */ #ifdef AFS { "kerberos4tgtpassing", sKrb4TgtPassing }, 
@@ -620,6 +625,10 @@ #ifdef KRB5 case sKrb5TgtPassing: intptr = &options->krb5_tgt_passing; + goto parse_flag; + + case sServerPrincipalFromSocket: + intptr = &options->server_principal_from_socket; goto parse_flag; #endif /* KRB5 */ Index: servconf.h =================================================================== RCS file: /home/ncvs/src/crypto/openssh/servconf.h,v retrieving revision 1.9 diff -u -r1.9 servconf.h --- servconf.h 2001/05/04 04:14:22 1.9 +++ servconf.h 2001/07/13 20:27:28 @@ -88,6 +88,10 @@ #endif #ifdef KRB5 int krb5_tgt_passing; + int server_principal_from_socket; /* If true, use the socket name + instead of the hostname for + the server principal. */ + #endif /* KRB5 */ #ifdef AFS Index: sshconnect.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/sshconnect.c,v retrieving revision 1.17 diff -u -r1.17 sshconnect.c --- sshconnect.c 2001/05/04 04:37:49 1.17 +++ sshconnect.c 2001/07/13 20:31:22 @@ -739,6 +739,10 @@ int type, payload_len; krb5_ap_rep_enc_part *reply = NULL; int ret; + char **realms; + char *real_hostname; + krb5_principal server; + char sname[128]; memset(&ap, 0, sizeof(ap)); 
@@ -765,9 +769,29 @@ } remotehost = get_canonical_hostname(1); - - problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, - "host", remotehost, NULL, ccache, &ap); + problem = krb5_expand_hostname_realms(*context, remotehost, &real_hostname, + &realms); + if (problem) { + ret = 0; + goto out; + } + problem = krb5_build_principal(*context, &server, strlen(*realms), *realms, + "host", real_hostname, NULL); + free(real_hostname); + krb5_free_host_realm(*context, realms); + if (problem) { + ret = 0; + goto out; + } + problem = krb5_unparse_name_fixed(*context, server, sname, sizeof(sname)); + if (problem) { + fatal("krb5_unparse_name_fixed failed: %s", + krb5_get_err_text(*context, problem)); + } + debug("Kerberos V5: trying %s.", sname); + + problem = krb5_mk_req_exact(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED, + server, NULL, ccache, &ap); if (problem) { ret = 0; goto out; Index: sshd_config =================================================================== RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v retrieving revision 1.17 diff -u -r1.17 sshd_config --- sshd_config 2001/05/18 18:10:02 1.17 +++ sshd_config 2001/07/13 20:26:24 @@ -56,6 +56,9 @@ #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no +# Set the following in order to use the socket name rather than the hostname +# for the Kerberos server principal. +#ServerPrincipalFromSocket no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes
-- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
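Review bot: the `extern ServerOptions options;` added in the auth-krb5.c @@ -11,7 hunk needs the ServerOptions type in scope, and the only include visible in that hunk's context is "xmalloc.h"; confirm that "servconf.h" is already included earlier in auth-krb5.c, or add the include in the same hunk, otherwise the file stops compiling under KRB5.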
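Review bot: in the auth-krb5.c @@ -50,9 hunk, `fd` is handed to krb5_sock_to_principal() but is neither declared nor assigned in the visible context; make sure it is the descriptor of the accepted client connection, because the principal is derived from getsockname() on exactly that socket. Two follow-ups: the keytab must now contain a host/<name> key for the reverse-resolved name of every address sshd accepts on, which deserves a sentence in the option's documentation; and the unchanged `problem = krb5_sname_to_principal(ssh_context, NULL, NULL , KRB5_NT_SRV_HST, &server);` line now sits inside the new `else {` block without being re-indented (the stray `NULL ,` spacing is pre-existing but could be fixed while the line is being touched). The leading `-`/`+` pair is a whitespace-only change that can be dropped to keep the hunk minimal.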
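Review bot: the servconf.h @@ -88,6 hunk adds an empty `+` line after the new field's comment, just before `#endif /* KRB5 */`; drop that trailing blank so the hunk is limited to the `int server_principal_from_socket;` declaration and its comment.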
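Review bot: in the sshconnect.c @@ -739,6 hunk, `krb5_principal server;` is declared uninitialized and nothing in the later hunk releases it: `server` is built with krb5_build_principal() and passed to krb5_mk_req_exact() but never passed to krb5_free_principal(), so every Kerberos attempt leaks it. Initialize it (`krb5_principal server = NULL;`) and free it on the `out:` path when non-NULL, which also keeps the early `goto out` exits safe.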
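Review bot: in the sshconnect.c @@ -765,9 hunk, `krb5_unparse_name_fixed(*context, server, sname, sizeof(sname))` writes into the 128-byte `sname` declared in the earlier hunk and its failure is escalated with `fatal(...)`; a long canonical hostname plus realm can exceed 128 bytes, and the only consumer of `sname` is the `debug("Kerberos V5: trying %s.", sname);` line, so a client would abort over a log message. Use krb5_unparse_name() into a heap string that is freed afterwards, or treat the unparse error as non-fatal and skip the debug() call. While here, a short comment that both host name and realm come from DNS via krb5_expand_hostname_realms() (the same trust the replaced krb5_mk_req() call had) would help a future reader understand which principal the client ends up asking for.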
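Review bot: the sshd_config @@ -56,6 hunk is the only documentation of the new keyword; the patch does not update the manual page that lists sshd_config keywords, so `ServerPrincipalFromSocket` should be added there too, with the same note that it is only meaningful in Kerberos 5 builds. The example comment could also say what "socket name" means in practice, i.e. the reverse-resolved local address of the connection, so an admin knows which host/ keys the keytab must contain.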
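The mechanism the cover note describes, deriving the host/ service principal from getsockname() on the connection instead of from the host name, as an added example in plain C that is not part of the patch or of OpenSSH. It uses libc getsockname()/getnameinfo() as a stand-in for Heimdal's krb5_sock_to_principal(); the realm EXAMPLE.COM, the loopback socket and the buffer sizes are assumptions for illustration, and the truncation check stands in for the fixed-size unparse buffer discussed above.

```c
#define _POSIX_C_SOURCE 200112L
/* Added example, not OpenSSH code: service principal from the local end of
 * a socket (what a ServerPrincipalFromSocket-style option does) next to the
 * gethostname()-based derivation it replaces. Realm and addresses are
 * assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define HOSTBUF 1025   /* enough for any DNS name plus NUL */

/* Name of the LOCAL address of fd, i.e. the address the peer connected to.
 * ni_flags goes straight to getnameinfo(): 0 asks for a reverse lookup (what
 * a Kerberized daemon wants), NI_NUMERICHOST keeps the textual address so the
 * result does not depend on DNS. Returns 0 on success, -1 on failure. */
int local_name_of_socket(int fd, int ni_flags, char *name, size_t namelen)
{
    struct sockaddr_storage ss;
    socklen_t sslen = sizeof(ss);

    if (getsockname(fd, (struct sockaddr *)&ss, &sslen) != 0)
        return -1;
    if (getnameinfo((struct sockaddr *)&ss, sslen, name, (socklen_t)namelen,
                    NULL, 0, ni_flags) != 0)
        return -1;
    return 0;
}

/* Format "host/<name>@<REALM>". A truncated principal would quietly name a
 * different service, so a buffer that is too small is an error, not a
 * shortened result. */
int build_host_principal(const char *name, const char *realm,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "host/%s@%s", name, realm);

    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* New behaviour: principal follows the address the client actually used. */
int server_principal_from_socket(int fd, int ni_flags, const char *realm,
                                 char *out, size_t outlen)
{
    char name[HOSTBUF];

    if (local_name_of_socket(fd, ni_flags, name, sizeof(name)) != 0)
        return -1;
    return build_host_principal(name, realm, out, outlen);
}

/* Old behaviour: one name for the whole host, whichever interface was hit. */
int server_principal_from_hostname(const char *realm, char *out, size_t outlen)
{
    char name[HOSTBUF];

    if (gethostname(name, sizeof(name)) != 0)
        return -1;
    name[sizeof(name) - 1] = '\0';
    return build_host_principal(name, realm, out, outlen);
}

/* A TCP socket bound to addr, port 0: stands in for an accepted connection. */
int bound_socket(const char *addr)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the numeric (DNS-free) principal for a socket on addr equals expected. */
int check_numeric_principal(const char *addr, const char *realm,
                            const char *expected)
{
    char p[256];
    int fd = bound_socket(addr), ok;

    if (fd < 0)
        return 0;
    ok = server_principal_from_socket(fd, NI_NUMERICHOST, realm, p, sizeof(p)) == 0
         && strcmp(p, expected) == 0;
    close(fd);
    return ok;
}

/* 1 if a buffer one byte too small is rejected instead of truncated. */
int truncation_rejected(void)
{
    char tiny[8];  /* "host/a@B" needs 9 bytes including the NUL */

    return build_host_principal("a", "B", tiny, sizeof(tiny)) == -1;
}

int main(void)
{
    char p[256];
    int fd = bound_socket("127.0.0.1");

    if (fd < 0)
        return 1;
    if (server_principal_from_hostname("EXAMPLE.COM", p, sizeof(p)) == 0)
        printf("from hostname: %s\n", p);
    if (server_principal_from_socket(fd, 0, "EXAMPLE.COM", p, sizeof(p)) == 0)
        printf("from socket:   %s\n", p);
    close(fd);
    return 0;
}
```

On a multi-homed host, binding to each local address in turn changes the "from socket" line while the "from hostname" line stays the same, which is the situation the option is meant to fix; the keytab then needs a host/ key for each of those reverse-resolved names.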