Date: Fri, 13 Jul 2001 15:39:46 -0500 From: "Jacques A. Vidrine" <n@nectar.com> To: freebsd-audit@freebsd.org Subject: Add `ServerPrincipalFromSocket' option to sshd Message-ID: <20010713153946.G67153@madman.nectar.com>
Our sshd very annoyingly uses the hostname to form the principal it uses for Kerberos authentication. This is especially a problem on machines with multiple IP addresses. The following patch adds a `ServerPrincipalFromSocket' option (which defaults to `no'). When this option is set, sshd will behave as most other Kerberized daemons and use getsockname() to determine what principal name to use. Incidently, I also added a debug message which displays what principal will be used.
Index: auth-krb5.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/auth-krb5.c,v
retrieving revision 1.8
diff -u -r1.8 auth-krb5.c
--- auth-krb5.c 2001/06/12 03:43:47 1.8
+++ auth-krb5.c 2001/07/13 20:26:24
@@ -11,7 +11,7 @@
 #include "xmalloc.h"
 #ifdef KRB5
-
+extern ServerOptions options;
 krb5_context ssh_context = NULL;
 krb5_auth_context auth_context;
 krb5_ccache mem_ccache = NULL; /* Credential cache for acquired ticket */
@@ -50,9 +50,14 @@
 ret = 0;
 goto err;
 }
-
+
+ if (options.server_principal_from_socket) {
+ problem = krb5_sock_to_principal(ssh_context, fd, "host",
+ KRB5_NT_SRV_HST, &server);
+ } else {
 problem = krb5_sname_to_principal(ssh_context, NULL, NULL ,
 KRB5_NT_SRV_HST, &server);
+ }
 if (problem) {
 ret = 0;
 goto err;
Index: servconf.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/servconf.c,v
retrieving revision 1.22
diff -u -r1.22 servconf.c
--- servconf.c 2001/05/04 04:14:22 1.22
+++ servconf.c 2001/07/13 20:29:55
@@ -80,6 +80,7 @@
 #endif
 #ifdef KRB5
 options->krb5_tgt_passing = -1;
+ options->server_principal_from_socket = -1;
 #endif /* KRB5 */
 #ifdef AFS
 options->krb4_tgt_passing = -1;
@@ -195,6 +196,8 @@
 #ifdef KRB5
 if (options->krb5_tgt_passing == -1)
 options->krb5_tgt_passing = 1;
+ if (options->server_principal_from_socket == -1)
+ options->server_principal_from_socket = 0;
 #endif /* KRB5 */
 #ifdef AFS
 if (options->krb4_tgt_passing == -1)
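Review bot: The added `extern ServerOptions options;` depends on the ServerOptions type from servconf.h, and no include of that header is among the lines this hunk shows; with `#include "xmalloc.h"` sitting at line 11 the include list looks short, so confirm the file already pulls servconf.h in before the `#ifdef KRB5` block. If it does not, the declaration has to follow an added include rather than stand alone.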
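Review bot: The `else` branch keeps the `krb5_sname_to_principal` call at its old indentation, so the two branches read at different depths; indent the body one level under `} else {`: `problem = krb5_sname_to_principal(ssh_context, NULL, NULL,` / `    KRB5_NT_SRV_HST, &server);`. The `fd` handed to `krb5_sock_to_principal` is declared and set outside the hunk (the function starts before it), so confirm it is the connection socket that is already set up above. The new branch also deserves a comment, since the key looked up at krb5_rd_req time now depends on which local address accepted the connection: `/* Derive the principal from the local address of this connection (getsockname()); the keytab must hold a host/ key for every name a listening address maps to, or authentication fails. */`.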
@@ -244,6 +247,7 @@
 #endif
 #ifdef KRB5
 sKrb5TgtPassing,
+ sServerPrincipalFromSocket,
 #endif /* KRB5 */
 #ifdef AFS
 sKrb4TgtPassing, sAFSTokenPassing,
@@ -293,6 +297,7 @@
 #endif
 #ifdef KRB5
 { "kerberos5tgtpassing", sKrb5TgtPassing },
+ { "serverprincipalfromsocket", sServerPrincipalFromSocket },
 #endif /* KRB5 */
 #ifdef AFS
 { "kerberos4tgtpassing", sKrb4TgtPassing },
@@ -620,6 +625,10 @@
 #ifdef KRB5
 case sKrb5TgtPassing:
 intptr = &options->krb5_tgt_passing;
+ goto parse_flag;
+
+ case sServerPrincipalFromSocket:
+ intptr = &options->server_principal_from_socket;
 goto parse_flag;
 #endif /* KRB5 */
Index: servconf.h
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/servconf.h,v
retrieving revision 1.9
diff -u -r1.9 servconf.h
--- servconf.h 2001/05/04 04:14:22 1.9
+++ servconf.h 2001/07/13 20:27:28
@@ -88,6 +88,10 @@
 #endif
 #ifdef KRB5
 int krb5_tgt_passing;
+ int server_principal_from_socket; /* If true, use the socket name instead of the hostname for the server principal. */
+
 #endif /* KRB5 */
 #ifdef AFS
Index: sshconnect.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshconnect.c,v
retrieving revision 1.17
diff -u -r1.17 sshconnect.c
--- sshconnect.c 2001/05/04 04:37:49 1.17
+++ sshconnect.c 2001/07/13 20:31:22
@@ -739,6 +739,10 @@
 int type, payload_len;
 krb5_ap_rep_enc_part *reply = NULL;
 int ret;
+ char **realms;
+ char *real_hostname;
+ krb5_principal server;
+ char sname[128];
 memset(&ap, 0, sizeof(ap));
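Review bot: The comment on the new `server_principal_from_socket` field says "socket name" without saying which end of the socket is meant; the cover note says the name comes from getsockname(), i.e. the local address the client connected to, and that is what an operator checking keytab contents needs to know. Suggest `/* If true, build the server principal from the local address of the connection socket (getsockname()) rather than from the canonical hostname. */`. The same wording would help the `#ServerPrincipalFromSocket` comment in sshd_config.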
@@ -765,9 +769,29 @@
 }
 remotehost = get_canonical_hostname(1);
-
- problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
- "host", remotehost, NULL, ccache, &ap);
+ problem = krb5_expand_hostname_realms(*context, remotehost, &real_hostname,
+ &realms);
+ if (problem) {
+ ret = 0;
+ goto out;
+ }
+ problem = krb5_build_principal(*context, &server, strlen(*realms), *realms,
+ "host", real_hostname, NULL);
+ free(real_hostname);
+ krb5_free_host_realm(*context, realms);
+ if (problem) {
+ ret = 0;
+ goto out;
+ }
+ problem = krb5_unparse_name_fixed(*context, server, sname, sizeof(sname));
+ if (problem) {
+ fatal("krb5_unparse_name_fixed failed: %s",
+ krb5_get_err_text(*context, problem));
+ }
+ debug("Kerberos V5: trying %s.", sname);
+
+ problem = krb5_mk_req_exact(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+ server, NULL, ccache, &ap);
 if (problem) {
 ret = 0;
 goto out;
Index: sshd_config
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd_config,v
retrieving revision 1.17
diff -u -r1.17 sshd_config
--- sshd_config 2001/05/18 18:10:02 1.17
+++ sshd_config 2001/07/13 20:26:24
@@ -56,6 +56,9 @@
 #KerberosOrLocalPasswd yes
 #AFSTokenPassing no
 #KerberosTicketCleanup no
+# Set the following in order to use the socket name rather than the hostname
+# for the Kerberos server principal.
+#ServerPrincipalFromSocket no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
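Review bot: `server`, allocated by `krb5_build_principal`, is never released: the success path and the `goto out` after `krb5_mk_req_exact` both leave it, and `out:` lies outside the hunk and predates this variable (declared in the earlier hunk at line 739), so it cannot free it either. A second point is the `fatal()` on a `krb5_unparse_name_fixed` failure: the unparsed name feeds only a debug line, and a principal that does not fit in `sname[128]` presumably makes that call fail, so an unusually long hostname/realm would abort the client instead of merely losing the message. Free the principal once `krb5_mk_req_exact` has consumed it and downgrade the unparse failure to a debug message; the enclosing function starts and ends outside the hunk.
```c
	problem = krb5_unparse_name_fixed(*context, server, sname, sizeof(sname));
	if (problem) {
		debug("krb5_unparse_name_fixed failed: %s",
		    krb5_get_err_text(*context, problem));
	} else {
		debug("Kerberos V5: trying %s.", sname);
	}

	problem = krb5_mk_req_exact(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
	    server, NULL, ccache, &ap);
	krb5_free_principal(*context, server);
	/* … unchanged: error check and goto out … */
```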