#endif /* lint */
/*-
- * Copyright (c) 1991 The Regents of the University of California.
- * All rights reserved.
+ * Copyright (c) 1991, 1993
+ * The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
*/
#ifndef lint
-static char sccsid[] = "@(#)kerberos5.c 5.3 (Berkeley) 12/18/92";
+static char sccsid[] = "@(#)kerberos5.c 8.1 (Berkeley) 6/4/93";
#endif /* not lint */
/*
#include <netdb.h>
#include <ctype.h>
+#define FORWARD /* Do credentials forwarding.... */
/* kerberos 5 include files (ext-proto.h) will get an appropriate stdlib.h
and string.h/strings.h */
#include "misc.h"
extern auth_debug_mode;
+
+#ifdef FORWARD
int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
/* These values need to be the same as those defined in telnet/main.c. */
#define OPTS_FORWARD_CREDS 0x00000002
#define OPTS_FORWARDABLE_CREDS 0x00000001
+void kerberos5_forward();
+
+#endif /* FORWARD */
+
static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
AUTHTYPE_KERBEROS_V5, };
/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
#define KRB_REJECT 1 /* Rejected (reason might follow) */
#define KRB_ACCEPT 2 /* Accepted */
#define KRB_RESPONSE 3 /* Response for mutual auth. */
+
+#ifdef FORWARD
#define KRB_FORWARD 4 /* Forwarded credentials follow */
#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
+#endif /* FORWARD */
static krb5_data auth;
/* telnetd gets session key from here */
/* telnet matches the AP_REQ and AP_REP with this */
static krb5_authenticator authenticator;
-void kerberos5_forward();
-
/* some compilers can't hack void *, so we use the Kerberos krb5_pointer,
which is either void * or char *, depending on the compiler. */
extern krb5_flags krb5_kdc_default_options;
int ap_opts;
-#if defined(ENCRYPTION)
+#ifdef ENCRYPTION
krb5_keyblock *newkey = 0;
-#endif
+#endif /* ENCRYPTION */
ksum.checksum_type = CKSUMTYPE_CRC32;
ksum.contents = sum;
ap_opts = 0;
r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0,
-#if defined(ENCRYPTION)
+#ifdef ENCRYPTION
&newkey,
-#else
+#else /* ENCRYPTION */
0,
-#endif
+#endif /* ENCRYPTION */
ccache, &creds, &authenticator, &auth);
/* don't let the key get freed if we clean up the authenticator */
authenticator.subkey = 0;
free(name);
krb5_free_host_realm(realms);
krb5_free_principal(server);
-#if defined(ENCRYPTION)
+#ifdef ENCRYPTION
if (newkey) {
/* keep the key in our private storage, but don't use it
yet---see kerberos5_reply() below */
}
krb5_free_keyblock(newkey);
}
-#endif
+#endif /* ENCRYPTION */
if (r) {
if (auth_debug_mode) {
printf("Kerberos V5: mk_req failed (%s)\r\n",
encrypt_session_key(&skey, 1);
#endif
break;
+#ifdef FORWARD
case KRB_FORWARD:
inbuf.data = (char *)data;
inbuf.length = cnt;
if (auth_debug_mode)
printf("Forwarded credentials obtained\r\n");
break;
+#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
else
printf("[ Kerberos V5 accepts you ]\n");
auth_finished(ap, AUTH_USER);
+#ifdef FORWARD
if (forward_flags & OPTS_FORWARD_CREDS)
kerberos5_forward(ap);
+#endif /* FORWARD */
break;
case KRB_RESPONSE:
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
return;
}
krb5_free_ap_rep_enc_part(reply);
-#if defined(ENCRYPTION)
+#ifdef ENCRYPTION
skey.type = SK_DES;
skey.length = 8;
skey.data = session_key;
encrypt_session_key(&skey, 0);
-#endif
+#endif /* ENCRYPTION */
mutual_complete = 1;
}
return;
+#ifdef FORWARD
case KRB_FORWARD_ACCEPT:
printf("[ Kerberos V5 accepted forwarded credentials ]\n");
return;
printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
cnt, data);
return;
+#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
strncpy((char *)buf, " RESPONSE", buflen);
goto common2;
+#ifdef FORWARD
case KRB_FORWARD: /* Forwarded credentials follow */
strncpy((char *)buf, " FORWARD", buflen);
goto common2;
/* (reason might follow) */
strncpy((char *)buf, " FORWARD_REJECT", buflen);
goto common2;
+#endif /* FORWARD */
default:
sprintf(lbuf, " %d (unknown)", data[3]);
}
}
+#ifdef FORWARD
void
kerberos5_forward(ap)
Authenticator *ap;
krb5_free_creds(local_creds);
}
+#endif /* FORWARD */
#endif /* KRB5 */