summaryrefslogtreecommitdiff
path: root/source3/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2001-11-11 10:42:07 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-11-11 10:42:07 +0000
commit7de42a4faf74678c35b2013200466e75b1430524 (patch)
tree3a64d84033aa6deb8208e6b0b000bf0f633ae143 /source3/auth
parent5d152d24a39386a7b595f9fc157d86dff38c39dc (diff)
downloadsamba-7de42a4faf74678c35b2013200466e75b1430524.tar.gz
samba-7de42a4faf74678c35b2013200466e75b1430524.tar.bz2
samba-7de42a4faf74678c35b2013200466e75b1430524.zip
Remove built-in support for clear-text kerberos authentication.
This should remove some confusion from the ./configure, but does not affect the 'real' kerberos support currently residing in smbd/sesssetup.c. This code is vunerable to a spoofed KDC, and is best replaced by --with-pam and the pam_krb5 module. This module includes measures to prevent such spoofing. Andrew Bartlett (This used to be commit 3235880b41ee5dd5ef171195489fb9254f5d89b0)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/pass_check.c126
1 files changed, 3 insertions, 123 deletions
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 44b3b9a237..77839e4bb0 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -26,7 +26,7 @@
/* these are kept here to keep the string_combinations function simple */
static fstring this_user;
-#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH))
+#if !defined(WITH_PAM)
static fstring this_salt;
static fstring this_crypted;
#endif
@@ -370,122 +370,6 @@ void dfs_unlogin(void)
}
#endif
-#ifdef KRB5_AUTH
-
-#include <krb5.h>
-
-/*******************************************************************
-check on Kerberos authentication
-********************************************************************/
-static BOOL krb5_auth(char *user, char *password)
-{
- krb5_data tgtname = {
- 0,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME
- };
- krb5_context kcontext;
- krb5_principal kprinc;
- krb5_principal server;
- krb5_creds kcreds;
- int options = 0;
- krb5_address **addrs = (krb5_address **) 0;
- krb5_preauthtype *preauth = NULL;
- krb5_keytab keytab = NULL;
- krb5_timestamp now;
- krb5_ccache ccache = NULL;
- int retval;
- char *name;
-
- if (retval = krb5_init_context(&kcontext))
- {
- return (False);
- }
-
- if (retval = krb5_timeofday(kcontext, &now))
- {
- return (False);
- }
-
- if (retval = krb5_cc_default(kcontext, &ccache))
- {
- return (False);
- }
-
- if (retval = krb5_parse_name(kcontext, user, &kprinc))
- {
- return (False);
- }
-
- ZERO_STRUCT(kcreds);
-
- kcreds.client = kprinc;
-
- if ((retval = krb5_build_principal_ext(kcontext, &server,
- krb5_princ_realm(kcontext,
- kprinc)->
- length,
- krb5_princ_realm(kcontext,
- kprinc)->data,
- tgtname.length, tgtname.data,
- krb5_princ_realm(kcontext,
- kprinc)->
- length,
- krb5_princ_realm(kcontext,
- kprinc)->data,
- 0)))
- {
- return (False);
- }
-
- kcreds.server = server;
-
- retval = krb5_get_in_tkt_with_password(kcontext,
- options,
- addrs,
- NULL,
- preauth,
- password, 0, &kcreds, 0);
-
- if (retval)
- {
- return (False);
- }
-
- return (True);
-}
-#endif /* KRB5_AUTH */
-
-#ifdef KRB4_AUTH
-#include <krb.h>
-
-/*******************************************************************
-check on Kerberos authentication
-********************************************************************/
-static BOOL krb4_auth(char *user, char *password)
-{
- char realm[REALM_SZ];
- char tkfile[MAXPATHLEN];
-
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- {
- (void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1);
- }
-
- (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d",
- (int)sys_getpid());
-
- krb_set_tkt_string(tkfile);
- if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS)
- {
- unlink(tkfile);
- return 1;
- }
- unlink(tkfile);
- return 0;
-}
-#endif /* KRB4_AUTH */
-
#ifdef LINUX_BIGCRYPT
/****************************************************************************
an enhanced crypt for Linux to handle password longer than 8 characters
@@ -602,10 +486,6 @@ static NTSTATUS password_check(char *password)
{
#ifdef WITH_PAM
return smb_pam_passcheck(this_user, password);
-#elif defined(KRB5_AUTH)
- return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK;
-#elif defined(KRB4_AUTH)
- return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK;
#else
BOOL ret;
@@ -729,7 +609,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
if (((!*password) || (!pwlen)) && !lp_null_passwords())
return NT_STATUS_LOGON_FAILURE;
-#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)
+#if defined(WITH_PAM)
/*
* If we're using PAM we want to short-circuit all the
@@ -834,7 +714,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
}
}
-#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */
+#endif /* defined(WITH_PAM) */
/* try it as it came to us */
nt_status = password_check(password);