Add code for being compatible with ssh.com's krb5 authentication.

It is done by using the same ssh messages for v4 and v5 authentication
(since the ssh.com does not now anything about v4) and looking at the
contents after unpacking it to see if it is v4 or v5.
Based on code from Björn Grönvall <bg@sics.se>

PR:		misc/20504

crypto/openssh/auth-krb4.c

@@ -267,7 +267,7 @@ auth_krb4(const char *server_user, KTEXT auth, char **client)
 	/* Clear session key. */
 	memset(&adat.session, 0, sizeof(&adat.session));
 
-	packet_start(SSH_SMSG_AUTH_KRB4_RESPONSE);
+	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
 	packet_put_string((char *) reply.dat, reply.length);
 	packet_send();
 	packet_write_wait();

crypto/openssh/auth-krb5.c

@@ -79,7 +79,7 @@ auth_krb5(const char* server_user, krb5_data *auth, krb5_principal *client)
 	
 	*client = tkt_client;
 	
-	packet_start(SSH_SMSG_AUTH_KRB5_RESPONSE);
+	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
 	packet_put_string((char *) reply.data, reply.length);
 	packet_send();
 	packet_write_wait();

crypto/openssh/auth-passwd.c

@@ -94,7 +94,7 @@ auth_password(struct passwd * pw, const char *password)
 	}
 #endif
 #ifdef KRB5
-	if (options.krb5_authentication == 1) {
+	if (options.kerberos_authentication == 1) {
 	  	if (auth_krb5_password(pw, password))
 		  	return 1;
 		/* Fall back to ordinary passwd authentication. */
@@ -102,7 +102,7 @@ auth_password(struct passwd * pw, const char *password)
 
 #endif /* KRB5 */
 #ifdef KRB4
-	if (options.krb4_authentication == 1) {
+	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb4_password(pw, password);
 		if (ret == 1 || ret == 0)
 			return ret;

crypto/openssh/auth1.c

@@ -52,14 +52,10 @@ get_authname(int type)
 		return "rhosts-rsa";
 	case SSH_CMSG_AUTH_RHOSTS:
 		return "rhosts";
-#ifdef KRB4
-	case SSH_CMSG_AUTH_KRB4:
-		return "kerberosV4";
+#if defined(KRB4) || defined(KRB5)
+	case SSH_CMSG_AUTH_KERBEROS:
+		return "kerberos";
 #endif
-#ifdef KRB5
-	case SSH_CMSG_AUTH_KRB5:
-		return "kerberosV5";
-#endif /* KRB5 */
 #ifdef SKEY
 	case SSH_CMSG_AUTH_TIS_RESPONSE:
 		return "s/key";
@@ -136,6 +132,7 @@ do_authloop(struct passwd * pw, char *luser)
 		/* Process the packet. */
 		switch (type) {
 #ifdef AFS
+#ifndef KRB5
 		case SSH_CMSG_HAVE_KRB4_TGT:
 			if (!options.krb4_tgt_passing) {
 				/* packet_get_all(); */
@@ -150,7 +147,7 @@ do_authloop(struct passwd * pw, char *luser)
 				xfree(tgt);
 			}
 			continue;
-
+#endif /* !KRB5 */
 		case SSH_CMSG_HAVE_AFS_TOKEN:
 			if (!options.afs_token_passing || !k_hasafs()) {
 				verbose("AFS token passing disabled.");
@@ -165,63 +162,61 @@ do_authloop(struct passwd * pw, char *luser)
 			}
 			continue;
 #endif /* AFS */
-#ifdef KRB4
-		case SSH_CMSG_AUTH_KRB4:
-			if (!options.krb4_authentication) {
-				/* packet_get_all(); */
-				verbose("Kerberos v4 authentication disabled.");
-				break;
-			} else {
-				/* Try Kerberos v4 authentication. */
-				KTEXT_ST auth;
-				char *tkt_user = NULL;
-				char *kdata = packet_get_string((unsigned int *) &auth.length);
-				packet_integrity_check(plen, 4 + auth.length, type);
+#if defined(KRB4) || defined(KRB5)
+		case SSH_CMSG_AUTH_KERBEROS:
+			if (!options.kerberos_authentication) {
+				verbose("Kerberos authentication disabled.");
+  			} else {
+				unsigned int length;
+				char *kdata = packet_get_string(&length);
+				packet_integrity_check(plen, 4 + length, type);
 
-				if (auth.length < MAX_KTXT_LEN)
-					memcpy(auth.dat, kdata, auth.length);
-				xfree(kdata);
+				/* 4 == KRB_PROT_VERSION */
+				if (kdata[0] == 4) {
+#ifndef KRB4
+					verbose("Kerberos v4 authentication disabled.");
+#else
+					char *tkt_user = NULL;
+					KTEXT_ST auth;
+					auth.length = length;
+					if (auth.length < MAX_KTXT_LEN)
+						memcpy(auth.dat, kdata, auth.length);
 
-				if (pw != NULL) {
 					authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
+
 					if (authenticated) {
 						snprintf(user, sizeof user, " tktuser %s", tkt_user);
 						xfree(tkt_user);
 					}
-				}
-			}
-			break;
-#endif /* KRB4 */
-#ifdef KRB5
-		case SSH_CMSG_AUTH_KRB5:
-			if (!options.krb5_authentication) {
-			  	verbose("Kerberos v5 authentication disabled.");
-				break;
-			} else {
-			  	krb5_data k5data; 
-#if 0	
-				if (krb5_init_context(&ssh_context)) {
-				  verbose("Error while initializing Kerberos V5.");
-				  break;
-				}
-				krb5_init_ets(ssh_context);
-#endif
-				
-				k5data.data = packet_get_string(&k5data.length);
-				packet_integrity_check(plen, 4 + k5data.length, type);
-				if (auth_krb5(luser, &k5data, &tkt_client)) {
-				  /* "luser" is passed just for logging purposes
-				   * */
-				  	/* authorize client against .k5login */
-				  	if (krb5_kuserok(ssh_context,
-					      tkt_client,
-					      luser))
-					  	authenticated = 1;
-				}
-				xfree(k5data.data);
-			}
-			break;
+  #endif /* KRB4 */
+				} else {
+#ifndef KRB5
+					verbose("Kerberos v5 authentication disabled.");
+#else
+				  	krb5_data k5data; 
+					k5data.length = length;
+					k5data.data = kdata;
+  #if 0	
+					if (krb5_init_context(&ssh_context)) {
+						verbose("Error while initializing Kerberos V5.");
+						break;
+					}
+					krb5_init_ets(ssh_context);
+  #endif
+					/* pw->name is passed just for logging purposes */
+					if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) {
+					  	/* authorize client against .k5login */
+					  	if (krb5_kuserok(ssh_context,
+						      tkt_client,
+						      pw->pw_name))
+						  	authenticated = 1;
+					}
 #endif /* KRB5 */
+  				}
+				xfree(kdata);
+  			}
+  			break;
+#endif /* KRB4 || KRB5 */
 
 		case SSH_CMSG_AUTH_RHOSTS:
 			if (!options.rhosts_authentication) {
@@ -389,7 +384,7 @@ do_authloop(struct passwd * pw, char *luser)
 			break;
 #endif
 #ifdef KRB5
-		case SSH_CMSG_HAVE_KRB5_TGT:
+		case SSH_CMSG_HAVE_KERBEROS_TGT:
 			/* Passing krb5 ticket */
 			if (!options.krb5_tgt_passing 
                             /*|| !options.krb5_authentication */) {
@@ -571,10 +566,10 @@ do_authentication()
 	/* If the user has no password, accept authentication immediately. */
 	if (options.password_authentication &&
 #ifdef KRB5
-	    !options.krb5_authentication &&
+	    !options.kerberos_authentication &&
 #endif /* KRB5 */
 #ifdef KRB4
-	    (!options.krb4_authentication || options.krb4_or_local_passwd) &&
+	    (!options.kerberos_authentication || options.krb4_or_local_passwd) &&
 #endif /* KRB4 */
 #ifdef USE_PAM
 	    auth_pam_password(pw, "")

crypto/openssh/auth2.c

@@ -120,9 +120,9 @@ do_authentication2()
 	authctxt->success = 0;
 	x_authctxt = authctxt;		/*XXX*/
 
-#ifdef KRB4
+#if defined(KRB4) || defined(KRB5)
 	/* turn off kerberos, not supported by SSH2 */
-	options.krb4_authentication = 0;
+	options.kerberos_authentication = 0;
 #endif
 	dispatch_init(&protocol_error);
 	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);

crypto/openssh/readconf.c

@@ -91,11 +91,11 @@ typedef enum {
 	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
 	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
 	oSkeyAuthentication, oXAuthLocation,
-#ifdef KRB4
-	oKrb4Authentication,
+#if defined(KRB4) || defined(KRB5)
+	oKerberosAuthentication,
 #endif /* KRB4 */
 #ifdef KRB5
-	oKrb5Authentication, oKrb5TgtPassing,
+	oKrb5TgtPassing,
 #endif /* KRB5 */
 #ifdef AFS
 	oKrb4TgtPassing, oAFSTokenPassing,
@@ -128,11 +128,10 @@ static struct {
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "dsaauthentication", oDSAAuthentication },
 	{ "skeyauthentication", oSkeyAuthentication },
-#ifdef KRB4
-	{ "kerberos4authentication", oKrb4Authentication },
-#endif /* KRB4 */
+#if defined(KRB4) || defined(KRB5)
+	{ "kerberosauthentication", oKerberosAuthentication },
+#endif /* KRB4 || KRB5 */
 #ifdef KRB5
-	{ "kerberos5authentication", oKrb5Authentication },
 	{ "kerberos5tgtpassing", oKrb5TgtPassing },
 #endif /* KRB5 */
 #ifdef AFS
@@ -324,17 +323,13 @@ parse_flag:
 		intptr = &options->skey_authentication;
 		goto parse_flag;
 
-#ifdef KRB4
-	case oKrb4Authentication:
-		intptr = &options->krb4_authentication;
+#if defined(KRB4) || defined(KRB5)
+	case oKerberosAuthentication:
+		intptr = &options->kerberos_authentication;
 		goto parse_flag;
-#endif /* KRB4 */
+#endif /* KRB4 || KRB5 */
 
 #ifdef KRB5
-	case oKrb5Authentication:
-		intptr = &options->krb5_authentication;
-		goto parse_flag;
-
 	case oKrb5TgtPassing:
 		intptr = &options->krb5_tgt_passing;
 		goto parse_flag;
@@ -682,11 +677,10 @@ initialize_options(Options * options)
 	options->rsa_authentication = -1;
 	options->dsa_authentication = -1;
 	options->skey_authentication = -1;
-#ifdef KRB4
-	options->krb4_authentication = -1;
+#if defined(KRB4) || defined(KRB5)
+	options->kerberos_authentication = -1;
 #endif
 #ifdef KRB5
-	options->krb5_authentication = -1;
 	options->krb5_tgt_passing = -1;
 #endif /* KRB5 */
 #ifdef AFS
@@ -754,13 +748,11 @@ fill_default_options(Options * options)
 		options->dsa_authentication = 1;
 	if (options->skey_authentication == -1)
 		options->skey_authentication = 0;
-#ifdef KRB4
-	if (options->krb4_authentication == -1)
-		options->krb4_authentication = 1;
-#endif /* KRB4 */
+#if defined(KRB4) || defined(KRB5)
+	if (options->kerberos_authentication == -1)
+		options->kerberos_authentication = 1;
+#endif /* KRB4 || KRB5 */
 #ifdef KRB5
-	if (options->krb5_authentication == -1)
-		options->krb5_authentication = 1;
 	if (options->krb5_tgt_passing == -1)
 		options->krb5_tgt_passing = 1;
 #endif /* KRB5 */

crypto/openssh/readconf.h

@@ -38,13 +38,11 @@ typedef struct {
 	int     rsa_authentication;	/* Try RSA authentication. */
 	int     dsa_authentication;	/* Try DSA authentication. */
 	int     skey_authentication;	/* Try S/Key or TIS authentication. */
-#ifdef KRB4
-	int     krb4_authentication;		/* Try Kerberos v4
-						 * authentication. */
+#if defined(KRB4) || defined(KRB5)
+	int     kerberos_authentication; /* Try Kerberos authentication. */
 #endif
 
 #ifdef KRB5
-	int	krb5_authentication;
 	int	krb5_tgt_passing;
 #endif /* KRB5 */
 

crypto/openssh/servconf.c

@@ -52,13 +52,14 @@ initialize_server_options(ServerOptions *options)
 	options->rhosts_rsa_authentication = -1;
 	options->rsa_authentication = -1;
 	options->dsa_authentication = -1;
+#if defined(KRB4) || defined(KRB5)
+	options->kerberos_authentication = -1;
+#endif
 #ifdef KRB4
-	options->krb4_authentication = -1;
 	options->krb4_or_local_passwd = -1;
 	options->krb4_ticket_cleanup = -1;
 #endif
 #ifdef KRB5
-	options->krb5_authentication = -1;
 	options->krb5_tgt_passing = -1;
 #endif /* KRB5 */
 #ifdef AFS
@@ -141,17 +142,24 @@ fill_default_server_options(ServerOptions *options)
 		options->rsa_authentication = 1;
 	if (options->dsa_authentication == -1)
 		options->dsa_authentication = 1;
+#if defined(KRB4) && defined(KRB5)
+	if (options->kerberos_authentication == -1)
+		options->kerberos_authentication =
+		  (access(KEYFILE, R_OK) == 0) || (access(krb5_defkeyname, R_OK) == 0);
+#elif defined(KRB4)
+	if (options->kerberos_authentication == -1)
+		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+#elif defined(KRB5)
+	if (options->kerberos_authentication == -1)
+	  	options->kerberos_authentication = (access(krb5_defkeyname, R_OK) == 0);
+#endif
 #ifdef KRB4
-	if (options->krb4_authentication == -1)
-		options->krb4_authentication = (access(KEYFILE, R_OK) == 0);
 	if (options->krb4_or_local_passwd == -1)
 		options->krb4_or_local_passwd = 1;
 	if (options->krb4_ticket_cleanup == -1)
 		options->krb4_ticket_cleanup = 1;
 #endif /* KRB4 */
 #ifdef KRB5
-	if (options->krb5_authentication == -1)
-	  	options->krb5_authentication = 1;
 	if (options->krb5_tgt_passing == -1)
 	  	options->krb5_tgt_passing = 1;
 #endif /* KRB5 */
@@ -193,11 +201,14 @@ typedef enum {
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+#if defined(KRB4) || defined(KRB5)
+	sKerberosAuthentication,
+#endif
 #ifdef KRB4
-	sKrb4Authentication, sKrb4OrLocalPasswd, sKrb4TicketCleanup,
+	sKrb4OrLocalPasswd, sKrb4TicketCleanup,
 #endif
 #ifdef KRB5
-	sKrb5Authentication, sKrb5TgtPassing,
+	sKrb5TgtPassing,
 #endif /* KRB5 */
 #ifdef AFS
 	sKrb4TgtPassing, sAFSTokenPassing,
@@ -234,13 +245,14 @@ static struct {
 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
 	{ "rsaauthentication", sRSAAuthentication },
 	{ "dsaauthentication", sDSAAuthentication },
+#if defined(KRB4) || defined(KRB5)
+	{ "kerberosauthentication", sKerberosAuthentication },
+#endif
 #ifdef KRB4
-	{ "kerberos4authentication", sKrb4Authentication },
 	{ "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
 	{ "kerberos4ticketcleanup", sKrb4TicketCleanup },
 #endif
 #ifdef KRB5
-	{ "kerberos5authentication", sKrb5Authentication },
 	{ "kerberos5tgtpassing", sKrb5TgtPassing },
 #endif /* KRB5 */
 #ifdef AFS
@@ -505,11 +517,13 @@ parse_flag:
 			intptr = &options->dsa_authentication;
 			goto parse_flag;
 
-#ifdef KRB4
-		case sKrb4Authentication:
-			intptr = &options->krb4_authentication;
+#if defined(KRB4) || defined(KRB5)
+		case sKerberosAuthentication:
+			intptr = &options->kerberos_authentication;
 			goto parse_flag;
-
+#endif
+			
+#ifdef KRB4
 		case sKrb4OrLocalPasswd:
 			intptr = &options->krb4_or_local_passwd;
 			goto parse_flag;
@@ -520,10 +534,6 @@ parse_flag:
 #endif
 
 #ifdef KRB5
-		case sKrb5Authentication:
-			intptr = &options->krb5_authentication;
-			goto parse_flag;
-			
 		case sKrb5TgtPassing:
 			intptr = &options->krb5_tgt_passing;
 			goto parse_flag;

crypto/openssh/servconf.h

@@ -61,9 +61,10 @@ typedef struct {
 						 * authentication. */
 	int     rsa_authentication;	/* If true, permit RSA authentication. */
 	int     dsa_authentication;	/* If true, permit DSA authentication. */
+#if defined(KRB4) || defined(KRB5)
+	int     kerberos_authentication; /* If true, permit Kerberos auth. */
+#endif /* KRB4 || KRB5 */
 #ifdef KRB4
-	int     krb4_authentication;		/* If true, permit Kerberos v4
-						 * authentication. */
 	int     krb4_or_local_passwd;		/* If true, permit kerberos v4
 						 * and any other password
 						 * authentication mechanism,
@@ -73,7 +74,6 @@ typedef struct {
 						 * file on logout. */
 #endif
 #ifdef KRB5
-	int     krb5_authentication;
 	int     krb5_tgt_passing;
 
 #endif /* KRB5 */

crypto/openssh/ssh.h

@@ -182,14 +182,11 @@
 #define SSH_AUTH_PASSWORD	3
 #define SSH_AUTH_RHOSTS_RSA	4
 #define SSH_AUTH_TIS		5
-#define SSH_AUTH_KRB4		6
-#define SSH_PASS_KRB4_TGT	7
+#define SSH_AUTH_KERBEROS	6
+#define SSH_PASS_KERBEROS_TGT	7
 				/* 8 to 15 are reserved */
 #define SSH_PASS_AFS_TOKEN	21
 
-#define SSH_AUTH_KRB5		29
-#define SSH_PASS_KRB5_TGT	30
-
 /* Protocol flags.  These are bit masks. */
 #define SSH_PROTOFLAG_SCREEN_NUMBER	1	/* X11 forwarding includes screen */
 #define SSH_PROTOFLAG_HOST_IN_FWD_OPEN	2	/* forwarding opens contain host */
@@ -243,14 +240,13 @@
 #define SSH_CMSG_AUTH_TIS			39	/* we use this for s/key */
 #define SSH_SMSG_AUTH_TIS_CHALLENGE		40	/* challenge (string) */
 #define SSH_CMSG_AUTH_TIS_RESPONSE		41	/* response (string) */
-#define SSH_CMSG_AUTH_KRB4			42	/* (KTEXT) */
-#define SSH_SMSG_AUTH_KRB4_RESPONSE		43	/* (KTEXT) */
-#define SSH_CMSG_HAVE_KRB4_TGT			44	/* credentials (s) */
+#define SSH_CMSG_AUTH_KERBEROS			42	/* (KTEXT) */
+#define SSH_SMSG_AUTH_KERBEROS_RESPONSE		43	/* (KTEXT) */
+#define	SSH_CMSG_HAVE_KERBEROS_TGT			44
 #define SSH_CMSG_HAVE_AFS_TOKEN			65	/* token (s) */
 
-#define SSH_CMSG_AUTH_KRB5			110
-#define SSH_SMSG_AUTH_KRB5_RESPONSE		111
-#define	SSH_CMSG_HAVE_KRB5_TGT			112
+/* Kerberos IV tickets can't be forwarded. This is an AFS hack! */ 
+#define SSH_CMSG_HAVE_KRB4_TGT SSH_CMSG_HAVE_KERBEROS_TGT /* credentials (s) */
 
 /*------------ definitions for login.c -------------*/
 

crypto/openssh/sshconnect.c

@@ -742,7 +742,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
      goto out;
   }
   
-  packet_start(SSH_CMSG_AUTH_KRB5);
+  packet_start(SSH_CMSG_AUTH_KERBEROS);
   packet_put_string((char *) ap.data, ap.length);
   packet_send();
   packet_write_wait();
@@ -753,13 +753,13 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
   type = packet_read(&payload_len);
    switch (type) {
         case SSH_SMSG_FAILURE:
-                /* Should really be SSH_SMSG_AUTH_KRB5_FAILURE */
+                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
                 debug("Kerberos V5 authentication failed.");
                 ret = 0;
                 break;
 
-         case SSH_SMSG_AUTH_KRB5_RESPONSE:
-                /* SSH_SMSG_AUTH_KRB5_SUCCESS */
+         case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
+                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
                 debug("Kerberos V5 authentication accepted.");
 
                 /* Get server's response. */
@@ -870,7 +870,7 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
      goto out;
   }
   
-  packet_start(SSH_CMSG_HAVE_KRB5_TGT);
+  packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
   packet_put_string((char *)outbuf.data, outbuf.length);
   packet_send();
   packet_write_wait();

crypto/openssh/sshconnect1.c

@@ -410,7 +410,7 @@ try_krb4_authentication()
 	des_key_sched((des_cblock *) cred.session, schedule);
 
 	/* Send authentication info to server. */
-	packet_start(SSH_CMSG_AUTH_KRB4);
+	packet_start(SSH_CMSG_AUTH_KERBEROS);
 	packet_put_string((char *) auth.dat, auth.length);
 	packet_send();
 	packet_write_wait();
@@ -435,13 +435,13 @@ try_krb4_authentication()
 	type = packet_read(&plen);
 	switch (type) {
 	case SSH_SMSG_FAILURE:
-		/* Should really be SSH_SMSG_AUTH_KRB4_FAILURE */
+		/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
 		debug("Kerberos V4 authentication failed.");
 		return 0;
 		break;
 
-	case SSH_SMSG_AUTH_KRB4_RESPONSE:
-		/* SSH_SMSG_AUTH_KRB4_SUCCESS */
+	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
+		/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
 		debug("Kerberos V4 authentication accepted.");
 
 		/* Get server's response. */
@@ -924,6 +924,35 @@ ssh_userauth(
 		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
 				  type);
 
+#ifdef KRB5
+	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
+	     options.kerberos_authentication){
+		krb5_context ssh_context = NULL;
+		krb5_auth_context auth_context = NULL;
+
+		debug("Trying Kerberos V5 authentication.");
+
+	if (try_krb5_authentication(&ssh_context, &auth_context)) {
+	  type = packet_read(&payload_len);
+	  if (type == SSH_SMSG_SUCCESS) {
+	     if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+	          options.krb5_tgt_passing) {
+   	                if (options.cipher == SSH_CIPHER_NONE)
+      				log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+   			send_krb5_tgt(ssh_context, auth_context);
+
+	     } 
+	     krb5_auth_con_free(ssh_context, auth_context); 
+	     krb5_free_context(ssh_context); 
+	     return;
+	  }
+	  if (type != SSH_SMSG_FAILURE)
+               	packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type);
+
+	}
+        }
+#endif /* KRB5 */
+
 #ifdef AFS
 	/* Try Kerberos tgt passing if the server supports it. */
 	if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) &&
@@ -942,8 +971,8 @@ ssh_userauth(
 #endif /* AFS */
 
 #ifdef KRB4
-	if ((supported_authentications & (1 << SSH_AUTH_KRB4)) &&
-	    options.krb4_authentication) {
+	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
+	    options.kerberos_authentication) {
 		debug("Trying Kerberos authentication.");
 		if (try_krb4_authentication()) {
 			/* The server should respond with success or failure. */
@@ -956,34 +985,6 @@ ssh_userauth(
 	}
 #endif /* KRB4 */
 
-#ifdef KRB5
-	if ((supported_authentications & (1 << SSH_AUTH_KRB5)) &&
-	     options.krb5_authentication){
-		krb5_context ssh_context = NULL;
-		krb5_auth_context auth_context = NULL;
-
-		debug("Trying Kerberos V5 authentication.");
-
-	if (try_krb5_authentication(&ssh_context, &auth_context)) {
-	  type = packet_read(&payload_len);
-	  if (type == SSH_SMSG_SUCCESS) {
-	     if ((supported_authentications & (1 << SSH_PASS_KRB5_TGT)) &&
-	          options.krb5_tgt_passing) {
-   	                if (options.cipher == SSH_CIPHER_NONE)
-      				log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-   			send_krb5_tgt(ssh_context, auth_context);
-
-	     } 
-	     krb5_auth_con_free(ssh_context, auth_context); 
-	     krb5_free_context(ssh_context); 
-	     return;
-	  }
-	  if (type != SSH_SMSG_FAILURE)
-               	packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type);
-
-	}
-        }
-#endif /* KRB5 */
 
 	/*
 	 * Use rhosts authentication if running in privileged socket and we

crypto/openssh/sshd.c

@@ -1063,11 +1063,11 @@ main(int ac, char **av)
 		options.rhosts_authentication = 0;
 		options.rhosts_rsa_authentication = 0;
 	}
-#ifdef KRB4
+#if defined(KRB4) && !defined(KRB5)
 	if (!packet_connection_is_ipv4() &&
-	    options.krb4_authentication) {
+	    options.kerberos_authentication) {
 		debug("Kerberos Authentication disabled, only available for IPv4.");
-		options.krb4_authentication = 0;
+		options.kerberos_authentication = 0;
 	}
 #endif /* KRB4 */
 
@@ -1164,18 +1164,13 @@ do_ssh1_kex()
 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
 	if (options.rsa_authentication)
 		auth_mask |= 1 << SSH_AUTH_RSA;
-#ifdef KRB4
-	if (options.krb4_authentication)
-		auth_mask |= 1 << SSH_AUTH_KRB4;
+#if defined(KRB4) || defined(KRB5)
+	if (options.kerberos_authentication)
+		auth_mask |= 1 << SSH_AUTH_KERBEROS;
 #endif
 #ifdef KRB5
-	if (options.krb5_authentication) {
-	  	auth_mask |= 1 << SSH_AUTH_KRB5;
-                /* compatibility with MetaCentre ssh */
-		auth_mask |= 1 << SSH_AUTH_KRB4;
-        }
 	if (options.krb5_tgt_passing)
-	  	auth_mask |= 1 << SSH_PASS_KRB5_TGT;
+	  	auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
 #endif /* KRB5 */
 
 #ifdef AFS