updated gssapi diff

Frank Cusack fcusack at fcusack.com
Mon Aug 11 15:55:20 EST 2003


On Sun, Aug 10, 2003 at 04:43:52PM +0200, Jakob Schlyter wrote:
> please comment.

No gsskeyex?  blah!
No per-session ccache option?  blah.

I can't say for sure whether or not gss_indicate_mechs() needs
to be in the monitor, but I will note that you've changed this from
Simon's implementation.  Seems OK to me.

session.c needs to test options.gss_cleanup_creds before unconditionally
cleaning up, here:

--- session.c   10 Aug 2003 14:06:53 -0000      1.1.1.2
+++ session.c   10 Aug 2003 14:25:01 -0000      1.4
@@ -1832,4 +1855,7 @@
 do_authenticated2(Authctxt *authctxt)
 {
        server_loop2(authctxt);
+#if defined(GSSAPI)
+       ssh_gssapi_cleanup_creds(NULL);
+#endif
 }
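Review bot: The added ssh_gssapi_cleanup_creds(NULL) call in do_authenticated2() is guarded only by the compile-time #if defined(GSSAPI), so an administrator has no run-time way to keep the credentials cache. Wrap the call in a test of options.gss_cleanup_creds inside the existing #if block. This call site is also reached only when server_loop2() returns, so if credentials are meant to be removed on a fatal exit as well, that path needs its own coverage elsewhere in the patch.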

should be:

if (options.gss_cleanup_creds)
	ssh_gssapi_cleanup_creds(NULL);

It needs docs as well:

8<---
--- openssh.orig/sshd_config.5       2003-06-08 17:20:47.000000000 -0700
+++ openssh/sshd_config.5   2003-06-08 17:19:39.000000000 -0700
@@ -273,7 +273,11 @@
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-
+.It Cm GSSAPICleanUpCreds
+Specifies whether ssh with gssapi will delete the ccache when the session exits, fatal or otherwise.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
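Review bot: The description line under ".It Cm GSSAPICleanUpCreds" is a style problem for the man page: it is one overlong line, it says "ssh with gssapi" where the daemon is meant, and it uses the abbreviation "ccache" without explanation. Suggest wording along the lines of "Specifies whether to automatically destroy the user's credentials cache on logout.", kept to the line length used by the neighbouring entries, and stating the fatal-exit behaviour only if the code path guarantees it. The hunk also drops the blank separator line before the new entry, which is fine for mdoc but should be intentional.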

8<---

sshconnect2.c:input_gssapi_error() is too noisy.

8<---
--- openssh.orig/sshconnect2.c  2003-07-09 20:57:32.000000000 -0700
+++ openssh/sshconnect2.c       2003-07-09 21:02:50.000000000 -0700
@@ -723,7 +723,7 @@ input_gssapi_error(int type, u_int32_t p
 
        packet_check_eom();
        
-       fprintf(stderr, "Server GSSAPI Error:\n%s\n", msg);
+       debug("Server GSSAPI Error:\n%s\n", msg);
        xfree(msg);
        xfree(lang);
 }
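Review bot: The replacement debug() call in input_gssapi_error() keeps the fprintf format string unchanged, including the embedded "\n" after the colon and the trailing "\n", which will produce broken or doubled lines in log output; something like debug("Server GSSAPI Error: %s", msg) reads better. Since msg is text supplied by the server, it is also worth considering whether it should be sanitised before being logged. Moving the message to debug level means a user only sees the reason for a GSSAPI failure when running verbosely, which should be a deliberate choice. Separately, lang is freed here without being used in the visible lines.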
8<---

/fc



