updated gssapi diff
Douglas E. Engert
deengert at anl.gov
Tue Aug 12 07:25:19 EST 2003
Jakob Schlyter wrote:
>
> this is the proposed gssapi diff against OpenSSH-current (non-portable).
>
> note: if this goes in, the old krb5 auth (ssh.com compatible) will be
> removed.
>
> please comment.
>
> jakob
Looks good!
I took the patch, and applied it against Portable OpenSSH-3.6.1p2. This
took some minor tweaking, as the source is slightly different. I hand
edited the Makefile to compile the extra source files, and used the
CPPFLAGS and LDFLAGS to point at the MIT 1.2.8 Kerberos GSSAPI.
Initial testing against the 3.6.1p2 with Simon's previous patch, and
SecureCRT indicates that it works.
I did need to add this additional code, which was in Simon's original patch,
to get it to work with MIT. This will also allow for the session caches.
I would ask you to consider adding this MIT support.
The "logit" calls needed to be changed to "log" as well; I assume this is an
upcoming change.
*** ,gss-serv-krb5.c Mon Aug 11 13:06:29 2003
--- gss-serv-krb5.c Mon Aug 11 16:11:48 2003
***************
*** 40,45 ****
--- 40,50 ----
#include <krb5.h>
+ #ifndef HEIMDAL
+ #include <gssapi_krb5.h>
+ #define krb5_get_err_text(context,code) error_message(code)
+ #endif
+
static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
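Review bot: The added `#define krb5_get_err_text(context,code) error_message(code)` silently discards its first argument, which is not obvious to a reader who only knows the Heimdal signature; a one-line comment above it would help, e.g. `/* MIT has no krb5_get_err_text(); map it to com_err's error_message(), which takes no context */`. It is not visible in this hunk whether the header that declares error_message() is already included on the MIT build, so that is worth confirming against the top of the file.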
***************
*** 54,60 ****
problem = krb5_init_context(&krb_context);
if (problem) {
! logit("Cannot initialize krb5 context");
return 0;
}
krb5_init_ets(krb_context);
--- 59,65 ----
problem = krb5_init_context(&krb_context);
if (problem) {
! log("Cannot initialize krb5 context");
return 0;
}
krb5_init_ets(krb_context);
***************
*** 78,90 ****
if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
&princ))) {
! logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, retval));
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {
retval = 1;
! logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
} else
retval = 0;
--- 83,95 ----
if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
&princ))) {
! log("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, retval));
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {
retval = 1;
! log("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
} else
retval = 0;
***************
*** 113,134 ****
if (ssh_gssapi_krb5_init() == 0)
return;
! if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
! logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
! logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
! logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
--- 118,164 ----
if (ssh_gssapi_krb5_init() == 0)
return;
! #ifdef HEIMDAL
! problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache);
! #else
! {
! char ccname[40];
! int tmpfd;
!
! snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
!
! if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
! log("mkstemp(): %.100s", strerror(errno));
! problem = errno;
! return;
! }
! if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
! log("fchmod(): %.100s", strerror(errno));
! close(tmpfd);
! problem = errno;
! return;
! }
! close(tmpfd);
! problem = krb5_cc_resolve(krb_context, ccname, &ccache);
! }
! #endif
!
! if (problem) {
! log("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
! log("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
! log("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
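Review bot: On the `fchmod()` failure path in the `#else` branch the file that `mkstemp()` just created under /tmp is closed but never removed, so each such failure leaves an empty credential-cache file behind; the same leak occurs when `krb5_cc_resolve()` fails, because `ccache` is then unset and the later `krb5_cc_destroy()` calls never run for it. The `problem = errno;` stores before each `return` are dead (the function returns immediately) and would in any case read errno only after `log()` may have clobbered it. I would drop those stores and remove the file before returning, `close(tmpfd);` / `unlink(ccname + strlen("FILE:"));` / `return;`, and apply the same unlink in the shared `if (problem)` branch when the MIT path was taken. The message `"krb5_cc_gen_new(): %.100s"` in that shared branch is also misleading on MIT, where the failing call is `krb5_cc_resolve()`, and `geteuid()` is printed with `%d` although uid_t is unsigned. The enclosing function starts and ends outside the hunk.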
***************
*** 139,145 ****
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
! logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
--- 169,175 ----
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
! log("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444