updated gssapi diff

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Aug 12 08:12:58 EST 2003


Please actually test against --current instead of the 3.6.1pX tree.

log() was changed to logit() to avoid the clash with log() from -lm.

- Ben

On Mon, 11 Aug 2003, Douglas E. Engert wrote:

>
>
> Jakob Schlyter wrote:
> >
> > this is the proposed gssapi diff against OpenSSH-current (non-portable).
> >
> > note: if this goes in, the old krb5 auth (ssh.com compatible) will be
> > removed.
> >
> > please comment.
> >
> >         jakob
>
> Looks good!
>
> I took the patch, and applied it against Portable OpenSSH-3.6.1p2. This
> took some minor tweaking, as the source is slightly different. I hand
> edited the Makefile to compile the extra source files, and used the
> CPPFLAGS and LDFLAGS to point at the MIT 1.2.8 Kerberos GSSAPI.
>
> Initial testing against the 3.6.1p2 with Simon's previous patch, and
> SecureCRT indicates that it works.
>
>
> I did need to add this additional code which was in Simon's original patch
> to get it to work with MIT. This will also allow for the session caches.
> I would ask you to consider adding this MIT support.
>
> The "logit" needed to be changed to "log" as well; I assume this is an
> upcoming change.
>
>
>
>
> *** ,gss-serv-krb5.c    Mon Aug 11 13:06:29 2003
> --- gss-serv-krb5.c     Mon Aug 11 16:11:48 2003
> ***************
> *** 40,45 ****
> --- 40,50 ----
>
>   #include <krb5.h>
>
> + #ifndef HEIMDAL
> + #include <gssapi_krb5.h>
> + #define krb5_get_err_text(context,code) error_message(code)
> + #endif
> +
>   static krb5_context krb_context = NULL;
>
>   /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
> ***************
> *** 54,60 ****
>
>          problem = krb5_init_context(&krb_context);
>          if (problem) {
> !                logit("Cannot initialize krb5 context");
>                  return 0;
>          }
>          krb5_init_ets(krb_context);
> --- 59,65 ----
>
>          problem = krb5_init_context(&krb_context);
>          if (problem) {
> !                log("Cannot initialize krb5 context");
>                  return 0;
>          }
>          krb5_init_ets(krb_context);
> ***************
> *** 78,90 ****
>
>          if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
>              &princ))) {
> !                logit("krb5_parse_name(): %.100s",
>                      krb5_get_err_text(krb_context, retval));
>                  return 0;
>          }
>          if (krb5_kuserok(krb_context, princ, name)) {
>                  retval = 1;
> !                logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
>                      name, (char *)client->displayname.value);
>          } else
>                  retval = 0;
> --- 83,95 ----
>
>          if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
>              &princ))) {
> !                log("krb5_parse_name(): %.100s",
>                      krb5_get_err_text(krb_context, retval));
>                  return 0;
>          }
>          if (krb5_kuserok(krb_context, princ, name)) {
>                  retval = 1;
> !                log("Authorized to %s, krb5 principal %s (krb5_kuserok)",
>                      name, (char *)client->displayname.value);
>          } else
>                  retval = 0;
> ***************
> *** 113,134 ****
>          if (ssh_gssapi_krb5_init() == 0)
>                  return;
>
> !        if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
> !                logit("krb5_cc_gen_new(): %.100s",
>                      krb5_get_err_text(krb_context, problem));
>                  return;
>          }
>
>          if ((problem = krb5_parse_name(krb_context,
>              client->exportedname.value, &princ))) {
> !                logit("krb5_parse_name(): %.100s",
>                      krb5_get_err_text(krb_context, problem));
>                  krb5_cc_destroy(krb_context, ccache);
>                  return;
>          }
>
>          if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
> !                logit("krb5_cc_initialize(): %.100s",
>                      krb5_get_err_text(krb_context, problem));
>                  krb5_free_principal(krb_context, princ);
>                  krb5_cc_destroy(krb_context, ccache);
> --- 118,164 ----
>          if (ssh_gssapi_krb5_init() == 0)
>                  return;
>
> ! #ifdef HEIMDAL
> !     problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache);
> ! #else
> ! {
> !     char ccname[40];
> !     int tmpfd;
> !
> !     snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
> !
> !     if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
> !         log("mkstemp(): %.100s", strerror(errno));
> !         problem = errno;
> !         return;
> !     }
> !     if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
> !         log("fchmod(): %.100s", strerror(errno));
> !         close(tmpfd);
> !         problem = errno;
> !         return;
> !     }
> !     close(tmpfd);
> !     problem = krb5_cc_resolve(krb_context, ccname, &ccache);
> ! }
> ! #endif
> !
> !        if (problem) {
> !                log("krb5_cc_gen_new(): %.100s",
>                      krb5_get_err_text(krb_context, problem));
>                  return;
>          }
>
>          if ((problem = krb5_parse_name(krb_context,
>              client->exportedname.value, &princ))) {
> !                log("krb5_parse_name(): %.100s",
>                      krb5_get_err_text(krb_context, problem));
>                  krb5_cc_destroy(krb_context, ccache);
>                  return;
>          }
>
>          if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
> !                log("krb5_cc_initialize(): %.100s",
>                      krb5_get_err_text(krb_context, problem));
>                  krb5_free_principal(krb_context, princ);
>                  krb5_cc_destroy(krb_context, ccache);
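Review bot: In the MIT block added at the top of this hunk, `problem = errno;` on both the mkstemp() and fchmod() failure paths is assigned after log() has already run (which may have changed errno) and immediately before a `return`, so the value is never used; the assignments should go. More importantly, the fchmod() failure path closes the descriptor but leaves the freshly created cache file behind in /tmp, and a krb5_cc_resolve() failure falls through to the `if (problem)` check below, which also leaves the file in place and reports it under the label `krb5_cc_gen_new()` on a path that never called that function. Unlinking `ccname + strlen("FILE:")` on those paths and reporting the MIT failure as krb5_cc_resolve() would fix both; `geteuid()` should also be cast before being formatted, since uid_t is not necessarily `int`. The enclosing function starts and ends outside the hunk.
```c
    snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u_XXXXXX",
        (unsigned)geteuid());

    if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
        log("mkstemp(): %.100s", strerror(errno));
        return;
    }
    if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
        log("fchmod(): %.100s", strerror(errno));
        close(tmpfd);
        unlink(ccname + strlen("FILE:"));   /* do not leave an empty cache file behind */
        return;
    }
    close(tmpfd);
    if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
        log("krb5_cc_resolve(): %.100s",
            krb5_get_err_text(krb_context, problem));
        unlink(ccname + strlen("FILE:"));
        return;
    }
    /* … unchanged: #endif and the Heimdal-only `if (problem)` check … */
```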
> ***************
> *** 139,145 ****
>
>          if ((maj_status = gss_krb5_copy_ccache(&min_status,
>              client->creds, ccache))) {
> !                logit("gss_krb5_copy_ccache() failed");
>                  krb5_cc_destroy(krb_context, ccache);
>                  return;
>          }
> --- 169,175 ----
>
>          if ((maj_status = gss_krb5_copy_ccache(&min_status,
>              client->creds, ccache))) {
> !                log("gss_krb5_copy_ccache() failed");
>                  krb5_cc_destroy(krb_context, ccache);
>                  return;
>          }
>
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>



