updated gssapi diff
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue Aug 12 08:12:58 EST 2003
Please actually test against --current instead of the 3.6.1pX tree.
log() was changed to logit() to avoid the clash with log() from -lm.
- Ben
On Mon, 11 Aug 2003, Douglas E. Engert wrote:
>
>
> Jakob Schlyter wrote:
> >
> > this is the proposed gssapi diff against OpenSSH-current (non-portable).
> >
> > note: if this goes in, the old krb5 auth (ssh.com compatible) will be
> > removed.
> >
> > please comment.
> >
> > jakob
>
> Looks good!
>
> I took the patch, and applied it against Portable OpenSSH-3.6.1p2. This
> took some minor tweaking, as the source is slightly different. I hand
> edited the Makefile to compile the extra source files, and used the
> CPPFLAGS and LDFLAGS to point at the MIT 1.2.8 Kerberos GSSAPI.
>
> Initial testing against the 3.6.1p2 with Simon's previous patch, and
> SecureCRT indicates that it works.
>
>
> I did need to add this additional code which was in Simon's original patch
> to get it to work with MIT. This will also allow for the session caches.
> I would ask you to consider adding this MIT support.
>
> The "logit" needed to be changed to "log" as well; I assume this is an
> upcoming change.
>
>
>
>
> *** ,gss-serv-krb5.c Mon Aug 11 13:06:29 2003
> --- gss-serv-krb5.c Mon Aug 11 16:11:48 2003
> ***************
> *** 40,45 ****
> --- 40,50 ----
>
> #include <krb5.h>
>
> + #ifndef HEIMDAL
> + #include <gssapi_krb5.h>
> + #define krb5_get_err_text(context,code) error_message(code)
> + #endif
> +
> static krb5_context krb_context = NULL;
>
> /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
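Review bot: The `#ifndef HEIMDAL` block maps `krb5_get_err_text()` onto `error_message()`, which comes from libcom_err, but nothing in this hunk includes `<com_err.h>`; if `krb5.h`/`gssapi_krb5.h` does not pull it in, the call becomes an implicit declaration returning `int`, which could silently truncate the returned pointer on 64-bit targets, so an explicit `#include <com_err.h>` inside that block is the safer choice. The macro also discards its `context` argument, which deserves a note for the next reader: `/* MIT has no krb5_get_err_text(); error_message() needs no context */`.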
> ***************
> *** 54,60 ****
>
> problem = krb5_init_context(&krb_context);
> if (problem) {
> ! logit("Cannot initialize krb5 context");
> return 0;
> }
> krb5_init_ets(krb_context);
> --- 59,65 ----
>
> problem = krb5_init_context(&krb_context);
> if (problem) {
> ! log("Cannot initialize krb5 context");
> return 0;
> }
> krb5_init_ets(krb_context);
> ***************
> *** 78,90 ****
>
> if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
> &princ))) {
> ! logit("krb5_parse_name(): %.100s",
> krb5_get_err_text(krb_context, retval));
> return 0;
> }
> if (krb5_kuserok(krb_context, princ, name)) {
> retval = 1;
> ! logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
> name, (char *)client->displayname.value);
> } else
> retval = 0;
> --- 83,95 ----
>
> if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
> &princ))) {
> ! log("krb5_parse_name(): %.100s",
> krb5_get_err_text(krb_context, retval));
> return 0;
> }
> if (krb5_kuserok(krb_context, princ, name)) {
> retval = 1;
> ! log("Authorized to %s, krb5 principal %s (krb5_kuserok)",
> name, (char *)client->displayname.value);
> } else
> retval = 0;
> ***************
> *** 113,134 ****
> if (ssh_gssapi_krb5_init() == 0)
> return;
>
> ! if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
> ! logit("krb5_cc_gen_new(): %.100s",
> krb5_get_err_text(krb_context, problem));
> return;
> }
>
> if ((problem = krb5_parse_name(krb_context,
> client->exportedname.value, &princ))) {
> ! logit("krb5_parse_name(): %.100s",
> krb5_get_err_text(krb_context, problem));
> krb5_cc_destroy(krb_context, ccache);
> return;
> }
>
> if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
> ! logit("krb5_cc_initialize(): %.100s",
> krb5_get_err_text(krb_context, problem));
> krb5_free_principal(krb_context, princ);
> krb5_cc_destroy(krb_context, ccache);
> --- 118,164 ----
> if (ssh_gssapi_krb5_init() == 0)
> return;
>
> ! #ifdef HEIMDAL
> ! problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache);
> ! #else
> ! {
> ! char ccname[40];
> ! int tmpfd;
> !
> ! snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
> !
> ! if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
> ! log("mkstemp(): %.100s", strerror(errno));
> ! problem = errno;
> ! return;
> ! }
> ! if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
> ! log("fchmod(): %.100s", strerror(errno));
> ! close(tmpfd);
> ! problem = errno;
> ! return;
> ! }
> ! close(tmpfd);
> ! problem = krb5_cc_resolve(krb_context, ccname, &ccache);
> ! }
> ! #endif
> !
> ! if (problem) {
> ! log("krb5_cc_gen_new(): %.100s",
> krb5_get_err_text(krb_context, problem));
> return;
> }
>
> if ((problem = krb5_parse_name(krb_context,
> client->exportedname.value, &princ))) {
> ! log("krb5_parse_name(): %.100s",
> krb5_get_err_text(krb_context, problem));
> krb5_cc_destroy(krb_context, ccache);
> return;
> }
>
> if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
> ! log("krb5_cc_initialize(): %.100s",
> krb5_get_err_text(krb_context, problem));
> krb5_free_principal(krb_context, princ);
> krb5_cc_destroy(krb_context, ccache);
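Review bot: In the MIT branch the `fchmod()` failure path closes `tmpfd` and returns but never removes the file `mkstemp()` just created, so each such failure leaves an empty `/tmp/krb5cc_<uid>_XXXXXX` behind; add `unlink(ccname + strlen("FILE:"));` before the `close(tmpfd);` on that path. The two `problem = errno;` assignments are dead stores (the function returns immediately afterwards), and because they follow the `log()` call errno may already have been overwritten by then — either drop them or capture errno before logging. The `log("krb5_cc_gen_new(): ...")` after the `#endif` now also reports MIT `krb5_cc_resolve()` failures under the wrong function name; a separate `log("krb5_cc_resolve(): %.100s", ...)` inside the `#else` branch would be clearer. The enclosing function starts before this hunk and continues after it, so the later ownership and cleanup of the cache file cannot be reviewed here.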
> ***************
> *** 139,145 ****
>
> if ((maj_status = gss_krb5_copy_ccache(&min_status,
> client->creds, ccache))) {
> ! logit("gss_krb5_copy_ccache() failed");
> krb5_cc_destroy(krb_context, ccache);
> return;
> }
> --- 169,175 ----
>
> if ((maj_status = gss_krb5_copy_ccache(&min_status,
> client->creds, ccache))) {
> ! log("gss_krb5_copy_ccache() failed");
> krb5_cc_destroy(krb_context, ccache);
> return;
> }
>
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
>