updated gssapi diff
Douglas E. Engert
deengert at anl.gov
Wed Aug 13 00:23:44 EST 2003
Ben Lindstrom wrote:
>
> Please actually test again --current instead of 3.6.1pX tree.
I was testing on Solaris 5.7. I was under the impression that the
mods were for the OpenBSD version and that "current" was OpenBSD only.
So I used what I thought was the most recent portable version. If there
is a newer portable version, let me know.
The mods also did not include any changes to Makefile.in or configure.ac
I figured these would come later. So I made no attempt to update these but
edited the Makefile after configuring.
>
> log() was changed to logit() to avoid the clash with log() from -lm.
I assume that the OpenBSD source is more up to date than the portable 3.6.1
and that we will see "logit" in the portable version in the future.
>
> - Ben
>
> On Mon, 11 Aug 2003, Douglas E. Engert wrote:
>
> >
> >
> > Jakob Schlyter wrote:
> > >
> > > this is the proposed gssapi diff against OpenSSH-current (non-portable).
> > >
> > > note: if this goes in, the old krb5 auth (ssh.com compatible) will be
> > > removed.
> > >
> > > please comment.
> > >
> > > jakob
> >
> > Looks good!
> >
> > I took the patch, and applied it against Portable OpenSSH-3.6.1p2. This
> > took some minor tweaking, as the source is slightly different. I hand
> > edited the Makefile to compile the extra source files, and used the
> > CPPFLAGS and LDFLAGS to point at the MIT 1.2.8 Kerberos GSSAPI.
> >
> > Initial testing against the 3.6.1p2 with Simon's previous patch, and
> > SecureCRT indicates that it works.
> >
> >
> > I did need to add this additional code which was in Simon's original patch
> > to get it to work with MIT. This will also allow for the session caches.
> > I would ask you to consider adding this MIT support.
> >
> > The "logit" needed to be changed to "log" as well, I assume this is an
> > upcoming change.
> >
> >
> >
> >
> > *** ,gss-serv-krb5.c Mon Aug 11 13:06:29 2003
> > --- gss-serv-krb5.c Mon Aug 11 16:11:48 2003
> > ***************
> > *** 40,45 ****
> > --- 40,50 ----
> >
> > #include <krb5.h>
> >
> > + #ifndef HEIMDAL
> > + #include <gssapi_krb5.h>
> > + #define krb5_get_err_text(context,code) error_message(code)
> > + #endif
> > +
> > static krb5_context krb_context = NULL;
> >
> > /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
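Review bot: The new MIT shim `#define krb5_get_err_text(context,code) error_message(code)` silently drops its `context` argument, which is correct for com_err's `error_message()` but is not obvious at the call sites later in the file; a one-line comment above the define would help: `/* MIT has no krb5_get_err_text(); com_err's error_message() needs no context (tables registered by krb5_init_ets() below) */`. `error_message()` is declared in `<com_err.h>`, which this hunk does not include — presumably it arrives via `<krb5.h>` on MIT, but that is worth confirming on the build that was actually tested.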
> > ***************
> > *** 54,60 ****
> >
> > problem = krb5_init_context(&krb_context);
> > if (problem) {
> > ! logit("Cannot initialize krb5 context");
> > return 0;
> > }
> > krb5_init_ets(krb_context);
> > --- 59,65 ----
> >
> > problem = krb5_init_context(&krb_context);
> > if (problem) {
> > ! log("Cannot initialize krb5 context");
> > return 0;
> > }
> > krb5_init_ets(krb_context);
> > ***************
> > *** 78,90 ****
> >
> > if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
> > &princ))) {
> > ! logit("krb5_parse_name(): %.100s",
> > krb5_get_err_text(krb_context, retval));
> > return 0;
> > }
> > if (krb5_kuserok(krb_context, princ, name)) {
> > retval = 1;
> > ! logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
> > name, (char *)client->displayname.value);
> > } else
> > retval = 0;
> > --- 83,95 ----
> >
> > if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
> > &princ))) {
> > ! log("krb5_parse_name(): %.100s",
> > krb5_get_err_text(krb_context, retval));
> > return 0;
> > }
> > if (krb5_kuserok(krb_context, princ, name)) {
> > retval = 1;
> > ! log("Authorized to %s, krb5 principal %s (krb5_kuserok)",
> > name, (char *)client->displayname.value);
> > } else
> > retval = 0;
> > ***************
> > *** 113,134 ****
> > if (ssh_gssapi_krb5_init() == 0)
> > return;
> >
> > ! if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
> > ! logit("krb5_cc_gen_new(): %.100s",
> > krb5_get_err_text(krb_context, problem));
> > return;
> > }
> >
> > if ((problem = krb5_parse_name(krb_context,
> > client->exportedname.value, &princ))) {
> > ! logit("krb5_parse_name(): %.100s",
> > krb5_get_err_text(krb_context, problem));
> > krb5_cc_destroy(krb_context, ccache);
> > return;
> > }
> >
> > if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
> > ! logit("krb5_cc_initialize(): %.100s",
> > krb5_get_err_text(krb_context, problem));
> > krb5_free_principal(krb_context, princ);
> > krb5_cc_destroy(krb_context, ccache);
> > --- 118,164 ----
> > if (ssh_gssapi_krb5_init() == 0)
> > return;
> >
> > ! #ifdef HEIMDAL
> > ! problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache);
> > ! #else
> > ! {
> > ! char ccname[40];
> > ! int tmpfd;
> > !
> > ! snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
> > !
> > ! if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
> > ! log("mkstemp(): %.100s", strerror(errno));
> > ! problem = errno;
> > ! return;
> > ! }
> > ! if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
> > ! log("fchmod(): %.100s", strerror(errno));
> > ! close(tmpfd);
> > ! problem = errno;
> > ! return;
> > ! }
> > ! close(tmpfd);
> > ! problem = krb5_cc_resolve(krb_context, ccname, &ccache);
> > ! }
> > ! #endif
> > !
> > ! if (problem) {
> > ! log("krb5_cc_gen_new(): %.100s",
> > krb5_get_err_text(krb_context, problem));
> > return;
> > }
> >
> > if ((problem = krb5_parse_name(krb_context,
> > client->exportedname.value, &princ))) {
> > ! log("krb5_parse_name(): %.100s",
> > krb5_get_err_text(krb_context, problem));
> > krb5_cc_destroy(krb_context, ccache);
> > return;
> > }
> >
> > if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
> > ! log("krb5_cc_initialize(): %.100s",
> > krb5_get_err_text(krb_context, problem));
> > krb5_free_principal(krb_context, princ);
> > krb5_cc_destroy(krb_context, ccache);
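Review bot: In the new non-HEIMDAL branch `errno` is read for `problem = errno` only after `log()`/`strerror()` have run, which may clobber it, and the store is dead anyway because `return;` follows immediately and `problem` appears to be a local (its only later use is the shared `if (problem)` check). The `fchmod()` failure path also leaves the file `mkstemp()` created in /tmp behind — it closes `tmpfd` but never unlinks `ccname + strlen("FILE:")` — and the same happens when `krb5_cc_resolve()` fails and the function returns from the `if (problem)` branch, since no `krb5_cc_destroy()` has a cache to destroy yet. Two smaller points: `geteuid()` returns `uid_t`, which is commonly unsigned, so `%d` is a format mismatch (cast to `(unsigned long)` and use `%lu`), and the message `krb5_cc_gen_new(): %.100s` now mislabels a `krb5_cc_resolve()` failure on MIT. The enclosing function begins and ends outside the hunk, and the headers the new code needs (`<sys/stat.h>`, `<unistd.h>`, `<errno.h>`) are presumably pulled in by OpenSSH's includes.h — worth confirming, since this hunk adds none.
```c
	char ccname[40];
	int tmpfd;

	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu_XXXXXX",
	    (unsigned long)geteuid());

	if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
		log("mkstemp(): %.100s", strerror(errno));
		return;
	}
	if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
		log("fchmod(): %.100s", strerror(errno));
		close(tmpfd);
		unlink(ccname + strlen("FILE:"));	/* don't leave the empty cache file behind */
		return;
	}
	close(tmpfd);
	if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
		log("krb5_cc_resolve(): %.100s",
		    krb5_get_err_text(krb_context, problem));
		unlink(ccname + strlen("FILE:"));
		return;
	}
	/* … unchanged: closing brace, #endif, shared if (problem) check for the HEIMDAL path … */
```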
> > ***************
> > *** 139,145 ****
> >
> > if ((maj_status = gss_krb5_copy_ccache(&min_status,
> > client->creds, ccache))) {
> > ! logit("gss_krb5_copy_ccache() failed");
> > krb5_cc_destroy(krb_context, ccache);
> > return;
> > }
> > --- 169,175 ----
> >
> > if ((maj_status = gss_krb5_copy_ccache(&min_status,
> > client->creds, ccache))) {
> > ! log("gss_krb5_copy_ccache() failed");
> > krb5_cc_destroy(krb_context, ccache);
> > return;
> > }
> >
> >
> > --
> >
> > Douglas E. Engert <DEEngert at anl.gov>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444