GSSAPI patch sync from OpenBSD to Portable

sxw at inf.ed.ac.uk sxw at inf.ed.ac.uk
Sat Aug 23 07:23:00 EST 2003


> I'm working on a forward port of my portable stuff, just testing ATM. It
> covers a couple of areas missing from Steven's one (PAM support, some
> header file inclusion). I've KNF'd the code as much as I can see ...

Replying to my own mail. Attached is a patch to add MIT/portable support
to the GSSAPI code. Tested against both my 3.6.1 patches, and a current
snapshot running the OpenBSD code.

The patch adds PAM support by moving credentials storage before PAM
execution, and by adding pam_putenv calls. It factors out the definition
of krb5_err_text() to one location, adds support for MIT style
credentials cache creation, and includes some MIT specific header files if
we're not using HEIMDAL.

Hope this is of use!

Cheers,

Simon.


-------------- next part --------------
Index: Makefile.in
===================================================================
RCS file: /disk/cvs/dice/openssh/Makefile.in,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 Makefile.in
--- Makefile.in	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ Makefile.in	22 Aug 2003 21:13:52 -0000
@@ -68,7 +68,7 @@
 	key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 	rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
 	kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
-	entropy.o scard-opensc.o 
+	entropy.o scard-opensc.o gss-genr.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o
@@ -82,6 +82,7 @@
 	monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
 	kexdhs.o kexgexs.o \
 	auth-krb5.o auth2-krb5.o \
+	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-sia.o md5crypt.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
Index: acconfig.h
===================================================================
RCS file: /disk/cvs/dice/openssh/acconfig.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 acconfig.h
--- acconfig.h	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ acconfig.h	22 Aug 2003 21:13:52 -0000
@@ -232,6 +232,9 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
 
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
+
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
Index: auth-krb5.c
===================================================================
RCS file: /disk/cvs/dice/openssh/auth-krb5.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 auth-krb5.c
--- auth-krb5.c	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ auth-krb5.c	22 Aug 2003 21:13:52 -0000
@@ -42,9 +42,6 @@
 #ifdef KRB5
 
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 
 extern ServerOptions	 options;
 
Index: auth-pam.c
===================================================================
RCS file: /disk/cvs/dice/openssh/auth-pam.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 auth-pam.c
--- auth-pam.c	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ auth-pam.c	22 Aug 2003 21:13:52 -0000
@@ -648,6 +648,29 @@
 		    pam_strerror(sshpam_handle, sshpam_err));
 }
 
+/* 
+ * Set a PAM environment string. We need to do this so that the session
+ * modules can handle things like Kerberos/GSI credentials that appear
+ * during the ssh authentication process.
+ */
+
+int
+do_pam_putenv(char *name, char *value) 
+{
+	char *compound;
+	int ret = 1;
+
+#ifdef HAVE_PAM_PUTENV	
+	compound = xmalloc(strlen(name)+strlen(value)+2);
+	if (compound) {
+		sprintf(compound,"%s=%s",name,value);
+		ret = pam_putenv(sshpam_handle,compound);
+		xfree(compound);
+	}
+#endif
+	return (ret);
+}
+
 void
 print_pam_messages(void)
 {
Index: auth-pam.h
===================================================================
RCS file: /disk/cvs/dice/openssh/auth-pam.h,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 auth-pam.h
--- auth-pam.h	29 May 2003 20:11:14 -0000	1.1.1.1
+++ auth-pam.h	22 Aug 2003 21:13:52 -0000
@@ -38,6 +38,7 @@
 void do_pam_setcred(int );
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
+int do_pam_putenv(char *, char *);
 void print_pam_messages(void);
 char ** fetch_pam_environment(void);
 void free_pam_environment(char **);
Index: configure.ac
===================================================================
RCS file: /disk/cvs/dice/openssh/configure.ac,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 configure.ac
--- configure.ac	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ configure.ac	22 Aug 2003 21:13:52 -0000
@@ -820,6 +820,7 @@
 			AC_CHECK_LIB(dl, dlopen, , )
 			AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
 			AC_CHECK_FUNCS(pam_getenvlist)
+			AC_CHECK_FUNCS(pam_putenv)
 
 			disable_shadow=yes
 			PAM_MSG="yes"
@@ -1934,6 +1935,31 @@
                                 blibpath="$blibpath:${KRB5ROOT}/lib"
                         fi
 			AC_SEARCH_LIBS(dn_expand, resolv)
+
+			AC_CHECK_LIB(gssapi,gss_init_sec_context,
+				[ AC_DEFINE(GSSAPI)
+				  K5LIBS="-lgssapi $K5LIBS" ],
+				[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+					[ AC_DEFINE(GSSAPI)
+				  	  K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+					AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
+					$K5LIBS)
+				],
+				$K5LIBS)
+			
+			AC_CHECK_HEADER(gssapi.h, ,
+				[ unset ac_cv_header_gssapi_h
+				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" 
+				  AC_CHECK_HEADERS(gssapi.h, ,
+					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
+				  ) 
+				]
+			)
+
+			oldCPP="$CPPFLAGS"
+			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+			AC_CHECK_HEADER(gssapi_krb5.h, ,
+					[ CPPFLAGS="$oldCPP" ])
 
                         KRB5=yes
                 fi
Index: defines.h
===================================================================
RCS file: /disk/cvs/dice/openssh/defines.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 defines.h
--- defines.h	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ defines.h	22 Aug 2003 21:13:52 -0000
@@ -504,6 +504,10 @@
 #  define __func__ ""
 #endif
 
+#if defined(KRB5) && !defined(HEIMDAL)
+#  define krb5_get_err_text(context,code) error_message(code)
+#endif
+
 /*
  * Define this to use pipes instead of socketpairs for communicating with the
  * client program.  Socketpairs do not seem to work on all systems.
Index: gss-serv-krb5.c
===================================================================
RCS file: /disk/cvs/dice/openssh/gss-serv-krb5.c,v
retrieving revision 1.2
diff -u -r1.2 gss-serv-krb5.c
--- gss-serv-krb5.c	22 Aug 2003 20:00:49 -0000	1.2
+++ gss-serv-krb5.c	22 Aug 2003 21:13:52 -0000
@@ -38,7 +38,11 @@
 
 extern ServerOptions options;
 
+#ifdef HEIMDAL
 #include <krb5.h>
+#else
+#include <gssapi_krb5.h>
+#endif
 
 static krb5_context krb_context = NULL;
 
@@ -113,11 +117,39 @@
 	if (ssh_gssapi_krb5_init() == 0)
 		return;
 
+#ifdef HEIMDAL
 	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 		logit("krb5_cc_gen_new(): %.100s",
 		    krb5_get_err_text(krb_context, problem));
 		return;
 	}
+#else
+{
+	int tmpfd;
+	char ccname[40];
+    
+	snprintf(ccname, sizeof(ccname), 
+	    "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+    
+	if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
+		logit("mkstemp(): %.100s", strerror(errno));
+		problem = errno;
+		return;
+	}
+	if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+		logit("fchmod(): %.100s", strerror(errno));
+		close(tmpfd);
+		problem = errno;
+		return;
+	}
+	close(tmpfd);
+	if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+		logit("krb5_cc_resolve(): %.100s",
+		    krb5_get_err_text(krb_context, problem));
+		return;
+	}
+}
+#endif	/* #ifdef HEIMDAL */
 
 	if ((problem = krb5_parse_name(krb_context, 
 	    client->exportedname.value, &princ))) {
@@ -147,6 +179,10 @@
 	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
 	client->store.envvar = "KRB5CCNAME";
 	client->store.envval = xstrdup(client->store.filename);
+
+#ifdef USE_PAM
+	do_pam_putenv(client->store.envvar,client->store.envval);
+#endif
 
 	krb5_cc_close(krb_context, ccache);
 
Index: session.c
===================================================================
RCS file: /disk/cvs/dice/openssh/session.c,v
retrieving revision 1.2
diff -u -r1.2 session.c
--- session.c	22 Aug 2003 19:45:36 -0000	1.2
+++ session.c	22 Aug 2003 21:13:52 -0000
@@ -418,6 +418,12 @@
 
 	session_proctitle(s);
 
+#ifdef GSSAPI
+	temporarily_use_uid(s->pw);
+	ssh_gssapi_storecreds();
+	restore_uid();
+#endif
+
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_session(s->pw->pw_name, NULL);
@@ -428,12 +434,6 @@
 	}
 #endif /* USE_PAM */
 
-#ifdef GSSAPI
-	temporarily_use_uid(s->pw);
-	ssh_gssapi_storecreds();
-	restore_uid();
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		fatal_remove_all_cleanups();
@@ -553,17 +553,17 @@
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
+#ifdef GSSAPI
+	temporarily_use_uid(s->pw);
+	ssh_gssapi_storecreds();
+	restore_uid();
+#endif
+
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_session(s->pw->pw_name, s->tty);
 		do_pam_setcred(1);
 	}
-#endif
-
-#ifdef GSSAPI
-	temporarily_use_uid(s->pw);
-	ssh_gssapi_storecreds();
-	restore_uid();
 #endif
 
 	/* Fork the child. */
Index: ssh-gss.h
===================================================================
RCS file: /disk/cvs/dice/openssh/ssh-gss.h,v
retrieving revision 1.2
diff -u -r1.2 ssh-gss.h
--- ssh-gss.h	22 Aug 2003 20:00:49 -0000	1.2
+++ ssh-gss.h	22 Aug 2003 21:13:52 -0000
@@ -31,6 +31,18 @@
 
 #include <gssapi.h>
 
+#ifdef KRB5
+#ifndef HEIMDAL
+#include <gssapi_generic.h>
+
+/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+/* It seems to be defined in gssapi_krb5.h -dtucker */
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
+#endif /* KRB5 */
+
 /* draft-ietf-secsh-gsskeyex-06 */
 #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE		60
 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN			61
Index: sshconnect1.c
===================================================================
RCS file: /disk/cvs/dice/openssh/sshconnect1.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 sshconnect1.c
--- sshconnect1.c	22 Aug 2003 18:17:03 -0000	1.1.1.2
+++ sshconnect1.c	22 Aug 2003 21:13:52 -0000
@@ -20,9 +20,6 @@
 
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 #endif
 
 #include "ssh.h"
Index: sshconnect2.c
===================================================================
RCS file: /disk/cvs/dice/openssh/sshconnect2.c,v
retrieving revision 1.2
diff -u -r1.2 sshconnect2.c
--- sshconnect2.c	22 Aug 2003 19:45:36 -0000	1.2
+++ sshconnect2.c	22 Aug 2003 21:13:52 -0000
@@ -27,9 +27,6 @@
 
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 #endif
 
 #include "openbsd-compat/sys-queue.h"


More information about the openssh-unix-dev mailing list