GSSAPI patch sync from OpenBSD to Portable
sxw at inf.ed.ac.uk
sxw at inf.ed.ac.uk
Sat Aug 23 07:23:00 EST 2003
> I'm working on a forward port of my portable stuff, just testing ATM. It
> covers a couple of areas missing from Steven's one (PAM support, some
> header file inclusion). I've KNF'd the code as much as I can see ...
Replying to my own mail. Attached is a patch to add MIT/portable support
to the GSSAPI code. Tested against both my 3.6.1 patches, and a current
snapshot running the OpenBSD code.
The patch adds PAM support by moving credentials storage before PAM
execution, and by adding pam_putenv calls. It factors out the definition
of krb5_err_text() to one location, adds support for MIT style
credentials cache creation, and includes some MIT specific header files if
we're not using HEIMDAL.
Hope this is of use!
Cheers,
Simon.
Index: Makefile.in
===================================================================
RCS file: /disk/cvs/dice/openssh/Makefile.in,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 Makefile.in
--- Makefile.in 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ Makefile.in 22 Aug 2003 21:13:52 -0000
@@ -68,7 +68,7 @@
key.o dispatch.o kex.o mac.o uuencode.o misc.o \
rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
- entropy.o scard-opensc.o
+ entropy.o scard-opensc.o gss-genr.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o
@@ -82,6 +82,7 @@
monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
kexdhs.o kexgexs.o \
auth-krb5.o auth2-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-sia.o md5crypt.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
Index: acconfig.h
===================================================================
RCS file: /disk/cvs/dice/openssh/acconfig.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 acconfig.h
--- acconfig.h 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ acconfig.h 22 Aug 2003 21:13:52 -0000
@@ -232,6 +232,9 @@
/* Define if compiler implements __func__ */
#undef HAVE___func__
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
+
/* Define if you want Kerberos 5 support */
#undef KRB5
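Review bot: The comment on the new GSSAPI define reads "Define this is you want", which is a typo; it should be `/* Define this if you want GSSAPI support in the version 2 protocol */`. The neighbouring KRB5 entry uses the "Define if you want" wording, so matching it also keeps acconfig.h consistent.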
Index: auth-krb5.c
===================================================================
RCS file: /disk/cvs/dice/openssh/auth-krb5.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 auth-krb5.c
--- auth-krb5.c 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ auth-krb5.c 22 Aug 2003 21:13:52 -0000
@@ -42,9 +42,6 @@
#ifdef KRB5
#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
extern ServerOptions options;
Index: auth-pam.c
===================================================================
RCS file: /disk/cvs/dice/openssh/auth-pam.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 auth-pam.c
--- auth-pam.c 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ auth-pam.c 22 Aug 2003 21:13:52 -0000
@@ -648,6 +648,29 @@
pam_strerror(sshpam_handle, sshpam_err));
}
+/*
+ * Set a PAM environment string. We need to do this so that the session
+ * modules can handle things like Kerberos/GSI credentials that appear
+ * during the ssh authentication process.
+ */
+
+int
+do_pam_putenv(char *name, char *value)
+{
+ char *compound;
+ int ret = 1;
+
+#ifdef HAVE_PAM_PUTENV
+ compound = xmalloc(strlen(name)+strlen(value)+2);
+ if (compound) {
+ sprintf(compound,"%s=%s",name,value);
+ ret = pam_putenv(sshpam_handle,compound);
+ xfree(compound);
+ }
+#endif
+ return (ret);
+}
+
void
print_pam_messages(void)
{
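Review bot: do_pam_putenv() hands sshpam_handle to pam_putenv() without checking that PAM was ever started, while the session.c hunks in this same patch gate do_pam_session() on the runtime options.use_pam; the gss-serv-krb5.c call site is guarded only by the compile-time USE_PAM, so with use_pam off sshpam_handle is presumably still NULL and what pam_putenv() does with it depends on the PAM implementation. A guard at the top of the #ifdef block, `if (sshpam_handle == NULL) return (ret);`, keeps every caller simple. The return contract should also be documented, since the `ret = 1` default means "not stored" on builds without HAVE_PAM_PUTENV and the raw pam_putenv() status otherwise — e.g. `/* Returns PAM_SUCCESS (0) once the string is handed to PAM, non-zero otherwise. */`. If xmalloc() fatal()s on failure as elsewhere in OpenSSH, the `if (compound)` test is dead, the `sprintf` could become `snprintf(compound, len, "%s=%s", name, value)` with the computed length kept in a local, and both parameters could be `const char *` (with the auth-pam.h prototype changed to match).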
Index: auth-pam.h
===================================================================
RCS file: /disk/cvs/dice/openssh/auth-pam.h,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 auth-pam.h
--- auth-pam.h 29 May 2003 20:11:14 -0000 1.1.1.1
+++ auth-pam.h 22 Aug 2003 21:13:52 -0000
@@ -38,6 +38,7 @@
void do_pam_setcred(int );
int is_pam_password_change_required(void);
void do_pam_chauthtok(void);
+int do_pam_putenv(char *, char *);
void print_pam_messages(void);
char ** fetch_pam_environment(void);
void free_pam_environment(char **);
Index: configure.ac
===================================================================
RCS file: /disk/cvs/dice/openssh/configure.ac,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 configure.ac
--- configure.ac 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ configure.ac 22 Aug 2003 21:13:52 -0000
@@ -820,6 +820,7 @@
AC_CHECK_LIB(dl, dlopen, , )
AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
AC_CHECK_FUNCS(pam_getenvlist)
+ AC_CHECK_FUNCS(pam_putenv)
disable_shadow=yes
PAM_MSG="yes"
@@ -1934,6 +1935,31 @@
blibpath="$blibpath:${KRB5ROOT}/lib"
fi
AC_SEARCH_LIBS(dn_expand, resolv)
+
+ AC_CHECK_LIB(gssapi,gss_init_sec_context,
+ [ AC_DEFINE(GSSAPI)
+ K5LIBS="-lgssapi $K5LIBS" ],
+ [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+ [ AC_DEFINE(GSSAPI)
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+ AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
+ $K5LIBS)
+ ],
+ $K5LIBS)
+
+ AC_CHECK_HEADER(gssapi.h, ,
+ [ unset ac_cv_header_gssapi_h
+ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+ AC_CHECK_HEADERS(gssapi.h, ,
+ AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
+ )
+ ]
+ )
+
+ oldCPP="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+ AC_CHECK_HEADER(gssapi_krb5.h, ,
+ [ CPPFLAGS="$oldCPP" ])
KRB5=yes
fi
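Review bot: The gssapi.h probe only defines HAVE_GSSAPI_H when the header is found through the fallback path: the outer AC_CHECK_HEADER (singular) does not AC_DEFINE anything, whereas the nested AC_CHECK_HEADERS does, so a config.h generated on a system whose gssapi.h is on the default include path lacks the symbol. Using AC_CHECK_HEADERS in both places, or in neither, makes the result consistent. The following block then appends `-I${KRB5ROOT}/include/gssapi` to CPPFLAGS a second time when the fallback already added it; capturing oldCPP before the first probe avoids the duplicate. A missing library or header only emits AC_MSG_WARN while GSSAPI may already have been defined by the library check, so the failure surfaces at compile time rather than at configure time — that looks intentional but deserves a comment saying so.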
Index: defines.h
===================================================================
RCS file: /disk/cvs/dice/openssh/defines.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 defines.h
--- defines.h 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ defines.h 22 Aug 2003 21:13:52 -0000
@@ -504,6 +504,10 @@
# define __func__ ""
#endif
+#if defined(KRB5) && !defined(HEIMDAL)
+# define krb5_get_err_text(context,code) error_message(code)
+#endif
+
/*
* Define this to use pipes instead of socketpairs for communicating with the
* client program. Socketpairs do not seem to work on all systems.
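Review bot: The relocated krb5_get_err_text macro expands to error_message(), whose prototype comes from the com_err header, but defines.h includes nothing for it; the three files that previously carried the macro presumably each had that header in scope, and the same now has to hold for every file that includes defines.h under KRB5 without HEIMDAL. A comment on the define, `/* MIT krb5 has no krb5_get_err_text(); error_message() is com_err's, so the including file must pull in its header */`, records the requirement. The macro also silently discards the context argument, which is fine for error_message() but worth stating in that comment.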
Index: gss-serv-krb5.c
===================================================================
RCS file: /disk/cvs/dice/openssh/gss-serv-krb5.c,v
retrieving revision 1.2
diff -u -r1.2 gss-serv-krb5.c
--- gss-serv-krb5.c 22 Aug 2003 20:00:49 -0000 1.2
+++ gss-serv-krb5.c 22 Aug 2003 21:13:52 -0000
@@ -38,7 +38,11 @@
extern ServerOptions options;
+#ifdef HEIMDAL
#include <krb5.h>
+#else
+#include <gssapi_krb5.h>
+#endif
static krb5_context krb_context = NULL;
@@ -113,11 +117,39 @@
if (ssh_gssapi_krb5_init() == 0)
return;
+#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
+#else
+{
+ int tmpfd;
+ char ccname[40];
+
+ snprintf(ccname, sizeof(ccname),
+ "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+
+ if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
+ logit("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ return;
+ }
+ if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+ logit("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ return;
+ }
+ close(tmpfd);
+ if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+ logit("krb5_cc_resolve(): %.100s",
+ krb5_get_err_text(krb_context, problem));
+ return;
+ }
+}
+#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
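Review bot: The snprintf at the top of the MIT branch passes geteuid(), a uid_t, to a `%d` conversion, which is a format/argument type mismatch wherever uid_t is not int; `snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u_XXXXXX", (unsigned int)geteuid());` matches the argument to the conversion. The two `problem = errno;` assignments run after logit() has already had the chance to clobber errno, and since the function returns immediately afterwards the value is never read, so they can be dropped or moved ahead of the logit() call. A comment above the block, `/* MIT krb5 has no krb5_cc_gen_new(); create the cache file ourselves via mkstemp() so the name is unpredictable, and force mode 0600 */`, would explain why the two branches differ. The enclosing function starts and ends outside this hunk.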
@@ -147,6 +179,10 @@
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
+
+#ifdef USE_PAM
+ do_pam_putenv(client->store.envvar,client->store.envval);
+#endif
krb5_cc_close(krb_context, ccache);
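Review bot: The do_pam_putenv() return value is dropped, so a pam_putenv() failure leaves the PAM session modules without KRB5CCNAME and nothing in the log to say so. A check such as `if (do_pam_putenv(client->store.envvar, client->store.envval) != 0) debug("do_pam_putenv failed for %s", client->store.envvar);` makes the condition visible. On builds without HAVE_PAM_PUTENV the function returns 1 unconditionally, so the message should stay at debug level rather than logit(). The enclosing function continues outside the hunk.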
Index: session.c
===================================================================
RCS file: /disk/cvs/dice/openssh/session.c,v
retrieving revision 1.2
diff -u -r1.2 session.c
--- session.c 22 Aug 2003 19:45:36 -0000 1.2
+++ session.c 22 Aug 2003 21:13:52 -0000
@@ -418,6 +418,12 @@
session_proctitle(s);
+#ifdef GSSAPI
+ temporarily_use_uid(s->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+#endif
+
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_session(s->pw->pw_name, NULL);
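Review bot: The GSSAPI block is moved ahead of do_pam_session() here and again by the `@@ -553,17 +553,17 @@` hunk, so the temporarily_use_uid()/ssh_gssapi_storecreds()/restore_uid() triple stays duplicated in the no-pty and pty paths; a small static helper wrapping the three calls would keep the two in step. Because the old placement after PAM looked deliberate, the new position needs a comment, `/* Store GSSAPI credentials before the PAM session so pam_putenv() can hand KRB5CCNAME to the session modules */`, otherwise the next reader may move it back. The enclosing function begins and ends outside this hunk.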
@@ -428,12 +434,6 @@
}
#endif /* USE_PAM */
-#ifdef GSSAPI
- temporarily_use_uid(s->pw);
- ssh_gssapi_storecreds();
- restore_uid();
-#endif
-
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
@@ -553,17 +553,17 @@
ptyfd = s->ptyfd;
ttyfd = s->ttyfd;
+#ifdef GSSAPI
+ temporarily_use_uid(s->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+#endif
+
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_session(s->pw->pw_name, s->tty);
do_pam_setcred(1);
}
-#endif
-
-#ifdef GSSAPI
- temporarily_use_uid(s->pw);
- ssh_gssapi_storecreds();
- restore_uid();
#endif
/* Fork the child. */
Index: ssh-gss.h
===================================================================
RCS file: /disk/cvs/dice/openssh/ssh-gss.h,v
retrieving revision 1.2
diff -u -r1.2 ssh-gss.h
--- ssh-gss.h 22 Aug 2003 20:00:49 -0000 1.2
+++ ssh-gss.h 22 Aug 2003 21:13:52 -0000
@@ -31,6 +31,18 @@
#include <gssapi.h>
+#ifdef KRB5
+#ifndef HEIMDAL
+#include <gssapi_generic.h>
+
+/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+/* It seems to be defined in gssapi_krb5.h -dtucker */
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
+#endif /* KRB5 */
+
/* draft-ietf-secsh-gsskeyex-06 */
#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
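Review bot: The two comments above the GSS_C_NT_HOSTBASED_SERVICE fallback pull in different directions — one says MIT does not define it, the next says it is in gssapi_krb5.h — and neither says why gssapi_generic.h is the header included at this point. Merging them into one, `/* MIT Kerberos may not define GSS_C_NT_HOSTBASED_SERVICE in gssapi_generic.h (dtucker reports it in gssapi_krb5.h); fall back to the gss_nt_service_name object */`, records the condition actually being handled.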
Index: sshconnect1.c
===================================================================
RCS file: /disk/cvs/dice/openssh/sshconnect1.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 sshconnect1.c
--- sshconnect1.c 22 Aug 2003 18:17:03 -0000 1.1.1.2
+++ sshconnect1.c 22 Aug 2003 21:13:52 -0000
@@ -20,9 +20,6 @@
#ifdef KRB5
#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
#endif
#include "ssh.h"
Index: sshconnect2.c
===================================================================
RCS file: /disk/cvs/dice/openssh/sshconnect2.c,v
retrieving revision 1.2
diff -u -r1.2 sshconnect2.c
--- sshconnect2.c 22 Aug 2003 19:45:36 -0000 1.2
+++ sshconnect2.c 22 Aug 2003 21:13:52 -0000
@@ -27,9 +27,6 @@
#ifdef KRB5
#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
#endif
#include "openbsd-compat/sys-queue.h"