GSSAPI patch sync from OpenBSD to Portable

Darren Tucker dtucker at zip.com.au
Sat Aug 23 10:37:05 EST 2003


Steven Michaud wrote:
> Shouldn't the last hunk of gss-serv-krb5.c be this:

> +#ifdef USE_PAM
> +       if (options.use_pam)
> +          do_pam_putenv(client->store.envvar, client->store.envval);
> +#endif

Yes.

The attached patch is based on Simon's, with that change and the retabbifying Ben
mentioned.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/Makefile.in ./Makefile.in
--- ../openssh-gssapi/Makefile.in	2003-08-20 23:23:34.000000000 +1000
+++ ./Makefile.in	2003-08-23 09:51:41.000000000 +1000
@@ -68,7 +68,7 @@
 	key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 	rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
 	kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
-	entropy.o scard-opensc.o 
+	entropy.o scard-opensc.o gss-genr.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o
@@ -82,6 +82,7 @@
 	monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
 	kexdhs.o kexgexs.o \
 	auth-krb5.o auth2-krb5.o \
+	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-sia.o md5crypt.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/acconfig.h ./acconfig.h
--- ../openssh-gssapi/acconfig.h	2003-08-20 23:23:34.000000000 +1000
+++ ./acconfig.h	2003-08-23 09:51:41.000000000 +1000
@@ -232,6 +232,9 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
 
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
+
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 
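Review bot: The new comment in the acconfig.h hunk has a typo ("Define this is you want") that will be copied verbatim into config.h.in; it should read `/* Define this if you want GSSAPI support in the version 2 protocol */`.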
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/auth-krb5.c ./auth-krb5.c
--- ../openssh-gssapi/auth-krb5.c	2003-08-20 23:23:34.000000000 +1000
+++ ./auth-krb5.c	2003-08-23 09:51:41.000000000 +1000
@@ -42,9 +42,6 @@
 #ifdef KRB5
 
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 
 extern ServerOptions	 options;
 
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/auth-pam.c ./auth-pam.c
--- ../openssh-gssapi/auth-pam.c	2003-08-20 23:23:34.000000000 +1000
+++ ./auth-pam.c	2003-08-23 09:51:41.000000000 +1000
@@ -648,6 +648,29 @@
 		    pam_strerror(sshpam_handle, sshpam_err));
 }
 
+/* 
+ * Set a PAM environment string. We need to do this so that the session
+ * modules can handle things like Kerberos/GSI credentials that appear
+ * during the ssh authentication process.
+ */
+
+int
+do_pam_putenv(char *name, char *value) 
+{
+	char *compound;
+	int ret = 1;
+
+#ifdef HAVE_PAM_PUTENV	
+	compound = xmalloc(strlen(name)+strlen(value)+2);
+	if (compound) {
+		sprintf(compound,"%s=%s",name,value);
+		ret = pam_putenv(sshpam_handle,compound);
+		xfree(compound);
+	}
+#endif
+	return (ret);
+}
+
 void
 print_pam_messages(void)
 {
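Review bot: do_pam_putenv() assembles the "name=value" string with an unbounded `sprintf` even though the length is already computed one line earlier; keep the length in a variable and use it for both the allocation and a bounded write, `size_t len = strlen(name) + strlen(value) + 2;`, `compound = xmalloc(len);`, `snprintf(compound, len, "%s=%s", name, value);`. The `if (compound)` guard is probably dead if xmalloc() follows OpenSSH's convention of calling fatal() on allocation failure, so either drop it or replace xmalloc with a checked malloc. Neither parameter is written through, so `name` and `value` (and the prototype added to auth-pam.h in the next file section) should be `const char *`. Note that when HAVE_PAM_PUTENV is not defined the function returns 1 without logging, so a caller cannot tell a silently dropped variable from a pam_putenv error; a one-line comment on `int ret = 1;` saying that 1 means "not supported on this platform" would make that explicit. Lines 79, 86 and 91 of this hunk also carry trailing whitespace.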
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/auth-pam.h ./auth-pam.h
--- ../openssh-gssapi/auth-pam.h	2003-08-20 23:23:34.000000000 +1000
+++ ./auth-pam.h	2003-08-23 09:51:41.000000000 +1000
@@ -38,6 +38,7 @@
 void do_pam_setcred(int );
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
+int do_pam_putenv(char *, char *);
 void print_pam_messages(void);
 char ** fetch_pam_environment(void);
 void free_pam_environment(char **);
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/configure.ac ./configure.ac
--- ../openssh-gssapi/configure.ac	2003-08-21 18:01:42.000000000 +1000
+++ ./configure.ac	2003-08-23 09:51:41.000000000 +1000
@@ -822,6 +822,7 @@
 			AC_CHECK_LIB(dl, dlopen, , )
 			AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
 			AC_CHECK_FUNCS(pam_getenvlist)
+			AC_CHECK_FUNCS(pam_putenv)
 
 			disable_shadow=yes
 			PAM_MSG="yes"
@@ -1937,6 +1938,31 @@
                         fi
 			AC_SEARCH_LIBS(dn_expand, resolv)
 
+			AC_CHECK_LIB(gssapi,gss_init_sec_context,
+				[ AC_DEFINE(GSSAPI)
+				  K5LIBS="-lgssapi $K5LIBS" ],
+				[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+					[ AC_DEFINE(GSSAPI)
+				  	  K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+					AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
+					$K5LIBS)
+				],
+				$K5LIBS)
+			
+			AC_CHECK_HEADER(gssapi.h, ,
+				[ unset ac_cv_header_gssapi_h
+				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" 
+				  AC_CHECK_HEADERS(gssapi.h, ,
+					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
+				  ) 
+				]
+			)
+
+			oldCPP="$CPPFLAGS"
+			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+			AC_CHECK_HEADER(gssapi_krb5.h, ,
+					[ CPPFLAGS="$oldCPP" ])
+
                         KRB5=yes
                 fi
         ]
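Review bot: The gssapi.h fallback in this hunk appends `-I${KRB5ROOT}/include/gssapi` to CPPFLAGS and never restores it, even when the retried AC_CHECK_HEADERS also fails; the gssapi_krb5.h block then appends the same flag a second time and restores `oldCPP` only on failure, so on a successful MIT build CPPFLAGS ends up carrying the include path twice. Saving CPPFLAGS once before the gssapi.h check and reusing that saved value for both restores would keep the flags minimal and make the two checks consistent, e.g. `oldCPP="$CPPFLAGS"` placed before `AC_CHECK_HEADER(gssapi.h, ,`. The AC_DEFINE(GSSAPI) calls are fine given the acconfig.h entry added earlier in this patch. The enclosing shell block of the KRB5 case starts and ends outside the hunk.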
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/defines.h ./defines.h
--- ../openssh-gssapi/defines.h	2003-08-21 17:32:50.000000000 +1000
+++ ./defines.h	2003-08-23 09:51:41.000000000 +1000
@@ -521,6 +521,10 @@
 #  define __func__ ""
 #endif
 
+#if defined(KRB5) && !defined(HEIMDAL)
+#  define krb5_get_err_text(context,code) error_message(code)
+#endif
+
 /*
  * Define this to use pipes instead of socketpairs for communicating with the
  * client program.  Socketpairs do not seem to work on all systems.
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/gss-serv-krb5.c ./gss-serv-krb5.c
--- ../openssh-gssapi/gss-serv-krb5.c	2003-08-23 09:48:10.000000000 +1000
+++ ./gss-serv-krb5.c	2003-08-23 10:03:18.000000000 +1000
@@ -38,7 +38,11 @@
 
 extern ServerOptions options;
 
+#ifdef HEIMDAL
 #include <krb5.h>
+#else
+#include <gssapi_krb5.h>
+#endif
 
 static krb5_context krb_context = NULL;
 
@@ -113,11 +117,39 @@
 	if (ssh_gssapi_krb5_init() == 0)
 		return;
 
+#ifdef HEIMDAL
 	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 		logit("krb5_cc_gen_new(): %.100s",
 		    krb5_get_err_text(krb_context, problem));
 		return;
 	}
+#else
+	{
+		int tmpfd;
+		char ccname[40];
+    
+		snprintf(ccname, sizeof(ccname), 
+		    "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+    
+		if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
+			logit("mkstemp(): %.100s", strerror(errno));
+			problem = errno;
+			return;
+		}
+		if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+			logit("fchmod(): %.100s", strerror(errno));
+			close(tmpfd);
+			problem = errno;
+			return;
+		}
+		close(tmpfd);
+		if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+			logit("krb5_cc_resolve(): %.100s",
+			    krb5_get_err_text(krb_context, problem));
+			return;
+		}
+	}
+#endif	/* #ifdef HEIMDAL */
 
 	if ((problem = krb5_parse_name(krb_context, 
 	    client->exportedname.value, &princ))) {
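Review bot: In the non-HEIMDAL branch, `problem = errno` is assigned after the `logit()` call in both the mkstemp and fchmod error paths, so by the time it is read errno may have been overwritten by the logging code; capture errno first and log from the saved value. The same branch also leaks the freshly created credential-cache file when fchmod() or krb5_cc_resolve() fails, whereas the Heimdal path creates nothing on failure, so the file should be unlinked on those paths. Separately, `geteuid()` returns uid_t but is printed with `%d`; `(int)geteuid()` or `%u` with an unsigned cast keeps -Wformat quiet. The enclosing function (ssh_gssapi_krb5_storecreds, judging by the surrounding calls) starts before this hunk.
```c
		if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
			problem = errno;
			logit("mkstemp(): %.100s", strerror(problem));
			return;
		}
		if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
			problem = errno;
			logit("fchmod(): %.100s", strerror(problem));
			close(tmpfd);
			unlink(ccname + strlen("FILE:"));
			return;
		}
		close(tmpfd);
		if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
			logit("krb5_cc_resolve(): %.100s",
			    krb5_get_err_text(krb_context, problem));
			unlink(ccname + strlen("FILE:"));
			return;
		}
```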
@@ -148,6 +180,11 @@
 	client->store.envvar = "KRB5CCNAME";
 	client->store.envval = xstrdup(client->store.filename);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		do_pam_putenv(client->store.envvar,client->store.envval);
+#endif
+
 	krb5_cc_close(krb_context, ccache);
 
 	return;
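Review bot: The return value of do_pam_putenv() is discarded here, so if pam_putenv() rejects the string the PAM session modules silently never see KRB5CCNAME; logging the failure would make that diagnosable, e.g. `if (do_pam_putenv(client->store.envvar, client->store.envval) != 0)` followed by `logit("do_pam_putenv(KRB5CCNAME) failed");`. Be aware that on platforms without HAVE_PAM_PUTENV the function always returns 1, so the message would need wording that covers "unsupported" as well as "failed". The call as written also drops the space after the comma that the rest of the file uses, `do_pam_putenv(client->store.envvar, client->store.envval);`.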
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/session.c ./session.c
--- ../openssh-gssapi/session.c	2003-08-23 09:48:10.000000000 +1000
+++ ./session.c	2003-08-23 09:51:41.000000000 +1000
@@ -418,6 +418,12 @@
 
 	session_proctitle(s);
 
+#ifdef GSSAPI
+	temporarily_use_uid(s->pw);
+	ssh_gssapi_storecreds();
+	restore_uid();
+#endif
+
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_session(s->pw->pw_name, NULL);
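Review bot: The reason the GSSAPI credential store is moved ahead of the PAM session is not visible in the code, and the same five-line block is now duplicated verbatim in both exec paths (this hunk and the one ending at line 281), which invites the two copies drifting apart; a short comment on the `#ifdef GSSAPI` line such as `/* Store GSSAPI creds before the PAM session so do_pam_putenv() can hand KRB5CCNAME to the session modules */` would record the ordering constraint, and a small static helper could hold the block once. The enclosing functions (do_exec_no_pty and do_exec_pty, judging by the context lines) start before the hunks.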
@@ -428,12 +434,6 @@
 	}
 #endif /* USE_PAM */
 
-#ifdef GSSAPI
-	temporarily_use_uid(s->pw);
-	ssh_gssapi_storecreds();
-	restore_uid();
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		fatal_remove_all_cleanups();
@@ -553,6 +553,12 @@
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
+#ifdef GSSAPI
+	temporarily_use_uid(s->pw);
+	ssh_gssapi_storecreds();
+	restore_uid();
+#endif
+
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_session(s->pw->pw_name, s->tty);
@@ -560,12 +566,6 @@
 	}
 #endif
 
-#ifdef GSSAPI
-	temporarily_use_uid(s->pw);
-	ssh_gssapi_storecreds();
-	restore_uid();
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		fatal_remove_all_cleanups();
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/ssh-gss.h ./ssh-gss.h
--- ../openssh-gssapi/ssh-gss.h	2003-08-23 09:48:10.000000000 +1000
+++ ./ssh-gss.h	2003-08-23 10:09:44.000000000 +1000
@@ -31,6 +31,18 @@
 
 #include <gssapi.h>
 
+#ifdef KRB5
+#ifndef HEIMDAL
+#include <gssapi_generic.h>
+
+/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
+#endif /* KRB5 */
+
 /* draft-ietf-secsh-gsskeyex-06 */
 #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE		60
 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN			61
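Review bot: The new comment in ssh-gss.h names `GSS_NT_HOSTBASED_SERVICE` while the macro it explains is `GSS_C_NT_HOSTBASED_SERVICE`, which will mislead anyone checking against a gssapi.h that defines the latter; the comment should match the guard, `/* MIT Kerberos doesn't seem to define GSS_C_NT_HOSTBASED_SERVICE; fall back to gss_nt_service_name */`. It would also help to say in that comment which header supplies gss_nt_service_name, since the `#include <gssapi_generic.h>` two lines above is otherwise unexplained.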
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/sshconnect1.c ./sshconnect1.c
--- ../openssh-gssapi/sshconnect1.c	2003-08-20 23:23:35.000000000 +1000
+++ ./sshconnect1.c	2003-08-23 09:51:41.000000000 +1000
@@ -20,9 +20,6 @@
 
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 #endif
 
 #include "ssh.h"
diff -ru --new-file --exclude=CVS --exclude=configure --exclude=linux --exclude=autom4te-2.53.cache --exclude=config.h.in --exclude='config.h.in~' ../openssh-gssapi/sshconnect2.c ./sshconnect2.c
--- ../openssh-gssapi/sshconnect2.c	2003-08-23 09:48:10.000000000 +1000
+++ ./sshconnect2.c	2003-08-23 09:51:41.000000000 +1000
@@ -27,9 +27,6 @@
 
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 #endif
 
 #include "openbsd-compat/sys-queue.h"

