Patches for compatibility with Heimdal's libsia_krb5 SIA module
Sergio Gelato
Sergio.Gelato at astro.su.se
Thu Sep 25 01:20:13 EST 2003
I have found the following patches to be desirable for using sshd on a
Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from
Heimdal.
These patches do the following:
1) Preserve context between the password authentication and the session
setup phases. This is necessary because the Heimdal SIA module stores
Kerberos context information as mechanism-specific data in ent->mech[].
2) Allow for the KRB5CCNAME environment variable (potentially set in
session_setup_sia()) to be propagated to the session environment.
Caveat: I have only tested this with the BSD and Heimdal KRB5 modules,
not with OSFC2 or any other SIA module.
To do:
* clean up the Kerberos credentials cache at session exit. Unfortunately
SIA is not invoked at this time, so this cannot be done in the SIA module.
* review what happens if authentication succeeds but session_setup_sia() is
not invoked for some reason. Currently the sia_ses_release() clean-up
code will not be invoked in this case. For most SIA modules this shouldn't
matter, as resources will be released at process exit; but it would be
nice to get it right anyway.
diff -aruN openssh-3.7.1p2.orig/auth-passwd.c openssh-3.7.1p2/auth-passwd.c
--- openssh-3.7.1p2.orig/auth-passwd.c Thu Sep 18 10:26:48 2003
+++ openssh-3.7.1p2/auth-passwd.c Wed Sep 24 00:04:40 2003
@@ -42,6 +42,9 @@
#include "log.h"
#include "servconf.h"
#include "auth.h"
+#ifdef HAVE_OSF_SIA
+#include "auth-sia.h"
+#endif
#ifdef WITH_AIXAUTHENTICATE
# include "buffer.h"
# include "canohost.h"
diff -aruN openssh-3.7.1p2.orig/auth-sia.c openssh-3.7.1p2/auth-sia.c
--- openssh-3.7.1p2.orig/auth-sia.c Tue Jun 3 02:25:48 2003
+++ openssh-3.7.1p2/auth-sia.c Wed Sep 24 00:05:39 2003
@@ -31,6 +31,7 @@
#include "log.h"
#include "servconf.h"
#include "canohost.h"
+#include "xmalloc.h"
#include <sia.h>
#include <siad.h>
@@ -45,11 +46,12 @@
extern int saved_argc;
extern char **saved_argv;
+static SIAENTITY *ent = NULL;
+
int
auth_sia_password(Authctxt *authctxt, char *pass)
{
int ret;
- SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.use_dns);
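Review bot: The new file-scope `ent` is mutable state shared between auth_sia_password() and session_setup_sia(), and nothing in the hunk says who owns it or when it is released; a reader of this declaration cannot tell that a successfully authenticated entity (with whatever the module stored in ent->mech[]) is now kept alive until session_setup_sia() releases it, or forever if that function is never reached, as the cover note itself admits. I would document that contract at the declaration: `/* Entity kept from auth_sia_password() to session_setup_sia(), which releases it; NULL when no session is pending. */`. It also appears to assume that both functions run in the same process, or in a process forked from it after authentication; with privilege separation that ordering is not visible here and is worth stating in the same comment.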
@@ -57,6 +59,12 @@
if (!authctxt->user || pass == NULL || pass[0] == '\0')
return (0);
+ if (ent) {
+ debug("Releasing old SIAENTITY!");
+ sia_ses_release(&ent);
+ ent = NULL;
+ }
+
if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
NULL, 0, NULL) != SIASUCCESS)
return (0);
@@ -64,31 +72,36 @@
if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
error("Couldn't authenticate %s from %s",
authctxt->user, host);
- if (ret & SIASTOP)
+ if (ret & SIASTOP) {
sia_ses_release(&ent);
+ ent = NULL;
+ }
return (0);
}
- sia_ses_release(&ent);
-
return (1);
}
void
session_setup_sia(struct passwd *pw, char *tty)
{
- SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.use_dns);
- if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
- tty, 0, NULL) != SIASUCCESS)
- fatal("sia_ses_init failed");
+ if (ent) {
+ if (tty)
+ ent->tty = xstrdup(tty);
+ } else {
+ if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
+ tty, 0, NULL) != SIASUCCESS)
+ fatal("sia_ses_init failed");
+ }
if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
sia_ses_release(&ent);
+ ent = NULL;
fatal("sia_make_entity_pwd failed");
}
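Review bot: The reuse branch in session_setup_sia() never checks that the preserved entity belongs to the user and host it is now being applied to: it was initialised in auth_sia_password() with authctxt->user, while this function receives pw->pw_name, and if the two differ the session is set up on a stale entity. A guard before the branch, such as `if (ent && strcmp(ent->name, pw->pw_name) != 0) { sia_ses_release(&ent); ent = NULL; }` (assuming the SIAENTITY name member is what the library exposes for this), would fall back to the fresh sia_ses_init() path. Separately, `ent->tty = xstrdup(tty)` writes a library-owned structure directly and overwrites any previous value without freeing it; that is presumably NULL because the auth call passed no tty, but the assumption deserves a comment and the string's ownership (freed by sia_ses_release(), or leaked) should be confirmed against the SIA documentation. The body of session_setup_sia() continues past the end of this hunk.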
@@ -102,6 +115,7 @@
pw->pw_name, host);
sia_ses_release(&ent);
+ ent = NULL;
if (setreuid(geteuid(), geteuid()) < 0)
fatal("setreuid: %s", strerror(errno));
diff -aruN openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c Wed Sep 24 00:04:41 2003
@@ -49,6 +49,9 @@
#include "bufaux.h"
#include "auth.h"
#include "auth-options.h"
+#ifdef HAVE_OSF_SIA
+#include "auth-sia.h"
+#endif
#include "pathnames.h"
#include "log.h"
#include "servconf.h"
diff -aruN openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c Wed Sep 24 00:02:15 2003
@@ -1093,6 +1093,14 @@
read_environment_file(&env, &envsize, "/etc/environment");
}
#endif
+#ifdef HAVE_OSF_SIA
+ {
+ char *cp;
+
+ if ((cp = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env, &envsize, "KRB5CCNAME", cp);
+ }
+#endif
#ifdef KRB5
if (s->authctxt->krb5_ticket_file)
child_set_env(&env, &envsize, "KRB5CCNAME",
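Review bot: `getenv("KRB5CCNAME")` reads sshd's own process environment, not anything tied to the SIA session, so any value present when the daemon was started (for example inherited from the administrator's shell) is exported into every user session by this block, whether or not a SIA module set it. The comment in the cover note says the variable is "potentially set in session_setup_sia()", and that condition should be enforced, not assumed: either have session_setup_sia() record that it exported a credentials cache and test that flag here, or at minimum document the assumption with `/* Copied from our environment, where the SIA module may have placed it during session_setup_sia(); a pre-existing value from the daemon's startup environment would be exported too. */`. Note also that the `#ifdef KRB5` block that follows sets the same variable and will override this one when krb5_ticket_file is set, which may or may not be intended. The enclosing function starts and ends outside this hunk, so whether session_setup_sia() has run before this point cannot be confirmed from the hunk.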