Patches for compatibility with Heimdal's libsia_krb5 SIA module

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Sep 25 10:04:00 EST 2003


Is SIA used on any other platform besides Tru64/OSF?  I'm thinking if not
it should be moved to openbsd-compat/port-osf.[ch] and the two definitions
put into openbsd-compat/openbsd-compat.h.

- Ben


On Wed, 24 Sep 2003, Sergio Gelato wrote:

> I have found the following patches to be desirable for using sshd on a
> Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from
> Heimdal.
>
> These patches do the following:
>
> 1) Preserve context between the password authentication and the session
> setup phases. This is necessary because the Heimdal SIA module stores
> Kerberos context information as mechanism-specific data in ent->mech[].
>
> 2) Allow for the KRB5CCNAME environment variable (potentially set in
> session_setup_sia()) to be propagated to the session environment.
>
> Caveat: I have only tested this with the BSD and Heimdal KRB5 modules,
> not with OSFC2 or any other SIA module.
>
> To do:
>
> * clean up the Kerberos credentials cache at session exit. Unfortunately
> SIA is not invoked at this time, so this cannot be done in the SIA module.
>
> * review what happens if authentication succeeds but session_setup_sia() is
> not invoked for some reason. Currently the sia_ses_release() clean-up
> code will not be invoked in this case. For most SIA modules this shouldn't
> matter, as resources will be released at process exit; but it would be
> nice to get it right anyway.
>




More information about the openssh-unix-dev mailing list