[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT

Sergio Gelato Sergio.Gelato at astro.su.se
Fri Feb 27 11:59:32 EST 2004


Here is a patch I just wrote and tested which may be of interest to
those who wish to use KerberosGetAFSToken (currently requires Heimdal
libkafs) in combination with GSSAPIDelegateCredentials. The patch is
in the public domain and comes with no warranty whatsoever. Applies
to pristine 3.8p1. Works for me on Solaris and Tru64.

I'd probably have used Doug Engert's patch from 2004-01-30 if Heimdal's
afslog command supported -setpag; although to be honest I don't really
like the idea of children being able to change their parent's PAG.

* modified files

    ./auth-krb5.c
    ./auth.h
    ./session.c

* file diffs

--- orig/auth-krb5.c
+++ mod/auth-krb5.c
@@ -199,6 +199,25 @@
 	return (1);
 }
 
+/*
+ * Mainly useful with GSSAPI Kerberos 5 forwarded credentials.
+ * Called after we have setuid to the user.
+ */
+void
+session_krb5_use_ccache(Authctxt *authctxt)
+{
+	char *ccname;
+	debug("session_krb5_use_ccache called");
+	if (authctxt->krb5_fwd_ccache)
+		return;
+	ccname = getenv("KRB5CCNAME");
+	if (!ccname)
+		return;
+	debug("using ccname=%.100s", ccname);
+	if (krb5_init(authctxt))
+		return;
+	krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);}
+
 void
 krb5_cleanup_proc(Authctxt *authctxt)
 {
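Review bot: The return value of krb5_cc_resolve() on the last added line of session_krb5_use_ccache is ignored, so when the name in KRB5CCNAME cannot be resolved the function returns with authctxt->krb5_fwd_ccache in whatever state the library left it, and the caller in session.c then hands that pointer to krb5_afslog(); check it and clear the field, e.g. `if (krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache) != 0) { debug("krb5_cc_resolve failed"); authctxt->krb5_fwd_ccache = NULL; }`. The function's closing brace sits on the same line as that statement; put it on its own line as the surrounding code does. The hunk also shows the start of krb5_cleanup_proc (its body is outside the hunk); if that routine destroys krb5_fwd_ccache, storing the GSSAPI-delegated cache here makes it subject to the same destruction, which the header comment should state or the code should guard against. Since this runs after setuid and takes KRB5CCNAME from the process environment, the header comment should also say that the value is expected to come from sshd's own GSSAPI credential storage rather than from user-supplied environment settings.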


--- orig/auth.h
+++ mod/auth.h
@@ -120,6 +120,7 @@
 int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 int	auth_krb5_password(Authctxt *authctxt, const char *password);
 void	krb5_cleanup_proc(Authctxt *authctxt);
+void	session_krb5_use_ccache(Authctxt *authctxt);
 #endif /* KRB5 */
 
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)


--- orig/session.c
+++ mod/session.c
@@ -1462,20 +1462,22 @@
 	 * home directory is in AFS and it's not world-readable.
 	 */
 
-	if (options.kerberos_get_afs_token && k_hasafs() &&
-	     (s->authctxt->krb5_ctx != NULL)) {
-		char cell[64];
+	if (options.kerberos_get_afs_token && k_hasafs()) {
+		session_krb5_use_ccache(s->authctxt);
+		if (s->authctxt->krb5_ctx != NULL) {
+			char cell[64];
 
-		debug("Getting AFS token");
+			debug("Getting AFS token");
 
-		k_setpag();
+			k_setpag();
 
-		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
-			krb5_afslog(s->authctxt->krb5_ctx,
-			    s->authctxt->krb5_fwd_ccache, cell, NULL);
+			if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+				krb5_afslog(s->authctxt->krb5_ctx,
+				    s->authctxt->krb5_fwd_ccache, cell, NULL);
 
-		krb5_afslog_home(s->authctxt->krb5_ctx,
-		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+			krb5_afslog_home(s->authctxt->krb5_ctx,
+			    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+		}
 	}
 #endif
 
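Review bot: The comment ending on lines 70–71 (its start is outside the hunk) is left unchanged although the branch now also consults a GSSAPI-delegated cache through session_krb5_use_ccache() on line 77, so the explanatory text no longer covers what the code does; extend it with a line such as `/* A cache delegated via GSSAPI (KRB5CCNAME set by sshd) is also picked up here by session_krb5_use_ccache(). */`. The enclosing function begins and ends outside the hunk. If session_krb5_use_ccache() does not manage to resolve a cache, s->authctxt->krb5_fwd_ccache can still be NULL when it reaches krb5_afslog() and krb5_afslog_home() on lines 91 and 96 (how the library treats a NULL cache is not visible here), so testing `s->authctxt->krb5_fwd_ccache != NULL` together with the krb5_ctx test on line 78 would make the intended precondition explicit rather than implicit. k_setpag() on line 85 is now reached before it is known whether any usable credentials exist; that is unchanged from the old code but worth a one-line comment now that the condition is looser.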




