[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Douglas E. Engert
deengert at anl.gov
Fri Feb 27 23:21:33 EST 2004
Sergio Gelato wrote:
>
> Here is a patch I just wrote and tested which may be of interest to
> those who wish to use KerberosGetAFSToken (currently requires Heimdal
> libkafs) in combination with GSSAPIDelegateCredentials. The patch is
> in the public domain and comes with no warranty whatsoever. Applies
> to pristine 3.8p1. Works for me on Solaris and Tru64.
>
> I'd probably have used Doug Engert's patch from 2004-01-30 if Heimdal's
> afslog command supported -setpag; although to be honest I don't really
> like the idea of children being able to change their parent's PAG.

I have backed off on using the -setpag option, and added syscall(setpag...)
code to the get_afs_token routine. I am also looking at making this a
dynamic link, which would mean it could work with any Kerberos, would not
require kafs, and could always be compiled in and run on a system with or
without AFS.
>
> * modified files
>
> ./auth-krb5.c
> ./auth.h
> ./session.c
>
> * file diffs
>
> --- orig/auth-krb5.c
> +++ mod/auth-krb5.c
> @@ -199,6 +199,25 @@
> return (1);
> }
>
> +/*
> + * Mainly useful with GSSAPI Kerberos 5 forwarded credentials.
> + * Called after we have setuid to the user.
> + */
> +void
> +session_krb5_use_ccache(Authctxt *authctxt)
> +{
> + char *ccname;
> + debug("session_krb5_use_ccache called");
> + if (authctxt->krb5_fwd_ccache)
> + return;
> + ccname = getenv("KRB5CCNAME");
> + if (!ccname)
> + return;
> + debug("using ccname=%.100s", ccname);
> + if (krb5_init(authctxt))
> + return;
> + krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);}
> +
> void
> krb5_cleanup_proc(Authctxt *authctxt)
> {
>
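Review bot: the return value of krb5_cc_resolve() at the end of session_krb5_use_ccache() is discarded, so a bad or unreadable KRB5CCNAME leaves authctxt->krb5_fwd_ccache in an unknown state (NULL or unset) while krb5_ctx has just been initialised by krb5_init(); the session.c caller tests only krb5_ctx before handing krb5_fwd_ccache to krb5_afslog(). Suggest checking the result, e.g. `if (krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache) != 0) { debug("krb5_cc_resolve failed"); authctxt->krb5_fwd_ccache = NULL; }`. Since the function reads KRB5CCNAME from the process environment after the setuid to the user, the header comment should also say where that variable is expected to come from so a reviewer can confirm it is not user-controlled at that point. Minor: the closing brace fused onto the krb5_cc_resolve line belongs on its own line to match the surrounding style.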
> --- orig/auth.h
> +++ mod/auth.h
> @@ -120,6 +120,7 @@
> int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
> int auth_krb5_password(Authctxt *authctxt, const char *password);
> void krb5_cleanup_proc(Authctxt *authctxt);
> +void session_krb5_use_ccache(Authctxt *authctxt);
> #endif /* KRB5 */
>
> #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
>
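Review bot: the prototype is placed inside the KRB5 block next to krb5_cleanup_proc(), which matches the definition in auth-krb5.c; make sure the new call in session.c sits under the same KRB5 conditional (and the existing AFS one) so builds without Kerberos still compile and link.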
> --- orig/session.c
> +++ mod/session.c
> @@ -1462,20 +1462,22 @@
> * home directory is in AFS and it's not world-readable.
> */
>
> - if (options.kerberos_get_afs_token && k_hasafs() &&
> - (s->authctxt->krb5_ctx != NULL)) {
> - char cell[64];
> + if (options.kerberos_get_afs_token && k_hasafs()) {
> + session_krb5_use_ccache(s->authctxt);
> + if (s->authctxt->krb5_ctx != NULL) {
> + char cell[64];
>
> - debug("Getting AFS token");
> + debug("Getting AFS token");
>
> - k_setpag();
> + k_setpag();
>
> - if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
> - krb5_afslog(s->authctxt->krb5_ctx,
> - s->authctxt->krb5_fwd_ccache, cell, NULL);
> + if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
> + krb5_afslog(s->authctxt->krb5_ctx,
> + s->authctxt->krb5_fwd_ccache, cell, NULL);
>
> - krb5_afslog_home(s->authctxt->krb5_ctx,
> - s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
> + krb5_afslog_home(s->authctxt->krb5_ctx,
> + s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
> + }
> }
> #endif
>
>
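Review bot: the inner condition still tests only krb5_ctx != NULL; after session_krb5_use_ccache() the context can be initialised while krb5_fwd_ccache is still NULL (no KRB5CCNAME in the environment, or krb5_cc_resolve() failed), and krb5_afslog() and krb5_afslog_home() are then called with a NULL cache. Suggest `if (s->authctxt->krb5_ctx != NULL && s->authctxt->krb5_fwd_ccache != NULL) {` so the token fetch is skipped cleanly in that case. Also, because the whole body is reindented one level, most of this hunk is whitespace-only churn; keeping the original indentation, or splitting the reindent into a separate change, would make the functional change (the added session_krb5_use_ccache() call and the new nesting) much easier to review.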
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444