patch for OSX

Williams, Nick Nick.Williams at morganstanley.com
Sun Apr 1 21:45:25 EST 2012


Bah, sorry about that. Inline...

From 4d0c46a8f89bbd3778e4e664cfb94476bc5a770c Mon Sep 17 00:00:00 2001
From: Nick Williams <Nick.Williams at morganstanley.com>
Date: Wed, 28 Mar 2012 12:48:27 +0100
Subject: [PATCH] fix for incorrect boolean logic in OD code (OSX)

The opendirectory lookups in gss-serv-krb5.c, used for OS X, had
reversed boolean logic, meaning that the code would fail if ever
the OD lookup or the group membership calls returned success.
Obviously this is wrong, but even more so, the log messages were
a bit sparse, so it was hard to see why the PAM call was being
rejected. This commit fixes the logic and adds in some extra log
messages in the case of failure.
---
 gss-serv-krb5.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index ae4ee1c..879c76a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -91,26 +91,29 @@ od_kuserok(krb5_context context, krb5_principal principal, const char *luser)
        uuid_t krb_uuid, un_uuid;

        ret = krb5_unparse_name(context, principal, &kprinc);
-       if (!ret) {
+       if (ret) {
                logit("od_kuserok - krb5_unparse_name failed: %d", ret);
                goto error;
        }

        ret = mbr_identifier_to_uuid(ID_TYPE_USERNAME, luser, strlen(luser), un_uuid);
-       if (!ret) {
-               logit("od_kuserok - mbr_identifier_to_uuid: %d", ret);
+       if (ret) {
+               logit("od_kuserok - mbr_identifier_to_uuid(%s) failed: %d", luser, ret);
                goto error;
        }

        ret = mbr_identifier_to_uuid(ID_TYPE_KERBEROS, kprinc, strlen(kprinc), krb_uuid);
-       if (!ret) {
+       if (ret) {
+                logit("od_kuserok - mbr_id_to_uuid(%s) failed: %d", kprinc, ret);
                goto error;
        }

        ret = uuid_compare(krb_uuid, un_uuid);
        if (0 == ret)  {
                retval = TRUE;
-       }
+       } else {
+               logit("od_kuserok - uuids do not match, refusing");
+        }

 error:
        if (kprinc)
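Review bot: the commit message undersells what the inverted tests did, and that is worth recording in the log. With the old "if (!ret)" checks, a failing mbr_identifier_to_uuid() (non-zero return) did not "goto error"; execution carried on to uuid_compare(krb_uuid, un_uuid) with one or both of the stack uuid_t buffers never written, so a pair of failed lookups did not merely reject a valid user, it compared indeterminate memory and could in principle set retval = TRUE. The new early exits are what make the compare reachable only after both lookups succeeded, so please say so in the message, and keep that structure if the function is touched again. Two smaller points in the same hunk: the new message "od_kuserok - mbr_id_to_uuid(%s) failed: %d" abbreviates the function name while the line above spells out "mbr_identifier_to_uuid(%s)"; use the real name in both so the two failures can be told apart by grep. The indentation of that logit() line and of the closing brace after the new "else" branch does not match the surrounding block (spaces where the rest of the function uses the file's existing indent).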
--
1.7.10-rc2


> -----Original Message-----
> From: Darren Tucker [mailto:dtucker at zip.com.au]
> Sent: 30 March 2012 01:59
> To: Williams, Nick (Enterprise Infrastructure)
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: patch for OSX
> 
> On Wed, Mar 28, 2012 at 01:01:51PM +0100, Williams, Nick wrote:
> > Attached is a patch to make sshd work on OSX when using plain ol'
> > Kerberos authentication as opposed to opendirectory authentication.
> 
> Unfortunately your diff didn't make it to the list (it strips any
> attachments that aren't plain text).  Please resend as text or inline,
> or open a bug at https://bugzilla.mindrot.org and attach it there.
> 
> Thanks.
> 
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

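To make the bug in the commit message concrete, here is an added example, not part of the mail or of OpenSSH: a stand-alone C model of od_kuserok() with the pre-patch "if (!ret)" tests next to the corrected "if (ret)" tests. krb5_unparse_name(), mbr_identifier_to_uuid() and uuid_compare() all return 0 on success or equality, which is the convention the patch relies on; they are replaced here by a constructed in-memory lookup table (lookup_uuid() and the directory[] entries are invented for the example) so it compiles anywhere without Kerberos or OpenDirectory. The buggy variant zeroes its uuid buffers so the fall-through path is deterministic; the real code left them uninitialised.

```c
/*
 * Added example, not OpenSSH code: a self-contained model of the
 * od_kuserok() status-check bug fixed by the patch above. The real
 * function calls krb5_unparse_name(), mbr_identifier_to_uuid() and
 * uuid_compare(), all of which return 0 on success (or on equality) and
 * non-zero otherwise. Those calls are stood in for by a constructed
 * in-memory table so the code runs on any platform.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define UUID_LEN 16
typedef unsigned char uuid16[UUID_LEN];

/* Constructed directory (made up for this example). A local login and a
 * Kerberos principal that belong to the same account share a UUID; each
 * account's UUID is modelled as a repeating byte pattern. */
struct dir_entry { const char *name; unsigned char id; };
static const struct dir_entry directory[] = {
    { "alice",               0xa1 },
    { "alice@EXAMPLE.COM",   0xa1 },
    { "mallory",             0xb2 },
    { "mallory@EXAMPLE.COM", 0xb2 },
};

/* Stand-in for mbr_identifier_to_uuid(): 0 on success, an errno value
 * on failure, exactly the convention the patch relies on. */
static int lookup_uuid(const char *name, uuid16 out)
{
    size_t i;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++) {
        if (strcmp(directory[i].name, name) == 0) {
            memset(out, directory[i].id, UUID_LEN);
            return 0;
        }
    }
    return ENOENT;
}

/* Post-patch logic: any non-zero status is a failure and bails out, so
 * the compare is reached only when both buffers have been written. */
int kuserok_fixed(const char *kprinc, const char *luser)
{
    uuid16 krb_uuid, un_uuid;
    int ret, retval = 0;

    ret = lookup_uuid(luser, un_uuid);
    if (ret) {
        fprintf(stderr, "od_kuserok - lookup(%s) failed: %d\n", luser, ret);
        goto error;
    }
    ret = lookup_uuid(kprinc, krb_uuid);
    if (ret) {
        fprintf(stderr, "od_kuserok - lookup(%s) failed: %d\n", kprinc, ret);
        goto error;
    }
    if (memcmp(krb_uuid, un_uuid, UUID_LEN) == 0)
        retval = 1;
    else
        fprintf(stderr, "od_kuserok - uuids do not match, refusing\n");
error:
    return retval;
}

/* Pre-patch logic with the inverted tests ("if (!ret)"). The real code
 * left the uuid buffers uninitialised; they are zeroed here purely so the
 * fall-through path is deterministic and its effect can be asserted. */
int kuserok_buggy(const char *kprinc, const char *luser)
{
    uuid16 krb_uuid = { 0 }, un_uuid = { 0 };
    int ret, retval = 0;

    ret = lookup_uuid(luser, un_uuid);
    if (!ret)                       /* success mistaken for failure */
        goto error;
    ret = lookup_uuid(kprinc, krb_uuid);
    if (!ret)
        goto error;
    /* Reached only when BOTH lookups failed: compares untouched buffers. */
    if (memcmp(krb_uuid, un_uuid, UUID_LEN) == 0)
        retval = 1;
error:
    return retval;
}

int main(void)
{
    printf("fixed  alice@EXAMPLE.COM   -> alice : %d\n", kuserok_fixed("alice@EXAMPLE.COM", "alice"));
    printf("fixed  mallory@EXAMPLE.COM -> alice : %d\n", kuserok_fixed("mallory@EXAMPLE.COM", "alice"));
    printf("buggy  alice@EXAMPLE.COM   -> alice : %d\n", kuserok_buggy("alice@EXAMPLE.COM", "alice"));
    printf("buggy  nobody@EXAMPLE.COM  -> nobody: %d\n", kuserok_buggy("nobody@EXAMPLE.COM", "nobody"));
    return 0;
}
```

The fixed variant admits alice only when both names resolve to the same UUID and refuses on any lookup failure; the buggy variant refuses the valid alice pairing, and for a name that fails both lookups it falls through to the compare, which in this model comes out equal. With real uninitialised stack buffers that outcome is indeterminate rather than reliably one way or the other, which is why the early exits matter more than the commit message lets on.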

