Commit 49aaf4ad authored by Darren Tucker's avatar Darren Tucker

- (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h

   configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
   sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
parent 0efd155c
......@@ -10,6 +10,9 @@
ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.
- (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
20030825
- (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
......@@ -882,4 +885,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $
$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $
# $Id: Makefile.in,v 1.240 2003/08/02 13:51:38 dtucker Exp $
# $Id: Makefile.in,v 1.241 2003/08/26 01:58:16 dtucker Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
......@@ -68,7 +68,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
key.o dispatch.o kex.o mac.o uuencode.o misc.o \
rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
entropy.o scard-opensc.o
entropy.o scard-opensc.o gss-genr.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o
......@@ -82,6 +82,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
kexdhs.o kexgexs.o \
auth-krb5.o auth2-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-sia.o md5crypt.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
......
/* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */
/* $Id: acconfig.h,v 1.162 2003/08/26 01:58:16 dtucker Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
......@@ -232,6 +232,9 @@
/* Define if compiler implements __func__ */
#undef HAVE___func__
/* Define this is you want GSSAPI support in the version 2 protocol */
#undef GSSAPI
/* Define if you want Kerberos 5 support */
#undef KRB5
......
......@@ -42,9 +42,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
#ifdef KRB5
#include <krb5.h>
#ifndef HEIMDAL
#define krb5_get_err_text(context,code) error_message(code)
#endif /* !HEIMDAL */
extern ServerOptions options;
......
......@@ -31,7 +31,7 @@
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h"
RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $");
RCSID("$Id: auth-pam.c,v 1.68 2003/08/26 01:58:16 dtucker Exp $");
#ifdef USE_PAM
#include <security/pam_appl.h>
......@@ -650,6 +650,29 @@ do_pam_chauthtok(void)
pam_strerror(sshpam_handle, sshpam_err));
}
/*
* Set a PAM environment string. We need to do this so that the session
* modules can handle things like Kerberos/GSI credentials that appear
* during the ssh authentication process.
*/
int
do_pam_putenv(char *name, char *value)
{
char *compound;
int ret = 1;
#ifdef HAVE_PAM_PUTENV
compound = xmalloc(strlen(name)+strlen(value)+2);
if (compound) {
sprintf(compound,"%s=%s",name,value);
ret = pam_putenv(sshpam_handle,compound);
xfree(compound);
}
#endif
return (ret);
}
void
print_pam_messages(void)
{
......
/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */
/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */
/*
* Copyright (c) 2000 Damien Miller. All rights reserved.
......@@ -38,6 +38,7 @@ void do_pam_session(const char *, const char *);
void do_pam_setcred(int );
int is_pam_password_change_required(void);
void do_pam_chauthtok(void);
int do_pam_putenv(char *, char *);
void print_pam_messages(void);
char ** fetch_pam_environment(void);
void free_pam_environment(char **);
......
# $Id: configure.ac,v 1.142 2003/08/25 03:27:40 dtucker Exp $
# $Id: configure.ac,v 1.143 2003/08/26 01:58:16 dtucker Exp $
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
......@@ -831,6 +831,7 @@ AC_ARG_WITH(pam,
AC_CHECK_LIB(dl, dlopen, , )
AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
AC_CHECK_FUNCS(pam_getenvlist)
AC_CHECK_FUNCS(pam_putenv)
disable_shadow=yes
PAM_MSG="yes"
......@@ -1946,6 +1947,31 @@ AC_ARG_WITH(kerberos5,
fi
AC_SEARCH_LIBS(dn_expand, resolv)
AC_CHECK_LIB(gssapi,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)
K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)
K5LIBS="-lgssapi_krb5 $K5LIBS" ],
AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
$K5LIBS)
],
$K5LIBS)
AC_CHECK_HEADER(gssapi.h, ,
[ unset ac_cv_header_gssapi_h
CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
AC_CHECK_HEADERS(gssapi.h, ,
AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
)
]
)
oldCPP="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
AC_CHECK_HEADER(gssapi_krb5.h, ,
[ CPPFLAGS="$oldCPP" ])
KRB5=yes
fi
]
......
......@@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */
/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */
/* Constants */
......@@ -521,6 +521,10 @@ struct winsize {
# define __func__ ""
#endif
#if defined(KRB5) && !defined(HEIMDAL)
# define krb5_get_err_text(context,code) error_message(code)
#endif
/*
* Define this to use pipes instead of socketpairs for communicating with the
* client program. Socketpairs do not seem to work on all systems.
......
......@@ -38,7 +38,11 @@
extern ServerOptions options;
#ifdef HEIMDAL
#include <krb5.h>
#else
#include <gssapi_krb5.h>
#endif
static krb5_context krb_context = NULL;
......@@ -113,11 +117,39 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
#else
{
int tmpfd;
char ccname[40];
snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
return;
}
if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
return;
}
close(tmpfd);
if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
logit("krb5_cc_resolve(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
......@@ -148,6 +180,11 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar,client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
......
......@@ -418,6 +418,12 @@ do_exec_no_pty(Session *s, const char *command)
session_proctitle(s);
#ifdef GSSAPI
temporarily_use_uid(s->pw);
ssh_gssapi_storecreds();
restore_uid();
#endif
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_session(s->pw->pw_name, NULL);
......@@ -428,12 +434,6 @@ do_exec_no_pty(Session *s, const char *command)
}
#endif /* USE_PAM */
#ifdef GSSAPI
temporarily_use_uid(s->pw);
ssh_gssapi_storecreds();
restore_uid();
#endif
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
......@@ -553,6 +553,12 @@ do_exec_pty(Session *s, const char *command)
ptyfd = s->ptyfd;
ttyfd = s->ttyfd;
#ifdef GSSAPI
temporarily_use_uid(s->pw);
ssh_gssapi_storecreds();
restore_uid();
#endif
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_session(s->pw->pw_name, s->tty);
......@@ -560,12 +566,6 @@ do_exec_pty(Session *s, const char *command)
}
#endif
#ifdef GSSAPI
temporarily_use_uid(s->pw);
ssh_gssapi_storecreds();
restore_uid();
#endif
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
......
......@@ -31,6 +31,18 @@
#include <gssapi.h>
#ifdef KRB5
#ifndef HEIMDAL
#include <gssapi_generic.h>
/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
#ifndef GSS_C_NT_HOSTBASED_SERVICE
#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
#endif /* GSS_C_NT_... */
#endif /* !HEIMDAL */
#endif /* KRB5 */
/* draft-ietf-secsh-gsskeyex-06 */
#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
......
......@@ -20,9 +20,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
#ifdef KRB5
#include <krb5.h>
#ifndef HEIMDAL
#define krb5_get_err_text(context,code) error_message(code)
#endif /* !HEIMDAL */
#endif
#include "ssh.h"
......
......@@ -27,9 +27,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $");
#ifdef KRB5
#include <krb5.h>
#ifndef HEIMDAL
#define krb5_get_err_text(context,code) error_message(code)
#endif /* !HEIMDAL */
#endif
#include "openbsd-compat/sys-queue.h"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment