- (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]

   Bug #1583: Use system's kerberos principal name on AIX if it's available.
   Based on a patch from and tested by Miguel Sanders.

6 files changed, 59 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index 7f95697f4..677a6af1e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20091221
+ - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
+   Bug #1583: Use system's kerberos principal name on AIX if it's available.
+   Based on a patch from and tested by Miguel Sanders 
+
 20091208
  - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
    based on a patch from Vaclav Ovsik and Colin Watson.  ok djm.
diff --git a/auth-krb5.c b/auth-krb5.c
index 868288126..d019fe202 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -78,6 +78,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         krb5_error_code problem;
         krb5_ccache ccache = NULL;
         int len;
+        char *client, *platform_client;
+
+        /* get platform-specific kerberos client principal name (if it exists) */
+        platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
+        client = platform_client ? platform_client : authctxt->pw->pw_name;
 
         temporarily_use_uid(authctxt->pw);
 
@@ -85,7 +90,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         if (problem)
                 goto out;
 
-        problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
+        problem = krb5_parse_name(authctxt->krb5_ctx, client,
                     &authctxt->krb5_user);
         if (problem)
                 goto out;
@@ -141,8 +146,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         if (problem)
                 goto out;
 
-        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-                          authctxt->pw->pw_name)) {
+        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
                 problem = -1;
                 goto out;
         }
@@ -176,6 +180,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
  out:
         restore_uid();
+        
+        if (platform_client != NULL)
+                xfree(platform_client);
 
         if (problem) {
                 if (ccache)
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index d9c0876f3..0bdefbf6d 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -374,6 +374,31 @@ aix_restoreauthdb(void)
 
 # endif /* WITH_AIXAUTHENTICATE */
 
+# ifdef USE_AIX_KRB_NAME
+/*
+ * aix_krb5_get_principal_name: returns the user's kerberos client principal name if
+ * configured, otherwise NULL.  Caller must free returned string.
+ */
+char *
+aix_krb5_get_principal_name(char *pw_name)
+{
+        char *authname = NULL, *authdomain = NULL, *principal = NULL;
+
+        setuserdb(S_READ);
+        if (getuserattr(pw_name, S_AUTHDOMAIN, &authdomain, SEC_CHAR) != 0)
+                debug("AIX getuserattr S_AUTHDOMAIN: %s", strerror(errno));
+        if (getuserattr(pw_name, S_AUTHNAME, &authname, SEC_CHAR) != 0)
+                debug("AIX getuserattr S_AUTHNAME: %s", strerror(errno));
+
+        if (authdomain != NULL)
+                xasprintf(&principal, "%s@%s", authname ? authname : pw_name, authdomain);
+        else if (authname != NULL)
+                principal = xstrdup(authname);
+        enduserdb();
+        return principal;
+}
+# endif /* USE_AIX_KRB_NAME */
+
 # if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO)
 # undef getnameinfo
 /*
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 3ac76ae15..53e4e88a0 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.32 2009/12/20 23:49:22 dtucker Exp $ */
 
 /*
  *
@@ -95,6 +95,10 @@ int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
 # define CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
 char *sys_auth_get_lastlogin_msg(const char *, uid_t);
 # define CUSTOM_FAILED_LOGIN 1
+# if defined(S_AUTHDOMAIN)  && defined (S_AUTHNAME)
+# define USE_AIX_KRB_NAME
+char *aix_krb5_get_principal_name(char *);
+# endif
 #endif
 
 void aix_setauthdb(const char *);
diff --git a/platform.c b/platform.c
index 2dc4352f4..e3a428aaa 100644
--- a/platform.c
+++ b/platform.c
@@ -1,4 +1,4 @@
-/* $Id: platform.c,v 1.2 2009/12/08 02:39:48 dtucker Exp $ */
+/* $Id: platform.c,v 1.3 2009/12/20 23:49:22 dtucker Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker.  All rights reserved.
@@ -56,3 +56,13 @@ platform_post_fork_child(void)
         oom_adjust_restore();
 #endif
 }
+
+char *
+platform_krb5_get_principal_name(const char *pw_name)
+{
+#ifdef USE_AIX_KRB_NAME
+        return aix_krb5_get_principal_name(pw_name);
+#else
+        return NULL;
+#endif
+}
diff --git a/platform.h b/platform.h
index 8a34e364e..07ae3ad85 100644
--- a/platform.h
+++ b/platform.h
@@ -1,4 +1,4 @@
-/* $Id: platform.h,v 1.2 2009/12/08 02:39:48 dtucker Exp $ */
+/* $Id: platform.h,v 1.3 2009/12/20 23:49:22 dtucker Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker.  All rights reserved.
@@ -22,3 +22,5 @@ void platform_pre_listen(void);
 void platform_pre_fork(void);
 void platform_post_fork_parent(pid_t child_pid);
 void platform_post_fork_child(void);
+char * platform_get_krb5_client(const char *);
+