-rw-r--r--ChangeLog5
-rw-r--r--Makefile.in5
-rw-r--r--acconfig.h5
-rw-r--r--auth-krb5.c3
-rw-r--r--auth-pam.c25
-rw-r--r--auth-pam.h3
-rw-r--r--configure.ac28
-rw-r--r--defines.h6
-rw-r--r--gss-serv-krb5.c37
-rw-r--r--session.c24
-rw-r--r--ssh-gss.h12
-rw-r--r--sshconnect1.c3
-rw-r--r--sshconnect2.c3
13 files changed, 130 insertions, 29 deletions
diff --git a/ChangeLog b/ChangeLog
index 142af1b06..042334b01 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,9 @@
10 ssh_config.5 sshconnect2.c sshd_config sshd_config.5] 10 ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
11 support GSS API user authentication; patches from Simon Wilkinson, 11 support GSS API user authentication; patches from Simon Wilkinson,
12 stripped down and tested by Jakob and myself. 12 stripped down and tested by Jakob and myself.
13 - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
14 configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
15 sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
13 16
1420030825 1720030825
15 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from 18 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
@@ -882,4 +885,4 @@
882 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. 885 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
883 Report from murple@murple.net, diagnosis from dtucker@zip.com.au 886 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
884 887
885$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $ 888$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index cffefece6..eba34f341 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.240 2003/08/02 13:51:38 dtucker Exp $ 1# $Id: Makefile.in,v 1.241 2003/08/26 01:58:16 dtucker Exp $
2 2
3# uncomment if you run a non bourne compatable shell. Ie. csh 3# uncomment if you run a non bourne compatable shell. Ie. csh
4#SHELL = @SH@ 4#SHELL = @SH@
@@ -68,7 +68,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
68 key.o dispatch.o kex.o mac.o uuencode.o misc.o \ 68 key.o dispatch.o kex.o mac.o uuencode.o misc.o \
69 rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ 69 rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
70 kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ 70 kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
71 entropy.o scard-opensc.o 71 entropy.o scard-opensc.o gss-genr.o
72 72
73SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ 73SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
74 sshconnect.o sshconnect1.o sshconnect2.o 74 sshconnect.o sshconnect1.o sshconnect2.o
@@ -82,6 +82,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
82 monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ 82 monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
83 kexdhs.o kexgexs.o \ 83 kexdhs.o kexgexs.o \
84 auth-krb5.o auth2-krb5.o \ 84 auth-krb5.o auth2-krb5.o \
85 auth2-gss.o gss-serv.o gss-serv-krb5.o \
85 loginrec.o auth-pam.o auth-sia.o md5crypt.o 86 loginrec.o auth-pam.o auth-sia.o md5crypt.o
86 87
87MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out 88MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
diff --git a/acconfig.h b/acconfig.h
index 0e04c65b2..c83a45619 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
1/* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */ 1/* $Id: acconfig.h,v 1.162 2003/08/26 01:58:16 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -232,6 +232,9 @@
232/* Define if compiler implements __func__ */ 232/* Define if compiler implements __func__ */
233#undef HAVE___func__ 233#undef HAVE___func__
234 234
235/* Define this is you want GSSAPI support in the version 2 protocol */
236#undef GSSAPI
237
235/* Define if you want Kerberos 5 support */ 238/* Define if you want Kerberos 5 support */
236#undef KRB5 239#undef KRB5
237 240
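Review bot: The new comment at new line 235 reads `Define this is you want GSSAPI support in the version 2 protocol`; "is" should be "if", i.e. `/* Define this if you want GSSAPI support in the version 2 protocol */`. Since acconfig.h text is copied verbatim into the generated config.h.in, the typo propagates to every config.h produced from it.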
diff --git a/auth-krb5.c b/auth-krb5.c
index b04c6649b..b9eeb5ba6 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -42,9 +42,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
42#ifdef KRB5 42#ifdef KRB5
43 43
44#include <krb5.h> 44#include <krb5.h>
45#ifndef HEIMDAL
46#define krb5_get_err_text(context,code) error_message(code)
47#endif /* !HEIMDAL */
48 45
49extern ServerOptions options; 46extern ServerOptions options;
50 47
diff --git a/auth-pam.c b/auth-pam.c
index c0b6ded12..08b88f0dd 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
31 31
32/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ 32/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
33#include "includes.h" 33#include "includes.h"
34RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $"); 34RCSID("$Id: auth-pam.c,v 1.68 2003/08/26 01:58:16 dtucker Exp $");
35 35
36#ifdef USE_PAM 36#ifdef USE_PAM
37#include <security/pam_appl.h> 37#include <security/pam_appl.h>
@@ -650,6 +650,29 @@ do_pam_chauthtok(void)
650 pam_strerror(sshpam_handle, sshpam_err)); 650 pam_strerror(sshpam_handle, sshpam_err));
651} 651}
652 652
653/*
654 * Set a PAM environment string. We need to do this so that the session
655 * modules can handle things like Kerberos/GSI credentials that appear
656 * during the ssh authentication process.
657 */
658
659int
660do_pam_putenv(char *name, char *value)
661{
662 char *compound;
663 int ret = 1;
664
665#ifdef HAVE_PAM_PUTENV
666 compound = xmalloc(strlen(name)+strlen(value)+2);
667 if (compound) {
668 sprintf(compound,"%s=%s",name,value);
669 ret = pam_putenv(sshpam_handle,compound);
670 xfree(compound);
671 }
672#endif
673 return (ret);
674}
675
653void 676void
654print_pam_messages(void) 677print_pam_messages(void)
655{ 678{
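Review bot: In do_pam_putenv() (new lines 659-674) the `if (compound)` guard is dead: xmalloc() in this tree fatal()s on allocation failure rather than returning NULL, so the guard only obscures the fact that the unchecked `sprintf` into an exactly-sized buffer is the line that matters. Computing the length once and passing it to snprintf() makes the bound explicit and ties the format to the allocation. The function also returns 1 rather than PAM_SUCCESS when HAVE_PAM_PUTENV is undefined, and its only caller in gss-serv-krb5.c discards the return value, so a failed pam_putenv() is never logged; a `debug()` on non-PAM_SUCCESS inside the function would surface it.
```c
int
do_pam_putenv(char *name, char *value)
{
	char *compound;
	size_t len;
	int ret = 1;

#ifdef HAVE_PAM_PUTENV
	len = strlen(name) + strlen(value) + 2;
	compound = xmalloc(len);
	snprintf(compound, len, "%s=%s", name, value);
	ret = pam_putenv(sshpam_handle, compound);
	if (ret != PAM_SUCCESS)
		debug("PAM: pam_putenv failed: %s",
		    pam_strerror(sshpam_handle, ret));
	xfree(compound);
#endif
	return (ret);
}
```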
diff --git a/auth-pam.h b/auth-pam.h
index 7f7c16d2e..03868312c 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
1/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */ 1/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Damien Miller. All rights reserved. 4 * Copyright (c) 2000 Damien Miller. All rights reserved.
@@ -38,6 +38,7 @@ void do_pam_session(const char *, const char *);
38void do_pam_setcred(int ); 38void do_pam_setcred(int );
39int is_pam_password_change_required(void); 39int is_pam_password_change_required(void);
40void do_pam_chauthtok(void); 40void do_pam_chauthtok(void);
41int do_pam_putenv(char *, char *);
41void print_pam_messages(void); 42void print_pam_messages(void);
42char ** fetch_pam_environment(void); 43char ** fetch_pam_environment(void);
43void free_pam_environment(char **); 44void free_pam_environment(char **);
diff --git a/configure.ac b/configure.ac
index 600155ccd..bbc00e703 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.142 2003/08/25 03:27:40 dtucker Exp $ 1# $Id: configure.ac,v 1.143 2003/08/26 01:58:16 dtucker Exp $
2 2
3AC_INIT 3AC_INIT
4AC_CONFIG_SRCDIR([ssh.c]) 4AC_CONFIG_SRCDIR([ssh.c])
@@ -831,6 +831,7 @@ AC_ARG_WITH(pam,
831 AC_CHECK_LIB(dl, dlopen, , ) 831 AC_CHECK_LIB(dl, dlopen, , )
832 AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) 832 AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
833 AC_CHECK_FUNCS(pam_getenvlist) 833 AC_CHECK_FUNCS(pam_getenvlist)
834 AC_CHECK_FUNCS(pam_putenv)
834 835
835 disable_shadow=yes 836 disable_shadow=yes
836 PAM_MSG="yes" 837 PAM_MSG="yes"
@@ -1946,6 +1947,31 @@ AC_ARG_WITH(kerberos5,
1946 fi 1947 fi
1947 AC_SEARCH_LIBS(dn_expand, resolv) 1948 AC_SEARCH_LIBS(dn_expand, resolv)
1948 1949
1950 AC_CHECK_LIB(gssapi,gss_init_sec_context,
1951 [ AC_DEFINE(GSSAPI)
1952 K5LIBS="-lgssapi $K5LIBS" ],
1953 [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
1954 [ AC_DEFINE(GSSAPI)
1955 K5LIBS="-lgssapi_krb5 $K5LIBS" ],
1956 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
1957 $K5LIBS)
1958 ],
1959 $K5LIBS)
1960
1961 AC_CHECK_HEADER(gssapi.h, ,
1962 [ unset ac_cv_header_gssapi_h
1963 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
1964 AC_CHECK_HEADERS(gssapi.h, ,
1965 AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
1966 )
1967 ]
1968 )
1969
1970 oldCPP="$CPPFLAGS"
1971 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
1972 AC_CHECK_HEADER(gssapi_krb5.h, ,
1973 [ CPPFLAGS="$oldCPP" ])
1974
1949 KRB5=yes 1975 KRB5=yes
1950 fi 1976 fi
1951 ] 1977 ]
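Review bot: AC_DEFINE(GSSAPI) fires as soon as a library exporting gss_init_sec_context is found (new lines 1950-1959), before the gssapi.h probe at 1961-1968, which only warns on failure; the result can be a configuration with GSSAPI defined that cannot compile the `#include <gssapi.h>` in ssh-gss.h. Defining GSSAPI only after the header is found, or turning the header warning into an AC_MSG_ERROR once the library has been detected, fails the configure step instead of the build. The fallback branch of the header probe also appends `-I${KRB5ROOT}/include/gssapi` to CPPFLAGS permanently, and the gssapi_krb5.h probe at 1970-1973 appends the same path again, so CPPFLAGS can carry the directory twice; harmless, but worth collapsing into one addition. The whole probe appears to sit inside the kerberos5 block, so GSSAPI is never enabled without --with-kerberos5, which would be worth saying in the acconfig.h comment.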
diff --git a/defines.h b/defines.h
index b2ea15d9f..7bff839cc 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
25#ifndef _DEFINES_H 25#ifndef _DEFINES_H
26#define _DEFINES_H 26#define _DEFINES_H
27 27
28/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */ 28/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */
29 29
30 30
31/* Constants */ 31/* Constants */
@@ -521,6 +521,10 @@ struct winsize {
521# define __func__ "" 521# define __func__ ""
522#endif 522#endif
523 523
524#if defined(KRB5) && !defined(HEIMDAL)
525# define krb5_get_err_text(context,code) error_message(code)
526#endif
527
524/* 528/*
525 * Define this to use pipes instead of socketpairs for communicating with the 529 * Define this to use pipes instead of socketpairs for communicating with the
526 * client program. Socketpairs do not seem to work on all systems. 530 * client program. Socketpairs do not seem to work on all systems.
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index d86872258..f48e09911 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -38,7 +38,11 @@
38 38
39extern ServerOptions options; 39extern ServerOptions options;
40 40
41#ifdef HEIMDAL
41#include <krb5.h> 42#include <krb5.h>
43#else
44#include <gssapi_krb5.h>
45#endif
42 46
43static krb5_context krb_context = NULL; 47static krb5_context krb_context = NULL;
44 48
@@ -113,11 +117,39 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
113 if (ssh_gssapi_krb5_init() == 0) 117 if (ssh_gssapi_krb5_init() == 0)
114 return; 118 return;
115 119
120#ifdef HEIMDAL
116 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { 121 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
117 logit("krb5_cc_gen_new(): %.100s", 122 logit("krb5_cc_gen_new(): %.100s",
118 krb5_get_err_text(krb_context, problem)); 123 krb5_get_err_text(krb_context, problem));
119 return; 124 return;
120 } 125 }
126#else
127 {
128 int tmpfd;
129 char ccname[40];
130
131 snprintf(ccname, sizeof(ccname),
132 "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
133
134 if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
135 logit("mkstemp(): %.100s", strerror(errno));
136 problem = errno;
137 return;
138 }
139 if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
140 logit("fchmod(): %.100s", strerror(errno));
141 close(tmpfd);
142 problem = errno;
143 return;
144 }
145 close(tmpfd);
146 if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
147 logit("krb5_cc_resolve(): %.100s",
148 krb5_get_err_text(krb_context, problem));
149 return;
150 }
151 }
152#endif /* #ifdef HEIMDAL */
121 153
122 if ((problem = krb5_parse_name(krb_context, 154 if ((problem = krb5_parse_name(krb_context,
123 client->exportedname.value, &princ))) { 155 client->exportedname.value, &princ))) {
@@ -148,6 +180,11 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
148 client->store.envvar = "KRB5CCNAME"; 180 client->store.envvar = "KRB5CCNAME";
149 client->store.envval = xstrdup(client->store.filename); 181 client->store.envval = xstrdup(client->store.filename);
150 182
183#ifdef USE_PAM
184 if (options.use_pam)
185 do_pam_putenv(client->store.envvar,client->store.envval);
186#endif
187
151 krb5_cc_close(krb_context, ccache); 188 krb5_cc_close(krb_context, ccache);
152 189
153 return; 190 return;
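Review bot: In the non-HEIMDAL branch of ssh_gssapi_krb5_storecreds() (new lines 127-151) the file created by mkstemp() is never removed when a later step fails: a krb5_cc_resolve() failure at 146-150 returns with the empty 0600 file still in /tmp, and the same holds for the krb5_parse_name() failure right after the hunk and any further error path in the function, whose body continues outside the hunk. Add `unlink(ccname + strlen("FILE:"));` before each such return (or route them through one cleanup label) so a failed login does not leave per-user files behind. The two `problem = errno;` assignments at 136 and 142 read errno after logit()/strerror() may have clobbered it and are dead stores anyway, since the function returns immediately; save errno before logging or drop them. `%d` with geteuid() mismatches the unsigned uid_t; cast to `(u_int)` and use `%u`. The function's tail in the second hunk (new lines 183-186) calls do_pam_putenv() and discards its return value, so a PAM that refuses KRB5CCNAME goes unnoticed.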
diff --git a/session.c b/session.c
index 3593a3ff5..6ba0233e5 100644
--- a/session.c
+++ b/session.c
@@ -418,6 +418,12 @@ do_exec_no_pty(Session *s, const char *command)
418 418
419 session_proctitle(s); 419 session_proctitle(s);
420 420
421#ifdef GSSAPI
422 temporarily_use_uid(s->pw);
423 ssh_gssapi_storecreds();
424 restore_uid();
425#endif
426
421#if defined(USE_PAM) 427#if defined(USE_PAM)
422 if (options.use_pam) { 428 if (options.use_pam) {
423 do_pam_session(s->pw->pw_name, NULL); 429 do_pam_session(s->pw->pw_name, NULL);
@@ -428,12 +434,6 @@ do_exec_no_pty(Session *s, const char *command)
428 } 434 }
429#endif /* USE_PAM */ 435#endif /* USE_PAM */
430 436
431#ifdef GSSAPI
432 temporarily_use_uid(s->pw);
433 ssh_gssapi_storecreds();
434 restore_uid();
435#endif
436
437 /* Fork the child. */ 437 /* Fork the child. */
438 if ((pid = fork()) == 0) { 438 if ((pid = fork()) == 0) {
439 fatal_remove_all_cleanups(); 439 fatal_remove_all_cleanups();
@@ -553,6 +553,12 @@ do_exec_pty(Session *s, const char *command)
553 ptyfd = s->ptyfd; 553 ptyfd = s->ptyfd;
554 ttyfd = s->ttyfd; 554 ttyfd = s->ttyfd;
555 555
556#ifdef GSSAPI
557 temporarily_use_uid(s->pw);
558 ssh_gssapi_storecreds();
559 restore_uid();
560#endif
561
556#if defined(USE_PAM) 562#if defined(USE_PAM)
557 if (options.use_pam) { 563 if (options.use_pam) {
558 do_pam_session(s->pw->pw_name, s->tty); 564 do_pam_session(s->pw->pw_name, s->tty);
@@ -560,12 +566,6 @@ do_exec_pty(Session *s, const char *command)
560 } 566 }
561#endif 567#endif
562 568
563#ifdef GSSAPI
564 temporarily_use_uid(s->pw);
565 ssh_gssapi_storecreds();
566 restore_uid();
567#endif
568
569 /* Fork the child. */ 569 /* Fork the child. */
570 if ((pid = fork()) == 0) { 570 if ((pid = fork()) == 0) {
571 fatal_remove_all_cleanups(); 571 fatal_remove_all_cleanups();
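Review bot: The GSSAPI credential-store block is moved ahead of do_pam_session() in both do_exec_no_pty (new lines 421-425) and do_exec_pty (new lines 556-560), but nothing in the code says why the order matters, and the identical five-line block now appears twice. A comment such as `/* Store GSSAPI credentials before the PAM session is opened so that KRB5CCNAME can be exported to the PAM session modules via do_pam_putenv(). */` above each block would keep a later reordering from silently undoing this fix; factoring the block into a small static helper would leave one place to annotate. Both enclosing functions start and end outside their hunks.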
diff --git a/ssh-gss.h b/ssh-gss.h
index 263e51b94..6b58adb3a 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -31,6 +31,18 @@
31 31
32#include <gssapi.h> 32#include <gssapi.h>
33 33
34#ifdef KRB5
35#ifndef HEIMDAL
36#include <gssapi_generic.h>
37
38/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
39
40#ifndef GSS_C_NT_HOSTBASED_SERVICE
41#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
42#endif /* GSS_C_NT_... */
43#endif /* !HEIMDAL */
44#endif /* KRB5 */
45
34/* draft-ietf-secsh-gsskeyex-06 */ 46/* draft-ietf-secsh-gsskeyex-06 */
35#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 47#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
36#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 48#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
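Review bot: The comment at new line 38 names `GSS_NT_HOSTBASED_SERVICE`, but the macro being supplied at 40-42 is `GSS_C_NT_HOSTBASED_SERVICE`; the two should agree, e.g. `/* MIT Kerberos doesn't seem to define GSS_C_NT_HOSTBASED_SERVICE */`. It is also worth stating that the `gss_nt_service_name` fallback comes from the `<gssapi_generic.h>` header included at 36, since the include is guarded by KRB5 && !HEIMDAL rather than by an explicit MIT check, and a reader may not know which implementation provides that symbol.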
diff --git a/sshconnect1.c b/sshconnect1.c
index 5e1802b10..5935e8b77 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -20,9 +20,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
20 20
21#ifdef KRB5 21#ifdef KRB5
22#include <krb5.h> 22#include <krb5.h>
23#ifndef HEIMDAL
24#define krb5_get_err_text(context,code) error_message(code)
25#endif /* !HEIMDAL */
26#endif 23#endif
27 24
28#include "ssh.h" 25#include "ssh.h"
diff --git a/sshconnect2.c b/sshconnect2.c
index c71ad506b..549853907 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -27,9 +27,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $");
27 27
28#ifdef KRB5 28#ifdef KRB5
29#include <krb5.h> 29#include <krb5.h>
30#ifndef HEIMDAL
31#define krb5_get_err_text(context,code) error_message(code)
32#endif /* !HEIMDAL */
33#endif 30#endif
34 31
35#include "openbsd-compat/sys-queue.h" 32#include "openbsd-compat/sys-queue.h"