-rw-r--r--ChangeLog5
-rw-r--r--servconf.c12
-rw-r--r--servconf.h4
-rw-r--r--session.c28
-rw-r--r--sshd_config3
5 files changed, 47 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index c80577e5a..d325407ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
7 - markus@cvs.openbsd.org 2003/12/22 20:29:55 7 - markus@cvs.openbsd.org 2003/12/22 20:29:55
8 [cipher-3des1.c] 8 [cipher-3des1.c]
9 EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr 9 EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
10 - jakob@cvs.openbsd.org 2003/12/23 16:12:10
11 [servconf.c servconf.h session.c sshd_config]
12 implement KerberosGetAFSToken server option. ok markus@, beck@
10 13
1120031219 1420031219
12 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we 15 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
@@ -1626,4 +1629,4 @@
1626 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. 1629 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
1627 Report from murple@murple.net, diagnosis from dtucker@zip.com.au 1630 Report from murple@murple.net, diagnosis from dtucker@zip.com.au
1628 1631
1629$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $ 1632$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $
diff --git a/servconf.c b/servconf.c
index a6824a863..b832c75b3 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $"); 13RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
14 14
15#include "ssh.h" 15#include "ssh.h"
16#include "log.h" 16#include "log.h"
@@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options)
72 options->kerberos_authentication = -1; 72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1; 73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1; 74 options->kerberos_ticket_cleanup = -1;
75 options->kerberos_get_afs_token = -1;
75 options->gss_authentication=-1; 76 options->gss_authentication=-1;
76 options->gss_cleanup_creds = -1; 77 options->gss_cleanup_creds = -1;
77 options->password_authentication = -1; 78 options->password_authentication = -1;
@@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options)
181 options->kerberos_or_local_passwd = 1; 182 options->kerberos_or_local_passwd = 1;
182 if (options->kerberos_ticket_cleanup == -1) 183 if (options->kerberos_ticket_cleanup == -1)
183 options->kerberos_ticket_cleanup = 1; 184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
184 if (options->gss_authentication == -1) 187 if (options->gss_authentication == -1)
185 options->gss_authentication = 0; 188 options->gss_authentication = 0;
186 if (options->gss_cleanup_creds == -1) 189 if (options->gss_cleanup_creds == -1)
@@ -250,6 +253,7 @@ typedef enum {
250 sPermitRootLogin, sLogFacility, sLogLevel, 253 sPermitRootLogin, sLogFacility, sLogLevel,
251 sRhostsRSAAuthentication, sRSAAuthentication, 254 sRhostsRSAAuthentication, sRSAAuthentication,
252 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 255 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
256 sKerberosGetAFSToken,
253 sKerberosTgtPassing, sChallengeResponseAuthentication, 257 sKerberosTgtPassing, sChallengeResponseAuthentication,
254 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, 258 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
255 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 259 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -301,10 +305,12 @@ static struct {
301 { "kerberosauthentication", sKerberosAuthentication }, 305 { "kerberosauthentication", sKerberosAuthentication },
302 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, 306 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
303 { "kerberosticketcleanup", sKerberosTicketCleanup }, 307 { "kerberosticketcleanup", sKerberosTicketCleanup },
308 { "kerberosgetafstoken", sKerberosGetAFSToken },
304#else 309#else
305 { "kerberosauthentication", sUnsupported }, 310 { "kerberosauthentication", sUnsupported },
306 { "kerberosorlocalpasswd", sUnsupported }, 311 { "kerberosorlocalpasswd", sUnsupported },
307 { "kerberosticketcleanup", sUnsupported }, 312 { "kerberosticketcleanup", sUnsupported },
313 { "kerberosgetafstoken", sUnsupported },
308#endif 314#endif
309 { "kerberostgtpassing", sUnsupported }, 315 { "kerberostgtpassing", sUnsupported },
310 { "afstokenpassing", sUnsupported }, 316 { "afstokenpassing", sUnsupported },
@@ -630,6 +636,10 @@ parse_flag:
630 intptr = &options->kerberos_ticket_cleanup; 636 intptr = &options->kerberos_ticket_cleanup;
631 goto parse_flag; 637 goto parse_flag;
632 638
639 case sKerberosGetAFSToken:
640 intptr = &options->kerberos_get_afs_token;
641 goto parse_flag;
642
633 case sGssAuthentication: 643 case sGssAuthentication:
634 intptr = &options->gss_authentication; 644 intptr = &options->gss_authentication;
635 goto parse_flag; 645 goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 3cf47bf2f..57c7e5fab 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */ 1/* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -80,6 +80,8 @@ typedef struct {
80 * /etc/passwd */ 80 * /etc/passwd */
81 int kerberos_ticket_cleanup; /* If true, destroy ticket 81 int kerberos_ticket_cleanup; /* If true, destroy ticket
82 * file on logout. */ 82 * file on logout. */
83 int kerberos_get_afs_token; /* If true, try to get AFS token if
84 * authenticated with Kerberos. */
83 int gss_authentication; /* If true, permit GSSAPI authentication */ 85 int gss_authentication; /* If true, permit GSSAPI authentication */
84 int gss_cleanup_creds; /* If true, destroy cred cache on logout */ 86 int gss_cleanup_creds; /* If true, destroy cred cache on logout */
85 int password_authentication; /* If true, permit password 87 int password_authentication; /* If true, permit password
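Review bot: The comment on the new kerberos_get_afs_token field at new lines 83-84 says what the flag does but not its default or when it is consulted; the field is unconditional in the struct while the only code reading it in this commit sits inside #ifdef KRB5 in session.c. Extending it to `/* If true, try to get AFS token if authenticated with Kerberos. Default off; only consulted when built with KRB5. */` would spare readers of the struct the cross-file lookup. The enclosing typedef struct begins and ends outside the hunk.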
diff --git a/session.c b/session.c
index 00f8785f5..03a5ec570 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
33 */ 33 */
34 34
35#include "includes.h" 35#include "includes.h"
36RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $"); 36RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $");
37 37
38#include "ssh.h" 38#include "ssh.h"
39#include "ssh1.h" 39#include "ssh1.h"
@@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command)
1415 */ 1415 */
1416 environ = env; 1416 environ = env;
1417 1417
1418#ifdef KRB5
1419 /*
1420 * At this point, we check to see if AFS is active and if we have
1421 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
1422 * if we can (and need to) extend the ticket into an AFS token. If
1423 * we don't do this, we run into potential problems if the user's
1424 * home directory is in AFS and it's not world-readable.
1425 */
1426
1427 if (options.kerberos_get_afs_token && k_hasafs() &&
1428 (s->authctxt->krb5_ctx != NULL)) {
1429 char cell[64];
1430
1431 debug("Getting AFS token");
1432
1433 k_setpag();
1434
1435 if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
1436 krb5_afslog(s->authctxt->krb5_ctx,
1437 s->authctxt->krb5_fwd_ccache, cell, NULL);
1438
1439 krb5_afslog_home(s->authctxt->krb5_ctx,
1440 s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
1441 }
1442#endif
1443
1418 /* Change current directory to the user\'s home directory. */ 1444 /* Change current directory to the user\'s home directory. */
1419 if (chdir(pw->pw_dir) < 0) { 1445 if (chdir(pw->pw_dir) < 0) {
1420 fprintf(stderr, "Could not chdir to home directory %s: %s\n", 1446 fprintf(stderr, "Could not chdir to home directory %s: %s\n",
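Review bot: The return values of k_setpag(), krb5_afslog() and krb5_afslog_home() at new lines 1433-1440 are discarded, so a failure to obtain the AFS token leaves no trace beyond the preceding "Getting AFS token" debug message, and the first visible symptom is the chdir() failure a few lines later when the home directory lives in AFS. Checking them and logging at debug level would make that diagnosable, e.g. `if (krb5_afslog_home(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir) != 0) debug("krb5_afslog_home failed");` with the same treatment for the krb5_afslog() call and for k_setpag(). The condition at new lines 1427-1428 tests krb5_ctx for NULL but passes krb5_fwd_ccache through unchecked; if the forwarded credential cache can be absent while a context exists, it deserves its own test in the same condition. do_child() begins outside the hunk, so whether the process already runs with the user's credentials when the token is placed into the fresh PAG is not visible here, and the comment block above would be the right place to state that assumption. That comment also says the code checks for "a valid Kerberos 5 TGT" while the condition only checks that a krb5 context exists; `* a Kerberos 5 context left by authentication.` would describe the actual test.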
diff --git a/sshd_config b/sshd_config
index 8dfc772e8..aaa30f4ba 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $ 1# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -61,6 +61,7 @@
61#KerberosAuthentication no 61#KerberosAuthentication no
62#KerberosOrLocalPasswd yes 62#KerberosOrLocalPasswd yes
63#KerberosTicketCleanup yes 63#KerberosTicketCleanup yes
64#KerberosGetAFSToken no
64 65
65# GSSAPI options 66# GSSAPI options
66#GSSAPIAuthentication no 67#GSSAPIAuthentication no