diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | servconf.c | 12 | ||||
| -rw-r--r-- | servconf.h | 4 | ||||
| -rw-r--r-- | session.c | 28 | ||||
| -rw-r--r-- | sshd_config | 3 |
5 files changed, 47 insertions, 5 deletions
| @@ -7,6 +7,9 @@ | |||
| 7 | - markus@cvs.openbsd.org 2003/12/22 20:29:55 | 7 | - markus@cvs.openbsd.org 2003/12/22 20:29:55 |
| 8 | [cipher-3des1.c] | 8 | [cipher-3des1.c] |
| 9 | EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr | 9 | EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr |
| 10 | - jakob@cvs.openbsd.org 2003/12/23 16:12:10 | ||
| 11 | [servconf.c servconf.h session.c sshd_config] | ||
| 12 | implement KerberosGetAFSToken server option. ok markus@, beck@ | ||
| 10 | 13 | ||
| 11 | 20031219 | 14 | 20031219 |
| 12 | - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we | 15 | - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we |
| @@ -1626,4 +1629,4 @@ | |||
| 1626 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. | 1629 | - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. |
| 1627 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au | 1630 | Report from murple@murple.net, diagnosis from dtucker@zip.com.au |
| 1628 | 1631 | ||
| 1629 | $Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $ | 1632 | $Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $ |
diff --git a/servconf.c b/servconf.c index a6824a863..b832c75b3 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include "includes.h" | 12 | #include "includes.h" |
| 13 | RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $"); | 13 | RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $"); |
| 14 | 14 | ||
| 15 | #include "ssh.h" | 15 | #include "ssh.h" |
| 16 | #include "log.h" | 16 | #include "log.h" |
| @@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options) | |||
| 72 | options->kerberos_authentication = -1; | 72 | options->kerberos_authentication = -1; |
| 73 | options->kerberos_or_local_passwd = -1; | 73 | options->kerberos_or_local_passwd = -1; |
| 74 | options->kerberos_ticket_cleanup = -1; | 74 | options->kerberos_ticket_cleanup = -1; |
| 75 | options->kerberos_get_afs_token = -1; | ||
| 75 | options->gss_authentication=-1; | 76 | options->gss_authentication=-1; |
| 76 | options->gss_cleanup_creds = -1; | 77 | options->gss_cleanup_creds = -1; |
| 77 | options->password_authentication = -1; | 78 | options->password_authentication = -1; |
| @@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 181 | options->kerberos_or_local_passwd = 1; | 182 | options->kerberos_or_local_passwd = 1; |
| 182 | if (options->kerberos_ticket_cleanup == -1) | 183 | if (options->kerberos_ticket_cleanup == -1) |
| 183 | options->kerberos_ticket_cleanup = 1; | 184 | options->kerberos_ticket_cleanup = 1; |
| 185 | if (options->kerberos_get_afs_token == -1) | ||
| 186 | options->kerberos_get_afs_token = 0; | ||
| 184 | if (options->gss_authentication == -1) | 187 | if (options->gss_authentication == -1) |
| 185 | options->gss_authentication = 0; | 188 | options->gss_authentication = 0; |
| 186 | if (options->gss_cleanup_creds == -1) | 189 | if (options->gss_cleanup_creds == -1) |
| @@ -250,6 +253,7 @@ typedef enum { | |||
| 250 | sPermitRootLogin, sLogFacility, sLogLevel, | 253 | sPermitRootLogin, sLogFacility, sLogLevel, |
| 251 | sRhostsRSAAuthentication, sRSAAuthentication, | 254 | sRhostsRSAAuthentication, sRSAAuthentication, |
| 252 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, | 255 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
| 256 | sKerberosGetAFSToken, | ||
| 253 | sKerberosTgtPassing, sChallengeResponseAuthentication, | 257 | sKerberosTgtPassing, sChallengeResponseAuthentication, |
| 254 | sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, | 258 | sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
| 255 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 259 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
| @@ -301,10 +305,12 @@ static struct { | |||
| 301 | { "kerberosauthentication", sKerberosAuthentication }, | 305 | { "kerberosauthentication", sKerberosAuthentication }, |
| 302 | { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, | 306 | { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
| 303 | { "kerberosticketcleanup", sKerberosTicketCleanup }, | 307 | { "kerberosticketcleanup", sKerberosTicketCleanup }, |
| 308 | { "kerberosgetafstoken", sKerberosGetAFSToken }, | ||
| 304 | #else | 309 | #else |
| 305 | { "kerberosauthentication", sUnsupported }, | 310 | { "kerberosauthentication", sUnsupported }, |
| 306 | { "kerberosorlocalpasswd", sUnsupported }, | 311 | { "kerberosorlocalpasswd", sUnsupported }, |
| 307 | { "kerberosticketcleanup", sUnsupported }, | 312 | { "kerberosticketcleanup", sUnsupported }, |
| 313 | { "kerberosgetafstoken", sUnsupported }, | ||
| 308 | #endif | 314 | #endif |
| 309 | { "kerberostgtpassing", sUnsupported }, | 315 | { "kerberostgtpassing", sUnsupported }, |
| 310 | { "afstokenpassing", sUnsupported }, | 316 | { "afstokenpassing", sUnsupported }, |
| @@ -630,6 +636,10 @@ parse_flag: | |||
| 630 | intptr = &options->kerberos_ticket_cleanup; | 636 | intptr = &options->kerberos_ticket_cleanup; |
| 631 | goto parse_flag; | 637 | goto parse_flag; |
| 632 | 638 | ||
| 639 | case sKerberosGetAFSToken: | ||
| 640 | intptr = &options->kerberos_get_afs_token; | ||
| 641 | goto parse_flag; | ||
| 642 | |||
| 633 | case sGssAuthentication: | 643 | case sGssAuthentication: |
| 634 | intptr = &options->gss_authentication; | 644 | intptr = &options->gss_authentication; |
| 635 | goto parse_flag; | 645 | goto parse_flag; |
diff --git a/servconf.h b/servconf.h index 3cf47bf2f..57c7e5fab 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -80,6 +80,8 @@ typedef struct { | |||
| 80 | * /etc/passwd */ | 80 | * /etc/passwd */ |
| 81 | int kerberos_ticket_cleanup; /* If true, destroy ticket | 81 | int kerberos_ticket_cleanup; /* If true, destroy ticket |
| 82 | * file on logout. */ | 82 | * file on logout. */ |
| 83 | int kerberos_get_afs_token; /* If true, try to get AFS token if | ||
| 84 | * authenticated with Kerberos. */ | ||
| 83 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 85 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
| 84 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ | 86 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
| 85 | int password_authentication; /* If true, permit password | 87 | int password_authentication; /* If true, permit password |
| @@ -33,7 +33,7 @@ | |||
| 33 | */ | 33 | */ |
| 34 | 34 | ||
| 35 | #include "includes.h" | 35 | #include "includes.h" |
| 36 | RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $"); | 36 | RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $"); |
| 37 | 37 | ||
| 38 | #include "ssh.h" | 38 | #include "ssh.h" |
| 39 | #include "ssh1.h" | 39 | #include "ssh1.h" |
| @@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command) | |||
| 1415 | */ | 1415 | */ |
| 1416 | environ = env; | 1416 | environ = env; |
| 1417 | 1417 | ||
| 1418 | #ifdef KRB5 | ||
| 1419 | /* | ||
| 1420 | * At this point, we check to see if AFS is active and if we have | ||
| 1421 | * a valid Kerberos 5 TGT. If so, it seems like a good idea to see | ||
| 1422 | * if we can (and need to) extend the ticket into an AFS token. If | ||
| 1423 | * we don't do this, we run into potential problems if the user's | ||
| 1424 | * home directory is in AFS and it's not world-readable. | ||
| 1425 | */ | ||
| 1426 | |||
| 1427 | if (options.kerberos_get_afs_token && k_hasafs() && | ||
| 1428 | (s->authctxt->krb5_ctx != NULL)) { | ||
| 1429 | char cell[64]; | ||
| 1430 | |||
| 1431 | debug("Getting AFS token"); | ||
| 1432 | |||
| 1433 | k_setpag(); | ||
| 1434 | |||
| 1435 | if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) | ||
| 1436 | krb5_afslog(s->authctxt->krb5_ctx, | ||
| 1437 | s->authctxt->krb5_fwd_ccache, cell, NULL); | ||
| 1438 | |||
| 1439 | krb5_afslog_home(s->authctxt->krb5_ctx, | ||
| 1440 | s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir); | ||
| 1441 | } | ||
| 1442 | #endif | ||
| 1443 | |||
| 1418 | /* Change current directory to the user\'s home directory. */ | 1444 | /* Change current directory to the user\'s home directory. */ |
| 1419 | if (chdir(pw->pw_dir) < 0) { | 1445 | if (chdir(pw->pw_dir) < 0) { |
| 1420 | fprintf(stderr, "Could not chdir to home directory %s: %s\n", | 1446 | fprintf(stderr, "Could not chdir to home directory %s: %s\n", |
diff --git a/sshd_config b/sshd_config index 8dfc772e8..aaa30f4ba 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $ | 1 | # $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $ |
| 2 | 2 | ||
| 3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
| 4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
| @@ -61,6 +61,7 @@ | |||
| 61 | #KerberosAuthentication no | 61 | #KerberosAuthentication no |
| 62 | #KerberosOrLocalPasswd yes | 62 | #KerberosOrLocalPasswd yes |
| 63 | #KerberosTicketCleanup yes | 63 | #KerberosTicketCleanup yes |
| 64 | #KerberosGetAFSToken no | ||
| 64 | 65 | ||
| 65 | # GSSAPI options | 66 | # GSSAPI options |
| 66 | #GSSAPIAuthentication no | 67 | #GSSAPIAuthentication no |