Diffstat (limited to 'gss-serv-krb5.c')
-rw-r--r-- | gss-serv-krb5.c | 85 |
1 files changed, 78 insertions, 7 deletions
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index a151bc1e4..90f8692f5 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c | |||
@@ -1,7 +1,7 @@ | |||
1 | /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */ | 1 | /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
5 | * | 5 | * |
6 | * Redistribution and use in source and binary forms, with or without | 6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions | 7 | * modification, are permitted provided that the following conditions |
@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |||
120 | krb5_error_code problem; | 120 | krb5_error_code problem; |
121 | krb5_principal princ; | 121 | krb5_principal princ; |
122 | OM_uint32 maj_status, min_status; | 122 | OM_uint32 maj_status, min_status; |
123 | int len; | ||
124 | const char *errmsg; | 123 | const char *errmsg; |
124 | const char *new_ccname; | ||
125 | 125 | ||
126 | if (client->creds == NULL) { | 126 | if (client->creds == NULL) { |
127 | debug("No credentials stored"); | 127 | debug("No credentials stored"); |
@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |||
180 | return; | 180 | return; |
181 | } | 181 | } |
182 | 182 | ||
183 | client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); | 183 | new_ccname = krb5_cc_get_name(krb_context, ccache); |
184 | |||
184 | client->store.envvar = "KRB5CCNAME"; | 185 | client->store.envvar = "KRB5CCNAME"; |
185 | len = strlen(client->store.filename) + 6; | 186 | #ifdef USE_CCAPI |
186 | client->store.envval = xmalloc(len); | 187 | xasprintf(&client->store.envval, "API:%s", new_ccname); |
187 | snprintf(client->store.envval, len, "FILE:%s", client->store.filename); | 188 | client->store.filename = NULL; |
189 | #else | ||
190 | xasprintf(&client->store.envval, "FILE:%s", new_ccname); | ||
191 | client->store.filename = xstrdup(new_ccname); | ||
192 | #endif | ||
188 | 193 | ||
189 | #ifdef USE_PAM | 194 | #ifdef USE_PAM |
190 | if (options.use_pam) | 195 | if (options.use_pam) |
@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |||
196 | return; | 201 | return; |
197 | } | 202 | } |
198 | 203 | ||
204 | int | ||
205 | ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, | ||
206 | ssh_gssapi_client *client) | ||
207 | { | ||
208 | krb5_ccache ccache = NULL; | ||
209 | krb5_principal principal = NULL; | ||
210 | char *name = NULL; | ||
211 | krb5_error_code problem; | ||
212 | OM_uint32 maj_status, min_status; | ||
213 | |||
214 | if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { | ||
215 | logit("krb5_cc_resolve(): %.100s", | ||
216 | krb5_get_err_text(krb_context, problem)); | ||
217 | return 0; | ||
218 | } | ||
219 | |||
220 | /* Find out who the principal in this cache is */ | ||
221 | if ((problem = krb5_cc_get_principal(krb_context, ccache, | ||
222 | &principal))) { | ||
223 | logit("krb5_cc_get_principal(): %.100s", | ||
224 | krb5_get_err_text(krb_context, problem)); | ||
225 | krb5_cc_close(krb_context, ccache); | ||
226 | return 0; | ||
227 | } | ||
228 | |||
229 | if ((problem = krb5_unparse_name(krb_context, principal, &name))) { | ||
230 | logit("krb5_unparse_name(): %.100s", | ||
231 | krb5_get_err_text(krb_context, problem)); | ||
232 | krb5_free_principal(krb_context, principal); | ||
233 | krb5_cc_close(krb_context, ccache); | ||
234 | return 0; | ||
235 | } | ||
236 | |||
237 | |||
238 | if (strcmp(name,client->exportedname.value)!=0) { | ||
239 | debug("Name in local credentials cache differs. Not storing"); | ||
240 | krb5_free_principal(krb_context, principal); | ||
241 | krb5_cc_close(krb_context, ccache); | ||
242 | krb5_free_unparsed_name(krb_context, name); | ||
243 | return 0; | ||
244 | } | ||
245 | krb5_free_unparsed_name(krb_context, name); | ||
246 | |||
247 | /* Name matches, so lets get on with it! */ | ||
248 | |||
249 | if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { | ||
250 | logit("krb5_cc_initialize(): %.100s", | ||
251 | krb5_get_err_text(krb_context, problem)); | ||
252 | krb5_free_principal(krb_context, principal); | ||
253 | krb5_cc_close(krb_context, ccache); | ||
254 | return 0; | ||
255 | } | ||
256 | |||
257 | krb5_free_principal(krb_context, principal); | ||
258 | |||
259 | if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, | ||
260 | ccache))) { | ||
261 | logit("gss_krb5_copy_ccache() failed. Sorry!"); | ||
262 | krb5_cc_close(krb_context, ccache); | ||
263 | return 0; | ||
264 | } | ||
265 | |||
266 | return 1; | ||
267 | } | ||
268 | |||
199 | ssh_gssapi_mech gssapi_kerberos_mech = { | 269 | ssh_gssapi_mech gssapi_kerberos_mech = { |
200 | "toWM5Slw5Ew8Mqkay+al2g==", | 270 | "toWM5Slw5Ew8Mqkay+al2g==", |
201 | "Kerberos", | 271 | "Kerberos", |
@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | |||
203 | NULL, | 273 | NULL, |
204 | &ssh_gssapi_krb5_userok, | 274 | &ssh_gssapi_krb5_userok, |
205 | NULL, | 275 | NULL, |
206 | &ssh_gssapi_krb5_storecreds | 276 | &ssh_gssapi_krb5_storecreds, |
277 | &ssh_gssapi_krb5_updatecreds | ||
207 | }; | 278 | }; |
208 | 279 | ||
209 | #endif /* KRB5 */ | 280 | #endif /* KRB5 */ |
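Review bot: In the new `ssh_gssapi_krb5_updatecreds`, the success path leaks the ccache handle: every failure branch calls `krb5_cc_close(krb_context, ccache)`, but after `gss_krb5_copy_ccache` succeeds the function returns 1 with the cache still open, so each credential refresh over a long session leaks a handle (and, for FILE caches, an open descriptor). The fix is to close before the final return: `krb5_cc_close(krb_context, ccache); return 1;`. Two smaller points in the same function: the `gss_krb5_copy_ccache` failure message drops `maj_status`/`min_status`, so the log gives no hint why the copy failed, and `krb5_cc_initialize` empties the existing cache before the copy is known to succeed, so a failed copy leaves the user with an emptied cache; that ordering deserves a comment such as `/* NOTE: initialize wipes the cache; a failed copy below leaves it empty */`.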