1 files changed, 78 insertions, 7 deletions
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a151bc1e4..ef9beb67c 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        krb5_error_code problem;
        krb5_principal princ;
        OM_uint32 maj_status, min_status;
-        int len;
        const char *errmsg;
+        const char *new_ccname;
        if (client->creds == NULL) {
                debug("No credentials stored");
@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                return;
        }
-        client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+        new_ccname = krb5_cc_get_name(krb_context, ccache);
        client->store.envvar = "KRB5CCNAME";
-        len = strlen(client->store.filename) + 6;
+#ifdef USE_CCAPI
-        client->store.envval = xmalloc(len);
+        xasprintf(&client->store.envval, "API:%s", new_ccname);
-        snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+        client->store.filename = NULL;
+#else
+        xasprintf(&client->store.envval, "FILE:%s", new_ccname);
+        client->store.filename = xstrdup(new_ccname);
+#endif
 #ifdef USE_PAM
        if (options.use_pam)
@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        return;
 }
+int
+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
+    ssh_gssapi_client *client)
+{
+        krb5_ccache ccache = NULL;
+        krb5_principal principal = NULL;
+        char *name = NULL;
+        krb5_error_code problem;
+        OM_uint32 maj_status, min_status;
+        if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
+                logit("krb5_cc_resolve(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                return 0;
+        }
+        /* Find out who the principal in this cache is */
+        if ((problem = krb5_cc_get_principal(krb_context, ccache,
+            &principal))) {
+                logit("krb5_cc_get_principal(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
+                logit("krb5_unparse_name(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if (strcmp(name,client->exportedname.value)!=0) {
+                debug("Name in local credentials cache differs. Not storing");
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                krb5_free_unparsed_name(krb_context, name);
+                return 0;
+        }
+        krb5_free_unparsed_name(krb_context, name);
+        /* Name matches, so lets get on with it! */
+        if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
+                logit("krb5_cc_initialize(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        krb5_free_principal(krb_context, principal);
+        if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
+            ccache))) {
+                logit("gss_krb5_copy_ccache() failed. Sorry!");
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        return 1;
+}
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
-        &ssh_gssapi_krb5_storecreds
+        &ssh_gssapi_krb5_storecreds,
+        &ssh_gssapi_krb5_updatecreds
 };
 #endif /* KRB5 */

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index a151bc1e4..ef9beb67c 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */	1	/* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
120	krb5_error_code problem;	120	krb5_error_code problem;
121	krb5_principal princ;	121	krb5_principal princ;
122	OM_uint32 maj_status, min_status;	122	OM_uint32 maj_status, min_status;
123	int len;
124	const char *errmsg;	123	const char *errmsg;
		124	const char *new_ccname;
125		125
126	if (client->creds == NULL) {	126	if (client->creds == NULL) {
127	debug("No credentials stored");	127	debug("No credentials stored");
@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
180	return;	180	return;
181	}	181	}
182		182
183	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));	183	new_ccname = krb5_cc_get_name(krb_context, ccache);
		184
184	client->store.envvar = "KRB5CCNAME";	185	client->store.envvar = "KRB5CCNAME";
185	len = strlen(client->store.filename) + 6;	186	#ifdef USE_CCAPI
186	client->store.envval = xmalloc(len);	187	xasprintf(&client->store.envval, "API:%s", new_ccname);
187	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);	188	client->store.filename = NULL;
		189	#else
		190	xasprintf(&client->store.envval, "FILE:%s", new_ccname);
		191	client->store.filename = xstrdup(new_ccname);
		192	#endif
188		193
189	#ifdef USE_PAM	194	#ifdef USE_PAM
190	if (options.use_pam)	195	if (options.use_pam)
@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
196	return;	201	return;
197	}	202	}
198		203
		204	int
		205	ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
		206	ssh_gssapi_client *client)
		207	{
		208	krb5_ccache ccache = NULL;
		209	krb5_principal principal = NULL;
		210	char *name = NULL;
		211	krb5_error_code problem;
		212	OM_uint32 maj_status, min_status;
		213
		214	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
		215	logit("krb5_cc_resolve(): %.100s",
		216	krb5_get_err_text(krb_context, problem));
		217	return 0;
		218	}
		219
		220	/* Find out who the principal in this cache is */
		221	if ((problem = krb5_cc_get_principal(krb_context, ccache,
		222	&principal))) {
		223	logit("krb5_cc_get_principal(): %.100s",
		224	krb5_get_err_text(krb_context, problem));
		225	krb5_cc_close(krb_context, ccache);
		226	return 0;
		227	}
		228
		229	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
		230	logit("krb5_unparse_name(): %.100s",
		231	krb5_get_err_text(krb_context, problem));
		232	krb5_free_principal(krb_context, principal);
		233	krb5_cc_close(krb_context, ccache);
		234	return 0;
		235	}
		236
		237
		238	if (strcmp(name,client->exportedname.value)!=0) {
		239	debug("Name in local credentials cache differs. Not storing");
		240	krb5_free_principal(krb_context, principal);
		241	krb5_cc_close(krb_context, ccache);
		242	krb5_free_unparsed_name(krb_context, name);
		243	return 0;
		244	}
		245	krb5_free_unparsed_name(krb_context, name);
		246
		247	/* Name matches, so lets get on with it! */
		248
		249	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
		250	logit("krb5_cc_initialize(): %.100s",
		251	krb5_get_err_text(krb_context, problem));
		252	krb5_free_principal(krb_context, principal);
		253	krb5_cc_close(krb_context, ccache);
		254	return 0;
		255	}
		256
		257	krb5_free_principal(krb_context, principal);
		258
		259	if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
		260	ccache))) {
		261	logit("gss_krb5_copy_ccache() failed. Sorry!");
		262	krb5_cc_close(krb_context, ccache);
		263	return 0;
		264	}
		265
		266	return 1;
		267	}
		268
199	ssh_gssapi_mech gssapi_kerberos_mech = {	269	ssh_gssapi_mech gssapi_kerberos_mech = {
200	"toWM5Slw5Ew8Mqkay+al2g==",	270	"toWM5Slw5Ew8Mqkay+al2g==",
201	"Kerberos",	271	"Kerberos",
@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
203	NULL,	273	NULL,
204	&ssh_gssapi_krb5_userok,	274	&ssh_gssapi_krb5_userok,
205	NULL,	275	NULL,
206	&ssh_gssapi_krb5_storecreds	276	&ssh_gssapi_krb5_storecreds,
		277	&ssh_gssapi_krb5_updatecreds
207	};	278	};
208		279
209	#endif /* KRB5 */	280	#endif /* KRB5 */