1 files changed, 78 insertions, 6 deletions
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 759fa104f..959a77e16 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        OM_uint32 maj_status, min_status;
        int len;
        const char *errmsg;
+        const char *new_ccname;
        if (client->creds == NULL) {
                debug("No credentials stored");
@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                return;
        }
-        client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+        new_ccname = krb5_cc_get_name(krb_context, ccache);
        client->store.envvar = "KRB5CCNAME";
-        len = strlen(client->store.filename) + 6;
+#ifdef USE_CCAPI
-        client->store.envval = xmalloc(len);
+        xasprintf(&client->store.envval, "API:%s", new_ccname);
-        snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+        client->store.filename = NULL;
+#else
+        xasprintf(&client->store.envval, "FILE:%s", new_ccname);
+        client->store.filename = xstrdup(new_ccname);
+#endif
 #ifdef USE_PAM
        if (options.use_pam)
@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        return;
 }
+int
+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 
+    ssh_gssapi_client *client)
+{
+        krb5_ccache ccache = NULL;
+        krb5_principal principal = NULL;
+        char *name = NULL;
+        krb5_error_code problem;
+        OM_uint32 maj_status, min_status;
+        if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
+                logit("krb5_cc_resolve(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                return 0;
+        }
+        
+        /* Find out who the principal in this cache is */
+        if ((problem = krb5_cc_get_principal(krb_context, ccache, 
+            &principal))) {
+                logit("krb5_cc_get_principal(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
+                logit("krb5_unparse_name(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if (strcmp(name,client->exportedname.value)!=0) {
+                debug("Name in local credentials cache differs. Not storing");
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                krb5_free_unparsed_name(krb_context, name);
+                return 0;
+        }
+        krb5_free_unparsed_name(krb_context, name);
+        /* Name matches, so lets get on with it! */
+        if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
+                logit("krb5_cc_initialize(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        krb5_free_principal(krb_context, principal);
+        if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
+            ccache))) {
+                logit("gss_krb5_copy_ccache() failed. Sorry!");
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        return 1;
+}
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
-        &ssh_gssapi_krb5_storecreds
+        &ssh_gssapi_krb5_storecreds,
+        &ssh_gssapi_krb5_updatecreds
 };
 #endif /* KRB5 */

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 759fa104f..959a77e16 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */	1	/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
122	OM_uint32 maj_status, min_status;	122	OM_uint32 maj_status, min_status;
123	int len;	123	int len;
124	const char *errmsg;	124	const char *errmsg;
		125	const char *new_ccname;
125		126
126	if (client->creds == NULL) {	127	if (client->creds == NULL) {
127	debug("No credentials stored");	128	debug("No credentials stored");
@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
180	return;	181	return;
181	}	182	}
182		183
183	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));	184	new_ccname = krb5_cc_get_name(krb_context, ccache);
		185
184	client->store.envvar = "KRB5CCNAME";	186	client->store.envvar = "KRB5CCNAME";
185	len = strlen(client->store.filename) + 6;	187	#ifdef USE_CCAPI
186	client->store.envval = xmalloc(len);	188	xasprintf(&client->store.envval, "API:%s", new_ccname);
187	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);	189	client->store.filename = NULL;
		190	#else
		191	xasprintf(&client->store.envval, "FILE:%s", new_ccname);
		192	client->store.filename = xstrdup(new_ccname);
		193	#endif
188		194
189	#ifdef USE_PAM	195	#ifdef USE_PAM
190	if (options.use_pam)	196	if (options.use_pam)
@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
196	return;	202	return;
197	}	203	}
198		204
		205	int
		206	ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
		207	ssh_gssapi_client *client)
		208	{
		209	krb5_ccache ccache = NULL;
		210	krb5_principal principal = NULL;
		211	char *name = NULL;
		212	krb5_error_code problem;
		213	OM_uint32 maj_status, min_status;
		214
		215	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
		216	logit("krb5_cc_resolve(): %.100s",
		217	krb5_get_err_text(krb_context, problem));
		218	return 0;
		219	}
		220
		221	/* Find out who the principal in this cache is */
		222	if ((problem = krb5_cc_get_principal(krb_context, ccache,
		223	&principal))) {
		224	logit("krb5_cc_get_principal(): %.100s",
		225	krb5_get_err_text(krb_context, problem));
		226	krb5_cc_close(krb_context, ccache);
		227	return 0;
		228	}
		229
		230	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
		231	logit("krb5_unparse_name(): %.100s",
		232	krb5_get_err_text(krb_context, problem));
		233	krb5_free_principal(krb_context, principal);
		234	krb5_cc_close(krb_context, ccache);
		235	return 0;
		236	}
		237
		238
		239	if (strcmp(name,client->exportedname.value)!=0) {
		240	debug("Name in local credentials cache differs. Not storing");
		241	krb5_free_principal(krb_context, principal);
		242	krb5_cc_close(krb_context, ccache);
		243	krb5_free_unparsed_name(krb_context, name);
		244	return 0;
		245	}
		246	krb5_free_unparsed_name(krb_context, name);
		247
		248	/* Name matches, so lets get on with it! */
		249
		250	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
		251	logit("krb5_cc_initialize(): %.100s",
		252	krb5_get_err_text(krb_context, problem));
		253	krb5_free_principal(krb_context, principal);
		254	krb5_cc_close(krb_context, ccache);
		255	return 0;
		256	}
		257
		258	krb5_free_principal(krb_context, principal);
		259
		260	if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
		261	ccache))) {
		262	logit("gss_krb5_copy_ccache() failed. Sorry!");
		263	krb5_cc_close(krb_context, ccache);
		264	return 0;
		265	}
		266
		267	return 1;
		268	}
		269
199	ssh_gssapi_mech gssapi_kerberos_mech = {	270	ssh_gssapi_mech gssapi_kerberos_mech = {
200	"toWM5Slw5Ew8Mqkay+al2g==",	271	"toWM5Slw5Ew8Mqkay+al2g==",
201	"Kerberos",	272	"Kerberos",
@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
203	NULL,	274	NULL,
204	&ssh_gssapi_krb5_userok,	275	&ssh_gssapi_krb5_userok,
205	NULL,	276	NULL,
206	&ssh_gssapi_krb5_storecreds	277	&ssh_gssapi_krb5_storecreds,
		278	&ssh_gssapi_krb5_updatecreds
207	};	279	};
208		280
209	#endif /* KRB5 */	281	#endif /* KRB5 */