diff options
Diffstat (limited to 'gss-serv-krb5.c')
| -rw-r--r-- | gss-serv-krb5.c | 84 |
1 files changed, 78 insertions, 6 deletions
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 5a625acb8..e7170ee41 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
| 5 | * | 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without | 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions | 7 | * modification, are permitted provided that the following conditions |
| @@ -120,6 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |||
| 120 | krb5_principal princ; | 120 | krb5_principal princ; |
| 121 | OM_uint32 maj_status, min_status; | 121 | OM_uint32 maj_status, min_status; |
| 122 | int len; | 122 | int len; |
| 123 | const char *new_ccname; | ||
| 123 | 124 | ||
| 124 | if (client->creds == NULL) { | 125 | if (client->creds == NULL) { |
| 125 | debug("No credentials stored"); | 126 | debug("No credentials stored"); |
| @@ -168,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |||
| 168 | return; | 169 | return; |
| 169 | } | 170 | } |
| 170 | 171 | ||
| 171 | client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); | 172 | new_ccname = krb5_cc_get_name(krb_context, ccache); |
| 173 | |||
| 172 | client->store.envvar = "KRB5CCNAME"; | 174 | client->store.envvar = "KRB5CCNAME"; |
| 173 | len = strlen(client->store.filename) + 6; | 175 | #ifdef USE_CCAPI |
| 174 | client->store.envval = xmalloc(len); | 176 | xasprintf(&client->store.envval, "API:%s", new_ccname); |
| 175 | snprintf(client->store.envval, len, "FILE:%s", client->store.filename); | 177 | client->store.filename = NULL; |
| 178 | #else | ||
| 179 | xasprintf(&client->store.envval, "FILE:%s", new_ccname); | ||
| 180 | client->store.filename = xstrdup(new_ccname); | ||
| 181 | #endif | ||
| 176 | 182 | ||
| 177 | #ifdef USE_PAM | 183 | #ifdef USE_PAM |
| 178 | if (options.use_pam) | 184 | if (options.use_pam) |
| @@ -184,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | |||
| 184 | return; | 190 | return; |
| 185 | } | 191 | } |
| 186 | 192 | ||
| 193 | int | ||
| 194 | ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, | ||
| 195 | ssh_gssapi_client *client) | ||
| 196 | { | ||
| 197 | krb5_ccache ccache = NULL; | ||
| 198 | krb5_principal principal = NULL; | ||
| 199 | char *name = NULL; | ||
| 200 | krb5_error_code problem; | ||
| 201 | OM_uint32 maj_status, min_status; | ||
| 202 | |||
| 203 | if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { | ||
| 204 | logit("krb5_cc_resolve(): %.100s", | ||
| 205 | krb5_get_err_text(krb_context, problem)); | ||
| 206 | return 0; | ||
| 207 | } | ||
| 208 | |||
| 209 | /* Find out who the principal in this cache is */ | ||
| 210 | if ((problem = krb5_cc_get_principal(krb_context, ccache, | ||
| 211 | &principal))) { | ||
| 212 | logit("krb5_cc_get_principal(): %.100s", | ||
| 213 | krb5_get_err_text(krb_context, problem)); | ||
| 214 | krb5_cc_close(krb_context, ccache); | ||
| 215 | return 0; | ||
| 216 | } | ||
| 217 | |||
| 218 | if ((problem = krb5_unparse_name(krb_context, principal, &name))) { | ||
| 219 | logit("krb5_unparse_name(): %.100s", | ||
| 220 | krb5_get_err_text(krb_context, problem)); | ||
| 221 | krb5_free_principal(krb_context, principal); | ||
| 222 | krb5_cc_close(krb_context, ccache); | ||
| 223 | return 0; | ||
| 224 | } | ||
| 225 | |||
| 226 | |||
| 227 | if (strcmp(name,client->exportedname.value)!=0) { | ||
| 228 | debug("Name in local credentials cache differs. Not storing"); | ||
| 229 | krb5_free_principal(krb_context, principal); | ||
| 230 | krb5_cc_close(krb_context, ccache); | ||
| 231 | krb5_free_unparsed_name(krb_context, name); | ||
| 232 | return 0; | ||
| 233 | } | ||
| 234 | krb5_free_unparsed_name(krb_context, name); | ||
| 235 | |||
| 236 | /* Name matches, so lets get on with it! */ | ||
| 237 | |||
| 238 | if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { | ||
| 239 | logit("krb5_cc_initialize(): %.100s", | ||
| 240 | krb5_get_err_text(krb_context, problem)); | ||
| 241 | krb5_free_principal(krb_context, principal); | ||
| 242 | krb5_cc_close(krb_context, ccache); | ||
| 243 | return 0; | ||
| 244 | } | ||
| 245 | |||
| 246 | krb5_free_principal(krb_context, principal); | ||
| 247 | |||
| 248 | if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, | ||
| 249 | ccache))) { | ||
| 250 | logit("gss_krb5_copy_ccache() failed. Sorry!"); | ||
| 251 | krb5_cc_close(krb_context, ccache); | ||
| 252 | return 0; | ||
| 253 | } | ||
| 254 | |||
| 255 | return 1; | ||
| 256 | } | ||
| 257 | |||
| 187 | ssh_gssapi_mech gssapi_kerberos_mech = { | 258 | ssh_gssapi_mech gssapi_kerberos_mech = { |
| 188 | "toWM5Slw5Ew8Mqkay+al2g==", | 259 | "toWM5Slw5Ew8Mqkay+al2g==", |
| 189 | "Kerberos", | 260 | "Kerberos", |
| @@ -191,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | |||
| 191 | NULL, | 262 | NULL, |
| 192 | &ssh_gssapi_krb5_userok, | 263 | &ssh_gssapi_krb5_userok, |
| 193 | NULL, | 264 | NULL, |
| 194 | &ssh_gssapi_krb5_storecreds | 265 | &ssh_gssapi_krb5_storecreds, |
| 266 | &ssh_gssapi_krb5_updatecreds | ||
| 195 | }; | 267 | }; |
| 196 | 268 | ||
| 197 | #endif /* KRB5 */ | 269 | #endif /* KRB5 */ |