1 files changed, 78 insertions, 7 deletions
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 795992d9f..fd8b37183 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        krb5_error_code problem;
        krb5_principal princ;
        OM_uint32 maj_status, min_status;
-        int len;
        const char *errmsg;
+        const char *new_ccname;
        if (client->creds == NULL) {
                debug("No credentials stored");
@@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                return;
        }
-        client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+        new_ccname = krb5_cc_get_name(krb_context, ccache);
        client->store.envvar = "KRB5CCNAME";
-        len = strlen(client->store.filename) + 6;
+#ifdef USE_CCAPI
-        client->store.envval = xmalloc(len);
+        xasprintf(&client->store.envval, "API:%s", new_ccname);
-        snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+        client->store.filename = NULL;
+#else
+        xasprintf(&client->store.envval, "FILE:%s", new_ccname);
+        client->store.filename = xstrdup(new_ccname);
+#endif
 #ifdef USE_PAM
        if (options.use_pam)
@@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        return;
 }
+int
+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 
+    ssh_gssapi_client *client)
+{
+        krb5_ccache ccache = NULL;
+        krb5_principal principal = NULL;
+        char *name = NULL;
+        krb5_error_code problem;
+        OM_uint32 maj_status, min_status;
+        if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
+                logit("krb5_cc_resolve(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                return 0;
+        }
+        
+        /* Find out who the principal in this cache is */
+        if ((problem = krb5_cc_get_principal(krb_context, ccache, 
+            &principal))) {
+                logit("krb5_cc_get_principal(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
+                logit("krb5_unparse_name(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        if (strcmp(name,client->exportedname.value)!=0) {
+                debug("Name in local credentials cache differs. Not storing");
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                krb5_free_unparsed_name(krb_context, name);
+                return 0;
+        }
+        krb5_free_unparsed_name(krb_context, name);
+        /* Name matches, so lets get on with it! */
+        if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
+                logit("krb5_cc_initialize(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, principal);
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        krb5_free_principal(krb_context, principal);
+        if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
+            ccache))) {
+                logit("gss_krb5_copy_ccache() failed. Sorry!");
+                krb5_cc_close(krb_context, ccache);
+                return 0;
+        }
+        return 1;
+}
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
        "Kerberos",
@@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
-        &ssh_gssapi_krb5_storecreds
+        &ssh_gssapi_krb5_storecreds,
+        &ssh_gssapi_krb5_updatecreds
 };
 #endif /* KRB5 */

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 795992d9f..fd8b37183 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */	1	/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
121	krb5_error_code problem;	121	krb5_error_code problem;
122	krb5_principal princ;	122	krb5_principal princ;
123	OM_uint32 maj_status, min_status;	123	OM_uint32 maj_status, min_status;
124	int len;
125	const char *errmsg;	124	const char *errmsg;
		125	const char *new_ccname;
126		126
127	if (client->creds == NULL) {	127	if (client->creds == NULL) {
128	debug("No credentials stored");	128	debug("No credentials stored");
@@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
181	return;	181	return;
182	}	182	}
183		183
184	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));	184	new_ccname = krb5_cc_get_name(krb_context, ccache);
		185
185	client->store.envvar = "KRB5CCNAME";	186	client->store.envvar = "KRB5CCNAME";
186	len = strlen(client->store.filename) + 6;	187	#ifdef USE_CCAPI
187	client->store.envval = xmalloc(len);	188	xasprintf(&client->store.envval, "API:%s", new_ccname);
188	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);	189	client->store.filename = NULL;
		190	#else
		191	xasprintf(&client->store.envval, "FILE:%s", new_ccname);
		192	client->store.filename = xstrdup(new_ccname);
		193	#endif
189		194
190	#ifdef USE_PAM	195	#ifdef USE_PAM
191	if (options.use_pam)	196	if (options.use_pam)
@@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
197	return;	202	return;
198	}	203	}
199		204
		205	int
		206	ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
		207	ssh_gssapi_client *client)
		208	{
		209	krb5_ccache ccache = NULL;
		210	krb5_principal principal = NULL;
		211	char *name = NULL;
		212	krb5_error_code problem;
		213	OM_uint32 maj_status, min_status;
		214
		215	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
		216	logit("krb5_cc_resolve(): %.100s",
		217	krb5_get_err_text(krb_context, problem));
		218	return 0;
		219	}
		220
		221	/* Find out who the principal in this cache is */
		222	if ((problem = krb5_cc_get_principal(krb_context, ccache,
		223	&principal))) {
		224	logit("krb5_cc_get_principal(): %.100s",
		225	krb5_get_err_text(krb_context, problem));
		226	krb5_cc_close(krb_context, ccache);
		227	return 0;
		228	}
		229
		230	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
		231	logit("krb5_unparse_name(): %.100s",
		232	krb5_get_err_text(krb_context, problem));
		233	krb5_free_principal(krb_context, principal);
		234	krb5_cc_close(krb_context, ccache);
		235	return 0;
		236	}
		237
		238
		239	if (strcmp(name,client->exportedname.value)!=0) {
		240	debug("Name in local credentials cache differs. Not storing");
		241	krb5_free_principal(krb_context, principal);
		242	krb5_cc_close(krb_context, ccache);
		243	krb5_free_unparsed_name(krb_context, name);
		244	return 0;
		245	}
		246	krb5_free_unparsed_name(krb_context, name);
		247
		248	/* Name matches, so lets get on with it! */
		249
		250	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
		251	logit("krb5_cc_initialize(): %.100s",
		252	krb5_get_err_text(krb_context, problem));
		253	krb5_free_principal(krb_context, principal);
		254	krb5_cc_close(krb_context, ccache);
		255	return 0;
		256	}
		257
		258	krb5_free_principal(krb_context, principal);
		259
		260	if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
		261	ccache))) {
		262	logit("gss_krb5_copy_ccache() failed. Sorry!");
		263	krb5_cc_close(krb_context, ccache);
		264	return 0;
		265	}
		266
		267	return 1;
		268	}
		269
200	ssh_gssapi_mech gssapi_kerberos_mech = {	270	ssh_gssapi_mech gssapi_kerberos_mech = {
201	"toWM5Slw5Ew8Mqkay+al2g==",	271	"toWM5Slw5Ew8Mqkay+al2g==",
202	"Kerberos",	272	"Kerberos",
@@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
204	NULL,	274	NULL,
205	&ssh_gssapi_krb5_userok,	275	&ssh_gssapi_krb5_userok,
206	NULL,	276	NULL,
207	&ssh_gssapi_krb5_storecreds	277	&ssh_gssapi_krb5_storecreds,
		278	&ssh_gssapi_krb5_updatecreds
208	};	279	};
209		280
210	#endif /* KRB5 */	281	#endif /* KRB5 */