1 files changed, 192 insertions, 28 deletions
diff --git a/gss-serv.c b/gss-serv.c
index c719c1306..380895ea5 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -45,15 +45,20 @@
 #include "channels.h"
 #include "session.h"
 #include "misc.h"
+#include "servconf.h"
+#include "uidswap.h"
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
+extern ServerOptions options;
 static ssh_gssapi_client gssapi_client =
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL}, 0, 0};
 ssh_gssapi_mech gssapi_null_mech =
-    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
+    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
 #ifdef KRB5
 extern ssh_gssapi_mech gssapi_kerberos_mech;
@@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
        char lname[MAXHOSTNAMELEN];
        gss_OID_set oidset;
-        gss_create_empty_oid_set(&status, &oidset);
+        if (options.gss_strict_acceptor) {
-        gss_add_oid_set_member(&status, ctx->oid, &oidset);
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
-        if (gethostname(lname, MAXHOSTNAMELEN)) {
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
-                gss_release_oid_set(&status, &oidset);
+                        gss_release_oid_set(&status, &oidset);
-                return (-1);
+                        return (-1);
-        }
+                }
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
-        if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
                gss_release_oid_set(&status, &oidset);
                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
        }
+        return GSS_S_COMPLETE;
-        if ((ctx->major = gss_acquire_cred(&ctx->minor,
-            ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-                ssh_gssapi_error(ctx);
-        gss_release_oid_set(&status, &oidset);
-        return (ctx->major);
 }
 /* Privileged */
@@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 }
 /* Unprivileged */
+char *
+ssh_gssapi_server_mechanisms() {
+        gss_OID_set     supported;
+        ssh_gssapi_supported_oids(&supported);
+        return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
+            NULL, NULL));
+}
+/* Unprivileged */
+int
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,
+    const char *dummy) {
+        Gssctxt *ctx = NULL;
+        int res;
+ 
+        res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
+        ssh_gssapi_delete_ctx(&ctx);
+        return (res);
+}
+/* Unprivileged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
 {
@@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
        gss_OID_set supported;
        gss_create_empty_oid_set(&min_status, oidset);
-        gss_indicate_mechs(&min_status, &supported);
+        if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
+                return;
        while (supported_mechs[i]->name != NULL) {
                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
@@ -249,8 +286,48 @@ OM_uint32
 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 {
        int i = 0;
+        int equal = 0;
+        gss_name_t new_name = GSS_C_NO_NAME;
+        gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
+        if (options.gss_store_rekey && client->used && ctx->client_creds) {
+                if (client->mech->oid.length != ctx->oid->length ||
+                    (memcmp(client->mech->oid.elements,
+                     ctx->oid->elements, ctx->oid->length) !=0)) {
+                        debug("Rekeyed credentials have different mechanism");
+                        return GSS_S_COMPLETE;
+                }
+                if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, 
+                    ctx->client_creds, ctx->oid, &new_name, 
+                    NULL, NULL, NULL))) {
+                        ssh_gssapi_error(ctx);
+                        return (ctx->major);
+                }
+                ctx->major = gss_compare_name(&ctx->minor, client->name, 
+                    new_name, &equal);
-        gss_buffer_desc ename;
+                if (GSS_ERROR(ctx->major)) {
+                        ssh_gssapi_error(ctx);
+                        return (ctx->major);
+                }
+ 
+                if (!equal) {
+                        debug("Rekeyed credentials have different name");
+                        return GSS_S_COMPLETE;
+                }
+                debug("Marking rekeyed credentials for export");
+                gss_release_name(&ctx->minor, &client->name);
+                gss_release_cred(&ctx->minor, &client->creds);
+                client->name = new_name;
+                client->creds = ctx->client_creds;
+                ctx->client_creds = GSS_C_NO_CREDENTIAL;
+                client->updated = 1;
+                return GSS_S_COMPLETE;
+        }
        client->mech = NULL;
@@ -265,6 +342,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
        if (client->mech == NULL)
                return GSS_S_FAILURE;
+        if (ctx->client_creds &&
+            (ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
+             ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {
+                ssh_gssapi_error(ctx);
+                return (ctx->major);
+        }
        if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
            &client->displayname, NULL))) {
                ssh_gssapi_error(ctx);
@@ -282,6 +366,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
                return (ctx->major);
        }
+        gss_release_buffer(&ctx->minor, &ename);
        /* We can't copy this structure, so we just move the pointer to it */
        client->creds = ctx->client_creds;
        ctx->client_creds = GSS_C_NO_CREDENTIAL;
@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 /* Privileged */
 int
-ssh_gssapi_userok(char *user)
+ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        OM_uint32 lmin;
@@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user)
                return 0;
        }
        if (gssapi_client.mech && gssapi_client.mech->userok)
-                if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+                if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
+                        gssapi_client.used = 1;
+                        gssapi_client.store.owner = pw;
                        return 1;
-                else {
+                } else {
                        /* Destroy delegated credentials if userok fails */
                        gss_release_buffer(&lmin, &gssapi_client.displayname);
                        gss_release_buffer(&lmin, &gssapi_client.exportedname);
@@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user)
        return (0);
 }
-/* Privileged */
+/* These bits are only used for rekeying. The unpriviledged child is running 
-OM_uint32
+ * as the user, the monitor is root.
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+ *
+ * In the child, we want to :
+ *    *) Ask the monitor to store our credentials into the store we specify
+ *    *) If it succeeds, maybe do a PAM update
+ */
+/* Stuff for PAM */
+#ifdef USE_PAM
+static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, 
+    struct pam_response **resp, void *data)
 {
-        ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+        return (PAM_CONV_ERR);
-            gssbuf, gssmic, NULL);
+}
+#endif
-        return (ctx->major);
+void
+ssh_gssapi_rekey_creds() {
+        int ok;
+        int ret;
+#ifdef USE_PAM
+        pam_handle_t *pamh = NULL;
+        struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
+        char *envstr;
+#endif
+        if (gssapi_client.store.filename == NULL && 
+            gssapi_client.store.envval == NULL &&
+            gssapi_client.store.envvar == NULL)
+                return;
+ 
+        ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
+        if (!ok)
+                return;
+        debug("Rekeyed credentials stored successfully");
+        /* Actually managing to play with the ssh pam stack from here will
+         * be next to impossible. In any case, we may want different options
+         * for rekeying. So, use our own :)
+         */
+#ifdef USE_PAM  
+        if (!use_privsep) {
+                debug("Not even going to try and do PAM with privsep disabled");
+                return;
+        }
+        ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
+            &pamconv, &pamh);
+        if (ret)
+                return;
+        xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, 
+            gssapi_client.store.envval);
+        ret = pam_putenv(pamh, envstr);
+        if (!ret)
+                pam_setcred(pamh, PAM_REINITIALIZE_CRED);
+        pam_end(pamh, PAM_SUCCESS);
+#endif
+}
+int 
+ssh_gssapi_update_creds(ssh_gssapi_ccache *store) {
+        int ok = 0;
+        /* Check we've got credentials to store */
+        if (!gssapi_client.updated)
+                return 0;
+        gssapi_client.updated = 0;
+        temporarily_use_uid(gssapi_client.store.owner);
+        if (gssapi_client.mech && gssapi_client.mech->updatecreds)
+                ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client);
+        else
+                debug("No update function for this mechanism");
+        restore_uid();
+        return ok;
 }
 #endif

diff --git a/gss-serv.c b/gss-serv.c index c719c1306..380895ea5 100644 --- a/gss-serv.c +++ b/gss-serv.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */	1	/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -45,15 +45,20 @@
45	#include "channels.h"	45	#include "channels.h"
46	#include "session.h"	46	#include "session.h"
47	#include "misc.h"	47	#include "misc.h"
		48	#include "servconf.h"
		49	#include "uidswap.h"
48		50
49	#include "ssh-gss.h"	51	#include "ssh-gss.h"
		52	#include "monitor_wrap.h"
		53
		54	extern ServerOptions options;
50		55
51	static ssh_gssapi_client gssapi_client =	56	static ssh_gssapi_client gssapi_client =
52	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,	57	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
53	GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};	58	GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
54		59
55	ssh_gssapi_mech gssapi_null_mech =	60	ssh_gssapi_mech gssapi_null_mech =
56	{ NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};	61	{ NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
57		62
58	#ifdef KRB5	63	#ifdef KRB5
59	extern ssh_gssapi_mech gssapi_kerberos_mech;	64	extern ssh_gssapi_mech gssapi_kerberos_mech;
@@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
81	char lname[MAXHOSTNAMELEN];	86	char lname[MAXHOSTNAMELEN];
82	gss_OID_set oidset;	87	gss_OID_set oidset;
83		88
84	gss_create_empty_oid_set(&status, &oidset);	89	if (options.gss_strict_acceptor) {
85	gss_add_oid_set_member(&status, ctx->oid, &oidset);	90	gss_create_empty_oid_set(&status, &oidset);
		91	gss_add_oid_set_member(&status, ctx->oid, &oidset);
86		92
87	if (gethostname(lname, MAXHOSTNAMELEN)) {	93	if (gethostname(lname, MAXHOSTNAMELEN)) {
88	gss_release_oid_set(&status, &oidset);	94	gss_release_oid_set(&status, &oidset);
89	return (-1);	95	return (-1);
90	}	96	}
		97
		98	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
		99	gss_release_oid_set(&status, &oidset);
		100	return (ctx->major);
		101	}
		102
		103	if ((ctx->major = gss_acquire_cred(&ctx->minor,
		104	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
		105	NULL, NULL)))
		106	ssh_gssapi_error(ctx);
91		107
92	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
93	gss_release_oid_set(&status, &oidset);	108	gss_release_oid_set(&status, &oidset);
94	return (ctx->major);	109	return (ctx->major);
		110	} else {
		111	ctx->name = GSS_C_NO_NAME;
		112	ctx->creds = GSS_C_NO_CREDENTIAL;
95	}	113	}
96		114	return GSS_S_COMPLETE;
97	if ((ctx->major = gss_acquire_cred(&ctx->minor,
98	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
99	ssh_gssapi_error(ctx);
100
101	gss_release_oid_set(&status, &oidset);
102	return (ctx->major);
103	}	115	}
104		116
105	/* Privileged */	117	/* Privileged */
@@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
114	}	126	}
115		127
116	/* Unprivileged */	128	/* Unprivileged */
		129	char *
		130	ssh_gssapi_server_mechanisms() {
		131	gss_OID_set supported;
		132
		133	ssh_gssapi_supported_oids(&supported);
		134	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
		135	NULL, NULL));
		136	}
		137
		138	/* Unprivileged */
		139	int
		140	ssh_gssapi_server_check_mech(Gssctxt *dum, gss_OID oid, const char data,
		141	const char *dummy) {
		142	Gssctxt *ctx = NULL;
		143	int res;
		144
		145	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
		146	ssh_gssapi_delete_ctx(&ctx);
		147
		148	return (res);
		149	}
		150
		151	/* Unprivileged */
117	void	152	void
118	ssh_gssapi_supported_oids(gss_OID_set *oidset)	153	ssh_gssapi_supported_oids(gss_OID_set *oidset)
119	{	154	{
@@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
123	gss_OID_set supported;	158	gss_OID_set supported;
124		159
125	gss_create_empty_oid_set(&min_status, oidset);	160	gss_create_empty_oid_set(&min_status, oidset);
126	gss_indicate_mechs(&min_status, &supported);	161
		162	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
		163	return;
127		164
128	while (supported_mechs[i]->name != NULL) {	165	while (supported_mechs[i]->name != NULL) {
129	if (GSS_ERROR(gss_test_oid_set_member(&min_status,	166	if (GSS_ERROR(gss_test_oid_set_member(&min_status,
@@ -249,8 +286,48 @@ OM_uint32
249	ssh_gssapi_getclient(Gssctxt ctx, ssh_gssapi_client client)	286	ssh_gssapi_getclient(Gssctxt ctx, ssh_gssapi_client client)
250	{	287	{
251	int i = 0;	288	int i = 0;
		289	int equal = 0;
		290	gss_name_t new_name = GSS_C_NO_NAME;
		291	gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
		292
		293	if (options.gss_store_rekey && client->used && ctx->client_creds) {
		294	if (client->mech->oid.length != ctx->oid->length \|\|
		295	(memcmp(client->mech->oid.elements,
		296	ctx->oid->elements, ctx->oid->length) !=0)) {
		297	debug("Rekeyed credentials have different mechanism");
		298	return GSS_S_COMPLETE;
		299	}
		300
		301	if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
		302	ctx->client_creds, ctx->oid, &new_name,
		303	NULL, NULL, NULL))) {
		304	ssh_gssapi_error(ctx);
		305	return (ctx->major);
		306	}
		307
		308	ctx->major = gss_compare_name(&ctx->minor, client->name,
		309	new_name, &equal);
252		310
253	gss_buffer_desc ename;	311	if (GSS_ERROR(ctx->major)) {
		312	ssh_gssapi_error(ctx);
		313	return (ctx->major);
		314	}
		315
		316	if (!equal) {
		317	debug("Rekeyed credentials have different name");
		318	return GSS_S_COMPLETE;
		319	}
		320
		321	debug("Marking rekeyed credentials for export");
		322
		323	gss_release_name(&ctx->minor, &client->name);
		324	gss_release_cred(&ctx->minor, &client->creds);
		325	client->name = new_name;
		326	client->creds = ctx->client_creds;
		327	ctx->client_creds = GSS_C_NO_CREDENTIAL;
		328	client->updated = 1;
		329	return GSS_S_COMPLETE;
		330	}
254		331
255	client->mech = NULL;	332	client->mech = NULL;
256		333
@@ -265,6 +342,13 @@ ssh_gssapi_getclient(Gssctxt ctx, ssh_gssapi_client client)
265	if (client->mech == NULL)	342	if (client->mech == NULL)
266	return GSS_S_FAILURE;	343	return GSS_S_FAILURE;
267		344
		345	if (ctx->client_creds &&
		346	(ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
		347	ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {
		348	ssh_gssapi_error(ctx);
		349	return (ctx->major);
		350	}
		351
268	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,	352	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
269	&client->displayname, NULL))) {	353	&client->displayname, NULL))) {
270	ssh_gssapi_error(ctx);	354	ssh_gssapi_error(ctx);
@@ -282,6 +366,8 @@ ssh_gssapi_getclient(Gssctxt ctx, ssh_gssapi_client client)
282	return (ctx->major);	366	return (ctx->major);
283	}	367	}
284		368
		369	gss_release_buffer(&ctx->minor, &ename);
		370
285	/* We can't copy this structure, so we just move the pointer to it */	371	/* We can't copy this structure, so we just move the pointer to it */
286	client->creds = ctx->client_creds;	372	client->creds = ctx->client_creds;
287	ctx->client_creds = GSS_C_NO_CREDENTIAL;	373	ctx->client_creds = GSS_C_NO_CREDENTIAL;
@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char **envp, u_int envsizep)
329		415
330	/* Privileged */	416	/* Privileged */
331	int	417	int
332	ssh_gssapi_userok(char *user)	418	ssh_gssapi_userok(char user, struct passwd pw)
333	{	419	{
334	OM_uint32 lmin;	420	OM_uint32 lmin;
335		421
@@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user)
339	return 0;	425	return 0;
340	}	426	}
341	if (gssapi_client.mech && gssapi_client.mech->userok)	427	if (gssapi_client.mech && gssapi_client.mech->userok)
342	if ((*gssapi_client.mech->userok)(&gssapi_client, user))	428	if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
		429	gssapi_client.used = 1;
		430	gssapi_client.store.owner = pw;
343	return 1;	431	return 1;
344	else {	432	} else {
345	/* Destroy delegated credentials if userok fails */	433	/* Destroy delegated credentials if userok fails */
346	gss_release_buffer(&lmin, &gssapi_client.displayname);	434	gss_release_buffer(&lmin, &gssapi_client.displayname);
347	gss_release_buffer(&lmin, &gssapi_client.exportedname);	435	gss_release_buffer(&lmin, &gssapi_client.exportedname);
@@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user)
354	return (0);	442	return (0);
355	}	443	}
356		444
357	/* Privileged */	445	/* These bits are only used for rekeying. The unpriviledged child is running
358	OM_uint32	446	* as the user, the monitor is root.
359	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)	447	*
		448	* In the child, we want to :
		449	* *) Ask the monitor to store our credentials into the store we specify
		450	* *) If it succeeds, maybe do a PAM update
		451	*/
		452
		453	/* Stuff for PAM */
		454
		455	#ifdef USE_PAM
		456	static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
		457	struct pam_response *resp, void data)
360	{	458	{
361	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,	459	return (PAM_CONV_ERR);
362	gssbuf, gssmic, NULL);	460	}
		461	#endif
363		462
364	return (ctx->major);	463	void
		464	ssh_gssapi_rekey_creds() {
		465	int ok;
		466	int ret;
		467	#ifdef USE_PAM
		468	pam_handle_t *pamh = NULL;
		469	struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
		470	char *envstr;
		471	#endif
		472
		473	if (gssapi_client.store.filename == NULL &&
		474	gssapi_client.store.envval == NULL &&
		475	gssapi_client.store.envvar == NULL)
		476	return;
		477
		478	ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
		479
		480	if (!ok)
		481	return;
		482
		483	debug("Rekeyed credentials stored successfully");
		484
		485	/* Actually managing to play with the ssh pam stack from here will
		486	* be next to impossible. In any case, we may want different options
		487	* for rekeying. So, use our own :)
		488	*/
		489	#ifdef USE_PAM
		490	if (!use_privsep) {
		491	debug("Not even going to try and do PAM with privsep disabled");
		492	return;
		493	}
		494
		495	ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
		496	&pamconv, &pamh);
		497	if (ret)
		498	return;
		499
		500	xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
		501	gssapi_client.store.envval);
		502
		503	ret = pam_putenv(pamh, envstr);
		504	if (!ret)
		505	pam_setcred(pamh, PAM_REINITIALIZE_CRED);
		506	pam_end(pamh, PAM_SUCCESS);
		507	#endif
		508	}
		509
		510	int
		511	ssh_gssapi_update_creds(ssh_gssapi_ccache *store) {
		512	int ok = 0;
		513
		514	/* Check we've got credentials to store */
		515	if (!gssapi_client.updated)
		516	return 0;
		517
		518	gssapi_client.updated = 0;
		519
		520	temporarily_use_uid(gssapi_client.store.owner);
		521	if (gssapi_client.mech && gssapi_client.mech->updatecreds)
		522	ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client);
		523	else
		524	debug("No update function for this mechanism");
		525
		526	restore_uid();
		527
		528	return ok;
365	}	529	}
366		530
367	#endif	531	#endif