From 22ef5087543839dd14e1591923e669518b5c13e8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 31 Dec 2003 11:37:34 +1100 Subject: - jakob@cvs.openbsd.org 2003/12/23 16:12:10 [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@ --- session.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'session.c') diff --git a/session.c b/session.c index 00f8785f5..03a5ec570 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command) */ environ = env; +#ifdef KRB5 + /* + * At this point, we check to see if AFS is active and if we have + * a valid Kerberos 5 TGT. If so, it seems like a good idea to see + * if we can (and need to) extend the ticket into an AFS token. If + * we don't do this, we run into potential problems if the user's + * home directory is in AFS and it's not world-readable. + */ + + if (options.kerberos_get_afs_token && k_hasafs() && + (s->authctxt->krb5_ctx != NULL)) { + char cell[64]; + + debug("Getting AFS token"); + + k_setpag(); + + if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) + krb5_afslog(s->authctxt->krb5_ctx, + s->authctxt->krb5_fwd_ccache, cell, NULL); + + krb5_afslog_home(s->authctxt->krb5_ctx, + s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir); + } +#endif + /* Change current directory to the user\'s home directory. */ if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", -- cgit v1.2.3