-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | Makefile.in | 5 | ||||
-rw-r--r-- | acconfig.h | 5 | ||||
-rw-r--r-- | auth-krb5.c | 3 | ||||
-rw-r--r-- | auth-pam.c | 25 | ||||
-rw-r--r-- | auth-pam.h | 3 | ||||
-rw-r--r-- | configure.ac | 28 | ||||
-rw-r--r-- | defines.h | 6 | ||||
-rw-r--r-- | gss-serv-krb5.c | 37 | ||||
-rw-r--r-- | session.c | 24 | ||||
-rw-r--r-- | ssh-gss.h | 12 | ||||
-rw-r--r-- | sshconnect1.c | 3 | ||||
-rw-r--r-- | sshconnect2.c | 3 |
13 files changed, 130 insertions, 29 deletions
@@ -10,6 +10,9 @@ ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself. + - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h + configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c + sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. 20030825 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from @@ -882,4 +885,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $ +$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index cffefece..eba34f34 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.240 2003/08/02 13:51:38 dtucker Exp $ +# $Id: Makefile.in,v 1.241 2003/08/26 01:58:16 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -68,7 +68,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ - entropy.o scard-opensc.o + entropy.o scard-opensc.o gss-genr.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o @@ -82,6 +82,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ auth-krb5.o auth2-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out 
@@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.162 2003/08/26 01:58:16 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -232,6 +232,9 @@ /* Define if compiler implements __func__ */ #undef HAVE___func__ +/* Define this is you want GSSAPI support in the version 2 protocol */ +#undef GSSAPI + /* Define if you want Kerberos 5 support */ #undef KRB5 diff --git a/auth-krb5.c b/auth-krb5.c index b04c6649..b9eeb5ba 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -42,9 +42,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #ifdef KRB5 #include <krb5.h> -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ extern ServerOptions options; @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.68 2003/08/26 01:58:16 dtucker Exp $"); #ifdef USE_PAM #include <security/pam_appl.h> @@ -650,6 +650,29 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } +/* + * Set a PAM environment string. We need to do this so that the session + * modules can handle things like Kerberos/GSI credentials that appear + * during the ssh authentication process. + */ + +int +do_pam_putenv(char *name, char *value) +{ + char *compound; + int ret = 1; + +#ifdef HAVE_PAM_PUTENV + compound = xmalloc(strlen(name)+strlen(value)+2); + if (compound) { + sprintf(compound,"%s=%s",name,value); + ret = pam_putenv(sshpam_handle,compound); + xfree(compound); + } +#endif + return (ret); +} + void print_pam_messages(void) { @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */ +/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. 
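Review bot: The comment on the new GSSAPI template entry reads `Define this is you want GSSAPI support in the version 2 protocol`; acconfig.h comments are copied verbatim into config.h.in by autoheader, so the typo ends up in every generated config.h. `/* Define this if you want GSSAPI support in the version 2 protocol */` matches the wording of the KRB5 entry directly below it.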
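Review bot: A pam_putenv() failure in do_pam_putenv is never reported: the status is only passed back, and the one caller this commit adds (ssh_gssapi_krb5_storecreds in gss-serv-krb5.c) discards it, so KRB5CCNAME failing to reach the PAM session modules leaves no trace in the log. Logging it the way do_pam_chauthtok does just above, `if (ret != PAM_SUCCESS) debug("PAM: pam_putenv(%s): %s", name, pam_strerror(sshpam_handle, ret));`, would make that visible. The `if (compound)` test is dead if xmalloc here follows the rest of OpenSSH and calls fatal() on failure, and the `sprintf` is safe only because the size arithmetic is exact; holding the length in a local and writing with `snprintf(compound, len, "%s=%s", name, value)` keeps the write bounded by construction. Both parameters are only read, so `const char *name, const char *value` in auth-pam.c and in the auth-pam.h prototype would document that, and when HAVE_PAM_PUTENV is undefined the function returns the literal 1 rather than a named PAM status.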
@@ -38,6 +38,7 @@ void do_pam_session(const char *, const char *); void do_pam_setcred(int ); int is_pam_password_change_required(void); void do_pam_chauthtok(void); +int do_pam_putenv(char *, char *); void print_pam_messages(void); char ** fetch_pam_environment(void); void free_pam_environment(char **); diff --git a/configure.ac b/configure.ac index 600155cc..bbc00e70 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.142 2003/08/25 03:27:40 dtucker Exp $ +# $Id: configure.ac,v 1.143 2003/08/26 01:58:16 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -831,6 +831,7 @@ AC_ARG_WITH(pam, AC_CHECK_LIB(dl, dlopen, , ) AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_FUNCS(pam_putenv) disable_shadow=yes PAM_MSG="yes" @@ -1946,6 +1947,31 @@ AC_ARG_WITH(kerberos5, fi AC_SEARCH_LIBS(dn_expand, resolv) + AC_CHECK_LIB(gssapi,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], + $K5LIBS) + + AC_CHECK_HEADER(gssapi.h, , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS(gssapi.h, , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER(gssapi_krb5.h, , + [ CPPFLAGS="$oldCPP" ]) + KRB5=yes fi ] @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */ +/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */ /* Constants */ 
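Review bot: `AC_DEFINE(GSSAPI)` is issued as soon as gss_init_sec_context is found in libgssapi or libgssapi_krb5, before the header checks that follow; if neither gssapi.h location is found the script only warns, yet GSSAPI stays defined and ssh-gss.h's `#include <gssapi.h>` cannot compile, so the "build may fail" warning is in practice an error. Moving the define into the success branch of the gssapi.h check, or using AC_MSG_ERROR when the header is missing after the library was found, keeps the two consistent. Separately, `oldCPP` is saved after the gssapi.h fallback may already have appended `-I${KRB5ROOT}/include/gssapi`, so that directory can appear on CPPFLAGS twice; harmless, but saving oldCPP before the first header check avoids it. Since the whole block sits inside the kerberos5 case (see the hunk's AC_ARG_WITH context), GSSAPI is only ever enabled together with --with-kerberos5; a one-line comment stating that would help the next reader.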
@@ -521,6 +521,10 @@ struct winsize { # define __func__ "" #endif +#if defined(KRB5) && !defined(HEIMDAL) +# define krb5_get_err_text(context,code) error_message(code) +#endif + /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index d8687225..f48e0991 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -38,7 +38,11 @@ extern ServerOptions options; +#ifdef HEIMDAL #include <krb5.h> +#else +#include <gssapi_krb5.h> +#endif static krb5_context krb_context = NULL; @@ -113,11 +117,39 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) if (ssh_gssapi_krb5_init() == 0) return; +#ifdef HEIMDAL if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { logit("krb5_cc_gen_new(): %.100s", krb5_get_err_text(krb_context, problem)); return; } +#else + { + int tmpfd; + char ccname[40]; + + snprintf(ccname, sizeof(ccname), + "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid()); + + if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) { + logit("mkstemp(): %.100s", strerror(errno)); + problem = errno; + return; + } + if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + problem = errno; + return; + } + close(tmpfd); + if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) { + logit("krb5_cc_resolve(): %.100s", + krb5_get_err_text(krb_context, problem)); + return; + } + } +#endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { @@ -148,6 +180,11 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) client->store.envvar = "KRB5CCNAME"; client->store.envval = xstrdup(client->store.filename); +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv(client->store.envvar,client->store.envval); +#endif + krb5_cc_close(krb_context, ccache); return; 
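Review bot: The credential-cache file created by mkstemp() in the non-Heimdal branch of ssh_gssapi_krb5_storecreds is never removed on the error paths: if fchmod() or krb5_cc_resolve() fails the function returns with an empty, unused `/tmp/krb5cc_<uid>_XXXXXX` left behind, and the same applies to the failures after this hunk, since the function body continues past it. Adding `unlink(ccname + strlen("FILE:"));` before each of those returns keeps /tmp clean; the fchmod to 0600 itself is the right call, as older mkstemp implementations create the file with a broader mode. `geteuid()` is passed to a `%d` conversion, but uid_t is unsigned on most platforms, so `(int)geteuid()` or a `%u` with an `(unsigned)` cast avoids the format mismatch. Finally, `problem = errno` is read after logit(), which may itself have changed errno, and since `problem` is not used again before the `return` in either branch those two assignments look dead.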
@@ -418,6 +418,12 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, NULL); @@ -428,12 +434,6 @@ do_exec_no_pty(Session *s, const char *command) } #endif /* USE_PAM */ -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -553,6 +553,12 @@ do_exec_pty(Session *s, const char *command) ptyfd = s->ptyfd; ttyfd = s->ttyfd; +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, s->tty); @@ -560,12 +566,6 @@ do_exec_pty(Session *s, const char *command) } #endif -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -31,6 +31,18 @@ #include <gssapi.h> +#ifdef KRB5 +#ifndef HEIMDAL +#include <gssapi_generic.h> + +/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ + +#ifndef GSS_C_NT_HOSTBASED_SERVICE +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif /* GSS_C_NT_... */ +#endif /* !HEIMDAL */ +#endif /* KRB5 */ + /* draft-ietf-secsh-gsskeyex-06 */ #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 diff --git a/sshconnect1.c b/sshconnect1.c index 5e1802b1..5935e8b7 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -20,9 +20,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $"); #ifdef KRB5 #include <krb5.h> -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ #endif #include "ssh.h" diff --git a/sshconnect2.c b/sshconnect2.c index c71ad506..54985390 100644 --- a/sshconnect2.c 
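Review bot: The reason for moving the GSSAPI block ahead of the PAM session setup in do_exec_no_pty (and identically in do_exec_pty in the third hunk) is not recorded in the code; from do_pam_putenv's description in auth-pam.c it appears ssh_gssapi_storecreds() must run first so the cache name it exports via pam_putenv is visible to the PAM session modules. A comment above the block, `/* Store GSSAPI credentials before the PAM session so KRB5CCNAME is in the PAM environment */`, would keep a future reordering from silently undoing this. The three lines are now duplicated verbatim in both functions; a small static helper would keep them in step. Both enclosing functions begin and end outside their hunks.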
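Review bot: The comment on the new fallback in ssh-gss.h names `GSS_NT_HOSTBASED_SERVICE`, but the macro actually guarded and defined is `GSS_C_NT_HOSTBASED_SERVICE`, so the comment and the code disagree. `/* Some MIT Kerberos releases lack GSS_C_NT_HOSTBASED_SERVICE; fall back to the older gss_nt_service_name */` states what the #ifndef below it does. Whether the fallback name exists in every MIT release that needs it is not something this hunk shows, so that assumption is worth confirming against the versions configure.ac accepts.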
+++ b/sshconnect2.c @@ -27,9 +27,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $"); #ifdef KRB5 #include <krb5.h> -#ifndef HEIMDAL -#define krb5_get_err_text(context,code) error_message(code) -#endif /* !HEIMDAL */ #endif #include "openbsd-compat/sys-queue.h" |