components/openssh/patches/005-openssh_krb5_build_fix.patch
changeset 1612 3f2ec017627f
child 1783 d716b9b5961b
1611:6b7edd68c53f 1612:3f2ec017627f
       
     1 #
       
     2 # This is to work around an unresolved symbol problem with the Kerberos
       
     3 # build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
       
     4 # is not supported on Solaris, because it violates API abstraction. This
       
     5 # workaround disables delegated credentials storing on server side.  
       
     6 #
       
     7 # The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
       
     8 # delivered from Userland gate (The Solaris MIT Kerberos Drop in Project). 
       
     9 # After that, function gss_krb5_copy_ccache() will be available in Solaris and
       
    10 # the delegating credentials functionality will be made available using the
       
    11 # upstream code.
       
    12 #
       
    13 diff -ur old/configure new/configure
       
    14 --- old/configure	2012-10-22 01:40:00.738542671 -0700
       
    15 +++ new/configure	2012-10-22 02:18:52.991019932 -0700
       
    16 @@ -15022,6 +15022,12 @@
       
    17  			fi
       
    18  			K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
       
    19  			K5LIBS="`$KRB5CONF --libs $k5confopts`"
       
    20 +
       
    21 +			# Oracle Solaris
       
    22 +			# OpenSSH is mixed-up gssapi AND krb5 aplication
       
    23 +			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
       
    24 +			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
       
    25 +
       
    26  			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
       
    27  			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
       
    28  $as_echo_n "checking whether we are using Heimdal... " >&6; }
       
    29 diff -ru old/ssh-gss.h new/ssh-gss.h
       
    30 --- old/ssh-gss.h	2012-10-22 02:42:41.469718263 -0700
       
    31 +++ new/ssh-gss.h	2012-10-22 02:52:00.222302785 -0700
       
    32 @@ -45,7 +45,13 @@
       
    33  /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
       
    34  
       
    35  #ifndef GSS_C_NT_HOSTBASED_SERVICE
       
    36 +/* 
       
    37 + * on Solaris in gssapi.h there is: 
       
    38 + *     extern const gss_OID GSS_C_NT_HOSTBASED_SERVICE; 
       
    39 + */
       
    40 +#ifndef KRB5_BUILD_FIX
       
    41  #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
       
    42 +#endif /* KRB5_BUILD_FIX */
       
    43  #endif /* GSS_C_NT_... */
       
    44  #endif /* !HEIMDAL */
       
    45  #endif /* KRB5 */
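Review bot: Nothing visible in this patch defines `KRB5_BUILD_FIX`; the configure hunk only extends `K5CFLAGS` and `K5LIBS`, so the macro presumably arrives through the component's compiler flags. If it is ever missing, this guard and every other `KRB5_BUILD_FIX` block silently compile to the upstream code and the unresolved-symbol problem returns. The new comment should say where the macro comes from, for example `/* KRB5_BUILD_FIX is supplied by the Solaris component build, not by configure */`, if that is the case. It would also help to state that the outer `#ifndef GSS_C_NT_HOSTBASED_SERVICE` cannot detect the `extern const gss_OID` declaration quoted in the comment, which is why the second guard is needed.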
       
    46 diff -u -r old/auth2-gss.c new/auth2-gss.c
       
    47 --- old/auth2-gss.c	2011-05-04 21:04:11.000000000 -0700
       
    48 +++ new/auth2-gss.c	2012-10-25 02:57:42.332456661 -0700
       
    49 @@ -47,6 +47,10 @@
       
    50  
       
    51  extern ServerOptions options;
       
    52  
       
    53 +#ifdef KRB5_BUILD_FIX
       
    54 +	extern gss_OID_set g_supported;
       
    55 +#endif
       
    56 +
       
    57  static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
       
    58  static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
       
    59  static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
       
    60 @@ -77,7 +81,12 @@
       
    61  		return (0);
       
    62  	}
       
    63  
       
    64 +#ifdef KRB5_BUILD_FIX
       
    65 +	/* use value obtained in privileged parent */
       
    66 +	supported = g_supported;
       
    67 +#else
       
    68  	ssh_gssapi_supported_oids(&supported);
       
    69 +#endif
       
    70  	do {
       
    71  		mechs--;
       
    72  
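Review bot: `supported = g_supported;` makes the local an alias of the process-wide set, so any later release of `supported` in this function also frees what `g_supported` points to and leaves the global dangling. The code after the `do` loop is outside this hunk; if it still calls `gss_release_oid_set(&ms, &supported)` as upstream does, a repeated GSSAPI authentication request on the same connection would test OIDs against freed memory. When privilege separation is off, the sshd.c hunk that adds `gss_release_oid_set(&ms, &g_supported)` would then release the same set a second time. Ownership should stay with sshd.c alone: wrap the existing release in this function in `#ifndef KRB5_BUILD_FIX` / `#endif`, and add a comment on the assignment such as `/* borrowed from sshd.c; do not release here */`. The function body starts and ends outside the hunk, so the release call should be confirmed against the full file.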
       
    73 diff -u -r old/sshd.c new/sshd.c
       
    74 --- old/sshd.c	2012-10-22 01:28:17.260247177 -0700
       
    75 +++ new/sshd.c	2012-10-25 02:53:41.663248837 -0700
       
    76 @@ -257,6 +257,11 @@
       
    77  /* Unprivileged user */
       
    78  struct passwd *privsep_pw = NULL;
       
    79  
       
    80 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
       
    81 +/* Temporary storing supported GSS mechs */
       
    82 +gss_OID_set g_supported;
       
    83 +#endif
       
    84 +
       
    85  /* Prototypes for various functions defined later in this file. */
       
    86  void destroy_sensitive_data(void);
       
    87  void demote_sensitive_data(void);
       
    88 @@ -1351,6 +1356,9 @@
       
    89  	compat_init_setproctitle(ac, av);
       
    90  	av = saved_argv;
       
    91  #endif
       
    92 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
       
    93 +	OM_uint32 ms;
       
    94 +#endif
       
    95  
       
    96  	if (geteuid() == 0 && setgroups(0, NULL) == -1)
       
    97  		debug("setgroups(): %.200s", strerror(errno));
       
    98 @@ -1984,6 +1992,11 @@
       
    99  	buffer_init(&loginmsg);
       
   100  	auth_debug_reset();
       
   101  
       
   102 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
       
   103 +	/* collect gss mechs for later use in privsep child */
       
   104 +	ssh_gssapi_supported_oids(&g_supported);
       
   105 +#endif
       
   106 +
       
   107  	if (use_privsep)
       
   108  		if (privsep_preauth(authctxt) == 1)
       
   109  			goto authenticated;
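Review bot: `ssh_gssapi_supported_oids(&g_supported)` now runs in the privileged process for every incoming connection, before authentication and regardless of whether GSSAPI authentication is enabled in the server configuration. Gating the call keeps mechanism enumeration out of the root pre-auth path when it is not needed: `if (options.gss_authentication) ssh_gssapi_supported_oids(&g_supported);`. The comment would also be more useful if it recorded why the privsep child cannot do this itself, for example `/* GSS mechs cannot be enumerated in the privsep child; collect them here for auth2-gss.c */`, assuming that is the reason. The enclosing function begins and ends outside the hunk.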
       
   110 @@ -2018,6 +2031,9 @@
       
   111  		close(startup_pipe);
       
   112  		startup_pipe = -1;
       
   113  	}
       
   114 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
       
   115 +	gss_release_oid_set(&ms, &g_supported);
       
   116 +#endif 
       
   117  
       
   118  #ifdef SSH_AUDIT_EVENTS
       
   119  	audit_event(SSH_AUTH_SUCCESS);
       
   120 --- old/gss-serv-krb5.c	2006-08-31 22:38:36.000000000 -0700
       
   121 +++ new/gss-serv-krb5.c	2012-10-25 03:09:36.080638790 -0700
       
   122 @@ -126,6 +126,12 @@
       
   123  		return;
       
   124  	}
       
   125  
       
   126 +#ifdef KRB5_BUILD_FIX
       
   127 +	/* currently unimplemented - print an error, but continue */
       
   128 +	error("Delegated credentials storing not implemented.");
       
   129 +	return;
       
   130 +#else
       
   131 +
       
   132  	if (ssh_gssapi_krb5_init() == 0)
       
   133  		return;
       
   134  
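Review bot: The `error()` call on the new early-return path logs at error level every time a client delegates credentials, which is an expected condition in this build. The message also does not say that the login continues or that no credential cache is created for the session. A lower-severity message that names the limitation is easier to triage in logs, for example `logit("GSSAPI delegated credentials ignored: storing is not supported in this build");`. The comment should also state that the session therefore starts without a Kerberos credential cache, since a user relying on delegation gets no other indication. The function begins before this hunk, and the rest of its body is compiled out by the `#else` that the next hunk closes with `#endif`.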
       
   135 @@ -182,6 +188,7 @@
       
   136  	krb5_cc_close(krb_context, ccache);
       
   137  
       
   138  	return;
       
   139 +#endif /* KRB5_BUILD_FIX */
       
   140  }
       
   141  
       
   142  ssh_gssapi_mech gssapi_kerberos_mech = {