|
1 # |
|
2 # This is to work around an unresolved symbol problem with the Kerberos |
|
3 # build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function |
|
4 # is not supported on Solaris, because it violates API abstraction. This |
|
5 # workaround disables delegated credentials storing on server side. |
|
6 # |
|
7 # The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos |
|
8 # delivered from Userland gate (The Solaris MIT Kerberos Drop in Project). |
|
9 # After that, function gss_krb5_copy_ccache() will be available in Solaris and |
|
10 # the delegating credentials functionality will be made available using the |
|
11 # upstream code. |
|
12 # |
|
13 diff -ur old/configure new/configure |
|
14 --- old/configure 2012-10-22 01:40:00.738542671 -0700 |
|
15 +++ new/configure 2012-10-22 02:18:52.991019932 -0700 |
|
16 @@ -15022,6 +15022,12 @@ |
|
17 fi |
|
18 K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" |
|
19 K5LIBS="`$KRB5CONF --libs $k5confopts`" |
|
20 + |
|
21 + # Oracle Solaris |
|
22 + # OpenSSH is mixed-up gssapi AND krb5 aplication |
|
23 + K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`" |
|
24 + K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`" |
|
25 + |
|
26 CPPFLAGS="$CPPFLAGS $K5CFLAGS" |
|
27 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 |
|
28 $as_echo_n "checking whether we are using Heimdal... " >&6; } |
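Review bot: The two appended lines `K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"` and `K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"` run on every platform, although the `# Oracle Solaris` comment presents them as a Solaris-only adjustment; if that is the intent, wrap them in a host check (`case "$host" in *-*-solaris*) ... ;; esac`) so other builds are not handed a second, possibly conflicting, set of krb5 flags. The change is also made to the generated `configure` rather than to `configure.ac`, so it is lost the next time autoconf regenerates the script. As with the existing `$KRB5CONF` lines above, a failing krb5-config leaves the variables silently empty; that is pre-existing, but worth a comment since this block now depends on the `krb5` library name being accepted.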
|
29 diff -ru old/ssh-gss.h new/ssh-gss.h |
|
30 --- old/ssh-gss.h 2012-10-22 02:42:41.469718263 -0700 |
|
31 +++ new/ssh-gss.h 2012-10-22 02:52:00.222302785 -0700 |
|
32 @@ -45,7 +45,13 @@ |
|
33 /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ |
|
34 |
|
35 #ifndef GSS_C_NT_HOSTBASED_SERVICE |
|
36 +/* |
|
37 + * on Solaris in gssapi.h there is: |
|
38 + * extern const gss_OID GSS_C_NT_HOSTBASED_SERVICE; |
|
39 + */ |
|
40 +#ifndef KRB5_BUILD_FIX |
|
41 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name |
|
42 +#endif /* KRB5_BUILD_FIX */ |
|
43 #endif /* GSS_C_NT_... */ |
|
44 #endif /* !HEIMDAL */ |
|
45 #endif /* KRB5 */ |
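Review bot: `KRB5_BUILD_FIX` is introduced here and relied on in auth2-gss.c, sshd.c and gss-serv-krb5.c, but nothing in this patch defines it — the configure hunk adds krb5 flags yet no `-DKRB5_BUILD_FIX` — so unless the build passes it through CPPFLAGS from outside the patch, every guarded block is dead and `#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name` is still compiled on Solaris, clashing with the `extern const gss_OID` the new comment describes. Either add the define next to the new `K5CFLAGS` lines in the configure hunk (`CPPFLAGS="$CPPFLAGS -DKRB5_BUILD_FIX"` under the Solaris condition) or document where it is expected to come from. The comment would read better as a statement of the rule rather than a quote of the header: `/* Solaris gssapi.h declares GSS_C_NT_HOSTBASED_SERVICE as an extern gss_OID, so the macro fallback must not be installed there */`.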
|
46 diff -u -r old/auth2-gss.c new/auth2-gss.c |
|
47 --- old/auth2-gss.c 2011-05-04 21:04:11.000000000 -0700 |
|
48 +++ new/auth2-gss.c 2012-10-25 02:57:42.332456661 -0700 |
|
49 @@ -47,6 +47,10 @@ |
|
50 |
|
51 extern ServerOptions options; |
|
52 |
|
53 +#ifdef KRB5_BUILD_FIX |
|
54 + extern gss_OID_set g_supported; |
|
55 +#endif |
|
56 + |
|
57 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); |
|
58 static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
|
59 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
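Review bot: The new `extern gss_OID_set g_supported;` is a private declaration inside a .c file, guarded here by `#ifdef KRB5_BUILD_FIX` while its definition in the sshd.c hunk at line 257 is guarded by `KRB5_BUILD_FIX && GSSAPI`; the two conditions can drift apart and a type mismatch between them is never seen by the compiler. Declare it once in a shared header next to the other GSSAPI declarations so the definition is checked against the declaration, and drop the leading tab so the line sits at column 0 like the `extern ServerOptions options;` above it.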
|
60 @@ -77,7 +81,12 @@ |
|
61 return (0); |
|
62 } |
|
63 |
|
64 +#ifdef KRB5_BUILD_FIX |
|
65 + /* use value obtained in privileged parent */ |
|
66 + supported = g_supported; |
|
67 +#else |
|
68 ssh_gssapi_supported_oids(&supported); |
|
69 +#endif |
|
70 do { |
|
71 mechs--; |
|
72 |
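Review bot: `supported = g_supported;` makes the local an alias of the process-wide set instead of a freshly obtained one; if the remainder of this function releases `supported` when it is finished (the `#else` path obtains its own set on every call, so that is likely, but the function's tail is outside the hunk), the first GSSAPI userauth attempt would free `g_supported` and a second attempt in the same privsep child would walk a released OID set. Either put the corresponding release under the same `#ifdef KRB5_BUILD_FIX` / `#else`, or copy the members into a fresh set here so the local keeps its original ownership. The enclosing function starts and ends outside this hunk.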
|
73 diff -u -r old/sshd.c new/sshd.c |
|
74 --- old/sshd.c 2012-10-22 01:28:17.260247177 -0700 |
|
75 +++ new/sshd.c 2012-10-25 02:53:41.663248837 -0700 |
|
76 @@ -257,6 +257,11 @@ |
|
77 /* Unprivileged user */ |
|
78 struct passwd *privsep_pw = NULL; |
|
79 |
|
80 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
81 +/* Temporary storing supported GSS mechs */ |
|
82 +gss_OID_set g_supported; |
|
83 +#endif |
|
84 + |
|
85 /* Prototypes for various functions defined later in this file. */ |
|
86 void destroy_sensitive_data(void); |
|
87 void demote_sensitive_data(void); |
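Review bot: The comment on the new `gss_OID_set g_supported;` global says only "Temporary storing supported GSS mechs" and leaves the reader to discover from two other files that it is filled before fork, read by the privsep child and released by the parent; since it is mutable shared state crossing a privilege boundary, its lifetime should be stated where it is defined. Suggested wording: `/* Supported GSS mechanisms, collected in the privileged parent before privsep_preauth() forks; the child reads the inherited copy, the parent releases it after authentication. */`. Whether the child is expected never to release its copy cannot be confirmed from this hunk and should be part of that comment once settled.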
|
88 @@ -1351,6 +1356,9 @@ |
|
89 compat_init_setproctitle(ac, av); |
|
90 av = saved_argv; |
|
91 #endif |
|
92 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
93 + OM_uint32 ms; |
|
94 +#endif |
|
95 |
|
96 if (geteuid() == 0 && setgroups(0, NULL) == -1) |
|
97 debug("setgroups(): %.200s", strerror(errno)); |
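Review bot: `OM_uint32 ms;` is declared after executable statements (`compat_init_setproctitle(ac, av);` and `av = saved_argv;` just above it), a C99 mixed declaration in a file that otherwise keeps declarations at the top of the block, and the variable is used only once, roughly 700 lines later at the `gss_release_oid_set` call in the hunk at line 2018. Declaring it at that call site, `{ OM_uint32 ms; gss_release_oid_set(&ms, &g_supported); }`, keeps the two together and drops one `#if` block from the middle of the function. The enclosing function, which looks like `main`, starts and ends outside the hunk.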
|
98 @@ -1984,6 +1992,11 @@ |
|
99 buffer_init(&loginmsg); |
|
100 auth_debug_reset(); |
|
101 |
|
102 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
103 + /* collect gss mechs for later use in privsep child */ |
|
104 + ssh_gssapi_supported_oids(&g_supported); |
|
105 +#endif |
|
106 + |
|
107 if (use_privsep) |
|
108 if (privsep_preauth(authctxt) == 1) |
|
109 goto authenticated; |
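Review bot: `ssh_gssapi_supported_oids(&g_supported);` now runs in the privileged parent for every incoming connection whether or not GSSAPI authentication is enabled, so the root process initialises the GSS mechanism libraries even when they will never be used; gating it on the option the userauth code already honours, `if (options.gss_authentication) ssh_gssapi_supported_oids(&g_supported);`, keeps the privileged side's work to what the configuration asks for. The matching `gss_release_oid_set` in the hunk at line 2018 is reached only on the authenticated path, which is acceptable only if every failed-authentication path exits the process rather than returning here, something the hunk does not let me confirm. The comment should also say why the child cannot obtain the set itself, since the patch never states it: `/* collected pre-fork because the privsep child cannot query the GSS mechanisms itself in this build */`.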
|
110 @@ -2018,6 +2031,9 @@ |
|
111 close(startup_pipe); |
|
112 startup_pipe = -1; |
|
113 } |
|
114 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
115 + gss_release_oid_set(&ms, &g_supported); |
|
116 +#endif |
|
117 |
|
118 #ifdef SSH_AUDIT_EVENTS |
|
119 audit_event(SSH_AUTH_SUCCESS); |
|
120 --- old/gss-serv-krb5.c 2006-08-31 22:38:36.000000000 -0700 |
|
121 +++ new/gss-serv-krb5.c 2012-10-25 03:09:36.080638790 -0700 |
|
122 @@ -126,6 +126,12 @@ |
|
123 return; |
|
124 } |
|
125 |
|
126 +#ifdef KRB5_BUILD_FIX |
|
127 + /* currently unimplemented - print an error, but continue */ |
|
128 + error("Delegated credentials storing not implemented."); |
|
129 + return; |
|
130 +#else |
|
131 + |
|
132 if (ssh_gssapi_krb5_init() == 0) |
|
133 return; |
|
134 |
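Review bot: Under `KRB5_BUILD_FIX` the function now returns right after `error("Delegated credentials storing not implemented.");`, so credentials a client chose to delegate are accepted by the GSS exchange and then silently dropped, and the log line does not say which feature or build is responsible. A message such as `error("GSSAPI credential delegation is not supported by this build; delegated credentials discarded.")` makes the log actionable, and the build's sshd_config documentation should state the same limitation so administrators do not expect `GSSAPIDelegateCredentials` to have an effect. The `#else` opened here is closed only by the `#endif` in the hunk at line 182, so the conditional wraps nearly the whole function body; any locals the function declares above this hunk become unused in the `KRB5_BUILD_FIX` build and will draw unused-variable warnings unless handled. The enclosing function starts and ends outside the hunk.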
|
135 @@ -182,6 +188,7 @@ |
|
136 krb5_cc_close(krb_context, ccache); |
|
137 |
|
138 return; |
|
139 +#endif /* KRB5_BUILD_FIX */ |
|
140 } |
|
141 |
|
142 ssh_gssapi_mech gssapi_kerberos_mech = { |