1 # |
|
2 # This is to work around an unresloved symbol problem with the Kerberos |
|
3 # build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function |
|
4 # is not supported on Solaris, because it violates API abstraction. This |
|
5 # workaround disables delegated credentials storing on server side. |
|
6 # |
|
7 # The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos |
|
8 # delivered from Userland gate (The Solaris MIT Kerberos Drop in Project). |
|
9 # After that, function gss_krb5_copy_ccache() will be available in Solaris and |
|
10 # the delegating credentials functionality will be made available using the |
|
11 # upstream code. |
|
12 # |
|
13 --- orig/auth2-gss.c Fri Mar 21 10:41:03 2014 |
|
14 +++ new/auth2-gss.c Fri Mar 21 11:13:57 2014 |
|
15 @@ -47,6 +47,10 @@ |
|
16 |
|
17 extern ServerOptions options; |
|
18 |
|
19 +#ifdef KRB5_BUILD_FIX |
|
20 + extern gss_OID_set g_supported; |
|
21 +#endif |
|
22 + |
|
23 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); |
|
24 static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
|
25 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
|
26 @@ -77,7 +81,13 @@ |
|
27 return (0); |
|
28 } |
|
29 |
|
30 +#ifdef KRB5_BUILD_FIX |
|
31 + /* use value obtained in privileged parent */ |
|
32 + supported = g_supported; |
|
33 +#else |
|
34 ssh_gssapi_supported_oids(&supported); |
|
35 +#endif |
|
36 + |
|
37 do { |
|
38 mechs--; |
|
39 |
|
40 --- orig/configure Fri Mar 21 10:41:03 2014 |
|
41 +++ new/configure Fri Mar 21 11:02:11 2014 |
|
42 @@ -16634,6 +16634,12 @@ |
|
43 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
|
44 $as_echo "no" >&6; } |
|
45 fi |
|
46 + |
|
47 + # Oracle Solaris |
|
48 + # OpenSSH is mixed-up gssapi AND krb5 aplication |
|
49 + K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`" |
|
50 + K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`" |
|
51 + |
|
52 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 |
|
53 $as_echo_n "checking whether we are using Heimdal... " >&6; } |
|
54 cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
|
55 --- orig/sshd.c Fri Mar 21 10:41:03 2014 |
|
56 +++ new/sshd.c Fri Mar 21 11:09:30 2014 |
|
57 @@ -259,6 +259,11 @@ |
|
58 /* Unprivileged user */ |
|
59 struct passwd *privsep_pw = NULL; |
|
60 |
|
61 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
62 +/* Temporary storing supported GSS mechs */ |
|
63 +gss_OID_set g_supported; |
|
64 +#endif |
|
65 + |
|
66 /* Prototypes for various functions defined later in this file. */ |
|
67 void destroy_sensitive_data(void); |
|
68 void demote_sensitive_data(void); |
|
69 @@ -1407,6 +1412,10 @@ |
|
70 av = saved_argv; |
|
71 #endif |
|
72 |
|
73 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
74 + OM_uint32 ms; |
|
75 +#endif |
|
76 + |
|
77 if (geteuid() == 0 && setgroups(0, NULL) == -1) |
|
78 debug("setgroups(): %.200s", strerror(errno)); |
|
79 |
|
80 @@ -2083,6 +2092,11 @@ |
|
81 buffer_init(&loginmsg); |
|
82 auth_debug_reset(); |
|
83 |
|
84 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
85 + /* collect gss mechs for later use in privsep child */ |
|
86 + ssh_gssapi_supported_oids(&g_supported); |
|
87 +#endif |
|
88 + |
|
89 if (use_privsep) { |
|
90 if (privsep_preauth(authctxt) == 1) |
|
91 goto authenticated; |
|
92 @@ -2120,6 +2134,10 @@ |
|
93 startup_pipe = -1; |
|
94 } |
|
95 |
|
96 +#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) |
|
97 + gss_release_oid_set(&ms, &g_supported); |
|
98 +#endif |
|
99 + |
|
100 #ifdef SSH_AUDIT_EVENTS |
|
101 audit_event(SSH_AUTH_SUCCESS); |
|
102 #endif |
|