14 # directly built in the library and this function is not directly accessible. |
14 # directly built in the library and this function is not directly accessible. |
15 # |
15 # |
16 # The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED |
16 # The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED |
17 # and GSSAPI_STORECREDS_NEEDS_RUID macros. |
17 # and GSSAPI_STORECREDS_NEEDS_RUID macros. |
18 # |
18 # |
19 --- orig/config.h.in Fri Mar 21 11:42:17 2014 |
19 diff -pur old/config.h.in new/config.h.in |
20 +++ new/config.h.in Fri Mar 21 11:46:26 2014 |
20 --- old/config.h.in |
21 @@ -1616,6 +1616,12 @@ |
21 +++ new/config.h.in |
|
22 @@ -1623,6 +1623,12 @@ |
22 /* Use btmp to log bad logins */ |
23 /* Use btmp to log bad logins */ |
23 #undef USE_BTMP |
24 #undef USE_BTMP |
24 |
25 |
25 +/* Store delegated credentials in default cred. store using gss_store_cred */ |
26 +/* Store delegated credentials in default cred. store using gss_store_cred */ |
26 +#undef USE_GSS_STORE_CRED |
27 +#undef USE_GSS_STORE_CRED |
29 +#undef GSSAPI_STORECREDS_NEEDS_RUID |
30 +#undef GSSAPI_STORECREDS_NEEDS_RUID |
30 + |
31 + |
31 /* Use libedit for sftp */ |
32 /* Use libedit for sftp */ |
32 #undef USE_LIBEDIT |
33 #undef USE_LIBEDIT |
33 |
34 |
34 --- orig/configure Fri Mar 21 11:42:24 2014 |
35 diff -pur old/configure new/configure |
35 +++ new/configure Fri Mar 21 11:49:51 2014 |
36 --- old/configure |
36 @@ -7797,6 +7797,9 @@ |
37 +++ new/configure |
|
38 @@ -10944,6 +10944,9 @@ fi |
37 |
39 |
38 fi |
40 fi |
39 |
41 |
40 + $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h |
42 + $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h |
41 + $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h |
43 + $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h |
42 + |
44 + |
43 TEST_SHELL=$SHELL # let configure find us a capable shell |
45 TEST_SHELL=$SHELL # let configure find us a capable shell |
44 ;; |
46 ;; |
45 *-*-sunos4*) |
47 *-*-sunos4*) |
46 --- orig/configure.ac Fri Mar 21 11:42:28 2014 |
48 diff -pur old/configure.ac new/configure.ac |
47 +++ new/configure.ac Fri Mar 21 16:32:28 2014 |
49 --- old/configure.ac |
48 @@ -866,6 +866,8 @@ |
50 +++ new/configure.ac |
|
51 @@ -910,6 +910,8 @@ mips-sony-bsd|mips-sony-newsos4) |
49 ], |
52 ], |
50 ) |
53 ) |
51 TEST_SHELL=$SHELL # let configure find us a capable shell |
54 TEST_SHELL=$SHELL # let configure find us a capable shell |
52 + AC_DEFINE([USE_GSS_STORE_CRED]) |
55 + AC_DEFINE([USE_GSS_STORE_CRED]) |
53 + AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID]) |
56 + AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID]) |
54 ;; |
57 ;; |
55 *-*-sunos4*) |
58 *-*-sunos4*) |
56 CPPFLAGS="$CPPFLAGS -DSUNOS4" |
59 CPPFLAGS="$CPPFLAGS -DSUNOS4" |
57 --- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014 |
60 diff -pur old/gss-serv-krb5.c new/gss-serv-krb5.c |
58 +++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014 |
61 --- old/gss-serv-krb5.c |
59 @@ -109,7 +109,7 @@ |
62 +++ new/gss-serv-krb5.c |
|
63 @@ -110,7 +110,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client |
60 return retval; |
64 return retval; |
61 } |
65 } |
62 |
66 |
63 - |
67 - |
64 +#ifndef USE_GSS_STORE_CRED |
68 +#ifndef USE_GSS_STORE_CRED |
65 /* This writes out any forwarded credentials from the structure populated |
69 /* This writes out any forwarded credentials from the structure populated |
66 * during userauth. Called after we have setuid to the user */ |
70 * during userauth. Called after we have setuid to the user */ |
67 |
71 |
68 @@ -195,6 +195,7 @@ |
72 @@ -196,6 +196,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl |
69 |
73 |
70 return; |
74 return; |
71 } |
75 } |
72 +#endif /* #ifndef USE_GSS_STORE_CRED */ |
76 +#endif /* #ifndef USE_GSS_STORE_CRED */ |
73 |
77 |
74 ssh_gssapi_mech gssapi_kerberos_mech = { |
78 ssh_gssapi_mech gssapi_kerberos_mech = { |
75 "toWM5Slw5Ew8Mqkay+al2g==", |
79 "toWM5Slw5Ew8Mqkay+al2g==", |
76 @@ -203,7 +204,11 @@ |
80 @@ -204,7 +205,11 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
77 NULL, |
81 NULL, |
78 &ssh_gssapi_krb5_userok, |
82 &ssh_gssapi_krb5_userok, |
79 NULL, |
83 NULL, |
80 +#ifdef USE_GSS_STORE_CRED |
84 +#ifdef USE_GSS_STORE_CRED |
81 + NULL |
85 + NULL |
83 &ssh_gssapi_krb5_storecreds |
87 &ssh_gssapi_krb5_storecreds |
84 +#endif |
88 +#endif |
85 }; |
89 }; |
86 |
90 |
87 #endif /* KRB5 */ |
91 #endif /* KRB5 */ |
88 --- orig/gss-serv.c Fri Mar 21 11:42:53 2014 |
92 diff -pur old/gss-serv.c new/gss-serv.c |
89 +++ new/gss-serv.c Fri Mar 21 15:59:43 2014 |
93 --- old/gss-serv.c |
90 @@ -292,6 +292,9 @@ |
94 +++ new/gss-serv.c |
|
95 @@ -320,22 +320,66 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g |
91 void |
96 void |
92 ssh_gssapi_cleanup_creds(void) |
97 ssh_gssapi_cleanup_creds(void) |
93 { |
98 { |
94 +#ifdef USE_GSS_STORE_CRED |
99 +#ifdef USE_GSS_STORE_CRED |
95 + debug("removing gssapi cred file not implemented"); |
100 + debug("removing gssapi cred file not implemented"); |
96 +#else |
101 +#else |
97 if (gssapi_client.store.filename != NULL) { |
102 if (gssapi_client.store.filename != NULL) { |
98 /* Unlink probably isn't sufficient */ |
103 /* Unlink probably isn't sufficient */ |
99 debug("removing gssapi cred file\"%s\"", |
104 debug("removing gssapi cred file\"%s\"", |
100 @@ -298,6 +301,7 @@ |
|
101 gssapi_client.store.filename); |
105 gssapi_client.store.filename); |
102 unlink(gssapi_client.store.filename); |
106 unlink(gssapi_client.store.filename); |
103 } |
107 } |
104 +#endif /* USE_GSS_STORE_CRED */ |
108 +#endif /* USE_GSS_STORE_CRED */ |
105 } |
109 } |
106 |
110 |
107 /* As user */ |
111 /* As user */ |
108 @@ -304,10 +308,50 @@ |
|
109 void |
112 void |
110 ssh_gssapi_storecreds(void) |
113 ssh_gssapi_storecreds(void) |
111 { |
114 { |
112 +#ifdef USE_GSS_STORE_CRED |
115 +#ifdef USE_GSS_STORE_CRED |
113 + OM_uint32 maj_status, min_status; |
116 + OM_uint32 maj_status, min_status; |
154 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); |
157 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); |
155 +#endif /* #ifdef USE_GSS_STORE_CRED */ |
158 +#endif /* #ifdef USE_GSS_STORE_CRED */ |
156 } |
159 } |
157 |
160 |
158 /* This allows GSSAPI methods to do things to the childs environment based |
161 /* This allows GSSAPI methods to do things to the childs environment based |
159 --- orig/servconf.c Fri Mar 21 11:43:02 2014 |
162 diff -pur old/servconf.c new/servconf.c |
160 +++ new/servconf.c Fri Mar 21 16:02:54 2014 |
163 --- old/servconf.c |
161 @@ -409,7 +409,11 @@ |
164 +++ new/servconf.c |
|
165 @@ -489,7 +489,11 @@ static struct { |
162 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, |
166 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, |
163 #ifdef GSSAPI |
167 #ifdef GSSAPI |
164 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
168 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
|
169 - { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
165 +#ifdef USE_GSS_STORE_CRED |
170 +#ifdef USE_GSS_STORE_CRED |
166 + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
171 + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
167 +#else /* USE_GSS_STORE_CRED */ |
172 +#else /* USE_GSS_STORE_CRED */ |
168 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
173 + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
169 +#endif /* USE_GSS_STORE_CRED */ |
174 +#endif /* USE_GSS_STORE_CRED */ |
|
175 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
170 #else |
176 #else |
171 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
177 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
172 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
178 @@ -2264,7 +2268,9 @@ dump_config(ServerOptions *o) |
173 --- orig/sshd.c Fri Mar 21 11:43:08 2014 |
179 #endif |
174 +++ new/sshd.c Mon Mar 24 15:05:30 2014 |
180 #ifdef GSSAPI |
175 @@ -2126,9 +2126,23 @@ |
181 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
|
182 +#ifndef USE_GSS_STORE_CRED |
|
183 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
|
184 +#endif /* !USE_GSS_STORE_CRED */ |
|
185 #endif |
|
186 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
|
187 dump_cfg_fmtint(sKbdInteractiveAuthentication, |
|
188 diff -pur old/sshd.c new/sshd.c |
|
189 --- old/sshd.c |
|
190 +++ new/sshd.c |
|
191 @@ -2228,9 +2228,23 @@ main(int ac, char **av) |
176 |
192 |
177 #ifdef GSSAPI |
193 #ifdef GSSAPI |
178 if (options.gss_authentication) { |
194 if (options.gss_authentication) { |
179 +#ifdef GSSAPI_STORECREDS_NEEDS_RUID |
195 +#ifdef GSSAPI_STORECREDS_NEEDS_RUID |
180 + if (setreuid(authctxt->pw->pw_uid, -1) != 0) { |
196 + if (setreuid(authctxt->pw->pw_uid, -1) != 0) { |