11 # To store the credentials a standardized GSS-API function gss_store_cred() is |
11 # To store the credentials a standardized GSS-API function gss_store_cred() is |
12 # used instead of gss_krb5_copy_ccache(), because (unlike MIT Kerberos |
12 # used instead of gss_krb5_copy_ccache(), because (unlike MIT Kerberos |
13 # libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism |
13 # libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism |
14 # directly built in the library and this function is not directly accessible. |
14 # directly built in the library and this function is not directly accessible. |
15 # |
15 # |
16 # The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED |
16 # The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED |
17 # and GSSAPI_STORECREDS_NEEDS_RUID macros. |
17 # and GSSAPI_STORECREDS_NEEDS_RUID macros. |
18 # |
18 # |
19 diff -ur old/config.h.in new/config.h.in |
19 --- orig/config.h.in Fri Mar 21 11:42:17 2014 |
20 --- old/config.h.in 2012-04-19 22:03:32.000000000 -0700 |
20 +++ new/config.h.in Fri Mar 21 11:46:26 2014 |
21 +++ new/config.h.in 2014-03-12 06:47:38.667166593 -0700 |
21 @@ -1616,6 +1616,12 @@ |
22 @@ -1465,6 +1465,12 @@ |
|
23 /* Use btmp to log bad logins */ |
22 /* Use btmp to log bad logins */ |
24 #undef USE_BTMP |
23 #undef USE_BTMP |
25 |
24 |
26 +/* Store delegated credentials in default cred. store using gss_store_cred */ |
25 +/* Store delegated credentials in default cred. store using gss_store_cred */ |
27 +#undef USE_GSS_STORE_CRED |
26 +#undef USE_GSS_STORE_CRED |
30 +#undef GSSAPI_STORECREDS_NEEDS_RUID |
29 +#undef GSSAPI_STORECREDS_NEEDS_RUID |
31 + |
30 + |
32 /* Use libedit for sftp */ |
31 /* Use libedit for sftp */ |
33 #undef USE_LIBEDIT |
32 #undef USE_LIBEDIT |
34 |
33 |
35 diff -ur old/configure new/configure |
34 --- orig/configure Fri Mar 21 11:42:24 2014 |
36 --- old/configure 2014-03-12 04:01:33.320409426 -0700 |
35 +++ new/configure Fri Mar 21 11:49:51 2014 |
37 +++ new/configure 2014-03-12 06:47:48.510155481 -0700 |
36 @@ -7797,6 +7797,9 @@ |
38 @@ -7201,6 +7201,9 @@ |
|
39 |
37 |
40 fi |
38 fi |
41 |
39 |
42 + $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h |
40 + $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h |
43 + $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h |
41 + $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h |
44 + |
42 + |
|
43 TEST_SHELL=$SHELL # let configure find us a capable shell |
|
44 ;; |
|
45 *-*-sunos4*) |
|
46 --- orig/configure.ac Fri Mar 21 11:42:28 2014 |
|
47 +++ new/configure.ac Fri Mar 21 16:32:28 2014 |
|
48 @@ -866,6 +866,8 @@ |
|
49 ], |
|
50 ) |
|
51 TEST_SHELL=$SHELL # let configure find us a capable shell |
|
52 + AC_DEFINE([USE_GSS_STORE_CRED]) |
|
53 + AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID]) |
45 ;; |
54 ;; |
46 *-*-sunos4*) |
55 *-*-sunos4*) |
47 CPPFLAGS="$CPPFLAGS -DSUNOS4" |
56 CPPFLAGS="$CPPFLAGS -DSUNOS4" |
48 diff -ur old/configure.ac new/configure.ac |
57 --- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014 |
49 --- old/configure.ac 2014-03-12 04:01:33.310743659 -0700 |
58 +++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014 |
50 +++ new/configure.ac 2014-03-12 06:47:59.218730468 -0700 |
59 @@ -109,7 +109,7 @@ |
51 @@ -802,6 +802,8 @@ |
60 return retval; |
52 SP_MSG="yes" ], ) |
|
53 ], |
|
54 ) |
|
55 + AC_DEFINE([USE_GSS_STORE_CRED]) |
|
56 + AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID]) |
|
57 ;; |
|
58 *-*-sunos4*) |
|
59 CPPFLAGS="$CPPFLAGS -DSUNOS4" |
|
60 diff -ur old/gss-serv-krb5.c new/gss-serv-krb5.c |
|
61 --- old/gss-serv-krb5.c 2006-08-31 22:38:36.000000000 -0700 |
|
62 +++ new/gss-serv-krb5.c 2014-03-17 06:25:36.218227736 -0700 |
|
63 @@ -109,6 +109,7 @@ |
|
64 } |
61 } |
65 |
62 |
66 |
63 - |
67 +#ifndef USE_GSS_STORE_CRED |
64 +#ifndef USE_GSS_STORE_CRED |
68 /* This writes out any forwarded credentials from the structure populated |
65 /* This writes out any forwarded credentials from the structure populated |
69 * during userauth. Called after we have setuid to the user */ |
66 * during userauth. Called after we have setuid to the user */ |
70 |
67 |
71 @@ -183,6 +184,7 @@ |
68 @@ -195,6 +195,7 @@ |
72 |
69 |
73 return; |
70 return; |
74 } |
71 } |
75 +#endif /* #ifndef USE_GSS_STORE_CRED */ |
72 +#endif /* #ifndef USE_GSS_STORE_CRED */ |
76 |
73 |
77 ssh_gssapi_mech gssapi_kerberos_mech = { |
74 ssh_gssapi_mech gssapi_kerberos_mech = { |
78 "toWM5Slw5Ew8Mqkay+al2g==", |
75 "toWM5Slw5Ew8Mqkay+al2g==", |
79 @@ -191,7 +193,11 @@ |
76 @@ -203,7 +204,11 @@ |
80 NULL, |
77 NULL, |
81 &ssh_gssapi_krb5_userok, |
78 &ssh_gssapi_krb5_userok, |
82 NULL, |
79 NULL, |
83 +#ifdef USE_GSS_STORE_CRED |
80 +#ifdef USE_GSS_STORE_CRED |
84 + NULL |
81 + NULL |
86 &ssh_gssapi_krb5_storecreds |
83 &ssh_gssapi_krb5_storecreds |
87 +#endif |
84 +#endif |
88 }; |
85 }; |
89 |
86 |
90 #endif /* KRB5 */ |
87 #endif /* KRB5 */ |
91 diff -ur old/gss-serv.c new/gss-serv.c |
88 --- orig/gss-serv.c Fri Mar 21 11:42:53 2014 |
92 --- old/gss-serv.c 2011-08-05 13:16:46.000000000 -0700 |
89 +++ new/gss-serv.c Fri Mar 21 15:59:43 2014 |
93 +++ new/gss-serv.c 2014-03-12 05:55:42.368676287 -0700 |
90 @@ -292,6 +292,9 @@ |
94 @@ -292,22 +292,66 @@ |
|
95 void |
91 void |
96 ssh_gssapi_cleanup_creds(void) |
92 ssh_gssapi_cleanup_creds(void) |
97 { |
93 { |
98 +#ifdef USE_GSS_STORE_CRED |
94 +#ifdef USE_GSS_STORE_CRED |
99 + debug("removing gssapi cred file not implemented"); |
95 + debug("removing gssapi cred file not implemented"); |
100 +#else |
96 +#else |
101 if (gssapi_client.store.filename != NULL) { |
97 if (gssapi_client.store.filename != NULL) { |
102 /* Unlink probably isn't sufficient */ |
98 /* Unlink probably isn't sufficient */ |
103 debug("removing gssapi cred file\"%s\"", |
99 debug("removing gssapi cred file\"%s\"", |
|
100 @@ -298,6 +301,7 @@ |
104 gssapi_client.store.filename); |
101 gssapi_client.store.filename); |
105 unlink(gssapi_client.store.filename); |
102 unlink(gssapi_client.store.filename); |
106 } |
103 } |
107 +#endif /* USE_GSS_STORE_CRED */ |
104 +#endif /* USE_GSS_STORE_CRED */ |
108 } |
105 } |
109 |
106 |
110 /* As user */ |
107 /* As user */ |
|
108 @@ -304,10 +308,50 @@ |
111 void |
109 void |
112 ssh_gssapi_storecreds(void) |
110 ssh_gssapi_storecreds(void) |
113 { |
111 { |
114 +#ifdef USE_GSS_STORE_CRED |
112 +#ifdef USE_GSS_STORE_CRED |
115 + OM_uint32 maj_status, min_status; |
113 + OM_uint32 maj_status, min_status; |
156 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); |
154 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); |
157 +#endif /* #ifdef USE_GSS_STORE_CRED */ |
155 +#endif /* #ifdef USE_GSS_STORE_CRED */ |
158 } |
156 } |
159 |
157 |
160 /* This allows GSSAPI methods to do things to the childs environment based |
158 /* This allows GSSAPI methods to do things to the childs environment based |
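Review bot: Under USE_GSS_STORE_CRED, ssh_gssapi_cleanup_creds is reduced to `debug("removing gssapi cred file not implemented");`, so credentials that ssh_gssapi_storecreds places in the default credential store via gss_store_cred are never removed when the session ends and outlive the login that delegated them. The servconf.c hunk compounds this by mapping `gssapicleanupcredentials` to sUnsupported in the same build, so an administrator who sets GSSAPICleanupCredentials gets no cleanup and, as far as the hunk shows, no error beyond whatever sUnsupported reports. At minimum the no-op branch should say so at warning level rather than debug, e.g. `logit("gssapi credential cleanup not implemented with gss_store_cred; delegated credentials persist");`, and the limitation belongs in the USE_GSS_STORE_CRED comment in config.h.in. The body of ssh_gssapi_storecreds between the OM_uint32 declaration and the final debug is not visible here, so whether it records anything a later cleanup could use (cred name or store location) cannot be confirmed from this page.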
161 diff -ur old/servconf.c new/servconf.c |
159 --- orig/servconf.c Fri Mar 21 11:43:02 2014 |
162 --- old/servconf.c 2014-03-12 04:01:33.343205265 -0700 |
160 +++ new/servconf.c Fri Mar 21 16:02:54 2014 |
163 +++ new/servconf.c 2014-03-12 04:01:33.400368192 -0700 |
161 @@ -409,7 +409,11 @@ |
164 @@ -386,7 +386,11 @@ |
|
165 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, |
162 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, |
166 #ifdef GSSAPI |
163 #ifdef GSSAPI |
167 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
164 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
168 +#ifdef USE_GSS_STORE_CRED |
165 +#ifdef USE_GSS_STORE_CRED |
169 + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
166 + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
170 +#else /* USE_GSS_STORE_CRED*/ |
167 +#else /* USE_GSS_STORE_CRED */ |
171 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
168 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
172 +#endif /* USE_GSS_STORE_CRED*/ |
169 +#endif /* USE_GSS_STORE_CRED */ |
173 #else |
170 #else |
174 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
171 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
175 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
172 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
176 diff -ur old/sshd.c new/sshd.c |
173 --- orig/sshd.c Fri Mar 21 11:43:08 2014 |
177 --- old/sshd.c 2014-03-12 04:01:33.321603394 -0700 |
174 +++ new/sshd.c Mon Mar 24 15:05:30 2014 |
178 +++ new/sshd.c 2014-03-12 06:48:16.296909610 -0700 |
175 @@ -2126,9 +2126,23 @@ |
179 @@ -2041,9 +2041,23 @@ |
|
180 |
176 |
181 #ifdef GSSAPI |
177 #ifdef GSSAPI |
182 if (options.gss_authentication) { |
178 if (options.gss_authentication) { |
183 +#ifdef GSSAPI_STORECREDS_NEEDS_RUID |
179 +#ifdef GSSAPI_STORECREDS_NEEDS_RUID |
184 + if (setreuid(authctxt->pw->pw_uid, -1) != 0) { |
180 + if (setreuid(authctxt->pw->pw_uid, -1) != 0) { |