|
1 # |
|
2 # This patch modifies code for storing delegated GSS-API credentials to work |
|
3 # with Solaris Kerberos. |
|
4 # |
|
5 # Default credential cache is used instead of per-session credentials cache |
|
6 # because on Solaris gssd cannot use credentials from non-default cred store. |
|
7 # A downside of this solution is that the default credential cache file |
|
8 # cannot be deleted upon logout and hence GSSAPICleanupCredentials is |
|
9 # unsupported for now. |
|
10 # |
|
11 # To store the credentials a standardized GSS-API function gss_store_cred() is |
|
12 # used instead of gss_krb5_copy_ccache(), because (unlike MIT Kerberos |
|
13 # libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism |
|
14 # directly built in the library and this function is not directly accessible. |
|
15 # |
|
16 # The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED |
|
17 # and GSSAPI_STORECREDS_NEEDS_RUID macros. |
|
18 # |
|
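--- orig/config.h.in Fri Mar 21 11:42:17 2014
+++ new/config.h.in Fri Mar 21 11:46:26 2014
@@ -1616,6 +1616,12 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
+/* Store delegated credentials in default cred. store using gss_store_cred */
+#undef USE_GSS_STORE_CRED
+
+/* Set real uid prior to storing delegated credentials */
+#undef GSSAPI_STORECREDS_NEEDS_RUID
+
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 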
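--- orig/configure Fri Mar 21 11:42:24 2014
+++ new/configure Fri Mar 21 11:49:51 2014
@@ -7797,6 +7797,9 @@
 
 fi
 
+ $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
+ $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
+
 TEST_SHELL=$SHELL # let configure find us a capable shell
 ;;
 *-*-sunos4*)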
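--- orig/configure.ac Fri Mar 21 11:42:28 2014
+++ new/configure.ac Fri Mar 21 16:32:28 2014
@@ -866,6 +866,8 @@
 ],
 )
 TEST_SHELL=$SHELL # let configure find us a capable shell
+ AC_DEFINE([USE_GSS_STORE_CRED])
+ AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
 ;;
 *-*-sunos4*)
 CPPFLAGS="$CPPFLAGS -DSUNOS4"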
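--- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014
+++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014
@@ -109,7 +109,7 @@
 return retval;
 }
 
-
+#ifndef USE_GSS_STORE_CRED
 /* This writes out any forwarded credentials from the structure populated
 * during userauth. Called after we have setuid to the user */
 
@@ -195,6 +195,7 @@
 
 return;
 }
+#endif /* #ifndef USE_GSS_STORE_CRED */
 
 ssh_gssapi_mech gssapi_kerberos_mech = {
 "toWM5Slw5Ew8Mqkay+al2g==",
@@ -203,7 +204,11 @@
 NULL,
 &ssh_gssapi_krb5_userok,
 NULL,
+#ifdef USE_GSS_STORE_CRED
+ NULL
+#else
 &ssh_gssapi_krb5_storecreds
+#endif
 };
 
 #endif /* KRB5 */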
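--- orig/gss-serv.c Fri Mar 21 11:42:53 2014
+++ new/gss-serv.c Fri Mar 21 15:59:43 2014
@@ -292,6 +292,9 @@
 void
 ssh_gssapi_cleanup_creds(void)
 {
+#ifdef USE_GSS_STORE_CRED
+ debug("removing gssapi cred file not implemented");
+#else
 if (gssapi_client.store.filename != NULL) {
 /* Unlink probably isn't sufficient */
 debug("removing gssapi cred file\"%s\"",
@@ -298,6 +301,7 @@
 gssapi_client.store.filename);
 unlink(gssapi_client.store.filename);
 }
+#endif /* USE_GSS_STORE_CRED */
 }
 
 /* As user */
@@ -304,10 +308,50 @@
 void
 ssh_gssapi_storecreds(void)
 {
+#ifdef USE_GSS_STORE_CRED
+ OM_uint32 maj_status, min_status;
+
+ if (gssapi_client.creds == NULL) {
+ debug("No credentials stored");
+ return;
+ }
+
+ maj_status = gss_store_cred(&min_status, gssapi_client.creds,
+ GSS_C_INITIATE, &gssapi_client.mech->oid, 1, 1, NULL, NULL);
+
+ if (GSS_ERROR(maj_status)) {
+ Buffer b;
+ gss_buffer_desc msg;
+ OM_uint32 lmin;
+ OM_uint32 more = 0;
+ buffer_init(&b);
+ /* GSS-API error */
+ do {
+ gss_display_status(&lmin, maj_status, GSS_C_GSS_CODE,
+ GSS_C_NULL_OID, &more, &msg);
+ buffer_append(&b, msg.value, msg.length);
+ buffer_put_char(&b, '\n');
+ gss_release_buffer(&lmin, &msg);
+ } while (more != 0);
+ /* Mechanism specific error */
+ do {
+ gss_display_status(&lmin, min_status, GSS_C_MECH_CODE,
+ &gssapi_client.mech->oid, &more, &msg);
+ buffer_append(&b, msg.value, msg.length);
+ buffer_put_char(&b, '\n');
+ gss_release_buffer(&lmin, &msg);
+ } while (more != 0);
+ buffer_put_char(&b, '\0');
+ error("GSS-API error while storing delegated credentials: %s",
+ buffer_ptr(&b));
+ buffer_free(&b);
+ }
+#else /* #ifdef USE_GSS_STORE_CRED */
 if (gssapi_client.mech && gssapi_client.mech->storecreds) {
 (*gssapi_client.mech->storecreds)(&gssapi_client);
 } else
 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+#endif /* #ifdef USE_GSS_STORE_CRED */
 }
 
 /* This allows GSSAPI methods to do things to the childs environment based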
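Review bot: In the new `#ifdef USE_GSS_STORE_CRED` branch of ssh_gssapi_storecreds(), `&gssapi_client.mech->oid` is dereferenced after only `gssapi_client.creds == NULL` has been checked, while the `#else` branch it replaces keeps the `gssapi_client.mech &&` guard; make the early return `if (gssapi_client.creds == NULL || gssapi_client.mech == NULL) {` so a credential handle without a resolved mechanism cannot null-dereference in the privileged process. The `1, 1` arguments to gss_store_cred() are overwrite_cred and default_cred, meaning the call replaces whatever the user's default credential cache already holds, and because ssh_gssapi_cleanup_creds() is now a no-op under this macro that replacement outlives the session; that deserves a comment on the call, e.g. `/* overwrite_cred=1, default_cred=1: replaces the user's default ccache */`, and a sentence in the patch header, which only notes that the cache is not removed. The return values of the two gss_display_status() calls are ignored, so on a display failure `msg.value`/`msg.length` may be appended to the buffer without having been set by the library; checking the major status before each `buffer_append()` avoids that.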
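--- orig/servconf.c Fri Mar 21 11:43:02 2014
+++ new/servconf.c Fri Mar 21 16:02:54 2014
@@ -409,7 +409,11 @@
 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+#ifdef USE_GSS_STORE_CRED
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+#else /* USE_GSS_STORE_CRED */
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+#endif /* USE_GSS_STORE_CRED */
 #else
 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },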
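Review bot: Mapping `gssapicleanupcredentials` to `sUnsupported` under USE_GSS_STORE_CRED means an administrator who sets the option explicitly gets only the generic unsupported-option handling and no hint as to why delegated credentials now stay on disk after logout; a comment at the `#ifdef USE_GSS_STORE_CRED` line, such as `/* gss_store_cred() writes the default ccache, which is never removed; see ssh_gssapi_cleanup_creds() */`, would point at the cause. If the `sGssCleanupCreds` entry in the config-dump code elsewhere in this file is left unchanged, `sshd -T` will presumably still report `gssapicleanupcredentials yes` on such a build even though the option has no effect, which is worth checking so operators are not misled about cleanup behaviour.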
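--- orig/sshd.c Fri Mar 21 11:43:08 2014
+++ new/sshd.c Mon Mar 24 15:05:30 2014
@@ -2126,9 +2126,23 @@
 
 #ifdef GSSAPI
 if (options.gss_authentication) {
+#ifdef GSSAPI_STORECREDS_NEEDS_RUID
+ if (setreuid(authctxt->pw->pw_uid, -1) != 0) {
+ debug("setreuid %u: %.100s",
+ (u_int) authctxt->pw->pw_uid, strerror(errno));
+ goto bail_storecred;
+ }
+#endif
 temporarily_use_uid(authctxt->pw);
 ssh_gssapi_storecreds();
 restore_uid();
+#ifdef GSSAPI_STORECREDS_NEEDS_RUID
+ if (setuid(geteuid()) != 0) {
+ fatal("setuid %u: %.100s", (u_int) geteuid(),
+ strerror(errno));
+ }
+ bail_storecred: ;
+#endif
 }
 #endif
 #ifdef USE_PAM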
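Review bot: When `setreuid(authctxt->pw->pw_uid, -1)` fails, the whole credential-store step is skipped via `goto bail_storecred` with only a debug() message, so the user's delegated credentials are discarded without anything at the default log level; `error("setreuid %u: %.100s", (u_int) authctxt->pw->pw_uid, strerror(errno));` would make the dropped delegation visible, especially since the matching setuid() failure a few lines down is already fatal(). The reason for touching the real uid at all lives only in the patch header, so state it where the reader meets the call: `/* Solaris gssd selects the default ccache by real uid, so switch ruid around ssh_gssapi_storecreds() */`. `setuid(geteuid())` resets all three uids to root only if restore_uid() has already returned the effective uid to 0, which appears to be the intent but is not visible in the hunk; a comment recording that precondition would help the next reader of this privileged path. The enclosing function (main) starts and ends outside the hunk.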