components/openssh/patches/005-openssh_krb5_build_fix.patch
author saurabh.vyas@oracle.com
Tue, 09 Jun 2015 22:31:26 -0700
changeset 4459 5a11150c7d2e
parent 1796 a2310ec32635
permissions -rw-r--r--
21203559 problem in SERVICE/HORIZON

#
# This is to work around an unresolved symbol problem with the Kerberos
# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
# is not supported on Solaris, because it violates API abstraction. This
# workaround disables storing of delegated credentials on the server side.
#
# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
# After that, function gss_krb5_copy_ccache() will be available in Solaris and
# the delegating credentials functionality will be made available using the
# upstream code.
#
--- orig/auth2-gss.c	Fri Mar 21 10:41:03 2014
+++ new/auth2-gss.c	Fri Mar 21 11:13:57 2014
@@ -47,6 +47,10 @@
 
 extern ServerOptions options;
 
+#ifdef KRB5_BUILD_FIX
+        extern gss_OID_set g_supported;
+#endif
+
 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
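Review bot: The `extern gss_OID_set g_supported;` declaration is written by hand in this .c file instead of coming from a shared header, so nothing checks it against the definition in sshd.c. Its guard also differs: `#ifdef KRB5_BUILD_FIX` here, `defined(KRB5_BUILD_FIX) && defined(GSSAPI)` at the definition. Unless this whole file is already compiled only under GSSAPI (not visible in the hunk), a KRB5_BUILD_FIX build without GSSAPI would reference a symbol that is never defined. I would move the declaration into a GSS header that both files include, under the same two-macro guard, and drop the stray indentation before `extern`.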
@@ -77,7 +81,13 @@
 		return (0);
 	}
 
+#ifdef KRB5_BUILD_FIX
+	/* use value obtained in privileged parent */
+	supported = g_supported;
+#else
 	ssh_gssapi_supported_oids(&supported);
+#endif
+
 	do {
 		mechs--;
 
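Review bot: `supported = g_supported;` makes the local an alias of the process-wide set, so anything the rest of this function does to `supported` now happens to `g_supported`; the function body continues outside the hunk. If the code after the loop still calls `gss_release_oid_set` on `supported`, the first GSSAPI attempt frees the set and leaves `g_supported` dangling for any later attempt on the same connection. In a build without privilege separation, the release added in the sshd.c `@@ -2120` hunk would then free it a second time. Under KRB5_BUILD_FIX the local release should be skipped, or this function should work on its own copy of the set. It is also worth rejecting `g_supported == GSS_C_NO_OID_SET` before the loop, since nothing visible guarantees the parent populated it.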
--- orig/configure	Fri Mar 21 10:41:03 2014
+++ new/configure	Fri Mar 21 11:02:11 2014
@@ -16634,6 +16634,12 @@
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 			fi
+
+			# Oracle Solaris
+			# OpenSSH is mixed-up gssapi AND krb5 aplication
+			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
+			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
+
 			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
 $as_echo_n "checking whether we are using Heimdal... " >&6; }
 			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--- orig/sshd.c	Fri Mar 21 10:41:03 2014
+++ new/sshd.c	Fri Mar 21 11:09:30 2014
@@ -259,6 +259,11 @@
 /* Unprivileged user */
 struct passwd *privsep_pw = NULL;
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+/* Temporary storing supported GSS mechs */
+gss_OID_set g_supported;
+#endif
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
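Review bot: The comment `/* Temporary storing supported GSS mechs */` does not say who fills, reads or frees `g_supported`, which a reader needs to know for a global shared between the privileged process and the privsep child. Going by the other hunks, something like `/* GSS mechs enumerated before privsep_preauth(); read in auth2-gss.c; released once authentication completes. */` would document the lifetime. It should also state that the consumer must not release the set.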
@@ -1407,6 +1412,10 @@
 	av = saved_argv;
 #endif
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+	OM_uint32 ms;
+#endif
+
 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
 		debug("setgroups(): %.200s", strerror(errno));
 
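Review bot: `OM_uint32 ms;` is declared after executable statements and roughly 700 lines before its only visible use, in the `@@ -2120` hunk, and the minor status it receives is never read. Scoping it at the call site keeps the declaration next to the use and avoids an unused-variable path if the release is later removed: `{ OM_uint32 ms; gss_release_oid_set(&ms, &g_supported); }`. The `#endif ` closing that later block also carries trailing whitespace. The enclosing function starts and ends outside this hunk.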
@@ -2083,6 +2092,11 @@
 	buffer_init(&loginmsg);
 	auth_debug_reset();
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+	/* collect gss mechs for later use in privsep child */
+	ssh_gssapi_supported_oids(&g_supported);
+#endif
+
 	if (use_privsep) {
 		if (privsep_preauth(authctxt) == 1)
 			goto authenticated;
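Review bot: `ssh_gssapi_supported_oids(&g_supported)` runs for every connection before the privsep split, whether or not GSSAPI authentication is enabled in the server configuration, which adds GSS library work to the privileged pre-authentication path even on servers that never offer the method. Gating it leaves that path unchanged for them: `if (options.gss_authentication) ssh_gssapi_supported_oids(&g_supported);`. With the gate, `g_supported` keeps its zero initial value when GSSAPI is off, so the consumer in auth2-gss.c and the later release must tolerate an empty set. Nothing in the hunk checks whether enumeration actually produced a set, so a debug log on an empty result would help diagnose failed GSS logins.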
@@ -2120,6 +2134,10 @@
 		startup_pipe = -1;
 	}
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+	gss_release_oid_set(&ms, &g_supported);
+#endif 
+
 #ifdef SSH_AUDIT_EVENTS
 	audit_event(SSH_AUTH_SUCCESS);
 #endif