PSARC 2012/335 OpenSSH migration
PSARC 2013/115 Shared configuration for SunSSH & OpenSSH
PSARC 2014/078 OpenSSH 6.5
PSARC 2014/342 pam_unix_session lastlog support
15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate
18205826 upgrade OpenSSH to 6.5p1
19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does
18267729 Delegating credentials in OpenSSH
18828925 migrate the disablebanner feature from SunSSH to OpenSSH
18890096 migrate PAM enhancements from SunSSH to OpenSSH
19629847 OpenSSH does not support Solaris Audit for login/logout.
17997193 misc. problems in Makefile and openssh.p5m
18268681 openssh has non-existent /usr/local/lib in its runpath
18528305 /var/empty should be delivered readonly
19034156 PAM coversation function for passwd auth method has an incorrect assumption
19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd()
19517432 OpenSSH does not update utmpx on login
19570656 GSSAPIAuthentication option should default to yes
19591379 X11Forwarding and ForwardX11Trusted should default to yes
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
18898794 ssh connections fail with openssh, same config works with sunssh
20549448 OpenSSH X86 server core dump at audit_event
20656125 OpenSSH ed25519 algorithm signature verification failure
18435439 problem in UTILITY/OPENSSH
18491957 problem in UTILITY/OPENSSH
#
# This patch modifies code for storing delegated GSS-API credentials to work
# with Solaris Kerberos.
#
# Default credential cache is used instead of per-session credentials cache
# because on Solaris gssd cannot use credentials from non-default cred store.
# A downside of this solution is that the default credential cache file
# cannot be deleted upon logout, and hence GSSAPICleanupCredentials is
# unsupported for now.
#
# To store the credentials a standardized GSS-API function gss_store_cred() is
# used instead of gss_krb5_copy_ccache(), because (unlike MIT Kerberos
# libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism
# directly built in the library and this function is not directly accessible.
#
# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
# and GSSAPI_STORECREDS_NEEDS_RUID macros.
#
--- orig/config.h.in Fri Mar 21 11:42:17 2014
+++ new/config.h.in Fri Mar 21 11:46:26 2014
@@ -1616,6 +1616,12 @@
/* Use btmp to log bad logins */
#undef USE_BTMP
+/* Store delegated credentials in default cred. store using gss_store_cred */
+#undef USE_GSS_STORE_CRED
+
+/* Set real uid prior to storing delegated credentials */
+#undef GSSAPI_STORECREDS_NEEDS_RUID
+
/* Use libedit for sftp */
#undef USE_LIBEDIT
--- orig/configure Fri Mar 21 11:42:24 2014
+++ new/configure Fri Mar 21 11:49:51 2014
@@ -7797,6 +7797,9 @@
fi
+ $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
+ $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
+
TEST_SHELL=$SHELL # let configure find us a capable shell
;;
*-*-sunos4*)
--- orig/configure.ac Fri Mar 21 11:42:28 2014
+++ new/configure.ac Fri Mar 21 16:32:28 2014
@@ -866,6 +866,8 @@
],
)
TEST_SHELL=$SHELL # let configure find us a capable shell
+ AC_DEFINE([USE_GSS_STORE_CRED])
+ AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
;;
*-*-sunos4*)
CPPFLAGS="$CPPFLAGS -DSUNOS4"
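Review bot: `AC_DEFINE([USE_GSS_STORE_CRED])` and `AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])` carry no value or description argument, so the two `#undef` templates added by hand to config.h.in in the earlier hunk would be dropped the next time autoheader regenerates that file. Passing the description through AC_DEFINE keeps the two in sync: `AC_DEFINE([USE_GSS_STORE_CRED], [1], [Store delegated credentials in default cred. store using gss_store_cred])` and `AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID], [1], [Set real uid prior to storing delegated credentials])`. Whether this tree ever re-runs autoheader at build time is not visible here, so this may be a latent rather than an immediate problem.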
--- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014
+++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014
@@ -109,7 +109,7 @@
return retval;
}
-
+#ifndef USE_GSS_STORE_CRED
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
@@ -195,6 +195,7 @@
return;
}
+#endif /* #ifndef USE_GSS_STORE_CRED */
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
@@ -203,7 +204,11 @@
NULL,
&ssh_gssapi_krb5_userok,
NULL,
+#ifdef USE_GSS_STORE_CRED
+ NULL
+#else
&ssh_gssapi_krb5_storecreds
+#endif
};
#endif /* KRB5 */
--- orig/gss-serv.c Fri Mar 21 11:42:53 2014
+++ new/gss-serv.c Fri Mar 21 15:59:43 2014
@@ -292,6 +292,9 @@
void
ssh_gssapi_cleanup_creds(void)
{
+#ifdef USE_GSS_STORE_CRED
+ debug("removing gssapi cred file not implemented");
+#else
if (gssapi_client.store.filename != NULL) {
/* Unlink probably isn't sufficient */
debug("removing gssapi cred file\"%s\"",
@@ -298,6 +301,7 @@
gssapi_client.store.filename);
unlink(gssapi_client.store.filename);
}
+#endif /* USE_GSS_STORE_CRED */
}
/* As user */
@@ -304,10 +308,50 @@
void
ssh_gssapi_storecreds(void)
{
+#ifdef USE_GSS_STORE_CRED
+ OM_uint32 maj_status, min_status;
+
+ if (gssapi_client.creds == NULL) {
+ debug("No credentials stored");
+ return;
+ }
+
+ maj_status = gss_store_cred(&min_status, gssapi_client.creds,
+ GSS_C_INITIATE, &gssapi_client.mech->oid, 1, 1, NULL, NULL);
+
+ if (GSS_ERROR(maj_status)) {
+ Buffer b;
+ gss_buffer_desc msg;
+ OM_uint32 lmin;
+ OM_uint32 more = 0;
+ buffer_init(&b);
+ /* GSS-API error */
+ do {
+ gss_display_status(&lmin, maj_status, GSS_C_GSS_CODE,
+ GSS_C_NULL_OID, &more, &msg);
+ buffer_append(&b, msg.value, msg.length);
+ buffer_put_char(&b, '\n');
+ gss_release_buffer(&lmin, &msg);
+ } while (more != 0);
+ /* Mechanism specific error */
+ do {
+ gss_display_status(&lmin, min_status, GSS_C_MECH_CODE,
+ &gssapi_client.mech->oid, &more, &msg);
+ buffer_append(&b, msg.value, msg.length);
+ buffer_put_char(&b, '\n');
+ gss_release_buffer(&lmin, &msg);
+ } while (more != 0);
+ buffer_put_char(&b, '\0');
+ error("GSS-API error while storing delegated credentials: %s",
+ buffer_ptr(&b));
+ buffer_free(&b);
+ }
+#else /* #ifdef USE_GSS_STORE_CRED */
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
(*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+#endif /* #ifdef USE_GSS_STORE_CRED */
}
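Review bot: In the USE_GSS_STORE_CRED branch of ssh_gssapi_storecreds, `gssapi_client.mech` is dereferenced in the `gss_store_cred()` call and again in the mechanism-error loop, but only `gssapi_client.creds` is tested for NULL, whereas the #else branch it replaces guards on `gssapi_client.mech` first; extending the early return to `if (gssapi_client.creds == NULL || gssapi_client.mech == NULL) {` keeps the two builds equally defensive. The bare `1, 1` arguments are gss_store_cred's overwrite_cred and default_cred flags and deserve a comment, since replacing the user's default credential cache is the trade-off the patch header describes: `/* overwrite_cred=1, default_cred=1: replace the user's default ccache (see patch header) */`. The return value of `gss_display_status()` is not checked in either loop, so if it fails `msg` may be appended without having been set; breaking out of the loop on `GSS_ERROR()` would be safer. The surrounding error-reporting loops duplicate what gss-genr.c already does for other GSS errors, so a shared helper may be worth considering.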
/* This allows GSSAPI methods to do things to the childs environment based
--- orig/servconf.c Fri Mar 21 11:43:02 2014
+++ new/servconf.c Fri Mar 21 16:02:54 2014
@@ -409,7 +409,11 @@
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+#ifdef USE_GSS_STORE_CRED
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+#else /* USE_GSS_STORE_CRED */
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+#endif /* USE_GSS_STORE_CRED */
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
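Review bot: Mapping `gssapicleanupcredentials` to sUnsupported under USE_GSS_STORE_CRED means an existing sshd_config that sets GSSAPICleanupCredentials is now accepted with only the generic unsupported-option log line, while the ssh_gssapi_cleanup_creds() hunk in gss-serv.c reduces cleanup to a debug message, so delegated credentials remain in the user's default cache after logout. That trade-off is explained only in the patch header; a comment beside the entry, `/* USE_GSS_STORE_CRED: creds live in the default ccache and are not removed at logout */`, and a matching note in the sshd_config man page would make it visible to administrators. The gss-serv.c debug text `removing gssapi cred file not implemented` would also describe the situation more accurately as `delegated credentials are in the default ccache and are not removed at logout`.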
--- orig/sshd.c Fri Mar 21 11:43:08 2014
+++ new/sshd.c Mon Mar 24 15:05:30 2014
@@ -2126,9 +2126,23 @@
#ifdef GSSAPI
if (options.gss_authentication) {
+#ifdef GSSAPI_STORECREDS_NEEDS_RUID
+ if (setreuid(authctxt->pw->pw_uid, -1) != 0) {
+ debug("setreuid %u: %.100s",
+ (u_int) authctxt->pw->pw_uid, strerror(errno));
+ goto bail_storecred;
+ }
+#endif
temporarily_use_uid(authctxt->pw);
ssh_gssapi_storecreds();
restore_uid();
+#ifdef GSSAPI_STORECREDS_NEEDS_RUID
+ if (setuid(geteuid()) != 0) {
+ fatal("setuid %u: %.100s", (u_int) geteuid(),
+ strerror(errno));
+ }
+ bail_storecred: ;
+#endif
}
#endif
#ifdef USE_PAM
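Review bot: The `setuid(geteuid())` after restore_uid() reads as a no-op and needs a comment saying what it undoes: the earlier `setreuid(authctxt->pw->pw_uid, -1)` leaves the real uid as the user's while the effective uid stays root, and once restore_uid() has put the effective uid back to root, `setuid(geteuid())` propagates root to the real and saved uids again, e.g. `/* ruid was set to the user above; euid is root again, so propagate it to all uids */`. On the setreuid failure path the delegated credentials are quietly not stored and the user logs in without them, so `error()` rather than `debug()` seems the better level for that message. While the real uid is the user's, the still-privileged child may be signalable by that user's other processes on systems whose kill() permission check looks at the real uid, so the window between the two calls should stay as small as it is here and nothing else should be added inside it. The enclosing function starts and ends outside the hunk.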