andersk Git - gssapi-openssh.git/blame_incremental

... / ...

Commit	Line	Data
	1	/*
	2	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
	27	#ifdef GSSAPI
	28	#ifdef GSI
	29
	30	#include <sys/types.h>
	31
	32	#include <stdarg.h>
	33	#include <string.h>
	34
	35	#include "xmalloc.h"
	36	#include "key.h"
	37	#include "hostfile.h"
	38	#include "auth.h"
	39	#include "log.h"
	40	#include "servconf.h"
	41
	42	#include "buffer.h"
	43	#include "ssh-gss.h"
	44
	45	extern ServerOptions options;
	46
	47	#include <globus_gss_assist.h>
	48
	49	static int ssh_gssapi_gsi_userok(ssh_gssapi_client client, char name);
	50	static int ssh_gssapi_gsi_localname(ssh_gssapi_client client, char *user);
	51	static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
	52	static void ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store,
	53	ssh_gssapi_client *client);
	54
	55	ssh_gssapi_mech gssapi_gsi_mech = {
	56	"dZuIebMjgUqaxvbF7hDbAw==",
	57	"GSI",
	58	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
	59	NULL,
	60	&ssh_gssapi_gsi_userok,
	61	&ssh_gssapi_gsi_localname,
	62	&ssh_gssapi_gsi_storecreds,
	63	&ssh_gssapi_gsi_updatecreds
	64	};
	65
	66	/*
	67	* Check if this user is OK to login under GSI. User has been authenticated
	68	* as identity in global 'client_name.value' and is trying to log in as passed
	69	* username in 'name'.
	70	*
	71	* Returns non-zero if user is authorized, 0 otherwise.
	72	*/
	73	static int
	74	ssh_gssapi_gsi_userok(ssh_gssapi_client client, char name)
	75	{
	76	int authorized = 0;
	77	globus_result_t res;
	78	#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
	79	char lname[256] = "";
	80	#endif
	81
	82	#ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
	83	if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
	84	return 0;
	85	}
	86	#endif
	87
	88	/* use new globus_gss_assist_map_and_authorize() interface if available */
	89	#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
	90	debug("calling globus_gss_assist_map_and_authorize()");
	91	if (GLOBUS_SUCCESS !=
	92	(res = globus_gss_assist_map_and_authorize(client->context, "ssh",
	93	name, lname, 256))) {
	94	debug("%s", globus_error_print_chain(globus_error_get(res)));
	95	} else if (lname && lname[0] && strcmp(name, lname) != 0) {
	96	debug("GSI user maps to %s, not %s", lname, name);
	97	} else {
	98	authorized = 1;
	99	}
	100	#else
	101	debug("calling globus_gss_assist_userok()");
	102	if (GLOBUS_SUCCESS !=
	103	(res = (globus_gss_assist_userok(client->displayname.value,
	104	name)))) {
	105	debug("%s", globus_error_print_chain(globus_error_get(res)));
	106	} else {
	107	authorized = 1;
	108	}
	109	#endif
	110
	111	logit("GSI user %s is%s authorized as target user %s",
	112	(char *) client->displayname.value, (authorized ? "" : " not"), name);
	113
	114	return authorized;
	115	}
	116
	117	/*
	118	* Return the local username associated with the GSI credentials.
	119	*/
	120	int
	121	ssh_gssapi_gsi_localname(ssh_gssapi_client client, char *user)
	122	{
	123	globus_result_t res;
	124	#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
	125	char lname[256] = "";
	126	#endif
	127
	128	#ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
	129	if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
	130	return 0;
	131	}
	132	#endif
	133
	134	/* use new globus_gss_assist_map_and_authorize() interface if available */
	135	#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
	136	debug("calling globus_gss_assist_map_and_authorize()");
	137	if (GLOBUS_SUCCESS !=
	138	(res = globus_gss_assist_map_and_authorize(client->context, "ssh",
	139	NULL, lname, 256))) {
	140	debug("%s", globus_error_print_chain(globus_error_get(res)));
	141	logit("failed to map GSI user %s", (char *)client->displayname.value);
	142	return 0;
	143	}
	144	*user = strdup(lname);
	145	#else
	146	debug("calling globus_gss_assist_gridmap()");
	147	if (GLOBUS_SUCCESS !=
	148	(res = globus_gss_assist_gridmap(client->displayname.value, user))) {
	149	debug("%s", globus_error_print_chain(globus_error_get(res)));
	150	logit("failed to map GSI user %s", (char *)client->displayname.value);
	151	return 0;
	152	}
	153	#endif
	154
	155	logit("GSI user %s mapped to target user %s",
	156	(char ) client->displayname.value, user);
	157
	158	return 1;
	159	}
	160
	161	/*
	162	* Export GSI credentials to disk.
	163	*/
	164	static void
	165	ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
	166	{
	167	OM_uint32 major_status;
	168	OM_uint32 minor_status;
	169	gss_buffer_desc export_cred = GSS_C_EMPTY_BUFFER;
	170	char * p;
	171
	172	if (!client \|\| !client->creds) {
	173	return;
	174	}
	175
	176	major_status = gss_export_cred(&minor_status,
	177	client->creds,
	178	GSS_C_NO_OID,
	179	1,
	180	&export_cred);
	181	if (GSS_ERROR(major_status) && major_status != GSS_S_UNAVAILABLE) {
	182	Gssctxt *ctx;
	183	ssh_gssapi_build_ctx(&ctx);
	184	ctx->major = major_status;
	185	ctx->minor = minor_status;
	186	ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
	187	ssh_gssapi_error(ctx);
	188	ssh_gssapi_delete_ctx(&ctx);
	189	return;
	190	}
	191
	192	p = strchr((char *) export_cred.value, '=');
	193	if (p == NULL) {
	194	logit("Failed to parse exported credentials string '%.100s'",
	195	(char *)export_cred.value);
	196	gss_release_buffer(&minor_status, &export_cred);
	197	return;
	198	}
	199	*p++ = '\0';
	200	if (strcmp((char *)export_cred.value,"X509_USER_DELEG_PROXY") == 0) {
	201	client->store.envvar = strdup("X509_USER_PROXY");
	202	} else {
	203	client->store.envvar = strdup((char *)export_cred.value);
	204	}
	205	if (access(p, R_OK) == 0) {
	206	if (client->store.filename) {
	207	if (rename(p, client->store.filename) < 0) {
	208	logit("Failed to rename %s to %s: %s", p,
	209	client->store.filename, strerror(errno));
	210	xfree(client->store.filename);
	211	client->store.filename = strdup(p);
	212	} else {
	213	p = client->store.filename;
	214	}
	215	} else {
	216	client->store.filename = strdup(p);
	217	}
	218	}
	219	client->store.envval = strdup(p);
	220	#ifdef USE_PAM
	221	if (options.use_pam)
	222	do_pam_putenv(client->store.envvar, client->store.envval);
	223	#endif
	224	gss_release_buffer(&minor_status, &export_cred);
	225	}
	226
	227	/*
	228	* Export updated GSI credentials to disk.
	229	*/
	230	static int
	231	ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache store,ssh_gssapi_client client)
	232	{
	233	ssh_gssapi_gsi_storecreds(client);
	234	return 1;
	235	}
	236
	237	#endif /* GSI */
	238	#endif /* GSSAPI */