2 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 #include <globus_gss_assist.h>
41 * Check if this user is OK to login under GSI. User has been authenticated
42 * as identity in global 'client_name.value' and is trying to log in as passed
45 * Returns non-zero if user is authorized, 0 otherwise.
48 ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
52 /* This returns 0 on success */
53 authorized = (globus_gss_assist_userok(client->name.value,
56 debug("GSI user %s is%s authorized as target user %s",
57 (char *) client->name.value,
58 (authorized ? "" : " not"),
65 * Handle setting up child environment for GSI.
67 * Make sure that this is called _after_ we've setuid to the user.
70 ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
72 OM_uint32 major_status;
73 OM_uint32 minor_status;
76 if (client->creds != NULL)
78 char *creds_env = NULL;
81 * This is the current hack with the GSI gssapi library to
82 * export credentials to disk.
85 debug("Exporting delegated credentials");
87 minor_status = 0xdee0; /* Magic value */
89 gss_inquire_cred(&minor_status,
91 (gss_name_t *) &creds_env,
96 if ((major_status == GSS_S_COMPLETE) &&
97 (minor_status == 0xdee1) &&
103 * String is of the form:
104 * X509_USER_DELEG_PROXY=filename
105 * so we parse out the filename
106 * and then set X509_USER_PROXY
109 value = strchr(creds_env, '=');
116 do_pam_putenv("X509_USER_PROXY",value);
118 client->store.filename=NULL;
119 client->store.envvar="X509_USER_PROXY";
120 client->store.envval=strdup(value);
126 log("Failed to parse delegated credentials string '%s'",
132 log("Failed to export delegated credentials (error %ld)",
138 ssh_gssapi_mech gssapi_gsi_mech_old = {
139 "N3+k7/4wGxHyuP8Yxi4RhA==",
141 {9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"}
143 &ssh_gssapi_gsi_userok,
145 &ssh_gssapi_gsi_storecreds
148 ssh_gssapi_mech gssapi_gsi_mech = {
149 "dZuIebMjgUqaxvbF7hDbAw==",
151 {9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"}
153 &ssh_gssapi_gsi_userok,
155 &ssh_gssapi_gsi_storecreds