1 /*
2  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24
25 #include "includes.h"
26
27 #ifdef GSSAPI
28 #ifdef GSI
29
30 #include "auth.h"
31 #include "auth-pam.h"
32 #include "xmalloc.h"
33 #include "log.h"
34 #include "servconf.h"
35
36 #include "ssh-gss.h"
37
38 #include <globus_gss_assist.h>
39
/*
 * Decide whether the GSI-authenticated principal held in client->name may
 * log in as the local account 'name'.  The decision itself is delegated to
 * globus_gss_assist_userok(), which reports success as 0; this wrapper
 * only converts that convention to OpenSSH's "non-zero means authorized"
 * and records the outcome in the debug log.
 *
 * Returns non-zero if the login is authorized, 0 otherwise.
 */
static int
ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
{
	char *principal = (char *) client->name.value;
	int rc = globus_gss_assist_userok(principal, name);
	int ok = (rc == 0);

	debug("GSI user %s is%s authorized as target user %s",
	    principal, ok ? "" : " not", name);

	return ok;
}
63
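/*
 * Hand the delegated GSI credentials to the user's session.
 *
 * The GSI gssapi library exports delegated credentials to a file on disk.
 * The only way this code has to learn that file name is the
 * gss_inquire_cred() hack below: calling it with the magic minor_status
 * 0xdee0 appears to make the library return a string of the form
 * "X509_USER_DELEG_PROXY=<filename>" through the name output and set
 * minor_status to 0xdee1.  The file name is then exposed to the session as
 * X509_USER_PROXY: through PAM when available, and always through
 * client->store so the caller can place it in the child's environment.
 *
 * Must be called _after_ we've setuid to the target user: the environment
 * and the credential file it points at belong to that user.
 *
 * Failures are logged and otherwise ignored; the login proceeds without
 * delegated credentials.
 */
static void
ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
{
	OM_uint32 major_status;
	OM_uint32 minor_status;
	char *creds_env = NULL;
	char *value;

	if (client->creds == NULL)
		return;

	debug("Exporting delegated credentials");

	/* Magic value: asks the GSI library for the exported file name. */
	minor_status = 0xdee0;
	major_status = gss_inquire_cred(&minor_status, client->creds,
	    (gss_name_t *) &creds_env, NULL, NULL, NULL);

	if (major_status != GSS_S_COMPLETE || minor_status != 0xdee1 ||
	    creds_env == NULL) {
		/* OM_uint32 is unsigned; cast so the format matches. */
		log("Failed to export delegated credentials (error %lu)",
		    (unsigned long) major_status);
		return;
	}

	/*
	 * String is of the form X509_USER_DELEG_PROXY=filename; split it
	 * at the '=' and point X509_USER_PROXY at the filename.
	 *
	 * NOTE(review): creds_env is never released here; the library's
	 * ownership of this string is unclear from this file — confirm
	 * before adding a gss_release_name() call.
	 */
	value = strchr(creds_env, '=');
	if (value == NULL) {
		log("Failed to parse delegated credentials string '%s'",
		    creds_env);
		return;
	}
	*value++ = '\0';

#ifdef USE_PAM
	do_pam_putenv("X509_USER_PROXY", value);
#endif
	client->store.filename = NULL;
	client->store.envvar = "X509_USER_PROXY";
	/* xstrdup() (xmalloc.h) fatal()s on allocation failure, so envval
	 * can never be left NULL alongside a set envvar. */
	client->store.envval = xstrdup(value);
}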
137
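/*
 * GSI mechanism descriptor, legacy variant.  It differs from
 * gssapi_gsi_mech only in the first (base64) field — presumably the
 * encoded mechanism name used in older key-exchange method names; confirm
 * against ssh-gss.h.  Positional initializer: the order follows the
 * ssh_gssapi_mech layout (encoded name, display name, OID, then the
 * dh_init, userok, localname and storecreds hooks, NULL where GSI
 * provides none).
 */
ssh_gssapi_mech gssapi_gsi_mech_old = {
	"N3+k7/4wGxHyuP8Yxi4RhA==",
	"GSI",
	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
	NULL,
	&ssh_gssapi_gsi_userok,
	NULL,
	&ssh_gssapi_gsi_storecreds
};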
147
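/*
 * GSI mechanism descriptor registered with the server's GSSAPI mechanism
 * table.  Positional initializer: the order follows the ssh_gssapi_mech
 * layout (encoded name, display name, OID, then the dh_init, userok,
 * localname and storecreds hooks, NULL where GSI provides none) — confirm
 * against ssh-gss.h if the struct changes.
 */
ssh_gssapi_mech gssapi_gsi_mech = {
	"dZuIebMjgUqaxvbF7hDbAw==",
	"GSI",
	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
	NULL,
	&ssh_gssapi_gsi_userok,
	NULL,
	&ssh_gssapi_gsi_storecreds
};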
157
158 #endif /* GSI */
159 #endif /* GSSAPI */