check for existence of globus_gss_assist_map_and_authorize()
[gssapi-openssh.git] / openssh / auth-krb5.c
index a728ebac11042735dc259ac40a25073b45459332..bc37675a2486879b5ffdbe6e78556cca0dff092d 100644 (file)
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -54,9 +54,6 @@ krb5_init(void *context)
                problem = krb5_init_context(&authctxt->krb5_ctx);
                if (problem)
                        return (problem);
-#ifdef KRB5_INIT_ETS
-               krb5_init_ets(authctxt->krb5_ctx);
-#endif
        }
        return (0);
 }
@@ -67,16 +64,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 #ifndef HEIMDAL
        krb5_creds creds;
        krb5_principal server;
-       char ccname[40];
-       int tmpfd;
 #endif
        krb5_error_code problem;
        krb5_ccache ccache = NULL;
        int len;
 
-       if (!authctxt->valid)
-               return (0);
-
        temporarily_use_uid(authctxt->pw);
 
        problem = krb5_init(authctxt);
@@ -145,23 +137,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                goto out;
        }
 
-       snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-
-       if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-               logit("mkstemp(): %.100s", strerror(errno));
-               problem = errno;
-               goto out;
-       }
-
-       if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-               logit("fchmod(): %.100s", strerror(errno));
-               close(tmpfd);
-               problem = errno;
-               goto out;
-       }
-       close(tmpfd);
-
-       problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+       problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
        if (problem)
                goto out;
 
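Review bot: The `ssh_krb5_cc_gen()` call in this hunk is now reached for accounts where `authctxt->valid` is false, because the early `if (!authctxt->valid) return (0);` guard at the top of auth_krb5_password was removed. A principal whose password verifies but who is not a valid login therefore still gets a credential cache created, and the later hunk exports `KRB5CCNAME` to PAM, before the final `return (authctxt->valid ? 1 : 0);` reports failure. If that is only meant to keep the Kerberos exchange uniform for valid and invalid users, consider adding `if (!authctxt->valid) goto out;` just before this call. Otherwise, confirm that krb5_cleanup_proc destroys the cache on that path. The function body starts and ends outside this hunk, so the intervening lines may already handle this.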
@@ -180,8 +156,18 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
        len = strlen(authctxt->krb5_ticket_file) + 6;
        authctxt->krb5_ccname = xmalloc(len);
+#ifdef USE_CCAPI
+       snprintf(authctxt->krb5_ccname, len, "API:%s",
+           authctxt->krb5_ticket_file);
+#else
        snprintf(authctxt->krb5_ccname, len, "FILE:%s",
            authctxt->krb5_ticket_file);
+#endif
+
+#ifdef USE_PAM
+       if (options.use_pam)
+               do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
+#endif
 
  out:
        restore_uid();
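Review bot: The `+ 6` in `len = strlen(authctxt->krb5_ticket_file) + 6;` is sized for the `FILE:` prefix plus the terminator, and the new `USE_CCAPI` branch now shares it with the shorter `API:` prefix without saying so. A comment on that line such as `/* longest prefix "FILE:" (5) + NUL */` would stop the buffer being under-sized if another prefix is added later. The enclosing function continues outside this hunk.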
@@ -204,7 +190,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                else
                        return (0);
        }
-       return (1);
+       return (authctxt->valid ? 1 : 0);
 }
 
 void
@@ -225,4 +211,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
        }
 }
 
+#ifndef HEIMDAL
+krb5_error_code
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+       int ret;
+       char ccname[40];
+       mode_t old_umask;
+#ifdef USE_CCAPI
+       char cctemplate[] = "API:krb5cc_%d";
+#else
+       char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
+       int tmpfd;
+#endif
+
+       ret = snprintf(ccname, sizeof(ccname),
+           cctemplate, geteuid());
+       if (ret < 0 || (size_t)ret >= sizeof(ccname))
+               return ENOMEM;
+
+#ifndef USE_CCAPI
+       old_umask = umask(0177);
+       tmpfd = mkstemp(ccname + strlen("FILE:"));
+       umask(old_umask);
+       if (tmpfd == -1) {
+               logit("mkstemp(): %.100s", strerror(errno));
+               return errno;
+       }
+
+       if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+               logit("fchmod(): %.100s", strerror(errno));
+               close(tmpfd);
+               return errno;
+       }
+       close(tmpfd);
+#endif
+
+       return (krb5_cc_resolve(ctx, ccname, ccache));
+}
+#endif /* !HEIMDAL */
 #endif /* KRB5 */
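Review bot: Both error paths in the new ssh_krb5_cc_gen() read `errno` after calls that may overwrite it: `logit()` runs before `return errno;` in the mkstemp branch, and both `logit()` and `close(tmpfd)` run before it in the fchmod branch. If `errno` has been reset by then, the function can return the wrong code or even 0, and the caller would treat 0 as success with `*ccache` never resolved. Saving `errno` into a local immediately after the failing call fixes this. The fchmod failure path also leaves the freshly created file behind in /tmp, so it should be unlinked there.

```c
#else
	char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
	int tmpfd, saved_errno;
#endif
	/* … unchanged: snprintf() of ccname and truncation check … */
	if (tmpfd == -1) {
		saved_errno = errno;	/* logit() may overwrite errno */
		logit("mkstemp(): %.100s", strerror(saved_errno));
		return saved_errno;
	}

	if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
		saved_errno = errno;
		logit("fchmod(): %.100s", strerror(saved_errno));
		close(tmpfd);
		/* do not leave the empty cache file behind */
		unlink(ccname + strlen("FILE:"));
		return saved_errno;
	}
	/* … unchanged: close(tmpfd), #endif, krb5_cc_resolve() … */
```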