merging OPENSSH_5_2P1_SIMON_20090726_HPN13V6 to trunk:

[gssapi-openssh.git] / openssh / auth2-gss.c
diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c

index fab7cc239964b6c759f26f64558638763a5c023a..1db62c438bad6e035735e5522ccb8ae31ce9ed82 100644 (file)
--- a/openssh/auth2-gss.c
+++ b/openssh/auth2-gss.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: auth2-gss.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
  
  /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
@@ -62,7 +62,7 @@ userauth_external(Authctxt *authctxt)
          packet_check_eom();
  
         if (authctxt->valid && authctxt->user && authctxt->user[0]) {
-               return(PRIVSEP(ssh_gssapi_userok(authctxt->user)));
+               return(PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)));
         }
         return 0;
  }
@@ -102,7 +102,8 @@ userauth_gsskeyex(Authctxt *authctxt)
             !GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
                                                    &gssbuf2, &mic)))) {
             if (authctxt->valid && authctxt->user && authctxt->user[0]) {
-               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+            authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                                                      authctxt->pw));
             }
         }
         
@@ -287,29 +288,28 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
  }
  
  static void
-gssapi_set_implicit_username(Authctxt *authctxt)
+gssapi_set_username(Authctxt *authctxt)
  {
+    char *lname = NULL;
+
      if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
-       char *lname = NULL;
-       PRIVSEP(ssh_gssapi_localname(&lname));
-       if (lname && lname[0] != '\0') {
-           if (authctxt->user) xfree(authctxt->user);
-           authctxt->user = lname;
-           debug("set username to %s from gssapi context", lname);
-           authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
-           if (authctxt->pw) {
-               authctxt->valid = 1;
-           }
-       } else {
-           debug("failed to set username from gssapi context");
-           packet_send_debug("failed to set username from gssapi context");
-       }
-    }
-    if (authctxt->pw) {
+        PRIVSEP(ssh_gssapi_localname(&lname));
+        if (lname && lname[0] != '\0') {
+            if (authctxt->user) xfree(authctxt->user);
+            authctxt->user = lname;
+            debug("set username to %s from gssapi context", lname);
+            authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
+            if (authctxt->pw) {
+                authctxt->valid = 1;
  #ifdef USE_PAM
-       if (options.use_pam)
-               PRIVSEP(start_pam(authctxt));
+                if (options.use_pam)
+                    PRIVSEP(start_pam(authctxt));
  #endif
+            }
+        } else {
+            debug("failed to set username from gssapi context");
+            packet_send_debug("failed to set username from gssapi context");
+        }
      }
  }
  
@@ -329,7 +329,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
         if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
                 fatal("No authentication or GSSAPI context");
  
-       gssapi_set_implicit_username(authctxt);
+       gssapi_set_username(authctxt);
  
         gssctxt = authctxt->methoddata;
  
@@ -342,7 +342,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
  
         /* user should be set if valid but we double-check here */
         if (authctxt->valid && authctxt->user && authctxt->user[0]) {
-           authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+           authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                                                  authctxt->pw));
         } else {
             authenticated = 0;
         }
@@ -383,8 +384,6 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
                 fatal("No authentication or GSSAPI context");
  
-       gssapi_set_implicit_username(authctxt);
-
         gssctxt = authctxt->methoddata;
  
         mic.value = packet_get_string(&len);
@@ -396,11 +395,14 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         gssbuf.value = buffer_ptr(&b);
         gssbuf.length = buffer_len(&b);
  
+    gssapi_set_username(authctxt);
+
         if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
             if (authctxt->valid && authctxt->user && authctxt->user[0]) {
-               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+            authenticated =
+                PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
             } else {
-               authenticated = 0;
+            authenticated = 0;
             }
         else
                 logit("GSSAPI MIC check failed");