merged OPENSSH_5_2P1_GSSAPI_20090506 to GPT-branch
index 068f056c63821349e84489f84eb21016804b3506..e31d70cda30d5bfa036800219ac148cc66db96c1 100644 (file)
 #ifdef GSSAPI
 #ifdef GSI
 
-#include "auth.h"
-#include "auth-pam.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "log.h"
 #include "servconf.h"
 
+#include "buffer.h"
 #include "ssh-gss.h"
 
 extern ServerOptions options;
@@ -43,16 +50,6 @@ static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
 static int ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user);
 static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
 
-ssh_gssapi_mech gssapi_gsi_mech_old = {
-       "N3+k7/4wGxHyuP8Yxi4RhA==",
-       "GSI",
-       {9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
-       NULL,
-       &ssh_gssapi_gsi_userok,
-       &ssh_gssapi_gsi_localname,
-       &ssh_gssapi_gsi_storecreds
-};
-
 ssh_gssapi_mech gssapi_gsi_mech = {
        "dZuIebMjgUqaxvbF7hDbAw==",
        "GSI",
@@ -74,6 +71,10 @@ static int
 ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
 {
     int authorized = 0;
+    globus_result_t res;
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    char lname[256] = "";
+#endif
     
 #ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
     if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
@@ -81,9 +82,28 @@ ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
     }
 #endif
 
-    /* This returns 0 on success */
-    authorized = (globus_gss_assist_userok(client->displayname.value,
-                                          name) == 0);
+/* use new globus_gss_assist_map_and_authorize() interface if available */
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    debug("calling globus_gss_assist_map_and_authorize()");
+    if (GLOBUS_SUCCESS !=
+        (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
+                                                   name, lname, 256))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+    } else if (lname && lname[0] && strcmp(name, lname) != 0) {
+        debug("GSI user maps to %s, not %s", lname, name);
+    } else {
+        authorized = 1;
+    }
+#else
+    debug("calling globus_gss_assist_userok()");
+    if (GLOBUS_SUCCESS !=
+        (res = (globus_gss_assist_userok(client->displayname.value,
+                                         name)))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+    } else {
+        authorized = 1;
+    }
+#endif
     
     logit("GSI user %s is%s authorized as target user %s",
        (char *) client->displayname.value, (authorized ? "" : " not"), name);
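Review bot: In the HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE branch the condition `lname && lname[0]` is always true in its first half because lname is an array, and when globus_gss_assist_map_and_authorize() succeeds but leaves lname empty the final else sets authorized = 1 without ever comparing the mapped name against `name`; unless an empty mapping is a valid success result of that API, the check should read `} else if (lname[0] == '\0' || strcmp(name, lname) != 0) {`. The buffer length is passed as a literal 256 that duplicates the `char lname[256]` declaration added in the previous hunk; `name, lname, sizeof lname))) {` keeps the two in step. The #else branch stores the int return of globus_gss_assist_userok() in a globus_result_t and hands it to globus_error_get(), and the comment this hunk removes said that call returns 0 on success, so whether its non-zero value is a valid globus_result_t handle is worth confirming before relying on the printed error chain. The body of ssh_gssapi_gsi_userok continues outside the hunk.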
@@ -97,12 +117,42 @@ ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
 int
 ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user)
 {
+    globus_result_t res;
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    char lname[256] = "";
+#endif
+
 #ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
     if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
        return 0;
     }
 #endif
-    return(globus_gss_assist_gridmap(client->displayname.value, user) == 0);
+
+/* use new globus_gss_assist_map_and_authorize() interface if available */
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    debug("calling globus_gss_assist_map_and_authorize()");
+    if (GLOBUS_SUCCESS !=
+        (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
+                                                   NULL, lname, 256))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+        logit("failed to map GSI user %s", (char *)client->displayname.value);
+        return 0;
+    }
+    *user = strdup(lname);
+#else
+    debug("calling globus_gss_assist_gridmap()");
+    if (GLOBUS_SUCCESS !=
+        (res = globus_gss_assist_gridmap(client->displayname.value, user))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+        logit("failed to map GSI user %s", (char *)client->displayname.value);
+        return 0;
+    }
+#endif
+
+    logit("GSI user %s mapped to target user %s",
+          (char *) client->displayname.value, *user);
+
+    return 1;
 }
 
 /*
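Review bot: `*user = strdup(lname);` is unchecked, so on allocation failure the logit() below formats a NULL pointer with %s and the function still returns 1 with *user == NULL; the file includes xmalloc.h and its sibling hunk uses xfree(), so `*user = xstrdup(lname);` matches the surrounding allocation style (the #else branch leaves *user to globus_gss_assist_gridmap(), which needs no change). The success path also accepts an empty lname: a GLOBUS_SUCCESS return with lname still "" yields an empty target user name that is logged and returned as a successful mapping, so a guard such as `if (lname[0] == '\0') { logit("failed to map GSI user %s", (char *)client->displayname.value); return 0; }` before the strdup seems warranted unless the Globus API guarantees a non-empty name on success. As in ssh_gssapi_gsi_userok, the literal 256 passed to globus_gss_assist_map_and_authorize() should be `sizeof lname`.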
@@ -149,17 +199,25 @@ ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
        } else {
            client->store.envvar = strdup((char *)export_cred.value);
        }
+       if (access(p, R_OK) == 0) {
+        if (client->store.filename) {
+            if (rename(p, client->store.filename) < 0) {
+                logit("Failed to rename %s to %s: %s", p,
+                      client->store.filename, strerror(errno));
+                xfree(client->store.filename);
+                client->store.filename = strdup(p);
+            } else {
+                p = client->store.filename;
+            }
+        } else {
+            client->store.filename = strdup(p);
+        }
+       }
        client->store.envval = strdup(p);
 #ifdef USE_PAM
        if (options.use_pam)
            do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
-       if (strncmp(p, "FILE:", 5) == 0) {
-           p += 5;
-       }
-       if (access(p, R_OK) == 0) {
-           client->store.filename = strdup(p);
-       }
        gss_release_buffer(&minor_status, &export_cred);
 }
 
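Review bot: The `FILE:` prefix stripping that the removed lines performed before access() is gone, while the new access()/rename() block still operates on p; p is assigned above the hunk, so if it can still carry the `FILE:` prefix at that point, access() now fails for every credential and the filename bookkeeping is silently skipped, which is worth confirming against the lines above. On the rename() failure path the fallback `client->store.filename = strdup(p);` is unchecked while the same block uses xfree(); `client->store.filename = xstrdup(p);` (and likewise in the outer else) would match. The rename moves the delegated credential file to a path that, from this hunk alone, is already held in client->store.filename; a one-line comment naming where that path is set and noting that rename() replaces any existing file there would help the next reader. ssh_gssapi_gsi_storecreds starts outside the hunk.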