-/* $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
#ifdef GSSAPI
-#include "ssh.h"
-#include "ssh2.h"
#include "buffer.h"
#include "bufaux.h"
-#include "packet.h"
#include "compat.h"
#include <openssl/evp.h>
-#include "cipher.h"
#include "kex.h"
#include "auth.h"
#include "log.h"
#include "channels.h"
#include "session.h"
-#include "dispatch.h"
#include "servconf.h"
-#include "compat.h"
#include "monitor_wrap.h"
#include "xmalloc.h"
#include "getput.h"
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
-extern ssh_gssapi_mech gssapi_kerberos_mech_old;
#endif
#ifdef GSI
extern ssh_gssapi_mech gssapi_gsi_mech;
-extern ssh_gssapi_mech gssapi_gsi_mech_old;
#endif
ssh_gssapi_mech* supported_mechs[]= {
#ifdef KRB5
&gssapi_kerberos_mech,
- &gssapi_kerberos_mech_old, /* Support for legacy clients */
#endif
#ifdef GSI
&gssapi_gsi_mech,
- &gssapi_gsi_mech_old, /* Support for legacy clients */
#endif
&gssapi_null_mech,
};
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+static int limited = 0;
+#endif
+
/* Unpriviledged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
- gss_indicate_mechs(&min_status, &supported);
+ /* Ask priviledged process what mechanisms it supports. */
+ PRIVSEP(gss_indicate_mechs(&min_status, &supported));
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
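Review bot: The major status of the PRIVSEP'd gss_indicate_mechs() call on the new line is discarded, so on failure `supported` is left uninitialized and is then handed to gss_test_oid_set_member() in the loop that follows. Because `*oidset` has already been created empty on the line above, bailing out is safe and leaves the caller with "no mechanisms": `if (GSS_ERROR(PRIVSEP(gss_indicate_mechs(&min_status, &supported)))) return;`. The old direct call had the same gap, but routing it through the monitor presumably adds a new failure mode (a failed or refused round trip), which makes the check worth having now. ssh_gssapi_supported_oids' body continues outside the hunk.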
(*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+ if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG))
+ limited=1;
+#endif
}
return (status);
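Review bot: The static `limited` introduced at L45 is set here and never cleared, and it is only safe because a single server child serves a single client; a comment on the declaration should say so, e.g. `/* Set once per connection by ssh_gssapi_accept_ctx() when the client's delegated credential is a limited proxy; read by ssh_gssapi_userok(). Never reset. */`. The assignment is also reached only when `flags` is non-NULL and the context completed, so a caller passing NULL for `flags` silently loses the limited-proxy refusal in userok; that precondition belongs in the same comment. Both halves assume accept_ctx and userok execute in the same process — the PRIVSEP wrapping elsewhere in this file suggests they do, but I cannot confirm it from this diff. The enclosing ssh_gssapi_accept_ctx starts and ends outside the hunk.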
static OM_uint32
ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
{
- char *tok;
+ u_char *tok;
OM_uint32 offset;
OM_uint32 oidl;
*/
if (tok[4] != 0x06 || tok[5] != oidl ||
ename->length < oidl+6 ||
- !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+ !ssh_gssapi_check_oid(ctx,tok+6,oidl))
return GSS_S_FAILURE;
offset = oidl+6;
return (ctx->major);
}
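Review bot: The change from `char *` to `u_char *` for `tok` is correct but its reason is invisible at the declaration: `tok[5] != oidl` compares a raw byte against an unsigned OM_uint32 length, and with a signed `char` any byte of 0x80 or above would sign-extend and spuriously mismatch. Suggest `u_char *tok; /* unsigned: tok[] bytes are compared against OM_uint32 lengths */` so the next maintainer does not "tidy" it back. The middle of ssh_gssapi_parse_ename, where `tok` and `oidl` are assigned, is outside the hunk.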
-/* As user - called through fatal cleanup hook */
+/* As user - called on fatal/exit */
void
-ssh_gssapi_cleanup_creds(void *ignored)
+ssh_gssapi_cleanup_creds(void)
{
if (gssapi_client.store.filename != NULL) {
/* Unlink probably isn't sufficient */
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
(*gssapi_client.mech->storecreds)(&gssapi_client);
- if (options.gss_cleanup_creds)
- fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
}
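Review bot: With the fatal_add_cleanup() registration removed from ssh_gssapi_storecreds, ssh_gssapi_cleanup_creds() (now taking no argument, L87) must be called explicitly from the server's exit path, and the `options.gss_cleanup_creds` gate that lived here has to move with it. Neither the new call site nor the gate is visible in this diff, so please confirm both exist; otherwise credentials stored by storecreds are no longer removed when the session ends. A one-line comment at the new signature, such as `/* Must be called from the exit path; the caller is responsible for honouring options.gss_cleanup_creds. */`, would make the new ownership of that decision explicit. Both enclosing functions start or end outside their hunks.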
debug("Setting %s to %s", gssapi_client.store.envvar,
gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
- gssapi_client.store.envval);
+ gssapi_client.store.envval);
}
}
int
ssh_gssapi_userok(char *user)
{
+ OM_uint32 lmin;
+
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+ if (limited) {
+ debug("limited proxy not acceptable for remote login");
+ return 0;
+ }
+#endif
if (gssapi_client.mech && gssapi_client.mech->userok)
- return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+ if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+ return 1;
+ else {
+ /* Destroy delegated credentials if userok fails */
+ gss_release_buffer(&lmin, &gssapi_client.displayname);
+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
+ gss_release_cred(&lmin, &gssapi_client.creds);
+ memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+ return 0;
+ }
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);
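Review bot: The new nesting at L122–L135 leaves the outer `if (gssapi_client.mech && gssapi_client.mech->userok)` unbraced, so the final `else` binds to it only because the inner `if` happens to carry its own `else`; any later edit that drops or restructures the inner branch would silently rebind that `else` to the wrong conditional. Wrap the whole inner if/else in braces on the outer `if` so the "Unknown GSSAPI mechanism" branch is structurally tied to the mech test. The destroy-on-failure cleanup also runs only on the mech->userok path; the unknown-mechanism branch returns 0 with whatever gssapi_client holds still allocated, which is probably fine because nothing would have stored it, but a short comment there would save the next reader from wondering whether that asymmetry is deliberate.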
int present;
char * mechs;
- if (datafellows & SSH_OLD_GSSAPI) return NULL;
-
ssh_gssapi_supported_oids(&supported);
buffer_init(&buf);
mechs=xmalloc(buffer_len(&buf));
buffer_get(&buf,mechs,buffer_len(&buf));
buffer_free(&buf);
- if (strlen(mechs)==0)
- return(NULL);
- else
- return(mechs);
+ if (strlen(mechs)==0) {
+ options.gss_authentication = 0; /* no mechs. skip gss auth. */
+ return(NULL);
+ } else {
+ return(mechs);
+ }
}
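Review bot: `mechs` is leaked on the empty path: it is allocated with xmalloc at L143 and the `return(NULL)` at L152 drops it; add `xfree(mechs);` before that return. Flipping `options.gss_authentication` from inside a function whose name promises a query is a side effect callers will not expect; if it has to live here, state it at the top of the function, e.g. `/* Side effect: clears options.gss_authentication when no mechanism is available. */`. The head of ssh_gssapi_server_mechanisms, including where `buf` is filled and presumably NUL-terminated before the strlen() at L150, is outside the hunk, so I cannot confirm the terminator from this diff.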
/* Return the OID that corresponds to the given context name */
}
return(0);
}
+
+/* Priviledged */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+ ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+ gssbuf, gssmic, NULL);
+
+ return (ctx->major);
+}
+
#endif
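Review bot: ssh_gssapi_checkmic's return contract is undocumented: it returns the GSS major status that it also stores in ctx->major, so a caller must test `GSS_ERROR(ctx->major)` or compare against GSS_S_COMPLETE; treating a non-zero return as "MIC verified" would invert the check. Suggest a header comment such as `/* Verify gssmic over gssbuf with the established context. Returns the GSS major status (GSS_S_COMPLETE on success), also left in ctx->major. Privileged. */`. It dereferences ctx unconditionally, so the comment should also say that callers must never pass a NULL or unestablished context.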