merging OPENSSH_5_2P1_SIMON_20090726_HPN13V6 to trunk:

[gssapi-openssh.git] / openssh / gss-serv-krb5.c

diff --git a/openssh/gss-serv-krb5.c b/openssh/gss-serv-krb5.c
index e7170ee415a151a491a2cdbb468e34498a204a57..a439393756bb988782a808b907f40ba1292d2c3f 100644 (file)
--- a/openssh/gss-serv-krb5.c
+++ b/openssh/gss-serv-krb5.c
@@ -48,7 +48,7 @@ extern ServerOptions options;
 
 #ifdef HEIMDAL
 # include <krb5.h>
-#else
+#elif !defined(MECHGLUE)
 # ifdef HAVE_GSSAPI_KRB5_H
 #  include <gssapi_krb5.h>
 # elif HAVE_GSSAPI_GSSAPI_KRB5_H
@@ -57,6 +57,21 @@ extern ServerOptions options;
 #endif
 
 static krb5_context krb_context = NULL;
+static int ssh_gssapi_krb5_init();
+static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name);
+static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user);
+static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);
+
+ssh_gssapi_mech gssapi_kerberos_mech = {
+       "toWM5Slw5Ew8Mqkay+al2g==",
+       "Kerberos",
+       {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
+       NULL,
+       &ssh_gssapi_krb5_userok,
+       &ssh_gssapi_krb5_localname,
+       &ssh_gssapi_krb5_storecreds,
+       &ssh_gssapi_krb5_updatecreds
+};
 
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
 
@@ -109,6 +124,35 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 }
 
 
+/* Retrieve the local username associated with a set of Kerberos 
+ * credentials. Hopefully we can use this for the 'empty' username
+ * logins discussed in the draft  */
+static int
+ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
+       krb5_principal princ;
+       int retval;
+       
+       if (ssh_gssapi_krb5_init() == 0)
+               return 0;
+
+       if ((retval=krb5_parse_name(krb_context, client->displayname.value, 
+                                   &princ))) {
+               logit("krb5_parse_name(): %.100s", 
+                       krb5_get_err_text(krb_context,retval));
+               return 0;
+       }
+       
+       /* We've got to return a malloc'd string */
+       *user = (char *)xmalloc(256);
+       if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
+               xfree(*user);
+               *user = NULL;
+               return(0);
+       }
+       
+       return(1);
+}
+       
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
 
@@ -119,6 +163,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
        krb5_error_code problem;
        krb5_principal princ;
        OM_uint32 maj_status, min_status;
+       gss_cred_id_t krb5_cred_handle;
        int len;
        const char *new_ccname;
 
@@ -162,8 +207,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 
        krb5_free_principal(krb_context, princ);
 
-       if ((maj_status = gss_krb5_copy_ccache(&min_status,
-           client->creds, ccache))) {
+#ifdef MECHGLUE
+       krb5_cred_handle =
+           __gss_get_mechanism_cred(client->creds,
+                                    &(gssapi_kerberos_mech.oid));
+#else
+       krb5_cred_handle = client->creds;
+#endif
+
+       if ((maj_status = gss_krb5_copy_ccache(&min_status, 
+           krb5_cred_handle, ccache))) {
                logit("gss_krb5_copy_ccache() failed");
                krb5_cc_destroy(krb_context, ccache);
                return;
@@ -255,17 +308,6 @@ ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
        return 1;
 }
 
-ssh_gssapi_mech gssapi_kerberos_mech = {
-       "toWM5Slw5Ew8Mqkay+al2g==",
-       "Kerberos",
-       {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
-       NULL,
-       &ssh_gssapi_krb5_userok,
-       NULL,
-       &ssh_gssapi_krb5_storecreds,
-       &ssh_gssapi_krb5_updatecreds
-};
-
 #endif /* KRB5 */
 
 #endif /* GSSAPI */