#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
-extern ssh_gssapi_mech gssapi_kerberos_mech_old;
#endif
#ifdef GSI
extern ssh_gssapi_mech gssapi_gsi_mech;
-extern ssh_gssapi_mech gssapi_gsi_mech_old;
#endif
ssh_gssapi_mech* supported_mechs[]= {
#ifdef KRB5
&gssapi_kerberos_mech,
- &gssapi_kerberos_mech_old, /* Support for legacy clients */
#endif
#ifdef GSI
&gssapi_gsi_mech,
- &gssapi_gsi_mech_old, /* Support for legacy clients */
#endif
&gssapi_null_mech,
};
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+static int limited = 0;
+#endif
+
/* Unpriviledged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
- gss_indicate_mechs(&min_status, &supported);
+ /* Ask priviledged process what mechanisms it supports. */
+ PRIVSEP(gss_indicate_mechs(&min_status, &supported));
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
(*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+ if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG))
+ limited=1;
+#endif
}
return (status);
debug("No suitable client data");
return 0;
}
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+ if (limited) {
+ debug("limited proxy not acceptable for remote login");
+ return 0;
+ }
+#endif
if (gssapi_client.mech && gssapi_client.mech->userok)
return ((*gssapi_client.mech->userok)(&gssapi_client, user));
else
int present;
char * mechs;
- if (datafellows & SSH_OLD_GSSAPI) return NULL;
-
ssh_gssapi_supported_oids(&supported);
buffer_init(&buf);
mechs=xmalloc(buffer_len(&buf));
buffer_get(&buf,mechs,buffer_len(&buf));
buffer_free(&buf);
- if (strlen(mechs)==0)
- return(NULL);
- else
- return(mechs);
+ if (strlen(mechs)==0) {
+ options.gss_authentication = 0; /* no mechs. skip gss auth. */
+ return(NULL);
+ } else {
+ return(mechs);
+ }
}
/* Return the OID that corresponds to the given context name */