fix typo on last checkin

[gssapi-openssh.git] / openssh / gss-serv.c

diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index f5bfa03f3108b25bc3441935ff0a2dcb467aa883..79c86e88f850de4ab7aeb715752678162e8f48dd 100644 (file)
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
@@ -57,25 +57,25 @@ ssh_gssapi_mech gssapi_null_mech =
 
 #ifdef KRB5
 extern ssh_gssapi_mech gssapi_kerberos_mech;
-extern ssh_gssapi_mech gssapi_kerberos_mech_old;
 #endif
 #ifdef GSI
 extern ssh_gssapi_mech gssapi_gsi_mech;
-extern ssh_gssapi_mech gssapi_gsi_mech_old;
 #endif
 
 ssh_gssapi_mech* supported_mechs[]= {
 #ifdef KRB5
        &gssapi_kerberos_mech,
-       &gssapi_kerberos_mech_old, /* Support for legacy clients */
 #endif
 #ifdef GSI
        &gssapi_gsi_mech,
-       &gssapi_gsi_mech_old,   /* Support for legacy clients */
 #endif
        &gssapi_null_mech,
 };
 
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+static int limited = 0;
+#endif
+
 /* Unpriviledged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
@@ -86,7 +86,8 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
        gss_OID_set supported;
 
        gss_create_empty_oid_set(&min_status, oidset);
-       gss_indicate_mechs(&min_status, &supported);
+       /* Ask priviledged process what mechanisms it supports. */
+       PRIVSEP(gss_indicate_mechs(&min_status, &supported));
 
        while (supported_mechs[i]->name != NULL) {
                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
@@ -136,6 +137,10 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
            (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
                if (ssh_gssapi_getclient(ctx, &gssapi_client))
                        fatal("Couldn't convert client name");
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+               if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG))
+                       limited=1;
+#endif
        }
 
        return (status);
@@ -306,6 +311,12 @@ ssh_gssapi_userok(char *user)
                debug("No suitable client data");
                return 0;
        }
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+       if (limited) {
+               debug("limited proxy not acceptable for remote login");
+               return 0;
+       }
+#endif
        if (gssapi_client.mech && gssapi_client.mech->userok)
                return ((*gssapi_client.mech->userok)(&gssapi_client, user));
        else
@@ -341,8 +352,6 @@ ssh_gssapi_server_mechanisms() {
        int             present;
        char *          mechs;
 
-       if (datafellows & SSH_OLD_GSSAPI) return NULL;
-       
        ssh_gssapi_supported_oids(&supported);
        
        buffer_init(&buf);
@@ -386,10 +395,12 @@ ssh_gssapi_server_mechanisms() {
        mechs=xmalloc(buffer_len(&buf));
        buffer_get(&buf,mechs,buffer_len(&buf));
        buffer_free(&buf);
-       if (strlen(mechs)==0)
-          return(NULL);
-       else
-          return(mechs);
+       if (strlen(mechs)==0) {
+           options.gss_authentication = 0; /* no mechs. skip gss auth. */
+           return(NULL);
+       } else {
+           return(mechs);
+       }
 }
 
 /* Return the OID that corresponds to the given context name */