updated patch from Matthieu Hautreux for cascading credentials
index c152e79ffd24983f51a2659d8039a2b3377851c1..bd72536c895af113d6e6b739bc2f5d1fdb880c0a 100644 (file)
 #ifdef GSSAPI
 #ifdef GSI
 
-#include "auth.h"
-#include "auth-pam.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "log.h"
 #include "servconf.h"
 
+#include "buffer.h"
 #include "ssh-gss.h"
 
 extern ServerOptions options;
@@ -42,6 +49,8 @@ extern ServerOptions options;
 static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
 static int ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user);
 static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
+static void ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store,
+                                      ssh_gssapi_client *client);
 
 ssh_gssapi_mech gssapi_gsi_mech = {
        "dZuIebMjgUqaxvbF7hDbAw==",
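Review bot: The prototype added here declares `ssh_gssapi_gsi_updatecreds` as `static void`, but the definition added in the last hunk is `static int` and ends with `return 1;`, so the two declarations conflict and the file should not compile as written. Pick the return type that matches the corresponding member of `ssh_gssapi_mech` (declared in ssh-gss.h, which is not visible here); if that member returns int, the prototype should read `static int ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store, ssh_gssapi_client *client);`. The `&ssh_gssapi_gsi_updatecreds` initializer added in the next hunk depends on the same choice.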
@@ -50,7 +59,8 @@ ssh_gssapi_mech gssapi_gsi_mech = {
        NULL,
        &ssh_gssapi_gsi_userok,
        &ssh_gssapi_gsi_localname,
-       &ssh_gssapi_gsi_storecreds
+       &ssh_gssapi_gsi_storecreds,
+       &ssh_gssapi_gsi_updatecreds
 };
 
 /*
@@ -82,7 +92,7 @@ ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
         (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
                                                    name, lname, 256))) {
         debug("%s", globus_error_print_chain(globus_error_get(res)));
-    } else if (strcmp(name, lname) != 0) {
+    } else if (lname && lname[0] && strcmp(name, lname) != 0) {
         debug("GSI user maps to %s, not %s", lname, name);
     } else {
         authorized = 1;
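Review bot: With the new condition, a NULL or empty `lname` skips the name comparison and falls through to `authorized = 1`, so a successful call that returns no local name now authorizes the requested `name` with no further check in this function. That is only safe if `globus_gss_assist_map_and_authorize` has itself authorized `name` whenever it succeeds without filling `lname`. That contract is not visible in this hunk and should be stated in a comment, for example `/* empty lname: the callout authorized the requested name itself */`, ideally with a `debug()` line on that path so it shows up in logs. If `lname` is a local array (it is passed with size 256, but its declaration is outside the hunk), the `lname &&` test is always true and can be dropped. The body of ssh_gssapi_gsi_userok starts and ends outside the hunk.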
@@ -192,19 +202,37 @@ ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
        } else {
            client->store.envvar = strdup((char *)export_cred.value);
        }
+       if (access(p, R_OK) == 0) {
+        if (client->store.filename) {
+            if (rename(p, client->store.filename) < 0) {
+                logit("Failed to rename %s to %s: %s", p,
+                      client->store.filename, strerror(errno));
+                xfree(client->store.filename);
+                client->store.filename = strdup(p);
+            } else {
+                p = client->store.filename;
+            }
+        } else {
+            client->store.filename = strdup(p);
+        }
+       }
        client->store.envval = strdup(p);
 #ifdef USE_PAM
        if (options.use_pam)
            do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
-       if (strncmp(p, "FILE:", 5) == 0) {
-           p += 5;
-       }
-       if (access(p, R_OK) == 0) {
-           client->store.filename = strdup(p);
-       }
        gss_release_buffer(&minor_status, &export_cred);
 }
 
+/*
+ * Export updated GSI credentials to disk.
+ */
+static int
+ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store,ssh_gssapi_client *client)
+{
+       ssh_gssapi_gsi_storecreds(client);
+       return 1;
+}
+
 #endif /* GSI */
 #endif /* GSSAPI */
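Review bot: When `rename()` fails in ssh_gssapi_gsi_storecreds, the old path is freed and `store.filename` is repointed at `p`, which leaves the previous credential file on disk with nothing tracking it for removal (assuming cleanup works from `store.filename`, which is outside this hunk). Either remove the file being abandoned with `unlink(client->store.filename);` before the `xfree()`, or keep the old path and remove `p`, so that no stale delegated credential is left behind. The failure is also not propagated: storecreds is void, and `ssh_gssapi_gsi_updatecreds` returns 1 unconditionally while ignoring its `store` argument, so a caller cannot tell that the update did not land at the expected path. The `strdup()` results assigned to `store.filename` are used unchecked; `xstrdup()` from the already-included xmalloc.h would make an allocation failure explicit. The start of ssh_gssapi_gsi_storecreds is outside the hunk.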