X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/3b7a70490db775fc0844ab6d32188fdef8d3709e..9f2c8cb950fea61c599edeb9721aca66f4bd61f6:/openssh/gss-serv-gsi.c

diff --git a/openssh/gss-serv-gsi.c b/openssh/gss-serv-gsi.c
index 068f056..196f4b6 100644
--- a/openssh/gss-serv-gsi.c
+++ b/openssh/gss-serv-gsi.c
@@ -27,12 +27,19 @@
 #ifdef GSSAPI
 #ifdef GSI
 
-#include "auth.h"
-#include "auth-pam.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+
 #include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 #include "log.h"
 #include "servconf.h"
 
+#include "buffer.h"
 #include "ssh-gss.h"
 
 extern ServerOptions options;
@@ -42,16 +49,8 @@ extern ServerOptions options;
 static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
 static int ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user);
 static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
-
-ssh_gssapi_mech gssapi_gsi_mech_old = {
-	"N3+k7/4wGxHyuP8Yxi4RhA==",
-	"GSI",
-	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
-	NULL,
-	&ssh_gssapi_gsi_userok,
-	&ssh_gssapi_gsi_localname,
-	&ssh_gssapi_gsi_storecreds
-};
+static int ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store,
+				       ssh_gssapi_client *client);
 
 ssh_gssapi_mech gssapi_gsi_mech = {
 	"dZuIebMjgUqaxvbF7hDbAw==",
@@ -60,7 +59,8 @@ ssh_gssapi_mech gssapi_gsi_mech = {
 	NULL,
 	&ssh_gssapi_gsi_userok,
 	&ssh_gssapi_gsi_localname,
-	&ssh_gssapi_gsi_storecreds
+	&ssh_gssapi_gsi_storecreds,
+	&ssh_gssapi_gsi_updatecreds
 };
 
 /*
@@ -74,6 +74,10 @@ static int
 ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
 {
     int authorized = 0;
+    globus_result_t res;
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    char lname[256] = "";
+#endif
     
 #ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
     if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
@@ -81,9 +85,28 @@ ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
     }
 #endif
 
-    /* This returns 0 on success */
-    authorized = (globus_gss_assist_userok(client->displayname.value,
-					   name) == 0);
+/* use new globus_gss_assist_map_and_authorize() interface if available */
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    debug("calling globus_gss_assist_map_and_authorize()");
+    if (GLOBUS_SUCCESS !=
+        (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
+                                                   name, lname, 256))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+    } else if (lname && lname[0] && strcmp(name, lname) != 0) {
+        debug("GSI user maps to %s, not %s", lname, name);
+    } else {
+        authorized = 1;
+    }
+#else
+    debug("calling globus_gss_assist_userok()");
+    if (GLOBUS_SUCCESS !=
+        (res = (globus_gss_assist_userok(client->displayname.value,
+                                         name)))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+    } else {
+        authorized = 1;
+    }
+#endif
     
     logit("GSI user %s is%s authorized as target user %s",
 	(char *) client->displayname.value, (authorized ? "" : " not"), name);
@@ -97,12 +120,42 @@ ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
 int
 ssh_gssapi_gsi_localname(ssh_gssapi_client *client, char **user)
 {
+    globus_result_t res;
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    char lname[256] = "";
+#endif
+
 #ifdef GLOBUS_GSI_GSS_ASSIST_MODULE
     if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
 	return 0;
     }
 #endif
-    return(globus_gss_assist_gridmap(client->displayname.value, user) == 0);
+
+/* use new globus_gss_assist_map_and_authorize() interface if available */
+#ifdef HAVE_GLOBUS_GSS_ASSIST_MAP_AND_AUTHORIZE
+    debug("calling globus_gss_assist_map_and_authorize()");
+    if (GLOBUS_SUCCESS !=
+        (res = globus_gss_assist_map_and_authorize(client->context, "ssh",
+                                                   NULL, lname, 256))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+        logit("failed to map GSI user %s", (char *)client->displayname.value);
+        return 0;
+    }
+    *user = strdup(lname);
+#else
+    debug("calling globus_gss_assist_gridmap()");
+    if (GLOBUS_SUCCESS !=
+        (res = globus_gss_assist_gridmap(client->displayname.value, user))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+        logit("failed to map GSI user %s", (char *)client->displayname.value);
+        return 0;
+    }
+#endif
+
+    logit("GSI user %s mapped to target user %s",
+          (char *) client->displayname.value, *user);
+
+    return 1;
 }
 
 /*
@@ -149,19 +202,37 @@ ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
 	} else {
 	    client->store.envvar = strdup((char *)export_cred.value);
 	}
+	if (access(p, R_OK) == 0) {
+        if (client->store.filename) {
+            if (rename(p, client->store.filename) < 0) {
+                logit("Failed to rename %s to %s: %s", p,
+                      client->store.filename, strerror(errno));
+                xfree(client->store.filename);
+                client->store.filename = strdup(p);
+            } else {
+                p = client->store.filename;
+            }
+        } else {
+            client->store.filename = strdup(p);
+        }
+	}
 	client->store.envval = strdup(p);
 #ifdef USE_PAM
 	if (options.use_pam)
 	    do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
-	if (strncmp(p, "FILE:", 5) == 0) {
-	    p += 5;
-	}
-	if (access(p, R_OK) == 0) {
-	    client->store.filename = strdup(p);
-	}
 	gss_release_buffer(&minor_status, &export_cred);
 }
 
+/*
+ * Export updated GSI credentials to disk.
+ */
+static int
+ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store,ssh_gssapi_client *client)
+{
+	ssh_gssapi_gsi_storecreds(client);
+	return 1;
+}
+
 #endif /* GSI */
 #endif /* GSSAPI */