X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/51f1e7024fd6e7881a0a713868d67861ba97fbfb..06816bdd4f3738c71a6bc698a1a487ef0c91efcc:/openssh/gss-serv.c diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c index 40148b0..9b6b4c2 100644 --- a/openssh/gss-serv.c +++ b/openssh/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -28,22 +28,16 @@ #ifdef GSSAPI -#include "ssh.h" -#include "ssh2.h" #include "buffer.h" #include "bufaux.h" -#include "packet.h" #include "compat.h" #include -#include "cipher.h" #include "kex.h" #include "auth.h" #include "log.h" #include "channels.h" #include "session.h" -#include "dispatch.h" #include "servconf.h" -#include "compat.h" #include "monitor_wrap.h" #include "xmalloc.h" #include "getput.h" @@ -63,25 +57,25 @@ ssh_gssapi_mech gssapi_null_mech = #ifdef KRB5 extern ssh_gssapi_mech gssapi_kerberos_mech; -extern ssh_gssapi_mech gssapi_kerberos_mech_old; #endif #ifdef GSI extern ssh_gssapi_mech gssapi_gsi_mech; -extern ssh_gssapi_mech gssapi_gsi_mech_old; #endif ssh_gssapi_mech* supported_mechs[]= { #ifdef KRB5 &gssapi_kerberos_mech, - &gssapi_kerberos_mech_old, /* Support for legacy clients */ #endif #ifdef GSI &gssapi_gsi_mech, - &gssapi_gsi_mech_old, /* Support for legacy clients */ #endif &gssapi_null_mech, }; +#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG +static int limited = 0; +#endif + /* Unpriviledged */ void ssh_gssapi_supported_oids(gss_OID_set *oidset) @@ -92,7 +86,8 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) gss_OID_set supported; gss_create_empty_oid_set(&min_status, oidset); - gss_indicate_mechs(&min_status, &supported); + /* Ask priviledged process what mechanisms it supports. */ + PRIVSEP(gss_indicate_mechs(&min_status, &supported)); while (supported_mechs[i]->name != NULL) { if (GSS_ERROR(gss_test_oid_set_member(&min_status, @@ -142,6 +137,10 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) { if (ssh_gssapi_getclient(ctx, &gssapi_client)) fatal("Couldn't convert client name"); +#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG + if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG)) + limited=1; +#endif } return (status); @@ -155,7 +154,7 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, static OM_uint32 ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) { - char *tok; + u_char *tok; OM_uint32 offset; OM_uint32 oidl; @@ -196,7 +195,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) */ if (tok[4] != 0x06 || tok[5] != oidl || ename->length < oidl+6 || - !ssh_gssapi_check_oid(ctx,tok+6,oidl)) + !ssh_gssapi_check_oid(ctx,tok+6,oidl)) return GSS_S_FAILURE; offset = oidl+6; @@ -264,9 +263,9 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) return (ctx->major); } -/* As user - called through fatal cleanup hook */ +/* As user - called on fatal/exit */ void -ssh_gssapi_cleanup_creds(void *ignored) +ssh_gssapi_cleanup_creds(void) { if (gssapi_client.store.filename != NULL) { /* Unlink probably isn't sufficient */ @@ -281,8 +280,6 @@ ssh_gssapi_storecreds(void) { if (gssapi_client.mech && gssapi_client.mech->storecreds) { (*gssapi_client.mech->storecreds)(&gssapi_client); - if (options.gss_cleanup_creds) - fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL); } else debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); } @@ -301,7 +298,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) debug("Setting %s to %s", gssapi_client.store.envvar, gssapi_client.store.envval); child_set_env(envp, envsizep, gssapi_client.store.envvar, - gssapi_client.store.envval); + gssapi_client.store.envval); } } @@ -309,13 +306,30 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) int ssh_gssapi_userok(char *user) { + OM_uint32 lmin; + if (gssapi_client.exportedname.length == 0 || gssapi_client.exportedname.value == NULL) { debug("No suitable client data"); return 0; } +#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG + if (limited) { + debug("limited proxy not acceptable for remote login"); + return 0; + } +#endif if (gssapi_client.mech && gssapi_client.mech->userok) - return ((*gssapi_client.mech->userok)(&gssapi_client, user)); + if ((*gssapi_client.mech->userok)(&gssapi_client, user)) + return 1; + else { + /* Destroy delegated credentials if userok fails */ + gss_release_buffer(&lmin, &gssapi_client.displayname); + gss_release_buffer(&lmin, &gssapi_client.exportedname); + gss_release_cred(&lmin, &gssapi_client.creds); + memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); + return 0; + } else debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); return (0); @@ -349,8 +363,6 @@ ssh_gssapi_server_mechanisms() { int present; char * mechs; - if (datafellows & SSH_OLD_GSSAPI) return NULL; - ssh_gssapi_supported_oids(&supported); buffer_init(&buf); @@ -394,10 +406,12 @@ ssh_gssapi_server_mechanisms() { mechs=xmalloc(buffer_len(&buf)); buffer_get(&buf,mechs,buffer_len(&buf)); buffer_free(&buf); - if (strlen(mechs)==0) - return(NULL); - else - return(mechs); + if (strlen(mechs)==0) { + options.gss_authentication = 0; /* no mechs. skip gss auth. */ + return(NULL); + } else { + return(mechs); + } } /* Return the OID that corresponds to the given context name */ @@ -444,4 +458,15 @@ ssh_gssapi_localname(char **user) } return(0); } + +/* Priviledged */ +OM_uint32 +ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +{ + ctx->major = gss_verify_mic(&ctx->minor, ctx->context, + gssbuf, gssmic, NULL); + + return (ctx->major); +} + #endif