X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/51f1e7024fd6e7881a0a713868d67861ba97fbfb..97f0f2cce4eeef89047da2228a6bea6274065f1e:/openssh/gss-serv.c diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c index 40148b0..79c86e8 100644 --- a/openssh/gss-serv.c +++ b/openssh/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -28,22 +28,16 @@ #ifdef GSSAPI -#include "ssh.h" -#include "ssh2.h" #include "buffer.h" #include "bufaux.h" -#include "packet.h" #include "compat.h" #include -#include "cipher.h" #include "kex.h" #include "auth.h" #include "log.h" #include "channels.h" #include "session.h" -#include "dispatch.h" #include "servconf.h" -#include "compat.h" #include "monitor_wrap.h" #include "xmalloc.h" #include "getput.h" @@ -63,25 +57,25 @@ ssh_gssapi_mech gssapi_null_mech = #ifdef KRB5 extern ssh_gssapi_mech gssapi_kerberos_mech; -extern ssh_gssapi_mech gssapi_kerberos_mech_old; #endif #ifdef GSI extern ssh_gssapi_mech gssapi_gsi_mech; -extern ssh_gssapi_mech gssapi_gsi_mech_old; #endif ssh_gssapi_mech* supported_mechs[]= { #ifdef KRB5 &gssapi_kerberos_mech, - &gssapi_kerberos_mech_old, /* Support for legacy clients */ #endif #ifdef GSI &gssapi_gsi_mech, - &gssapi_gsi_mech_old, /* Support for legacy clients */ #endif &gssapi_null_mech, }; +#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG +static int limited = 0; +#endif + /* Unpriviledged */ void ssh_gssapi_supported_oids(gss_OID_set *oidset) @@ -92,7 +86,8 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) gss_OID_set supported; gss_create_empty_oid_set(&min_status, oidset); - gss_indicate_mechs(&min_status, &supported); + /* Ask priviledged process what mechanisms it supports. */ + PRIVSEP(gss_indicate_mechs(&min_status, &supported)); while (supported_mechs[i]->name != NULL) { if (GSS_ERROR(gss_test_oid_set_member(&min_status, @@ -142,6 +137,10 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) { if (ssh_gssapi_getclient(ctx, &gssapi_client)) fatal("Couldn't convert client name"); +#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG + if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG)) + limited=1; +#endif } return (status); @@ -264,9 +263,9 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) return (ctx->major); } -/* As user - called through fatal cleanup hook */ +/* As user - called on fatal/exit */ void -ssh_gssapi_cleanup_creds(void *ignored) +ssh_gssapi_cleanup_creds(void) { if (gssapi_client.store.filename != NULL) { /* Unlink probably isn't sufficient */ @@ -281,8 +280,6 @@ ssh_gssapi_storecreds(void) { if (gssapi_client.mech && gssapi_client.mech->storecreds) { (*gssapi_client.mech->storecreds)(&gssapi_client); - if (options.gss_cleanup_creds) - fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL); } else debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); } @@ -314,6 +311,12 @@ ssh_gssapi_userok(char *user) debug("No suitable client data"); return 0; } +#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG + if (limited) { + debug("limited proxy not acceptable for remote login"); + return 0; + } +#endif if (gssapi_client.mech && gssapi_client.mech->userok) return ((*gssapi_client.mech->userok)(&gssapi_client, user)); else @@ -349,8 +352,6 @@ ssh_gssapi_server_mechanisms() { int present; char * mechs; - if (datafellows & SSH_OLD_GSSAPI) return NULL; - ssh_gssapi_supported_oids(&supported); buffer_init(&buf); @@ -394,10 +395,12 @@ ssh_gssapi_server_mechanisms() { mechs=xmalloc(buffer_len(&buf)); buffer_get(&buf,mechs,buffer_len(&buf)); buffer_free(&buf); - if (strlen(mechs)==0) - return(NULL); - else - return(mechs); + if (strlen(mechs)==0) { + options.gss_authentication = 0; /* no mechs. skip gss auth. */ + return(NULL); + } else { + return(mechs); + } } /* Return the OID that corresponds to the given context name */ @@ -444,4 +447,15 @@ ssh_gssapi_localname(char **user) } return(0); } + +/* Priviledged */ +OM_uint32 +ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +{ + ctx->major = gss_verify_mic(&ctx->minor, ctx->context, + gssbuf, gssmic, NULL); + + return (ctx->major); +} + #endif