X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/bfe4994432b3a30a7e74fbf531d4e54ab7a3c228..6df46d40aa90fd7f72e647d1fdb253daec39024c:/openssh/monitor_wrap.c diff --git a/openssh/monitor_wrap.c b/openssh/monitor_wrap.c index 8637e4c..97715e4 100644 --- a/openssh/monitor_wrap.c +++ b/openssh/monitor_wrap.c @@ -1,3 +1,4 @@ +/* $OpenBSD: monitor_wrap.c,v 1.57 2007/06/07 19:37:34 pvalchev Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -25,36 +26,54 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $"); + +#include +#include + +#include +#include +#include +#include +#include +#include +#include #include #include +#include "xmalloc.h" #include "ssh.h" #include "dh.h" +#include "buffer.h" +#include "key.h" +#include "cipher.h" #include "kex.h" +#include "hostfile.h" #include "auth.h" #include "auth-options.h" -#include "buffer.h" -#include "bufaux.h" #include "packet.h" #include "mac.h" #include "log.h" +#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */ +#undef TARGET_OS_MAC +#include "zlib.h" +#define TARGET_OS_MAC 1 +#else #include "zlib.h" +#endif #include "monitor.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" -#include "xmalloc.h" #include "atomicio.h" #include "monitor_fdpass.h" -#include "getput.h" +#include "misc.h" +#include "servconf.h" -#include "auth.h" #include "channels.h" #include "session.h" - -#ifdef GSSAPI -#include "ssh-gss.h" -#endif +#include "servconf.h" /* Imports */ extern int compat20; @@ -63,56 +82,65 @@ extern z_stream incoming_stream; extern z_stream outgoing_stream; extern struct monitor *pmonitor; extern Buffer input, output; +extern Buffer loginmsg; +extern ServerOptions options; + +int +mm_is_monitor(void) +{ + /* + * m_pid is only set in the privileged part, and + * points to the unprivileged child. + */ + return (pmonitor && pmonitor->m_pid > 0); +} void -mm_request_send(int socket, enum monitor_reqtype type, Buffer *m) +mm_request_send(int sock, enum monitor_reqtype type, Buffer *m) { u_int mlen = buffer_len(m); u_char buf[5]; debug3("%s entering: type %d", __func__, type); - PUT_32BIT(buf, mlen + 1); + put_u32(buf, mlen + 1); buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */ - if (atomicio(write, socket, buf, sizeof(buf)) != sizeof(buf)) - fatal("%s: write", __func__); - if (atomicio(write, socket, buffer_ptr(m), mlen) != mlen) - fatal("%s: write", __func__); + if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) + fatal("%s: write: %s", __func__, strerror(errno)); + if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen) + fatal("%s: write: %s", __func__, strerror(errno)); } void -mm_request_receive(int socket, Buffer *m) +mm_request_receive(int sock, Buffer *m) { u_char buf[4]; u_int msg_len; - ssize_t res; debug3("%s entering", __func__); - res = atomicio(read, socket, buf, sizeof(buf)); - if (res != sizeof(buf)) { - if (res == 0) - fatal_cleanup(); - fatal("%s: read: %ld", __func__, (long)res); + if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { + if (errno == EPIPE) + cleanup_exit(255); + fatal("%s: read: %s", __func__, strerror(errno)); } - msg_len = GET_32BIT(buf); + msg_len = get_u32(buf); if (msg_len > 256 * 1024) fatal("%s: read: bad msg_len %d", __func__, msg_len); buffer_clear(m); buffer_append_space(m, msg_len); - res = atomicio(read, socket, buffer_ptr(m), msg_len); - if (res != msg_len) - fatal("%s: read: %ld != msg_len", __func__, (long)res); + if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len) + fatal("%s: read: %s", __func__, strerror(errno)); } void -mm_request_receive_expect(int socket, enum monitor_reqtype type, Buffer *m) +mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m) { u_char rtype; debug3("%s entering: type %d", __func__, type); - mm_request_receive(socket, m); + mm_request_receive(sock, m); rtype = buffer_get_char(m); if (rtype != type) fatal("%s: read: rtype %d != type %d", __func__, @@ -176,16 +204,17 @@ mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen) } struct passwd * -mm_getpwnamallow(const char *login) +mm_getpwnamallow(const char *username) { Buffer m; struct passwd *pw; - u_int pwlen; + u_int len; + ServerOptions *newopts; debug3("%s entering", __func__); buffer_init(&m); - buffer_put_cstring(&m, login); + buffer_put_cstring(&m, username); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m); @@ -196,8 +225,8 @@ mm_getpwnamallow(const char *login) buffer_free(&m); return (NULL); } - pw = buffer_get_string(&m, &pwlen); - if (pwlen != sizeof(struct passwd)) + pw = buffer_get_string(&m, &len); + if (len != sizeof(struct passwd)) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); @@ -207,12 +236,23 @@ mm_getpwnamallow(const char *login) #endif pw->pw_dir = buffer_get_string(&m, NULL); pw->pw_shell = buffer_get_string(&m, NULL); + + /* copy options block as a Match directive may have changed some */ + newopts = buffer_get_string(&m, &len); + if (len != sizeof(*newopts)) + fatal("%s: option block size mismatch", __func__); + if (newopts->banner != NULL) + newopts->banner = buffer_get_string(&m, NULL); + copy_set_server_options(&options, newopts, 1); + xfree(newopts); + buffer_free(&m); return (pw); } -char *mm_auth2_read_banner(void) +char * +mm_auth2_read_banner(void) { Buffer m; char *banner; @@ -223,10 +263,16 @@ char *mm_auth2_read_banner(void) mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); buffer_clear(&m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_AUTH2_READ_BANNER, &m); banner = buffer_get_string(&m, NULL); buffer_free(&m); + /* treat empty banner as missing banner */ + if (strlen(banner) == 0) { + xfree(banner); + banner = NULL; + } return (banner); } @@ -430,8 +476,8 @@ mm_newkeys_from_blob(u_char *blob, int blen) /* Mac structure */ mac->name = buffer_get_string(&b, NULL); - if (mac->name == NULL || mac_init(mac, mac->name) == -1) - fatal("%s: can not init mac %s", __func__, mac->name); + if (mac->name == NULL || mac_setup(mac, mac->name) == -1) + fatal("%s: can not setup mac %s", __func__, mac->name); mac->enabled = buffer_get_int(&b); mac->key = buffer_get_string(&b, &len); if (len > mac->key_len) @@ -519,11 +565,13 @@ mm_send_kex(Buffer *m, Kex *kex) } void -mm_send_keystate(struct monitor *pmonitor) +mm_send_keystate(struct monitor *monitor) { Buffer m; u_char *blob, *p; u_int bloblen, plen; + u_int32_t seqnr, packets; + u_int64_t blocks; buffer_init(&m); @@ -553,7 +601,7 @@ mm_send_keystate(struct monitor *pmonitor) goto skip; } else { /* Kex for rekeying */ - mm_send_kex(&m, *pmonitor->m_pkex); + mm_send_kex(&m, *monitor->m_pkex); } debug3("%s: Sending new keys: %p %p", @@ -572,8 +620,14 @@ mm_send_keystate(struct monitor *pmonitor) buffer_put_string(&m, blob, bloblen); xfree(blob); - buffer_put_int(&m, packet_get_seqnr(MODE_OUT)); - buffer_put_int(&m, packet_get_seqnr(MODE_IN)); + packet_get_state(MODE_OUT, &seqnr, &blocks, &packets); + buffer_put_int(&m, seqnr); + buffer_put_int64(&m, blocks); + buffer_put_int(&m, packets); + packet_get_state(MODE_IN, &seqnr, &blocks, &packets); + buffer_put_int(&m, seqnr); + buffer_put_int64(&m, blocks); + buffer_put_int(&m, packets); debug3("%s: New keys have been sent", __func__); skip: @@ -599,17 +653,17 @@ mm_send_keystate(struct monitor *pmonitor) buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); + mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); debug3("%s: Finished sending state", __func__); buffer_free(&m); } int -mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) +mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) { Buffer m; - char *p; + char *p, *msg; int success = 0; buffer_init(&m); @@ -625,11 +679,15 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) return (0); } p = buffer_get_string(&m, NULL); + msg = buffer_get_string(&m, NULL); buffer_free(&m); strlcpy(namebuf, p, namebuflen); /* Possible truncation */ xfree(p); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); + *ptyfd = mm_receive_fd(pmonitor->m_recvfd); *ttyfd = mm_receive_fd(pmonitor->m_recvfd); @@ -638,9 +696,8 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) } void -mm_session_pty_cleanup2(void *session) +mm_session_pty_cleanup2(Session *s) { - Session *s = session; Buffer m; if (s->ttyfd == -1) @@ -660,19 +717,134 @@ mm_session_pty_cleanup2(void *session) #ifdef USE_PAM void -mm_start_pam(char *user) +mm_start_pam(Authctxt *authctxt) { Buffer m; debug3("%s entering", __func__); + if (!options.use_pam) + fatal("UsePAM=no, but ended up in %s anyway", __func__); buffer_init(&m); - buffer_put_cstring(&m, user); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m); buffer_free(&m); } + +u_int +mm_do_pam_account(void) +{ + Buffer m; + u_int ret; + char *msg; + + debug3("%s entering", __func__); + if (!options.use_pam) + fatal("UsePAM=no, but ended up in %s anyway", __func__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_PAM_ACCOUNT, &m); + ret = buffer_get_int(&m); + msg = buffer_get_string(&m, NULL); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); + + buffer_free(&m); + + debug3("%s returning %d", __func__, ret); + + return (ret); +} + +void * +mm_sshpam_init_ctx(Authctxt *authctxt) +{ + Buffer m; + int success; + + debug3("%s", __func__); + buffer_init(&m); + buffer_put_cstring(&m, authctxt->user); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); + success = buffer_get_int(&m); + if (success == 0) { + debug3("%s: pam_init_ctx failed", __func__); + buffer_free(&m); + return (NULL); + } + buffer_free(&m); + return (authctxt); +} + +int +mm_sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) +{ + Buffer m; + u_int i; + int ret; + + debug3("%s", __func__); + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m); + ret = buffer_get_int(&m); + debug3("%s: pam_query returned %d", __func__, ret); + *name = buffer_get_string(&m, NULL); + *info = buffer_get_string(&m, NULL); + *num = buffer_get_int(&m); + if (*num > PAM_MAX_NUM_MSG) + fatal("%s: recieved %u PAM messages, expected <= %u", + __func__, *num, PAM_MAX_NUM_MSG); + *prompts = xcalloc((*num + 1), sizeof(char *)); + *echo_on = xcalloc((*num + 1), sizeof(u_int)); + for (i = 0; i < *num; ++i) { + (*prompts)[i] = buffer_get_string(&m, NULL); + (*echo_on)[i] = buffer_get_int(&m); + } + buffer_free(&m); + return (ret); +} + +int +mm_sshpam_respond(void *ctx, u_int num, char **resp) +{ + Buffer m; + u_int i; + int ret; + + debug3("%s", __func__); + buffer_init(&m); + buffer_put_int(&m, num); + for (i = 0; i < num; ++i) + buffer_put_cstring(&m, resp[i]); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m); + ret = buffer_get_int(&m); + debug3("%s: pam_respond returned %d", __func__, ret); + buffer_free(&m); + return (ret); +} + +void +mm_sshpam_free_ctx(void *ctxtp) +{ + Buffer m; + + debug3("%s", __func__); + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m); + buffer_free(&m); +} #endif /* USE_PAM */ /* Request process termination */ @@ -714,8 +886,8 @@ mm_chall_setup(char **name, char **infotxt, u_int *numprompts, *name = xstrdup(""); *infotxt = xstrdup(""); *numprompts = 1; - *prompts = xmalloc(*numprompts * sizeof(char *)); - *echo_on = xmalloc(*numprompts * sizeof(u_int)); + *prompts = xcalloc(*numprompts, sizeof(char *)); + *echo_on = xcalloc(*numprompts, sizeof(u_int)); (*echo_on)[0] = 0; } @@ -776,14 +948,14 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses) return ((authok == 0) ? -1 : 0); } +#ifdef SKEY int mm_skey_query(void *ctx, char **name, char **infotxt, u_int *numprompts, char ***prompts, u_int **echo_on) { Buffer m; - int len; u_int success; - char *p, *challenge; + char *challenge; debug3("%s: entering", __func__); @@ -807,11 +979,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt, mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); - len = strlen(challenge) + strlen(SKEY_PROMPT) + 1; - p = xmalloc(len); - strlcpy(p, challenge, len); - strlcat(p, SKEY_PROMPT, len); - (*prompts)[0] = p; + xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT); xfree(challenge); return (0); @@ -839,6 +1007,7 @@ mm_skey_respond(void *ctx, u_int numresponses, char **responses) return ((authok == 0) ? -1 : 0); } +#endif /* SKEY */ void mm_ssh1_session_id(u_char session_id[16]) @@ -952,274 +1121,219 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16]) return (success); } -#ifdef GSSAPI -OM_uint32 -mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { - Buffer m; - OM_uint32 major; - - /* Client doesn't get to see the context */ - *ctx=NULL; - buffer_init(&m); - buffer_put_string(&m,oid->elements,oid->length); +#ifdef SSH_AUDIT_EVENTS +void +mm_audit_event(ssh_audit_event_t event) +{ + Buffer m; - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); + debug3("%s entering", __func__); - debug3("%s: waiting for MONITOR_ANS_GSSSETUP",__func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); - major=buffer_get_int(&m); + buffer_init(&m); + buffer_put_int(&m, event); - return(major); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m); + buffer_free(&m); } -OM_uint32 -mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, - gss_buffer_desc *out, OM_uint32 *flags) { - - Buffer m; - OM_uint32 major; - - buffer_init(&m); - buffer_put_string(&m, in->value, in->length); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); +void +mm_audit_run_command(const char *command) +{ + Buffer m; - debug3("%s: waiting for MONITOR_ANS_GSSSTEP", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); + debug3("%s entering command %s", __func__, command); - major=buffer_get_int(&m); - out->value=buffer_get_string(&m,&out->length); - if (flags) *flags=buffer_get_int(&m); + buffer_init(&m); + buffer_put_cstring(&m, command); - return(major); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); + buffer_free(&m); } +#endif /* SSH_AUDIT_EVENTS */ -int -mm_ssh_gssapi_userok(char *user) { - Buffer m; - int authenticated = 0; +#ifdef GSSAPI +OM_uint32 +mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) +{ + Buffer m; + OM_uint32 major; - buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); + /* Client doesn't get to see the context */ + *ctx = NULL; - debug3("%s: waiting for MONITOR_ANS_GSSUSEROK", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, - &m); + buffer_init(&m); + buffer_put_string(&m, goid->elements, goid->length); - authenticated = buffer_get_int(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m); - buffer_free(&m); - debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); - return(authenticated); + major = buffer_get_int(&m); + + buffer_free(&m); + return (major); } -int -mm_ssh_gssapi_localname(char **lname) +OM_uint32 +mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, + gss_buffer_desc *out, OM_uint32 *flags) { - Buffer m; + Buffer m; + OM_uint32 major; + u_int len; buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSLOCALNAME, &m); + buffer_put_string(&m, in->value, in->length); - debug3("%s: waiting for MONITOR_ANS_GSSLOCALNAME", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSLOCALNAME, - &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); - *lname = buffer_get_string(&m, NULL); + major = buffer_get_int(&m); + out->value = buffer_get_string(&m, &len); + out->length = len; + if (flags) + *flags = buffer_get_int(&m); - buffer_free(&m); - if (lname[0] == '\0') { - debug3("%s: gssapi identity mapping failed", __func__); - } else { - debug3("%s: gssapi identity mapped to %s", __func__, *lname); - } - - return(0); + buffer_free(&m); + + return (major); } OM_uint32 -mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) { - Buffer m; - OM_uint32 major; - - buffer_init(&m); - buffer_put_string(&m, data->value, data->length); +mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +{ + Buffer m; + OM_uint32 major; - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m); + buffer_init(&m); + buffer_put_string(&m, gssbuf->value, gssbuf->length); + buffer_put_string(&m, gssmic->value, gssmic->length); - debug3("%s: waiting for MONITOR_ANS_GSSSIGN",__func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); - major=buffer_get_int(&m); - hash->value = buffer_get_string(&m, &hash->length); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, + &m); - return(major); + major = buffer_get_int(&m); + buffer_free(&m); + return(major); } -OM_uint32 -mm_gss_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set) +int +mm_ssh_gssapi_userok(char *user) { - Buffer m; - OM_uint32 major; - int i=0; + Buffer m; + int authenticated = 0; buffer_init(&m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSMECHS, &m); - - debug3("%s: waiting for MONITOR_ANS_GSSMECHS",__func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSMECHS, + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK, &m); - major=buffer_get_int(&m); - *mech_set = xmalloc(sizeof(gss_OID_set_desc)); - (*mech_set)->count=buffer_get_int(&m); - (*mech_set)->elements=xmalloc(sizeof(gss_OID_desc)*(*mech_set)->count); - for (i=0; i < (*mech_set)->count; i++) { - u_int length; - (*mech_set)->elements[i].elements=buffer_get_string(&m, &length); - (*mech_set)->elements[i].length = length; - } - return(major); + authenticated = buffer_get_int(&m); + + buffer_free(&m); + debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); + return (authenticated); } OM_uint32 -mm_gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, - int status_type, const gss_OID mech_type, - OM_uint32 *message_context, gss_buffer_t status_string) +mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) { - Buffer m; + Buffer m; OM_uint32 major; + u_int len; buffer_init(&m); + buffer_put_string(&m, data->value, data->length); - buffer_put_int(&m, status_value); - buffer_put_int(&m, status_type); - if (mech_type) { - buffer_put_string(&m, mech_type->elements, mech_type->length); - } else { - buffer_put_string(&m, "", 0); - } - if (message_context) { - buffer_put_int(&m, *message_context); - } else { - buffer_put_int(&m, 0); - } + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTAT, &m); + major = buffer_get_int(&m); + hash->value = buffer_get_string(&m, &len); + hash->length = len; - debug3("%s: waiting for MONITOR_ANS_GSSMECHS",__func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTAT, - &m); - - if (message_context) { - *message_context = buffer_get_int(&m); - } else { - buffer_get_int(&m); - } - status_string->value = buffer_get_string(&m, &status_string->length); + buffer_free(&m); - return major; + return(major); } -#endif /* GSSAPI */ - -#ifdef GSI - -int mm_gsi_gridmap(char *subject_name, char **lname) -{ - Buffer m; +char * +mm_ssh_gssapi_last_error(Gssctxt *ctx, OM_uint32 *major, OM_uint32 *minor) { + Buffer m; + OM_uint32 maj,min; + char *errstr; + buffer_init(&m); - buffer_put_cstring(&m, subject_name); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSIGRIDMAP, &m); - debug3("%s: waiting for MONITOR_ANS_GSIGRIDMAP", __func__); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSIGRIDMAP, - &m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSERR, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSERR, &m); - *lname = buffer_get_string(&m, NULL); + maj = buffer_get_int(&m); + min = buffer_get_int(&m); - buffer_free(&m); - if (lname[0] == '\0') { - debug3("%s: gssapi identity %s mapping failed", __func__, - subject_name); - } else { - debug3("%s: gssapi identity %s mapped to %s", __func__, - subject_name, *lname); - } + if (major) *major=maj; + if (minor) *minor=min; - return(0); - -} + errstr=buffer_get_string(&m,NULL); -#endif /* GSI */ + buffer_free(&m); + + return(errstr); +} -#ifdef KRB4 -int -mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply) +OM_uint32 +mm_gss_indicate_mechs(OM_uint32 *minor_status, gss_OID_set *mech_set) { - KTEXT auth, reply; - Buffer m; - u_int rlen; - int success = 0; - char *p; - - debug3("%s entering", __func__); - auth = _auth; - reply = _reply; + Buffer m; + OM_uint32 major,minor; + int count; + gss_OID_desc oid; + u_int length; buffer_init(&m); - buffer_put_string(&m, auth->dat, auth->length); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m); - - success = buffer_get_int(&m); - if (success) { - *client = buffer_get_string(&m, NULL); - p = buffer_get_string(&m, &rlen); - if (rlen >= MAX_KTXT_LEN) - fatal("%s: reply from monitor too large", __func__); - reply->length = rlen; - memcpy(reply->dat, p, rlen); - memset(p, 0, rlen); - xfree(p); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSMECHS, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSMECHS, + &m); + major=buffer_get_int(&m); + count=buffer_get_int(&m); + + gss_create_empty_oid_set(&minor,mech_set); + while(count-->0) { + oid.elements=buffer_get_string(&m,&length); + oid.length=length; + gss_add_oid_set_member(&minor,&oid,mech_set); } + buffer_free(&m); - return (success); + + return(major); } -#endif -#ifdef KRB5 int -mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) +mm_ssh_gssapi_localname(char **lname) { - krb5_data *tkt, *reply; - Buffer m; - int success; - - debug3("%s entering", __func__); - tkt = (krb5_data *) argp; - reply = (krb5_data *) resp; + Buffer m; buffer_init(&m); - buffer_put_string(&m, tkt->data, tkt->length); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSLOCALNAME, &m); - mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m); + debug3("%s: waiting for MONITOR_ANS_GSSLOCALNAME", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSLOCALNAME, + &m); - success = buffer_get_int(&m); - if (success) { - u_int len; + *lname = buffer_get_string(&m, NULL); - *userp = buffer_get_string(&m, NULL); - reply->data = buffer_get_string(&m, &len); - reply->length = len; + buffer_free(&m); + if (lname[0] == '\0') { + debug3("%s: gssapi identity mapping failed", __func__); } else { - memset(reply, 0, sizeof(*reply)); - *userp = NULL; + debug3("%s: gssapi identity mapped to %s", __func__, *lname); } + + return(0); +} - buffer_free(&m); - return (success); -} -#endif +#endif /* GSSAPI */