Add server-side GSSAPIDelegateCredentials option, enabled for use with
authorbasney <basney>
Tue, 1 Jul 2008 19:09:37 +0000 (19:09 +0000)
committerbasney <basney>
Tue, 1 Jul 2008 19:09:37 +0000 (19:09 +0000)
the Match keyword, to control delegation on a per-user basis:
http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=376

openssh/servconf.c
openssh/servconf.h
openssh/sshd.c
openssh/sshd_config
openssh/sshd_config.5

index 54ab140faf61fee789b9411432e7c42a1c1015a6..f906e10d193c750e22fdd498d7e72f7e73efdf33 100644 (file)
@@ -94,7 +94,8 @@ initialize_server_options(ServerOptions *options)
         options->session_hooks_shutdown_cmd = NULL;
 #endif
        options->kerberos_get_afs_token = -1;
-       options->gss_authentication=-1;
+       options->gss_authentication = -1;
+       options->gss_deleg_creds = -1;
        options->gss_keyex = -1;
        options->gss_cleanup_creds = -1;
        options->gss_strict_acceptor = -1;
@@ -221,6 +222,8 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 1;
+       if (options->gss_deleg_creds == -1)
+               options->gss_deleg_creds = 1;
        if (options->gss_keyex == -1)
                options->gss_keyex = 1;
        if (options->gss_cleanup_creds == -1)
@@ -353,6 +356,7 @@ typedef enum {
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
        sGssAuthentication, sGssCleanupCreds,
+    sGssDelegateCreds,
     sGssStrictAcceptor,
        sGssKeyEx, 
     sGssCredsPath,
@@ -418,6 +422,7 @@ static struct {
        { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+       { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
        { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
@@ -427,6 +432,7 @@ static struct {
 #endif
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+       { "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
        { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
@@ -980,6 +986,10 @@ parse_flag:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
+       case sGssDelegateCreds:
+               intptr = &options->gss_deleg_creds;
+               goto parse_flag;
+
        case sGssKeyEx:
                intptr = &options->gss_keyex;
                goto parse_flag;
@@ -1498,6 +1508,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
        M_CP_INTOPT(password_authentication);
        M_CP_INTOPT(gss_authentication);
+       M_CP_INTOPT(gss_deleg_creds);
        M_CP_INTOPT(rsa_authentication);
        M_CP_INTOPT(pubkey_authentication);
        M_CP_INTOPT(kerberos_authentication);
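Review bot: The default set in fill_default_server_options (`options->gss_deleg_creds = 1`) makes the new per-user control default to the permissive side, storing every credential the client delegates unless an administrator opts out; that matches the previously unconditional call in sshd.c, but nothing in the code says so. A comment above the default, `/* default "yes" preserves the pre-option behaviour of always storing delegated credentials */`, would record that the choice is deliberate rather than an oversight, and the same rationale belongs next to the keyword-table entry. In the enum hunk the new `sGssDelegateCreds,` is indented with spaces like sGssStrictAcceptor rather than with tabs like the other entries; the enum and table already mix styles, so either is defensible, but tabs would match the majority. The handler in process_server_config_line and the copy in copy_set_server_options are consistent with the SSHCFG_ALL flag, so Match blocks will take effect as intended.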
index 26dfd2e0c9028958e71317540233afcb80319d83..a0bc8341943436ca01d1fff01376da64c4ad0557 100644 (file)
@@ -95,6 +95,7 @@ typedef struct {
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
+       int     gss_deleg_creds;        /* If true, store delegated GSSAPI credentials*/
        int     gss_keyex;              /* If true, permit GSSAPI key exchange */
        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
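Review bot: The field comment on gss_deleg_creds is missing the space before the comment terminator (`credentials*/`) and does not say that this is a store-or-discard decision for credentials the client has already chosen to delegate, which is easy to confuse with the client-side option of the same name that controls whether delegation happens at all. Suggest `int gss_deleg_creds; /* If true, store credentials the client delegated; else discard */` so the server-side meaning is clear at the declaration.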
index f5fd963abe3a45c41825a36513664b54228d3de3..f0c0a2ff982eadc9177d0f065a58b45afcae1afd 100644 (file)
@@ -1929,7 +1929,7 @@ main(int ac, char **av)
 #endif
 
 #ifdef GSSAPI
-       if (options.gss_authentication) {
+       if (options.gss_authentication && options.gss_deleg_creds) {
                temporarily_use_uid(authctxt->pw);
                ssh_gssapi_storecreds();
                restore_uid();
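Review bot: When gss_deleg_creds is off the delegated credentials are dropped silently: the widened condition simply skips ssh_gssapi_storecreds() with no log line, so an administrator tuning a per-user Match rule cannot distinguish "client delegated nothing" from "server declined to store". An `else` branch such as `else if (options.gss_authentication) debug("GSSAPIDelegateCredentials is off; not storing delegated credentials for %s", authctxt->pw->pw_name);` would make the decision visible in the debug log. Whether credentials that are not stored are released elsewhere is not visible in this hunk and is worth confirming so they do not linger in the sshd process. main() starts and ends outside the hunk.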
index 6b584e570eb971051d4dd81d0796e154c4453846..d096785b50c906dae6bdda9a85285af26fe50ca1 100644 (file)
@@ -76,6 +76,7 @@ Protocol 2
 
 # GSSAPI options
 #GSSAPIAuthentication yes
+#GSSAPIDelegateCredentials yes
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange yes
index e07eb3b1e3dd03b7a4b131fc0b33214509554464..98d2e07d5dac28640b21015bb3adb403923d778b 100644 (file)
@@ -365,6 +365,10 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIDelegateCredentials
+Specifies whether delegated credentials are stored in the user's environment.
+The default is
+.Dq yes .
 .It Cm GSSAPIKeyExchange
 Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 
 doesn't rely on ssh keys to verify host identity.