revision: solve the implicit user name problem of
authorbhe <bhe>
Sat, 18 May 2002 22:27:24 +0000 (22:27 +0000)
committerbhe <bhe>
Sat, 18 May 2002 22:27:24 +0000 (22:27 +0000)
          external-kex and gssapi
          switch back to old username if both fail
auth2.c, sshconnect2.c and gss-serv.c are modified
auth2.c defines two new variables to hold the old username
        and restores the old username when both fail
sshconnect2.c sends an empty username to the server for
        external-kex and gssapi when the implicit username option is set
gss-serv.c checks the username again during verification

openssh/auth2.c
openssh/gss-serv.c
openssh/sshconnect2.c

index efe91b08c76cb369120278dd6ffa30844249e77e..968e9415b7e6fdae5cfeb8952aafe0c349912152 100644 (file)
@@ -57,6 +57,8 @@ RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $");
 #include "ssh-gss.h"
 #ifdef GSI
 #include "globus_gss_assist.h"
+char* olduser;
+int  changeuser = 0;
 #endif
 #endif
 
@@ -197,25 +199,43 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        service = packet_get_string(NULL);
        method = packet_get_string(NULL);
 
-        if(strcmp(method,"external-keyx") == 0 && strcmp(user,"") == 0) {
+#ifdef GSSAPI
+#ifdef GSI
+        if(changeuser == 0 && (strcmp(method,"external-keyx") == 0 || strcmp(method,"gssapi") ==0) && strcmp(user,"") == 0) {
                 char *gridmapped_name = NULL;
                 struct passwd *pw = NULL;
-
+                gssapi_setup_env();
                 if(globus_gss_assist_gridmap(gssapi_client_name.value,
                                      &gridmapped_name) == 0) {
                         user = gridmapped_name;
                         debug("I gridmapped and got %s", user);
                         pw = getpwnam(user);
                         if (pw && allowed_user(pw)) {
+                                olduser = authctxt->user;
                                 authctxt->user = user;
                                 authctxt->pw = pwcopy(pw);
                                 authctxt->valid = 1;
+                                changeuser = 1;
                         }
+
                 } else {
                 debug("I gridmapped and got null, reverting to %s", authctxt->user);
                 user = authctxt->user;
                 }
         }
+        else if(changeuser) {
+                struct passwd *pw = NULL;
+                pw = getpwnam(user);
+                if (pw && allowed_user(pw)) {
+                        authctxt->user = olduser;
+                        authctxt->pw = pwcopy(pw);
+                        authctxt->valid = 1;
+                        changeuser = 0;
+                }
+        }
+
+#endif  /* GSI */
+#endif /* GSSAPI */
 
        debug("userauth-request for user %s service %s method %s", user, service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
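Review bot: The `else if(changeuser)` branch leaves the context inconsistent: it sets `authctxt->user = olduser` but fills `authctxt->pw` from `getpwnam(user)`, the name in the current request, so the stored name and passwd entry can refer to different accounts, and the previous `pwcopy` result is overwritten without being released. When that lookup fails or `allowed_user` rejects the entry, nothing is reset, so `authctxt->valid` stays 1 and the context remains bound to the gridmapped account; I would take both fields from the same name and add a failure path such as `else { authctxt->valid = 0; }`. `olduser` is only an alias of `authctxt->user` captured before the swap, and that pointer may still be unset on a first request (the rest of input_userauth_request is outside the hunk), so it should be checked before it is restored. Both new globals in the first hunk hold per-authentication state and would be better as members of `Authctxt`, or at least declared `static`.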
index 3c2b3528cbddf31466018a5ffcce9b122f2ab63a..9b70ab8d50309fcc8046c5c137752efd575f43c1 100644 (file)
@@ -597,6 +597,25 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        int authenticated;
+
+       if(strcmp(authctxt->user,"") == 0) {
+               char *user;
+               char *gridmapped_name = NULL;
+               struct passwd *pw = NULL;
+               gssapi_setup_env();
+               if(globus_gss_assist_gridmap(gssapi_client_name.value,
+                           &gridmapped_name) == 0) {
+                               user = gridmapped_name;
+                               debug("I gridmapped and got %s", user);
+                               pw = getpwnam(user);
+                               if (pw && allowed_user(pw)) {
+                               authctxt->user = user;
+                               authctxt->pw = pwcopy(pw);
+                               authctxt->valid = 1;
+                               }
+               }
+       }
+
        
        if (authctxt == NULL || authctxt->methoddata == NULL)
                fatal("No authentication or GSSAPI context");
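Review bot: The added block reads `authctxt->user` before the existing `authctxt == NULL` check that follows it, so that guard no longer protects the dereference; the block should move below the `fatal()` test and open with `if (authctxt->user != NULL && strcmp(authctxt->user, "") == 0) {`. It also calls `globus_gss_assist_gridmap` with no `#ifdef GSI` visible in the hunk, unlike the copy in auth2.c, which would break non-GSI builds unless an enclosing guard exists outside the hunk. The mapping logic nearly duplicates the auth2.c block, and any earlier `authctxt->pw` is replaced without release; a shared helper would keep the two paths from drifting apart. input_gssapi_exchange_complete continues past the end of the hunk.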
index e5b6fda994e739c10cfa2ea26f54d96f4785c82a..860fa3ce00669675ae9a019fe563265665972a13 100644 (file)
@@ -626,7 +626,8 @@ userauth_external(Authctxt *authctxt)
                                 
         debug2("userauth_external");
         packet_start(SSH2_MSG_USERAUTH_REQUEST);
-        packet_put_cstring(authctxt->server_user);
+       if(options.implicit) packet_put_cstring(""); 
+        else packet_put_cstring(authctxt->server_user);
         packet_put_cstring(authctxt->service);
         packet_put_cstring(authctxt->method->name);
         packet_send();
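Review bot: The new `if`/`else` pair is unbraced, written on single lines, and indented differently from the surrounding calls; `packet_put_cstring(options.implicit ? "" : authctxt->server_user);` says the same thing in one statement. A short comment such as `/* empty user name: the server derives the account from the GSS credential via the gridmap */` would explain why an empty string goes on the wire. The commit message also names gssapi, but only userauth_external changes in this section, so it is worth confirming that the gssapi request path received the same treatment. userauth_external's body starts and ends outside the hunk.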