added Jim Barlow's aklog patch

diff --git a/openssh/acconfig.h b/openssh/acconfig.h
index 1676a4246ed55c61340d63efce3c970f230a0eec..3bbb02150813b47d392a6e8211aaeeb62c6aaebc 100644 (file)
--- a/openssh/acconfig.h
+++ b/openssh/acconfig.h
@@ -219,6 +219,10 @@
 /* Define if you want AFS support */
 #undef AFS
 
+/* Define this if you want to use AFS/Kerberos 5 option, which runs aklog. */
+#undef AFS_KRB5
+#undef AKLOG_PATH
+
 /* Define if you want GSI/Globus authentication support */
 #undef GSI
 

diff --git a/openssh/configure.ac b/openssh/configure.ac
index 100c7255491f5ab9124f985be16d03ea2823811c..4ea7aa9f8b0d59806738e7c4f2f9c4771696ea11 100644 (file)
--- a/openssh/configure.ac
+++ b/openssh/configure.ac
@@ -2117,6 +2117,33 @@ AC_ARG_WITH(kerberos4,
        ]
 )
 
+# Check whether user wants AFS_KRB5 support
+AFS_KRB5_MSG="no"
+AC_ARG_WITH(afs-krb5,
+       [  --with-afs-krb5[[=AKLOG_PATH]]  Enable aklog to get token (default=/usr/bin/aklog).],
+       [
+               if test "x$withval" != "xno" ; then
+
+                       if test "x$withval" != "xyes" ; then
+                               AC_DEFINE_UNQUOTED(AKLOG_PATH, "$withval")
+                       else
+                               AC_DEFINE_UNQUOTED(AKLOG_PATH, "/usr/bin/aklog")
+                       fi
+
+                       if test -z "$KRB5" ; then
+                               AC_MSG_WARN([AFS_KRB5 requires Kerberos 5 support, build may fail])
+                       fi
+
+                       LIBS="-lkrbafs $LIBS"
+                       if test ! -z "$AFS_LIBS" ; then
+                               LIBS="$LIBS $AFS_LIBS"
+                       fi
+                       AC_DEFINE(AFS_KRB5)
+                       AFS_KRB5_MSG="yes"
+               fi
+       ]
+)
+
 # Check whether user wants AFS support
 AFS_MSG="no" 
 AC_ARG_WITH(afs,

diff --git a/openssh/session.c b/openssh/session.c
index 46d91fb989b6f8b0b7f0f4f68d59be5c23cad2b9..a23ae9dbc47269d3b590bc97e575b392de5e2330 100644 (file)
--- a/openssh/session.c
+++ b/openssh/session.c
@@ -1312,6 +1312,18 @@ do_child(Session *s, const char *command)
        struct passwd *pw = s->pw;
        u_int i;
 
+#ifdef AFS_KRB5
+/* Default place to look for aklog. */
+#ifdef AKLOG_PATH
+#define KPROGDIR AKLOG_PATH
+#else
+#define KPROGDIR "/usr/bin/aklog"
+#endif /* AKLOG_PATH */
+
+       struct stat st;
+       char *aklog_path;
+#endif /* AFS_KRB5 */
+
        /* remove hostkey from the child's memory */
        destroy_sensitive_data();
 
@@ -1394,6 +1406,30 @@ do_child(Session *s, const char *command)
         */
        environ = env;
 
+#ifdef AFS_KRB5
+
+       /* User has authenticated, and if a ticket was going to be
+        * passed we would have it.  KRB5CCNAME should already be set.
+        * Now try to get an AFS token using aklog.
+        */
+       if (k_hasafs()) {  /* Do we have AFS? */
+
+               aklog_path = xstrdup(KPROGDIR);
+
+               /*
+                * Make sure it exists before we try to run it
+                */
+               if (stat(aklog_path, &st) == 0) {
+                       debug("Running %s to get afs token.",aklog_path);
+                       system(aklog_path);
+               } else {
+                       debug("%s does not exist.",aklog_path);
+               }
+
+               xfree(aklog_path);
+       }
+#endif /* AFS_KRB5 */
+
 #ifdef AFS
        /* Try to get AFS tokens for the local cell. */
        if (k_hasafs()) {

diff --git a/openssh/sshd.c b/openssh/sshd.c
index 07de2b5cc210dcd9c44fe45b05340a0d5139dbfb..b43affe41261b8cc1c075a43f858c5f8a150b632 100644 (file)
--- a/openssh/sshd.c
+++ b/openssh/sshd.c
@@ -1496,13 +1496,13 @@ main(int ac, char **av)
                options.kerberos_authentication = 0;
        }
 #endif /* KRB4 && !KRB5 */
-#ifdef AFS
+#if defined(AFS) || defined(AFS_KRB5)
        /* If machine has AFS, set process authentication group. */
        if (k_hasafs()) {
                k_setpag();
                k_unlog();
        }
-#endif /* AFS */
+#endif /* AFS || AFS_KRB5 */
 
        packet_set_nonblocking();