updated patch from Matthieu Hautreux for cascading credentials

(https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6785)

diff --git a/openssh/gss-serv-gsi.c b/openssh/gss-serv-gsi.c
index 1a0c3f963e8aea310c41cea5aad7f7310b983269..bd72536c895af113d6e6b739bc2f5d1fdb880c0a 100644 (file)
--- a/openssh/gss-serv-gsi.c
+++ b/openssh/gss-serv-gsi.c
@@ -225,12 +225,13 @@ ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
 }
 
 /*
- * Export updated GSI credential to disk.
+ * Export updated GSI credentials to disk.
  */
-static void
+static int
 ssh_gssapi_gsi_updatecreds(ssh_gssapi_ccache *store,ssh_gssapi_client *client)
 {
        ssh_gssapi_gsi_storecreds(client);
+       return 1;
 }
 
 #endif /* GSI */

diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index 749ed0f1688e8c043d24e5b9f1157db89886af00..7cbf8e2f89b82b7ad18fcbb88a5c1621e9934a68 100644 (file)
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
@@ -535,6 +535,7 @@ ssh_gssapi_rekey_creds() {
        pam_handle_t *pamh = NULL;
        struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
        char *envstr;
+       char **p;char **pw;
 #endif
 
        if (gssapi_client.store.filename == NULL && 
@@ -564,6 +565,18 @@ ssh_gssapi_rekey_creds() {
        if (ret)
                return;
 
+       /* Put ssh pam stack env variables in this new pam stack env 
+        * Using pam-pkinit, KRB5CCNAME is set during do_pam_session
+        * this addition enables pam-pkinit to access KRB5CCNAME if used 
+        * in sshd-rekey stack too
+        */
+       pw = p = fetch_pam_environment();
+       while ( *pw != NULL ) {
+               pam_putenv(pamh,*pw);
+               pw++;
+       }
+       free_pam_environment(p);
+
        xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, 
            gssapi_client.store.envval);