add support for GsiAllowLimitedProxy option
authorjbasney <jbasney>
Tue, 28 Mar 2006 06:24:53 +0000 (06:24 +0000)
committerjbasney <jbasney>
Tue, 28 Mar 2006 06:24:53 +0000 (06:24 +0000)
openssh/gss-serv.c
openssh/servconf.c
openssh/servconf.h
openssh/sshd_config.5

index 99027d17a08ba8b916b7758fb9df1a876ca14111..52298a6290a4d85af3e2de6bdc9f1e120c5bb81b 100644 (file)
@@ -327,7 +327,7 @@ ssh_gssapi_userok(char *user)
                return 0;
        }
 #ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
-       if (limited) {
+       if (limited && options.gsi_allow_limited_proxy != 1) {
                debug("limited proxy not acceptable for remote login");
                return 0;
        }
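Review bot: When `GsiAllowLimitedProxy` is enabled, the new condition in `ssh_gssapi_userok` lets a limited proxy through with no log record at all; the only message is on the reject path, and only at debug level. Since the option relaxes a restriction that the existing message describes as "not acceptable for remote login", the accept path should leave an audit trail, for example `if (limited) logit("accepting limited proxy for %s (GsiAllowLimitedProxy)", user);` placed after the reject block inside the same `#ifdef`. The `!= 1` test also rejects while the option is still at its unset value of -1, which fails closed; a short comment saying so would help. The function body starts and continues outside this hunk.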
index adc8aa9d817dc62a6b80a30ddc510f1471a63cde..60328389873e52417daabbc2fa3e3660d33dd43f 100644 (file)
@@ -79,6 +79,7 @@ initialize_server_options(ServerOptions *options)
        options->gss_authentication=-1;
        options->gss_keyex = -1;
        options->gss_cleanup_creds = -1;
+       options->gsi_allow_limited_proxy = -1;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -197,6 +198,8 @@ fill_default_server_options(ServerOptions *options)
                options->gss_keyex = 1;
        if (options->gss_cleanup_creds == -1)
                options->gss_cleanup_creds = 1;
+       if (options->gsi_allow_limited_proxy == -1)
+               options->gsi_allow_limited_proxy = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -286,6 +289,7 @@ typedef enum {
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
        sGssAuthentication, sGssKeyEx, sGssCleanupCreds, 
        sAcceptEnv, sPermitTunnel,
+       sGsiAllowLimitedProxy,
        sUsePrivilegeSeparation,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -341,6 +345,9 @@ static struct {
        { "gssapiauthentication", sGssAuthentication },
        { "gssapikeyexchange", sGssKeyEx },
        { "gssapicleanupcredentials", sGssCleanupCreds },
+#ifdef GSI
+       { "gsiallowlimitedproxy", sGsiAllowLimitedProxy },
+#endif
 #else
        { "gssapiauthentication", sUnsupported },
        { "gssapikeyexchange", sUnsupported },
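Review bot: The `gsiallowlimitedproxy` keyword is added only inside `#ifdef GSI` in the GSSAPI branch of the table, and the `#else` branch at the end of this hunk gets no matching entry. The sibling keywords are mapped to `sUnsupported` there, so on a build without GSSAPI (and, it appears, one with GSSAPI but without GSI) a config file carrying this option would presumably be treated as an unknown keyword rather than reported as unsupported. Adding `{ "gsiallowlimitedproxy", sUnsupported },` to the fallback branch, plus an `#else` for the `#ifdef GSI`, would keep the behaviour consistent. The enum value and the `case sGsiAllowLimitedProxy:` in the neighbouring hunks are unconditional, so only the table needs the change. The table continues outside the hunk, so the exact placement should be checked against the full file.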
@@ -700,6 +707,10 @@ parse_flag:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
 
+       case sGsiAllowLimitedProxy:
+               intptr = &options->gsi_allow_limited_proxy;
+               goto parse_flag;
+
 #ifdef SESSION_HOOKS
         case sAllowSessionHooks:
                 intptr = &options->session_hooks_allow;
index 5c784e1622a88daf397cdaa6a712d772182271c8..ac51bf4d2a966b6b7692930b34a7ada4983e4302 100644 (file)
@@ -95,6 +95,7 @@ typedef struct {
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
        int     gss_keyex;              /* If true, permit GSSAPI key exchange */
        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+       int     gsi_allow_limited_proxy;        /* If true, accept limited proxies */
        int     password_authentication;        /* If true, permit password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
index 6b7724d8a56bd3e24c29fbb1f4fa48ff56484748..31e112f4adc241cf7e8fb4b05abda7b12deda94a 100644 (file)
@@ -289,6 +289,11 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSIAllowLimitedProxy
+Specifies whether to accept limited proxy credentials for
+authentication.
+The default is
+.Dq no .
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed