add GssapiCredentialsPath option for sshd_config as requested in
authorjbasney <jbasney>
Sat, 10 Feb 2007 21:43:22 +0000 (21:43 +0000)
committerjbasney <jbasney>
Sat, 10 Feb 2007 21:43:22 +0000 (21:43 +0000)
http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=348

openssh/auth.c
openssh/gss-serv-gsi.c
openssh/gss-serv.c
openssh/servconf.c
openssh/servconf.h
openssh/sshd_config.5

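--- a/openssh/auth.c
+++ b/openssh/auth.c
@@ -325,7 +325,7 @@ auth_root_allowed(char *method)
  *
  * This returns a buffer allocated by xmalloc.
  */
-static char *
+char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
        char *file, ret[MAXPATHLEN];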
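Review bot: Dropping `static` exports expand_authorized_keys, but the commit touches no header, so the new caller in openssh/gss-serv.c (the third file on this page) has no visible prototype; if none exists there, the call is implicitly declared as returning int and the returned pointer is truncated on LP64 targets. Add `char *expand_authorized_keys(const char *, struct passwd *);` to whichever header gss-serv.c already includes for auth.c's other exports (presumably auth.h). The body of expand_authorized_keys continues outside the hunk.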
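--- a/openssh/gss-serv-gsi.c
+++ b/openssh/gss-serv-gsi.c
@@ -199,17 +199,25 @@ ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
        } else {
            client->store.envvar = strdup((char *)export_cred.value);
        }
+       if (access(p, R_OK) == 0) {
+        if (client->store.filename) {
+            if (rename(p, client->store.filename) < 0) {
+                logit("Failed to rename %s to %s: %s", p,
+                      client->store.filename, strerror(errno));
+                xfree(client->store.filename);
+                client->store.filename = strdup(p);
+            } else {
+                p = client->store.filename;
+            }
+        } else {
+            client->store.filename = strdup(p);
+        }
+       }
        client->store.envval = strdup(p);
 #ifdef USE_PAM
        if (options.use_pam)
            do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
-       if (strncmp(p, "FILE:", 5) == 0) {
-           p += 5;
-       }
-       if (access(p, R_OK) == 0) {
-           client->store.filename = strdup(p);
-       }
        gss_release_buffer(&minor_status, &export_cred);
 }
 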
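Review bot: When access(p, R_OK) fails, a client->store.filename that was preset from the configured path stays in place even though nothing was stored there, so any later cleanup keyed on store.filename (outside this hunk) would act on a path this session never wrote; add `} else if (client->store.filename) { xfree(client->store.filename); client->store.filename = NULL; }` after the outer if. The removed lines also stripped a `FILE:` prefix from p before the access check, while the new check runs on the unstripped value; if p can still carry that prefix here, access() fails and the credential is never recorded under the configured path, so either keep the strip or state in a comment why the GSI export never has it. The inner block is space-indented where the surrounding file uses tabs. The start of ssh_gssapi_gsi_storecreds, where p is set, is outside the hunk.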
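--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
@@ -50,6 +50,7 @@
 #include "monitor_wrap.h"
 
 extern ServerOptions options;
+extern Authctxt *the_authctxt;
 
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -361,6 +362,11 @@ void
 ssh_gssapi_storecreds(void)
 {
        if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+        if (options.gss_creds_path) {
+            gssapi_client.store.filename =
+                expand_authorized_keys(options.gss_creds_path,
+                                       the_authctxt->pw);
+        }
                (*gssapi_client.mech->storecreds)(&gssapi_client);
        } else
                debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");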
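Review bot: The configured path is assigned to gssapi_client.store.filename for every mechanism, yet the manual text added in this commit says only GSI honors it; a non-GSI storecreds that sets its own filename would leak the xmalloc'd buffer, and one that leaves it untouched would hand cleanup a path it never wrote (hedged, since the other storecreds implementations are not on this page). Either free any existing store.filename before the assignment or limit the block to mechanisms that implement the option. `the_authctxt->pw` is dereferenced with no check; storecreds runs after authentication so pw should be populated, but a comment stating that precondition, `/* post-auth: the_authctxt->pw is set by now */`, would make the assumption visible. The new block is also space-indented in a tab-indented function.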
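--- a/openssh/servconf.c
+++ b/openssh/servconf.c
@@ -330,6 +330,7 @@ typedef enum {
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
        sGssKeyEx, 
+    sGssCredsPath,
        sGsiAllowLimitedProxy,
     sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand,
@@ -394,6 +395,7 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+       { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 #ifdef GSI
@@ -402,6 +404,7 @@ static struct {
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSI
@@ -958,8 +961,13 @@ parse_flag:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
 
+       case sGssCredsPath:
+               charptr = &options->gss_creds_path;
+               goto parse_filename;
+
        case sGssStrictAcceptor:
                intptr = &options->gss_strict_acceptor;
+               goto parse_flag;
 
        case sGsiAllowLimitedProxy:
                intptr = &options->gsi_allow_limited_proxy;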
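Review bot: The `goto parse_flag;` added under sGssStrictAcceptor fixes a pre-existing fall-through into sGsiAllowLimitedProxy that is unrelated to the new option and is not mentioned in the commit message; presumably the strict-acceptor value was being stored in gsi_allow_limited_proxy instead, which is worth its own line in the log. The new enum entry `sGssCredsPath,` is space-indented while its neighbours use tabs. What parse_filename does with the value (tilde expansion, rejection of relative paths) is outside the hunk, so a short comment on the case such as `/* path pattern; %h and %u expanded at store time */` would tell the reader which forms are accepted.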
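--- a/openssh/servconf.h
+++ b/openssh/servconf.h
@@ -94,6 +94,7 @@ typedef struct {
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
        int     gss_keyex;              /* If true, permit GSSAPI key exchange */
        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+       char*   gss_creds_path; /* If true, destroy cred cache on logout */
        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
        int     gsi_allow_limited_proxy;        /* If true, accept limited proxies */
        int     password_authentication;        /* If true, permit password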
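Review bot: The comment on the new `gss_creds_path` field is copied from `gss_cleanup_creds` ("If true, destroy cred cache on logout") and describes an int flag, not a path; replace the line with `char    *gss_creds_path;        /* Path pattern (%h, %u) for storing delegated creds, or NULL */`. The declarator should also follow the file's `char *` spacing rather than `char*`. No initialization of the field appears in this diff; if initialize_server_options() zeroes the whole struct that is already covered, otherwise it needs an explicit `options->gss_creds_path = NULL;` there.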
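--- a/openssh/sshd_config.5
+++ b/openssh/sshd_config.5
@@ -349,6 +349,17 @@ Note that this option applies only to protocol version 2 GSSAPI connections,
 and setting it to 
 .Dq no
 may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPICredentialsPath
+If specified, the delegated GSSAPI credential is stored in the
+given path, overwriting any existing credentials.  
+Paths can be specified with syntax similar to the AuthorizedKeysFile 
+option (i.e., accepting %h and %u tokens).  
+When using this option,
+setting 'GssapiCleanupCredentials no' is recommended,
+so logging out of one session
+doesn't remove the credentials in use by another session of
+the same user.
+Currently only implemented for the GSI mechanism.
 .It Cm GSIAllowLimitedProxy
 Specifies whether to accept limited proxy credentials for
 authentication.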