fail gss userauth if we received a limited globus proxy

diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index 84de210fef347de1601bd66c75d96ef2567374b4..2c26762d208e6f0b4eb784f05ab23b03ae8279ea 100644 (file)
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
@@ -76,6 +76,10 @@ ssh_gssapi_mech* supported_mechs[]= {
        &gssapi_null_mech,
 };
 
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+static int limited = 0;
+#endif
+
 /* Unpriviledged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
@@ -137,6 +141,10 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
            (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
                if (ssh_gssapi_getclient(ctx, &gssapi_client))
                        fatal("Couldn't convert client name");
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+               if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG))
+                       limited=1;
+#endif
        }
 
        return (status);
@@ -307,6 +315,12 @@ ssh_gssapi_userok(char *user)
                debug("No suitable client data");
                return 0;
        }
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+       if (limited) {
+               debug("limited proxy not acceptable for remote login");
+               return 0;
+       }
+#endif
        if (gssapi_client.mech && gssapi_client.mech->userok)
                return ((*gssapi_client.mech->userok)(&gssapi_client, user));
        else