From: jbasney
Date: Sat, 10 Feb 2007 21:43:22 +0000 (+0000)
Subject: add GssapiCredentialsPath option for sshd_config as requested in
X-Git-Tag: OPENSSH_4_5P1_20070215~8
X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/commitdiff_plain/ae82558bfb0b9500c4739e0b867bec6574437e7e

add GssapiCredentialsPath option for sshd_config as requested in
http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=348
---
diff --git a/openssh/auth.c b/openssh/auth.c
index 1b060ea..c745098 100644
--- a/openssh/auth.c
+++ b/openssh/auth.c
@@ -325,7 +325,7 @@ auth_root_allowed(char *method)
  *
  * This returns a buffer allocated by xmalloc.
  */
-static char *
+char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
 	char *file, ret[MAXPATHLEN];
diff --git a/openssh/gss-serv-gsi.c b/openssh/gss-serv-gsi.c
index 9fdd925..7eec054 100644
--- a/openssh/gss-serv-gsi.c
+++ b/openssh/gss-serv-gsi.c
@@ -199,17 +199,25 @@ ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
 	} else {
 		client->store.envvar = strdup((char *)export_cred.value);
 	}
+	if (access(p, R_OK) == 0) {
+		if (client->store.filename) {
+			if (rename(p, client->store.filename) < 0) {
+				logit("Failed to rename %s to %s: %s", p,
+				    client->store.filename, strerror(errno));
+				xfree(client->store.filename);
+				client->store.filename = strdup(p);
+			} else {
+				p = client->store.filename;
+			}
+		} else {
+			client->store.filename = strdup(p);
+		}
+	}
 	client->store.envval = strdup(p);
 #ifdef USE_PAM
 	if (options.use_pam)
 		do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
-	if (strncmp(p, "FILE:", 5) == 0) {
-		p += 5;
-	}
-	if (access(p, R_OK) == 0) {
-		client->store.filename = strdup(p);
-	}
 	gss_release_buffer(&minor_status, &export_cred);
 }
diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index 157b8aa..39184d7 100644
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
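Review bot: Dropping `static` from expand_authorized_keys exports it without adding a prototype anywhere in this diff; the gss-serv.c hunk (`@@ -361,6 +362,11 @@`) that now calls it does not declare it either, so unless auth.h already carries a declaration that call compiles as an implicit declaration returning int, and on LP64 platforms the returned pointer is truncated before it is stored in store.filename. Add `char *expand_authorized_keys(const char *, struct passwd *);` to auth.h next to the other auth.c exports rather than a one-off extern in gss-serv.c. Since the comment block above it now describes a public function, it should also say that the caller owns and frees the xmalloc'd result. The function body continues outside the hunk.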
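Review bot: The removed `strncmp(p, "FILE:", 5)` stripping has no counterpart in the new block, so if p can still arrive with a `FILE:` prefix the new `access(p, R_OK)` fails and the credential is neither moved to the configured path nor recorded in store.filename for later cleanup; if the prefix is now stripped where p is assigned above the hunk, a one-line comment saying so would spare the next reader the same question. On the rename branch, rename(2) cannot cross filesystems (EXDEV), so a GSSAPICredentialsPath on a different filesystem than the delegated credential will always take the fallback path with only the logit() message as evidence, which the sshd_config.5 hunk does not mention. The target path comes from an admin template expanded with the user's home, so both the access() check and the rename should run under that user's uid; the calling context is outside this hunk, and a comment above the `if (access(...))` stating the expected privilege level would make that contract explicit. The function's start is outside the hunk.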
@@ -50,6 +50,7 @@
 #include "monitor_wrap.h"
 extern ServerOptions options;
+extern Authctxt *the_authctxt;
 static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -361,6 +362,11 @@ void
 ssh_gssapi_storecreds(void)
 {
 	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+		if (options.gss_creds_path) {
+			gssapi_client.store.filename =
+			    expand_authorized_keys(options.gss_creds_path,
+			    the_authctxt->pw);
+		}
 		(*gssapi_client.mech->storecreds)(&gssapi_client);
 	} else
 		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
diff --git a/openssh/servconf.c b/openssh/servconf.c
index d6e4218..0dc28e3 100644
--- a/openssh/servconf.c
+++ b/openssh/servconf.c
@@ -330,6 +330,7 @@ typedef enum {
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssKeyEx,
+	sGssCredsPath,
 	sGsiAllowLimitedProxy,
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
@@ -394,6 +395,7 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 #ifdef GSI
@@ -402,6 +404,7 @@ static struct {
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 #ifdef GSI
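Review bot: In the `@@ -361,6 +362,11 @@` hunk store.filename is assigned the expanded path before the mechanism's storecreds hook runs and for every mechanism, while the sshd_config.5 hunk states that only GSI implements the option; for any other mechanism the field then holds a path nothing wrote to, whatever the cleanup path later does with store.filename (not visible here) acts on it, and a mechanism that sets store.filename itself would leak the xmalloc'd string. Either leave the assignment to the mechanism that honours it, or have each storecreds implementation take ownership of or reset the field. `the_authctxt->pw` is also dereferenced without a check; I assume this is only reached after authentication has populated the_authctxt, but a comment such as `/* the_authctxt is set once userauth completes */` would pin that down. The function's closing brace is outside the hunk.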
@@ -958,8 +961,13 @@ parse_flag:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
 
+	case sGssCredsPath:
+		charptr = &options->gss_creds_path;
+		goto parse_filename;
+
 	case sGssStrictAcceptor:
 		intptr = &options->gss_strict_acceptor;
+		goto parse_flag;
 
 	case sGsiAllowLimitedProxy:
 		intptr = &options->gsi_allow_limited_proxy;
diff --git a/openssh/servconf.h b/openssh/servconf.h
index 82b6ad2..6fffff4 100644
--- a/openssh/servconf.h
+++ b/openssh/servconf.h
@@ -94,6 +94,7 @@ typedef struct {
 	int gss_authentication;	/* If true, permit GSSAPI authentication */
 	int gss_keyex;	/* If true, permit GSSAPI key exchange */
 	int gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+	char* gss_creds_path;	/* If true, destroy cred cache on logout */
 	int gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
 	int gsi_allow_limited_proxy;	/* If true, accept limited proxies */
 	int password_authentication;	/* If true, permit password
diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5
index b3c9797..c90bac7 100644
--- a/openssh/sshd_config.5
+++ b/openssh/sshd_config.5
@@ -349,6 +349,17 @@
 Note that this option applies only to protocol version 2 GSSAPI connections, and setting it to
 .Dq no
 may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPICredentialsPath
+If specified, the delegated GSSAPI credential is stored in the
+given path, overwriting any existing credentials.
+Paths can be specified with syntax similar to the AuthorizedKeysFile
+option (i.e., accepting %h and %u tokens).
+When using this option,
+setting 'GssapiCleanupCredentials no' is recommended,
+so logging out of one session
+doesn't remove the credentials in use by another session of
+the same user.
+Currently only implemented for the GSI mechanism.
 .It Cm GSIAllowLimitedProxy
 Specifies whether to accept limited proxy credentials for authentication.
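Review bot: The added `goto parse_flag;` under `case sGssStrictAcceptor:` is an unrelated fix: on the old side that case fell straight into `case sGsiAllowLimitedProxy:`, so a GSSAPIStrictAcceptorCheck line ended up setting gsi_allow_limited_proxy (presumably via the goto that follows it outside the hunk) instead of gss_strict_acceptor. That deserves a sentence in the commit message, which currently only mentions the new option, since it changes the behaviour of an existing security-relevant keyword. For the new case, a reader will want to know that `parse_filename` stores the value verbatim and the %h/%u tokens documented in the sshd_config.5 hunk are expanded per user later; a comment such as `/* %h and %u are expanded per user by expand_authorized_keys() */` above the `goto parse_filename;` would say so. The enclosing switch starts and ends outside the hunk.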
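Review bot: In the servconf.h hunk the comment on the new `char* gss_creds_path;` member is copied from gss_cleanup_creds and is wrong for a string option (it reads `If true, destroy cred cache on logout`). Replace it with `/* Path template for storing delegated GSSAPI creds; NULL if unset */`, and write the declarator as `char *gss_creds_path;` so the pointer binds to the name as in the surrounding declarations. The struct continues outside the hunk.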