From: jbasney
Date: Tue, 29 Jun 2004 02:59:04 +0000 (+0000)
Subject: fail gss userauth if we received a limited globus proxy
X-Git-Tag: OPENSSH_3_8_1P1_GSSAPI_20040629
X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/commitdiff_plain/b4cfa38637ea9321a50e6814a9af4b970e80e256
fail gss userauth if we received a limited globus proxy
---
diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index 84de210..2c26762 100644
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
@@ -76,6 +76,10 @@ ssh_gssapi_mech* supported_mechs[]= { &gssapi_null_mech, };
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+static int limited = 0;
+#endif
+
 /* Unpriviledged */ void ssh_gssapi_supported_oids(gss_OID_set *oidset)
@@ -137,6 +141,10 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) { if (ssh_gssapi_getclient(ctx, &gssapi_client)) fatal("Couldn't convert client name");
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+ if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG))
+ limited=1;
+#endif
 } return (status);
@@ -307,6 +315,12 @@ ssh_gssapi_userok(char *user) debug("No suitable client data"); return 0; }
+#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
+ if (limited) {
+ debug("limited proxy not acceptable for remote login");
+ return 0;
+ }
+#endif
 if (gssapi_client.mech && gssapi_client.mech->userok) return ((*gssapi_client.mech->userok)(&gssapi_client, user)); else
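Review bot: The new file-scope `limited` in the first hunk is process-wide state with no comment, and nothing in the visible hunks ever clears it, so once one accepted context carries the limited-proxy flag every later `ssh_gssapi_userok()` call in that process is refused. That fail-closed behaviour looks intended, but it should be stated at the declaration, e.g. `/* Set when an accepted context carried a limited Globus proxy; never cleared, so userok keeps failing in this process. */`. The flag also only works if `ssh_gssapi_accept_ctx()` and `ssh_gssapi_userok()` run in the same process; under privilege separation that is worth confirming, since the annotations for those two functions lie outside the hunks. A name such as `limited_proxy_seen` would read better at the use sites.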
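Review bot: When `flags` is NULL the added test `if (flags && (*flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG))` in `ssh_gssapi_accept_ctx()` cannot observe the limited-proxy bit, so `limited` stays 0 and `ssh_gssapi_userok()` will not refuse the login on this ground. The enclosing condition starts above the hunk, so whether a NULL `flags` can reach this block is not visible here; if it can, either treat unknown flags as limited or document that callers must pass `flags`. A one-line comment would do: `/* flags == NULL: limited-proxy status unknown, not recorded */`. Minor style point: `limited=1;` should be spaced `limited = 1;` to match the declaration.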
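Review bot: The refusal in `ssh_gssapi_userok()` is reported only with `debug()`, so at the default log level an operator has no record that a login was denied because of a limited proxy. Since this is an authorization decision, it should reach the normal log, e.g. `logit("limited proxy not acceptable for remote login");` or whichever level the project uses for authentication refusals. The check sits before the mechanism's `userok` callback, so it applies regardless of mechanism; the function body begins above the hunk and continues past it.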