jbasney [Tue, 8 Oct 2002 17:18:32 +0000 (17:18 +0000)]
segv bug fix: gss_accept_sec_context() returns a read-only pointer to the
mech OID, so we shouldn't stash it in our Gssctxt object where we expect
a pointer to an xmalloc'ed object
jbasney [Mon, 7 Oct 2002 18:34:56 +0000 (18:34 +0000)]
for privilege separation, send gss_indicate_mechs() and gss_display_status()
to privileged process, which has the GSSAPI libraries loaded and has the
GSSAPI state, rather than calling them in the unprivileged process, which
can't load the GSSAPI libraries and doesn't have the GSSAPI state
jbasney [Mon, 7 Oct 2002 18:24:15 +0000 (18:24 +0000)]
ctxt may be NULL when using privsep, so either avoid using it to get the oid
(if we already have it stashed in a local variable) or use GSS_C_NO_OID
instead
jbasney [Mon, 7 Oct 2002 18:23:18 +0000 (18:23 +0000)]
remove explicit call to gss_initialize(); instead, we make sure the
unprivileged child process doesn't call any mechanism-specific GSSAPI
functions (i.e., gss_display_status() and gss_indicate_mechs()) so
mechglue library doesn't need to initialize other GSSAPI libraries in
the unprivileged child process
jbasney [Wed, 2 Oct 2002 14:20:23 +0000 (14:20 +0000)]
add an explicit call to gss_initialize() at sshd startup when using mechglue
because otherwise, we'll have problems initializing later on if
privilege separation is enabled
if gss_accept_sec_context() fails with a packet to send back to the client,
send the GSS packet first before sending the SSH failure message rather
than the other way around so the client will handle the GSS packet before
tearing down its GSS context
debug message cleanup:
- removed superfluous display_gssapi_status() function; ssh_gssapi_error()
is better
- if fail to set GSI username from credentials, write debug message that
says so with GSSAPI error text following, so it's clear what's going on
and the GSSAPI errors may not indicate a failure (i.e., Kerberos can
still work)
changes for gssapi mechglue support:
- rename get_gssapi_cred() to get_gsi_cred() and get_gss_our_name() to
get_gsi_name() and try to force the GSI mechanism, because these functions
(for getting the grid-mapfile name for implicit username mapping) are
GSI specific; this needs more work
- fix debug messages to not assume only one gssapi mechanism
- only tell server about those gssapi oids for which we have valid creds
- prefer GSI over Kerberos GSSAPI mech, because we can only choose one
and we can always do regular (non-GSSAPI) Kerberos auth later
don't use the resolver to determine the full hostname of the target
host because DNS resolution of remote hostnames is insecure; instead,
use what was given on the command-line, except switch localhost
to the full localhostname and expand short hostnames according to the
local domainname
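The host-name rule in the entry above, as an added illustration that is not GSI-OpenSSH code: the target name is built from the command-line argument alone, with no resolver call; the local FQDN and domain are assumed to be passed in from the local machine (e.g. from gethostname() or site configuration), never looked up for the remote name.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example (not GSI-OpenSSH code). Derive the GSSAPI target host from
 * what the user typed, without consulting DNS:
 *   - "localhost" becomes the local machine's full host name
 *   - a name containing a '.' is taken as already qualified
 *   - a short name is extended with the local domain name
 * local_fqdn and domain are assumed to come from the local host itself.
 * Returns 0 on success, -1 if the result would not fit in out. */
int gsi_target_host(const char *given, const char *local_fqdn,
                    const char *domain, char *out, size_t outlen)
{
    int n;
    if (strcasecmp(given, "localhost") == 0)
        n = snprintf(out, outlen, "%s", local_fqdn);
    else if (strchr(given, '.') != NULL || domain == NULL || domain[0] == '\0')
        n = snprintf(out, outlen, "%s", given); /* qualified, or no domain to add */
    else
        n = snprintf(out, outlen, "%s.%s", given, domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Helper for checks: 1 if the derived name equals expected, 0 otherwise
 * (a truncated result never matches). */
int gsi_target_host_is(const char *given, const char *local_fqdn,
                       const char *domain, const char *expected)
{
    char buf[256];
    if (gsi_target_host(given, local_fqdn, domain, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the local host is assumed to be login.example.org. */
    const char *given[] = { "localhost", "grid7", "grid7.example.org" };
    char buf[256];
    for (size_t i = 0; i < sizeof given / sizeof given[0]; i++)
        if (gsi_target_host(given[i], "login.example.org", "example.org",
                            buf, sizeof buf) == 0)
            printf("%-20s -> host@%s\n", given[i], buf);
    return 0;
}
```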
- call ssh_gssapi_krb5_init() at the start of ssh_gssapi_krb5_localname()
because the krb_context must be initialized for krb5_aname_to_localname()
to work
- if multiple gssapi mechanisms in ssh_gssapi_mechanisms, separate them
by ',' in the list
- added some debug messages in ssh_gssapi_mechanisms to show which mechs
are chosen and why
- initialize gss_buffer_desc variables to NULL
- avoid calling gss_delete_sec_context() and gss_release_name() with
mechglue because there are problems with name binding between the
different gssapi libraries that cause memory management problems
- fix usage message on --with-mechglue
- list full path to mechglue libgssapi.a on link line rather than using
-L${mechglue_path} because we don't want to pick up some other libgssapi.so
which some linkers will give precedence to
- pass in /bin/true as then case of AC_CHECK_LIB because the default
appends the library to the linker path which isn't what we want
fix implicit username support for gssapi (was working for external-keyx only):
- if method is gssapi, wait until after gssapi exchange before trying to
set the username
- increment authctxt->attempt on each attempt (bug fix)
- only tell the monitor once that we're entering the authentication stage
o Add new messages to print to the user in some odd cases involving the
presence/lack of the pid file. Also update some old messages so that
they are more verbose.
o Modularize startup and shutdown sequences into shell functions.
o Do more robust checking in case the pid file left around is stale
(eg. from a machine crash). If it is, remove it and start the server
up as usual.
o Add better handling of the globus location variable before it gets
placed into the SXXsshd script. AKA clean up the string to avoid
any abnormalities.
o Initialize privilege separation setting at the beginning of the script
for the case where the SSHD configuration file isn't copied, and its
value is still needed for the generic output given to the user at
the end of the script's run.
o Change the check at the beginning of copyPRNGFile() from checking for
the presence of /dev/random to checking for the presence of
$sysconfdir/ssh_prng_cmds. This will allow installations of this
file all the time, since we are now unconditionally installing
ssh-rand-helper.
o Rearrange output of message re: privsep to user.
o Remove check for the mode of the privsep jail.
o Add check to verify root is the owner of the privsep jail.
merged Simon's openssh-3.4p1-gssapi-20020627.diff patch to the trunk:
It adds support for GSSAPI in privilege separation mode.
I needed to re-do the empty username support by adding mapping functions
to the monitor, since the unprivileged child can't access the grid-mapfile
or any of the authentication context.
I also grabbed some fixes from Doug Engert to make GSSAPI work over SSH1
with privilege separation.
jbasney [Thu, 20 Jun 2002 21:58:19 +0000 (21:58 +0000)]
rather than installing gsissh and gsiscp as copies of ssh and scp, just
make symbolic links; also, install gsissh and gsiscp man pages as symlinks
to ssh and scp man pages
jbasney [Wed, 19 Jun 2002 14:24:31 +0000 (14:24 +0000)]
merging OPENSSH_GSSAPI_Protocol1-branch to trunk from tag
OPENSSH_GSSAPI_Protocol1_Complete; official GSI OpenSSH now lives on the
trunk; Simon's patched version of OpenSSH can now be found on
OPENSSH_GSSAPI-branch