fix implicit username support for gssapi (was working for external-keyx only):
- if method is gssapi, wait until after gssapi exchange before trying to
set the username
- increment authctxt->attempt on each attempt (bug fix)
- only tell the monitor once that we're entering the authentication stage
o Add new messages to print to the user in some odd cases involving the
presence/lack of the pid file. Also update some old messages so that
they are more verbose.
o Modularize startup and shutdown sequences into shell functions.
o Do more robust checking in case the pid file left around is stale
(e.g. from a machine crash). If it is, remove it and start the server
up as usual.
o Add better handling of the globus location variable before it gets
placed into the SXXsshd script. AKA clean up the string to avoid
any abnormalities.
o Initialize privilege separation setting at the beginning of the script
for the case where the SSHD configuration file isn't copied, and its
value is still needed for the generic output given to the user at
the end of the script's run.
o Change the check at the beginning of copyPRNGFile() from checking for
the presence of /dev/random to checking for the presence of
$sysconfdir/ssh_prng_cmds. This will allow installations of this
file all the time, since we are now unconditionally installing
ssh-rand-helper.
o Rearrange output of message re: privsep to user.
o Remove check for the mode of the privsep jail.
o Add check to verify root is the owner of the privsep jail.
merged Simon's openssh-3.4p1-gssapi-20020627.diff patch to the trunk:
It adds support for GSSAPI in privilege separation mode.
I needed to re-do the empty username support by adding mapping functions
to the monitor, since the unprivileged child can't access the grid-mapfile
or any of the authentication context.
I also grabbed some fixes from Doug Engert to make GSSAPI work over SSH1
with privilege separation.
jbasney [Thu, 20 Jun 2002 21:58:19 +0000 (21:58 +0000)]
rather than installing gsissh and gsiscp as copies of ssh and scp, just
make symbolic links; also, install gsissh and gsiscp man pages as symlinks
to ssh and scp man pages
jbasney [Wed, 19 Jun 2002 14:24:31 +0000 (14:24 +0000)]
merging OPENSSH_GSSAPI_Protocol1-branch to trunk from tag
OPENSSH_GSSAPI_Protocol1_Complete; official GSI OpenSSH now lives on the
trunk; Simon's patched version of OpenSSH can now be found on
OPENSSH_GSSAPI-branch
cphillip [Fri, 14 Jun 2002 15:43:01 +0000 (15:43 +0000)]
o Add installation of PRNG commands file upon setup.
o Add options to setup script to allow forcing an installation.
o Do more rigorous checking of files before we attempt to read from/write
to them.
o Reorganize order in which functions are called and how the program is
structured.
cphillip [Mon, 10 Jun 2002 20:58:15 +0000 (20:58 +0000)]
o Add moduli, ssh_config, and sshd_config from the mainline gsi_openssh
package.
o Rework setup script to accurately handle parsing sshd_config.in and
writing it to $GL/etc/ssh/sshd_config, along with copying ssh_config
and moduli to $GL/etc/ssh.
o Update version numbers of setup package to reflect these changes.
jbasney [Fri, 7 Jun 2002 19:33:23 +0000 (19:33 +0000)]
add backwards compatibility with old GSI-enabled SSH daemons that didn't handle
empty username strings per the draft specification; the client will now
only send an empty username string if the server is new enough to handle it
jbasney [Thu, 6 Jun 2002 20:32:04 +0000 (20:32 +0000)]
rename getopt exported variables in openbsd-compat library with BSD
prefixes to match the BSD prefix on BSDgetopt() function to avoid
conflicts with getopt in libc
(this code was previously in includes.h)
bhe [Sat, 18 May 2002 22:27:24 +0000 (22:27 +0000)]
revision: solve the implicit user name problem of
external-kex and gssapi
switch back to the old username if both fail
auth2.c, sshconnect2.c and gss-serv.c are modified
auth2.c defines two new variables to hold the old username
and recovers to the old username when both fail
sshconnect2.c sends empty usernames to the server for
external-kex and gssapi with the implicit username option
gss-serv.c checks the username again in the verification