debug message cleanup:
- removed superfluous display_gssapi_status() function; ssh_gssapi_error()
is better
- if we fail to set the GSI username from credentials, write a debug message that
says so with the GSSAPI error text following, so it's clear what's going on
and the GSSAPI errors may not indicate a failure (i.e., Kerberos can
still work)
changes for gssapi mechglue support:
- rename get_gssapi_cred() to get_gsi_cred() and get_gss_our_name() to
get_gsi_name() and try to force the GSI mechanism, because these functions
(for getting the grid-mapfile name for implicit username mapping) are
GSI specific; this needs more work
- fix debug messages to not assume only one gssapi mechanism
- only tell server about those gssapi oids for which we have valid creds
- prefer GSI over Kerberos GSSAPI mech, because we can only choose one
and we can always do regular (non-GSSAPI) Kerberos auth later
don't use the resolver to determine the full hostname of the target
host because DNS resolution of remote hostnames is insecure; instead,
use what was given on the command-line, except switch localhost
to the full local hostname and expand short hostnames according to the
local domain name
- call ssh_gssapi_krb5_init() at the start of ssh_gssapi_krb5_localname()
because the krb_context must be initialized for krb5_aname_to_localname()
to work
- if there are multiple gssapi mechanisms in ssh_gssapi_mechanisms, separate them
by ',' in the list
- added some debug messages in ssh_gssapi_mechanisms to show which mechs
are chosen and why
- initialize gss_buffer_desc variables to NULL
- avoid calling gss_delete_sec_context() and gss_release_name() with
mechglue because there are problems with name binding between the
different gssapi libraries that cause memory management problems
- fix usage message on --with-mechglue
- list full path to mechglue libgssapi.a on link line rather than using
-L${mechglue_path} because we don't want to pick up some other libgssapi.so
which some linkers will give precedence to
- pass in /bin/true as the 'then' case of AC_CHECK_LIB because the default
appends the library to the linker path which isn't what we want
fix implicit username support for gssapi (was working for external-keyx only):
- if method is gssapi, wait until after gssapi exchange before trying to
set the username
- increment authctxt->attempt on each attempt (bug fix)
- only tell the monitor once that we're entering the authentication stage
o Add new messages to print to the user in some odd cases involving the
presence/lack of the pid file. Also update some old messages so that
they are more verbose.
o Modularize startup and shutdown sequences into shell functions.
o Do more robust checking in case the pid file left around is stale
(e.g. from a machine crash). If it is, remove it and start the server
up as usual.
o Add better handling of the globus location variable before it gets
placed into the SXXsshd script. AKA clean up the string to avoid
any abnormalities.
o Initialize privilege separation setting at the beginning of the script
for the case where the SSHD configuration file isn't copied, and its
value is still needed for the generic output given to the user at
the end of the script's run.
o Change the check at the beginning of copyPRNGFile() from checking for
the presence of /dev/random to checking for the presence of
$sysconfdir/ssh_prng_cmds. This will allow installations of this
file all the time, since we are now unconditionally installing
ssh-rand-helper.
o Rearrange output of message re: privsep to user.
o Remove check for the mode of the privsep jail.
o Add check to verify root is the owner of the privsep jail.
merged Simon's openssh-3.4p1-gssapi-20020627.diff patch to the trunk:
It adds support for GSSAPI in privilege separation mode.
I needed to re-do the empty username support by adding mapping functions
to the monitor, since the unprivileged child can't access the grid-mapfile
or any of the authentication context.
I also grabbed some fixes from Doug Engert to make GSSAPI work over SSH1
with privilege separation.
jbasney [Thu, 20 Jun 2002 21:58:19 +0000 (21:58 +0000)]
rather than installing gsissh and gsiscp as copies of ssh and scp, just
make symbolic links; also, install gsissh and gsiscp man pages as symlinks
to ssh and scp man pages
jbasney [Wed, 19 Jun 2002 14:24:31 +0000 (14:24 +0000)]
merging OPENSSH_GSSAPI_Protocol1-branch to trunk from tag
OPENSSH_GSSAPI_Protocol1_Complete; official GSI OpenSSH now lives on the
trunk; Simon's patched version of OpenSSH can now be found on
OPENSSH_GSSAPI-branch
cphillip [Fri, 14 Jun 2002 15:43:01 +0000 (15:43 +0000)]
o Add installation of PRNG commands file upon setup.
o Add options to setup script to allow forcing an installation.
o Do more rigorous checking of files before we attempt to read from/write
to them.
o Reorganize order in which functions are called and how the program is
structured.