- (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not

[openssh.git] / session.c

diff --git a/session.c b/session.c
index 00f8785f5d41331e997e70aa921f1290a90f75e0..6a1cb78418e3b0ff3f55f0c4160207ec072c0a08 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.171 2004/01/13 19:23:15 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -58,6 +58,10 @@ RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $");
 #include "session.h"
 #include "monitor_wrap.h"
 
+#ifdef KRB5
+#include <kafs.h>
+#endif
+
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -1415,6 +1419,32 @@ do_child(Session *s, const char *command)
         */
        environ = env;
 
+#if defined(KRB5) && defined(AFS)
+       /*
+        * At this point, we check to see if AFS is active and if we have
+        * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
+        * if we can (and need to) extend the ticket into an AFS token. If
+        * we don't do this, we run into potential problems if the user's
+        * home directory is in AFS and it's not world-readable.
+        */
+
+       if (options.kerberos_get_afs_token && k_hasafs() &&
+            (s->authctxt->krb5_ctx != NULL)) {
+               char cell[64];
+
+               debug("Getting AFS token");
+
+               k_setpag();
+
+               if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+                       krb5_afslog(s->authctxt->krb5_ctx,
+                           s->authctxt->krb5_fwd_ccache, cell, NULL);
+
+               krb5_afslog_home(s->authctxt->krb5_ctx,
+                   s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+       }
+#endif
+
        /* Change current directory to the user\'s home directory. */
        if (chdir(pw->pw_dir) < 0) {
                fprintf(stderr, "Could not chdir to home directory %s: %s\n",