ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.
+ - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
+ configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
+ sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
20030825
- (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
key.o dispatch.o kex.o mac.o uuencode.o misc.o \
rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
- entropy.o scard-opensc.o
+ entropy.o scard-opensc.o gss-genr.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o
monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
kexdhs.o kexgexs.o \
auth-krb5.o auth2-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-sia.o md5crypt.o
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
/* Define if compiler implements __func__ */
#undef HAVE___func__
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
+
/* Define if you want Kerberos 5 support */
#undef KRB5
#ifdef KRB5
#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
extern ServerOptions options;
pam_strerror(sshpam_handle, sshpam_err));
}
+/*
+ * Set a PAM environment string. We need to do this so that the session
+ * modules can handle things like Kerberos/GSI credentials that appear
+ * during the ssh authentication process.
+ */
+
+int
+do_pam_putenv(char *name, char *value)
+{
+ char *compound;
+ int ret = 1;
+
+#ifdef HAVE_PAM_PUTENV
+ compound = xmalloc(strlen(name)+strlen(value)+2);
+ if (compound) {
+ sprintf(compound,"%s=%s",name,value);
+ ret = pam_putenv(sshpam_handle,compound);
+ xfree(compound);
+ }
+#endif
+ return (ret);
+}
+
void
print_pam_messages(void)
{
void do_pam_setcred(int );
int is_pam_password_change_required(void);
void do_pam_chauthtok(void);
+int do_pam_putenv(char *, char *);
void print_pam_messages(void);
char ** fetch_pam_environment(void);
void free_pam_environment(char **);
AC_CHECK_LIB(dl, dlopen, , )
AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
AC_CHECK_FUNCS(pam_getenvlist)
+ AC_CHECK_FUNCS(pam_putenv)
disable_shadow=yes
PAM_MSG="yes"
fi
AC_SEARCH_LIBS(dn_expand, resolv)
+ AC_CHECK_LIB(gssapi,gss_init_sec_context,
+ [ AC_DEFINE(GSSAPI)
+ K5LIBS="-lgssapi $K5LIBS" ],
+ [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+ [ AC_DEFINE(GSSAPI)
+ K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+ AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
+ $K5LIBS)
+ ],
+ $K5LIBS)
+
+ AC_CHECK_HEADER(gssapi.h, ,
+ [ unset ac_cv_header_gssapi_h
+ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+ AC_CHECK_HEADERS(gssapi.h, ,
+ AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
+ )
+ ]
+ )
+
+ oldCPP="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+ AC_CHECK_HEADER(gssapi_krb5.h, ,
+ [ CPPFLAGS="$oldCPP" ])
+
KRB5=yes
fi
]
# define __func__ ""
#endif
+#if defined(KRB5) && !defined(HEIMDAL)
+# define krb5_get_err_text(context,code) error_message(code)
+#endif
+
/*
* Define this to use pipes instead of socketpairs for communicating with the
* client program. Socketpairs do not seem to work on all systems.
extern ServerOptions options;
+#ifdef HEIMDAL
#include <krb5.h>
+#else
+#include <gssapi_krb5.h>
+#endif
static krb5_context krb_context = NULL;
if (ssh_gssapi_krb5_init() == 0)
return;
+#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
+#else
+ {
+ int tmpfd;
+ char ccname[40];
+
+ snprintf(ccname, sizeof(ccname),
+ "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+
+ if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
+ logit("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ return;
+ }
+ if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+ logit("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ return;
+ }
+ close(tmpfd);
+ if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+ logit("krb5_cc_resolve(): %.100s",
+ krb5_get_err_text(krb_context, problem));
+ return;
+ }
+ }
+#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
+#ifdef USE_PAM
+ if (options.use_pam)
+ do_pam_putenv(client->store.envvar,client->store.envval);
+#endif
+
krb5_cc_close(krb_context, ccache);
return;
session_proctitle(s);
+#ifdef GSSAPI
+ temporarily_use_uid(s->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+#endif
+
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_session(s->pw->pw_name, NULL);
}
#endif /* USE_PAM */
-#ifdef GSSAPI
- temporarily_use_uid(s->pw);
- ssh_gssapi_storecreds();
- restore_uid();
-#endif
-
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
ptyfd = s->ptyfd;
ttyfd = s->ttyfd;
+#ifdef GSSAPI
+ temporarily_use_uid(s->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
+#endif
+
#if defined(USE_PAM)
if (options.use_pam) {
do_pam_session(s->pw->pw_name, s->tty);
}
#endif
-#ifdef GSSAPI
- temporarily_use_uid(s->pw);
- ssh_gssapi_storecreds();
- restore_uid();
-#endif
-
/* Fork the child. */
if ((pid = fork()) == 0) {
fatal_remove_all_cleanups();
#include <gssapi.h>
+#ifdef KRB5
+#ifndef HEIMDAL
+#include <gssapi_generic.h>
+
+/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
+#endif /* KRB5 */
+
/* draft-ietf-secsh-gsskeyex-06 */
#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
#ifdef KRB5
#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
#endif
#include "ssh.h"
#ifdef KRB5
#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
#endif
#include "openbsd-compat/sys-queue.h"