--- hpn-ssh-hpn-18.4.2/configure.ac.orig +++ hpn-ssh-hpn-18.4.2/configure.ac @@ -1169,6 +1169,9 @@ ], ) TEST_SHELL=$SHELL # let configure find us a capable shell + AC_DEFINE([USE_GSS_STORE_CRED], [1], [Use the Solaris-style GSS cred store]) + AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID], [1], [GSSAPI storecreds needs ruid]) + AC_DEFINE([HAVE_PAM_AUSER], [1], [pam_auser]) ;; *-*-sunos4*) CPPFLAGS="$CPPFLAGS -DSUNOS4" --- hpn-ssh-hpn-18.4.2/gss-serv-krb5.c.orig +++ hpn-ssh-hpn-18.4.2/gss-serv-krb5.c @@ -109,7 +109,7 @@ return retval; } - +#ifndef USE_GSS_STORE_CRED /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ @@ -195,6 +195,7 @@ return; } +#endif /* #ifndef USE_GSS_STORE_CRED */ ssh_gssapi_mech gssapi_kerberos_mech = { "toWM5Slw5Ew8Mqkay+al2g==", @@ -203,7 +204,11 @@ NULL, &ssh_gssapi_krb5_userok, NULL, +#ifdef USE_GSS_STORE_CRED + NULL +#else &ssh_gssapi_krb5_storecreds +#endif }; #endif /* KRB5 */ --- hpn-ssh-hpn-18.4.2/gss-serv.c.orig +++ hpn-ssh-hpn-18.4.2/gss-serv.c @@ -44,6 +44,7 @@ #include "session.h" #include "misc.h" #include "servconf.h" +#include "sshbuf.h" #include "ssh-gss.h" @@ -319,22 +320,66 @@ void ssh_gssapi_cleanup_creds(void) { +#ifdef USE_GSS_STORE_CRED + debug("removing gssapi cred file not implemented"); +#else if (gssapi_client.store.filename != NULL) { /* Unlink probably isn't sufficient */ debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename); unlink(gssapi_client.store.filename); } +#endif /* USE_GSS_STORE_CRED */ } /* As user */ void ssh_gssapi_storecreds(void) { +#ifdef USE_GSS_STORE_CRED + OM_uint32 maj_status, min_status; + + if (gssapi_client.creds == NULL) { + debug("No credentials stored"); + return; + } + + maj_status = gss_store_cred(&min_status, gssapi_client.creds, + GSS_C_INITIATE, &gssapi_client.mech->oid, 1, 1, NULL, NULL); + + if (GSS_ERROR(maj_status)) { + struct sshbuf *b; + gss_buffer_desc msg; + OM_uint32 lmin; + OM_uint32 more = 0; + if ((b = sshbuf_new()) == NULL) fatal("malloc"); + /* GSS-API error */ + do { + gss_display_status(&lmin, maj_status, GSS_C_GSS_CODE, + GSS_C_NULL_OID, &more, &msg); + sshbuf_put(b, msg.value, msg.length); + sshbuf_put(b, "\n", 1); + gss_release_buffer(&lmin, &msg); + } while (more != 0); + /* Mechanism specific error */ + do { + gss_display_status(&lmin, min_status, GSS_C_MECH_CODE, + &gssapi_client.mech->oid, &more, &msg); + sshbuf_put(b, msg.value, msg.length); + sshbuf_put(b, "\n", 1); + gss_release_buffer(&lmin, &msg); + } while (more != 0); + sshbuf_put(b, "\0", 1); + error("GSS-API error while storing delegated credentials: %s", + sshbuf_ptr(b)); + sshbuf_free(b); + } +#else /* #ifdef USE_GSS_STORE_CRED */ if (gssapi_client.mech && gssapi_client.mech->storecreds) { (*gssapi_client.mech->storecreds)(&gssapi_client); } else debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); +#endif /* #ifdef USE_GSS_STORE_CRED */ } /* This allows GSSAPI methods to do things to the child's environment based --- hpn-ssh-hpn-18.4.2/servconf.c.orig +++ hpn-ssh-hpn-18.4.2/servconf.c @@ -620,7 +620,11 @@ { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, +#ifdef USE_GSS_STORE_CRED + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, +#else /* USE_GSS_STORE_CRED */ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, +#endif /* USE_GSS_STORE_CRED */ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, --- hpn-ssh-hpn-18.4.2/sshd.c.orig +++ hpn-ssh-hpn-18.4.2/sshd.c @@ -2313,9 +2313,23 @@ #ifdef GSSAPI if (options.gss_authentication) { +#ifdef GSSAPI_STORECREDS_NEEDS_RUID + if (setreuid(authctxt->pw->pw_uid, -1) != 0) { + debug("setreuid %u: %.100s", + (u_int) authctxt->pw->pw_uid, strerror(errno)); + goto bail_storecred; + } +#endif temporarily_use_uid(authctxt->pw); ssh_gssapi_storecreds(); restore_uid(); +#ifdef GSSAPI_STORECREDS_NEEDS_RUID + if (setuid(geteuid()) != 0) { + fatal("setuid %u: %.100s", (u_int) geteuid(), + strerror(errno)); + } + bail_storecred: ; +#endif } #endif #ifdef USE_PAM