- (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h

configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
   sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.

ChangeLog

@@ -10,6 +10,9 @@
      ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
      support GSS API user authentication; patches from Simon Wilkinson,
      stripped down and tested by Jakob and myself.
+ - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
+   configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
+   sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
 
 20030825
  - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from 
@@ -882,4 +885,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2907 2003/08/26 01:49:55 dtucker Exp $
+$Id: ChangeLog,v 1.2908 2003/08/26 01:58:16 dtucker Exp $

Makefile.in

@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.240 2003/08/02 13:51:38 dtucker Exp $
+# $Id: Makefile.in,v 1.241 2003/08/26 01:58:16 dtucker Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -68,7 +68,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
 	key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 	rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
 	kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
-	entropy.o scard-opensc.o 
+	entropy.o scard-opensc.o gss-genr.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o
@@ -82,6 +82,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
 	kexdhs.o kexgexs.o \
 	auth-krb5.o auth2-krb5.o \
+	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-sia.o md5crypt.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out

acconfig.h

@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.161 2003/08/25 01:51:19 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.162 2003/08/26 01:58:16 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -232,6 +232,9 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
 
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
+
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 

auth-krb5.c

@@ -42,9 +42,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
 #ifdef KRB5
 
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 
 extern ServerOptions	 options;
 

auth-pam.c

@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.67 2003/08/25 03:08:49 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.68 2003/08/26 01:58:16 dtucker Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -650,6 +650,29 @@ do_pam_chauthtok(void)
 		    pam_strerror(sshpam_handle, sshpam_err));
 }
 
+/* 
+ * Set a PAM environment string. We need to do this so that the session
+ * modules can handle things like Kerberos/GSI credentials that appear
+ * during the ssh authentication process.
+ */
+
+int
+do_pam_putenv(char *name, char *value) 
+{
+	char *compound;
+	int ret = 1;
+
+#ifdef HAVE_PAM_PUTENV	
+	compound = xmalloc(strlen(name)+strlen(value)+2);
+	if (compound) {
+		sprintf(compound,"%s=%s",name,value);
+		ret = pam_putenv(sshpam_handle,compound);
+		xfree(compound);
+	}
+#endif
+	return (ret);
+}
+
 void
 print_pam_messages(void)
 {

auth-pam.h

@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.19 2003/08/25 03:08:49 djm Exp $ */
+/* $Id: auth-pam.h,v 1.20 2003/08/26 01:58:16 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Damien Miller.  All rights reserved.
@@ -38,6 +38,7 @@ void do_pam_session(const char *, const char *);
 void do_pam_setcred(int );
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
+int do_pam_putenv(char *, char *);
 void print_pam_messages(void);
 char ** fetch_pam_environment(void);
 void free_pam_environment(char **);

configure.ac

@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.142 2003/08/25 03:27:40 dtucker Exp $
+# $Id: configure.ac,v 1.143 2003/08/26 01:58:16 dtucker Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -831,6 +831,7 @@ AC_ARG_WITH(pam,
 			AC_CHECK_LIB(dl, dlopen, , )
 			AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
 			AC_CHECK_FUNCS(pam_getenvlist)
+			AC_CHECK_FUNCS(pam_putenv)
 
 			disable_shadow=yes
 			PAM_MSG="yes"
@@ -1946,6 +1947,31 @@ AC_ARG_WITH(kerberos5,
                         fi
 			AC_SEARCH_LIBS(dn_expand, resolv)
 
+			AC_CHECK_LIB(gssapi,gss_init_sec_context,
+				[ AC_DEFINE(GSSAPI)
+				  K5LIBS="-lgssapi $K5LIBS" ],
+				[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+					[ AC_DEFINE(GSSAPI)
+				  	  K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+					AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
+					$K5LIBS)
+				],
+				$K5LIBS)
+			
+			AC_CHECK_HEADER(gssapi.h, ,
+				[ unset ac_cv_header_gssapi_h
+				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" 
+				  AC_CHECK_HEADERS(gssapi.h, ,
+					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
+				  ) 
+				]
+			)
+
+			oldCPP="$CPPFLAGS"
+			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+			AC_CHECK_HEADER(gssapi_krb5.h, ,
+					[ CPPFLAGS="$oldCPP" ])
+
                         KRB5=yes
                 fi
         ]

defines.h

@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.101 2003/08/21 06:49:41 dtucker Exp $ */
+/* $Id: defines.h,v 1.102 2003/08/26 01:58:16 dtucker Exp $ */
 
 
 /* Constants */
@@ -521,6 +521,10 @@ struct winsize {
 #  define __func__ ""
 #endif
 
+#if defined(KRB5) && !defined(HEIMDAL)
+#  define krb5_get_err_text(context,code) error_message(code)
+#endif
+
 /*
  * Define this to use pipes instead of socketpairs for communicating with the
  * client program.  Socketpairs do not seem to work on all systems.

gss-serv-krb5.c

@@ -38,7 +38,11 @@
 
 extern ServerOptions options;
 
+#ifdef HEIMDAL
 #include <krb5.h>
+#else
+#include <gssapi_krb5.h>
+#endif
 
 static krb5_context krb_context = NULL;
 
@@ -113,11 +117,39 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 	if (ssh_gssapi_krb5_init() == 0)
 		return;
 
+#ifdef HEIMDAL
 	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 		logit("krb5_cc_gen_new(): %.100s",
 		    krb5_get_err_text(krb_context, problem));
 		return;
 	}
+#else
+	{
+		int tmpfd;
+		char ccname[40];
+    
+		snprintf(ccname, sizeof(ccname), 
+		    "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+    
+		if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
+			logit("mkstemp(): %.100s", strerror(errno));
+			problem = errno;
+			return;
+		}
+		if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+			logit("fchmod(): %.100s", strerror(errno));
+			close(tmpfd);
+			problem = errno;
+			return;
+		}
+		close(tmpfd);
+		if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+			logit("krb5_cc_resolve(): %.100s",
+			    krb5_get_err_text(krb_context, problem));
+			return;
+		}
+	}
+#endif	/* #ifdef HEIMDAL */
 
 	if ((problem = krb5_parse_name(krb_context, 
 	    client->exportedname.value, &princ))) {
@@ -148,6 +180,11 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 	client->store.envvar = "KRB5CCNAME";
 	client->store.envval = xstrdup(client->store.filename);
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		do_pam_putenv(client->store.envvar,client->store.envval);
+#endif
+
 	krb5_cc_close(krb_context, ccache);
 
 	return;

session.c

@@ -418,6 +418,12 @@ do_exec_no_pty(Session *s, const char *command)
 
 	session_proctitle(s);
 
+#ifdef GSSAPI
+	temporarily_use_uid(s->pw);
+	ssh_gssapi_storecreds();
+	restore_uid();
+#endif
+
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_session(s->pw->pw_name, NULL);
@@ -428,12 +434,6 @@ do_exec_no_pty(Session *s, const char *command)
 	}
 #endif /* USE_PAM */
 
-#ifdef GSSAPI
-	temporarily_use_uid(s->pw);
-	ssh_gssapi_storecreds();
-	restore_uid();
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		fatal_remove_all_cleanups();
@@ -553,6 +553,12 @@ do_exec_pty(Session *s, const char *command)
 	ptyfd = s->ptyfd;
 	ttyfd = s->ttyfd;
 
+#ifdef GSSAPI
+	temporarily_use_uid(s->pw);
+	ssh_gssapi_storecreds();
+	restore_uid();
+#endif
+
 #if defined(USE_PAM)
 	if (options.use_pam) {
 		do_pam_session(s->pw->pw_name, s->tty);
@@ -560,12 +566,6 @@ do_exec_pty(Session *s, const char *command)
 	}
 #endif
 
-#ifdef GSSAPI
-	temporarily_use_uid(s->pw);
-	ssh_gssapi_storecreds();
-	restore_uid();
-#endif
-
 	/* Fork the child. */
 	if ((pid = fork()) == 0) {
 		fatal_remove_all_cleanups();

ssh-gss.h

@@ -31,6 +31,18 @@
 
 #include <gssapi.h>
 
+#ifdef KRB5
+#ifndef HEIMDAL
+#include <gssapi_generic.h>
+
+/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
+#endif /* KRB5 */
+
 /* draft-ietf-secsh-gsskeyex-06 */
 #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE		60
 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN			61

sshconnect1.c

@@ -20,9 +20,6 @@ RCSID("$OpenBSD: sshconnect1.c,v 1.55 2003/08/13 08:46:31 markus Exp $");
 
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 #endif
 
 #include "ssh.h"

sshconnect2.c

@@ -27,9 +27,6 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.121 2003/08/22 10:56:09 markus Exp $");
 
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 #endif
 
 #include "openbsd-compat/sys-queue.h"