

(-)Makefile.in (-1 / +1 lines)
Lines 86-92 Link Here
86
	auth2-none.o auth2-passwd.o auth2-pubkey.o \
86
	auth2-none.o auth2-passwd.o auth2-pubkey.o \
87
	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
87
	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
88
	auth-krb5.o \
88
	auth-krb5.o \
89
	auth2-gss.o gss-serv.o gss-serv-krb5.o \
89
	auth2-gss.o gss-serv.o gss-serv-krb5.o gss-serv-gsi.o \
90
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
90
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
91
	audit.o audit-bsm.o platform.o
91
	audit.o audit-bsm.o platform.o
92
92
(-)auth2-gss.c (-1 / +1 lines)
Lines 136-142 Link Here
136
	Gssctxt *gssctxt;
136
	Gssctxt *gssctxt;
137
	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
137
	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
138
	gss_buffer_desc recv_tok;
138
	gss_buffer_desc recv_tok;
139
	OM_uint32 maj_status, min_status, flags;
139
	OM_uint32 maj_status, min_status, flags=0;
140
	u_int len;
140
	u_int len;
141
141
142
	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
142
	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
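Review bot: The new `flags=0` drops the spacing used everywhere else in this declaration list; write it as `OM_uint32 maj_status, min_status, flags = 0;`. The initialisation itself looks right if `flags` is only written by the GSS-API call on success and read afterwards regardless of outcome, but the rest of the function, including that call, lies outside the hunk, so that reading is inferred rather than visible here.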
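--- a/configure.ac
+++ b/configure.ac
@@ -1028,6 +1028,83 @@
 	]
 )
 
+# Check whether the user wants GSI (Globus) support
+GSI_MSG="no"
+AC_ARG_WITH(gsi,
+	[  --with-gsi              Enable Globus GSI authentication support],
+	[  
+		if test "x$withval" != "xno" ; then
+			AC_MSG_CHECKING(for Globus GSI)
+			AC_DEFINE(GSI, 1,
+                [Define if you want GSI/Globus authentication support.])
+			AC_DEFINE(GSSAPI)
+			GSI_MSG="yes"
+
+			# $GLOBUS_LOCATION is root of GSI installation
+			if test -z "$GLOBUS_LOCATION" ; then
+				AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set .)
+			fi
+			if test ! -d "$GLOBUS_LOCATION" ; then
+				AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set to Globus install directory path.)
+			fi
+
+			# Get Globus library "flavor"
+			AC_ARG_WITH(globus-flavor,
+				[  --with-globus-flavor=TYPE  Specify Globus flavor type (ex: gcc32dbg)],
+				[
+					globus_flavor="$withval"
+					if test "x$globus_flavor" = "xyes" ; then
+						AC_MSG_ERROR(--with-globus-flavor=TYPE must specify a flavor type)
+					fi
+				],
+				[
+					AC_MSG_ERROR(--with-globus-flavor=TYPE must be specified)
+				]
+			)
+
+			# Add directory for GSI headers
+			GLOBUS_INCLUDE="${GLOBUS_LOCATION}/include/${globus_flavor}"
+			if test ! -d "$GLOBUS_INCLUDE" ; then
+				AC_MSG_ERROR(Cannot find Globus flavor-specific include directory: ${GLOBUS_INCLUDE})
+			fi
+			GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
+	
+			# Use globus-makefile-header tool to add needed libs
+			if test ! -x "${GLOBUS_LOCATION}/bin/globus-makefile-header" ; then
+				AC_MSG_ERROR(${GLOBUS_LOCATION}/bin/globus-makefile-header does not exist)
+			fi
+			GSI_LIBS=`${GLOBUS_LOCATION}/bin/globus-makefile-header --flavor=${globus_flavor} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
+			if test -z "$GSI_LIBS" ; then
+				AC_MSG_ERROR(globus-makefile-header failed)
+			fi
+
+			if test -n "${need_dash_r}"; then
+				GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"
+			else
+				GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib"
+			fi
+
+			AC_DEFINE(HAVE_GSSAPI_H)
+
+			LIBS="$LIBS $GSI_LIBS"
+			LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
+			CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"
+
+			# test that we got the libraries OK
+			AC_TRY_LINK(
+				[],
+				[],
+				[
+					AC_MSG_RESULT(yes)
+				],
+				[
+					AC_MSG_ERROR(link with GSI libraries failed)
+				]
+			)
+		fi
+	]
+)
+
 AC_MSG_CHECKING([for /proc/pid/fd directory])
 if test -d "/proc/$$/fd" ; then
 	AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd])
@@ -1766,7 +1843,10 @@
 		fi
 	]
 )
-LIBS="-lcrypto $LIBS"
+# If using GSI libraries, libcrypto is already in LIBS
+if test -z "$GSI_LIBS" ; then
+	LIBS="-lcrypto $LIBS"
+fi
 AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
 	[Define if your ssl headers are included
 	with #include <openssl/header.h>]),
@@ -3962,6 +4042,7 @@
 echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
+echo "                       GSI support: $GSI_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"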
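Review bot: The run-path flag in the `need_dash_r` branch of the first hunk is missing a `$`: `-R{GLOBUS_LOCATION}/lib` is never expanded, so the linker receives the literal relative directory `{GLOBUS_LOCATION}/lib` instead of the Globus library path, and the branch does not do what its `-L` half does; it should read `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R${GLOBUS_LOCATION}/lib"`. Baking a relative run-time search directory into a privileged daemon is also undesirable on its own, independent of how a given toolchain treats the malformed flag. Separately, `AC_DEFINE(GSSAPI)` and `AC_DEFINE(HAVE_GSSAPI_H)` use the bare one-argument form while the `AC_DEFINE(GSI, 1, [...])` a few lines above uses the three-argument form that autoheader expects; making them consistent avoids template warnings. The `GSI_LIBS` extraction also introduces a configure-time dependency on `perl` that the surrounding file does not otherwise show and that the `--with-gsi` help text does not mention.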
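--- /dev/null
+++ b/gss-serv-gsi.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#ifdef GSSAPI
+#ifdef GSI
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "log.h"
+#include "servconf.h"
+
+#include "buffer.h"
+#include "ssh-gss.h"
+
+extern ServerOptions options;
+
+#include <globus_gss_assist.h>
+
+static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
+static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
+
+ssh_gssapi_mech gssapi_gsi_mech = {
+	"dZuIebMjgUqaxvbF7hDbAw==",
+	"GSI",
+	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
+	NULL,
+	&ssh_gssapi_gsi_userok,
+	NULL,
+	&ssh_gssapi_gsi_storecreds
+};
+
+/*
+ * Check if this user is OK to login under GSI. User has been authenticated
+ * as identity in global 'client_name.value' and is trying to log in as passed
+ * username in 'name'.
+ *
+ * Returns non-zero if user is authorized, 0 otherwise.
+ */
+static int
+ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
+{
+    int authorized = 0;
+    globus_result_t res;
+    
+    if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
+        return 0;
+    }
+
+    debug("calling globus_gss_assist_userok()");
+    if (GLOBUS_SUCCESS !=
+        (res = (globus_gss_assist_userok(client->displayname.value,
+                                         name)))) {
+        debug("%s", globus_error_print_chain(globus_error_get(res)));
+    } else {
+        authorized = 1;
+    }
+    
+    logit("GSI user %s is%s authorized as target user %s",
+	(char *) client->displayname.value, (authorized ? "" : " not"), name);
+    
+    return authorized;
+}
+
+/*
+ * Export GSI credentials to disk.
+ */
+static void
+ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
+{
+	OM_uint32	major_status;
+	OM_uint32	minor_status;
+	gss_buffer_desc	export_cred = GSS_C_EMPTY_BUFFER;
+	char *		p;
+	
+	if (!client || !client->creds) {
+	    return;
+	}
+
+	major_status = gss_export_cred(&minor_status,
+				       client->creds,
+				       GSS_C_NO_OID,
+				       1,
+				       &export_cred);
+	if (GSS_ERROR(major_status) && major_status != GSS_S_UNAVAILABLE) {
+	    Gssctxt *ctx;
+	    ssh_gssapi_build_ctx(&ctx);
+	    ctx->major = major_status;
+	    ctx->minor = minor_status;
+	    ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
+	    ssh_gssapi_error(ctx);
+	    ssh_gssapi_delete_ctx(&ctx);
+	    return;
+	}
+	
+	p = strchr((char *) export_cred.value, '=');
+	if (p == NULL) {
+	    logit("Failed to parse exported credentials string '%.100s'",
+		(char *)export_cred.value);
+	    gss_release_buffer(&minor_status, &export_cred);
+	    return;
+	}
+	*p++ = '\0';
+    client->store.envvar = strdup((char *)export_cred.value);
+	client->store.envval = strdup(p);
+#ifdef USE_PAM
+	if (options.use_pam)
+	    do_pam_putenv(client->store.envvar, client->store.envval);
+#endif
+	if (strncmp(p, "FILE:", 5) == 0) {
+	    p += 5;
+	}
+	if (access(p, R_OK) == 0) {
+	    client->store.filename = strdup(p);
+	}
+	gss_release_buffer(&minor_status, &export_cred);
+}
+
+#endif /* GSI */
+#endif /* GSSAPI */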
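Review bot: In `ssh_gssapi_gsi_storecreds` the error test deliberately lets `GSS_S_UNAVAILABLE` through, but nothing then stops `strchr((char *) export_cred.value, '=')` from running on a buffer that, in that case, is presumably still the `GSS_C_EMPTY_BUFFER` it was initialised to (a NULL `value`); add `if (export_cred.value == NULL || export_cred.length == 0) return;` before the `strchr`. That `strchr`, the `%.100s` in the `logit` call, and the `client->displayname.value` argument in `ssh_gssapi_gsi_userok` all treat GSS-API buffers as NUL-terminated C strings, which the buffer type does not guarantee; confirm against the Globus implementation or copy into a bounded buffer first. The three `strdup` calls are unchecked although the file already includes `xmalloc.h`; `xstrdup` would match the rest of the server code and keep a NULL from reaching `client->store` and `do_pam_putenv`. The `client->store.envvar` assignment is indented with spaces while every neighbouring line uses tabs.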
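--- a/gss-serv.c
+++ b/gss-serv.c
@@ -56,10 +56,16 @@
 #ifdef KRB5
 extern ssh_gssapi_mech gssapi_kerberos_mech;
 #endif
+#ifdef GSI
+extern ssh_gssapi_mech gssapi_gsi_mech;
+#endif
 
 ssh_gssapi_mech* supported_mechs[]= {
 #ifdef KRB5
 	&gssapi_kerberos_mech,
+#endif
+#ifdef GSI
+	&gssapi_gsi_mech,
 #endif
 	&gssapi_null_mech,
 };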
