Bugzilla – Attachment 1192 Details for
Bug 958
patch to support GSI GSSAPI mechanism
[patch]
patch to add GSI GSSAPI support to OpenSSH 4.4p1
openssh-4.4p1-gssapi-gsi.patch (text/plain), 9.74 KB, created by
Jim Basney
on 2006-09-30 02:12:08 AEST
Description:
patch to add GSI GSSAPI support to OpenSSH 4.4p1
Filename:
MIME Type:
Creator:
Jim Basney
Created:
2006-09-30 02:12:08 AEST
Size:
9.74 KB
patch
obsolete
>Index: Makefile.in
>===================================================================
>RCS file: /cvs/openssh/Makefile.in,v
>retrieving revision 1.282
>diff -u -r1.282 Makefile.in
>--- Makefile.in 12 Sep 2006 11:54:10 -0000 1.282
>+++ Makefile.in 29 Sep 2006 16:01:34 -0000
>@@ -86,7 +86,7 @@
> auth2-none.o auth2-passwd.o auth2-pubkey.o \
> monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> auth-krb5.o \
>- auth2-gss.o gss-serv.o gss-serv-krb5.o \
>+ auth2-gss.o gss-serv.o gss-serv-krb5.o gss-serv-gsi.o \
> loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
> audit.o audit-bsm.o platform.o
>
>Index: auth2-gss.c
>===================================================================
>RCS file: /cvs/openssh/auth2-gss.c,v
>retrieving revision 1.18
>diff -u -r1.18 auth2-gss.c
>--- auth2-gss.c 1 Sep 2006 05:38:36 -0000 1.18
>+++ auth2-gss.c 29 Sep 2006 16:01:34 -0000
>@@ -136,7 +136,7 @@
> Gssctxt *gssctxt;
> gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
> gss_buffer_desc recv_tok;
>- OM_uint32 maj_status, min_status, flags;
>+ OM_uint32 maj_status, min_status, flags=0;
> u_int len;
>
> if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
>Index: configure.ac
>===================================================================
>RCS file: /cvs/openssh/configure.ac,v
>retrieving revision 1.367
>diff -u -r1.367 configure.ac
>--- configure.ac 24 Sep 2006 19:08:59 -0000 1.367
>+++ configure.ac 29 Sep 2006 16:01:37 -0000 
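Review bot: `OM_uint32 maj_status, min_status, flags=0;` departs from the surrounding OpenSSH spacing (`flags = 0`), and the hunk gives no hint of why the initializer became necessary. If it is there to silence a may-be-used-uninitialized warning on a path where the GSS accept call leaves flags untouched, a short comment on that line naming the path that leaves it unset would let the next reader keep the initializer with confidence instead of treating it as a leftover. The enclosing function starts and ends outside the hunk.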
>@@ -1028,6 +1028,83 @@
> ]
> )
>
>+# Check whether the user wants GSI (Globus) support
>+GSI_MSG="no"
>+AC_ARG_WITH(gsi,
>+ [ --with-gsi Enable Globus GSI authentication support],
>+ [
>+ if test "x$withval" != "xno" ; then
>+ AC_MSG_CHECKING(for Globus GSI)
>+ AC_DEFINE(GSI, 1,
>+ [Define if you want GSI/Globus authentication support.])
>+ AC_DEFINE(GSSAPI)
>+ GSI_MSG="yes"
>+
>+ # $GLOBUS_LOCATION is root of GSI installation
>+ if test -z "$GLOBUS_LOCATION" ; then
>+ AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set .)
>+ fi
>+ if test ! -d "$GLOBUS_LOCATION" ; then
>+ AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set to Globus install directory path.)
>+ fi
>+
>+ # Get Globus library "flavor"
>+ AC_ARG_WITH(globus-flavor,
>+ [ --with-globus-flavor=TYPE Specify Globus flavor type (ex: gcc32dbg)],
>+ [
>+ globus_flavor="$withval"
>+ if test "x$globus_flavor" = "xyes" ; then
>+ AC_MSG_ERROR(--with-globus-flavor=TYPE must specify a flavor type)
>+ fi
>+ ],
>+ [
>+ AC_MSG_ERROR(--with-globus-flavor=TYPE must be specified)
>+ ]
>+ )
>+
>+ # Add directory for GSI headers
>+ GLOBUS_INCLUDE="${GLOBUS_LOCATION}/include/${globus_flavor}"
>+ if test ! -d "$GLOBUS_INCLUDE" ; then
>+ AC_MSG_ERROR(Cannot find Globus flavor-specific include directory: ${GLOBUS_INCLUDE})
>+ fi
>+ GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
>+
>+ # Use globus-makefile-header tool to add needed libs
>+ if test ! 
-x "${GLOBUS_LOCATION}/bin/globus-makefile-header" ; then
>+ AC_MSG_ERROR(${GLOBUS_LOCATION}/bin/globus-makefile-header does not exist)
>+ fi
>+ GSI_LIBS=`${GLOBUS_LOCATION}/bin/globus-makefile-header --flavor=${globus_flavor} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
>+ if test -z "$GSI_LIBS" ; then
>+ AC_MSG_ERROR(globus-makefile-header failed)
>+ fi
>+
>+ if test -n "${need_dash_r}"; then
>+ GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"
>+ else
>+ GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib"
>+ fi
>+
>+ AC_DEFINE(HAVE_GSSAPI_H)
>+
>+ LIBS="$LIBS $GSI_LIBS"
>+ LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
>+ CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"
>+
>+ # test that we got the libraries OK
>+ AC_TRY_LINK(
>+ [],
>+ [],
>+ [
>+ AC_MSG_RESULT(yes)
>+ ],
>+ [
>+ AC_MSG_ERROR(link with GSI libraries failed)
>+ ]
>+ )
>+ fi
>+ ]
>+)
>+
> AC_MSG_CHECKING([for /proc/pid/fd directory])
> if test -d "/proc/$$/fd" ; then
> AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd])
>@@ -1766,7 +1843,10 @@
> fi
> ]
> )
>-LIBS="-lcrypto $LIBS"
>+# If using GSI libraries, libcrypto is already in LIBS
>+if test -z "$GSI_LIBS" ; then
>+ LIBS="-lcrypto $LIBS"
>+fi
> AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
> [Define if your ssl headers are included
> with #include <openssl/header.h>]),
>@@ -3962,6 +4042,7 @@
> echo " PAM support: $PAM_MSG"
> echo " OSF SIA support: $SIA_MSG"
> echo " KerberosV support: $KRB5_MSG"
>+echo " GSI support: $GSI_MSG"
> echo " SELinux support: $SELINUX_MSG"
> echo " Smartcard support: $SCARD_MSG"
> echo " S/KEY support: $SKEY_MSG"
>Index: gss-serv-gsi.c
>===================================================================
>RCS file: gss-serv-gsi.c
>diff -N gss-serv-gsi.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ gss-serv-gsi.c 29 Sep 2006 16:01:38 -0000 
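Review bot: `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"` is missing the `$` on the -R operand, so whenever need_dash_r is set the runtime search path is the literal string `{GLOBUS_LOCATION}/lib`; it should read `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R${GLOBUS_LOCATION}/lib"`. `AC_MSG_CHECKING(for Globus GSI)` is issued at the top of the block while the matching AC_MSG_RESULT(yes) only comes after the AC_TRY_LINK at the bottom, with several AC_MSG_ERROR exits and a nested AC_ARG_WITH in between, so the configure transcript shows a "checking" line with no answer on every failure path; moving the AC_MSG_CHECKING down next to the link test keeps the output consistent. The library list is derived by piping globus-makefile-header through perl, which makes perl a configure-time requirement for --with-gsi that the help string does not mention.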
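Review bot: The new `if test -z "$GSI_LIBS"` guard around `LIBS="-lcrypto $LIBS"` relies on the globus-makefile-header output having carried -lcrypto into LIBS, which nothing in the configure.ac changes verifies; if a flavor's GLOBUS_PKG_LIBS omits it, the AC_TRY_LINK_FUNC(RAND_add) that follows fails with an OpenSSL-not-found diagnosis rather than a GSI one. Checking the actual contents, e.g. `case "$GSI_LIBS" in *-lcrypto*) ;; *) LIBS="-lcrypto $LIBS" ;; esac`, would make the intent explicit and the failure mode clearer.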
>@@ -0,0 +1,149 @@
>+/*
>+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
>+ */
>+
>+#include "includes.h"
>+
>+#ifdef GSSAPI
>+#ifdef GSI
>+
>+#include <sys/types.h>
>+
>+#include <stdarg.h>
>+#include <string.h>
>+
>+#include "xmalloc.h"
>+#include "key.h"
>+#include "hostfile.h"
>+#include "auth.h"
>+#include "log.h"
>+#include "servconf.h"
>+
>+#include "buffer.h"
>+#include "ssh-gss.h"
>+
>+extern ServerOptions options;
>+
>+#include <globus_gss_assist.h>
>+
>+static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
>+static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
>+
>+ssh_gssapi_mech gssapi_gsi_mech = {
>+ "dZuIebMjgUqaxvbF7hDbAw==",
>+ "GSI",
>+ {9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
>+ NULL,
>+ &ssh_gssapi_gsi_userok,
>+ NULL,
>+ &ssh_gssapi_gsi_storecreds
>+};
>+
>+/*
>+ * Check if this user is OK to login under GSI. User has been authenticated
>+ * as identity in global 'client_name.value' and is trying to log in as passed
>+ * username in 'name'.
>+ *
>+ * Returns non-zero if user is authorized, 0 otherwise.
>+ */
>+static int
>+ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
>+{
>+ int authorized = 0;
>+ globus_result_t res;
>+
>+ if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
>+ return 0;
>+ }
>+
>+ debug("calling globus_gss_assist_userok()");
>+ if (GLOBUS_SUCCESS !=
>+ (res = (globus_gss_assist_userok(client->displayname.value,
>+ name)))) {
>+ debug("%s", globus_error_print_chain(globus_error_get(res)));
>+ } else {
>+ authorized = 1;
>+ }
>+
>+ logit("GSI user %s is%s authorized as target user %s",
>+ (char *) client->displayname.value, (authorized ? "" : " not"), name);
>+
>+ return authorized;
>+}
>+
>+/*
>+ * Export GSI credentials to disk. 
>+ */
>+static void
>+ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
>+{
>+ OM_uint32 major_status;
>+ OM_uint32 minor_status;
>+ gss_buffer_desc export_cred = GSS_C_EMPTY_BUFFER;
>+ char * p;
>+
>+ if (!client || !client->creds) {
>+ return;
>+ }
>+
>+ major_status = gss_export_cred(&minor_status,
>+ client->creds,
>+ GSS_C_NO_OID,
>+ 1,
>+ &export_cred);
>+ if (GSS_ERROR(major_status) && major_status != GSS_S_UNAVAILABLE) {
>+ Gssctxt *ctx;
>+ ssh_gssapi_build_ctx(&ctx);
>+ ctx->major = major_status;
>+ ctx->minor = minor_status;
>+ ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
>+ ssh_gssapi_error(ctx);
>+ ssh_gssapi_delete_ctx(&ctx);
>+ return;
>+ }
>+
>+ p = strchr((char *) export_cred.value, '=');
>+ if (p == NULL) {
>+ logit("Failed to parse exported credentials string '%.100s'",
>+ (char *)export_cred.value);
>+ gss_release_buffer(&minor_status, &export_cred);
>+ return;
>+ }
>+ *p++ = '\0';
>+ client->store.envvar = strdup((char *)export_cred.value);
>+ client->store.envval = strdup(p);
>+#ifdef USE_PAM
>+ if (options.use_pam)
>+ do_pam_putenv(client->store.envvar, client->store.envval);
>+#endif
>+ if (strncmp(p, "FILE:", 5) == 0) {
>+ p += 5;
>+ }
>+ if (access(p, R_OK) == 0) {
>+ client->store.filename = strdup(p);
>+ }
>+ gss_release_buffer(&minor_status, &export_cred);
>+}
>+
>+#endif /* GSI */
>+#endif /* GSSAPI */
>Index: gss-serv.c
>===================================================================
>RCS file: /cvs/openssh/gss-serv.c,v
>retrieving revision 1.22
>diff -u -r1.22 gss-serv.c
>--- gss-serv.c 1 Sep 2006 05:38:36 -0000 1.22
>+++ gss-serv.c 29 Sep 2006 16:01:38 -0000
>@@ -56,10 +56,16 @@
> #ifdef KRB5
> extern ssh_gssapi_mech gssapi_kerberos_mech;
> #endif
>+#ifdef GSI
>+extern ssh_gssapi_mech gssapi_gsi_mech;
>+#endif
>
> ssh_gssapi_mech* supported_mechs[]= {
> #ifdef KRB5
> &gssapi_kerberos_mech,
>+#endif
>+#ifdef GSI
>+ &gssapi_gsi_mech,
> #endif
> &gssapi_null_mech,
> };
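Review bot: In ssh_gssapi_gsi_storecreds a GSS_S_UNAVAILABLE result from gss_export_cred() is exempted from the error branch but then falls straight into `p = strchr((char *) export_cred.value, '=');` with export_cred still GSS_C_EMPTY_BUFFER, i.e. a NULL dereference; guard the parse with `if (export_cred.value == NULL || export_cred.length == 0) return;` (or drop the GSS_S_UNAVAILABLE exemption if that case should simply be silent). The same parse assumes the exported buffer is NUL-terminated, which GSS-API does not promise for a gss_buffer_t, so `memchr(export_cred.value, '=', export_cred.length)` together with length-bounded copies would be the safer form. The two `strdup()` results are passed to do_pam_putenv() and stored in client->store without a NULL check. The header comment "Export GSI credentials to disk." overstates what the function does — it asks the mechanism to export the credential and records the resulting environment variable name and value and, when the referenced path is readable, the file name in client->store — and should say so.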