Attachment #1207 for bug #1100

View | Details | Raw Unified | Return to bug 1100
Collapse All | Expand All




	    authmsg,
	    method,
	    authctxt->valid ? "" : "invalid user ",
	    (authctxt->user && authctxt->user[0]) ?
		authctxt->user : "unknown",
	    get_remote_ipaddr(),
	    get_remote_port(),
	    info);

	pw = getpwnam(user);
	if (pw == NULL) {
		logit("Invalid user %.100s from %.100s",
		      (user && user[0]) ? user : "unknown",
		      get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
		record_failed_login(user,
		    get_canonical_hostname(options.use_dns), "ssh");

Lines 68-74 Link Here

(-)auth2-gss.c (-1 / +32 lines)
68	u_int len;	68	u_int len;
69	u_char *doid = NULL;	69	u_char *doid = NULL;
70		70
71	if (!authctxt->valid \|\| authctxt->user == NULL)	71	/* authctxt->valid may be 0 if we haven't yet determined
		72	username from gssapi context. */
		73
		74	if (authctxt->user == NULL)
72	return (0);	75	return (0);
73		76
74	mechs = packet_get_int();	77	mechs = packet_get_int();
Lines 217-222 Link Here
217	gss_release_buffer(&maj_status, &send_tok);	220	gss_release_buffer(&maj_status, &send_tok);
218	}	221	}
219		222
		223	static void
		224	gssapi_set_username(Authctxt *authctxt)
		225	{
		226	char *lname = NULL;
		227
		228	if ((authctxt->user == NULL) \|\| (authctxt->user[0] == '\0')) {
		229	PRIVSEP(ssh_gssapi_localname(&lname));
		230	if (lname && lname[0] != '\0') {
		231	if (authctxt->user) xfree(authctxt->user);
		232	authctxt->user = lname;
		233	debug("set username to %s from gssapi context", lname);
		234	authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
		235	if (authctxt->pw) {
		236	authctxt->valid = 1;
		237	#ifdef USE_PAM
		238	if (options.use_pam)
		239	PRIVSEP(start_pam(authctxt));
		240	#endif
		241	}
		242	} else {
		243	debug("failed to set username from gssapi context");
		244	packet_send_debug("failed to set username from gssapi context");
		245	}
		246	}
		247	}
		248
220	/*	249	/*
221	* This is called when the client thinks we've completed authentication.	250	* This is called when the client thinks we've completed authentication.
222	* It should only be enabled in the dispatch handler by the function above,	251	* It should only be enabled in the dispatch handler by the function above,
Lines 275-280 Link Here
275		304
276	gssbuf.value = buffer_ptr(&b);	305	gssbuf.value = buffer_ptr(&b);
277	gssbuf.length = buffer_len(&b);	306	gssbuf.length = buffer_len(&b);
		307
		308	gssapi_set_username(authctxt);
278		309
279	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))	310	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
280	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	311	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));




	if ((style = strchr(user, ':')) != NULL)
		*style++ = 0;

	/* If first time or username changed or empty username,
	   setup/reset authentication context. */
	if ((authctxt->attempt++ == 0) ||
	    (strcmp(user, authctxt->user) != 0) ||
	    (strcmp(user, "") == 0)) {
		if (authctxt->user) {
		    xfree(authctxt->user);
		    authctxt->user = NULL;
		}
		authctxt->valid = 0;
        authctxt->user = xstrdup(user);
        if (strcmp(service, "ssh-connection") != 0) {
            packet_disconnect("Unsupported service %s", service);
        }
#ifdef GSSAPI
		/* If we're going to set the username based on the
		   GSSAPI context later, then wait until then to
		   verify it. Just put in placeholders for now. */
		if ((strcmp(user, "") == 0) &&
		    (strcmp(method, "gssapi-with-mic") == 0)) {
			authctxt->pw = fakepw();
		} else {
#endif
		authctxt->pw = PRIVSEP(getpwnamallow(user));
		if (authctxt->pw) {
		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
			authctxt->valid = 1;
			debug2("input_userauth_request: setting up authctxt for %s", user);
		} else {

		if (options.use_pam)
			PRIVSEP(start_pam(authctxt));
#endif
#ifdef GSSAPI
		} /* endif for setting username based on GSSAPI context */
#endif
		setproctitle("%s%s", authctxt->valid ? user : "unknown",
		    use_privsep ? " [net]" : "");
		if (authctxt->attempt == 1) {
            authctxt->service = xstrdup(service);
            authctxt->style = style ? xstrdup(style) : NULL;
            if (use_privsep)
                mm_inform_authserv(service, style);
		}
	}
	if (strcmp(service, authctxt->service) != 0) {
		packet_disconnect("Change of service not allowed: "
		    "(%s,%s) -> (%s,%s)",
		    authctxt->user, authctxt->service, user, service);
	}




}


/* Retrieve the local username associated with a set of Kerberos 
 * credentials. Hopefully we can use this for the 'empty' username
 * logins discussed in the draft  */
static int
ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
	krb5_principal princ;
	int retval;
	
	if (ssh_gssapi_krb5_init() == 0)
		return 0;

	if ((retval=krb5_parse_name(krb_context, client->displayname.value, 
				    &princ))) {
		logit("krb5_parse_name(): %.100s", 
			krb5_get_err_text(krb_context,retval));
		return 0;
	}
	
	/* We've got to return a malloc'd string */
	*user = (char *)xmalloc(256);
	if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
		xfree(*user);
		*user = NULL;
		return(0);
	}
	
	return(1);
}
	
/* This writes out any forwarded credentials from the structure populated
 * during userauth. Called after we have setuid to the user */


	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
	NULL,
	&ssh_gssapi_krb5_userok,
	&ssh_gssapi_krb5_localname,
	&ssh_gssapi_krb5_storecreds
};





	return (ctx->major);
}

/* Priviledged */
int
ssh_gssapi_localname(char **user)
{
    	*user = NULL;
	if (gssapi_client.displayname.length==0 || 
	    gssapi_client.displayname.value==NULL) {
		debug("No suitable client data");
		return(0);;
	}
	if (gssapi_client.mech && gssapi_client.mech->localname) {
		return((*gssapi_client.mech->localname)(&gssapi_client,user));
	} else {
		debug("Unknown client authentication type");
	}
	return(0);
}

#endif




int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_localname(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
#endif


struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
    {MONITOR_REQ_PWNAM, MON_AUTH, mm_answer_pwnamallow},
    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},

    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
#endif
    {0, 0, NULL}


	debug3("%s", __func__);

	if (authctxt->attempt++ != 0)
		fatal("%s: multiple attempts for getpwnam", __func__);

	username = buffer_get_string(m, NULL);

	pwent = getpwnamallow(username);

	if (authctxt->user) xfree(authctxt->user);
	authctxt->user = xstrdup(username);
	setproctitle("%s [priv]", pwent ? username : "unknown");
	xfree(username);


	/* Monitor loop will terminate if authenticated */
	return (authenticated);
}

int
mm_answer_gss_localname(int socket, Buffer *m) {
	char *name;

	ssh_gssapi_localname(&name);

    buffer_clear(m);
	if (name) {
	    buffer_put_cstring(m, name);
	    debug3("%s: sending result %s", __func__, name);
	    xfree(name);
	} else {
	    buffer_put_cstring(m, "");
	    debug3("%s: sending result \"\"", __func__);
	}

    mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m);

    return(0);
}
#endif /* GSSAPI */

Lines 52-57 Link Here

(-)monitor.h (+1 lines)
52	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,	52	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
53	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,	53	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
54	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,	54	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
		55	MONITOR_REQ_GSSLOCALNAME, MONITOR_ANS_GSSLOCALNAME,
55	MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,	56	MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
56	MONITOR_REQ_PAM_START,	57	MONITOR_REQ_PAM_START,
57	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,	58	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,




	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
	return (authenticated);
}

int
mm_ssh_gssapi_localname(char **lname)
{
        Buffer m;

	buffer_init(&m);
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSLOCALNAME, &m);

        debug3("%s: waiting for MONITOR_ANS_GSSLOCALNAME", __func__);
        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSLOCALNAME,
                                  &m);

	*lname = buffer_get_string(&m, NULL);

        buffer_free(&m);
	if (lname[0] == '\0') {
	    debug3("%s: gssapi identity mapping failed", __func__);
	} else {
	    debug3("%s: gssapi identity mapped to %s", __func__, *lname);
	}
	
        return(0);
}	
#endif /* GSSAPI */

Lines 58-63 Link Here

(-)monitor_wrap.h (+1 lines)
58	OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,	58	OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
59	gss_buffer_desc , gss_buffer_desc , OM_uint32 *);	59	gss_buffer_desc , gss_buffer_desc , OM_uint32 *);
60	int mm_ssh_gssapi_userok(char *user);	60	int mm_ssh_gssapi_userok(char *user);
		61	int mm_ssh_gssapi_localname(char **user);
61	OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);	62	OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
62	#endif	63	#endif
63		64

Lines 122-127 Link Here

(-)ssh-gss.h (+1 lines)
122		122
123	/* In the server */	123	/* In the server */
124	int ssh_gssapi_userok(char *name);	124	int ssh_gssapi_userok(char *name);
		125	int ssh_gssapi_localname(char **name);
125	OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);	126	OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
126	void ssh_gssapi_do_child(char **, u_int );	127	void ssh_gssapi_do_child(char **, u_int );
127	void ssh_gssapi_cleanup_creds(void);	128	void ssh_gssapi_cleanup_creds(void);

Return to bug 1100

Lines 268-274 Link Here

(-)auth.c (-2 / +4 lines)
268	authmsg,	268	authmsg,
269	method,	269	method,
270	authctxt->valid ? "" : "invalid user ",	270	authctxt->valid ? "" : "invalid user ",
271	authctxt->user,	271	(authctxt->user && authctxt->user[0]) ?
		272	authctxt->user : "unknown",
272	get_remote_ipaddr(),	273	get_remote_ipaddr(),
273	get_remote_port(),	274	get_remote_port(),
274	info);	275	info);
Lines 487-493 Link Here
487	pw = getpwnam(user);	488	pw = getpwnam(user);
488	if (pw == NULL) {	489	if (pw == NULL) {
489	logit("Invalid user %.100s from %.100s",	490	logit("Invalid user %.100s from %.100s",
490	user, get_remote_ipaddr());	491	(user && user[0]) ? user : "unknown",
		492	get_remote_ipaddr());
491	#ifdef CUSTOM_FAILED_LOGIN	493	#ifdef CUSTOM_FAILED_LOGIN
492	record_failed_login(user,	494	record_failed_login(user,
493	get_canonical_hostname(options.use_dns), "ssh");	495	get_canonical_hostname(options.use_dns), "ssh");

Lines 160-170 Link Here

(-)auth2.c (-11 / +36 lines)
160	if ((style = strchr(user, ':')) != NULL)	160	if ((style = strchr(user, ':')) != NULL)
161	*style++ = 0;	161	*style++ = 0;
162		162
163	if (authctxt->attempt++ == 0) {	163	/* If first time or username changed or empty username,
164	/* setup auth context */	164	setup/reset authentication context. */
		165	if ((authctxt->attempt++ == 0) \|\|
		166	(strcmp(user, authctxt->user) != 0) \|\|
		167	(strcmp(user, "") == 0)) {
		168	if (authctxt->user) {
		169	xfree(authctxt->user);
		170	authctxt->user = NULL;
		171	}
		172	authctxt->valid = 0;
		173	authctxt->user = xstrdup(user);
		174	if (strcmp(service, "ssh-connection") != 0) {
		175	packet_disconnect("Unsupported service %s", service);
		176	}
		177	#ifdef GSSAPI
		178	/* If we're going to set the username based on the
		179	GSSAPI context later, then wait until then to
		180	verify it. Just put in placeholders for now. */
		181	if ((strcmp(user, "") == 0) &&
		182	(strcmp(method, "gssapi-with-mic") == 0)) {
		183	authctxt->pw = fakepw();
		184	} else {
		185	#endif
165	authctxt->pw = PRIVSEP(getpwnamallow(user));	186	authctxt->pw = PRIVSEP(getpwnamallow(user));
166	authctxt->user = xstrdup(user);	187	if (authctxt->pw) {
167	if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
168	authctxt->valid = 1;	188	authctxt->valid = 1;
169	debug2("input_userauth_request: setting up authctxt for %s", user);	189	debug2("input_userauth_request: setting up authctxt for %s", user);
170	} else {	190	} else {
Lines 178-192 Link Here
178	if (options.use_pam)	198	if (options.use_pam)
179	PRIVSEP(start_pam(authctxt));	199	PRIVSEP(start_pam(authctxt));
180	#endif	200	#endif
		201	#ifdef GSSAPI
		202	} /* endif for setting username based on GSSAPI context */
		203	#endif
181	setproctitle("%s%s", authctxt->valid ? user : "unknown",	204	setproctitle("%s%s", authctxt->valid ? user : "unknown",
182	use_privsep ? " [net]" : "");	205	use_privsep ? " [net]" : "");
183	authctxt->service = xstrdup(service);	206	if (authctxt->attempt == 1) {
184	authctxt->style = style ? xstrdup(style) : NULL;	207	authctxt->service = xstrdup(service);
185	if (use_privsep)	208	authctxt->style = style ? xstrdup(style) : NULL;
186	mm_inform_authserv(service, style);	209	if (use_privsep)
187	} else if (strcmp(user, authctxt->user) != 0 \|\|	210	mm_inform_authserv(service, style);
188	strcmp(service, authctxt->service) != 0) {	211	}
189	packet_disconnect("Change of username or service not allowed: "	212	}
		213	if (strcmp(service, authctxt->service) != 0) {
		214	packet_disconnect("Change of service not allowed: "
190	"(%s,%s) -> (%s,%s)",	215	"(%s,%s) -> (%s,%s)",
191	authctxt->user, authctxt->service, user, service);	216	authctxt->user, authctxt->service, user, service);
192	}	217	}

Lines 313-316 Link Here

(-)gss-serv.c (+18 lines)
313	return (ctx->major);	313	return (ctx->major);
314	}	314	}
315		315
		316	/* Priviledged */
		317	int
		318	ssh_gssapi_localname(char **user)
		319	{
		320	*user = NULL;
		321	if (gssapi_client.displayname.length==0 \|\|
		322	gssapi_client.displayname.value==NULL) {
		323	debug("No suitable client data");
		324	return(0);;
		325	}
		326	if (gssapi_client.mech && gssapi_client.mech->localname) {
		327	return((*gssapi_client.mech->localname)(&gssapi_client,user));
		328	} else {
		329	debug("Unknown client authentication type");
		330	}
		331	return(0);
		332	}
		333
316	#endif	334	#endif

Lines 162-167 Link Here

(-)monitor.c (-5 / +26 lines)
162	int mm_answer_gss_setup_ctx(int, Buffer *);	162	int mm_answer_gss_setup_ctx(int, Buffer *);
163	int mm_answer_gss_accept_ctx(int, Buffer *);	163	int mm_answer_gss_accept_ctx(int, Buffer *);
164	int mm_answer_gss_userok(int, Buffer *);	164	int mm_answer_gss_userok(int, Buffer *);
		165	int mm_answer_gss_localname(int, Buffer *);
165	int mm_answer_gss_checkmic(int, Buffer *);	166	int mm_answer_gss_checkmic(int, Buffer *);
166	#endif	167	#endif
167		168
Lines 202-213 Link Here
202	struct mon_table mon_dispatch_proto20[] = {	203	struct mon_table mon_dispatch_proto20[] = {
203	{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},	204	{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
204	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},	205	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
205	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},	206	{MONITOR_REQ_PWNAM, MON_AUTH, mm_answer_pwnamallow},
206	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},	207	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
207	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	208	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
208	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	209	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
209	#ifdef USE_PAM	210	#ifdef USE_PAM
210	{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},	211	{MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
211	{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},	212	{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
212	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},	213	{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
213	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},	214	{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
Lines 231-236 Link Here
231	{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},	232	{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
232	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	233	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
233	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	234	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
		235	{MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname},
234	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	236	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
235	#endif	237	#endif
236	{0, 0, NULL}	238	{0, 0, NULL}
Lines 609-621 Link Here
609		611
610	debug3("%s", __func__);	612	debug3("%s", __func__);
611		613
612	if (authctxt->attempt++ != 0)
613	fatal("%s: multiple attempts for getpwnam", __func__);
614
615	username = buffer_get_string(m, NULL);	614	username = buffer_get_string(m, NULL);
616		615
617	pwent = getpwnamallow(username);	616	pwent = getpwnamallow(username);
618		617
		618	if (authctxt->user) xfree(authctxt->user);
619	authctxt->user = xstrdup(username);	619	authctxt->user = xstrdup(username);
620	setproctitle("%s [priv]", pwent ? username : "unknown");	620	setproctitle("%s [priv]", pwent ? username : "unknown");
621	xfree(username);	621	xfree(username);
Lines 1950-1954 Link Here
1950		1950
1951	/* Monitor loop will terminate if authenticated */	1951	/* Monitor loop will terminate if authenticated */
1952	return (authenticated);	1952	return (authenticated);
		1953	}
		1954
		1955	int
		1956	mm_answer_gss_localname(int socket, Buffer *m) {
		1957	char *name;
		1958
		1959	ssh_gssapi_localname(&name);
		1960
		1961	buffer_clear(m);
		1962	if (name) {
		1963	buffer_put_cstring(m, name);
		1964	debug3("%s: sending result %s", __func__, name);
		1965	xfree(name);
		1966	} else {
		1967	buffer_put_cstring(m, "");
		1968	debug3("%s: sending result \"\"", __func__);
		1969	}
		1970
		1971	mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m);
		1972
		1973	return(0);
1953	}	1974	}
1954	#endif /* GSSAPI */	1975	#endif /* GSSAPI */

Lines 1224-1227 Link Here

(-)monitor_wrap.c (+24 lines)
1224	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	1224	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1225	return (authenticated);	1225	return (authenticated);
1226	}	1226	}
		1227
		1228	int
		1229	mm_ssh_gssapi_localname(char **lname)
		1230	{
		1231	Buffer m;
		1232
		1233	buffer_init(&m);
		1234	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSLOCALNAME, &m);
		1235
		1236	debug3("%s: waiting for MONITOR_ANS_GSSLOCALNAME", __func__);
		1237	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSLOCALNAME,
		1238	&m);
		1239
		1240	*lname = buffer_get_string(&m, NULL);
		1241
		1242	buffer_free(&m);
		1243	if (lname[0] == '\0') {
		1244	debug3("%s: gssapi identity mapping failed", __func__);
		1245	} else {
		1246	debug3("%s: gssapi identity mapped to %s", __func__, *lname);
		1247	}
		1248
		1249	return(0);
		1250	}
1227	#endif /* GSSAPI */	1251	#endif /* GSSAPI */

Lines 109-114 Link Here

(-)gss-serv-krb5.c (-1 / +30 lines)
109	}	109	}
110		110
111		111
		112	/* Retrieve the local username associated with a set of Kerberos
		113	* credentials. Hopefully we can use this for the 'empty' username
		114	* logins discussed in the draft */
		115	static int
		116	ssh_gssapi_krb5_localname(ssh_gssapi_client client, char *user) {
		117	krb5_principal princ;
		118	int retval;
		119
		120	if (ssh_gssapi_krb5_init() == 0)
		121	return 0;
		122
		123	if ((retval=krb5_parse_name(krb_context, client->displayname.value,
		124	&princ))) {
		125	logit("krb5_parse_name(): %.100s",
		126	krb5_get_err_text(krb_context,retval));
		127	return 0;
		128	}
		129
		130	/* We've got to return a malloc'd string */
		131	user = (char )xmalloc(256);
		132	if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
		133	xfree(*user);
		134	*user = NULL;
		135	return(0);
		136	}
		137
		138	return(1);
		139	}
		140
112	/* This writes out any forwarded credentials from the structure populated	141	/* This writes out any forwarded credentials from the structure populated
113	* during userauth. Called after we have setuid to the user */	142	* during userauth. Called after we have setuid to the user */
114		143
Lines 190-196 Link Here
190	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},	219	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
191	NULL,	220	NULL,
192	&ssh_gssapi_krb5_userok,	221	&ssh_gssapi_krb5_userok,
193	NULL,	222	&ssh_gssapi_krb5_localname,
194	&ssh_gssapi_krb5_storecreds	223	&ssh_gssapi_krb5_storecreds
195	};	224	};
196		225