Bugzilla – Attachment 1207 Details for
Bug 1100
GSSAPI-with-mic doesn't handle empty usernames
[patch]
patch to support empty usernames with gssapi-with-mic
gssapi-empty-username.patch (text/plain), 12.49 KB, created by
Jim Basney
on 2006-11-15 11:17:46 AEDT
Description:
patch to support empty usernames with gssapi-with-mic
Filename:
MIME Type:
Creator:
Jim Basney
Created:
2006-11-15 11:17:46 AEDT
Size:
12.49 KB
patch
obsolete
>Index: auth.c
>===================================================================
>RCS file: /cvs/openssh/auth.c,v
>retrieving revision 1.123
>diff -u -r1.123 auth.c
>--- auth.c 27 Oct 2006 15:10:16 -0000 1.123
>+++ auth.c 15 Nov 2006 00:07:57 -0000
>@@ -268,7 +268,8 @@
> authmsg,
> method,
> authctxt->valid ? "" : "invalid user ",
>- authctxt->user,
>+ (authctxt->user && authctxt->user[0]) ?
>+ authctxt->user : "unknown",
> get_remote_ipaddr(),
> get_remote_port(),
> info);
>@@ -487,7 +488,8 @@
> pw = getpwnam(user);
> if (pw == NULL) {
> logit("Invalid user %.100s from %.100s",
>- user, get_remote_ipaddr());
>+ (user && user[0]) ? user : "unknown",
>+ get_remote_ipaddr());
> #ifdef CUSTOM_FAILED_LOGIN
> record_failed_login(user,
> get_canonical_hostname(options.use_dns), "ssh");
>Index: auth2-gss.c
>===================================================================
>RCS file: /cvs/openssh/auth2-gss.c,v
>retrieving revision 1.18
>diff -u -r1.18 auth2-gss.c
>--- auth2-gss.c 1 Sep 2006 05:38:36 -0000 1.18
>+++ auth2-gss.c 15 Nov 2006 00:07:58 -0000
>@@ -68,7 +68,10 @@
> u_int len;
> u_char *doid = NULL;
>
>- if (!authctxt->valid || authctxt->user == NULL)
>+ /* authctxt->valid may be 0 if we haven't yet determined
>+ username from gssapi context. */
>+
>+ if (authctxt->user == NULL)
> return (0);
>
> mechs = packet_get_int();
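Review bot: Dropping `!authctxt->valid` from the guard in userauth_gssapi lets the GSSAPI exchange start for any unknown username, not only for the empty placeholder the new comment describes. If the intent is limited to the empty-name case, the narrower guard `if (authctxt->user == NULL || (!authctxt->valid && authctxt->user[0] != '\0')) return (0);` keeps the previous refusal for ordinary invalid users. Whether a later check in this function or ssh_gssapi_userok still rejects unknown users cannot be seen from this hunk, so at minimum the comment should say that the relaxation applies to every invalid user. userauth_gssapi's body continues outside the hunk.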
>@@ -217,6 +220,32 @@
> gss_release_buffer(&maj_status, &send_tok);
> }
>
>+static void
>+gssapi_set_username(Authctxt *authctxt)
>+{
>+ char *lname = NULL;
>+
>+ if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
>+ PRIVSEP(ssh_gssapi_localname(&lname));
>+ if (lname && lname[0] != '\0') {
>+ if (authctxt->user) xfree(authctxt->user);
>+ authctxt->user = lname;
>+ debug("set username to %s from gssapi context", lname);
>+ authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
>+ if (authctxt->pw) {
>+ authctxt->valid = 1;
>+#ifdef USE_PAM
>+ if (options.use_pam)
>+ PRIVSEP(start_pam(authctxt));
>+#endif
>+ }
>+ } else {
>+ debug("failed to set username from gssapi context");
>+ packet_send_debug("failed to set username from gssapi context");
>+ }
>+ }
>+}
>+
> /*
> * This is called when the client thinks we've completed authentication.
> * It should only be enabled in the dispatch handler by the function above,
>@@ -275,6 +304,8 @@
>
> gssbuf.value = buffer_ptr(&b);
> gssbuf.length = buffer_len(&b);
>+
>+ gssapi_set_username(authctxt);
>
> if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
> authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
>Index: auth2.c
>===================================================================
>RCS file: /cvs/openssh/auth2.c,v
>retrieving revision 1.142
>diff -u -r1.142 auth2.c
>--- auth2.c 5 Aug 2006 02:39:39 -0000 1.142
>+++ auth2.c 15 Nov 2006 00:07:58 -0000
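Review bot: The `else` branch of gssapi_set_username leaks `lname` whenever the privsep wrapper returns a non-NULL empty string, which mm_ssh_gssapi_localname does on every failed mapping (it stores buffer_get_string's result unconditionally); add `if (lname) xfree(lname);` at the top of that branch. In the success branch the previous `authctxt->pw` is overwritten by the new getpwnamallow result without being released, and when the lookup fails `authctxt->user` now carries a name that `authctxt->valid` does not vouch for — whether every consumer checks `valid` before trusting `user` is not visible here and should be stated in a comment on the function. A one-line header such as `/* Fill in authctxt->user/pw from the established GSSAPI context when the client sent an empty username. */` would also help.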
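Review bot: In input_gssapi_mic the new gssapi_set_username call runs before ssh_gssapi_checkmic, so the account lookup and, under USE_PAM, start_pam happen for a request whose MIC may then be rejected. The context itself is already complete at this point, so the derived name is not client-chosen, but moving the call inside the `if (!GSS_ERROR(...checkmic...))` branch, immediately before the ssh_gssapi_userok call, keeps those side effects behind the verification. The enclosing function starts and ends outside the hunk.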
>@@ -160,11 +160,31 @@
> if ((style = strchr(user, ':')) != NULL)
> *style++ = 0;
>
>- if (authctxt->attempt++ == 0) {
>- /* setup auth context */
>+ /* If first time or username changed or empty username,
>+ setup/reset authentication context. */
>+ if ((authctxt->attempt++ == 0) ||
>+ (strcmp(user, authctxt->user) != 0) ||
>+ (strcmp(user, "") == 0)) {
>+ if (authctxt->user) {
>+ xfree(authctxt->user);
>+ authctxt->user = NULL;
>+ }
>+ authctxt->valid = 0;
>+ authctxt->user = xstrdup(user);
>+ if (strcmp(service, "ssh-connection") != 0) {
>+ packet_disconnect("Unsupported service %s", service);
>+ }
>+#ifdef GSSAPI
>+ /* If we're going to set the username based on the
>+ GSSAPI context later, then wait until then to
>+ verify it. Just put in placeholders for now. */
>+ if ((strcmp(user, "") == 0) &&
>+ (strcmp(method, "gssapi-with-mic") == 0)) {
>+ authctxt->pw = fakepw();
>+ } else {
>+#endif
> authctxt->pw = PRIVSEP(getpwnamallow(user));
>- authctxt->user = xstrdup(user);
>- if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
>+ if (authctxt->pw) {
> authctxt->valid = 1;
> debug2("input_userauth_request: setting up authctxt for %s", user);
> } else {
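Review bot: The reset branch in input_userauth_request now accepts a username change on any later attempt and for any method, whereas the old code disconnected on it; if the goal is only the empty-name gssapi-with-mic flow, the `strcmp(user, authctxt->user) != 0` clause could be restricted to the case where the previous attempt used the GSSAPI placeholder, and the behaviour change should otherwise be named in the comment. The reset also overwrites `authctxt->pw` without releasing what the earlier getpwnamallow or fakepw call returned, so ownership of that pointer needs confirming before this is merged. The first clause of the condition is what keeps `strcmp(user, authctxt->user)` from dereferencing a NULL `authctxt->user`; add `/* attempt == 0 implies authctxt->user == NULL: this clause must stay first */` so the order is not "tidied" later. The function continues in the next hunk.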
>@@ -178,15 +198,20 @@
> if (options.use_pam)
> PRIVSEP(start_pam(authctxt));
> #endif
>+#ifdef GSSAPI
>+ } /* endif for setting username based on GSSAPI context */
>+#endif
> setproctitle("%s%s", authctxt->valid ? user : "unknown",
> use_privsep ? " [net]" : "");
>- authctxt->service = xstrdup(service);
>- authctxt->style = style ? xstrdup(style) : NULL;
>- if (use_privsep)
>- mm_inform_authserv(service, style);
>- } else if (strcmp(user, authctxt->user) != 0 ||
>- strcmp(service, authctxt->service) != 0) {
>- packet_disconnect("Change of username or service not allowed: "
>+ if (authctxt->attempt == 1) {
>+ authctxt->service = xstrdup(service);
>+ authctxt->style = style ? xstrdup(style) : NULL;
>+ if (use_privsep)
>+ mm_inform_authserv(service, style);
>+ }
>+ }
>+ if (strcmp(service, authctxt->service) != 0) {
>+ packet_disconnect("Change of service not allowed: "
> "(%s,%s) -> (%s,%s)",
> authctxt->user, authctxt->service, user, service);
> }
>Index: gss-serv-krb5.c
>===================================================================
>RCS file: /cvs/openssh/gss-serv-krb5.c,v
>retrieving revision 1.17
>diff -u -r1.17 gss-serv-krb5.c
>--- gss-serv-krb5.c 1 Sep 2006 05:38:36 -0000 1.17
>+++ gss-serv-krb5.c 15 Nov 2006 00:07:58 -0000
>@@ -109,6 +109,35 @@
> }
>
>
>+/* Retrieve the local username associated with a set of Kerberos
>+ * credentials. Hopefully we can use this for the 'empty' username
>+ * logins discussed in the draft */
>+static int
>+ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
>+ krb5_principal princ;
>+ int retval;
>+
>+ if (ssh_gssapi_krb5_init() == 0)
>+ return 0;
>+
>+ if ((retval=krb5_parse_name(krb_context, client->displayname.value,
>+ &princ))) {
>+ logit("krb5_parse_name(): %.100s",
>+ krb5_get_err_text(krb_context,retval));
>+ return 0;
>+ }
>+
>+ /* We've got to return a malloc'd string */
>+ *user = (char *)xmalloc(256);
>+ if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
>+ xfree(*user);
>+ *user = NULL;
>+ return(0);
>+ }
>+
>+ return(1);
>+}
>+
> /* This writes out any forwarded credentials from the structure populated
> * during userauth. Called after we have setuid to the user */
>
>@@ -190,7 +219,7 @@
> {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
> NULL,
> &ssh_gssapi_krb5_userok,
>- NULL,
>+ &ssh_gssapi_krb5_localname,
> &ssh_gssapi_krb5_storecreds
> };
>
>Index: gss-serv.c
>===================================================================
>RCS file: /cvs/openssh/gss-serv.c,v
>retrieving revision 1.22
>diff -u -r1.22 gss-serv.c
>--- gss-serv.c 1 Sep 2006 05:38:36 -0000 1.22
>+++ gss-serv.c 15 Nov 2006 00:07:58 -0000
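Review bot: ssh_gssapi_krb5_localname never releases `princ`: both the failure return after krb5_aname_to_localname and the success return leave the principal allocated by krb5_parse_name, so add `krb5_free_principal(krb_context, princ);` immediately after the krb5_aname_to_localname call, before either return. The literal 256 appears twice and should be one named constant so the xmalloc size and the bound passed to krb5_aname_to_localname cannot drift; the `(char *)` cast on xmalloc is unnecessary in C. The call also assumes `client->displayname.value` is NUL-terminated, which the GSS buffer type does not guarantee on its own — worth a `/* NOTE: relies on displayname.value being NUL-terminated — confirm where it is filled */` until that is verified.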
>@@ -313,4 +313,22 @@
> return (ctx->major);
> }
>
>+/* Priviledged */
>+int
>+ssh_gssapi_localname(char **user)
>+{
>+ *user = NULL;
>+ if (gssapi_client.displayname.length==0 ||
>+ gssapi_client.displayname.value==NULL) {
>+ debug("No suitable client data");
>+ return(0);;
>+ }
>+ if (gssapi_client.mech && gssapi_client.mech->localname) {
>+ return((*gssapi_client.mech->localname)(&gssapi_client,user));
>+ } else {
>+ debug("Unknown client authentication type");
>+ }
>+ return(0);
>+}
>+
> #endif
>Index: monitor.c
>===================================================================
>RCS file: /cvs/openssh/monitor.c,v
>retrieving revision 1.121
>diff -u -r1.121 monitor.c
>--- monitor.c 7 Nov 2006 12:16:08 -0000 1.121
>+++ monitor.c 15 Nov 2006 00:07:58 -0000
>@@ -162,6 +162,7 @@
> int mm_answer_gss_setup_ctx(int, Buffer *);
> int mm_answer_gss_accept_ctx(int, Buffer *);
> int mm_answer_gss_userok(int, Buffer *);
>+int mm_answer_gss_localname(int, Buffer *);
> int mm_answer_gss_checkmic(int, Buffer *);
> #endif
>
>@@ -202,12 +203,12 @@
> struct mon_table mon_dispatch_proto20[] = {
> {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
> {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
>- {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
>+ {MONITOR_REQ_PWNAM, MON_AUTH, mm_answer_pwnamallow},
> {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
> {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
> {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
> #ifdef USE_PAM
>- {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
>+ {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
> {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
> {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
> {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
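Review bot: ssh_gssapi_localname has a stray `;;` after the first `return(0)` and its header comment misspells "Privileged"; more usefully, the one-word comment should state the contract callers depend on, since gssapi_set_username and the privsep wrapper encode failure differently. Suggested header: `/* Privileged: map the authenticated GSSAPI client to a local account name. On success *user is an xmalloc'd string the caller frees and 1 is returned; on every failure path *user is NULL and 0 is returned. */`. Note that the mech callback is trusted to honour the same NULL-on-failure rule, which the krb5 implementation does but future mechs may not.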
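Review bot: Changing MONITOR_REQ_PWNAM from MON_ONCE to MON_AUTH does more than allow repeated requests: if MON_AUTH still carries MON_AUTHDECIDE, the monitor will treat mm_answer_pwnamallow's return as an authentication verdict and run auth_log for every username lookup, so MON_ISAUTH is probably the flag that matches the intent. Both this entry and MONITOR_REQ_PAM_START now stay permitted for the whole pre-auth phase, which means the monitor no longer enforces by itself that the unprivileged child resolves one user and starts PAM once; that invariant now lives only in the child's auth2.c logic. Because this moves a check across the privilege-separation boundary, the table deserves a comment such as `/* PWNAM and PAM_START may repeat: the username can change between attempts (empty-name GSSAPI) */`.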
>@@ -231,6 +232,7 @@
> {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
> {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
> {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
>+ {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname},
> {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
> #endif
> {0, 0, NULL}
>@@ -609,13 +611,11 @@
>
> debug3("%s", __func__);
>
>- if (authctxt->attempt++ != 0)
>- fatal("%s: multiple attempts for getpwnam", __func__);
>-
> username = buffer_get_string(m, NULL);
>
> pwent = getpwnamallow(username);
>
>+ if (authctxt->user) xfree(authctxt->user);
> authctxt->user = xstrdup(username);
> setproctitle("%s [priv]", pwent ? username : "unknown");
> xfree(username);
>@@ -1950,5 +1950,26 @@
>
> /* Monitor loop will terminate if authenticated */
> return (authenticated);
>+}
>+
>+int
>+mm_answer_gss_localname(int socket, Buffer *m) {
>+ char *name;
>+
>+ ssh_gssapi_localname(&name);
>+
>+ buffer_clear(m);
>+ if (name) {
>+ buffer_put_cstring(m, name);
>+ debug3("%s: sending result %s", __func__, name);
>+ xfree(name);
>+ } else {
>+ buffer_put_cstring(m, "");
>+ debug3("%s: sending result \"\"", __func__);
>+ }
>+
>+ mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m);
>+
>+ return(0);
> }
> #endif /* GSSAPI */
>Index: monitor.h
>===================================================================
>RCS file: /cvs/openssh/monitor.h,v
>retrieving revision 1.21
>diff -u -r1.21 monitor.h
>--- monitor.h 26 Mar 2006 03:30:02 -0000 1.21
>+++ monitor.h 15 Nov 2006 00:07:59 -0000
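Review bot: The new MONITOR_REQ_GSSLOCALNAME entry is a MON_ISAUTH request, and those are only served once they have been permitted; this patch adds no `monitor_permit(mon_dispatch, MONITOR_REQ_GSSLOCALNAME, 1)` anywhere, so unless one exists outside the diff the monitor will refuse the child's first request as unpermitted. The natural place is beside the GSSUSEROK/GSSCHECKMIC permits issued when the context completes in mm_answer_gss_accept_ctx, which this diff does not touch.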
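Review bot: Removing the "multiple attempts for getpwnam" fatal from mm_answer_pwnamallow turns a monitor-side invariant into a silent allowance; the replaced `authctxt->user` is now freed, but whatever the previous call stored in `authctxt->pw` and `authctxt->valid` (set later in this function, outside the hunk) is neither released nor reset before the new lookup. Release the previous entry next to the new xfree — the exact call depends on how getpwnamallow's copy is owned, which is not visible here — and add `/* Repeated lookups are expected: the username may change between attempts (empty-name GSSAPI). */` so the dropped check is not reinstated by accident. The function's remainder lies outside the hunk.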
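Review bot: mm_answer_gss_localname discards the return value of ssh_gssapi_localname and relies on `name` being NULLed inside it, and its parameter `socket` shadows the socket(2) function. Making the contract explicit with `int rc = ssh_gssapi_localname(&name);` and branching on `rc && name` removes the dependence on that side effect, and the empty-string reply should be documented as the failure encoding, e.g. `/* "" tells the unprivileged side that no local name mapped; it must not be used as a username */`.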
>@@ -52,6 +52,7 @@
> MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
> MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
> MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
>+ MONITOR_REQ_GSSLOCALNAME, MONITOR_ANS_GSSLOCALNAME,
> MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
> MONITOR_REQ_PAM_START,
> MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
>Index: monitor_wrap.c
>===================================================================
>RCS file: /cvs/openssh/monitor_wrap.c,v
>retrieving revision 1.70
>diff -u -r1.70 monitor_wrap.c
>--- monitor_wrap.c 1 Sep 2006 05:38:37 -0000 1.70
>+++ monitor_wrap.c 15 Nov 2006 00:07:59 -0000
>@@ -1224,4 +1224,28 @@
> debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
> return (authenticated);
> }
>+
>+int
>+mm_ssh_gssapi_localname(char **lname)
>+{
>+ Buffer m;
>+
>+ buffer_init(&m);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSLOCALNAME, &m);
>+
>+ debug3("%s: waiting for MONITOR_ANS_GSSLOCALNAME", __func__);
>+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSLOCALNAME,
>+ &m);
>+
>+ *lname = buffer_get_string(&m, NULL);
>+
>+ buffer_free(&m);
>+ if (lname[0] == '\0') {
>+ debug3("%s: gssapi identity mapping failed", __func__);
>+ } else {
>+ debug3("%s: gssapi identity mapped to %s", __func__, *lname);
>+ }
>+
>+ return(0);
>+}
> #endif /* GSSAPI */
>Index: monitor_wrap.h
>===================================================================
>RCS file: /cvs/openssh/monitor_wrap.h,v
>retrieving revision 1.27
>diff -u -r1.27 monitor_wrap.h
>--- monitor_wrap.h 5 Aug 2006 02:39:40 -0000 1.27
>+++ monitor_wrap.h 15 Nov 2006 00:07:59 -0000
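Review bot: `if (lname[0] == '\0')` in mm_ssh_gssapi_localname tests the `char **` argument itself, i.e. whether `*lname` is a null pointer, which buffer_get_string never yields, so the "mapping failed" branch is unreachable and the intended test is `if ((*lname)[0] == '\0')`. The wrapper also always returns 0 while the privileged ssh_gssapi_localname returns 1 on success, so any caller checking the PRIVSEP() result would see failure in privsep mode; returning `(*lname)[0] != '\0'` aligns the two, or both prototypes should document that the result is carried only in `*name`. Finally, on failure the privileged side leaves `*user == NULL` but this wrapper hands back an xmalloc'd "", so callers must free in both cases — worth stating in a comment above the function.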
>@@ -58,6 +58,7 @@
> OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
> gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
> int mm_ssh_gssapi_userok(char *user);
>+int mm_ssh_gssapi_localname(char **user);
> OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
> #endif
>
>Index: ssh-gss.h
>===================================================================
>RCS file: /cvs/openssh/ssh-gss.h,v
>retrieving revision 1.11
>diff -u -r1.11 ssh-gss.h
>--- ssh-gss.h 18 Aug 2006 14:46:44 -0000 1.11
>+++ ssh-gss.h 15 Nov 2006 00:07:59 -0000
>@@ -122,6 +122,7 @@
>
> /* In the server */
> int ssh_gssapi_userok(char *name);
>+int ssh_gssapi_localname(char **name);
> OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
> void ssh_gssapi_do_child(char ***, u_int *);
> void ssh_gssapi_cleanup_creds(void);