
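--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -188,8 +188,13 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
 
 #ifdef USE_PAM
-	if (options.use_pam)
+	if (options.use_pam) {
 		do_pam_putenv(client->store.envvar, client->store.envval);
+		if (options.gss_set_env) {
+			do_pam_putenv("SSH_GSSAPI_DISPLAYNAME",
+			              client->displayname.value);
+		}
+    }
 #endif
 
 	krb5_cc_close(krb_context, ccache);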
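Review bot: `client->displayname.value` is handed to do_pam_putenv() as a C string, but it appears to be the value pointer of a GSS-API buffer, which carries its length separately and is not guaranteed by the API to be NUL-terminated; the child_set_env() call added to ssh_gssapi_do_child() in gss-serv.c makes the same assumption. Copying `displayname.length` bytes into a terminated buffer before exporting would make the bound explicit. The PAM export also sits inside ssh_gssapi_krb5_storecreds(), so it presumably runs only when delegated credentials are stored, while the gss-serv.c path exports whenever the option is on; it is worth confirming that difference is intended. The closing `    }` is indented with spaces where the surrounding lines use tabs. The function body begins and ends outside the hunk.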
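--- a/gss-serv.c
+++ b/gss-serv.c
@@ -44,9 +44,12 @@
 #include "channels.h"
 #include "session.h"
 #include "misc.h"
+#include "servconf.h"
 
 #include "ssh-gss.h"
 
+extern ServerOptions options;
+
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
     GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -343,6 +346,11 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 		child_set_env(envp, envsizep, gssapi_client.store.envvar,
 		    gssapi_client.store.envval);
 	}
+    if (options.gss_set_env) {
+        debug("Exporting GSSAPI principal name to child environment");
+        child_set_env(envp, envsizep, "SSH_GSSAPI_DISPLAYNAME",
+                      gssapi_client.displayname.value);
+    }
 }
 
 /* Privileged */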
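Review bot: The new block in ssh_gssapi_do_child() is gated only on `options.gss_set_env`, so a session that authenticated some other way would reach child_set_env() with `gssapi_client.displayname` still in the `GSS_C_EMPTY_BUFFER` state set by the static initializer in the first hunk, i.e. presumably with a NULL value pointer. A guard such as `if (options.gss_set_env && gssapi_client.displayname.value != NULL) {` keeps an unset name from being exported or dereferenced. The added lines are indented with spaces while the rest of the function uses tabs. The function starts outside the hunk.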
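--- a/servconf.c
+++ b/servconf.c
@@ -115,6 +115,7 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
+	options->gss_set_env = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -271,6 +272,8 @@ fill_default_server_options(ServerOptions *options)
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
+	if (options->gss_set_env == -1)
+		options->gss_set_env = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -392,6 +395,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+	sGssSetEnv,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
@@ -462,9 +466,11 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapisetenv", sGssSetEnv, SSHCFG_GLOBAL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapisetenv", sUnsupported, SSHCFG_ALL },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -1170,6 +1176,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
 
+	case sGssSetEnv:
+		intptr = &options->gss_set_env;
+		goto parse_flag;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;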
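Review bot: In the keyword table the non-GSSAPI fallback `{ "gssapisetenv", sUnsupported, SSHCFG_ALL }` does not match the `SSHCFG_GLOBAL` scope of the GSSAPI entry a few lines above it, nor the neighbouring `gssapicleanupcredentials` fallback. It should read `{ "gssapisetenv", sUnsupported, SSHCFG_GLOBAL },` so both build variants accept the keyword in the same places. No hunk here touches the code that prints the effective configuration, so the new option would presumably be missing from that dump unless it is handled outside this patch. The table and the switch both continue outside the hunks shown.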
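--- a/servconf.h
+++ b/servconf.h
@@ -116,6 +116,7 @@ typedef struct {
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+	int     gss_set_env;		/* Set GSS environment variables */
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */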
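Review bot: The comment on `gss_set_env` reads "Set GSS environment variables", which drops the "If true, …" form used by the neighbouring fields and does not say what is exported. Something like `/* If true, export SSH_GSSAPI_DISPLAYNAME to the session */` would match the struct's style and tell a reader that the authenticated peer's GSSAPI name ends up in the session environment.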
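--- a/sshd_config.5
+++ b/sshd_config.5
@@ -570,6 +570,14 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPISetEnv
+When enabled and GSSAPI authentication is used, set the environment
+variable
+.Ev SSH_GSSAPI_DISPLAYNAME
+to the GSSAPI "display name", as provided by the GSSAPI library.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.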
