Bugzilla – Attachment 2580 Details for
Bug 2063
RFE: export principal which was used for .k5login
[patch]
Patch from openssh-portable tree at commit e7bf3a5eda
openssh-gssapi_set_env.patch (text/plain), 4.81 KB, created by
Karl Kornel
on 2015-04-11 04:51:01 AEST
Description:
Patch from openssh-portable tree at commit e7bf3a5eda
Filename:
MIME Type:
Creator:
Karl Kornel
Created:
2015-04-11 04:51:01 AEST
Size:
4.81 KB
> gss-serv-krb5.c | 7 ++++++-
> gss-serv.c | 8 ++++++++
> servconf.c | 10 ++++++++++
> servconf.h | 1 +
> sshd_config.5 | 8 ++++++++
> 5 files changed, 33 insertions(+), 1 deletion(-)
>
>diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
>index 795992d..d07da7c 100644
>--- a/gss-serv-krb5.c
>+++ b/gss-serv-krb5.c
>@@ -188,8 +188,13 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
> snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
>
> #ifdef USE_PAM
>- if (options.use_pam)
>+ if (options.use_pam) {
> do_pam_putenv(client->store.envvar, client->store.envval);
>+ if (options.gss_set_env) {
>+ do_pam_putenv("SSH_GSSAPI_DISPLAYNAME",
>+ client->displayname.value);
>+ }
>+ }
> #endif
>
> krb5_cc_close(krb_context, ccache);
>diff --git a/gss-serv.c b/gss-serv.c
>index e7b8c52..e3e3d49 100644
>--- a/gss-serv.c
>+++ b/gss-serv.c
>@@ -44,9 +44,12 @@
> #include "channels.h"
> #include "session.h"
> #include "misc.h"
>+#include "servconf.h"
>
> #include "ssh-gss.h"
>
>+extern ServerOptions options;
>+
> static ssh_gssapi_client gssapi_client =
> { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
> GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
>@@ -343,6 +346,11 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
> child_set_env(envp, envsizep, gssapi_client.store.envvar,
> gssapi_client.store.envval);
> }
>+ if (options.gss_set_env) {
>+ debug("Exporting GSSAPI principal name to child environment");
>+ child_set_env(envp, envsizep, "SSH_GSSAPI_DISPLAYNAME",
>+ gssapi_client.displayname.value);
>+ }
> }
>
> /* Privileged */
>diff --git a/servconf.c b/servconf.c
>index 3185462..68655f9 100644
>--- a/servconf.c
>+++ b/servconf.c
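Review bot: `client->displayname.value` is passed to `do_pam_putenv()` as a C string in the gss-serv-krb5.c hunk, but it appears to be the `value` member of a GSSAPI buffer whose size lives in a separate `length` field. The GSSAPI C bindings do not promise a terminating NUL, so the read is only bounded if the GSSAPI library in use happens to terminate the buffer. Copying `length` bytes into a NUL-terminated buffer before the call, and skipping the export when `value` is NULL or `length` is 0, removes that dependency; the same applies to the `child_set_env()` call added in `ssh_gssapi_do_child()` in gss-serv.c. The export also sits inside the credential-storing function, so under PAM it presumably happens only when credentials were delegated, which is worth checking against the man page wording. The function body starts and continues outside the hunk.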
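Review bot: The added `if (options.gss_set_env)` block in `ssh_gssapi_do_child()` is not conditional on GSSAPI authentication having taken place. It follows the closing brace of the preceding credential-cache check, and `gssapi_client` is initialised with `GSS_C_EMPTY_BUFFER` members in the hunk above, so for a session authenticated by another method `gssapi_client.displayname.value` is presumably still NULL when it reaches `child_set_env()`. Guard the export, e.g. `if (options.gss_set_env && gssapi_client.displayname.value != NULL && gssapi_client.displayname.length > 0) {`. That also brings the code in line with the sshd_config.5 text, which says the variable is set only when GSSAPI authentication is used. The enclosing function starts outside the hunk.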
>@@ -115,6 +115,7 @@ initialize_server_options(ServerOptions *options)
> options->kerberos_get_afs_token = -1;
> options->gss_authentication=-1;
> options->gss_cleanup_creds = -1;
>+ options->gss_set_env = -1;
> options->password_authentication = -1;
> options->kbd_interactive_authentication = -1;
> options->challenge_response_authentication = -1;
>@@ -271,6 +272,8 @@ fill_default_server_options(ServerOptions *options)
> options->gss_authentication = 0;
> if (options->gss_cleanup_creds == -1)
> options->gss_cleanup_creds = 1;
>+ if (options->gss_set_env == -1)
>+ options->gss_set_env = 0;
> if (options->password_authentication == -1)
> options->password_authentication = 1;
> if (options->kbd_interactive_authentication == -1)
>@@ -392,6 +395,7 @@ typedef enum {
> sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
> sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
> sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
>+ sGssSetEnv,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sHostCertificate,
>@@ -462,9 +466,11 @@ static struct {
> #ifdef GSSAPI
> { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
> { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
>+ { "gssapisetenv", sGssSetEnv, SSHCFG_GLOBAL },
> #else
> { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
> { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
>+ { "gssapisetenv", sUnsupported, SSHCFG_ALL },
> #endif
> { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
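Review bot: The two new `gssapisetenv` entries in the keyword table disagree on scope: the `#ifdef GSSAPI` branch uses `SSHCFG_GLOBAL`, the `#else` branch uses `SSHCFG_ALL`. The neighbouring `gssapicleanupcredentials` uses `SSHCFG_GLOBAL` in both branches, so a build without GSSAPI would presumably treat this keyword differently inside a Match block than a GSSAPI build does. Suggest `{ "gssapisetenv", sUnsupported, SSHCFG_GLOBAL },` in the `#else` branch. The table starts and ends outside the hunk.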
>@@ -1170,6 +1176,10 @@ process_server_config_line(ServerOptions *options, char *line,
> intptr = &options->gss_cleanup_creds;
> goto parse_flag;
>
>+ case sGssSetEnv:
>+ intptr = &options->gss_set_env;
>+ goto parse_flag;
>+
> case sPasswordAuthentication:
> intptr = &options->password_authentication;
> goto parse_flag;
>diff --git a/servconf.h b/servconf.h
>index 9922f0c..0d02dca 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -116,6 +116,7 @@ typedef struct {
> * authenticated with Kerberos. */
> int gss_authentication; /* If true, permit GSSAPI authentication */
> int gss_cleanup_creds; /* If true, destroy cred cache on logout */
>+ int gss_set_env; /* Set GSS environment variables */
> int password_authentication; /* If true, permit password
> * authentication. */
> int kbd_interactive_authentication; /* If true, permit */
>diff --git a/sshd_config.5 b/sshd_config.5
>index 6dce0c7..038ec20 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -570,6 +570,14 @@ on logout.
> The default is
> .Dq yes .
> Note that this option applies to protocol version 2 only.
>+.It Cm GSSAPISetEnv
>+When enabled and GSSAPI authentication is used, set the environment
>+variable
>+.Ev SSH_GSSAPI_DISPLAYNAME
>+to the GSSAPI "display name", as provided by the GSSAPI library.
>+The default is
>+.Dq no .
>+Note that this option applies to protocol version 2 only.
> .It Cm HostbasedAcceptedKeyTypes
> Specifies the key types that will be accepted for hostbased authentication
> as a comma-separated pattern list.
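Review bot: The field comment `/* Set GSS environment variables */` added in servconf.h does not follow the `If true, ...` form of the neighbouring fields and does not say what is exported. The code in this patch sets a single variable, so the plural is also misleading. Suggest `/* If true, export SSH_GSSAPI_DISPLAYNAME to the session environment */`. The struct starts and ends outside the hunk.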