Bugzilla – Attachment 715 Details for
Bug 928
Kerberos/GSSAPI authentication does not work with multihomed hosts
[patch]
Add an option to select the gss_import hostname
openssh-3.9p1-gss-import.patch (text/plain), 5.82 KB, created by
Markus Moeller
on 2004-09-17 20:49:01 AEST
Description:
Add an option to select the gss_import hostname
Filename:
MIME Type:
Creator:
Markus Moeller
Created:
2004-09-17 20:49:01 AEST
Size:
5.82 KB
>diff -u -N -r openssh-3.9p1/gss-genr.c openssh-3.9p1-n/gss-genr.c
>--- openssh-3.9p1/gss-genr.c 2003-11-21 12:56:47.000000000 +0000
>+++ openssh-3.9p1-n/gss-genr.c 2004-09-17 11:44:34.000000000 +0100
>@@ -37,6 +37,10 @@
>
> #include "ssh-gss.h"
>
>+#include "servconf.h"
>+/* import */
>+extern ServerOptions options;
>+
> extern u_char *session_id2;
> extern u_int session_id2_len;
>
>@@ -206,15 +210,18 @@
> {
> gss_buffer_desc gssbuf;
>
>- gssbuf.length = sizeof("host@") + strlen(host);
>- gssbuf.value = xmalloc(gssbuf.length);
>- snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
>+ if ( host ) {
>+ gssbuf.length = sizeof("host@") + strlen(host);
>+ gssbuf.value = xmalloc(gssbuf.length);
>+ snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
>+
>+ if ((ctx->major = gss_import_name(&ctx->minor,
>+ &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
>+ ssh_gssapi_error(ctx);
>
>- if ((ctx->major = gss_import_name(&ctx->minor,
>- &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
>- ssh_gssapi_error(ctx);
>+ xfree(gssbuf.value);
>+ }
>
>- xfree(gssbuf.value);
> return (ctx->major);
> }
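Review bot: The `extern ServerOptions options;` added at the top of gss-genr.c ties this file to the sshd configuration object through a global. If gss-genr.c is also built into the client or other binaries (its helpers, such as the import-name function in the next hunk, look generic), `options` there would be either missing or an object of a different type, and the declaration gives no compile-time protection against that. Passing the selected mode in from the server-side caller, or keeping the `options.gss_import_hostname` lookup in a server-only file, would avoid the cross-module dependency. The calls to `get_local_name()` and `packet_get_connection_in()` added further down also need their prototypes in scope; only `servconf.h` is added here, so confirm `canohost.h` and `packet.h` are already included.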
>
>@@ -227,14 +234,23 @@
> ssh_gssapi_acquire_cred(Gssctxt *ctx)
> {
> OM_uint32 status;
>- char lname[MAXHOSTNAMELEN];
>+ char *lname;
> gss_OID_set oidset;
>
> gss_create_empty_oid_set(&status, &oidset);
> gss_add_oid_set_member(&status, ctx->oid, &oidset);
>
>- if (gethostname(lname, MAXHOSTNAMELEN))
>- return (-1);
>+ if ( options.gss_import_hostname == GSS_IMPORT_HOSTNAME ) {
>+ lname=xmalloc(MAXHOSTNAMELEN+1);
>+ if (gethostname(lname, MAXHOSTNAMELEN))
>+ return (-1);
>+ } else if ( options.gss_import_hostname == GSS_IMPORT_CONNECTION_IP ) {
>+ lname = get_local_name(packet_get_connection_in());
>+ } else {
>+ lname = NULL;
>+ }
>+
>+ debug("Import local hostname %s", lname?lname:"NULL");
>
> if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
> return (ctx->major);
>diff -u -N -r openssh-3.9p1/servconf.c openssh-3.9p1-n/servconf.c
>--- openssh-3.9p1/servconf.c 2004-08-13 12:30:24.000000000 +0100
>+++ openssh-3.9p1-n/servconf.c 2004-09-17 10:52:03.000000000 +0100
>@@ -74,6 +74,7 @@
> options->kerberos_get_afs_token = -1;
> options->gss_authentication=-1;
> options->gss_cleanup_creds = -1;
>+ options->gss_import_hostname = -1;
> options->password_authentication = -1;
> options->kbd_interactive_authentication = -1;
> options->challenge_response_authentication = -1;
>@@ -187,6 +188,8 @@
> options->kerberos_get_afs_token = 0;
> if (options->gss_authentication == -1)
> options->gss_authentication = 0;
>+ if (options->gss_import_hostname == -1)
>+ options->gss_import_hostname = GSS_IMPORT_HOSTNAME;
> if (options->gss_cleanup_creds == -1)
> options->gss_cleanup_creds = 1;
> if (options->password_authentication == -1)
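Review bot: In the `@@ -206,15 +210,18 @@` hunk of gss-genr.c, `ctx->major` is no longer assigned when `host` is NULL, so `return (ctx->major);` hands back whatever an earlier call left in the context, and the `GSS_ERROR(...)` test in `ssh_gssapi_acquire_cred` then acts on a stale status. Add an explicit branch such as `else ctx->major = GSS_S_COMPLETE;` and, if the context initialiser does not already do so, `ctx->name = GSS_C_NO_NAME;`, so that the no-name path is deliberate rather than accidental. The function's signature is above the hunk, so `host` being its parameter is an assumption.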
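Review bot: In the `@@ -227,14 +234,23 @@` hunk `lname` becomes heap memory with no release in the visible lines: `return (-1);` after a failed `gethostname()` leaks the `xmalloc` buffer, and since `ssh_gssapi_import_name()` copies the host into its own buffer, `lname` can be released on both paths after that call with `if (lname != NULL) xfree(lname);`. The buffer is `MAXHOSTNAMELEN+1` bytes but nothing writes the terminator, and `gethostname()` need not NUL-terminate a truncated name, so add `lname[MAXHOSTNAMELEN] = '\0';` after the call. The `connection-ip` branch takes its name from `get_local_name()`, which presumably resolves the local socket address; if that goes through reverse DNS, the service principal sshd acquires depends on DNS answers, which deserves a comment at that branch. The function continues past the end of the hunk, so a later free may exist outside the visible lines.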
>@@ -270,7 +273,7 @@
> sBanner, sUseDNS, sHostbasedAuthentication,
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>- sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
>+ sGssAuthentication, sGssCleanupCreds, sGssImportHostname, sAcceptEnv,
> sUsePrivilegeSeparation,
> sDeprecated, sUnsupported
> } ServerOpCodes;
>@@ -325,9 +328,11 @@
> #ifdef GSSAPI
> { "gssapiauthentication", sGssAuthentication },
> { "gssapicleanupcredentials", sGssCleanupCreds },
>+ { "gssapiimporthostname", sGssImportHostname},
> #else
> { "gssapiauthentication", sUnsupported },
> { "gssapicleanupcredentials", sUnsupported },
>+ { "gssapiimporthostname", sUnsupported},
> #endif
> { "passwordauthentication", sPasswordAuthentication },
> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
>@@ -658,6 +663,28 @@
> intptr = &options->gss_cleanup_creds;
> goto parse_flag;
>
>+ case sGssImportHostname:
>+ intptr = &options->gss_import_hostname;
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%s line %d: missing hostname/"
>+ "connection-ip/gss-c-no-name "
>+ "argument.", filename, linenum);
>+ value = 0; /* silence compiler */
>+ if (strcmp(arg, "hostname") == 0)
>+ value = GSS_IMPORT_HOSTNAME;
>+ else if (strcmp(arg, "connection-ip") == 0)
>+ value = GSS_IMPORT_CONNECTION_IP;
>+ else if (strcmp(arg, "gss-c-no-name") == 0)
>+ value = GSS_IMPORT_NO_NAME;
>+ else
>+ fatal("%s line %d: Bad hostname/"
>+ "connection-ip/gss-c-no-name "
>+ "argument: %s", filename, linenum, arg);
>+ if (*intptr == -1)
>+ *intptr = value;
>+ break;
>+
> case sPasswordAuthentication:
> intptr = &options->password_authentication;
> goto parse_flag;
>diff -u -N -r openssh-3.9p1/servconf.h openssh-3.9p1-n/servconf.h
>--- openssh-3.9p1/servconf.h 2004-06-25 04:33:20.000000000 +0100
>+++ openssh-3.9p1-n/servconf.h 2004-09-17 10:52:53.000000000 +0100
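Review bot: The `gssapiimporthostname` keyword parsed in the `@@ -658,6 +663,28 @@` hunk is left undocumented: the patch touches only gss-genr.c, servconf.c and servconf.h, and the new case carries no comment. The three values are not equivalent from a security standpoint. With `gss-c-no-name` the import step is skipped entirely, which presumably leaves the acceptor credential untied to the host's own principal, so sshd may accept a ticket for any service key it can read and administrators need to keep the keytab limited to the intended principals. A comment above the case, e.g. `/* hostname: gethostname(); connection-ip: name of the local socket address; gss-c-no-name: no acceptor name */`, together with a manual-page entry stating the default (`hostname`), would cover it. The enclosing switch starts and ends outside the hunk.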
>@@ -37,6 +37,12 @@
>
> #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
>
>+/* gss_import_hostname flags */
>+#define GSS_IMPORT_HOSTNAME 0
>+#define GSS_IMPORT_CONNECTION_IP 1
>+#define GSS_IMPORT_NO_NAME 2
>+
>+
> typedef struct {
> u_int num_ports;
> u_int ports_from_cmdline;
>@@ -88,6 +94,7 @@
> * authenticated with Kerberos. */
> int gss_authentication; /* If true, permit GSSAPI authentication */
> int gss_cleanup_creds; /* If true, destroy cred cache on logout */
>+ int gss_import_hostname; /* Possible values 0,1,2 */
> int password_authentication; /* If true, permit password
> * authentication. */
> int kbd_interactive_authentication; /* If true, permit */
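Review bot: The field comment `/* Possible values 0,1,2 */` in the `@@ -88,6 +94,7 @@` hunk gives raw numbers where the constants defined a few lines earlier would tell the reader what each setting means; write `/* GSS_IMPORT_HOSTNAME, GSS_IMPORT_CONNECTION_IP or GSS_IMPORT_NO_NAME */` instead. The comment above the defines could also say which name source each constant selects, since code comparing against `options.gss_import_hostname` relies on that meaning. The struct continues outside the hunk.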
Attachments on
bug 928
:
715
|
1182
|
1775
|
2571