Attachment #744 for bug #958

Lines 84-90 Link Here

(-)Makefile.in (-1 / +1 lines)
84	auth2-none.o auth2-passwd.o auth2-pubkey.o \	84	auth2-none.o auth2-passwd.o auth2-pubkey.o \
85	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \	85	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
86	auth-krb5.o \	86	auth-krb5.o \
87	auth2-gss.o gss-serv.o gss-serv-krb5.o \	87	auth2-gss.o gss-serv.o gss-serv-krb5.o gss-serv-gsi.o \
88	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o	88	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
89		89
90	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out	90	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out

Lines 268-273 Link Here

(-)acconfig.h (+3 lines)
268	/* Define this if you are using the Heimdal version of Kerberos V5 */	268	/* Define this if you are using the Heimdal version of Kerberos V5 */
269	#undef HEIMDAL	269	#undef HEIMDAL
270		270
		271	/* Define if you want GSI/Globus authentication support */
		272	#undef GSI
		273
271	/* Define this if you want to use libkafs' AFS support */	274	/* Define this if you want to use libkafs' AFS support */
272	#undef USE_AFS	275	#undef USE_AFS
273		276

Lines 130-136 Link Here

(-)auth2-gss.c (-1 / +1 lines)
130	Gssctxt *gssctxt;	130	Gssctxt *gssctxt;
131	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;	131	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
132	gss_buffer_desc recv_tok;	132	gss_buffer_desc recv_tok;
133	OM_uint32 maj_status, min_status, flags;	133	OM_uint32 maj_status, min_status, flags=0;
134	u_int len;	134	u_int len;
135		135
136	if (authctxt == NULL \|\| (authctxt->methoddata == NULL && !use_privsep))	136	if (authctxt == NULL \|\| (authctxt->methoddata == NULL && !use_privsep))




	]
)

# Check whether the user wants GSI (Globus) support
GSI_MSG="no"
AC_ARG_WITH(gsi,
	[  --with-gsi              Enable Globus GSI authentication support],
	[  
		if test "x$withval" != "xno" ; then
			AC_MSG_CHECKING(for Globus GSI)
			AC_DEFINE(GSI)
			AC_DEFINE(GSSAPI)
			GSI_MSG="yes"

			# $GLOBUS_LOCATION is root of GSI installation
			if test -z "$GLOBUS_LOCATION" ; then
				AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set .)
			fi
			if test ! -d "$GLOBUS_LOCATION" ; then
				AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set to Globus install directory path.)
			fi

			# Get Globus library "flavor"
			AC_ARG_WITH(globus-flavor,
				[  --with-globus-flavor=TYPE  Specify Globus flavor type (ex: gcc32dbg)],
				[
					globus_flavor="$withval"
					if test "x$globus_flavor" = "xyes" ; then
						AC_MSG_ERROR(--with-globus-flavor=TYPE must specify a flavor type)
					fi
				],
				[
					AC_MSG_ERROR(--with-globus-flavor=TYPE must be specified)
				]
			)

			# Add directory for GSI headers
			GLOBUS_INCLUDE="${GLOBUS_LOCATION}/include/${globus_flavor}"
			if test ! -d "$GLOBUS_INCLUDE" ; then
				AC_MSG_ERROR(Cannot find Globus flavor-specific include directory: ${GLOBUS_INCLUDE})
			fi
			GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
	
			# Use globus-makefile-header tool to add needed libs
			if test ! -x "${GLOBUS_LOCATION}/bin/globus-makefile-header" ; then
				AC_MSG_ERROR(${GLOBUS_LOCATION}/bin/globus-makefile-header does not exist)
			fi
			GSI_LIBS=`${GLOBUS_LOCATION}/bin/globus-makefile-header --flavor=${globus_flavor} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
			if test -z "$GSI_LIBS" ; then
				AC_MSG_ERROR(globus-makefile-header failed)
			fi

			if test -n "${need_dash_r}"; then
				GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"
			else
				GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib"
			fi

			AC_DEFINE(HAVE_GSSAPI_H)

			LIBS="$LIBS $GSI_LIBS"
			LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
			CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"

			# test that we got the libraries OK
			AC_TRY_LINK(
				[],
				[],
				[
					AC_MSG_RESULT(yes)
				],
				[
					AC_MSG_ERROR(link with GSI libraries failed)
				]
			)
		fi
	]
)

AC_MSG_CHECKING([for /proc/pid/fd directory])
if test -d "/proc/$$/fd" ; then
	AC_DEFINE(HAVE_PROC_PID)

		fi
	]
)
# If using GSI libraries, libcrypto is already in LIBS
if test -z "$GSI_LIBS" ; then
	LIBS="-lcrypto $LIBS"
fi
AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
	[
		dnl Check default openssl install dir

echo "                    Manpage format: $MANTYPE"
echo "                       PAM support: $PAM_MSG"
echo "                 KerberosV support: $KRB5_MSG"
echo "                       GSI support: $GSI_MSG"
echo "                 Smartcard support: $SCARD_MSG"
echo "                     S/KEY support: $SKEY_MSG"
echo "              TCP Wrappers support: $TCPW_MSG"




/*
 * Copyright (c) 2001-2004 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef GSSAPI
#ifdef GSI

#include "auth.h"
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"

#include "ssh-gss.h"

#include <globus_gss_assist.h>

extern ServerOptions options;

static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);

ssh_gssapi_mech gssapi_gsi_mech = {
	"dZuIebMjgUqaxvbF7hDbAw==",
	"GSI",
	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
	NULL,
	&ssh_gssapi_gsi_userok,
	NULL,
	&ssh_gssapi_gsi_storecreds
};

/* Initialize the GSI library */

static int
ssh_gssapi_gsi_init(void)
{
	if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
		return 0;
	}

	return 1;
}

/*
 * Check if this user is OK to login under GSI. User has been authenticated
 * as identity in global 'client_name.value' and is trying to log in as passed
 * username in 'name'.
 * Returns true if the user is OK to log in, otherwise returns 0.
 */

static int
ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
{
	int retval;
    
	if (ssh_gssapi_gsi_init() == 0)
		return 0;

	/* globus_gss_assist_userok() returns 0 on success */
	if (globus_gss_assist_userok(client->displayname.value,
				     name)) {
		retval = 0;
	} else {
		retval = 1;
		logit("GSI user %s is authorized as target user %s",
		      (char *) client->displayname.value, name);
	}
    
	return retval;
}

/* This writes out any forwarded credentials from the structure populated
 * during userauth. Called after we have setuid to the user */

static void
ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
{
	OM_uint32	major_status;
	OM_uint32	minor_status;
	gss_buffer_desc	export_cred = GSS_C_EMPTY_BUFFER;
	char *		p;
	
	if (client->creds == NULL) {
		debug("No credentials stored");
		return;
	}

	if (ssh_gssapi_gsi_init() == 0)
		return;

	major_status = gss_export_cred(&minor_status,
				       client->creds,
				       GSS_C_NO_OID,
				       1,
				       &export_cred);
	if (GSS_ERROR(major_status)) {
		Gssctxt *ctx;
		ssh_gssapi_build_ctx(&ctx);
		ctx->major = major_status;
		ctx->minor = minor_status;
		ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
		ssh_gssapi_error(ctx);
		ssh_gssapi_delete_ctx(&ctx);
		return;
	}
	
	p = strchr((char *) export_cred.value, '=');
	if (p == NULL) {
		logit("Failed to parse exported credentials string '%.100s'",
		      (char *)export_cred.value);
		gss_release_buffer(&minor_status, &export_cred);
		return;
	}
	*p++ = '\0';
	if (strcmp((char *)export_cred.value,"X509_USER_DELEG_PROXY") == 0) {
		client->store.envvar = strdup("X509_USER_PROXY");
	} else {
		client->store.envvar = strdup((char *)export_cred.value);
	}
	client->store.envval = strdup(p);
#ifdef USE_PAM
	if (options.use_pam)
		do_pam_putenv(client->store.envvar, client->store.envval);
#endif
	if (access(p, R_OK) == 0) {
		client->store.filename = strdup(p);
	}
	gss_release_buffer(&minor_status, &export_cred);

	return;
}

#endif /* GSI */

#endif /* GSSAPI */

Lines 53-62 Link Here

(-)gss-serv.c (+6 lines)
53	#ifdef KRB5	53	#ifdef KRB5
54	extern ssh_gssapi_mech gssapi_kerberos_mech;	54	extern ssh_gssapi_mech gssapi_kerberos_mech;
55	#endif	55	#endif
		56	#ifdef GSI
		57	extern ssh_gssapi_mech gssapi_gsi_mech;
		58	#endif
56		59
57	ssh_gssapi_mech* supported_mechs[]= {	60	ssh_gssapi_mech* supported_mechs[]= {
58	#ifdef KRB5	61	#ifdef KRB5
59	&gssapi_kerberos_mech,	62	&gssapi_kerberos_mech,
		63	#endif
		64	#ifdef GSI
		65	&gssapi_gsi_mech,
60	#endif	66	#endif
61	&gssapi_null_mech,	67	&gssapi_null_mech,
62	};	68	};

Return to bug 958

Lines 747-752 Link Here

(-)configure.ac (-1 / +81 lines)
747	]	747	]
748	)	748	)
749		749
		750	# Check whether the user wants GSI (Globus) support
		751	GSI_MSG="no"
		752	AC_ARG_WITH(gsi,
		753	[ --with-gsi Enable Globus GSI authentication support],
		754	[
		755	if test "x$withval" != "xno" ; then
		756	AC_MSG_CHECKING(for Globus GSI)
		757	AC_DEFINE(GSI)
		758	AC_DEFINE(GSSAPI)
		759	GSI_MSG="yes"
		760
		761	# $GLOBUS_LOCATION is root of GSI installation
		762	if test -z "$GLOBUS_LOCATION" ; then
		763	AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set .)
		764	fi
		765	if test ! -d "$GLOBUS_LOCATION" ; then
		766	AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set to Globus install directory path.)
		767	fi
		768
		769	# Get Globus library "flavor"
		770	AC_ARG_WITH(globus-flavor,
		771	[ --with-globus-flavor=TYPE Specify Globus flavor type (ex: gcc32dbg)],
		772	[
		773	globus_flavor="$withval"
		774	if test "x$globus_flavor" = "xyes" ; then
		775	AC_MSG_ERROR(--with-globus-flavor=TYPE must specify a flavor type)
		776	fi
		777	],
		778	[
		779	AC_MSG_ERROR(--with-globus-flavor=TYPE must be specified)
		780	]
		781	)
		782
		783	# Add directory for GSI headers
		784	GLOBUS_INCLUDE="${GLOBUS_LOCATION}/include/${globus_flavor}"
		785	if test ! -d "$GLOBUS_INCLUDE" ; then
		786	AC_MSG_ERROR(Cannot find Globus flavor-specific include directory: ${GLOBUS_INCLUDE})
		787	fi
		788	GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
		789
		790	# Use globus-makefile-header tool to add needed libs
		791	if test ! -x "${GLOBUS_LOCATION}/bin/globus-makefile-header" ; then
		792	AC_MSG_ERROR(${GLOBUS_LOCATION}/bin/globus-makefile-header does not exist)
		793	fi
		794	GSI_LIBS=`${GLOBUS_LOCATION}/bin/globus-makefile-header --flavor=${globus_flavor} globus_gss_assist \| perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
		795	if test -z "$GSI_LIBS" ; then
		796	AC_MSG_ERROR(globus-makefile-header failed)
		797	fi
		798
		799	if test -n "${need_dash_r}"; then
		800	GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"
		801	else
		802	GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib"
		803	fi
		804
		805	AC_DEFINE(HAVE_GSSAPI_H)
		806
		807	LIBS="$LIBS $GSI_LIBS"
		808	LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
		809	CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"
		810
		811	# test that we got the libraries OK
		812	AC_TRY_LINK(
		813	[],
814	[],
815	[
816	AC_MSG_RESULT(yes)
817	],
818	[
819	AC_MSG_ERROR(link with GSI libraries failed)
820	]
821	)
822	fi
823	]
824	)
825
750	AC_MSG_CHECKING([for /proc/pid/fd directory])	826	AC_MSG_CHECKING([for /proc/pid/fd directory])
751	if test -d "/proc/$$/fd" ; then	827	if test -d "/proc/$$/fd" ; then
752	AC_DEFINE(HAVE_PROC_PID)	828	AC_DEFINE(HAVE_PROC_PID)
Lines 1240-1246 Link Here
1240	fi	1316	fi
1241	]	1317	]
1242	)	1318	)
1243	LIBS="-lcrypto $LIBS"	1319	# If using GSI libraries, libcrypto is already in LIBS
		1320	if test -z "$GSI_LIBS" ; then
		1321	LIBS="-lcrypto $LIBS"
		1322	fi
1244	AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),	1323	AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
1245	[	1324	[
1246	dnl Check default openssl install dir	1325	dnl Check default openssl install dir
Lines 3058-3063 Link Here
3058	echo " Manpage format: $MANTYPE"	3137	echo " Manpage format: $MANTYPE"
3059	echo " PAM support: $PAM_MSG"	3138	echo " PAM support: $PAM_MSG"
3060	echo " KerberosV support: $KRB5_MSG"	3139	echo " KerberosV support: $KRB5_MSG"
		3140	echo " GSI support: $GSI_MSG"
3061	echo " Smartcard support: $SCARD_MSG"	3141	echo " Smartcard support: $SCARD_MSG"
3062	echo " S/KEY support: $SKEY_MSG"	3142	echo " S/KEY support: $SKEY_MSG"
3063	echo " TCP Wrappers support: $TCPW_MSG"	3143	echo " TCP Wrappers support: $TCPW_MSG"

Added Link Here

(-)gss-serv-gsi.c (+157 lines)
1	/*
2	* Copyright (c) 2001-2004 Simon Wilkinson. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include "includes.h"
26
27	#ifdef GSSAPI
28	#ifdef GSI
29
30	#include "auth.h"
31	#include "xmalloc.h"
32	#include "log.h"
33	#include "servconf.h"
34
35	#include "ssh-gss.h"
36
37	#include <globus_gss_assist.h>
38
39	extern ServerOptions options;
40
41	static int ssh_gssapi_gsi_userok(ssh_gssapi_client client, char name);
42	static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
43
44	ssh_gssapi_mech gssapi_gsi_mech = {
45	"dZuIebMjgUqaxvbF7hDbAw==",
46	"GSI",
47	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
48	NULL,
49	&ssh_gssapi_gsi_userok,
50	NULL,
51	&ssh_gssapi_gsi_storecreds
52	};
53
54	/* Initialize the GSI library */
55
56	static int
57	ssh_gssapi_gsi_init(void)
58	{
59	if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
60	return 0;
61	}
62
63	return 1;
64	}
65
66	/*
67	* Check if this user is OK to login under GSI. User has been authenticated
68	* as identity in global 'client_name.value' and is trying to log in as passed
69	* username in 'name'.
70	* Returns true if the user is OK to log in, otherwise returns 0.
71	*/
72
73	static int
74	ssh_gssapi_gsi_userok(ssh_gssapi_client client, char name)
75	{
76	int retval;
77
78	if (ssh_gssapi_gsi_init() == 0)
79	return 0;
80
81	/* globus_gss_assist_userok() returns 0 on success */
82	if (globus_gss_assist_userok(client->displayname.value,
83	name)) {
84	retval = 0;
85	} else {
86	retval = 1;
87	logit("GSI user %s is authorized as target user %s",
88	(char *) client->displayname.value, name);
89	}
90
91	return retval;
92	}
93
94	/* This writes out any forwarded credentials from the structure populated
95	* during userauth. Called after we have setuid to the user */
96
97	static void
98	ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
99	{
100	OM_uint32 major_status;
101	OM_uint32 minor_status;
102	gss_buffer_desc export_cred = GSS_C_EMPTY_BUFFER;
103	char * p;
104
105	if (client->creds == NULL) {
106	debug("No credentials stored");
107	return;
108	}
109
110	if (ssh_gssapi_gsi_init() == 0)
111	return;
112
113	major_status = gss_export_cred(&minor_status,
114	client->creds,
115	GSS_C_NO_OID,
116	1,
117	&export_cred);
118	if (GSS_ERROR(major_status)) {
119	Gssctxt *ctx;
120	ssh_gssapi_build_ctx(&ctx);
121	ctx->major = major_status;
122	ctx->minor = minor_status;
123	ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
124	ssh_gssapi_error(ctx);
125	ssh_gssapi_delete_ctx(&ctx);
126	return;
127	}
128
129	p = strchr((char *) export_cred.value, '=');
130	if (p == NULL) {
131	logit("Failed to parse exported credentials string '%.100s'",
132	(char *)export_cred.value);
133	gss_release_buffer(&minor_status, &export_cred);
134	return;
135	}
136	*p++ = '\0';
137	if (strcmp((char *)export_cred.value,"X509_USER_DELEG_PROXY") == 0) {
138	client->store.envvar = strdup("X509_USER_PROXY");
139	} else {
140	client->store.envvar = strdup((char *)export_cred.value);
141	}
142	client->store.envval = strdup(p);
143	#ifdef USE_PAM
144	if (options.use_pam)
145	do_pam_putenv(client->store.envvar, client->store.envval);
146	#endif
147	if (access(p, R_OK) == 0) {
148	client->store.filename = strdup(p);
149	}
150	gss_release_buffer(&minor_status, &export_cred);
151
152	return;
153	}
154
155	#endif /* GSI */
156
157	#endif /* GSSAPI */