

(-)Makefile.in (-1 / +1 lines)
Lines 84-90 Link Here
84
	auth2-none.o auth2-passwd.o auth2-pubkey.o \
84
	auth2-none.o auth2-passwd.o auth2-pubkey.o \
85
	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
85
	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
86
	auth-krb5.o \
86
	auth-krb5.o \
87
	auth2-gss.o gss-serv.o gss-serv-krb5.o \
87
	auth2-gss.o gss-serv.o gss-serv-krb5.o gss-serv-gsi.o \
88
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
88
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
89
89
90
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
90
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
(-)acconfig.h (+3 lines)
Lines 268-273 Link Here
268
/* Define this if you are using the Heimdal version of Kerberos V5 */
268
/* Define this if you are using the Heimdal version of Kerberos V5 */
269
#undef HEIMDAL
269
#undef HEIMDAL
270
270
271
/* Define if you want GSI/Globus authentication support */
272
#undef GSI
273
271
/* Define this if you want to use libkafs' AFS support */
274
/* Define this if you want to use libkafs' AFS support */
272
#undef USE_AFS
275
#undef USE_AFS
273
276
(-)auth2-gss.c (-1 / +1 lines)
Lines 130-136 Link Here
130
	Gssctxt *gssctxt;
130
	Gssctxt *gssctxt;
131
	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
131
	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
132
	gss_buffer_desc recv_tok;
132
	gss_buffer_desc recv_tok;
133
	OM_uint32 maj_status, min_status, flags;
133
	OM_uint32 maj_status, min_status, flags=0;
134
	u_int len;
134
	u_int len;
135
135
136
	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
136
	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
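Review bot: Style: the new initializer on the declaration `OM_uint32 maj_status, min_status, flags=0;` omits the spaces around `=` that the neighbouring declaration `gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;` uses; `OM_uint32 maj_status, min_status, flags = 0;` keeps the block consistent. The enclosing function starts before and continues past this hunk, so whether every later read of `flags` is now covered cannot be confirmed from here.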
(-)configure.ac (-1 / +81 lines)
Lines 747-752 Link Here
747
	]
747
	]
748
)
748
)
749
749
750
# Check whether the user wants GSI (Globus) support
751
GSI_MSG="no"
752
AC_ARG_WITH(gsi,
753
	[  --with-gsi              Enable Globus GSI authentication support],
754
	[  
755
		if test "x$withval" != "xno" ; then
756
			AC_MSG_CHECKING(for Globus GSI)
757
			AC_DEFINE(GSI)
758
			AC_DEFINE(GSSAPI)
759
			GSI_MSG="yes"
760
761
			# $GLOBUS_LOCATION is root of GSI installation
762
			if test -z "$GLOBUS_LOCATION" ; then
763
				AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set .)
764
			fi
765
			if test ! -d "$GLOBUS_LOCATION" ; then
766
				AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set to Globus install directory path.)
767
			fi
768
769
			# Get Globus library "flavor"
770
			AC_ARG_WITH(globus-flavor,
771
				[  --with-globus-flavor=TYPE  Specify Globus flavor type (ex: gcc32dbg)],
772
				[
773
					globus_flavor="$withval"
774
					if test "x$globus_flavor" = "xyes" ; then
775
						AC_MSG_ERROR(--with-globus-flavor=TYPE must specify a flavor type)
776
					fi
777
				],
778
				[
779
					AC_MSG_ERROR(--with-globus-flavor=TYPE must be specified)
780
				]
781
			)
782
783
			# Add directory for GSI headers
784
			GLOBUS_INCLUDE="${GLOBUS_LOCATION}/include/${globus_flavor}"
785
			if test ! -d "$GLOBUS_INCLUDE" ; then
786
				AC_MSG_ERROR(Cannot find Globus flavor-specific include directory: ${GLOBUS_INCLUDE})
787
			fi
788
			GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
789
	
790
			# Use globus-makefile-header tool to add needed libs
791
			if test ! -x "${GLOBUS_LOCATION}/bin/globus-makefile-header" ; then
792
				AC_MSG_ERROR(${GLOBUS_LOCATION}/bin/globus-makefile-header does not exist)
793
			fi
794
			GSI_LIBS=`${GLOBUS_LOCATION}/bin/globus-makefile-header --flavor=${globus_flavor} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
795
			if test -z "$GSI_LIBS" ; then
796
				AC_MSG_ERROR(globus-makefile-header failed)
797
			fi
798
799
			if test -n "${need_dash_r}"; then
800
				GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"
801
			else
802
				GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib"
803
			fi
804
805
			AC_DEFINE(HAVE_GSSAPI_H)
806
807
			LIBS="$LIBS $GSI_LIBS"
808
			LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
809
			CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"
810
811
			# test that we got the libraries OK
812
			AC_TRY_LINK(
813
				[],
814
				[],
815
				[
816
					AC_MSG_RESULT(yes)
817
				],
818
				[
819
					AC_MSG_ERROR(link with GSI libraries failed)
820
				]
821
			)
822
		fi
823
	]
824
)
825
750
AC_MSG_CHECKING([for /proc/pid/fd directory])
826
AC_MSG_CHECKING([for /proc/pid/fd directory])
751
if test -d "/proc/$$/fd" ; then
827
if test -d "/proc/$$/fd" ; then
752
	AC_DEFINE(HAVE_PROC_PID)
828
	AC_DEFINE(HAVE_PROC_PID)
Lines 1240-1246 Link Here
1240
		fi
1316
		fi
1241
	]
1317
	]
1242
)
1318
)
1243
LIBS="-lcrypto $LIBS"
1319
# If using GSI libraries, libcrypto is already in LIBS
1320
if test -z "$GSI_LIBS" ; then
1321
	LIBS="-lcrypto $LIBS"
1322
fi
1244
AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
1323
AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
1245
	[
1324
	[
1246
		dnl Check default openssl install dir
1325
		dnl Check default openssl install dir
Lines 3058-3063 Link Here
3058
echo "                    Manpage format: $MANTYPE"
3137
echo "                    Manpage format: $MANTYPE"
3059
echo "                       PAM support: $PAM_MSG"
3138
echo "                       PAM support: $PAM_MSG"
3060
echo "                 KerberosV support: $KRB5_MSG"
3139
echo "                 KerberosV support: $KRB5_MSG"
3140
echo "                       GSI support: $GSI_MSG"
3061
echo "                 Smartcard support: $SCARD_MSG"
3141
echo "                 Smartcard support: $SCARD_MSG"
3062
echo "                     S/KEY support: $SKEY_MSG"
3142
echo "                     S/KEY support: $SKEY_MSG"
3063
echo "              TCP Wrappers support: $TCPW_MSG"
3143
echo "              TCP Wrappers support: $TCPW_MSG"
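Review bot: The run-path branch at `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"` is missing the `$` before the second brace, so on platforms where `need_dash_r` is set the linker receives the literal string `-R{GLOBUS_LOCATION}/lib` and the resulting binaries get no usable run-path for the Globus libraries; it should read `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R${GLOBUS_LOCATION}/lib"`. The link test `AC_TRY_LINK([], [], ...)` has an empty body, so it only proves that the flags and library directories are accepted, not that any Globus symbol resolves; referencing a function the new code actually uses, such as `globus_gss_assist_userok`, in the body would make the `link with GSI libraries failed` error meaningful. The later hunk that skips `-lcrypto` when `GSI_LIBS` is non-empty presumably relies on the flavor's package libs already naming libcrypto — if a flavor omits it, the `RAND_add` link check would fail with a misleading message, so a comment stating that assumption next to `# If using GSI libraries, libcrypto is already in LIBS` would help the next maintainer.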
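--- a/gss-serv-gsi.c
+++ b/gss-serv-gsi.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2001-2004 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#ifdef GSSAPI
+#ifdef GSI
+
+#include "auth.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+
+#include "ssh-gss.h"
+
+#include <globus_gss_assist.h>
+
+extern ServerOptions options;
+
+static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
+static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
+
+ssh_gssapi_mech gssapi_gsi_mech = {
+	"dZuIebMjgUqaxvbF7hDbAw==",
+	"GSI",
+	{9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
+	NULL,
+	&ssh_gssapi_gsi_userok,
+	NULL,
+	&ssh_gssapi_gsi_storecreds
+};
+
+/* Initialize the GSI library */
+
+static int
+ssh_gssapi_gsi_init(void)
+{
+	if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
+		return 0;
+	}
+
+	return 1;
+}
+
+/*
+ * Check if this user is OK to login under GSI. User has been authenticated
+ * as identity in global 'client_name.value' and is trying to log in as passed
+ * username in 'name'.
+ * Returns true if the user is OK to log in, otherwise returns 0.
+ */
+
+static int
+ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
+{
+	int retval;
+    
+	if (ssh_gssapi_gsi_init() == 0)
+		return 0;
+
+	/* globus_gss_assist_userok() returns 0 on success */
+	if (globus_gss_assist_userok(client->displayname.value,
+				     name)) {
+		retval = 0;
+	} else {
+		retval = 1;
+		logit("GSI user %s is authorized as target user %s",
+		      (char *) client->displayname.value, name);
+	}
+    
+	return retval;
+}
+
+/* This writes out any forwarded credentials from the structure populated
+ * during userauth. Called after we have setuid to the user */
+
+static void
+ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
+{
+	OM_uint32	major_status;
+	OM_uint32	minor_status;
+	gss_buffer_desc	export_cred = GSS_C_EMPTY_BUFFER;
+	char *		p;
+	
+	if (client->creds == NULL) {
+		debug("No credentials stored");
+		return;
+	}
+
+	if (ssh_gssapi_gsi_init() == 0)
+		return;
+
+	major_status = gss_export_cred(&minor_status,
+				       client->creds,
+				       GSS_C_NO_OID,
+				       1,
+				       &export_cred);
+	if (GSS_ERROR(major_status)) {
+		Gssctxt *ctx;
+		ssh_gssapi_build_ctx(&ctx);
+		ctx->major = major_status;
+		ctx->minor = minor_status;
+		ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
+		ssh_gssapi_error(ctx);
+		ssh_gssapi_delete_ctx(&ctx);
+		return;
+	}
+	
+	p = strchr((char *) export_cred.value, '=');
+	if (p == NULL) {
+		logit("Failed to parse exported credentials string '%.100s'",
+		      (char *)export_cred.value);
+		gss_release_buffer(&minor_status, &export_cred);
+		return;
+	}
+	*p++ = '\0';
+	if (strcmp((char *)export_cred.value,"X509_USER_DELEG_PROXY") == 0) {
+		client->store.envvar = strdup("X509_USER_PROXY");
+	} else {
+		client->store.envvar = strdup((char *)export_cred.value);
+	}
+	client->store.envval = strdup(p);
+#ifdef USE_PAM
+	if (options.use_pam)
+		do_pam_putenv(client->store.envvar, client->store.envval);
+#endif
+	if (access(p, R_OK) == 0) {
+		client->store.filename = strdup(p);
+	}
+	gss_release_buffer(&minor_status, &export_cred);
+
+	return;
+}
+
+#endif /* GSI */
+
+#endif /* GSSAPI */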
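Review bot: `ssh_gssapi_gsi_storecreds` treats `export_cred.value` as a NUL-terminated C string (`strchr`, `strcmp`, `strdup`, and the `'%.100s'` in `logit`) although a `gss_buffer_desc` carries an explicit `length` and the GSS-API does not promise termination, so a credential export without a trailing NUL would let the parse run past the buffer; copying `export_cred.length` bytes into a NUL-terminated local (or rejecting the buffer unless its last byte is `'\0'`) before the `strchr` would bound every read. The three `strdup` calls are unchecked, so on allocation failure `client->store.envvar` or `envval` is NULL and is passed straight to `do_pam_putenv` — the file already includes `xmalloc.h`, so `client->store.envvar = xstrdup("X509_USER_PROXY");` and the two siblings would turn that into a fatal error instead of a NULL dereference later. The header comment on `ssh_gssapi_gsi_userok` says the identity is in "global 'client_name.value'" while the code reads `client->displayname.value`; `* as identity in 'client->displayname.value' and is trying to log in as passed` keeps the comment truthful. The `1` passed as the fourth argument of `gss_export_cred` is a bare magic value whose meaning is not evident here; a short comment naming what that option selects, once confirmed against the Globus headers, would help a reader.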
(-)gss-serv.c (+6 lines)
Lines 53-62 Link Here
53
#ifdef KRB5
53
#ifdef KRB5
54
extern ssh_gssapi_mech gssapi_kerberos_mech;
54
extern ssh_gssapi_mech gssapi_kerberos_mech;
55
#endif
55
#endif
56
#ifdef GSI
57
extern ssh_gssapi_mech gssapi_gsi_mech;
58
#endif
56
59
57
ssh_gssapi_mech* supported_mechs[]= {
60
ssh_gssapi_mech* supported_mechs[]= {
58
#ifdef KRB5
61
#ifdef KRB5
59
	&gssapi_kerberos_mech,
62
	&gssapi_kerberos_mech,
63
#endif
64
#ifdef GSI
65
	&gssapi_gsi_mech,
60
#endif
66
#endif
61
	&gssapi_null_mech,
67
	&gssapi_null_mech,
62
};
68
};
