Bugzilla – Attachment 744 Details for
Bug 958
patch to support GSI GSSAPI mechanism
[patch]
patch to add GSI GSSAPI support to OpenSSH
openssh-gssapi-gsi.patch (text/plain), 10.25 KB, created by
Jim Basney
on 2004-12-03 03:29:07 AEDT
Description:
patch to add GSI GSSAPI support to OpenSSH
Filename:
MIME Type:
Creator:
Jim Basney
Created:
2004-12-03 03:29:07 AEDT
Size:
10.25 KB
patch
obsolete
>Index: Makefile.in
>===================================================================
>RCS file: /cvs/openssh/Makefile.in,v
>retrieving revision 1.266
>diff -u -r1.266 Makefile.in
>--- Makefile.in 7 Nov 2004 09:14:34 -0000 1.266
>+++ Makefile.in 2 Dec 2004 16:08:19 -0000
>@@ -84,7 +84,7 @@
> auth2-none.o auth2-passwd.o auth2-pubkey.o \
> monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> auth-krb5.o \
>- auth2-gss.o gss-serv.o gss-serv-krb5.o \
>+ auth2-gss.o gss-serv.o gss-serv-krb5.o gss-serv-gsi.o \
> loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
>Index: acconfig.h
>===================================================================
>RCS file: /cvs/openssh/acconfig.h,v
>retrieving revision 1.180
>diff -u -r1.180 acconfig.h
>--- acconfig.h 16 Aug 2004 13:12:06 -0000 1.180
>+++ acconfig.h 2 Dec 2004 16:08:19 -0000
>@@ -268,6 +268,9 @@
> /* Define this if you are using the Heimdal version of Kerberos V5 */
> #undef HEIMDAL
>
>+/* Define if you want GSI/Globus authentication support */
>+#undef GSI
>+
> /* Define this if you want to use libkafs' AFS support */
> #undef USE_AFS
>
>Index: auth2-gss.c
>===================================================================
>RCS file: /cvs/openssh/auth2-gss.c,v
>retrieving revision 1.9
>diff -u -r1.9 auth2-gss.c
>--- auth2-gss.c 22 Jun 2004 02:56:02 -0000 1.9
>+++ auth2-gss.c 2 Dec 2004 16:08:19 -0000
>@@ -130,7 +130,7 @@
> Gssctxt *gssctxt;
> gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
> gss_buffer_desc recv_tok;
>- OM_uint32 maj_status, min_status, flags;
>+ OM_uint32 maj_status, min_status, flags=0;
> u_int len;
>
> if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
>Index: configure.ac
>===================================================================
>RCS file: /cvs/openssh/configure.ac,v
>retrieving revision 1.233
>diff -u -r1.233 configure.ac
>--- configure.ac 7 Nov 2004 09:14:34 -0000 1.233
>+++ configure.ac 2 Dec 2004 16:08:19 -0000
>@@ -747,6 +747,82 @@
> ]
> )
>
>+# Check whether the user wants GSI (Globus) support
>+GSI_MSG="no"
>+AC_ARG_WITH(gsi,
>+ [ --with-gsi Enable Globus GSI authentication support],
>+ [
>+ if test "x$withval" != "xno" ; then
>+ AC_MSG_CHECKING(for Globus GSI)
>+ AC_DEFINE(GSI)
>+ AC_DEFINE(GSSAPI)
>+ GSI_MSG="yes"
>+
>+ # $GLOBUS_LOCATION is root of GSI installation
>+ if test -z "$GLOBUS_LOCATION" ; then
>+ AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set .)
>+ fi
>+ if test ! -d "$GLOBUS_LOCATION" ; then
>+ AC_MSG_ERROR(GLOBUS_LOCATION environment variable must be set to Globus install directory path.)
>+ fi
>+
>+ # Get Globus library "flavor"
>+ AC_ARG_WITH(globus-flavor,
>+ [ --with-globus-flavor=TYPE Specify Globus flavor type (ex: gcc32dbg)],
>+ [
>+ globus_flavor="$withval"
>+ if test "x$globus_flavor" = "xyes" ; then
>+ AC_MSG_ERROR(--with-globus-flavor=TYPE must specify a flavor type)
>+ fi
>+ ],
>+ [
>+ AC_MSG_ERROR(--with-globus-flavor=TYPE must be specified)
>+ ]
>+ )
>+
>+ # Add directory for GSI headers
>+ GLOBUS_INCLUDE="${GLOBUS_LOCATION}/include/${globus_flavor}"
>+ if test ! -d "$GLOBUS_INCLUDE" ; then
>+ AC_MSG_ERROR(Cannot find Globus flavor-specific include directory: ${GLOBUS_INCLUDE})
>+ fi
>+ GSI_CPPFLAGS="-I${GLOBUS_INCLUDE}"
>+
>+ # Use globus-makefile-header tool to add needed libs
>+ if test ! -x "${GLOBUS_LOCATION}/bin/globus-makefile-header" ; then
>+ AC_MSG_ERROR(${GLOBUS_LOCATION}/bin/globus-makefile-header does not exist)
>+ fi
>+ GSI_LIBS=`${GLOBUS_LOCATION}/bin/globus-makefile-header --flavor=${globus_flavor} globus_gss_assist | perl -n -e 'if (/GLOBUS_PKG_LIBS = (.*)/){print $1;}'`
>+ if test -z "$GSI_LIBS" ; then
>+ AC_MSG_ERROR(globus-makefile-header failed)
>+ fi
>+
>+ if test -n "${need_dash_r}"; then
>+ GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"
>+ else
>+ GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib"
>+ fi
>+
>+ AC_DEFINE(HAVE_GSSAPI_H)
>+
>+ LIBS="$LIBS $GSI_LIBS"
>+ LDFLAGS="$LDFLAGS $GSI_LDFLAGS"
>+ CPPFLAGS="$CPPFLAGS $GSI_CPPFLAGS"
>+
>+ # test that we got the libraries OK
>+ AC_TRY_LINK(
>+ [],
>+ [],
>+ [
>+ AC_MSG_RESULT(yes)
>+ ],
>+ [
>+ AC_MSG_ERROR(link with GSI libraries failed)
>+ ]
>+ )
>+ fi
>+ ]
>+)
>+
> AC_MSG_CHECKING([for /proc/pid/fd directory])
> if test -d "/proc/$$/fd" ; then
> AC_DEFINE(HAVE_PROC_PID)
>@@ -1240,7 +1316,10 @@
> fi
> ]
> )
>-LIBS="-lcrypto $LIBS"
>+# If using GSI libraries, libcrypto is already in LIBS
>+if test -z "$GSI_LIBS" ; then
>+ LIBS="-lcrypto $LIBS"
>+fi
> AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
> [
> dnl Check default openssl install dir
>@@ -3058,6 +3137,7 @@
> echo " Manpage format: $MANTYPE"
> echo " PAM support: $PAM_MSG"
> echo " KerberosV support: $KRB5_MSG"
>+echo " GSI support: $GSI_MSG"
> echo " Smartcard support: $SCARD_MSG"
> echo " S/KEY support: $SKEY_MSG"
> echo " TCP Wrappers support: $TCPW_MSG"
>Index: gss-serv-gsi.c
>===================================================================
>RCS file: gss-serv-gsi.c
>diff -N gss-serv-gsi.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ gss-serv-gsi.c 2 Dec 2004 16:08:19 -0000
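Review bot: The rpath branch in the first configure.ac hunk drops the `$`: `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R{GLOBUS_LOCATION}/lib"` hands the literal string `-R{GLOBUS_LOCATION}/lib` to the linker whenever need_dash_r is set, so no runtime search path is recorded for the Globus libraries on exactly the platforms that need one; it should read `GSI_LDFLAGS="-L${GLOBUS_LOCATION}/lib -R${GLOBUS_LOCATION}/lib"`. The `AC_MSG_CHECKING(for Globus GSI)` at the top of the block is only answered by the `AC_MSG_RESULT(yes)` inside the AC_TRY_LINK many steps later, with several AC_MSG_ERROR calls able to fire mid-line, so moving the checking message next to the link test would keep configure output coherent. Since the -L/-R entries make the privileged sshd resolve the Globus libraries from `$GLOBUS_LOCATION/lib` at run time, a comment such as `# sshd will load libraries from this directory at run time; it must be root-owned and not world-writable` would document a deployment requirement the hunk currently leaves implicit. The second configure.ac hunk's assumption that libcrypto is already present whenever GSI_LIBS is non-empty depends on what globus-makefile-header emits, which is not visible here.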
>@@ -0,0 +1,157 @@
>+/*
>+ * Copyright (c) 2001-2004 Simon Wilkinson. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "includes.h"
>+
>+#ifdef GSSAPI
>+#ifdef GSI
>+
>+#include "auth.h"
>+#include "xmalloc.h"
>+#include "log.h"
>+#include "servconf.h"
>+
>+#include "ssh-gss.h"
>+
>+#include <globus_gss_assist.h>
>+
>+extern ServerOptions options;
>+
>+static int ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name);
>+static void ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client);
>+
>+ssh_gssapi_mech gssapi_gsi_mech = {
>+ "dZuIebMjgUqaxvbF7hDbAw==",
>+ "GSI",
>+ {9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"},
>+ NULL,
>+ &ssh_gssapi_gsi_userok,
>+ NULL,
>+ &ssh_gssapi_gsi_storecreds
>+};
>+
>+/* Initialize the GSI library */
>+
>+static int
>+ssh_gssapi_gsi_init(void)
>+{
>+ if (globus_module_activate(GLOBUS_GSI_GSS_ASSIST_MODULE) != 0) {
>+ return 0;
>+ }
>+
>+ return 1;
>+}
>+
>+/*
>+ * Check if this user is OK to login under GSI. User has been authenticated
>+ * as identity in global 'client_name.value' and is trying to log in as passed
>+ * username in 'name'.
>+ * Returns true if the user is OK to log in, otherwise returns 0.
>+ */
>+
>+static int
>+ssh_gssapi_gsi_userok(ssh_gssapi_client *client, char *name)
>+{
>+ int retval;
>+
>+ if (ssh_gssapi_gsi_init() == 0)
>+ return 0;
>+
>+ /* globus_gss_assist_userok() returns 0 on success */
>+ if (globus_gss_assist_userok(client->displayname.value,
>+ name)) {
>+ retval = 0;
>+ } else {
>+ retval = 1;
>+ logit("GSI user %s is authorized as target user %s",
>+ (char *) client->displayname.value, name);
>+ }
>+
>+ return retval;
>+}
>+
>+/* This writes out any forwarded credentials from the structure populated
>+ * during userauth. Called after we have setuid to the user */
>+
>+static void
>+ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
>+{
>+ OM_uint32 major_status;
>+ OM_uint32 minor_status;
>+ gss_buffer_desc export_cred = GSS_C_EMPTY_BUFFER;
>+ char * p;
>+
>+ if (client->creds == NULL) {
>+ debug("No credentials stored");
>+ return;
>+ }
>+
>+ if (ssh_gssapi_gsi_init() == 0)
>+ return;
>+
>+ major_status = gss_export_cred(&minor_status,
>+ client->creds,
>+ GSS_C_NO_OID,
>+ 1,
>+ &export_cred);
>+ if (GSS_ERROR(major_status)) {
>+ Gssctxt *ctx;
>+ ssh_gssapi_build_ctx(&ctx);
>+ ctx->major = major_status;
>+ ctx->minor = minor_status;
>+ ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
>+ ssh_gssapi_error(ctx);
>+ ssh_gssapi_delete_ctx(&ctx);
>+ return;
>+ }
>+
>+ p = strchr((char *) export_cred.value, '=');
>+ if (p == NULL) {
>+ logit("Failed to parse exported credentials string '%.100s'",
>+ (char *)export_cred.value);
>+ gss_release_buffer(&minor_status, &export_cred);
>+ return;
>+ }
>+ *p++ = '\0';
>+ if (strcmp((char *)export_cred.value,"X509_USER_DELEG_PROXY") == 0) {
>+ client->store.envvar = strdup("X509_USER_PROXY");
>+ } else {
>+ client->store.envvar = strdup((char *)export_cred.value);
>+ }
>+ client->store.envval = strdup(p);
>+#ifdef USE_PAM
>+ if (options.use_pam)
>+ do_pam_putenv(client->store.envvar, client->store.envval);
>+#endif
>+ if (access(p, R_OK) == 0) {
>+ client->store.filename = strdup(p);
>+ }
>+ gss_release_buffer(&minor_status, &export_cred);
>+
>+ return;
>+}
>+
>+#endif /* GSI */
>+
>+#endif /* GSSAPI */
>Index: gss-serv.c
>===================================================================
>RCS file: /cvs/openssh/gss-serv.c,v
>retrieving revision 1.5
>diff -u -r1.5 gss-serv.c
>--- gss-serv.c 17 Nov 2003 11:18:22 -0000 1.5
>+++ gss-serv.c 2 Dec 2004 16:08:20 -0000
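Review bot: ssh_gssapi_gsi_storecreds in the gss-serv-gsi.c hunk calls strdup() three times without checking the result, even though the file includes xmalloc.h; on allocation failure a NULL envvar or envval is passed straight to do_pam_putenv and left in client->store. The project's fatal-on-failure wrapper is the consistent choice here: `client->store.envvar = xstrdup("X509_USER_PROXY");`, `client->store.envval = xstrdup(p);` and `client->store.filename = xstrdup(p);`. Separately, `strchr((char *) export_cred.value, '=')` and the strcmp/strdup that follow treat the gss_buffer_desc as a NUL-terminated C string and never consult export_cred.length; whether this GSI gss_export_cred terminates its output is not visible in the hunk, and if it does not these reads run past the buffer, so that assumption should be confirmed or the parse bounded by export_cred.length. The `/* Initialize the GSI library */` comment would also benefit from noting that globus_module_activate is invoked on every userok/storecreds call and never paired with a deactivate, so a reader does not look for a missing cleanup.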
>@@ -53,10 +53,16 @@
> #ifdef KRB5
> extern ssh_gssapi_mech gssapi_kerberos_mech;
> #endif
>+#ifdef GSI
>+extern ssh_gssapi_mech gssapi_gsi_mech;
>+#endif
>
> ssh_gssapi_mech* supported_mechs[]= {
> #ifdef KRB5
> &gssapi_kerberos_mech,
>+#endif
>+#ifdef GSI
>+ &gssapi_gsi_mech,
> #endif
> &gssapi_null_mech,
> };