1 From 96ebc88bdb00bcf381a700049ad324ad0b0064b0 Mon Sep 17 00:00:00 2001
   2 From: oracle <solaris@oracle.com>
   3 Date: Mon, 3 Aug 2015 14:35:34 -0700
   4 Subject: [PATCH 08/36] GSS store creds for Solaris
   5 
   6 ---
   7  configure.ac    |  3 +++
   8  gss-serv-krb5.c |  7 ++++++-
   9  gss-serv.c      | 44 ++++++++++++++++++++++++++++++++++++++++++++
  10  servconf.c      |  4 ++++
  11  sshd.c          | 14 ++++++++++++++
  12  5 files changed, 71 insertions(+), 1 deletion(-)
  13 
  14 diff --git a/configure.ac b/configure.ac
  15 index b06cede..2985819 100644
  16 --- a/configure.ac
  17 +++ b/configure.ac
  18 @@ -939,6 +939,9 @@ mips-sony-bsd|mips-sony-newsos4)
  19                 ],
  20         )
  21         TEST_SHELL=$SHELL       # let configure find us a capable shell
  22 +       AC_DEFINE([USE_GSS_STORE_CRED], [1], [Use the Solaris-style GSS cred store])
  23 +       AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID], [1], [GSSAPI storecreds needs ruid])
  24 +       AC_DEFINE([HAVE_PAM_AUSER], [1], [pam_auser])
  25         ;;
  26  *-*-sunos4*)
  27         CPPFLAGS="$CPPFLAGS -DSUNOS4"
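Review bot: The three AC_DEFINEs are unconditional for this case arm, so USE_GSS_STORE_CRED is set whether or not the GSS library found later by configure actually exports gss_store_cred(); a feature probe (AC_CHECK_FUNCS or a link test against the GSS libraries) would turn a mismatched libgss into a configure-time message instead of a link failure. HAVE_PAM_AUSER is not referenced by any other hunk in this patch and is unrelated to the subject, so it would be clearer in its own commit or at least explained in the description. The case arm this hunk sits in begins outside the shown context.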
  28 diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
  29 index 795992d..6e6cff7 100644
  30 --- a/gss-serv-krb5.c
  31 +++ b/gss-serv-krb5.c
  32 @@ -110,7 +110,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
  33         return retval;
  34  }
  35  
  36 -
  37 +#ifndef USE_GSS_STORE_CRED
  38  /* This writes out any forwarded credentials from the structure populated
  39   * during userauth. Called after we have setuid to the user */
  40  
  41 @@ -196,6 +196,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
  42  
  43         return;
  44  }
  45 +#endif /* #ifndef USE_GSS_STORE_CRED */
  46  
  47  ssh_gssapi_mech gssapi_kerberos_mech = {
  48         "toWM5Slw5Ew8Mqkay+al2g==",
  49 @@ -204,7 +205,11 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
  50         NULL,
  51         &ssh_gssapi_krb5_userok,
  52         NULL,
  53 +#ifdef USE_GSS_STORE_CRED
  54 +       NULL
  55 +#else
  56         &ssh_gssapi_krb5_storecreds
  57 +#endif
  58  };
  59  
  60  #endif /* KRB5 */
  61 diff --git a/gss-serv.c b/gss-serv.c
  62 index 53993d6..209ffe8 100644
  63 --- a/gss-serv.c
  64 +++ b/gss-serv.c
  65 @@ -320,22 +320,66 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
  66  void
  67  ssh_gssapi_cleanup_creds(void)
  68  {
  69 +#ifdef USE_GSS_STORE_CRED
  70 +       debug("removing gssapi cred file not implemented");
  71 +#else
  72         if (gssapi_client.store.filename != NULL) {
  73                 /* Unlink probably isn't sufficient */
  74                 debug("removing gssapi cred file\"%s\"",
  75                     gssapi_client.store.filename);
  76                 unlink(gssapi_client.store.filename);
  77         }
  78 +#endif /* USE_GSS_STORE_CRED */
  79  }
  80  
  81  /* As user */
  82  void
  83  ssh_gssapi_storecreds(void)
  84  {
  85 +#ifdef USE_GSS_STORE_CRED
  86 +       OM_uint32 maj_status, min_status;
  87 +
  88 +       if (gssapi_client.creds == NULL) {
  89 +               debug("No credentials stored");
  90 +               return;
  91 +       }
  92 +
  93 +       maj_status = gss_store_cred(&min_status, gssapi_client.creds,
  94 +           GSS_C_INITIATE, &gssapi_client.mech->oid, 1, 1, NULL, NULL);
  95 +
  96 +       if (GSS_ERROR(maj_status)) {
  97 +               Buffer b;
  98 +               gss_buffer_desc msg;
  99 +               OM_uint32 lmin;
 100 +               OM_uint32 more = 0;
 101 +               buffer_init(&b);
 102 +               /* GSS-API error */
 103 +               do {
 104 +                       gss_display_status(&lmin, maj_status, GSS_C_GSS_CODE,
 105 +                           GSS_C_NULL_OID, &more, &msg);
 106 +                       buffer_append(&b, msg.value, msg.length);
 107 +                       buffer_put_char(&b, '\n');
 108 +                       gss_release_buffer(&lmin, &msg);
 109 +               } while (more != 0);
 110 +               /* Mechanism specific error */
 111 +               do {
 112 +                       gss_display_status(&lmin, min_status, GSS_C_MECH_CODE,
 113 +                           &gssapi_client.mech->oid, &more, &msg);
 114 +                       buffer_append(&b, msg.value, msg.length);
 115 +                       buffer_put_char(&b, '\n');
 116 +                       gss_release_buffer(&lmin, &msg);
 117 +               } while (more != 0);
 118 +               buffer_put_char(&b, '\0');
 119 +               error("GSS-API error while storing delegated credentials: %s",
 120 +                   buffer_ptr(&b));
 121 +               buffer_free(&b);
 122 +       }
 123 +#else  /* #ifdef USE_GSS_STORE_CRED */
 124         if (gssapi_client.mech && gssapi_client.mech->storecreds) {
 125                 (*gssapi_client.mech->storecreds)(&gssapi_client);
 126         } else
 127                 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
 128 +#endif /* #ifdef USE_GSS_STORE_CRED */
 129  }
 130  
 131  /* This allows GSSAPI methods to do things to the childs environment based
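Review bot: Under USE_GSS_STORE_CRED, ssh_gssapi_cleanup_creds() becomes a pure no-op, so credentials written by gss_store_cred() in ssh_gssapi_storecreds() with overwrite_cred and default_cred both set to 1 remain in the user's default cache after the session ends, and the servconf.c hunk turns `gssapicleanupcredentials` into an unsupported option, so an administrator has no way to ask for anything else. If that is intended, say so where the code is: replace the debug line with `/* Creds live in the user's default cache (gss_store_cred); there is no per-session file to remove. */` and label the two literal arguments, `GSS_C_INITIATE, &gssapi_client.mech->oid, 1 /* overwrite_cred */, 1 /* default_cred */, NULL, NULL);`. The error path never checks the return of gss_display_status(); if that call itself fails, msg is not guaranteed to have been set before buffer_append() reads msg.value, so a guard such as `if (GSS_ERROR(gss_display_status(...))) break;` in each loop would be safer. Reusing `more` across the two loops is fine only because the first loop exits with it at 0, which a short comment could note.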
 132 diff --git a/servconf.c b/servconf.c
 133 index 4ec6b57..ad884ec 100644
 134 --- a/servconf.c
 135 +++ b/servconf.c
 136 @@ -489,7 +489,11 @@ static struct {
 137         { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 138  #ifdef GSSAPI
 139         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 140 +#ifdef USE_GSS_STORE_CRED
 141 +       { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 142 +#else /* USE_GSS_STORE_CRED */
 143         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 144 +#endif /* USE_GSS_STORE_CRED */
 145         { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 146  #else
 147         { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 148 diff --git a/sshd.c b/sshd.c
 149 index 43d4650..84e1dee 100644
 150 --- a/sshd.c
 151 +++ b/sshd.c
 152 @@ -2234,9 +2234,23 @@ main(int ac, char **av)
 153  
 154  #ifdef GSSAPI
 155         if (options.gss_authentication) {
 156 +#ifdef GSSAPI_STORECREDS_NEEDS_RUID
 157 +               if (setreuid(authctxt->pw->pw_uid, -1) != 0) {
 158 +                       debug("setreuid %u: %.100s",
 159 +                           (u_int) authctxt->pw->pw_uid, strerror(errno));
 160 +                       goto bail_storecred;
 161 +               }
 162 +#endif
 163                 temporarily_use_uid(authctxt->pw);
 164                 ssh_gssapi_storecreds();
 165                 restore_uid();
 166 +#ifdef GSSAPI_STORECREDS_NEEDS_RUID
 167 +               if (setuid(geteuid()) != 0) {
 168 +                       fatal("setuid %u: %.100s", (u_int) geteuid(),
 169 +                           strerror(errno));
 170 +               }
 171 + bail_storecred: ;
 172 +#endif
 173         }
 174  #endif
 175  #ifdef USE_PAM
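Review bot: When setreuid() fails, the new code jumps to bail_storecred and skips ssh_gssapi_storecreds() entirely but reports it only at debug level, so the user's delegated credentials are silently dropped while the matching setuid() failure a few lines later is fatal(); the two failure modes deserve consistent treatment. Consider `error("setreuid %u: %.100s", (u_int) authctxt->pw->pw_uid, strerror(errno));` so the administrator sees why no cache was created, or a comment explaining why continuing without stored credentials is acceptable here. The `setuid(geteuid())` after restore_uid() presumably puts the real uid back to the saved-root value that setreuid() changed, but that depends on restore_uid() having restored the effective uid first; a comment such as `/* undo the setreuid() above: ruid back to euid */` would make the intent explicit. main() starts and ends outside this hunk.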
 176 -- 
 177 2.5.4 (Apple Git-61)