Sergio Gelato
2003-Sep-24 15:20 UTC
Patches for compatibility with Heimdal's libsia_krb5 SIA module
I have found the following patches to be desirable for using sshd on a
Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from
Heimdal.
These patches do the following:
1) preserve context between the password authentication and the session
setup phases. This is necessary because the Heimdal SIA module stores
Kerberos context information as mechanism-specific data in ent->mech[].
2) Allow for the KRB5CCNAME environment variable (potentially set in
session_setup_sia()) to be propagated to the session environment.
Caveat: I have only tested this with the BSD and Heimdal KRB5 modules,
not with OSFC2 or any other SIA module.
To do:
* clean up the Kerberos credentials cache at session exit. Unfortunately
SIA is not invoked at this time, so this cannot be done in the SIA module.
* review what happens if authentication succeeds but session_setup_sia() is
not invoked for some reason. Currently the sia_ses_release() clean-up
code will not be invoked in this case. For most SIA modules this shouldn't
matter, as resources will be released at process exit; but it would be
nice to get it right anyway.
-------------- next part --------------
diff -aruN openssh-3.7.1p2.orig/auth-passwd.c openssh-3.7.1p2/auth-passwd.c
--- openssh-3.7.1p2.orig/auth-passwd.c Thu Sep 18 10:26:48 2003
+++ openssh-3.7.1p2/auth-passwd.c Wed Sep 24 00:04:40 2003
@@ -42,6 +42,9 @@
#include "log.h"
#include "servconf.h"
#include "auth.h"
+#ifdef HAVE_OSF_SIA
+#include "auth-sia.h"
+#endif
#ifdef WITH_AIXAUTHENTICATE
# include "buffer.h"
# include "canohost.h"
diff -aruN openssh-3.7.1p2.orig/auth-sia.c openssh-3.7.1p2/auth-sia.c
--- openssh-3.7.1p2.orig/auth-sia.c Tue Jun 3 02:25:48 2003
+++ openssh-3.7.1p2/auth-sia.c Wed Sep 24 00:05:39 2003
@@ -31,6 +31,7 @@
#include "log.h"
#include "servconf.h"
#include "canohost.h"
+#include "xmalloc.h"
#include <sia.h>
#include <siad.h>
@@ -45,11 +46,12 @@
extern int saved_argc;
extern char **saved_argv;
+static SIAENTITY *ent = NULL;
+
int
auth_sia_password(Authctxt *authctxt, char *pass)
{
int ret;
- SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.use_dns);
@@ -57,6 +59,12 @@
if (!authctxt->user || pass == NULL || pass[0] == '\0')
return (0);
+ if (ent) {
+ debug("Releasing old SIAENTITY!");
+ sia_ses_release(&ent);
+ ent = NULL;
+ }
+
if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
NULL, 0, NULL) != SIASUCCESS)
return (0);
@@ -64,31 +72,36 @@
if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
error("Couldn't authenticate %s from %s",
authctxt->user, host);
- if (ret & SIASTOP)
+ if (ret & SIASTOP) {
sia_ses_release(&ent);
+ ent = NULL;
+ }
return (0);
}
- sia_ses_release(&ent);
-
return (1);
}
void
session_setup_sia(struct passwd *pw, char *tty)
{
- SIAENTITY *ent = NULL;
const char *host;
host = get_canonical_hostname(options.use_dns);
- if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
- tty, 0, NULL) != SIASUCCESS)
- fatal("sia_ses_init failed");
+ if (ent) {
+ if (tty)
+ ent->tty = xstrdup(tty);
+ } else {
+ if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
+ tty, 0, NULL) != SIASUCCESS)
+ fatal("sia_ses_init failed");
+ }
if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
sia_ses_release(&ent);
+ ent = NULL;
fatal("sia_make_entity_pwd failed");
}
@@ -102,6 +115,7 @@
pw->pw_name, host);
sia_ses_release(&ent);
+ ent = NULL;
if (setreuid(geteuid(), geteuid()) < 0)
fatal("setreuid: %s", strerror(errno));
diff -aruN openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c Wed Sep 24 00:04:41 2003
@@ -49,6 +49,9 @@
#include "bufaux.h"
#include "auth.h"
#include "auth-options.h"
+#ifdef HAVE_OSF_SIA
+#include "auth-sia.h"
+#endif
#include "pathnames.h"
#include "log.h"
#include "servconf.h"
-------------- next part --------------
diff -aruN openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c Wed Sep 24 00:02:15 2003
@@ -1093,6 +1093,14 @@
read_environment_file(&env, &envsize, "/etc/environment");
}
#endif
+#ifdef HAVE_OSF_SIA
+ {
+ char *cp;
+
+ if ((cp = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env, &envsize, "KRB5CCNAME", cp);
+ }
+#endif
#ifdef KRB5
if (s->authctxt->krb5_ticket_file)
child_set_env(&env, &envsize, "KRB5CCNAME",
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url :
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030924/cb239059/attachment.bin
Ben Lindstrom
2003-Sep-25 00:04 UTC
Patches for compatibility with Heimdal's libsia_krb5 SIA module
Is SIA used on any other platform besides Tru64/OSF? I'm thinking if not it should be moved to openbsd-compat/port-osf.[ch] and the two definitions put into openbsd-compat/openbsd-compat.h. - Ben On Wed, 24 Sep 2003, Sergio Gelato wrote:> I have found the following patches to be desirable for using sshd on a > Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from > Heimdal. > > These patches do the following: > > 1) preserve context between the password authentication and the session > setup phases. This is necessary because the Heimdal SIA module stores > Kerberos context information as mechanism-specific data in ent->mech[]. > > 2) Allow for the KRB5CCNAME environment variable (potentially set in > session_setup_sia()) to be propagated to the session environment. > > Caveat: I have only tested this with the BSD and Heimdal KRB5 modules, > not with OSFC2 or any other SIA module. > > To do: > > * clean up the Kerberos credentials cache at session exit. Unfortunately > SIA is not invoked at this time, so this cannot be done in the SIA module. > > * review what happens if authentication succeeds but session_setup_sia() is > not invoked for some reason. Currently the sia_ses_release() clean-up > code will not be invoked in this case. For most SIA modules this shouldn't > matter, as resources will be released at process exit; but it would be > nice to get it right anyway. >