Sergio Gelato
2003-Sep-24 15:20 UTC
Patches for compatibility with Heimdal's libsia_krb5 SIA module
I have found the following patches to be desirable for using sshd on a Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from Heimdal.
These patches do the following:
1) preserve context between the password authentication and the session setup phases. This is necessary because the Heimdal SIA module stores Kerberos context information as mechanism-specific data in ent->mech[].
2) Allow for the KRB5CCNAME environment variable (potentially set in session_setup_sia()) to be propagated to the session environment.
Caveat: I have only tested this with the BSD and Heimdal KRB5 modules, not with OSFC2 or any other SIA module.
To do:
* clean up the Kerberos credentials cache at session exit. Unfortunately SIA is not invoked at this time, so this cannot be done in the SIA module.
* review what happens if authentication succeeds but session_setup_sia() is not invoked for some reason. Currently the sia_ses_release() clean-up code will not be invoked in this case. For most SIA modules this shouldn't matter, as resources will be released at process exit; but it would be nice to get it right anyway.
-------------- next part --------------
diff -aruN openssh-3.7.1p2.orig/auth-passwd.c openssh-3.7.1p2/auth-passwd.c
--- openssh-3.7.1p2.orig/auth-passwd.c Thu Sep 18 10:26:48 2003
+++ openssh-3.7.1p2/auth-passwd.c Wed Sep 24 00:04:40 2003
@@ -42,6 +42,9 @@
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#ifdef HAVE_OSF_SIA
+#include "auth-sia.h"
+#endif
 #ifdef WITH_AIXAUTHENTICATE
 # include "buffer.h"
 # include "canohost.h"
diff -aruN openssh-3.7.1p2.orig/auth-sia.c openssh-3.7.1p2/auth-sia.c
--- openssh-3.7.1p2.orig/auth-sia.c Tue Jun 3 02:25:48 2003
+++ openssh-3.7.1p2/auth-sia.c Wed Sep 24 00:05:39 2003
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "servconf.h"
 #include "canohost.h"
+#include "xmalloc.h"
 #include <sia.h>
 #include <siad.h>
@@ -45,11 +46,12 @@ extern int saved_argc; extern char **saved_argv; +static SIAENTITY *ent = NULL; + int auth_sia_password(Authctxt *authctxt, char *pass) { int ret; - SIAENTITY *ent = NULL; const char *host; host = get_canonical_hostname(options.use_dns); @@ -57,6 +59,12 @@ if (!authctxt->user || pass == NULL || pass[0] == '\0') return (0); + if (ent) { + debug("Releasing old SIAENTITY!"); + sia_ses_release(&ent); + ent = NULL; + } + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, NULL, 0, NULL) != SIASUCCESS) return (0); @@ -64,31 +72,36 @@ if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { error("Couldn't authenticate %s from %s", authctxt->user, host); - if (ret & SIASTOP) + if (ret & SIASTOP) { sia_ses_release(&ent); + ent = NULL; + } return (0); } - sia_ses_release(&ent); - return (1); } void session_setup_sia(struct passwd *pw, char *tty) { - SIAENTITY *ent = NULL; const char *host; host = get_canonical_hostname(options.use_dns); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, - tty, 0, NULL) != SIASUCCESS) - fatal("sia_ses_init failed"); + if (ent) { + if (tty) + ent->tty = xstrdup(tty); + } else { + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, + tty, 0, NULL) != SIASUCCESS) + fatal("sia_ses_init failed"); + } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); + ent = NULL; fatal("sia_make_entity_pwd failed"); } @@ -102,6 +115,7 @@ pw->pw_name, host); sia_ses_release(&ent); + ent = NULL; if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid: %s", strerror(errno)); diff -aruN openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c --- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003 +++ openssh-3.7.1p2/session.c Wed Sep 24 00:04:41 2003 
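Review bot: The `if (ent)` branch added to session_setup_sia in the third hunk cannot tell an entity that passed sia_ses_authent apart from the residue of a failed attempt, because the failure path in the same hunk releases `ent` only when SIASTOP is set and `ent` is now file-static; if I read the flow right, a wrong password followed by a successful non-SIA authentication would hand a still-initialised but unauthenticated entity to sia_make_entity_pwd and the session establishment that follows. Unless the SIA contract requires keeping the entity after a non-SIASTOP failure, release it on every failure, i.e. replace the conditional with `sia_ses_release(&ent);` / `ent = NULL;` before the `return (0);`. The reuse branch also assigns `ent->tty = xstrdup(tty)` without freeing any value already stored there and reaches into the SIAENTITY rather than going through the SIA API; a short comment stating that this direct field write is intentional, and why sia_ses_init cannot be called again, would help the next reader. session_setup_sia continues past the end of the hunk.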
@@ -49,6 +49,9 @@
 #include "bufaux.h"
 #include "auth.h"
 #include "auth-options.h"
+#ifdef HAVE_OSF_SIA
+#include "auth-sia.h"
+#endif
 #include "pathnames.h"
 #include "log.h"
 #include "servconf.h"
-------------- next part --------------
diff -aruN openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c Wed Sep 24 00:02:15 2003
@@ -1093,6 +1093,14 @@
 read_environment_file(&env, &envsize, "/etc/environment");
 }
 #endif
+#ifdef HAVE_OSF_SIA
+ {
+ char *cp;
+
+ if ((cp = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env, &envsize, "KRB5CCNAME", cp);
+ }
+#endif
 #ifdef KRB5
 if (s->authctxt->krb5_ticket_file)
 child_set_env(&env, &envsize, "KRB5CCNAME",
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030924/cb239059/attachment.bin
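Review bot: The `getenv("KRB5CCNAME")` check in the second hunk reads sshd's own process environment, so a KRB5CCNAME inherited from wherever sshd was started (an administrator's shell, for instance) is copied into every user's session, not only a value the SIA module set for this particular session. Consider having session_setup_sia record the cache name it obtained and exporting only that (or clearing the variable from sshd's environment at startup), so a child never receives a credentials-cache name that belongs to another principal. The KRB5 block right after sets the same variable again, which presumably is harmless because the later child_set_env replaces the earlier entry, but a comment such as `/* value set by the SIA module; the KRB5 block below takes precedence */` would make the intended ordering explicit. The enclosing function starts and ends outside the hunk.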
Ben Lindstrom
2003-Sep-25 00:04 UTC
Patches for compatibility with Heimdal's libsia_krb5 SIA module
Is SIA used on any other platform besides Tru64/OSF? I'm thinking if not it should be moved to openbsd-compat/port-osf.[ch] and the two definitions put into openbsd-compat/openbsd-compat.h. - Ben On Wed, 24 Sep 2003, Sergio Gelato wrote:> I have found the following patches to be desirable for using sshd on a > Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from > Heimdal. > > These patches do the following: > > 1) preserve context between the password authentication and the session > setup phases. This is necessary because the Heimdal SIA module stores > Kerberos context information as mechanism-specific data in ent->mech[]. > > 2) Allow for the KRB5CCNAME environment variable (potentially set in > session_setup_sia()) to be propagated to the session environment. > > Caveat: I have only tested this with the BSD and Heimdal KRB5 modules, > not with OSFC2 or any other SIA module. > > To do: > > * clean up the Kerberos credentials cache at session exit. Unfortunately > SIA is not invoked at this time, so this cannot be done in the SIA module. > > * review what happens if authentication succeeds but session_setup_sia() is > not invoked for some reason. Currently the sia_ses_release() clean-up > code will not be invoked in this case. For most SIA modules this shouldn't > matter, as resources will be released at process exit; but it would be > nice to get it right anyway. >