Sergio Gelato
2004-Feb-27 00:59 UTC
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to those who wish to use KerberosGetAFSToken (currently requires Heimdal libkafs) in combination with GSSAPIDelegateCredentials. The patch is in the public domain and comes with no warranty whatsoever. Applies to pristine 3.8p1. Works for me on Solaris and Tru64. I'd probably have used Doug Engert's patch from 2004-01-30 if Heimdal's afslog command supported -setpag; although to be honest I don't really like the idea of children being able to change their parent's PAG. * modified files ./auth-krb5.c ./auth.h ./session.c * file diffs
--- orig/auth-krb5.c
+++ mod/auth-krb5.c
@@ -199,6 +199,25 @@
 return (1);
 }
+/*
+ * Mainly useful with GSSAPI Kerberos 5 forwarded credentials.
+ * Called after we have setuid to the user.
+ */
+void
+session_krb5_use_ccache(Authctxt *authctxt)
+{
+ char *ccname;
+ debug("session_krb5_use_ccache called");
+ if (authctxt->krb5_fwd_ccache)
+ return;
+ ccname = getenv("KRB5CCNAME");
+ if (!ccname)
+ return;
+ debug("using ccname=%.100s", ccname);
+ if (krb5_init(authctxt))
+ return;
+ krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);}
+
 void
 krb5_cleanup_proc(Authctxt *authctxt)
 {
--- orig/auth.h
+++ mod/auth.h
@@ -120,6 +120,7 @@
 int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 int auth_krb5_password(Authctxt *authctxt, const char *password);
 void krb5_cleanup_proc(Authctxt *authctxt);
+void session_krb5_use_ccache(Authctxt *authctxt);
 #endif /* KRB5 */
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
--- orig/session.c
+++ mod/session.c
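Review bot: The return value of krb5_cc_resolve() on the last line of session_krb5_use_ccache is discarded, so an unusable KRB5CCNAME value is neither logged nor visible to the session.c caller, which goes on to pass krb5_fwd_ccache to krb5_afslog(); check it and keep the field NULL on failure, e.g. `if (krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache)) { debug("krb5_cc_resolve failed for %.100s", ccname); authctxt->krb5_fwd_ccache = NULL; }`. Ownership is the larger concern: krb5_fwd_ccache is the cache that krb5_cleanup_proc, which begins in the context lines at the bottom of this hunk, destroys with krb5_cc_destroy() in stock 3.8p1, so if that is still its behaviour a fatal() cleanup in the child after this call would delete the user's delegated GSSAPI cache rather than sshd's own temporary one; a cache resolved from the user's environment belongs in a separate field, or should be released with krb5_cc_close() instead of destroyed. The header comment states the privilege assumption as an observation, but because the ccache name is read from the process environment it is only safe to resolve with the user's privileges, so I would make it a precondition: `/* Must only be called after privileges have been dropped to the user: the ccache name comes from KRB5CCNAME in the process environment. */`. On style, the closing brace is fused onto the krb5_cc_resolve line (`...krb5_fwd_ccache);}`); put `}` on its own line like the rest of auth-krb5.c.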
@@ -1462,20 +1462,22 @@
 * home directory is in AFS and it's not world-readable.
 */
- if (options.kerberos_get_afs_token && k_hasafs() &&
- (s->authctxt->krb5_ctx != NULL)) {
- char cell[64];
+ if (options.kerberos_get_afs_token && k_hasafs()) {
+ session_krb5_use_ccache(s->authctxt);
+ if (s->authctxt->krb5_ctx != NULL) {
+ char cell[64];
- debug("Getting AFS token");
+ debug("Getting AFS token");
- k_setpag();
+ k_setpag();
- if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
- krb5_afslog(s->authctxt->krb5_ctx,
- s->authctxt->krb5_fwd_ccache, cell, NULL);
+ if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+ krb5_afslog(s->authctxt->krb5_ctx,
+ s->authctxt->krb5_fwd_ccache, cell, NULL);
- krb5_afslog_home(s->authctxt->krb5_ctx,
- s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+ krb5_afslog_home(s->authctxt->krb5_ctx,
+ s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+ }
 }
 #endif
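Review bot: The inner `if (s->authctxt->krb5_ctx != NULL)` guard only covers the case where session_krb5_use_ccache() returned before krb5_init(); when krb5_init() succeeded but the subsequent krb5_cc_resolve() failed, krb5_ctx is set while krb5_fwd_ccache is still NULL, and that NULL is handed straight to krb5_afslog() and krb5_afslog_home(). Whether libkafs then falls back to the default cache or fails is a library detail this caller should not rely on, so test both fields: `if (s->authctxt->krb5_ctx != NULL && s->authctxt->krb5_fwd_ccache != NULL) {`. The function enclosing this block starts and ends outside the hunk. Re-indenting the whole body to add one nesting level also turns a two-line logical change into a twenty-line diff; calling the helper in its own guarded statement just before the original condition, `if (options.kerberos_get_afs_token && k_hasafs()) session_krb5_use_ccache(s->authctxt);`, would leave the existing block and its indentation untouched.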
Douglas E. Engert
2004-Feb-27 12:21 UTC
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Sergio Gelato wrote:
>
> Here is a patch I just wrote and tested which may be of interest to
> those who wish to use KerberosGetAFSToken (currently requires Heimdal
> libkafs) in combination with GSSAPIDelegateCredentials. The patch is
> in the public domain and comes with no warranty whatsoever. Applies
> to pristine 3.8p1. Works for me on Solaris and Tru64.
>
> I'd probably have used Doug Engert's patch from 2004-01-30 if Heimdal's
> afslog command supported -setpag; although to be honest I don't really
> like the idea of children being able to change their parent's PAG.
I have backed off on using the -setpag option, and added syscall(setpag...) code to the get_afs_token routine. I am also looking at making this a dynamic link, which would mean it could work with any Kerberos, does not require kafs, could always be compiled in and run on a system with or without AFS.
>
> * modified files
>
> ./auth-krb5.c
> ./auth.h
> ./session.c
>
> * file diffs
>
> --- orig/auth-krb5.c
> +++ mod/auth-krb5.c
> @@ -199,6 +199,25 @@
> return (1);
> }
>
> +/*
> + * Mainly useful with GSSAPI Kerberos 5 forwarded credentials.
> + * Called after we have setuid to the user.
> + */
> +void
> +session_krb5_use_ccache(Authctxt *authctxt)
> +{
> + char *ccname;
> + debug("session_krb5_use_ccache called");
> + if (authctxt->krb5_fwd_ccache)
> + return;
> + ccname = getenv("KRB5CCNAME");
> + if (!ccname)
> + return;
> + debug("using ccname=%.100s", ccname);
> + if (krb5_init(authctxt))
> + return;
> + krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);}
> +
> void
> krb5_cleanup_proc(Authctxt *authctxt)
> {
>
> --- orig/auth.h
> +++ mod/auth.h
> @@ -120,6 +120,7 @@
> int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
> int auth_krb5_password(Authctxt *authctxt, const char *password);
> void krb5_cleanup_proc(Authctxt *authctxt);
> +void session_krb5_use_ccache(Authctxt *authctxt);
> #endif /* KRB5 */
>
> #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
>
> --- orig/session.c
> +++ mod/session.c
> @@ -1462,20 +1462,22 @@
> * home directory is in AFS and it's not world-readable.
> */
>
> - if (options.kerberos_get_afs_token && k_hasafs() &&
> - (s->authctxt->krb5_ctx != NULL)) {
> - char cell[64];
> + if (options.kerberos_get_afs_token && k_hasafs()) {
> + session_krb5_use_ccache(s->authctxt);
> + if (s->authctxt->krb5_ctx != NULL) {
> + char cell[64];
>
> - debug("Getting AFS token");
> + debug("Getting AFS token");
>
> - k_setpag();
> + k_setpag();
>
> - if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
> - krb5_afslog(s->authctxt->krb5_ctx,
> - s->authctxt->krb5_fwd_ccache, cell, NULL);
> + if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
> + krb5_afslog(s->authctxt->krb5_ctx,
> + s->authctxt->krb5_fwd_ccache, cell, NULL);
>
> - krb5_afslog_home(s->authctxt->krb5_ctx,
> - s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
> + krb5_afslog_home(s->authctxt->krb5_ctx,
> + s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
> + }
> }
> #endif
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Douglas E. Engert <DEEngert at anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444