2003 Aug 10
9
updated gssapi diff
...clude "includes.h"
+
+#ifdef GSSAPI
+#ifdef KRB5
+
+#include "auth.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+
+#include "ssh-gss.h"
+
+extern ServerOptions options;
+
+#include <krb5.h>
+
+static krb5_context krb_context = NULL;
+
+/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+
+static int
+ssh_gssapi_krb5_init()
+{
+ krb5_error_code problem;
+
+ if (krb_context != NULL)
+ return 1;
+
+ problem = krb5_init_context(&krb_context);
+ if (problem) {
+ logit("Cannot initialize krb...
2005 Jul 06
0
[PATCH] Simplify Kerberos credentials cache code
...quot;mkstemp(): %.100s", strerror(errno));
- problem = errno;
- return;
- }
- if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
- problem = errno;
- return;
- }
- close(tmpfd);
- if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
- logit("krb5_cc_resolve(): %.100s",
- krb5_get_err_text(krb_context, problem));
- return;
- }
+ if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
+ logit("ssh_krb5_cc_gen(): %.100s",
+ krb5_get_err_text(krb_context, problem)...
2017 Jan 04
2
[PATCH] Set KRB5PRINCIPAL in user environment
...ss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
} else
retval = 0;
+#ifdef USE_PAM
+ if (options.use_pam)
+ do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value);
+#endif
+
krb5_free_principal(krb_context, princ);
return retval;
}
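Review bot: The added `do_pam_putenv("KRB5PRINCIPAL", ...)` call sits after the `if`/`else` that sets `retval`, so the variable is exported even on the `retval = 0` path, where the principal was not accepted for the account. Gating it on the result, `if (retval && options.use_pam)`, keeps a rejected principal out of the PAM environment that later modules and the session may read. The `(char *)` cast also treats `client->displayname.value` as a C string, although a GSS-API buffer carries an explicit `length` and is not guaranteed to be NUL-terminated; copying `displayname.length` bytes into a terminated buffer first would remove that assumption. The 2014 hunk further down that exports `GSS_AUTH_KRB5_PRINC` has the same placement and the same cast. The body of ssh_gssapi_krb5_userok starts outside the hunk, so the condition that sets `retval` is not visible here.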
--
2.11.0
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I
noticed that there is a bit of functionality missing from
OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using
GSS authentication.
Yes, ~/.k5login can be used to grant access to an account for
applications that support Kerberos, as does OpenSSH with those GSS
patches, but .k5login does not and cannot provide
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...{
@@ -98,24 +99,39 @@
ssh_gssapi_krb5_userok(char *name) {
krb5_principal princ;
int retval;
+ char *by;
+ Key k;
if (ssh_gssapi_krb5_init() == 0)
return 0;
-
+
+ k.type = KEY_NAME;
+ k.name = gssapi_client_name.value;
+ k.name_type = "krb5";
+
if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value,
&princ))) {
log("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context,retval));
return 0;
}
- if (krb5_kuserok(krb_context, princ, name)) {
+
+ /* Try authorized_keys first */
+ by = "authorized_keys";
+ retval = user_ke...
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
...return 0;
+ k.type = KEY_NAME;
+ k.name = gssapi_client_name.value;
+ k.name_len = strlen(gssapi_client_name.value);
+ k.name_type = "krb5";
+
+ debug3("ssh_gssapi_krb5_userok:");
+ debug3("ssh_gssapi_krb5_userok: %s", k.name_type);
+
if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value,
&princ))) {
log("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context,retval));
return 0;
}
+
+ retval2 = user_key_allowed(getpwnam(name), &k);
+ if (retval2 < 0) {
+ krb5_free_principal(krb_context, princ);
+ return 0;
+...
2017 Jan 06
2
[PATCH] Set KRB5PRINCIPAL in user environment
...api_krb5_userok(ssh_gssapi_client *client, char *name)
>> } else
>> retval = 0;
>>+#ifdef USE_PAM
>>+ if (options.use_pam)
>>+ do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value);
>>+#endif
>>+
>> krb5_free_principal(krb_context, princ);
>> return retval;
>> }
>Hello,
>
>this change request is already tracked as a bug #2063 [1] (with the
>related configuration option). Having this working in future releases
>would be very nice.
>
>[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2063
&...
2014 Dec 28
2
pubkey fingerprint and krb princ name in environment
...31.117551679 +0200
+++ gss-serv-krb5.c 2012-07-12 14:34:30.319020970 +0200
@@ -104,6 +104,11 @@
} else
retval = 0;
+#ifdef USE_PAM
+ if (options.use_pam)
+ do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
+#endif
+
krb5_free_principal(krb_context, princ);
return retval;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pubkey_fingerprint.patch
Type: text/x-diff
Size: 361 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141228/a4082cbc/attachment.bin&g...
2009 May 23
2
Memory leak caused by forwarded GSSAPI credential store
...privileged parent, we are calling ssh_gssapi_storecreds() which itself calls ssh_gssapi_krb5_storecreds(). ssh_gssapi_krb5_storecreds() makes some memory allocations in order to save the credentials store for the gssapi client.
+167 client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+168 client->store.envvar = "KRB5CCNAME";
+169 len = strlen(client->store.filename) + 6;
+170 client->store.envval = xmalloc(len);
+171 snprintf(client->store.envval, len, "FILE:%s", client->store.filename);...
2005 Aug 25
7
[Bug 1073] if userok rejects a user their creds still get set
...end of auth, the creds have
been forwarded and sshd is ready to set up the logged in user's environment; then
right at the last moment we decide not to allow gss to work - but sshd still
stores the creds it has
one line fix to this. In ssh_gssapi_krb5_userok, after failure do
krb5_free_creds(krb_context, client->creds);
this blows the forwarded creds away and so storecreds (called later ) does
nothing
2009 May 23
7
[Bug 1601] New: Memory leak caused by forwarded GSSAPI credential store
...e privileged parent, we are calling ssh_gssapi_storecreds() which
itself calls ssh_gssapi_krb5_storecreds(). ssh_gssapi_krb5_storecreds()
makes some memory allocations in order to save the credentials store
for the gssapi client.
+167 client->store.filename =
xstrdup(krb5_cc_get_name(krb_context, ccache));
+168 client->store.envvar = "KRB5CCNAME";
+169 len = strlen(client->store.filename) + 6;
+170 client->store.envval = xmalloc(len);
+171 snprintf(client->store.envval, len, "FILE:%s",
client->store.filename);...