| version 1.5.6.2, 2006/02/03 02:53:44 |
version 1.6, 2005/06/17 02:44:32 |
|
|
| #ifdef GSSAPI |
#ifdef GSSAPI |
| |
|
| #include "bufaux.h" |
#include "bufaux.h" |
| |
#include "compat.h" |
| #include "auth.h" |
#include "auth.h" |
| #include "log.h" |
#include "log.h" |
| #include "channels.h" |
#include "channels.h" |
| #include "session.h" |
#include "session.h" |
| #include "servconf.h" |
#include "servconf.h" |
| |
#include "monitor_wrap.h" |
| #include "xmalloc.h" |
#include "xmalloc.h" |
| #include "getput.h" |
#include "getput.h" |
| |
|
| #include "ssh-gss.h" |
#include "ssh-gss.h" |
| |
|
| |
extern ServerOptions options; |
| |
|
| static ssh_gssapi_client gssapi_client = |
static ssh_gssapi_client gssapi_client = |
| { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
| GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; |
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; |
|
|
| &gssapi_null_mech, |
&gssapi_null_mech, |
| }; |
}; |
| |
|
| /* Unprivileged */ |
/* Unpriviledged */ |
| void |
void |
| ssh_gssapi_supported_oids(gss_OID_set *oidset) |
ssh_gssapi_supported_oids(gss_OID_set *oidset) |
| { |
{ |
|
|
| * oid |
* oid |
| * credentials (from ssh_gssapi_acquire_cred) |
* credentials (from ssh_gssapi_acquire_cred) |
| */ |
*/ |
| /* Privileged */ |
/* Priviledged */ |
| OM_uint32 |
OM_uint32 |
| ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, |
ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, |
| gss_buffer_desc *send_tok, OM_uint32 *flags) |
gss_buffer_desc *send_tok, OM_uint32 *flags) |
|
|
| OM_uint32 offset; |
OM_uint32 offset; |
| OM_uint32 oidl; |
OM_uint32 oidl; |
| |
|
| tok = ename->value; |
tok=ename->value; |
| |
|
| /* |
/* |
| * Check that ename is long enough for all of the fixed length |
* Check that ename is long enough for all of the fixed length |
| * header, and that the initial ID bytes are correct |
* header, and that the initial ID bytes are correct |
| */ |
*/ |
| |
|
| if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0) |
if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0) |
| return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
| |
|
| /* |
/* |
|
|
| */ |
*/ |
| if (tok[4] != 0x06 || tok[5] != oidl || |
if (tok[4] != 0x06 || tok[5] != oidl || |
| ename->length < oidl+6 || |
ename->length < oidl+6 || |
| !ssh_gssapi_check_oid(ctx, tok+6, oidl)) |
!ssh_gssapi_check_oid(ctx,tok+6,oidl)) |
| return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
| |
|
| offset = oidl+6; |
offset = oidl+6; |
|
|
| return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
| |
|
| name->value = xmalloc(name->length+1); |
name->value = xmalloc(name->length+1); |
| memcpy(name->value, tok+offset,name->length); |
memcpy(name->value,tok+offset,name->length); |
| ((char *)name->value)[name->length] = 0; |
((char *)name->value)[name->length] = 0; |
| |
|
| return GSS_S_COMPLETE; |
return GSS_S_COMPLETE; |
|
|
| /* Extract the client details from a given context. This can only reliably |
/* Extract the client details from a given context. This can only reliably |
| * be called once for a context */ |
* be called once for a context */ |
| |
|
| /* Privileged (called from accept_secure_ctx) */ |
/* Priviledged (called from accept_secure_ctx) */ |
| OM_uint32 |
OM_uint32 |
| ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
| { |
{ |
|
|
| |
|
| if (gssapi_client.store.envvar != NULL && |
if (gssapi_client.store.envvar != NULL && |
| gssapi_client.store.envval != NULL) { |
gssapi_client.store.envval != NULL) { |
| |
|
| debug("Setting %s to %s", gssapi_client.store.envvar, |
debug("Setting %s to %s", gssapi_client.store.envvar, |
| gssapi_client.store.envval); |
gssapi_client.store.envval); |
| child_set_env(envp, envsizep, gssapi_client.store.envvar, |
child_set_env(envp, envsizep, gssapi_client.store.envvar, |
| gssapi_client.store.envval); |
gssapi_client.store.envval); |
| } |
} |
| } |
} |
| |
|
| /* Privileged */ |
/* Priviledged */ |
| int |
int |
| ssh_gssapi_userok(char *user) |
ssh_gssapi_userok(char *user) |
| { |
{ |
| OM_uint32 lmin; |
|
| |
|
| if (gssapi_client.exportedname.length == 0 || |
if (gssapi_client.exportedname.length == 0 || |
| gssapi_client.exportedname.value == NULL) { |
gssapi_client.exportedname.value == NULL) { |
| debug("No suitable client data"); |
debug("No suitable client data"); |
| return 0; |
return 0; |
| } |
} |
| if (gssapi_client.mech && gssapi_client.mech->userok) |
if (gssapi_client.mech && gssapi_client.mech->userok) |
| if ((*gssapi_client.mech->userok)(&gssapi_client, user)) |
return ((*gssapi_client.mech->userok)(&gssapi_client, user)); |
| return 1; |
|
| else { |
|
| /* Destroy delegated credentials if userok fails */ |
|
| gss_release_buffer(&lmin, &gssapi_client.displayname); |
|
| gss_release_buffer(&lmin, &gssapi_client.exportedname); |
|
| gss_release_cred(&lmin, &gssapi_client.creds); |
|
| memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); |
|
| return 0; |
|
| } |
|
| else |
else |
| debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); |
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); |
| return (0); |
return (0); |
| } |
} |
| |
|
| /* Privileged */ |
/* Priviledged */ |
| OM_uint32 |
OM_uint32 |
| ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
| { |
{ |
![[BACK]](/icons/back.gif){kind=icon}
Return to gss-serv.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh