gss-serv.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include "includes.h"
#ifdef GSSAPI
#pragma ident "%Z%%M% %I% %E% SMI"
#include "includes.h"
#include "ssh.h"
#include "ssh2.h"
#include "xmalloc.h"
#include "buffer.h"
#include "bufaux.h"
#include "packet.h"
#include "compat.h"
#include "cipher.h"
#include "kex.h"
#include "auth.h"
#include "log.h"
#include "channels.h"
#include "session.h"
#include "dispatch.h"
#include "servconf.h"
#include "uidswap.h"
#include "compat.h"
#include "monitor_wrap.h"
#include <pwd.h>
#include "ssh-gss.h"
extern char **environ;
extern ServerOptions options;
extern u_char *session_id2;
extern int session_id2_len;
void
{
}
void
{
int i;
if (!mechs) {
return;
}
if (supported != GSS_C_NULL_OID_SET) {
return;
}
debug("Could not allocate GSS-API resources (%s)",
return;
}
debug("No GSS-API mechanisms are installed");
return;
}
debug("Failed to acquire GSS-API credentials for any "
"mechanisms (%s)",
return;
continue;
debug("Could not allocate GSS-API resources (%s)",
return;
}
}
if (s->count) {
supported = s;
*mechs = s;
}
}
/* Wrapper around accept_sec_context
* Requires that the context contains:
* oid
* credentials (from ssh_gssapi_acquire_cred)
*/
/* Privileged */
{
/*
* Acquiring a cred for the ctx->desired_mech for GSS_C_NO_NAME
* may well be better than using GSS_C_NO_CREDENTIAL
* and then checking that ctx->desired_mech agrees with
* ctx->actual_mech...
*/
&ctx->actual_mech,
NULL,
&ctx->deleg_creds);
fatal("Zero length GSS context token output when continue needed");
debug2("Zero length GSS context error token output");
int present = 0;
debug("The client did not use the GSS-API mechanism it asked for");
/* Let it slide as long as the mech is supported */
if (supported != GSS_C_NULL_OID_SET)
(void) gss_test_oid_set_member(&min,
if (!present)
}
if (ctx->deleg_creds)
debug("Received delegated GSS credentials");
}
xxx_gssctxt = ctx;
}
}
/* As user - called through fatal cleanup hook */
void
{
#ifdef HAVE_GSS_STORE_CRED
/* pam_setcred() will take care of this */
return;
#else
return;
/*#error "Portability broken in cleanup of stored creds"*/
#endif /* HAVE_GSS_STORE_CRED */
}
void
{
#ifdef USE_PAM
#endif /* USE_PAM */
error("Missing context while storing GSS-API credentials");
return;
}
return;
ctx = xxx_gssctxt;
if (!options.gss_cleanup_creds ||
debug3("Not storing delegated GSS credentials"
" (none delegated)");
return;
}
debug3("Not storing delegated GSS credentials"
" for invalid user");
return;
}
debug("Storing delegated GSS-API credentials");
/*
* The GSS-API has a flaw in that it does not provide a
* mechanism by which delegated credentials can be made
* available for acquisition by GSS_Acquire_cred() et al.;
* gss_store_cred() is the proposed GSS-API extension for
* generically storing delegated credentials.
*
* gss_store_cred() does not speak to how credential stores are
* referenced. Generically this may be done by switching to the
* user context of the user in whose default credential store we
* wish to place delegated credentials. But environment
* variables could conceivably affect the choice of credential
* store as well, and perhaps in a mechanism-specific manner.
*
* SUNW -- On Solaris the euid selects the current credential
* store, but PAM modules could select alternate stores by
* setting, for example, KRB5CCNAME, so we also use the PAM
* environment temporarily.
*/
#ifdef HAVE_GSS_STORE_CRED
#ifdef USE_PAM
/*
* PAM may have set mechanism-specific variables (e.g.,
* KRB5CCNAME). fetch_pam_environment() protects against LD_*
* and other environment variables.
*/
#endif /* USE_PAM */
restore_uid();
} else {
/* only when logging in as the privileged user used by sshd */
}
#ifdef USE_PAM
#endif /* USE_PAM */
#else
#ifdef KRB5_GSS
#endif /* KRB5_GSS */
#ifdef GSI_GSS
#error "GSI krb5-specific code missing in ssh_gssapi_storecreds()"
#endif /* GSI_GSS */
/*#error "Mechanism-specific code missing in ssh_gssapi_storecreds()"*/
return;
#endif /* HAVE_GSS_STORE_CRED */
}
void
{
/*
*
* On Solaris there's nothing to do here as the GSS store and
* related environment variables are to be set by PAM, if at all
* (no environment variables are needed to address the default
* credential store -- the euid does that).
*/
#ifdef KRB5_GSS
#endif /* KRB5_GSS */
#ifdef GSI_GSS
#error "GSI krb5-specific code missing in ssh_gssapi_storecreds()"
#endif /* GSI_GSS */
return;
}
int
{
return (0);
}
return (0);
#ifdef HAVE___GSS_USEROK
{
int user_ok = 0;
&user_ok);
debug2("__GSS_userok() failed");
return (0);
}
if (user_ok)
return (1);
/* fall through */
}
#else
#ifdef GSSAPI_SIMPLE_USEROK
{
/* Mechanism-generic */
int eql;
GSS_C_NULL_OID, &iname);
"importing name for authorizing initiator");
goto failed_simple_userok;
}
goto failed_simple_userok;
}
goto failed_simple_userok;
}
&ename2);
"exporting client principal name");
goto failed_simple_userok;
}
if (eql)
return (1);
/* fall through */
}
#endif /* GSSAPI_SIMPLE_USEROK */
#ifdef HAVE_GSSCRED_API
{
/* Mechanism-generic, Solaris-specific */
return (1);
/* fall through */
}
#endif /* HAVE_GSSCRED_API */
#ifdef KRB5_GSS
return (1);
#endif /* KRB5_GSS */
#ifdef GSI_GSS
return (1);
#endif /* GSI_GSS */
#endif /* HAVE___GSS_USEROK */
/* default to not authorized */
return (0);
}
char *
{
return (NULL);
}
debug2("Mapping initiator GSS-API principal to local username");
#ifdef HAVE_GSSCRED_API
{
/* Mechanism-generic, Solaris-specific */
goto failed_gsscred_localname;
goto failed_gsscred_localname;
goto failed_gsscred_localname;
}
#endif /* HAVE_GSSCRED_API */
#ifdef KRB5_GSS
#error "ssh_gssapi_krb5_localname() not implemented"
#endif /* KRB5_GSS */
#ifdef GSI_GSS
#error "ssh_gssapi_gsi_localname() not implemented"
#endif /* GSI_GSS */
return (NULL);
}
#endif /*GSSAPI */