Attachment #874478 for bug #795135

View | Details | Raw Unified | Return to bug 795135
Collapse All | Expand All




#include <unistd.h>
#include <string.h>
#include <krb5.h>
#include <profile.h>

extern ServerOptions	 options;


#endif
	krb5_error_code problem;
	krb5_ccache ccache = NULL;
	char *ticket_name = NULL;
	char *client, *platform_client;
	const char *errmsg;


		goto out;
	}

	problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
	     &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
	if (problem)
		goto out;


		goto out;
#endif

	problem = krb5_cc_get_full_name(authctxt->krb5_ctx,
	    authctxt->krb5_fwd_ccache, &ticket_name);

	authctxt->krb5_ccname = xstrdup(ticket_name);
	krb5_free_string(authctxt->krb5_ctx, ticket_name);
	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
	    authctxt->krb5_ticket_file);

#ifdef USE_PAM
	if (options.use_pam && authctxt->krb5_set_env)
		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif


void
krb5_cleanup_proc(Authctxt *authctxt)
{
	struct stat krb5_ccname_stat;
	char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;

	debug("krb5_cleanup_proc called");
	if (authctxt->krb5_fwd_ccache) {
		krb5_context ctx = authctxt->krb5_ctx;
		krb5_cccol_cursor cursor;
		krb5_ccache ccache;
		int ret;

		krb5_cc_destroy(ctx, authctxt->krb5_fwd_ccache);
		authctxt->krb5_fwd_ccache = NULL;

		ret = krb5_cccol_cursor_new(ctx, &cursor);
		if (ret)
			goto out;

		ret = krb5_cccol_cursor_next(ctx, cursor, &ccache);
		if (ret == 0 && ccache != NULL) {
			/* There is at least one other ccache in collection
			 * we can switch to */
			krb5_cc_switch(ctx, ccache);
		} else if (authctxt->krb5_ccname != NULL) {
			/* Clean up the collection too */
			strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
			krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
			*krb5_ccname_dir_start++ = '\0';
			if (strcmp(krb5_ccname, "DIR") == 0) {

				strcat(krb5_ccname_dir_start, "/primary");

				if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
					if (unlink(krb5_ccname_dir_start) == 0) {
						krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
						*krb5_ccname_dir_end = '\0';
						if (rmdir(krb5_ccname_dir_start) == -1)
							debug("cache dir '%s' remove failed: %s",
							    krb5_ccname_dir_start, strerror(errno));
					}
					else
						debug("cache primary file '%s', remove failed: %s",
						    krb5_ccname_dir_start, strerror(errno));
				}
			}
		}
		krb5_cccol_cursor_free(ctx, &cursor);
	}
out:
	if (authctxt->krb5_user) {
		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
		authctxt->krb5_user = NULL;

	}
}

#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
	int tmpfd, ret, oerrno;
	char ccname[40];
	mode_t old_umask;

#if !defined(HEIMDAL)
int
ssh_asprintf_append(char **dsc, const char *fmt, ...) {
	char *src, *old;
	va_list ap;
	int i;

	va_start(ap, fmt);
	i = vasprintf(&src, fmt, ap);
	va_end(ap);

	if (i == -1 || src == NULL)
		return -1;

	old = *dsc;

	i = asprintf(dsc, "%s%s", *dsc, src);
	if (i == -1 || src == NULL) {
		free(src);
		return -1;
	}

	free(old);
	free(src);

	return i;
}

int
ssh_krb5_expand_template(char **result, const char *template) {
	char *p_n, *p_o, *r, *tmp_template;

	debug3_f("called, template = %s", template);
	if (template == NULL)
		return -1;

	tmp_template = p_n = p_o = xstrdup(template);
	r = xstrdup("");

	while ((p_n = strstr(p_o, "%{")) != NULL) {

		*p_n++ = '\0';
		if (ssh_asprintf_append(&r, "%s", p_o) == -1)
			goto cleanup;

		if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
			strncmp(p_n, "{USERID}", 8) == 0) {
			p_o = strchr(p_n, '}') + 1;
			if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
				goto cleanup;
			continue;
		}
		else if (strncmp(p_n, "{TEMP}", 6) == 0) {
			p_o = strchr(p_n, '}') + 1;
			if (ssh_asprintf_append(&r, "/tmp") == -1)
				goto cleanup;
			continue;
		} else {
			p_o = strchr(p_n, '}') + 1;
			*p_o = '\0';
			debug_f("unsupported token %s in %s", p_n, template);
			/* unknown token, fallback to the default */
			goto cleanup;
		}
	}

	if (ssh_asprintf_append(&r, "%s", p_o) == -1)
		goto cleanup;

	*result = r;
	free(tmp_template);
	return 0;

cleanup:
	free(r);
	free(tmp_template);
	return -1;
}

krb5_error_code
ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
	profile_t p;
	int ret = 0;
	char *value = NULL;

	debug3_f("called");
	ret = krb5_get_profile(ctx, &p);
	if (ret)
		return ret;

	ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
	if (ret || !value)
		return ret;

	ret = ssh_krb5_expand_template(ccname, value);

	debug3_f("returning with ccname = %s", *ccname);
	return ret;
}

krb5_error_code
ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
	int tmpfd, ret, oerrno, type_len;
	char *ccname = NULL;
	mode_t old_umask;
	char *type = NULL, *colon = NULL;

	debug3_f("called");
	if (need_environment)
		*need_environment = 0;
	ret = ssh_krb5_get_cctemplate(ctx, &ccname);
	if (ret || !ccname || options.kerberos_unique_ccache) {
		/* Otherwise, go with the old method */
		if (ccname)
			free(ccname);
		ccname = NULL;

		ret = asprintf(&ccname,
		    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
		if (ret < 0)
			return ENOMEM;

		old_umask = umask(0177);
		tmpfd = mkstemp(ccname + strlen("FILE:"));
		oerrno = errno;
		umask(old_umask);
		if (tmpfd == -1) {
			logit("mkstemp(): %.100s", strerror(oerrno));
			return oerrno;
		}

		if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
			oerrno = errno;
			logit("fchmod(): %.100s", strerror(oerrno));
			close(tmpfd);
			return oerrno;
		}
		/* make sure the KRB5CCNAME is set for non-standard location */
		if (need_environment)
			*need_environment = 1;
		close(tmpfd);
		return oerrno;
	}
	close(tmpfd);

	debug3_f("setting default ccname to %s", ccname);
	/* set the default with already expanded user IDs */
	ret = krb5_cc_set_default_name(ctx, ccname);
	if (ret)
		return ret;

	if ((colon = strstr(ccname, ":")) != NULL) {
		type_len = colon - ccname;
		type = malloc((type_len + 1) * sizeof(char));
		if (type == NULL)
			return ENOMEM;
		strncpy(type, ccname, type_len);
		type[type_len] = 0;
	} else {
		type = strdup(ccname);
	}

	/* If we have a credential cache from krb5.conf, we need to switch
	 * a primary cache for this collection, if it supports that (non-FILE)
	 */
	if (krb5_cc_support_switch(ctx, type)) {
		debug3_f("calling cc_new_unique(%s)", ccname);
		ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
		free(type);
		if (ret)
			return ret;

		debug3_f("calling cc_switch()");
		return krb5_cc_switch(ctx, *ccache);
	} else {
		/* Otherwise, we can not create a unique ccname here (either
		 * it is already unique from above or the type does not support
		 * collections
		 */
		free(type);
		debug3_f("calling cc_resolve(%s)", ccname);
		return (krb5_cc_resolve(ctx, ccname, ccache));
	}
}
#endif /* !HEIMDAL */
#endif /* KRB5 */

Lines 82-87 struct Authctxt { Link Here

(-)a/auth.h (-1 / +2 lines)
82	krb5_principal krb5_user;	82	krb5_principal krb5_user;
83	char *krb5_ticket_file;	83	char *krb5_ticket_file;
84	char *krb5_ccname;	84	char *krb5_ccname;
		85	int krb5_set_env;
85	#endif	86	#endif
86	struct sshbuf *loginmsg;	87	struct sshbuf *loginmsg;
87		88
Lines 241-247 FILE auth_openprincipals(const char , struct passwd *, int); Link Here
241	int sys_auth_passwd(struct ssh , const char );	242	int sys_auth_passwd(struct ssh , const char );
242		243
243	#if defined(KRB5) && !defined(HEIMDAL)	244	#if defined(KRB5) && !defined(HEIMDAL)
244	krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);	245	krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache , int );
245	#endif	246	#endif
246		247
247	#endif /* AUTH_H */	248	#endif /* AUTH_H */




/* This writes out any forwarded credentials from the structure populated
 * during userauth. Called after we have setuid to the user */

static int
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
	krb5_ccache ccache;

	krb5_principal princ;
	OM_uint32 maj_status, min_status;
	int len;
	const char *new_ccname, *new_cctype;
	const char *errmsg;
	int set_env = 0;

	if (client->creds == NULL) {
		debug("No credentials stored");
		return 0;
	}

	if (ssh_gssapi_krb5_init() == 0)
		return 0;

#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE

		krb5_get_err_text(krb_context, problem));
# endif
		krb5_free_error_message(krb_context, errmsg);
		return 0;
	}
#else
	if ((problem = ssh_krb5_cc_new_unique(krb_context, &ccache, &set_env)) != 0) {
		errmsg = krb5_get_error_message(krb_context, problem);
		logit("ssh_krb5_cc_new_unique(): %.100s", errmsg);
		krb5_free_error_message(krb_context, errmsg);
		return 0;
	}
#endif	/* #ifdef HEIMDAL */


		errmsg = krb5_get_error_message(krb_context, problem);
		logit("krb5_parse_name(): %.100s", errmsg);
		krb5_free_error_message(krb_context, errmsg);
		return 0;
	}

	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {

		krb5_free_error_message(krb_context, errmsg);
		krb5_free_principal(krb_context, princ);
		krb5_cc_destroy(krb_context, ccache);
		return 0;
	}

	krb5_free_principal(krb_context, princ);

	    client->creds, ccache))) {
		logit("gss_krb5_copy_ccache() failed");
		krb5_cc_destroy(krb_context, ccache);
		return 0;
	}
	new_cctype = krb5_cc_get_type(krb_context, ccache);
	new_ccname = krb5_cc_get_name(krb_context, ccache);

	xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);

	if (set_env) {
		client->store.envvar = "KRB5CCNAME";
	}
	if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
		client->store.filename = xstrdup(new_ccname);

#ifdef USE_PAM
	if (options.use_pam && set_env)
		do_pam_putenv(client->store.envvar, client->store.envval);
#endif

	krb5_cc_close(krb_context, ccache);

	return set_env;
}

ssh_gssapi_mech gssapi_kerberos_mech = {

Lines 328-340 ssh_gssapi_cleanup_creds(void) Link Here

(-)a/gss-serv.c (-2 / +4 lines)
328	}	328	}
329		329
330	/* As user */	330	/* As user */
331	void	331	int
332	ssh_gssapi_storecreds(void)	332	ssh_gssapi_storecreds(void)
333	{	333	{
334	if (gssapi_client.mech && gssapi_client.mech->storecreds) {	334	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
335	(*gssapi_client.mech->storecreds)(&gssapi_client);	335	return (*gssapi_client.mech->storecreds)(&gssapi_client);
336	} else	336	} else
337	debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");	337	debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
		338
		339	return 0;
338	}	340	}
339		341
340	/* This allows GSSAPI methods to do things to the child's environment based	342	/* This allows GSSAPI methods to do things to the child's environment based

Lines 133-138 initialize_server_options(ServerOptions *options) Link Here

(-)a/servconf.c (-1 / +11 lines)
133	options->kerberos_or_local_passwd = -1;	133	options->kerberos_or_local_passwd = -1;
134	options->kerberos_ticket_cleanup = -1;	134	options->kerberos_ticket_cleanup = -1;
135	options->kerberos_get_afs_token = -1;	135	options->kerberos_get_afs_token = -1;
		136	options->kerberos_unique_ccache = -1;
136	options->gss_authentication=-1;	137	options->gss_authentication=-1;
137	options->gss_cleanup_creds = -1;	138	options->gss_cleanup_creds = -1;
138	options->gss_strict_acceptor = -1;	139	options->gss_strict_acceptor = -1;
Lines 356-361 fill_default_server_options(ServerOptions *options) Link Here
356	options->kerberos_ticket_cleanup = 1;	357	options->kerberos_ticket_cleanup = 1;
357	if (options->kerberos_get_afs_token == -1)	358	if (options->kerberos_get_afs_token == -1)
358	options->kerberos_get_afs_token = 0;	359	options->kerberos_get_afs_token = 0;
		360	if (options->kerberos_unique_ccache == -1)
		361	options->kerberos_unique_ccache = 0;
359	if (options->gss_authentication == -1)	362	if (options->gss_authentication == -1)
360	options->gss_authentication = 0;	363	options->gss_authentication = 0;
361	if (options->gss_cleanup_creds == -1)	364	if (options->gss_cleanup_creds == -1)
Lines 503-509 typedef enum { Link Here
503	sPort, sHostKeyFile, sLoginGraceTime,	506	sPort, sHostKeyFile, sLoginGraceTime,
504	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,	507	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
505	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,	508	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
506	sKerberosGetAFSToken, sPasswordAuthentication,	509	sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
507	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,	510	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
508	sPrintMotd, sPrintLastLog, sIgnoreRhosts,	511	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
509	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,	512	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
Lines 589-599 static struct { Link Here
589	#else	592	#else
590	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },	593	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
591	#endif	594	#endif
		595	{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
592	#else	596	#else
593	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },	597	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
594	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },	598	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
595	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },	599	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
596	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },	600	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
		601	{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
597	#endif	602	#endif
598	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },	603	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
599	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },	604	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
Lines 1645-1650 process_server_config_line_depth(ServerOptions options, char line, Link Here
1645	intptr = &options->kerberos_get_afs_token;	1650	intptr = &options->kerberos_get_afs_token;
1646	goto parse_flag;	1651	goto parse_flag;
1647		1652
		1653	case sKerberosUniqueCCache:
		1654	intptr = &options->kerberos_unique_ccache;
		1655	goto parse_flag;
		1656
1648	case sGssAuthentication:	1657	case sGssAuthentication:
1649	intptr = &options->gss_authentication;	1658	intptr = &options->gss_authentication;
1650	goto parse_flag;	1659	goto parse_flag;
Lines 3027-3032 dump_config(ServerOptions *o) Link Here
3027	# ifdef USE_AFS	3036	# ifdef USE_AFS
3028	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);	3037	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
3029	# endif	3038	# endif
		3039	dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
3030	#endif	3040	#endif
3031	#ifdef GSSAPI	3041	#ifdef GSSAPI
3032	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);	3042	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);

Lines 140-145 typedef struct { Link Here

(-)a/servconf.h (+2 lines)
140	* file on logout. */	140	* file on logout. */
141	int kerberos_get_afs_token; /* If true, try to get AFS token if	141	int kerberos_get_afs_token; /* If true, try to get AFS token if
142	* authenticated with Kerberos. */	142	* authenticated with Kerberos. */
		143	int kerberos_unique_ccache; /* If true, the acquired ticket will
		144	* be stored in per-session ccache */
143	int gss_authentication; /* If true, permit GSSAPI authentication */	145	int gss_authentication; /* If true, permit GSSAPI authentication */
144	int gss_cleanup_creds; /* If true, destroy cred cache on logout */	146	int gss_cleanup_creds; /* If true, destroy cred cache on logout */
145	int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */	147	int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */

Lines 1013-1019 do_setup_env(struct ssh ssh, Session s, const char *shell) Link Here

(-)a/session.c (-2 / +3 lines)
1013	/* Allow any GSSAPI methods that we've used to alter	1013	/* Allow any GSSAPI methods that we've used to alter
1014	* the child's environment as they see fit	1014	* the child's environment as they see fit
1015	*/	1015	*/
1016	ssh_gssapi_do_child(&env, &envsize);	1016	if (s->authctxt->krb5_set_env)
		1017	ssh_gssapi_do_child(&env, &envsize);
1017	#endif	1018	#endif
1018		1019
1019	/* Set basic environment. */	1020	/* Set basic environment. */
Lines 1089-1095 do_setup_env(struct ssh ssh, Session s, const char *shell) Link Here
1089	}	1090	}
1090	#endif	1091	#endif
1091	#ifdef KRB5	1092	#ifdef KRB5
1092	if (s->authctxt->krb5_ccname)	1093	if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
1093	child_set_env(&env, &envsize, "KRB5CCNAME",	1094	child_set_env(&env, &envsize, "KRB5CCNAME",
1094	s->authctxt->krb5_ccname);	1095	s->authctxt->krb5_ccname);
1095	#endif	1096	#endif

Lines 83-89 typedef struct ssh_gssapi_mech_struct { Link Here

(-)a/ssh-gss.h (-2 / +2 lines)
83	int (dochild) (ssh_gssapi_client );	83	int (dochild) (ssh_gssapi_client );
84	int (userok) (ssh_gssapi_client , char *);	84	int (userok) (ssh_gssapi_client , char *);
85	int (localname) (ssh_gssapi_client , char **);	85	int (localname) (ssh_gssapi_client , char **);
86	void (storecreds) (ssh_gssapi_client );	86	int (storecreds) (ssh_gssapi_client );
87	} ssh_gssapi_mech;	87	} ssh_gssapi_mech;
88		88
89	typedef struct {	89	typedef struct {
Lines 131-137 int ssh_gssapi_userok(char *name); Link Here
131	OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);	131	OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
132	void ssh_gssapi_do_child(char **, u_int );	132	void ssh_gssapi_do_child(char **, u_int );
133	void ssh_gssapi_cleanup_creds(void);	133	void ssh_gssapi_cleanup_creds(void);
134	void ssh_gssapi_storecreds(void);	134	int ssh_gssapi_storecreds(void);
135	const char *ssh_gssapi_displayname(void);	135	const char *ssh_gssapi_displayname(void);
136		136
137	#endif /* GSSAPI */	137	#endif /* GSSAPI */

Lines 2292-2298 main(int ac, char **av) Link Here

(-)a/sshd.c (-1 / +1 lines)
2292	#ifdef GSSAPI	2292	#ifdef GSSAPI
2293	if (options.gss_authentication) {	2293	if (options.gss_authentication) {
2294	temporarily_use_uid(authctxt->pw);	2294	temporarily_use_uid(authctxt->pw);
2295	ssh_gssapi_storecreds();	2295	authctxt->krb5_set_env = ssh_gssapi_storecreds();
2296	restore_uid();	2296	restore_uid();
2297	}	2297	}
2298	#endif	2298	#endif

Lines 994-999 Specifies whether to automatically destroy the user's ticket cache Link Here

(-)a/sshd_config.5 (-1 / +8 lines)
994	file on logout.	994	file on logout.
995	The default is	995	The default is
996	.Cm yes .	996	.Cm yes .
		997	.It Cm KerberosUniqueCCache
		998	Specifies whether to store the acquired tickets in the per-session credential
		999	cache under /tmp/ or whether to use per-user credential cache as configured in
		1000	.Pa /etc/krb5.conf .
		1001	The default value
		1002	.Cm no
		1003	can lead to overwriting previous tickets by subseqent connections to the same
		1004	user account.
997	.It Cm KexAlgorithms	1005	.It Cm KexAlgorithms
998	Specifies the available KEX (Key Exchange) algorithms.	1006	Specifies the available KEX (Key Exchange) algorithms.
999	Multiple algorithms must be comma-separated.	1007	Multiple algorithms must be comma-separated.
1000	-

Return to bug 795135

Lines 113-119 ssh_gssapi_krb5_userok(ssh_gssapi_client client, char name) Link Here

(-)a/gss-serv-krb5.c (-17 / +23 lines)
113	/* This writes out any forwarded credentials from the structure populated	113	/* This writes out any forwarded credentials from the structure populated
114	* during userauth. Called after we have setuid to the user */	114	* during userauth. Called after we have setuid to the user */
115		115
116	static void	116	static int
117	ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)	117	ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
118	{	118	{
119	krb5_ccache ccache;	119	krb5_ccache ccache;
Lines 121-135 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) Link Here
121	krb5_principal princ;	121	krb5_principal princ;
122	OM_uint32 maj_status, min_status;	122	OM_uint32 maj_status, min_status;
123	int len;	123	int len;
		124	const char new_ccname, new_cctype;
124	const char *errmsg;	125	const char *errmsg;
		126	int set_env = 0;
125		127
126	if (client->creds == NULL) {	128	if (client->creds == NULL) {
127	debug("No credentials stored");	129	debug("No credentials stored");
128	return;	130	return 0;
129	}	131	}
130		132
131	if (ssh_gssapi_krb5_init() == 0)	133	if (ssh_gssapi_krb5_init() == 0)
132	return;	134	return 0;
133		135
134	#ifdef HEIMDAL	136	#ifdef HEIMDAL
135	# ifdef HAVE_KRB5_CC_NEW_UNIQUE	137	# ifdef HAVE_KRB5_CC_NEW_UNIQUE
Lines 143-156 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) Link Here
143	krb5_get_err_text(krb_context, problem));	145	krb5_get_err_text(krb_context, problem));
144	# endif	146	# endif
145	krb5_free_error_message(krb_context, errmsg);	147	krb5_free_error_message(krb_context, errmsg);
146	return;	148	return 0;
147	}	149	}
148	#else	150	#else
149	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {	151	if ((problem = ssh_krb5_cc_new_unique(krb_context, &ccache, &set_env)) != 0) {
150	errmsg = krb5_get_error_message(krb_context, problem);	152	errmsg = krb5_get_error_message(krb_context, problem);
151	logit("ssh_krb5_cc_gen(): %.100s", errmsg);	153	logit("ssh_krb5_cc_new_unique(): %.100s", errmsg);
152	krb5_free_error_message(krb_context, errmsg);	154	krb5_free_error_message(krb_context, errmsg);
153	return;	155	return 0;
154	}	156	}
155	#endif /* #ifdef HEIMDAL */	157	#endif /* #ifdef HEIMDAL */
156		158
Lines 159-165 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) Link Here
159	errmsg = krb5_get_error_message(krb_context, problem);	161	errmsg = krb5_get_error_message(krb_context, problem);
160	logit("krb5_parse_name(): %.100s", errmsg);	162	logit("krb5_parse_name(): %.100s", errmsg);
161	krb5_free_error_message(krb_context, errmsg);	163	krb5_free_error_message(krb_context, errmsg);
162	return;	164	return 0;
163	}	165	}
164		166
165	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {	167	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
Lines 168-174 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) Link Here
168	krb5_free_error_message(krb_context, errmsg);	170	krb5_free_error_message(krb_context, errmsg);
169	krb5_free_principal(krb_context, princ);	171	krb5_free_principal(krb_context, princ);
170	krb5_cc_destroy(krb_context, ccache);	172	krb5_cc_destroy(krb_context, ccache);
171	return;	173	return 0;
172	}	174	}
173		175
174	krb5_free_principal(krb_context, princ);	176	krb5_free_principal(krb_context, princ);
Lines 177-199 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) Link Here
177	client->creds, ccache))) {	179	client->creds, ccache))) {
178	logit("gss_krb5_copy_ccache() failed");	180	logit("gss_krb5_copy_ccache() failed");
179	krb5_cc_destroy(krb_context, ccache);	181	krb5_cc_destroy(krb_context, ccache);
180	return;	182	return 0;
181	}	183	}
		184	new_cctype = krb5_cc_get_type(krb_context, ccache);
		185	new_ccname = krb5_cc_get_name(krb_context, ccache);
182		186
183	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));	187	xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
184	client->store.envvar = "KRB5CCNAME";	188
185	len = strlen(client->store.filename) + 6;	189	if (set_env) {
186	client->store.envval = xmalloc(len);	190	client->store.envvar = "KRB5CCNAME";
187	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);	191	}
		192	if ((strcmp(new_cctype, "FILE") == 0) \|\| (strcmp(new_cctype, "DIR") == 0))
		193	client->store.filename = xstrdup(new_ccname);
188		194
189	#ifdef USE_PAM	195	#ifdef USE_PAM
190	if (options.use_pam)	196	if (options.use_pam && set_env)
191	do_pam_putenv(client->store.envvar, client->store.envval);	197	do_pam_putenv(client->store.envvar, client->store.envval);
192	#endif	198	#endif
193		199
194	krb5_cc_close(krb_context, ccache);	200	krb5_cc_close(krb_context, ccache);
195		201
196	return;	202	return set_env;
197	}	203	}
198		204
199	ssh_gssapi_mech gssapi_kerberos_mech = {	205	ssh_gssapi_mech gssapi_kerberos_mech = {

Lines 51-56 Link Here

(-)a/auth-krb5.c (-33 / +228 lines)
51	#include <unistd.h>	51	#include <unistd.h>
52	#include <string.h>	52	#include <string.h>
53	#include <krb5.h>	53	#include <krb5.h>
		54	#include <profile.h>
54		55
55	extern ServerOptions options;	56	extern ServerOptions options;
56		57
Lines 77-83 auth_krb5_password(Authctxt authctxt, const char password) Link Here
77	#endif	78	#endif
78	krb5_error_code problem;	79	krb5_error_code problem;
79	krb5_ccache ccache = NULL;	80	krb5_ccache ccache = NULL;
80	int len;	81	char *ticket_name = NULL;
81	char client, platform_client;	82	char client, platform_client;
82	const char *errmsg;	83	const char *errmsg;
83		84
Lines 163-170 auth_krb5_password(Authctxt authctxt, const char password) Link Here
163	goto out;	164	goto out;
164	}	165	}
165		166
166	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,	167	problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
167	&authctxt->krb5_fwd_ccache);	168	&authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
168	if (problem)	169	if (problem)
169	goto out;	170	goto out;
170		171
Lines 179-193 auth_krb5_password(Authctxt authctxt, const char password) Link Here
179	goto out;	180	goto out;
180	#endif	181	#endif
181		182
182	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);	183	problem = krb5_cc_get_full_name(authctxt->krb5_ctx,
		184	authctxt->krb5_fwd_ccache, &ticket_name);
183		185
184	len = strlen(authctxt->krb5_ticket_file) + 6;	186	authctxt->krb5_ccname = xstrdup(ticket_name);
185	authctxt->krb5_ccname = xmalloc(len);	187	krb5_free_string(authctxt->krb5_ctx, ticket_name);
186	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
187	authctxt->krb5_ticket_file);
188		188
189	#ifdef USE_PAM	189	#ifdef USE_PAM
190	if (options.use_pam)	190	if (options.use_pam && authctxt->krb5_set_env)
191	do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);	191	do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
192	#endif	192	#endif
193		193
Lines 223-233 auth_krb5_password(Authctxt authctxt, const char password) Link Here
223	void	223	void
224	krb5_cleanup_proc(Authctxt *authctxt)	224	krb5_cleanup_proc(Authctxt *authctxt)
225	{	225	{
		226	struct stat krb5_ccname_stat;
		227	char krb5_ccname[128], krb5_ccname_dir_start, krb5_ccname_dir_end;
		228
226	debug("krb5_cleanup_proc called");	229	debug("krb5_cleanup_proc called");
227	if (authctxt->krb5_fwd_ccache) {	230	if (authctxt->krb5_fwd_ccache) {
228	krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);	231	krb5_context ctx = authctxt->krb5_ctx;
		232	krb5_cccol_cursor cursor;
		233	krb5_ccache ccache;
		234	int ret;
		235
		236	krb5_cc_destroy(ctx, authctxt->krb5_fwd_ccache);
229	authctxt->krb5_fwd_ccache = NULL;	237	authctxt->krb5_fwd_ccache = NULL;
		238
		239	ret = krb5_cccol_cursor_new(ctx, &cursor);
		240	if (ret)
		241	goto out;
		242
		243	ret = krb5_cccol_cursor_next(ctx, cursor, &ccache);
		244	if (ret == 0 && ccache != NULL) {
		245	/* There is at least one other ccache in collection
		246	* we can switch to */
		247	krb5_cc_switch(ctx, ccache);
		248	} else if (authctxt->krb5_ccname != NULL) {
		249	/* Clean up the collection too */
		250	strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
		251	krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
		252	*krb5_ccname_dir_start++ = '\0';
		253	if (strcmp(krb5_ccname, "DIR") == 0) {
		254
		255	strcat(krb5_ccname_dir_start, "/primary");
		256
		257	if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
		258	if (unlink(krb5_ccname_dir_start) == 0) {
		259	krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
		260	*krb5_ccname_dir_end = '\0';
		261	if (rmdir(krb5_ccname_dir_start) == -1)
		262	debug("cache dir '%s' remove failed: %s",
		263	krb5_ccname_dir_start, strerror(errno));
		264	}
		265	else
		266	debug("cache primary file '%s', remove failed: %s",
		267	krb5_ccname_dir_start, strerror(errno));
		268	}
		269	}
		270	}
		271	krb5_cccol_cursor_free(ctx, &cursor);
230	}	272	}
		273	out:
231	if (authctxt->krb5_user) {	274	if (authctxt->krb5_user) {
232	krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);	275	krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
233	authctxt->krb5_user = NULL;	276	authctxt->krb5_user = NULL;
Lines 238-273 krb5_cleanup_proc(Authctxt *authctxt) Link Here
238	}	281	}
239	}	282	}
240		283
241	#ifndef HEIMDAL
242	krb5_error_code
243	ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
244	int tmpfd, ret, oerrno;
245	char ccname[40];
246	mode_t old_umask;
247		284
248	ret = snprintf(ccname, sizeof(ccname),	285	#if !defined(HEIMDAL)
249	"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());	286	int
250	if (ret < 0 \|\| (size_t)ret >= sizeof(ccname))	287	ssh_asprintf_append(char *dsc, const char fmt, ...) {
251	return ENOMEM;	288	char src, old;
252		289	va_list ap;
253	old_umask = umask(0177);	290	int i;
254	tmpfd = mkstemp(ccname + strlen("FILE:"));	291
255	oerrno = errno;	292	va_start(ap, fmt);
256	umask(old_umask);	293	i = vasprintf(&src, fmt, ap);
257	if (tmpfd == -1) {	294	va_end(ap);
258	logit("mkstemp(): %.100s", strerror(oerrno));	295
259	return oerrno;	296	if (i == -1 \|\| src == NULL)
		297	return -1;
		298
		299	old = *dsc;
		300
		301	i = asprintf(dsc, "%s%s", *dsc, src);
		302	if (i == -1 \|\| src == NULL) {
		303	free(src);
		304	return -1;
		305	}
		306
		307	free(old);
		308	free(src);
		309
		310	return i;
		311	}
		312
		313	int
		314	ssh_krb5_expand_template(char *result, const char template) {
		315	char p_n, p_o, r, tmp_template;
		316
		317	debug3_f("called, template = %s", template);
		318	if (template == NULL)
		319	return -1;
		320
		321	tmp_template = p_n = p_o = xstrdup(template);
		322	r = xstrdup("");
		323
		324	while ((p_n = strstr(p_o, "%{")) != NULL) {
		325
		326	*p_n++ = '\0';
		327	if (ssh_asprintf_append(&r, "%s", p_o) == -1)
		328	goto cleanup;
		329
		330	if (strncmp(p_n, "{uid}", 5) == 0 \|\| strncmp(p_n, "{euid}", 6) == 0 \|\|
		331	strncmp(p_n, "{USERID}", 8) == 0) {
		332	p_o = strchr(p_n, '}') + 1;
		333	if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
		334	goto cleanup;
		335	continue;
		336	}
		337	else if (strncmp(p_n, "{TEMP}", 6) == 0) {
		338	p_o = strchr(p_n, '}') + 1;
		339	if (ssh_asprintf_append(&r, "/tmp") == -1)
		340	goto cleanup;
		341	continue;
		342	} else {
		343	p_o = strchr(p_n, '}') + 1;
		344	*p_o = '\0';
		345	debug_f("unsupported token %s in %s", p_n, template);
		346	/* unknown token, fallback to the default */
		347	goto cleanup;
		348	}
260	}	349	}
261		350
262	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {	351	if (ssh_asprintf_append(&r, "%s", p_o) == -1)
		352	goto cleanup;
		353
		354	*result = r;
		355	free(tmp_template);
		356	return 0;
		357
		358	cleanup:
		359	free(r);
		360	free(tmp_template);
		361	return -1;
		362	}
		363
		364	krb5_error_code
		365	ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
		366	profile_t p;
		367	int ret = 0;
		368	char *value = NULL;
		369
		370	debug3_f("called");
		371	ret = krb5_get_profile(ctx, &p);
		372	if (ret)
		373	return ret;
		374
		375	ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
		376	if (ret \|\| !value)
		377	return ret;
		378
		379	ret = ssh_krb5_expand_template(ccname, value);
		380
		381	debug3_f("returning with ccname = %s", *ccname);
		382	return ret;
		383	}
		384
		385	krb5_error_code
		386	ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache ccache, int need_environment) {
		387	int tmpfd, ret, oerrno, type_len;
		388	char *ccname = NULL;
		389	mode_t old_umask;
		390	char type = NULL, colon = NULL;
		391
		392	debug3_f("called");
		393	if (need_environment)
		394	*need_environment = 0;
		395	ret = ssh_krb5_get_cctemplate(ctx, &ccname);
		396	if (ret \|\| !ccname \|\| options.kerberos_unique_ccache) {
		397	/* Otherwise, go with the old method */
		398	if (ccname)
		399	free(ccname);
		400	ccname = NULL;
		401
		402	ret = asprintf(&ccname,
		403	"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
		404	if (ret < 0)
		405	return ENOMEM;
		406
		407	old_umask = umask(0177);
		408	tmpfd = mkstemp(ccname + strlen("FILE:"));
263	oerrno = errno;	409	oerrno = errno;
264	logit("fchmod(): %.100s", strerror(oerrno));	410	umask(old_umask);
		411	if (tmpfd == -1) {
		412	logit("mkstemp(): %.100s", strerror(oerrno));
		413	return oerrno;
		414	}
		415
		416	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
		417	oerrno = errno;
		418	logit("fchmod(): %.100s", strerror(oerrno));
		419	close(tmpfd);
		420	return oerrno;
		421	}
		422	/* make sure the KRB5CCNAME is set for non-standard location */
		423	if (need_environment)
		424	*need_environment = 1;
265	close(tmpfd);	425	close(tmpfd);
266	return oerrno;
267	}	426	}
268	close(tmpfd);
269		427
270	return (krb5_cc_resolve(ctx, ccname, ccache));	428	debug3_f("setting default ccname to %s", ccname);
		429	/* set the default with already expanded user IDs */
		430	ret = krb5_cc_set_default_name(ctx, ccname);
		431	if (ret)
		432	return ret;
		433
		434	if ((colon = strstr(ccname, ":")) != NULL) {
		435	type_len = colon - ccname;
		436	type = malloc((type_len + 1) * sizeof(char));
		437	if (type == NULL)
		438	return ENOMEM;
		439	strncpy(type, ccname, type_len);
		440	type[type_len] = 0;
		441	} else {
		442	type = strdup(ccname);
		443	}
		444
		445	/* If we have a credential cache from krb5.conf, we need to switch
		446	* a primary cache for this collection, if it supports that (non-FILE)
		447	*/
		448	if (krb5_cc_support_switch(ctx, type)) {
		449	debug3_f("calling cc_new_unique(%s)", ccname);
		450	ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
		451	free(type);
		452	if (ret)
		453	return ret;
		454
		455	debug3_f("calling cc_switch()");
		456	return krb5_cc_switch(ctx, *ccache);
		457	} else {
		458	/* Otherwise, we can not create a unique ccname here (either
		459	* it is already unique from above or the type does not support
		460	* collections
		461	*/
		462	free(type);
		463	debug3_f("calling cc_resolve(%s)", ccname);
		464	return (krb5_cc_resolve(ctx, ccname, ccache));
		465	}
271	}	466	}
272	#endif /* !HEIMDAL */	467	#endif /* !HEIMDAL */
273	#endif /* KRB5 */	468	#endif /* KRB5 */