Add support for mechanisms with no integrity
[openssh.git] / gss-serv.c
index 3440a89..459cecc 100644 (file)
@@ -166,7 +166,7 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
 
        if (ctx->client_creds)
                debug("Received some client credentials");
-       else
+       else if (ctx->major == GSS_S_COMPLETE)
                debug("Got no client credentials");
 
        status = ctx->major;
@@ -175,10 +175,13 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
         * we flag the user as also having been authenticated
         */
 
-       if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
-           (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
-               if (ssh_gssapi_getclient(ctx, &gssapi_client))
+       if (ctx->major == GSS_S_COMPLETE) {
+               if (options.gss_require_mic &&
+                   ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+                       debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+               } else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
                        fatal("Couldn't convert client name");
+               }
        }
 
        return (status);
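Review bot: The rewritten condition silently drops the GSS_C_MUTUAL_FLAG requirement: the removed lines only converted the client name when both GSS_C_MUTUAL_FLAG and GSS_C_INTEG_FLAG were set, while the new code (with GSSAPIRequireMIC on) tests only GSS_C_INTEG_FLAG, so a context negotiated without mutual authentication now yields a usable gssapi_client where it previously did not. If relaxing mutual auth is intended it should be stated in the commit message; otherwise keep it in the guard, e.g. `((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG) || !(*flags & GSS_C_MUTUAL_FLAG))`. Note also that on the require-MIC failure path the function still returns ctx->major (GSS_S_COMPLETE) to the caller and merely leaves gssapi_client unpopulated, so rejection appears to be deferred to a later userok check rather than signalled here; a comment such as `/* leave gssapi_client unset so ssh_gssapi_userok rejects the login */` would make that deliberate dependency visible. The debug text "integrity protection not supported" is also misleading for the flags == NULL case, where the flags are simply unknown rather than unsupported. The enclosing function ssh_gssapi_accept_ctx begins before this hunk.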
@@ -335,22 +338,42 @@ ssh_gssapi_userok(char *user, struct passwd *pw)
                debug("No suitable client data");
                return 0;
        }
-       if (!gss_userok(gssapi_client.name, user)) {
+
+       userok = gss_userok(gssapi_client.name, user);
+       if (userok) {
+               gssapi_client.used = 1;
+               gssapi_client.store.owner = pw;
+       } else {
                /* Destroy delegated credentials if userok fails */
                gss_release_buffer(&lmin, &gssapi_client.displayname);
                gss_release_buffer(&lmin, &gssapi_client.exportedname);
                gss_release_name(&lmin, &gssapi_client.name);
                gss_release_cred(&lmin, &gssapi_client.creds);
                memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
-               return 0;
-       }
-
-       if (userok) {
-               gssapi_client.used = 1;
-               gssapi_client.store.owner = pw;
        }
 
        return (userok);
 }
 
-#endif
+/* Priviledged */
+OM_uint32
+ssh_gssapi_localname(char **user)
+{
+       OM_uint32 major_status, lmin;
+       uid_t uid;
+       struct passwd *pw;
+
+       major_status = gss_pname_to_uid(&lmin, gssapi_client.name,
+                                       GSS_C_NO_OID, &uid);
+       if (GSS_ERROR(major_status))
+               return (major_status);
+
+       pw = getpwuid(uid);
+       if (pw == NULL)
+               return (GSS_S_BAD_NAME);
+
+       *user = xstrdup(pw->pw_name);
+
+       return (GSS_S_COMPLETE);
+}
+#endif /* GSSAPI */
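Review bot: ssh_gssapi_localname passes gssapi_client.name straight to gss_pname_to_uid without checking that a client name was ever established, whereas ssh_gssapi_userok above bails out with "No suitable client data" before touching it (that guard's condition sits just outside the hunk); after a failed userok the memset zeroes the structure, so this can run on an empty name. A guard mirroring the sibling — presumably `if (gssapi_client.name == GSS_C_NO_NAME) return (GSS_S_BAD_NAME);` if that is the sentinel the memset produces — would keep the two entry points consistent. The uid-to-name round trip through getpwuid also means the returned account is whichever passwd entry the lookup resolves for that uid, which may not be the entry an administrator expects when several names share a uid; worth a short comment noting that the mechanism's uid mapping, not a principal-to-name table, is authoritative here. Separately, the header comment should read `/* Privileged */`, and the function should document that `*user` is only assigned on GSS_S_COMPLETE and is xstrdup'd, so the caller owns and must free it.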