X-Git-Url: http://www.project-moonshot.org/gitweb/?p=openssh.git;a=blobdiff_plain;f=auth2-gss.c;h=3967961bccfa877fd3440c99b1465ba0256e3967;hp=a192d282fdf80de169f1d0d6b4a05e83d97306c8;hb=c58af0369df352cd2bfddf972c0a43713cda1233;hpb=c4431b13b468d93eabfdb2a7e9c4a245678067a5 diff --git a/auth2-gss.c b/auth2-gss.c index a192d28..3967961 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -51,6 +51,7 @@ static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); +static void gssapi_set_username(Authctxt *authctxt); /* * The 'gssapi_keyex' userauth mechanism. @@ -74,6 +75,8 @@ userauth_gsskeyex(Authctxt *authctxt) gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); + gssapi_set_username(authctxt); + /* gss_kex_context is NULL with privsep, so we can't check it here */ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, &gssbuf, &mic)))) @@ -102,7 +105,10 @@ userauth_gssapi(Authctxt *authctxt) u_int len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) + /* authctxt->valid may be 0 if we haven't yet determined + username from gssapi context. */ + + if (authctxt->user == NULL) return (0); mechs = packet_get_int(); 
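Review bot: Dropping `!authctxt->valid` from the guard in userauth_gssapi lets any unknown username, not only the empty one the new comment describes, continue into the GSSAPI exchange, while the other userauth methods still reject invalid users up front. `gssapi_set_username()` (added further down in this patch) only acts when the name is NULL or empty, so an explicit but non-existent user now reaches the later `ssh_gssapi_userok()` call with `valid == 0` and relies on that function, or on the caller, to refuse it. Narrow the relaxation to the case the comment actually names: `if (authctxt->user == NULL || (!authctxt->valid && authctxt->user[0] != '\0'))` followed by the existing `return (0);`. The remainder of userauth_gssapi lies outside the hunk.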
@@ -253,6 +259,32 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) gss_release_buffer(&maj_status, &send_tok); } +static void +gssapi_set_username(Authctxt *authctxt) +{ + char *lname = NULL; + + if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) { + PRIVSEP(ssh_gssapi_localname(&lname)); + if (lname && lname[0] != '\0') { + if (authctxt->user) xfree(authctxt->user); + authctxt->user = lname; + debug("set username to %s from gssapi context", lname); + authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user)); + if (authctxt->pw) { + authctxt->valid = 1; +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); +#endif + } + } else { + debug("failed to set username from gssapi context"); + packet_send_debug("failed to set username from gssapi context"); + } + } +} + /* * This is called when the client thinks we've completed authentication. * It should only be enabled in the dispatch handler by the function above, @@ -313,6 +345,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); + gssapi_set_username(authctxt); + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
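Review bot: In gssapi_set_username the case where `ssh_gssapi_localname()` yields a name but `getpwnamallow()` returns NULL is silent: `authctxt->user` has already been replaced by the mapped name, `valid` stays 0 and `pw` is NULL, yet neither branch logs it, which makes a mis-mapped principal hard to diagnose from the server log. Add `} else debug("no local account for gssapi-derived user %s", lname);` after the `if (authctxt->pw)` block. The `PRIVSEP(start_pam(authctxt))` call here presumably re-runs PAM initialisation for the new name after auth2.c already started PAM for the original request; whether start_pam tolerates a second call with a different username is not visible from this file and should be confirmed. The one-line `if (authctxt->user) xfree(authctxt->user);` also departs from the file's style of putting the statement on its own line.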
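Review bot: After `gssapi_set_username(authctxt)` nothing checks `authctxt->valid` before the MIC is verified and `ssh_gssapi_userok(authctxt->user, authctxt->pw)` is called, and the early `valid` check that used to keep this handler unreachable for invalid users was removed from userauth_gssapi in the same patch. If the mapped name has no local account, or the client supplied a non-empty unknown name, userok now runs with `valid == 0` and whatever `pw` holds (NULL here, or whatever auth2.c stored for an invalid user), leaving the rejection to userok or to the caller. Gate the decision locally with `if (authctxt->valid && !GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))` so an invalid user can never produce `authenticated`. The rest of input_gssapi_mic, including how `authenticated` is consumed, is outside the hunk.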