X-Git-Url: http://www.project-moonshot.org/gitweb/?p=openssh.git;a=blobdiff_plain;f=gss-serv.c;h=459cecc35881ca1cbb78fa36ce884180cf9a7145;hp=f1c694dc6b2e3eae57cb47838c0e6cf371844010;hb=c58af0369df352cd2bfddf972c0a43713cda1233;hpb=c4431b13b468d93eabfdb2a7e9c4a245678067a5
diff --git a/gss-serv.c b/gss-serv.c
index f1c694d..459cecc 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -166,7 +166,7 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
 if (ctx->client_creds) debug("Received some client credentials");
- else
+ else if (ctx->major == GSS_S_COMPLETE)
 debug("Got no client credentials");
 status = ctx->major;
@@ -175,10 +175,13 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
 * we flag the user as also having been authenticated */
- if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
- (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
- if (ssh_gssapi_getclient(ctx, &gssapi_client))
+ if (ctx->major == GSS_S_COMPLETE) {
+ if (options.gss_require_mic &&
+ ((flags == NULL) || !(*flags & GSS_C_INTEG_FLAG))) {
+ debug("GSSAPIRequireMIC true and integrity protection not supported so gssapi-with-mic fails.");
+ } else if (ssh_gssapi_getclient(ctx, &gssapi_client)) {
 fatal("Couldn't convert client name");
+ }
 }
 return (status);
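Review bot: The rewritten test in ssh_gssapi_accept_ctx() (second hunk; the function begins outside it) no longer looks at `GSS_C_MUTUAL_FLAG`, and when `options.gss_require_mic` is off it calls `ssh_gssapi_getclient()` for any completed context whatever flags were negotiated, where the old code demanded both mutual authentication and integrity. If that relaxation is intended, the comment above the block should say so, e.g. `/* mutual auth is not required; integrity is enforced only when GSSAPIRequireMIC is set */`, and the option's default (not visible here) should be the strict value. The refusal itself is reported only through `debug()` while `status` still returns `GSS_S_COMPLETE`, so nothing shows at normal log levels; `logit("GSSAPI context lacks integrity protection, rejected by GSSAPIRequireMIC");` would leave an audit trail. `flags == NULL` also changed from passing to failing when the option is set, which matters for any caller that passes no flags pointer.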
@@ -335,23 +338,42 @@ ssh_gssapi_userok(char *user, struct passwd *pw)
 debug("No suitable client data");
 return 0;
 }
- if (GSS_ERROR(gss_userok(&lmin, gssapi_client.name, user, &userok)) ||
- userok == 0) {
+
+ userok = gss_userok(gssapi_client.name, user);
+ if (userok) {
+ gssapi_client.used = 1;
+ gssapi_client.store.owner = pw;
+ } else {
 /* Destroy delegated credentials if userok fails */
 gss_release_buffer(&lmin, &gssapi_client.displayname);
 gss_release_buffer(&lmin, &gssapi_client.exportedname);
 gss_release_name(&lmin, &gssapi_client.name);
 gss_release_cred(&lmin, &gssapi_client.creds);
 memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
- return 0;
- }
-
- if (userok) {
- gssapi_client.used = 1;
- gssapi_client.store.owner = pw;
 }
 return (userok);
 }
-#endif
+/* Priviledged */
+OM_uint32
+ssh_gssapi_localname(char **user)
+{
+ OM_uint32 major_status, lmin;
+ uid_t uid;
+ struct passwd *pw;
+
+ major_status = gss_pname_to_uid(&lmin, gssapi_client.name,
+ GSS_C_NO_OID, &uid);
+ if (GSS_ERROR(major_status))
+ return (major_status);
+
+ pw = getpwuid(uid);
+ if (pw == NULL)
+ return (GSS_S_BAD_NAME);
+
+ *user = xstrdup(pw->pw_name);
+
+ return (GSS_S_COMPLETE);
+}
+#endif /* GSSAPI */
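Review bot: The new ssh_gssapi_localname() leaves `*user` untouched on both error returns and hands `gssapi_client.name` to `gss_pname_to_uid()` without checking that it is set, although ssh_gssapi_userok() in this same hunk zeroes `gssapi_client` with `memset` when authorisation fails. Opening the body with `*user = NULL;` and `if (gssapi_client.name == GSS_C_NO_NAME) return (GSS_S_BAD_NAME);` makes a caller that forgets to test the return value fail closed instead of reading an uninitialised pointer. The principal to uid to `getpwuid()` round trip also returns whichever passwd entry comes first for that uid, so on hosts where several accounts share a uid the login name handed back may not be the account the mapping meant. The function's header comment should state that limitation, or the name should be taken from the GSS mapping directly if the library offers a call for it.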