1 | /* |
---|
2 | * Copyright (c) 2001,2002 Simon Wilkinson. All rights reserved. |
---|
3 | * |
---|
4 | * Redistribution and use in source and binary forms, with or without |
---|
5 | * modification, are permitted provided that the following conditions |
---|
6 | * are met: |
---|
7 | * 1. Redistributions of source code must retain the above copyright |
---|
8 | * notice, this list of conditions and the following disclaimer. |
---|
9 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
10 | * notice, this list of conditions and the following disclaimer in the |
---|
11 | * documentation and/or other materials provided with the distribution. |
---|
12 | * |
---|
13 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR |
---|
14 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
---|
15 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
---|
16 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
---|
17 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
---|
18 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
---|
19 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
---|
20 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
---|
21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
---|
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
---|
23 | */ |
---|
24 | |
---|
25 | #include "includes.h" |
---|
26 | |
---|
27 | #ifdef GSSAPI |
---|
28 | |
---|
29 | #include "ssh.h" |
---|
30 | #include "ssh2.h" |
---|
31 | #include "xmalloc.h" |
---|
32 | #include "buffer.h" |
---|
33 | #include "bufaux.h" |
---|
34 | #include "packet.h" |
---|
35 | #include "compat.h" |
---|
36 | #include <openssl/evp.h> |
---|
37 | #include "cipher.h" |
---|
38 | #include "kex.h" |
---|
39 | #include "auth.h" |
---|
40 | #include "log.h" |
---|
41 | #include "channels.h" |
---|
42 | #include "session.h" |
---|
43 | #include "dispatch.h" |
---|
44 | #include "servconf.h" |
---|
45 | #include "compat.h" |
---|
46 | #include "monitor_wrap.h" |
---|
47 | |
---|
48 | #include "ssh-gss.h" |
---|
49 | |
---|
50 | extern ServerOptions options; |
---|
51 | extern u_char *session_id2; |
---|
52 | extern int session_id2_len; |
---|
53 | extern int is_local_acct; |
---|
54 | |
---|
55 | typedef struct ssh_gssapi_cred_cache { |
---|
56 | char *filename; |
---|
57 | char *envvar; |
---|
58 | char *envval; |
---|
59 | void *data; |
---|
60 | } ssh_gssapi_cred_cache; |
---|
61 | |
---|
62 | static struct ssh_gssapi_cred_cache gssapi_cred_store = {NULL,NULL,NULL}; |
---|
63 | |
---|
64 | #ifdef KRB5 |
---|
65 | |
---|
66 | #ifdef HEIMDAL |
---|
67 | #include <krb5.h> |
---|
68 | #else |
---|
69 | #include <gssapi_krb5.h> |
---|
70 | #define krb5_get_err_text(context,code) error_message(code) |
---|
71 | #endif |
---|
72 | |
---|
73 | /* Initialise the krb5 library, so we can use it for those bits that |
---|
74 | * GSSAPI won't do */ |
---|
75 | |
---|
76 | int ssh_gssapi_krb5_init(Authctxt *authctxt) { |
---|
77 | krb5_error_code problem; |
---|
78 | |
---|
79 | if (authctxt->krb5_ctx != NULL) |
---|
80 | return 1; |
---|
81 | |
---|
82 | problem = krb5_init_context(&authctxt->krb5_ctx); |
---|
83 | if (problem) { |
---|
84 | log("Cannot initialize krb5 context"); |
---|
85 | return 0; |
---|
86 | } |
---|
87 | krb5_init_ets(authctxt->krb5_ctx); |
---|
88 | |
---|
89 | return 1; |
---|
90 | } |
---|
91 | |
---|
92 | /* Check if this user is OK to login. This only works with krb5 - other |
---|
93 | * GSSAPI mechanisms will need their own. |
---|
94 | * Returns true if the user is OK to log in, otherwise returns 0 |
---|
95 | */ |
---|
96 | |
---|
97 | int |
---|
98 | ssh_gssapi_krb5_userok(Authctxt *authctxt) { |
---|
99 | krb5_principal princ; |
---|
100 | int retval; |
---|
101 | |
---|
102 | if (ssh_gssapi_krb5_init(authctxt) == 0) |
---|
103 | return 0; |
---|
104 | |
---|
105 | /* If this isn't a local account and the user hasn't specified |
---|
106 | * ticket forwarding, fail through to password authentication. |
---|
107 | * The shell the user gets won't be useful without tickets anyway. |
---|
108 | */ |
---|
109 | if (!is_local_acct && !gssapi_client_creds) |
---|
110 | return 0; |
---|
111 | |
---|
112 | if ((retval=krb5_parse_name(authctxt->krb5_ctx, |
---|
113 | gssapi_client_name.value, |
---|
114 | &princ))) { |
---|
115 | log("krb5_parse_name(): %.100s", |
---|
116 | krb5_get_err_text(authctxt->krb5_ctx,retval)); |
---|
117 | return 0; |
---|
118 | } |
---|
119 | if (krb5_kuserok(authctxt->krb5_ctx, princ, authctxt->user)) { |
---|
120 | retval = 1; |
---|
121 | log("Authorized to %s, krb5 principal %s (krb5_kuserok)", |
---|
122 | authctxt->user, (char *)gssapi_client_name.value); |
---|
123 | } |
---|
124 | else |
---|
125 | retval = 0; |
---|
126 | |
---|
127 | krb5_free_principal(authctxt->krb5_ctx, princ); |
---|
128 | return retval; |
---|
129 | } |
---|
130 | |
---|
131 | /* Make sure that this is called _after_ we've setuid to the user */ |
---|
132 | |
---|
133 | /* This writes out any forwarded credentials. Its specific to the Kerberos |
---|
134 | * GSSAPI mechanism |
---|
135 | * |
---|
136 | * We assume that our caller has made sure that the user has selected |
---|
137 | * delegated credentials, and that the client_creds structure is correctly |
---|
138 | * populated. |
---|
139 | */ |
---|
140 | |
---|
141 | void |
---|
142 | ssh_gssapi_krb5_storecreds(Authctxt *authctxt) { |
---|
143 | krb5_ccache ccache; |
---|
144 | krb5_error_code problem; |
---|
145 | krb5_principal princ; |
---|
146 | char ccname[35]; |
---|
147 | static char name[40]; |
---|
148 | int tmpfd; |
---|
149 | OM_uint32 maj_status,min_status; |
---|
150 | |
---|
151 | |
---|
152 | if (gssapi_client_creds==NULL) { |
---|
153 | debug("No credentials stored"); |
---|
154 | return; |
---|
155 | } |
---|
156 | |
---|
157 | if (ssh_gssapi_krb5_init(authctxt) == 0) |
---|
158 | return; |
---|
159 | |
---|
160 | if (options.gss_use_session_ccache) { |
---|
161 | snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_p%d",getpid()); |
---|
162 | |
---|
163 | if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) { |
---|
164 | log("fchmod(): %.100s", strerror(errno)); |
---|
165 | close(tmpfd); |
---|
166 | return; |
---|
167 | } |
---|
168 | } else { |
---|
169 | snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_p%d",getpid()); |
---|
170 | tmpfd = open(ccname, O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); |
---|
171 | if (tmpfd == -1) { |
---|
172 | log("open(): %.100s", strerror(errno)); |
---|
173 | return; |
---|
174 | } |
---|
175 | } |
---|
176 | |
---|
177 | close(tmpfd); |
---|
178 | snprintf(name, sizeof(name), "FILE:%s",ccname); |
---|
179 | |
---|
180 | if ((problem = krb5_cc_resolve(authctxt->krb5_ctx, name, &ccache))) { |
---|
181 | log("krb5_cc_default(): %.100s", |
---|
182 | krb5_get_err_text(authctxt->krb5_ctx,problem)); |
---|
183 | return; |
---|
184 | } |
---|
185 | |
---|
186 | if ((problem = krb5_parse_name(authctxt->krb5_ctx, gssapi_client_name.value, |
---|
187 | &princ))) { |
---|
188 | log("krb5_parse_name(): %.100s", |
---|
189 | krb5_get_err_text(authctxt->krb5_ctx,problem)); |
---|
190 | krb5_cc_destroy(authctxt->krb5_ctx,ccache); |
---|
191 | return; |
---|
192 | } |
---|
193 | |
---|
194 | if ((problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, princ))) { |
---|
195 | log("krb5_cc_initialize(): %.100s", |
---|
196 | krb5_get_err_text(authctxt->krb5_ctx,problem)); |
---|
197 | krb5_free_principal(authctxt->krb5_ctx,princ); |
---|
198 | krb5_cc_destroy(authctxt->krb5_ctx,ccache); |
---|
199 | return; |
---|
200 | } |
---|
201 | |
---|
202 | krb5_free_principal(authctxt->krb5_ctx,princ); |
---|
203 | |
---|
204 | #ifdef HEIMDAL |
---|
205 | if ((problem = krb5_cc_copy_cache(authctxt->krb5_ctx, |
---|
206 | gssapi_client_creds->ccache, |
---|
207 | ccache))) { |
---|
208 | log("krb5_cc_copy_cache(): %.100s", |
---|
209 | krb5_get_err_text(authctxt->krb5_ctx,problem)); |
---|
210 | krb5_cc_destroy(authctxt->krb5_ctx,ccache); |
---|
211 | return; |
---|
212 | } |
---|
213 | #else |
---|
214 | if ((maj_status = gss_krb5_copy_ccache(&min_status, |
---|
215 | gssapi_client_creds, |
---|
216 | ccache))) { |
---|
217 | log("gss_krb5_copy_ccache() failed"); |
---|
218 | ssh_gssapi_error(maj_status,min_status); |
---|
219 | krb5_cc_destroy(authctxt->krb5_ctx,ccache); |
---|
220 | return; |
---|
221 | } |
---|
222 | #endif |
---|
223 | |
---|
224 | #ifdef USE_PAM |
---|
225 | do_pam_putenv("KRB5CCNAME",name); |
---|
226 | #endif |
---|
227 | |
---|
228 | gssapi_cred_store.filename=strdup(ccname); |
---|
229 | gssapi_cred_store.envvar="KRB5CCNAME"; |
---|
230 | gssapi_cred_store.envval=strdup(name); |
---|
231 | |
---|
232 | /* Populate the Kerberos specific members of the authctxt. |
---|
233 | * We'll need them later. |
---|
234 | */ |
---|
235 | krb5_copy_principal(authctxt->krb5_ctx, princ, &authctxt->krb5_user); |
---|
236 | krb5_free_principal(authctxt->krb5_ctx, princ); |
---|
237 | |
---|
238 | authctxt->krb5_fwd_ccache = ccache; |
---|
239 | authctxt->krb5_ticket_file = |
---|
240 | (char *)krb5_cc_get_name(authctxt->krb5_ctx, |
---|
241 | authctxt->krb5_fwd_ccache); |
---|
242 | |
---|
243 | return; |
---|
244 | } |
---|
245 | |
---|
246 | #endif /* KRB5 */ |
---|
247 | |
---|
248 | #ifdef GSI |
---|
249 | #include <globus_gss_assist.h> |
---|
250 | |
---|
251 | /* |
---|
252 | * Check if this user is OK to login under GSI. User has been authenticated |
---|
253 | * as identity in global 'client_name.value' and is trying to log in as passed |
---|
254 | * username in 'name'. |
---|
255 | * |
---|
256 | * Returns non-zero if user is authorized, 0 otherwise. |
---|
257 | */ |
---|
258 | int |
---|
259 | ssh_gssapi_gsi_userok(char *name) |
---|
260 | { |
---|
261 | int authorized = 0; |
---|
262 | |
---|
263 | /* This returns 0 on success */ |
---|
264 | authorized = (globus_gss_assist_userok(gssapi_client_name.value, |
---|
265 | name) == 0); |
---|
266 | |
---|
267 | debug("GSI user %s is%s authorized as target user %s", |
---|
268 | (char *) gssapi_client_name.value, |
---|
269 | (authorized ? "" : " not"), |
---|
270 | name); |
---|
271 | |
---|
272 | return authorized; |
---|
273 | } |
---|
274 | |
---|
275 | /* |
---|
276 | * Handle setting up child environment for GSI. |
---|
277 | * |
---|
278 | * Make sure that this is called _after_ we've setuid to the user. |
---|
279 | */ |
---|
280 | void |
---|
281 | ssh_gssapi_gsi_storecreds() |
---|
282 | { |
---|
283 | OM_uint32 major_status; |
---|
284 | OM_uint32 minor_status; |
---|
285 | |
---|
286 | |
---|
287 | if (gssapi_client_creds != NULL) |
---|
288 | { |
---|
289 | char *creds_env = NULL; |
---|
290 | |
---|
291 | /* |
---|
292 | * This is the current hack with the GSI gssapi library to |
---|
293 | * export credentials to disk. |
---|
294 | */ |
---|
295 | |
---|
296 | debug("Exporting delegated credentials"); |
---|
297 | |
---|
298 | minor_status = 0xdee0; /* Magic value */ |
---|
299 | major_status = |
---|
300 | gss_inquire_cred(&minor_status, |
---|
301 | gssapi_client_creds, |
---|
302 | (gss_name_t *) &creds_env, |
---|
303 | NULL, |
---|
304 | NULL, |
---|
305 | NULL); |
---|
306 | |
---|
307 | if ((major_status == GSS_S_COMPLETE) && |
---|
308 | (minor_status == 0xdee1) && |
---|
309 | (creds_env != NULL)) |
---|
310 | { |
---|
311 | char *value; |
---|
312 | |
---|
313 | /* |
---|
314 | * String is of the form: |
---|
315 | * X509_USER_DELEG_PROXY=filename |
---|
316 | * so we parse out the filename |
---|
317 | * and then set X509_USER_PROXY |
---|
318 | * to point at it. |
---|
319 | */ |
---|
320 | value = strchr(creds_env, '='); |
---|
321 | |
---|
322 | if (value != NULL) |
---|
323 | { |
---|
324 | *value = '\0'; |
---|
325 | value++; |
---|
326 | #ifdef USE_PAM |
---|
327 | do_pam_putenv("X509_USER_PROXY",value); |
---|
328 | #endif |
---|
329 | gssapi_cred_store.filename=NULL; |
---|
330 | gssapi_cred_store.envvar="X509_USER_PROXY"; |
---|
331 | gssapi_cred_store.envval=strdup(value); |
---|
332 | |
---|
333 | return; |
---|
334 | } |
---|
335 | else |
---|
336 | { |
---|
337 | log("Failed to parse delegated credentials string '%s'", |
---|
338 | creds_env); |
---|
339 | } |
---|
340 | } |
---|
341 | else |
---|
342 | { |
---|
343 | log("Failed to export delegated credentials (error %ld)", |
---|
344 | major_status); |
---|
345 | } |
---|
346 | } |
---|
347 | } |
---|
348 | |
---|
349 | #endif /* GSI */ |
---|
350 | |
---|
351 | void |
---|
352 | ssh_gssapi_cleanup_creds(void *ignored) |
---|
353 | { |
---|
354 | if (gssapi_cred_store.filename!=NULL) { |
---|
355 | /* Unlink probably isn't sufficient */ |
---|
356 | debug("removing gssapi cred file\"%s\"",gssapi_cred_store.filename); |
---|
357 | unlink(gssapi_cred_store.filename); |
---|
358 | } |
---|
359 | } |
---|
360 | |
---|
361 | void |
---|
362 | ssh_gssapi_storecreds(Authctxt *authctxt) |
---|
363 | { |
---|
364 | switch (gssapi_client_type) { |
---|
365 | #ifdef KRB5 |
---|
366 | case GSS_KERBEROS: |
---|
367 | ssh_gssapi_krb5_storecreds(authctxt); |
---|
368 | break; |
---|
369 | #endif |
---|
370 | #ifdef GSI |
---|
371 | case GSS_GSI: |
---|
372 | ssh_gssapi_gsi_storecreds(); |
---|
373 | break; |
---|
374 | #endif /* GSI */ |
---|
375 | case GSS_LAST_ENTRY: |
---|
376 | /* GSSAPI not used in this authentication */ |
---|
377 | debug("No GSSAPI credentials stored"); |
---|
378 | break; |
---|
379 | default: |
---|
380 | log("ssh_gssapi_do_child: Unknown mechanism"); |
---|
381 | |
---|
382 | } |
---|
383 | |
---|
384 | if (options.gss_cleanup_creds) { |
---|
385 | fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL); |
---|
386 | } |
---|
387 | |
---|
388 | } |
---|
389 | |
---|
390 | /* This allows GSSAPI methods to do things to the childs environment based |
---|
391 | * on the passed authentication process and credentials. |
---|
392 | * |
---|
393 | * Question: If we didn't use userauth_external for some reason, should we |
---|
394 | * still delegate credentials? |
---|
395 | */ |
---|
396 | void |
---|
397 | ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
---|
398 | { |
---|
399 | |
---|
400 | if (gssapi_cred_store.envvar!=NULL && |
---|
401 | gssapi_cred_store.envval!=NULL) { |
---|
402 | |
---|
403 | debug("Setting %s to %s", gssapi_cred_store.envvar, |
---|
404 | gssapi_cred_store.envval); |
---|
405 | child_set_env(envp, envsizep, gssapi_cred_store.envvar, |
---|
406 | gssapi_cred_store.envval); |
---|
407 | } |
---|
408 | |
---|
409 | switch(gssapi_client_type) { |
---|
410 | #ifdef KRB5 |
---|
411 | case GSS_KERBEROS: break; |
---|
412 | #endif |
---|
413 | #ifdef GSI |
---|
414 | case GSS_GSI: break; |
---|
415 | #endif |
---|
416 | case GSS_LAST_ENTRY: |
---|
417 | debug("No GSSAPI credentials stored"); |
---|
418 | break; |
---|
419 | default: |
---|
420 | log("ssh_gssapi_do_child: Unknown mechanism"); |
---|
421 | } |
---|
422 | } |
---|
423 | |
---|
424 | int |
---|
425 | ssh_gssapi_userok(Authctxt *authctxt) |
---|
426 | { |
---|
427 | if (gssapi_client_name.length==0 || |
---|
428 | gssapi_client_name.value==NULL) { |
---|
429 | debug("No suitable client data"); |
---|
430 | return 0; |
---|
431 | } |
---|
432 | switch (gssapi_client_type) { |
---|
433 | #ifdef KRB5 |
---|
434 | case GSS_KERBEROS: |
---|
435 | return(ssh_gssapi_krb5_userok(authctxt)); |
---|
436 | break; /* Not reached */ |
---|
437 | #endif |
---|
438 | #ifdef GSI |
---|
439 | case GSS_GSI: |
---|
440 | return(ssh_gssapi_gsi_userok(authctxt->user)); |
---|
441 | break; /* Not reached */ |
---|
442 | #endif /* GSI */ |
---|
443 | case GSS_LAST_ENTRY: |
---|
444 | debug("Client not GSSAPI"); |
---|
445 | break; |
---|
446 | default: |
---|
447 | debug("Unknown client authentication type"); |
---|
448 | } |
---|
449 | return(0); |
---|
450 | } |
---|
451 | |
---|
452 | /* Stuff to play nicely with privsep */ |
---|
453 | |
---|
454 | #if 0 |
---|
455 | extern struct monitor *pmonitor; |
---|
456 | |
---|
457 | OM_uint32 |
---|
458 | mm_ssh_gssapi_server_ctxt(Gssctxt **ctx, gss_OID oid) { |
---|
459 | Buffer m; |
---|
460 | |
---|
461 | /* Client doesn't get to see the context */ |
---|
462 | *ctx=NULL; |
---|
463 | |
---|
464 | buffer_init(&m) |
---|
465 | buffer_put_string(&m,oid->elements,oid->length); |
---|
466 | |
---|
467 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m); |
---|
468 | |
---|
469 | debug3("%s: waiting for MONITOR_ANS_GSSSIGN",__func__); |
---|
470 | mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); |
---|
471 | major=buffer_get_int(&m); |
---|
472 | |
---|
473 | return(major); |
---|
474 | } |
---|
475 | |
---|
476 | int |
---|
477 | mm_answer_gss_server_ctxt(int socket, Buffer *m) { |
---|
478 | gss_OID_desc oid; |
---|
479 | OM_uint32 major; |
---|
480 | |
---|
481 | oid.elements=buffer_get_string(m,&oid.length); |
---|
482 | |
---|
483 | major=ssh_gssapi_server_ctxt(&gsscontext,&oid); |
---|
484 | |
---|
485 | xfree(oid.elements); |
---|
486 | |
---|
487 | buffer_clear(m); |
---|
488 | buffer_put_int(m,result); |
---|
489 | |
---|
490 | mm_request_send(socket,MONITOR_ANS_GSSSIGN,m); |
---|
491 | |
---|
492 | return(0); |
---|
493 | } |
---|
494 | |
---|
495 | OM_uint32 |
---|
496 | mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, |
---|
497 | gss_buffer_desc *out, OM_uint32 *flags) { |
---|
498 | |
---|
499 | Buffer m; |
---|
500 | OM_uint32, major; |
---|
501 | |
---|
502 | buffer_init(&m); |
---|
503 | buffer_put_string(&m, in->value, in->length); |
---|
504 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m); |
---|
505 | |
---|
506 | debug3("%s: waiting for MONITOR_ANS_GSSSTEP", &m); |
---|
507 | mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m); |
---|
508 | |
---|
509 | major=buffer_get_int(&m); |
---|
510 | *out->value=buffer->get_string(&m,&out->length); |
---|
511 | flags=buffer_get_int(&m); |
---|
512 | |
---|
513 | return(major); |
---|
514 | } |
---|
515 | |
---|
516 | int |
---|
517 | mm_answer_gss_accept_ctxt(int socket, Buffer *m) { |
---|
518 | gss_buffer_desc in,out; |
---|
519 | OM_uint32 major; |
---|
520 | OM_uint32 flags = 0; /* GSI needs this */ |
---|
521 | |
---|
522 | in.value = buffer_get_string(m,&in.length); |
---|
523 | major=ssh_gssapi_accept_ctxt(gsscontext,&in,&out,&flags); |
---|
524 | xfree(in.value); |
---|
525 | |
---|
526 | buffer_clear(m); |
---|
527 | buffer_put_int(m, major); |
---|
528 | buffer_put_string(m, out.value, out.length); |
---|
529 | buffer_put_int(m, flags); |
---|
530 | mm_request_send(socket,MONITOR_ANS_STEP,m); |
---|
531 | |
---|
532 | gss_release_buffer(out); |
---|
533 | |
---|
534 | return(0); |
---|
535 | } |
---|
536 | |
---|
537 | int |
---|
538 | mm_ssh_gssapi_userok(char *user) { |
---|
539 | Buffer m; |
---|
540 | |
---|
541 | buffer_init(&m); |
---|
542 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m); |
---|
543 | |
---|
544 | debug3("%s: waiting for MONTIOR_ANS_GSSUSEROK", __func__); |
---|
545 | mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK), |
---|
546 | &m); |
---|
547 | |
---|
548 | authenticated = buffer_get_int(&m); |
---|
549 | |
---|
550 | buffer_free(&m); |
---|
551 | debug3("%s: user %sauthetnicated",__func__, authenticated ? "" : "not "); |
---|
552 | return(authenticated); |
---|
553 | } |
---|
554 | |
---|
555 | int |
---|
556 | mm_answer_gss_userok(int socket, Buffer *m) { |
---|
557 | authenticated = authctxt->valid && ssh_gssapi_userok(authctxt); |
---|
558 | |
---|
559 | buffer_clear(m); |
---|
560 | buffer_put_int(m, authenticated); |
---|
561 | |
---|
562 | debug3("%s: sending result %d", __func__, authenticated); |
---|
563 | mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); |
---|
564 | |
---|
565 | /* Monitor loop will terminate if authenticated */ |
---|
566 | return(authenticated); |
---|
567 | } |
---|
568 | |
---|
569 | OM_uint32 |
---|
570 | mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) { |
---|
571 | Buffer m; |
---|
572 | OM_uint32 major, minor; |
---|
573 | |
---|
574 | buffer_init(&m); |
---|
575 | buffer_put_string(&m, data->value, data->length); |
---|
576 | |
---|
577 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m); |
---|
578 | |
---|
579 | debug3("%s: waiting for MONITOR_ANS_GSSSIGN",__func__); |
---|
580 | mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); |
---|
581 | major=buffer_get_int(&m); |
---|
582 | *hash->value = buffer_get_string(&m, &hash->length); |
---|
583 | |
---|
584 | return(major); |
---|
585 | } |
---|
586 | |
---|
587 | int |
---|
588 | mm_answer_gss_sign(int socket, Buffer *m) { |
---|
589 | gss_buffer_desc data,hash; |
---|
590 | OM_uint32 major; |
---|
591 | |
---|
592 | data.value = buffer_get_string(m,&data.length); |
---|
593 | if (data.length != 20) |
---|
594 | fatal("%s: data length incorrect: %d", __func__, datlen); |
---|
595 | |
---|
596 | /* Save the session ID - only first time round */ |
---|
597 | if (session_id2_len == 0) { |
---|
598 | session_id2_len=data.length; |
---|
599 | session_id2 = xmalloc(session_id2_len); |
---|
600 | memcpy(session_id2, data.value, session_id2_len); |
---|
601 | } |
---|
602 | major=ssh_gssapi_sign(gsscontext, &data, &hash); |
---|
603 | |
---|
604 | xfree(data.value); |
---|
605 | |
---|
606 | buffer_clear(m); |
---|
607 | buffer_put_int(m, major); |
---|
608 | buffer_put_string(m, hash.value, hash.length); |
---|
609 | |
---|
610 | mm_request_send(socket,MONITOR_ANS_GSSSIGN,m); |
---|
611 | |
---|
612 | gss_release_buffer(hash); |
---|
613 | |
---|
614 | return(0); |
---|
615 | } |
---|
616 | #endif |
---|
617 | #endif /* GSSAPI */ |
---|