diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | servconf.c | 12 | ||||
| -rw-r--r-- | servconf.h | 4 | ||||
| -rw-r--r-- | session.c | 28 | ||||
| -rw-r--r-- | sshd_config | 3 |
5 files changed, 47 insertions, 5 deletions
@@ -7,6 +7,9 @@ - markus@cvs.openbsd.org 2003/12/22 20:29:55 [cipher-3des1.c] EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr + - jakob@cvs.openbsd.org 2003/12/23 16:12:10 + [servconf.c servconf.h session.c sshd_config] + implement KerberosGetAFSToken server option. ok markus@, beck@ 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we @@ -1626,4 +1629,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $ +$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $ @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $"); #include "ssh.h" #include "log.h" @@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options) options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; + options->kerberos_get_afs_token = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; options->password_authentication = -1; @@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; + if (options->kerberos_get_afs_token == -1) + options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) @@ -250,6 +253,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -301,10 +305,12 @@ static struct { { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, + { "kerberosgetafstoken", sKerberosGetAFSToken }, #else { "kerberosauthentication", sUnsupported }, { "kerberosorlocalpasswd", sUnsupported }, { "kerberosticketcleanup", sUnsupported }, + { "kerberosgetafstoken", sUnsupported }, #endif { "kerberostgtpassing", sUnsupported }, { "afstokenpassing", sUnsupported }, @@ -630,6 +636,10 @@ parse_flag: intptr = &options->kerberos_ticket_cleanup; goto parse_flag; + case sKerberosGetAFSToken: + intptr = &options->kerberos_get_afs_token; + goto parse_flag; + case sGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -80,6 +80,8 @@ typedef struct { * /etc/passwd */ int kerberos_ticket_cleanup; /* If true, destroy ticket * file on logout. */ + int kerberos_get_afs_token; /* If true, try to get AFS token if + * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int password_authentication; /* If true, permit password @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command) */ environ = env; +#ifdef KRB5 + /* + * At this point, we check to see if AFS is active and if we have + * a valid Kerberos 5 TGT. If so, it seems like a good idea to see + * if we can (and need to) extend the ticket into an AFS token. If + * we don't do this, we run into potential problems if the user's + * home directory is in AFS and it's not world-readable. + */ + + if (options.kerberos_get_afs_token && k_hasafs() && + (s->authctxt->krb5_ctx != NULL)) { + char cell[64]; + + debug("Getting AFS token"); + + k_setpag(); + + if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) + krb5_afslog(s->authctxt->krb5_ctx, + s->authctxt->krb5_fwd_ccache, cell, NULL); + + krb5_afslog_home(s->authctxt->krb5_ctx, + s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir); + } +#endif + /* Change current directory to the user\'s home directory. */ if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", diff --git a/sshd_config b/sshd_config index 8dfc772e..aaa30f4b 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $ +# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -61,6 +61,7 @@ #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes +#KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no |