зеркало из https://github.com/Azure/sonic-openssh.git
- jakob@cvs.openbsd.org 2003/12/23 16:12:10
[servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@
This commit is contained in:
Родитель
a32e19c637
Коммит
22ef508754
|
@ -7,6 +7,9 @@
|
|||
- markus@cvs.openbsd.org 2003/12/22 20:29:55
|
||||
[cipher-3des1.c]
|
||||
EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
|
||||
- jakob@cvs.openbsd.org 2003/12/23 16:12:10
|
||||
[servconf.c servconf.h session.c sshd_config]
|
||||
implement KerberosGetAFSToken server option. ok markus@, beck@
|
||||
|
||||
20031219
|
||||
- (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
|
||||
|
@ -1626,4 +1629,4 @@
|
|||
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
|
||||
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
|
||||
|
||||
$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $
|
||||
$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $
|
||||
|
|
12
servconf.c
12
servconf.c
|
@ -10,7 +10,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
|
@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->kerberos_authentication = -1;
|
||||
options->kerberos_or_local_passwd = -1;
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
options->gss_cleanup_creds = -1;
|
||||
options->password_authentication = -1;
|
||||
|
@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->kerberos_or_local_passwd = 1;
|
||||
if (options->kerberos_ticket_cleanup == -1)
|
||||
options->kerberos_ticket_cleanup = 1;
|
||||
if (options->kerberos_get_afs_token == -1)
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_cleanup_creds == -1)
|
||||
|
@ -250,6 +253,7 @@ typedef enum {
|
|||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
sKerberosGetAFSToken,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
|
@ -301,10 +305,12 @@ static struct {
|
|||
{ "kerberosauthentication", sKerberosAuthentication },
|
||||
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
|
||||
{ "kerberosticketcleanup", sKerberosTicketCleanup },
|
||||
{ "kerberosgetafstoken", sKerberosGetAFSToken },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported },
|
||||
{ "kerberosorlocalpasswd", sUnsupported },
|
||||
{ "kerberosticketcleanup", sUnsupported },
|
||||
{ "kerberosgetafstoken", sUnsupported },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported },
|
||||
{ "afstokenpassing", sUnsupported },
|
||||
|
@ -630,6 +636,10 @@ parse_flag:
|
|||
intptr = &options->kerberos_ticket_cleanup;
|
||||
goto parse_flag;
|
||||
|
||||
case sKerberosGetAFSToken:
|
||||
intptr = &options->kerberos_get_afs_token;
|
||||
goto parse_flag;
|
||||
|
||||
case sGssAuthentication:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -80,6 +80,8 @@ typedef struct {
|
|||
* /etc/passwd */
|
||||
int kerberos_ticket_cleanup; /* If true, destroy ticket
|
||||
* file on logout. */
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
int password_authentication; /* If true, permit password
|
||||
|
|
28
session.c
28
session.c
|
@ -33,7 +33,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
|
@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command)
|
|||
*/
|
||||
environ = env;
|
||||
|
||||
#ifdef KRB5
|
||||
/*
|
||||
* At this point, we check to see if AFS is active and if we have
|
||||
* a valid Kerberos 5 TGT. If so, it seems like a good idea to see
|
||||
* if we can (and need to) extend the ticket into an AFS token. If
|
||||
* we don't do this, we run into potential problems if the user's
|
||||
* home directory is in AFS and it's not world-readable.
|
||||
*/
|
||||
|
||||
if (options.kerberos_get_afs_token && k_hasafs() &&
|
||||
(s->authctxt->krb5_ctx != NULL)) {
|
||||
char cell[64];
|
||||
|
||||
debug("Getting AFS token");
|
||||
|
||||
k_setpag();
|
||||
|
||||
if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
|
||||
krb5_afslog(s->authctxt->krb5_ctx,
|
||||
s->authctxt->krb5_fwd_ccache, cell, NULL);
|
||||
|
||||
krb5_afslog_home(s->authctxt->krb5_ctx,
|
||||
s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Change current directory to the user\'s home directory. */
|
||||
if (chdir(pw->pw_dir) < 0) {
|
||||
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $
|
||||
# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
@ -61,6 +61,7 @@
|
|||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
|
|
Загрузка…
Ссылка в новой задаче