- jakob@cvs.openbsd.org 2003/12/23 16:12:10

[servconf.c servconf.h session.c sshd_config]
     implement KerberosGetAFSToken server option. ok markus@, beck@

ChangeLog

@@ -7,6 +7,9 @@
    - markus@cvs.openbsd.org 2003/12/22 20:29:55
      [cipher-3des1.c]
      EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
+   - jakob@cvs.openbsd.org 2003/12/23 16:12:10
+     [servconf.c servconf.h session.c sshd_config]
+     implement KerberosGetAFSToken server option. ok markus@, beck@
 
 20031219
  - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
@@ -1626,4 +1629,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $
+$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
+	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
 	options->password_authentication = -1;
@@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options)
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
 		options->kerberos_ticket_cleanup = 1;
+	if (options->kerberos_get_afs_token == -1)
+		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
@@ -250,6 +253,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+	sKerberosGetAFSToken,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -301,10 +305,12 @@ static struct {
 	{ "kerberosauthentication", sKerberosAuthentication },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup },
+	{ "kerberosgetafstoken", sKerberosGetAFSToken },
 #else
 	{ "kerberosauthentication", sUnsupported },
 	{ "kerberosorlocalpasswd", sUnsupported },
 	{ "kerberosticketcleanup", sUnsupported },
+	{ "kerberosgetafstoken", sUnsupported },
 #endif
 	{ "kerberostgtpassing", sUnsupported },
 	{ "afstokenpassing", sUnsupported },
@@ -630,6 +636,10 @@ parse_flag:
 		intptr = &options->kerberos_ticket_cleanup;
 		goto parse_flag;
 
+	case sKerberosGetAFSToken:
+		intptr = &options->kerberos_get_afs_token;
+		goto parse_flag;
+
 	case sGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;

servconf.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -80,6 +80,8 @@ typedef struct {
 						 * /etc/passwd */
 	int     kerberos_ticket_cleanup;	/* If true, destroy ticket
 						 * file on logout. */
+	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
+						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
 	int     password_authentication;	/* If true, permit password

session.c

@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command)
 	 */
 	environ = env;
 
+#ifdef KRB5
+	/*
+	 * At this point, we check to see if AFS is active and if we have
+	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
+	 * if we can (and need to) extend the ticket into an AFS token. If
+	 * we don't do this, we run into potential problems if the user's
+	 * home directory is in AFS and it's not world-readable.
+	 */
+
+	if (options.kerberos_get_afs_token && k_hasafs() &&
+	     (s->authctxt->krb5_ctx != NULL)) {
+		char cell[64];
+
+		debug("Getting AFS token");
+
+		k_setpag();
+
+		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+			krb5_afslog(s->authctxt->krb5_ctx,
+			    s->authctxt->krb5_fwd_ccache, cell, NULL);
+
+		krb5_afslog_home(s->authctxt->krb5_ctx,
+		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+	}
+#endif
+
 	/* Change current directory to the user\'s home directory. */
 	if (chdir(pw->pw_dir) < 0) {
 		fprintf(stderr, "Could not chdir to home directory %s: %s\n",

sshd_config

@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $
+#	$OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -61,6 +61,7 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
+#KerberosGetAFSToken no
 
 # GSSAPI options
 #GSSAPIAuthentication no