- jakob@cvs.openbsd.org 2003/12/23 16:12:10
     [servconf.c servconf.h session.c sshd_config]
     implement KerberosGetAFSToken server option. ok markus@, beck@
diff --git a/ChangeLog b/ChangeLog
index c80577e..d325407 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
    - markus@cvs.openbsd.org 2003/12/22 20:29:55
      [cipher-3des1.c]
      EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
+   - jakob@cvs.openbsd.org 2003/12/23 16:12:10
+     [servconf.c servconf.h session.c sshd_config]
+     implement KerberosGetAFSToken server option. ok markus@, beck@
 
 20031219
  - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
@@ -1626,4 +1629,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $
+$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $
diff --git a/servconf.c b/servconf.c
index a6824a8..b832c75 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -72,6 +72,7 @@
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
+	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
 	options->password_authentication = -1;
@@ -181,6 +182,8 @@
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
 		options->kerberos_ticket_cleanup = 1;
+	if (options->kerberos_get_afs_token == -1)
+		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
@@ -250,6 +253,7 @@
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+	sKerberosGetAFSToken,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -301,10 +305,12 @@
 	{ "kerberosauthentication", sKerberosAuthentication },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup },
+	{ "kerberosgetafstoken", sKerberosGetAFSToken },
 #else
 	{ "kerberosauthentication", sUnsupported },
 	{ "kerberosorlocalpasswd", sUnsupported },
 	{ "kerberosticketcleanup", sUnsupported },
+	{ "kerberosgetafstoken", sUnsupported },
 #endif
 	{ "kerberostgtpassing", sUnsupported },
 	{ "afstokenpassing", sUnsupported },
@@ -630,6 +636,10 @@
 		intptr = &options->kerberos_ticket_cleanup;
 		goto parse_flag;
 
+	case sKerberosGetAFSToken:
+		intptr = &options->kerberos_get_afs_token;
+		goto parse_flag;
+
 	case sGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 3cf47bf..57c7e5f 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -80,6 +80,8 @@
 						 * /etc/passwd */
 	int     kerberos_ticket_cleanup;	/* If true, destroy ticket
 						 * file on logout. */
+	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
+						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
 	int     password_authentication;	/* If true, permit password
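Review bot: The new `kerberos_get_afs_token` field comment does not say that the option is only honored in builds with Kerberos 5 support, whereas the keyword is accepted (as sUnsupported) in every build, so an admin reading the struct cannot tell why the setting is silently ignored. I would extend the comment to `/* If true, try to get AFS token if authenticated with Kerberos. Only effective in KRB5 builds; defaults off. */`. The struct definition starts and ends outside this hunk.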
diff --git a/session.c b/session.c
index 00f8785..03a5ec5 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1415,6 +1415,32 @@
 	 */
 	environ = env;
 
+#ifdef KRB5
+	/*
+	 * At this point, we check to see if AFS is active and if we have
+	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
+	 * if we can (and need to) extend the ticket into an AFS token. If
+	 * we don't do this, we run into potential problems if the user's
+	 * home directory is in AFS and it's not world-readable.
+	 */
+
+	if (options.kerberos_get_afs_token && k_hasafs() &&
+	     (s->authctxt->krb5_ctx != NULL)) {
+		char cell[64];
+
+		debug("Getting AFS token");
+
+		k_setpag();
+
+		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+			krb5_afslog(s->authctxt->krb5_ctx,
+			    s->authctxt->krb5_fwd_ccache, cell, NULL);
+
+		krb5_afslog_home(s->authctxt->krb5_ctx,
+		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
+	}
+#endif
+
 	/* Change current directory to the user\'s home directory. */
 	if (chdir(pw->pw_dir) < 0) {
 		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
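Review bot: The results of `k_setpag()`, `krb5_afslog()` and `krb5_afslog_home()` are discarded, so when the token cannot be obtained the only symptom the user sees is the unrelated "Could not chdir to home directory" failure that follows, which makes AFS home-directory problems hard to diagnose from the server log. I would at least log the failure at debug level, e.g. `if (krb5_afslog_home(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir) != 0) debug("AFS token for home directory not obtained");`, and the same for the cell-specific call. Separately, the block is guarded only by `#ifdef KRB5`, but `k_hasafs()`/`krb5_afslog()` come from an AFS-aware Kerberos library rather than from Kerberos 5 itself, so a KRB5 build against a library without kafs support would presumably fail to link; a configure-detected AFS macro (placeholder: `HAVE_AFS_SUPPORT`) should be part of the guard. The enclosing function starts and ends outside this hunk.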
diff --git a/sshd_config b/sshd_config
index 8dfc772..aaa30f4 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $
+#	$OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -61,6 +61,7 @@
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
+#KerberosGetAFSToken no
 
 # GSSAPI options
 #GSSAPIAuthentication no