7463b6
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
190035
index 413b845..54dd383 100644
7463b6
--- a/gss-serv-krb5.c
7463b6
+++ b/gss-serv-krb5.c
Jan F 5b4ccb
@@ -32,7 +32,9 @@
Jan F 5b4ccb
 #include <sys/types.h>
Jan F 5b4ccb
 
Jan F 5b4ccb
 #include <stdarg.h>
Jan F 5b4ccb
+#include <stdio.h>
Jan F 5b4ccb
 #include <string.h>
Jan F 5b4ccb
+#include <unistd.h>
Jan F 5b4ccb
 
Jan F 5b4ccb
 #include "xmalloc.h"
Jan F 5b4ccb
 #include "key.h"
190035
@@ -45,6 +47,7 @@
Jan F 5b4ccb
 #include "buffer.h"
Jan F 5b4ccb
 #include "ssh-gss.h"
Jan F 5b4ccb
 
84822b
+extern Authctxt *the_authctxt;
84822b
 extern ServerOptions options;
84822b
 
Jan F 5b4ccb
 #ifdef HEIMDAL
190035
@@ -56,6 +59,13 @@ extern ServerOptions options;
84822b
 # include <gssapi/gssapi_krb5.h>
Jan F 5b4ccb
 #endif
Jan F 5b4ccb
 
Jan F 5b4ccb
+/* all commands are allowed by default */
Jan F 5b4ccb
+char **k5users_allowed_cmds = NULL;
Jan F 5b4ccb
+
Jan F 5b4ccb
+static int ssh_gssapi_k5login_exists();
Jan F 5b4ccb
+static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
Jan F 5b4ccb
+    int);
Jan F 5b4ccb
+
Jan F 5b4ccb
 static krb5_context krb_context = NULL;
Jan F 5b4ccb
 
Jan F 5b4ccb
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
190035
@@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
Jan F 5b4ccb
 	krb5_principal princ;
Jan F 5b4ccb
 	int retval;
84822b
 	const char *errmsg;
Jan F 5b4ccb
+	int k5login_exists;
Jan F 5b4ccb
 
Jan F 5b4ccb
 	if (ssh_gssapi_krb5_init() == 0)
Jan F 5b4ccb
 		return 0;
190035
@@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
84822b
 		krb5_free_error_message(krb_context, errmsg);
Jan F 5b4ccb
 		return 0;
Jan F 5b4ccb
 	}
Jan F 5b4ccb
-	if (krb5_kuserok(krb_context, princ, name)) {
Jan F 5b4ccb
+	/* krb5_kuserok() returns 1 if .k5login DNE and this is self-login.
Jan F 5b4ccb
+	 * We have to make sure to check .k5users in that case. */
Jan F 5b4ccb
+	k5login_exists = ssh_gssapi_k5login_exists();
Jan F 5b4ccb
+	/* NOTE: .k5login and .k5users must opened as root, not the user,
Jan F 5b4ccb
+	 * because if they are on a krb5-protected filesystem, user credentials
Jan F 5b4ccb
+	 * to access these files aren't available yet. */
84822b
+	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
Jan F 5b4ccb
 		retval = 1;
Jan F 5b4ccb
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
84822b
 		    name, (char *)client->displayname.value);
Jan F 5b4ccb
+	} else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
84822b
+		name, k5login_exists)) {
Jan F 5b4ccb
+		retval = 1;
Jan F 5b4ccb
+		logit("Authorized to %s, krb5 principal %s "
Jan F 5b4ccb
+		    "(ssh_gssapi_krb5_cmdok)",
84822b
+		    name, (char *)client->displayname.value);
Jan F 5b4ccb
 	} else
Jan F 5b4ccb
 		retval = 0;
Jan F 5b4ccb
 
190035
@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
Jan F 5b4ccb
 	return retval;
Jan F 5b4ccb
 }
Jan F 5b4ccb
 
Jan F 5b4ccb
+/* Test for existence of .k5login.
Jan F 5b4ccb
+ * We need this as part of our .k5users check, because krb5_kuserok()
Jan F 5b4ccb
+ * returns success if .k5login DNE and user is logging in as himself.
Jan F 5b4ccb
+ * With .k5login absent and .k5users present, we don't want absence
Jan F 5b4ccb
+ * of .k5login to authorize self-login.  (absence of both is required)
Jan F 5b4ccb
+ * Returns 1 if .k5login is available, 0 otherwise.
Jan F 5b4ccb
+ */
Jan F 5b4ccb
+static int
Jan F 5b4ccb
+ssh_gssapi_k5login_exists()
Jan F 5b4ccb
+{
Jan F 5b4ccb
+	char file[MAXPATHLEN];
Jan F 5b4ccb
+	struct passwd *pw = the_authctxt->pw;
Jan F 5b4ccb
+
Jan F 5b4ccb
+	snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
Jan F 5b4ccb
+	return access(file, F_OK) == 0;
Jan F 5b4ccb
+}
Jan F 5b4ccb
+
Jan F 5b4ccb
+/* check .k5users for login or command authorization
Jan F 5b4ccb
+ * Returns 1 if principal is authorized, 0 otherwise.
Jan F 5b4ccb
+ * If principal is authorized, (global) k5users_allowed_cmds may be populated.
Jan F 5b4ccb
+ */
Jan F 5b4ccb
+static int
Jan F 5b4ccb
+ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
Jan F 5b4ccb
+    const char *luser, int k5login_exists)
Jan F 5b4ccb
+{
Jan F 5b4ccb
+	FILE *fp;
Jan F 5b4ccb
+	char file[MAXPATHLEN];
580f98
+	char line[BUFSIZ] = "";
Jan F 5b4ccb
+	char kuser[65]; /* match krb5_kuserok() */
Jan F 5b4ccb
+	struct stat st;
Jan F 5b4ccb
+	struct passwd *pw = the_authctxt->pw;
Jan F 5b4ccb
+	int found_principal = 0;
Jan F 5b4ccb
+	int ncommands = 0, allcommands = 0;
Jan F 5b4ccb
+	u_long linenum;
Jan F 5b4ccb
+
Jan F 5b4ccb
+	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
Jan F 5b4ccb
+	/* If both .k5login and .k5users DNE, self-login is ok. */
Jan F 5b4ccb
+	if (!k5login_exists && (access(file, F_OK) == -1)) {
Jan F 5b4ccb
+		return (krb5_aname_to_localname(krb_context, principal,
Jan F 5b4ccb
+		    sizeof(kuser), kuser) == 0) &&
Jan F 5b4ccb
+		    (strcmp(kuser, luser) == 0);
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+	if ((fp = fopen(file, "r")) == NULL) {
Jan F 5b4ccb
+		int saved_errno = errno;
Jan F 5b4ccb
+		/* 2nd access check to ease debugging if file perms are wrong.
Jan F 5b4ccb
+		 * But we don't want to report this if .k5users simply DNE. */
Jan F 5b4ccb
+		if (access(file, F_OK) == 0) {
Jan F 5b4ccb
+			logit("User %s fopen %s failed: %s",
Jan F 5b4ccb
+			    pw->pw_name, file, strerror(saved_errno));
Jan F 5b4ccb
+		}
Jan F 5b4ccb
+		return 0;
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+	/* .k5users must be owned either by the user or by root */
Jan F 5b4ccb
+	if (fstat(fileno(fp), &st) == -1) {
Jan F 5b4ccb
+		/* can happen, but very wierd error so report it */
Jan F 5b4ccb
+		logit("User %s fstat %s failed: %s",
Jan F 5b4ccb
+		    pw->pw_name, file, strerror(errno));
Jan F 5b4ccb
+		fclose(fp);
Jan F 5b4ccb
+		return 0;
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+	if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) {
Jan F 5b4ccb
+		logit("User %s %s is not owned by root or user",
Jan F 5b4ccb
+		    pw->pw_name, file);
Jan F 5b4ccb
+		fclose(fp);
Jan F 5b4ccb
+		return 0;
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+	/* .k5users must be a regular file.  krb5_kuserok() doesn't do this
Jan F 5b4ccb
+	  * check, but we don't want to be deficient if they add a check. */
Jan F 5b4ccb
+	if (!S_ISREG(st.st_mode)) {
Jan F 5b4ccb
+		logit("User %s %s is not a regular file", pw->pw_name, file);
Jan F 5b4ccb
+		fclose(fp);
Jan F 5b4ccb
+		return 0;
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+	/* file exists; initialize k5users_allowed_cmds (to none!) */
Jan F 5b4ccb
+	k5users_allowed_cmds = xcalloc(++ncommands,
Jan F 5b4ccb
+	    sizeof(*k5users_allowed_cmds));
Jan F 5b4ccb
+
Jan F 5b4ccb
+	/* Check each line.  ksu allows unlimited length lines.  We don't. */
Jan F 5b4ccb
+	while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
Jan F 5b4ccb
+	    &linenum) != -1) {
Jan F 5b4ccb
+		char *token;
Jan F 5b4ccb
+
Jan F 5b4ccb
+		/* we parse just like ksu, even though we could do better */
4dbe32
+		if ((token = strtok(line, " \t\n")) == NULL)
4dbe32
+			continue;
Jan F 5b4ccb
+		if (strcmp(name, token) == 0) {
Jan F 5b4ccb
+			/* we matched on client principal */
Jan F 5b4ccb
+			found_principal = 1;
Jan F 5b4ccb
+			if ((token = strtok(NULL, " \t\n")) == NULL) {
Jan F 5b4ccb
+				/* only shell is allowed */
Jan F 5b4ccb
+				k5users_allowed_cmds[ncommands-1] =
Jan F 5b4ccb
+				    xstrdup(pw->pw_shell);
Jan F 5b4ccb
+				k5users_allowed_cmds =
535d34
+				    xreallocarray(k5users_allowed_cmds, ++ncommands,
Jan F 5b4ccb
+					sizeof(*k5users_allowed_cmds));
Jan F 5b4ccb
+				break;
Jan F 5b4ccb
+			}
Jan F 5b4ccb
+			/* process the allowed commands */
Jan F 5b4ccb
+			while (token) {
Jan F 5b4ccb
+				if (strcmp(token, "*") == 0) {
Jan F 5b4ccb
+					allcommands = 1;
Jan F 5b4ccb
+					break;
Jan F 5b4ccb
+				}
Jan F 5b4ccb
+				k5users_allowed_cmds[ncommands-1] =
Jan F 5b4ccb
+				    xstrdup(token);
Jan F 5b4ccb
+				k5users_allowed_cmds =
535d34
+				    xreallocarray(k5users_allowed_cmds, ++ncommands,
Jan F 5b4ccb
+					sizeof(*k5users_allowed_cmds));
Jan F 5b4ccb
+				token = strtok(NULL, " \t\n");
Jan F 5b4ccb
+			}
Jan F 5b4ccb
+		}
Jan F 5b4ccb
+       }
Jan F 5b4ccb
+	if (k5users_allowed_cmds) {
Jan F 5b4ccb
+		/* terminate vector */
Jan F 5b4ccb
+		k5users_allowed_cmds[ncommands-1] = NULL;
Jan F 5b4ccb
+		/* if all commands are allowed, free vector */
Jan F 5b4ccb
+		if (allcommands) {
Jan F 5b4ccb
+			int i;
Jan F 5b4ccb
+			for (i = 0; i < ncommands; i++) {
Jan F 5b4ccb
+				free(k5users_allowed_cmds[i]);
Jan F 5b4ccb
+			}
Jan F 5b4ccb
+			free(k5users_allowed_cmds);
Jan F 5b4ccb
+			k5users_allowed_cmds = NULL;
Jan F 5b4ccb
+		}
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+	fclose(fp);
Jan F 5b4ccb
+	return found_principal;
Jan F 5b4ccb
+}
Jan F 5b4ccb
+ 
Jan F 5b4ccb
 
Jan F 5b4ccb
 /* This writes out any forwarded credentials from the structure populated
Jan F 5b4ccb
  * during userauth. Called after we have setuid to the user */
7463b6
diff --git a/session.c b/session.c
190035
index 28659ec..9c94d8e 100644
7463b6
--- a/session.c
7463b6
+++ b/session.c
190035
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
7463b6
 		command = forced_command;
7463b6
 		forced = "(key-option)";
Jan F 5b4ccb
 	}
Jan F 5b4ccb
+#ifdef GSSAPI
Jan F 5b4ccb
+#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
Jan F 5b4ccb
+	else if (k5users_allowed_cmds) {
Jan F 5b4ccb
+		const char *match = command;
Jan F 5b4ccb
+		int allowed = 0, i = 0;
7463b6
+
Jan F 5b4ccb
+		if (!match)
Jan F 5b4ccb
+			match = s->pw->pw_shell;
Jan F 5b4ccb
+		while (k5users_allowed_cmds[i]) {
Jan F 5b4ccb
+			if (strcmp(match, k5users_allowed_cmds[i++]) == 0) {
Jan F 5b4ccb
+				debug("Allowed command '%.900s'", match);
Jan F 5b4ccb
+				allowed = 1;
Jan F 5b4ccb
+				break;
Jan F 5b4ccb
+			}
Jan F 5b4ccb
+		}
Jan F 5b4ccb
+		if (!allowed) {
Jan F 5b4ccb
+			debug("command '%.900s' not allowed", match);
Jan F 5b4ccb
+			return 1;
Jan F 5b4ccb
+		}
Jan F 5b4ccb
+	}
Jan F 5b4ccb
+#endif
Jan F 5b4ccb
+#endif
Jan F 5b4ccb
+
7463b6
 	if (forced != NULL) {
7463b6
 		if (IS_INTERNAL_SFTP(command)) {
7463b6
 			s->is_subsystem = s->is_subsystem ?
7463b6
diff --git a/ssh-gss.h b/ssh-gss.h
7463b6
index 0374c88..509109a 100644
7463b6
--- a/ssh-gss.h
7463b6
+++ b/ssh-gss.h
84822b
@@ -49,6 +49,10 @@
84822b
 #  endif /* !HAVE_DECL_GSS_C_NT_... */
84822b
 
84822b
 # endif /* !HEIMDAL */
84822b
+
84822b
+/* .k5users support */
84822b
+extern char **k5users_allowed_cmds;
84822b
+
84822b
 #endif /* KRB5 */
84822b
 
84822b
 /* draft-ietf-secsh-gsskeyex-06 */
7463b6
diff --git a/sshd.8 b/sshd.8
190035
index adcaaf9..824163b 100644
7463b6
--- a/sshd.8
7463b6
+++ b/sshd.8
190035
@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
Jan F 5b4ccb
 The client tries to authenticate itself using
Jan F 5b4ccb
 host-based authentication,
Jan F 5b4ccb
 public key authentication,
Jan F 5b4ccb
+GSSAPI authentication,
Jan F 5b4ccb
 challenge-response authentication,
Jan F 5b4ccb
 or password authentication.
Jan F 5b4ccb
 .Pp
7463b6
@@ -800,6 +801,12 @@ This file is used in exactly the same way as
Jan F 5b4ccb
 but allows host-based authentication without permitting login with
Jan F 5b4ccb
 rlogin/rsh.
Jan F 5b4ccb
 .Pp
Jan F 5b4ccb
+.It Pa ~/.k5login
Jan F 5b4ccb
+.It Pa ~/.k5users
Jan F 5b4ccb
+These files enforce GSSAPI/Kerberos authentication access control.
Jan F 5b4ccb
+Further details are described in
Jan F 5b4ccb
+.Xr ksu 1 .
Jan F 5b4ccb
+.Pp
Jan F 5b4ccb
 .It Pa ~/.ssh/
Jan F 5b4ccb
 This directory is the default location for all user-specific configuration
Jan F 5b4ccb
 and authentication information.