rpms / openssh

Clone
Source Code
GIT

Files

  1.   aad4430f1773ba730e4673703099d5c05050acf3
  2.   openssh-7.5p1-gss-environment.patch
Blob Blame History Raw 
diff --git a/auth-krb5.c b/auth-krb5.c
index 09ed151..282fcca 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -182,7 +182,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 		goto out;
 	}
 
-	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
+	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
+	    &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
 	if (problem)
 		goto out;
 
@@ -192,7 +192,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
 
 #ifdef USE_PAM
-	if (options.use_pam)
+	if (options.use_pam && authctxt->krb5_set_env)
 		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
 #endif
 
@@ -412,7 +413,7 @@ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
 
 #ifndef HEIMDAL
 krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
 	int tmpfd, ret, oerrno;
 	char *ccname;
 #ifdef USE_CCAPI
@@ -423,8 +424,10 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 
 #endif
 
+	if (need_environment)
+		*need_environment = 0;
 	ret = ssh_krb5_get_cctemplate(ctx, &ccname);
-
+	/* fallback to the ccache in /tmp */
 	if (ret) {
 		ret = asprintf(&ccname, cctemplate, geteuid());
 		if (ret == -1)
@@ -444,6 +447,9 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 			close(tmpfd);
 			return oerrno;
 		}
+		/* make sure the KRBCCNAME is set for non-standard location */
+		if (need_environment)
+			*need_environment = 1;
 		close(tmpfd);
 	}
 	debug("%s: Setting ccname to %s", __func__, ccname);
diff --git a/auth.h b/auth.h
index 954a0dd..0819483 100644
--- a/auth.h
+++ b/auth.h
@@ -78,6 +78,7 @@ struct Authctxt {
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
 	char		*krb5_ccname;
+	int		 krb5_set_env;
 #endif
 	struct sshbuf	*loginmsg;
 
@@ -220,7 +221,7 @@ int	 sys_auth_passwd(Authctxt *, const char *);
 
 #if defined(KRB5) && !defined(HEIMDAL)
 #include <krb5.h>
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *, int *);
 krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
 	char **k5login_directory);
 #endif
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 0fa3838..4127245 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -382,7 +382,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
 
-static void
+static int
 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 {
 	krb5_ccache ccache;
@@ -391,14 +391,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 	OM_uint32 maj_status, min_status;
 	const char *new_ccname, *new_cctype;
 	const char *errmsg;
+	int set_env = 0;
 
 	if (client->creds == NULL) {
 		debug("No credentials stored");
-		return;
+		return 0;
 	}
 
 	if (ssh_gssapi_krb5_init() == 0)
-		return;
+		return 0;
 
 #ifdef HEIMDAL
 # ifdef HAVE_KRB5_CC_NEW_UNIQUE
@@ -412,14 +413,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 		krb5_get_err_text(krb_context, problem));
 # endif
 		krb5_free_error_message(krb_context, errmsg);
-		return;
+		return 0;
 	}
 #else
-	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
+	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache, &set_env))) {
 		errmsg = krb5_get_error_message(krb_context, problem);
 		logit("ssh_krb5_cc_gen(): %.100s", errmsg);
 		krb5_free_error_message(krb_context, errmsg);
-		return;
+		return 0;
 	}
 #endif	/* #ifdef HEIMDAL */
 
@@ -428,7 +429,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 		errmsg = krb5_get_error_message(krb_context, problem);
 		logit("krb5_parse_name(): %.100s", errmsg);
 		krb5_free_error_message(krb_context, errmsg);
-		return;
+		return 0;
 	}
 
 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
@@ -437,7 +438,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 		krb5_free_error_message(krb_context, errmsg);
 		krb5_free_principal(krb_context, princ);
 		krb5_cc_destroy(krb_context, ccache);
-		return;
+		return 0;
 	}
 
 	krb5_free_principal(krb_context, princ);
@@ -446,7 +447,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 	    client->creds, ccache))) {
 		logit("gss_krb5_copy_ccache() failed");
 		krb5_cc_destroy(krb_context, ccache);
-		return;
+		return 0;
 	}
 
 	new_cctype = krb5_cc_get_type(krb_context, ccache);
@@ -471,7 +478,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 #endif
 
 #ifdef USE_PAM
-	if (options.use_pam)
+	if (options.use_pam && set_env)
 		do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
 
@@ -479,7 +486,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 
 	client->store.data = krb_context;
 
-	return;
+	return set_env;
 }
 
 int
diff --git a/gss-serv.c b/gss-serv.c
index 681847a..2a02dae 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -404,7 +404,7 @@ ssh_gssapi_cleanup_creds(void)
 			debug("%s: krb5_cc_resolve(): %.100s", __func__,
 				krb5_get_err_text(gssapi_client.store.data, problem));
 		} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
-			debug("%s: krb5_cc_resolve(): %.100s", __func__,
+			debug("%s: krb5_cc_destroy(): %.100s", __func__,
 				krb5_get_err_text(gssapi_client.store.data, problem));
 		} else {
 			krb5_free_context(gssapi_client.store.data);
@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void)
 }
 
 /* As user */
-void
+int
 ssh_gssapi_storecreds(void)
 {
 	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
-		(*gssapi_client.mech->storecreds)(&gssapi_client);
+		return (*gssapi_client.mech->storecreds)(&gssapi_client);
 	} else
 		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+	return 0;
 }
 
 /* This allows GSSAPI methods to do things to the childs environment based
diff --git a/session.c b/session.c
index df4985a..b7a6a57 100644
--- a/session.c
+++ b/session.c
@@ -1084,7 +1084,8 @@ do_setup_env(Session *s, const char *shell)
 	/* Allow any GSSAPI methods that we've used to alter
 	 * the childs environment as they see fit
 	 */
-	ssh_gssapi_do_child(&env, &envsize);
+	if (s->authctxt->krb5_set_env)
+		ssh_gssapi_do_child(&env, &envsize);
 #endif
 
 	/* Set basic environment. */
@@ -1196,7 +1197,7 @@ do_setup_env(Session *s, const char *shell)
 	}
 #endif
 #ifdef KRB5
-	if (s->authctxt->krb5_ccname)
+	if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
 		child_set_env(&env, &envsize, "KRB5CCNAME",
 		    s->authctxt->krb5_ccname);
 #endif
diff --git a/ssh-gss.h b/ssh-gss.h
index 6f2b0ac..73ef2c2 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -106,7 +106,7 @@ typedef struct ssh_gssapi_mech_struct {
 	int (*dochild) (ssh_gssapi_client *);
 	int (*userok) (ssh_gssapi_client *, char *);
 	int (*localname) (ssh_gssapi_client *, char **);
-	void (*storecreds) (ssh_gssapi_client *);
+	int (*storecreds) (ssh_gssapi_client *);
 	int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
 } ssh_gssapi_mech;
 
@@ -163,7 +163,7 @@ char* ssh_gssapi_get_displayname(void);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
 const char *ssh_gssapi_displayname(void);
 
 char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index ce2e374..3c4e13e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2221,7 +2221,7 @@ main(int ac, char **av)
 #ifdef GSSAPI
 	if (options.gss_authentication) {
 		temporarily_use_uid(authctxt->pw);
-		ssh_gssapi_storecreds();
+		authctxt->krb5_set_env = ssh_gssapi_storecreds();
 		restore_uid();
 	}
 #endif
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.