From 8c9e97e65a4ce8837d9e3b8b263815ead12472f9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Oct 19 2017 14:09:53 +0000
Subject: Do not export KRBCCNAME if the default path is used (#1199363)
---
diff --git a/openssh-7.5p1-gss-environment.patch b/openssh-7.5p1-gss-environment.patch
new file mode 100644
index 0000000..cba5696
--- /dev/null
+++ b/openssh-7.5p1-gss-environment.patch
@@ -0,0 +1,259 @@
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 09ed151..282fcca 100644
+--- a/auth-krb5.c
++++ b/auth-krb5.c
+@@ -182,7 +182,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+ goto out;
+ }
+ 
+- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
++ problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
++ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
+ if (problem)
+ goto out;
+ 
+@@ -192,7 +192,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+ 
+ 
+ #ifdef USE_PAM
+- if (options.use_pam)
++ if (options.use_pam && authctxt->krb5_set_env)
+ do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
+ #endif
+ 
+@@ -412,7 +413,7 @@ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ 
+ #ifndef HEIMDAL
+ krb5_error_code
+-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
++ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno;
+ char *ccname;
+ #ifdef USE_CCAPI
+@@ -423,8 +424,10 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ 
+ #endif
+ 
++ if (need_environment)
++ *need_environment = 0;
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
+- 
++ /* fallback to the ccache in /tmp */
+ if (ret) {
+ ret = asprintf(&ccname, cctemplate, geteuid());
+ if (ret == -1)
+@@ -444,6 +447,9 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ close(tmpfd);
+ return oerrno;
+ }
++ /* make sure the KRBCCNAME is set for non-standard location */
++ if (need_environment)
++ *need_environment = 1;
+ close(tmpfd);
+ }
+ debug("%s: Setting ccname to %s", __func__, ccname);
+diff --git a/auth.h b/auth.h
+index 954a0dd..0819483 100644
+--- a/auth.h
++++ b/auth.h
+@@ -78,6 +78,7 @@ struct Authctxt {
+ krb5_principal krb5_user;
+ char *krb5_ticket_file;
+ char *krb5_ccname;
++ int krb5_set_env;
+ #endif
+ Buffer *loginmsg;
+ void *methoddata;
+@@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *);
+ 
+ #if defined(KRB5) && 
!defined(HEIMDAL)
+ #include 
+-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
++krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *, int *);
+ krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+ char **k5login_directory);
+ #endif
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 0fa3838..4127245 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -382,7 +382,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ /* This writes out any forwarded credentials from the structure populated
+ * during userauth. Called after we have setuid to the user */
+ 
+-static void
++static int
+ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ {
+ krb5_ccache ccache;
+@@ -391,14 +391,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ OM_uint32 maj_status, min_status;
+ const char *new_ccname, *new_cctype;
+ const char *errmsg;
++ int set_env = 0;
+ 
+ if (client->creds == NULL) {
+ debug("No credentials stored");
+- return;
++ return 0;
+ }
+ 
+ if (ssh_gssapi_krb5_init() == 0)
+- return;
++ return 0;
+ 
+ #ifdef HEIMDAL
+ # ifdef HAVE_KRB5_CC_NEW_UNIQUE
+@@ -412,14 +413,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ krb5_get_err_text(krb_context, problem));
+ # endif
+ krb5_free_error_message(krb_context, errmsg);
+- return;
++ return 0;
+ }
+ #else
+- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
++ if ((problem = ssh_krb5_cc_gen(krb_context, &ccache, &set_env))) {
+ errmsg = krb5_get_error_message(krb_context, problem);
+ logit("ssh_krb5_cc_gen(): %.100s", errmsg);
+ krb5_free_error_message(krb_context, errmsg);
+- return;
++ return 0;
+ }
+ #endif /* #ifdef HEIMDAL */
+ 
+@@ -428,7 +429,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ errmsg = krb5_get_error_message(krb_context, problem);
+ logit("krb5_parse_name(): %.100s", errmsg);
+ krb5_free_error_message(krb_context, errmsg);
+- return;
++ return 0;
+ }
+ 
+ if ((problem = krb5_cc_initialize(krb_context, 
ccache, princ))) {
+@@ -437,7 +438,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ krb5_free_error_message(krb_context, errmsg);
+ krb5_free_principal(krb_context, princ);
+ krb5_cc_destroy(krb_context, ccache);
+- return;
++ return 0;
+ }
+ 
+ krb5_free_principal(krb_context, princ);
+@@ -446,7 +447,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ client->creds, ccache))) {
+ logit("gss_krb5_copy_ccache() failed");
+ krb5_cc_destroy(krb_context, ccache);
+- return;
++ return 0;
+ }
+ 
+ new_cctype = krb5_cc_get_type(krb_context, ccache);
+@@ -471,7 +478,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ #endif
+ 
+ #ifdef USE_PAM
+- if (options.use_pam)
++ if (options.use_pam && set_env)
+ do_pam_putenv(client->store.envvar, client->store.envval);
+ #endif
+ 
+@@ -479,7 +486,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 
+ client->store.data = krb_context;
+ 
+- return;
++ return set_env;
+ }
+ 
+ int
+diff --git a/gss-serv.c b/gss-serv.c
+index 681847a..2a02dae 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -404,7 +404,7 @@ ssh_gssapi_cleanup_creds(void)
+ debug("%s: krb5_cc_resolve(): %.100s", __func__,
+ krb5_get_err_text(gssapi_client.store.data, problem));
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
+- debug("%s: krb5_cc_resolve(): %.100s", __func__,
++ debug("%s: krb5_cc_destroy(): %.100s", __func__,
+ krb5_get_err_text(gssapi_client.store.data, problem));
+ } else {
+ krb5_free_context(gssapi_client.store.data);
+@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void)
+ }
+ 
+ /* As user */
+-void
++int
+ ssh_gssapi_storecreds(void)
+ {
+ if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+- (*gssapi_client.mech->storecreds)(&gssapi_client);
++ return (*gssapi_client.mech->storecreds)(&gssapi_client);
+ } else
+ debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
++ 
++ return 0;
+ }
+ 
+ /* This allows GSSAPI methods to do things to the childs environment based
+diff --git 
a/session.c b/session.c
+index df4985a..b7a6a57 100644
+--- a/session.c
++++ b/session.c
+@@ -1084,7 +1084,8 @@ do_setup_env(Session *s, const char *shell)
+ /* Allow any GSSAPI methods that we've used to alter
+ * the childs environment as they see fit
+ */
+- ssh_gssapi_do_child(&env, &envsize);
++ if (s->authctxt->krb5_set_env)
++ ssh_gssapi_do_child(&env, &envsize);
+ #endif
+ 
+ /* Set basic environment. */
+@@ -1196,7 +1197,7 @@ do_setup_env(Session *s, const char *shell)
+ }
+ #endif
+ #ifdef KRB5
+- if (s->authctxt->krb5_ccname)
++ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
+ child_set_env(&env, &envsize, "KRB5CCNAME",
+ s->authctxt->krb5_ccname);
+ #endif
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 6f2b0ac..73ef2c2 100644
+--- a/ssh-gss.h
++++ b/ssh-gss.h
+@@ -106,7 +106,7 @@ typedef struct ssh_gssapi_mech_struct {
+ int (*dochild) (ssh_gssapi_client *);
+ int (*userok) (ssh_gssapi_client *, char *);
+ int (*localname) (ssh_gssapi_client *, char **);
+- void (*storecreds) (ssh_gssapi_client *);
++ int (*storecreds) (ssh_gssapi_client *);
+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
+ } ssh_gssapi_mech;
+ 
+@@ -163,7 +163,7 @@ char* ssh_gssapi_get_displayname(void);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_do_child(char ***, u_int *);
+ void ssh_gssapi_cleanup_creds(void);
+-void ssh_gssapi_storecreds(void);
++int ssh_gssapi_storecreds(void);
+ 
+ char *ssh_gssapi_server_mechanisms(void);
+ int ssh_gssapi_oid_table_ok();
+diff --git a/sshd.c b/sshd.c
+index ce2e374..3c4e13e 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2221,7 +2221,7 @@ main(int ac, char **av)
+ #ifdef GSSAPI
+ if (options.gss_authentication) {
+ temporarily_use_uid(authctxt->pw);
+- ssh_gssapi_storecreds();
++ authctxt->krb5_set_env = ssh_gssapi_storecreds();
+ restore_uid();
+ }
+ #endif
+ 
diff --git a/openssh.spec b/openssh.spec
index 060bd41..5859183 100644
--- a/openssh.spec
+++ b/openssh.spec
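Review bot: `authctxt->krb5_set_env = ssh_gssapi_storecreds();` in the sshd.c hunk discards the value that auth_krb5_password obtained from ssh_krb5_cc_gen, and ssh_gssapi_krb5_storecreds returns 0 whenever `client->creds == NULL`, so a Kerberos-password login on a server with GSSAPIAuthentication enabled but no delegated GSSAPI credentials ends up with the flag cleared and session.c then withholds KRB5CCNAME even for the non-default /tmp fallback ccache that ssh_krb5_cc_gen flagged; merging the result instead of assigning it, `if (ssh_gssapi_storecreds()) authctxt->krb5_set_env = 1;`, keeps both paths working. The HEIMDAL branch of ssh_gssapi_krb5_storecreds never raises `set_env`, so under that build the variable would no longer be exported for the ccache created there — presumably out of scope for this package, but worth a comment next to `int set_env = 0;` saying the flag is only computed for the MIT path. The new comment in ssh_krb5_cc_gen names the variable `KRBCCNAME` while the code sets `KRB5CCNAME`; `/* make sure KRB5CCNAME is set for a non-standard ccache location */` avoids misleading the next reader. ssh_krb5_cc_gen, ssh_gssapi_krb5_storecreds and do_setup_env all extend beyond the quoted hunks.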
@@ -185,6 +185,8 @@ Patch803: openssh-7.1p1-gssapi-documentation.patch
 Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
 # Respect k5login_directory option in krk5.conf (#1328243)
 Patch805: openssh-7.2p2-k5login_directory.patch
+# Do not export KRBCCNAME if the default path is used (#1199363)
+Patch806: openssh-7.5p1-gss-environment.patch
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
@@ -428,6 +430,7 @@ popd
 %patch803 -p1 -b .gss-docs
 %patch804 -p1 -b .ccache_name
 %patch805 -p1 -b .k5login
+%patch806 -p1 -b .gss-env
 # %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok