diff --git a/auth-krb5.c b/auth-krb5.c
index 09ed151..282fcca 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -182,7 +182,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 goto out;
 }
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
 if (problem)
 goto out;
@@ -192,7 +192,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 #ifdef USE_PAM
- if (options.use_pam)
+ if (options.use_pam && authctxt->krb5_set_env)
 do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
 #endif
@@ -412,7 +413,7 @@ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
 #ifndef HEIMDAL
 krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
 int tmpfd, ret, oerrno;
 char *ccname;
 #ifdef USE_CCAPI
@@ -423,8 +424,10 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 #endif
+ if (need_environment)
+ *need_environment = 0;
 ret = ssh_krb5_get_cctemplate(ctx, &ccname);
-
+ /* fallback to the ccache in /tmp */
 if (ret) {
 ret = asprintf(&ccname, cctemplate, geteuid());
 if (ret == -1)
@@ -444,6 +447,9 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 close(tmpfd);
 return oerrno;
 }
+ /* make sure the KRBCCNAME is set for non-standard location */
+ if (need_environment)
+ *need_environment = 1;
 close(tmpfd);
 }
 debug("%s: Setting ccname to %s", __func__, ccname);
diff --git a/auth.h b/auth.h
index 954a0dd..0819483 100644
--- a/auth.h
+++ b/auth.h
@@ -78,6 +78,7 @@ struct Authctxt {
 krb5_principal krb5_user;
 char *krb5_ticket_file;
 char *krb5_ccname;
+ int krb5_set_env;
 #endif
 struct sshbuf *loginmsg;
@@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *);
 #if defined(KRB5) && !defined(HEIMDAL)
 #include
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *, int *);
 krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory);
 #endif
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 0fa3838..4127245 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -382,7 +382,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
 /* This writes out any forwarded credentials from the structure populated
 * during userauth. Called after we have setuid to the user */
-static void
+static int
 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 {
 krb5_ccache ccache;
@@ -391,14 +391,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 OM_uint32 maj_status, min_status;
 const char *new_ccname, *new_cctype;
 const char *errmsg;
+ int set_env = 0;
 if (client->creds == NULL) {
 debug("No credentials stored");
- return;
+ return 0;
 }
 if (ssh_gssapi_krb5_init() == 0)
- return;
+ return 0;
 #ifdef HEIMDAL
 # ifdef HAVE_KRB5_CC_NEW_UNIQUE
@@ -412,14 +413,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 krb5_get_err_text(krb_context, problem));
 # endif
 krb5_free_error_message(krb_context, errmsg);
- return;
+ return 0;
 }
 #else
- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
+ if ((problem = ssh_krb5_cc_gen(krb_context, &ccache, &set_env))) {
 errmsg = krb5_get_error_message(krb_context, problem);
 logit("ssh_krb5_cc_gen(): %.100s", errmsg);
 krb5_free_error_message(krb_context, errmsg);
- return;
+ return 0;
 }
 #endif /* #ifdef HEIMDAL */
@@ -428,7 +429,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 errmsg = krb5_get_error_message(krb_context, problem);
 logit("krb5_parse_name(): %.100s", errmsg);
 krb5_free_error_message(krb_context, errmsg);
- return;
+ return 0;
 }
 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
@@ -437,7 +438,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 krb5_free_error_message(krb_context, errmsg);
 krb5_free_principal(krb_context, princ);
 krb5_cc_destroy(krb_context, ccache);
- return;
+ return 0;
 }
 krb5_free_principal(krb_context, princ);
@@ -446,7 +447,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 client->creds, ccache))) {
 logit("gss_krb5_copy_ccache() failed");
 krb5_cc_destroy(krb_context, ccache);
- return;
+ return 0;
 }
 new_cctype = krb5_cc_get_type(krb_context, ccache);
@@ -471,7 +478,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 #endif
 #ifdef USE_PAM
- if (options.use_pam)
+ if (options.use_pam && set_env)
 do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
@@ -479,7 +486,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 client->store.data = krb_context;
- return;
+ return set_env;
 }
 int
diff --git a/gss-serv.c b/gss-serv.c
index 681847a..2a02dae 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -404,7 +404,7 @@ ssh_gssapi_cleanup_creds(void)
 debug("%s: krb5_cc_resolve(): %.100s", __func__,
 krb5_get_err_text(gssapi_client.store.data, problem));
 } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
- debug("%s: krb5_cc_resolve(): %.100s", __func__,
+ debug("%s: krb5_cc_destroy(): %.100s", __func__,
 krb5_get_err_text(gssapi_client.store.data, problem));
 } else {
 krb5_free_context(gssapi_client.store.data);
@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void)
 }
 /* As user */
-void
+int
 ssh_gssapi_storecreds(void)
 {
 if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
 } else
 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
 }
 /* This allows GSSAPI methods to do things to the childs environment based
diff --git a/session.c b/session.c
index df4985a..b7a6a57 100644
--- a/session.c
+++ b/session.c
@@ -1084,7 +1084,8 @@ do_setup_env(Session *s, const char *shell)
 /* Allow any GSSAPI methods that we've used to alter
 * the childs environment as they see fit */
- ssh_gssapi_do_child(&env, &envsize);
+ if (s->authctxt->krb5_set_env)
+ ssh_gssapi_do_child(&env, &envsize);
 #endif
 /* Set basic environment. */
@@ -1196,7 +1197,7 @@ do_setup_env(Session *s, const char *shell)
 }
 #endif
 #ifdef KRB5
- if (s->authctxt->krb5_ccname)
+ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
 child_set_env(&env, &envsize, "KRB5CCNAME",
 s->authctxt->krb5_ccname);
 #endif
diff --git a/ssh-gss.h b/ssh-gss.h
index 6f2b0ac..73ef2c2 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -106,7 +106,7 @@ typedef struct ssh_gssapi_mech_struct {
 int (*dochild) (ssh_gssapi_client *);
 int (*userok) (ssh_gssapi_client *, char *);
 int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
 int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
 } ssh_gssapi_mech;
@@ -163,7 +163,7 @@ char* ssh_gssapi_get_displayname(void);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
 const char *ssh_gssapi_displayname(void);
 char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index ce2e374..3c4e13e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2221,7 +2221,7 @@ main(int ac, char **av)
 #ifdef GSSAPI
 if (options.gss_authentication) {
 temporarily_use_uid(authctxt->pw);
- ssh_gssapi_storecreds();
+ authctxt->krb5_set_env = ssh_gssapi_storecreds();
 restore_uid();
 }
 #endif
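Review bot: The comment added above `*need_environment = 1` in the `@@ -444` hunk misspells the variable it is about (`KRBCCNAME`); the code that consumes this flag puts `KRB5CCNAME` into PAM and the child environment, so it should read `/* ccache is in the /tmp fallback, not the library default: KRB5CCNAME must be exported */`. Because `need_environment` is the only way callers learn whether the cache is discoverable without that variable, the header comment of `ssh_krb5_cc_gen` (outside this hunk) should state the contract: the pointer may be NULL, it is cleared on entry, and it is set to 1 only when the `cctemplate` fallback path is taken. If `ssh_krb5_get_cctemplate` can return a name the krb5 library would not resolve by default, nothing here flags it, which is worth confirming. `ssh_krb5_cc_gen` begins and ends outside this hunk.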
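Review bot: `krb5_set_env` in the auth.h hunk is added among the `krb5_*` members immediately before an `#endif`, which appears to be the KRB5 conditional of `struct Authctxt`, yet the same patch reads it from `#ifdef GSSAPI` code in session.c (`s->authctxt->krb5_set_env`) and sshd.c (`authctxt->krb5_set_env = ssh_gssapi_storecreds()`), so a GSSAPI build without KRB5 would presumably fail to compile. Either declare the field outside that conditional or guard the two readers with `#ifdef KRB5`. The member also deserves a one-line comment, e.g. `int krb5_set_env; /* non-zero: ccache is not at the library default, export KRB5CCNAME */`. The struct continues outside the hunk.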
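Review bot: In the `@@ -412` hunk `set_env` can only become 1 through `ssh_krb5_cc_gen`, which is called in the `#else` (MIT) branch; nothing visible in the `#ifdef HEIMDAL` branch, where the cache comes from `krb5_cc_new_unique`, ever sets it, so on Heimdal builds `storecreds` returns 0 and neither the `do_pam_putenv` at the end of this function nor the session's `ssh_gssapi_do_child` will export the cache name. Unless the Heimdal cache is known to be the library default (the hunk does not show that), add `set_env = 1;` after the cache is created in that branch, or decouple the return value from the MIT-only flag. The function starts before this hunk.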
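Review bot: The `return 0;` after the `krb5_parse_name()` failure in the `@@ -428` hunk leaves the cache created just above by `ssh_krb5_cc_gen` (or `krb5_cc_new_unique`) in place; the `krb5_cc_initialize` failure path that follows does call `krb5_cc_destroy`, this one does not, so an empty ccache file can be left behind in /tmp. This is pre-existing rather than introduced here, but since the line is being rewritten it should become `krb5_cc_destroy(krb_context, ccache);` followed by `return 0;`. The function continues past this hunk.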
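Review bot: The new guard in the session.c `@@ -1084` hunk makes `ssh_gssapi_do_child`, which dispatches to whichever mechanism's `dochild` hook is registered, conditional on a Kerberos-specific flag that, from what this patch shows, is only raised on the MIT `ssh_krb5_cc_gen` fallback path; any other mechanism's child-environment setup, and apparently the Heimdal build, is silently skipped. If the intent is only to suppress `KRB5CCNAME`, that decision belongs inside the krb5 `dochild` callback, leaving `ssh_gssapi_do_child(&env, &envsize);` unconditional here. At minimum the guard needs a comment, e.g. `/* krb5_set_env: ccache is not at the library default, so the mech must export its location */`. `do_setup_env` starts and ends outside this hunk.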
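Review bot: `storecreds` in the ssh-gss.h `@@ -106` hunk changes from `void` to `int`, but the header gives no hint what the value means, and callers now store it straight into `authctxt->krb5_set_env`, so the contract should be spelled out next to the member, e.g. `int (*storecreds) (ssh_gssapi_client *); /* non-zero: stored ccache is not at the library default, export its name */`. The same note belongs on the `ssh_gssapi_storecreds` prototype in the `@@ -163` hunk, since it returns 0 both for "not a GSSAPI mechanism" and for a failed store.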
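Review bot: `authctxt->krb5_set_env = ssh_gssapi_storecreds();` in the sshd.c hunk unconditionally overwrites the flag, while `ssh_gssapi_storecreds` returns 0 whenever the mechanism is not GSSAPI-Kerberos, no credentials were delegated, or any store step failed. If the same `authctxt` was filled in by `auth_krb5_password` (which sets `krb5_set_env` through `ssh_krb5_cc_gen` and records `krb5_ccname`), that value is lost and the session.c test `s->authctxt->krb5_ccname && s->authctxt->krb5_set_env` no longer exports `KRB5CCNAME` for a password-authenticated user whose cache sits in the /tmp fallback — assuming the field survives to this point under privsep, which the hunk does not show. Only raising the flag avoids that: `if (ssh_gssapi_storecreds()) authctxt->krb5_set_env = 1;`. `main` continues outside this hunk.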