- improoved kuserok patch
This commit is contained in:
Jan F
parent
5daee12df3
commit
82036abfa2
@ -1,70 +1,59 @@
|
||||
diff -up openssh-5.6p1/auth-krb5.c.kuserok openssh-5.6p1/auth-krb5.c
|
||||
--- openssh-5.6p1/auth-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200
|
||||
+++ openssh-5.6p1/auth-krb5.c 2010-09-15 15:39:48.000000000 +0200
|
||||
@@ -146,9 +146,21 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
--- openssh-5.6p1/auth-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/auth-krb5.c 2010-11-15 10:11:02.000000000 +0100
|
||||
@@ -54,6 +54,20 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
+int
|
||||
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
|
||||
+{
|
||||
+ if (options.use_kuserok)
|
||||
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
|
||||
+ else {
|
||||
+ char kuser[65];
|
||||
+
|
||||
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
|
||||
+ return 0;
|
||||
+ return strcmp(kuser, client) == 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
- problem = -1;
|
||||
- goto out;
|
||||
+ if (options.use_kuserok) {
|
||||
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
+ problem = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ } else {
|
||||
+ char kuser[65];
|
||||
+ if (krb5_aname_to_localname(authctxt->krb5_ctx, authctxt->krb5_user, sizeof(kuser), kuser)) {
|
||||
+ problem = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (strcmp(kuser, client)) {
|
||||
+ problem = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
||||
diff -up openssh-5.6p1/gss-serv-krb5.c.kuserok openssh-5.6p1/gss-serv-krb5.c
|
||||
--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-09-15 15:39:48.000000000 +0200
|
||||
+++ openssh-5.6p1/gss-serv-krb5.c 2010-09-15 15:49:43.000000000 +0200
|
||||
@@ -97,13 +97,25 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
--- openssh-5.6p1/gss-serv-krb5.c.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/gss-serv-krb5.c 2010-11-15 10:12:35.000000000 +0100
|
||||
@@ -57,6 +57,7 @@ extern ServerOptions options;
|
||||
#endif
|
||||
|
||||
static krb5_context krb_context = NULL;
|
||||
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
|
||||
@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
krb5_get_err_text(krb_context, retval));
|
||||
return 0;
|
||||
}
|
||||
- if (krb5_kuserok(krb_context, princ, name)) {
|
||||
- retval = 1;
|
||||
- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
- name, (char *)client->displayname.value);
|
||||
- } else
|
||||
- retval = 0;
|
||||
-
|
||||
+ if (options.use_kuserok) {
|
||||
+ if (krb5_kuserok(krb_context, princ, name)) {
|
||||
+ retval = 1;
|
||||
+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
+ name, (char *)client->displayname.value);
|
||||
+ } else
|
||||
+ retval = 0;
|
||||
+ } else {
|
||||
+ char kuser[65];
|
||||
+ if (krb5_aname_to_localname(krb_context, princ, sizeof(kuser), kuser))
|
||||
+ retval = 0;
|
||||
+ else if (strcmp(kuser, client))
|
||||
+ retval = 0;
|
||||
+ else {
|
||||
+ retval = 1;
|
||||
+ logit("Authorized to %s, krb5 principal %s (krb5)",
|
||||
+ name, (char *)client->displayname.value);
|
||||
+ }
|
||||
+ }
|
||||
krb5_free_principal(krb_context, princ);
|
||||
return retval;
|
||||
}
|
||||
+ if (ssh_krb5_kuserok(krb_context, princ, name)) {
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
--- openssh-5.6p1/servconf.c.kuserok 2010-09-15 15:39:48.000000000 +0200
|
||||
+++ openssh-5.6p1/servconf.c 2010-09-15 15:39:48.000000000 +0200
|
||||
--- openssh-5.6p1/servconf.c.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/servconf.c 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions
|
||||
options->revoked_keys_file = NULL;
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
@ -133,8 +122,8 @@ diff -up openssh-5.6p1/servconf.c.kuserok openssh-5.6p1/servconf.c
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
|
||||
--- openssh-5.6p1/servconf.h.kuserok 2010-09-15 15:39:48.000000000 +0200
|
||||
+++ openssh-5.6p1/servconf.h 2010-09-15 15:39:48.000000000 +0200
|
||||
--- openssh-5.6p1/servconf.h.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/servconf.h 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -157,6 +157,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
@ -144,8 +133,8 @@ diff -up openssh-5.6p1/servconf.h.kuserok openssh-5.6p1/servconf.h
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
|
||||
--- openssh-5.6p1/sshd_config.5.kuserok 2010-09-15 15:39:48.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd_config.5 2010-09-15 15:39:48.000000000 +0200
|
||||
--- openssh-5.6p1/sshd_config.5.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd_config.5 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -564,6 +564,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
@ -166,8 +155,8 @@ diff -up openssh-5.6p1/sshd_config.5.kuserok openssh-5.6p1/sshd_config.5
|
||||
.Cm MaxSessions ,
|
||||
.Cm PubkeyAuthentication ,
|
||||
diff -up openssh-5.6p1/sshd_config.kuserok openssh-5.6p1/sshd_config
|
||||
--- openssh-5.6p1/sshd_config.kuserok 2010-09-15 15:39:48.000000000 +0200
|
||||
+++ openssh-5.6p1/sshd_config 2010-09-15 15:39:48.000000000 +0200
|
||||
--- openssh-5.6p1/sshd_config.kuserok 2010-11-15 10:08:05.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd_config 2010-11-15 10:08:05.000000000 +0100
|
||||
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.6p1
|
||||
%define openssh_rel 16
|
||||
%define openssh_rel 17
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 27
|
||||
|
||||
@ -589,6 +589,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Nov 15 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-17 + 0.9.2-27
|
||||
- improoved kuserok patch
|
||||
|
||||
* Fri Nov 5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-16 + 0.9.2-27
|
||||
- add auditing the host based key ussage
|
||||
- repait X11 abstract layer socket (#648896)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user