Do not export KRBCCNAME if the default path is used (#1199363)

2017-09-11 15:54:31 +02:00 · 2017-09-11 15:54:31 +02:00 · 8c9e97e65a
commit 8c9e97e65a
parent ce1afcf244
2 changed files with 262 additions and 0 deletions
--- a/openssh-7.5p1-gss-environment.patch
+++ b/openssh-7.5p1-gss-environment.patch
@ -0,0 +1,259 @@
+diff --git a/auth-krb5.c b/auth-krb5.c
+index 09ed151..282fcca 100644
+--- a/auth-krb5.c
+++ b/auth-krb5.c
+@@ -182,7 +182,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+ 		goto out;
+ 	}
+ 
+-	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
+	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
+	    &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
+ 	if (problem)
+ 		goto out;
+ 
+@@ -192,7 +192,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+ 
+ 
+ #ifdef USE_PAM
+-	if (options.use_pam)
+	if (options.use_pam && authctxt->krb5_set_env)
+ 		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
+ #endif
+ 
+@@ -412,7 +413,7 @@ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ 
+ #ifndef HEIMDAL
+ krb5_error_code
+-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ 	int tmpfd, ret, oerrno;
+ 	char *ccname;
+ #ifdef USE_CCAPI
+@@ -423,8 +424,10 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ 
+ #endif
+ 
+	if (need_environment)
+		*need_environment = 0;
+ 	ret = ssh_krb5_get_cctemplate(ctx, &ccname);
+-
+	/* fallback to the ccache in /tmp */
+ 	if (ret) {
+ 		ret = asprintf(&ccname, cctemplate, geteuid());
+ 		if (ret == -1)
+@@ -444,6 +447,9 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+ 			close(tmpfd);
+ 			return oerrno;
+ 		}
+		/* make sure the KRBCCNAME is set for non-standard location */
+		if (need_environment)
+			*need_environment = 1;
+ 		close(tmpfd);
+ 	}
+ 	debug("%s: Setting ccname to %s", __func__, ccname);
+diff --git a/auth.h b/auth.h
+index 954a0dd..0819483 100644
+--- a/auth.h
+++ b/auth.h
+@@ -78,6 +78,7 @@ struct Authctxt {
+ 	krb5_principal	 krb5_user;
+ 	char		*krb5_ticket_file;
+ 	char		*krb5_ccname;
+	int		 krb5_set_env;
+ #endif
+ 	Buffer		*loginmsg;
+ 	void		*methoddata;
+@@ -220,7 +221,7 @@ int	 sys_auth_passwd(Authctxt *, const char *);
+ 
+ #if defined(KRB5) && !defined(HEIMDAL)
+ #include <krb5.h>
+-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *, int *);
+ krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+ 	char **k5login_directory);
+ #endif
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 0fa3838..4127245 100644
+--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
+@@ -382,7 +382,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+ /* This writes out any forwarded credentials from the structure populated
+  * during userauth. Called after we have setuid to the user */
+ 
+-static void
+static int
+ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ {
+ 	krb5_ccache ccache;
+@@ -391,14 +391,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 	OM_uint32 maj_status, min_status;
+ 	const char *new_ccname, *new_cctype;
+ 	const char *errmsg;
+	int set_env = 0;
+ 
+ 	if (client->creds == NULL) {
+ 		debug("No credentials stored");
+-		return;
+		return 0;
+ 	}
+ 
+ 	if (ssh_gssapi_krb5_init() == 0)
+-		return;
+		return 0;
+ 
+ #ifdef HEIMDAL
+ # ifdef HAVE_KRB5_CC_NEW_UNIQUE
+@@ -412,14 +413,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 		krb5_get_err_text(krb_context, problem));
+ # endif
+ 		krb5_free_error_message(krb_context, errmsg);
+-		return;
+		return 0;
+ 	}
+ #else
+-	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
+	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache, &set_env))) {
+ 		errmsg = krb5_get_error_message(krb_context, problem);
+ 		logit("ssh_krb5_cc_gen(): %.100s", errmsg);
+ 		krb5_free_error_message(krb_context, errmsg);
+-		return;
+		return 0;
+ 	}
+ #endif	/* #ifdef HEIMDAL */
+ 
+@@ -428,7 +429,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 		errmsg = krb5_get_error_message(krb_context, problem);
+ 		logit("krb5_parse_name(): %.100s", errmsg);
+ 		krb5_free_error_message(krb_context, errmsg);
+-		return;
+		return 0;
+ 	}
+ 
+ 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
+@@ -437,7 +438,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 		krb5_free_error_message(krb_context, errmsg);
+ 		krb5_free_principal(krb_context, princ);
+ 		krb5_cc_destroy(krb_context, ccache);
+-		return;
+		return 0;
+ 	}
+ 
+ 	krb5_free_principal(krb_context, princ);
+@@ -446,7 +447,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 	    client->creds, ccache))) {
+ 		logit("gss_krb5_copy_ccache() failed");
+ 		krb5_cc_destroy(krb_context, ccache);
+-		return;
+		return 0;
+ 	}
+ 
+ 	new_cctype = krb5_cc_get_type(krb_context, ccache);
+@@ -471,7 +478,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ #endif
+ 
+ #ifdef USE_PAM
+-	if (options.use_pam)
+	if (options.use_pam && set_env)
+ 		do_pam_putenv(client->store.envvar, client->store.envval);
+ #endif
+ 
+@@ -479,7 +486,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+ 
+ 	client->store.data = krb_context;
+ 
+-	return;
+	return set_env;
+ }
+ 
+ int
+diff --git a/gss-serv.c b/gss-serv.c
+index 681847a..2a02dae 100644
+--- a/gss-serv.c
+++ b/gss-serv.c
+@@ -404,7 +404,7 @@ ssh_gssapi_cleanup_creds(void)
+ 			debug("%s: krb5_cc_resolve(): %.100s", __func__,
+ 				krb5_get_err_text(gssapi_client.store.data, problem));
+ 		} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
+-			debug("%s: krb5_cc_resolve(): %.100s", __func__,
+			debug("%s: krb5_cc_destroy(): %.100s", __func__,
+ 				krb5_get_err_text(gssapi_client.store.data, problem));
+ 		} else {
+ 			krb5_free_context(gssapi_client.store.data);
+@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void)
+ }
+ 
+ /* As user */
+-void
+int
+ ssh_gssapi_storecreds(void)
+ {
+ 	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+-		(*gssapi_client.mech->storecreds)(&gssapi_client);
+		return (*gssapi_client.mech->storecreds)(&gssapi_client);
+ 	} else
+ 		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+	return 0;
+ }
+ 
+ /* This allows GSSAPI methods to do things to the childs environment based
+diff --git a/session.c b/session.c
+index df4985a..b7a6a57 100644
+--- a/session.c
+++ b/session.c
+@@ -1084,7 +1084,8 @@ do_setup_env(Session *s, const char *shell)
+ 	/* Allow any GSSAPI methods that we've used to alter
+ 	 * the childs environment as they see fit
+ 	 */
+-	ssh_gssapi_do_child(&env, &envsize);
+	if (s->authctxt->krb5_set_env)
+		ssh_gssapi_do_child(&env, &envsize);
+ #endif
+ 
+ 	/* Set basic environment. */
+@@ -1196,7 +1197,7 @@ do_setup_env(Session *s, const char *shell)
+ 	}
+ #endif
+ #ifdef KRB5
+-	if (s->authctxt->krb5_ccname)
+	if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
+ 		child_set_env(&env, &envsize, "KRB5CCNAME",
+ 		    s->authctxt->krb5_ccname);
+ #endif
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 6f2b0ac..73ef2c2 100644
+--- a/ssh-gss.h
+++ b/ssh-gss.h
+@@ -106,7 +106,7 @@ typedef struct ssh_gssapi_mech_struct {
+ 	int (*dochild) (ssh_gssapi_client *);
+ 	int (*userok) (ssh_gssapi_client *, char *);
+ 	int (*localname) (ssh_gssapi_client *, char **);
+-	void (*storecreds) (ssh_gssapi_client *);
+	int (*storecreds) (ssh_gssapi_client *);
+ 	int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
+ } ssh_gssapi_mech;
+ 
+@@ -163,7 +163,7 @@ char* ssh_gssapi_get_displayname(void);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_do_child(char ***, u_int *);
+ void ssh_gssapi_cleanup_creds(void);
+-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
+ 
+ char *ssh_gssapi_server_mechanisms(void);
+ int ssh_gssapi_oid_table_ok();
+diff --git a/sshd.c b/sshd.c
+index ce2e374..3c4e13e 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2221,7 +2221,7 @@ main(int ac, char **av)
+ #ifdef GSSAPI
+ 	if (options.gss_authentication) {
+ 		temporarily_use_uid(authctxt->pw);
+-		ssh_gssapi_storecreds();
+		authctxt->krb5_set_env = ssh_gssapi_storecreds();
+ 		restore_uid();
+ 	}
+ #endif
+
--- a/openssh.spec
+++ b/openssh.spec
@ -185,6 +185,8 @@ Patch803: openssh-7.1p1-gssapi-documentation.patch
 Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
 # Respect k5login_directory option in krk5.conf (#1328243)
 Patch805: openssh-7.2p2-k5login_directory.patch
+# Do not export KRBCCNAME if the default path is used (#1199363)
+Patch806: openssh-7.5p1-gss-environment.patch

 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
@ -428,6 +430,7 @@ popd
 %patch803 -p1 -b .gss-docs
 %patch804 -p1 -b .ccache_name
 %patch805 -p1 -b .k5login
+%patch806 -p1 -b .gss-env
 # 
 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok