Do not export KRBCCNAME if the default path is used (#1199363)
parent
ce1afcf244
commit
8c9e97e65a
259
openssh-7.5p1-gss-environment.patch
Normal file
259
openssh-7.5p1-gss-environment.patch
Normal file
@ -0,0 +1,259 @@
|
|||||||
|
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||||
|
index 09ed151..282fcca 100644
|
||||||
|
--- a/auth-krb5.c
|
||||||
|
+++ b/auth-krb5.c
|
||||||
|
@@ -182,7 +182,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
||||||
|
+ problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
|
||||||
|
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
||||||
|
if (problem)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
@@ -192,7 +192,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef USE_PAM
|
||||||
|
- if (options.use_pam)
|
||||||
|
+ if (options.use_pam && authctxt->krb5_set_env)
|
||||||
|
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -412,7 +413,7 @@ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||||
|
|
||||||
|
#ifndef HEIMDAL
|
||||||
|
krb5_error_code
|
||||||
|
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||||
|
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
||||||
|
int tmpfd, ret, oerrno;
|
||||||
|
char *ccname;
|
||||||
|
#ifdef USE_CCAPI
|
||||||
|
@@ -423,8 +424,10 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+ if (need_environment)
|
||||||
|
+ *need_environment = 0;
|
||||||
|
ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
|
-
|
||||||
|
+ /* fallback to the ccache in /tmp */
|
||||||
|
if (ret) {
|
||||||
|
ret = asprintf(&ccname, cctemplate, geteuid());
|
||||||
|
if (ret == -1)
|
||||||
|
@@ -444,6 +447,9 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||||
|
close(tmpfd);
|
||||||
|
return oerrno;
|
||||||
|
}
|
||||||
|
+ /* make sure the KRBCCNAME is set for non-standard location */
|
||||||
|
+ if (need_environment)
|
||||||
|
+ *need_environment = 1;
|
||||||
|
close(tmpfd);
|
||||||
|
}
|
||||||
|
debug("%s: Setting ccname to %s", __func__, ccname);
|
||||||
|
diff --git a/auth.h b/auth.h
|
||||||
|
index 954a0dd..0819483 100644
|
||||||
|
--- a/auth.h
|
||||||
|
+++ b/auth.h
|
||||||
|
@@ -78,6 +78,7 @@ struct Authctxt {
|
||||||
|
krb5_principal krb5_user;
|
||||||
|
char *krb5_ticket_file;
|
||||||
|
char *krb5_ccname;
|
||||||
|
+ int krb5_set_env;
|
||||||
|
#endif
|
||||||
|
Buffer *loginmsg;
|
||||||
|
void *methoddata;
|
||||||
|
@@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *);
|
||||||
|
|
||||||
|
#if defined(KRB5) && !defined(HEIMDAL)
|
||||||
|
#include <krb5.h>
|
||||||
|
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
||||||
|
+krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *, int *);
|
||||||
|
krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
||||||
|
char **k5login_directory);
|
||||||
|
#endif
|
||||||
|
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||||
|
index 0fa3838..4127245 100644
|
||||||
|
--- a/gss-serv-krb5.c
|
||||||
|
+++ b/gss-serv-krb5.c
|
||||||
|
@@ -382,7 +382,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
||||||
|
/* This writes out any forwarded credentials from the structure populated
|
||||||
|
* during userauth. Called after we have setuid to the user */
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
{
|
||||||
|
krb5_ccache ccache;
|
||||||
|
@@ -391,14 +391,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
OM_uint32 maj_status, min_status;
|
||||||
|
const char *new_ccname, *new_cctype;
|
||||||
|
const char *errmsg;
|
||||||
|
+ int set_env = 0;
|
||||||
|
|
||||||
|
if (client->creds == NULL) {
|
||||||
|
debug("No credentials stored");
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ssh_gssapi_krb5_init() == 0)
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
#ifdef HEIMDAL
|
||||||
|
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
|
||||||
|
@@ -412,14 +413,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
krb5_get_err_text(krb_context, problem));
|
||||||
|
# endif
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
|
||||||
|
+ if ((problem = ssh_krb5_cc_gen(krb_context, &ccache, &set_env))) {
|
||||||
|
errmsg = krb5_get_error_message(krb_context, problem);
|
||||||
|
logit("ssh_krb5_cc_gen(): %.100s", errmsg);
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
#endif /* #ifdef HEIMDAL */
|
||||||
|
|
||||||
|
@@ -428,7 +429,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
errmsg = krb5_get_error_message(krb_context, problem);
|
||||||
|
logit("krb5_parse_name(): %.100s", errmsg);
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
|
||||||
|
@@ -437,7 +438,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
krb5_free_principal(krb_context, princ);
|
||||||
|
krb5_cc_destroy(krb_context, ccache);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
krb5_free_principal(krb_context, princ);
|
||||||
|
@@ -446,7 +447,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
client->creds, ccache))) {
|
||||||
|
logit("gss_krb5_copy_ccache() failed");
|
||||||
|
krb5_cc_destroy(krb_context, ccache);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
new_cctype = krb5_cc_get_type(krb_context, ccache);
|
||||||
|
@@ -471,7 +478,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_PAM
|
||||||
|
- if (options.use_pam)
|
||||||
|
+ if (options.use_pam && set_env)
|
||||||
|
do_pam_putenv(client->store.envvar, client->store.envval);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -479,7 +486,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
|
||||||
|
client->store.data = krb_context;
|
||||||
|
|
||||||
|
- return;
|
||||||
|
+ return set_env;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
diff --git a/gss-serv.c b/gss-serv.c
|
||||||
|
index 681847a..2a02dae 100644
|
||||||
|
--- a/gss-serv.c
|
||||||
|
+++ b/gss-serv.c
|
||||||
|
@@ -404,7 +404,7 @@ ssh_gssapi_cleanup_creds(void)
|
||||||
|
debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
||||||
|
krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
|
} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
||||||
|
- debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
||||||
|
+ debug("%s: krb5_cc_destroy(): %.100s", __func__,
|
||||||
|
krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
|
} else {
|
||||||
|
krb5_free_context(gssapi_client.store.data);
|
||||||
|
@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* As user */
|
||||||
|
-void
|
||||||
|
+int
|
||||||
|
ssh_gssapi_storecreds(void)
|
||||||
|
{
|
||||||
|
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
||||||
|
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
} else
|
||||||
|
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* This allows GSSAPI methods to do things to the childs environment based
|
||||||
|
diff --git a/session.c b/session.c
|
||||||
|
index df4985a..b7a6a57 100644
|
||||||
|
--- a/session.c
|
||||||
|
+++ b/session.c
|
||||||
|
@@ -1084,7 +1084,8 @@ do_setup_env(Session *s, const char *shell)
|
||||||
|
/* Allow any GSSAPI methods that we've used to alter
|
||||||
|
* the childs environment as they see fit
|
||||||
|
*/
|
||||||
|
- ssh_gssapi_do_child(&env, &envsize);
|
||||||
|
+ if (s->authctxt->krb5_set_env)
|
||||||
|
+ ssh_gssapi_do_child(&env, &envsize);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Set basic environment. */
|
||||||
|
@@ -1196,7 +1197,7 @@ do_setup_env(Session *s, const char *shell)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef KRB5
|
||||||
|
- if (s->authctxt->krb5_ccname)
|
||||||
|
+ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
|
||||||
|
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||||
|
s->authctxt->krb5_ccname);
|
||||||
|
#endif
|
||||||
|
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||||
|
index 6f2b0ac..73ef2c2 100644
|
||||||
|
--- a/ssh-gss.h
|
||||||
|
+++ b/ssh-gss.h
|
||||||
|
@@ -106,7 +106,7 @@ typedef struct ssh_gssapi_mech_struct {
|
||||||
|
int (*dochild) (ssh_gssapi_client *);
|
||||||
|
int (*userok) (ssh_gssapi_client *, char *);
|
||||||
|
int (*localname) (ssh_gssapi_client *, char **);
|
||||||
|
- void (*storecreds) (ssh_gssapi_client *);
|
||||||
|
+ int (*storecreds) (ssh_gssapi_client *);
|
||||||
|
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
||||||
|
} ssh_gssapi_mech;
|
||||||
|
|
||||||
|
@@ -163,7 +163,7 @@ char* ssh_gssapi_get_displayname(void);
|
||||||
|
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
|
void ssh_gssapi_do_child(char ***, u_int *);
|
||||||
|
void ssh_gssapi_cleanup_creds(void);
|
||||||
|
-void ssh_gssapi_storecreds(void);
|
||||||
|
+int ssh_gssapi_storecreds(void);
|
||||||
|
|
||||||
|
char *ssh_gssapi_server_mechanisms(void);
|
||||||
|
int ssh_gssapi_oid_table_ok();
|
||||||
|
diff --git a/sshd.c b/sshd.c
|
||||||
|
index ce2e374..3c4e13e 100644
|
||||||
|
--- a/sshd.c
|
||||||
|
+++ b/sshd.c
|
||||||
|
@@ -2221,7 +2221,7 @@ main(int ac, char **av)
|
||||||
|
#ifdef GSSAPI
|
||||||
|
if (options.gss_authentication) {
|
||||||
|
temporarily_use_uid(authctxt->pw);
|
||||||
|
- ssh_gssapi_storecreds();
|
||||||
|
+ authctxt->krb5_set_env = ssh_gssapi_storecreds();
|
||||||
|
restore_uid();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
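Review bot: The sshd.c hunk's `authctxt->krb5_set_env = ssh_gssapi_storecreds();` overwrites the flag that `ssh_krb5_cc_gen()` already stored into `authctxt->krb5_set_env` in the auth-krb5.c hunk during Kerberos password authentication, because the GSSAPI path returns 0 both when no mechanism is in use (`return 0;` in gss-serv.c) and when `client->creds == NULL` in gss-serv-krb5.c; assuming this block in `main()` runs after authentication has completed, as its use of `authctxt->pw` suggests, a password-authenticated user whose ccache fell back to the /tmp template would then never get KRB5CCNAME exported by the session.c and PAM checks. Making the assignment sticky avoids the clobber: `if (ssh_gssapi_storecreds()) authctxt->krb5_set_env = 1;`. A second gap is that `set_env` in `ssh_gssapi_krb5_storecreds` is written only through the `#else` (non-Heimdal) call to `ssh_krb5_cc_gen`, so on Heimdal builds the function appears to always return 0 and the variable is never exported, which looks like an unintended change from the old unconditional `do_pam_putenv`/`child_set_env`. The added comment in `ssh_krb5_cc_gen` misnames the variable; `/* make sure KRB5CCNAME is exported for a non-default ccache location */` would match what the code does. The enclosing `main()` in sshd.c and the Heimdal branch of `ssh_gssapi_krb5_storecreds` continue outside the hunks.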
@ -185,6 +185,8 @@ Patch803: openssh-7.1p1-gssapi-documentation.patch
Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
# Respect k5login_directory option in krk5.conf (#1328243)
# Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch
Patch805: openssh-7.2p2-k5login_directory.patch
# Do not export KRBCCNAME if the default path is used (#1199363)
Patch806: openssh-7.5p1-gss-environment.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
@ -428,6 +430,7 @@ popd
%patch803 -p1 -b .gss-docs
%patch803 -p1 -b .gss-docs
%patch804 -p1 -b .ccache_name
%patch804 -p1 -b .ccache_name
%patch805 -p1 -b .k5login
%patch805 -p1 -b .k5login
%patch806 -p1 -b .gss-env
#
#
%patch900 -p1 -b .canohost
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
%patch901 -p1 -b .kuserok