bmh10 / rpms / openssh

Forked from rpms/openssh 2 days ago
Clone

Blame SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch

f09e2e
diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
f09e2e
--- openssh-6.3p1/auth-krb5.c.ccache_name	2013-10-23 22:03:52.322950759 +0200
f09e2e
+++ openssh-6.3p1/auth-krb5.c	2013-10-23 22:04:24.295799873 +0200
f09e2e
@@ -50,7 +50,9 @@
f09e2e
 #include <errno.h>
f09e2e
 #include <unistd.h>
f09e2e
 #include <string.h>
f09e2e
+#include <sys/stat.h>
f09e2e
 #include <krb5.h>
f09e2e
+#include <profile.h>
f09e2e
 
f09e2e
 extern ServerOptions	 options;
f09e2e
 
f09e2e
@@ -91,6 +93,7 @@ auth_krb5_password(Authctxt *authctxt, c
f09e2e
 #endif
f09e2e
 	krb5_error_code problem;
f09e2e
 	krb5_ccache ccache = NULL;
f09e2e
+	const char *ccache_type;
f09e2e
 	int len;
f09e2e
 	char *client, *platform_client;
f09e2e
 	const char *errmsg;
f09e2e
@@ -191,12 +194,30 @@ auth_krb5_password(Authctxt *authctxt, c
f09e2e
 		goto out;
f09e2e
 #endif
f09e2e
 
f09e2e
+	ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
f09e2e
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
f09e2e
 
f09e2e
-	len = strlen(authctxt->krb5_ticket_file) + 6;
f09e2e
+	if (authctxt->krb5_ticket_file[0] == ':')
f09e2e
+		authctxt->krb5_ticket_file++;
f09e2e
+
017ff1
+	len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
f09e2e
 	authctxt->krb5_ccname = xmalloc(len);
f09e2e
-	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
f09e2e
+
f09e2e
+#ifdef USE_CCAPI
f09e2e
+	snprintf(authctxt->krb5_ccname, len, "API:%s",
f09e2e
 	    authctxt->krb5_ticket_file);
f09e2e
+#else
f09e2e
+	snprintf(authctxt->krb5_ccname, len, "%s:%s",
f09e2e
+	    ccache_type, authctxt->krb5_ticket_file);
f09e2e
+#endif
f09e2e
+
f09e2e
+	if (strcmp(ccache_type, "DIR") == 0) {
f09e2e
+		char *p;
f09e2e
+		p = strrchr(authctxt->krb5_ccname, '/');
f09e2e
+		if (p)
f09e2e
+			*p = '\0';
f09e2e
+	}
f09e2e
+
f09e2e
 
f09e2e
 #ifdef USE_PAM
f09e2e
 	if (options.use_pam)
58aee2
@@ -235,10 +256,36 @@ auth_krb5_password(Authctxt *authctxt, c
f09e2e
 void
f09e2e
 krb5_cleanup_proc(Authctxt *authctxt)
f09e2e
 {
f09e2e
+	struct stat krb5_ccname_stat;
f09e2e
+	char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
f09e2e
+
f09e2e
 	debug("krb5_cleanup_proc called");
f09e2e
 	if (authctxt->krb5_fwd_ccache) {
f09e2e
 		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
f09e2e
 		authctxt->krb5_fwd_ccache = NULL;
f09e2e
+
58aee2
+		if (authctxt->krb5_ccname != NULL) {
58aee2
+			strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
58aee2
+			krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
58aee2
+			*krb5_ccname_dir_start++ = '\0';
58aee2
+			if (strcmp(krb5_ccname, "DIR") == 0) {
f09e2e
+
58aee2
+				strcat(krb5_ccname_dir_start, "/primary");
f09e2e
+
58aee2
+				if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
58aee2
+					if (unlink(krb5_ccname_dir_start) == 0) {
58aee2
+						krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
58aee2
+						*krb5_ccname_dir_end = '\0';
58aee2
+						if (rmdir(krb5_ccname_dir_start) == -1)
58aee2
+							debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
58aee2
+					}
58aee2
+					else
58aee2
+						debug("cache primary file '%s', remove failed: %s",
58aee2
+							krb5_ccname_dir_start, strerror(errno)
58aee2
+							);
f09e2e
+				}
f09e2e
+			}
f09e2e
+		}
f09e2e
 	}
f09e2e
 	if (authctxt->krb5_user) {
f09e2e
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
f09e2e
@@ -250,34 +295,139 @@ krb5_cleanup_proc(Authctxt *authctxt)
f09e2e
 	}
f09e2e
 }
f09e2e
 
f09e2e
+int
f09e2e
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
f09e2e
+	char *src, *old;
f09e2e
+	va_list ap;
f09e2e
+	int i;
f09e2e
+
f09e2e
+	va_start(ap, fmt);
f09e2e
+	i = vasprintf(&src, fmt, ap);
f09e2e
+	va_end(ap);
f09e2e
+
f09e2e
+	if (i == -1 || src == NULL)
f09e2e
+		return -1;
f09e2e
+
f09e2e
+	old = *dsc;
f09e2e
+
f09e2e
+	i = asprintf(dsc, "%s%s", *dsc, src);
f09e2e
+	if (i == -1 || src == NULL) {
f09e2e
+		free(src);
f09e2e
+		return -1;
f09e2e
+	}
f09e2e
+
f09e2e
+	free(old);
f09e2e
+	free(src);
f09e2e
+
f09e2e
+	return i;
f09e2e
+}
f09e2e
+
f09e2e
+int
f09e2e
+ssh_krb5_expand_template(char **result, const char *template) {
f09e2e
+	char *p_n, *p_o, *r, *tmp_template;
f09e2e
+
f09e2e
+	if (template == NULL)
f09e2e
+		return -1;
f09e2e
+
f09e2e
+	tmp_template = p_n = p_o = xstrdup(template);
f09e2e
+	r = xstrdup("");
f09e2e
+
f09e2e
+	while ((p_n = strstr(p_o, "%{")) != NULL) {
f09e2e
+
f09e2e
+		*p_n++ = '\0';
f09e2e
+		if (ssh_asprintf_append(&r, "%s", p_o) == -1)
f09e2e
+			goto cleanup;
f09e2e
+
f09e2e
+		if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
f09e2e
+			strncmp(p_n, "{USERID}", 8) == 0) {
f09e2e
+			p_o = strchr(p_n, '}') + 1;
f09e2e
+			if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
f09e2e
+				goto cleanup;
f09e2e
+			continue;
f09e2e
+		}
f09e2e
+		else if (strncmp(p_n, "{TEMP}", 6) == 0) {
f09e2e
+			p_o = strchr(p_n, '}') + 1;
f09e2e
+			if (ssh_asprintf_append(&r, "/tmp") == -1)
f09e2e
+				goto cleanup;
f09e2e
+			continue;
f09e2e
+		} else {
f09e2e
+			p_o = strchr(p_n, '}') + 1;
f09e2e
+			p_o = '\0';
f09e2e
+			debug("%s: unsupported token %s in %s", __func__, p_n, template);
f09e2e
+			/* unknown token, fallback to the default */
f09e2e
+			goto cleanup;
f09e2e
+		}
f09e2e
+	}
f09e2e
+
f09e2e
+	if (ssh_asprintf_append(&r, "%s", p_o) == -1)
f09e2e
+		goto cleanup;
f09e2e
+
f09e2e
+	*result = r;
f09e2e
+	free(tmp_template);
f09e2e
+	return 0;
f09e2e
+
f09e2e
+cleanup:
f09e2e
+	free(r);
f09e2e
+	free(tmp_template);
f09e2e
+	return -1;
f09e2e
+}
f09e2e
+
f09e2e
+krb5_error_code
f09e2e
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
f09e2e
+	profile_t p;
f09e2e
+	int ret = 0;
f09e2e
+	char *value = NULL;
f09e2e
+
f09e2e
+	ret = krb5_get_profile(ctx, &p);
f09e2e
+	if (ret)
f09e2e
+		return ret;
f09e2e
+
f09e2e
+	ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
f09e2e
+	if (ret)
f09e2e
+		return ret;
f09e2e
+
f09e2e
+	ret = ssh_krb5_expand_template(ccname, value);
f09e2e
+
f09e2e
+	return ret;
f09e2e
+}
f09e2e
+
f09e2e
 #ifndef HEIMDAL
f09e2e
 krb5_error_code
f09e2e
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
f09e2e
 	int tmpfd, ret, oerrno;
f09e2e
-	char ccname[40];
f09e2e
+	char *ccname;
f09e2e
+#ifdef USE_CCAPI
f09e2e
+	char cctemplate[] = "API:krb5cc_%d";
f09e2e
+#else
f09e2e
 	mode_t old_umask;
f09e2e
+	char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
f09e2e
 
f09e2e
-	ret = snprintf(ccname, sizeof(ccname),
f09e2e
-	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
f09e2e
-	if (ret < 0 || (size_t)ret >= sizeof(ccname))
f09e2e
-		return ENOMEM;
f09e2e
-
f09e2e
-	old_umask = umask(0177);
f09e2e
-	tmpfd = mkstemp(ccname + strlen("FILE:"));
f09e2e
-	oerrno = errno;
f09e2e
-	umask(old_umask);
f09e2e
-	if (tmpfd == -1) {
f09e2e
-		logit("mkstemp(): %.100s", strerror(oerrno));
f09e2e
-		return oerrno;
f09e2e
-	}
f09e2e
+#endif
f09e2e
+
f09e2e
+	ret = ssh_krb5_get_cctemplate(ctx, &ccname);
f09e2e
 
f09e2e
-	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
f09e2e
+	if (ret) {
f09e2e
+		ret = asprintf(&ccname, cctemplate, geteuid());
f09e2e
+		if (ret == -1)
f09e2e
+			return ENOMEM;
f09e2e
+		old_umask = umask(0177);
f09e2e
+		tmpfd = mkstemp(ccname + strlen("FILE:"));
f09e2e
 		oerrno = errno;
f09e2e
-		logit("fchmod(): %.100s", strerror(oerrno));
f09e2e
+		umask(old_umask);
f09e2e
+		if (tmpfd == -1) {
f09e2e
+			logit("mkstemp(): %.100s", strerror(oerrno));
f09e2e
+			return oerrno;
f09e2e
+		}
f09e2e
+
f09e2e
+		if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
f09e2e
+			oerrno = errno;
f09e2e
+			logit("fchmod(): %.100s", strerror(oerrno));
f09e2e
+			close(tmpfd);
f09e2e
+			return oerrno;
f09e2e
+		}
f09e2e
 		close(tmpfd);
f09e2e
-		return oerrno;
f09e2e
 	}
f09e2e
-	close(tmpfd);
f09e2e
+	debug("%s: Setting ccname to %s", __func__, ccname);
f09e2e
 
f09e2e
 	return (krb5_cc_resolve(ctx, ccname, ccache));
f09e2e
 }