Petr Šabata 81d24c
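diff --git a/auth-krb5.c b/auth-krb5.c
index 2b02a04..19b9364 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -375,5 +375,21 @@ cleanup:
 		return (krb5_cc_resolve(ctx, ccname, ccache));
 	}
 }
+
+/*
+ * Reads  k5login_directory  option from the  krb5.conf
+ */
+krb5_error_code
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
+	profile_t p;
+	int ret = 0;
+
+	ret = krb5_get_profile(ctx, &p);
+	if (ret)
+		return ret;
+
+	return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
+		k5login_directory);
+}
 #endif /* !HEIMDAL */
 #endif /* KRB5 */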
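Review bot: The profile handle that `ssh_krb5_get_k5login_directory()` obtains from `krb5_get_profile()` is never released, so each call leaks it; as far as I know MIT krb5 hands back a copy that the caller is expected to free with `profile_release()`. Keep the lookup result and release the handle before returning: `ret = profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL, k5login_directory);` then `profile_release(p);` and `return ret;`. The header comment should also state the contract the caller relies on, for example `Sets *k5login_directory to NULL when the option is unset; the caller frees a returned string with profile_release_string()`.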
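diff --git a/auth.h b/auth.h
index f9d191c..c432d2f 100644
--- a/auth.h
+++ b/auth.h
@@ -222,6 +222,8 @@ int	 sys_auth_passwd(Authctxt *, const char *);
 
 #if defined(KRB5) && !defined(HEIMDAL)
 krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+	char **k5login_directory);
 #endif
 
 #endif /* AUTH_H */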
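diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a7c0c5f..df8cc9a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
 {
 	char file[MAXPATHLEN];
 	struct passwd *pw = the_authctxt->pw;
+	char *k5login_directory = NULL;
+	int ret = 0;
+
+	ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+	debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
+	if (k5login_directory == NULL || ret != 0) {
+		/* If not set, the library will look for  k5login
+		 * files in the user's home directory, with the filename  .k5login.
+		 */
+		snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
+	} else {
+		/* If set, the library will look for a local user's k5login file
+		 * within the named directory, with a filename corresponding to the
+		 * local username.
+		 */
+		snprintf(file, sizeof(file), "%s%s%s", k5login_directory, 
+			k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+			pw->pw_name);
+	}
+	debug("%s: Checking existence of file %s", __func__, file);
 
-	snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
 	return access(file, F_OK) == 0;
 }
 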
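Review bot: In the `else` branch of `ssh_gssapi_k5login_exists()`, `k5login_directory[strlen(k5login_directory)-1]` reads one byte before the buffer if the configured value is an empty string, which the non-NULL test above does not rule out (whether the profile library can return an empty value should be confirmed). The `debug3()` call also passes `k5login_directory` to `%s` while it is still NULL in the common unset case, which is undefined behaviour even where libc happens to print "(null)". The string returned through `ssh_krb5_get_k5login_directory()` is never freed, so the function leaks it each time the option is set. Since the path built here feeds the check for the files that sshd.8 describes as enforcing GSSAPI/Kerberos access control, it is also worth rejecting a truncated `snprintf()` result rather than probing a shortened path. The function's closing part is inside the hunk; the sketch below covers only the rewritten lines.

```c
	ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
	debug3("%s: k5login_directory = %s (rv=%d)", __func__,
	    k5login_directory != NULL ? k5login_directory : "(unset)", ret);
	if (k5login_directory == NULL || ret != 0) {
		/* ... unchanged: fall back to ~/.k5login in pw->pw_dir ... */
	} else {
		size_t dlen = strlen(k5login_directory);

		/* An empty value has no last character to inspect. */
		snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
		    (dlen == 0 || k5login_directory[dlen - 1] != '/') ? "/" : "",
		    pw->pw_name);
		profile_release_string(k5login_directory);
	}
```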
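diff --git a/sshd.8 b/sshd.8
index 5c4f15b..135e290 100644
--- a/sshd.8
+++ b/sshd.8
@@ -806,6 +806,10 @@ rlogin/rsh.
 These files enforce GSSAPI/Kerberos authentication access control.
 Further details are described in
 .Xr ksu 1 .
+The location of the k5login file depends on the configuration option
+.Cm k5login_directory
+in the
+.Xr krb5.conf 5 .
 .Pp
 .It Pa ~/.ssh/
 This directory is the default location for all user-specific configuration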