diff -up openssh-7.4p1/auth2.c.gsskex openssh-7.4p1/auth2.c

--- openssh-7.4p1/auth2.c.gsskex	2016-12-23 13:38:53.685300997 +0100

+++ openssh-7.4p1/auth2.c	2016-12-23 13:38:53.725301005 +0100

@@ -70,6 +70,7 @@ extern Authmethod method_passwd;

 extern Authmethod method_kbdint;

 extern Authmethod method_hostbased;

 #ifdef GSSAPI

+extern Authmethod method_gsskeyex;

 extern Authmethod method_gssapi;

 #endif

@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {

 	&method_none,

 	&method_pubkey,

 #ifdef GSSAPI

+	&method_gsskeyex,

 	&method_gssapi,

 #endif

 	&method_passwd,

diff -up openssh-7.4p1/auth2-gss.c.gsskex openssh-7.4p1/auth2-gss.c

--- openssh-7.4p1/auth2-gss.c.gsskex	2016-12-23 13:38:53.685300997 +0100

+++ openssh-7.4p1/auth2-gss.c	2016-12-23 13:38:53.725301005 +0100

@@ -31,6 +31,7 @@

 #include <sys/types.h>

 #include <stdarg.h>

+#include <string.h>

 #include "xmalloc.h"

 #include "key.h"

@@ -53,6 +54,40 @@ static int input_gssapi_mic(int type, u_

 static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

 static int input_gssapi_errtok(int, u_int32_t, void *);

+/* 

+ * The 'gssapi_keyex' userauth mechanism.

+ */

+static int

+userauth_gsskeyex(Authctxt *authctxt)

+{

+	int authenticated = 0;

+	Buffer b;

+	gss_buffer_desc mic, gssbuf;

+	u_int len;

+

+	mic.value = packet_get_string(&len;;

+	mic.length = len;

+

+	packet_check_eom();

+

+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

+	    "gssapi-keyex");

+

+	gssbuf.value = buffer_ptr(&b);

+	gssbuf.length = buffer_len(&b);

+

+	/* gss_kex_context is NULL with privsep, so we can't check it here */

+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 

+	    &gssbuf, &mic))))

+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+		    authctxt->pw));

+	

+	buffer_free(&b);

+	free(mic.value);

+

+	return (authenticated);

+}

+

 /*

  * We only support those mechanisms that we know about (ie ones that we know

  * how to check local user kuserok and the like)

@@ -238,7 +273,8 @@ input_gssapi_exchange_complete(int type,

 	packet_check_eom();

-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+	    authctxt->pw));

 	authctxt->postponed = 0;

 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple

 	gssbuf.length = buffer_len(&b);

 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))

-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+		authenticated = 

+		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));

 	else

 		logit("GSSAPI MIC check failed");

@@ -299,6 +336,12 @@ input_gssapi_mic(int type, u_int32_t ple

 	return 0;

 }

+Authmethod method_gsskeyex = {

+	"gssapi-keyex",

+	userauth_gsskeyex,

+	&options.gss_authentication

+};

+

 Authmethod method_gssapi = {

 	"gssapi-with-mic",

 	userauth_gssapi,

diff -up openssh-7.4p1/clientloop.c.gsskex openssh-7.4p1/clientloop.c

--- openssh-7.4p1/clientloop.c.gsskex	2016-12-19 05:59:41.000000000 +0100

+++ openssh-7.4p1/clientloop.c	2016-12-23 13:38:53.725301005 +0100

@@ -113,6 +113,10 @@

 #include "ssherr.h"

 #include "hostfile.h"

+#ifdef GSSAPI

+#include "ssh-gss.h"

+#endif

+

 /* import options */

 extern Options options;

@@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_cha

 			break;

 		/* Do channel operations unless rekeying in progress. */

-		if (!ssh_packet_is_rekeying(active_state))

+		if (!ssh_packet_is_rekeying(active_state)) {

 			channel_after_select(readset, writeset);

+#ifdef GSSAPI

+			if (options.gss_renewal_rekey &&

+			    ssh_gssapi_credentials_updated(NULL)) {

+				debug("credentials updated - forcing rekey");

+				need_rekeying = 1;

+			}

+#endif

+		}

+

 		/* Buffer input from the connection.  */

 		client_process_net_input(readset);

diff -up openssh-7.4p1/configure.ac.gsskex openssh-7.4p1/configure.ac

--- openssh-7.4p1/configure.ac.gsskex	2016-12-23 13:38:53.716301003 +0100

+++ openssh-7.4p1/configure.ac	2016-12-23 13:38:53.726301005 +0100

@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("

 	    [Use tunnel device compatibility to OpenBSD])

 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],

 	    [Prepend the address family to IP tunnel traffic])

+	AC_MSG_CHECKING(if we have the Security Authorization Session API)

+	AC_TRY_COMPILE([#include <Security/AuthSession.h>],

+		[SessionCreate(0, 0);],

+		[ac_cv_use_security_session_api="yes"

+		 AC_DEFINE(USE_SECURITY_SESSION_API, 1, 

+			[platform has the Security Authorization Session API])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)],

+		[ac_cv_use_security_session_api="no"

+		 AC_MSG_RESULT(no)])

+	AC_MSG_CHECKING(if we have an in-memory credentials cache)

+	AC_TRY_COMPILE(

+		[#include <Kerberos/Kerberos.h>],

+		[cc_context_t c;

+		 (void) cc_initialize (&c, 0, NULL, NULL);],

+		[AC_DEFINE(USE_CCAPI, 1, 

+			[platform uses an in-memory credentials cache])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)

+		 if test "x$ac_cv_use_security_session_api" = "xno"; then

+			AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)

+		fi],

+		[AC_MSG_RESULT(no)]

+	)

 	m4_pattern_allow([AU_IPv])

 	AC_CHECK_DECL([AU_IPv4], [],

 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])

diff -up openssh-7.4p1/gss-genr.c.gsskex openssh-7.4p1/gss-genr.c

--- openssh-7.4p1/gss-genr.c.gsskex	2016-12-19 05:59:41.000000000 +0100

+++ openssh-7.4p1/gss-genr.c	2016-12-23 13:38:53.726301005 +0100

@@ -40,12 +40,167 @@

 #include "buffer.h"

 #include "log.h"

 #include "ssh2.h"

+#include "cipher.h"

+#include "key.h"

+#include "kex.h"

+#include <openssl/evp.h>

 #include "ssh-gss.h"

 extern u_char *session_id2;

 extern u_int session_id2_len;

+typedef struct {

+	char *encoded;

+	gss_OID oid;

+} ssh_gss_kex_mapping;

+

+/*

+ * XXX - It would be nice to find a more elegant way of handling the

+ * XXX   passing of the key exchange context to the userauth routines

+ */

+

+Gssctxt *gss_kex_context = NULL;

+

+static ssh_gss_kex_mapping *gss_enc2oid = NULL;

+

+int 

+ssh_gssapi_oid_table_ok() {

+	return (gss_enc2oid != NULL);

+}

+

+/*

+ * Return a list of the gss-group1-sha1 mechanisms supported by this program

+ *

+ * We test mechanisms to ensure that we can use them, to avoid starting

+ * a key exchange with a bad mechanism

+ */

+

+char *

+ssh_gssapi_client_mechanisms(const char *host, const char *client) {

+	gss_OID_set gss_supported;

+	OM_uint32 min_status;

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))

+		return NULL;

+

+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,

+	    host, client));

+}

+

+char *

+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,

+    const char *host, const char *client) {

+	Buffer buf;

+	size_t i;

+	int oidpos, enclen;

+	char *mechs, *encoded;

+	u_char digest[EVP_MAX_MD_SIZE];

+	char deroid[2];

+	const EVP_MD *evp_md = EVP_md5();

+	EVP_MD_CTX md;

+

+	if (gss_enc2oid != NULL) {

+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

+			free(gss_enc2oid[i].encoded);

+		free(gss_enc2oid);

+	}

+

+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *

+	    (gss_supported->count + 1));

+

+	buffer_init(&buf;;

+

+	oidpos = 0;

+	for (i = 0; i < gss_supported->count; i++) {

+		if (gss_supported->elements[i].length < 128 &&

+		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {

+

+			deroid[0] = SSH_GSS_OIDTYPE;

+			deroid[1] = gss_supported->elements[i].length;

+

+			EVP_DigestInit(&md, evp_md);

+			EVP_DigestUpdate(&md, deroid, 2);

+			EVP_DigestUpdate(&md,

+			    gss_supported->elements[i].elements,

+			    gss_supported->elements[i].length);

+			EVP_DigestFinal(&md, digest, NULL);

+

+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);

+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),

+			    encoded, EVP_MD_size(evp_md) * 2);

+

+			if (oidpos != 0)

+				buffer_put_char(&buf, ',');

+

+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,

+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 

+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,

+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+

+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);

+			gss_enc2oid[oidpos].encoded = encoded;

+			oidpos++;

+		}

+	}

+	gss_enc2oid[oidpos].oid = NULL;

+	gss_enc2oid[oidpos].encoded = NULL;

+

+	buffer_put_char(&buf, '\0');

+

+	mechs = xmalloc(buffer_len(&buf));

+	buffer_get(&buf, mechs, buffer_len(&buf));

+	buffer_free(&buf;;

+

+	if (strlen(mechs) == 0) {

+		free(mechs);

+		mechs = NULL;

+	}

+	

+	return (mechs);

+}

+

+gss_OID

+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {

+	int i = 0;

+	

+	switch (kex_type) {

+	case KEX_GSS_GRP1_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GRP14_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GEX_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;

+		break;

+	default:

+		return GSS_C_NO_OID;

+	}

+

+	while (gss_enc2oid[i].encoded != NULL &&

+	    strcmp(name, gss_enc2oid[i].encoded) != 0)

+		i++;

+

+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)

+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);

+

+	return gss_enc2oid[i].oid;

+}

+

 /* Check that the OID in a data stream matches that in the context */

 int

 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)

@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de

 	}

 	ctx->major = gss_init_sec_context(&ctx->minor,

-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,

+	    ctx->client_creds, &ctx->context, ctx->name, ctx->oid,

 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,

 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);

@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con

 }

 OM_uint32

+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)

+{

+	gss_buffer_desc gssbuf;

+	gss_name_t gssname;

+	OM_uint32 status;

+	gss_OID_set oidset;

+

+	gssbuf.value = (void *) name;

+	gssbuf.length = strlen(gssbuf.value);

+

+	gss_create_empty_oid_set(&status, &oidset);

+	gss_add_oid_set_member(&status, ctx->oid, &oidset);

+

+	ctx->major = gss_import_name(&ctx->minor, &gssbuf,

+	    GSS_C_NT_USER_NAME, &gssname);

+

+	if (!ctx->major)

+		ctx->major = gss_acquire_cred(&ctx->minor, 

+		    gssname, 0, oidset, GSS_C_INITIATE, 

+		    &ctx->client_creds, NULL, NULL);

+

+	gss_release_name(&status, &gssname);

+	gss_release_oid_set(&status, &oidset);

+

+	if (ctx->major)

+		ssh_gssapi_error(ctx);

+

+	return(ctx->major);

+}

+

+OM_uint32

 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)

 {

+	if (ctx == NULL) 

+		return -1;

+

 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,

 	    GSS_C_QOP_DEFAULT, buffer, hash)))

 		ssh_gssapi_error(ctx);

@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer

 	return (ctx->major);

 }

+/* Priviledged when used by server */

+OM_uint32

+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

+{

+	if (ctx == NULL)

+		return -1;

+

+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,

+	    gssbuf, gssmic, NULL);

+

+	return (ctx->major);

+}

+

 void

 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,

     const char *context)

@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha

 }

 int

-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)

+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 

+    const char *client)

 {

 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;

 	OM_uint32 major, minor;

 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};

+	Gssctxt *intctx = NULL;

+

+	if (ctx == NULL)

+		ctx = &intct;;

 	/* RFC 4462 says we MUST NOT do SPNEGO */

 	if (oid->length == spnego_oid.length && 

@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

 	ssh_gssapi_build_ctx(ctx);

 	ssh_gssapi_set_oid(*ctx, oid);

 	major = ssh_gssapi_import_name(*ctx, host);

+

+	if (!GSS_ERROR(major) && client)

+		major = ssh_gssapi_client_identity(*ctx, client);

+

 	if (!GSS_ERROR(major)) {

 		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 

 		    NULL);

@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

 			    GSS_C_NO_BUFFER);

 	}

-	if (GSS_ERROR(major)) 

+	if (GSS_ERROR(major) || intctx != NULL) 

 		ssh_gssapi_delete_ctx(ctx);

 	return (!GSS_ERROR(major));

 }

+int

+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {

+	static gss_name_t saved_name = GSS_C_NO_NAME;

+	static OM_uint32 saved_lifetime = 0;

+	static gss_OID saved_mech = GSS_C_NO_OID;

+	static gss_name_t name;

+	static OM_uint32 last_call = 0;

+	OM_uint32 lifetime, now, major, minor;

+	int equal;

+	

+	now = time(NULL);

+

+	if (ctxt) {

+		debug("Rekey has happened - updating saved versions");

+

+		if (saved_name != GSS_C_NO_NAME)

+			gss_release_name(&minor, &saved_name);

+

+		major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,

+		    &saved_name, &saved_lifetime, NULL, NULL);

+

+		if (!GSS_ERROR(major)) {

+			saved_mech = ctxt->oid;

+		        saved_lifetime+= now;

+		} else {

+			/* Handle the error */

+		}

+		return 0;

+	}

+

+	if (now - last_call < 10)

+		return 0;

+

+	last_call = now;

+

+	if (saved_mech == GSS_C_NO_OID)

+		return 0;

+	

+	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 

+	    &name, &lifetime, NULL, NULL);

+	if (major == GSS_S_CREDENTIALS_EXPIRED)

+		return 0;

+	else if (GSS_ERROR(major))

+		return 0;

+

+	major = gss_compare_name(&minor, saved_name, name, &equal);

+	gss_release_name(&minor, &name);

+	if (GSS_ERROR(major))

+		return 0;

+

+	if (equal && (saved_lifetime < lifetime + now - 10))

+		return 1;

+

+	return 0;

+}

+

 #endif /* GSSAPI */

diff -up openssh-7.4p1/gss-serv.c.gsskex openssh-7.4p1/gss-serv.c

--- openssh-7.4p1/gss-serv.c.gsskex	2016-12-19 05:59:41.000000000 +0100

+++ openssh-7.4p1/gss-serv.c	2016-12-23 13:38:53.727301005 +0100

@@ -45,17 +45,19 @@

 #include "session.h"

 #include "misc.h"

 #include "servconf.h"

+#include "uidswap.h"

 #include "ssh-gss.h"

+#include "monitor_wrap.h"

 extern ServerOptions options;

 static ssh_gssapi_client gssapi_client =

-    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,

-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};

+    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL,

+    GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};

 ssh_gssapi_mech gssapi_null_mech =

-    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};

+    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};

 #ifdef KRB5

 extern ssh_gssapi_mech gssapi_kerberos_mech;

@@ -142,6 +144,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss

 }

 /* Unprivileged */

+char *

+ssh_gssapi_server_mechanisms() {

+	if (supported_oids == NULL)

+		ssh_gssapi_prepare_supported_oids();

+	return (ssh_gssapi_kex_mechs(supported_oids,

+	    &ssh_gssapi_server_check_mech, NULL, NULL));

+}

+

+/* Unprivileged */

+int

+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,

+    const char *dummy) {

+	Gssctxt *ctx = NULL;

+	int res;

+ 

+	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));

+	ssh_gssapi_delete_ctx(&ctx;;

+

+	return (res);

+}

+

+/* Unprivileged */

 void

 ssh_gssapi_supported_oids(gss_OID_set *oidset)

 {

@@ -151,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o

 	gss_OID_set supported;

 	gss_create_empty_oid_set(&min_status, oidset);

-	gss_indicate_mechs(&min_status, &supported);

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))

+		return;

 	while (supported_mechs[i]->name != NULL) {

 		if (GSS_ERROR(gss_test_oid_set_member(&min_status,

@@ -277,8 +304,48 @@ OM_uint32

 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)

 {

 	int i = 0;

+	int equal = 0;

+	gss_name_t new_name = GSS_C_NO_NAME;

+	gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;

+

+	if (options.gss_store_rekey && client->used && ctx->client_creds) {

+		if (client->mech->oid.length != ctx->oid->length ||

+		    (memcmp(client->mech->oid.elements,

+		     ctx->oid->elements, ctx->oid->length) !=0)) {

+			debug("Rekeyed credentials have different mechanism");

+			return GSS_S_COMPLETE;

+		}

+

+		if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, 

+		    ctx->client_creds, ctx->oid, &new_name, 

+		    NULL, NULL, NULL))) {

+			ssh_gssapi_error(ctx);

+			return (ctx->major);

+		}

-	gss_buffer_desc ename;

+		ctx->major = gss_compare_name(&ctx->minor, client->name, 

+		    new_name, &equal);

+

+		if (GSS_ERROR(ctx->major)) {

+			ssh_gssapi_error(ctx);

+			return (ctx->major);

+		}

+ 

+		if (!equal) {

+			debug("Rekeyed credentials have different name");

+			return GSS_S_COMPLETE;

+		}

+

+		debug("Marking rekeyed credentials for export");

+

+		gss_release_name(&ctx->minor, &client->name);

+		gss_release_cred(&ctx->minor, &client->creds);

+		client->name = new_name;

+		client->creds = ctx->client_creds;

+        	ctx->client_creds = GSS_C_NO_CREDENTIAL;

+		client->updated = 1;

+		return GSS_S_COMPLETE;

+	}

 	client->mech = NULL;

@@ -293,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g

 	if (client->mech == NULL)

 		return GSS_S_FAILURE;

+	if (ctx->client_creds &&

+	    (ctx->major = gss_inquire_cred_by_mech(&ctx->minor,

+	     ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {

+		ssh_gssapi_error(ctx);

+		return (ctx->major);

+	}

+

 	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,

 	    &client->displayname, NULL))) {

 		ssh_gssapi_error(ctx);

@@ -310,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g

 		return (ctx->major);

 	}

+	gss_release_buffer(&ctx->minor, &ename);

+

 	/* We can't copy this structure, so we just move the pointer to it */

 	client->creds = ctx->client_creds;

 	ctx->client_creds = GSS_C_NO_CREDENTIAL;

@@ -320,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g

 void

 ssh_gssapi_cleanup_creds(void)

 {

-	if (gssapi_client.store.filename != NULL) {

-		/* Unlink probably isn't sufficient */

-		debug("removing gssapi cred file\"%s\"",

-		    gssapi_client.store.filename);

-		unlink(gssapi_client.store.filename);

+	krb5_ccache ccache = NULL;

+	krb5_error_code problem;

+

+	if (gssapi_client.store.data != NULL) {

+		if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {

+			debug("%s: krb5_cc_resolve(): %.100s", __func__,

+				krb5_get_err_text(gssapi_client.store.data, problem));

+		} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {

+			debug("%s: krb5_cc_resolve(): %.100s", __func__,

+				krb5_get_err_text(gssapi_client.store.data, problem));

+		} else {

+			krb5_free_context(gssapi_client.store.data);

+			gssapi_client.store.data = NULL;

+		}

 	}

 }

@@ -357,7 +442,7 @@ ssh_gssapi_do_child(char ***envp, u_int

 /* Privileged */

 int

-ssh_gssapi_userok(char *user)

+ssh_gssapi_userok(char *user, struct passwd *pw)

 {

 	OM_uint32 lmin;

@@ -367,9 +452,11 @@ ssh_gssapi_userok(char *user)

 		return 0;

 	}

 	if (gssapi_client.mech && gssapi_client.mech->userok)

-		if ((*gssapi_client.mech->userok)(&gssapi_client, user))

+		if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {

+			gssapi_client.used = 1;

+			gssapi_client.store.owner = pw;

 			return 1;

-		else {

+		} else {

 			/* Destroy delegated credentials if userok fails */

 			gss_release_buffer(&lmin, &gssapi_client.displayname);

 			gss_release_buffer(&lmin, &gssapi_client.exportedname);

@@ -383,14 +470,90 @@ ssh_gssapi_userok(char *user)

 	return (0);

 }

-/* Privileged */

-OM_uint32

-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

+/* These bits are only used for rekeying. The unpriviledged child is running 

+ * as the user, the monitor is root.

+ *

+ * In the child, we want to :

+ *    *) Ask the monitor to store our credentials into the store we specify

+ *    *) If it succeeds, maybe do a PAM update

+ */

+

+/* Stuff for PAM */

+

+#ifdef USE_PAM

+static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,