? .kex.h.swp

? .pc

? openssh-5.0p1-gsskex-20080404.patch

? openssh-5.0p1-gssrenew-20080707.patch

? openssh-5.2p1-gsskex-20090726.patch

? openssh-5.2p1-gsskex-all-20090726.patch

? patches

Index: ChangeLog.gssapi

===================================================================

RCS file: ChangeLog.gssapi

diff -N ChangeLog.gssapi

--- /dev/null	1 Jan 1970 00:00:00 -0000

+++ ChangeLog.gssapi	26 Jul 2009 12:21:52 -0000

@@ -0,0 +1,95 @@

+20090615

+  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c

+      sshd.c ]

+    Fix issues identified by Greg Hudson following a code review

+	Check return value of gss_indicate_mechs

+	Protect GSSAPI calls in monitor, so they can only be used if enabled

+	Check return values of bignum functions in key exchange

+	Use BN_clear_free to clear other side's DH value

+	Make ssh_gssapi_id_kex more robust

+	Only configure kex table pointers if GSSAPI is enabled

+	Don't leak mechanism list, or gss mechanism list

+	Cast data.length before printing

+	If serverkey isn't provided, use an empty string, rather than NULL

+

+20090201

+  - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h

+      ssh_config.5 sshconnet2.c ]

+    Add support for the GSSAPIClientIdentity option, which allows the user

+    to specify which GSSAPI identity to use to contact a given server

+

+20080404

+  - [ gss-serv.c ]

+    Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow

+    been omitted from a previous version of this patch. Reported by Borislav

+    Stoichkov

+

+20070317

+  - [ gss-serv-krb5.c ]

+    Remove C99ism, where new_ccname was being declared in the middle of a 

+    function

+

+20061220

+  - [ servconf.c ]

+    Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and 

+    documented, behaviour. Reported by Dan Watson.

+

+20060910

+  - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c

+      ssh-gss.h ]

+    add support for gss-group14-sha1 key exchange mechanisms

+  - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]

+    Add GSSAPIStrictAcceptorCheck option to allow the disabling of

+    acceptor principal checking on multi-homed machines.

+    <Bugzilla #928>

+  - [ sshd_config ssh_config ]

+    Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample

+    configuration files

+  - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]

+    Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()

+    Limit length of error messages displayed by client

+

+20060909

+  - [ gss-genr.c gss-serv.c ]

+    move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server

+    only, where they belong 

+    <Bugzilla #1225>

+

+20060829

+  - [ gss-serv-krb5.c ]

+    Fix CCAPI credentials cache name when creating KRB5CCNAME environment 

+    variable

+

+20060828

+  - [ gss-genr.c ]

+    Avoid Heimdal context freeing problem

+    <Fixed upstream 20060829>

+

+20060818

+  - [ gss-genr.c ssh-gss.h sshconnect2.c ]

+    Make sure that SPENGO is disabled 

+    <Bugzilla #1218 - Fixed upstream 20060818>

+

+20060421

+  - [ gssgenr.c, sshconnect2.c ]

+    a few type changes (signed versus unsigned, int versus size_t) to

+    fix compiler errors/warnings 

+    (from jbasney AT ncsa.uiuc.edu)

+  - [ kexgssc.c, sshconnect2.c ]

+    fix uninitialized variable warnings

+    (from jbasney AT ncsa.uiuc.edu)

+  - [ gssgenr.c ]

+    pass oid to gss_display_status (helpful when using GSSAPI mechglue)

+    (from jbasney AT ncsa.uiuc.edu)

+    <Bugzilla #1220 >

+  - [ gss-serv-krb5.c ]

+    #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H

+    (from jbasney AT ncsa.uiuc.edu)

+    <Fixed upstream 20060304>

+  - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c 

+    add client-side GssapiKeyExchange option

+    (from jbasney AT ncsa.uiuc.edu)

+  - [ sshconnect2.c ]

+    add support for GssapiTrustDns option for gssapi-with-mic

+    (from jbasney AT ncsa.uiuc.edu)

+    <gssapi-with-mic support is Bugzilla #1008>

Index: Makefile.in

===================================================================

RCS file: /cvs/openssh/Makefile.in,v

retrieving revision 1.298

diff -u -r1.298 Makefile.in

--- Makefile.in	5 Nov 2008 05:20:46 -0000	1.298

+++ Makefile.in	26 Jul 2009 12:21:53 -0000

@@ -71,7 +71,8 @@

 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \

 	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \

-	entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o

+	entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o \

+	kexgssc.o

 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \

 	sshconnect.o sshconnect1.o sshconnect2.o mux.o

@@ -84,7 +85,7 @@

 	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \

 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \

 	auth-krb5.o \

-	auth2-gss.o gss-serv.o gss-serv-krb5.o \

+	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\

 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \

 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o

Index: auth-krb5.c

===================================================================

RCS file: /cvs/openssh/auth-krb5.c,v

retrieving revision 1.35

diff -u -r1.35 auth-krb5.c

--- auth-krb5.c	5 Aug 2006 02:39:39 -0000	1.35

+++ auth-krb5.c	26 Jul 2009 12:21:53 -0000

@@ -166,8 +166,13 @@

 	len = strlen(authctxt->krb5_ticket_file) + 6;

 	authctxt->krb5_ccname = xmalloc(len);

+#ifdef USE_CCAPI

+	snprintf(authctxt->krb5_ccname, len, "API:%s",

+	    authctxt->krb5_ticket_file);

+#else

 	snprintf(authctxt->krb5_ccname, len, "FILE:%s",

 	    authctxt->krb5_ticket_file);

+#endif

 #ifdef USE_PAM

 	if (options.use_pam)

@@ -219,15 +224,22 @@

 #ifndef HEIMDAL

 krb5_error_code

 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {

-	int tmpfd, ret;

+	int ret;

 	char ccname[40];

 	mode_t old_umask;

+#ifdef USE_CCAPI

+	char cctemplate[] = "API:krb5cc_%d";

+#else

+	char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";

+	int tmpfd;

+#endif

 	ret = snprintf(ccname, sizeof(ccname),

-	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());

+	    cctemplate, geteuid());

 	if (ret < 0 || (size_t)ret >= sizeof(ccname))

 		return ENOMEM;

+#ifndef USE_CCAPI

 	old_umask = umask(0177);

 	tmpfd = mkstemp(ccname + strlen("FILE:"));

 	umask(old_umask);

@@ -242,6 +254,7 @@

 		return errno;

 	}

 	close(tmpfd);

+#endif

 	return (krb5_cc_resolve(ctx, ccname, ccache));

 }

Index: auth.h

===================================================================

RCS file: /cvs/openssh/auth.h,v

retrieving revision 1.80

diff -u -r1.80 auth.h

--- auth.h	5 Nov 2008 05:20:46 -0000	1.80

+++ auth.h	26 Jul 2009 12:21:53 -0000

@@ -53,6 +53,7 @@

 	int		 valid;		/* user exists and is allowed to login */

 	int		 attempt;

 	int		 failures;

+	int		 server_caused_failure; 

 	int		 force_pwchange;

 	char		*user;		/* username sent by the client */

 	char		*service;

Index: auth2-gss.c

===================================================================

RCS file: /cvs/openssh/auth2-gss.c,v

retrieving revision 1.19

diff -u -r1.19 auth2-gss.c

--- auth2-gss.c	2 Dec 2007 11:59:45 -0000	1.19

+++ auth2-gss.c	26 Jul 2009 12:21:54 -0000

@@ -1,7 +1,7 @@

 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */

 /*

- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -52,6 +52,40 @@

 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

 static void input_gssapi_errtok(int, u_int32_t, void *);

+/* 

+ * The 'gssapi_keyex' userauth mechanism.

+ */

+static int

+userauth_gsskeyex(Authctxt *authctxt)

+{

+	int authenticated = 0;

+	Buffer b;

+	gss_buffer_desc mic, gssbuf;

+	u_int len;

+

+	mic.value = packet_get_string(&len;;

+	mic.length = len;

+

+	packet_check_eom();

+

+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

+	    "gssapi-keyex");

+

+	gssbuf.value = buffer_ptr(&b);

+	gssbuf.length = buffer_len(&b);

+

+	/* gss_kex_context is NULL with privsep, so we can't check it here */

+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 

+	    &gssbuf, &mic))))

+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+		    authctxt->pw));

+	

+	buffer_free(&b);

+	xfree(mic.value);

+

+	return (authenticated);

+}

+

 /*

  * We only support those mechanisms that we know about (ie ones that we know

  * how to check local user kuserok and the like)

@@ -102,6 +136,7 @@

 	if (!present) {

 		xfree(doid);

+		authctxt->server_caused_failure = 1;

 		return (0);

 	}

@@ -109,6 +144,7 @@

 		if (ctxt != NULL)

 			ssh_gssapi_delete_ctx(&ctxt);

 		xfree(doid);

+		authctxt->server_caused_failure = 1;

 		return (0);

 	}

@@ -242,7 +278,8 @@

 	packet_check_eom();

-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+	    authctxt->pw));

 	authctxt->postponed = 0;

 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

@@ -277,7 +314,8 @@

 	gssbuf.length = buffer_len(&b);

 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))

-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+		authenticated = 

+		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));

 	else

 		logit("GSSAPI MIC check failed");

@@ -291,6 +329,12 @@

 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);

 	userauth_finish(authctxt, authenticated, "gssapi-with-mic");

 }

+

+Authmethod method_gsskeyex = {

+	"gssapi-keyex",

+	userauth_gsskeyex,

+	&options.gss_authentication

+};

 Authmethod method_gssapi = {

 	"gssapi-with-mic",

Index: auth2.c

===================================================================

RCS file: /cvs/openssh/auth2.c,v

retrieving revision 1.149

diff -u -r1.149 auth2.c

--- auth2.c	5 Nov 2008 05:20:46 -0000	1.149

+++ auth2.c	26 Jul 2009 12:21:54 -0000

@@ -69,6 +69,7 @@

 extern Authmethod method_kbdint;

 extern Authmethod method_hostbased;

 #ifdef GSSAPI

+extern Authmethod method_gsskeyex;

 extern Authmethod method_gssapi;

 #endif

 #ifdef JPAKE

@@ -79,6 +80,7 @@

 	&method_none,

 	&method_pubkey,

 #ifdef GSSAPI

+	&method_gsskeyex,

 	&method_gssapi,

 #endif

 #ifdef JPAKE

@@ -274,6 +276,7 @@

 #endif

 	authctxt->postponed = 0;

+	authctxt->server_caused_failure = 0;

 	/* try to authenticate user */

 	m = authmethod_lookup(method);

@@ -346,7 +349,8 @@

 	} else {

 		/* Allow initial try of "none" auth without failure penalty */

-		if (authctxt->attempt > 1 || strcmp(method, "none") != 0)

+		if (!authctxt->server_caused_failure &&

+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))

 			authctxt->failures++;

 		if (authctxt->failures >= options.max_authtries) {

 #ifdef SSH_AUDIT_EVENTS

Index: clientloop.c

===================================================================

RCS file: /cvs/openssh/clientloop.c,v

retrieving revision 1.197

diff -u -r1.197 clientloop.c

--- clientloop.c	14 Feb 2009 05:28:21 -0000	1.197

+++ clientloop.c	26 Jul 2009 12:21:56 -0000

@@ -110,6 +110,10 @@

 #include "match.h"

 #include "msg.h"

+#ifdef GSSAPI

+#include "ssh-gss.h"

+#endif

+

 /* import options */

 extern Options options;

@@ -1429,6 +1433,13 @@

 		/* Do channel operations unless rekeying in progress. */

 		if (!rekeying) {

 			channel_after_select(readset, writeset);

+

+			if (options.gss_renewal_rekey &&

+			    ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {

+				debug("credentials updated - forcing rekey");

+				need_rekeying = 1;

+			}

+

 			if (need_rekeying || packet_need_rekeying()) {

 				debug("need rekeying");

 				xxx_kex->done = 0;

Index: configure.ac

===================================================================

RCS file: /cvs/openssh/configure.ac,v

retrieving revision 1.415

diff -u -r1.415 configure.ac

--- configure.ac	16 Feb 2009 04:37:03 -0000	1.415

+++ configure.ac	26 Jul 2009 12:22:00 -0000

@@ -473,6 +473,30 @@

 	    [Use tunnel device compatibility to OpenBSD])

 	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,

 	    [Prepend the address family to IP tunnel traffic])

+	AC_MSG_CHECKING(if we have the Security Authorization Session API)

+	AC_TRY_COMPILE([#include <Security/AuthSession.h>],

+		[SessionCreate(0, 0);],

+		[ac_cv_use_security_session_api="yes"

+		 AC_DEFINE(USE_SECURITY_SESSION_API, 1, 

+			[platform has the Security Authorization Session API])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)],

+		[ac_cv_use_security_session_api="no"

+		 AC_MSG_RESULT(no)])

+	AC_MSG_CHECKING(if we have an in-memory credentials cache)

+	AC_TRY_COMPILE(

+		[#include <Kerberos/Kerberos.h>],

+		[cc_context_t c;

+		 (void) cc_initialize (&c, 0, NULL, NULL);],

+		[AC_DEFINE(USE_CCAPI, 1, 

+			[platform uses an in-memory credentials cache])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)

+		 if test "x$ac_cv_use_security_session_api" = "xno"; then

+			AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)

+		fi],

+		[AC_MSG_RESULT(no)]

+	)

 	m4_pattern_allow(AU_IPv)

 	AC_CHECK_DECL(AU_IPv4, [], 

 	    AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])

Index: gss-genr.c

===================================================================

RCS file: /cvs/openssh/gss-genr.c,v

retrieving revision 1.21

diff -u -r1.21 gss-genr.c

--- gss-genr.c	12 Jun 2007 13:44:36 -0000	1.21

+++ gss-genr.c	26 Jul 2009 12:22:01 -0000

@@ -1,7 +1,7 @@

 /* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */

 /*

- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -39,12 +39,167 @@

 #include "buffer.h"

 #include "log.h"

 #include "ssh2.h"

+#include "cipher.h"

+#include "key.h"

+#include "kex.h"

+#include <openssl/evp.h>

 #include "ssh-gss.h"

 extern u_char *session_id2;

 extern u_int session_id2_len;

+typedef struct {

+	char *encoded;

+	gss_OID oid;

+} ssh_gss_kex_mapping;

+

+/*

+ * XXX - It would be nice to find a more elegant way of handling the

+ * XXX   passing of the key exchange context to the userauth routines

+ */

+

+Gssctxt *gss_kex_context = NULL;

+

+static ssh_gss_kex_mapping *gss_enc2oid = NULL;

+

+int 

+ssh_gssapi_oid_table_ok() {

+	return (gss_enc2oid != NULL);

+}

+

+/*

+ * Return a list of the gss-group1-sha1 mechanisms supported by this program

+ *

+ * We test mechanisms to ensure that we can use them, to avoid starting

+ * a key exchange with a bad mechanism

+ */

+

+char *

+ssh_gssapi_client_mechanisms(const char *host, const char *client) {

+	gss_OID_set gss_supported;

+	OM_uint32 min_status;

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))

+		return NULL;

+

+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,

+	    host, client));

+}

+

+char *

+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,

+    const char *host, const char *client) {

+	Buffer buf;

+	size_t i;

+	int oidpos, enclen;

+	char *mechs, *encoded;

+	u_char digest[EVP_MAX_MD_SIZE];

+	char deroid[2];

+	const EVP_MD *evp_md = EVP_md5();

+	EVP_MD_CTX md;

+

+	if (gss_enc2oid != NULL) {

+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

+			xfree(gss_enc2oid[i].encoded);

+		xfree(gss_enc2oid);

+	}

+

+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *

+	    (gss_supported->count + 1));

+

+	buffer_init(&buf;;

+

+	oidpos = 0;

+	for (i = 0; i < gss_supported->count; i++) {

+		if (gss_supported->elements[i].length < 128 &&

+		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {

+

+			deroid[0] = SSH_GSS_OIDTYPE;

+			deroid[1] = gss_supported->elements[i].length;

+

+			EVP_DigestInit(&md, evp_md);

+			EVP_DigestUpdate(&md, deroid, 2);

+			EVP_DigestUpdate(&md,

+			    gss_supported->elements[i].elements,

+			    gss_supported->elements[i].length);

+			EVP_DigestFinal(&md, digest, NULL);

+

+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);

+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),

+			    encoded, EVP_MD_size(evp_md) * 2);

+

+			if (oidpos != 0)

+				buffer_put_char(&buf, ',');

+

+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,

+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 

+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,

+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+

+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);

+			gss_enc2oid[oidpos].encoded = encoded;

+			oidpos++;

+		}

+	}

+	gss_enc2oid[oidpos].oid = NULL;

+	gss_enc2oid[oidpos].encoded = NULL;

+

+	buffer_put_char(&buf, '\0');

+

+	mechs = xmalloc(buffer_len(&buf));

+	buffer_get(&buf, mechs, buffer_len(&buf));

+	buffer_free(&buf;;

+

+	if (strlen(mechs) == 0) {

+		xfree(mechs);

+		mechs = NULL;

+	}

+	

+	return (mechs);

+}

+

+gss_OID

+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {

+	int i = 0;

+	

+	switch (kex_type) {

+	case KEX_GSS_GRP1_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GRP14_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GEX_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;

+		break;

+	default:

+		return GSS_C_NO_OID;

+	}

+

+	while (gss_enc2oid[i].encoded != NULL &&

+	    strcmp(name, gss_enc2oid[i].encoded) != 0)

+		i++;

+

+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)

+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);

+

+	return gss_enc2oid[i].oid;

+}

+

 /* Check that the OID in a data stream matches that in the context */

 int

 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)

@@ -197,7 +352,7 @@

 	}

 	ctx->major = gss_init_sec_context(&ctx->minor,

-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,

+	    ctx->client_creds, &ctx->context, ctx->name, ctx->oid,

 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,

 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);

@@ -227,8 +382,42 @@

 }

 OM_uint32

+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)

+{

+	gss_buffer_desc gssbuf;

+	gss_name_t gssname;

+	OM_uint32 status;

+	gss_OID_set oidset;

+

+	gssbuf.value = (void *) name;

+	gssbuf.length = strlen(gssbuf.value);

+

+	gss_create_empty_oid_set(&status, &oidset);

+	gss_add_oid_set_member(&status, ctx->oid, &oidset);

+

+	ctx->major = gss_import_name(&ctx->minor, &gssbuf,

+	    GSS_C_NT_USER_NAME, &gssname);

+

+	if (!ctx->major)

+		ctx->major = gss_acquire_cred(&ctx->minor, 

+		    gssname, 0, oidset, GSS_C_INITIATE, 

+		    &ctx->client_creds, NULL, NULL);

+

+	gss_release_name(&status, &gssname);

+	gss_release_oid_set(&status, &oidset);

+

+	if (ctx->major)

+		ssh_gssapi_error(ctx);

+

+	return(ctx->major);

+}

+

+OM_uint32

 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)

 {

+	if (ctx == NULL) 

+		return -1;

+

 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,

 	    GSS_C_QOP_DEFAULT, buffer, hash)))

 		ssh_gssapi_error(ctx);

@@ -236,6 +425,19 @@

 	return (ctx->major);

 }

+/* Priviledged when used by server */

+OM_uint32

+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

+{

+	if (ctx == NULL)

+		return -1;

+

+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,

+	    gssbuf, gssmic, NULL);

+

+	return (ctx->major);

+}

+

 void

 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,

     const char *context)

@@ -249,11 +451,16 @@

 }

 int

-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)

+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 

+    const char *client)

 {

 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;

 	OM_uint32 major, minor;

 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};

+	Gssctxt *intctx = NULL;

+

+	if (ctx == NULL)

+		ctx = &intct;;

 	/* RFC 4462 says we MUST NOT do SPNEGO */

 	if (oid->length == spnego_oid.length && 

@@ -263,6 +470,10 @@

 	ssh_gssapi_build_ctx(ctx);

 	ssh_gssapi_set_oid(*ctx, oid);

 	major = ssh_gssapi_import_name(*ctx, host);

+

+	if (!GSS_ERROR(major) && client)

+		major = ssh_gssapi_client_identity(*ctx, client);

+

 	if (!GSS_ERROR(major)) {

 		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 

 		    NULL);

@@ -272,10 +483,67 @@

 			    GSS_C_NO_BUFFER);

 	}

-	if (GSS_ERROR(major)) 

+	if (GSS_ERROR(major) || intctx != NULL) 

 		ssh_gssapi_delete_ctx(ctx);

 	return (!GSS_ERROR(major));

+}

+

+int

+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {

+	static gss_name_t saved_name = GSS_C_NO_NAME;

+	static OM_uint32 saved_lifetime = 0;

+	static gss_OID saved_mech = GSS_C_NO_OID;

+	static gss_name_t name;

+	static OM_uint32 last_call = 0;

+	OM_uint32 lifetime, now, major, minor;

+	int equal;

+	gss_cred_usage_t usage = GSS_C_INITIATE;

+	

+	now = time(NULL);

+

+	if (ctxt) {

+		debug("Rekey has happened - updating saved versions");

+

+		if (saved_name != GSS_C_NO_NAME)

+			gss_release_name(&minor, &saved_name);

+

+		major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,

+		    &saved_name, &saved_lifetime, NULL, NULL);

+

+		if (!GSS_ERROR(major)) {

+			saved_mech = ctxt->oid;

+		        saved_lifetime+= now;

+		} else {

+			/* Handle the error */

+		}

+		return 0;

+	}

+

+	if (now - last_call < 10)

+		return 0;

+

+	last_call = now;

+

+	if (saved_mech == GSS_C_NO_OID)

+		return 0;

+	

+	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 

+	    &name, &lifetime, NULL, NULL);

+	if (major == GSS_S_CREDENTIALS_EXPIRED)

+		return 0;

+	else if (GSS_ERROR(major))

+		return 0;

+

+	major = gss_compare_name(&minor, saved_name, name, &equal);

+	gss_release_name(&minor, &name);

+	if (GSS_ERROR(major))

+		return 0;

+

+	if (equal && (saved_lifetime < lifetime + now - 10))

+		return 1;

+

+	return 0;

 }

 #endif /* GSSAPI */

Index: gss-serv-krb5.c

===================================================================

RCS file: /cvs/openssh/gss-serv-krb5.c,v

retrieving revision 1.17

diff -u -r1.17 gss-serv-krb5.c

--- gss-serv-krb5.c	1 Sep 2006 05:38:36 -0000	1.17

+++ gss-serv-krb5.c	26 Jul 2009 12:22:01 -0000

@@ -1,7 +1,7 @@

 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */

 /*

- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -120,6 +120,7 @@

 	krb5_principal princ;

 	OM_uint32 maj_status, min_status;

 	int len;

+	const char *new_ccname;

 	if (client->creds == NULL) {

 		debug("No credentials stored");

@@ -168,11 +169,16 @@

 		return;

 	}

-	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));

+	new_ccname = krb5_cc_get_name(krb_context, ccache);

+

 	client->store.envvar = "KRB5CCNAME";

-	len = strlen(client->store.filename) + 6;

-	client->store.envval = xmalloc(len);

-	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);

+#ifdef USE_CCAPI

+	xasprintf(&client->store.envval, "API:%s", new_ccname);

+	client->store.filename = NULL;

+#else

+	xasprintf(&client->store.envval, "FILE:%s", new_ccname);

+	client->store.filename = xstrdup(new_ccname);

+#endif

 #ifdef USE_PAM

 	if (options.use_pam)

@@ -184,6 +190,71 @@

 	return;

 }

+int

+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 

+    ssh_gssapi_client *client)

+{

+	krb5_ccache ccache = NULL;

+	krb5_principal principal = NULL;

+	char *name = NULL;

+	krb5_error_code problem;

+	OM_uint32 maj_status, min_status;

+

+   	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {

+                logit("krb5_cc_resolve(): %.100s",

+                    krb5_get_err_text(krb_context, problem));

+                return 0;

+       	}

+	

+	/* Find out who the principal in this cache is */

+	if ((problem = krb5_cc_get_principal(krb_context, ccache, 

+	    &principal))) {

+		logit("krb5_cc_get_principal(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {

+		logit("krb5_unparse_name(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+

+	if (strcmp(name,client->exportedname.value)!=0) {

+		debug("Name in local credentials cache differs. Not storing");

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		krb5_free_unparsed_name(krb_context, name);

+		return 0;

+	}

+	krb5_free_unparsed_name(krb_context, name);

+

+	/* Name matches, so lets get on with it! */

+

+	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {

+		logit("krb5_cc_initialize(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	krb5_free_principal(krb_context, principal);

+