From 506c1ed7b8115afe5ccd4d6edef31bc161cfd689 Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Sat, 9 Dec 2023 14:18:08 +0100
Subject: [PATCH] Use gss_userok() instead of krb5_kuserok().
---
 gss-serv-krb5.c | 35 -----------------------------------
 gss-serv.c | 32 +++++++++++++++++---------------
 ssh-gss.h | 2 +-
 3 files changed, 18 insertions(+), 51 deletions(-)
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a151bc1e4ad2..b6bc679941ee 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -76,40 +76,6 @@ ssh_gssapi_krb5_init(void)
 return 1;
 }
-/* Check if this user is OK to login. This only works with krb5 - other
- * GSSAPI mechanisms will need their own.
- * Returns true if the user is OK to log in, otherwise returns 0
- */
-
-static int
-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
-{
- krb5_principal princ;
- int retval;
- const char *errmsg;
-
- if (ssh_gssapi_krb5_init() == 0)
- return 0;
-
- if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
- &princ))) {
- errmsg = krb5_get_error_message(krb_context, retval);
- logit("krb5_parse_name(): %.100s", errmsg);
- krb5_free_error_message(krb_context, errmsg);
- return 0;
- }
- if (krb5_kuserok(krb_context, princ, name)) {
- retval = 1;
- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- name, (char *)client->displayname.value);
- } else
- retval = 0;
-
- krb5_free_principal(krb_context, princ);
- return retval;
-}
-
-
 /* This writes out any forwarded credentials from the structure populated
 * during userauth. Called after we have setuid to the user */
@@ -201,7 +167,6 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
 "Kerberos",
 {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
 NULL,
- &ssh_gssapi_krb5_userok,
 NULL,
 &ssh_gssapi_krb5_storecreds
 };
diff --git a/gss-serv.c b/gss-serv.c
index 00e3d118bd1f..56404007d79f 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -309,9 +309,11 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 return (ctx->major);
 }
- /* We can't copy this structure, so we just move the pointer to it */
+ /* We can't copy these structures, so we just move the pointer to it */
 client->creds = ctx->client_creds;
 ctx->client_creds = GSS_C_NO_CREDENTIAL;
+ client->client = ctx->client;
+ ctx->client = GSS_C_NO_NAME;
 return (ctx->major);
 }
@@ -365,20 +367,20 @@ ssh_gssapi_userok(char *user)
 debug("No suitable client data");
 return 0;
 }
- if (gssapi_client.mech && gssapi_client.mech->userok)
- if ((*gssapi_client.mech->userok)(&gssapi_client, user))
- return 1;
- else {
- /* Destroy delegated credentials if userok fails */
- gss_release_buffer(&lmin, &gssapi_client.displayname);
- gss_release_buffer(&lmin, &gssapi_client.exportedname);
- gss_release_cred(&lmin, &gssapi_client.creds);
- explicit_bzero(&gssapi_client,
- sizeof(ssh_gssapi_client));
- return 0;
- }
- else
- debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
+
+ if (gss_userok(gssapi_client.client, user))
+ return 1;
+ else {
+ /* Destroy delegated credentials if userok fails */
+ gss_release_buffer(&lmin, &gssapi_client.displayname);
+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
+ gss_release_cred(&lmin, &gssapi_client.creds);
+ gss_release_name(&lmin, &gssapi_client.client);
+ explicit_bzero(&gssapi_client,
+ sizeof(ssh_gssapi_client));
+ return 0;
+ }
+
 return (0);
 }
diff --git a/ssh-gss.h b/ssh-gss.h
index a8af117d2ef2..7c3740b072eb 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -71,6 +71,7 @@ typedef struct {
 typedef struct {
 gss_buffer_desc displayname;
 gss_buffer_desc exportedname;
+ gss_name_t client;
 gss_cred_id_t creds;
 struct ssh_gssapi_mech_struct *mech;
 ssh_gssapi_ccache store;
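Review bot: The gss_name_t moved into client->client by the two added assignments is now owned by the ssh_gssapi_client structure, but the only place this patch releases it is the failure branch of ssh_gssapi_userok(); any other teardown of gssapi_client outside this diff that releases displayname, exportedname and creds presumably needs a matching `gss_release_name(&lmin, &gssapi_client.client);`, otherwise the name leaks for the lifetime of the session on the success path. The reworded comment also no longer agrees with itself (plural structures, singular pointer); `/* We can't copy these structures, so we just move the pointers to them */` reads correctly. The body of ssh_gssapi_getclient() starts before this hunk.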
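Review bot: The new success branch of ssh_gssapi_userok() returns 1 without logging, whereas the krb5 path it replaces logged "Authorized to %s, krb5 principal %s (krb5_kuserok)", so a successful GSSAPI authorization no longer records which principal was mapped onto which local account in the auth log; before `return 1;` add `logit("Authorized to %s, GSSAPI principal %s (gss_userok)", user, (char *)gssapi_client.displayname.value);`. The removed mech->userok indirection also guarded against calling into a mechanism with no userok implementation; gss_userok() is now called unconditionally, and what it does when gssapi_client.client is still GSS_C_NO_NAME depends on the GSS library, so an explicit `if (gssapi_client.client == GSS_C_NO_NAME) return 0;` ahead of the call would make the deny explicit rather than library-defined. The trailing `return (0);` is now unreachable since both branches return.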
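Review bot: The added `gss_name_t client;` field carries no comment, and unlike the neighbouring buffers its ownership is what the rest of the patch depends on (moved out of Gssctxt by ssh_gssapi_getclient(), released on the ssh_gssapi_userok() failure path). A trailing comment such as `gss_name_t client; /* peer's GSS name, moved from Gssctxt; owned here */` would tell the next maintainer who is responsible for releasing it. The typedef continues past the end of this hunk.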
@@ -81,7 +82,6 @@ typedef struct ssh_gssapi_mech_struct {
 char *name;
 gss_OID_desc oid;
 int (*dochild) (ssh_gssapi_client *);
- int (*userok) (ssh_gssapi_client *, char *);
 int (*localname) (ssh_gssapi_client *, char **);
 void (*storecreds) (ssh_gssapi_client *);
 } ssh_gssapi_mech;