source: branches/fc13-dev/server/common/patches/openssh-5.0p1-multihomed.patch @ 1626

Last change on this file since 1626 was 1626, checked in by ezyang, 14 years ago
Update SSH multihomed patch for F13, remove old 4.5p1 multihomed patch.
File size: 2.1 KB
RevLine 
[760]1# OpenSSH multihomed patch
2#
3# Anders Kaseorg <andersk@mit.edu>
4# ported from 4.5 to 5.0 by Joe Presbrey <presbrey@mit.edu>
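diff -ur openssh-5.0p1.orig/gss-serv.c openssh-5.0p1/gss-serv.c
--- openssh-5.0p1.orig/gss-serv.c       2008-05-20 00:00:00.000000000 -0400
+++ openssh-5.0p1/gss-serv.c    2008-05-20 00:00:00.000000000 -0400
@@ -83,23 +83,12 @@
 ssh_gssapi_acquire_cred(Gssctxt *ctx)
 {
        OM_uint32 status;
-       char lname[MAXHOSTNAMELEN];
        gss_OID_set oidset;
 
        if (options.gss_strict_acceptor) {
                gss_create_empty_oid_set(&status, &oidset);
                gss_add_oid_set_member(&status, ctx->oid, &oidset);
 
-               if (gethostname(lname, MAXHOSTNAMELEN)) {
-                       gss_release_oid_set(&status, &oidset);
-                       return (-1);
-               }
-
-               if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-                       gss_release_oid_set(&status, &oidset);
-                       return (ctx->major);
-               }
-
                if ((ctx->major = gss_acquire_cred(&ctx->minor,
                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
                    NULL, NULL)))
@@ -102,6 +102,8 @@
 {
        OM_uint32 status;
        gss_OID mech;
+       gss_name_t acceptor_name = GSS_C_NO_NAME;
+       gss_buffer_desc acceptor_name_buffer = GSS_C_EMPTY_BUFFER;
 
        ctx->major = gss_accept_sec_context(&ctx->minor,
            &ctx->context, ctx->creds, recv_tok,
@@ -116,6 +118,22 @@
        else
                debug("Got no client credentials");
 
+       ctx->major = gss_inquire_context(&ctx->minor, ctx->context, NULL, &acceptor_name, NULL, NULL, NULL, NULL, NULL);
+
+       if (GSS_ERROR(ctx->major)) {
+               ssh_gssapi_error(ctx);
+       } else {
+               ctx->major = gss_display_name(&ctx->minor, acceptor_name, &acceptor_name_buffer, NULL);
+
+               if (GSS_ERROR(ctx->major)) {
+                       ssh_gssapi_error(ctx);
+               } else if (acceptor_name_buffer.length < 5 || strncmp(acceptor_name_buffer.value, "host@", 5) != 0 && strncmp(acceptor_name_buffer.value, "host/", 5) != 0) {
+                       debug("Accepting credential '%s' was not for the host service.", acceptor_name_buffer.value);
+                       ctx->major = GSS_S_BAD_NAME;
+               }
+       }
+       gss_release_buffer(&status, &acceptor_name_buffer);
+       gss_release_name(&status, &acceptor_name);
        status = ctx->major;
 
        /* Now, if we're complete and we have the right flags, then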
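Review bot: The acceptor-name check added after `debug("Got no client credentials")` runs unconditionally and stores the result of `gss_inquire_context` in `ctx->major`, so whatever `gss_accept_sec_context` returned is overwritten before `status = ctx->major;`. If the accept call returned GSS_S_CONTINUE_NEEDED or an error, the status tested by the following "if we're complete" block would then be the inquire result rather than the accept result; the lines between the hunks are not visible here, so this should be confirmed. Guarding the added block with `if (ctx->major == GSS_S_COMPLETE) {` keeps the original status on the other paths while still failing closed when the acceptor is not a host principal. Separately, the `debug()` call prints `acceptor_name_buffer.value` with `%s`, but a `gss_buffer_desc` carries an explicit length and is not guaranteed to be NUL-terminated, so `'%.*s'` with `(int)acceptor_name_buffer.length` is safer. The enclosing function starts and ends outside the hunk.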