[760] | 1 | # OpenSSH multihomed patch |
---|
| 2 | # |
---|
| 3 | # Anders Kaseorg <andersk@mit.edu> |
---|
| 4 | # ported from 4.5 to 5.0 by Joe Presbrey <presbrey@mit.edu> |
---|
| 5 | diff -ur openssh-5.0p1.orig/gss-serv.c openssh-5.0p1/gss-serv.c |
---|
| 6 | --- openssh-5.0p1.orig/gss-serv.c 2008-05-20 00:00:00.000000000 -0400 |
---|
| 7 | +++ openssh-5.0p1/gss-serv.c 2008-05-20 00:00:00.000000000 -0400 |
---|
| 8 | @@ -77,22 +77,11 @@ |
---|
| 9 | ssh_gssapi_acquire_cred(Gssctxt *ctx) |
---|
| 10 | { |
---|
| 11 | OM_uint32 status; |
---|
| 12 | - char lname[MAXHOSTNAMELEN]; |
---|
| 13 | gss_OID_set oidset; |
---|
| 14 | |
---|
| 15 | gss_create_empty_oid_set(&status, &oidset); |
---|
| 16 | gss_add_oid_set_member(&status, ctx->oid, &oidset); |
---|
| 17 | |
---|
| 18 | - if (gethostname(lname, MAXHOSTNAMELEN)) { |
---|
| 19 | - gss_release_oid_set(&status, &oidset); |
---|
| 20 | - return (-1); |
---|
| 21 | - } |
---|
| 22 | - |
---|
| 23 | - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { |
---|
| 24 | - gss_release_oid_set(&status, &oidset); |
---|
| 25 | - return (ctx->major); |
---|
| 26 | - } |
---|
| 27 | - |
---|
| 28 | if ((ctx->major = gss_acquire_cred(&ctx->minor, |
---|
| 29 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) |
---|
| 30 | ssh_gssapi_error(ctx); |
---|
| 31 | @@ -102,6 +102,8 @@ |
---|
| 32 | { |
---|
| 33 | OM_uint32 status; |
---|
| 34 | gss_OID mech; |
---|
| 35 | + gss_name_t acceptor_name = GSS_C_NO_NAME; |
---|
| 36 | + gss_buffer_desc acceptor_name_buffer = GSS_C_EMPTY_BUFFER; |
---|
| 37 | |
---|
| 38 | ctx->major = gss_accept_sec_context(&ctx->minor, |
---|
| 39 | &ctx->context, ctx->creds, recv_tok, |
---|
| 40 | @@ -116,6 +118,22 @@ |
---|
| 41 | else |
---|
| 42 | debug("Got no client credentials"); |
---|
| 43 | |
---|
| 44 | + ctx->major = gss_inquire_context(&ctx->minor, ctx->context, NULL, &acceptor_name, NULL, NULL, NULL, NULL, NULL); |
---|
| 45 | + |
---|
| 46 | + if (GSS_ERROR(ctx->major)) { |
---|
| 47 | + ssh_gssapi_error(ctx); |
---|
| 48 | + } else { |
---|
| 49 | + ctx->major = gss_display_name(&ctx->minor, acceptor_name, &acceptor_name_buffer, NULL); |
---|
| 50 | + |
---|
| 51 | + if (GSS_ERROR(ctx->major)) { |
---|
| 52 | + ssh_gssapi_error(ctx); |
---|
| 53 | + } else if (acceptor_name_buffer.length < 5 || strncmp(acceptor_name_buffer.value, "host@", 5) != 0 && strncmp(acceptor_name_buffer.value, "host/", 5) != 0) { |
---|
| 54 | + debug("Accepting credential '%s' was not for the host service.", acceptor_name_buffer.value); |
---|
| 55 | + ctx->major = GSS_S_BAD_NAME; |
---|
| 56 | + } |
---|
| 57 | + } |
---|
| 58 | + gss_release_buffer(&status, &acceptor_name_buffer); |
---|
| 59 | + gss_release_name(&status, &acceptor_name); |
---|
| 60 | status = ctx->major; |
---|
| 61 | |
---|
| 62 | /* Now, if we're complete and we have the right flags, then |
---|