Make sure the kerberos cleanup procedures are properly invoked

2019-03-04 16:23:36 +01:00 · 2019-03-04 16:23:36 +01:00 · 3722267e80
commit 3722267e80
parent ae07017120
1 changed files with 56 additions and 56 deletions
--- a/openssh-7.7p1-gssapi-new-unique.patch
+++ b/openssh-7.7p1-gssapi-new-unique.patch
@ -113,29 +113,12 @@ index a5a81ed2..63f877f2 100644
 	if (authctxt->krb5_user) {
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 		authctxt->krb5_user = NULL;
-@@ -237,36 +287,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
 	}
 }
 
 -#ifndef HEIMDAL
-krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
-	int tmpfd, ret, oerrno;
-	char ccname[40];
-	mode_t old_umask;
- 
-	ret = snprintf(ccname, sizeof(ccname),
-	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
-	if (ret < 0 || (size_t)ret >= sizeof(ccname))
-		return ENOMEM;
-
-	old_umask = umask(0177);
-	tmpfd = mkstemp(ccname + strlen("FILE:"));
-	oerrno = errno;
-	umask(old_umask);
-	if (tmpfd == -1) {
-		logit("mkstemp(): %.100s", strerror(oerrno));
-		return oerrno;
+
 +#if !defined(HEIMDAL)
 +int
 +ssh_asprintf_append(char **dsc, const char *fmt, ...) {
@ -200,9 +183,8 @@ index a5a81ed2..63f877f2 100644
 +			/* unknown token, fallback to the default */
 +			goto cleanup;
 +		}
- 	}
- 
-	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+	}
+
 +	if (ssh_asprintf_append(&r, "%s", p_o) == -1)
 +		goto cleanup;
 +
@ -216,7 +198,10 @@ index a5a81ed2..63f877f2 100644
 +	return -1;
 +}
 +
-+krb5_error_code
+ krb5_error_code
+-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
+-	int tmpfd, ret, oerrno;
+-	char ccname[40];
 +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
 +	profile_t p;
 +	int ret = 0;
@ -241,9 +226,22 @@ index a5a81ed2..63f877f2 100644
 +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
 +	int tmpfd, ret, oerrno, type_len;
 +	char *ccname = NULL;
-+	mode_t old_umask;
+ 	mode_t old_umask;
 +	char *type = NULL, *colon = NULL;
-+
+ 
+-	ret = snprintf(ccname, sizeof(ccname),
+-	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+-	if (ret < 0 || (size_t)ret >= sizeof(ccname))
+-		return ENOMEM;
+-
+-	old_umask = umask(0177);
+-	tmpfd = mkstemp(ccname + strlen("FILE:"));
+-	oerrno = errno;
+-	umask(old_umask);
+-	if (tmpfd == -1) {
+-		logit("mkstemp(): %.100s", strerror(oerrno));
+-		return oerrno;
+-	}
 +	debug3("%s: called", __func__);
 +	if (need_environment)
 +		*need_environment = 0;
@ -258,7 +256,8 @@ index a5a81ed2..63f877f2 100644
 +		    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
 +		if (ret < 0)
 +			return ENOMEM;
-+
+ 
+-	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 +		old_umask = umask(0177);
 +		tmpfd = mkstemp(ccname + strlen("FILE:"));
 		oerrno = errno;
@ -345,11 +344,10 @@ index 29491df9..fdab5040 100644
 +krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
 #endif
 #endif
-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 795992d9..0623a107 100644
--- a/gss-serv-krb5.c
-+++ b/gss-serv-krb5.c
-@@ -114,7 +114,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
+--- openssh-7.9p1/gss-serv-krb5.c.ccache_name	2019-03-01 15:17:42.708611802 +0100
+++ openssh-7.9p1/gss-serv-krb5.c	2019-03-01 15:17:42.713611844 +0100
+@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
 
@ -358,12 +356,9 @@ index 795992d9..0623a107 100644
 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 {
 	krb5_ccache ccache;
-@@ -121,16 +121,17 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
- 	krb5_error_code problem;
- 	krb5_principal princ;
+@@ -276,14 +276,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 	OM_uint32 maj_status, min_status;
-	const char *new_ccname, *new_cctype;
-+	int len;
+ 	const char *new_ccname, *new_cctype;
 	const char *errmsg;
 +	int set_env = 0;
 
@ -379,7 +374,7 @@ index 795992d9..0623a107 100644
 
 #ifdef HEIMDAL
 # ifdef HAVE_KRB5_CC_NEW_UNIQUE
-@@ -144,14 +145,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -297,14 +298,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 		krb5_get_err_text(krb_context, problem));
 # endif
 		krb5_free_error_message(krb_context, errmsg);
@ -398,7 +393,7 @@ index 795992d9..0623a107 100644
 	}
 #endif	/* #ifdef HEIMDAL */
 
-@@ -160,7 +161,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -313,7 +314,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 		errmsg = krb5_get_error_message(krb_context, problem);
 		logit("krb5_parse_name(): %.100s", errmsg);
 		krb5_free_error_message(krb_context, errmsg);
@ -407,7 +402,7 @@ index 795992d9..0623a107 100644
 	}
 
 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
-@@ -169,7 +170,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -322,7 +323,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 		krb5_free_error_message(krb_context, errmsg);
 		krb5_free_principal(krb_context, princ);
 		krb5_cc_destroy(krb_context, ccache);
@ -416,7 +411,7 @@ index 795992d9..0623a107 100644
 	}
 
 	krb5_free_principal(krb_context, princ);
-@@ -178,37 +179,27 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -331,29 +332,19 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 	    client->creds, ccache))) {
 		logit("gss_krb5_copy_ccache() failed");
 		krb5_cc_destroy(krb_context, ccache);
@ -424,8 +419,8 @@ index 795992d9..0623a107 100644
 +		return 0;
 	}
 
-	new_cctype = krb5_cc_get_type(krb_context, ccache);
-	new_ccname = krb5_cc_get_name(krb_context, ccache);
+ 	new_cctype = krb5_cc_get_type(krb_context, ccache);
+ 	new_ccname = krb5_cc_get_name(krb_context, ccache);
 -
 -	client->store.envvar = "KRB5CCNAME";
 -#ifdef USE_CCAPI
@ -433,21 +428,17 @@ index 795992d9..0623a107 100644
 -#else
 -	if (new_ccname[0] == ':')
 -		new_ccname++;
-	xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
+ 	xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
 -	if (strcmp(new_cctype, "DIR") == 0) {
 -		char *p;
 -		p = strrchr(client->store.envval, '/');
 -		if (p)
 -			*p = '\0';
-	}
-#endif
+
 +	if (set_env) {
-+		const char *filename = krb5_cc_get_name(krb_context, ccache);
 +		client->store.envvar = "KRB5CCNAME";
-+		len = strlen(filename) + 6;
-+		client->store.envval = xmalloc(len);
-+		snprintf(client->store.envval, len, "FILE:%s", filename);
-+	}
+ 	}
+-#endif
 
 #ifdef USE_PAM
 -	if (options.use_pam)
@ -455,7 +446,7 @@ index 795992d9..0623a107 100644
 		do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
 
- 	krb5_cc_close(krb_context, ccache);
+@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 
 	client->store.data = krb_context;
 
@ -486,11 +477,20 @@ index 6cae720e..16e55cbc 100644
 }
 
 /* This allows GSSAPI methods to do things to the childs environment based
-diff --git a/servconf.c b/servconf.c
-index cb578658..a6e01df2 100644
--- a/servconf.c
-+++ b/servconf.c
-@@ -122,6 +122,7 @@ initialize_server_options(ServerOptions *options)
+@@ -496,8 +498,7 @@ ssh_gssapi_rekey_creds() {
+ 	char *envstr;
+ #endif
+ 
+-	if (gssapi_client.store.envval == NULL &&
+-	    gssapi_client.store.envvar == NULL)
+	if (gssapi_client.store.envval == NULL)
+ 		return;
+  
+ 	ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
+diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
+--- openssh-7.9p1/servconf.c.ccache_name	2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c	2019-03-01 15:17:42.713611844 +0100
+@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;