packages: openssh/openssh-heimdal.patch, openssh/openssh.spec - final, work...

baggins baggins at pld-linux.org
Wed Apr 20 00:45:25 CEST 2011


Author: baggins                      Date: Tue Apr 19 22:45:25 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- final, working solution to hardcoded kerberos credential cache,
  now sshd honours default_cc_type and default_cc_name settings in krb5.conf

---- Files affected:
packages/openssh:
   openssh-heimdal.patch (1.15 -> 1.16) , openssh.spec (1.357 -> 1.358) 

---- Diffs:

================================================================
Index: packages/openssh/openssh-heimdal.patch
diff -u packages/openssh/openssh-heimdal.patch:1.15 packages/openssh/openssh-heimdal.patch:1.16
--- packages/openssh/openssh-heimdal.patch:1.15	Tue Apr 19 22:37:18 2011
+++ packages/openssh/openssh-heimdal.patch	Wed Apr 20 00:45:20 2011
@@ -17,8 +17,58 @@
  				       ]
  			)
  			AC_SEARCH_LIBS(dn_expand, resolv)
---- openssh-5.8p1/gss-serv-krb5.c~	2011-04-19 14:09:54.832721425 +0200
-+++ openssh-5.8p1/gss-serv-krb5.c	2011-04-19 21:54:01.818248221 +0200
+diff -ur openssh-5.8p1-orig/auth-krb5.c openssh-5.8p1/auth-krb5.c
+--- openssh-5.8p1-orig/auth-krb5.c	2011-04-20 00:30:23.632652510 +0200
++++ openssh-5.8p1/auth-krb5.c	2011-04-20 00:34:06.218117429 +0200
+@@ -88,6 +88,8 @@
+ #ifndef HEIMDAL
+ 	krb5_creds creds;
+ 	krb5_principal server;
++#else
++	const char *ccache_type, *ccache_name;
+ #endif
+ 	krb5_error_code problem;
+ 	krb5_ccache ccache = NULL;
+@@ -129,7 +131,11 @@
+ 	if (problem)
+ 		goto out;
+ 
+-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
++	problem = krb5_cc_set_default_name(authctxt->krb5_ctx, NULL);
++	if (problem)
++		goto out;
++	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
++	    krb5_cc_default_name(authctxt->krb5_ctx), NULL,
+ 	    &authctxt->krb5_fwd_ccache);
+ 	if (problem)
+ 		goto out;
+@@ -180,12 +186,23 @@
+ 		goto out;
+ #endif
+ 
++#ifdef HEIMDAL
++	ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
++	ccache_name = krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
++	if (strncmp(ccache_type, "FILE", 4) == 0) {
++		authctxt->krb5_ticket_file = (char *)ccache_name;
++	}
++	len = strlen(ccache_type) + strlen(ccache_name) + 2;
++	authctxt->krb5_ccname = xmalloc(len);
++	snprintf(authctxt->krb5_ccname, len, "%s:%s", ccache_type, ccache_name);
++#else
+ 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ 
+ 	len = strlen(authctxt->krb5_ticket_file) + 6;
+ 	authctxt->krb5_ccname = xmalloc(len);
+ 	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+ 	    authctxt->krb5_ticket_file);
++#endif
+ 
+ #ifdef USE_PAM
+ 	if (options.use_pam)
+diff -ur openssh-5.8p1-orig/gss-serv-krb5.c openssh-5.8p1/gss-serv-krb5.c
+--- openssh-5.8p1-orig/gss-serv-krb5.c	2011-04-20 00:30:23.632652510 +0200
++++ openssh-5.8p1/gss-serv-krb5.c	2011-04-20 00:34:06.218117429 +0200
 @@ -121,6 +121,9 @@
  	krb5_principal princ;
  	OM_uint32 maj_status, min_status;
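Review bot: In the added `#ifdef HEIMDAL` branch of auth-krb5.c, `authctxt->krb5_ticket_file` is set only when the cache type starts with "FILE", so for KCM or any other backend it keeps whatever value it had before this point. The function's earlier lines are outside the hunk, so every reader of that field should be checked against a NULL or stale pointer. The test itself is a prefix match, and `if (strcmp(ccache_type, "FILE") == 0)` would state the intent exactly. `ccache_name` also goes into `strlen()` unchecked; if a backend can return no name, a guard that sets `problem` and takes the existing `goto out` path before the length computation would fail cleanly instead of dereferencing NULL. A short comment such as `/* krb5_ticket_file is only meaningful for FILE caches; krb5_ccname carries TYPE:name for all backends */` would record the new contract.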
@@ -29,18 +79,24 @@
  
  	if (client->creds == NULL) {
  		debug("No credentials stored");
-@@ -131,8 +132,8 @@
+@@ -131,8 +134,14 @@
  		return;
  
  #ifdef HEIMDAL
 -	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 -		logit("krb5_cc_gen_new(): %.100s",
-+	if ((problem = krb5_cc_new_unique(krb_context, NULL, NULL, &ccache))) {
++	if ((problem = krb5_cc_set_default_name(krb_context, NULL))) {
++		logit("krb5_cc_set_default_name(): %.100s",
++		    krb5_get_err_text(krb_context, problem));
++		return;
++	}
++	if ((problem = krb5_cc_new_unique(krb_context,
++			krb5_cc_default_name(krb_context), NULL, &ccache))) {
 +		logit("krb5_cc_new_unique(): %.100s",
  		    krb5_get_err_text(krb_context, problem));
  		return;
  	}
-@@ -169,11 +170,23 @@
+@@ -169,11 +178,23 @@
  		return;
  	}
  
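Review bot: The result of `krb5_cc_default_name(krb_context)` is passed as the type argument of `krb5_cc_new_unique()`, and a comment should say what that relies on. As far as I know, Heimdal uses only the part of that string before the first colon to pick the backend, so `default_cc_name` selects a cache type but not the new cache's location. `krb5_cc_set_default_name(krb_context, NULL)` also appears to consult the daemon's own `KRB5CCNAME` environment variable before krb5.conf, so the type may come from sshd's start-up environment rather than from configuration; this is worth confirming and documenting for operators. Something like `/* only the TYPE prefix of the default name is used; the cache itself is freshly generated */` above the call would do. The same call pair is added to auth-krb5.c in the previous hunk, and the enclosing function here starts and ends outside the hunk.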
@@ -60,50 +116,6 @@
  	len = strlen(client->store.filename) + 6;
  	client->store.envval = xmalloc(len);
  	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
-+#endif
- 
- #ifdef USE_PAM
- 	if (options.use_pam)
---- openssh-5.8p1/auth-krb5.c.orig	2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1/auth-krb5.c	2011-04-19 22:16:14.622268002 +0200
-@@ -74,6 +88,8 @@
- #ifndef HEIMDAL
- 	krb5_creds creds;
- 	krb5_principal server;
-+#else
-+	const char *ccache_type, *ccache_name;
- #endif
- 	krb5_error_code problem;
- 	krb5_ccache ccache = NULL;
-@@ -115,7 +130,7 @@
- 	if (problem)
- 		goto out;
- 
--	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
-+	problem = krb5_cc_new_unique(authctxt->krb5_ctx, NULL, NULL,
- 	    &authctxt->krb5_fwd_ccache);
- 	if (problem)
- 		goto out;
-@@ -166,12 +181,23 @@
- 		goto out;
- #endif
- 
-+#ifdef HEIMDAL
-+	ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-+	ccache_name = krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-+	if (strncmp(ccache_type, "FILE", 4) == 0) {
-+		authctxt->krb5_ticket_file = (char *)ccache_name;
-+	}
-+	len = strlen(ccache_type) + strlen(ccache_name) + 2;
-+	authctxt->krb5_ccname = xmalloc(len);
-+	snprintf(authctxt->krb5_ccname, len, "%s:%s", ccache_type, ccache_name);
-+#else
- 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
- 
- 	len = strlen(authctxt->krb5_ticket_file) + 6;
- 	authctxt->krb5_ccname = xmalloc(len);
- 	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
- 	    authctxt->krb5_ticket_file);
 +#endif
  
  #ifdef USE_PAM

================================================================
Index: packages/openssh/openssh.spec
diff -u packages/openssh/openssh.spec:1.357 packages/openssh/openssh.spec:1.358
--- packages/openssh/openssh.spec:1.357	Tue Apr 19 22:19:14 2011
+++ packages/openssh/openssh.spec	Wed Apr 20 00:45:20 2011
@@ -30,7 +30,7 @@
 Summary(uk.UTF-8):	OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:		openssh
 Version:	5.8p1
-Release:	4.1
+Release:	5
 Epoch:		2
 License:	BSD
 Group:		Applications/Networking
@@ -764,6 +764,10 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.358  2011/04/19 22:45:20  baggins
+- final, working solution to hardcoded kerberos credential cache,
+  now sshd honours default_cc_type and default_cc_name settings in krb5.conf
+
 Revision 1.357  2011/04/19 20:19:14  baggins
 - don't hardcode credential cache type and name for heimdal (breaks KCM)
 
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/openssh/openssh-heimdal.patch?r1=1.15&r2=1.16&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/openssh/openssh.spec?r1=1.357&r2=1.358&f=u


