diff -u -r -N --exclude configure --exclude config.h.in src.old/AuthSession.h src/AuthSession.h --- src.old/AuthSession.h Wed Dec 31 18:00:00 1969 +++ src/AuthSession.h Sat Jan 11 17:07:53 2003 @@ -0,0 +1,171 @@ +/* + * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved. + * + * The contents of this file constitute Original Code as defined in and are + * subject to the Apple Public Source License Version 1.2 (the 'License'). + * You may not use this file except in compliance with the License. Please obtain + * a copy of the License at http://www.apple.com/publicsource and read it before + * using this file. + * + * This Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS + * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT + * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the + * specific language governing rights and limitations under the License. + */ + + +/* + * AuthSession.h + * AuthSession - APIs for managing login, authorization, and security Sessions. + */ +#if !defined(__AuthSession__) +#define __AuthSession__ 1 + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +/*! + @header AuthSession + + The Session API provides specialized applications access to Session management and inquiry + functions. This is a specialized API that should not be of interest to most people. + + If you do not know what "Session" means in the context of MacOS Authorization and security, + please check with your documentation and come back when you have figured it out - we won't + explain it here. + + This API is tentative, preliminary, incomplete, internal, and subject to change. + You have been warned. +*/ + + +/*! + @typedef SecuritySessionId + These are externally visible identifiers for authorization sessions. + Different sessions have different identifiers; beyond that, you can't + tell anything from these values. + SessionIds can be compared for equality as you'd expect, but you should be careful + to use attribute bits wherever appropriate. For example, don't rely on there being + "the" graphical login session - some day, we may have more than one... +*/ +typedef UInt32 SecuritySessionId; + + +/*! + @enum SecuritySessionId + Here are some special values for SecuritySessionId. You may specify those + on input to SessionAPI functions. They will never be returned from such + functions. +*/ +enum { + noSecuritySession = 0, /* definitely not a valid SecuritySessionId */ + callerSecuritySession = -1 /* the Session I (the caller) am in */ +}; + + +/*! + @enum SessionAttributeBits + Each Session has a set of attribute bits. You can get those from the + SessionGetInfo API function. + */ +typedef UInt32 SessionAttributeBits; + +enum { + sessionIsRoot = 0x0001, /* is the root session (startup/system programs) */ + sessionHasGraphicAccess = 0x0010, /* graphic subsystem (CoreGraphics et al) available */ + sessionHasTTY = 0x0020, /* /dev/tty is available */ + sessionIsRemote = 0x1000, /* session was established over the network */ + + sessionWasInitialized = 0x8000 /* session has been set up by its leader */ +}; + + +/*! + @enum SessionCreationFlags + These flags control how a new session is created by SessionCreate. + They have no permanent meaning beyond that. + */ +typedef UInt32 SessionCreationFlags; + +enum { + sessionKeepCurrentBootstrap = 0x8000 /* caller has allocated sub-bootstrap (expert use only) */ +}; + + +/*! + @enum SessionStatus + Error codes returned by AuthSession API. + Note that the AuthSession APIs can also return Authorization API error codes. +*/ +enum { + errSessionSuccess = 0, /* all is well */ + errSessionInvalidId = -60500, /* invalid session id specified */ + errSessionInvalidAttributes = -60501, /* invalid set of requested attribute bits */ + errSessionAuthorizationDenied = -60502, /* you are not allowed to do this */ + + errSessionInternal = errAuthorizationInternal, /* internal error */ + errSessionInvalidFlags = errAuthorizationInvalidFlags /* invalid flags/options */ +}; + + +/*! + @function SessionGetInfo + Obtain information about a session. + + @param session (input) The Session you are asking about. Can be one of the + special constants defined above. + + @param sessionId (output/optional) The actual SecuritySessionId for the session you asked about. + Will never be one of those constants. + + @param attributes (output/optional) Receives the attribute bits for the session. + + @result An OSStatus indicating success (noErr) or an error cause. + + errSessionInvalidId -60500 Invalid session id specified + +*/ +OSStatus SessionGetInfo(SecuritySessionId session, + SecuritySessionId *sessionId, + SessionAttributeBits *attributes); + + +/*! + @function SessionCreate + This (very specialized) function creates and/or initializes a security session. + It always sets up the session that the calling process belongs to - you cannot + create a session for someone else. + By default, a new bootstrap subset port is created for the calling process. The process + acquires this new port as its bootstrap port, which all its children will inherit. + If you happen to have created the subset port on your own, you can pass the + sessionKeepCurrentBootstrap flag, and SessionCreate will use it. Note however that + you cannot supersede a prior SessionCreate call that way; only a single SessionCreate + call is allowed for each Session (however made). + + @param flags Flags controlling how the session is created. + + @param attributes The set of attribute bits to set for the new session. + Not all bits can be set this way. + + @result An OSStatus indicating success (noErr) or an error cause. + + errSessionInvalidAttributes -60501 Attempt to set invalid attribute bits + errSessionAuthorizationDenied -60502 Attempt to re-initialize a session + errSessionInvalidFlags -60011 Attempt to specify unsupported flag bits + +*/ +OSStatus SessionCreate(SessionCreationFlags flags, + SessionAttributeBits attributes); + + +#if defined(__cplusplus) +} +#endif + +#endif /* ! __AuthSession__ */ diff -u -r -N --exclude configure --exclude config.h.in src.old/acconfig.h src/acconfig.h --- src.old/acconfig.h Sat Jan 11 17:07:57 2003 +++ src/acconfig.h Sat Jan 11 17:07:53 2003 @@ -304,6 +304,21 @@ /* Use IPv4 for connection by default, IPv6 can still if explicity asked */ #undef IPV4_DEFAULT +/* Don't use krb5_init_ets() -- it's not present (MIT only) */ +#undef DONT_KRB5_INIT_ETS + +/* Our Kerberos 5 credentials cache uses the Ccache API (MIT only) */ +#undef HAVE_API_CCACHE + +/* OS X workaround */ +#undef HAVE_SECURITYSERVER + +/* OS X workaround */ +#undef _POSIX_SAVED_IDS + +/* OS X workaround */ +#undef HAVE_ONLY_MKSTEMP + /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO diff -u -r -N --exclude configure --exclude config.h.in src.old/auth-krb5.c src/auth-krb5.c --- src.old/auth-krb5.c Sat Jan 11 17:07:57 2003 +++ src/auth-krb5.c Sat Jan 11 17:07:53 2003 @@ -42,9 +42,14 @@ #ifdef KRB5 #include #ifndef HEIMDAL +#include #define krb5_get_err_text(context,code) error_message(code) #endif /* !HEIMDAL */ +#if defined(HAVE_API_CCACHE) +#include "ssh-gss.h" +#endif + extern ServerOptions options; static int @@ -181,12 +186,12 @@ #ifdef HEIMDAL problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache); -#else +#elif !defined(HAVE_API_CCACHE) { char ccname[40]; int tmpfd; - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); + snprintf(ccname,sizeof(ccname)-1,"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { log("mkstemp(): %.100s", strerror(errno)); @@ -203,6 +208,7 @@ problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache); } #endif +#if !defined(HAVE_API_CCACHE) if (problem) goto fail; @@ -210,6 +216,7 @@ authctxt->krb5_user); if (problem) goto fail; +#endif #ifdef HEIMDAL problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, @@ -221,15 +228,31 @@ tgt, &creds, NULL); if (problem) goto fail; +#if defined(HAVE_API_CCACHE) + memcpy(&gssapi_client_krb5_creds,*creds,sizeof(krb5_creds)); + problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, + (char **)(&gssapi_client_name.value)); + if (problem) + goto fail; + gssapi_client_name.length = strlen(gssapi_client_name.value); + snprintf(gssapi_client_krb5_ccname,sizeof(gssapi_client_krb5_ccname)-1, + "Credentials from passed TGT"); + //strncpy(gssapi_client_krb5_ccname,API_CCACHE_DFLT_NAME, + // sizeof(gssapi_client_krb5_ccname)-1); + gssapi_client_type = GSS_KERBEROS; +#else problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds); if (problem) goto fail; #endif +#endif +#if !defined(HAVE_API_CCACHE) authctxt->krb5_fwd_ccache = ccache; ccache = NULL; authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); +#endif problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, &pname); @@ -260,9 +283,11 @@ #ifndef HEIMDAL krb5_creds creds; krb5_principal server; +#if !defined(HAVE_API_CCACHE) char ccname[40]; int tmpfd; -#endif +#endif +#endif krb5_error_code problem; if (authctxt->pw == NULL) @@ -280,7 +305,7 @@ goto out; #ifdef HEIMDAL - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &authctxt->krb5_fwd_ccache); if (problem) goto out; @@ -293,6 +318,14 @@ restore_uid(); problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->krb5_fwd_ccache, password, 1, NULL); + if (!problem) { + authctxt->krb5_ticket_file = (char *) krb5_cc_get_name(authctxt->krb5_ctx, + authctxt->krb5_fwd_ccache); + /* krb5_verify_user() changes the ownership of authctxt-> + krb5_fwd_ccache, so we need to change it back */ + problem = chown(authctxt->krb5_ticket_file, + authctxt->pw->pw_uid,authctxt->pw->pw_gid); + } temporarily_use_uid(authctxt->pw); if (problem) @@ -323,7 +356,20 @@ goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); +#if defined(HAVE_API_CCACHE) + memcpy(&gssapi_client_krb5_creds,&creds,sizeof(krb5_creds)); + problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, + (char **)(&gssapi_client_name.value)); + if (problem) + goto out; + gssapi_client_name.length = strlen(gssapi_client_name.value); + snprintf(gssapi_client_krb5_ccname,sizeof(gssapi_client_krb5_ccname)-1, + "Credentials from password"); + //strncpy(gssapi_client_krb5_ccname,API_CCACHE_DFLT_NAME, + // sizeof(gssapi_client_krb5_ccname)-1); + gssapi_client_type = GSS_KERBEROS; +#else + snprintf(ccname,sizeof(ccname)-1,"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { log("mkstemp(): %.100s", strerror(errno)); @@ -352,9 +398,11 @@ &creds); if (problem) goto out; -#endif authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); +#endif /* #if defined(HAVE_API_CCACHE) */ + +#endif /* #ifdef HEIMDAL */ out: restore_uid(); diff -u -r -N --exclude configure --exclude config.h.in src.old/configure.ac src/configure.ac --- src.old/configure.ac Sat Jan 11 17:07:57 2003 +++ src/configure.ac Sat Jan 11 21:01:57 2003 @@ -108,6 +108,13 @@ [AC_MSG_RESULT(buggy) AC_DEFINE(BROKEN_GETADDRINFO)], [AC_MSG_RESULT(assume it is working)]) + LDFLAGS="$LDFLAGS -framework Security -bind_at_load" + AC_DEFINE(HAVE_SETLOGIN) + AC_DEFINE(DONT_KRB5_INIT_ETS) # MIT only + AC_DEFINE(HAVE_API_CCACHE) # MIT only + AC_DEFINE(HAVE_SECURITYSERVER) + AC_DEFINE(_POSIX_SAVED_IDS) + AC_DEFINE(HAVE_ONLY_MKSTEMP) ;; *-*-hpux10.26) if test -z "$GCC"; then @@ -1810,26 +1817,26 @@ else KRB5ROOT=${withval} fi - CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" - LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + CPPFLAGS="-I${KRB5ROOT}/include $CPPFLAGS" + LDFLAGS="-L${KRB5ROOT}/lib $LDFLAGS" AC_DEFINE(KRB5) KRB5_MSG="yes" AC_MSG_CHECKING(whether we are using Heimdal) - AC_TRY_COMPILE([ #include ], + AC_TRY_COMPILE([ #include "${KRB5ROOT}/include/krb5.h" ], [ char *tmp = heimdal_version; ], [ AC_MSG_RESULT(yes) AC_DEFINE(HEIMDAL) - K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" + K5LIBS="${KRB5ROOT}/lib/libkrb5.a ${KRB5ROOT}/lib/libcom_err.a -lasn1 -lroken" ], [ AC_MSG_RESULT(no) K5LIBS="-lkrb5 -lk5crypto -lcom_err" ] ) if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + LDFLAGS="-R${KRB5ROOT}/lib $LDFLAGS" fi if test ! -z "$blibpath" ; then - blibpath="$blibpath:${KRB5ROOT}/lib" + blibpath="${KRB5ROOT}/lib:$blibpath" fi AC_CHECK_LIB(resolv, dn_expand, , ) @@ -1846,7 +1853,7 @@ AC_CHECK_HEADER(gssapi.h, , [ unset ac_cv_header_gssapi_h - CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + CPPFLAGS="-I${KRB5ROOT}/include/gssapi $CPPFLAGS" AC_CHECK_HEADERS(gssapi.h, , AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) ) @@ -1854,7 +1861,7 @@ ) oldCPP="$CPPFLAGS" - CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + CPPFLAGS="-I${KRB5ROOT}/include/gssapi $CPPFLAGS" AC_CHECK_HEADER(gssapi_krb5.h, , [ CPPFLAGS="$oldCPP" ]) diff -u -r -N --exclude configure --exclude config.h.in src.old/defines.h src/defines.h --- src.old/defines.h Sat Jan 11 17:07:57 2003 +++ src/defines.h Sat Jan 11 17:07:53 2003 @@ -3,6 +3,10 @@ /* $Id: defines.h,v 1.96 2002/09/26 00:38:48 tim Exp $ */ +#if defined(HEIMDAL) +# undef DONT_KRB5_INIT_ETS +# undef HAVE_API_CCACHE +#endif /* Constants */ @@ -438,6 +442,10 @@ # define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member) #else # define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member) +#endif + +#if defined(DONT_KRB5_INIT_ETS) +# define krb5_init_ets(table) #endif #if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) diff -u -r -N --exclude configure --exclude config.h.in src.old/gss-genr.c src/gss-genr.c --- src.old/gss-genr.c Sat Jan 11 17:07:57 2003 +++ src/gss-genr.c Sat Jan 11 17:07:54 2003 @@ -49,6 +49,10 @@ gss_buffer_desc gssapi_client_name = {0,NULL}; /* Name of our client */ gss_cred_id_t gssapi_client_creds = GSS_C_NO_CREDENTIAL; /* Their credentials */ enum ssh_gss_id gssapi_client_type = GSS_LAST_ENTRY; +#if defined(HAVE_API_CCACHE) +char gssapi_client_krb5_ccname[40] = {0}; +krb5_creds gssapi_client_krb5_creds = {0}; +#endif /* The mechanism name used in the list below is defined in the internet * draft as the Base 64 encoding of the MD5 hash of the ASN.1 DER encoding diff -u -r -N --exclude configure --exclude config.h.in src.old/gss-serv.c src/gss-serv.c --- src.old/gss-serv.c Sat Jan 11 17:07:58 2003 +++ src/gss-serv.c Sat Jan 11 17:07:54 2003 @@ -66,6 +66,7 @@ #include #else #include +#include #define krb5_get_err_text(context,code) error_message(code) #endif @@ -138,21 +139,72 @@ krb5_principal princ; char ccname[35]; static char name[40]; +#if defined(HAVE_API_CCACHE) + cc_context_t cc_context = NULL; + cc_ccache_t cc_cache = NULL; + cc_ccache_iterator_t ccacheIterator = NULL; + cc_string_t cc_name = NULL; + cc_int32 cc_err; +#else int tmpfd; +#endif OM_uint32 maj_status,min_status; + if (ssh_gssapi_krb5_init() == 0) + return; +#if defined(HAVE_API_CCACHE) + cc_err = cc_initialize(&cc_context, ccapi_version_4, NULL, NULL); + if (cc_err != ccNoError) { + log("cc_initialize returned error = %d", cc_err); + return; + } + cc_err = cc_context_new_ccache_iterator(cc_context, &ccacheIterator); + if (cc_err != ccNoError) { + log("cc_ccache_new_ccache_iterator returned error = %d", cc_err); + return; + } + for (;;) { + cc_err = cc_ccache_iterator_next(ccacheIterator, &cc_cache); + if ((cc_err != ccNoError) && (cc_err != ccIteratorEnd)) { + log("cc_ccache_iterator_next returned error = %d", cc_err); + return; + } else if (cc_err == ccIteratorEnd) { + break; + } + cc_err = cc_ccache_get_name(cc_cache, &cc_name); + if (cc_err == ccNoError) { + log("destroying previous credentials cache in \"%s\"", cc_name->data); + } + cc_string_release(cc_name); + cc_err = cc_ccache_destroy(cc_cache); + if (cc_err != ccNoError) { + log("cc_ccache_destroy returned error = %d", cc_err); + return; + } + } + cc_ccache_iterator_release(ccacheIterator); + cc_context_release(cc_context); +#endif + +#if defined(HAVE_API_CCACHE) && !defined(HEIMDAL) + if ((gssapi_client_creds==NULL)&&(gssapi_client_krb5_creds.client==NULL)) { +#else if (gssapi_client_creds==NULL) { +#endif debug("No credentials stored"); return; } - if (ssh_gssapi_krb5_init() == 0) - return; - +#if defined(HAVE_API_CCACHE) && !defined(HEIMDAL) + if (gssapi_client_krb5_ccname[0] == 0) { + snprintf(ccname,sizeof(ccname)-1,"Forwarded credentials"); + //strncpy(ccname,API_CCACHE_DFLT_NAME,sizeof(ccname)-1); + } + else strncpy(ccname,gssapi_client_krb5_ccname,sizeof(ccname)-1); +#else if (options.gss_use_session_ccache) { - snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d_XXXXXX",geteuid()); - + snprintf(ccname,sizeof(ccname)-1,"/tmp/krb5cc_%d_XXXXXX",geteuid()); if ((tmpfd = mkstemp(ccname))==-1) { log("mkstemp(): %.100s", strerror(errno)); return; @@ -163,22 +215,48 @@ return; } } else { - snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d",geteuid()); + snprintf(ccname,sizeof(ccname)-1,"/tmp/krb5cc_%d",geteuid()); tmpfd = open(ccname, O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); if (tmpfd == -1) { log("open(): %.100s", strerror(errno)); return; } } +#endif - close(tmpfd); - snprintf(name, sizeof(name), "FILE:%s",ccname); +#if defined(HAVE_API_CCACHE) + cc_err = cc_initialize(&cc_context, ccapi_version_4, NULL, NULL); + if (cc_err != ccNoError) { + log("cc_initialize returned error = %d", cc_err); + return; + } + cc_err = cc_context_create_ccache(cc_context, ccname, cc_credentials_v5, + gssapi_client_name.value, &cc_cache); + if (cc_err != ccNoError) { + log("cc_context_create_ccache returned error = %d", cc_err); + return; + } + cc_err = cc_ccache_set_default(cc_cache); + if (cc_err != ccNoError) { + log("cc_ccache_set_default returned error = %d", cc_err); + return; + } + cc_context_release(cc_context); + cc_ccache_release(cc_cache); +#endif + +#if defined(HAVE_API_CCACHE) && !defined(HEIMDAL) + snprintf(name, sizeof(name)-1, "API:%s", ccname); +#else + close(tmpfd); + snprintf(name, sizeof(name)-1, "FILE:%s",ccname); +#endif - if ((problem = krb5_cc_resolve(krb_context, name, &ccache))) { - log("krb5_cc_default(): %.100s", - krb5_get_err_text(krb_context,problem)); - return; - } + if ((problem = krb5_cc_resolve(krb_context, name, &ccache))) { + log("krb5_cc_resolve(): %.100s", + krb5_get_err_text(krb_context,problem)); + return; + } if ((problem = krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) { @@ -208,6 +286,7 @@ return; } #else + #ifndef HAVE_API_CCACHE if ((maj_status = gss_krb5_copy_ccache(&min_status, gssapi_client_creds, ccache))) { @@ -216,16 +295,40 @@ krb5_cc_destroy(krb_context,ccache); return; } + #else + if (gssapi_client_creds != NULL) { + if ((maj_status = gss_krb5_copy_ccache( + &min_status, + gssapi_client_creds, + ccache))) + { + log("gss_krb5_copy_ccache() failed"); + ssh_gssapi_error(maj_status,min_status); + krb5_cc_destroy(krb_context,ccache); + return; + } + } else if (gssapi_client_krb5_creds.client != NULL) { + if ((problem = krb5_cc_store_cred(krb_context, ccache, + &gssapi_client_krb5_creds))) + { + log("krb5_cc_store_cred(): %.100s", + krb5_get_err_text(krb_context,problem)); + krb5_cc_destroy(krb_context,ccache); + return; + } + } + #endif #endif krb5_cc_close(krb_context,ccache); - #ifdef USE_PAM do_pam_putenv("KRB5CCNAME",name); #endif +#if !defined(HAVE_API_CCACHE) gssapi_cred_store.filename=strdup(ccname); +#endif gssapi_cred_store.envvar="KRB5CCNAME"; gssapi_cred_store.envval=strdup(name); diff -u -r -N --exclude configure --exclude config.h.in src.old/openbsd-compat/bsd-misc.h src/openbsd-compat/bsd-misc.h --- src.old/openbsd-compat/bsd-misc.h Sat Jan 11 17:07:56 2003 +++ src/openbsd-compat/bsd-misc.h Sat Jan 11 17:07:52 2003 @@ -29,6 +29,11 @@ #include "config.h" +/* Resolve name conflict with libroken */ +#ifdef HEIMDAL +#define get_progname get_progname_x +#endif + char *get_progname(char *argv0); #ifndef HAVE_SETSID diff -u -r -N --exclude configure --exclude config.h.in src.old/openbsd-compat/mktemp.h src/openbsd-compat/mktemp.h --- src.old/openbsd-compat/mktemp.h Sat Jan 11 17:07:56 2003 +++ src/openbsd-compat/mktemp.h Sat Jan 11 17:07:52 2003 @@ -5,6 +5,11 @@ #include "config.h" #ifndef HAVE_MKDTEMP +/* Resolve name conflict in OS X, which has mkstemp() but + not the other two. */ +#if defined(HAVE_ONLY_MKSTEMP) +# define mkstemp mkstemp_x +#endif int mkstemps(char *path, int slen); int mkstemp(char *path); char *mkdtemp(char *path); diff -u -r -N --exclude configure --exclude config.h.in src.old/servconf.c src/servconf.c --- src.old/servconf.c Sat Jan 11 17:07:58 2003 +++ src/servconf.c Sat Jan 11 17:07:54 2003 @@ -16,13 +16,9 @@ #include #endif #if defined(KRB5) -#ifdef HEIMDAL -#include -#else /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V * keytab */ #define KEYFILE "/etc/krb5.keytab" -#endif #endif #ifdef AFS #include diff -u -r -N --exclude configure --exclude config.h.in src.old/session.c src/session.c --- src.old/session.c Sat Jan 11 17:07:58 2003 +++ src/session.c Sat Jan 11 17:07:54 2003 @@ -62,6 +62,13 @@ #include "ssh-gss.h" #endif +#if defined(HAVE_SECURITYSERVER) +#include +#include +#include +#include "AuthSession.h" +#endif + #ifdef HAVE_CYGWIN #include #include @@ -457,7 +464,7 @@ session_proctitle(s); -#if defined(GSSAPI) +#if defined(GSSAPI) && !defined(HAVE_API_CCACHE) temporarily_use_uid(s->pw); ssh_gssapi_storecreds(); restore_uid(); @@ -590,7 +597,7 @@ ptyfd = s->ptyfd; ttyfd = s->ttyfd; -#if defined(GSSAPI) +#if defined(GSSAPI) && !defined(HAVE_API_CCACHE) temporarily_use_uid(s->pw); ssh_gssapi_storecreds(); restore_uid(); @@ -1345,6 +1352,35 @@ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); +#endif + +#if defined(HAVE_SECURITYSERVER) + { + OSStatus err; + SecuritySessionId sec_session_id = 0; + SessionAttributeBits sec_session_attr = 0; + static char AuthSession = 0; + if (AuthSession == 0 ) { + err = SessionCreate(0,sessionHasTTY|sessionIsRemote); + if (err != 0) { + log("SessionCreate() failed with error %.8X",(unsigned)err); + } else { + log("SessionCreate() succeeded"); + AuthSession = 1; + } + } + err = SessionGetInfo(callerSecuritySession,&sec_session_id, + &sec_session_attr); + log("SessionGetInfo() returned %.8X",(unsigned)err); + log("sec_session_id is %.8X",(unsigned)sec_session_id); + log("sec_session_attr is %.8X",(unsigned)sec_session_attr); + } +#endif + +#if defined(GSSAPI) && defined(HAVE_API_CCACHE) + if (gssapi_client_type == GSS_LAST_ENTRY) + gssapi_client_type = GSS_KERBEROS; + ssh_gssapi_storecreds(); #endif env = do_setup_env(s, shell); diff -u -r -N --exclude configure --exclude config.h.in src.old/ssh-gss.h src/ssh-gss.h --- src.old/ssh-gss.h Sat Jan 11 17:07:58 2003 +++ src/ssh-gss.h Sat Jan 11 17:07:54 2003 @@ -34,6 +34,10 @@ #ifdef KRB5 #ifndef HEIMDAL +#if defined(HAVE_API_CCACHE) +#include +#include +#endif #include /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ @@ -87,6 +91,11 @@ extern gss_buffer_desc gssapi_client_name; extern gss_cred_id_t gssapi_client_creds; extern enum ssh_gss_id gssapi_client_type; +#if defined(HAVE_API_CCACHE) +extern char gssapi_client_krb5_ccname[40]; +extern krb5_creds gssapi_client_krb5_creds; +#define API_CCACHE_DFLT_NAME "Initial default ccache" +#endif char *ssh_gssapi_mechanisms(int server, char *host); gss_OID ssh_gssapi_id_kex(Gssctxt *ctx, char *name);