/* All this effort to report an error ... */ void ssh_gssapi_error(Gssctxt *ctxt) { char *s; s = ssh_gssapi_last_error(ctxt, NULL, NULL); debug("%s", s); free(s); }
void input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) { OM_uint32 min_status; Authctxt *authctxt = ctxt; Gssctxt *gssctxt; gss_buffer_desc send_tok, recv_tok; if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); gssctxt = authctxt->methoddata; recv_tok.value=packet_get_string(&recv_tok.length); /* Stick it into GSSAPI and see what it says */ (void) ssh_gssapi_init_ctx(gssctxt, authctxt->host, options.gss_deleg_creds, &recv_tok, &send_tok); xfree(recv_tok.value); (void) gss_release_buffer(&min_status, &send_tok); debug("Server sent a GSS-API error token during GSS userauth -- %s", ssh_gssapi_last_error(gssctxt, NULL, NULL)); packet_check_eom(); /* We can't send a packet to the server */ /* The draft says that we should wait for the server to fail * before starting the next authentication. So, we clear the * state, but don't do anything else */ clear_auth_state(authctxt); return; }
/* All this effort to report an error ... */ void ssh_gssapi_error(Gssctxt *ctxt) { debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL)); }
void ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs) { gss_OID_set indicated = GSS_C_NULL_OID_SET; gss_OID_set acquired, supported; gss_OID mech; gss_cred_id_t creds; Gssctxt *ctxt = NULL; gss_buffer_desc tok; OM_uint32 maj, min; int i; char *errmsg; if (!mechs) return; *mechs = GSS_C_NULL_OID_SET; maj = gss_indicate_mechs(&min, &indicated); if (GSS_ERROR(maj)) { debug("No GSS-API mechanisms are installed"); return; } maj = gss_create_empty_oid_set(&min, &supported); if (GSS_ERROR(maj)) { errmsg = ssh_gssapi_last_error(NULL, &maj, &min); debug("Failed to allocate resources (%s) for GSS-API", errmsg); xfree(errmsg); (void) gss_release_oid_set(&min, &indicated); return; } maj = gss_acquire_cred(&min, GSS_C_NO_NAME, 0, indicated, GSS_C_INITIATE, &creds, &acquired, NULL); if (GSS_ERROR(maj)) { errmsg = ssh_gssapi_last_error(NULL, &maj, &min); debug("Failed to acquire GSS-API credentials for any " "mechanisms (%s)", errmsg); xfree(errmsg); (void) gss_release_oid_set(&min, &indicated); (void) gss_release_oid_set(&min, &supported); return; } (void) gss_release_cred(&min, &creds); for (i = 0; i < acquired->count; i++) { mech = &acquired->elements[i]; if (ssh_gssapi_is_spnego(mech)) continue; ssh_gssapi_build_ctx(&ctxt, 1, mech); if (!ctxt) continue; /* * This is useful for mechs like Kerberos, which can * detect unknown target princs here, but not for * mechs like SPKM, which cannot detect unknown princs * until context tokens are actually exchanged. * * 'Twould be useful to have a test that could save us * the bother of trying this for SPKM and the such... */ maj = ssh_gssapi_init_ctx(ctxt, server_host, 0, NULL, &tok); if (GSS_ERROR(maj)) { errmsg = ssh_gssapi_last_error(ctxt, NULL, NULL); debug("Skipping GSS-API mechanism %s (%s)", ssh_gssapi_oid_to_name(mech), errmsg); xfree(errmsg); continue; } (void) gss_release_buffer(&min, &tok); maj = gss_add_oid_set_member(&min, mech, &supported); if (GSS_ERROR(maj)) { errmsg = ssh_gssapi_last_error(NULL, &maj, &min); debug("Failed to allocate resources (%s) for GSS-API", errmsg); xfree(errmsg); } } *mechs = supported; }