Exemple #1
0
/* All this effort to report an error ... */
void
ssh_gssapi_error(Gssctxt *ctxt)
{
	char *s;

	s = ssh_gssapi_last_error(ctxt, NULL, NULL);
	debug("%s", s);
	free(s);
}
void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
{
	OM_uint32 min_status;
	Authctxt *authctxt = ctxt;
	Gssctxt *gssctxt;
	gss_buffer_desc send_tok, recv_tok;
	
	if (authctxt == NULL)
		fatal("input_gssapi_response: no authentication context");
	gssctxt = authctxt->methoddata;
	
	recv_tok.value=packet_get_string(&recv_tok.length);

	/* Stick it into GSSAPI and see what it says */
	(void) ssh_gssapi_init_ctx(gssctxt, authctxt->host,
					options.gss_deleg_creds,
					&recv_tok, &send_tok);

	xfree(recv_tok.value);
	(void) gss_release_buffer(&min_status, &send_tok);

	debug("Server sent a GSS-API error token during GSS userauth -- %s",
		ssh_gssapi_last_error(gssctxt, NULL, NULL));

	packet_check_eom();
	
	/* We can't send a packet to the server */

	/* The draft says that we should wait for the server to fail 
	 * before starting the next authentication. So, we clear the
	 * state, but don't do anything else
	 */
	clear_auth_state(authctxt);
	return;
}
Exemple #3
0
/* All this effort to report an error ... */
void
ssh_gssapi_error(Gssctxt *ctxt)
{
	debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
}
Exemple #4
0
void
ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs)
{
	gss_OID_set	indicated = GSS_C_NULL_OID_SET;
	gss_OID_set	acquired, supported;
	gss_OID		mech;
	gss_cred_id_t	creds;
	Gssctxt		*ctxt = NULL;
	gss_buffer_desc	tok;
	OM_uint32	maj, min;
	int		i;
	char		*errmsg;

	if (!mechs)
		return;
	*mechs = GSS_C_NULL_OID_SET;

	maj = gss_indicate_mechs(&min, &indicated);
	if (GSS_ERROR(maj)) {
		debug("No GSS-API mechanisms are installed");
		return;
	}

	maj = gss_create_empty_oid_set(&min, &supported);
	if (GSS_ERROR(maj)) {
		errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
		debug("Failed to allocate resources (%s) for GSS-API", errmsg);
		xfree(errmsg);
		(void) gss_release_oid_set(&min, &indicated);
		return;
	}
	maj = gss_acquire_cred(&min, GSS_C_NO_NAME, 0, indicated,
	    GSS_C_INITIATE, &creds, &acquired, NULL);

	if (GSS_ERROR(maj)) {
		errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
		debug("Failed to acquire GSS-API credentials for any "
		    "mechanisms (%s)", errmsg);
		xfree(errmsg);
		(void) gss_release_oid_set(&min, &indicated);
		(void) gss_release_oid_set(&min, &supported);
		return;
	}
	(void) gss_release_cred(&min, &creds);

	for (i = 0; i < acquired->count; i++) {
		mech = &acquired->elements[i];

		if (ssh_gssapi_is_spnego(mech))
			continue;

		ssh_gssapi_build_ctx(&ctxt, 1, mech);
		if (!ctxt)
			continue;

		/*
		 * This is useful for mechs like Kerberos, which can
		 * detect unknown target princs here, but not for
		 * mechs like SPKM, which cannot detect unknown princs
		 * until context tokens are actually exchanged.
		 *
		 * 'Twould be useful to have a test that could save us
		 * the bother of trying this for SPKM and the such...
		 */
		maj = ssh_gssapi_init_ctx(ctxt, server_host, 0, NULL, &tok);
		if (GSS_ERROR(maj)) {
			errmsg = ssh_gssapi_last_error(ctxt, NULL, NULL);
			debug("Skipping GSS-API mechanism %s (%s)",
			    ssh_gssapi_oid_to_name(mech), errmsg);
			xfree(errmsg);
			continue;
		}

		(void) gss_release_buffer(&min, &tok);

		maj = gss_add_oid_set_member(&min, mech, &supported);
		if (GSS_ERROR(maj)) {
			errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
			debug("Failed to allocate resources (%s) for GSS-API",
			    errmsg);
			xfree(errmsg);
		}
	}

	*mechs = supported;
}