- final, working solution to hardcoded kerberos credential cache, auto/th/openssh-5_8p1-5
authorJan Rękorajski <baggins@pld-linux.org>
Tue, 19 Apr 2011 22:45:20 +0000 (22:45 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
  now sshd honours default_cc_type and default_cc_name settings in krb5.conf

Changed files:
    openssh-heimdal.patch -> 1.16
    openssh.spec -> 1.358

openssh-heimdal.patch
openssh.spec

index 8139c2cf79f04b04871ae76a4231075aeb2ae914..1b7f6e9b4e21951f611109c58c53e561c2b9e2fb 100644 (file)
                                       ]
                        )
                        AC_SEARCH_LIBS(dn_expand, resolv)
---- openssh-5.8p1/gss-serv-krb5.c~     2011-04-19 14:09:54.832721425 +0200
-+++ openssh-5.8p1/gss-serv-krb5.c      2011-04-19 21:54:01.818248221 +0200
+diff -ur openssh-5.8p1-orig/auth-krb5.c openssh-5.8p1/auth-krb5.c
+--- openssh-5.8p1-orig/auth-krb5.c     2011-04-20 00:30:23.632652510 +0200
++++ openssh-5.8p1/auth-krb5.c  2011-04-20 00:34:06.218117429 +0200
+@@ -88,6 +88,8 @@
+ #ifndef HEIMDAL
+       krb5_creds creds;
+       krb5_principal server;
++#else
++      const char *ccache_type, *ccache_name;
+ #endif
+       krb5_error_code problem;
+       krb5_ccache ccache = NULL;
+@@ -129,7 +131,11 @@
+       if (problem)
+               goto out;
+-      problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
++      problem = krb5_cc_set_default_name(authctxt->krb5_ctx, NULL);
++      if (problem)
++              goto out;
++      problem = krb5_cc_new_unique(authctxt->krb5_ctx,
++          krb5_cc_default_name(authctxt->krb5_ctx), NULL,
+           &authctxt->krb5_fwd_ccache);
+       if (problem)
+               goto out;
+@@ -180,12 +186,23 @@
+               goto out;
+ #endif
++#ifdef HEIMDAL
++      ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
++      ccache_name = krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
++      if (strncmp(ccache_type, "FILE", 4) == 0) {
++              authctxt->krb5_ticket_file = (char *)ccache_name;
++      }
++      len = strlen(ccache_type) + strlen(ccache_name) + 2;
++      authctxt->krb5_ccname = xmalloc(len);
++      snprintf(authctxt->krb5_ccname, len, "%s:%s", ccache_type, ccache_name);
++#else
+       authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+       len = strlen(authctxt->krb5_ticket_file) + 6;
+       authctxt->krb5_ccname = xmalloc(len);
+       snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+           authctxt->krb5_ticket_file);
++#endif
+ #ifdef USE_PAM
+       if (options.use_pam)
+diff -ur openssh-5.8p1-orig/gss-serv-krb5.c openssh-5.8p1/gss-serv-krb5.c
+--- openssh-5.8p1-orig/gss-serv-krb5.c 2011-04-20 00:30:23.632652510 +0200
++++ openssh-5.8p1/gss-serv-krb5.c      2011-04-20 00:34:06.218117429 +0200
 @@ -121,6 +121,9 @@
        krb5_principal princ;
        OM_uint32 maj_status, min_status;
  
        if (client->creds == NULL) {
                debug("No credentials stored");
-@@ -131,8 +132,8 @@
+@@ -131,8 +134,14 @@
                return;
  
  #ifdef HEIMDAL
 -      if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 -              logit("krb5_cc_gen_new(): %.100s",
-+      if ((problem = krb5_cc_new_unique(krb_context, NULL, NULL, &ccache))) {
++      if ((problem = krb5_cc_set_default_name(krb_context, NULL))) {
++              logit("krb5_cc_set_default_name(): %.100s",
++                  krb5_get_err_text(krb_context, problem));
++              return;
++      }
++      if ((problem = krb5_cc_new_unique(krb_context,
++                      krb5_cc_default_name(krb_context), NULL, &ccache))) {
 +              logit("krb5_cc_new_unique(): %.100s",
                    krb5_get_err_text(krb_context, problem));
                return;
        }
-@@ -169,11 +170,23 @@
+@@ -169,11 +178,23 @@
                return;
        }
  
  
  #ifdef USE_PAM
        if (options.use_pam)
---- openssh-5.8p1/auth-krb5.c.orig     2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1/auth-krb5.c  2011-04-19 22:16:14.622268002 +0200
-@@ -74,6 +88,8 @@
- #ifndef HEIMDAL
-       krb5_creds creds;
-       krb5_principal server;
-+#else
-+      const char *ccache_type, *ccache_name;
- #endif
-       krb5_error_code problem;
-       krb5_ccache ccache = NULL;
-@@ -115,7 +130,7 @@
-       if (problem)
-               goto out;
--      problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
-+      problem = krb5_cc_new_unique(authctxt->krb5_ctx, NULL, NULL,
-           &authctxt->krb5_fwd_ccache);
-       if (problem)
-               goto out;
-@@ -166,12 +181,23 @@
-               goto out;
- #endif
-+#ifdef HEIMDAL
-+      ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-+      ccache_name = krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-+      if (strncmp(ccache_type, "FILE", 4) == 0) {
-+              authctxt->krb5_ticket_file = (char *)ccache_name;
-+      }
-+      len = strlen(ccache_type) + strlen(ccache_name) + 2;
-+      authctxt->krb5_ccname = xmalloc(len);
-+      snprintf(authctxt->krb5_ccname, len, "%s:%s", ccache_type, ccache_name);
-+#else
-       authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-       len = strlen(authctxt->krb5_ticket_file) + 6;
-       authctxt->krb5_ccname = xmalloc(len);
-       snprintf(authctxt->krb5_ccname, len, "FILE:%s",
-           authctxt->krb5_ticket_file);
-+#endif
- #ifdef USE_PAM
-       if (options.use_pam)
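Review bot: In the HEIMDAL branch added to auth-krb5.c, `strncmp(ccache_type, "FILE", 4) == 0` accepts any cache type whose name merely begins with FILE, and both `ccache_type` and `ccache_name` reach `strlen()` without a NULL check. I would use `if (strcmp(ccache_type, "FILE") == 0)` and bail out through the existing error path when either pointer is NULL. For non-FILE cache types `krb5_ticket_file` is left at whatever it held before while `krb5_ccname` is still set, so cleanup and ownership code outside this hunk that reads `krb5_ticket_file` should be checked for that case; the enclosing function starts and ends outside the hunk. The cache location in both auth-krb5.c and gss-serv-krb5.c now follows `krb5_cc_set_default_name(..., NULL)`, which in Heimdal, as far as I know, consults the sshd process's own KRB5CCNAME before krb5.conf. A comment such as `/* cache type and name come from sshd's KRB5CCNAME or krb5.conf default_cc_name/default_cc_type; both must be administrator-controlled */` above the call would record that trust assumption.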
index 695977d68485edf59a86577bac2e1c1e35a755e8..22b01db79c1a13eb87e8dc7935b3bb4fe07d7fba 100644 (file)
@@ -29,7 +29,7 @@ Summary(ru.UTF-8):    OpenSSH - свободная реализация прото
 Summary(uk.UTF-8):     OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:          openssh
 Version:       5.8p1
-Release:       4.1
+Release:       5
 Epoch:         2
 License:       BSD
 Group:         Applications/Networking