
gserver bug: :gserver:user@host:/path ignores "user" part...


From: Marc W. Mengel
Subject: gserver bug: :gserver:user@host:/path ignores "user" part...
Date: Thu, 08 Jun 2006 15:53:07 -0500
User-agent: Mozilla Thunderbird 1.0.8-1.4.1.SL3 (X11/20060421)

When using cvs with a CVSROOT of :gserver:user@host:/path, the gss-api
code ignores the "user" part.   It should check, and log in as, the
mentioned user, as rsh, ssh, etc. do.

Patch attached.

*** ChangeLog   Fri Mar 23 22:37:44 2001
--- ChangeLog   Tue Jun  4 09:52:51 2002
***************
*** 0 ****
--- 1,8 ----
+ 2002-06-03  Marc W. Mengel <mengel@fnal.gov>
+ 
+       * src/client.c: send GSSAPI-U(ser) auth string and user name
+               if gserver:user@host is used
+ 
+       * src/server.c: handle GSSAPI-U(ser) auth string, looking in
+               that account's .k5login for allowed principals
+ 
Index: src/client.c
===================================================================
RCS file: /cvs/oss/cvs/src/cvs/src/client.c,v
retrieving revision 1.1.1.3
retrieving revision 1.4
diff -c -r1.1.1.3 -r1.4
*** src/client.c        2001/08/17 20:31:22     1.1.1.3
--- src/client.c        2001/10/03 14:42:38     1.4
***************
*** 4199,4209 ****
      gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
      OM_uint32 stat_min, stat_maj;
      gss_name_t server_name;
  
!     str = "BEGIN GSSAPI REQUEST\012";
  
      if (send (sock, str, strlen (str), 0) < 0)
        error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
  
      sprintf (buf, "cvs@%s", hostinfo->h_name);
      tok_in.length = strlen (buf);
--- 4199,4223 ----
      gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
      OM_uint32 stat_min, stat_maj;
      gss_name_t server_name;
+     char *username;
  
!     if ( current_parsed_root->username != NULL ) {
!         str = "BEGIN GSSAPI-U REQUEST\012";
!       /* fprintf(stderr,"development test of GSSAPI-U username=%s\n", 
current_parsed_root->username); */
!     } else {
!         str = "BEGIN GSSAPI REQUEST\012";
!     }
  
      if (send (sock, str, strlen (str), 0) < 0)
        error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+ 
+     if ( current_parsed_root->username != NULL ) {
+       str = current_parsed_root->username;
+       if (send (sock, str, strlen (str), 0) < 0)
+           error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+       if (send (sock, "\012", 1, 0) < 0)
+           error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+     }
  
      sprintf (buf, "cvs@%s", hostinfo->h_name);
      tok_in.length = strlen (buf);
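Review bot: The user name from `current_parsed_root->username` is sent as its own protocol line with no check that it is non-empty and free of line feeds, so a malformed CVSROOT can put extra lines into the authentication preamble. A guard before the first send, for example `if (strchr (current_parsed_root->username, '\012') != NULL) error (1, 0, "invalid user name in CVSROOT");`, keeps the request to exactly one name line. The new local `char *username;` is never used in the visible lines and the commented-out `fprintf` is leftover debugging; both can be dropped. The enclosing function starts and ends outside the hunk.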
Index: src/server.c
===================================================================
RCS file: /cvs/oss/cvs/src/cvs/src/server.c,v
retrieving revision 1.1.1.4
retrieving revision 1.12
diff -b -c -r1.1.1.4 -r1.12
*** src/server.c        6 Jan 2004 21:48:10 -0000       1.1.1.4
--- src/server.c        7 Jan 2004 17:44:46 -0000       1.12
***************
*** 33,39 ****
  /* We need this to wrap data.  */
  static gss_ctx_id_t gcontext;
  
! static void gserver_authenticate_connection PROTO((void));
  
  /* Whether we are already wrapping GSSAPI communication.  */
  static int cvs_gssapi_wrapping;
--- 33,39 ----
  /* We need this to wrap data.  */
  static gss_ctx_id_t gcontext;
  
! static void gserver_authenticate_connection PROTO((char *));
  
  /* Whether we are already wrapping GSSAPI communication.  */
  static int cvs_gssapi_wrapping;
***************
*** 5651,5657 ****
      {
  #ifdef HAVE_GSSAPI
        free (tmp);
!       gserver_authenticate_connection ();
        return;
  #else
        error (1, 0, "GSSAPI authentication not supported by this server");
--- 5652,5674 ----
      {
  #ifdef HAVE_GSSAPI
        free (tmp);
!       gserver_authenticate_connection ((char *)0);
!       return;
! #else
!       error (1, 0, "GSSAPI authentication not supported by this server");
! #endif
!     }
!     else if (strcmp (tmp, "BEGIN GSSAPI-U REQUEST\n") == 0)
!     {
! #ifdef HAVE_GSSAPI
!       free (tmp);
!         getline_safe (&username, &username_allocated, stdin, PATH_MAX);
!         strip_trailing_newlines (username);
!       gserver_authenticate_connection (username);
!       if (username_allocated)  {
!          free(username);
!          username_allocated = 0;
!         }
        return;
  #else
        error (1, 0, "GSSAPI authentication not supported by this server");
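Review bot: The result of `getline_safe` is discarded in the new GSSAPI-U branch, so on end of input or an over-long line `username` may still be unset when `strip_trailing_newlines (username)` runs. If it is still NULL at the call, `gserver_authenticate_connection` treats the request as plain GSSAPI. Checking the call, e.g. `if (getline_safe (&username, &username_allocated, stdin, PATH_MAX) < 0 || username == NULL || *username == '\0') error (1, 0, "bad auth protocol start");`, makes the branch fail closed; the exact failure return of `getline_safe` is not visible here and should be confirmed. `username` and `username_allocated` are declared outside the hunk, and `PATH_MAX` is a generous bound for an account name.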
***************
*** 5847,5853 ****
     the same way.  */
  
  static void
! gserver_authenticate_connection ()
  {
      char hostname[MAXHOSTNAMELEN];
      struct hostent *hp;
--- 5864,5870 ----
     the same way.  */
  
  static void
! gserver_authenticate_connection ( char *username )
  {
      char hostname[MAXHOSTNAMELEN];
      struct hostent *hp;
***************
*** 5924,5935 ****
                              &mechid) != GSS_S_COMPLETE
            || krb5_parse_name (kc, ((gss_buffer_t) &desc)->value, &p) != 0
            || krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0
!           || krb5_kuserok (kc, p, buf) != TRUE)
        {
            error (1, 0, "access denied");
        }
        krb5_free_principal (kc, p);
        krb5_free_context (kc);
      }
  
      if (tok_out.length != 0)
--- 5941,5960 ----
                              &mechid) != GSS_S_COMPLETE
            || krb5_parse_name (kc, ((gss_buffer_t) &desc)->value, &p) != 0
            || krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0
!           || krb5_kuserok (kc, p, (username ? username : buf)) != TRUE)
        {
            error (1, 0, "access denied");
        }
        krb5_free_principal (kc, p);
        krb5_free_context (kc);
+ 
+ #ifdef AUTH_SERVER_SUPPORT
+       /* Update our CVS_Username to be our kerberos principal */
+       if (CVS_Username != NULL)
+           free(CVS_Username);
+       CVS_Username = xstrdup (buf);
+ #endif
+ 
      }
  
      if (tok_out.length != 0)
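Review bot: The added comment says CVS_Username becomes the Kerberos principal, but `buf` holds the local name that `krb5_aname_to_localname` produced, and with GSSAPI-U it can differ from the account that `krb5_kuserok` authorised. A comment such as `/* Record the local name mapped from the authenticated principal; the account we run as may be the client-requested one. */` would say what the code does. Note also that `krb5_aname_to_localname` must still succeed before `krb5_kuserok` is reached, so a principal without a local mapping is denied even if it is listed in the requested account's .k5login; whether that is intended should be stated. The enclosing block starts outside the hunk.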
***************
*** 5944,5950 ****
            error (1, errno, "fwrite failed");
      }
  
!     switch_to_user ("GSSAPI", buf);
  
      printf ("I LOVE YOU\n");
      fflush (stdout);
--- 5969,5975 ----
            error (1, errno, "fwrite failed");
      }
  
!     switch_to_user (buf , username ? username : buf);
  
      printf ("I LOVE YOU\n");
      fflush (stdout);
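Review bot: `switch_to_user` now receives a client-supplied account name, and nothing at the call site records why that is safe. A comment above the call, e.g. `/* username came from the client; it is trusted only because krb5_kuserok accepted the principal for it above. */`, would document the dependency, which matters because the krb5 check sits in a block whose condition is outside this patch. The first argument also changes from the literal `"GSSAPI"` to `buf`; `switch_to_user` is not shown, so the effect of that should be confirmed and mentioned in the ChangeLog. The expression `username ? username : buf` is repeated from the `krb5_kuserok` call and could be computed once.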

