gserver bug: :gserver:user@host:/path ignores "user" part...
From: |
Marc W. Mengel |
Subject: |
gserver bug: :gserver:user@host:/path ignores "user" part... |
Date: |
Thu, 08 Jun 2006 15:53:07 -0500 |
User-agent: |
Mozilla Thunderbird 1.0.8-1.4.1.SL3 (X11/20060421) |
When using cvs with a CVSROOT of :gserver:user@host:/path, the gss-api
code ignores the "user" part. It should check, and log in as, the
mentioned user, as rsh, ssh, etc. do.
Patch attached.
*** ChangeLog Fri Mar 23 22:37:44 2001
--- ChangeLog Tue Jun 4 09:52:51 2002
***************
*** 0 ****
--- 1,8 ----
+ 2002-06-03 Marc W. Mengel <mengel@fnal.gov>
+
+ * src/client.c: send GSSAPI-U(ser) auth string and user name
+ if gserver:user@host is used
+
+ * src/server.c: handle GSSAPI-U(ser) auth string, looking in
+ that account's .k5login for allowed principals
+
Index: src/client.c
===================================================================
RCS file: /cvs/oss/cvs/src/cvs/src/client.c,v
retrieving revision 1.1.1.3
retrieving revision 1.4
diff -c -r1.1.1.3 -r1.4
*** src/client.c 2001/08/17 20:31:22 1.1.1.3
--- src/client.c 2001/10/03 14:42:38 1.4
***************
*** 4199,4209 ****
gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
OM_uint32 stat_min, stat_maj;
gss_name_t server_name;
! str = "BEGIN GSSAPI REQUEST\012";
if (send (sock, str, strlen (str), 0) < 0)
error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
sprintf (buf, "cvs@%s", hostinfo->h_name);
tok_in.length = strlen (buf);
--- 4199,4223 ----
gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
OM_uint32 stat_min, stat_maj;
gss_name_t server_name;
+ char *username;
! if ( current_parsed_root->username != NULL ) {
! str = "BEGIN GSSAPI-U REQUEST\012";
! /* fprintf(stderr,"development test of GSSAPI-U username=%s\n",
current_parsed_root->username); */
! } else {
! str = "BEGIN GSSAPI REQUEST\012";
! }
if (send (sock, str, strlen (str), 0) < 0)
error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+
+ if ( current_parsed_root->username != NULL ) {
+ str = current_parsed_root->username;
+ if (send (sock, str, strlen (str), 0) < 0)
+ error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+ if (send (sock, "\012", 1, 0) < 0)
+ error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+ }
sprintf (buf, "cvs@%s", hostinfo->h_name);
tok_in.length = strlen (buf);
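Review bot: The added `char *username;` is never used in the lines shown, because the new code reads `current_parsed_root->username` through `str`. Unless it is used further down (the function continues outside this hunk), it should be dropped together with the commented-out debug `fprintf`. The name is also written to the socket verbatim, while the server side of this patch reads exactly one line for it, so a name containing a line feed would put the two ends out of step. A client-side check before the send, such as `if (*str == '\0' || strchr (str, '\012') != NULL) error (1, 0, "invalid user name in CVSROOT");`, would fail early and clearly.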
Index: src/server.c
===================================================================
RCS file: /cvs/oss/cvs/src/cvs/src/server.c,v
retrieving revision 1.1.1.4
retrieving revision 1.12
diff -b -c -r1.1.1.4 -r1.12
*** src/server.c 6 Jan 2004 21:48:10 -0000 1.1.1.4
--- src/server.c 7 Jan 2004 17:44:46 -0000 1.12
***************
*** 33,39 ****
/* We need this to wrap data. */
static gss_ctx_id_t gcontext;
! static void gserver_authenticate_connection PROTO((void));
/* Whether we are already wrapping GSSAPI communication. */
static int cvs_gssapi_wrapping;
--- 33,39 ----
/* We need this to wrap data. */
static gss_ctx_id_t gcontext;
! static void gserver_authenticate_connection PROTO((char *));
/* Whether we are already wrapping GSSAPI communication. */
static int cvs_gssapi_wrapping;
***************
*** 5651,5657 ****
{
#ifdef HAVE_GSSAPI
free (tmp);
! gserver_authenticate_connection ();
return;
#else
error (1, 0, "GSSAPI authentication not supported by this server");
--- 5652,5674 ----
{
#ifdef HAVE_GSSAPI
free (tmp);
! gserver_authenticate_connection ((char *)0);
! return;
! #else
! error (1, 0, "GSSAPI authentication not supported by this server");
! #endif
! }
! else if (strcmp (tmp, "BEGIN GSSAPI-U REQUEST\n") == 0)
! {
! #ifdef HAVE_GSSAPI
! free (tmp);
! getline_safe (&username, &username_allocated, stdin, PATH_MAX);
! strip_trailing_newlines (username);
! gserver_authenticate_connection (username);
! if (username_allocated) {
! free(username);
! username_allocated = 0;
! }
return;
#else
error (1, 0, "GSSAPI authentication not supported by this server");
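Review bot: The return value of `getline_safe` in the new GSSAPI-U branch is ignored, so on EOF or an over-long line `username` may be unset or partial when it reaches `strip_trailing_newlines` and `gserver_authenticate_connection`. This line is read before any authentication has happened, so it is entirely client-controlled. Assuming `getline_safe` follows the usual negative-on-failure convention, I would check it, e.g. `if (getline_safe (&username, &username_allocated, stdin, PATH_MAX) < 0) error (1, 0, "bad GSSAPI-U request: no user name");`. I would also reject an empty name after stripping rather than pass it on. `username` and `username_allocated` are declared outside this hunk, so their initial values cannot be confirmed from here.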
***************
*** 5847,5853 ****
the same way. */
static void
! gserver_authenticate_connection ()
{
char hostname[MAXHOSTNAMELEN];
struct hostent *hp;
--- 5864,5870 ----
the same way. */
static void
! gserver_authenticate_connection ( char *username )
{
char hostname[MAXHOSTNAMELEN];
struct hostent *hp;
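Review bot: The header comment that ends just above this definition is not updated for the new parameter, and its meaning matters for anyone auditing the login path. I would add a sentence such as `USERNAME is the account requested by a GSSAPI-U client, or NULL to use the local name the principal maps to; it arrives before authentication and is only trusted once krb5_kuserok accepts it.` The definition also uses a prototype-style parameter list while the declaration still goes through `PROTO`; if the file is meant to build with pre-ANSI compilers the two should agree. The function body continues outside this hunk.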
***************
*** 5924,5935 ****
&mechid) != GSS_S_COMPLETE
|| krb5_parse_name (kc, ((gss_buffer_t) &desc)->value, &p) != 0
|| krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0
! || krb5_kuserok (kc, p, buf) != TRUE)
{
error (1, 0, "access denied");
}
krb5_free_principal (kc, p);
krb5_free_context (kc);
}
if (tok_out.length != 0)
--- 5941,5960 ----
&mechid) != GSS_S_COMPLETE
|| krb5_parse_name (kc, ((gss_buffer_t) &desc)->value, &p) != 0
|| krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0
! || krb5_kuserok (kc, p, (username ? username : buf)) != TRUE)
{
error (1, 0, "access denied");
}
krb5_free_principal (kc, p);
krb5_free_context (kc);
+
+ #ifdef AUTH_SERVER_SUPPORT
+ /* Update our CVS_Username to be our kerberos principal */
+ if (CVS_Username != NULL)
+ free(CVS_Username);
+ CVS_Username = xstrdup (buf);
+ #endif
+
}
if (tok_out.length != 0)
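Review bot: The added comment says CVS_Username becomes "our kerberos principal", but `buf` holds the output of `krb5_aname_to_localname`, i.e. the local account name the principal maps to. I would reword it to `/* Record the local name the authenticated principal maps to, not the requested account, as CVS_Username */`, so that later readers of logs and access checks know which identity is stored. The condition also still requires `krb5_aname_to_localname` to succeed when a user name was supplied. A principal with no local mapping is therefore refused even if the requested account's .k5login lists it; if that is intended it deserves a line in the comment. The enclosing function starts and ends outside this hunk.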
***************
*** 5944,5950 ****
error (1, errno, "fwrite failed");
}
! switch_to_user ("GSSAPI", buf);
printf ("I LOVE YOU\n");
fflush (stdout);
--- 5969,5975 ----
error (1, errno, "fwrite failed");
}
! switch_to_user (buf , username ? username : buf);
printf ("I LOVE YOU\n");
fflush (stdout);
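Review bot: The first argument of `switch_to_user` changes from the literal `"GSSAPI"` to `buf` for every GSSAPI login, not only GSSAPI-U ones, so whatever `switch_to_user` does with that argument (its definition is not visible here) now changes for existing users too. That should be called out in the ChangeLog entry or limited to the `username != NULL` case. Since the process may now run as an account other than the one the principal maps to, I would also record both identities at this point so the switch is auditable, for example through the server's existing logging. The expression `username ? username : buf` appears twice in the function; computing it once into a local such as `const char *login = username ? username : buf;` keeps the access check and the switch from drifting apart.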