
Mailing List Archive: OpenSSH: Dev

patch for OSX


Nick.Williams at morganstanley

Mar 28, 2012, 5:01 AM

Post #1 of 4
patch for OSX

Attached is a patch to make sshd work on OSX when using plain ol' Kerberos authentication as opposed to opendirectory authentication.

Cheers,
Nick

--------------------------------------------------------------------------
NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers. If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.


dtucker at zip

Mar 29, 2012, 5:59 PM

Post #2 of 4
Re: patch for OSX [In reply to]

On Wed, Mar 28, 2012 at 01:01:51PM +0100, Williams, Nick wrote:
> Attached is a patch to make sshd work on OSX when using plain ol'
> Kerberos authentication as opposed to opendirectory authentication.

Unfortunately your diff didn't make it to the list (it strips any
attachments that aren't plain text). Please resend as text or inline,
or open a bug at https://bugzilla.mindrot.org and attach it there.

Thanks.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


Nick.Williams at morganstanley

Apr 1, 2012, 4:45 AM

Post #3 of 4
RE: patch for OSX [In reply to]

Bah, sorry about that. Inline...

From 4d0c46a8f89bbd3778e4e664cfb94476bc5a770c Mon Sep 17 00:00:00 2001
From: Nick Williams <Nick.Williams [at] morganstanley>
Date: Wed, 28 Mar 2012 12:48:27 +0100
Subject: [PATCH] fix for incorrect boolean logic in OD code (OSX)

The opendirectory lookups in gss-serv-krb5.c, used for OS X, had
reversed boolean logic, meaning that the code will fail if ever
the OD lookup or the group membership calls returned success.
Obviously this is wrong, but even more so the log messages were
a bit sparse so it was hard to see why the PAM call was being
rejected. This commit fixes the logic and adds in some extra log
messages in the case of failure.
---
gss-serv-krb5.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index ae4ee1c..879c76a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -91,26 +91,29 @@ od_kuserok(krb5_context context, krb5_principal principal, const char *luser)
uuid_t krb_uuid, un_uuid;

ret = krb5_unparse_name(context, principal, &kprinc);
- if (!ret) {
+ if (ret) {
logit("od_kuserok - krb5_unparse_name failed: %d", ret);
goto error;
}

ret = mbr_identifier_to_uuid(ID_TYPE_USERNAME, luser, strlen(luser), un_uuid);
- if (!ret) {
- logit("od_kuserok - mbr_identifier_to_uuid: %d", ret);
+ if (ret) {
+ logit("od_kuserok - mbr_identifier_to_uuid(%s) failed: %d", luser, ret);
goto error;
}

ret = mbr_identifier_to_uuid(ID_TYPE_KERBEROS, kprinc, strlen(kprinc), krb_uuid);
- if (!ret) {
+ if (ret) {
+ logit("od_kuserok - mbr_id_to_uuid(%s) failed: %d", kprinc, ret);
goto error;
}

ret = uuid_compare(krb_uuid, un_uuid);
if (0 == ret) {
retval = TRUE;
- }
+ } else {
+ logit("od_kuserok - uuids do not match, refusing");
+ }

error:
if (kprinc)
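Review bot: the new log line after the ID_TYPE_KERBEROS lookup says "mbr_id_to_uuid(%s) failed" while the function called on that line is mbr_identifier_to_uuid, and the username branch a few lines up spells it out in full; use the same name in both messages so one grep of the sshd log catches both failure modes. The flip from `if (!ret)` to `if (ret)` is correct for both APIs (krb5_unparse_name returns 0 on success and a Kerberos error code otherwise; mbr_identifier_to_uuid on OS X returns 0 on success and an errno value otherwise), and it changes od_kuserok from rejecting every valid principal to accepting the one whose UUID matches the local user. Because that widens the accept path in an authorization check, confirm that `retval` is initialised to FALSE before this hunk (its initialisation is outside the context shown) so the only way to return TRUE remains `0 == uuid_compare(krb_uuid, un_uuid)`. Minor: the bare `%d` in the failure messages is hard to act on from a log; `krb5_get_error_message(context, ret)` (released with `krb5_free_error_message`) for the krb5_unparse_name case and `strerror(ret)` for the membership lookups would tell an operator why the mapping was refused.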
--
1.7.10-rc2




dtucker at zip

Apr 21, 2012, 5:13 PM

Post #4 of 4
Re: patch for OSX [In reply to]

Nick had problems sending the patch to the list, so I'm just passing
this along. I'm not sure that the patch is correct, but the man page
for krb5_unparse_name does say "If no errors occur, the return value is
0. Otherwise, a Kerberos error code is returned."

------------------------------------

Gah, email filters stripping usefulness! Sorry. I've removed the GIT patch headers just to get the diff through ;-). Let me know if this works.

Cheers,
Nick

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.