add delegation. From Daniel Kouril <kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8434 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-06-21 02:46:11 +00:00
parent 744b0becee
commit 50256e4bac
8 changed files with 95 additions and 7 deletions
--- a/appl/ftp/ftpd/ftpd_locl.h
+++ b/appl/ftp/ftpd/ftpd_locl.h
@@ -147,6 +147,10 @@
 #include <krb.h>
 #include <kafs.h>
 #endif
+ 
+#ifdef KRB5
+#include <krb5.h>
+#endif /* KRB5 */

 #ifdef OTP
 #include <otp.h>
--- a/appl/ftp/ftpd/gss_userok.c
+++ b/appl/ftp/ftpd/gss_userok.c
@@ -47,6 +47,7 @@ extern krb5_context gssapi_krb5_context;
 struct gss_data {
    gss_ctx_id_t context_hdl;
    char *client_name;
+    gss_cred_id_t delegated_cred_handle;
 };

 int gss_userok(void*, char*); /* to keep gcc happy */
@@ -58,12 +59,58 @@ gss_userok(void *app_data, char *username)
    if(gssapi_krb5_context) {
 	krb5_principal client;
 	krb5_error_code ret;
+        
 	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
 	if(ret)
 	    return 1;
 	ret = krb5_kuserok(gssapi_krb5_context, client, username);
+        if (!ret) {
+           krb5_free_principal(gssapi_krb5_context, client);
+           return 1;
+        }
+        
+        ret = 0;
+        
+        /* more of krb-depend stuff :-( */
+	/* gss_add_cred() ? */
+        if (data->delegated_cred_handle && 
+            data->delegated_cred_handle->ccache ) {
+            
+           krb5_ccache ccache = NULL; 
+           char* ticketfile;
+           struct passwd *pw;
+           
+           pw = getpwnam(username);
+           
+           asprintf (&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT, pw->pw_uid);
+        
+           ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache);
+           if (ret)
+              goto fail;
+           
+           ret = krb5_cc_copy_cache(gssapi_krb5_context, 
+                     data->delegated_cred_handle->ccache, ccache);
+           if (ret)
+              goto fail;
+           
+           chown (ticketfile+5, pw->pw_uid, pw->pw_gid);
+           
+           if (k_hasafs()) {
+              krb5_afslog(gssapi_krb5_context, ccache, 0, 0);
+           }
+           setenv ("KRB5CCNAME", ticketfile, 1);
+           
+fail:
+           if (ccache)
+              krb5_cc_close(gssapi_krb5_context, ccache); 
+           krb5_cc_destroy(gssapi_krb5_context, 
+                           data->delegated_cred_handle->ccache);
+           data->delegated_cred_handle->ccache = NULL;
+           free(ticketfile);
+        }
+           
 	krb5_free_principal(gssapi_krb5_context, client);
-	return !ret;
+        return ret;
    }
    return 1;
 }