From b17783@pembroke.ctd.anl.gov Mon Nov 24 13:48:12 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA02151 for <bugs@RT-11.MIT.EDU>; Mon, 24 Nov 1997 13:48:03 -0500
Received: from pembroke.ctd.anl.gov by MIT.EDU with SMTP
id AA03655; Mon, 24 Nov 97 13:48:05 EST
Received: (from b17783@localhost) by pembroke.ctd.anl.gov (AIX4.2/UCB 8.7/8.7) id MAA33722; Mon, 24 Nov 1997 12:47:57 -0600 (CST)
Message-Id: <199711241847.MAA33722@pembroke.ctd.anl.gov>
Date: Mon, 24 Nov 1997 12:47:57 -0600 (CST)
From: deengert@anl.gov
Reply-To: deengert@anl.gov
To: krb5-bugs@MIT.EDU
Subject: GSSFTP and Forwarded Tickets
X-Send-Pr-Version: 3.99
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
System: AIX pembroke 2 4 000300234600
Suggested implementation of the -forward flag in the
gssftp ftp and ftpd. The gssapi accept_sec_context.c was
changed to save the forwarded ticket, and set
the KRB5CCNAME environment variable.
ftpd has changes to call krb5_dfs_pag and krb5_afs_pag
which will use the forwarded ticket to get a DCE context
for DFS, and/or an AFS token.
*** ./appl/gssftp/ftp/,ftp.c Fri Oct 31 14:42:56 1997
--- ./appl/gssftp/ftp/ftp.c Fri Nov 14 10:57:19 1997
***************
*** 1964,1970 ****
&gcontext,
target_name,
GSS_C_NULL_OID,
! GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
0,
&chan, /* channel bindings */
token_ptr,
--- 1964,1971 ----
&gcontext,
target_name,
GSS_C_NULL_OID,
! (forward ? GSS_C_DELEG_FLAG : 0 )
! | GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
0,
&chan, /* channel bindings */
token_ptr,
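Review bot: Setting GSS_C_DELEG_FLAG hands the user's TGT to the server, yet the hunk gives the user no confirmation that delegation was actually granted or refused; the caller should inspect the flags returned by gss_init_sec_context (its `ret_flags` argument, outside this hunk) and report when `forward` was requested but GSS_C_DELEG_FLAG is absent from them. A comment above the flag expression such as `/* -forward: delegate the TGT so the server can obtain DFS/AFS credentials on our behalf */` would record why delegation is being requested. The gss_init_sec_context call begins and ends outside the hunk. The same patch is repeated verbatim further down the page; these notes apply to both copies.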
*** ./appl/gssftp/ftp/,ftp_var.h Fri Oct 31 14:42:56 1997
--- ./appl/gssftp/ftp/ftp_var.h Fri Nov 14 11:10:32 1997
***************
*** 44,49 ****
--- 44,50 ----
/*
* Options and other state info.
*/
+ extern int forward; /* forward GSSAPI context */
extern int trace; /* trace packets exchanged */
extern int hash; /* print # for each buffer transferred */
extern int sendport; /* use PORT cmd for each data connection */
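Review bot: The comment on the new `forward` declaration names the mechanism but not its consequence, which is the part a reader of ftp_var.h needs. Suggest `extern int forward; /* -forward: request GSS_C_DELEG_FLAG, i.e. send the user's TGT to the server */`.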
*** ./appl/gssftp/ftp/,main.c Fri Oct 31 14:42:56 1997
--- ./appl/gssftp/ftp/main.c Fri Nov 14 11:11:13 1997
***************
*** 138,143 ****
--- 138,150 ----
doglob = 0;
break;
+ case 'f':
+ if (!strncmp(cp-1,"-forward",8)) {
+ forward = 1;
+ goto nextopt;
+ }
+ break;
+
default:
fprintf(stdout,
"ftp: %c: unknown option\n", *cp);
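Review bot: When the text after `-f` is not exactly `-forward`, the new `case 'f'` executes `break` instead of reaching `default`, so a bare `-f` or a mistyped `-fwd` is silently accepted as a no-op rather than reported as an unknown option; the `strncmp(..., 8)` prefix test also accepts `-forwardXYZ`. Use a full comparison and let the non-matching case fall through: `if (strcmp(cp-1, "-forward") == 0) {` and replace the trailing `break;` with `/* fall through: not -forward, report as unknown option */`. This relies on `cp` pointing at the character right after `-`, which holds only when `-forward` is not clustered with other single-letter options; the `nextopt` label and the enclosing option loop are outside the hunk.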
*** ./appl/gssftp/ftpd/,ftpd.c Fri Oct 31 14:42:58 1997
--- ./appl/gssftp/ftpd/ftpd.c Fri Nov 14 11:12:17 1997
***************
*** 326,331 ****
--- 326,336 ----
argc--, argv++;
}
+ #if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)
+ /* Dont want to pickup cache by accident */
+ unsetenv("KRB5CCNAME");
+ #endif
+
if (port != -1) {
struct sockaddr_in sin;
int s, ns, sz;
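Review bot: The comment `Dont want to pickup cache by accident` does not say which accident is being prevented; a reader has to find the chown logic in the authentication path to understand it. Suggest `/* Clear any KRB5CCNAME inherited from the daemon's environment: the GSSAPI acceptor sets it only when a TGT was actually forwarded, and the auth path later chowns whatever it names to the user. */`. The result of unsetenv() is not checked; where it returns int, a failure here lets a stale cache name survive into the session, so it is worth at least logging.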
***************
*** 2331,2336 ****
--- 2336,2343 ----
krb5_context kc;
krb5_principal p;
krb5_error_code kerr;
+ char * ccname;
+ int forwarded;
kerr = krb5_init_context(&kc);
if (kerr)
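Review bot: `ccname` and `forwarded` are declared unconditionally but are only referenced inside the `#if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)` region of the following hunk, so every non-PAG build gets unused-variable warnings in this function. Wrap the two declarations in the same guard: `#if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)` before `char * ccname;` and `#endif` after `int forwarded;`. The enclosing function starts and ends outside this hunk.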
***************
*** 2339,2346 ****
kerr = krb5_parse_name(kc, client_name->value, &p);
if (kerr) { retval = -1; goto fail; }
k5ret = krb5_kuserok(kc, p, name);
! if (k5ret == TRUE)
retval = 0;
else
retval = 1;
krb5_free_principal(kc, p);
--- 2346,2379 ----
kerr = krb5_parse_name(kc, client_name->value, &p);
if (kerr) { retval = -1; goto fail; }
k5ret = krb5_kuserok(kc, p, name);
! if (k5ret == TRUE) {
!
! #if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)
!
! /* We might have a forwarded TGT, but gssapi does not
! * tell us, other changes now set the KRB5CCNAME in
! * accept_sec_context.c So we can now test if there
! * is one, and chown from root to the user.
! * This also assumes that the GSSAPI domain/realm/cell
! * principal really matches the K5/DCE principal
! * if not, then we should not do this.
! */
! forwarded = 0;
! if ((ccname = getenv("KRB5CCNAME"))
! && (!strncmp(ccname,"FILE:",5))) {
! chown(ccname+5, pw->pw_uid, pw->pw_gid);
! forwarded = 1;
! }
! #endif
! #ifdef ANL_DFS_PAG
! krb5_dfs_pag(kc, forwarded, p, name);
! #endif
! #ifdef ANL_AFS_PAG
! krb5_afs_pag(kc);
! #endif
!
retval = 0;
+ }
else
retval = 1;
krb5_free_principal(kc, p);
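Review bot: The new block chowns whatever `KRB5CCNAME` names to the user without checking that the cache belongs to the principal that just authenticated, even though its own comment says the code should not proceed if the principals do not match; the result of chown() is not checked either, so `forwarded` can be set while the file is still root-owned. Because the path comes from an environment variable and chown() follows symbolic links, a root chown by path on a file under /tmp should be done on an open descriptor (fchown) or at least on a cache whose client principal was verified first. The rewrite below opens the cache, compares its client principal with `p` using krb5_cc_get_principal/krb5_principal_compare, and only then chowns and sets `forwarded`. `pw` is not set in this hunk; confirm it already describes `name` at this point. The enclosing function continues outside the hunk on both sides.
```c
	if (k5ret == TRUE) {
#if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)
	    krb5_ccache fcc;
	    krb5_principal fp;

	    /* KRB5CCNAME is set by accept_sec_context.c only when a TGT was
	     * delegated.  Hand the cache to the user only if it really
	     * belongs to the principal that just authenticated. */
	    forwarded = 0;
	    if ((ccname = getenv("KRB5CCNAME"))
		&& !strncmp(ccname, "FILE:", 5)
		&& !krb5_cc_resolve(kc, ccname, &fcc)) {
		if (!krb5_cc_get_principal(kc, fcc, &fp)) {
		    if (krb5_principal_compare(kc, fp, p)
			&& chown(ccname + 5, pw->pw_uid, pw->pw_gid) == 0)
			forwarded = 1;
		    krb5_free_principal(kc, fp);
		}
		krb5_cc_close(kc, fcc);
	    }
#endif
	    /* … unchanged: krb5_dfs_pag / krb5_afs_pag calls, retval = 0 … */
```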
*** ./lib/gssapi/krb5/,accept_sec_context.c Fri Oct 31 14:45:22 1997
--- ./lib/gssapi/krb5/accept_sec_context.c Thu Nov 20 10:35:36 1997
***************
*** 22,27 ****
--- 22,28 ----
#include "gssapiP_krb5.h"
#include <memory.h>
+ #include <sys/stat.h>
/*
* $Id: accept_sec_context.c,v 1.34.2.3 1996/11/21 03:13:03 marc Exp $
***************
*** 65,77 ****
krb5_creds ** creds;
krb5_error_code retval;
krb5_ccache ccache;
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
! if ((retval = krb5_cc_default(context, &ccache)))
! goto cleanup;
!
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
goto cleanup;
--- 66,94 ----
krb5_creds ** creds;
krb5_error_code retval;
krb5_ccache ccache;
+ int i;
+ char ccname[100];
+ struct stat stx;
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
! /* Set the KRB5CCNAME ENV variable to keep sessions
! * seperate. Use the process id of this process which is
! * the rlogind or rshd. Set the environment variable as well.
! */
!
! i = 0;
! do {
! sprintf(ccname,"FILE:/tmp/krb5cc_p%d.%d",getpid(),i++);
! }
! while(stat(ccname+5,&stx) == 0);
!
! krb5_setenv("KRB5CCNAME", ccname, 1);
!
! if (retval = krb5_cc_resolve(context, ccname, &ccache))
! goto cleanup;
!
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
goto cleanup;
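Review bot: The cache name `/tmp/krb5cc_p<pid>.<i>` is predictable and its absence is only checked with stat() before the file is created separately by krb5_cc_initialize, so a same-named entry appearing in world-writable /tmp between the check and the creation would be used as the credential cache by a daemon running as root; the file should be created atomically under an unpredictable name instead (sketch below). Two smaller points: `if (retval = krb5_cc_resolve(...))` drops the double parentheses the rest of the file uses for assignment-in-condition, and the new comment still speaks of `rlogind or rshd` although this code runs for every GSSAPI acceptor that receives delegated credentials and now sets a process-wide environment variable from inside a library routine, which the function's header comment should state. Nothing in this patch removes the cache when the session ends, so a forwarded TGT stays on disk under /tmp until it expires; whichever application owns the session should unlink it on exit. The sketch replaces `i`/`stx` with `int fd`, needs `<unistd.h>`/`<errno.h>` if gssapiP_krb5.h does not already provide them, and relies on krb5_cc_initialize accepting an already-existing empty file, which should be confirmed against the FILE ccache implementation. The enclosing function begins and ends outside the hunk.
```c
    if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
        return(retval);

    /* Create the cache file atomically under an unpredictable name so no
     * pre-existing /tmp entry can be substituted between the existence
     * check and the creation.  Verify the mode mkstemp() creates on this
     * platform; the cache must not be group/world readable. */
    strcpy(ccname, "FILE:/tmp/krb5cc_XXXXXX");
    if ((fd = mkstemp(ccname + 5)) < 0) {
        retval = errno;
        goto cleanup;
    }
    close(fd);

    /* Side effect visible to the whole process: later code (e.g. ftpd)
     * reads KRB5CCNAME to find the delegated cache. */
    krb5_setenv("KRB5CCNAME", ccname, 1);

    if ((retval = krb5_cc_resolve(context, ccname, &ccache)))
        goto cleanup;
    /* … unchanged: krb5_cc_initialize and the rest of the function … */
```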
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id NAA02151 for <bugs@RT-11.MIT.EDU>; Mon, 24 Nov 1997 13:48:03 -0500
Received: from pembroke.ctd.anl.gov by MIT.EDU with SMTP
id AA03655; Mon, 24 Nov 97 13:48:05 EST
Received: (from b17783@localhost) by pembroke.ctd.anl.gov (AIX4.2/UCB 8.7/8.7) id MAA33722; Mon, 24 Nov 1997 12:47:57 -0600 (CST)
Message-Id: <199711241847.MAA33722@pembroke.ctd.anl.gov>
Date: Mon, 24 Nov 1997 12:47:57 -0600 (CST)
From: deengert@anl.gov
Reply-To: deengert@anl.gov
To: krb5-bugs@MIT.EDU
Subject: GSSFTP and Forwarded Tickets
X-Send-Pr-Version: 3.99
>Number: 506
>Category: krb5-appl
>Synopsis: GSSFTP and Forwarded Tickets
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 24 13:49:00 EST 1997
>Last-Modified:
>Originator: Douglas Engert
>Organization:
>Category: krb5-appl
>Synopsis: GSSFTP and Forwarded Tickets
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 24 13:49:00 EST 1997
>Last-Modified:
>Originator: Douglas Engert
>Organization:
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
>Release: krb5-1.0.3
>Environment:
All
System: AIX pembroke 2 4 000300234600
>Description:
Suggested implementation of the -forward flag in the
gssftp ftp and ftpd. The gssapi accept_sec_context.c was
changed to save the forwarded ticket, and set
the KRB5CCNAME environment variable.
ftpd has changes to call krb5_dfs_pag and krb5_afs_pag
which will use the forwarded ticket to get a DCE context
for DFS, and/or an AFS token.
>How-To-Repeat:
>Fix:
*** ./appl/gssftp/ftp/,ftp.c Fri Oct 31 14:42:56 1997
--- ./appl/gssftp/ftp/ftp.c Fri Nov 14 10:57:19 1997
***************
*** 1964,1970 ****
&gcontext,
target_name,
GSS_C_NULL_OID,
! GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
0,
&chan, /* channel bindings */
token_ptr,
--- 1964,1971 ----
&gcontext,
target_name,
GSS_C_NULL_OID,
! (forward ? GSS_C_DELEG_FLAG : 0 )
! | GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
0,
&chan, /* channel bindings */
token_ptr,
*** ./appl/gssftp/ftp/,ftp_var.h Fri Oct 31 14:42:56 1997
--- ./appl/gssftp/ftp/ftp_var.h Fri Nov 14 11:10:32 1997
***************
*** 44,49 ****
--- 44,50 ----
/*
* Options and other state info.
*/
+ extern int forward; /* forward GSSAPI context */
extern int trace; /* trace packets exchanged */
extern int hash; /* print # for each buffer transferred */
extern int sendport; /* use PORT cmd for each data connection */
*** ./appl/gssftp/ftp/,main.c Fri Oct 31 14:42:56 1997
--- ./appl/gssftp/ftp/main.c Fri Nov 14 11:11:13 1997
***************
*** 138,143 ****
--- 138,150 ----
doglob = 0;
break;
+ case 'f':
+ if (!strncmp(cp-1,"-forward",8)) {
+ forward = 1;
+ goto nextopt;
+ }
+ break;
+
default:
fprintf(stdout,
"ftp: %c: unknown option\n", *cp);
*** ./appl/gssftp/ftpd/,ftpd.c Fri Oct 31 14:42:58 1997
--- ./appl/gssftp/ftpd/ftpd.c Fri Nov 14 11:12:17 1997
***************
*** 326,331 ****
--- 326,336 ----
argc--, argv++;
}
+ #if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)
+ /* Dont want to pickup cache by accident */
+ unsetenv("KRB5CCNAME");
+ #endif
+
if (port != -1) {
struct sockaddr_in sin;
int s, ns, sz;
***************
*** 2331,2336 ****
--- 2336,2343 ----
krb5_context kc;
krb5_principal p;
krb5_error_code kerr;
+ char * ccname;
+ int forwarded;
kerr = krb5_init_context(&kc);
if (kerr)
***************
*** 2339,2346 ****
kerr = krb5_parse_name(kc, client_name->value, &p);
if (kerr) { retval = -1; goto fail; }
k5ret = krb5_kuserok(kc, p, name);
! if (k5ret == TRUE)
retval = 0;
else
retval = 1;
krb5_free_principal(kc, p);
--- 2346,2379 ----
kerr = krb5_parse_name(kc, client_name->value, &p);
if (kerr) { retval = -1; goto fail; }
k5ret = krb5_kuserok(kc, p, name);
! if (k5ret == TRUE) {
!
! #if defined(ANL_DFS_PAG) || defined(ANL_AFS_PAG)
!
! /* We might have a forwarded TGT, but gssapi does not
! * tell us, other changes now set the KRB5CCNAME in
! * accept_sec_context.c So we can now test if there
! * is one, and chown from root to the user.
! * This also assumes that the GSSAPI domain/realm/cell
! * principal really matches the K5/DCE principal
! * if not, then we should not do this.
! */
! forwarded = 0;
! if ((ccname = getenv("KRB5CCNAME"))
! && (!strncmp(ccname,"FILE:",5))) {
! chown(ccname+5, pw->pw_uid, pw->pw_gid);
! forwarded = 1;
! }
! #endif
! #ifdef ANL_DFS_PAG
! krb5_dfs_pag(kc, forwarded, p, name);
! #endif
! #ifdef ANL_AFS_PAG
! krb5_afs_pag(kc);
! #endif
!
retval = 0;
+ }
else
retval = 1;
krb5_free_principal(kc, p);
*** ./lib/gssapi/krb5/,accept_sec_context.c Fri Oct 31 14:45:22 1997
--- ./lib/gssapi/krb5/accept_sec_context.c Thu Nov 20 10:35:36 1997
***************
*** 22,27 ****
--- 22,28 ----
#include "gssapiP_krb5.h"
#include <memory.h>
+ #include <sys/stat.h>
/*
* $Id: accept_sec_context.c,v 1.34.2.3 1996/11/21 03:13:03 marc Exp $
***************
*** 65,77 ****
krb5_creds ** creds;
krb5_error_code retval;
krb5_ccache ccache;
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
! if ((retval = krb5_cc_default(context, &ccache)))
! goto cleanup;
!
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
goto cleanup;
--- 66,94 ----
krb5_creds ** creds;
krb5_error_code retval;
krb5_ccache ccache;
+ int i;
+ char ccname[100];
+ struct stat stx;
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
! /* Set the KRB5CCNAME ENV variable to keep sessions
! * seperate. Use the process id of this process which is
! * the rlogind or rshd. Set the environment variable as well.
! */
!
! i = 0;
! do {
! sprintf(ccname,"FILE:/tmp/krb5cc_p%d.%d",getpid(),i++);
! }
! while(stat(ccname+5,&stx) == 0);
!
! krb5_setenv("KRB5CCNAME", ccname, 1);
!
! if (retval = krb5_cc_resolve(context, ccname, &ccache))
! goto cleanup;
!
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
goto cleanup;
>Audit-Trail:
>Unformatted:
Using forwarded tickets with gssftp