gssapi: retrieve forwarded (delegated) tickets

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-03-04 18:48:39 +01:00 · 2013-03-04 18:48:39 +01:00 · 65eccf1969
--- a/examples/samplesshd-cb.c
+++ b/examples/samplesshd-cb.c
@ -61,8 +61,15 @@ static int auth_password(ssh_session session, const char *user,
 }

 static int auth_gssapi_mic(ssh_session session, const char *user, void *userdata){
+	ssh_gssapi_creds creds = ssh_gssapi_get_creds(session);
+
 	(void)userdata;
+
 	printf("Authenticating used %s with gssapi\n",user);
+	if (creds != NULL)
+		printf("Received some gssapi credentials\n");
+	else
+		printf("Not received any forwardable creds\n");
 	printf("authenticated\n");
 	authenticated = 1;
 	return SSH_AUTH_SUCCESS;
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@ -115,6 +115,7 @@ typedef struct ssh_scp_struct* ssh_scp;
 typedef struct ssh_session_struct* ssh_session;
 typedef struct ssh_string_struct* ssh_string;
 typedef struct ssh_event_struct* ssh_event;
+typedef void* ssh_gssapi_creds;

 /* Socket type */
 #ifdef _WIN32
--- a/include/libssh/server.h
+++ b/include/libssh/server.h
@ -238,6 +238,8 @@ LIBSSH_API int ssh_bind_accept(ssh_bind ssh_bind_o, ssh_session session);
 LIBSSH_API int ssh_bind_accept_fd(ssh_bind ssh_bind_o, ssh_session session,
        socket_t fd);

+LIBSSH_API ssh_gssapi_creds ssh_gssapi_get_creds(ssh_session session);
+
 /**
 * @brief Handles the key exchange and set up encryption
 *
--- a/src/gssapi.c
+++ b/src/gssapi.c
@ -26,6 +26,7 @@
 #include "libssh/crypto.h"
 #include "libssh/callbacks.h"
 #include "libssh/string.h"
+#include "libssh/server.h"

 #include <gssapi.h>

@ -402,7 +403,19 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic){
 	return SSH_PACKET_USED;
 }

-#endif
+/** @brief returns the client credentials of the connected client.
+ * If the client has given a forwardable token, the SSH server will
+ * retrieve it.
+ * @returns gssapi credentials handle.
+ * @returns NULL if no forwardable token is available.
+ */
+LIBSSH_API ssh_gssapi_creds ssh_gssapi_get_creds(ssh_session session){
+	if (!session || !session->gssapi || session->gssapi->client_creds == GSS_C_NO_CREDENTIAL)
+		return NULL;
+	return (ssh_gssapi_creds)session->gssapi->client_creds;
+}
+
+#endif /* SERVER */

 static int ssh_gssapi_send_auth_mic(ssh_session session, ssh_string *oid_set, int n_oid){
 	ssh_string str;