Use gss_userok() instead of krb5_kuserok().

gss-serv-krb5.c

@@ -76,40 +76,6 @@ ssh_gssapi_krb5_init(void)
 	return 1;
 }
 
-/* Check if this user is OK to login. This only works with krb5 - other
- * GSSAPI mechanisms will need their own.
- * Returns true if the user is OK to log in, otherwise returns 0
- */
-
-static int
-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
-{
-	krb5_principal princ;
-	int retval;
-	const char *errmsg;
-
-	if (ssh_gssapi_krb5_init() == 0)
-		return 0;
-
-	if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
-	    &princ))) {
-		errmsg = krb5_get_error_message(krb_context, retval);
-		logit("krb5_parse_name(): %.100s", errmsg);
-		krb5_free_error_message(krb_context, errmsg);
-		return 0;
-	}
-	if (krb5_kuserok(krb_context, princ, name)) {
-		retval = 1;
-		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-		    name, (char *)client->displayname.value);
-	} else
-		retval = 0;
-
-	krb5_free_principal(krb_context, princ);
-	return retval;
-}
-
-
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
 
@@ -201,7 +167,6 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
 	"Kerberos",
 	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
 	NULL,
-	&ssh_gssapi_krb5_userok,
 	NULL,
 	&ssh_gssapi_krb5_storecreds
 };

gss-serv.c

@@ -309,9 +309,11 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 		return (ctx->major);
 	}
 
-	/* We can't copy this structure, so we just move the pointer to it */
+	/* We can't copy these structures, so we just move the pointer to it */
 	client->creds = ctx->client_creds;
 	ctx->client_creds = GSS_C_NO_CREDENTIAL;
+	client->client = ctx->client;
+	ctx->client = GSS_C_NO_NAME;
 	return (ctx->major);
 }
 
@@ -365,20 +367,20 @@ ssh_gssapi_userok(char *user)
 		debug("No suitable client data");
 		return 0;
 	}
-	if (gssapi_client.mech && gssapi_client.mech->userok)
-		if ((*gssapi_client.mech->userok)(&gssapi_client, user))
-			return 1;
-		else {
-			/* Destroy delegated credentials if userok fails */
-			gss_release_buffer(&lmin, &gssapi_client.displayname);
-			gss_release_buffer(&lmin, &gssapi_client.exportedname);
-			gss_release_cred(&lmin, &gssapi_client.creds);
-			explicit_bzero(&gssapi_client,
-			    sizeof(ssh_gssapi_client));
-			return 0;
-		}
-	else
-		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
+
+	if (gss_userok(gssapi_client.client, user))
+	  return 1;
+	else {
+	  /* Destroy delegated credentials if userok fails */
+	  gss_release_buffer(&lmin, &gssapi_client.displayname);
+	  gss_release_buffer(&lmin, &gssapi_client.exportedname);
+	  gss_release_cred(&lmin, &gssapi_client.creds);
+	  gss_release_name(&lmin, &gssapi_client.client);
+	  explicit_bzero(&gssapi_client,
+			 sizeof(ssh_gssapi_client));
+	  return 0;
+	}
+
 	return (0);
 }
 

ssh-gss.h

@@ -71,6 +71,7 @@ typedef struct {
 typedef struct {
 	gss_buffer_desc displayname;
 	gss_buffer_desc exportedname;
+	gss_name_t client;
 	gss_cred_id_t creds;
 	struct ssh_gssapi_mech_struct *mech;
 	ssh_gssapi_ccache store;
@@ -81,7 +82,6 @@ typedef struct ssh_gssapi_mech_struct {
 	char *name;
 	gss_OID_desc oid;
 	int (*dochild) (ssh_gssapi_client *);
-	int (*userok) (ssh_gssapi_client *, char *);
 	int (*localname) (ssh_gssapi_client *, char **);
 	void (*storecreds) (ssh_gssapi_client *);
 } ssh_gssapi_mech;