418 - |
418 - |
419 #endif |
419 #endif |
420 diff -pur old/kex.c new/kex.c |
420 diff -pur old/kex.c new/kex.c |
421 --- old/kex.c |
421 --- old/kex.c |
422 +++ new/kex.c |
422 +++ new/kex.c |
423 @@ -55,6 +55,10 @@ |
423 @@ -54,6 +54,10 @@ |
424 #include "sshbuf.h" |
424 #include "sshbuf.h" |
425 #include "digest.h" |
425 #include "digest.h" |
426 |
426 |
427 +#ifdef GSSAPI |
427 +#ifdef GSSAPI |
428 +#include "ssh-gss.h" |
428 +#include "ssh-gss.h" |
429 +#endif |
429 +#endif |
430 + |
430 + |
431 #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
431 #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
432 # if defined(HAVE_EVP_SHA256) |
432 # if defined(HAVE_EVP_SHA256) |
433 # define evp_ssh_sha256 EVP_sha256 |
433 # define evp_ssh_sha256 EVP_sha256 |
434 @@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = { |
434 @@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = { |
435 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) |
435 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) |
436 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
436 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
437 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
437 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
438 +#ifdef GSSAPI |
438 +#ifdef GSSAPI |
439 + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, |
439 + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, |
453 } |
453 } |
454 return NULL; |
454 return NULL; |
455 diff -pur old/kex.h new/kex.h |
455 diff -pur old/kex.h new/kex.h |
456 --- old/kex.h |
456 --- old/kex.h |
457 +++ new/kex.h |
457 +++ new/kex.h |
458 @@ -93,6 +93,9 @@ enum kex_exchange { |
458 @@ -92,6 +92,9 @@ enum kex_exchange { |
459 KEX_DH_GEX_SHA256, |
459 KEX_DH_GEX_SHA256, |
460 KEX_ECDH_SHA2, |
460 KEX_ECDH_SHA2, |
461 KEX_C25519_SHA256, |
461 KEX_C25519_SHA256, |
462 + KEX_GSS_GRP1_SHA1, |
462 + KEX_GSS_GRP1_SHA1, |
463 + KEX_GSS_GRP14_SHA1, |
463 + KEX_GSS_GRP14_SHA1, |
464 + KEX_GSS_GEX_SHA1, |
464 + KEX_GSS_GEX_SHA1, |
465 KEX_MAX |
465 KEX_MAX |
466 }; |
466 }; |
467 |
467 |
468 @@ -139,6 +142,10 @@ struct kex { |
468 @@ -140,6 +143,10 @@ struct kex { |
469 u_int flags; |
469 u_int flags; |
470 int hash_alg; |
470 int hash_alg; |
471 int ec_nid; |
471 int ec_nid; |
472 +#ifdef GSSAPI |
472 +#ifdef GSSAPI |
473 + int gss_deleg_creds; |
473 + int gss_deleg_creds; |
474 + char *gss_host; |
474 + char *gss_host; |
475 +#endif |
475 +#endif |
476 char *client_version_string; |
476 char *client_version_string; |
477 char *server_version_string; |
477 char *server_version_string; |
478 char *failed_choice; |
478 char *failed_choice; |
479 @@ -186,6 +193,10 @@ int kexecdh_client(struct ssh *); |
479 @@ -189,6 +196,10 @@ int kexecdh_client(struct ssh *); |
480 int kexecdh_server(struct ssh *); |
480 int kexecdh_server(struct ssh *); |
481 int kexc25519_client(struct ssh *); |
481 int kexc25519_client(struct ssh *); |
482 int kexc25519_server(struct ssh *); |
482 int kexc25519_server(struct ssh *); |
483 +#ifdef GSSAPI |
483 +#ifdef GSSAPI |
484 +int kexgss_client(struct ssh *); |
484 +int kexgss_client(struct ssh *); |
488 int kex_dh_hash(const char *, const char *, |
488 int kex_dh_hash(const char *, const char *, |
489 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, |
489 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, |
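Review bot: Every GSSAPI exchange method added to enum kex_exchange (KEX_GSS_GRP1_SHA1, KEX_GSS_GRP14_SHA1, KEX_GSS_GEX_SHA1 at patch lines 462-464) is SHA-1 based, and the group1 variant is the 1024-bit MODP group that upstream OpenSSH dropped from its default proposal; no SHA-256 GSS variant is introduced anywhere visible in this patch. Because the client side of this patch prepends the GSS methods to the configured kex list and the server manual page defaults GSSAPIKeyExchange to yes, the weakest of these can be negotiated ahead of the modern non-GSS methods. Suggest a comment above the three enumerators, e.g. `/* GSSAPI kex (RFC 4462): SHA-1 only; group1 is legacy 1024-bit MODP, keep it last in any proposal */`, and a check that the kexalgs table in kex.c orders group1 after gex and group14 — that table's hunk is cut off on this page, so the order cannot be confirmed here.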
490 diff -pur old/monitor.c new/monitor.c |
490 diff -pur old/monitor.c new/monitor.c |
491 --- old/monitor.c |
491 --- old/monitor.c |
492 +++ new/monitor.c |
492 +++ new/monitor.c |
493 @@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer |
493 @@ -159,6 +159,7 @@ int mm_answer_gss_setup_ctx(int, Buffer |
494 int mm_answer_gss_accept_ctx(int, Buffer *); |
494 int mm_answer_gss_accept_ctx(int, Buffer *); |
495 int mm_answer_gss_userok(int, Buffer *); |
495 int mm_answer_gss_userok(int, Buffer *); |
496 int mm_answer_gss_checkmic(int, Buffer *); |
496 int mm_answer_gss_checkmic(int, Buffer *); |
497 +int mm_answer_gss_sign(int, Buffer *); |
497 +int mm_answer_gss_sign(int, Buffer *); |
498 #endif |
498 #endif |
499 |
499 |
500 #ifdef SSH_AUDIT_EVENTS |
500 #ifdef SSH_AUDIT_EVENTS |
501 @@ -244,11 +245,17 @@ struct mon_table mon_dispatch_proto20[] |
501 @@ -243,11 +244,17 @@ struct mon_table mon_dispatch_proto20[] |
502 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
502 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
503 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
503 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
504 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
504 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
505 + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, |
505 + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, |
506 #endif |
506 #endif |
514 + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, |
514 + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, |
515 +#endif |
515 +#endif |
516 #ifdef WITH_OPENSSL |
516 #ifdef WITH_OPENSSL |
517 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
517 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
518 #endif |
518 #endif |
519 @@ -363,6 +370,10 @@ monitor_child_preauth(Authctxt *_authctx |
519 @@ -362,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctx |
520 /* Permit requests for moduli and signatures */ |
520 /* Permit requests for moduli and signatures */ |
521 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
521 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
522 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
522 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
523 +#ifdef GSSAPI |
523 +#ifdef GSSAPI |
524 + /* and for the GSSAPI key exchange */ |
524 + /* and for the GSSAPI key exchange */ |
525 + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
525 + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
526 +#endif |
526 +#endif |
527 } else { |
527 } else { |
528 mon_dispatch = mon_dispatch_proto15; |
528 mon_dispatch = mon_dispatch_proto15; |
529 |
529 |
530 @@ -502,6 +513,10 @@ monitor_child_postauth(struct monitor *p |
530 @@ -501,6 +512,10 @@ monitor_child_postauth(struct monitor *p |
531 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
531 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
532 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
532 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
533 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
533 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
534 +#ifdef GSSAPI |
534 +#ifdef GSSAPI |
535 + /* and for the GSSAPI key exchange */ |
535 + /* and for the GSSAPI key exchange */ |
536 + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
536 + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); |
537 +#endif |
537 +#endif |
538 } else { |
538 } else { |
539 mon_dispatch = mon_dispatch_postauth15; |
539 mon_dispatch = mon_dispatch_postauth15; |
540 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
540 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
541 @@ -1927,6 +1942,13 @@ monitor_apply_keystate(struct monitor *p |
541 @@ -1924,6 +1939,13 @@ monitor_apply_keystate(struct monitor *p |
542 # endif |
542 # endif |
543 #endif /* WITH_OPENSSL */ |
543 #endif /* WITH_OPENSSL */ |
544 kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
544 kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
545 +#ifdef GSSAPI |
545 +#ifdef GSSAPI |
546 + if (options.gss_keyex) { |
546 + if (options.gss_keyex) { |
550 + } |
550 + } |
551 +#endif |
551 +#endif |
552 kex->load_host_public_key=&get_hostkey_public_by_type; |
552 kex->load_host_public_key=&get_hostkey_public_by_type; |
553 kex->load_host_private_key=&get_hostkey_private_by_type; |
553 kex->load_host_private_key=&get_hostkey_private_by_type; |
554 kex->host_key_index=&get_hostkey_index; |
554 kex->host_key_index=&get_hostkey_index; |
555 @@ -2026,6 +2048,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer |
555 @@ -2023,6 +2045,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer |
556 OM_uint32 major; |
556 OM_uint32 major; |
557 u_int len; |
557 u_int len; |
558 |
558 |
559 + if (!options.gss_authentication && !options.gss_keyex) |
559 + if (!options.gss_authentication && !options.gss_keyex) |
560 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
560 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
561 + |
561 + |
562 goid.elements = buffer_get_string(m, &len); |
562 goid.elements = buffer_get_string(m, &len); |
563 goid.length = len; |
563 goid.length = len; |
564 |
564 |
565 @@ -2053,6 +2078,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe |
565 @@ -2050,6 +2075,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe |
566 OM_uint32 flags = 0; /* GSI needs this */ |
566 OM_uint32 flags = 0; /* GSI needs this */ |
567 u_int len; |
567 u_int len; |
568 |
568 |
569 + if (!options.gss_authentication && !options.gss_keyex) |
569 + if (!options.gss_authentication && !options.gss_keyex) |
570 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
570 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
571 + |
571 + |
572 in.value = buffer_get_string(m, &len); |
572 in.value = buffer_get_string(m, &len); |
573 in.length = len; |
573 in.length = len; |
574 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
574 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
575 @@ -2070,6 +2098,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe |
575 @@ -2067,6 +2095,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe |
576 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
576 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
577 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
577 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
578 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
578 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
579 + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); |
579 + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); |
580 } |
580 } |
581 return (0); |
581 return (0); |
582 } |
582 } |
583 @@ -2081,6 +2110,9 @@ mm_answer_gss_checkmic(int sock, Buffer |
583 @@ -2078,6 +2107,9 @@ mm_answer_gss_checkmic(int sock, Buffer |
584 OM_uint32 ret; |
584 OM_uint32 ret; |
585 u_int len; |
585 u_int len; |
586 |
586 |
587 + if (!options.gss_authentication && !options.gss_keyex) |
587 + if (!options.gss_authentication && !options.gss_keyex) |
588 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
588 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
589 + |
589 + |
590 gssbuf.value = buffer_get_string(m, &len); |
590 gssbuf.value = buffer_get_string(m, &len); |
591 gssbuf.length = len; |
591 gssbuf.length = len; |
592 mic.value = buffer_get_string(m, &len); |
592 mic.value = buffer_get_string(m, &len); |
593 @@ -2107,6 +2139,9 @@ mm_answer_gss_userok(int sock, Buffer *m |
593 @@ -2104,6 +2136,9 @@ mm_answer_gss_userok(int sock, Buffer *m |
594 { |
594 { |
595 int authenticated; |
595 int authenticated; |
596 |
596 |
597 + if (!options.gss_authentication && !options.gss_keyex) |
597 + if (!options.gss_authentication && !options.gss_keyex) |
598 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
598 + fatal("In GSSAPI monitor when GSSAPI is disabled"); |
599 + |
599 + |
600 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); |
600 authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); |
601 |
601 |
602 buffer_clear(m); |
602 buffer_clear(m); |
603 @@ -2120,5 +2155,47 @@ mm_answer_gss_userok(int sock, Buffer *m |
603 @@ -2117,5 +2152,47 @@ mm_answer_gss_userok(int sock, Buffer *m |
604 /* Monitor loop will terminate if authenticated */ |
604 /* Monitor loop will terminate if authenticated */ |
605 return (authenticated); |
605 return (authenticated); |
606 } |
606 } |
607 + |
607 + |
608 +int |
608 +int |
705 |
705 |
706 #ifdef USE_PAM |
706 #ifdef USE_PAM |
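Review bot: monitor_child_preauth and monitor_child_postauth (patch lines 523-526 and 534-537) permit MONITOR_REQ_GSSSETUP whenever the binary is built with GSSAPI, not only when options.gss_keyex is enabled, so a GSSAPI-only-for-userauth configuration gets the setup request reachable from the very start of the preauth loop, before any username has been sent. The fatal() guards added to the mm_answer_gss_* handlers reject the case where both gss_authentication and gss_keyex are off, but they do not narrow this window when only gss_authentication is on; if the MON_ISAUTH entry is otherwise enabled only by the userauth path, as I believe upstream does, gating the permit keeps that least-privilege property: `if (options.gss_keyex)` before `monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);` in both functions. The new mm_answer_gss_sign body starting at patch line 608 is elided on this page and is not reviewed.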
707 diff -pur old/readconf.c new/readconf.c |
707 diff -pur old/readconf.c new/readconf.c |
708 --- old/readconf.c |
708 --- old/readconf.c |
709 +++ new/readconf.c |
709 +++ new/readconf.c |
710 @@ -147,6 +147,7 @@ typedef enum { |
710 @@ -148,6 +148,7 @@ typedef enum { |
711 oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
711 oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
712 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
712 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
713 oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
713 oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
714 + oGssKeyEx, |
714 + oGssKeyEx, |
715 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
715 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
716 oSendEnv, oControlPath, oControlMaster, oControlPersist, |
716 oSendEnv, oControlPath, oControlMaster, oControlPersist, |
717 oHashKnownHosts, |
717 oHashKnownHosts, |
718 @@ -198,11 +199,15 @@ static struct { |
718 @@ -199,11 +200,15 @@ static struct { |
719 { "gssauthentication", oGssAuthentication }, /* alias */ |
719 { "gssauthentication", oGssAuthentication }, /* alias */ |
720 { "gssapidelegatecredentials", oGssDelegateCreds }, |
720 { "gssapidelegatecredentials", oGssDelegateCreds }, |
721 { "gssdelegatecreds", oGssDelegateCreds }, /* alias */ |
721 { "gssdelegatecreds", oGssDelegateCreds }, /* alias */ |
722 + { "gssapikeyexchange", oGssKeyEx }, |
722 + { "gssapikeyexchange", oGssKeyEx }, |
723 + { "gsskeyex", oGssKeyEx }, /* alias */ |
723 + { "gsskeyex", oGssKeyEx }, /* alias */ |
729 + { "gssapikeyexchange", oUnsupported }, |
729 + { "gssapikeyexchange", oUnsupported }, |
730 + { "gsskeyex", oUnsupported }, |
730 + { "gsskeyex", oUnsupported }, |
731 #endif |
731 #endif |
732 { "fallbacktorsh", oDeprecated }, |
732 { "fallbacktorsh", oDeprecated }, |
733 { "usersh", oDeprecated }, |
733 { "usersh", oDeprecated }, |
734 @@ -933,6 +938,10 @@ parse_time: |
734 @@ -965,6 +970,10 @@ parse_time: |
735 intptr = &options->gss_authentication; |
735 intptr = &options->gss_authentication; |
736 goto parse_flag; |
736 goto parse_flag; |
737 |
737 |
738 + case oGssKeyEx: |
738 + case oGssKeyEx: |
739 + intptr = &options->gss_keyex; |
739 + intptr = &options->gss_keyex; |
740 + goto parse_flag; |
740 + goto parse_flag; |
741 + |
741 + |
742 case oGssDelegateCreds: |
742 case oGssDelegateCreds: |
743 intptr = &options->gss_deleg_creds; |
743 intptr = &options->gss_deleg_creds; |
744 goto parse_flag; |
744 goto parse_flag; |
745 @@ -1647,6 +1656,7 @@ initialize_options(Options * options) |
745 @@ -1694,6 +1703,7 @@ initialize_options(Options * options) |
746 options->pubkey_authentication = -1; |
746 options->pubkey_authentication = -1; |
747 options->challenge_response_authentication = -1; |
747 options->challenge_response_authentication = -1; |
748 options->gss_authentication = -1; |
748 options->gss_authentication = -1; |
749 + options->gss_keyex = -1; |
749 + options->gss_keyex = -1; |
750 options->gss_deleg_creds = -1; |
750 options->gss_deleg_creds = -1; |
751 options->password_authentication = -1; |
751 options->password_authentication = -1; |
752 options->kbd_interactive_authentication = -1; |
752 options->kbd_interactive_authentication = -1; |
753 @@ -1786,6 +1796,12 @@ fill_default_options(Options * options) |
753 @@ -1834,6 +1844,12 @@ fill_default_options(Options * options) |
754 #else |
754 #else |
755 options->gss_authentication = 0; |
755 options->gss_authentication = 0; |
756 #endif |
756 #endif |
757 + if (options->gss_keyex == -1) |
757 + if (options->gss_keyex == -1) |
758 +#ifdef OPTION_DEFAULT_VALUE |
758 +#ifdef OPTION_DEFAULT_VALUE |
796 + options->gss_keyex = 0; |
796 + options->gss_keyex = 0; |
797 +#endif |
797 +#endif |
798 if (options->gss_cleanup_creds == -1) |
798 if (options->gss_cleanup_creds == -1) |
799 options->gss_cleanup_creds = 1; |
799 options->gss_cleanup_creds = 1; |
800 if (options->gss_strict_acceptor == -1) |
800 if (options->gss_strict_acceptor == -1) |
801 @@ -442,6 +449,7 @@ typedef enum { |
801 @@ -449,6 +456,7 @@ typedef enum { |
802 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
802 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
803 sHostKeyAlgorithms, |
803 sHostKeyAlgorithms, |
804 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
804 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
805 + sGssKeyEx, |
805 + sGssKeyEx, |
806 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
806 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
807 sAcceptEnv, sPermitTunnel, |
807 sAcceptEnv, sPermitTunnel, |
808 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
808 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
809 @@ -519,6 +527,8 @@ static struct { |
809 @@ -526,6 +534,8 @@ static struct { |
810 #ifdef GSSAPI |
810 #ifdef GSSAPI |
811 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
811 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
812 { "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */ |
812 { "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */ |
813 + { "gssapikeyexchange", sGssKeyEx, SSHCFG_ALL }, |
813 + { "gssapikeyexchange", sGssKeyEx, SSHCFG_ALL }, |
814 + { "gsskeyex", sGssKeyEx, SSHCFG_ALL }, /* alias */ |
814 + { "gsskeyex", sGssKeyEx, SSHCFG_ALL }, /* alias */ |
815 #ifdef USE_GSS_STORE_CRED |
815 #ifdef USE_GSS_STORE_CRED |
816 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
816 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
817 #else /* USE_GSS_STORE_CRED */ |
817 #else /* USE_GSS_STORE_CRED */ |
818 @@ -528,6 +538,8 @@ static struct { |
818 @@ -535,6 +545,8 @@ static struct { |
819 #else |
819 #else |
820 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
820 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
821 { "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */ |
821 { "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */ |
822 + { "gssapikeyexchange", sUnsupported,, SSHCFG_ALL }, |
822 + { "gssapikeyexchange", sUnsupported,, SSHCFG_ALL }, |
823 + { "gsskeyex", sUnsupported,, SSHCFG_ALL }, |
823 + { "gsskeyex", sUnsupported,, SSHCFG_ALL }, |
824 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
824 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
825 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
825 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
826 #endif |
826 #endif |
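Review bot: The two entries added in the `#else` (no-GSSAPI) branch at patch lines 822-823 contain a double comma, `{ "gssapikeyexchange", sUnsupported,, SSHCFG_ALL },` and `{ "gsskeyex", sUnsupported,, SSHCFG_ALL },`, which is a syntax error; the same text appears on both sides of this commit, so it is carried forward rather than fixed. Because this branch is only compiled when GSSAPI is not defined, a GSSAPI-enabled build never exercises it, which is presumably why it went unnoticed. The lines should read `{ "gssapikeyexchange", sUnsupported, SSHCFG_ALL },` and `{ "gsskeyex", sUnsupported, SSHCFG_ALL },`, matching the entries immediately below them. The file header for this hunk is not shown on the page; the surrounding enum names suggest servconf.c.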
827 @@ -1311,6 +1323,10 @@ process_server_config_line(ServerOptions |
827 @@ -1319,6 +1331,10 @@ process_server_config_line(ServerOptions |
828 intptr = &options->gss_authentication; |
828 intptr = &options->gss_authentication; |
829 goto parse_flag; |
829 goto parse_flag; |
830 |
830 |
831 + case sGssKeyEx: |
831 + case sGssKeyEx: |
832 + intptr = &options->gss_keyex; |
832 + intptr = &options->gss_keyex; |
833 + goto parse_flag; |
833 + goto parse_flag; |
834 + |
834 + |
835 case sGssCleanupCreds: |
835 case sGssCleanupCreds: |
836 intptr = &options->gss_cleanup_creds; |
836 intptr = &options->gss_cleanup_creds; |
837 goto parse_flag; |
837 goto parse_flag; |
838 @@ -2357,6 +2373,7 @@ dump_config(ServerOptions *o) |
838 @@ -2373,6 +2389,7 @@ dump_config(ServerOptions *o) |
839 #endif |
839 #endif |
840 #ifdef GSSAPI |
840 #ifdef GSSAPI |
841 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
841 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
842 + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); |
842 + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); |
843 #ifndef USE_GSS_STORE_CRED |
843 #ifndef USE_GSS_STORE_CRED |
921 Forward (delegate) credentials to the server. |
921 Forward (delegate) credentials to the server. |
922 The default is |
922 The default is |
923 diff -pur old/sshconnect2.c new/sshconnect2.c |
923 diff -pur old/sshconnect2.c new/sshconnect2.c |
924 --- old/sshconnect2.c |
924 --- old/sshconnect2.c |
925 +++ new/sshconnect2.c |
925 +++ new/sshconnect2.c |
926 @@ -163,12 +163,37 @@ ssh_kex2(char *host, struct sockaddr *ho |
926 @@ -164,11 +164,35 @@ ssh_kex2(char *host, struct sockaddr *ho |
927 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; |
927 char *s; |
928 struct kex *kex; |
928 struct kex *kex; |
929 int r; |
929 int r; |
930 +#ifdef GSSAPI |
930 +#ifdef GSSAPI |
931 + char *orig = NULL, *gss = NULL; |
931 + char *orig = NULL, *gss = NULL; |
932 + char *gss_host = NULL; |
932 + char *gss_host = NULL; |
933 +#endif |
933 +#endif |
934 + |
|
935 |
934 |
936 xxx_host = host; |
935 xxx_host = host; |
937 xxx_hostaddr = hostaddr; |
936 xxx_hostaddr = hostaddr; |
938 |
937 |
|
938 - if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) |
939 + if (options.kex_algorithms != NULL) |
939 + if (options.kex_algorithms != NULL) |
940 + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
940 + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
941 + |
941 + |
942 +#ifdef GSSAPI |
942 +#ifdef GSSAPI |
943 + if (options.gss_keyex) { |
943 + if (options.gss_keyex) { |
954 + "%s,%s", gss, orig); |
954 + "%s,%s", gss, orig); |
955 + } |
955 + } |
956 + } |
956 + } |
957 +#endif |
957 +#endif |
958 + |
958 + |
959 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
959 + if (!(s = kex_names_cat(myproposal[PROPOSAL_KEX_ALGS], "ext-info-c"))) |
960 - options.kex_algorithms); |
960 fatal("%s: kex_names_cat", __func__); |
961 + myproposal[PROPOSAL_KEX_ALGS]); |
961 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); |
962 myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
962 myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
963 compat_cipher_proposal(options.ciphers); |
963 @@ -199,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho |
964 myproposal[PROPOSAL_ENC_ALGS_STOC] = |
|
965 @@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *ho |
|
966 order_hostkeyalgs(host, hostaddr, port)); |
964 order_hostkeyalgs(host, hostaddr, port)); |
967 } |
965 } |
968 |
966 |
969 +#ifdef GSSAPI |
967 +#ifdef GSSAPI |
970 + /* If we've got GSSAPI algorithms, then we also support the |
968 + /* If we've got GSSAPI algorithms, then we also support the |
1001 + } |
999 + } |
1002 +#endif |
1000 +#endif |
1003 |
1001 |
1004 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); |
1002 dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); |
1005 |
1003 |
1006 @@ -310,6 +359,7 @@ int input_gssapi_token(int type, u_int32 |
1004 @@ -315,6 +363,7 @@ int input_gssapi_token(int type, u_int32 |
1007 int input_gssapi_hash(int type, u_int32_t, void *); |
1005 int input_gssapi_hash(int type, u_int32_t, void *); |
1008 int input_gssapi_error(int, u_int32_t, void *); |
1006 int input_gssapi_error(int, u_int32_t, void *); |
1009 int input_gssapi_errtok(int, u_int32_t, void *); |
1007 int input_gssapi_errtok(int, u_int32_t, void *); |
1010 +int userauth_gsskeyex(Authctxt *authctxt); |
1008 +int userauth_gsskeyex(Authctxt *authctxt); |
1011 #endif |
1009 #endif |
1012 |
1010 |
1013 void userauth(Authctxt *, char *); |
1011 void userauth(Authctxt *, char *); |
1014 @@ -325,6 +375,11 @@ static char *authmethods_get(void); |
1012 @@ -330,6 +379,11 @@ static char *authmethods_get(void); |
1015 |
1013 |
1016 Authmethod authmethods[] = { |
1014 Authmethod authmethods[] = { |
1017 #ifdef GSSAPI |
1015 #ifdef GSSAPI |
1018 + {"gssapi-keyex", |
1016 + {"gssapi-keyex", |
1019 + userauth_gsskeyex, |
1017 + userauth_gsskeyex, |
1176 kex->client_version_string=client_version_string; |
1174 kex->client_version_string=client_version_string; |
1177 kex->server_version_string=server_version_string; |
1175 kex->server_version_string=server_version_string; |
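Review bot: The GSSAPI block in ssh_kex2 builds the proposal as `"%s,%s", gss, orig` (patch line 954), placing the GSS methods ahead of everything the user configured in KexAlgorithms, so whenever a GSS mechanism is available the client will prefer a SHA-1 GSS exchange over the configured non-GSS methods and host identity is then established by the GSS mechanism rather than the host key. That ordering is a deliberate trust decision and deserves a comment at the top of the block, e.g. `/* GSS kex methods go first: when a mechanism is usable, host identity comes from it, not from the host key */`; if the intent is only to offer them, appending (`"%s,%s", orig, gss`) would preserve the configured preference. The middle of the block (patch lines 944-953) is elided here, so whether `gss` and the composed proposal string are released after kex setup could not be checked.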
1178 diff -pur old/sshd_config.5 new/sshd_config.5 |
1176 diff -pur old/sshd_config.5 new/sshd_config.5 |
1179 --- old/sshd_config.5 |
1177 --- old/sshd_config.5 |
1180 +++ new/sshd_config.5 |
1178 +++ new/sshd_config.5 |
1181 @@ -621,6 +621,12 @@ Specifies whether user authentication ba |
1179 @@ -623,6 +623,11 @@ The default is |
|
1180 Specifies whether user authentication based on GSSAPI is allowed. |
1182 The default on Solaris is |
1181 The default on Solaris is |
1183 .Dq yes . |
1182 .Dq yes . |
1184 Note that this option applies to protocol version 2 only. |
|
1185 +.It Cm GSSAPIKeyExchange |
1183 +.It Cm GSSAPIKeyExchange |
1186 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange |
1184 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange |
1187 +doesn't rely on ssh keys to verify host identity. |
1185 +doesn't rely on ssh keys to verify host identity. |
1188 +The default on Solaris is |
1186 +The default on Solaris is |
1189 +.Dq yes . |
1187 +.Dq yes . |
1190 +Note that this option applies to protocol version 2 only. |
|
1191 .It Cm GSSAPICleanupCredentials |
1188 .It Cm GSSAPICleanupCredentials |
1192 Specifies whether to automatically destroy the user's credentials cache |
1189 Specifies whether to automatically destroy the user's credentials cache |
1193 on logout. |
1190 on logout. |
1194 diff -pur old/sshkey.c new/sshkey.c |
1191 diff -pur old/sshkey.c new/sshkey.c |
1195 --- old/sshkey.c |
1192 --- old/sshkey.c |
1196 +++ new/sshkey.c |
1193 +++ new/sshkey.c |
1197 @@ -112,6 +112,7 @@ static const struct keytype keytypes[] = |
1194 @@ -115,6 +115,7 @@ static const struct keytype keytypes[] = |
1198 # endif /* OPENSSL_HAS_NISTP521 */ |
1195 # endif /* OPENSSL_HAS_NISTP521 */ |
1199 # endif /* OPENSSL_HAS_ECC */ |
1196 # endif /* OPENSSL_HAS_ECC */ |
1200 #endif /* WITH_OPENSSL */ |
1197 #endif /* WITH_OPENSSL */ |
1201 + { "null", "null", KEY_NULL, 0, 0 }, |
1198 + { "null", "null", KEY_NULL, 0, 0 }, |
1202 { NULL, NULL, -1, -1, 0 } |
1199 { NULL, NULL, -1, -1, 0, 0 } |
1203 }; |
1200 }; |
1204 |
1201 |
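Review bot: The keytypes sentinel on the new side has six initializers (`{ NULL, NULL, -1, -1, 0, 0 }` at line 1199) where the old side had five, but the `{ "null", "null", KEY_NULL, 0, 0 }` entry added just above it still supplies five. If the new struct field was appended, the missing initializer is zero-filled and the entry is fine; if it was inserted earlier in the struct, the positional initializers after it are shifted. Either way the entry should be written out in full, `{ "null", "null", KEY_NULL, 0, 0, 0 },`, so it matches the sentinel and makes the intended value of the new field explicit. The sshkey.h hunk that would show the KEY_NULL definition is cut off at the end of this page.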
1205 diff -pur old/sshkey.h new/sshkey.h |
1202 diff -pur old/sshkey.h new/sshkey.h |
1206 --- old/sshkey.h |
1203 --- old/sshkey.h |
1207 +++ new/sshkey.h |
1204 +++ new/sshkey.h |