summaryrefslogtreecommitdiff
path: root/auth.c
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-12-28 20:05:02 +0000
commit40ab38b3f501f3e21662f0294eef06789605c5f8 (patch)
tree739e0a31e245a718789908269c5af5807da13ef0 /auth.c
parent971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-12-28 Patch-Name: gssapi.patch
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c96
1 files changed, 2 insertions, 94 deletions
diff --git a/auth.c b/auth.c
index 6ee6116df..c63906873 100644
--- a/auth.c
+++ b/auth.c
@@ -372,7 +372,8 @@ auth_root_allowed(const char *method)
372 case PERMIT_NO_PASSWD: 372 case PERMIT_NO_PASSWD:
373 if (strcmp(method, "publickey") == 0 || 373 if (strcmp(method, "publickey") == 0 ||
374 strcmp(method, "hostbased") == 0 || 374 strcmp(method, "hostbased") == 0 ||
375 strcmp(method, "gssapi-with-mic") == 0) 375 strcmp(method, "gssapi-with-mic") == 0 ||
376 strcmp(method, "gssapi-keyex") == 0)
376 return 1; 377 return 1;
377 break; 378 break;
378 case PERMIT_FORCED_ONLY: 379 case PERMIT_FORCED_ONLY:
@@ -795,99 +796,6 @@ fakepw(void)
795} 796}
796 797
797/* 798/*
798 * Returns the remote DNS hostname as a string. The returned string must not
799 * be freed. NB. this will usually trigger a DNS query the first time it is
800 * called.
801 * This function does additional checks on the hostname to mitigate some
802 * attacks on legacy rhosts-style authentication.
803 * XXX is RhostsRSAAuthentication vulnerable to these?
804 * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
805 */
806
807static char *
808remote_hostname(struct ssh *ssh)
809{
810 struct sockaddr_storage from;
811 socklen_t fromlen;
812 struct addrinfo hints, *ai, *aitop;
813 char name[NI_MAXHOST], ntop2[NI_MAXHOST];
814 const char *ntop = ssh_remote_ipaddr(ssh);
815
816 /* Get IP address of client. */
817 fromlen = sizeof(from);
818 memset(&from, 0, sizeof(from));
819 if (getpeername(ssh_packet_get_connection_in(ssh),
820 (struct sockaddr *)&from, &fromlen) < 0) {
821 debug("getpeername failed: %.100s", strerror(errno));
822 return strdup(ntop);
823 }
824
825 ipv64_normalise_mapped(&from, &fromlen);
826 if (from.ss_family == AF_INET6)
827 fromlen = sizeof(struct sockaddr_in6);
828
829 debug3("Trying to reverse map address %.100s.", ntop);
830 /* Map the IP address to a host name. */
831 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
832 NULL, 0, NI_NAMEREQD) != 0) {
833 /* Host name not found. Use ip address. */
834 return strdup(ntop);
835 }
836
837 /*
838 * if reverse lookup result looks like a numeric hostname,
839 * someone is trying to trick us by PTR record like following:
840 * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
841 */
842 memset(&hints, 0, sizeof(hints));
843 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
844 hints.ai_flags = AI_NUMERICHOST;
845 if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
846 logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
847 name, ntop);
848 freeaddrinfo(ai);
849 return strdup(ntop);
850 }
851
852 /* Names are stored in lowercase. */
853 lowercase(name);
854
855 /*
856 * Map it back to an IP address and check that the given
857 * address actually is an address of this host. This is
858 * necessary because anyone with access to a name server can
859 * define arbitrary names for an IP address. Mapping from
860 * name to IP address can be trusted better (but can still be
861 * fooled if the intruder has access to the name server of
862 * the domain).
863 */
864 memset(&hints, 0, sizeof(hints));
865 hints.ai_family = from.ss_family;
866 hints.ai_socktype = SOCK_STREAM;
867 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
868 logit("reverse mapping checking getaddrinfo for %.700s "
869 "[%s] failed.", name, ntop);
870 return strdup(ntop);
871 }
872 /* Look for the address from the list of addresses. */
873 for (ai = aitop; ai; ai = ai->ai_next) {
874 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
875 sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
876 (strcmp(ntop, ntop2) == 0))
877 break;
878 }
879 freeaddrinfo(aitop);
880 /* If we reached the end of the list, the address was not there. */
881 if (ai == NULL) {
882 /* Address not found for the host name. */
883 logit("Address %.100s maps to %.600s, but this does not "
884 "map back to the address.", ntop, name);
885 return strdup(ntop);
886 }
887 return strdup(name);
888}
889
890/*
891 * Return the canonical name of the host in the other side of the current 799 * Return the canonical name of the host in the other side of the current
892 * connection. The host name is cached, so it is efficient to call this 800 * connection. The host name is cached, so it is efficient to call this
893 * several times. 801 * several times.