summaryrefslogtreecommitdiff
path: root/clientloop.c
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2018-10-20 22:54:00 +0100
commit72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 (patch)
tree2a3b57ae5446f4273804064ccc42659adfc2a3b2 /clientloop.c
parent3d246f10429fc9a37b98eabef94fe8dc7c61002b (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2018-10-20 Patch-Name: gssapi.patch
Diffstat (limited to 'clientloop.c')
-rw-r--r--clientloop.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/clientloop.c b/clientloop.c
index 8d312cdaa..1464634b0 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -112,6 +112,10 @@
112#include "ssherr.h" 112#include "ssherr.h"
113#include "hostfile.h" 113#include "hostfile.h"
114 114
115#ifdef GSSAPI
116#include "ssh-gss.h"
117#endif
118
115/* import options */ 119/* import options */
116extern Options options; 120extern Options options;
117 121
@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
1370 break; 1374 break;
1371 1375
1372 /* Do channel operations unless rekeying in progress. */ 1376 /* Do channel operations unless rekeying in progress. */
1373 if (!ssh_packet_is_rekeying(ssh)) 1377 if (!ssh_packet_is_rekeying(ssh)) {
1374 channel_after_select(ssh, readset, writeset); 1378 channel_after_select(ssh, readset, writeset);
1375 1379
1380#ifdef GSSAPI
1381 if (options.gss_renewal_rekey &&
1382 ssh_gssapi_credentials_updated(NULL)) {
1383 debug("credentials updated - forcing rekey");
1384 need_rekeying = 1;
1385 }
1386#endif
1387 }
1388
1376 /* Buffer input from the connection. */ 1389 /* Buffer input from the connection. */
1377 client_process_net_input(readset); 1390 client_process_net_input(readset);
1378 1391