author | djm@openbsd.org <djm@openbsd.org> | 2015-05-22 03:50:02 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-05-22 20:02:17 +1000 |
commit | d7c31da4d42c115843edee2074d7d501f8804420 (patch) | |
tree | 9d41af43b92f502fcce33c184064daa712d941cc /gss-serv.c | |
parent | aa72196a00be6e0b666215edcffbc10af234cb0e (diff) |
upstream commit
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
Diffstat (limited to 'gss-serv.c')
-rw-r--r-- | gss-serv.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/gss-serv.c b/gss-serv.c index e7b8c5223..53993d674 100644 --- a/gss-serv.c +++ b/gss-serv.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ | 1 | /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -44,9 +44,12 @@ | |||
44 | #include "channels.h" | 44 | #include "channels.h" |
45 | #include "session.h" | 45 | #include "session.h" |
46 | #include "misc.h" | 46 | #include "misc.h" |
47 | #include "servconf.h" | ||
47 | 48 | ||
48 | #include "ssh-gss.h" | 49 | #include "ssh-gss.h" |
49 | 50 | ||
51 | extern ServerOptions options; | ||
52 | |||
50 | static ssh_gssapi_client gssapi_client = | 53 | static ssh_gssapi_client gssapi_client = |
51 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, | 54 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
52 | GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; | 55 | GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; |
@@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | |||
99 | char lname[NI_MAXHOST]; | 102 | char lname[NI_MAXHOST]; |
100 | gss_OID_set oidset; | 103 | gss_OID_set oidset; |
101 | 104 | ||
102 | gss_create_empty_oid_set(&status, &oidset); | 105 | if (options.gss_strict_acceptor) { |
103 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | 106 | gss_create_empty_oid_set(&status, &oidset); |
107 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
104 | 108 | ||
105 | if (gethostname(lname, sizeof(lname))) { | 109 | if (gethostname(lname, MAXHOSTNAMELEN)) { |
106 | gss_release_oid_set(&status, &oidset); | 110 | gss_release_oid_set(&status, &oidset); |
107 | return (-1); | 111 | return (-1); |
108 | } | 112 | } |
113 | |||
114 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
115 | gss_release_oid_set(&status, &oidset); | ||
116 | return (ctx->major); | ||
117 | } | ||
118 | |||
119 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
120 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
121 | NULL, NULL))) | ||
122 | ssh_gssapi_error(ctx); | ||
109 | 123 | ||
110 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
111 | gss_release_oid_set(&status, &oidset); | 124 | gss_release_oid_set(&status, &oidset); |
112 | return (ctx->major); | 125 | return (ctx->major); |
126 | } else { | ||
127 | ctx->name = GSS_C_NO_NAME; | ||
128 | ctx->creds = GSS_C_NO_CREDENTIAL; | ||
113 | } | 129 | } |
114 | 130 | return GSS_S_COMPLETE; | |
115 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
116 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
117 | ssh_gssapi_error(ctx); | ||
118 | |||
119 | gss_release_oid_set(&status, &oidset); | ||
120 | return (ctx->major); | ||
121 | } | 131 | } |
122 | 132 | ||
123 | /* Privileged */ | 133 | /* Privileged */ |
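Review bot: The new `gethostname(lname, MAXHOSTNAMELEN)` at new line 109 detaches the length argument from the buffer it writes into, which is still declared `char lname[NI_MAXHOST]` at new line 102; the removed `sizeof(lname)` kept the two tied together, and I would restore it: `if (gethostname(lname, sizeof(lname))) {`. On the platforms I am aware of MAXHOSTNAMELEN is not larger than NI_MAXHOST, so this is probably not an overflow today, but the bound now rests on two unrelated headers agreeing, and a truncated gethostname() result is not guaranteed to be NUL-terminated in either form. Separately, the `else` branch that sets `ctx->name = GSS_C_NO_NAME` and `ctx->creds = GSS_C_NO_CREDENTIAL` deserves a comment saying what relaxed mode means, since the page only hints at it through the commit message; something like `/* options.gss_strict_acceptor off: accept with whatever acceptor credential the keytab provides, without binding to this host's name (multihomed hosts) */`. ssh_gssapi_acquire_cred() begins before this hunk, so the declaration of `status` and the function's return convention are not visible here.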