summaryrefslogtreecommitdiff
path: root/gss-serv.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-05-22 03:50:02 +0000
committerDamien Miller <djm@mindrot.org>2015-05-22 20:02:17 +1000
commitd7c31da4d42c115843edee2074d7d501f8804420 (patch)
tree9d41af43b92f502fcce33c184064daa712d941cc /gss-serv.c
parentaa72196a00be6e0b666215edcffbc10af234cb0e (diff)
upstream commit
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
Diffstat (limited to 'gss-serv.c')
-rw-r--r--gss-serv.c40
1 files changed, 25 insertions, 15 deletions
diff --git a/gss-serv.c b/gss-serv.c
index e7b8c5223..53993d674 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ 1/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -44,9 +44,12 @@
44#include "channels.h" 44#include "channels.h"
45#include "session.h" 45#include "session.h"
46#include "misc.h" 46#include "misc.h"
47#include "servconf.h"
47 48
48#include "ssh-gss.h" 49#include "ssh-gss.h"
49 50
51extern ServerOptions options;
52
50static ssh_gssapi_client gssapi_client = 53static ssh_gssapi_client gssapi_client =
51 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, 54 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
52 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; 55 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
99 char lname[NI_MAXHOST]; 102 char lname[NI_MAXHOST];
100 gss_OID_set oidset; 103 gss_OID_set oidset;
101 104
102 gss_create_empty_oid_set(&status, &oidset); 105 if (options.gss_strict_acceptor) {
103 gss_add_oid_set_member(&status, ctx->oid, &oidset); 106 gss_create_empty_oid_set(&status, &oidset);
107 gss_add_oid_set_member(&status, ctx->oid, &oidset);
104 108
105 if (gethostname(lname, sizeof(lname))) { 109 if (gethostname(lname, MAXHOSTNAMELEN)) {
106 gss_release_oid_set(&status, &oidset); 110 gss_release_oid_set(&status, &oidset);
107 return (-1); 111 return (-1);
108 } 112 }
113
114 if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
115 gss_release_oid_set(&status, &oidset);
116 return (ctx->major);
117 }
118
119 if ((ctx->major = gss_acquire_cred(&ctx->minor,
120 ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
121 NULL, NULL)))
122 ssh_gssapi_error(ctx);
109 123
110 if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
111 gss_release_oid_set(&status, &oidset); 124 gss_release_oid_set(&status, &oidset);
112 return (ctx->major); 125 return (ctx->major);
126 } else {
127 ctx->name = GSS_C_NO_NAME;
128 ctx->creds = GSS_C_NO_CREDENTIAL;
113 } 129 }
114 130 return GSS_S_COMPLETE;
115 if ((ctx->major = gss_acquire_cred(&ctx->minor,
116 ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
117 ssh_gssapi_error(ctx);
118
119 gss_release_oid_set(&status, &oidset);
120 return (ctx->major);
121} 131}
122 132
123/* Privileged */ 133/* Privileged */