summaryrefslogtreecommitdiff
path: root/kex.c
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2018-08-24 17:49:04 +0100
commite6c7c11ac2576ac62334616bd4408bf64140bba7 (patch)
tree0625a34b2eafa6425602cb8c7185fbddc2d05fd7 /kex.c
parente6547182a54f0f268ee36e7c99319eeddffbaff2 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2018-08-24 Patch-Name: gssapi.patch
Diffstat (limited to 'kex.c')
-rw-r--r--kex.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/kex.c b/kex.c
index 25f9f66f6..fb5bfaea5 100644
--- a/kex.c
+++ b/kex.c
@@ -54,6 +54,10 @@
54#include "sshbuf.h" 54#include "sshbuf.h"
55#include "digest.h" 55#include "digest.h"
56 56
57#ifdef GSSAPI
58#include "ssh-gss.h"
59#endif
60
57/* prototype */ 61/* prototype */
58static int kex_choose_conf(struct ssh *); 62static int kex_choose_conf(struct ssh *);
59static int kex_input_newkeys(int, u_int32_t, struct ssh *); 63static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
105#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ 109#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
106 { NULL, -1, -1, -1}, 110 { NULL, -1, -1, -1},
107}; 111};
112static const struct kexalg kexalg_prefixes[] = {
113#ifdef GSSAPI
114 { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
115 { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
116 { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
117#endif
118 { NULL, -1, -1, -1 },
119};
108 120
109char * 121char *
110kex_alg_list(char sep) 122kex_alg_list(char sep)
@@ -137,6 +149,10 @@ kex_alg_by_name(const char *name)
137 if (strcmp(k->name, name) == 0) 149 if (strcmp(k->name, name) == 0)
138 return k; 150 return k;
139 } 151 }
152 for (k = kexalg_prefixes; k->name != NULL; k++) {
153 if (strncmp(k->name, name, strlen(k->name)) == 0)
154 return k;
155 }
140 return NULL; 156 return NULL;
141} 157}
142 158
@@ -653,6 +669,9 @@ kex_free(struct kex *kex)
653 sshbuf_free(kex->peer); 669 sshbuf_free(kex->peer);
654 sshbuf_free(kex->my); 670 sshbuf_free(kex->my);
655 free(kex->session_id); 671 free(kex->session_id);
672#ifdef GSSAPI
673 free(kex->gss_host);
674#endif /* GSSAPI */
656 free(kex->client_version_string); 675 free(kex->client_version_string);
657 free(kex->server_version_string); 676 free(kex->server_version_string);
658 free(kex->failed_choice); 677 free(kex->failed_choice);