summaryrefslogtreecommitdiff
path: root/kex.h
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2017-01-16 15:02:41 +0000
commit48fbb156bdc676fb6ba6817770e4e971fbf85b1f (patch)
treef35c67c09472bddc3337b1c74b0cb6a1d9b58670 /kex.h
parent971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
Diffstat (limited to 'kex.h')
-rw-r--r--kex.h14
1 files changed, 14 insertions, 0 deletions
diff --git a/kex.h b/kex.h
index 3794f2127..fd56171d2 100644
--- a/kex.h
+++ b/kex.h
@@ -99,6 +99,9 @@ enum kex_exchange {
99 KEX_DH_GEX_SHA256, 99 KEX_DH_GEX_SHA256,
100 KEX_ECDH_SHA2, 100 KEX_ECDH_SHA2,
101 KEX_C25519_SHA256, 101 KEX_C25519_SHA256,
102 KEX_GSS_GRP1_SHA1,
103 KEX_GSS_GRP14_SHA1,
104 KEX_GSS_GEX_SHA1,
102 KEX_MAX 105 KEX_MAX
103}; 106};
104 107
@@ -147,6 +150,12 @@ struct kex {
147 u_int flags; 150 u_int flags;
148 int hash_alg; 151 int hash_alg;
149 int ec_nid; 152 int ec_nid;
153#ifdef GSSAPI
154 int gss_deleg_creds;
155 int gss_trust_dns;
156 char *gss_host;
157 char *gss_client;
158#endif
150 char *client_version_string; 159 char *client_version_string;
151 char *server_version_string; 160 char *server_version_string;
152 char *failed_choice; 161 char *failed_choice;
@@ -197,6 +206,11 @@ int kexecdh_server(struct ssh *);
197int kexc25519_client(struct ssh *); 206int kexc25519_client(struct ssh *);
198int kexc25519_server(struct ssh *); 207int kexc25519_server(struct ssh *);
199 208
209#ifdef GSSAPI
210int kexgss_client(struct ssh *);
211int kexgss_server(struct ssh *);
212#endif
213
200int kex_dh_hash(int, const char *, const char *, 214int kex_dh_hash(int, const char *, const char *,
201 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, 215 const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
202 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); 216 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);