- markus@cvs.openbsd.org 2003/08/22 10:56:09

[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
author: Darren Tucker <dtucker@zip.com.au> 2003-08-26 11:49:55 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2003-08-26 11:49:55 +1000
commit: 0efd155c3c184f0eaa2e1eb244eaaf066e6906e0 (patch)
tree: 10f24586373d825d68cefd4a3746fe738cf0614a /monitor.c
parent: 30912f7259b771a1cf705c0bc47a6c3f3edffb43 (diff)
1 files changed, 90 insertions, 2 deletions
diff --git a/monitor.c b/monitor.c
index 80b1a8fba..f90a90461 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.46 2003/08/22 10:56:09 markus Exp $");
 #include <openssl/dh.h>
@@ -59,6 +59,11 @@ RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
 #include "ssh2.h"
 #include "mpaux.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+static Gssctxt *gsscontext = NULL;
+#endif
 /* Imports */
 extern ServerOptions options;
 extern u_int utmp_len;
@@ -128,6 +133,11 @@ int mm_answer_pam_free_ctx(int, Buffer *);
 #ifdef KRB5
 int mm_answer_krb5(int, Buffer *);
 #endif
+#ifdef GSSAPI
+int mm_answer_gss_setup_ctx(int, Buffer *);
+int mm_answer_gss_accept_ctx(int, Buffer *);
+int mm_answer_gss_userok(int, Buffer *);
+#endif
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
@@ -185,6 +195,11 @@ struct mon_table mon_dispatch_proto20[] = {
 #ifdef KRB5
    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+#endif
    {0, 0, NULL}
 };
@@ -357,7 +372,6 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1769,3 +1783,77 @@ monitor_reinit(struct monitor *mon)
        mon->m_recvfd = pair[0];
        mon->m_sendfd = pair[1];
 }
+#ifdef GSSAPI
+int
+mm_answer_gss_setup_ctx(int socket, Buffer *m)
+{
+        gss_OID_desc oid;
+        OM_uint32 major;
+        u_int len;
+        oid.elements = buffer_get_string(m, &len);
+        oid.length = len;
+        major = ssh_gssapi_server_ctx(&gsscontext, &oid);
+        xfree(oid.elements);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        mm_request_send(socket,MONITOR_ANS_GSSSETUP, m);
+        /* Now we have a context, enable the step */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
+        return (0);
+}
+int
+mm_answer_gss_accept_ctx(int socket, Buffer *m)
+{
+        gss_buffer_desc in;
+        gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major,minor;
+        OM_uint32 flags = 0; /* GSI needs this */
+        in.value = buffer_get_string(m, &in.length);
+        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
+        xfree(in.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, out.value, out.length);
+        buffer_put_int(m, flags);
+        mm_request_send(socket, MONITOR_ANS_GSSSTEP, m);
+        gss_release_buffer(&minor, &out);
+        /* Complete - now we can do signing */
+        if (major==GSS_S_COMPLETE) {
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+        }
+        return (0);
+}
+int
+mm_answer_gss_userok(int socket, Buffer *m)
+{
+        int authenticated;
+        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        buffer_clear(m);
+        buffer_put_int(m, authenticated);
+        debug3("%s: sending result %d", __func__, authenticated);
+        mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
+        auth_method="gssapi";
+        /* Monitor loop will terminate if authenticated */
+        return (authenticated);
+}
+#endif /* GSSAPI */
author	Darren Tucker <dtucker@zip.com.au>	2003-08-26 11:49:55 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2003-08-26 11:49:55 +1000
commit	0efd155c3c184f0eaa2e1eb244eaaf066e6906e0 (patch)
tree	10f24586373d825d68cefd4a3746fe738cf0614a /monitor.c
parent	30912f7259b771a1cf705c0bc47a6c3f3edffb43 (diff)

diff --git a/monitor.c b/monitor.c index 80b1a8fba..f90a90461 100644 --- a/monitor.c +++ b/monitor.c
@@ -25,7 +25,7 @@
25	*/	25	*/
26		26
27	#include "includes.h"	27	#include "includes.h"
28	RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");	28	RCSID("$OpenBSD: monitor.c,v 1.46 2003/08/22 10:56:09 markus Exp $");
29		29
30	#include <openssl/dh.h>	30	#include <openssl/dh.h>
31		31
@@ -59,6 +59,11 @@ RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
59	#include "ssh2.h"	59	#include "ssh2.h"
60	#include "mpaux.h"	60	#include "mpaux.h"
61		61
		62	#ifdef GSSAPI
		63	#include "ssh-gss.h"
		64	static Gssctxt *gsscontext = NULL;
		65	#endif
		66
62	/* Imports */	67	/* Imports */
63	extern ServerOptions options;	68	extern ServerOptions options;
64	extern u_int utmp_len;	69	extern u_int utmp_len;
@@ -128,6 +133,11 @@ int mm_answer_pam_free_ctx(int, Buffer *);
128	#ifdef KRB5	133	#ifdef KRB5
129	int mm_answer_krb5(int, Buffer *);	134	int mm_answer_krb5(int, Buffer *);
130	#endif	135	#endif
		136	#ifdef GSSAPI
		137	int mm_answer_gss_setup_ctx(int, Buffer *);
		138	int mm_answer_gss_accept_ctx(int, Buffer *);
		139	int mm_answer_gss_userok(int, Buffer *);
		140	#endif
131		141
132	static Authctxt *authctxt;	142	static Authctxt *authctxt;
133	static BIGNUM ssh1_challenge = NULL; / used for ssh1 rsa auth */	143	static BIGNUM ssh1_challenge = NULL; / used for ssh1 rsa auth */
@@ -185,6 +195,11 @@ struct mon_table mon_dispatch_proto20[] = {
185	#ifdef KRB5	195	#ifdef KRB5
186	{MONITOR_REQ_KRB5, MON_ONCE\|MON_AUTH, mm_answer_krb5},	196	{MONITOR_REQ_KRB5, MON_ONCE\|MON_AUTH, mm_answer_krb5},
187	#endif	197	#endif
		198	#ifdef GSSAPI
		199	{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
		200	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
		201	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
		202	#endif
188	{0, 0, NULL}	203	{0, 0, NULL}
189	};	204	};
190		205
@@ -357,7 +372,6 @@ monitor_child_postauth(struct monitor *pmonitor)
357	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	372	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
358	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	373	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
359	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	374	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
360
361	} else {	375	} else {
362	mon_dispatch = mon_dispatch_postauth15;	376	mon_dispatch = mon_dispatch_postauth15;
363	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	377	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1769,3 +1783,77 @@ monitor_reinit(struct monitor *mon)
1769	mon->m_recvfd = pair[0];	1783	mon->m_recvfd = pair[0];
1770	mon->m_sendfd = pair[1];	1784	mon->m_sendfd = pair[1];
1771	}	1785	}
		1786
		1787	#ifdef GSSAPI
		1788	int
		1789	mm_answer_gss_setup_ctx(int socket, Buffer *m)
		1790	{
		1791	gss_OID_desc oid;
		1792	OM_uint32 major;
		1793	u_int len;
		1794
		1795	oid.elements = buffer_get_string(m, &len);
		1796	oid.length = len;
		1797
		1798	major = ssh_gssapi_server_ctx(&gsscontext, &oid);
		1799
		1800	xfree(oid.elements);
		1801
		1802	buffer_clear(m);
		1803	buffer_put_int(m, major);
		1804
		1805	mm_request_send(socket,MONITOR_ANS_GSSSETUP, m);
		1806
		1807	/* Now we have a context, enable the step */
		1808	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
		1809
		1810	return (0);
		1811	}
		1812
		1813	int
		1814	mm_answer_gss_accept_ctx(int socket, Buffer *m)
		1815	{
		1816	gss_buffer_desc in;
		1817	gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
		1818	OM_uint32 major,minor;
		1819	OM_uint32 flags = 0; /* GSI needs this */
		1820
		1821	in.value = buffer_get_string(m, &in.length);
		1822	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
		1823	xfree(in.value);
		1824
		1825	buffer_clear(m);
		1826	buffer_put_int(m, major);
		1827	buffer_put_string(m, out.value, out.length);
		1828	buffer_put_int(m, flags);
		1829	mm_request_send(socket, MONITOR_ANS_GSSSTEP, m);
		1830
		1831	gss_release_buffer(&minor, &out);
		1832
		1833	/* Complete - now we can do signing */
		1834	if (major==GSS_S_COMPLETE) {
		1835	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
		1836	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
		1837	}
		1838	return (0);
		1839	}
		1840
		1841	int
		1842	mm_answer_gss_userok(int socket, Buffer *m)
		1843	{
		1844	int authenticated;
		1845
		1846	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
		1847
		1848	buffer_clear(m);
		1849	buffer_put_int(m, authenticated);
		1850
		1851	debug3("%s: sending result %d", __func__, authenticated);
		1852	mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
		1853
		1854	auth_method="gssapi";
		1855
		1856	/* Monitor loop will terminate if authenticated */
		1857	return (authenticated);
		1858	}
		1859	#endif /* GSSAPI */