GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-03-19 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-03-20 00:24:48 +0000
commit: 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd (patch)
tree: 3a19744ef1cf261141a522e13f75abbb3b7dba4b /monitor_wrap.c
parent: 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff)
1 files changed, 46 insertions, 1 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 1a47e4174..60b987dce 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
+OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
+        Buffer m;
+        OM_uint32 major;
+        u_int len;
+        buffer_init(&m);
+        buffer_put_string(&m, data->value, data->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
+        major = buffer_get_int(&m);
+        hash->value = buffer_get_string(&m, &len);
+        hash->length = len;
+        buffer_free(&m);
+        return(major);
+}
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-03-20 00:24:48 +0000
commit	9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd (patch)
tree	3a19744ef1cf261141a522e13f75abbb3b7dba4b /monitor_wrap.c
parent	796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index 1a47e4174..60b987dce 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1271	}	1271	}
1272		1272
1273	int	1273	int
1274	mm_ssh_gssapi_userok(char *user)	1274	mm_ssh_gssapi_userok(char user, struct passwd pw)
1275	{	1275	{
1276	Buffer m;	1276	Buffer m;
1277	int authenticated = 0;	1277	int authenticated = 0;
@@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user)
1288	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	1288	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1289	return (authenticated);	1289	return (authenticated);
1290	}	1290	}
		1291
		1292	OM_uint32
		1293	mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
		1294	{
		1295	Buffer m;
		1296	OM_uint32 major;
		1297	u_int len;
		1298
		1299	buffer_init(&m);
		1300	buffer_put_string(&m, data->value, data->length);
		1301
		1302	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
		1303	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
		1304
		1305	major = buffer_get_int(&m);
		1306	hash->value = buffer_get_string(&m, &len);
		1307	hash->length = len;
		1308
		1309	buffer_free(&m);
		1310
		1311	return(major);
		1312	}
		1313
		1314	int
		1315	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		1316	{
		1317	Buffer m;
		1318	int ok;
		1319
		1320	buffer_init(&m);
		1321
		1322	buffer_put_cstring(&m, store->filename ? store->filename : "");
		1323	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		1324	buffer_put_cstring(&m, store->envval ? store->envval : "");
		1325
		1326	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		1327	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1328
		1329	ok = buffer_get_int(&m);
		1330
		1331	buffer_free(&m);
		1332
		1333	return (ok);
		1334	}
		1335
1291	#endif /* GSSAPI */	1336	#endif /* GSSAPI */
1292		1337