GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-11-29 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-11-29 17:36:18 +0000
commit: 09c4d9b7d41ab3c9973f07e0109e931f57c59c43 (patch)
tree: 238d7d86bfd8c0080d01fb55cef2ad37df46bd2e /monitor_wrap.c
parent: 651211fd4a199b299540c00c54a46e27fadb04be (diff)
1 files changed, 46 insertions, 1 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index eac421ba1..81ceddb8f 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
+OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
+        Buffer m;
+        OM_uint32 major;
+        u_int len;
+        buffer_init(&m);
+        buffer_put_string(&m, data->value, data->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
+        major = buffer_get_int(&m);
+        hash->value = buffer_get_string(&m, &len);
+        hash->length = len;
+        buffer_free(&m);
+        return(major);
+}
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-11-29 17:36:18 +0000
commit	09c4d9b7d41ab3c9973f07e0109e931f57c59c43 (patch)
tree	238d7d86bfd8c0080d01fb55cef2ad37df46bd2e /monitor_wrap.c
parent	651211fd4a199b299540c00c54a46e27fadb04be (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index eac421ba1..81ceddb8f 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1068	}	1068	}
1069		1069
1070	int	1070	int
1071	mm_ssh_gssapi_userok(char *user)	1071	mm_ssh_gssapi_userok(char user, struct passwd pw)
1072	{	1072	{
1073	Buffer m;	1073	Buffer m;
1074	int authenticated = 0;	1074	int authenticated = 0;
@@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user)
1085	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	1085	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1086	return (authenticated);	1086	return (authenticated);
1087	}	1087	}
		1088
		1089	OM_uint32
		1090	mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
		1091	{
		1092	Buffer m;
		1093	OM_uint32 major;
		1094	u_int len;
		1095
		1096	buffer_init(&m);
		1097	buffer_put_string(&m, data->value, data->length);
		1098
		1099	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
		1100	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
		1101
		1102	major = buffer_get_int(&m);
		1103	hash->value = buffer_get_string(&m, &len);
		1104	hash->length = len;
		1105
		1106	buffer_free(&m);
		1107
		1108	return(major);
		1109	}
		1110
		1111	int
		1112	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		1113	{
		1114	Buffer m;
		1115	int ok;
		1116
		1117	buffer_init(&m);
		1118
		1119	buffer_put_cstring(&m, store->filename ? store->filename : "");
		1120	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		1121	buffer_put_cstring(&m, store->envval ? store->envval : "");
		1122
		1123	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		1124	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1125
		1126	ok = buffer_get_int(&m);
		1127
		1128	buffer_free(&m);
		1129
		1130	return (ok);
		1131	}
		1132
1088	#endif /* GSSAPI */	1133	#endif /* GSSAPI */
1089		1134