GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-10-07 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-10-07 14:26:43 +0100
commit: 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 (patch)
tree: a67e7472f48242904e6a45732508822af63fd331 /monitor_wrap.c
parent: 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (diff)
1 files changed, 46 insertions, 1 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 45dc16951..e476f0dbc 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
+OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
+        Buffer m;
+        OM_uint32 major;
+        u_int len;
+        buffer_init(&m);
+        buffer_put_string(&m, data->value, data->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
+        major = buffer_get_int(&m);
+        hash->value = buffer_get_string(&m, &len);
+        hash->length = len;
+        buffer_free(&m);
+        return(major);
+}
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-10-07 14:26:43 +0100
commit	1c1b6fa17982eb622e2c4e8f4a279f2113f57413 (patch)
tree	a67e7472f48242904e6a45732508822af63fd331 /monitor_wrap.c
parent	487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index 45dc16951..e476f0dbc 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1281	}	1281	}
1282		1282
1283	int	1283	int
1284	mm_ssh_gssapi_userok(char *user)	1284	mm_ssh_gssapi_userok(char user, struct passwd pw)
1285	{	1285	{
1286	Buffer m;	1286	Buffer m;
1287	int authenticated = 0;	1287	int authenticated = 0;
@@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user)
1298	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	1298	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1299	return (authenticated);	1299	return (authenticated);
1300	}	1300	}
		1301
		1302	OM_uint32
		1303	mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
		1304	{
		1305	Buffer m;
		1306	OM_uint32 major;
		1307	u_int len;
		1308
		1309	buffer_init(&m);
		1310	buffer_put_string(&m, data->value, data->length);
		1311
		1312	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
		1313	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
		1314
		1315	major = buffer_get_int(&m);
		1316	hash->value = buffer_get_string(&m, &len);
		1317	hash->length = len;
		1318
		1319	buffer_free(&m);
		1320
		1321	return(major);
		1322	}
		1323
		1324	int
		1325	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		1326	{
		1327	Buffer m;
		1328	int ok;
		1329
		1330	buffer_init(&m);
		1331
		1332	buffer_put_cstring(&m, store->filename ? store->filename : "");
		1333	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		1334	buffer_put_cstring(&m, store->envval ? store->envval : "");
		1335
		1336	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		1337	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1338
		1339	ok = buffer_get_int(&m);
		1340
		1341	buffer_free(&m);
		1342
		1343	return (ok);
		1344	}
		1345
1301	#endif /* GSSAPI */	1346	#endif /* GSSAPI */
1302		1347