GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2018-04-03 08:20:56 +0100
commit: cb427e23bf78d65407c78d868c4ef525dbfaa68f (patch)
tree: 595fd02db7d37d885ce1d309f50c6b9698ed4243 /monitor_wrap.c
parent: ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 (diff)
1 files changed, 46 insertions, 1 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 9666bda4b..e749efc18 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
+OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
+        Buffer m;
+        OM_uint32 major;
+        u_int len;
+        buffer_init(&m);
+        buffer_put_string(&m, data->value, data->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
+        major = buffer_get_int(&m);
+        hash->value = buffer_get_string(&m, &len);
+        hash->length = len;
+        buffer_free(&m);
+        return(major);
+}
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2018-04-03 08:20:56 +0100
commit	cb427e23bf78d65407c78d868c4ef525dbfaa68f (patch)
tree	595fd02db7d37d885ce1d309f50c6b9698ed4243 /monitor_wrap.c
parent	ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index 9666bda4b..e749efc18 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
943	}	943	}
944		944
945	int	945	int
946	mm_ssh_gssapi_userok(char *user)	946	mm_ssh_gssapi_userok(char user, struct passwd pw)
947	{	947	{
948	Buffer m;	948	Buffer m;
949	int authenticated = 0;	949	int authenticated = 0;
@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
960	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	960	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
961	return (authenticated);	961	return (authenticated);
962	}	962	}
		963
		964	OM_uint32
		965	mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
		966	{
		967	Buffer m;
		968	OM_uint32 major;
		969	u_int len;
		970
		971	buffer_init(&m);
		972	buffer_put_string(&m, data->value, data->length);
		973
		974	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
		975	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
		976
		977	major = buffer_get_int(&m);
		978	hash->value = buffer_get_string(&m, &len);
		979	hash->length = len;
		980
		981	buffer_free(&m);
		982
		983	return(major);
		984	}
		985
		986	int
		987	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		988	{
		989	Buffer m;
		990	int ok;
		991
		992	buffer_init(&m);
		993
		994	buffer_put_cstring(&m, store->filename ? store->filename : "");
		995	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		996	buffer_put_cstring(&m, store->envval ? store->envval : "");
		997
		998	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		999	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1000
		1001	ok = buffer_get_int(&m);
		1002
		1003	buffer_free(&m);
		1004
		1005	return (ok);
		1006	}
		1007
963	#endif /* GSSAPI */	1008	#endif /* GSSAPI */
964		1009