GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-08-07 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-08-07 12:18:35 +0100
commit: eecddf8b72fcad83ccca43b1badb03782704f6b7 (patch)
tree: fd0046825c8d42bd267afa7839d5603b130cf847 /monitor_wrap.c
parent: a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)
1 files changed, 46 insertions, 1 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 99dc13b61..5a9f1b52d 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1073,7 +1073,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -1090,5 +1090,50 @@ mm_ssh_gssapi_userok(char *user)
        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
        return (authenticated);
 }
+OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
+        Buffer m;
+        OM_uint32 major;
+        u_int len;
+        buffer_init(&m);
+        buffer_put_string(&m, data->value, data->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
+        major = buffer_get_int(&m);
+        hash->value = buffer_get_string(&m, &len);
+        hash->length = len;
+        buffer_free(&m);
+        return(major);
+}
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-08-07 12:18:35 +0100
commit	eecddf8b72fcad83ccca43b1badb03782704f6b7 (patch)
tree	fd0046825c8d42bd267afa7839d5603b130cf847 /monitor_wrap.c
parent	a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index 99dc13b61..5a9f1b52d 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1073,7 +1073,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1073	}	1073	}
1074		1074
1075	int	1075	int
1076	mm_ssh_gssapi_userok(char *user)	1076	mm_ssh_gssapi_userok(char user, struct passwd pw)
1077	{	1077	{
1078	Buffer m;	1078	Buffer m;
1079	int authenticated = 0;	1079	int authenticated = 0;
@@ -1090,5 +1090,50 @@ mm_ssh_gssapi_userok(char *user)
1090	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");	1090	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
1091	return (authenticated);	1091	return (authenticated);
1092	}	1092	}
		1093
		1094	OM_uint32
		1095	mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
		1096	{
		1097	Buffer m;
		1098	OM_uint32 major;
		1099	u_int len;
		1100
		1101	buffer_init(&m);
		1102	buffer_put_string(&m, data->value, data->length);
		1103
		1104	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
		1105	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
		1106
		1107	major = buffer_get_int(&m);
		1108	hash->value = buffer_get_string(&m, &len);
		1109	hash->length = len;
		1110
		1111	buffer_free(&m);
		1112
		1113	return(major);
		1114	}
		1115
		1116	int
		1117	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		1118	{
		1119	Buffer m;
		1120	int ok;
		1121
		1122	buffer_init(&m);
		1123
		1124	buffer_put_cstring(&m, store->filename ? store->filename : "");
		1125	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		1126	buffer_put_cstring(&m, store->envval ? store->envval : "");
		1127
		1128	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		1129	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1130
		1131	ok = buffer_get_int(&m);
		1132
		1133	buffer_free(&m);
		1134
		1135	return (ok);
		1136	}
		1137
1093	#endif /* GSSAPI */	1138	#endif /* GSSAPI */
1094		1139