authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-03-19 16:39:52 +0000
commit429c595dbaff7f7c2b3a53fe4235211f6d788025 (patch)
tree085cf7273c133b74238c968c9c9f591f8fb0308e /readconf.c
parent9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-03-19 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
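diff --git a/readconf.c b/readconf.c
index 9c7e73d7d..cb8bcb2cf 100644
--- a/readconf.c
+++ b/readconf.c
@@ -140,6 +140,8 @@ typedef enum {
  oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+ oGssServerIdentity,
  oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  oSendEnv, oControlPath, oControlMaster, oControlPersist,
  oHashKnownHosts,
@@ -182,10 +184,19 @@ static struct {
  { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
  { "gssapiauthentication", oGssAuthentication },
+ { "gssapikeyexchange", oGssKeyEx },
  { "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
+ { "gssapiclientidentity", oGssClientIdentity },
+ { "gssapiserveridentity", oGssServerIdentity },
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
  { "gssapiauthentication", oUnsupported },
+ { "gssapikeyexchange", oUnsupported },
  { "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
+ { "gssapiclientidentity", oUnsupported },
+ { "gssapirenewalforcesrekey", oUnsupported },
 #endif
  { "fallbacktorsh", oDeprecated },
  { "usersh", oDeprecated },
@@ -839,10 +850,30 @@ parse_time:
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case oGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case oGssDelegateCreds:
  intptr = &options->gss_deleg_creds;
  goto parse_flag;
 
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
+ case oGssClientIdentity:
+ charptr = &options->gss_client_identity;
+ goto parse_string;
+
+ case oGssServerIdentity:
+ charptr = &options->gss_server_identity;
+ goto parse_string;
+
+ case oGssRenewalRekey:
+ intptr = &options->gss_renewal_rekey;
+ goto parse_flag;
+
  case oBatchMode:
  intptr = &options->batch_mode;
  goto parse_flag;
@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
  options->pubkey_authentication = -1;
  options->challenge_response_authentication = -1;
  options->gss_authentication = -1;
+ options->gss_keyex = -1;
  options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
+ options->gss_renewal_rekey = -1;
+ options->gss_client_identity = NULL;
+ options->gss_server_identity = NULL;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->kbd_interactive_devices = NULL;
@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
  options->challenge_response_authentication = 1;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_deleg_creds == -1)
  options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
+ if (options->gss_renewal_rekey == -1)
+ options->gss_renewal_rekey = 0;
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)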