authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2017-10-04 13:54:43 +0100
commit4e70490950e5c5134df48848affaf73685bf0284 (patch)
tree59de097e770693fb1f81268e85f7802df32cb58e /readconf.c
parent62f54f20bf351468e0124f63cc2902ee40d9b0e9 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c43
1 files changed, 43 insertions, 0 deletions
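--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -199,10 +201,20 @@ static struct {
 	/* Sometimes-unsupported options */
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 # else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapiserveridentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
 	{ "smartcarddevice", oPKCS11Provider },
@@ -976,10 +988,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1790,7 +1822,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1930,8 +1967,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)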
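Review bot: The two new heap-backed string options, gss_client_identity and gss_server_identity, are initialised to NULL in initialize_options but no hunk in this diff releases them alongside the other string options, so if readconf.c has an options teardown routine (not visible here) these strings would presumably leak; confirm and add the matching free. The fill_default_options hunk leaves all four new GSSAPI flags off by default, which is the right conservative choice given the description's point that GSSAPI key exchange is pre-auth attack surface, but nothing in the file records that intent; a comment such as `/* GSSAPI KEX, DNS trust and renewal-rekey are off unless explicitly enabled */` above `if (options->gss_keyex == -1)` would make the safe default deliberate rather than incidental. Note also that gss_keyex is defaulted independently of gss_authentication, so whether a KEX-only configuration is meaningful is decided outside this file. Both initialize_options and fill_default_options continue outside the hunks.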