authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2015-09-17 13:52:32 +0100
commit70b18066d3921277861e98902c9cf41a10ac6898 (patch)
tree0bfe9fa4fee0c290b5ff1bc1c2977048beecd37b /readconf.c
parent544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-09-17 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
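--- a/readconf.c
+++ b/readconf.c
@@ -147,6 +147,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -191,10 +193,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -892,10 +903,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1728,8 +1764,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)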
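Review bot: The `#else` branch of the keyword table in the second hunk has no `oUnsupported` entry for `gssapiserveridentity`, although `gssapikeyexchange`, `gssapitrustdns`, `gssapiclientidentity` and `gssapirenewalforcesrekey` each get one, so on a build without GSSAPI a config line `GSSAPIServerIdentity` would presumably be rejected as an unknown keyword while its sibling options are ignored as unsupported. Adding `{ "gssapiserveridentity", oUnsupported },` after the `gssapiclientidentity` line in that branch keeps the two branches in step. The defaults in the last hunk keep `gss_keyex`, `gss_trust_dns` and `gss_renewal_rekey` at 0 unless the user enables them, which is the right posture for options that widen pre-authentication behaviour or make principal resolution depend on DNS; a one-line comment above the `gss_trust_dns` default saying it is deliberately off because it trusts DNS for the target principal would make that intent explicit. The keyword table, the option switch and both option-initialising functions begin and end outside the hunks.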