authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-02-29 12:31:33 +0000
commit374db1757fc18bd6647539b80977e6907a2cecd4 (patch)
tree9fd8227bdf3548c6fcce1e72b7edf3ebaf71d050 /readconf.c
parentc52a95cc4754e6630c96fe65ae0c65eb41d2c590 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-01-04 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
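--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -193,10 +195,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -926,10 +937,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)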
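Review bot: The `#else` branch of the keyword table (new-side lines 204–211) registers every new GSSAPI keyword as oUnsupported except `gssapiserveridentity`, which only appears in the `#if defined(GSSAPI)` branch; on a build without GSSAPI a shared ssh_config that sets GSSAPIServerIdentity would therefore miss the table entirely, and if readconf treats an unmatched keyword as a bad option (the lookup is outside this hunk) the whole config is rejected rather than the option being ignored like its siblings. Add `{ "gssapiserveridentity", oUnsupported },` after the `gssapiclientidentity` entry in the `#else` branch. The enclosing `static struct` table starts and ends outside the hunk, as does the option-parsing switch in the third hunk. Separately, `gss_trust_dns` defaulting to 0 in fill_default_options is the right choice and worth a comment at that line, e.g. `/* Off by default: trusting DNS lets a spoofed reverse lookup pick the GSSAPI target principal */`, since the consumer of the flag is not in this file and the default is the only guard visible here.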