authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2018-10-20 22:54:00 +0100
commit72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 (patch)
tree2a3b57ae5446f4273804064ccc42659adfc2a3b2 /readconf.c
parent3d246f10429fc9a37b98eabef94fe8dc7c61002b (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2018-10-20 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c43
1 files changed, 43 insertions, 0 deletions
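--- a/readconf.c
+++ b/readconf.c
@@ -161,6 +161,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -201,10 +203,20 @@ static struct {
 	/* Sometimes-unsupported options */
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 # else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapiserveridentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
 	{ "smartcarddevice", oPKCS11Provider },
@@ -974,10 +986,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1842,7 +1874,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1988,8 +2025,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)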
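Review bot: The defaults added in fill_default_options (gss_keyex, gss_trust_dns and gss_renewal_rekey all fall back to 0) are the security-relevant decision in this patch — the commit message itself records that GSSAPI key exchange is pre-auth attack surface, and gssapitrustdns presumably lets the target principal be derived from DNS answers — yet nothing in the hunk says they must stay opt-in, so a later "enable by default" change would pass review unremarked. I would add above the `gss_keyex` check: `/* GSSAPI KEX and DNS-derived principals stay off unless the user enables them: both widen the unauthenticated attack surface. */`. The new string fields gss_client_identity and gss_server_identity get no default here, which is consistent with kbd_interactive_devices, but if this tree's readconf.c has a dump_client_config() routine (ssh -G), none of the five new options appear to be emitted by it, so an administrator cannot confirm the effective values; that routine is outside this diff and should be checked. fill_default_options continues outside the hunk.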