authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2017-03-29 01:38:38 +0100
commitd51c7ac3328464dec21514fb398ab5c140a0664f (patch)
tree4f1a2aa08e99303f62c71cba0b38899f050d1b3d /readconf.c
parent6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c43
1 files changed, 43 insertions, 0 deletions
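--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -196,10 +198,20 @@ static struct {
 	/* Sometimes-unsupported options */
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 # else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapiserveridentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
 	{ "smartcarddevice", oPKCS11Provider },
@@ -973,10 +985,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1798,7 +1830,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1942,8 +1979,14 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)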
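Review bot: The conservative defaults in the fill_default_options hunk (gss_keyex, gss_trust_dns and gss_renewal_rekey all forced to 0) carry no comment explaining why they are opt-in, even though the commit message itself quotes upstream's reason that GSSAPI key exchange is pre-authentication attack surface that reaches into root-owned system resources; that rationale belongs next to the knob, e.g. above the `if (options->gss_keyex == -1)` line: `/* GSSAPI KEX and DNS-derived target names are opt-in: KEX runs before authentication, and a name taken from DNS is only as trustworthy as the resolver. */`. The two new string options, gss_client_identity and gss_server_identity, are initialised to NULL in initialize_options but get no entry in fill_default_options, which is presumably intentional (NULL meaning "let the GSSAPI library pick"), so a one-line comment saying so would spare the next reader a search through the kex code. Both initialize_options and fill_default_options start and end outside the hunks shown.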