GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-03-29 01:38:38 +0100
commit: d51c7ac3328464dec21514fb398ab5c140a0664f (patch)
tree: 4f1a2aa08e99303f62c71cba0b38899f050d1b3d /readconf.c
parent: 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff)
1 files changed, 43 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index 9d59493f0..00d9cc302 100644
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, 
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -196,10 +198,20 @@ static struct {
        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
 # else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
        { "smartcarddevice", oPKCS11Provider },
@@ -973,10 +985,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1798,7 +1830,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -1942,8 +1979,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-03-29 01:38:38 +0100
commit	d51c7ac3328464dec21514fb398ab5c140a0664f (patch)
tree	4f1a2aa08e99303f62c71cba0b38899f050d1b3d /readconf.c
parent	6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff)

diff --git a/readconf.c b/readconf.c index 9d59493f0..00d9cc302 100644 --- a/readconf.c +++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		163	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		164	oGssServerIdentity,
163	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	165	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
164	oSendEnv, oControlPath, oControlMaster, oControlPersist,	166	oSendEnv, oControlPath, oControlMaster, oControlPersist,
165	oHashKnownHosts,	167	oHashKnownHosts,
@@ -196,10 +198,20 @@ static struct {
196	/* Sometimes-unsupported options */	198	/* Sometimes-unsupported options */
197	#if defined(GSSAPI)	199	#if defined(GSSAPI)
198	{ "gssapiauthentication", oGssAuthentication },	200	{ "gssapiauthentication", oGssAuthentication },
		201	{ "gssapikeyexchange", oGssKeyEx },
199	{ "gssapidelegatecredentials", oGssDelegateCreds },	202	{ "gssapidelegatecredentials", oGssDelegateCreds },
		203	{ "gssapitrustdns", oGssTrustDns },
		204	{ "gssapiclientidentity", oGssClientIdentity },
		205	{ "gssapiserveridentity", oGssServerIdentity },
		206	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
200	# else	207	# else
201	{ "gssapiauthentication", oUnsupported },	208	{ "gssapiauthentication", oUnsupported },
		209	{ "gssapikeyexchange", oUnsupported },
202	{ "gssapidelegatecredentials", oUnsupported },	210	{ "gssapidelegatecredentials", oUnsupported },
		211	{ "gssapitrustdns", oUnsupported },
		212	{ "gssapiclientidentity", oUnsupported },
		213	{ "gssapiserveridentity", oUnsupported },
		214	{ "gssapirenewalforcesrekey", oUnsupported },
203	#endif	215	#endif
204	#ifdef ENABLE_PKCS11	216	#ifdef ENABLE_PKCS11
205	{ "smartcarddevice", oPKCS11Provider },	217	{ "smartcarddevice", oPKCS11Provider },
@@ -973,10 +985,30 @@ parse_time:
973	intptr = &options->gss_authentication;	985	intptr = &options->gss_authentication;
974	goto parse_flag;	986	goto parse_flag;
975		987
		988	case oGssKeyEx:
		989	intptr = &options->gss_keyex;
		990	goto parse_flag;
		991
976	case oGssDelegateCreds:	992	case oGssDelegateCreds:
977	intptr = &options->gss_deleg_creds;	993	intptr = &options->gss_deleg_creds;
978	goto parse_flag;	994	goto parse_flag;
979		995
		996	case oGssTrustDns:
		997	intptr = &options->gss_trust_dns;
		998	goto parse_flag;
		999
		1000	case oGssClientIdentity:
		1001	charptr = &options->gss_client_identity;
		1002	goto parse_string;
		1003
		1004	case oGssServerIdentity:
		1005	charptr = &options->gss_server_identity;
		1006	goto parse_string;
		1007
		1008	case oGssRenewalRekey:
		1009	intptr = &options->gss_renewal_rekey;
		1010	goto parse_flag;
		1011
980	case oBatchMode:	1012	case oBatchMode:
981	intptr = &options->batch_mode;	1013	intptr = &options->batch_mode;
982	goto parse_flag;	1014	goto parse_flag;
@@ -1798,7 +1830,12 @@ initialize_options(Options * options)
1798	options->pubkey_authentication = -1;	1830	options->pubkey_authentication = -1;
1799	options->challenge_response_authentication = -1;	1831	options->challenge_response_authentication = -1;
1800	options->gss_authentication = -1;	1832	options->gss_authentication = -1;
		1833	options->gss_keyex = -1;
1801	options->gss_deleg_creds = -1;	1834	options->gss_deleg_creds = -1;
		1835	options->gss_trust_dns = -1;
		1836	options->gss_renewal_rekey = -1;
		1837	options->gss_client_identity = NULL;
		1838	options->gss_server_identity = NULL;
1802	options->password_authentication = -1;	1839	options->password_authentication = -1;
1803	options->kbd_interactive_authentication = -1;	1840	options->kbd_interactive_authentication = -1;
1804	options->kbd_interactive_devices = NULL;	1841	options->kbd_interactive_devices = NULL;
@@ -1942,8 +1979,14 @@ fill_default_options(Options * options)
1942	options->challenge_response_authentication = 1;	1979	options->challenge_response_authentication = 1;
1943	if (options->gss_authentication == -1)	1980	if (options->gss_authentication == -1)
1944	options->gss_authentication = 0;	1981	options->gss_authentication = 0;
		1982	if (options->gss_keyex == -1)
		1983	options->gss_keyex = 0;
1945	if (options->gss_deleg_creds == -1)	1984	if (options->gss_deleg_creds == -1)
1946	options->gss_deleg_creds = 0;	1985	options->gss_deleg_creds = 0;
		1986	if (options->gss_trust_dns == -1)
		1987	options->gss_trust_dns = 0;
		1988	if (options->gss_renewal_rekey == -1)
		1989	options->gss_renewal_rekey = 0;
1947	if (options->password_authentication == -1)	1990	if (options->password_authentication == -1)
1948	options->password_authentication = 1;	1991	options->password_authentication = 1;
1949	if (options->kbd_interactive_authentication == -1)	1992	if (options->kbd_interactive_authentication == -1)