authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-08-07 12:18:35 +0100
commiteecddf8b72fcad83ccca43b1badb03782704f6b7 (patch)
treefd0046825c8d42bd267afa7839d5603b130cf847 /readconf.c
parenta8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-08-07 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
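diff --git a/readconf.c b/readconf.c
index c177202b1..e019195e7 100644
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -205,10 +207,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -962,10 +973,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1777,7 +1808,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1921,8 +1957,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)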
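Review bot: The `#else` branch of the keyword table (hunk at line 207) adds `oUnsupported` entries for gssapikeyexchange, gssapitrustdns, gssapiclientidentity and gssapirenewalforcesrekey but omits gssapiserveridentity, even though the `#if defined(GSSAPI)` branch registers `{ "gssapiserveridentity", oGssServerIdentity },`; in a build without GSSAPI a config containing GSSAPIServerIdentity will therefore be treated as an unknown keyword rather than an unsupported one, unlike its siblings. Adding `{ "gssapiserveridentity", oUnsupported },` after the gssapiclientidentity line keeps the two branches parallel. In fill_default_options (hunk at line 1957), the new options all default to off, which matches the commit's own description of the key exchange as pre-authentication attack surface; a one-line comment such as `/* GSSAPI KEX, DNS trust and renewal rekey are opt-in */` above `if (options->gss_keyex == -1)` would make that intent visible to the next maintainer. gss_client_identity and gss_server_identity are left NULL in initialize_options, consistent with kbd_interactive_devices, so no default is needed for them.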