GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-11-29 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-11-29 17:36:18 +0000
commit: 09c4d9b7d41ab3c9973f07e0109e931f57c59c43 (patch)
tree: 238d7d86bfd8c0080d01fb55cef2ad37df46bd2e /readconf.c
parent: 651211fd4a199b299540c00c54a46e27fadb04be (diff)
1 files changed, 42 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index 1d03bdf72..43b7570a4 100644
--- a/readconf.c
+++ b/readconf.c
@@ -147,6 +147,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, 
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -192,10 +194,19 @@ static struct {
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
@@ -894,10 +905,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-11-29 17:36:18 +0000
commit	09c4d9b7d41ab3c9973f07e0109e931f57c59c43 (patch)
tree	238d7d86bfd8c0080d01fb55cef2ad37df46bd2e /readconf.c
parent	651211fd4a199b299540c00c54a46e27fadb04be (diff)

diff --git a/readconf.c b/readconf.c index 1d03bdf72..43b7570a4 100644 --- a/readconf.c +++ b/readconf.c
@@ -147,6 +147,8 @@ typedef enum {
147	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	147	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
148	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	148	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
149	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	149	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		150	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		151	oGssServerIdentity,
150	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	152	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
151	oSendEnv, oControlPath, oControlMaster, oControlPersist,	153	oSendEnv, oControlPath, oControlMaster, oControlPersist,
152	oHashKnownHosts,	154	oHashKnownHosts,
@@ -192,10 +194,19 @@ static struct {
192	{ "afstokenpassing", oUnsupported },	194	{ "afstokenpassing", oUnsupported },
193	#if defined(GSSAPI)	195	#if defined(GSSAPI)
194	{ "gssapiauthentication", oGssAuthentication },	196	{ "gssapiauthentication", oGssAuthentication },
		197	{ "gssapikeyexchange", oGssKeyEx },
195	{ "gssapidelegatecredentials", oGssDelegateCreds },	198	{ "gssapidelegatecredentials", oGssDelegateCreds },
		199	{ "gssapitrustdns", oGssTrustDns },
		200	{ "gssapiclientidentity", oGssClientIdentity },
		201	{ "gssapiserveridentity", oGssServerIdentity },
		202	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
196	#else	203	#else
197	{ "gssapiauthentication", oUnsupported },	204	{ "gssapiauthentication", oUnsupported },
		205	{ "gssapikeyexchange", oUnsupported },
198	{ "gssapidelegatecredentials", oUnsupported },	206	{ "gssapidelegatecredentials", oUnsupported },
		207	{ "gssapitrustdns", oUnsupported },
		208	{ "gssapiclientidentity", oUnsupported },
		209	{ "gssapirenewalforcesrekey", oUnsupported },
199	#endif	210	#endif
200	{ "fallbacktorsh", oDeprecated },	211	{ "fallbacktorsh", oDeprecated },
201	{ "usersh", oDeprecated },	212	{ "usersh", oDeprecated },
@@ -894,10 +905,30 @@ parse_time:
894	intptr = &options->gss_authentication;	905	intptr = &options->gss_authentication;
895	goto parse_flag;	906	goto parse_flag;
896		907
		908	case oGssKeyEx:
		909	intptr = &options->gss_keyex;
		910	goto parse_flag;
		911
897	case oGssDelegateCreds:	912	case oGssDelegateCreds:
898	intptr = &options->gss_deleg_creds;	913	intptr = &options->gss_deleg_creds;
899	goto parse_flag;	914	goto parse_flag;
900		915
		916	case oGssTrustDns:
		917	intptr = &options->gss_trust_dns;
		918	goto parse_flag;
		919
		920	case oGssClientIdentity:
		921	charptr = &options->gss_client_identity;
		922	goto parse_string;
		923
		924	case oGssServerIdentity:
		925	charptr = &options->gss_server_identity;
		926	goto parse_string;
		927
		928	case oGssRenewalRekey:
		929	intptr = &options->gss_renewal_rekey;
		930	goto parse_flag;
		931
901	case oBatchMode:	932	case oBatchMode:
902	intptr = &options->batch_mode;	933	intptr = &options->batch_mode;
903	goto parse_flag;	934	goto parse_flag;
@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
1601	options->pubkey_authentication = -1;	1632	options->pubkey_authentication = -1;
1602	options->challenge_response_authentication = -1;	1633	options->challenge_response_authentication = -1;
1603	options->gss_authentication = -1;	1634	options->gss_authentication = -1;
		1635	options->gss_keyex = -1;
1604	options->gss_deleg_creds = -1;	1636	options->gss_deleg_creds = -1;
		1637	options->gss_trust_dns = -1;
		1638	options->gss_renewal_rekey = -1;
		1639	options->gss_client_identity = NULL;
		1640	options->gss_server_identity = NULL;
1605	options->password_authentication = -1;	1641	options->password_authentication = -1;
1606	options->kbd_interactive_authentication = -1;	1642	options->kbd_interactive_authentication = -1;
1607	options->kbd_interactive_devices = NULL;	1643	options->kbd_interactive_devices = NULL;
@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
1729	options->challenge_response_authentication = 1;	1765	options->challenge_response_authentication = 1;
1730	if (options->gss_authentication == -1)	1766	if (options->gss_authentication == -1)
1731	options->gss_authentication = 0;	1767	options->gss_authentication = 0;
		1768	if (options->gss_keyex == -1)
		1769	options->gss_keyex = 0;
1732	if (options->gss_deleg_creds == -1)	1770	if (options->gss_deleg_creds == -1)
1733	options->gss_deleg_creds = 0;	1771	options->gss_deleg_creds = 0;
		1772	if (options->gss_trust_dns == -1)
		1773	options->gss_trust_dns = 0;
		1774	if (options->gss_renewal_rekey == -1)
		1775	options->gss_renewal_rekey = 0;
1734	if (options->password_authentication == -1)	1776	if (options->password_authentication == -1)
1735	options->password_authentication = 1;	1777	options->password_authentication = 1;
1736	if (options->kbd_interactive_authentication == -1)	1778	if (options->kbd_interactive_authentication == -1)