GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2020-02-21 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 12:01:36 +0000
commit: 34aff3aa136e5a65f441b25811dd466488fda087 (patch)
tree: e2170faeed03d67545255d3d3c9d62280414c0b2 /readconf.c
parent: f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (diff)
1 files changed, 70 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index f3cac6b3a..da8022dd0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 /* Format of the configuration file:
@@ -160,6 +161,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, oGssKexAlgorithms,
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
+        { "gssapikexalgorithms", oGssKexAlgorithms },
 # else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
+        { "gssapikexalgorithms", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
        { "pkcs11provider", oPKCS11Provider },
@@ -1029,10 +1044,42 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
+        case oGssKexAlgorithms:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
+                if (!kex_gss_names_valid(arg))
+                        fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+                            filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && options->gss_kex_algorithms == NULL)
+                        options->gss_kex_algorithms = xstrdup(arg);
+                break;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
+        options->gss_kex_algorithms = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+        if (options->gss_kex_algorithms == NULL)
+                options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
        dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+        dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
        dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+        dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+        dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+        dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+        dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
+        dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
+            o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
 #endif /* GSSAPI */
        dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
        dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 12:01:36 +0000
commit	34aff3aa136e5a65f441b25811dd466488fda087 (patch)
tree	e2170faeed03d67545255d3d3c9d62280414c0b2 /readconf.c
parent	f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (diff)

diff --git a/readconf.c b/readconf.c index f3cac6b3a..da8022dd0 100644 --- a/readconf.c +++ b/readconf.c
@@ -67,6 +67,7 @@
67	#include "uidswap.h"	67	#include "uidswap.h"
68	#include "myproposal.h"	68	#include "myproposal.h"
69	#include "digest.h"	69	#include "digest.h"
		70	#include "ssh-gss.h"
70		71
71	/* Format of the configuration file:	72	/* Format of the configuration file:
72		73
@@ -160,6 +161,8 @@ typedef enum {
160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	161	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	162	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	163	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		164	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		165	oGssServerIdentity, oGssKexAlgorithms,
163	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	166	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
164	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,	167	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
165	oHashKnownHosts,	168	oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
204	/* Sometimes-unsupported options */	207	/* Sometimes-unsupported options */
205	#if defined(GSSAPI)	208	#if defined(GSSAPI)
206	{ "gssapiauthentication", oGssAuthentication },	209	{ "gssapiauthentication", oGssAuthentication },
		210	{ "gssapikeyexchange", oGssKeyEx },
207	{ "gssapidelegatecredentials", oGssDelegateCreds },	211	{ "gssapidelegatecredentials", oGssDelegateCreds },
		212	{ "gssapitrustdns", oGssTrustDns },
		213	{ "gssapiclientidentity", oGssClientIdentity },
		214	{ "gssapiserveridentity", oGssServerIdentity },
		215	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
		216	{ "gssapikexalgorithms", oGssKexAlgorithms },
208	# else	217	# else
209	{ "gssapiauthentication", oUnsupported },	218	{ "gssapiauthentication", oUnsupported },
		219	{ "gssapikeyexchange", oUnsupported },
210	{ "gssapidelegatecredentials", oUnsupported },	220	{ "gssapidelegatecredentials", oUnsupported },
		221	{ "gssapitrustdns", oUnsupported },
		222	{ "gssapiclientidentity", oUnsupported },
		223	{ "gssapiserveridentity", oUnsupported },
		224	{ "gssapirenewalforcesrekey", oUnsupported },
		225	{ "gssapikexalgorithms", oUnsupported },
211	#endif	226	#endif
212	#ifdef ENABLE_PKCS11	227	#ifdef ENABLE_PKCS11
213	{ "pkcs11provider", oPKCS11Provider },	228	{ "pkcs11provider", oPKCS11Provider },
@@ -1029,10 +1044,42 @@ parse_time:
1029	intptr = &options->gss_authentication;	1044	intptr = &options->gss_authentication;
1030	goto parse_flag;	1045	goto parse_flag;
1031		1046
		1047	case oGssKeyEx:
		1048	intptr = &options->gss_keyex;
		1049	goto parse_flag;
		1050
1032	case oGssDelegateCreds:	1051	case oGssDelegateCreds:
1033	intptr = &options->gss_deleg_creds;	1052	intptr = &options->gss_deleg_creds;
1034	goto parse_flag;	1053	goto parse_flag;
1035		1054
		1055	case oGssTrustDns:
		1056	intptr = &options->gss_trust_dns;
		1057	goto parse_flag;
		1058
		1059	case oGssClientIdentity:
		1060	charptr = &options->gss_client_identity;
		1061	goto parse_string;
		1062
		1063	case oGssServerIdentity:
		1064	charptr = &options->gss_server_identity;
		1065	goto parse_string;
		1066
		1067	case oGssRenewalRekey:
		1068	intptr = &options->gss_renewal_rekey;
		1069	goto parse_flag;
		1070
		1071	case oGssKexAlgorithms:
		1072	arg = strdelim(&s);
		1073	if (!arg \|\| *arg == '\0')
		1074	fatal("%.200s line %d: Missing argument.",
		1075	filename, linenum);
		1076	if (!kex_gss_names_valid(arg))
		1077	fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
		1078	filename, linenum, arg ? arg : "<NONE>");
		1079	if (*activep && options->gss_kex_algorithms == NULL)
		1080	options->gss_kex_algorithms = xstrdup(arg);
		1081	break;
		1082
1036	case oBatchMode:	1083	case oBatchMode:
1037	intptr = &options->batch_mode;	1084	intptr = &options->batch_mode;
1038	goto parse_flag;	1085	goto parse_flag;
@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
1911	options->pubkey_authentication = -1;	1958	options->pubkey_authentication = -1;
1912	options->challenge_response_authentication = -1;	1959	options->challenge_response_authentication = -1;
1913	options->gss_authentication = -1;	1960	options->gss_authentication = -1;
		1961	options->gss_keyex = -1;
1914	options->gss_deleg_creds = -1;	1962	options->gss_deleg_creds = -1;
		1963	options->gss_trust_dns = -1;
		1964	options->gss_renewal_rekey = -1;
		1965	options->gss_client_identity = NULL;
		1966	options->gss_server_identity = NULL;
		1967	options->gss_kex_algorithms = NULL;
1915	options->password_authentication = -1;	1968	options->password_authentication = -1;
1916	options->kbd_interactive_authentication = -1;	1969	options->kbd_interactive_authentication = -1;
1917	options->kbd_interactive_devices = NULL;	1970	options->kbd_interactive_devices = NULL;
@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
2059	options->challenge_response_authentication = 1;	2112	options->challenge_response_authentication = 1;
2060	if (options->gss_authentication == -1)	2113	if (options->gss_authentication == -1)
2061	options->gss_authentication = 0;	2114	options->gss_authentication = 0;
		2115	if (options->gss_keyex == -1)
		2116	options->gss_keyex = 0;
2062	if (options->gss_deleg_creds == -1)	2117	if (options->gss_deleg_creds == -1)
2063	options->gss_deleg_creds = 0;	2118	options->gss_deleg_creds = 0;
		2119	if (options->gss_trust_dns == -1)
		2120	options->gss_trust_dns = 0;
		2121	if (options->gss_renewal_rekey == -1)
		2122	options->gss_renewal_rekey = 0;
		2123	#ifdef GSSAPI
		2124	if (options->gss_kex_algorithms == NULL)
		2125	options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
		2126	#endif
2064	if (options->password_authentication == -1)	2127	if (options->password_authentication == -1)
2065	options->password_authentication = 1;	2128	options->password_authentication = 1;
2066	if (options->kbd_interactive_authentication == -1)	2129	if (options->kbd_interactive_authentication == -1)
@@ -2702,7 +2765,14 @@ dump_client_config(Options o, const char host)
2702	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);	2765	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
2703	#ifdef GSSAPI	2766	#ifdef GSSAPI
2704	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);	2767	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
		2768	dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
2705	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);	2769	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
		2770	dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
		2771	dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
		2772	dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
		2773	dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
		2774	dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
		2775	o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
2706	#endif /* GSSAPI */	2776	#endif /* GSSAPI */
2707	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);	2777	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
2708	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);	2778	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);