GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-01-04 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-02-29 12:31:33 +0000
commit: 374db1757fc18bd6647539b80977e6907a2cecd4 (patch)
tree: 9fd8227bdf3548c6fcce1e72b7edf3ebaf71d050 /readconf.c
parent: c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (diff)
1 files changed, 42 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index 69d4553af..d2a3d4b1a 100644
--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, 
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -193,10 +195,19 @@ static struct {
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
@@ -926,10 +937,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-02-29 12:31:33 +0000
commit	374db1757fc18bd6647539b80977e6907a2cecd4 (patch)
tree	9fd8227bdf3548c6fcce1e72b7edf3ebaf71d050 /readconf.c
parent	c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (diff)

diff --git a/readconf.c b/readconf.c index 69d4553af..d2a3d4b1a 100644 --- a/readconf.c +++ b/readconf.c
@@ -148,6 +148,8 @@ typedef enum {
148	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	148	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
149	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	149	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
150	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	150	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		151	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		152	oGssServerIdentity,
151	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	153	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
152	oSendEnv, oControlPath, oControlMaster, oControlPersist,	154	oSendEnv, oControlPath, oControlMaster, oControlPersist,
153	oHashKnownHosts,	155	oHashKnownHosts,
@@ -193,10 +195,19 @@ static struct {
193	{ "afstokenpassing", oUnsupported },	195	{ "afstokenpassing", oUnsupported },
194	#if defined(GSSAPI)	196	#if defined(GSSAPI)
195	{ "gssapiauthentication", oGssAuthentication },	197	{ "gssapiauthentication", oGssAuthentication },
		198	{ "gssapikeyexchange", oGssKeyEx },
196	{ "gssapidelegatecredentials", oGssDelegateCreds },	199	{ "gssapidelegatecredentials", oGssDelegateCreds },
		200	{ "gssapitrustdns", oGssTrustDns },
		201	{ "gssapiclientidentity", oGssClientIdentity },
		202	{ "gssapiserveridentity", oGssServerIdentity },
		203	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
197	#else	204	#else
198	{ "gssapiauthentication", oUnsupported },	205	{ "gssapiauthentication", oUnsupported },
		206	{ "gssapikeyexchange", oUnsupported },
199	{ "gssapidelegatecredentials", oUnsupported },	207	{ "gssapidelegatecredentials", oUnsupported },
		208	{ "gssapitrustdns", oUnsupported },
		209	{ "gssapiclientidentity", oUnsupported },
		210	{ "gssapirenewalforcesrekey", oUnsupported },
200	#endif	211	#endif
201	{ "fallbacktorsh", oDeprecated },	212	{ "fallbacktorsh", oDeprecated },
202	{ "usersh", oDeprecated },	213	{ "usersh", oDeprecated },
@@ -926,10 +937,30 @@ parse_time:
926	intptr = &options->gss_authentication;	937	intptr = &options->gss_authentication;
927	goto parse_flag;	938	goto parse_flag;
928		939
		940	case oGssKeyEx:
		941	intptr = &options->gss_keyex;
		942	goto parse_flag;
		943
929	case oGssDelegateCreds:	944	case oGssDelegateCreds:
930	intptr = &options->gss_deleg_creds;	945	intptr = &options->gss_deleg_creds;
931	goto parse_flag;	946	goto parse_flag;
932		947
		948	case oGssTrustDns:
		949	intptr = &options->gss_trust_dns;
		950	goto parse_flag;
		951
		952	case oGssClientIdentity:
		953	charptr = &options->gss_client_identity;
		954	goto parse_string;
		955
		956	case oGssServerIdentity:
		957	charptr = &options->gss_server_identity;
		958	goto parse_string;
		959
		960	case oGssRenewalRekey:
		961	intptr = &options->gss_renewal_rekey;
		962	goto parse_flag;
		963
933	case oBatchMode:	964	case oBatchMode:
934	intptr = &options->batch_mode;	965	intptr = &options->batch_mode;
935	goto parse_flag;	966	goto parse_flag;
@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
1648	options->pubkey_authentication = -1;	1679	options->pubkey_authentication = -1;
1649	options->challenge_response_authentication = -1;	1680	options->challenge_response_authentication = -1;
1650	options->gss_authentication = -1;	1681	options->gss_authentication = -1;
		1682	options->gss_keyex = -1;
1651	options->gss_deleg_creds = -1;	1683	options->gss_deleg_creds = -1;
		1684	options->gss_trust_dns = -1;
		1685	options->gss_renewal_rekey = -1;
		1686	options->gss_client_identity = NULL;
		1687	options->gss_server_identity = NULL;
1652	options->password_authentication = -1;	1688	options->password_authentication = -1;
1653	options->kbd_interactive_authentication = -1;	1689	options->kbd_interactive_authentication = -1;
1654	options->kbd_interactive_devices = NULL;	1690	options->kbd_interactive_devices = NULL;
@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
1777	options->challenge_response_authentication = 1;	1813	options->challenge_response_authentication = 1;
1778	if (options->gss_authentication == -1)	1814	if (options->gss_authentication == -1)
1779	options->gss_authentication = 0;	1815	options->gss_authentication = 0;
		1816	if (options->gss_keyex == -1)
		1817	options->gss_keyex = 0;
1780	if (options->gss_deleg_creds == -1)	1818	if (options->gss_deleg_creds == -1)
1781	options->gss_deleg_creds = 0;	1819	options->gss_deleg_creds = 0;
		1820	if (options->gss_trust_dns == -1)
		1821	options->gss_trust_dns = 0;
		1822	if (options->gss_renewal_rekey == -1)
		1823	options->gss_renewal_rekey = 0;
1782	if (options->password_authentication == -1)	1824	if (options->password_authentication == -1)
1783	options->password_authentication = 1;	1825	options->password_authentication = 1;
1784	if (options->kbd_interactive_authentication == -1)	1826	if (options->kbd_interactive_authentication == -1)