summaryrefslogtreecommitdiff
path: root/readconf.c
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-01-04 15:06:57 +0000
commit48424483cbf2232ba849038e02675b2db1ea3a88 (patch)
treea21f027e0d814ba92e1e918dafdb845654589c1f /readconf.c
parent651211fd4a199b299540c00c54a46e27fadb04be (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-01-04 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index 1d03bdf72..43b7570a4 100644
--- a/readconf.c
+++ b/readconf.c
@@ -147,6 +147,8 @@ typedef enum {
147 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 147 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
148 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 148 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
149 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 149 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
150 oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
151 oGssServerIdentity,
150 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 152 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
151 oSendEnv, oControlPath, oControlMaster, oControlPersist, 153 oSendEnv, oControlPath, oControlMaster, oControlPersist,
152 oHashKnownHosts, 154 oHashKnownHosts,
@@ -192,10 +194,19 @@ static struct {
192 { "afstokenpassing", oUnsupported }, 194 { "afstokenpassing", oUnsupported },
193#if defined(GSSAPI) 195#if defined(GSSAPI)
194 { "gssapiauthentication", oGssAuthentication }, 196 { "gssapiauthentication", oGssAuthentication },
197 { "gssapikeyexchange", oGssKeyEx },
195 { "gssapidelegatecredentials", oGssDelegateCreds }, 198 { "gssapidelegatecredentials", oGssDelegateCreds },
199 { "gssapitrustdns", oGssTrustDns },
200 { "gssapiclientidentity", oGssClientIdentity },
201 { "gssapiserveridentity", oGssServerIdentity },
202 { "gssapirenewalforcesrekey", oGssRenewalRekey },
196#else 203#else
197 { "gssapiauthentication", oUnsupported }, 204 { "gssapiauthentication", oUnsupported },
205 { "gssapikeyexchange", oUnsupported },
198 { "gssapidelegatecredentials", oUnsupported }, 206 { "gssapidelegatecredentials", oUnsupported },
207 { "gssapitrustdns", oUnsupported },
208 { "gssapiclientidentity", oUnsupported },
209 { "gssapirenewalforcesrekey", oUnsupported },
199#endif 210#endif
200 { "fallbacktorsh", oDeprecated }, 211 { "fallbacktorsh", oDeprecated },
201 { "usersh", oDeprecated }, 212 { "usersh", oDeprecated },
@@ -894,10 +905,30 @@ parse_time:
894 intptr = &options->gss_authentication; 905 intptr = &options->gss_authentication;
895 goto parse_flag; 906 goto parse_flag;
896 907
908 case oGssKeyEx:
909 intptr = &options->gss_keyex;
910 goto parse_flag;
911
897 case oGssDelegateCreds: 912 case oGssDelegateCreds:
898 intptr = &options->gss_deleg_creds; 913 intptr = &options->gss_deleg_creds;
899 goto parse_flag; 914 goto parse_flag;
900 915
916 case oGssTrustDns:
917 intptr = &options->gss_trust_dns;
918 goto parse_flag;
919
920 case oGssClientIdentity:
921 charptr = &options->gss_client_identity;
922 goto parse_string;
923
924 case oGssServerIdentity:
925 charptr = &options->gss_server_identity;
926 goto parse_string;
927
928 case oGssRenewalRekey:
929 intptr = &options->gss_renewal_rekey;
930 goto parse_flag;
931
901 case oBatchMode: 932 case oBatchMode:
902 intptr = &options->batch_mode; 933 intptr = &options->batch_mode;
903 goto parse_flag; 934 goto parse_flag;
@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
1601 options->pubkey_authentication = -1; 1632 options->pubkey_authentication = -1;
1602 options->challenge_response_authentication = -1; 1633 options->challenge_response_authentication = -1;
1603 options->gss_authentication = -1; 1634 options->gss_authentication = -1;
1635 options->gss_keyex = -1;
1604 options->gss_deleg_creds = -1; 1636 options->gss_deleg_creds = -1;
1637 options->gss_trust_dns = -1;
1638 options->gss_renewal_rekey = -1;
1639 options->gss_client_identity = NULL;
1640 options->gss_server_identity = NULL;
1605 options->password_authentication = -1; 1641 options->password_authentication = -1;
1606 options->kbd_interactive_authentication = -1; 1642 options->kbd_interactive_authentication = -1;
1607 options->kbd_interactive_devices = NULL; 1643 options->kbd_interactive_devices = NULL;
@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
1729 options->challenge_response_authentication = 1; 1765 options->challenge_response_authentication = 1;
1730 if (options->gss_authentication == -1) 1766 if (options->gss_authentication == -1)
1731 options->gss_authentication = 0; 1767 options->gss_authentication = 0;
1768 if (options->gss_keyex == -1)
1769 options->gss_keyex = 0;
1732 if (options->gss_deleg_creds == -1) 1770 if (options->gss_deleg_creds == -1)
1733 options->gss_deleg_creds = 0; 1771 options->gss_deleg_creds = 0;
1772 if (options->gss_trust_dns == -1)
1773 options->gss_trust_dns = 0;
1774 if (options->gss_renewal_rekey == -1)
1775 options->gss_renewal_rekey = 0;
1734 if (options->password_authentication == -1) 1776 if (options->password_authentication == -1)
1735 options->password_authentication = 1; 1777 options->password_authentication = 1;
1736 if (options->kbd_interactive_authentication == -1) 1778 if (options->kbd_interactive_authentication == -1)