path: root/readconf.c
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2017-01-16 15:02:41 +0000
commit48fbb156bdc676fb6ba6817770e4e971fbf85b1f (patch)
treef35c67c09472bddc3337b1c74b0cb6a1d9b58670 /readconf.c
parent971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
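--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -205,10 +207,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -961,10 +972,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1776,7 +1807,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1920,8 +1956,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)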