GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2017-10-04 13:54:43 +0100
commit: 4e70490950e5c5134df48848affaf73685bf0284 (patch)
tree: 59de097e770693fb1f81268e85f7802df32cb58e /readconf.c
parent: 62f54f20bf351468e0124f63cc2902ee40d9b0e9 (diff)
1 files changed, 43 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index f63894f9c..99e03ee1f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, 
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -199,10 +201,20 @@ static struct {
        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
 # else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
        { "smartcarddevice", oPKCS11Provider },
@@ -976,10 +988,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1790,7 +1822,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -1930,8 +1967,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2017-10-04 13:54:43 +0100
commit	4e70490950e5c5134df48848affaf73685bf0284 (patch)
tree	59de097e770693fb1f81268e85f7802df32cb58e /readconf.c
parent	62f54f20bf351468e0124f63cc2902ee40d9b0e9 (diff)

diff --git a/readconf.c b/readconf.c index f63894f9c..99e03ee1f 100644 --- a/readconf.c +++ b/readconf.c
@@ -160,6 +160,8 @@ typedef enum {
160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		163	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		164	oGssServerIdentity,
163	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	165	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
164	oSendEnv, oControlPath, oControlMaster, oControlPersist,	166	oSendEnv, oControlPath, oControlMaster, oControlPersist,
165	oHashKnownHosts,	167	oHashKnownHosts,
@@ -199,10 +201,20 @@ static struct {
199	/* Sometimes-unsupported options */	201	/* Sometimes-unsupported options */
200	#if defined(GSSAPI)	202	#if defined(GSSAPI)
201	{ "gssapiauthentication", oGssAuthentication },	203	{ "gssapiauthentication", oGssAuthentication },
		204	{ "gssapikeyexchange", oGssKeyEx },
202	{ "gssapidelegatecredentials", oGssDelegateCreds },	205	{ "gssapidelegatecredentials", oGssDelegateCreds },
		206	{ "gssapitrustdns", oGssTrustDns },
		207	{ "gssapiclientidentity", oGssClientIdentity },
		208	{ "gssapiserveridentity", oGssServerIdentity },
		209	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
203	# else	210	# else
204	{ "gssapiauthentication", oUnsupported },	211	{ "gssapiauthentication", oUnsupported },
		212	{ "gssapikeyexchange", oUnsupported },
205	{ "gssapidelegatecredentials", oUnsupported },	213	{ "gssapidelegatecredentials", oUnsupported },
		214	{ "gssapitrustdns", oUnsupported },
		215	{ "gssapiclientidentity", oUnsupported },
		216	{ "gssapiserveridentity", oUnsupported },
		217	{ "gssapirenewalforcesrekey", oUnsupported },
206	#endif	218	#endif
207	#ifdef ENABLE_PKCS11	219	#ifdef ENABLE_PKCS11
208	{ "smartcarddevice", oPKCS11Provider },	220	{ "smartcarddevice", oPKCS11Provider },
@@ -976,10 +988,30 @@ parse_time:
976	intptr = &options->gss_authentication;	988	intptr = &options->gss_authentication;
977	goto parse_flag;	989	goto parse_flag;
978		990
		991	case oGssKeyEx:
		992	intptr = &options->gss_keyex;
		993	goto parse_flag;
		994
979	case oGssDelegateCreds:	995	case oGssDelegateCreds:
980	intptr = &options->gss_deleg_creds;	996	intptr = &options->gss_deleg_creds;
981	goto parse_flag;	997	goto parse_flag;
982		998
		999	case oGssTrustDns:
		1000	intptr = &options->gss_trust_dns;
		1001	goto parse_flag;
		1002
		1003	case oGssClientIdentity:
		1004	charptr = &options->gss_client_identity;
		1005	goto parse_string;
		1006
		1007	case oGssServerIdentity:
		1008	charptr = &options->gss_server_identity;
		1009	goto parse_string;
		1010
		1011	case oGssRenewalRekey:
		1012	intptr = &options->gss_renewal_rekey;
		1013	goto parse_flag;
		1014
983	case oBatchMode:	1015	case oBatchMode:
984	intptr = &options->batch_mode;	1016	intptr = &options->batch_mode;
985	goto parse_flag;	1017	goto parse_flag;
@@ -1790,7 +1822,12 @@ initialize_options(Options * options)
1790	options->pubkey_authentication = -1;	1822	options->pubkey_authentication = -1;
1791	options->challenge_response_authentication = -1;	1823	options->challenge_response_authentication = -1;
1792	options->gss_authentication = -1;	1824	options->gss_authentication = -1;
		1825	options->gss_keyex = -1;
1793	options->gss_deleg_creds = -1;	1826	options->gss_deleg_creds = -1;
		1827	options->gss_trust_dns = -1;
		1828	options->gss_renewal_rekey = -1;
		1829	options->gss_client_identity = NULL;
		1830	options->gss_server_identity = NULL;
1794	options->password_authentication = -1;	1831	options->password_authentication = -1;
1795	options->kbd_interactive_authentication = -1;	1832	options->kbd_interactive_authentication = -1;
1796	options->kbd_interactive_devices = NULL;	1833	options->kbd_interactive_devices = NULL;
@@ -1930,8 +1967,14 @@ fill_default_options(Options * options)
1930	options->challenge_response_authentication = 1;	1967	options->challenge_response_authentication = 1;
1931	if (options->gss_authentication == -1)	1968	if (options->gss_authentication == -1)
1932	options->gss_authentication = 0;	1969	options->gss_authentication = 0;
		1970	if (options->gss_keyex == -1)
		1971	options->gss_keyex = 0;
1933	if (options->gss_deleg_creds == -1)	1972	if (options->gss_deleg_creds == -1)
1934	options->gss_deleg_creds = 0;	1973	options->gss_deleg_creds = 0;
		1974	if (options->gss_trust_dns == -1)
		1975	options->gss_trust_dns = 0;
		1976	if (options->gss_renewal_rekey == -1)
		1977	options->gss_renewal_rekey = 0;
1935	if (options->password_authentication == -1)	1978	if (options->password_authentication == -1)
1936	options->password_authentication = 1;	1979	options->password_authentication = 1;
1937	if (options->kbd_interactive_authentication == -1)	1980	if (options->kbd_interactive_authentication == -1)