authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2019-06-05 07:06:44 +0100
commit7ce79be85036c4b36937f1b1ba85f6094068412c (patch)
treec964917d8395ef5605cff9513aad4458b222beae /readconf.c
parent102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2019-06-05 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c70
1 files changed, 70 insertions, 0 deletions
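diff --git a/readconf.c b/readconf.c
index ec497e79f..4d699e5f1 100644
--- a/readconf.c
+++ b/readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 
 /* Format of the configuration file:
 
@@ -162,6 +163,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity, oGssKexAlgorithms,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -202,10 +205,22 @@ static struct {
 	/* Sometimes-unsupported options */
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
+	{ "gssapikexalgorithms", oGssKexAlgorithms },
 # else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapiserveridentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
+	{ "gssapikexalgorithms", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
 	{ "pkcs11provider", oPKCS11Provider },
@@ -983,10 +998,42 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
+	case oGssKexAlgorithms:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.",
+			    filename, linenum);
+		if (!kex_gss_names_valid(arg))
+			fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+			    filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && options->gss_kex_algorithms == NULL)
+			options->gss_kex_algorithms = xstrdup(arg);
+		break;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1854,7 +1901,13 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
+	options->gss_kex_algorithms = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -2000,8 +2053,18 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+	if (options->gss_kex_algorithms == NULL)
+		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -2616,7 +2679,14 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
 	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
 	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+	dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+	dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+	dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+	dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
+	dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
+	    o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
 #endif /* GSSAPI */
 	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
 	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);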
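Review bot: In the `fill_default_options` hunk the default for `gss_kex_algorithms` is set with a bare `strdup(GSS_KEX_DEFAULT_KEX)` whose NULL return is never checked, while the parser case for the same field a few hunks up uses `xstrdup(arg)`; on allocation failure the default silently stays NULL, which is presumably why `dump_client_config` needs the `o->gss_kex_algorithms ? … : GSS_KEX_DEFAULT_KEX` fallback. Use the file's fatal-on-failure allocator for consistency, `options->gss_kex_algorithms = xstrdup(GSS_KEX_DEFAULT_KEX);`, after which the ternary in the dump can become a plain `dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms);`. Whether the pre-auth GSSAPI key-exchange code that later consumes this field tolerates a NULL list is not visible in this diff, so the unchecked allocation is worth closing rather than assuming. As a minor point of style, in the `oGssKexAlgorithms` case the `arg ? arg : "<NONE>"` in the second `fatal()` is dead, since `arg` was already rejected as NULL two lines earlier; `filename, linenum, arg` reads cleaner. `fill_default_options`, `initialize_options` and `dump_client_config` all start and end outside these hunks.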