authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-03-20 00:24:48 +0000
commit9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd (patch)
tree3a19744ef1cf261141a522e13f75abbb3b7dba4b /readconf.c
parent796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-03-19 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c42
1 files changed, 42 insertions, 0 deletions
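diff --git a/readconf.c b/readconf.c
index dc884c9b1..7613ff2d9 100644
--- a/readconf.c
+++ b/readconf.c
@@ -141,6 +141,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+	oGssServerIdentity,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
@@ -183,10 +185,19 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
+	{ "gssapiclientidentity", oGssClientIdentity },
+	{ "gssapiserveridentity", oGssServerIdentity },
+	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
+	{ "gssapiclientidentity", oUnsupported },
+	{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -841,10 +852,30 @@ parse_time:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
+	case oGssClientIdentity:
+		charptr = &options->gss_client_identity;
+		goto parse_string;
+
+	case oGssServerIdentity:
+		charptr = &options->gss_server_identity;
+		goto parse_string;
+
+	case oGssRenewalRekey:
+		intptr = &options->gss_renewal_rekey;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1497,7 +1528,12 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
+	options->gss_renewal_rekey = -1;
+	options->gss_client_identity = NULL;
+	options->gss_server_identity = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1616,8 +1652,14 @@ fill_default_options(Options * options)
 	options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
+	if (options->gss_renewal_rekey == -1)
+		options->gss_renewal_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)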
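Review bot: The `#else` branch of the keyword table (hunk `@@ -183,10 +185,19 @@`) registers every new keyword as oUnsupported except `gssapiserveridentity`, so a shared ssh_config that sets GSSAPIServerIdentity parses cleanly on a GSSAPI build but is rejected as an unknown option on a build without GSSAPI; add `{ "gssapiserveridentity", oUnsupported },` next to the other fallback entries so both builds accept the same files. The defaults in the last hunk are the right way round for a pre-auth feature: gss_keyex, gss_trust_dns and gss_renewal_rekey all fall back to 0 unless the user opts in, which keeps the new key-exchange and DNS-trust paths off for anyone who never mentions them in a config. A one-line comment above `options->gss_trust_dns = 0;` noting that trusting DNS for principal canonicalisation is deliberately opt-in would make that intent survive future edits. The `switch` in the third hunk and the bodies of initialize_options and fill_default_options all start and end outside their hunks.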