authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2018-08-24 17:49:04 +0100
commite6c7c11ac2576ac62334616bd4408bf64140bba7 (patch)
tree0625a34b2eafa6425602cb8c7185fbddc2d05fd7 /readconf.c
parente6547182a54f0f268ee36e7c99319eeddffbaff2 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2018-08-24 Patch-Name: gssapi.patch
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c43
1 files changed, 43 insertions, 0 deletions
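--- a/readconf.c
+++ b/readconf.c
@@ -161,6 +161,8 @@ typedef enum {
 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+oGssServerIdentity,
 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
 oHashKnownHosts,
@@ -201,10 +203,20 @@ static struct {
 /* Sometimes-unsupported options */
 #if defined(GSSAPI)
 { "gssapiauthentication", oGssAuthentication },
+{ "gssapikeyexchange", oGssKeyEx },
 { "gssapidelegatecredentials", oGssDelegateCreds },
+{ "gssapitrustdns", oGssTrustDns },
+{ "gssapiclientidentity", oGssClientIdentity },
+{ "gssapiserveridentity", oGssServerIdentity },
+{ "gssapirenewalforcesrekey", oGssRenewalRekey },
 # else
 { "gssapiauthentication", oUnsupported },
+{ "gssapikeyexchange", oUnsupported },
 { "gssapidelegatecredentials", oUnsupported },
+{ "gssapitrustdns", oUnsupported },
+{ "gssapiclientidentity", oUnsupported },
+{ "gssapiserveridentity", oUnsupported },
+{ "gssapirenewalforcesrekey", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
 { "smartcarddevice", oPKCS11Provider },
@@ -973,10 +985,30 @@ parse_time:
 intptr = &options->gss_authentication;
 goto parse_flag;
 
+case oGssKeyEx:
+intptr = &options->gss_keyex;
+goto parse_flag;
+
 case oGssDelegateCreds:
 intptr = &options->gss_deleg_creds;
 goto parse_flag;
 
+case oGssTrustDns:
+intptr = &options->gss_trust_dns;
+goto parse_flag;
+
+case oGssClientIdentity:
+charptr = &options->gss_client_identity;
+goto parse_string;
+
+case oGssServerIdentity:
+charptr = &options->gss_server_identity;
+goto parse_string;
+
+case oGssRenewalRekey:
+intptr = &options->gss_renewal_rekey;
+goto parse_flag;
+
 case oBatchMode:
 intptr = &options->batch_mode;
 goto parse_flag;
@@ -1817,7 +1849,12 @@ initialize_options(Options * options)
 options->pubkey_authentication = -1;
 options->challenge_response_authentication = -1;
 options->gss_authentication = -1;
+options->gss_keyex = -1;
 options->gss_deleg_creds = -1;
+options->gss_trust_dns = -1;
+options->gss_renewal_rekey = -1;
+options->gss_client_identity = NULL;
+options->gss_server_identity = NULL;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->kbd_interactive_devices = NULL;
@@ -1962,8 +1999,14 @@ fill_default_options(Options * options)
 options->challenge_response_authentication = 1;
 if (options->gss_authentication == -1)
 options->gss_authentication = 0;
+if (options->gss_keyex == -1)
+options->gss_keyex = 0;
 if (options->gss_deleg_creds == -1)
 options->gss_deleg_creds = 0;
+if (options->gss_trust_dns == -1)
+options->gss_trust_dns = 0;
+if (options->gss_renewal_rekey == -1)
+options->gss_renewal_rekey = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)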
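Review bot: The fill_default_options hunk turns gss_keyex and gss_trust_dns off by default (new lines 2002-2003 and 2006-2007), which is the conservative choice given the commit message's own remark about GSSAPI key exchange being pre-auth attack surface, but nothing in the code records why these two must stay off unless the user opts in, so a later "make it just work" change could flip them silently. I would add above the gss_keyex default: `/* GSSAPIKeyExchange and GSSAPITrustDns default off: KEX runs pre-auth, and trusting DNS lets a spoofed reply choose the service principal the client authenticates (and may delegate credentials) to. */`. The trust-DNS consequence is the usual reasoning for this option rather than something these lines demonstrate, so confirm the wording against the GSSAPI KEX code before committing it. Separately, if this tree's readconf.c has a dump_client_config() for `ssh -G`, the new options are not added to it in this diff, so their effective values would not be printed; worth checking. fill_default_options continues outside the hunk.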