authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2017-01-16 15:02:41 +0000
commit48fbb156bdc676fb6ba6817770e4e971fbf85b1f (patch)
treef35c67c09472bddc3337b1c74b0cb6a1d9b58670 /servconf.c
parent971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c28
1 files changed, 27 insertions, 1 deletions
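diff --git a/servconf.c b/servconf.c
index 795ddbab7..14c81fa92 100644
--- a/servconf.c
+++ b/servconf.c
@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
+	options->gss_keyex = -1;
 	options->gss_cleanup_creds = -1;
 	options->gss_strict_acceptor = -1;
+	options->gss_store_rekey = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -267,10 +269,14 @@ fill_default_server_options(ServerOptions *options)
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->gss_strict_acceptor == -1)
-		options->gss_strict_acceptor = 0;
+		options->gss_strict_acceptor = 1;
+	if (options->gss_store_rekey == -1)
+		options->gss_store_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -407,6 +413,7 @@ typedef enum {
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+	sGssKeyEx, sGssStoreRekey,
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -480,12 +487,20 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1207,6 +1222,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case sGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
@@ -1215,6 +1234,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_strict_acceptor;
 		goto parse_flag;
 
+	case sGssStoreRekey:
+		intptr = &options->gss_store_rekey;
+		goto parse_flag;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
@@ -2248,7 +2271,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+	dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,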
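Review bot: The fill_default_server_options hunk silently flips the default of gss_strict_acceptor from 0 to 1 (old line 273 versus new line 277), a behaviour change for existing GSSAPI deployments that the commit description, which only talks about key-exchange support, does not mention. Enforcing the acceptor-name check is the safer direction, but a site that has been relying on the lax default may see GSSAPI authentication start failing after the upgrade, so the line deserves a why-comment and a NEWS or changelog entry rather than being hidden inside a KEX patch: `/* Strict acceptor-name checking is on unless GSSAPIStrictAcceptorCheck is set to no in sshd_config. */`. The new gssapikeyexchange keyword is registered SSHCFG_GLOBAL and defaults to 0, which is consistent with the pre-auth attack-surface concern quoted in the description; a one-line comment at the `options->gss_keyex = 0;` default stating that GSSAPI key exchange stays off unless explicitly enabled would make that intent visible to the next maintainer. Every function touched here starts and ends outside the hunks shown.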