authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-01-14 15:07:15 +0000
commit6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 (patch)
tree2f8cd5a92310d9ed3b7020366f3030fc0d1b53a4 /servconf.c
parenteeff4de96f5d7365750dc56912c2c62b5c28db6b (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-01-04 Patch-Name: gssapi.patch
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c28
1 files changed, 27 insertions, 1 deletions
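--- a/servconf.c
+++ b/servconf.c
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
+	options->gss_keyex = -1;
 	options->gss_cleanup_creds = -1;
 	options->gss_strict_acceptor = -1;
+	options->gss_store_rekey = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options)
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->gss_strict_acceptor == -1)
-		options->gss_strict_acceptor = 0;
+		options->gss_strict_acceptor = 1;
+	if (options->gss_store_rekey == -1)
+		options->gss_store_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -412,6 +418,7 @@ typedef enum {
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+	sGssKeyEx, sGssStoreRekey,
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -485,12 +492,20 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case sGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
@@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_strict_acceptor;
 		goto parse_flag;
 
+	case sGssStoreRekey:
+		intptr = &options->gss_store_rekey;
+		goto parse_flag;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
@@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+	dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,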
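Review bot: The only deletion in this commit, in the fill_default_server_options hunk, flips the default for gss_strict_acceptor from 0 to 1 (`options->gss_strict_acceptor = 1;`), yet neither the commit message nor the patch description mentions it; a default change to an acceptor-identity check is a behaviour change for every deployment that does not set GSSAPIStrictAcceptorCheck explicitly and should be called out in the message and in sshd_config(5). A one-line comment above the new default would also keep the next reader from treating it as a typo: `/* Strict acceptor check on by default; the KEX patch relies on it. */` — worded as an assumption, since the reason is not stated here. On the positive side, gss_keyex and gss_store_rekey both default to 0, so the pre-authentication key-exchange surface the description warns about stays closed until an administrator enables it. The two legacy keywords added after the `#endif` (`gssusesessionccache`, `gssapiusesessioncredcache`) map to sUnsupported in both build variants, which is fine but deserves a short comment saying they are accepted only for compatibility with old configurations.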