authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-02-10 02:40:08 +0000
commitcd404114ded78fc51d5d9cbd458d55c9b2f67daa (patch)
treedf7a424d9301b69af906b50d550bfce6e6e2c5f3 /servconf.c
parent9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-02-10 Patch-Name: gssapi.patch
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c38
1 files changed, 37 insertions, 1 deletions
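diff --git a/servconf.c b/servconf.c
index 9bcd05bf2..29209e452 100644
--- a/servconf.c
+++ b/servconf.c
@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
+	options->gss_keyex = -1;
 	options->gss_cleanup_creds = -1;
+	options->gss_strict_acceptor = -1;
+	options->gss_store_rekey = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options)
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
+	if (options->gss_strict_acceptor == -1)
+		options->gss_strict_acceptor = 1;
+	if (options->gss_store_rekey == -1)
+		options->gss_store_rekey = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -343,7 +352,9 @@ typedef enum {
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile,
-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+	sGssKeyEx, sGssStoreRekey,
+	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -410,10 +421,20 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case sGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
 
+	case sGssStrictAcceptor:
+		intptr = &options->gss_strict_acceptor;
+		goto parse_flag;
+
+	case sGssStoreRekey:
+		intptr = &options->gss_store_rekey;
+		goto parse_flag;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+	dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
 #ifdef JPAKE
 	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,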
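Review bot: The new `gss_keyex` default of 0 in fill_default_server_options carries no comment, even though the commit message itself states that GSSAPI key exchange is pre-authentication attack surface that hooks into root-owned system resources, which is exactly why it has to stay off unless an administrator opts in. I would put `/* GSSAPI KEX runs before authentication; stays off unless explicitly enabled */` above that `if` so the default is not later "harmonised" with gssapiauthentication. In the keyword table the three new keywords are registered SSHCFG_GLOBAL rather than the SSHCFG_ALL used by gssapiauthentication; that looks deliberate, since key exchange presumably completes before any Match block could be evaluated, and a one-line comment such as `/* KEX options cannot be scoped by Match: key exchange precedes authentication */` would keep a future change from relaxing it. Whether `gss_strict_acceptor` defaulting to 1 actually makes the acceptor-name check fail closed depends on code outside this file, and both fill_default_server_options and the keyword table extend beyond the hunks shown here.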