diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-05-22 03:50:02 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-05-22 20:02:17 +1000 |
| commit | d7c31da4d42c115843edee2074d7d501f8804420 (patch) | |
| tree | 9d41af43b92f502fcce33c184064daa712d941cc /servconf.c | |
| parent | aa72196a00be6e0b666215edcffbc10af234cb0e (diff) | |
upstream commit
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/servconf.c b/servconf.c index 5acaf61b1..eb32db0fa 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options) | |||
| 116 | options->kerberos_get_afs_token = -1; | 116 | options->kerberos_get_afs_token = -1; |
| 117 | options->gss_authentication=-1; | 117 | options->gss_authentication=-1; |
| 118 | options->gss_cleanup_creds = -1; | 118 | options->gss_cleanup_creds = -1; |
| 119 | options->gss_strict_acceptor = -1; | ||
| 119 | options->password_authentication = -1; | 120 | options->password_authentication = -1; |
| 120 | options->kbd_interactive_authentication = -1; | 121 | options->kbd_interactive_authentication = -1; |
| 121 | options->challenge_response_authentication = -1; | 122 | options->challenge_response_authentication = -1; |
| @@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 276 | options->gss_authentication = 0; | 277 | options->gss_authentication = 0; |
| 277 | if (options->gss_cleanup_creds == -1) | 278 | if (options->gss_cleanup_creds == -1) |
| 278 | options->gss_cleanup_creds = 1; | 279 | options->gss_cleanup_creds = 1; |
| 280 | if (options->gss_strict_acceptor == -1) | ||
| 281 | options->gss_strict_acceptor = 0; | ||
| 279 | if (options->password_authentication == -1) | 282 | if (options->password_authentication == -1) |
| 280 | options->password_authentication = 1; | 283 | options->password_authentication = 1; |
| 281 | if (options->kbd_interactive_authentication == -1) | 284 | if (options->kbd_interactive_authentication == -1) |
| @@ -397,7 +400,8 @@ typedef enum { | |||
| 397 | sBanner, sUseDNS, sHostbasedAuthentication, | 400 | sBanner, sUseDNS, sHostbasedAuthentication, |
| 398 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, | 401 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
| 399 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 402 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
| 400 | sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 403 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
| 404 | sAcceptEnv, sPermitTunnel, | ||
| 401 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 405 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| 402 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 406 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 403 | sHostCertificate, | 407 | sHostCertificate, |
| @@ -469,9 +473,11 @@ static struct { | |||
| 469 | #ifdef GSSAPI | 473 | #ifdef GSSAPI |
| 470 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 474 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
| 471 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 475 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
| 476 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | ||
| 472 | #else | 477 | #else |
| 473 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | 478 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
| 474 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | 479 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
| 480 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | ||
| 475 | #endif | 481 | #endif |
| 476 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 482 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
| 477 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 483 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
| @@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1212 | intptr = &options->gss_cleanup_creds; | 1218 | intptr = &options->gss_cleanup_creds; |
| 1213 | goto parse_flag; | 1219 | goto parse_flag; |
| 1214 | 1220 | ||
| 1221 | case sGssStrictAcceptor: | ||
| 1222 | intptr = &options->gss_strict_acceptor; | ||
| 1223 | goto parse_flag; | ||
| 1224 | |||
| 1215 | case sPasswordAuthentication: | 1225 | case sPasswordAuthentication: |
| 1216 | intptr = &options->password_authentication; | 1226 | intptr = &options->password_authentication; |
| 1217 | goto parse_flag; | 1227 | goto parse_flag; |