author | djm@openbsd.org <djm@openbsd.org> | 2015-05-22 03:50:02 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-05-22 20:02:17 +1000 |
commit | d7c31da4d42c115843edee2074d7d501f8804420 (patch) | |
tree | 9d41af43b92f502fcce33c184064daa712d941cc /servconf.c | |
parent | aa72196a00be6e0b666215edcffbc10af234cb0e (diff) |
upstream commit
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 14 |
1 files changed, 12 insertions, 2 deletions
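--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
 options->kerberos_get_afs_token = -1;
 options->gss_authentication=-1;
 options->gss_cleanup_creds = -1;
+options->gss_strict_acceptor = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
@@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options)
 options->gss_authentication = 0;
 if (options->gss_cleanup_creds == -1)
 options->gss_cleanup_creds = 1;
+if (options->gss_strict_acceptor == -1)
+options->gss_strict_acceptor = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
@@ -397,7 +400,8 @@ typedef enum {
 sBanner, sUseDNS, sHostbasedAuthentication,
 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+sAcceptEnv, sPermitTunnel,
 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 sUsePrivilegeSeparation, sAllowAgentForwarding,
 sHostCertificate,
@@ -469,9 +473,11 @@ static struct {
 #ifdef GSSAPI
 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 #else
 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 #endif
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->gss_cleanup_creds;
 goto parse_flag;
 
+case sGssStrictAcceptor:
+intptr = &options->gss_strict_acceptor;
+goto parse_flag;
+
 case sPasswordAuthentication:
 intptr = &options->password_authentication;
 goto parse_flag;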
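Review bot: The default applied in fill_default_server_options looks fail-open, because an unset option becomes `options->gss_strict_acceptor = 0;`. If 0 selects the relaxed check, as the field name and the commit message ("knob to relax") suggest, every sshd that never sets GSSAPIStrictAcceptorCheck would silently stop enforcing the strict host credential check. A setting that weakens an authentication check is safer as opt-in, so I would default to `options->gss_strict_acceptor = 1;` and let multihomed hosts turn it off explicitly. The code that consumes the flag is not in this file's diff, so the polarity should be confirmed there, and fill_default_server_options itself begins and ends outside the hunk.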