authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-08-07 12:18:35 +0100
commiteecddf8b72fcad83ccca43b1badb03782704f6b7 (patch)
treefd0046825c8d42bd267afa7839d5603b130cf847 /servconf.c
parenta8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-08-07 Patch-Name: gssapi.patch
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c28
1 files changed, 27 insertions, 1 deletions
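--- a/servconf.c
+++ b/servconf.c
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
 options->kerberos_ticket_cleanup = -1;
 options->kerberos_get_afs_token = -1;
 options->gss_authentication=-1;
+options->gss_keyex = -1;
 options->gss_cleanup_creds = -1;
 options->gss_strict_acceptor = -1;
+options->gss_store_rekey = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
@@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options)
 options->kerberos_get_afs_token = 0;
 if (options->gss_authentication == -1)
 options->gss_authentication = 0;
+if (options->gss_keyex == -1)
+options->gss_keyex = 0;
 if (options->gss_cleanup_creds == -1)
 options->gss_cleanup_creds = 1;
 if (options->gss_strict_acceptor == -1)
-options->gss_strict_acceptor = 0;
+options->gss_strict_acceptor = 1;
+if (options->gss_store_rekey == -1)
+options->gss_store_rekey = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
@@ -427,6 +433,7 @@ typedef enum {
 sHostKeyAlgorithms,
 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+sGssKeyEx, sGssStoreRekey,
 sAcceptEnv, sPermitTunnel,
 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -500,12 +507,20 @@ static struct {
 #ifdef GSSAPI
 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1251,6 +1266,10 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->gss_authentication;
 goto parse_flag;
 
+case sGssKeyEx:
+intptr = &options->gss_keyex;
+goto parse_flag;
+
 case sGssCleanupCreds:
 intptr = &options->gss_cleanup_creds;
 goto parse_flag;
@@ -1259,6 +1278,10 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->gss_strict_acceptor;
 goto parse_flag;
 
+case sGssStoreRekey:
+intptr = &options->gss_store_rekey;
+goto parse_flag;
+
 case sPasswordAuthentication:
 intptr = &options->password_authentication;
 goto parse_flag;
@@ -2308,7 +2331,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 dump_cfg_fmtint(sKbdInteractiveAuthentication,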
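Review bot: In fill_default_server_options the default for gss_strict_acceptor changes from 0 to 1 (old line 293 versus new line 297), a behaviour change that has nothing to do with adding key exchange and that the description does not mention; the function's body begins and ends outside the hunk. Making the acceptor check strict by default is the safer direction, but it should be visible in the code and in the patch header so administrators who relied on the old default know to set the option explicitly, e.g. `options->gss_strict_acceptor = 1; /* gssapi.patch: default is yes, keep sshd_config.5 in sync */`. In the keyword table, `gssusesessionccache` and `gssapiusesessioncredcache` are placed after the `#endif` and mapped to sUnsupported unconditionally with no note; presumably they are retained so configuration files written for an older version of this patch get a warning rather than a parse failure, and a one-line comment above them saying so would stop a future maintainer from moving them into the `#ifdef GSSAPI` block.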