authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 16:16:58 +0000
commit950be7e1b1a01ee9b25e2a72726a6370b8acacb6 (patch)
tree64829a84f903d7e2d3270c43e3f80df7db2a6a10 /servconf.c
parentee196dab7c5f97f0b80c8099343a375bead92010 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2013-11-09 Patch-Name: gssapi.patch
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c38
1 files changed, 37 insertions, 1 deletions
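--- a/servconf.c
+++ b/servconf.c
@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options)
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
+ options->gss_keyex = -1;
  options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
@@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options)
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_cleanup_creds == -1)
  options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
@@ -338,7 +347,9 @@ typedef enum {
  sBanner, sUseDNS, sHostbasedAuthentication,
  sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssStoreRekey,
+ sAcceptEnv, sPermitTunnel,
  sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
  sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -405,10 +416,20 @@ static struct {
 #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
  { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case sGssCleanupCreds:
  intptr = &options->gss_cleanup_creds;
  goto parse_flag;
 
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
@@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
 #ifdef JPAKE
  dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,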
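Review bot: The two keyword-table entries added after the `#endif` in the `static struct { ... }` hunk, `gssusesessionccache` and `gssapiusesessioncredcache`, are registered as sUnsupported regardless of whether GSSAPI is compiled in, with no comment, so a reader cannot tell whether they are deliberately accepted-and-ignored legacy names or options the patch left unimplemented; the `gssapicleanupcreds` alias placed next to `gssapicleanupcredentials` has the same ambiguity. A one-line comment above the pair, `/* Legacy keyword names kept only so old configs still parse; never implemented here */`, would make the intent visible — the commit message's reference to the former -krb5 packages suggests that is the purpose, but it should be confirmed before the comment states it. This matters because, as far as the existing GSSAPI fallback block shows, sUnsupported keywords are accepted rather than treated as a configuration error, so an administrator relying on these names would get no effective setting; the handling of sUnsupported itself lies outside the hunk. The keyword table is a file-scope array whose opening and closing lines are both outside the hunk.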