authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2016-03-21 12:06:07 +0000
commit8c27af53099b50387dda97c0aae36194197186f6 (patch)
treec2722bd6f5463d8bdbfe42159d0094074329e438 /servconf.c
parentf0329aac23c61e1a5197d6d57349a63f459bccb0 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-03-21 Patch-Name: gssapi.patch
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c28
1 files changed, 27 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index b19d30e18..b8af6dda7 100644
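--- a/servconf.c
+++ b/servconf.c
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
+ options->gss_keyex = -1;
  options->gss_cleanup_creds = -1;
  options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
@@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options)
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_cleanup_creds == -1)
  options->gss_cleanup_creds = 1;
  if (options->gss_strict_acceptor == -1)
- options->gss_strict_acceptor = 0;
+ options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
@@ -419,6 +425,7 @@ typedef enum {
  sHostKeyAlgorithms,
  sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssStoreRekey,
  sAcceptEnv, sPermitTunnel,
  sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -492,12 +499,20 @@ static struct {
 #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
  { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1242,6 +1257,10 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case sGssCleanupCreds:
  intptr = &options->gss_cleanup_creds;
  goto parse_flag;
@@ -1250,6 +1269,10 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_strict_acceptor;
  goto parse_flag;
 
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
@@ -2265,7 +2288,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
  dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
  dump_cfg_fmtint(sKbdInteractiveAuthentication,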
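Review bot: The default for `gss_strict_acceptor` flips from 0 to 1 in the fill_default_server_options hunk, a behaviour change that the commit description does not mention and that is separate from key exchange. The stricter default is the safer choice, but a server that relied on the old lax setting would presumably start refusing GSSAPI logins after an upgrade, so the assignment deserves a comment such as `/* strict acceptor check unless the config explicitly disables it */` and a line in the description. In the same hunk `gss_keyex` defaults to 0, which keeps the new pre-auth key exchange off until an administrator enables it; a comment like `/* off by default: GSSAPI KEX is pre-auth attack surface */` would record why that default should not be changed casually. The function body starts and ends outside the hunk.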