diff options
author | Simon Wilkinson <simon@sxw.org.uk> | 2014-02-09 16:09:48 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-03-20 00:24:48 +0000 |
commit | 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd (patch) | |
tree | 3a19744ef1cf261141a522e13f75abbb3b7dba4b /ssh-gss.h | |
parent | 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff) |
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2014-03-19
Patch-Name: gssapi.patch
Diffstat (limited to 'ssh-gss.h')
-rw-r--r-- | ssh-gss.h | 41 |
1 files changed, 37 insertions, 4 deletions
@@ -1,6 +1,6 @@ | |||
1 | /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ | 1 | /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 3 | * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
4 | * | 4 | * |
5 | * Redistribution and use in source and binary forms, with or without | 5 | * Redistribution and use in source and binary forms, with or without |
6 | * modification, are permitted provided that the following conditions | 6 | * modification, are permitted provided that the following conditions |
@@ -61,10 +61,22 @@ | |||
61 | 61 | ||
62 | #define SSH_GSS_OIDTYPE 0x06 | 62 | #define SSH_GSS_OIDTYPE 0x06 |
63 | 63 | ||
64 | #define SSH2_MSG_KEXGSS_INIT 30 | ||
65 | #define SSH2_MSG_KEXGSS_CONTINUE 31 | ||
66 | #define SSH2_MSG_KEXGSS_COMPLETE 32 | ||
67 | #define SSH2_MSG_KEXGSS_HOSTKEY 33 | ||
68 | #define SSH2_MSG_KEXGSS_ERROR 34 | ||
69 | #define SSH2_MSG_KEXGSS_GROUPREQ 40 | ||
70 | #define SSH2_MSG_KEXGSS_GROUP 41 | ||
71 | #define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" | ||
72 | #define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" | ||
73 | #define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" | ||
74 | |||
64 | typedef struct { | 75 | typedef struct { |
65 | char *filename; | 76 | char *filename; |
66 | char *envvar; | 77 | char *envvar; |
67 | char *envval; | 78 | char *envval; |
79 | struct passwd *owner; | ||
68 | void *data; | 80 | void *data; |
69 | } ssh_gssapi_ccache; | 81 | } ssh_gssapi_ccache; |
70 | 82 | ||
@@ -72,8 +84,11 @@ typedef struct { | |||
72 | gss_buffer_desc displayname; | 84 | gss_buffer_desc displayname; |
73 | gss_buffer_desc exportedname; | 85 | gss_buffer_desc exportedname; |
74 | gss_cred_id_t creds; | 86 | gss_cred_id_t creds; |
87 | gss_name_t name; | ||
75 | struct ssh_gssapi_mech_struct *mech; | 88 | struct ssh_gssapi_mech_struct *mech; |
76 | ssh_gssapi_ccache store; | 89 | ssh_gssapi_ccache store; |
90 | int used; | ||
91 | int updated; | ||
77 | } ssh_gssapi_client; | 92 | } ssh_gssapi_client; |
78 | 93 | ||
79 | typedef struct ssh_gssapi_mech_struct { | 94 | typedef struct ssh_gssapi_mech_struct { |
@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct { | |||
84 | int (*userok) (ssh_gssapi_client *, char *); | 99 | int (*userok) (ssh_gssapi_client *, char *); |
85 | int (*localname) (ssh_gssapi_client *, char **); | 100 | int (*localname) (ssh_gssapi_client *, char **); |
86 | void (*storecreds) (ssh_gssapi_client *); | 101 | void (*storecreds) (ssh_gssapi_client *); |
102 | int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *); | ||
87 | } ssh_gssapi_mech; | 103 | } ssh_gssapi_mech; |
88 | 104 | ||
89 | typedef struct { | 105 | typedef struct { |
@@ -94,10 +110,11 @@ typedef struct { | |||
94 | gss_OID oid; /* client */ | 110 | gss_OID oid; /* client */ |
95 | gss_cred_id_t creds; /* server */ | 111 | gss_cred_id_t creds; /* server */ |
96 | gss_name_t client; /* server */ | 112 | gss_name_t client; /* server */ |
97 | gss_cred_id_t client_creds; /* server */ | 113 | gss_cred_id_t client_creds; /* both */ |
98 | } Gssctxt; | 114 | } Gssctxt; |
99 | 115 | ||
100 | extern ssh_gssapi_mech *supported_mechs[]; | 116 | extern ssh_gssapi_mech *supported_mechs[]; |
117 | extern Gssctxt *gss_kex_context; | ||
101 | 118 | ||
102 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 119 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
103 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 120 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
@@ -119,16 +136,32 @@ void ssh_gssapi_build_ctx(Gssctxt **); | |||
119 | void ssh_gssapi_delete_ctx(Gssctxt **); | 136 | void ssh_gssapi_delete_ctx(Gssctxt **); |
120 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 137 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
121 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 138 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
122 | int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); | 139 | int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); |
140 | OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); | ||
141 | int ssh_gssapi_credentials_updated(Gssctxt *); | ||
123 | 142 | ||
124 | /* In the server */ | 143 | /* In the server */ |
144 | typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, | ||
145 | const char *); | ||
146 | char *ssh_gssapi_client_mechanisms(const char *, const char *); | ||
147 | char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, | ||
148 | const char *); | ||
149 | gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); | ||
150 | int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, | ||
151 | const char *); | ||
125 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 152 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
126 | int ssh_gssapi_userok(char *name); | 153 | int ssh_gssapi_userok(char *name, struct passwd *); |
127 | OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); | 154 | OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); |
128 | void ssh_gssapi_do_child(char ***, u_int *); | 155 | void ssh_gssapi_do_child(char ***, u_int *); |
129 | void ssh_gssapi_cleanup_creds(void); | 156 | void ssh_gssapi_cleanup_creds(void); |
130 | void ssh_gssapi_storecreds(void); | 157 | void ssh_gssapi_storecreds(void); |
131 | 158 | ||
159 | char *ssh_gssapi_server_mechanisms(void); | ||
160 | int ssh_gssapi_oid_table_ok(void); | ||
161 | |||
162 | int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); | ||
163 | void ssh_gssapi_rekey_creds(void); | ||
164 | |||
132 | #endif /* GSSAPI */ | 165 | #endif /* GSSAPI */ |
133 | 166 | ||
134 | #endif /* _SSH_GSS_H */ | 167 | #endif /* _SSH_GSS_H */ |