summaryrefslogtreecommitdiff
path: root/ssh-gss.h
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2020-02-21 12:01:36 +0000
commit34aff3aa136e5a65f441b25811dd466488fda087 (patch)
treee2170faeed03d67545255d3d3c9d62280414c0b2 /ssh-gss.h
parentf0de78bd4f29fa688c5df116f3f9cd43543a76d0 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2020-02-21 Patch-Name: gssapi.patch
Diffstat (limited to 'ssh-gss.h')
-rw-r--r--ssh-gss.h50
1 files changed, 46 insertions, 4 deletions
diff --git a/ssh-gss.h b/ssh-gss.h
index 36180d07a..70dd36658 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,6 +1,6 @@
1/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */ 1/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 3 * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -61,10 +61,30 @@
61 61
62#define SSH_GSS_OIDTYPE 0x06 62#define SSH_GSS_OIDTYPE 0x06
63 63
64#define SSH2_MSG_KEXGSS_INIT 30
65#define SSH2_MSG_KEXGSS_CONTINUE 31
66#define SSH2_MSG_KEXGSS_COMPLETE 32
67#define SSH2_MSG_KEXGSS_HOSTKEY 33
68#define SSH2_MSG_KEXGSS_ERROR 34
69#define SSH2_MSG_KEXGSS_GROUPREQ 40
70#define SSH2_MSG_KEXGSS_GROUP 41
71#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
72#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
73#define KEX_GSS_GRP14_SHA256_ID "gss-group14-sha256-"
74#define KEX_GSS_GRP16_SHA512_ID "gss-group16-sha512-"
75#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
76#define KEX_GSS_NISTP256_SHA256_ID "gss-nistp256-sha256-"
77#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
78
79#define GSS_KEX_DEFAULT_KEX \
80 KEX_GSS_GEX_SHA1_ID "," \
81 KEX_GSS_GRP14_SHA1_ID
82
64typedef struct { 83typedef struct {
65 char *filename; 84 char *filename;
66 char *envvar; 85 char *envvar;
67 char *envval; 86 char *envval;
87 struct passwd *owner;
68 void *data; 88 void *data;
69} ssh_gssapi_ccache; 89} ssh_gssapi_ccache;
70 90
@@ -72,8 +92,11 @@ typedef struct {
72 gss_buffer_desc displayname; 92 gss_buffer_desc displayname;
73 gss_buffer_desc exportedname; 93 gss_buffer_desc exportedname;
74 gss_cred_id_t creds; 94 gss_cred_id_t creds;
95 gss_name_t name;
75 struct ssh_gssapi_mech_struct *mech; 96 struct ssh_gssapi_mech_struct *mech;
76 ssh_gssapi_ccache store; 97 ssh_gssapi_ccache store;
98 int used;
99 int updated;
77} ssh_gssapi_client; 100} ssh_gssapi_client;
78 101
79typedef struct ssh_gssapi_mech_struct { 102typedef struct ssh_gssapi_mech_struct {
@@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct {
84 int (*userok) (ssh_gssapi_client *, char *); 107 int (*userok) (ssh_gssapi_client *, char *);
85 int (*localname) (ssh_gssapi_client *, char **); 108 int (*localname) (ssh_gssapi_client *, char **);
86 void (*storecreds) (ssh_gssapi_client *); 109 void (*storecreds) (ssh_gssapi_client *);
110 int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
87} ssh_gssapi_mech; 111} ssh_gssapi_mech;
88 112
89typedef struct { 113typedef struct {
@@ -94,10 +118,11 @@ typedef struct {
94 gss_OID oid; /* client */ 118 gss_OID oid; /* client */
95 gss_cred_id_t creds; /* server */ 119 gss_cred_id_t creds; /* server */
96 gss_name_t client; /* server */ 120 gss_name_t client; /* server */
97 gss_cred_id_t client_creds; /* server */ 121 gss_cred_id_t client_creds; /* both */
98} Gssctxt; 122} Gssctxt;
99 123
100extern ssh_gssapi_mech *supported_mechs[]; 124extern ssh_gssapi_mech *supported_mechs[];
125extern Gssctxt *gss_kex_context;
101 126
102int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 127int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
103void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 128void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
109 134
110struct sshbuf; 135struct sshbuf;
111int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); 136int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
137int ssh_gssapi_sshpkt_get_buffer_desc(struct ssh *, gss_buffer_desc *);
112 138
113OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); 139OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
114OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int, 140OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
123OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 149OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
124void ssh_gssapi_buildmic(struct sshbuf *, const char *, 150void ssh_gssapi_buildmic(struct sshbuf *, const char *,
125 const char *, const char *); 151 const char *, const char *);
126int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); 152int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
153OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
154int ssh_gssapi_credentials_updated(Gssctxt *);
127 155
128/* In the server */ 156/* In the server */
157typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
158 const char *);
159char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
160char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
161 const char *, const char *);
162gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
163int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
164 const char *);
129OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 165OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
130int ssh_gssapi_userok(char *name); 166int ssh_gssapi_userok(char *name, struct passwd *, int kex);
131OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); 167OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
132void ssh_gssapi_do_child(char ***, u_int *); 168void ssh_gssapi_do_child(char ***, u_int *);
133void ssh_gssapi_cleanup_creds(void); 169void ssh_gssapi_cleanup_creds(void);
134void ssh_gssapi_storecreds(void); 170void ssh_gssapi_storecreds(void);
135const char *ssh_gssapi_displayname(void); 171const char *ssh_gssapi_displayname(void);
136 172
173char *ssh_gssapi_server_mechanisms(void);
174int ssh_gssapi_oid_table_ok(void);
175
176int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
177void ssh_gssapi_rekey_creds(void);
178
137#endif /* GSSAPI */ 179#endif /* GSSAPI */
138 180
139#endif /* _SSH_GSS_H */ 181#endif /* _SSH_GSS_H */