authorColin Watson <cjwatson@debian.org>2009-12-29 20:42:47 +0000
committerColin Watson <cjwatson@debian.org>2009-12-29 20:42:47 +0000
commit9ad7b718d42e43f3a285fcbc8f91193931fce324 (patch)
tree95afe9b315fb73da54752d5bb71c682485b2d370 /sshconnect2.c
parent5d05471f6657646d1d6500c7c43134462c407ee6 (diff)
import openssh-4.0p1-gssapikex.patch
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c80
1 files changed, 80 insertions, 0 deletions
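diff --git a/sshconnect2.c b/sshconnect2.c
index 68d56d020..b69602c0c 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -84,9 +84,26 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 {
  Kex *kex;
 
+#ifdef GSSAPI
+ char *orig, *gss;
+ int len;
+#endif
+
  xxx_host = host;
  xxx_hostaddr = hostaddr;
 
+#ifdef GSSAPI
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+ gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1));
+ debug("Offering GSSAPI proposal: %s",gss);
+ if (gss) {
+ len = strlen(orig) + strlen(gss) + 2;
+ myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
+ snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss,
+ orig);
+ }
+#endif
+
  if (options.ciphers == (char *)-1) {
  logit("No valid ciphers for protocol version 2 given, using defaults.");
  options.ciphers = NULL;
@@ -114,6 +131,16 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  options.hostkeyalgorithms;
 
+#ifdef GSSAPI
+ if (gss) {
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ len = strlen(orig) + sizeof(",null");
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xmalloc(len);
+ snprintf(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], len,
+ "%s,null", orig);
+ }
+#endif
+
  if (options.rekey_limit)
  packet_set_rekey_limit(options.rekey_limit);
 
@@ -122,10 +149,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
  kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
  kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
  kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+#ifdef GSSAPI
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+#endif
  kex->client_version_string=client_version_string;
  kex->server_version_string=server_version_string;
  kex->verify_host_key=&verify_host_key_callback;
 
+#ifdef GSSAPI
+ kex->gss_deleg_creds = options.gss_deleg_creds;
+#endif
+
  xxx_kex = kex;
 
  dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -208,6 +242,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
 void input_gssapi_hash(int type, u_int32_t, void *);
 void input_gssapi_error(int, u_int32_t, void *);
 void input_gssapi_errtok(int, u_int32_t, void *);
+int userauth_gsskeyx(Authctxt *authctxt);
 #endif
 
 void userauth(Authctxt *, char *);
@@ -223,6 +258,10 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
+ {"gssapi-keyx",
+ userauth_gsskeyx,
+ &options.gss_authentication,
+ NULL},
  {"gssapi-with-mic",
  userauth_gssapi,
  &options.gss_authentication,
@@ -704,6 +743,47 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
  xfree(msg);
  xfree(lang);
 }
+
+int
+userauth_gsskeyx(Authctxt *authctxt)
+{
+ Buffer b;
+ gss_buffer_desc gssbuf, mic;
+ OM_uint32 ms;
+
+ static int attempt = 0;
+ if (attempt++ >= 1)
+ return (0);
+
+ if (gss_kex_context == NULL) {
+ debug("No valid Key exchange context");
+ return (0);
+ }
+
+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
+
+ gssbuf.value = buffer_ptr(&b);
+ gssbuf.length = buffer_len(&b);
+
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
+ buffer_free(&b);
+ return (0);
+ }
+
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+ packet_put_string(mic.value, mic.length);
+ packet_send();
+
+ buffer_free(&b);
+ gss_release_buffer(&ms, &mic);
+
+ return (1);
+}
+
 #endif /* GSSAPI */
 
 int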
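Review bot: In the first hunk, `debug("Offering GSSAPI proposal: %s",gss);` runs before the `if (gss)` guard, so a NULL result from ssh_gssapi_client_mechanisms() is handed to a `%s` conversion, which is undefined behaviour even though some libc implementations happen to print "(null)"; moving the call inside the guard, `if (gss) { debug("Offering GSSAPI proposal: %s", gss); len = strlen(orig) + strlen(gss) + 2; ...`, keeps the log line and removes the hazard. Whether `gss` is heap-allocated and therefore leaks after the two proposal strings are built cannot be told from these hunks, since ssh_gssapi_client_mechanisms() is defined elsewhere. In the last hunk, userauth_gsskeyx computes its MIC over the literal `"gssapi-keyex"` while the request carries `authctxt->method->name`, which the authmethods entry in the fifth hunk sets to `"gssapi-keyx"`; if the peer recomputes the MIC over the method name it received rather than a fixed string, the two spellings must agree, so one of them should be chosen and used in both places. The body of ssh_kex2 continues outside the first three hunks.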