diff options
| author | Colin Watson <cjwatson@debian.org> | 2006-05-12 09:46:51 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2006-05-12 09:46:51 +0000 |
| commit | 2a3e00306c9b3b4db71a777a7c3ccb70e470c675 (patch) | |
| tree | f00af0128b0ac750d739384f111000c1c97007e4 /sshconnect2.c | |
| parent | 2ee73b36b9a35daeaa4b065046882dc1f5f551b6 (diff) | |
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch
(closes: #352042).
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 7ee71763a..3fb5df233 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -87,6 +87,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 87 | #ifdef GSSAPI | 87 | #ifdef GSSAPI |
| 88 | char *orig, *gss = NULL; | 88 | char *orig, *gss = NULL; |
| 89 | int len; | 89 | int len; |
| 90 | char *gss_host; | ||
| 90 | #endif | 91 | #endif |
| 91 | 92 | ||
| 92 | xxx_host = host; | 93 | xxx_host = host; |
| @@ -94,10 +95,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 94 | 95 | ||
| 95 | #ifdef GSSAPI | 96 | #ifdef GSSAPI |
| 96 | if (options.gss_authentication) { | 97 | if (options.gss_authentication) { |
| 98 | /* Add the GSSAPI mechanisms currently supported on this | ||
| 99 | * client to the key exchange algorithm proposal */ | ||
| 97 | orig = myproposal[PROPOSAL_KEX_ALGS]; | 100 | orig = myproposal[PROPOSAL_KEX_ALGS]; |
| 98 | gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1)); | 101 | if (options.gss_trust_dns) |
| 99 | debug("Offering GSSAPI proposal: %s",gss); | 102 | gss_host = (char *)get_canonical_hostname(1); |
| 103 | else | ||
| 104 | gss_host = host; | ||
| 105 | |||
| 106 | gss = ssh_gssapi_client_mechanisms(gss_host); | ||
| 100 | if (gss) { | 107 | if (gss) { |
| 108 | debug("Offering GSSAPI proposal: %s", gss); | ||
| 101 | len = strlen(orig) + strlen(gss) + 2; | 109 | len = strlen(orig) + strlen(gss) + 2; |
| 102 | myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); | 110 | myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); |
| 103 | snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", | 111 | snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", |
| @@ -134,6 +142,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 134 | options.hostkeyalgorithms; | 142 | options.hostkeyalgorithms; |
| 135 | 143 | ||
| 136 | #ifdef GSSAPI | 144 | #ifdef GSSAPI |
| 145 | /* If we've got GSSAPI algorithms, then we also support the | ||
| 146 | * 'null' hostkey, as a last resort */ | ||
| 137 | if (gss) { | 147 | if (gss) { |
| 138 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; | 148 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; |
| 139 | len = strlen(orig) + sizeof(",null"); | 149 | len = strlen(orig) + sizeof(",null"); |
| @@ -152,8 +162,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 152 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; | 162 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; |
| 153 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 163 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
| 154 | #ifdef GSSAPI | 164 | #ifdef GSSAPI |
| 155 | if (options.gss_authentication) | 165 | if (options.gss_authentication) { |
| 156 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | 166 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; |
| 167 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; | ||
| 168 | } | ||
| 157 | #endif | 169 | #endif |
| 158 | kex->client_version_string=client_version_string; | 170 | kex->client_version_string=client_version_string; |
| 159 | kex->server_version_string=server_version_string; | 171 | kex->server_version_string=server_version_string; |
| @@ -161,6 +173,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 161 | 173 | ||
| 162 | #ifdef GSSAPI | 174 | #ifdef GSSAPI |
| 163 | kex->gss_deleg_creds = options.gss_deleg_creds; | 175 | kex->gss_deleg_creds = options.gss_deleg_creds; |
| 176 | kex->gss_trust_dns = options.gss_trust_dns; | ||
| 177 | kex->gss_host = gss_host; | ||
| 164 | #endif | 178 | #endif |
| 165 | 179 | ||
| 166 | xxx_kex = kex; | 180 | xxx_kex = kex; |
| @@ -245,7 +259,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | |||
| 245 | void input_gssapi_hash(int type, u_int32_t, void *); | 259 | void input_gssapi_hash(int type, u_int32_t, void *); |
| 246 | void input_gssapi_error(int, u_int32_t, void *); | 260 | void input_gssapi_error(int, u_int32_t, void *); |
| 247 | void input_gssapi_errtok(int, u_int32_t, void *); | 261 | void input_gssapi_errtok(int, u_int32_t, void *); |
| 248 | int userauth_gsskeyx(Authctxt *authctxt); | 262 | int userauth_gsskeyex(Authctxt *authctxt); |
| 249 | #endif | 263 | #endif |
| 250 | 264 | ||
| 251 | void userauth(Authctxt *, char *); | 265 | void userauth(Authctxt *, char *); |
| @@ -261,8 +275,8 @@ static char *authmethods_get(void); | |||
| 261 | 275 | ||
| 262 | Authmethod authmethods[] = { | 276 | Authmethod authmethods[] = { |
| 263 | #ifdef GSSAPI | 277 | #ifdef GSSAPI |
| 264 | {"gssapi-keyx", | 278 | {"gssapi-keyex", |
| 265 | userauth_gsskeyx, | 279 | userauth_gsskeyex, |
| 266 | &options.gss_authentication, | 280 | &options.gss_authentication, |
| 267 | NULL}, | 281 | NULL}, |
| 268 | {"gssapi-with-mic", | 282 | {"gssapi-with-mic", |
| @@ -775,10 +789,11 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | |||
| 775 | } | 789 | } |
| 776 | 790 | ||
| 777 | int | 791 | int |
| 778 | userauth_gsskeyx(Authctxt *authctxt) | 792 | userauth_gsskeyex(Authctxt *authctxt) |
| 779 | { | 793 | { |
| 780 | Buffer b; | 794 | Buffer b; |
| 781 | gss_buffer_desc gssbuf, mic; | 795 | gss_buffer_desc gssbuf; |
| 796 | gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; | ||
| 782 | OM_uint32 ms; | 797 | OM_uint32 ms; |
| 783 | 798 | ||
| 784 | static int attempt = 0; | 799 | static int attempt = 0; |