path: root/sshconnect2.c
authorColin Watson <cjwatson@debian.org>2005-09-14 15:20:11 +0000
committerColin Watson <cjwatson@debian.org>2005-09-14 15:20:11 +0000
commitf88d86e05895671b9d036c26566a41752ec86c31 (patch)
tree383ab296992965df981866a84ad9cbd5f18866e3 /sshconnect2.c
parent2a6f54a2f2f0efe713ee5f6eb9e2099aef0ed516 (diff)
* Add remaining pieces of Kerberos support (closes: #275472):
- Add GSSAPI key exchange support from http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen Frost).
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c80
1 files changed, 80 insertions, 0 deletions
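--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -84,9 +84,26 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 {
 	Kex *kex;
 
+#ifdef GSSAPI
+	char *orig, *gss;
+	int len;
+#endif
+
 	xxx_host = host;
 	xxx_hostaddr = hostaddr;
 
+#ifdef GSSAPI
+	orig = myproposal[PROPOSAL_KEX_ALGS];
+	gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1));
+	debug("Offering GSSAPI proposal: %s",gss);
+	if (gss) {
+		len = strlen(orig) + strlen(gss) + 2;
+		myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
+		snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss,
+		    orig);
+	}
+#endif
+
 	if (options.ciphers == (char *)-1) {
 		logit("No valid ciphers for protocol version 2 given, using defaults.");
 		options.ciphers = NULL;
@@ -114,6 +131,16 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 	    options.hostkeyalgorithms;
 
+#ifdef GSSAPI
+	if (gss) {
+		orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+		len = strlen(orig) + sizeof(",null");
+		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xmalloc(len);
+		snprintf(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], len,
+		    "%s,null", orig);
+	}
+#endif
+
 	if (options.rekey_limit)
 		packet_set_rekey_limit(options.rekey_limit);
 
@@ -122,10 +149,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
+#ifdef GSSAPI
+	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+#endif
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
 	kex->verify_host_key=&verify_host_key_callback;
 
+#ifdef GSSAPI
+	kex->gss_deleg_creds = options.gss_deleg_creds;
+#endif
+
 	xxx_kex = kex;
 
 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -208,6 +242,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
 void input_gssapi_hash(int type, u_int32_t, void *);
 void input_gssapi_error(int, u_int32_t, void *);
 void input_gssapi_errtok(int, u_int32_t, void *);
+int userauth_gsskeyx(Authctxt *authctxt);
 #endif
 
 void userauth(Authctxt *, char *);
@@ -223,6 +258,10 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
+	{"gssapi-keyx",
+		userauth_gsskeyx,
+		&options.gss_authentication,
+		NULL},
 	{"gssapi-with-mic",
 		userauth_gssapi,
 		&options.gss_authentication,
@@ -706,6 +745,47 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 	xfree(msg);
 	xfree(lang);
 }
+
+int
+userauth_gsskeyx(Authctxt *authctxt)
+{
+	Buffer b;
+	gss_buffer_desc gssbuf, mic;
+	OM_uint32 ms;
+
+	static int attempt = 0;
+	if (attempt++ >= 1)
+		return (0);
+
+	if (gss_kex_context == NULL) {
+		debug("No valid Key exchange context");
+		return (0);
+	}
+
+	ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+	    "gssapi-keyex");
+
+	gssbuf.value = buffer_ptr(&b);
+	gssbuf.length = buffer_len(&b);
+
+	if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
+		buffer_free(&b);
+		return (0);
+	}
+
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_string(mic.value, mic.length);
+	packet_send();
+
+	buffer_free(&b);
+	gss_release_buffer(&ms, &mic);
+
+	return (1);
+}
+
 #endif /* GSSAPI */
 
 int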
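Review bot: The new method is registered as `"gssapi-keyx"` in `authmethods[]` (new line 261) but `userauth_gsskeyx` builds the MIC over the literal `"gssapi-keyex"` (new line 766), while the USERAUTH_REQUEST it sends carries `authctxt->method->name`, i.e. the former spelling. Whatever method string the server folds into its own MIC input can agree with at most one of these two, so either the method name on the wire or the MIC will not verify and, because of the `attempt` counter, the method silently gives up after one try. Use one spelling in both places — `{"gssapi-keyex",` in the table is what the GSSAPI key-exchange specification names this method — or pass `authctxt->method->name` to `ssh_gssapi_buildmic` instead of a second literal. Separately, hunk 2 appends `,null` to the host-key proposal whenever a GSSAPI mechanism is available, before the server has chosen a kex; that is only safe if the kex code elsewhere refuses a `null` host key when a non-GSS key exchange was negotiated, and that check is not visible here, so please confirm it exists. In hunk 1, `debug("Offering GSSAPI proposal: %s",gss)` runs before the `if (gss)` test and passes a possibly NULL pointer to `%s`; move it inside the `if` or use `gss ? gss : "(none)"`.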