authorColin Watson <cjwatson@debian.org>2005-09-14 15:20:11 +0000
committerColin Watson <cjwatson@debian.org>2005-09-14 15:20:11 +0000
commitf88d86e05895671b9d036c26566a41752ec86c31 (patch)
tree383ab296992965df981866a84ad9cbd5f18866e3 /sshd.c
parent2a6f54a2f2f0efe713ee5f6eb9e2099aef0ed516 (diff)
* Add remaining pieces of Kerberos support (closes: #275472):
- Add GSSAPI key exchange support from http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen Frost).
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c58
1 files changed, 53 insertions, 5 deletions
diff --git a/sshd.c b/sshd.c
index 86468318e..967f5e7f0 100644
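--- a/sshd.c
+++ b/sshd.c
@@ -1122,10 +1122,12 @@ main(int ac, char **av)
  logit("Disabling protocol version 1. Could not load host key");
  options.protocol &= ~SSH_PROTO_1;
  }
+#ifndef GSSAPI
  if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
  logit("Disabling protocol version 2. Could not load host key");
  options.protocol &= ~SSH_PROTO_2;
  }
+#endif
  if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  logit("sshd: no hostkeys available -- exiting.");
  exit(1);
@@ -2011,13 +2013,59 @@ do_ssh2_kex(void)
  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
  /* start key exchange */
- kex = kex_setup(myproposal);
- kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
+
+#ifdef GSSAPI
+ {
+ char *orig;
+ char *gss = NULL;
+ char *newstr = NULL;
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ /*
+ * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
+ */
+
+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+ orig = NULL;
+
+ gss = ssh_gssapi_server_mechanisms();
+
+ if (gss && orig) {
+ int len = strlen(orig) + strlen(gss) + 2;
+ newstr = xmalloc(len);
+ snprintf(newstr, len, "%s,%s", gss, orig);
+ } else if (gss) {
+ newstr = gss;
+ } else if (orig) {
+ newstr = orig;
+ }
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
+ /* start key exchange */
+ kex = kex_setup(myproposal);
+ kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
  kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
  kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
- kex->server = 1;
- kex->client_version_string=client_version_string;
- kex->server_version_string=server_version_string;
+#ifdef GSSAPI
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+#endif
+ kex->server = 1;
+ kex->client_version_string=client_version_string;
+ kex->server_version_string=server_version_string;
  kex->load_host_key=&get_hostkey_by_type;
  kex->host_key_index=&get_hostkey_index;
 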
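Review bot: The `#ifndef GSSAPI` guard added around the protocol 2 host-key check in main() is a compile-time switch, so every GSSAPI build keeps SSH_PROTO_2 enabled without a host key, whether or not any GSS mechanism is usable at run time. In that case the new block in do_ssh2_kex() sets `orig = NULL`, gets no `gss` string and ends in `fatal("No supported key exchange algorithms")`, so the misconfiguration shows up at key exchange instead of at startup. Consider keeping the startup check in GSSAPI builds and relaxing it only when GSSAPI key exchange is actually available, and put a comment above the `"null"` assignment such as `/* no host key is offered here, so the server is authenticated by the GSSAPI exchange alone */`. As a smaller point, `int len = strlen(orig) + strlen(gss) + 2;` should be `size_t len`, and `gss` is not released after being copied into `newstr` in the lines shown. Both main() and do_ssh2_kex() continue outside these hunks.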