authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2015-08-19 16:33:29 +0100
commit06879e71614170580ffa7568ec5c009f60a9d084 (patch)
tree2264e498417b1968891c6f8a3c3b560b2b3a4761 /sshd.c
parentbaccdb349b31c47cd76fb63211f754ed33a9707e (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-08-19 Patch-Name: gssapi.patch
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c110
1 files changed, 110 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index e1c767c14..cf38baebf 100644
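--- a/sshd.c
+++ b/sshd.c
@@ -125,6 +125,10 @@
 #include "version.h"
 #include "ssherr.h"
 
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -1815,10 +1819,13 @@ main(int ac, char **av)
  logit("Disabling protocol version 1. Could not load host key");
  options.protocol &= ~SSH_PROTO_1;
  }
+#ifndef GSSAPI
+ /* The GSSAPI key exchange can run without a host key */
  if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
  logit("Disabling protocol version 2. Could not load host key");
  options.protocol &= ~SSH_PROTO_2;
  }
+#endif
  if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  logit("sshd: no hostkeys available -- exiting.");
  exit(1);
@@ -2132,6 +2139,60 @@ main(int ac, char **av)
  remote_ip, remote_port,
  get_local_ipaddr(sock_in), get_local_port());
 
+#ifdef USE_SECURITY_SESSION_API
+ /*
+ * Create a new security session for use by the new user login if
+ * the current session is the root session or we are not launched
+ * by inetd (eg: debugging mode or server mode). We do not
+ * necessarily need to create a session if we are launched from
+ * inetd because Panther xinetd will create a session for us.
+ *
+ * The only case where this logic will fail is if there is an
+ * inetd running in a non-root session which is not creating
+ * new sessions for us. Then all the users will end up in the
+ * same session (bad).
+ *
+ * When the client exits, the session will be destroyed for us
+ * automatically.
+ *
+ * We must create the session before any credentials are stored
+ * (including AFS pags, which happens a few lines below).
+ */
+ {
+ OSStatus err = 0;
+ SecuritySessionId sid = 0;
+ SessionAttributeBits sattrs = 0;
+
+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
+ if (err)
+ error("SessionGetInfo() failed with error %.8X",
+ (unsigned) err);
+ else
+ debug("Current Session ID is %.8X / Session Attributes are %.8X",
+ (unsigned) sid, (unsigned) sattrs);
+
+ if (inetd_flag && !(sattrs & sessionIsRoot))
+ debug("Running in inetd mode in a non-root session... "
+ "assuming inetd created the session for us.");
+ else {
+ debug("Creating new security session...");
+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
+ if (err)
+ error("SessionCreate() failed with error %.8X",
+ (unsigned) err);
+
+ err = SessionGetInfo(callerSecuritySession, &sid,
+ &sattrs);
+ if (err)
+ error("SessionGetInfo() failed with error %.8X",
+ (unsigned) err);
+ else
+ debug("New Session ID is %.8X / Session Attributes are %.8X",
+ (unsigned) sid, (unsigned) sattrs);
+ }
+ }
+#endif
+
  /*
  * We don't want to listen forever unless the other side
  * successfully authenticates itself. So we set up an alarm which is
@@ -2561,6 +2622,48 @@ do_ssh2_kex(void)
  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
  list_hostkey_types());
 
+#ifdef GSSAPI
+ {
+ char *orig;
+ char *gss = NULL;
+ char *newstr = NULL;
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ /*
+ * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
+ */
+
+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+ orig = NULL;
+
+ if (options.gss_keyex)
+ gss = ssh_gssapi_server_mechanisms();
+ else
+ gss = NULL;
+
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+ newstr = gss;
+ else if (orig)
+ newstr = orig;
+
+ /*
+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
+ * key alg, but we can't tell people about it unless its the only
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
+ else
+ fatal("No supported key exchange algorithms");
+ }
+#endif
+
  /* start key exchange */
  if ((r = kex_setup(active_state, myproposal)) != 0)
  fatal("kex_setup: %s", ssh_err(r));
@@ -2575,6 +2678,13 @@ do_ssh2_kex(void)
 # endif
 #endif
  kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ }
+#endif
  kex->server = 1;
  kex->client_version_string=client_version_string;
  kex->server_version_string=server_version_string;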
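Review bot: The `#ifndef GSSAPI` wrapper added in main() around the "Disabling protocol version 2. Could not load host key" check makes the missing-host-key test a build-time decision, so a GSSAPI build leaves SSH_PROTO_2 enabled without a host key even when `options.gss_keyex` is off. In that configuration the "sshd: no hostkeys available -- exiting." startup check no longer fires for protocol 2. Assuming the host key algorithm list is then empty, every connection instead reaches `fatal("No supported key exchange algorithms")` in the new do_ssh2_kex() block, which is a pre-authentication path. I would keep the compile-time guard but add an `#else` branch that tests the runtime option, `if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key && !options.gss_keyex) {`, with the same logit() and mask update, so the daemon still refuses to start and logs why. This assumes `options.gss_keyex` has its final value at that point; main() begins and ends outside the hunk, so that ordering should be confirmed.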