4 files changed, 56 insertions, 20 deletions
diff --git a/gss-serv.c b/gss-serv.c
index e7b8c5223..53993d674 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -44,9 +44,12 @@
 #include "channels.h"
 #include "session.h"
 #include "misc.h"
+#include "servconf.h"
 #include "ssh-gss.h"
+extern ServerOptions options;
 static ssh_gssapi_client gssapi_client =
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
        char lname[NI_MAXHOST];
        gss_OID_set oidset;
-        gss_create_empty_oid_set(&status, &oidset);
+        if (options.gss_strict_acceptor) {
-        gss_add_oid_set_member(&status, ctx->oid, &oidset);
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
-        if (gethostname(lname, sizeof(lname))) {
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
-                gss_release_oid_set(&status, &oidset);
+                        gss_release_oid_set(&status, &oidset);
-                return (-1);
+                        return (-1);
-        }
+                }
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
-        if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
                gss_release_oid_set(&status, &oidset);
                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
        }
+        return GSS_S_COMPLETE;
-        if ((ctx->major = gss_acquire_cred(&ctx->minor,
-            ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-                ssh_gssapi_error(ctx);
-        gss_release_oid_set(&status, &oidset);
-        return (ctx->major);
 }
 /* Privileged */
diff --git a/servconf.c b/servconf.c
index 5acaf61b1..eb32db0fa 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
        options->gss_cleanup_creds = -1;
+        options->gss_strict_acceptor = -1;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options)
                options->gss_authentication = 0;
        if (options->gss_cleanup_creds == -1)
                options->gss_cleanup_creds = 1;
+        if (options->gss_strict_acceptor == -1)
+                options->gss_strict_acceptor = 0;
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -397,7 +400,8 @@ typedef enum {
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-        sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+        sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sHostCertificate,
@@ -469,9 +473,11 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 #endif
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
+        case sGssStrictAcceptor:
+                intptr = &options->gss_strict_acceptor;
+                goto parse_flag;
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
diff --git a/servconf.h b/servconf.h
index dc2a5f6a6..606d80c9d 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.118 2015/05/21 06:43:31 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -118,6 +118,7 @@ typedef struct {
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
        int     password_authentication;        /* If true, permit password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
diff --git a/sshd_config.5 b/sshd_config.5
index 884e767b8..76179adff 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
-.Dd $Mdocdate: May 21 2015 $
+.Dd $Mdocdate: May 22 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -622,6 +622,21 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against.
+If set to
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname.
+If set to
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store.
+This facility is provided to assist with operation on multi homed machines.
+The default is
+.Dq yes .
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.

diff --git a/gss-serv.c b/gss-serv.c index e7b8c5223..53993d674 100644 --- a/gss-serv.c +++ b/gss-serv.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */	1	/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -44,9 +44,12 @@
44	#include "channels.h"	44	#include "channels.h"
45	#include "session.h"	45	#include "session.h"
46	#include "misc.h"	46	#include "misc.h"
		47	#include "servconf.h"
47		48
48	#include "ssh-gss.h"	49	#include "ssh-gss.h"
49		50
		51	extern ServerOptions options;
		52
50	static ssh_gssapi_client gssapi_client =	53	static ssh_gssapi_client gssapi_client =
51	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,	54	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
52	GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};	55	GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
99	char lname[NI_MAXHOST];	102	char lname[NI_MAXHOST];
100	gss_OID_set oidset;	103	gss_OID_set oidset;
101		104
102	gss_create_empty_oid_set(&status, &oidset);	105	if (options.gss_strict_acceptor) {
103	gss_add_oid_set_member(&status, ctx->oid, &oidset);	106	gss_create_empty_oid_set(&status, &oidset);
		107	gss_add_oid_set_member(&status, ctx->oid, &oidset);
104		108
105	if (gethostname(lname, sizeof(lname))) {	109	if (gethostname(lname, MAXHOSTNAMELEN)) {
106	gss_release_oid_set(&status, &oidset);	110	gss_release_oid_set(&status, &oidset);
107	return (-1);	111	return (-1);
108	}	112	}
		113
		114	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
		115	gss_release_oid_set(&status, &oidset);
		116	return (ctx->major);
		117	}
		118
		119	if ((ctx->major = gss_acquire_cred(&ctx->minor,
		120	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
		121	NULL, NULL)))
		122	ssh_gssapi_error(ctx);
109		123
110	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
111	gss_release_oid_set(&status, &oidset);	124	gss_release_oid_set(&status, &oidset);
112	return (ctx->major);	125	return (ctx->major);
		126	} else {
		127	ctx->name = GSS_C_NO_NAME;
		128	ctx->creds = GSS_C_NO_CREDENTIAL;
113	}	129	}
114		130	return GSS_S_COMPLETE;
115	if ((ctx->major = gss_acquire_cred(&ctx->minor,
116	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
117	ssh_gssapi_error(ctx);
118
119	gss_release_oid_set(&status, &oidset);
120	return (ctx->major);
121	}	131	}
122		132
123	/* Privileged */	133	/* Privileged */


diff --git a/servconf.c b/servconf.c index 5acaf61b1..eb32db0fa 100644 --- a/servconf.c +++ b/servconf.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */	1	/* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
116	options->kerberos_get_afs_token = -1;	116	options->kerberos_get_afs_token = -1;
117	options->gss_authentication=-1;	117	options->gss_authentication=-1;
118	options->gss_cleanup_creds = -1;	118	options->gss_cleanup_creds = -1;
		119	options->gss_strict_acceptor = -1;
119	options->password_authentication = -1;	120	options->password_authentication = -1;
120	options->kbd_interactive_authentication = -1;	121	options->kbd_interactive_authentication = -1;
121	options->challenge_response_authentication = -1;	122	options->challenge_response_authentication = -1;
@@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options)
276	options->gss_authentication = 0;	277	options->gss_authentication = 0;
277	if (options->gss_cleanup_creds == -1)	278	if (options->gss_cleanup_creds == -1)
278	options->gss_cleanup_creds = 1;	279	options->gss_cleanup_creds = 1;
		280	if (options->gss_strict_acceptor == -1)
		281	options->gss_strict_acceptor = 0;
279	if (options->password_authentication == -1)	282	if (options->password_authentication == -1)
280	options->password_authentication = 1;	283	options->password_authentication = 1;
281	if (options->kbd_interactive_authentication == -1)	284	if (options->kbd_interactive_authentication == -1)
@@ -397,7 +400,8 @@ typedef enum {
397	sBanner, sUseDNS, sHostbasedAuthentication,	400	sBanner, sUseDNS, sHostbasedAuthentication,
398	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,	401	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
399	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,	402	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
400	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,	403	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
		404	sAcceptEnv, sPermitTunnel,
401	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	405	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
402	sUsePrivilegeSeparation, sAllowAgentForwarding,	406	sUsePrivilegeSeparation, sAllowAgentForwarding,
403	sHostCertificate,	407	sHostCertificate,
@@ -469,9 +473,11 @@ static struct {
469	#ifdef GSSAPI	473	#ifdef GSSAPI
470	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },	474	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
471	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },	475	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
		476	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
472	#else	477	#else
473	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },	478	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
474	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },	479	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
		480	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
475	#endif	481	#endif
476	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },	482	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
477	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },	483	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions options, char line,
1212	intptr = &options->gss_cleanup_creds;	1218	intptr = &options->gss_cleanup_creds;
1213	goto parse_flag;	1219	goto parse_flag;
1214		1220
		1221	case sGssStrictAcceptor:
		1222	intptr = &options->gss_strict_acceptor;
		1223	goto parse_flag;
		1224
1215	case sPasswordAuthentication:	1225	case sPasswordAuthentication:
1216	intptr = &options->password_authentication;	1226	intptr = &options->password_authentication;
1217	goto parse_flag;	1227	goto parse_flag;


diff --git a/servconf.h b/servconf.h index dc2a5f6a6..606d80c9d 100644 --- a/servconf.h +++ b/servconf.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: servconf.h,v 1.118 2015/05/21 06:43:31 djm Exp $ */	1	/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
2		2
3	/*	3	/*
4	* Author: Tatu Ylonen <ylo@cs.hut.fi>	4	* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -118,6 +118,7 @@ typedef struct {
118	* authenticated with Kerberos. */	118	* authenticated with Kerberos. */
119	int gss_authentication; /* If true, permit GSSAPI authentication */	119	int gss_authentication; /* If true, permit GSSAPI authentication */
120	int gss_cleanup_creds; /* If true, destroy cred cache on logout */	120	int gss_cleanup_creds; /* If true, destroy cred cache on logout */
		121	int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
121	int password_authentication; /* If true, permit password	122	int password_authentication; /* If true, permit password
122	* authentication. */	123	* authentication. */
123	int kbd_interactive_authentication; /* If true, permit */	124	int kbd_interactive_authentication; /* If true, permit */


diff --git a/sshd_config.5 b/sshd_config.5 index 884e767b8..76179adff 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
37	.Dd $Mdocdate: May 21 2015 $	37	.Dd $Mdocdate: May 22 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -622,6 +622,21 @@ on logout.
622	The default is	622	The default is
623	.Dq yes .	623	.Dq yes .
624	Note that this option applies to protocol version 2 only.	624	Note that this option applies to protocol version 2 only.
		625	.It Cm GSSAPIStrictAcceptorCheck
		626	Determines whether to be strict about the identity of the GSSAPI acceptor
		627	a client authenticates against.
		628	If set to
		629	.Dq yes
		630	then the client must authenticate against the
		631	.Pa host
		632	service on the current hostname.
		633	If set to
		634	.Dq no
		635	then the client may authenticate against any service key stored in the
		636	machine's default store.
		637	This facility is provided to assist with operation on multi homed machines.
		638	The default is
		639	.Dq yes .
625	.It Cm HostbasedAcceptedKeyTypes	640	.It Cm HostbasedAcceptedKeyTypes
626	Specifies the key types that will be accepted for hostbased authentication	641	Specifies the key types that will be accepted for hostbased authentication
627	as a comma-separated pattern list.	642	as a comma-separated pattern list.