Diffstat (limited to 'auth2-gss.c')
-rw-r--r--auth2-gss.c41
1 files changed, 41 insertions, 0 deletions
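--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -47,6 +47,39 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
+/*
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+ int authenticated = 0;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
+ u_int len;
+
+ mic.value = packet_get_string(&len);
+ mic.length = len;
+
+ packet_check_eom();
+
+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+ "gssapi-keyex");
+
+ gssbuf.value = buffer_ptr(&b);
+ gssbuf.length = buffer_len(&b);
+
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+ &gssbuf, &mic))))
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+
+ buffer_free(&b);
+ xfree(mic.value);
+
+ return (authenticated);
+}
+
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like
@@ -97,11 +130,13 @@ userauth_gssapi(Authctxt *authctxt)
 
  if (!present) {
  xfree(doid);
+ authctxt->server_caused_failure = 1;
  return (0);
  }
 
  if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
  xfree(doid);
+ authctxt->server_caused_failure = 1;
  return (0);
  }
 
@@ -285,6 +320,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
  userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 }
 
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
+
 Authmethod method_gssapi = {
  "gssapi-with-mic",
  userauth_gssapi,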
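Review bot: userauth_gsskeyex in the first hunk calls ssh_gssapi_userok(authctxt->user) as soon as the MIC verifies, without first checking authctxt->valid, and the method table entry in the last hunk advertises "gssapi-keyex" whenever options.gss_authentication is set, whether or not a GSSAPI key exchange actually established gss_kex_context. The comment on the checkmic call only says the context is NULL under privsep and cannot be checked here, so the whole method rests on the monitor-side ssh_gssapi_checkmic rejecting a missing context; that dependency should be stated so a later change to the helper does not silently weaken this path, e.g. `/* gss_kex_context is NULL with privsep; relies on the monitor's ssh_gssapi_checkmic failing when no GSSAPI kex established a context */`. If the other userauth methods in this file reject unknown users up front, the same guard belongs at the top of this function: `if (!authctxt->valid || authctxt->user == NULL) return (0);`. The middle hunk only sets server_caused_failure on existing failure returns and needs no change.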