Diffstat (limited to 'auth2-gss.c')
-rw-r--r-- | auth2-gss.c | 41 |
1 files changed, 41 insertions, 0 deletions
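--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -47,6 +47,39 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
+/*
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+	int authenticated = 0;
+	Buffer b;
+	gss_buffer_desc mic, gssbuf;
+	u_int len;
+
+	mic.value = packet_get_string(&len);
+	mic.length = len;
+
+	packet_check_eom();
+
+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+	    "gssapi-keyex");
+
+	gssbuf.value = buffer_ptr(&b);
+	gssbuf.length = buffer_len(&b);
+
+	/* gss_kex_context is NULL with privsep, so we can't check it here */
+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+	    &gssbuf, &mic))))
+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+
+	buffer_free(&b);
+	xfree(mic.value);
+
+	return (authenticated);
+}
+
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like
@@ -97,11 +130,13 @@ userauth_gssapi(Authctxt *authctxt)
 
 	if (!present) {
 		xfree(doid);
+		authctxt->server_caused_failure = 1;
 		return (0);
 	}
 
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
 		xfree(doid);
+		authctxt->server_caused_failure = 1;
 		return (0);
 	}
 
@@ -285,6 +320,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 }
 
+Authmethod method_gsskeyex = {
+	"gssapi-keyex",
+	userauth_gsskeyex,
+	&options.gss_authentication
+};
+
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
 	userauth_gssapi,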
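Review bot: userauth_gsskeyex verifies the client's MIC against gss_kex_context without any local check that a GSSAPI key exchange actually established that context; the comment on the checkmic call says the context is NULL under privsep, so rejecting a gssapi-keyex attempt after a non-GSSAPI kex rests entirely on ssh_gssapi_checkmic failing for a NULL context, or on the monitor side, which is not part of this diff. The third hunk compounds this by enabling method_gsskeyex with `&options.gss_authentication` alone, so the method is advertised whenever GSSAPI authentication is on, regardless of how the connection was keyed. It would be worth confirming that the privileged side refuses the checkmic request unless a GSSAPI kex completed, and recording that dependency at the call site: `/* gss_kex_context is NULL with privsep, so we can't check it here; the monitor must refuse checkmic unless a GSSAPI kex completed */`. The method also relies on authctxt->user being set by the caller before it reaches ssh_gssapi_buildmic and ssh_gssapi_userok; if userauth_gssapi guards that case and this function is meant to mirror it, the same guard belongs here.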