Diffstat (limited to 'auth2-gss.c')
-rw-r--r-- | auth2-gss.c | 80 |
1 files changed, 46 insertions, 34 deletions
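--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
 
 /*
 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -48,17 +48,18 @@
 
 extern ServerOptions options;
 
-static int input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_errtok(int, u_int32_t, void *);
+static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
 
 /*
 * The 'gssapi_keyex' userauth mechanism.
 */
 static int
-userauth_gsskeyex(Authctxt *authctxt)
+userauth_gsskeyex(struct ssh *ssh)
 {
+Authctxt *authctxt = ssh->authctxt;
 int authenticated = 0;
 Buffer b;
 gss_buffer_desc mic, gssbuf;
@@ -92,8 +93,9 @@ userauth_gsskeyex(Authctxt *authctxt)
 * how to check local user kuserok and the like)
 */
 static int
-userauth_gssapi(Authctxt *authctxt)
+userauth_gssapi(struct ssh *ssh)
 {
+Authctxt *authctxt = ssh->authctxt;
 gss_OID_desc goid = {0, NULL};
 Gssctxt *ctxt = NULL;
 int mechs;
@@ -153,17 +155,17 @@ userauth_gssapi(Authctxt *authctxt)
 packet_send();
 free(doid);
 
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
 authctxt->postponed = 1;
 
 return (0);
 }
 
 static int
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
+input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 Gssctxt *gssctxt;
 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc recv_tok;
@@ -191,8 +193,8 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 packet_send();
 }
 authctxt->postponed = 0;
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+userauth_finish(ssh, 0, "gssapi-with-mic", NULL);
 } else {
 if (send_tok.length != 0) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -200,12 +202,12 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 packet_send();
 }
 if (maj_status == GSS_S_COMPLETE) {
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 if (flags & GSS_C_INTEG_FLAG)
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC,
 &input_gssapi_mic);
 else
-dispatch_set(
+ssh_dispatch_set(ssh,
 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 &input_gssapi_exchange_complete);
 }
@@ -216,9 +218,9 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 }
 
 static int
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
+input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 Gssctxt *gssctxt;
 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc recv_tok;
@@ -241,8 +243,8 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 free(recv_tok.value);
 
 /* We can't return anything to the client, even if we wanted to */
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 
 /* The client will have already moved on to the next auth */
 
@@ -257,10 +259,11 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 */
 
 static int
-input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 int authenticated;
+const char *displayname;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
@@ -275,24 +278,29 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
 authctxt->pw));
 
+if ((!use_privsep || mm_is_monitor()) &&
+(displayname = ssh_gssapi_displayname()) != NULL)
+auth2_record_info(authctxt, "%s", displayname);
+
 authctxt->postponed = 0;
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
 return 0;
 }
 
 static int
-input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 Gssctxt *gssctxt;
 int authenticated = 0;
 Buffer b;
 gss_buffer_desc mic, gssbuf;
 u_int len;
+const char *displayname;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
@@ -317,12 +325,16 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 buffer_free(&b);
 free(mic.value);
 
+if ((!use_privsep || mm_is_monitor()) &&
+(displayname = ssh_gssapi_displayname()) != NULL)
+auth2_record_info(authctxt, "%s", displayname);
+
 authctxt->postponed = 0;
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
 return 0;
 }
 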
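Review bot: The displayname-recording block added to input_gssapi_exchange_complete (and repeated verbatim in input_gssapi_mic) is guarded by `(!use_privsep || mm_is_monitor())`, so the authenticated GSSAPI principal reaches auth2_record_info only when privilege separation is off or this dispatch handler happens to run inside the monitor; if, as for the other userauth handlers, these callbacks run in the unprivileged process under privsep, the principal is silently never recorded in the default configuration and the auth log loses which Kerberos identity was accepted. Either fetch the name across the monitor boundary the same way the adjacent `PRIVSEP(ssh_gssapi_userok(...))` call does, or make the limitation explicit with a comment such as `/* XXX displayname lives in the monitor; not recorded when use_privsep */` so a later reader does not assume it is logged. Since the three lines are duplicated in both handlers, a small `static void gssapi_record_displayname(Authctxt *)` helper would keep the two in step if the guard is later fixed. Both functions start before their hunks, so the token/MIC validation that precedes these blocks is not visible here.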