Diffstat (limited to 'auth2-gss.c')
-rw-r--r--auth2-gss.c80
1 files changed, 46 insertions, 34 deletions
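diff --git a/auth2-gss.c b/auth2-gss.c
index 3b5036dfd..fd411d3a7 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -48,17 +48,18 @@
 
 extern ServerOptions options;
 
-static int input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_errtok(int, u_int32_t, void *);
+static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
 
 /*
  * The 'gssapi_keyex' userauth mechanism.
  */
 static int
-userauth_gsskeyex(Authctxt *authctxt)
+userauth_gsskeyex(struct ssh *ssh)
 {
+	Authctxt *authctxt = ssh->authctxt;
 	int authenticated = 0;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
@@ -92,8 +93,9 @@ userauth_gsskeyex(Authctxt *authctxt)
  * how to check local user kuserok and the like)
  */
 static int
-userauth_gssapi(Authctxt *authctxt)
+userauth_gssapi(struct ssh *ssh)
 {
+	Authctxt *authctxt = ssh->authctxt;
 	gss_OID_desc goid = {0, NULL};
 	Gssctxt *ctxt = NULL;
 	int mechs;
@@ -153,17 +155,17 @@ userauth_gssapi(Authctxt *authctxt)
 	packet_send();
 	free(doid);
 
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
 	authctxt->postponed = 1;
 
 	return (0);
 }
 
 static int
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
+input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
 {
-	Authctxt *authctxt = ctxt;
+	Authctxt *authctxt = ssh->authctxt;
 	Gssctxt *gssctxt;
 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc recv_tok;
@@ -191,8 +193,8 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 			packet_send();
 		}
 		authctxt->postponed = 0;
-		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
+		ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+		userauth_finish(ssh, 0, "gssapi-with-mic", NULL);
 	} else {
 		if (send_tok.length != 0) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -200,12 +202,12 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 			packet_send();
 		}
 		if (maj_status == GSS_S_COMPLETE) {
-			dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+			ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 			if (flags & GSS_C_INTEG_FLAG)
-				dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
+				ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC,
 				    &input_gssapi_mic);
 			else
-				dispatch_set(
+				ssh_dispatch_set(ssh,
 				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 				    &input_gssapi_exchange_complete);
 		}
@@ -216,9 +218,9 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 }
 
 static int
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
+input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
 {
-	Authctxt *authctxt = ctxt;
+	Authctxt *authctxt = ssh->authctxt;
 	Gssctxt *gssctxt;
 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc recv_tok;
@@ -241,8 +243,8 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 	free(recv_tok.value);
 
 	/* We can't return anything to the client, even if we wanted to */
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 
 	/* The client will have already moved on to the next auth */
 
@@ -257,10 +259,11 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
  */
 
 static int
-input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 {
-	Authctxt *authctxt = ctxt;
+	Authctxt *authctxt = ssh->authctxt;
 	int authenticated;
+	const char *displayname;
 
 	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 		fatal("No authentication or GSSAPI context");
@@ -275,24 +278,29 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
 	    authctxt->pw));
 
+	if ((!use_privsep || mm_is_monitor()) &&
+	    (displayname = ssh_gssapi_displayname()) != NULL)
+		auth2_record_info(authctxt, "%s", displayname);
+
 	authctxt->postponed = 0;
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+	userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
 	return 0;
 }
 
 static int
-input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 {
-	Authctxt *authctxt = ctxt;
+	Authctxt *authctxt = ssh->authctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
+	const char *displayname;
 
 	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 		fatal("No authentication or GSSAPI context");
@@ -317,12 +325,16 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 	buffer_free(&b);
 	free(mic.value);
 
+	if ((!use_privsep || mm_is_monitor()) &&
+	    (displayname = ssh_gssapi_displayname()) != NULL)
+		auth2_record_info(authctxt, "%s", displayname);
+
 	authctxt->postponed = 0;
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+	userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
 	return 0;
 }
 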
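Review bot: The new display-name recording block and the teardown that follows it (four `ssh_dispatch_set(ssh, …, NULL)` calls, then `userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL)`) are now written out identically in input_gssapi_exchange_complete (hunk at -275) and input_gssapi_mic (hunk at -317); a small static helper would keep the two completion paths from drifting the next time a handler or a recorded field is added. The recorded name is the peer's GSSAPI identity, so it is peer-influenced data entering the authentication record: the call correctly passes it through `"%s"` rather than as the format string, but whether auth2_record_info or the eventual auth log strips control characters is not visible in this file and is worth confirming before relying on the log line. Both functions begin before their hunks, and the token/errtok paths are not touched by this suggestion.
```c
/*
 * Common tail of the gssapi-with-mic completion handlers: record the peer's
 * GSSAPI display name (only where the monitor can see it), unregister every
 * GSSAPI userauth handler and hand the result to userauth_finish().
 */
static void
input_gssapi_finish(struct ssh *ssh, Authctxt *authctxt, int authenticated)
{
	const char *displayname;

	if ((!use_privsep || mm_is_monitor()) &&
	    (displayname = ssh_gssapi_displayname()) != NULL)
		auth2_record_info(authctxt, "%s", displayname);

	authctxt->postponed = 0;
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
}

/* … unchanged: input_gssapi_exchange_complete up to the ssh_gssapi_userok() call … */
	input_gssapi_finish(ssh, authctxt, authenticated);
	return 0;

/* … unchanged: input_gssapi_mic up to free(mic.value) … */
	input_gssapi_finish(ssh, authctxt, authenticated);
	return 0;
```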