diff options
Diffstat (limited to 'auth2-gss.c')
| -rw-r--r-- | auth2-gss.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/auth2-gss.c b/auth2-gss.c index c77c841a3..50bdc6452 100644 --- a/auth2-gss.c +++ b/auth2-gss.c | |||
| @@ -52,6 +52,39 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | |||
| 52 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 52 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
| 53 | static void input_gssapi_errtok(int, u_int32_t, void *); | 53 | static void input_gssapi_errtok(int, u_int32_t, void *); |
| 54 | 54 | ||
| 55 | /* | ||
| 56 | * The 'gssapi_keyex' userauth mechanism. | ||
| 57 | */ | ||
| 58 | static int | ||
| 59 | userauth_gsskeyex(Authctxt *authctxt) | ||
| 60 | { | ||
| 61 | int authenticated = 0; | ||
| 62 | Buffer b; | ||
| 63 | gss_buffer_desc mic, gssbuf; | ||
| 64 | u_int len; | ||
| 65 | |||
| 66 | mic.value = packet_get_string(&len); | ||
| 67 | mic.length = len; | ||
| 68 | |||
| 69 | packet_check_eom(); | ||
| 70 | |||
| 71 | ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, | ||
| 72 | "gssapi-keyex"); | ||
| 73 | |||
| 74 | gssbuf.value = buffer_ptr(&b); | ||
| 75 | gssbuf.length = buffer_len(&b); | ||
| 76 | |||
| 77 | /* gss_kex_context is NULL with privsep, so we can't check it here */ | ||
| 78 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, | ||
| 79 | &gssbuf, &mic)))) | ||
| 80 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); | ||
| 81 | |||
| 82 | buffer_free(&b); | ||
| 83 | xfree(mic.value); | ||
| 84 | |||
| 85 | return (authenticated); | ||
| 86 | } | ||
| 87 | |||
| 55 | /* | 88 | /* |
| 56 | * We only support those mechanisms that we know about (ie ones that we know | 89 | * We only support those mechanisms that we know about (ie ones that we know |
| 57 | * how to check local user kuserok and the like) | 90 | * how to check local user kuserok and the like) |
| @@ -102,6 +135,7 @@ userauth_gssapi(Authctxt *authctxt) | |||
| 102 | 135 | ||
| 103 | if (!present) { | 136 | if (!present) { |
| 104 | xfree(doid); | 137 | xfree(doid); |
| 138 | authctxt->server_caused_failure = 1; | ||
| 105 | return (0); | 139 | return (0); |
| 106 | } | 140 | } |
| 107 | 141 | ||
| @@ -109,6 +143,7 @@ userauth_gssapi(Authctxt *authctxt) | |||
| 109 | if (ctxt != NULL) | 143 | if (ctxt != NULL) |
| 110 | ssh_gssapi_delete_ctx(&ctxt); | 144 | ssh_gssapi_delete_ctx(&ctxt); |
| 111 | xfree(doid); | 145 | xfree(doid); |
| 146 | authctxt->server_caused_failure = 1; | ||
| 112 | return (0); | 147 | return (0); |
| 113 | } | 148 | } |
| 114 | 149 | ||
| @@ -292,6 +327,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | |||
| 292 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 327 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); |
| 293 | } | 328 | } |
| 294 | 329 | ||
| 330 | Authmethod method_gsskeyex = { | ||
| 331 | "gssapi-keyex", | ||
| 332 | userauth_gsskeyex, | ||
| 333 | &options.gss_authentication | ||
| 334 | }; | ||
| 335 | |||
| 295 | Authmethod method_gssapi = { | 336 | Authmethod method_gssapi = { |
| 296 | "gssapi-with-mic", | 337 | "gssapi-with-mic", |
| 297 | userauth_gssapi, | 338 | userauth_gssapi, |