Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 237 |
1 files changed, 86 insertions, 151 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index b3c437194..3f616af7d 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 06879e71614170580ffa7568ec5c009f60a9d084 Mon Sep 17 00:00:00 2001 | 1 | From 5d3dc7ea4c96cab9483d5389a3b04163771fdee2 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -31,7 +31,7 @@ Patch-Name: gssapi.patch | |||
31 | configure.ac | 24 ++++ | 31 | configure.ac | 24 ++++ |
32 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- | 32 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- |
33 | gss-serv-krb5.c | 85 ++++++++++++-- | 33 | gss-serv-krb5.c | 85 ++++++++++++-- |
34 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- | 34 | gss-serv.c | 185 +++++++++++++++++++++++++++--- |
35 | kex.c | 16 +++ | 35 | kex.c | 16 +++ |
36 | kex.h | 14 +++ | 36 | kex.h | 14 +++ |
37 | kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 37 | kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
@@ -42,18 +42,18 @@ Patch-Name: gssapi.patch | |||
42 | monitor_wrap.h | 4 +- | 42 | monitor_wrap.h | 4 +- |
43 | readconf.c | 42 +++++++ | 43 | readconf.c | 42 +++++++ |
44 | readconf.h | 5 + | 44 | readconf.h | 5 + |
45 | servconf.c | 38 ++++++- | 45 | servconf.c | 28 ++++- |
46 | servconf.h | 3 + | 46 | servconf.h | 2 + |
47 | ssh-gss.h | 41 ++++++- | 47 | ssh-gss.h | 41 ++++++- |
48 | ssh_config | 2 + | 48 | ssh_config | 2 + |
49 | ssh_config.5 | 34 +++++- | 49 | ssh_config.5 | 34 +++++- |
50 | sshconnect2.c | 124 +++++++++++++++++++- | 50 | sshconnect2.c | 124 +++++++++++++++++++- |
51 | sshd.c | 110 ++++++++++++++++++ | 51 | sshd.c | 110 ++++++++++++++++++ |
52 | sshd_config | 2 + | 52 | sshd_config | 2 + |
53 | sshd_config.5 | 28 +++++ | 53 | sshd_config.5 | 11 ++ |
54 | sshkey.c | 3 +- | 54 | sshkey.c | 3 +- |
55 | sshkey.h | 1 + | 55 | sshkey.h | 1 + |
56 | 32 files changed, 2005 insertions(+), 60 deletions(-) | 56 | 32 files changed, 1955 insertions(+), 46 deletions(-) |
57 | create mode 100644 ChangeLog.gssapi | 57 | create mode 100644 ChangeLog.gssapi |
58 | create mode 100644 kexgssc.c | 58 | create mode 100644 kexgssc.c |
59 | create mode 100644 kexgsss.c | 59 | create mode 100644 kexgsss.c |
@@ -359,7 +359,7 @@ index 7177962..3f49bdc 100644 | |||
359 | #endif | 359 | #endif |
360 | &method_passwd, | 360 | &method_passwd, |
361 | diff --git a/clientloop.c b/clientloop.c | 361 | diff --git a/clientloop.c b/clientloop.c |
362 | index a9c8a90..7df9413 100644 | 362 | index dc0e557..77d5498 100644 |
363 | --- a/clientloop.c | 363 | --- a/clientloop.c |
364 | +++ b/clientloop.c | 364 | +++ b/clientloop.c |
365 | @@ -114,6 +114,10 @@ | 365 | @@ -114,6 +114,10 @@ |
@@ -373,7 +373,7 @@ index a9c8a90..7df9413 100644 | |||
373 | /* import options */ | 373 | /* import options */ |
374 | extern Options options; | 374 | extern Options options; |
375 | 375 | ||
376 | @@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 376 | @@ -1609,6 +1613,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
377 | /* Do channel operations unless rekeying in progress. */ | 377 | /* Do channel operations unless rekeying in progress. */ |
378 | if (!rekeying) { | 378 | if (!rekeying) { |
379 | channel_after_select(readset, writeset); | 379 | channel_after_select(readset, writeset); |
@@ -414,10 +414,10 @@ index 7e7e38e..6c7de98 100644 | |||
414 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 414 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
415 | 415 | ||
416 | diff --git a/configure.ac b/configure.ac | 416 | diff --git a/configure.ac b/configure.ac |
417 | index b4d6598..216a9fd 100644 | 417 | index bb0095f..df21693 100644 |
418 | --- a/configure.ac | 418 | --- a/configure.ac |
419 | +++ b/configure.ac | 419 | +++ b/configure.ac |
420 | @@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 420 | @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
421 | [Use tunnel device compatibility to OpenBSD]) | 421 | [Use tunnel device compatibility to OpenBSD]) |
422 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 422 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
423 | [Prepend the address family to IP tunnel traffic]) | 423 | [Prepend the address family to IP tunnel traffic]) |
@@ -449,7 +449,7 @@ index b4d6598..216a9fd 100644 | |||
449 | AC_CHECK_DECL([AU_IPv4], [], | 449 | AC_CHECK_DECL([AU_IPv4], [], |
450 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 450 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
451 | diff --git a/gss-genr.c b/gss-genr.c | 451 | diff --git a/gss-genr.c b/gss-genr.c |
452 | index 60ac65f..5610f0b 100644 | 452 | index d617d60..b4eca3f 100644 |
453 | --- a/gss-genr.c | 453 | --- a/gss-genr.c |
454 | +++ b/gss-genr.c | 454 | +++ b/gss-genr.c |
455 | @@ -1,7 +1,7 @@ | 455 | @@ -1,7 +1,7 @@ |
@@ -461,7 +461,7 @@ index 60ac65f..5610f0b 100644 | |||
461 | * | 461 | * |
462 | * Redistribution and use in source and binary forms, with or without | 462 | * Redistribution and use in source and binary forms, with or without |
463 | * modification, are permitted provided that the following conditions | 463 | * modification, are permitted provided that the following conditions |
464 | @@ -40,12 +40,167 @@ | 464 | @@ -41,12 +41,167 @@ |
465 | #include "buffer.h" | 465 | #include "buffer.h" |
466 | #include "log.h" | 466 | #include "log.h" |
467 | #include "ssh2.h" | 467 | #include "ssh2.h" |
@@ -629,7 +629,7 @@ index 60ac65f..5610f0b 100644 | |||
629 | /* Check that the OID in a data stream matches that in the context */ | 629 | /* Check that the OID in a data stream matches that in the context */ |
630 | int | 630 | int |
631 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 631 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
632 | @@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, | 632 | @@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
633 | } | 633 | } |
634 | 634 | ||
635 | ctx->major = gss_init_sec_context(&ctx->minor, | 635 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -638,7 +638,7 @@ index 60ac65f..5610f0b 100644 | |||
638 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 638 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
639 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 639 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
640 | 640 | ||
641 | @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 641 | @@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
642 | } | 642 | } |
643 | 643 | ||
644 | OM_uint32 | 644 | OM_uint32 |
@@ -681,7 +681,7 @@ index 60ac65f..5610f0b 100644 | |||
681 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 681 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
682 | GSS_C_QOP_DEFAULT, buffer, hash))) | 682 | GSS_C_QOP_DEFAULT, buffer, hash))) |
683 | ssh_gssapi_error(ctx); | 683 | ssh_gssapi_error(ctx); |
684 | @@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 684 | @@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
685 | return (ctx->major); | 685 | return (ctx->major); |
686 | } | 686 | } |
687 | 687 | ||
@@ -701,7 +701,7 @@ index 60ac65f..5610f0b 100644 | |||
701 | void | 701 | void |
702 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 702 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
703 | const char *context) | 703 | const char *context) |
704 | @@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 704 | @@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
705 | } | 705 | } |
706 | 706 | ||
707 | int | 707 | int |
@@ -719,7 +719,7 @@ index 60ac65f..5610f0b 100644 | |||
719 | 719 | ||
720 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 720 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
721 | if (oid->length == spnego_oid.length && | 721 | if (oid->length == spnego_oid.length && |
722 | @@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 722 | @@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
723 | ssh_gssapi_build_ctx(ctx); | 723 | ssh_gssapi_build_ctx(ctx); |
724 | ssh_gssapi_set_oid(*ctx, oid); | 724 | ssh_gssapi_set_oid(*ctx, oid); |
725 | major = ssh_gssapi_import_name(*ctx, host); | 725 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -730,7 +730,7 @@ index 60ac65f..5610f0b 100644 | |||
730 | if (!GSS_ERROR(major)) { | 730 | if (!GSS_ERROR(major)) { |
731 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 731 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
732 | NULL); | 732 | NULL); |
733 | @@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 733 | @@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
734 | GSS_C_NO_BUFFER); | 734 | GSS_C_NO_BUFFER); |
735 | } | 735 | } |
736 | 736 | ||
@@ -925,11 +925,11 @@ index 795992d..fd8b371 100644 | |||
925 | 925 | ||
926 | #endif /* KRB5 */ | 926 | #endif /* KRB5 */ |
927 | diff --git a/gss-serv.c b/gss-serv.c | 927 | diff --git a/gss-serv.c b/gss-serv.c |
928 | index e7b8c52..539862d 100644 | 928 | index 53993d6..2f6baf7 100644 |
929 | --- a/gss-serv.c | 929 | --- a/gss-serv.c |
930 | +++ b/gss-serv.c | 930 | +++ b/gss-serv.c |
931 | @@ -1,7 +1,7 @@ | 931 | @@ -1,7 +1,7 @@ |
932 | /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ | 932 | /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */ |
933 | 933 | ||
934 | /* | 934 | /* |
935 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 935 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -937,11 +937,10 @@ index e7b8c52..539862d 100644 | |||
937 | * | 937 | * |
938 | * Redistribution and use in source and binary forms, with or without | 938 | * Redistribution and use in source and binary forms, with or without |
939 | * modification, are permitted provided that the following conditions | 939 | * modification, are permitted provided that the following conditions |
940 | @@ -44,15 +44,21 @@ | 940 | @@ -45,17 +45,22 @@ |
941 | #include "channels.h" | ||
942 | #include "session.h" | 941 | #include "session.h" |
943 | #include "misc.h" | 942 | #include "misc.h" |
944 | +#include "servconf.h" | 943 | #include "servconf.h" |
945 | +#include "uidswap.h" | 944 | +#include "uidswap.h" |
946 | 945 | ||
947 | #include "ssh-gss.h" | 946 | #include "ssh-gss.h" |
@@ -949,6 +948,8 @@ index e7b8c52..539862d 100644 | |||
949 | + | 948 | + |
950 | +extern ServerOptions options; | 949 | +extern ServerOptions options; |
951 | 950 | ||
951 | extern ServerOptions options; | ||
952 | |||
952 | static ssh_gssapi_client gssapi_client = | 953 | static ssh_gssapi_client gssapi_client = |
953 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, | 954 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
954 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; | 955 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; |
@@ -961,54 +962,7 @@ index e7b8c52..539862d 100644 | |||
961 | 962 | ||
962 | #ifdef KRB5 | 963 | #ifdef KRB5 |
963 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 964 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
964 | @@ -99,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 965 | @@ -142,6 +147,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
965 | char lname[NI_MAXHOST]; | ||
966 | gss_OID_set oidset; | ||
967 | |||
968 | - gss_create_empty_oid_set(&status, &oidset); | ||
969 | - gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
970 | + if (options.gss_strict_acceptor) { | ||
971 | + gss_create_empty_oid_set(&status, &oidset); | ||
972 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
973 | |||
974 | - if (gethostname(lname, sizeof(lname))) { | ||
975 | - gss_release_oid_set(&status, &oidset); | ||
976 | - return (-1); | ||
977 | - } | ||
978 | + if (gethostname(lname, sizeof(lname))) { | ||
979 | + gss_release_oid_set(&status, &oidset); | ||
980 | + return (-1); | ||
981 | + } | ||
982 | + | ||
983 | + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
984 | + gss_release_oid_set(&status, &oidset); | ||
985 | + return (ctx->major); | ||
986 | + } | ||
987 | + | ||
988 | + if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
989 | + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
990 | + NULL, NULL))) | ||
991 | + ssh_gssapi_error(ctx); | ||
992 | |||
993 | - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
994 | gss_release_oid_set(&status, &oidset); | ||
995 | return (ctx->major); | ||
996 | + } else { | ||
997 | + ctx->name = GSS_C_NO_NAME; | ||
998 | + ctx->creds = GSS_C_NO_CREDENTIAL; | ||
999 | } | ||
1000 | - | ||
1001 | - if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
1002 | - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
1003 | - ssh_gssapi_error(ctx); | ||
1004 | - | ||
1005 | - gss_release_oid_set(&status, &oidset); | ||
1006 | - return (ctx->major); | ||
1007 | + return GSS_S_COMPLETE; | ||
1008 | } | ||
1009 | |||
1010 | /* Privileged */ | ||
1011 | @@ -132,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | ||
1012 | } | 966 | } |
1013 | 967 | ||
1014 | /* Unprivileged */ | 968 | /* Unprivileged */ |
@@ -1038,7 +992,7 @@ index e7b8c52..539862d 100644 | |||
1038 | void | 992 | void |
1039 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 993 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1040 | { | 994 | { |
1041 | @@ -141,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | 995 | @@ -151,7 +179,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1042 | gss_OID_set supported; | 996 | gss_OID_set supported; |
1043 | 997 | ||
1044 | gss_create_empty_oid_set(&min_status, oidset); | 998 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1049,7 +1003,7 @@ index e7b8c52..539862d 100644 | |||
1049 | 1003 | ||
1050 | while (supported_mechs[i]->name != NULL) { | 1004 | while (supported_mechs[i]->name != NULL) { |
1051 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1005 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1052 | @@ -267,8 +305,48 @@ OM_uint32 | 1006 | @@ -277,8 +307,48 @@ OM_uint32 |
1053 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1007 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1054 | { | 1008 | { |
1055 | int i = 0; | 1009 | int i = 0; |
@@ -1074,8 +1028,7 @@ index e7b8c52..539862d 100644 | |||
1074 | + | 1028 | + |
1075 | + ctx->major = gss_compare_name(&ctx->minor, client->name, | 1029 | + ctx->major = gss_compare_name(&ctx->minor, client->name, |
1076 | + new_name, &equal); | 1030 | + new_name, &equal); |
1077 | 1031 | + | |
1078 | - gss_buffer_desc ename; | ||
1079 | + if (GSS_ERROR(ctx->major)) { | 1032 | + if (GSS_ERROR(ctx->major)) { |
1080 | + ssh_gssapi_error(ctx); | 1033 | + ssh_gssapi_error(ctx); |
1081 | + return (ctx->major); | 1034 | + return (ctx->major); |
@@ -1085,7 +1038,8 @@ index e7b8c52..539862d 100644 | |||
1085 | + debug("Rekeyed credentials have different name"); | 1038 | + debug("Rekeyed credentials have different name"); |
1086 | + return GSS_S_COMPLETE; | 1039 | + return GSS_S_COMPLETE; |
1087 | + } | 1040 | + } |
1088 | + | 1041 | |
1042 | - gss_buffer_desc ename; | ||
1089 | + debug("Marking rekeyed credentials for export"); | 1043 | + debug("Marking rekeyed credentials for export"); |
1090 | + | 1044 | + |
1091 | + gss_release_name(&ctx->minor, &client->name); | 1045 | + gss_release_name(&ctx->minor, &client->name); |
@@ -1099,7 +1053,7 @@ index e7b8c52..539862d 100644 | |||
1099 | 1053 | ||
1100 | client->mech = NULL; | 1054 | client->mech = NULL; |
1101 | 1055 | ||
1102 | @@ -283,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1056 | @@ -293,6 +363,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1103 | if (client->mech == NULL) | 1057 | if (client->mech == NULL) |
1104 | return GSS_S_FAILURE; | 1058 | return GSS_S_FAILURE; |
1105 | 1059 | ||
@@ -1113,7 +1067,7 @@ index e7b8c52..539862d 100644 | |||
1113 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1067 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1114 | &client->displayname, NULL))) { | 1068 | &client->displayname, NULL))) { |
1115 | ssh_gssapi_error(ctx); | 1069 | ssh_gssapi_error(ctx); |
1116 | @@ -300,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1070 | @@ -310,6 +387,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1117 | return (ctx->major); | 1071 | return (ctx->major); |
1118 | } | 1072 | } |
1119 | 1073 | ||
@@ -1122,7 +1076,7 @@ index e7b8c52..539862d 100644 | |||
1122 | /* We can't copy this structure, so we just move the pointer to it */ | 1076 | /* We can't copy this structure, so we just move the pointer to it */ |
1123 | client->creds = ctx->client_creds; | 1077 | client->creds = ctx->client_creds; |
1124 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1078 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1125 | @@ -347,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) | 1079 | @@ -357,7 +436,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
1126 | 1080 | ||
1127 | /* Privileged */ | 1081 | /* Privileged */ |
1128 | int | 1082 | int |
@@ -1131,7 +1085,7 @@ index e7b8c52..539862d 100644 | |||
1131 | { | 1085 | { |
1132 | OM_uint32 lmin; | 1086 | OM_uint32 lmin; |
1133 | 1087 | ||
1134 | @@ -357,9 +444,11 @@ ssh_gssapi_userok(char *user) | 1088 | @@ -367,9 +446,11 @@ ssh_gssapi_userok(char *user) |
1135 | return 0; | 1089 | return 0; |
1136 | } | 1090 | } |
1137 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1091 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1145,7 +1099,7 @@ index e7b8c52..539862d 100644 | |||
1145 | /* Destroy delegated credentials if userok fails */ | 1099 | /* Destroy delegated credentials if userok fails */ |
1146 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1100 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1147 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1101 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1148 | @@ -373,14 +462,90 @@ ssh_gssapi_userok(char *user) | 1102 | @@ -383,14 +464,90 @@ ssh_gssapi_userok(char *user) |
1149 | return (0); | 1103 | return (0); |
1150 | } | 1104 | } |
1151 | 1105 | ||
@@ -1243,7 +1197,7 @@ index e7b8c52..539862d 100644 | |||
1243 | 1197 | ||
1244 | #endif | 1198 | #endif |
1245 | diff --git a/kex.c b/kex.c | 1199 | diff --git a/kex.c b/kex.c |
1246 | index 8c2b001..be938ad 100644 | 1200 | index dbc55ef..4d8e6f5 100644 |
1247 | --- a/kex.c | 1201 | --- a/kex.c |
1248 | +++ b/kex.c | 1202 | +++ b/kex.c |
1249 | @@ -55,6 +55,10 @@ | 1203 | @@ -55,6 +55,10 @@ |
@@ -1966,7 +1920,7 @@ index 0000000..0847469 | |||
1966 | +} | 1920 | +} |
1967 | +#endif /* GSSAPI */ | 1921 | +#endif /* GSSAPI */ |
1968 | diff --git a/monitor.c b/monitor.c | 1922 | diff --git a/monitor.c b/monitor.c |
1969 | index bab6ce8..a2027e5 100644 | 1923 | index b410965..bdc2972 100644 |
1970 | --- a/monitor.c | 1924 | --- a/monitor.c |
1971 | +++ b/monitor.c | 1925 | +++ b/monitor.c |
1972 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 1926 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
@@ -2019,7 +1973,7 @@ index bab6ce8..a2027e5 100644 | |||
2019 | } else { | 1973 | } else { |
2020 | mon_dispatch = mon_dispatch_postauth15; | 1974 | mon_dispatch = mon_dispatch_postauth15; |
2021 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 1975 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2022 | @@ -1860,6 +1877,13 @@ monitor_apply_keystate(struct monitor *pmonitor) | 1976 | @@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2023 | # endif | 1977 | # endif |
2024 | #endif /* WITH_OPENSSL */ | 1978 | #endif /* WITH_OPENSSL */ |
2025 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 1979 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2033,7 +1987,7 @@ index bab6ce8..a2027e5 100644 | |||
2033 | kex->load_host_public_key=&get_hostkey_public_by_type; | 1987 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2034 | kex->load_host_private_key=&get_hostkey_private_by_type; | 1988 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2035 | kex->host_key_index=&get_hostkey_index; | 1989 | kex->host_key_index=&get_hostkey_index; |
2036 | @@ -1959,6 +1983,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 1990 | @@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2037 | OM_uint32 major; | 1991 | OM_uint32 major; |
2038 | u_int len; | 1992 | u_int len; |
2039 | 1993 | ||
@@ -2043,7 +1997,7 @@ index bab6ce8..a2027e5 100644 | |||
2043 | goid.elements = buffer_get_string(m, &len); | 1997 | goid.elements = buffer_get_string(m, &len); |
2044 | goid.length = len; | 1998 | goid.length = len; |
2045 | 1999 | ||
2046 | @@ -1986,6 +2013,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2000 | @@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2047 | OM_uint32 flags = 0; /* GSI needs this */ | 2001 | OM_uint32 flags = 0; /* GSI needs this */ |
2048 | u_int len; | 2002 | u_int len; |
2049 | 2003 | ||
@@ -2053,7 +2007,7 @@ index bab6ce8..a2027e5 100644 | |||
2053 | in.value = buffer_get_string(m, &len); | 2007 | in.value = buffer_get_string(m, &len); |
2054 | in.length = len; | 2008 | in.length = len; |
2055 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2009 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2056 | @@ -2003,6 +2033,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2010 | @@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2057 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2011 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2058 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2012 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2059 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2013 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2061,7 +2015,7 @@ index bab6ce8..a2027e5 100644 | |||
2061 | } | 2015 | } |
2062 | return (0); | 2016 | return (0); |
2063 | } | 2017 | } |
2064 | @@ -2014,6 +2045,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2018 | @@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2065 | OM_uint32 ret; | 2019 | OM_uint32 ret; |
2066 | u_int len; | 2020 | u_int len; |
2067 | 2021 | ||
@@ -2071,7 +2025,7 @@ index bab6ce8..a2027e5 100644 | |||
2071 | gssbuf.value = buffer_get_string(m, &len); | 2025 | gssbuf.value = buffer_get_string(m, &len); |
2072 | gssbuf.length = len; | 2026 | gssbuf.length = len; |
2073 | mic.value = buffer_get_string(m, &len); | 2027 | mic.value = buffer_get_string(m, &len); |
2074 | @@ -2040,7 +2074,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2028 | @@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2075 | { | 2029 | { |
2076 | int authenticated; | 2030 | int authenticated; |
2077 | 2031 | ||
@@ -2084,7 +2038,7 @@ index bab6ce8..a2027e5 100644 | |||
2084 | 2038 | ||
2085 | buffer_clear(m); | 2039 | buffer_clear(m); |
2086 | buffer_put_int(m, authenticated); | 2040 | buffer_put_int(m, authenticated); |
2087 | @@ -2053,5 +2091,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2041 | @@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2088 | /* Monitor loop will terminate if authenticated */ | 2042 | /* Monitor loop will terminate if authenticated */ |
2089 | return (authenticated); | 2043 | return (authenticated); |
2090 | } | 2044 | } |
@@ -2173,10 +2127,10 @@ index 93b8b66..bc50ade 100644 | |||
2173 | 2127 | ||
2174 | struct mm_master; | 2128 | struct mm_master; |
2175 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2129 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2176 | index b379f05..b667218 100644 | 2130 | index e6217b3..71e7c08 100644 |
2177 | --- a/monitor_wrap.c | 2131 | --- a/monitor_wrap.c |
2178 | +++ b/monitor_wrap.c | 2132 | +++ b/monitor_wrap.c |
2179 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2133 | @@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2180 | } | 2134 | } |
2181 | 2135 | ||
2182 | int | 2136 | int |
@@ -2185,7 +2139,7 @@ index b379f05..b667218 100644 | |||
2185 | { | 2139 | { |
2186 | Buffer m; | 2140 | Buffer m; |
2187 | int authenticated = 0; | 2141 | int authenticated = 0; |
2188 | @@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user) | 2142 | @@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user) |
2189 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2143 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2190 | return (authenticated); | 2144 | return (authenticated); |
2191 | } | 2145 | } |
@@ -2237,7 +2191,7 @@ index b379f05..b667218 100644 | |||
2237 | #endif /* GSSAPI */ | 2191 | #endif /* GSSAPI */ |
2238 | 2192 | ||
2239 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2193 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2240 | index e18784a..0c770e8 100644 | 2194 | index de4a08f..9758290 100644 |
2241 | --- a/monitor_wrap.h | 2195 | --- a/monitor_wrap.h |
2242 | +++ b/monitor_wrap.h | 2196 | +++ b/monitor_wrap.h |
2243 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 2197 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
@@ -2253,7 +2207,7 @@ index e18784a..0c770e8 100644 | |||
2253 | 2207 | ||
2254 | #ifdef USE_PAM | 2208 | #ifdef USE_PAM |
2255 | diff --git a/readconf.c b/readconf.c | 2209 | diff --git a/readconf.c b/readconf.c |
2256 | index 42a2961..254dbce 100644 | 2210 | index db7d0bb..68dac76 100644 |
2257 | --- a/readconf.c | 2211 | --- a/readconf.c |
2258 | +++ b/readconf.c | 2212 | +++ b/readconf.c |
2259 | @@ -147,6 +147,8 @@ typedef enum { | 2213 | @@ -147,6 +147,8 @@ typedef enum { |
@@ -2362,21 +2316,21 @@ index 576b9e3..ef39c4c 100644 | |||
2362 | * authentication. */ | 2316 | * authentication. */ |
2363 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2317 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2364 | diff --git a/servconf.c b/servconf.c | 2318 | diff --git a/servconf.c b/servconf.c |
2365 | index 3185462..f68c0d0 100644 | 2319 | index df93fc4..2f7f41e 100644 |
2366 | --- a/servconf.c | 2320 | --- a/servconf.c |
2367 | +++ b/servconf.c | 2321 | +++ b/servconf.c |
2368 | @@ -114,7 +114,10 @@ initialize_server_options(ServerOptions *options) | 2322 | @@ -115,8 +115,10 @@ initialize_server_options(ServerOptions *options) |
2369 | options->kerberos_ticket_cleanup = -1; | 2323 | options->kerberos_ticket_cleanup = -1; |
2370 | options->kerberos_get_afs_token = -1; | 2324 | options->kerberos_get_afs_token = -1; |
2371 | options->gss_authentication=-1; | 2325 | options->gss_authentication=-1; |
2372 | + options->gss_keyex = -1; | 2326 | + options->gss_keyex = -1; |
2373 | options->gss_cleanup_creds = -1; | 2327 | options->gss_cleanup_creds = -1; |
2374 | + options->gss_strict_acceptor = -1; | 2328 | options->gss_strict_acceptor = -1; |
2375 | + options->gss_store_rekey = -1; | 2329 | + options->gss_store_rekey = -1; |
2376 | options->password_authentication = -1; | 2330 | options->password_authentication = -1; |
2377 | options->kbd_interactive_authentication = -1; | 2331 | options->kbd_interactive_authentication = -1; |
2378 | options->challenge_response_authentication = -1; | 2332 | options->challenge_response_authentication = -1; |
2379 | @@ -269,8 +272,14 @@ fill_default_server_options(ServerOptions *options) | 2333 | @@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options) |
2380 | options->kerberos_get_afs_token = 0; | 2334 | options->kerberos_get_afs_token = 0; |
2381 | if (options->gss_authentication == -1) | 2335 | if (options->gss_authentication == -1) |
2382 | options->gss_authentication = 0; | 2336 | options->gss_authentication = 0; |
@@ -2384,37 +2338,35 @@ index 3185462..f68c0d0 100644 | |||
2384 | + options->gss_keyex = 0; | 2338 | + options->gss_keyex = 0; |
2385 | if (options->gss_cleanup_creds == -1) | 2339 | if (options->gss_cleanup_creds == -1) |
2386 | options->gss_cleanup_creds = 1; | 2340 | options->gss_cleanup_creds = 1; |
2387 | + if (options->gss_strict_acceptor == -1) | 2341 | if (options->gss_strict_acceptor == -1) |
2342 | - options->gss_strict_acceptor = 0; | ||
2388 | + options->gss_strict_acceptor = 1; | 2343 | + options->gss_strict_acceptor = 1; |
2389 | + if (options->gss_store_rekey == -1) | 2344 | + if (options->gss_store_rekey == -1) |
2390 | + options->gss_store_rekey = 0; | 2345 | + options->gss_store_rekey = 0; |
2391 | if (options->password_authentication == -1) | 2346 | if (options->password_authentication == -1) |
2392 | options->password_authentication = 1; | 2347 | options->password_authentication = 1; |
2393 | if (options->kbd_interactive_authentication == -1) | 2348 | if (options->kbd_interactive_authentication == -1) |
2394 | @@ -391,7 +400,9 @@ typedef enum { | 2349 | @@ -401,6 +407,7 @@ typedef enum { |
2395 | sBanner, sUseDNS, sHostbasedAuthentication, | ||
2396 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, | 2350 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
2397 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 2351 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2398 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 2352 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
2399 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | ||
2400 | + sGssKeyEx, sGssStoreRekey, | 2353 | + sGssKeyEx, sGssStoreRekey, |
2401 | + sAcceptEnv, sPermitTunnel, | 2354 | sAcceptEnv, sPermitTunnel, |
2402 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2355 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2403 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2356 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2404 | sHostCertificate, | 2357 | @@ -473,12 +480,20 @@ static struct { |
2405 | @@ -462,10 +473,20 @@ static struct { | ||
2406 | #ifdef GSSAPI | 2358 | #ifdef GSSAPI |
2407 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2359 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2408 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2360 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
2409 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2361 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, |
2410 | + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | 2362 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
2411 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | 2363 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, |
2412 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | 2364 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, |
2413 | #else | 2365 | #else |
2414 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | 2366 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
2415 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | 2367 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
2416 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | 2368 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, |
2417 | + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | 2369 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
2418 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | 2370 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, |
2419 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | 2371 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, |
2420 | #endif | 2372 | #endif |
@@ -2423,7 +2375,7 @@ index 3185462..f68c0d0 100644 | |||
2423 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2375 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2424 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2376 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2425 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2377 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2426 | @@ -1166,10 +1187,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2378 | @@ -1214,6 +1229,10 @@ process_server_config_line(ServerOptions *options, char *line, |
2427 | intptr = &options->gss_authentication; | 2379 | intptr = &options->gss_authentication; |
2428 | goto parse_flag; | 2380 | goto parse_flag; |
2429 | 2381 | ||
@@ -2434,11 +2386,10 @@ index 3185462..f68c0d0 100644 | |||
2434 | case sGssCleanupCreds: | 2386 | case sGssCleanupCreds: |
2435 | intptr = &options->gss_cleanup_creds; | 2387 | intptr = &options->gss_cleanup_creds; |
2436 | goto parse_flag; | 2388 | goto parse_flag; |
2389 | @@ -1222,6 +1241,10 @@ process_server_config_line(ServerOptions *options, char *line, | ||
2390 | intptr = &options->gss_strict_acceptor; | ||
2391 | goto parse_flag; | ||
2437 | 2392 | ||
2438 | + case sGssStrictAcceptor: | ||
2439 | + intptr = &options->gss_strict_acceptor; | ||
2440 | + goto parse_flag; | ||
2441 | + | ||
2442 | + case sGssStoreRekey: | 2393 | + case sGssStoreRekey: |
2443 | + intptr = &options->gss_store_rekey; | 2394 | + intptr = &options->gss_store_rekey; |
2444 | + goto parse_flag; | 2395 | + goto parse_flag; |
@@ -2446,7 +2397,7 @@ index 3185462..f68c0d0 100644 | |||
2446 | case sPasswordAuthentication: | 2397 | case sPasswordAuthentication: |
2447 | intptr = &options->password_authentication; | 2398 | intptr = &options->password_authentication; |
2448 | goto parse_flag; | 2399 | goto parse_flag; |
2449 | @@ -2125,7 +2158,10 @@ dump_config(ServerOptions *o) | 2400 | @@ -2229,7 +2252,10 @@ dump_config(ServerOptions *o) |
2450 | #endif | 2401 | #endif |
2451 | #ifdef GSSAPI | 2402 | #ifdef GSSAPI |
2452 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2403 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2458,16 +2409,16 @@ index 3185462..f68c0d0 100644 | |||
2458 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2409 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2459 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2410 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2460 | diff --git a/servconf.h b/servconf.h | 2411 | diff --git a/servconf.h b/servconf.h |
2461 | index 9922f0c..d2ed4d7 100644 | 2412 | index 606d80c..b99b270 100644 |
2462 | --- a/servconf.h | 2413 | --- a/servconf.h |
2463 | +++ b/servconf.h | 2414 | +++ b/servconf.h |
2464 | @@ -115,7 +115,10 @@ typedef struct { | 2415 | @@ -117,8 +117,10 @@ typedef struct { |
2465 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2416 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2466 | * authenticated with Kerberos. */ | 2417 | * authenticated with Kerberos. */ |
2467 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2418 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
2468 | + int gss_keyex; /* If true, permit GSSAPI key exchange */ | 2419 | + int gss_keyex; /* If true, permit GSSAPI key exchange */ |
2469 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ | 2420 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
2470 | + int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ | 2421 | int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ |
2471 | + int gss_store_rekey; | 2422 | + int gss_store_rekey; |
2472 | int password_authentication; /* If true, permit password | 2423 | int password_authentication; /* If true, permit password |
2473 | * authentication. */ | 2424 | * authentication. */ |
@@ -2589,10 +2540,10 @@ index 03a228f..228e5ab 100644 | |||
2589 | # CheckHostIP yes | 2540 | # CheckHostIP yes |
2590 | # AddressFamily any | 2541 | # AddressFamily any |
2591 | diff --git a/ssh_config.5 b/ssh_config.5 | 2542 | diff --git a/ssh_config.5 b/ssh_config.5 |
2592 | index 140d0ba..4476171 100644 | 2543 | index 268a627..b840261 100644 |
2593 | --- a/ssh_config.5 | 2544 | --- a/ssh_config.5 |
2594 | +++ b/ssh_config.5 | 2545 | +++ b/ssh_config.5 |
2595 | @@ -743,11 +743,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2546 | @@ -744,11 +744,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2596 | The default is | 2547 | The default is |
2597 | .Dq no . | 2548 | .Dq no . |
2598 | Note that this option applies to protocol version 2 only. | 2549 | Note that this option applies to protocol version 2 only. |
@@ -2638,7 +2589,7 @@ index 140d0ba..4476171 100644 | |||
2638 | Indicates that | 2589 | Indicates that |
2639 | .Xr ssh 1 | 2590 | .Xr ssh 1 |
2640 | diff --git a/sshconnect2.c b/sshconnect2.c | 2591 | diff --git a/sshconnect2.c b/sshconnect2.c |
2641 | index ba56f64..faa8ec5 100644 | 2592 | index fcaed6b..44c89e6 100644 |
2642 | --- a/sshconnect2.c | 2593 | --- a/sshconnect2.c |
2643 | +++ b/sshconnect2.c | 2594 | +++ b/sshconnect2.c |
2644 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2595 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
@@ -2840,7 +2791,7 @@ index ba56f64..faa8ec5 100644 | |||
2840 | 2791 | ||
2841 | int | 2792 | int |
2842 | diff --git a/sshd.c b/sshd.c | 2793 | diff --git a/sshd.c b/sshd.c |
2843 | index e1c767c..cf38bae 100644 | 2794 | index 6f8c6f2..6b85e6c 100644 |
2844 | --- a/sshd.c | 2795 | --- a/sshd.c |
2845 | +++ b/sshd.c | 2796 | +++ b/sshd.c |
2846 | @@ -125,6 +125,10 @@ | 2797 | @@ -125,6 +125,10 @@ |
@@ -2854,7 +2805,7 @@ index e1c767c..cf38bae 100644 | |||
2854 | #ifndef O_NOCTTY | 2805 | #ifndef O_NOCTTY |
2855 | #define O_NOCTTY 0 | 2806 | #define O_NOCTTY 0 |
2856 | #endif | 2807 | #endif |
2857 | @@ -1815,10 +1819,13 @@ main(int ac, char **av) | 2808 | @@ -1823,10 +1827,13 @@ main(int ac, char **av) |
2858 | logit("Disabling protocol version 1. Could not load host key"); | 2809 | logit("Disabling protocol version 1. Could not load host key"); |
2859 | options.protocol &= ~SSH_PROTO_1; | 2810 | options.protocol &= ~SSH_PROTO_1; |
2860 | } | 2811 | } |
@@ -2868,9 +2819,9 @@ index e1c767c..cf38bae 100644 | |||
2868 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2819 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2869 | logit("sshd: no hostkeys available -- exiting."); | 2820 | logit("sshd: no hostkeys available -- exiting."); |
2870 | exit(1); | 2821 | exit(1); |
2871 | @@ -2132,6 +2139,60 @@ main(int ac, char **av) | 2822 | @@ -2141,6 +2148,60 @@ main(int ac, char **av) |
2872 | remote_ip, remote_port, | 2823 | remote_ip, remote_port, laddr, get_local_port()); |
2873 | get_local_ipaddr(sock_in), get_local_port()); | 2824 | free(laddr); |
2874 | 2825 | ||
2875 | +#ifdef USE_SECURITY_SESSION_API | 2826 | +#ifdef USE_SECURITY_SESSION_API |
2876 | + /* | 2827 | + /* |
@@ -2929,7 +2880,7 @@ index e1c767c..cf38bae 100644 | |||
2929 | /* | 2880 | /* |
2930 | * We don't want to listen forever unless the other side | 2881 | * We don't want to listen forever unless the other side |
2931 | * successfully authenticates itself. So we set up an alarm which is | 2882 | * successfully authenticates itself. So we set up an alarm which is |
2932 | @@ -2561,6 +2622,48 @@ do_ssh2_kex(void) | 2883 | @@ -2570,6 +2631,48 @@ do_ssh2_kex(void) |
2933 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2884 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
2934 | list_hostkey_types()); | 2885 | list_hostkey_types()); |
2935 | 2886 | ||
@@ -2978,7 +2929,7 @@ index e1c767c..cf38bae 100644 | |||
2978 | /* start key exchange */ | 2929 | /* start key exchange */ |
2979 | if ((r = kex_setup(active_state, myproposal)) != 0) | 2930 | if ((r = kex_setup(active_state, myproposal)) != 0) |
2980 | fatal("kex_setup: %s", ssh_err(r)); | 2931 | fatal("kex_setup: %s", ssh_err(r)); |
2981 | @@ -2575,6 +2678,13 @@ do_ssh2_kex(void) | 2932 | @@ -2584,6 +2687,13 @@ do_ssh2_kex(void) |
2982 | # endif | 2933 | # endif |
2983 | #endif | 2934 | #endif |
2984 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2935 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
@@ -2993,7 +2944,7 @@ index e1c767c..cf38bae 100644 | |||
2993 | kex->client_version_string=client_version_string; | 2944 | kex->client_version_string=client_version_string; |
2994 | kex->server_version_string=server_version_string; | 2945 | kex->server_version_string=server_version_string; |
2995 | diff --git a/sshd_config b/sshd_config | 2946 | diff --git a/sshd_config b/sshd_config |
2996 | index c9042ac..a71ad19 100644 | 2947 | index cf7d8e1..1dfd0f1 100644 |
2997 | --- a/sshd_config | 2948 | --- a/sshd_config |
2998 | +++ b/sshd_config | 2949 | +++ b/sshd_config |
2999 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 2950 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
@@ -3006,10 +2957,10 @@ index c9042ac..a71ad19 100644 | |||
3006 | # Set this to 'yes' to enable PAM authentication, account processing, | 2957 | # Set this to 'yes' to enable PAM authentication, account processing, |
3007 | # and session processing. If this is enabled, PAM authentication will | 2958 | # and session processing. If this is enabled, PAM authentication will |
3008 | diff --git a/sshd_config.5 b/sshd_config.5 | 2959 | diff --git a/sshd_config.5 b/sshd_config.5 |
3009 | index 6dce0c7..0331496 100644 | 2960 | index 5ab4318..68424f1 100644 |
3010 | --- a/sshd_config.5 | 2961 | --- a/sshd_config.5 |
3011 | +++ b/sshd_config.5 | 2962 | +++ b/sshd_config.5 |
3012 | @@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2963 | @@ -616,6 +616,12 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3013 | The default is | 2964 | The default is |
3014 | .Dq no . | 2965 | .Dq no . |
3015 | Note that this option applies to protocol version 2 only. | 2966 | Note that this option applies to protocol version 2 only. |
@@ -3022,26 +2973,10 @@ index 6dce0c7..0331496 100644 | |||
3022 | .It Cm GSSAPICleanupCredentials | 2973 | .It Cm GSSAPICleanupCredentials |
3023 | Specifies whether to automatically destroy the user's credentials cache | 2974 | Specifies whether to automatically destroy the user's credentials cache |
3024 | on logout. | 2975 | on logout. |
2976 | @@ -637,6 +643,11 @@ machine's default store. | ||
2977 | This facility is provided to assist with operation on multi homed machines. | ||
3025 | The default is | 2978 | The default is |
3026 | .Dq yes . | 2979 | .Dq yes . |
3027 | Note that this option applies to protocol version 2 only. | ||
3028 | +.It Cm GSSAPIStrictAcceptorCheck | ||
3029 | +Determines whether to be strict about the identity of the GSSAPI acceptor | ||
3030 | +a client authenticates against. If | ||
3031 | +.Dq yes | ||
3032 | +then the client must authenticate against the | ||
3033 | +.Pa host | ||
3034 | +service on the current hostname. If | ||
3035 | +.Dq no | ||
3036 | +then the client may authenticate against any service key stored in the | ||
3037 | +machine's default store. This facility is provided to assist with operation | ||
3038 | +on multi homed machines. | ||
3039 | +The default is | ||
3040 | +.Dq yes . | ||
3041 | +Note that this option applies only to protocol version 2 GSSAPI connections, | ||
3042 | +and setting it to | ||
3043 | +.Dq no | ||
3044 | +may only work with recent Kerberos GSSAPI libraries. | ||
3045 | +.It Cm GSSAPIStoreCredentialsOnRekey | 2980 | +.It Cm GSSAPIStoreCredentialsOnRekey |
3046 | +Controls whether the user's GSSAPI credentials should be updated following a | 2981 | +Controls whether the user's GSSAPI credentials should be updated following a |
3047 | +successful connection rekeying. This option can be used to accepted renewed | 2982 | +successful connection rekeying. This option can be used to accepted renewed |
@@ -3051,7 +2986,7 @@ index 6dce0c7..0331496 100644 | |||
3051 | Specifies the key types that will be accepted for hostbased authentication | 2986 | Specifies the key types that will be accepted for hostbased authentication |
3052 | as a comma-separated pattern list. | 2987 | as a comma-separated pattern list. |
3053 | diff --git a/sshkey.c b/sshkey.c | 2988 | diff --git a/sshkey.c b/sshkey.c |
3054 | index 4768790..cd5992e 100644 | 2989 | index cfe5980..2c87d80 100644 |
3055 | --- a/sshkey.c | 2990 | --- a/sshkey.c |
3056 | +++ b/sshkey.c | 2991 | +++ b/sshkey.c |
3057 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { | 2992 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { |
@@ -3072,7 +3007,7 @@ index 4768790..cd5992e 100644 | |||
3072 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3007 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3073 | continue; | 3008 | continue; |
3074 | diff --git a/sshkey.h b/sshkey.h | 3009 | diff --git a/sshkey.h b/sshkey.h |
3075 | index 62c1c3e..9314e85 100644 | 3010 | index cdac0e2..b010b8e 100644 |
3076 | --- a/sshkey.h | 3011 | --- a/sshkey.h |
3077 | +++ b/sshkey.h | 3012 | +++ b/sshkey.h |
3078 | @@ -64,6 +64,7 @@ enum sshkey_types { | 3013 | @@ -64,6 +64,7 @@ enum sshkey_types { |