Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 92 |
1 files changed, 90 insertions, 2 deletions
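--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.46 2003/08/22 10:56:09 markus Exp $");
 
 #include <openssl/dh.h>
 
@@ -59,6 +59,11 @@ RCSID("$OpenBSD: monitor.c,v 1.45 2003/07/22 13:35:22 markus Exp $");
 #include "ssh2.h"
 #include "mpaux.h"
 
+#ifdef GSSAPI
+#include "ssh-gss.h"
+static Gssctxt *gsscontext = NULL;
+#endif
+
 /* Imports */
 extern ServerOptions options;
 extern u_int utmp_len;
@@ -128,6 +133,11 @@ int mm_answer_pam_free_ctx(int, Buffer *);
 #ifdef KRB5
 int mm_answer_krb5(int, Buffer *);
 #endif
+#ifdef GSSAPI
+int mm_answer_gss_setup_ctx(int, Buffer *);
+int mm_answer_gss_accept_ctx(int, Buffer *);
+int mm_answer_gss_userok(int, Buffer *);
+#endif
 
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -185,6 +195,11 @@ struct mon_table mon_dispatch_proto20[] = {
 #ifdef KRB5
 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+#endif
 {0, 0, NULL}
 };
 
@@ -357,7 +372,6 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1769,3 +1783,77 @@ monitor_reinit(struct monitor *mon)
 mon->m_recvfd = pair[0];
 mon->m_sendfd = pair[1];
 }
+
+#ifdef GSSAPI
+int
+mm_answer_gss_setup_ctx(int socket, Buffer *m)
+{
+gss_OID_desc oid;
+OM_uint32 major;
+u_int len;
+
+oid.elements = buffer_get_string(m, &len);
+oid.length = len;
+
+major = ssh_gssapi_server_ctx(&gsscontext, &oid);
+
+xfree(oid.elements);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+
+mm_request_send(socket,MONITOR_ANS_GSSSETUP, m);
+
+/* Now we have a context, enable the step */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
+
+return (0);
+}
+
+int
+mm_answer_gss_accept_ctx(int socket, Buffer *m)
+{
+gss_buffer_desc in;
+gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
+OM_uint32 major,minor;
+OM_uint32 flags = 0; /* GSI needs this */
+
+in.value = buffer_get_string(m, &in.length);
+major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
+xfree(in.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, out.value, out.length);
+buffer_put_int(m, flags);
+mm_request_send(socket, MONITOR_ANS_GSSSTEP, m);
+
+gss_release_buffer(&minor, &out);
+
+/* Complete - now we can do signing */
+if (major==GSS_S_COMPLETE) {
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+}
+return (0);
+}
+
+int
+mm_answer_gss_userok(int socket, Buffer *m)
+{
+int authenticated;
+
+authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+
+buffer_clear(m);
+buffer_put_int(m, authenticated);
+
+debug3("%s: sending result %d", __func__, authenticated);
+mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
+
+auth_method="gssapi";
+
+/* Monitor loop will terminate if authenticated */
+return (authenticated);
+}
+#endif /* GSSAPI */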
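Review bot: In mm_answer_gss_accept_ctx, `in.value = buffer_get_string(m, &in.length);` passes the address of the gss_buffer_desc `length` member (a size_t in the GSS-API headers) where buffer_get_string takes a `u_int *`, as the `u_int len` temporary used in mm_answer_gss_setup_ctx in the same hunk shows; on LP64 builds only four of the eight bytes are written and the rest is whatever was on the stack, so the token length handed to ssh_gssapi_accept_ctx can be garbage and the token over-read by the privileged monitor. Mirror the setup handler instead: `u_int len;` … `in.value = buffer_get_string(m, &len); in.length = len;`. Separately, none of the three handlers checks that the administrator actually enabled the method — the dispatch entries earlier in the diff are registered unconditionally under `#ifdef GSSAPI` — so a compromised unprivileged child can drive the privileged GSS context and the userok decision even when GSSAPI authentication is switched off in sshd_config; if ServerOptions carries that flag (presumably `options.gss_authentication`, matching whatever the child side checks), each handler should open with `if (!options.gss_authentication) fatal("%s: GSSAPI authentication not enabled", __func__);`. Note also that MONITOR_REQ_GSSSETUP is registered with MON_ISAUTH but not MON_ONCE, so the child may re-issue setup and replace gsscontext at will; whether ssh_gssapi_server_ctx releases a previous context cannot be seen from here and is worth confirming.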