Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 108 |
1 files changed, 107 insertions, 1 deletions
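--- a/monitor.c
+++ b/monitor.c
@@ -180,6 +180,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -252,6 +254,7 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -264,6 +267,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -372,6 +381,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_proto15;
 
@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1836,6 +1853,13 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI
+if (options.gss_keyex) {
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+}
+#endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
@@ -2042,6 +2066,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 OM_uint32 major;
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 goid.elements = buffer_get_string(m, &len);
 goid.length = len;
 
@@ -2069,6 +2096,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 OM_uint32 flags = 0; /* GSI needs this */
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 in.value = buffer_get_string(m, &len);
 in.length = len;
 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2086,6 +2116,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -2097,6 +2128,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 OM_uint32 ret;
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 gssbuf.value = buffer_get_string(m, &len);
 gssbuf.length = len;
 mic.value = buffer_get_string(m, &len);
@@ -2123,7 +2157,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
 int authenticated;
 
-authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+authenticated = authctxt->valid &&
+ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
 buffer_clear(m);
 buffer_put_int(m, authenticated);
@@ -2136,6 +2174,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data;
+gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+u_int len;
+
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+data.value = buffer_get_string(m, &len);
+data.length = len;
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__,
+(int) data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+xfree(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+/* And credential updating, for when rekeying */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ssh_gssapi_ccache store;
+int ok;
+
+store.filename = buffer_get_string(m, NULL);
+store.envvar = buffer_get_string(m, NULL);
+store.envval = buffer_get_string(m, NULL);
+
+ok = ssh_gssapi_update_creds(&store);
+
+xfree(store.filename);
+xfree(store.envvar);
+xfree(store.envval);
+
+buffer_clear(m);
+buffer_put_int(m, ok);
+
+mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+return(0);
+}
+
 #endif /* GSSAPI */
 
 #ifdef JPAKE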
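Review bot: mm_answer_gss_updatecreds is the only GSSAPI handler added here that lacks the `if (!options.gss_authentication && !options.gss_keyex)` / `fatal("In GSSAPI monitor when GSSAPI is disabled");` guard that opens mm_answer_gss_setup_ctx, mm_answer_gss_accept_ctx, mm_answer_gss_checkmic, mm_answer_gss_userok and mm_answer_gss_sign in the earlier hunks; add the same two lines before the three buffer_get_string calls so the handler family stays consistent. That handler takes a credential-cache filename and an environment name/value from the unprivileged child and passes them to ssh_gssapi_update_creds inside the privileged monitor, and its only gate in this diff is the monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1) set at the end of mm_answer_gss_sign, so the explicit check is cheap and records the assumption. In mm_answer_gss_sign, `if (data.length != 20)` should compare against a named constant for the expected hash length rather than a bare 20, and the fatal message would be more useful if it stated the expected size alongside the received one. What ssh_gssapi_update_creds does with the supplied filename is outside this hunk, so whether further validation belongs there rather than here cannot be judged from this diff.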