Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 108 |
1 files changed, 107 insertions, 1 deletions
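--- a/monitor.c
+++ b/monitor.c
@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_proto15;
 
@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI
+if (options.gss_keyex) {
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+}
+#endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 OM_uint32 major;
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 goid.elements = buffer_get_string(m, &len);
 goid.length = len;
 
@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 OM_uint32 flags = 0; /* GSI needs this */
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 in.value = buffer_get_string(m, &len);
 in.length = len;
 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 OM_uint32 ret;
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 gssbuf.value = buffer_get_string(m, &len);
 gssbuf.length = len;
 mic.value = buffer_get_string(m, &len);
@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
 int authenticated;
 
-authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+authenticated = authctxt->valid &&
+ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
 buffer_clear(m);
 buffer_put_int(m, authenticated);
@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data;
+gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+u_int len;
+
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+data.value = buffer_get_string(m, &len);
+data.length = len;
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__,
+(int) data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+free(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+/* And credential updating, for when rekeying */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ssh_gssapi_ccache store;
+int ok;
+
+store.filename = buffer_get_string(m, NULL);
+store.envvar = buffer_get_string(m, NULL);
+store.envval = buffer_get_string(m, NULL);
+
+ok = ssh_gssapi_update_creds(&store);
+
+free(store.filename);
+free(store.envvar);
+free(store.envval);
+
+buffer_clear(m);
+buffer_put_int(m, ok);
+
+mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+return(0);
+}
+
 #endif /* GSSAPI */
 
 #ifdef JPAKE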
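Review bot: mm_answer_gss_updatecreds (new-side lines 2243-2263) is the only new GSSAPI monitor handler that does not open with the `if (!options.gss_authentication && !options.gss_keyex) fatal("In GSSAPI monitor when GSSAPI is disabled");` guard that mm_answer_gss_sign, mm_answer_gss_setup_ctx, mm_answer_gss_accept_ctx, mm_answer_gss_checkmic and mm_answer_gss_userok all carry; the same two lines belong before its three buffer_get_string() calls. It is reachable only after mm_answer_gss_sign has permitted MONITOR_REQ_GSSUPCREDS, but the other handlers are equally permission-gated and still keep the guard, so the omission reads as an oversight rather than a deliberate exception. Separately, filename, envvar and envval all arrive from the unprivileged child and are handed straight to ssh_gssapi_update_creds() by the privileged monitor; that function is not visible here, so it is worth confirming it does not let a compromised child steer the monitor's credential-cache writes to an arbitrary path, and a comment on the handler stating that assumption would help the next reader. In mm_answer_gss_sign the bare `20` would also be clearer as `/* SHA-1 digest length; the KEX_GSS_*_SHA1 methods registered in mm_get_kex are the only callers */`.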