Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c108
1 files changed, 107 insertions, 1 deletions
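diff --git a/monitor.c b/monitor.c
index 44dff98c9..9079c9762 100644
--- a/monitor.c
+++ b/monitor.c
@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
     {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 		/* Permit requests for moduli and signatures */
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+		/* and for the GSSAPI key exchange */
+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 	} else {
 		mon_dispatch = mon_dispatch_proto15;
 
@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+		/* and for the GSSAPI key exchange */
+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 	} else {
 		mon_dispatch = mon_dispatch_postauth15;
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI
+	if (options.gss_keyex) {
+		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+	}
+#endif
 	kex->server = 1;
 	kex->hostkey_type = buffer_get_int(m);
 	kex->kex_type = buffer_get_int(m);
@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 	OM_uint32 major;
 	u_int len;
 
+	if (!options.gss_authentication && !options.gss_keyex)
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 	goid.elements = buffer_get_string(m, &len);
 	goid.length = len;
 
@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 	OM_uint32 flags = 0; /* GSI needs this */
 	u_int len;
 
+	if (!options.gss_authentication && !options.gss_keyex)
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 	in.value = buffer_get_string(m, &len);
 	in.length = len;
 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 	}
 	return (0);
 }
@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 	OM_uint32 ret;
 	u_int len;
 
+	if (!options.gss_authentication && !options.gss_keyex)
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 	gssbuf.value = buffer_get_string(m, &len);
 	gssbuf.length = len;
 	mic.value = buffer_get_string(m, &len);
@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
 	int authenticated;
 
-	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+	if (!options.gss_authentication && !options.gss_keyex)
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+	authenticated = authctxt->valid &&
+	    ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
 	buffer_clear(m);
 	buffer_put_int(m, authenticated);
@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+	gss_buffer_desc data;
+	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+	OM_uint32 major, minor;
+	u_int len;
+
+	if (!options.gss_authentication && !options.gss_keyex)
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+	data.value = buffer_get_string(m, &len);
+	data.length = len;
+	if (data.length != 20)
+		fatal("%s: data length incorrect: %d", __func__,
+		    (int) data.length);
+
+	/* Save the session ID on the first time around */
+	if (session_id2_len == 0) {
+		session_id2_len = data.length;
+		session_id2 = xmalloc(session_id2_len);
+		memcpy(session_id2, data.value, session_id2_len);
+	}
+	major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+	free(data.value);
+
+	buffer_clear(m);
+	buffer_put_int(m, major);
+	buffer_put_string(m, hash.value, hash.length);
+
+	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+	gss_release_buffer(&minor, &hash);
+
+	/* Turn on getpwnam permissions */
+	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+	/* And credential updating, for when rekeying */
+	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+	return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+	ssh_gssapi_ccache store;
+	int ok;
+
+	store.filename = buffer_get_string(m, NULL);
+	store.envvar = buffer_get_string(m, NULL);
+	store.envval = buffer_get_string(m, NULL);
+
+	ok = ssh_gssapi_update_creds(&store);
+
+	free(store.filename);
+	free(store.envvar);
+	free(store.envval);
+
+	buffer_clear(m);
+	buffer_put_int(m, ok);
+
+	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+	return(0);
+}
+
 #endif /* GSSAPI */
 
 #ifdef JPAKE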
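Review bot: mm_answer_gss_updatecreds (new lines 2243–2263 in the last hunk) is the only new GSSAPI handler that does not open with the `if (!options.gss_authentication && !options.gss_keyex) fatal("In GSSAPI monitor when GSSAPI is disabled");` guard that mm_answer_gss_sign and the modified setup_ctx, accept_ctx, checkmic and userok handlers all carry; adding those two lines before the first buffer_get_string keeps the "GSSAPI disabled" invariant uniform across the dispatch table. The same handler takes store.filename, store.envvar and store.envval verbatim from the unprivileged side and passes them to ssh_gssapi_update_creds, whose checks are not visible in this hunk; a comment on the handler such as `/* filename/envvar/envval are chosen by the unprivileged child; ssh_gssapi_update_creds must constrain where they may point */` would make that trust boundary explicit for the next reader. In mm_answer_gss_sign, `if (data.length != 20)` hard-codes the digest length that the three KEX_GSS_*_SHA1 methods enabled in mm_get_kex produce; a named constant for it would tie the check to those methods when more are added. Minor style point: `return(0);` in mm_answer_gss_updatecreds differs from the `return (0);` used by the surrounding handlers.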