Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 108 |
1 files changed, 107 insertions, 1 deletions
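--- a/monitor.c
+++ b/monitor.c
@@ -172,6 +172,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -241,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -253,6 +256,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -357,6 +366,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_proto15;
 
@@ -443,6 +456,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1706,6 +1723,13 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+if (options.gss_keyex) {
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+}
+#endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
@@ -1911,6 +1935,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 OM_uint32 major;
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 goid.elements = buffer_get_string(m, &len);
 goid.length = len;
 
@@ -1938,6 +1965,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 OM_uint32 flags = 0; /* GSI needs this */
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 in.value = buffer_get_string(m, &len);
 in.length = len;
 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1955,6 +1985,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -1966,6 +1997,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 OM_uint32 ret;
 u_int len;
 
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
 gssbuf.value = buffer_get_string(m, &len);
 gssbuf.length = len;
 mic.value = buffer_get_string(m, &len);
@@ -1992,7 +2026,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
 int authenticated;
 
-authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+authenticated = authctxt->valid &&
+ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
 buffer_clear(m);
 buffer_put_int(m, authenticated);
@@ -2005,6 +2043,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data;
+gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+u_int len;
+
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+data.value = buffer_get_string(m, &len);
+data.length = len;
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__,
+(int) data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+xfree(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+/* And credential updating, for when rekeying */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ssh_gssapi_ccache store;
+int ok;
+
+store.filename = buffer_get_string(m, NULL);
+store.envvar = buffer_get_string(m, NULL);
+store.envval = buffer_get_string(m, NULL);
+
+ok = ssh_gssapi_update_creds(&store);
+
+xfree(store.filename);
+xfree(store.envvar);
+xfree(store.envval);
+
+buffer_clear(m);
+buffer_put_int(m, ok);
+
+mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+return(0);
+}
+
 #endif /* GSSAPI */
 
 #ifdef JPAKE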
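Review bot: mm_answer_gss_updatecreds (new lines 2092–2112) is the only GSSAPI handler in this change that does not open with the `if (!options.gss_authentication && !options.gss_keyex) fatal("In GSSAPI monitor when GSSAPI is disabled");` guard that setup_ctx, accept_ctx, checkmic, userok and gss_sign all carry; it should start with those same two lines so a request that reaches the privileged monitor with GSSAPI disabled is fatal here too. It also takes a credential-cache filename and an environment variable name and value straight from the unprivileged child and passes them to ssh_gssapi_update_creds without any check visible in this diff; whether a child-chosen path is acceptable depends on what that function does, which is outside this change, so a one-line comment on `store.filename` stating who is trusted to supply it would help the next reader. Separately, the hardcoded `20` in mm_answer_gss_sign is only correct because the three GSS kex methods registered in mm_get_kex are all SHA-1; a comment such as `/* exchange hash is SHA-1 for every KEX_GSS_* method registered in mm_get_kex */` above the length check would tie the two together.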