diff options
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 362 |
1 files changed, 254 insertions, 108 deletions
@@ -25,7 +25,7 @@ | |||
25 | */ | 25 | */ |
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $"); | 28 | RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $"); |
29 | 29 | ||
30 | #include <openssl/dh.h> | 30 | #include <openssl/dh.h> |
31 | 31 | ||
@@ -59,6 +59,11 @@ RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $"); | |||
59 | #include "ssh2.h" | 59 | #include "ssh2.h" |
60 | #include "mpaux.h" | 60 | #include "mpaux.h" |
61 | 61 | ||
62 | #ifdef GSSAPI | ||
63 | #include "ssh-gss.h" | ||
64 | static Gssctxt *gsscontext = NULL; | ||
65 | #endif | ||
66 | |||
62 | /* Imports */ | 67 | /* Imports */ |
63 | extern ServerOptions options; | 68 | extern ServerOptions options; |
64 | extern u_int utmp_len; | 69 | extern u_int utmp_len; |
@@ -93,7 +98,7 @@ struct { | |||
93 | u_int olen; | 98 | u_int olen; |
94 | } child_state; | 99 | } child_state; |
95 | 100 | ||
96 | /* Functions on the montior that answer unprivileged requests */ | 101 | /* Functions on the monitor that answer unprivileged requests */ |
97 | 102 | ||
98 | int mm_answer_moduli(int, Buffer *); | 103 | int mm_answer_moduli(int, Buffer *); |
99 | int mm_answer_sign(int, Buffer *); | 104 | int mm_answer_sign(int, Buffer *); |
@@ -118,13 +123,17 @@ int mm_answer_sessid(int, Buffer *); | |||
118 | 123 | ||
119 | #ifdef USE_PAM | 124 | #ifdef USE_PAM |
120 | int mm_answer_pam_start(int, Buffer *); | 125 | int mm_answer_pam_start(int, Buffer *); |
126 | int mm_answer_pam_account(int, Buffer *); | ||
127 | int mm_answer_pam_init_ctx(int, Buffer *); | ||
128 | int mm_answer_pam_query(int, Buffer *); | ||
129 | int mm_answer_pam_respond(int, Buffer *); | ||
130 | int mm_answer_pam_free_ctx(int, Buffer *); | ||
121 | #endif | 131 | #endif |
122 | 132 | ||
123 | #ifdef KRB4 | 133 | #ifdef GSSAPI |
124 | int mm_answer_krb4(int, Buffer *); | 134 | int mm_answer_gss_setup_ctx(int, Buffer *); |
125 | #endif | 135 | int mm_answer_gss_accept_ctx(int, Buffer *); |
126 | #ifdef KRB5 | 136 | int mm_answer_gss_userok(int, Buffer *); |
127 | int mm_answer_krb5(int, Buffer *); | ||
128 | #endif | 137 | #endif |
129 | 138 | ||
130 | static Authctxt *authctxt; | 139 | static Authctxt *authctxt; |
@@ -137,7 +146,7 @@ static int key_blobtype = MM_NOKEY; | |||
137 | static char *hostbased_cuser = NULL; | 146 | static char *hostbased_cuser = NULL; |
138 | static char *hostbased_chost = NULL; | 147 | static char *hostbased_chost = NULL; |
139 | static char *auth_method = "unknown"; | 148 | static char *auth_method = "unknown"; |
140 | static int session_id2_len = 0; | 149 | static u_int session_id2_len = 0; |
141 | static u_char *session_id2 = NULL; | 150 | static u_char *session_id2 = NULL; |
142 | static pid_t monitor_child_pid; | 151 | static pid_t monitor_child_pid; |
143 | 152 | ||
@@ -164,6 +173,11 @@ struct mon_table mon_dispatch_proto20[] = { | |||
164 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 173 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
165 | #ifdef USE_PAM | 174 | #ifdef USE_PAM |
166 | {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, | 175 | {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, |
176 | {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, | ||
177 | {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, | ||
178 | {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, | ||
179 | {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, | ||
180 | {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, | ||
167 | #endif | 181 | #endif |
168 | #ifdef BSD_AUTH | 182 | #ifdef BSD_AUTH |
169 | {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, | 183 | {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, |
@@ -175,6 +189,11 @@ struct mon_table mon_dispatch_proto20[] = { | |||
175 | #endif | 189 | #endif |
176 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, | 190 | {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, |
177 | {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, | 191 | {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, |
192 | #ifdef GSSAPI | ||
193 | {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, | ||
194 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | ||
195 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | ||
196 | #endif | ||
178 | {0, 0, NULL} | 197 | {0, 0, NULL} |
179 | }; | 198 | }; |
180 | 199 | ||
@@ -206,12 +225,11 @@ struct mon_table mon_dispatch_proto15[] = { | |||
206 | #endif | 225 | #endif |
207 | #ifdef USE_PAM | 226 | #ifdef USE_PAM |
208 | {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, | 227 | {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, |
209 | #endif | 228 | {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, |
210 | #ifdef KRB4 | 229 | {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, |
211 | {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4}, | 230 | {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, |
212 | #endif | 231 | {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, |
213 | #ifdef KRB5 | 232 | {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, |
214 | {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, | ||
215 | #endif | 233 | #endif |
216 | {0, 0, NULL} | 234 | {0, 0, NULL} |
217 | }; | 235 | }; |
@@ -287,8 +305,16 @@ monitor_child_preauth(struct monitor *pmonitor) | |||
287 | !auth_root_allowed(auth_method)) | 305 | !auth_root_allowed(auth_method)) |
288 | authenticated = 0; | 306 | authenticated = 0; |
289 | #ifdef USE_PAM | 307 | #ifdef USE_PAM |
290 | if (!do_pam_account(authctxt->pw->pw_name, NULL)) | 308 | /* PAM needs to perform account checks after auth */ |
291 | authenticated = 0; | 309 | if (options.use_pam) { |
310 | Buffer m; | ||
311 | |||
312 | buffer_init(&m); | ||
313 | mm_request_receive_expect(pmonitor->m_sendfd, | ||
314 | MONITOR_REQ_PAM_ACCOUNT, &m); | ||
315 | authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); | ||
316 | buffer_free(&m); | ||
317 | } | ||
292 | #endif | 318 | #endif |
293 | } | 319 | } |
294 | 320 | ||
@@ -337,7 +363,6 @@ monitor_child_postauth(struct monitor *pmonitor) | |||
337 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 363 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
338 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 364 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
339 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 365 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
340 | |||
341 | } else { | 366 | } else { |
342 | mon_dispatch = mon_dispatch_postauth15; | 367 | mon_dispatch = mon_dispatch_postauth15; |
343 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 368 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -573,7 +598,8 @@ mm_answer_pwnamallow(int socket, Buffer *m) | |||
573 | } | 598 | } |
574 | 599 | ||
575 | #ifdef USE_PAM | 600 | #ifdef USE_PAM |
576 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); | 601 | if (options.use_pam) |
602 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); | ||
577 | #endif | 603 | #endif |
578 | 604 | ||
579 | return (0); | 605 | return (0); |
@@ -623,7 +649,7 @@ mm_answer_authpassword(int socket, Buffer *m) | |||
623 | passwd = buffer_get_string(m, &plen); | 649 | passwd = buffer_get_string(m, &plen); |
624 | /* Only authenticate if the context is valid */ | 650 | /* Only authenticate if the context is valid */ |
625 | authenticated = options.password_authentication && | 651 | authenticated = options.password_authentication && |
626 | auth_password(authctxt, passwd) && authctxt->valid; | 652 | auth_password(authctxt, passwd); |
627 | memset(passwd, 0, strlen(passwd)); | 653 | memset(passwd, 0, strlen(passwd)); |
628 | xfree(passwd); | 654 | xfree(passwd); |
629 | 655 | ||
@@ -756,14 +782,133 @@ mm_answer_pam_start(int socket, Buffer *m) | |||
756 | { | 782 | { |
757 | char *user; | 783 | char *user; |
758 | 784 | ||
785 | if (!options.use_pam) | ||
786 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | ||
787 | |||
759 | user = buffer_get_string(m, NULL); | 788 | user = buffer_get_string(m, NULL); |
760 | 789 | ||
761 | start_pam(user); | 790 | start_pam(user); |
762 | 791 | ||
763 | xfree(user); | 792 | xfree(user); |
764 | 793 | ||
794 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1); | ||
795 | |||
796 | return (0); | ||
797 | } | ||
798 | |||
799 | int | ||
800 | mm_answer_pam_account(int socket, Buffer *m) | ||
801 | { | ||
802 | u_int ret; | ||
803 | |||
804 | if (!options.use_pam) | ||
805 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | ||
806 | |||
807 | ret = do_pam_account(); | ||
808 | |||
809 | buffer_put_int(m, ret); | ||
810 | |||
811 | mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m); | ||
812 | |||
813 | return (ret); | ||
814 | } | ||
815 | |||
816 | static void *sshpam_ctxt, *sshpam_authok; | ||
817 | extern KbdintDevice sshpam_device; | ||
818 | |||
819 | int | ||
820 | mm_answer_pam_init_ctx(int socket, Buffer *m) | ||
821 | { | ||
822 | |||
823 | debug3("%s", __func__); | ||
824 | authctxt->user = buffer_get_string(m, NULL); | ||
825 | sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); | ||
826 | sshpam_authok = NULL; | ||
827 | buffer_clear(m); | ||
828 | if (sshpam_ctxt != NULL) { | ||
829 | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1); | ||
830 | buffer_put_int(m, 1); | ||
831 | } else { | ||
832 | buffer_put_int(m, 0); | ||
833 | } | ||
834 | mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m); | ||
835 | return (0); | ||
836 | } | ||
837 | |||
838 | int | ||
839 | mm_answer_pam_query(int socket, Buffer *m) | ||
840 | { | ||
841 | char *name, *info, **prompts; | ||
842 | u_int num, *echo_on; | ||
843 | int i, ret; | ||
844 | |||
845 | debug3("%s", __func__); | ||
846 | sshpam_authok = NULL; | ||
847 | ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on); | ||
848 | if (ret == 0 && num == 0) | ||
849 | sshpam_authok = sshpam_ctxt; | ||
850 | if (num > 1 || name == NULL || info == NULL) | ||
851 | ret = -1; | ||
852 | buffer_clear(m); | ||
853 | buffer_put_int(m, ret); | ||
854 | buffer_put_cstring(m, name); | ||
855 | xfree(name); | ||
856 | buffer_put_cstring(m, info); | ||
857 | xfree(info); | ||
858 | buffer_put_int(m, num); | ||
859 | for (i = 0; i < num; ++i) { | ||
860 | buffer_put_cstring(m, prompts[i]); | ||
861 | xfree(prompts[i]); | ||
862 | buffer_put_int(m, echo_on[i]); | ||
863 | } | ||
864 | if (prompts != NULL) | ||
865 | xfree(prompts); | ||
866 | if (echo_on != NULL) | ||
867 | xfree(echo_on); | ||
868 | mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m); | ||
869 | return (0); | ||
870 | } | ||
871 | |||
872 | int | ||
873 | mm_answer_pam_respond(int socket, Buffer *m) | ||
874 | { | ||
875 | char **resp; | ||
876 | u_int num; | ||
877 | int i, ret; | ||
878 | |||
879 | debug3("%s", __func__); | ||
880 | sshpam_authok = NULL; | ||
881 | num = buffer_get_int(m); | ||
882 | if (num > 0) { | ||
883 | resp = xmalloc(num * sizeof(char *)); | ||
884 | for (i = 0; i < num; ++i) | ||
885 | resp[i] = buffer_get_string(m, NULL); | ||
886 | ret = (sshpam_device.respond)(sshpam_ctxt, num, resp); | ||
887 | for (i = 0; i < num; ++i) | ||
888 | xfree(resp[i]); | ||
889 | xfree(resp); | ||
890 | } else { | ||
891 | ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL); | ||
892 | } | ||
893 | buffer_clear(m); | ||
894 | buffer_put_int(m, ret); | ||
895 | mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m); | ||
896 | auth_method = "keyboard-interactive/pam"; | ||
897 | if (ret == 0) | ||
898 | sshpam_authok = sshpam_ctxt; | ||
765 | return (0); | 899 | return (0); |
766 | } | 900 | } |
901 | |||
902 | int | ||
903 | mm_answer_pam_free_ctx(int socket, Buffer *m) | ||
904 | { | ||
905 | |||
906 | debug3("%s", __func__); | ||
907 | (sshpam_device.free_ctx)(sshpam_ctxt); | ||
908 | buffer_clear(m); | ||
909 | mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m); | ||
910 | return (sshpam_authok == sshpam_ctxt); | ||
911 | } | ||
767 | #endif | 912 | #endif |
768 | 913 | ||
769 | static void | 914 | static void |
@@ -887,7 +1032,7 @@ monitor_valid_userblob(u_char *data, u_int datalen) | |||
887 | fail++; | 1032 | fail++; |
888 | p = buffer_get_string(&b, NULL); | 1033 | p = buffer_get_string(&b, NULL); |
889 | if (strcmp(authctxt->user, p) != 0) { | 1034 | if (strcmp(authctxt->user, p) != 0) { |
890 | log("wrong user name passed to monitor: expected %s != %.100s", | 1035 | logit("wrong user name passed to monitor: expected %s != %.100s", |
891 | authctxt->user, p); | 1036 | authctxt->user, p); |
892 | fail++; | 1037 | fail++; |
893 | } | 1038 | } |
@@ -935,7 +1080,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, | |||
935 | fail++; | 1080 | fail++; |
936 | p = buffer_get_string(&b, NULL); | 1081 | p = buffer_get_string(&b, NULL); |
937 | if (strcmp(authctxt->user, p) != 0) { | 1082 | if (strcmp(authctxt->user, p) != 0) { |
938 | log("wrong user name passed to monitor: expected %s != %.100s", | 1083 | logit("wrong user name passed to monitor: expected %s != %.100s", |
939 | authctxt->user, p); | 1084 | authctxt->user, p); |
940 | fail++; | 1085 | fail++; |
941 | } | 1086 | } |
@@ -1045,14 +1190,14 @@ mm_record_login(Session *s, struct passwd *pw) | |||
1045 | } | 1190 | } |
1046 | /* Record that there was a login on that tty from the remote host. */ | 1191 | /* Record that there was a login on that tty from the remote host. */ |
1047 | record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, | 1192 | record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, |
1048 | get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), | 1193 | get_remote_name_or_ip(utmp_len, options.use_dns), |
1049 | (struct sockaddr *)&from, fromlen); | 1194 | (struct sockaddr *)&from, fromlen); |
1050 | } | 1195 | } |
1051 | 1196 | ||
1052 | static void | 1197 | static void |
1053 | mm_session_close(Session *s) | 1198 | mm_session_close(Session *s) |
1054 | { | 1199 | { |
1055 | debug3("%s: session %d pid %d", __func__, s->self, s->pid); | 1200 | debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); |
1056 | if (s->ttyfd != -1) { | 1201 | if (s->ttyfd != -1) { |
1057 | debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); | 1202 | debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); |
1058 | fatal_remove_cleanup(session_pty_cleanup2, (void *)s); | 1203 | fatal_remove_cleanup(session_pty_cleanup2, (void *)s); |
@@ -1316,89 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m) | |||
1316 | return (success); | 1461 | return (success); |
1317 | } | 1462 | } |
1318 | 1463 | ||
1319 | #ifdef KRB4 | ||
1320 | int | ||
1321 | mm_answer_krb4(int socket, Buffer *m) | ||
1322 | { | ||
1323 | KTEXT_ST auth, reply; | ||
1324 | char *client, *p; | ||
1325 | int success; | ||
1326 | u_int alen; | ||
1327 | |||
1328 | reply.length = auth.length = 0; | ||
1329 | |||
1330 | p = buffer_get_string(m, &alen); | ||
1331 | if (alen >= MAX_KTXT_LEN) | ||
1332 | fatal("%s: auth too large", __func__); | ||
1333 | memcpy(auth.dat, p, alen); | ||
1334 | auth.length = alen; | ||
1335 | memset(p, 0, alen); | ||
1336 | xfree(p); | ||
1337 | |||
1338 | success = options.kerberos_authentication && | ||
1339 | authctxt->valid && | ||
1340 | auth_krb4(authctxt, &auth, &client, &reply); | ||
1341 | |||
1342 | memset(auth.dat, 0, alen); | ||
1343 | buffer_clear(m); | ||
1344 | buffer_put_int(m, success); | ||
1345 | |||
1346 | if (success) { | ||
1347 | buffer_put_cstring(m, client); | ||
1348 | buffer_put_string(m, reply.dat, reply.length); | ||
1349 | if (client) | ||
1350 | xfree(client); | ||
1351 | if (reply.length) | ||
1352 | memset(reply.dat, 0, reply.length); | ||
1353 | } | ||
1354 | |||
1355 | debug3("%s: sending result %d", __func__, success); | ||
1356 | mm_request_send(socket, MONITOR_ANS_KRB4, m); | ||
1357 | |||
1358 | auth_method = "kerberos"; | ||
1359 | |||
1360 | /* Causes monitor loop to terminate if authenticated */ | ||
1361 | return (success); | ||
1362 | } | ||
1363 | #endif | ||
1364 | |||
1365 | #ifdef KRB5 | ||
1366 | int | ||
1367 | mm_answer_krb5(int socket, Buffer *m) | ||
1368 | { | ||
1369 | krb5_data tkt, reply; | ||
1370 | char *client_user; | ||
1371 | u_int len; | ||
1372 | int success; | ||
1373 | |||
1374 | /* use temporary var to avoid size issues on 64bit arch */ | ||
1375 | tkt.data = buffer_get_string(m, &len); | ||
1376 | tkt.length = len; | ||
1377 | |||
1378 | success = options.kerberos_authentication && | ||
1379 | authctxt->valid && | ||
1380 | auth_krb5(authctxt, &tkt, &client_user, &reply); | ||
1381 | |||
1382 | if (tkt.length) | ||
1383 | xfree(tkt.data); | ||
1384 | |||
1385 | buffer_clear(m); | ||
1386 | buffer_put_int(m, success); | ||
1387 | |||
1388 | if (success) { | ||
1389 | buffer_put_cstring(m, client_user); | ||
1390 | buffer_put_string(m, reply.data, reply.length); | ||
1391 | if (client_user) | ||
1392 | xfree(client_user); | ||
1393 | if (reply.length) | ||
1394 | xfree(reply.data); | ||
1395 | } | ||
1396 | mm_request_send(socket, MONITOR_ANS_KRB5, m); | ||
1397 | |||
1398 | return success; | ||
1399 | } | ||
1400 | #endif | ||
1401 | |||
1402 | int | 1464 | int |
1403 | mm_answer_term(int socket, Buffer *req) | 1465 | mm_answer_term(int socket, Buffer *req) |
1404 | { | 1466 | { |
@@ -1514,6 +1576,8 @@ mm_get_keystate(struct monitor *pmonitor) | |||
1514 | Buffer m; | 1576 | Buffer m; |
1515 | u_char *blob, *p; | 1577 | u_char *blob, *p; |
1516 | u_int bloblen, plen; | 1578 | u_int bloblen, plen; |
1579 | u_int32_t seqnr, packets; | ||
1580 | u_int64_t blocks; | ||
1517 | 1581 | ||
1518 | debug3("%s: Waiting for new keys", __func__); | 1582 | debug3("%s: Waiting for new keys", __func__); |
1519 | 1583 | ||
@@ -1543,8 +1607,14 @@ mm_get_keystate(struct monitor *pmonitor) | |||
1543 | xfree(blob); | 1607 | xfree(blob); |
1544 | 1608 | ||
1545 | /* Now get sequence numbers for the packets */ | 1609 | /* Now get sequence numbers for the packets */ |
1546 | packet_set_seqnr(MODE_OUT, buffer_get_int(&m)); | 1610 | seqnr = buffer_get_int(&m); |
1547 | packet_set_seqnr(MODE_IN, buffer_get_int(&m)); | 1611 | blocks = buffer_get_int64(&m); |
1612 | packets = buffer_get_int(&m); | ||
1613 | packet_set_state(MODE_OUT, seqnr, blocks, packets); | ||
1614 | seqnr = buffer_get_int(&m); | ||
1615 | blocks = buffer_get_int64(&m); | ||
1616 | packets = buffer_get_int(&m); | ||
1617 | packet_set_state(MODE_IN, seqnr, blocks, packets); | ||
1548 | 1618 | ||
1549 | skip: | 1619 | skip: |
1550 | /* Get the key context */ | 1620 | /* Get the key context */ |
@@ -1665,3 +1735,79 @@ monitor_reinit(struct monitor *mon) | |||
1665 | mon->m_recvfd = pair[0]; | 1735 | mon->m_recvfd = pair[0]; |
1666 | mon->m_sendfd = pair[1]; | 1736 | mon->m_sendfd = pair[1]; |
1667 | } | 1737 | } |
1738 | |||
1739 | #ifdef GSSAPI | ||
1740 | int | ||
1741 | mm_answer_gss_setup_ctx(int socket, Buffer *m) | ||
1742 | { | ||
1743 | gss_OID_desc oid; | ||
1744 | OM_uint32 major; | ||
1745 | u_int len; | ||
1746 | |||
1747 | oid.elements = buffer_get_string(m, &len); | ||
1748 | oid.length = len; | ||
1749 | |||
1750 | major = ssh_gssapi_server_ctx(&gsscontext, &oid); | ||
1751 | |||
1752 | xfree(oid.elements); | ||
1753 | |||
1754 | buffer_clear(m); | ||
1755 | buffer_put_int(m, major); | ||
1756 | |||
1757 | mm_request_send(socket,MONITOR_ANS_GSSSETUP, m); | ||
1758 | |||
1759 | /* Now we have a context, enable the step */ | ||
1760 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); | ||
1761 | |||
1762 | return (0); | ||
1763 | } | ||
1764 | |||
1765 | int | ||
1766 | mm_answer_gss_accept_ctx(int socket, Buffer *m) | ||
1767 | { | ||
1768 | gss_buffer_desc in; | ||
1769 | gss_buffer_desc out = GSS_C_EMPTY_BUFFER; | ||
1770 | OM_uint32 major,minor; | ||
1771 | OM_uint32 flags = 0; /* GSI needs this */ | ||
1772 | u_int len; | ||
1773 | |||
1774 | in.value = buffer_get_string(m, &len); | ||
1775 | in.length = len; | ||
1776 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | ||
1777 | xfree(in.value); | ||
1778 | |||
1779 | buffer_clear(m); | ||
1780 | buffer_put_int(m, major); | ||
1781 | buffer_put_string(m, out.value, out.length); | ||
1782 | buffer_put_int(m, flags); | ||
1783 | mm_request_send(socket, MONITOR_ANS_GSSSTEP, m); | ||
1784 | |||
1785 | gss_release_buffer(&minor, &out); | ||
1786 | |||
1787 | /* Complete - now we can do signing */ | ||
1788 | if (major==GSS_S_COMPLETE) { | ||
1789 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | ||
1790 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | ||
1791 | } | ||
1792 | return (0); | ||
1793 | } | ||
1794 | |||
1795 | int | ||
1796 | mm_answer_gss_userok(int socket, Buffer *m) | ||
1797 | { | ||
1798 | int authenticated; | ||
1799 | |||
1800 | authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); | ||
1801 | |||
1802 | buffer_clear(m); | ||
1803 | buffer_put_int(m, authenticated); | ||
1804 | |||
1805 | debug3("%s: sending result %d", __func__, authenticated); | ||
1806 | mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); | ||
1807 | |||
1808 | auth_method="gssapi"; | ||
1809 | |||
1810 | /* Monitor loop will terminate if authenticated */ | ||
1811 | return (authenticated); | ||
1812 | } | ||
1813 | #endif /* GSSAPI */ | ||