Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 64 |
1 files changed, 62 insertions, 2 deletions
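--- a/monitor.c
+++ b/monitor.c
@@ -141,6 +141,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -209,11 +210,17 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+#endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -318,6 +325,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_proto15;
 
@@ -391,6 +402,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -659,14 +674,20 @@ mm_answer_authserv(int sock, Buffer *m)
 
 authctxt->service = buffer_get_string(m, NULL);
 authctxt->style = buffer_get_string(m, NULL);
-debug3("%s: service=%s, style=%s",
-__func__, authctxt->service, authctxt->style);
+authctxt->role = buffer_get_string(m, NULL);
+debug3("%s: service=%s, style=%s, role=%s",
+__func__, authctxt->service, authctxt->style, authctxt->role);
 
 if (strlen(authctxt->style) == 0) {
 xfree(authctxt->style);
 authctxt->style = NULL;
 }
 
+if (strlen(authctxt->role) == 0) {
+xfree(authctxt->role);
+authctxt->role = NULL;
+}
+
 return (0);
 }
 
@@ -1621,6 +1642,9 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+#ifdef GSSAPI
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+#endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
@@ -1863,6 +1887,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -1913,4 +1938,39 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data, hash;
+OM_uint32 major, minor;
+
+data.value = buffer_get_string(m, &data.length);
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__, data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+xfree(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+return (0);
+}
+
 #endif /* GSSAPI */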
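Review bot: In the new mm_answer_gss_sign (last hunk) the length from buffer_get_string is written straight into `data.length`, which is a `size_t` in gss_buffer_desc; if buffer_get_string's length parameter is `u_int *` as elsewhere in this file, the upper bytes of `data.length` are never written on LP64 platforms, so the `!= 20` check and the later memcpy into session_id2 operate on an indeterminate length, and the `%d` in the fatal() call does not match a `size_t` argument either. Read it into a `u_int len;` local, then `data.length = len;`, and print it with `%u`. The status returned by ssh_gssapi_sign is also not examined before `hash.value`/`hash.length` are serialized and `hash` is released; unless ssh_gssapi_sign initializes `hash` on every failure path, initialize `hash` to `GSS_C_EMPTY_BUFFER` and only serialize/release it when `!GSS_ERROR(major)`. The session_id2 capture mirrors mm_answer_sign, but a comment such as `/* session ID is taken on trust from the unprivileged child, as in mm_answer_sign */` would make that trust boundary explicit to readers.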