Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 59 |
1 files changed, 59 insertions, 0 deletions
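--- a/monitor.c
+++ b/monitor.c
@@ -164,6 +164,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -233,11 +234,17 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+#endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -342,6 +349,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_proto15;
 
@@ -419,6 +430,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1675,6 +1690,11 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+#endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
@@ -1918,6 +1938,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -1968,4 +1989,42 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data;
+gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+u_int len;
+
+data.value = buffer_get_string(m, &len);
+data.length = len;
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__, data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+xfree(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+return (0);
+}
+
 #endif /* GSSAPI */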
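Review bot: In mm_answer_gss_sign the fatal() call formats data.length with `%d`, but the length member of a gss_buffer_desc is a size_t, so the specifier does not match the argument type; the same value is already held in the u_int `len`, so printing that is the simplest correct form: `fatal("%s: data length incorrect: %u", __func__, len);`. The bare literal 20 is the SHA-1 digest length that all three KEX_GSS_*_SHA1 methods registered in the mm_get_kex hunk produce, so a comment such as `/* session ID is a SHA-1 hash for the GSS kex methods registered in mm_get_kex */` above the check would make the bound self-explanatory and easy to revisit if a non-SHA-1 GSS method is ever added. The parameter is named `socket` here while the sibling handlers mm_answer_gss_accept_ctx and mm_answer_gss_userok in the same hunks use `sock`; renaming it keeps the handlers consistent and avoids shadowing the socket() library function. Not visible in the hunk, and worth confirming, is whether the MONITOR_REQ_PWNAM permit at the end of the handler is a harmless no-op when the handler runs from the postauth20 table, which this diff shows without a PWNAM entry.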