1 files changed, 87 insertions, 2 deletions
diff --git a/monitor.c b/monitor.c
index 02f2dc869..5db4d52da 100644
--- a/monitor.c
+++ b/monitor.c
@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -163,6 +164,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -204,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -232,11 +235,17 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -341,6 +350,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -417,6 +430,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -656,6 +673,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        else {
                /* Allow service/style information on the auth context */
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
        }
@@ -689,14 +707,37 @@ mm_answer_authserv(int sock, Buffer *m)
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
-        debug3("%s: service=%s, style=%s",
+        authctxt->role = buffer_get_string(m, NULL);
-            __func__, authctxt->service, authctxt->style);
+        debug3("%s: service=%s, style=%s, role=%s",
+            __func__, authctxt->service, authctxt->style, authctxt->role);
        if (strlen(authctxt->style) == 0) {
                xfree(authctxt->style);
                authctxt->style = NULL;
        }
+        if (strlen(authctxt->role) == 0) {
+                xfree(authctxt->role);
+                authctxt->role = NULL;
+        }
+        return (0);
+}
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+        monitor_permit_authentications(1);
+        authctxt->role = buffer_get_string(m, NULL);
+        debug3("%s: role=%s",
+            __func__, authctxt->role);
+        if (strlen(authctxt->role) == 0) {
+                xfree(authctxt->role);
+                authctxt->role = NULL;
+        }
        return (0);
 }
@@ -1663,6 +1704,11 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -1904,6 +1950,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1954,4 +2001,42 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        xfree(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        return (0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index 02f2dc869..5db4d52da 100644 --- a/monitor.c +++ b/monitor.c
@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
133	int mm_answer_pwnamallow(int, Buffer *);	133	int mm_answer_pwnamallow(int, Buffer *);
134	int mm_answer_auth2_read_banner(int, Buffer *);	134	int mm_answer_auth2_read_banner(int, Buffer *);
135	int mm_answer_authserv(int, Buffer *);	135	int mm_answer_authserv(int, Buffer *);
		136	int mm_answer_authrole(int, Buffer *);
136	int mm_answer_authpassword(int, Buffer *);	137	int mm_answer_authpassword(int, Buffer *);
137	int mm_answer_bsdauthquery(int, Buffer *);	138	int mm_answer_bsdauthquery(int, Buffer *);
138	int mm_answer_bsdauthrespond(int, Buffer *);	139	int mm_answer_bsdauthrespond(int, Buffer *);
@@ -163,6 +164,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
163	int mm_answer_gss_accept_ctx(int, Buffer *);	164	int mm_answer_gss_accept_ctx(int, Buffer *);
164	int mm_answer_gss_userok(int, Buffer *);	165	int mm_answer_gss_userok(int, Buffer *);
165	int mm_answer_gss_checkmic(int, Buffer *);	166	int mm_answer_gss_checkmic(int, Buffer *);
		167	int mm_answer_gss_sign(int, Buffer *);
166	#endif	168	#endif
167		169
168	#ifdef SSH_AUDIT_EVENTS	170	#ifdef SSH_AUDIT_EVENTS
@@ -204,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] = {
204	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},	206	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
205	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},	207	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
206	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},	208	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
		209	{MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
207	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	210	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
208	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	211	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
209	#ifdef USE_PAM	212	#ifdef USE_PAM
@@ -232,11 +235,17 @@ struct mon_table mon_dispatch_proto20[] = {
232	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	235	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
233	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	236	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
234	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	237	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		238	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
235	#endif	239	#endif
236	{0, 0, NULL}	240	{0, 0, NULL}
237	};	241	};
238		242
239	struct mon_table mon_dispatch_postauth20[] = {	243	struct mon_table mon_dispatch_postauth20[] = {
		244	#ifdef GSSAPI
		245	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		246	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		247	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		248	#endif
240	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	249	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
241	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	250	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
242	{MONITOR_REQ_PTY, 0, mm_answer_pty},	251	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -341,6 +350,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
341	/* Permit requests for moduli and signatures */	350	/* Permit requests for moduli and signatures */
342	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	351	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
343	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	352	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		353	#ifdef GSSAPI
		354	/* and for the GSSAPI key exchange */
		355	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		356	#endif
344	} else {	357	} else {
345	mon_dispatch = mon_dispatch_proto15;	358	mon_dispatch = mon_dispatch_proto15;
346		359
@@ -417,6 +430,10 @@ monitor_child_postauth(struct monitor *pmonitor)
417	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	430	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
418	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	431	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
419	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	432	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		433	#ifdef GSSAPI
		434	/* and for the GSSAPI key exchange */
		435	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		436	#endif
420	} else {	437	} else {
421	mon_dispatch = mon_dispatch_postauth15;	438	mon_dispatch = mon_dispatch_postauth15;
422	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	439	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -656,6 +673,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
656	else {	673	else {
657	/* Allow service/style information on the auth context */	674	/* Allow service/style information on the auth context */
658	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);	675	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
		676	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
659	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);	677	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
660	}	678	}
661		679
@@ -689,14 +707,37 @@ mm_answer_authserv(int sock, Buffer *m)
689		707
690	authctxt->service = buffer_get_string(m, NULL);	708	authctxt->service = buffer_get_string(m, NULL);
691	authctxt->style = buffer_get_string(m, NULL);	709	authctxt->style = buffer_get_string(m, NULL);
692	debug3("%s: service=%s, style=%s",	710	authctxt->role = buffer_get_string(m, NULL);
693	__func__, authctxt->service, authctxt->style);	711	debug3("%s: service=%s, style=%s, role=%s",
		712	__func__, authctxt->service, authctxt->style, authctxt->role);
694		713
695	if (strlen(authctxt->style) == 0) {	714	if (strlen(authctxt->style) == 0) {
696	xfree(authctxt->style);	715	xfree(authctxt->style);
697	authctxt->style = NULL;	716	authctxt->style = NULL;
698	}	717	}
699		718
		719	if (strlen(authctxt->role) == 0) {
		720	xfree(authctxt->role);
		721	authctxt->role = NULL;
		722	}
		723
		724	return (0);
		725	}
		726
		727	int
		728	mm_answer_authrole(int sock, Buffer *m)
		729	{
		730	monitor_permit_authentications(1);
		731
		732	authctxt->role = buffer_get_string(m, NULL);
		733	debug3("%s: role=%s",
		734	__func__, authctxt->role);
		735
		736	if (strlen(authctxt->role) == 0) {
		737	xfree(authctxt->role);
		738	authctxt->role = NULL;
		739	}
		740
700	return (0);	741	return (0);
701	}	742	}
702		743
@@ -1663,6 +1704,11 @@ mm_get_kex(Buffer *m)
1663	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1704	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1664	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1705	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1665	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1706	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
		1707	#ifdef GSSAPI
		1708	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1709	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1710	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1711	#endif
1666	kex->server = 1;	1712	kex->server = 1;
1667	kex->hostkey_type = buffer_get_int(m);	1713	kex->hostkey_type = buffer_get_int(m);
1668	kex->kex_type = buffer_get_int(m);	1714	kex->kex_type = buffer_get_int(m);
@@ -1904,6 +1950,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1904	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1950	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1905	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1951	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1906	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1952	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1953	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1907	}	1954	}
1908	return (0);	1955	return (0);
1909	}	1956	}
@@ -1954,4 +2001,42 @@ mm_answer_gss_userok(int sock, Buffer *m)
1954	/* Monitor loop will terminate if authenticated */	2001	/* Monitor loop will terminate if authenticated */
1955	return (authenticated);	2002	return (authenticated);
1956	}	2003	}
		2004
		2005	int
		2006	mm_answer_gss_sign(int socket, Buffer *m)
		2007	{
		2008	gss_buffer_desc data;
		2009	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		2010	OM_uint32 major, minor;
		2011	u_int len;
		2012
		2013	data.value = buffer_get_string(m, &len);
		2014	data.length = len;
		2015	if (data.length != 20)
		2016	fatal("%s: data length incorrect: %d", __func__, data.length);
		2017
		2018	/* Save the session ID on the first time around */
		2019	if (session_id2_len == 0) {
		2020	session_id2_len = data.length;
		2021	session_id2 = xmalloc(session_id2_len);
		2022	memcpy(session_id2, data.value, session_id2_len);
		2023	}
		2024	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2025
		2026	xfree(data.value);
		2027
		2028	buffer_clear(m);
		2029	buffer_put_int(m, major);
		2030	buffer_put_string(m, hash.value, hash.length);
		2031
		2032	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2033
		2034	gss_release_buffer(&minor, &hash);
		2035
		2036	/* Turn on getpwnam permissions */
		2037	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2038
		2039	return (0);
		2040	}
		2041
1957	#endif /* GSSAPI */	2042	#endif /* GSSAPI */