Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 89 |
1 files changed, 87 insertions, 2 deletions
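--- a/monitor.c
+++ b/monitor.c
@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -163,6 +164,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -204,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+{MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -232,11 +235,17 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+#endif
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
 {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -341,6 +350,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_proto15;
 
@@ -418,6 +431,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 } else {
 mon_dispatch = mon_dispatch_postauth15;
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -657,6 +674,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 else {
 /* Allow service/style information on the auth context */
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 }
 
@@ -690,14 +708,37 @@ mm_answer_authserv(int sock, Buffer *m)
 
 authctxt->service = buffer_get_string(m, NULL);
 authctxt->style = buffer_get_string(m, NULL);
-debug3("%s: service=%s, style=%s",
-__func__, authctxt->service, authctxt->style);
+authctxt->role = buffer_get_string(m, NULL);
+debug3("%s: service=%s, style=%s, role=%s",
+__func__, authctxt->service, authctxt->style, authctxt->role);
 
 if (strlen(authctxt->style) == 0) {
 xfree(authctxt->style);
 authctxt->style = NULL;
 }
 
+if (strlen(authctxt->role) == 0) {
+xfree(authctxt->role);
+authctxt->role = NULL;
+}
+
+return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+monitor_permit_authentications(1);
+
+authctxt->role = buffer_get_string(m, NULL);
+debug3("%s: role=%s",
+__func__, authctxt->role);
+
+if (strlen(authctxt->role) == 0) {
+xfree(authctxt->role);
+authctxt->role = NULL;
+}
+
 return (0);
 }
 
@@ -1664,6 +1705,11 @@ mm_get_kex(Buffer *m)
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+#endif
 kex->server = 1;
 kex->hostkey_type = buffer_get_int(m);
 kex->kex_type = buffer_get_int(m);
@@ -1905,6 +1951,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -1955,4 +2002,42 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data;
+gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+u_int len;
+
+data.value = buffer_get_string(m, &len);
+data.length = len;
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__, data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+xfree(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+return (0);
+}
+
 #endif /* GSSAPI */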
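Review bot: In mm_answer_gss_sign the length check passes `data.length` to fatal() through `%d`, but in the GSS-API C bindings gss_buffer_desc.length is a size_t, so the format does not match its argument; the `u_int len` already in scope holds the same value and matches `%u`: `fatal("%s: data length incorrect: %u", __func__, len);`. The literal 20 quietly ties the check to the SHA-1 digest size of the three kex methods registered in mm_get_kex, which deserves a comment such as `/* SHA-1 digest of the exchange hash; adjust if a SHA-256 GSS kex is added */`. The parameter is named `socket`, unlike `sock` in every other mm_answer_* handler visible here, and that name shadows the socket(2) function wherever <sys/socket.h> is in scope, so renaming it to `sock` would match the file. Separately, mm_answer_authserv now stores a role string and mm_answer_authrole stores another into the same `authctxt->role` without freeing the first, so a child that sends both requests leaks the earlier string in the monitor; an `xfree(authctxt->role);` before the second assignment (or rejecting a second role) would close that.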