1 files changed, 106 insertions, 9 deletions
diff --git a/monitor.c b/monitor.c
index c68e1b0d9..868fb0d2d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 #ifdef WITH_OPENSSL
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
@@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
        /* Permit requests for moduli and signatures */
        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+        /* and for the GSSAPI key exchange */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        /* The first few requests do not require asynchronous access */
        while (!authenticated) {
@@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor)
        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+        /* and for the GSSAPI key exchange */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        if (auth_opts->permit_pty_flag) {
                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
 # endif
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+                if (options.gss_keyex) {
+                        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+                }
+#endif
                kex->load_host_public_key=&get_hostkey_public_by_type;
                kex->load_host_private_key=&get_hostkey_private_by_type;
                kex->host_key_index=&get_hostkey_index;
@@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        in.value = buffer_get_string(m, &len);
        in.length = len;
@@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
@@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
        int authenticated;
        const char *displayname;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("%s: GSSAPI not enabled", __func__);
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        free(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("%s: GSSAPI not enabled", __func__);
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        free(store.filename);
+        free(store.envvar);
+        free(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index c68e1b0d9..868fb0d2d 100644 --- a/monitor.c +++ b/monitor.c
@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
158	int mm_answer_gss_accept_ctx(int, Buffer *);	158	int mm_answer_gss_accept_ctx(int, Buffer *);
159	int mm_answer_gss_userok(int, Buffer *);	159	int mm_answer_gss_userok(int, Buffer *);
160	int mm_answer_gss_checkmic(int, Buffer *);	160	int mm_answer_gss_checkmic(int, Buffer *);
		161	int mm_answer_gss_sign(int, Buffer *);
		162	int mm_answer_gss_updatecreds(int, Buffer *);
161	#endif	163	#endif
162		164
163	#ifdef SSH_AUDIT_EVENTS	165	#ifdef SSH_AUDIT_EVENTS
@@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = {
232	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},	234	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
233	{MONITOR_REQ_GSSUSEROK, MON_ONCE\|MON_AUTHDECIDE, mm_answer_gss_userok},	235	{MONITOR_REQ_GSSUSEROK, MON_ONCE\|MON_AUTHDECIDE, mm_answer_gss_userok},
234	{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},	236	{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
		237	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
235	#endif	238	#endif
236	{0, 0, NULL}	239	{0, 0, NULL}
237	};	240	};
238		241
239	struct mon_table mon_dispatch_postauth20[] = {	242	struct mon_table mon_dispatch_postauth20[] = {
		243	#ifdef GSSAPI
		244	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		245	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		246	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		247	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		248	#endif
240	#ifdef WITH_OPENSSL	249	#ifdef WITH_OPENSSL
241	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	250	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
242	#endif	251	#endif
@@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
306	/* Permit requests for moduli and signatures */	315	/* Permit requests for moduli and signatures */
307	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	316	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
308	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	317	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		318	#ifdef GSSAPI
		319	/* and for the GSSAPI key exchange */
		320	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		321	#endif
309		322
310	/* The first few requests do not require asynchronous access */	323	/* The first few requests do not require asynchronous access */
311	while (!authenticated) {	324	while (!authenticated) {
@@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor)
415	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	428	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
416	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	429	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
417	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	430	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		431	#ifdef GSSAPI
		432	/* and for the GSSAPI key exchange */
		433	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		434	#endif
418		435
419	if (auth_opts->permit_pty_flag) {	436	if (auth_opts->permit_pty_flag) {
420	monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);	437	monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
1652	# endif	1669	# endif
1653	#endif /* WITH_OPENSSL */	1670	#endif /* WITH_OPENSSL */
1654	kex->kex[KEX_C25519_SHA256] = kexc25519_server;	1671	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
		1672	#ifdef GSSAPI
		1673	if (options.gss_keyex) {
		1674	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1675	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1676	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1677	}
		1678	#endif
1655	kex->load_host_public_key=&get_hostkey_public_by_type;	1679	kex->load_host_public_key=&get_hostkey_public_by_type;
1656	kex->load_host_private_key=&get_hostkey_private_by_type;	1680	kex->load_host_private_key=&get_hostkey_private_by_type;
1657	kex->host_key_index=&get_hostkey_index;	1681	kex->host_key_index=&get_hostkey_index;
@@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
1740	OM_uint32 major;	1764	OM_uint32 major;
1741	u_int len;	1765	u_int len;
1742		1766
1743	if (!options.gss_authentication)	1767	if (!options.gss_authentication && !options.gss_keyex)
1744	fatal("%s: GSSAPI authentication not enabled", __func__);	1768	fatal("%s: GSSAPI not enabled", __func__);
1745		1769
1746	goid.elements = buffer_get_string(m, &len);	1770	goid.elements = buffer_get_string(m, &len);
1747	goid.length = len;	1771	goid.length = len;
@@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1770	OM_uint32 flags = 0; /* GSI needs this */	1794	OM_uint32 flags = 0; /* GSI needs this */
1771	u_int len;	1795	u_int len;
1772		1796
1773	if (!options.gss_authentication)	1797	if (!options.gss_authentication && !options.gss_keyex)
1774	fatal("%s: GSSAPI authentication not enabled", __func__);	1798	fatal("%s: GSSAPI not enabled", __func__);
1775		1799
1776	in.value = buffer_get_string(m, &len);	1800	in.value = buffer_get_string(m, &len);
1777	in.length = len;	1801	in.length = len;
@@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1790	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1814	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1791	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1815	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1792	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1816	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1817	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1793	}	1818	}
1794	return (0);	1819	return (0);
1795	}	1820	}
@@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
1801	OM_uint32 ret;	1826	OM_uint32 ret;
1802	u_int len;	1827	u_int len;
1803		1828
1804	if (!options.gss_authentication)	1829	if (!options.gss_authentication && !options.gss_keyex)
1805	fatal("%s: GSSAPI authentication not enabled", __func__);	1830	fatal("%s: GSSAPI not enabled", __func__);
1806		1831
1807	gssbuf.value = buffer_get_string(m, &len);	1832	gssbuf.value = buffer_get_string(m, &len);
1808	gssbuf.length = len;	1833	gssbuf.length = len;
@@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
1831	int authenticated;	1856	int authenticated;
1832	const char *displayname;	1857	const char *displayname;
1833		1858
1834	if (!options.gss_authentication)	1859	if (!options.gss_authentication && !options.gss_keyex)
1835	fatal("%s: GSSAPI authentication not enabled", __func__);	1860	fatal("%s: GSSAPI not enabled", __func__);
1836		1861
1837	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	1862	authenticated = authctxt->valid &&
		1863	ssh_gssapi_userok(authctxt->user, authctxt->pw);
1838		1864
1839	buffer_clear(m);	1865	buffer_clear(m);
1840	buffer_put_int(m, authenticated);	1866	buffer_put_int(m, authenticated);
@@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
1850	/* Monitor loop will terminate if authenticated */	1876	/* Monitor loop will terminate if authenticated */
1851	return (authenticated);	1877	return (authenticated);
1852	}	1878	}
		1879
		1880	int
		1881	mm_answer_gss_sign(int socket, Buffer *m)
		1882	{
		1883	gss_buffer_desc data;
		1884	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		1885	OM_uint32 major, minor;
		1886	u_int len;
		1887
		1888	if (!options.gss_authentication && !options.gss_keyex)
		1889	fatal("%s: GSSAPI not enabled", __func__);
		1890
		1891	data.value = buffer_get_string(m, &len);
		1892	data.length = len;
		1893	if (data.length != 20)
		1894	fatal("%s: data length incorrect: %d", __func__,
		1895	(int) data.length);
		1896
		1897	/* Save the session ID on the first time around */
		1898	if (session_id2_len == 0) {
		1899	session_id2_len = data.length;
		1900	session_id2 = xmalloc(session_id2_len);
		1901	memcpy(session_id2, data.value, session_id2_len);
		1902	}
		1903	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		1904
		1905	free(data.value);
		1906
		1907	buffer_clear(m);
		1908	buffer_put_int(m, major);
		1909	buffer_put_string(m, hash.value, hash.length);
		1910
		1911	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		1912
		1913	gss_release_buffer(&minor, &hash);
		1914
		1915	/* Turn on getpwnam permissions */
		1916	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		1917
		1918	/* And credential updating, for when rekeying */
		1919	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		1920
		1921	return (0);
		1922	}
		1923
		1924	int
		1925	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		1926	ssh_gssapi_ccache store;
		1927	int ok;
		1928
		1929	if (!options.gss_authentication && !options.gss_keyex)
		1930	fatal("%s: GSSAPI not enabled", __func__);
		1931
		1932	store.filename = buffer_get_string(m, NULL);
		1933	store.envvar = buffer_get_string(m, NULL);
		1934	store.envval = buffer_get_string(m, NULL);
		1935
		1936	ok = ssh_gssapi_update_creds(&store);
		1937
		1938	free(store.filename);
		1939	free(store.envvar);
		1940	free(store.envval);
		1941
		1942	buffer_clear(m);
		1943	buffer_put_int(m, ok);
		1944
		1945	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		1946
		1947	return(0);
		1948	}
		1949
1853	#endif /* GSSAPI */	1950	#endif /* GSSAPI */
1854		1951