Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 115 |
1 files changed, 106 insertions, 9 deletions
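--- a/monitor.c
+++ b/monitor.c
@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = {
 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 #ifdef WITH_OPENSSL
 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
@@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 /* Permit requests for moduli and signatures */
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 
 /* The first few requests do not require asynchronous access */
 while (!authenticated) {
@@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor)
 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+/* and for the GSSAPI key exchange */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
 
 if (auth_opts->permit_pty_flag) {
 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
 # endif
 #endif /* WITH_OPENSSL */
 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+if (options.gss_keyex) {
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+}
+#endif
 kex->load_host_public_key=&get_hostkey_public_by_type;
 kex->load_host_private_key=&get_hostkey_private_by_type;
 kex->host_key_index=&get_hostkey_index;
@@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
 OM_uint32 major;
 u_int len;
 
-if (!options.gss_authentication)
-fatal("%s: GSSAPI authentication not enabled", __func__);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("%s: GSSAPI not enabled", __func__);
 
 goid.elements = buffer_get_string(m, &len);
 goid.length = len;
@@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 OM_uint32 flags = 0; /* GSI needs this */
 u_int len;
 
-if (!options.gss_authentication)
-fatal("%s: GSSAPI authentication not enabled", __func__);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("%s: GSSAPI not enabled", __func__);
 
 in.value = buffer_get_string(m, &len);
 in.length = len;
@@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
 }
 return (0);
 }
@@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
 OM_uint32 ret;
 u_int len;
 
-if (!options.gss_authentication)
-fatal("%s: GSSAPI authentication not enabled", __func__);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("%s: GSSAPI not enabled", __func__);
 
 gssbuf.value = buffer_get_string(m, &len);
 gssbuf.length = len;
@@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 int authenticated;
 const char *displayname;
 
-if (!options.gss_authentication)
-fatal("%s: GSSAPI authentication not enabled", __func__);
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("%s: GSSAPI not enabled", __func__);
 
-authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+authenticated = authctxt->valid &&
+ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
 buffer_clear(m);
 buffer_put_int(m, authenticated);
@@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
 /* Monitor loop will terminate if authenticated */
 return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+gss_buffer_desc data;
+gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+u_int len;
+
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("%s: GSSAPI not enabled", __func__);
+
+data.value = buffer_get_string(m, &len);
+data.length = len;
+if (data.length != 20)
+fatal("%s: data length incorrect: %d", __func__,
+(int) data.length);
+
+/* Save the session ID on the first time around */
+if (session_id2_len == 0) {
+session_id2_len = data.length;
+session_id2 = xmalloc(session_id2_len);
+memcpy(session_id2, data.value, session_id2_len);
+}
+major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+free(data.value);
+
+buffer_clear(m);
+buffer_put_int(m, major);
+buffer_put_string(m, hash.value, hash.length);
+
+mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+gss_release_buffer(&minor, &hash);
+
+/* Turn on getpwnam permissions */
+monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+/* And credential updating, for when rekeying */
+monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ssh_gssapi_ccache store;
+int ok;
+
+if (!options.gss_authentication && !options.gss_keyex)
+fatal("%s: GSSAPI not enabled", __func__);
+
+store.filename = buffer_get_string(m, NULL);
+store.envvar = buffer_get_string(m, NULL);
+store.envval = buffer_get_string(m, NULL);
+
+ok = ssh_gssapi_update_creds(&store);
+
+free(store.filename);
+free(store.envvar);
+free(store.envval);
+
+buffer_clear(m);
+buffer_put_int(m, ok);
+
+mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+return(0);
+}
+
 #endif /* GSSAPI */
 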
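Review bot: In mm_answer_gss_updatecreds (last hunk) `store.filename`, `store.envvar` and `store.envval` are read from the unprivileged child with `buffer_get_string(m, NULL)` and handed straight to ssh_gssapi_update_creds, and nothing on this page checks that the filename is the credential cache the monitor itself created; unless that comparison lives inside ssh_gssapi_update_creds (not shown), the privileged side is acting on a path chosen by the less-privileged process, so either compare it against the monitor's recorded ccache name before the call or add a comment stating where that check is done. In mm_answer_gss_sign the guard `if (data.length != 20)` encodes the SHA-1 digest size as a bare number that is only right for the three *_SHA1 methods registered in monitor_apply_keystate; a comment such as `/* 20 = SHA-1 digest length, the only hash the GSS KEX methods registered above use */` or a named constant would stop it from silently rejecting a future SHA-2 GSS method. The relaxed guard `if (!options.gss_authentication && !options.gss_keyex)` is also applied to mm_answer_gss_userok, the MON_ONCE|MON_AUTHDECIDE handler, so with `options.gss_keyex` set and `options.gss_authentication` clear the monitor will still answer an authentication decision that the configuration has disabled; that handler (and mm_answer_gss_checkmic, which exists only for authentication) could keep the original `if (!options.gss_authentication)` check so the privileged side enforces the setting instead of relying on the child to honour it.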