diff options
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 139 |
1 files changed, 128 insertions, 11 deletions
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); | |||
148 | int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); | 148 | int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); |
149 | int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); | 149 | int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); |
150 | int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); | 150 | int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); |
151 | int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *); | ||
152 | int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *); | ||
151 | #endif | 153 | #endif |
152 | 154 | ||
153 | #ifdef SSH_AUDIT_EVENTS | 155 | #ifdef SSH_AUDIT_EVENTS |
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = { | |||
220 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, | 222 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, |
221 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, | 223 | {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, |
222 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, | 224 | {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, |
225 | {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, | ||
223 | #endif | 226 | #endif |
224 | {0, 0, NULL} | 227 | {0, 0, NULL} |
225 | }; | 228 | }; |
226 | 229 | ||
227 | struct mon_table mon_dispatch_postauth20[] = { | 230 | struct mon_table mon_dispatch_postauth20[] = { |
231 | #ifdef GSSAPI | ||
232 | {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, | ||
233 | {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, | ||
234 | {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, | ||
235 | {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, | ||
236 | #endif | ||
228 | #ifdef WITH_OPENSSL | 237 | #ifdef WITH_OPENSSL |
229 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 238 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
230 | #endif | 239 | #endif |
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) | |||
293 | /* Permit requests for moduli and signatures */ | 302 | /* Permit requests for moduli and signatures */ |
294 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 303 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
295 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 304 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
305 | #ifdef GSSAPI | ||
306 | /* and for the GSSAPI key exchange */ | ||
307 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | ||
308 | #endif | ||
296 | 309 | ||
297 | /* The first few requests do not require asynchronous access */ | 310 | /* The first few requests do not require asynchronous access */ |
298 | while (!authenticated) { | 311 | while (!authenticated) { |
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) | |||
406 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 419 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
407 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 420 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
408 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 421 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
422 | #ifdef GSSAPI | ||
423 | /* and for the GSSAPI key exchange */ | ||
424 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | ||
425 | #endif | ||
409 | 426 | ||
410 | if (auth_opts->permit_pty_flag) { | 427 | if (auth_opts->permit_pty_flag) { |
411 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 428 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
@@ -1725,6 +1742,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) | |||
1725 | # ifdef OPENSSL_HAS_ECC | 1742 | # ifdef OPENSSL_HAS_ECC |
1726 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 1743 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
1727 | # endif | 1744 | # endif |
1745 | # ifdef GSSAPI | ||
1746 | if (options.gss_keyex) { | ||
1747 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | ||
1748 | kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; | ||
1749 | kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server; | ||
1750 | kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server; | ||
1751 | kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server; | ||
1752 | kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server; | ||
1753 | kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server; | ||
1754 | } | ||
1755 | # endif | ||
1728 | #endif /* WITH_OPENSSL */ | 1756 | #endif /* WITH_OPENSSL */ |
1729 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; | 1757 | kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
1730 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; | 1758 | kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; |
@@ -1818,8 +1846,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1818 | u_char *p; | 1846 | u_char *p; |
1819 | int r; | 1847 | int r; |
1820 | 1848 | ||
1821 | if (!options.gss_authentication) | 1849 | if (!options.gss_authentication && !options.gss_keyex) |
1822 | fatal("%s: GSSAPI authentication not enabled", __func__); | 1850 | fatal("%s: GSSAPI not enabled", __func__); |
1823 | 1851 | ||
1824 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) | 1852 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) |
1825 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 1853 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
@@ -1851,8 +1879,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1851 | OM_uint32 flags = 0; /* GSI needs this */ | 1879 | OM_uint32 flags = 0; /* GSI needs this */ |
1852 | int r; | 1880 | int r; |
1853 | 1881 | ||
1854 | if (!options.gss_authentication) | 1882 | if (!options.gss_authentication && !options.gss_keyex) |
1855 | fatal("%s: GSSAPI authentication not enabled", __func__); | 1883 | fatal("%s: GSSAPI not enabled", __func__); |
1856 | 1884 | ||
1857 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) | 1885 | if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) |
1858 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 1886 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
@@ -1872,6 +1900,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1872 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 1900 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
1873 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 1901 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
1874 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 1902 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
1903 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); | ||
1875 | } | 1904 | } |
1876 | return (0); | 1905 | return (0); |
1877 | } | 1906 | } |
@@ -1883,8 +1912,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1883 | OM_uint32 ret; | 1912 | OM_uint32 ret; |
1884 | int r; | 1913 | int r; |
1885 | 1914 | ||
1886 | if (!options.gss_authentication) | 1915 | if (!options.gss_authentication && !options.gss_keyex) |
1887 | fatal("%s: GSSAPI authentication not enabled", __func__); | 1916 | fatal("%s: GSSAPI not enabled", __func__); |
1888 | 1917 | ||
1889 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || | 1918 | if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || |
1890 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) | 1919 | (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) |
@@ -1910,13 +1939,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1910 | int | 1939 | int |
1911 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | 1940 | mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) |
1912 | { | 1941 | { |
1913 | int r, authenticated; | 1942 | int r, authenticated, kex; |
1914 | const char *displayname; | 1943 | const char *displayname; |
1915 | 1944 | ||
1916 | if (!options.gss_authentication) | 1945 | if (!options.gss_authentication && !options.gss_keyex) |
1917 | fatal("%s: GSSAPI authentication not enabled", __func__); | 1946 | fatal("%s: GSSAPI not enabled", __func__); |
1918 | 1947 | ||
1919 | authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); | 1948 | if ((r = sshbuf_get_u32(m, &kex)) != 0) |
1949 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
1950 | |||
1951 | authenticated = authctxt->valid && | ||
1952 | ssh_gssapi_userok(authctxt->user, authctxt->pw, kex); | ||
1920 | 1953 | ||
1921 | sshbuf_reset(m); | 1954 | sshbuf_reset(m); |
1922 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) | 1955 | if ((r = sshbuf_put_u32(m, authenticated)) != 0) |
@@ -1925,7 +1958,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1925 | debug3("%s: sending result %d", __func__, authenticated); | 1958 | debug3("%s: sending result %d", __func__, authenticated); |
1926 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); | 1959 | mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); |
1927 | 1960 | ||
1928 | auth_method = "gssapi-with-mic"; | 1961 | if (kex) { |
1962 | auth_method = "gssapi-keyex"; | ||
1963 | } else { | ||
1964 | auth_method = "gssapi-with-mic"; | ||
1965 | } | ||
1929 | 1966 | ||
1930 | if ((displayname = ssh_gssapi_displayname()) != NULL) | 1967 | if ((displayname = ssh_gssapi_displayname()) != NULL) |
1931 | auth2_record_info(authctxt, "%s", displayname); | 1968 | auth2_record_info(authctxt, "%s", displayname); |
@@ -1933,5 +1970,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) | |||
1933 | /* Monitor loop will terminate if authenticated */ | 1970 | /* Monitor loop will terminate if authenticated */ |
1934 | return (authenticated); | 1971 | return (authenticated); |
1935 | } | 1972 | } |
1973 | |||
1974 | int | ||
1975 | mm_answer_gss_sign(struct ssh *ssh, int socket, struct sshbuf *m) | ||
1976 | { | ||
1977 | gss_buffer_desc data; | ||
1978 | gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; | ||
1979 | OM_uint32 major, minor; | ||
1980 | size_t len; | ||
1981 | u_char *p = NULL; | ||
1982 | int r; | ||
1983 | |||
1984 | if (!options.gss_authentication && !options.gss_keyex) | ||
1985 | fatal("%s: GSSAPI not enabled", __func__); | ||
1986 | |||
1987 | if ((r = sshbuf_get_string(m, &p, &len)) != 0) | ||
1988 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
1989 | data.value = p; | ||
1990 | data.length = len; | ||
1991 | /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */ | ||
1992 | if (data.length != 20 && data.length != 32 && data.length != 64) | ||
1993 | fatal("%s: data length incorrect: %d", __func__, | ||
1994 | (int) data.length); | ||
1995 | |||
1996 | /* Save the session ID on the first time around */ | ||
1997 | if (session_id2_len == 0) { | ||
1998 | session_id2_len = data.length; | ||
1999 | session_id2 = xmalloc(session_id2_len); | ||
2000 | memcpy(session_id2, data.value, session_id2_len); | ||
2001 | } | ||
2002 | major = ssh_gssapi_sign(gsscontext, &data, &hash); | ||
2003 | |||
2004 | free(data.value); | ||
2005 | |||
2006 | sshbuf_reset(m); | ||
2007 | |||
2008 | if ((r = sshbuf_put_u32(m, major)) != 0 || | ||
2009 | (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) | ||
2010 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
2011 | |||
2012 | mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); | ||
2013 | |||
2014 | gss_release_buffer(&minor, &hash); | ||
2015 | |||
2016 | /* Turn on getpwnam permissions */ | ||
2017 | monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); | ||
2018 | |||
2019 | /* And credential updating, for when rekeying */ | ||
2020 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1); | ||
2021 | |||
2022 | return (0); | ||
2023 | } | ||
2024 | |||
2025 | int | ||
2026 | mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) { | ||
2027 | ssh_gssapi_ccache store; | ||
2028 | int r, ok; | ||
2029 | |||
2030 | if (!options.gss_authentication && !options.gss_keyex) | ||
2031 | fatal("%s: GSSAPI not enabled", __func__); | ||
2032 | |||
2033 | if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 || | ||
2034 | (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 || | ||
2035 | (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0) | ||
2036 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
2037 | |||
2038 | ok = ssh_gssapi_update_creds(&store); | ||
2039 | |||
2040 | free(store.filename); | ||
2041 | free(store.envvar); | ||
2042 | free(store.envval); | ||
2043 | |||
2044 | sshbuf_reset(m); | ||
2045 | if ((r = sshbuf_put_u32(m, ok)) != 0) | ||
2046 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
2047 | |||
2048 | mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); | ||
2049 | |||
2050 | return(0); | ||
2051 | } | ||
2052 | |||
1936 | #endif /* GSSAPI */ | 2053 | #endif /* GSSAPI */ |
1937 | 2054 | ||