1 files changed, 70 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index 2afcbaeca..fb585e248 100644
--- a/readconf.c
+++ b/readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 /* Format of the configuration file:
@@ -160,6 +161,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, oGssKexAlgorithms,
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
+        { "gssapikexalgorithms", oGssKexAlgorithms },
 # else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
+        { "gssapikexalgorithms", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
        { "pkcs11provider", oPKCS11Provider },
@@ -1053,10 +1068,42 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
+        case oGssKexAlgorithms:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
+                if (!kex_gss_names_valid(arg))
+                        fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+                            filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && options->gss_kex_algorithms == NULL)
+                        options->gss_kex_algorithms = xstrdup(arg);
+                break;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1935,7 +1982,13 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
+        options->gss_kex_algorithms = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -2083,8 +2136,18 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+        if (options->gss_kex_algorithms == NULL)
+                options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
        dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+        dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
        dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+        dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+        dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+        dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+        dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
+        dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
+            o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
 #endif /* GSSAPI */
        dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
        dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);

diff --git a/readconf.c b/readconf.c index 2afcbaeca..fb585e248 100644 --- a/readconf.c +++ b/readconf.c
@@ -67,6 +67,7 @@
67	#include "uidswap.h"	67	#include "uidswap.h"
68	#include "myproposal.h"	68	#include "myproposal.h"
69	#include "digest.h"	69	#include "digest.h"
		70	#include "ssh-gss.h"
70		71
71	/* Format of the configuration file:	72	/* Format of the configuration file:
72		73
@@ -160,6 +161,8 @@ typedef enum {
160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	161	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	162	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	163	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		164	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		165	oGssServerIdentity, oGssKexAlgorithms,
163	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	166	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
164	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,	167	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
165	oHashKnownHosts,	168	oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
204	/* Sometimes-unsupported options */	207	/* Sometimes-unsupported options */
205	#if defined(GSSAPI)	208	#if defined(GSSAPI)
206	{ "gssapiauthentication", oGssAuthentication },	209	{ "gssapiauthentication", oGssAuthentication },
		210	{ "gssapikeyexchange", oGssKeyEx },
207	{ "gssapidelegatecredentials", oGssDelegateCreds },	211	{ "gssapidelegatecredentials", oGssDelegateCreds },
		212	{ "gssapitrustdns", oGssTrustDns },
		213	{ "gssapiclientidentity", oGssClientIdentity },
		214	{ "gssapiserveridentity", oGssServerIdentity },
		215	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
		216	{ "gssapikexalgorithms", oGssKexAlgorithms },
208	# else	217	# else
209	{ "gssapiauthentication", oUnsupported },	218	{ "gssapiauthentication", oUnsupported },
		219	{ "gssapikeyexchange", oUnsupported },
210	{ "gssapidelegatecredentials", oUnsupported },	220	{ "gssapidelegatecredentials", oUnsupported },
		221	{ "gssapitrustdns", oUnsupported },
		222	{ "gssapiclientidentity", oUnsupported },
		223	{ "gssapiserveridentity", oUnsupported },
		224	{ "gssapirenewalforcesrekey", oUnsupported },
		225	{ "gssapikexalgorithms", oUnsupported },
211	#endif	226	#endif
212	#ifdef ENABLE_PKCS11	227	#ifdef ENABLE_PKCS11
213	{ "pkcs11provider", oPKCS11Provider },	228	{ "pkcs11provider", oPKCS11Provider },
@@ -1053,10 +1068,42 @@ parse_time:
1053	intptr = &options->gss_authentication;	1068	intptr = &options->gss_authentication;
1054	goto parse_flag;	1069	goto parse_flag;
1055		1070
		1071	case oGssKeyEx:
		1072	intptr = &options->gss_keyex;
		1073	goto parse_flag;
		1074
1056	case oGssDelegateCreds:	1075	case oGssDelegateCreds:
1057	intptr = &options->gss_deleg_creds;	1076	intptr = &options->gss_deleg_creds;
1058	goto parse_flag;	1077	goto parse_flag;
1059		1078
		1079	case oGssTrustDns:
		1080	intptr = &options->gss_trust_dns;
		1081	goto parse_flag;
		1082
		1083	case oGssClientIdentity:
		1084	charptr = &options->gss_client_identity;
		1085	goto parse_string;
		1086
		1087	case oGssServerIdentity:
		1088	charptr = &options->gss_server_identity;
		1089	goto parse_string;
		1090
		1091	case oGssRenewalRekey:
		1092	intptr = &options->gss_renewal_rekey;
		1093	goto parse_flag;
		1094
		1095	case oGssKexAlgorithms:
		1096	arg = strdelim(&s);
		1097	if (!arg \|\| *arg == '\0')
		1098	fatal("%.200s line %d: Missing argument.",
		1099	filename, linenum);
		1100	if (!kex_gss_names_valid(arg))
		1101	fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
		1102	filename, linenum, arg ? arg : "<NONE>");
		1103	if (*activep && options->gss_kex_algorithms == NULL)
		1104	options->gss_kex_algorithms = xstrdup(arg);
		1105	break;
		1106
1060	case oBatchMode:	1107	case oBatchMode:
1061	intptr = &options->batch_mode;	1108	intptr = &options->batch_mode;
1062	goto parse_flag;	1109	goto parse_flag;
@@ -1935,7 +1982,13 @@ initialize_options(Options * options)
1935	options->pubkey_authentication = -1;	1982	options->pubkey_authentication = -1;
1936	options->challenge_response_authentication = -1;	1983	options->challenge_response_authentication = -1;
1937	options->gss_authentication = -1;	1984	options->gss_authentication = -1;
		1985	options->gss_keyex = -1;
1938	options->gss_deleg_creds = -1;	1986	options->gss_deleg_creds = -1;
		1987	options->gss_trust_dns = -1;
		1988	options->gss_renewal_rekey = -1;
		1989	options->gss_client_identity = NULL;
		1990	options->gss_server_identity = NULL;
		1991	options->gss_kex_algorithms = NULL;
1939	options->password_authentication = -1;	1992	options->password_authentication = -1;
1940	options->kbd_interactive_authentication = -1;	1993	options->kbd_interactive_authentication = -1;
1941	options->kbd_interactive_devices = NULL;	1994	options->kbd_interactive_devices = NULL;
@@ -2083,8 +2136,18 @@ fill_default_options(Options * options)
2083	options->challenge_response_authentication = 1;	2136	options->challenge_response_authentication = 1;
2084	if (options->gss_authentication == -1)	2137	if (options->gss_authentication == -1)
2085	options->gss_authentication = 0;	2138	options->gss_authentication = 0;
		2139	if (options->gss_keyex == -1)
		2140	options->gss_keyex = 0;
2086	if (options->gss_deleg_creds == -1)	2141	if (options->gss_deleg_creds == -1)
2087	options->gss_deleg_creds = 0;	2142	options->gss_deleg_creds = 0;
		2143	if (options->gss_trust_dns == -1)
		2144	options->gss_trust_dns = 0;
		2145	if (options->gss_renewal_rekey == -1)
		2146	options->gss_renewal_rekey = 0;
		2147	#ifdef GSSAPI
		2148	if (options->gss_kex_algorithms == NULL)
		2149	options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
		2150	#endif
2088	if (options->password_authentication == -1)	2151	if (options->password_authentication == -1)
2089	options->password_authentication = 1;	2152	options->password_authentication = 1;
2090	if (options->kbd_interactive_authentication == -1)	2153	if (options->kbd_interactive_authentication == -1)
@@ -2726,7 +2789,14 @@ dump_client_config(Options o, const char host)
2726	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);	2789	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
2727	#ifdef GSSAPI	2790	#ifdef GSSAPI
2728	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);	2791	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
		2792	dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
2729	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);	2793	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
		2794	dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
		2795	dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
		2796	dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
		2797	dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
		2798	dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
		2799	o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
2730	#endif /* GSSAPI */	2800	#endif /* GSSAPI */
2731	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);	2801	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
2732	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);	2802	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);