1 files changed, 70 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index f78b4d6fe..3c68d1a88 100644
--- a/readconf.c
+++ b/readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 /* Format of the configuration file:
@@ -162,6 +163,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, oGssKexAlgorithms,
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -202,10 +205,22 @@ static struct {
        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
+        { "gssapikexalgorithms", oGssKexAlgorithms },
 # else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
+        { "gssapikexalgorithms", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
        { "pkcs11provider", oPKCS11Provider },
@@ -988,10 +1003,42 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
+        case oGssKexAlgorithms:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
+                if (!kex_gss_names_valid(arg))
+                        fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+                            filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && options->gss_kex_algorithms == NULL)
+                        options->gss_kex_algorithms = xstrdup(arg);
+                break;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1863,7 +1910,13 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
+        options->gss_kex_algorithms = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -2009,8 +2062,18 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+        if (options->gss_kex_algorithms == NULL)
+                options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -2625,7 +2688,14 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
        dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+        dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
        dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+        dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+        dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+        dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+        dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
+        dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
+            o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
 #endif /* GSSAPI */
        dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
        dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);

diff --git a/readconf.c b/readconf.c index f78b4d6fe..3c68d1a88 100644 --- a/readconf.c +++ b/readconf.c
@@ -67,6 +67,7 @@
67	#include "uidswap.h"	67	#include "uidswap.h"
68	#include "myproposal.h"	68	#include "myproposal.h"
69	#include "digest.h"	69	#include "digest.h"
		70	#include "ssh-gss.h"
70		71
71	/* Format of the configuration file:	72	/* Format of the configuration file:
72		73
@@ -162,6 +163,8 @@ typedef enum {
162	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	163	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
163	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	164	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
164	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	165	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		166	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		167	oGssServerIdentity, oGssKexAlgorithms,
165	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	168	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
166	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,	169	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
167	oHashKnownHosts,	170	oHashKnownHosts,
@@ -202,10 +205,22 @@ static struct {
202	/* Sometimes-unsupported options */	205	/* Sometimes-unsupported options */
203	#if defined(GSSAPI)	206	#if defined(GSSAPI)
204	{ "gssapiauthentication", oGssAuthentication },	207	{ "gssapiauthentication", oGssAuthentication },
		208	{ "gssapikeyexchange", oGssKeyEx },
205	{ "gssapidelegatecredentials", oGssDelegateCreds },	209	{ "gssapidelegatecredentials", oGssDelegateCreds },
		210	{ "gssapitrustdns", oGssTrustDns },
		211	{ "gssapiclientidentity", oGssClientIdentity },
		212	{ "gssapiserveridentity", oGssServerIdentity },
		213	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
		214	{ "gssapikexalgorithms", oGssKexAlgorithms },
206	# else	215	# else
207	{ "gssapiauthentication", oUnsupported },	216	{ "gssapiauthentication", oUnsupported },
		217	{ "gssapikeyexchange", oUnsupported },
208	{ "gssapidelegatecredentials", oUnsupported },	218	{ "gssapidelegatecredentials", oUnsupported },
		219	{ "gssapitrustdns", oUnsupported },
		220	{ "gssapiclientidentity", oUnsupported },
		221	{ "gssapiserveridentity", oUnsupported },
		222	{ "gssapirenewalforcesrekey", oUnsupported },
		223	{ "gssapikexalgorithms", oUnsupported },
209	#endif	224	#endif
210	#ifdef ENABLE_PKCS11	225	#ifdef ENABLE_PKCS11
211	{ "pkcs11provider", oPKCS11Provider },	226	{ "pkcs11provider", oPKCS11Provider },
@@ -988,10 +1003,42 @@ parse_time:
988	intptr = &options->gss_authentication;	1003	intptr = &options->gss_authentication;
989	goto parse_flag;	1004	goto parse_flag;
990		1005
		1006	case oGssKeyEx:
		1007	intptr = &options->gss_keyex;
		1008	goto parse_flag;
		1009
991	case oGssDelegateCreds:	1010	case oGssDelegateCreds:
992	intptr = &options->gss_deleg_creds;	1011	intptr = &options->gss_deleg_creds;
993	goto parse_flag;	1012	goto parse_flag;
994		1013
		1014	case oGssTrustDns:
		1015	intptr = &options->gss_trust_dns;
		1016	goto parse_flag;
		1017
		1018	case oGssClientIdentity:
		1019	charptr = &options->gss_client_identity;
		1020	goto parse_string;
		1021
		1022	case oGssServerIdentity:
		1023	charptr = &options->gss_server_identity;
		1024	goto parse_string;
		1025
		1026	case oGssRenewalRekey:
		1027	intptr = &options->gss_renewal_rekey;
		1028	goto parse_flag;
		1029
		1030	case oGssKexAlgorithms:
		1031	arg = strdelim(&s);
		1032	if (!arg \|\| *arg == '\0')
		1033	fatal("%.200s line %d: Missing argument.",
		1034	filename, linenum);
		1035	if (!kex_gss_names_valid(arg))
		1036	fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
		1037	filename, linenum, arg ? arg : "<NONE>");
		1038	if (*activep && options->gss_kex_algorithms == NULL)
		1039	options->gss_kex_algorithms = xstrdup(arg);
		1040	break;
		1041
995	case oBatchMode:	1042	case oBatchMode:
996	intptr = &options->batch_mode;	1043	intptr = &options->batch_mode;
997	goto parse_flag;	1044	goto parse_flag;
@@ -1863,7 +1910,13 @@ initialize_options(Options * options)
1863	options->pubkey_authentication = -1;	1910	options->pubkey_authentication = -1;
1864	options->challenge_response_authentication = -1;	1911	options->challenge_response_authentication = -1;
1865	options->gss_authentication = -1;	1912	options->gss_authentication = -1;
		1913	options->gss_keyex = -1;
1866	options->gss_deleg_creds = -1;	1914	options->gss_deleg_creds = -1;
		1915	options->gss_trust_dns = -1;
		1916	options->gss_renewal_rekey = -1;
		1917	options->gss_client_identity = NULL;
		1918	options->gss_server_identity = NULL;
		1919	options->gss_kex_algorithms = NULL;
1867	options->password_authentication = -1;	1920	options->password_authentication = -1;
1868	options->kbd_interactive_authentication = -1;	1921	options->kbd_interactive_authentication = -1;
1869	options->kbd_interactive_devices = NULL;	1922	options->kbd_interactive_devices = NULL;
@@ -2009,8 +2062,18 @@ fill_default_options(Options * options)
2009	options->challenge_response_authentication = 1;	2062	options->challenge_response_authentication = 1;
2010	if (options->gss_authentication == -1)	2063	if (options->gss_authentication == -1)
2011	options->gss_authentication = 0;	2064	options->gss_authentication = 0;
		2065	if (options->gss_keyex == -1)
		2066	options->gss_keyex = 0;
2012	if (options->gss_deleg_creds == -1)	2067	if (options->gss_deleg_creds == -1)
2013	options->gss_deleg_creds = 0;	2068	options->gss_deleg_creds = 0;
		2069	if (options->gss_trust_dns == -1)
		2070	options->gss_trust_dns = 0;
		2071	if (options->gss_renewal_rekey == -1)
		2072	options->gss_renewal_rekey = 0;
		2073	#ifdef GSSAPI
		2074	if (options->gss_kex_algorithms == NULL)
		2075	options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
		2076	#endif
2014	if (options->password_authentication == -1)	2077	if (options->password_authentication == -1)
2015	options->password_authentication = 1;	2078	options->password_authentication = 1;
2016	if (options->kbd_interactive_authentication == -1)	2079	if (options->kbd_interactive_authentication == -1)
@@ -2625,7 +2688,14 @@ dump_client_config(Options o, const char host)
2625	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);	2688	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
2626	#ifdef GSSAPI	2689	#ifdef GSSAPI
2627	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);	2690	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
		2691	dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
2628	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);	2692	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
		2693	dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
		2694	dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
		2695	dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
		2696	dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
		2697	dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
		2698	o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
2629	#endif /* GSSAPI */	2699	#endif /* GSSAPI */
2630	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);	2700	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
2631	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);	2701	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);