1 files changed, 70 insertions, 0 deletions
diff --git a/readconf.c b/readconf.c
index 554efd7c9..57dae55d1 100644
--- a/readconf.c
+++ b/readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 /* Format of the configuration file:
@@ -160,6 +161,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+        oGssServerIdentity, oGssKexAlgorithms,
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
+        { "gssapikeyexchange", oGssKeyEx },
        { "gssapidelegatecredentials", oGssDelegateCreds },
+        { "gssapitrustdns", oGssTrustDns },
+        { "gssapiclientidentity", oGssClientIdentity },
+        { "gssapiserveridentity", oGssServerIdentity },
+        { "gssapirenewalforcesrekey", oGssRenewalRekey },
+        { "gssapikexalgorithms", oGssKexAlgorithms },
 # else
        { "gssapiauthentication", oUnsupported },
+        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
+        { "gssapitrustdns", oUnsupported },
+        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
+        { "gssapirenewalforcesrekey", oUnsupported },
+        { "gssapikexalgorithms", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
        { "pkcs11provider", oPKCS11Provider },
@@ -1068,10 +1083,42 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
+        case oGssKeyEx:
+                intptr = &options->gss_keyex;
+                goto parse_flag;
        case oGssDelegateCreds:
                intptr = &options->gss_deleg_creds;
                goto parse_flag;
+        case oGssTrustDns:
+                intptr = &options->gss_trust_dns;
+                goto parse_flag;
+        case oGssClientIdentity:
+                charptr = &options->gss_client_identity;
+                goto parse_string;
+        case oGssServerIdentity:
+                charptr = &options->gss_server_identity;
+                goto parse_string;
+        case oGssRenewalRekey:
+                intptr = &options->gss_renewal_rekey;
+                goto parse_flag;
+        case oGssKexAlgorithms:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
+                if (!kex_gss_names_valid(arg))
+                        fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+                            filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && options->gss_kex_algorithms == NULL)
+                        options->gss_kex_algorithms = xstrdup(arg);
+                break;
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -1976,7 +2023,13 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
+        options->gss_keyex = -1;
        options->gss_deleg_creds = -1;
+        options->gss_trust_dns = -1;
+        options->gss_renewal_rekey = -1;
+        options->gss_client_identity = NULL;
+        options->gss_server_identity = NULL;
+        options->gss_kex_algorithms = NULL;
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -2125,8 +2178,18 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
+        if (options->gss_keyex == -1)
+                options->gss_keyex = 0;
        if (options->gss_deleg_creds == -1)
                options->gss_deleg_creds = 0;
+        if (options->gss_trust_dns == -1)
+                options->gss_trust_dns = 0;
+        if (options->gss_renewal_rekey == -1)
+                options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+        if (options->gss_kex_algorithms == NULL)
+                options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -2776,7 +2839,14 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
        dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+        dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
        dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+        dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+        dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+        dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+        dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
+        dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
+            o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
 #endif /* GSSAPI */
        dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
        dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);

diff --git a/readconf.c b/readconf.c index 554efd7c9..57dae55d1 100644 --- a/readconf.c +++ b/readconf.c
@@ -67,6 +67,7 @@
67	#include "uidswap.h"	67	#include "uidswap.h"
68	#include "myproposal.h"	68	#include "myproposal.h"
69	#include "digest.h"	69	#include "digest.h"
		70	#include "ssh-gss.h"
70		71
71	/* Format of the configuration file:	72	/* Format of the configuration file:
72		73
@@ -160,6 +161,8 @@ typedef enum {
160	oClearAllForwardings, oNoHostAuthenticationForLocalhost,	161	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,	162	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162	oAddressFamily, oGssAuthentication, oGssDelegateCreds,	163	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
		164	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
		165	oGssServerIdentity, oGssKexAlgorithms,
163	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	166	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
164	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,	167	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
165	oHashKnownHosts,	168	oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
204	/* Sometimes-unsupported options */	207	/* Sometimes-unsupported options */
205	#if defined(GSSAPI)	208	#if defined(GSSAPI)
206	{ "gssapiauthentication", oGssAuthentication },	209	{ "gssapiauthentication", oGssAuthentication },
		210	{ "gssapikeyexchange", oGssKeyEx },
207	{ "gssapidelegatecredentials", oGssDelegateCreds },	211	{ "gssapidelegatecredentials", oGssDelegateCreds },
		212	{ "gssapitrustdns", oGssTrustDns },
		213	{ "gssapiclientidentity", oGssClientIdentity },
		214	{ "gssapiserveridentity", oGssServerIdentity },
		215	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
		216	{ "gssapikexalgorithms", oGssKexAlgorithms },
208	# else	217	# else
209	{ "gssapiauthentication", oUnsupported },	218	{ "gssapiauthentication", oUnsupported },
		219	{ "gssapikeyexchange", oUnsupported },
210	{ "gssapidelegatecredentials", oUnsupported },	220	{ "gssapidelegatecredentials", oUnsupported },
		221	{ "gssapitrustdns", oUnsupported },
		222	{ "gssapiclientidentity", oUnsupported },
		223	{ "gssapiserveridentity", oUnsupported },
		224	{ "gssapirenewalforcesrekey", oUnsupported },
		225	{ "gssapikexalgorithms", oUnsupported },
211	#endif	226	#endif
212	#ifdef ENABLE_PKCS11	227	#ifdef ENABLE_PKCS11
213	{ "pkcs11provider", oPKCS11Provider },	228	{ "pkcs11provider", oPKCS11Provider },
@@ -1068,10 +1083,42 @@ parse_time:
1068	intptr = &options->gss_authentication;	1083	intptr = &options->gss_authentication;
1069	goto parse_flag;	1084	goto parse_flag;
1070		1085
		1086	case oGssKeyEx:
		1087	intptr = &options->gss_keyex;
		1088	goto parse_flag;
		1089
1071	case oGssDelegateCreds:	1090	case oGssDelegateCreds:
1072	intptr = &options->gss_deleg_creds;	1091	intptr = &options->gss_deleg_creds;
1073	goto parse_flag;	1092	goto parse_flag;
1074		1093
		1094	case oGssTrustDns:
		1095	intptr = &options->gss_trust_dns;
		1096	goto parse_flag;
		1097
		1098	case oGssClientIdentity:
		1099	charptr = &options->gss_client_identity;
		1100	goto parse_string;
		1101
		1102	case oGssServerIdentity:
		1103	charptr = &options->gss_server_identity;
		1104	goto parse_string;
		1105
		1106	case oGssRenewalRekey:
		1107	intptr = &options->gss_renewal_rekey;
		1108	goto parse_flag;
		1109
		1110	case oGssKexAlgorithms:
		1111	arg = strdelim(&s);
		1112	if (!arg \|\| *arg == '\0')
		1113	fatal("%.200s line %d: Missing argument.",
		1114	filename, linenum);
		1115	if (!kex_gss_names_valid(arg))
		1116	fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
		1117	filename, linenum, arg ? arg : "<NONE>");
		1118	if (*activep && options->gss_kex_algorithms == NULL)
		1119	options->gss_kex_algorithms = xstrdup(arg);
		1120	break;
		1121
1075	case oBatchMode:	1122	case oBatchMode:
1076	intptr = &options->batch_mode;	1123	intptr = &options->batch_mode;
1077	goto parse_flag;	1124	goto parse_flag;
@@ -1976,7 +2023,13 @@ initialize_options(Options * options)
1976	options->pubkey_authentication = -1;	2023	options->pubkey_authentication = -1;
1977	options->challenge_response_authentication = -1;	2024	options->challenge_response_authentication = -1;
1978	options->gss_authentication = -1;	2025	options->gss_authentication = -1;
		2026	options->gss_keyex = -1;
1979	options->gss_deleg_creds = -1;	2027	options->gss_deleg_creds = -1;
		2028	options->gss_trust_dns = -1;
		2029	options->gss_renewal_rekey = -1;
		2030	options->gss_client_identity = NULL;
		2031	options->gss_server_identity = NULL;
		2032	options->gss_kex_algorithms = NULL;
1980	options->password_authentication = -1;	2033	options->password_authentication = -1;
1981	options->kbd_interactive_authentication = -1;	2034	options->kbd_interactive_authentication = -1;
1982	options->kbd_interactive_devices = NULL;	2035	options->kbd_interactive_devices = NULL;
@@ -2125,8 +2178,18 @@ fill_default_options(Options * options)
2125	options->challenge_response_authentication = 1;	2178	options->challenge_response_authentication = 1;
2126	if (options->gss_authentication == -1)	2179	if (options->gss_authentication == -1)
2127	options->gss_authentication = 0;	2180	options->gss_authentication = 0;
		2181	if (options->gss_keyex == -1)
		2182	options->gss_keyex = 0;
2128	if (options->gss_deleg_creds == -1)	2183	if (options->gss_deleg_creds == -1)
2129	options->gss_deleg_creds = 0;	2184	options->gss_deleg_creds = 0;
		2185	if (options->gss_trust_dns == -1)
		2186	options->gss_trust_dns = 0;
		2187	if (options->gss_renewal_rekey == -1)
		2188	options->gss_renewal_rekey = 0;
		2189	#ifdef GSSAPI
		2190	if (options->gss_kex_algorithms == NULL)
		2191	options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
		2192	#endif
2130	if (options->password_authentication == -1)	2193	if (options->password_authentication == -1)
2131	options->password_authentication = 1;	2194	options->password_authentication = 1;
2132	if (options->kbd_interactive_authentication == -1)	2195	if (options->kbd_interactive_authentication == -1)
@@ -2776,7 +2839,14 @@ dump_client_config(Options o, const char host)
2776	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);	2839	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
2777	#ifdef GSSAPI	2840	#ifdef GSSAPI
2778	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);	2841	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
		2842	dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
2779	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);	2843	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
		2844	dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
		2845	dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
		2846	dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
		2847	dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
		2848	dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
		2849	o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
2780	#endif /* GSSAPI */	2850	#endif /* GSSAPI */
2781	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);	2851	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
2782	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);	2852	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);