Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/servconf.c b/servconf.c
index ba0a92c7b..f38ba9e44 100644
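--- a/servconf.c
+++ b/servconf.c
@@ -69,6 +69,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 
 static void add_listen_addr(ServerOptions *, const char *,
  const char *, int);
@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
+ options->gss_keyex = -1;
  options->gss_cleanup_creds = -1;
  options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_cleanup_creds == -1)
  options->gss_cleanup_creds = 1;
  if (options->gss_strict_acceptor == -1)
  options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum {
  sHostKeyAlgorithms,
  sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
  sAcceptEnv, sSetEnv, sPermitTunnel,
  sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -607,12 +620,22 @@ static struct {
 #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
 #else
  { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
 #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case sGssCleanupCreds:
  intptr = &options->gss_cleanup_creds;
  goto parse_flag;
@@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
  intptr = &options->gss_strict_acceptor;
  goto parse_flag;
 
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!kex_gss_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
+
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
@@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
 #endif
  dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
  dump_cfg_fmtint(sKbdInteractiveAuthentication,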
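Review bot: In the fill_default_server_options hunk, the default for `gss_kex_algorithms` is set with a bare `strdup(GSS_KEX_DEFAULT_KEX)` whose result is never checked, so an allocation failure leaves the list NULL without any error, while the `sGssKexAlgorithms` parser case in the same file section uses `xstrdup(arg)`. How the GSSAPI key-exchange code later treats a NULL algorithm list is not visible on this page, so the default should fail loudly and consistently instead: `options->gss_kex_algorithms = xstrdup(GSS_KEX_DEFAULT_KEX);`. In the `sGssKexAlgorithms` case, the `arg ? arg : "<NONE>"` fallback looks unreachable (assuming `fatal()` does not return, the preceding check already rejects a NULL `arg`); passing `arg` directly and bounding it like the filename, `'%.200s'`, would match the surrounding messages. Both functions start and end outside the hunks shown.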