Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/servconf.c b/servconf.c
index ffac5d2c7..ffdad31e7 100644
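--- a/servconf.c
+++ b/servconf.c
@@ -64,6 +64,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 
 static void add_listen_addr(ServerOptions *, const char *,
  const char *, int);
@@ -124,8 +125,11 @@ initialize_server_options(ServerOptions *options)
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
+ options->gss_keyex = -1;
  options->gss_cleanup_creds = -1;
  options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
@@ -351,10 +355,18 @@ fill_default_server_options(ServerOptions *options)
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_cleanup_creds == -1)
  options->gss_cleanup_creds = 1;
  if (options->gss_strict_acceptor == -1)
  options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
@@ -498,6 +510,7 @@ typedef enum {
  sHostKeyAlgorithms,
  sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
  sAcceptEnv, sSetEnv, sPermitTunnel,
  sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -572,12 +585,22 @@ static struct {
 #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
 #else
  { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
 #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1485,6 +1508,10 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case sGssCleanupCreds:
  intptr = &options->gss_cleanup_creds;
  goto parse_flag;
@@ -1493,6 +1520,22 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_strict_acceptor;
  goto parse_flag;
 
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!kex_gss_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
+
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
@@ -2579,6 +2622,10 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
 #endif
  dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
  dump_cfg_fmtint(sKbdInteractiveAuthentication,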
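Review bot: In the fill_default_server_options hunk the default algorithm list is set with an unchecked `strdup(GSS_KEX_DEFAULT_KEX)`, so an allocation failure silently leaves `gss_kex_algorithms` NULL, whereas the parser case for the same field uses `xstrdup(arg)`. Using the same helper, `options->gss_kex_algorithms = xstrdup(GSS_KEX_DEFAULT_KEX);`, makes sshd stop at startup instead of continuing with an undefined key-exchange algorithm list; how later readers of the field treat NULL is not visible on this page. In the `sGssKexAlgorithms` case the `arg ? arg : "<NONE>"` fallback is dead code, because a NULL `arg` already hit the first `fatal()`, and the `'%s'` there is unbounded while the filename in the same message is printed with `%.200s`. Both functions start and end outside their hunks.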