Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/servconf.c b/servconf.c
index e76f9c39e..f63eb0b94 100644
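--- a/servconf.c
+++ b/servconf.c
@@ -64,6 +64,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 
 static void add_listen_addr(ServerOptions *, const char *,
  const char *, int);
@@ -124,8 +125,11 @@ initialize_server_options(ServerOptions *options)
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
+ options->gss_keyex = -1;
  options->gss_cleanup_creds = -1;
  options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
@@ -351,10 +355,18 @@ fill_default_server_options(ServerOptions *options)
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_cleanup_creds == -1)
  options->gss_cleanup_creds = 1;
  if (options->gss_strict_acceptor == -1)
  options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
@@ -498,6 +510,7 @@ typedef enum {
  sHostKeyAlgorithms,
  sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
  sAcceptEnv, sSetEnv, sPermitTunnel,
  sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -572,12 +585,22 @@ static struct {
 #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
 #else
  { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
 #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case sGssCleanupCreds:
  intptr = &options->gss_cleanup_creds;
  goto parse_flag;
@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions *options, char *line,
  intptr = &options->gss_strict_acceptor;
  goto parse_flag;
 
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!kex_gss_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
+
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
 #endif
  dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
  dump_cfg_fmtint(sKbdInteractiveAuthentication,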
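Review bot: In fill_default_server_options the new default is assigned with plain `strdup(GSS_KEX_DEFAULT_KEX)` and the result is never checked, so an allocation failure silently leaves `gss_kex_algorithms` NULL, whereas the sGssKexAlgorithms parser case in this same commit uses `xstrdup(arg)`. I would write `options->gss_kex_algorithms = xstrdup(GSS_KEX_DEFAULT_KEX);` so both paths fail loudly in the same way; whether the consumers of this field tolerate NULL is not visible on this page. In the sGssKexAlgorithms case the `arg ? arg : "<NONE>"` fallback is dead code, because a NULL `arg` has already hit the "Missing argument" fatal two statements earlier, and the value could be bounded as `'%.200s'` to match how the filename is printed. All of the touched functions begin and end outside their hunks.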