summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/servconf.c b/servconf.c
index 70f5f73f0..191575a16 100644
--- a/servconf.c
+++ b/servconf.c
@@ -69,6 +69,7 @@
69#include "auth.h" 69#include "auth.h"
70#include "myproposal.h" 70#include "myproposal.h"
71#include "digest.h" 71#include "digest.h"
72#include "ssh-gss.h"
72 73
73static void add_listen_addr(ServerOptions *, const char *, 74static void add_listen_addr(ServerOptions *, const char *,
74 const char *, int); 75 const char *, int);
@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
133 options->kerberos_ticket_cleanup = -1; 134 options->kerberos_ticket_cleanup = -1;
134 options->kerberos_get_afs_token = -1; 135 options->kerberos_get_afs_token = -1;
135 options->gss_authentication=-1; 136 options->gss_authentication=-1;
137 options->gss_keyex = -1;
136 options->gss_cleanup_creds = -1; 138 options->gss_cleanup_creds = -1;
137 options->gss_strict_acceptor = -1; 139 options->gss_strict_acceptor = -1;
140 options->gss_store_rekey = -1;
141 options->gss_kex_algorithms = NULL;
138 options->password_authentication = -1; 142 options->password_authentication = -1;
139 options->kbd_interactive_authentication = -1; 143 options->kbd_interactive_authentication = -1;
140 options->challenge_response_authentication = -1; 144 options->challenge_response_authentication = -1;
@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
375 options->kerberos_get_afs_token = 0; 379 options->kerberos_get_afs_token = 0;
376 if (options->gss_authentication == -1) 380 if (options->gss_authentication == -1)
377 options->gss_authentication = 0; 381 options->gss_authentication = 0;
382 if (options->gss_keyex == -1)
383 options->gss_keyex = 0;
378 if (options->gss_cleanup_creds == -1) 384 if (options->gss_cleanup_creds == -1)
379 options->gss_cleanup_creds = 1; 385 options->gss_cleanup_creds = 1;
380 if (options->gss_strict_acceptor == -1) 386 if (options->gss_strict_acceptor == -1)
381 options->gss_strict_acceptor = 1; 387 options->gss_strict_acceptor = 1;
388 if (options->gss_store_rekey == -1)
389 options->gss_store_rekey = 0;
390#ifdef GSSAPI
391 if (options->gss_kex_algorithms == NULL)
392 options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
393#endif
382 if (options->password_authentication == -1) 394 if (options->password_authentication == -1)
383 options->password_authentication = 1; 395 options->password_authentication = 1;
384 if (options->kbd_interactive_authentication == -1) 396 if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum {
531 sHostKeyAlgorithms, 543 sHostKeyAlgorithms,
532 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 544 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
533 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 545 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
546 sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
534 sAcceptEnv, sSetEnv, sPermitTunnel, 547 sAcceptEnv, sSetEnv, sPermitTunnel,
535 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, 548 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
536 sUsePrivilegeSeparation, sAllowAgentForwarding, 549 sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -607,12 +620,22 @@ static struct {
607#ifdef GSSAPI 620#ifdef GSSAPI
608 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 621 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
609 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 622 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
623 { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
610 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 624 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
625 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
626 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
627 { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
611#else 628#else
612 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 629 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
613 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 630 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
631 { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
614 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 632 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
633 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
634 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
635 { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
615#endif 636#endif
637 { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
638 { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
616 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 639 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
617 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 640 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
618 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 641 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
1548 intptr = &options->gss_authentication; 1571 intptr = &options->gss_authentication;
1549 goto parse_flag; 1572 goto parse_flag;
1550 1573
1574 case sGssKeyEx:
1575 intptr = &options->gss_keyex;
1576 goto parse_flag;
1577
1551 case sGssCleanupCreds: 1578 case sGssCleanupCreds:
1552 intptr = &options->gss_cleanup_creds; 1579 intptr = &options->gss_cleanup_creds;
1553 goto parse_flag; 1580 goto parse_flag;
@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
1556 intptr = &options->gss_strict_acceptor; 1583 intptr = &options->gss_strict_acceptor;
1557 goto parse_flag; 1584 goto parse_flag;
1558 1585
1586 case sGssStoreRekey:
1587 intptr = &options->gss_store_rekey;
1588 goto parse_flag;
1589
1590 case sGssKexAlgorithms:
1591 arg = strdelim(&cp);
1592 if (!arg || *arg == '\0')
1593 fatal("%.200s line %d: Missing argument.",
1594 filename, linenum);
1595 if (!kex_gss_names_valid(arg))
1596 fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
1597 filename, linenum, arg ? arg : "<NONE>");
1598 if (*activep && options->gss_kex_algorithms == NULL)
1599 options->gss_kex_algorithms = xstrdup(arg);
1600 break;
1601
1559 case sPasswordAuthentication: 1602 case sPasswordAuthentication:
1560 intptr = &options->password_authentication; 1603 intptr = &options->password_authentication;
1561 goto parse_flag; 1604 goto parse_flag;
@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o)
2777#ifdef GSSAPI 2820#ifdef GSSAPI
2778 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2821 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2779 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 2822 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2823 dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
2824 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
2825 dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
2826 dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
2780#endif 2827#endif
2781 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2828 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2782 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2829 dump_cfg_fmtint(sKbdInteractiveAuthentication,