Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/servconf.c b/servconf.c
index f08e37477..ded8f4a87 100644
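--- a/servconf.c
+++ b/servconf.c
@@ -70,6 +70,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 
 static void add_listen_addr(ServerOptions *, const char *,
  const char *, int);
@@ -134,8 +135,11 @@ initialize_server_options(ServerOptions *options)
  options->kerberos_ticket_cleanup = -1;
  options->kerberos_get_afs_token = -1;
  options->gss_authentication=-1;
+ options->gss_keyex = -1;
  options->gss_cleanup_creds = -1;
  options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
  options->password_authentication = -1;
  options->kbd_interactive_authentication = -1;
  options->challenge_response_authentication = -1;
@@ -376,10 +380,18 @@ fill_default_server_options(ServerOptions *options)
  options->kerberos_get_afs_token = 0;
  if (options->gss_authentication == -1)
  options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 0;
  if (options->gss_cleanup_creds == -1)
  options->gss_cleanup_creds = 1;
  if (options->gss_strict_acceptor == -1)
  options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
  if (options->password_authentication == -1)
  options->password_authentication = 1;
  if (options->kbd_interactive_authentication == -1)
@@ -523,6 +535,7 @@ typedef enum {
  sHostKeyAlgorithms,
  sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
  sAcceptEnv, sSetEnv, sPermitTunnel,
  sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -600,12 +613,22 @@ static struct {
 #ifdef GSSAPI
  { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
 #else
  { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
  { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
 #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
  { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1557,6 +1580,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
  intptr = &options->gss_authentication;
  goto parse_flag;
 
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
  case sGssCleanupCreds:
  intptr = &options->gss_cleanup_creds;
  goto parse_flag;
@@ -1565,6 +1592,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
  intptr = &options->gss_strict_acceptor;
  goto parse_flag;
 
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!kex_gss_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
+
  case sPasswordAuthentication:
  intptr = &options->password_authentication;
  goto parse_flag;
@@ -2808,6 +2851,10 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
  dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
 #endif
  dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
  dump_cfg_fmtint(sKbdInteractiveAuthentication,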
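Review bot: In fill_default_server_options the new default is assigned with plain `strdup(GSS_KEX_DEFAULT_KEX)` and the result is never checked, so an allocation failure leaves `gss_kex_algorithms` NULL after defaults are supposed to be complete, and whatever later consumes the GSSAPI key-exchange list (not visible here) would have to cope with that. The parser case added in the same commit already uses the aborting wrapper, so the default should match it: `options->gss_kex_algorithms = xstrdup(GSS_KEX_DEFAULT_KEX);`. In the `sGssKexAlgorithms` case, `arg ? arg : "<NONE>"` looks dead because the preceding `fatal()` already rejects a NULL `arg`, and the config-supplied value could be bounded like the filename by using `'%.200s'`. All of these functions begin and end outside their hunks, so this is based only on the lines shown.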