path: root/sshconnect2.c
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c31
1 files changed, 23 insertions, 8 deletions
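diff --git a/sshconnect2.c b/sshconnect2.c
index 7ee71763a..3fb5df233 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -87,6 +87,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 #ifdef GSSAPI
 	char *orig, *gss = NULL;
 	int len;
+	char *gss_host;
 #endif
 
 	xxx_host = host;
@@ -94,10 +95,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
 #ifdef GSSAPI
 	if (options.gss_authentication) {
+		/* Add the GSSAPI mechanisms currently supported on this
+		 * client to the key exchange algorithm proposal */
 		orig = myproposal[PROPOSAL_KEX_ALGS];
-		gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1));
-		debug("Offering GSSAPI proposal: %s",gss);
+		if (options.gss_trust_dns)
+			gss_host = (char *)get_canonical_hostname(1);
+		else
+			gss_host = host;
+
+		gss = ssh_gssapi_client_mechanisms(gss_host);
 		if (gss) {
+			debug("Offering GSSAPI proposal: %s", gss);
 			len = strlen(orig) + strlen(gss) + 2;
 			myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
 			snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s",
@@ -134,6 +142,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	    options.hostkeyalgorithms;
 
 #ifdef GSSAPI
+	/* If we've got GSSAPI algorithms, then we also support the
+	 * 'null' hostkey, as a last resort */
 	if (gss) {
 		orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 		len = strlen(orig) + sizeof(",null");
@@ -152,8 +162,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 #ifdef GSSAPI
-	if (options.gss_authentication)
+	if (options.gss_authentication) {
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+	}
 #endif
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
@@ -161,6 +173,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
 #ifdef GSSAPI
 	kex->gss_deleg_creds = options.gss_deleg_creds;
+	kex->gss_trust_dns = options.gss_trust_dns;
+	kex->gss_host = gss_host;
 #endif
 
 	xxx_kex = kex;
@@ -245,7 +259,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
 void input_gssapi_hash(int type, u_int32_t, void *);
 void input_gssapi_error(int, u_int32_t, void *);
 void input_gssapi_errtok(int, u_int32_t, void *);
-int userauth_gsskeyx(Authctxt *authctxt);
+int userauth_gsskeyex(Authctxt *authctxt);
 #endif
 
 void userauth(Authctxt *, char *);
@@ -261,8 +275,8 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
-	{"gssapi-keyx",
-		userauth_gsskeyx,
+	{"gssapi-keyex",
+		userauth_gsskeyex,
 		&options.gss_authentication,
 		NULL},
 	{"gssapi-with-mic",
@@ -775,10 +789,11 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 }
 
 int
-userauth_gsskeyx(Authctxt *authctxt)
+userauth_gsskeyex(Authctxt *authctxt)
 {
 	Buffer b;
-	gss_buffer_desc gssbuf, mic;
+	gss_buffer_desc gssbuf;
+	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
 	OM_uint32 ms;
 
 	static int attempt = 0;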
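Review bot: `gss_host` is declared without an initialiser in the first hunk (new line 90) and is only assigned inside the `if (options.gss_authentication)` block of the second hunk, yet the fifth hunk's `kex->gss_host = gss_host;` (new line 177) appears to execute whenever GSSAPI is compiled in, so with GSSAPI authentication turned off an indeterminate pointer is copied into the kex structure. Initialise it at the declaration, `char *gss_host = NULL;`, so that path stores a defined value and any later consumer can test for it. The `(char *)` cast on `get_canonical_hostname(1)` presumably discards a const qualifier; declaring `gss_host` as `const char *` would avoid the cast if the type of `kex->gss_host` permits it. Because this value names the peer the GSSAPI exchange authenticates to, a comment at the assignment such as `/* gss_host selects the target of the GSSAPI exchange; the reverse-DNS canonical name is used only when the user opted to trust DNS (gss_trust_dns) */` would make the intent of that branch explicit for the next reader. The enclosing function ssh_kex2 begins and ends outside these hunks.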