Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 31 |
1 files changed, 23 insertions, 8 deletions
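--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -87,6 +87,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 #ifdef GSSAPI
 char *orig, *gss = NULL;
 int len;
+char *gss_host;
 #endif
 
 xxx_host = host;
@@ -94,10 +95,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
 #ifdef GSSAPI
 if (options.gss_authentication) {
+/* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
 orig = myproposal[PROPOSAL_KEX_ALGS];
-gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1));
-debug("Offering GSSAPI proposal: %s",gss);
+if (options.gss_trust_dns)
+gss_host = (char *)get_canonical_hostname(1);
+else
+gss_host = host;
+
+gss = ssh_gssapi_client_mechanisms(gss_host);
 if (gss) {
+debug("Offering GSSAPI proposal: %s", gss);
 len = strlen(orig) + strlen(gss) + 2;
 myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
 snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s",
@@ -134,6 +142,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 options.hostkeyalgorithms;
 
 #ifdef GSSAPI
+/* If we've got GSSAPI algorithms, then we also support the
+ * 'null' hostkey, as a last resort */
 if (gss) {
 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 len = strlen(orig) + sizeof(",null");
@@ -152,8 +162,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 #ifdef GSSAPI
-if (options.gss_authentication)
+if (options.gss_authentication) {
 kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+}
 #endif
 kex->client_version_string=client_version_string;
 kex->server_version_string=server_version_string;
@@ -161,6 +173,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 
 #ifdef GSSAPI
 kex->gss_deleg_creds = options.gss_deleg_creds;
+kex->gss_trust_dns = options.gss_trust_dns;
+kex->gss_host = gss_host;
 #endif
 
 xxx_kex = kex;
@@ -245,7 +259,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
 void input_gssapi_hash(int type, u_int32_t, void *);
 void input_gssapi_error(int, u_int32_t, void *);
 void input_gssapi_errtok(int, u_int32_t, void *);
-int userauth_gsskeyx(Authctxt *authctxt);
+int userauth_gsskeyex(Authctxt *authctxt);
 #endif
 
 void userauth(Authctxt *, char *);
@@ -261,8 +275,8 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
-{"gssapi-keyx",
-userauth_gsskeyx,
+{"gssapi-keyex",
+userauth_gsskeyex,
 &options.gss_authentication,
 NULL},
 {"gssapi-with-mic",
@@ -775,10 +789,11 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 }
 
 int
-userauth_gsskeyx(Authctxt *authctxt)
+userauth_gsskeyex(Authctxt *authctxt)
 {
 Buffer b;
-gss_buffer_desc gssbuf, mic;
+gss_buffer_desc gssbuf;
+gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
 OM_uint32 ms;
 
 static int attempt = 0;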
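Review bot: `gss_host` is declared without an initializer in the first hunk but is only assigned inside `if (options.gss_authentication)`, while `kex->gss_host = gss_host;` in the hunk at new line 177 sits next to the unconditional `kex->gss_deleg_creds` assignment, so with GSSAPI compiled in but authentication disabled the kex struct appears to receive an indeterminate pointer (reading it is already undefined behaviour); the closing brace of that `if` block is outside the hunks, so this is inferred from the surrounding context. Initialize at the declaration: `char *gss_host = NULL;`. The `(char *)` cast on `get_canonical_hostname(1)` presumably discards a `const` on its return; declaring `gss_host` as `const char *` would avoid it if `ssh_gssapi_client_mechanisms` and the `kex` field accept that. Since the target name now comes from either DNS canonicalization or the user-supplied `host`, a short comment on the new branch, such as `/* GSSAPITrustDNS selects the host name used to build the target principal; the DNS result is not authenticated */`, would make the trust decision explicit for the reader.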