Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 28 |
1 files changed, 20 insertions, 8 deletions
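--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.321 2020/04/17 03:38:47 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -215,12 +215,18 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
 * client to the key exchange algorithm proposal */
 orig = myproposal[PROPOSAL_KEX_ALGS];
 
-if (options.gss_server_identity)
+if (options.gss_server_identity) {
 gss_host = xstrdup(options.gss_server_identity);
-else if (options.gss_trust_dns)
+} else if (options.gss_trust_dns) {
 gss_host = remote_hostname(ssh);
-else
+/* Fall back to specified host if we are using proxy command
+* and can not use DNS on that socket */
+if (strcmp(gss_host, "UNKNOWN") == 0) {
+gss_host = xstrdup(host);
+}
+} else {
 gss_host = xstrdup(host);
+}
 
 gss = ssh_gssapi_client_mechanisms(gss_host,
 options.gss_client_identity, options.gss_kex_algorithms);
@@ -786,12 +792,18 @@ userauth_gssapi(struct ssh *ssh)
 gss_OID mech = NULL;
 char *gss_host;
 
-if (options.gss_server_identity)
+if (options.gss_server_identity) {
 gss_host = xstrdup(options.gss_server_identity);
-else if (options.gss_trust_dns)
+} else if (options.gss_trust_dns) {
 gss_host = remote_hostname(ssh);
-else
+/* Fall back to specified host if we are using proxy command
+* and can not use DNS on that socket */
+if (strcmp(gss_host, "UNKNOWN") == 0) {
+gss_host = authctxt->host;
+}
+} else {
 gss_host = xstrdup(authctxt->host);
+}
 
 /* Try one GSSAPI method at a time, rather than sending them all at
 * once. */
@@ -1803,7 +1815,7 @@ pubkey_prepare(Authctxt *authctxt)
 found = 0;
 TAILQ_FOREACH(id2, &files, next) {
 if (id2->key == NULL ||
-(id2->key->flags & SSHKEY_FLAG_EXT) == 0)
+(id2->key->flags & SSHKEY_FLAG_EXT) != 0)
 continue;
 if (sshkey_equal(id->key, id2->key)) {
 TAILQ_REMOVE(&files, id, next);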
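Review bot: In the userauth_gssapi hunk the proxy-command fallback aliases the caller's string, `gss_host = authctxt->host;`, while every other branch of the same if/else chain assigns an xstrdup'd copy, so the ownership of gss_host now depends on which branch ran; whatever later releases gss_host (that code is outside the hunk, as are the rest of both function bodies) would free a pointer it does not own, a double-free/use-after-free hazard on authctxt->host. In both this hunk and the ssh_kex2 hunk, the string just returned by remote_hostname() is also overwritten without being released when it equals "UNKNOWN", which leaks it if, as the xstrdup() in the sibling branches suggests, remote_hostname() hands back caller-owned heap memory — confirm against its definition. The fix is to release the placeholder and take an owned copy in both places: `free(gss_host); gss_host = xstrdup(authctxt->host);` in userauth_gssapi and `free(gss_host); gss_host = xstrdup(host);` in ssh_kex2, so gss_host is heap-owned on every path.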