diff options
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 03bc87eb4..79a22e600 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.321 2020/04/17 03:38:47 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -215,12 +215,18 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | |||
| 215 | * client to the key exchange algorithm proposal */ | 215 | * client to the key exchange algorithm proposal */ |
| 216 | orig = myproposal[PROPOSAL_KEX_ALGS]; | 216 | orig = myproposal[PROPOSAL_KEX_ALGS]; |
| 217 | 217 | ||
| 218 | if (options.gss_server_identity) | 218 | if (options.gss_server_identity) { |
| 219 | gss_host = xstrdup(options.gss_server_identity); | 219 | gss_host = xstrdup(options.gss_server_identity); |
| 220 | else if (options.gss_trust_dns) | 220 | } else if (options.gss_trust_dns) { |
| 221 | gss_host = remote_hostname(ssh); | 221 | gss_host = remote_hostname(ssh); |
| 222 | else | 222 | /* Fall back to specified host if we are using proxy command |
| 223 | * and can not use DNS on that socket */ | ||
| 224 | if (strcmp(gss_host, "UNKNOWN") == 0) { | ||
| 225 | gss_host = xstrdup(host); | ||
| 226 | } | ||
| 227 | } else { | ||
| 223 | gss_host = xstrdup(host); | 228 | gss_host = xstrdup(host); |
| 229 | } | ||
| 224 | 230 | ||
| 225 | gss = ssh_gssapi_client_mechanisms(gss_host, | 231 | gss = ssh_gssapi_client_mechanisms(gss_host, |
| 226 | options.gss_client_identity, options.gss_kex_algorithms); | 232 | options.gss_client_identity, options.gss_kex_algorithms); |
| @@ -786,12 +792,18 @@ userauth_gssapi(struct ssh *ssh) | |||
| 786 | gss_OID mech = NULL; | 792 | gss_OID mech = NULL; |
| 787 | char *gss_host; | 793 | char *gss_host; |
| 788 | 794 | ||
| 789 | if (options.gss_server_identity) | 795 | if (options.gss_server_identity) { |
| 790 | gss_host = xstrdup(options.gss_server_identity); | 796 | gss_host = xstrdup(options.gss_server_identity); |
| 791 | else if (options.gss_trust_dns) | 797 | } else if (options.gss_trust_dns) { |
| 792 | gss_host = remote_hostname(ssh); | 798 | gss_host = remote_hostname(ssh); |
| 793 | else | 799 | /* Fall back to specified host if we are using proxy command |
| 800 | * and can not use DNS on that socket */ | ||
| 801 | if (strcmp(gss_host, "UNKNOWN") == 0) { | ||
| 802 | gss_host = authctxt->host; | ||
| 803 | } | ||
| 804 | } else { | ||
| 794 | gss_host = xstrdup(authctxt->host); | 805 | gss_host = xstrdup(authctxt->host); |
| 806 | } | ||
| 795 | 807 | ||
| 796 | /* Try one GSSAPI method at a time, rather than sending them all at | 808 | /* Try one GSSAPI method at a time, rather than sending them all at |
| 797 | * once. */ | 809 | * once. */ |
| @@ -1803,7 +1815,7 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1803 | found = 0; | 1815 | found = 0; |
| 1804 | TAILQ_FOREACH(id2, &files, next) { | 1816 | TAILQ_FOREACH(id2, &files, next) { |
| 1805 | if (id2->key == NULL || | 1817 | if (id2->key == NULL || |
| 1806 | (id2->key->flags & SSHKEY_FLAG_EXT) == 0) | 1818 | (id2->key->flags & SSHKEY_FLAG_EXT) != 0) |
| 1807 | continue; | 1819 | continue; |
| 1808 | if (sshkey_equal(id->key, id2->key)) { | 1820 | if (sshkey_equal(id->key, id2->key)) { |
| 1809 | TAILQ_REMOVE(&files, id, next); | 1821 | TAILQ_REMOVE(&files, id, next); |