diff options
Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 124 |
1 files changed, 120 insertions, 4 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index 58015c0d3..1aa8523e1 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
160 | { | 160 | { |
161 | Kex *kex; | 161 | Kex *kex; |
162 | 162 | ||
163 | #ifdef GSSAPI | ||
164 | char *orig = NULL, *gss = NULL; | ||
165 | char *gss_host = NULL; | ||
166 | #endif | ||
167 | |||
163 | xxx_host = host; | 168 | xxx_host = host; |
164 | xxx_hostaddr = hostaddr; | 169 | xxx_hostaddr = hostaddr; |
165 | 170 | ||
171 | #ifdef GSSAPI | ||
172 | if (options.gss_keyex) { | ||
173 | /* Add the GSSAPI mechanisms currently supported on this | ||
174 | * client to the key exchange algorithm proposal */ | ||
175 | orig = myproposal[PROPOSAL_KEX_ALGS]; | ||
176 | |||
177 | if (options.gss_trust_dns) | ||
178 | gss_host = (char *)get_canonical_hostname(1); | ||
179 | else | ||
180 | gss_host = host; | ||
181 | |||
182 | gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); | ||
183 | if (gss) { | ||
184 | debug("Offering GSSAPI proposal: %s", gss); | ||
185 | xasprintf(&myproposal[PROPOSAL_KEX_ALGS], | ||
186 | "%s,%s", gss, orig); | ||
187 | } | ||
188 | } | ||
189 | #endif | ||
190 | |||
166 | if (options.ciphers == (char *)-1) { | 191 | if (options.ciphers == (char *)-1) { |
167 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 192 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
168 | options.ciphers = NULL; | 193 | options.ciphers = NULL; |
@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
197 | if (options.kex_algorithms != NULL) | 222 | if (options.kex_algorithms != NULL) |
198 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 223 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
199 | 224 | ||
225 | #ifdef GSSAPI | ||
226 | /* If we've got GSSAPI algorithms, then we also support the | ||
227 | * 'null' hostkey, as a last resort */ | ||
228 | if (options.gss_keyex && gss) { | ||
229 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; | ||
230 | xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], | ||
231 | "%s,null", orig); | ||
232 | xfree(gss); | ||
233 | } | ||
234 | #endif | ||
235 | |||
200 | if (options.rekey_limit) | 236 | if (options.rekey_limit) |
201 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 237 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); |
202 | 238 | ||
@@ -207,10 +243,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
207 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 243 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
208 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 244 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
209 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 245 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
246 | #ifdef GSSAPI | ||
247 | if (options.gss_keyex) { | ||
248 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | ||
249 | kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; | ||
250 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; | ||
251 | } | ||
252 | #endif | ||
210 | kex->client_version_string=client_version_string; | 253 | kex->client_version_string=client_version_string; |
211 | kex->server_version_string=server_version_string; | 254 | kex->server_version_string=server_version_string; |
212 | kex->verify_host_key=&verify_host_key_callback; | 255 | kex->verify_host_key=&verify_host_key_callback; |
213 | 256 | ||
257 | #ifdef GSSAPI | ||
258 | if (options.gss_keyex) { | ||
259 | kex->gss_deleg_creds = options.gss_deleg_creds; | ||
260 | kex->gss_trust_dns = options.gss_trust_dns; | ||
261 | kex->gss_client = options.gss_client_identity; | ||
262 | if (options.gss_server_identity) { | ||
263 | kex->gss_host = options.gss_server_identity; | ||
264 | } else { | ||
265 | kex->gss_host = gss_host; | ||
266 | } | ||
267 | } | ||
268 | #endif | ||
269 | |||
214 | xxx_kex = kex; | 270 | xxx_kex = kex; |
215 | 271 | ||
216 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 272 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | |||
306 | void input_gssapi_hash(int type, u_int32_t, void *); | 362 | void input_gssapi_hash(int type, u_int32_t, void *); |
307 | void input_gssapi_error(int, u_int32_t, void *); | 363 | void input_gssapi_error(int, u_int32_t, void *); |
308 | void input_gssapi_errtok(int, u_int32_t, void *); | 364 | void input_gssapi_errtok(int, u_int32_t, void *); |
365 | int userauth_gsskeyex(Authctxt *authctxt); | ||
309 | #endif | 366 | #endif |
310 | 367 | ||
311 | void userauth(Authctxt *, char *); | 368 | void userauth(Authctxt *, char *); |
@@ -321,6 +378,11 @@ static char *authmethods_get(void); | |||
321 | 378 | ||
322 | Authmethod authmethods[] = { | 379 | Authmethod authmethods[] = { |
323 | #ifdef GSSAPI | 380 | #ifdef GSSAPI |
381 | {"gssapi-keyex", | ||
382 | userauth_gsskeyex, | ||
383 | NULL, | ||
384 | &options.gss_authentication, | ||
385 | NULL}, | ||
324 | {"gssapi-with-mic", | 386 | {"gssapi-with-mic", |
325 | userauth_gssapi, | 387 | userauth_gssapi, |
326 | NULL, | 388 | NULL, |
@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) | |||
627 | static u_int mech = 0; | 689 | static u_int mech = 0; |
628 | OM_uint32 min; | 690 | OM_uint32 min; |
629 | int ok = 0; | 691 | int ok = 0; |
692 | const char *gss_host; | ||
693 | |||
694 | if (options.gss_server_identity) | ||
695 | gss_host = options.gss_server_identity; | ||
696 | else if (options.gss_trust_dns) | ||
697 | gss_host = get_canonical_hostname(1); | ||
698 | else | ||
699 | gss_host = authctxt->host; | ||
630 | 700 | ||
631 | /* Try one GSSAPI method at a time, rather than sending them all at | 701 | /* Try one GSSAPI method at a time, rather than sending them all at |
632 | * once. */ | 702 | * once. */ |
633 | 703 | ||
634 | if (gss_supported == NULL) | 704 | if (gss_supported == NULL) |
635 | gss_indicate_mechs(&min, &gss_supported); | 705 | if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { |
706 | gss_supported = NULL; | ||
707 | return 0; | ||
708 | } | ||
636 | 709 | ||
637 | /* Check to see if the mechanism is usable before we offer it */ | 710 | /* Check to see if the mechanism is usable before we offer it */ |
638 | while (mech < gss_supported->count && !ok) { | 711 | while (mech < gss_supported->count && !ok) { |
639 | /* My DER encoding requires length<128 */ | 712 | /* My DER encoding requires length<128 */ |
640 | if (gss_supported->elements[mech].length < 128 && | 713 | if (gss_supported->elements[mech].length < 128 && |
641 | ssh_gssapi_check_mechanism(&gssctxt, | 714 | ssh_gssapi_check_mechanism(&gssctxt, |
642 | &gss_supported->elements[mech], authctxt->host)) { | 715 | &gss_supported->elements[mech], gss_host, |
716 | options.gss_client_identity)) { | ||
643 | ok = 1; /* Mechanism works */ | 717 | ok = 1; /* Mechanism works */ |
644 | } else { | 718 | } else { |
645 | mech++; | 719 | mech++; |
@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | |||
736 | { | 810 | { |
737 | Authctxt *authctxt = ctxt; | 811 | Authctxt *authctxt = ctxt; |
738 | Gssctxt *gssctxt; | 812 | Gssctxt *gssctxt; |
739 | int oidlen; | 813 | u_int oidlen; |
740 | char *oidv; | 814 | u_char *oidv; |
741 | 815 | ||
742 | if (authctxt == NULL) | 816 | if (authctxt == NULL) |
743 | fatal("input_gssapi_response: no authentication context"); | 817 | fatal("input_gssapi_response: no authentication context"); |
@@ -847,6 +921,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | |||
847 | xfree(msg); | 921 | xfree(msg); |
848 | xfree(lang); | 922 | xfree(lang); |
849 | } | 923 | } |
924 | |||
925 | int | ||
926 | userauth_gsskeyex(Authctxt *authctxt) | ||
927 | { | ||
928 | Buffer b; | ||
929 | gss_buffer_desc gssbuf; | ||
930 | gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; | ||
931 | OM_uint32 ms; | ||
932 | |||
933 | static int attempt = 0; | ||
934 | if (attempt++ >= 1) | ||
935 | return (0); | ||
936 | |||
937 | if (gss_kex_context == NULL) { | ||
938 | debug("No valid Key exchange context"); | ||
939 | return (0); | ||
940 | } | ||
941 | |||
942 | ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service, | ||
943 | "gssapi-keyex"); | ||
944 | |||
945 | gssbuf.value = buffer_ptr(&b); | ||
946 | gssbuf.length = buffer_len(&b); | ||
947 | |||
948 | if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { | ||
949 | buffer_free(&b); | ||
950 | return (0); | ||
951 | } | ||
952 | |||
953 | packet_start(SSH2_MSG_USERAUTH_REQUEST); | ||
954 | packet_put_cstring(authctxt->server_user); | ||
955 | packet_put_cstring(authctxt->service); | ||
956 | packet_put_cstring(authctxt->method->name); | ||
957 | packet_put_string(mic.value, mic.length); | ||
958 | packet_send(); | ||
959 | |||
960 | buffer_free(&b); | ||
961 | gss_release_buffer(&ms, &mic); | ||
962 | |||
963 | return (1); | ||
964 | } | ||
965 | |||
850 | #endif /* GSSAPI */ | 966 | #endif /* GSSAPI */ |
851 | 967 | ||
852 | int | 968 | int |