Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 46 |
1 files changed, 31 insertions, 15 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index b69602c0c..aa0b6ec59 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $"); | 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $"); |
27 | 27 | ||
28 | #include "openbsd-compat/sys-queue.h" | 28 | #include "openbsd-compat/sys-queue.h" |
29 | 29 | ||
@@ -87,16 +87,24 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
87 | #ifdef GSSAPI | 87 | #ifdef GSSAPI |
88 | char *orig, *gss; | 88 | char *orig, *gss; |
89 | int len; | 89 | int len; |
90 | char *gss_host; | ||
90 | #endif | 91 | #endif |
91 | 92 | ||
92 | xxx_host = host; | 93 | xxx_host = host; |
93 | xxx_hostaddr = hostaddr; | 94 | xxx_hostaddr = hostaddr; |
94 | 95 | ||
95 | #ifdef GSSAPI | 96 | #ifdef GSSAPI |
97 | /* Add the GSSAPI mechanisms currently supported on this client to | ||
98 | * the key exchange algorithm proposal */ | ||
96 | orig = myproposal[PROPOSAL_KEX_ALGS]; | 99 | orig = myproposal[PROPOSAL_KEX_ALGS]; |
97 | gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1)); | 100 | if (options.gss_trust_dns) |
98 | debug("Offering GSSAPI proposal: %s",gss); | 101 | gss_host = (char *)get_canonical_hostname(1); |
102 | else | ||
103 | gss_host = host; | ||
104 | |||
105 | gss = ssh_gssapi_client_mechanisms(gss_host); | ||
99 | if (gss) { | 106 | if (gss) { |
107 | debug("Offering GSSAPI proposal: %s", gss); | ||
100 | len = strlen(orig) + strlen(gss) + 2; | 108 | len = strlen(orig) + strlen(gss) + 2; |
101 | myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); | 109 | myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); |
102 | snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss, | 110 | snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss, |
@@ -118,10 +126,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
118 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 126 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); |
119 | if (options.compression) { | 127 | if (options.compression) { |
120 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 128 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
121 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none"; | 129 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; |
122 | } else { | 130 | } else { |
123 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 131 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
124 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib"; | 132 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; |
125 | } | 133 | } |
126 | if (options.macs != NULL) { | 134 | if (options.macs != NULL) { |
127 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 135 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
@@ -132,6 +140,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
132 | options.hostkeyalgorithms; | 140 | options.hostkeyalgorithms; |
133 | 141 | ||
134 | #ifdef GSSAPI | 142 | #ifdef GSSAPI |
143 | /* If we've got GSSAPI algorithms, then we also support the | ||
144 | * 'null' hostkey, as a last resort */ | ||
135 | if (gss) { | 145 | if (gss) { |
136 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; | 146 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; |
137 | len = strlen(orig) + sizeof(",null"); | 147 | len = strlen(orig) + sizeof(",null"); |
@@ -151,6 +161,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
151 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 161 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
152 | #ifdef GSSAPI | 162 | #ifdef GSSAPI |
153 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | 163 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; |
164 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; | ||
154 | #endif | 165 | #endif |
155 | kex->client_version_string=client_version_string; | 166 | kex->client_version_string=client_version_string; |
156 | kex->server_version_string=server_version_string; | 167 | kex->server_version_string=server_version_string; |
@@ -158,6 +169,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
158 | 169 | ||
159 | #ifdef GSSAPI | 170 | #ifdef GSSAPI |
160 | kex->gss_deleg_creds = options.gss_deleg_creds; | 171 | kex->gss_deleg_creds = options.gss_deleg_creds; |
172 | kex->gss_trust_dns = options.gss_trust_dns; | ||
173 | kex->gss_host = gss_host; | ||
161 | #endif | 174 | #endif |
162 | 175 | ||
163 | xxx_kex = kex; | 176 | xxx_kex = kex; |
@@ -242,7 +255,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | |||
242 | void input_gssapi_hash(int type, u_int32_t, void *); | 255 | void input_gssapi_hash(int type, u_int32_t, void *); |
243 | void input_gssapi_error(int, u_int32_t, void *); | 256 | void input_gssapi_error(int, u_int32_t, void *); |
244 | void input_gssapi_errtok(int, u_int32_t, void *); | 257 | void input_gssapi_errtok(int, u_int32_t, void *); |
245 | int userauth_gsskeyx(Authctxt *authctxt); | 258 | int userauth_gsskeyex(Authctxt *authctxt); |
246 | #endif | 259 | #endif |
247 | 260 | ||
248 | void userauth(Authctxt *, char *); | 261 | void userauth(Authctxt *, char *); |
@@ -258,8 +271,8 @@ static char *authmethods_get(void); | |||
258 | 271 | ||
259 | Authmethod authmethods[] = { | 272 | Authmethod authmethods[] = { |
260 | #ifdef GSSAPI | 273 | #ifdef GSSAPI |
261 | {"gssapi-keyx", | 274 | {"gssapi-keyex", |
262 | userauth_gsskeyx, | 275 | userauth_gsskeyex, |
263 | &options.gss_authentication, | 276 | &options.gss_authentication, |
264 | NULL}, | 277 | NULL}, |
265 | {"gssapi-with-mic", | 278 | {"gssapi-with-mic", |
@@ -391,7 +404,7 @@ void | |||
391 | input_userauth_error(int type, u_int32_t seq, void *ctxt) | 404 | input_userauth_error(int type, u_int32_t seq, void *ctxt) |
392 | { | 405 | { |
393 | fatal("input_userauth_error: bad message during authentication: " | 406 | fatal("input_userauth_error: bad message during authentication: " |
394 | "type %d", type); | 407 | "type %d", type); |
395 | } | 408 | } |
396 | 409 | ||
397 | void | 410 | void |
@@ -521,7 +534,7 @@ userauth_gssapi(Authctxt *authctxt) | |||
521 | { | 534 | { |
522 | Gssctxt *gssctxt = NULL; | 535 | Gssctxt *gssctxt = NULL; |
523 | static gss_OID_set gss_supported = NULL; | 536 | static gss_OID_set gss_supported = NULL; |
524 | static int mech = 0; | 537 | static u_int mech = 0; |
525 | OM_uint32 min; | 538 | OM_uint32 min; |
526 | int ok = 0; | 539 | int ok = 0; |
527 | 540 | ||
@@ -548,7 +561,8 @@ userauth_gssapi(Authctxt *authctxt) | |||
548 | } | 561 | } |
549 | } | 562 | } |
550 | 563 | ||
551 | if (!ok) return 0; | 564 | if (!ok) |
565 | return 0; | ||
552 | 566 | ||
553 | authctxt->methoddata=(void *)gssctxt; | 567 | authctxt->methoddata=(void *)gssctxt; |
554 | 568 | ||
@@ -583,7 +597,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) | |||
583 | Authctxt *authctxt = ctxt; | 597 | Authctxt *authctxt = ctxt; |
584 | Gssctxt *gssctxt = authctxt->methoddata; | 598 | Gssctxt *gssctxt = authctxt->methoddata; |
585 | gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 599 | gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
586 | gss_buffer_desc gssbuf, mic; | 600 | gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; |
601 | gss_buffer_desc gssbuf; | ||
587 | OM_uint32 status, ms, flags; | 602 | OM_uint32 status, ms, flags; |
588 | Buffer b; | 603 | Buffer b; |
589 | 604 | ||
@@ -717,7 +732,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) | |||
717 | 732 | ||
718 | /* Stick it into GSSAPI and see what it says */ | 733 | /* Stick it into GSSAPI and see what it says */ |
719 | status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, | 734 | status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, |
720 | &recv_tok, &send_tok, NULL); | 735 | &recv_tok, &send_tok, NULL); |
721 | 736 | ||
722 | xfree(recv_tok.value); | 737 | xfree(recv_tok.value); |
723 | gss_release_buffer(&ms, &send_tok); | 738 | gss_release_buffer(&ms, &send_tok); |
@@ -745,10 +760,11 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | |||
745 | } | 760 | } |
746 | 761 | ||
747 | int | 762 | int |
748 | userauth_gsskeyx(Authctxt *authctxt) | 763 | userauth_gsskeyex(Authctxt *authctxt) |
749 | { | 764 | { |
750 | Buffer b; | 765 | Buffer b; |
751 | gss_buffer_desc gssbuf, mic; | 766 | gss_buffer_desc gssbuf; |
767 | gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; | ||
752 | OM_uint32 ms; | 768 | OM_uint32 ms; |
753 | 769 | ||
754 | static int attempt = 0; | 770 | static int attempt = 0; |
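Review bot: The new `options.gss_trust_dns` branch at new lines 100-103 silently swaps the user-supplied `host` for a DNS-derived name, and nothing in the hunk records why that substitution is opt-in; since `gss_host` then feeds `ssh_gssapi_client_mechanisms()` and is stored in `kex->gss_host` next to `kex->gss_deleg_creds`, it presumably becomes the name the client authenticates (and may delegate credentials) to, so a misleading DNS answer would choose that name. Suggest a comment above the `if`: `/* Use the DNS-canonicalised name as the GSSAPI target only when the user opted in via GSSAPITrustDNS; that name is not otherwise verified. */`. The `(char *)` cast on `get_canonical_hostname(1)` discards what looks like a const-qualified return value; if `gss_host` and `kex->gss_host` are never written through, declaring them `const char *` would remove the cast. The same applies to the "null" host key comment at new lines 143-144, which could say that "null" is only meaningful once a GSSAPI key exchange has authenticated the server. ssh_kex2 begins before the first hunk and continues past the hunks shown here.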