Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 62 |
1 files changed, 58 insertions, 4 deletions
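--- a/sshd.c
+++ b/sshd.c
@@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh)
 }
 debug3("%s: sent %u hostkeys", __func__, nkeys);
 if (nkeys == 0)
-fatal("%s: no hostkeys", __func__);
-if ((r = sshpkt_send(ssh)) != 0)
+debug3("%s: no hostkeys", __func__);
+else if ((r = sshpkt_send(ssh)) != 0)
 sshpkt_fatal(ssh, r, "%s: send", __func__);
 sshbuf_free(buf);
 }
@@ -1851,7 +1851,8 @@ main(int ac, char **av)
 free(fp);
 }
 accumulate_host_timing_secret(cfg, NULL);
-if (!sensitive_data.have_ssh2_key) {
+/* The GSSAPI key exchange can run without a host key */
+if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
 logit("sshd: no hostkeys available -- exiting.");
 exit(1);
 }
@@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh)
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 list_hostkey_types());
 
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
+{
+char *orig;
+char *gss = NULL;
+char *newstr = NULL;
+orig = myproposal[PROPOSAL_KEX_ALGS];
+
+/*
+* If we don't have a host key, then there's no point advertising
+* the other key exchange algorithms
+*/
+
+if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+orig = NULL;
+
+if (options.gss_keyex)
+gss = ssh_gssapi_server_mechanisms();
+else
+gss = NULL;
+
+if (gss && orig)
+xasprintf(&newstr, "%s,%s", gss, orig);
+else if (gss)
+newstr = gss;
+else if (orig)
+newstr = orig;
+
+/*
+* If we've got GSSAPI mechanisms, then we've got the 'null' host
+* key alg, but we can't tell people about it unless its the only
+* host key algorithm we support
+*/
+if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+if (newstr)
+myproposal[PROPOSAL_KEX_ALGS] = newstr;
+else
+fatal("No supported key exchange algorithms");
+}
+#endif
+
 /* start key exchange */
 if ((r = kex_setup(ssh, myproposal)) != 0)
 fatal("kex_setup: %s", ssh_err(r));
@@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh)
 # ifdef OPENSSL_HAS_ECC
 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
-#endif
+# ifdef GSSAPI
+if (options.gss_keyex) {
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+}
+# endif
+#endif /* WITH_OPENSSL */
 kex->kex[KEX_C25519_SHA256] = kex_gen_server;
 kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
 kex->load_host_public_key=&get_hostkey_public_by_type;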
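Review bot: In the GSSAPI block added to do_ssh2_kex (hunk at -2342), the string returned by `ssh_gssapi_server_mechanisms()` is dropped without being released once `xasprintf(&newstr, "%s,%s", gss, orig)` has copied it, and the `compat_pkalg_proposal()` result is likewise overwritten by the literal `"null"` with no release; if those are heap strings — not visible in this hunk — that is a per-kex leak, small because a child handles one exchange, but a `free(gss);` after the xasprintf and a comment stating that the host-key proposal is intentionally replaced would make the ownership explicit. The host-key test `strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0` is evaluated twice with different parenthesization, once to drop the non-GSS kex algorithms and once to advertise the "null" host key algorithm; hoisting it to `int have_hostkey = *myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] != '\0';` and testing that in both places shows that the two decisions rest on the same condition, which matters because advertising "null" is only safe when no real host key algorithm is offered. The `else gss = NULL;` branch repeats the initializer and can go. The enclosing do_ssh2_kex begins and ends outside the hunk.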