Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 62 |
1 files changed, 58 insertions, 4 deletions
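--- a/sshd.c
+++ b/sshd.c
@@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh)
 }
 debug3("%s: sent %u hostkeys", __func__, nkeys);
 if (nkeys == 0)
-fatal("%s: no hostkeys", __func__);
-if ((r = sshpkt_send(ssh)) != 0)
+debug3("%s: no hostkeys", __func__);
+else if ((r = sshpkt_send(ssh)) != 0)
 sshpkt_fatal(ssh, r, "%s: send", __func__);
 sshbuf_free(buf);
 }
@@ -1901,7 +1901,8 @@ main(int ac, char **av)
 free(fp);
 }
 accumulate_host_timing_secret(cfg, NULL);
-if (!sensitive_data.have_ssh2_key) {
+/* The GSSAPI key exchange can run without a host key */
+if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
 logit("sshd: no hostkeys available -- exiting.");
 exit(1);
 }
@@ -2393,6 +2394,48 @@ do_ssh2_kex(struct ssh *ssh)
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 list_hostkey_types());
 
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
+{
+char *orig;
+char *gss = NULL;
+char *newstr = NULL;
+orig = myproposal[PROPOSAL_KEX_ALGS];
+
+/*
+* If we don't have a host key, then there's no point advertising
+* the other key exchange algorithms
+*/
+
+if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
+orig = NULL;
+
+if (options.gss_keyex)
+gss = ssh_gssapi_server_mechanisms();
+else
+gss = NULL;
+
+if (gss && orig)
+xasprintf(&newstr, "%s,%s", gss, orig);
+else if (gss)
+newstr = gss;
+else if (orig)
+newstr = orig;
+
+/*
+* If we've got GSSAPI mechanisms, then we've got the 'null' host
+* key alg, but we can't tell people about it unless its the only
+* host key algorithm we support
+*/
+if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
+
+if (newstr)
+myproposal[PROPOSAL_KEX_ALGS] = newstr;
+else
+fatal("No supported key exchange algorithms");
+}
+#endif
+
 /* start key exchange */
 if ((r = kex_setup(ssh, myproposal)) != 0)
 fatal("kex_setup: %s", ssh_err(r));
@@ -2408,7 +2451,18 @@ do_ssh2_kex(struct ssh *ssh)
 # ifdef OPENSSL_HAS_ECC
 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
-#endif
+# ifdef GSSAPI
+if (options.gss_keyex) {
+kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
+kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
+kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+}
+# endif
+#endif /* WITH_OPENSSL */
 kex->kex[KEX_C25519_SHA256] = kex_gen_server;
 kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
 kex->load_host_public_key=&get_hostkey_public_by_type;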
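Review bot: The relaxed startup check in the `main()` hunk (`if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {`, new line 1905) consults `options.gss_keyex` unconditionally, while the only code that can stand in for a missing host key — the `"null"` host-key and GSS kex proposal added to `do_ssh2_kex()` — is compiled only under `#if defined(GSSAPI) && defined(WITH_OPENSSL)`. On a build where either macro is absent, a configuration with GSSAPI key exchange enabled and no host keys would now pass startup and presumably fail per connection at `kex_setup()` with an empty host-key proposal, instead of exiting once with the existing "no hostkeys available" message. The same per-connection failure mode applies at runtime when `ssh_gssapi_server_mechanisms()` returns NULL and no host keys exist, since that path ends in `fatal("No supported key exchange algorithms")` in the child rather than at startup; a startup-time probe of the GSSAPI mechanisms would be the stronger check, but at minimum the compile-time guard should be mirrored. Suggested shape for the `main()` check is below; both `main()` and `do_ssh2_kex()` begin and end outside their hunks.
```c
	accumulate_host_timing_secret(cfg, NULL);
#if defined(GSSAPI) && defined(WITH_OPENSSL)
	/* The GSSAPI key exchange can run without a host key */
	if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
#else
	if (!sensitive_data.have_ssh2_key) {
#endif
		logit("sshd: no hostkeys available -- exiting.");
		/* … unchanged: exit(1) … */
```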