

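--- a/readconf.c
+++ b/readconf.c
@@ -126,6 +126,7 @@
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, 
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -163,9 +164,11 @@
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
 #else
 	{ "gssapiauthentication", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -444,6 +447,10 @@
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1010,6 +1017,7 @@
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1100,6 +1108,8 @@
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)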
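Review bot: The new enumerator in the first hunk, `oGssTrustDns, `, carries trailing whitespace and sits on a line of its own although the rest of the enum is packed several names per line; `oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssTrustDns,` would keep the table dense and drop the stray space. The other hunks (keyword table with the oUnsupported fallback, the `case oGssTrustDns:` arm, the -1 initialisation and the 0 fill-in default) mirror their gss_deleg_creds neighbours exactly, which is what gives the option the default of no stated in the manual page. The enclosing functions start and end outside these hunks.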
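--- a/readconf.h
+++ b/readconf.h
@@ -45,6 +45,7 @@
 					/* Try S/Key or TIS, authentication. */
 	int     gss_authentication;	/* Try GSS authentication */
 	int     gss_deleg_creds;	/* Delegate GSS credentials */
+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */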
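Review bot: The added field declaration uses a tab between `int` and `gss_trust_dns` where the neighbouring members use spaces (`int     gss_authentication;`), so `int     gss_trust_dns;		/* ... */` would match the block. The comment could also state the value convention the readconf.c hunks establish (-1 before parsing, 0 when left unset, 1 when the option is yes) and what the flag decides, e.g. `/* Trust DNS to pick the GSSAPI target host name (-1 unset, 0 no, 1 yes) */`, since this is the switch that determines whether a DNS answer can choose the host principal the client authenticates to.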
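--- a/ssh_config.5
+++ b/ssh_config.5
@@ -483,7 +483,16 @@
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
-Note that this option applies to protocol version 2 only.
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to 
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If 
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1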
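--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -499,6 +499,12 @@
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
+	const char *gss_host;
+
+	if (options.gss_trust_dns)
+		gss_host = get_canonical_hostname(1);
+	else
+		gss_host = authctxt->host;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
@@ -511,7 +517,7 @@
 		/* My DER encoding requires length<128 */
 		if (gss_supported->elements[mech].length < 128 &&
 		    ssh_gssapi_check_mechanism(&gssctxt, 
-		    &gss_supported->elements[mech], authctxt->host)) {
+		    &gss_supported->elements[mech], gss_host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;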
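Review bot: In the first hunk the result of `get_canonical_hostname(1)` becomes the GSSAPI target name without any check that it corresponds to the host the user named, so when GSSAPITrustDns is yes whoever controls the DNS answer chooses which host principal the client authenticates to (and, with GSSAPIDelegateCredentials, delegates credentials to); the assignment deserves a comment saying so, e.g. `/* GSSAPITrustDns: the DNS-derived name, not the one the user typed, selects the host principal */`. Whether get_canonical_hostname(1) itself cross-checks forward and reverse lookups is not visible here and should be confirmed, because that is what the manual page's "securely canonicalize" wording rests on. The second hunk only replaces authctxt->host with gss_host in the mechanism check; any later step that builds a GSSAPI name from authctxt->host would need the same substitution, or the check and the real exchange would target different principals. The enclosing function starts before the first hunk and ends after the second.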
