Bugzilla – Attachment 1177 Details for Bug 1008: GSSAPI authentication fails with Round Robin DNS hosts
[patch] Add option to do GSSAPI canonicalization in the client, rather than the library
openssh-trustdns.patch (text/plain), 4.31 KB, created by Simon Wilkinson on 2006-08-19 22:26:57 AEST
Status: patch, obsolete
>Index: readconf.c >=================================================================== >RCS file: /cvs/openssh/readconf.c,v >retrieving revision 1.135 >diff -u -r1.135 readconf.c >--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 >+++ readconf.c 19 Aug 2006 11:59:52 -0000 >@@ -126,6 +126,7 @@ > oClearAllForwardings, oNoHostAuthenticationForLocalhost, > oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, > oAddressFamily, oGssAuthentication, oGssDelegateCreds, >+ oGssTrustDns, > oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, > oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, > oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, >@@ -163,9 +164,11 @@ > #if defined(GSSAPI) > { "gssapiauthentication", oGssAuthentication }, > { "gssapidelegatecredentials", oGssDelegateCreds }, >+ { "gssapitrustdns", oGssTrustDns }, > #else > { "gssapiauthentication", oUnsupported }, > { "gssapidelegatecredentials", oUnsupported }, >+ { "gssapitrustdns", oUnsupported }, > #endif > { "fallbacktorsh", oDeprecated }, > { "usersh", oDeprecated }, >@@ -444,6 +447,10 @@ > intptr = &options->gss_deleg_creds; > goto parse_flag; > >+ case oGssTrustDns: >+ intptr = &options->gss_trust_dns; >+ goto parse_flag; >+ > case oBatchMode: > intptr = &options->batch_mode; > goto parse_flag; >@@ -1010,6 +1017,7 @@ > options->challenge_response_authentication = -1; > options->gss_authentication = -1; > options->gss_deleg_creds = -1; >+ options->gss_trust_dns = -1; > options->password_authentication = -1; > options->kbd_interactive_authentication = -1; > options->kbd_interactive_devices = NULL; 
>@@ -1100,6 +1108,8 @@ > options->gss_authentication = 0; > if (options->gss_deleg_creds == -1) > options->gss_deleg_creds = 0; >+ if (options->gss_trust_dns == -1) >+ options->gss_trust_dns = 0; > if (options->password_authentication == -1) > options->password_authentication = 1; > if (options->kbd_interactive_authentication == -1) >Index: readconf.h >=================================================================== >RCS file: /cvs/openssh/readconf.h,v >retrieving revision 1.63 >diff -u -r1.63 readconf.h >--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 >+++ readconf.h 19 Aug 2006 11:59:52 -0000 >@@ -45,6 +45,7 @@ > /* Try S/Key or TIS, authentication. */ > int gss_authentication; /* Try GSS authentication */ > int gss_deleg_creds; /* Delegate GSS credentials */ >+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ > int password_authentication; /* Try password > * authentication. */ > int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ >Index: ssh_config.5 >=================================================================== >RCS file: /cvs/openssh/ssh_config.5,v >retrieving revision 1.97 >diff -u -r1.97 ssh_config.5 >--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 >+++ ssh_config.5 19 Aug 2006 11:59:53 -0000 
>@@ -483,7 +483,16 @@ > Forward (delegate) credentials to the server. > The default is > .Dq no . >-Note that this option applies to protocol version 2 only. >+Note that this option applies to protocol version 2 connections using GSSAPI. >+.It Cm GSSAPITrustDns >+Set to >+.Dq yes to indicate that the DNS is trusted to securely canonicalize >+the name of the host being connected to. If >+.Dq no, the hostname entered on the >+command line will be passed untouched to the GSSAPI library. >+The default is >+.Dq no . >+This option only applies to protocol version 2 connections using GSSAPI. > .It Cm HashKnownHosts > Indicates that > .Xr ssh 1 >Index: sshconnect2.c >=================================================================== >RCS file: /cvs/openssh/sshconnect2.c,v >retrieving revision 1.151 >diff -u -r1.151 sshconnect2.c >--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 >+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 >@@ -499,6 +499,12 @@ > static u_int mech = 0; > OM_uint32 min; > int ok = 0; >+ const char *gss_host; >+ >+ if (options.gss_trust_dns) >+ gss_host = get_canonical_hostname(1); >+ else >+ gss_host = authctxt->host; > > /* Try one GSSAPI method at a time, rather than sending them all at > * once. */ >@@ -511,7 +517,7 @@ > /* My DER encoding requires length<128 */ > if (gss_supported->elements[mech].length < 128 && > ssh_gssapi_check_mechanism(&gssctxt, >- &gss_supported->elements[mech], authctxt->host)) { >+ &gss_supported->elements[mech], gss_host)) { > ok = 1; /* Mechanism works */ > } else { > mech++;
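Review bot: the mdoc markup in the new GSSAPITrustDns entry of the ssh_config.5 hunk will misrender. `.Dq` quotes every argument on its line, so `.Dq yes to indicate that the DNS is trusted to securely canonicalize` puts that whole phrase in quotes, and `.Dq no,` puts the comma inside the quotes because the delimiter is not space-separated (compare the existing `.Dq no .`). Suggest `.Dq yes` on its own line with `to indicate that the DNS is trusted to securely canonicalize` on the next, and `.Dq no ,` for the second. Since this option decides whether an untrusted name source selects the GSSAPI target, the entry should also state the consequence of setting it: a forged DNS answer then chooses which service principal the client authenticates to, and the default of `no` keeps the current behaviour of passing the typed hostname through unchanged.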
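Review bot: in the first sshconnect2.c hunk, `gss_host = get_canonical_hostname(1)` derives the name from a reverse (PTR) lookup of the connected socket's remote address, so with GSSAPITrustDns enabled the target principal is picked by whoever controls the reverse zone for that address rather than by the name the user typed; that is the intended trade-off, but it deserves a comment at this site, since the helper is otherwise used for the remote peer on the server side and a reader will not expect the client to trust reverse DNS here. Please also confirm that every later use of the target name in this function's GSSAPI path uses `gss_host`, not just the `ssh_gssapi_check_mechanism` call changed in the following hunk; otherwise the mechanism check and the subsequent context establishment would name different hosts.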
Attachments on bug 1008: 1177 | 1202