
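--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -238,7 +238,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 
 	packet_check_eom();
 
-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+	    authctxt->methoddata));
 
 	authctxt->postponed = 0;
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -252,6 +253,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 static int
 input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 {
+	logit("%s: called", __func__);
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
@@ -274,7 +276,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 	gssbuf.length = buffer_len(&b);
 
 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+		    authctxt->methoddata));
 	else
 		logit("GSSAPI MIC check failed");
 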
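Review bot: The `logit("%s: called", __func__);` added at the top of input_gssapi_mic is placed before the local declarations and logs at info level on every MIC packet, which reads like a debugging trace left in the patch rather than something an operator needs; drop it, or keep it as `debug3("%s: called", __func__);` placed after `int authenticated = 0;`. Both userok call sites now hand `authctxt->methoddata` to ssh_gssapi_userok as the Gssctxt, presumably the context userauth_gssapi stored there; a one-line comment at the first call would help, especially since the monitor side of this patch ignores the passed pointer and checks its own `gsscontext`. input_gssapi_mic continues outside the hunk.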
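--- a/gss-serv.c
+++ b/gss-serv.c
@@ -33,6 +33,7 @@
 #include <stdarg.h>
 #include <string.h>
 #include <unistd.h>
+#include <gssapi/gssapi_ext.h>
 
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@@ -355,12 +356,66 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 	}
 }
 
+/* Handle authentication indicators */
+int
+verify_authentication_indicators(Gssctxt *gssctxt)
+{
+	gss_buffer_desc attr;
+	attr.value = "auth-indicators";
+	attr.length = strlen(attr.value);
+	int authenticated = 0, complete = 0, more = -1;
+	gss_buffer_desc value = {0, NULL};
+	gss_buffer_desc display_value = {0, NULL};
+	char *p, *ap = options.gss_required_auth_indicators;
+	OM_uint32 min_status, maj_status;
+	int accept = 0;
+
+	debug3("%s: entering", __func__);
+
+	/* when not specified, allow the access*/
+	if (options.gss_required_auth_indicators == NULL)
+		return 1;
+
+	debug3("%s: Need GSSAPI Auth Indicators (%s)", __func__,
+	    options.gss_required_auth_indicators);
+	do {
+		maj_status = gss_get_name_attribute(&min_status,
+		    gssctxt->client, &attr, &authenticated,
+		    &complete, &value, &display_value, &more);
+
+		debug3("%s: gss_get_name_attribute = 0x%.8X", __func__, maj_status);
+		/* no auth indicators in the ticket: reject access  */
+		if (maj_status != GSS_S_COMPLETE)
+			break;
+
+		debug3("%s: Ticket authentication indicator value = %s",
+		    __func__, (char *)value.value);
+		for (p = strtok(ap, " "); p; p = strtok(NULL, " ")) {
+			if (strcmp(p, value.value) == 0) {
+				logit("%s: found match %s", __func__,
+					(char *)value.value);
+				accept = 1;
+				break;
+			}
+		}
+		gss_release_buffer(&min_status, &value);
+		gss_release_buffer(&min_status, &display_value);
+	} while (more != 0);
+
+	return accept;
+}
+
 /* Privileged */
 int
-ssh_gssapi_userok(char *user)
+ssh_gssapi_userok(char *user, Gssctxt *ctxt)
 {
 	OM_uint32 lmin;
 
+	if (verify_authentication_indicators(ctxt) == 0) {
+		logit("GSSAPI authentication rejected: missing authentication indicators");
+		return 0;
+	}
+
 	if (gssapi_client.exportedname.length == 0 ||
 	    gssapi_client.exportedname.value == NULL) {
 		debug("No suitable client data");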
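Review bot: In verify_authentication_indicators the `for (p = strtok(ap, " "); ...)` loop runs strtok() directly on `ap = options.gss_required_auth_indicators`, which overwrites the separators of the live configuration string with NULs; because that loop is nested inside the `do … while (more != 0)` loop over attribute values, the second and later indicator values of a ticket are compared against a list already truncated to its first entry, and every later authentication attempt in this process sees the same truncated list. A second problem is that `value` is a counted GSS buffer that is not guaranteed to be NUL-terminated, so `strcmp(p, value.value)` and the `%s` in the preceding debug3 can read past its end. Tokenize a fresh copy on each pass and compare by length, as below, and print the value with `%.*s` and `(int)value.length`. The unconditional `#include <gssapi/gssapi_ext.h>` and gss_get_name_attribute() are an MIT-style naming extension and will presumably not build against other GSSAPI implementations, so they want a configure check or `#ifdef` rather than a bare include.
```c
	char *list, *copy, *p;
	/* … unchanged: attr setup, early return when the option is unset, do-loop head … */
		copy = list = xstrdup(options.gss_required_auth_indicators);
		while ((p = strsep(&list, " ")) != NULL) {
			if (*p == '\0')
				continue;
			if (strlen(p) == value.length &&
			    memcmp(p, value.value, value.length) == 0) {
				logit("%s: found match %.*s", __func__,
				    (int)value.length, (char *)value.value);
				accept = 1;
				break;
			}
		}
		free(copy);
		/* … unchanged: gss_release_buffer() calls, while (more != 0), return accept … */
```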
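--- a/monitor.c
+++ b/monitor.c
@@ -1778,7 +1778,7 @@ mm_answer_gss_userok(int sock, Buffer *m)
 	if (!options.gss_authentication)
 		fatal("%s: GSSAPI authentication not enabled", __func__);
 
-	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user, gsscontext);
 
 	buffer_clear(m);
 	buffer_put_int(m, authenticated);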
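Review bot: `gsscontext` is passed to ssh_gssapi_userok() with no NULL check, and the verify_authentication_indicators() this patch adds in gss-serv.c dereferences `gssctxt->client` unconditionally; if a GSSAPI userok request can reach the monitor before a context has been accepted, that is a NULL dereference in the privileged process. The monitor's permitted-request state machine presumably prevents that ordering, but making the precondition explicit is cheap: `authenticated = authctxt->valid && gsscontext != NULL && ssh_gssapi_userok(authctxt->user, gsscontext);`. mm_answer_gss_userok begins outside the hunk.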
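--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -924,7 +924,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, Gssctxt *ctxt)
 {
 	Buffer m;
 	int authenticated = 0;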
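Review bot: The new `ctxt` parameter of mm_ssh_gssapi_userok is not referenced in the visible lines, and the monitor's answer in this patch checks its own `gsscontext` rather than anything sent over the monitor socket, so the argument appears to exist only to keep the PRIVSEP() call sites uniform. Say so where the next reader will look, e.g. `/* ctxt is unused: the monitor verifies indicators against its own gsscontext */` after the declarations, with `(void)ctxt;` so unused-parameter warnings stay quiet. The function body continues outside the hunk.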
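--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -55,7 +55,7 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user);
+int mm_ssh_gssapi_userok(char *user, Gssctxt *ctxt);
 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 #endif
 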
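--- a/servconf.c
+++ b/servconf.c
@@ -129,6 +129,7 @@ initialize_server_options(ServerOptions *options)
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
 	options->gss_strict_acceptor = -1;
+	options->gss_required_auth_indicators = NULL;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -369,6 +370,7 @@ fill_default_server_options(ServerOptions *options)
 	CLEAR_ON_NONE(options->authorized_principals_file);
 	CLEAR_ON_NONE(options->adm_forced_command);
 	CLEAR_ON_NONE(options->chroot_directory);
+	CLEAR_ON_NONE(options->gss_required_auth_indicators);
 	for (i = 0; i < options->num_host_key_files; i++)
 		CLEAR_ON_NONE(options->host_key_files[i]);
 	for (i = 0; i < options->num_host_cert_files; i++)
@@ -428,7 +430,7 @@ typedef enum {
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-	sAcceptEnv, sPermitTunnel,
+	sGssRequiredAuthIndicators, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate, sInclude,
@@ -504,10 +506,12 @@ static struct {
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+	{ "gssapirequiredauthindicators", sGssRequiredAuthIndicators, SSHCFG_GLOBAL },
 #else
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapirequiredauthindicators", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -1262,6 +1266,15 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		intptr = &options->gss_strict_acceptor;
 		goto parse_flag;
 
+	case sGssRequiredAuthIndicators:
+		if (cp == NULL || *cp == '\0')
+			fatal("%.200s line %d: Missing argument.",
+			    filename, linenum);
+		len = strspn(cp, WHITESPACE "=");
+		if (*activep && options->gss_required_auth_indicators == NULL)
+			options->gss_required_auth_indicators = xstrdup(cp + len);
+		break;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
@@ -2377,6 +2390,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
 #endif
+	dump_cfg_string(sGssRequiredAuthIndicators, o->gss_required_auth_indicators);
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);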
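Review bot: In dump_config the new `dump_cfg_string(sGssRequiredAuthIndicators, …)` is placed after the `#endif` that closes the GSSAPI-only dump lines, while the keyword table maps `gssapirequiredauthindicators` to sUnsupported when GSSAPI is not defined; on such a build `sshd -T` would emit a keyword (presumably as `gssapirequiredauthindicators none`) that the same binary refuses to parse. Move the line above the `#endif`, directly after `dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);`. Separately, the parser stores the rest of the line verbatim after skipping `WHITESPACE "="`, but the consumer added in gss-serv.c splits only on a single space, so a tab-separated list would be treated as one indicator; either split on WHITESPACE at the consumer or validate here that the value contains no tabs.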
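--- a/servconf.h
+++ b/servconf.h
@@ -114,6 +114,7 @@ typedef struct {
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
 	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
+	char   *gss_required_auth_indicators;	/* GSSAPI required auth-indicators names */
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */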
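--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -123,7 +123,7 @@ int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
 
 /* In the server */
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name);
+int ssh_gssapi_userok(char *name, Gssctxt *ctxt);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);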
(-)a/sshd_config.5 (-1 / +7 lines)
Lines 632-637 Specifies whether to automatically destroy the user's credentials cache Link Here
632
on logout.
632
on logout.
633
The default is
633
The default is
634
.Cm yes .
634
.Cm yes .
635
.It Cm GSSAPIRequiredAuthIndicators
636
Allow GSSSAPI authentication only for tickets having set auth-indicator
637
to these values. Accepts space separated list of accepted authentication
638
indicators for this service.
639
The default is
640
.Cm none 
641
meaining no authentication indicators are needed to be present in the tickets.
635
.It Cm GSSAPIStrictAcceptorCheck
642
.It Cm GSSAPIStrictAcceptorCheck
636
Determines whether to be strict about the identity of the GSSAPI acceptor
643
Determines whether to be strict about the identity of the GSSAPI acceptor
637
a client authenticates against.
644
a client authenticates against.
638
- 
