

(-)openssh/gss-serv.c.preaccept (-14 / +24 lines)
Lines 43-51 Link Here
43
#include "channels.h"
43
#include "channels.h"
44
#include "session.h"
44
#include "session.h"
45
#include "misc.h"
45
#include "misc.h"
46
#include "servconf.h"
46
47
47
#include "ssh-gss.h"
48
#include "ssh-gss.h"
48
49
50
extern ServerOptions options;
51
49
static ssh_gssapi_client gssapi_client =
52
static ssh_gssapi_client gssapi_client =
50
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
53
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
51
    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
54
    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
Lines 111-135 Link Here
111
	char lname[MAXHOSTNAMELEN];
114
	char lname[MAXHOSTNAMELEN];
112
	gss_OID_set oidset;
115
	gss_OID_set oidset;
113
116
114
	gss_create_empty_oid_set(&status, &oidset);
117
	if (options.gss_strict_acceptor) {
115
	gss_add_oid_set_member(&status, ctx->oid, &oidset);
118
		gss_create_empty_oid_set(&status, &oidset);
119
		gss_add_oid_set_member(&status, ctx->oid, &oidset);
120
121
		if (gethostname(lname, MAXHOSTNAMELEN)) {
122
			gss_release_oid_set(&status, &oidset);
123
			return (-1);
124
		}
116
125
117
	if (gethostname(lname, MAXHOSTNAMELEN)) {
126
		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
118
		gss_release_oid_set(&status, &oidset);
127
			gss_release_oid_set(&status, &oidset);
119
		return (-1);
128
			return (ctx->major);
120
	}
129
		}
130
131
		if ((ctx->major = gss_acquire_cred(&ctx->minor,
132
		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
133
		    NULL, NULL)))
134
			ssh_gssapi_error(ctx);
121
135
122
	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
123
		gss_release_oid_set(&status, &oidset);
136
		gss_release_oid_set(&status, &oidset);
124
		return (ctx->major);
137
		return (ctx->major);
138
	} else {
139
		ctx->name = GSS_C_NO_NAME;
140
		ctx->creds = GSS_C_NO_CREDENTIAL;
125
	}
141
	}
126
142
	return GSS_S_COMPLETE;
127
	if ((ctx->major = gss_acquire_cred(&ctx->minor,
128
	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
129
		ssh_gssapi_error(ctx);
130
131
	gss_release_oid_set(&status, &oidset);
132
	return (ctx->major);
133
}
143
}
134
144
135
145
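Review bot: In the non-strict branch (`} else {` through `ctx->creds = GSS_C_NO_CREDENTIAL;`) the new code returns `GSS_S_COMPLETE` without assigning `ctx->major`, while the strict branch's `return (ctx->major)` suggests callers may also inspect that field; if they do, the non-strict path leaves it holding whatever it held before. Adding `ctx->major = GSS_S_COMPLETE;` next to the two assignments keeps both paths consistent. Since every path inside the strict block ends in a `return`, the `else` after it is redundant and the permissive fallback would read more clearly as a guard clause at the top of the function. A one-line comment on that fallback would also make the trade-off visible to the next maintainer, e.g. `/* Non-strict: no acceptor name or credential is fixed here, so the library may accept with any service key in its default keytab (see GSSAPIStrictAcceptorCheck) */`. The enclosing function starts before this hunk, so its declaration and return contract are not visible here.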
(-)openssh/servconf.h.preaccept (+1 lines)
Lines 88-93 Link Here
88
						 * authenticated with Kerberos. */
88
						 * authenticated with Kerberos. */
89
	int     gss_authentication;	/* If true, permit GSSAPI authentication */
89
	int     gss_authentication;	/* If true, permit GSSAPI authentication */
90
	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
90
	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
91
	int 	gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
91
	int     password_authentication;	/* If true, permit password
92
	int     password_authentication;	/* If true, permit password
92
						 * authentication. */
93
						 * authentication. */
93
	int     kbd_interactive_authentication;	/* If true, permit */
94
	int     kbd_interactive_authentication;	/* If true, permit */
(-)openssh/sshd_config.preaccept (+1 lines)
Lines 68-73 Link Here
68
# GSSAPI options
68
# GSSAPI options
69
#GSSAPIAuthentication no
69
#GSSAPIAuthentication no
70
#GSSAPICleanupCredentials yes
70
#GSSAPICleanupCredentials yes
71
#GSSAPIStrictAcceptorCheck yes
71
72
72
# Set this to 'yes' to enable PAM authentication, account processing, 
73
# Set this to 'yes' to enable PAM authentication, account processing, 
73
# and session processing. If this is enabled, PAM authentication will 
74
# and session processing. If this is enabled, PAM authentication will 
(-)openssh/servconf.c.preaccept (-1 / +11 lines)
Lines 91-96 Link Here
91
	options->kerberos_get_afs_token = -1;
91
	options->kerberos_get_afs_token = -1;
92
	options->gss_authentication=-1;
92
	options->gss_authentication=-1;
93
	options->gss_cleanup_creds = -1;
93
	options->gss_cleanup_creds = -1;
94
	options->gss_strict_acceptor = -1;
94
	options->password_authentication = -1;
95
	options->password_authentication = -1;
95
	options->kbd_interactive_authentication = -1;
96
	options->kbd_interactive_authentication = -1;
96
	options->challenge_response_authentication = -1;
97
	options->challenge_response_authentication = -1;
Lines 206-211 Link Here
206
		options->gss_authentication = 0;
207
		options->gss_authentication = 0;
207
	if (options->gss_cleanup_creds == -1)
208
	if (options->gss_cleanup_creds == -1)
208
		options->gss_cleanup_creds = 1;
209
		options->gss_cleanup_creds = 1;
210
	if (options->gss_strict_acceptor == -1)
211
		options->gss_strict_acceptor = 0;
209
	if (options->password_authentication == -1)
212
	if (options->password_authentication == -1)
210
		options->password_authentication = 1;
213
		options->password_authentication = 1;
211
	if (options->kbd_interactive_authentication == -1)
214
	if (options->kbd_interactive_authentication == -1)
Lines 290-296 Link Here
290
	sBanner, sUseDNS, sHostbasedAuthentication,
293
	sBanner, sUseDNS, sHostbasedAuthentication,
291
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
294
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
292
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
295
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
293
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
296
	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 
297
	sAcceptEnv, sPermitTunnel,
294
	sMatch, sPermitOpen, sForceCommand,
298
	sMatch, sPermitOpen, sForceCommand,
295
	sUsePrivilegeSeparation,
299
	sUsePrivilegeSeparation,
296
	sDeprecated, sUnsupported
300
	sDeprecated, sUnsupported
Lines 351-359 Link Here
351
#ifdef GSSAPI
355
#ifdef GSSAPI
352
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
356
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
353
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
357
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
358
	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
354
#else
359
#else
355
	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
360
	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
356
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
361
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
362
	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
357
#endif
363
#endif
358
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
364
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
359
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
365
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
Lines 876-881 Link Here
876
		intptr = &options->gss_cleanup_creds;
882
		intptr = &options->gss_cleanup_creds;
877
		goto parse_flag;
883
		goto parse_flag;
878
884
885
	case sGssStrictAcceptor:
886
		intptr = &options->gss_strict_acceptor;
887
		goto parse_flag;
888
879
	case sPasswordAuthentication:
889
	case sPasswordAuthentication:
880
		intptr = &options->password_authentication;
890
		intptr = &options->password_authentication;
881
		goto parse_flag;
891
		goto parse_flag;
(-)openssh/sshd_config.5.preaccept (+17 lines)
Lines 326-331 Link Here
326
The default is
326
The default is
327
.Dq yes .
327
.Dq yes .
328
Note that this option applies to protocol version 2 only.
328
Note that this option applies to protocol version 2 only.
329
.It Cm GSSAPIStrictAcceptorCheck
330
Determines whether to be strict about the identity of the GSSAPI acceptor 
331
a client authenticates against. If
332
.Dq yes
333
then the client must authenticate against the
334
.Pa host
335
service on the current hostname. If 
336
.Dq no
337
then the client may authenticate against any service key stored in the 
338
machine's default store. This facility is provided to assist with operation 
339
on multi homed machines. 
340
The default is
341
.Dq yes .
342
Note that this option applies only to protocol version 2 GSSAPI connections,
343
and setting it to 
344
.Dq no
345
may only work with recent Kerberos GSSAPI libraries.
329
.It Cm HostbasedAuthentication
346
.It Cm HostbasedAuthentication
330
Specifies whether rhosts or /etc/hosts.equiv authentication together
347
Specifies whether rhosts or /etc/hosts.equiv authentication together
331
with successful public key client host authentication is allowed
348
with successful public key client host authentication is allowed
