Bugzilla – Attachment 1775 Details for
Bug 928
Kerberos/GSSAPI authentication does not work with multihomed hosts
sshd-gssapi-multihomed.patch
sshd-gssapi-multihomed.patch (text/plain), 6.38 KB, created by
Darren Tucker
on 2010-01-11 17:11:06 AEDT
Description:
sshd-gssapi-multihomed.patch
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2010-01-11 17:11:06 AEDT
Size:
6.38 KB
patch
obsolete
>Index: gss-serv.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
>retrieving revision 1.22
>diff -u -p -r1.22 gss-serv.c
>--- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
>+++ gss-serv.c 11 Jan 2010 05:38:29 -0000
>@@ -41,9 +41,12 @@
> #include "channels.h"
> #include "session.h"
> #include "misc.h"
>+#include "servconf.h"
> 
> #include "ssh-gss.h"
> 
>+extern ServerOptions options;
>+
> static ssh_gssapi_client gssapi_client =
> { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
> GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
>@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
> char lname[MAXHOSTNAMELEN];
> gss_OID_set oidset;
> 
>- gss_create_empty_oid_set(&status, &oidset);
>- gss_add_oid_set_member(&status, ctx->oid, &oidset);
>-
>- if (gethostname(lname, MAXHOSTNAMELEN)) {
>- gss_release_oid_set(&status, &oidset);
>- return (-1);
>- }
>+ if (options.gss_strict_acceptor) {
>+ gss_create_empty_oid_set(&status, &oidset);
>+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
>+
>+ if (gethostname(lname, MAXHOSTNAMELEN)) {
>+ gss_release_oid_set(&status, &oidset);
>+ return (-1);
>+ }
>+
>+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
>+ gss_release_oid_set(&status, &oidset);
>+ return (ctx->major);
>+ }
>+
>+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
>+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
>+ NULL, NULL)))
>+ ssh_gssapi_error(ctx);
> 
>- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
> gss_release_oid_set(&status, &oidset);
> return (ctx->major);
>+ } else {
>+ ctx->name = GSS_C_NO_NAME;
>+ ctx->creds = GSS_C_NO_CREDENTIAL;
> }
>-
>- if ((ctx->major = gss_acquire_cred(&ctx->minor,
>- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
>- ssh_gssapi_error(ctx);
>-
>- gss_release_oid_set(&status, &oidset);
>- return (ctx->major);
>+ return GSS_S_COMPLETE;
> }
> 
> /* Privileged */
>Index: servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.201
>diff -u -p -r1.201 servconf.c
>--- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
>+++ servconf.c 11 Jan 2010 05:34:56 -0000
>@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
> options->kerberos_get_afs_token = -1;
> options->gss_authentication=-1;
> options->gss_cleanup_creds = -1;
>+ options->gss_strict_acceptor = -1;
> options->password_authentication = -1;
> options->kbd_interactive_authentication = -1;
> options->challenge_response_authentication = -1;
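Review bot: The new `else` branch that sets `ctx->name = GSS_C_NO_NAME;` and `ctx->creds = GSS_C_NO_CREDENTIAL;` is the security-relevant half of this change and carries no comment saying what it relaxes; a reader of gss-serv.c alone cannot tell that an unnamed acceptor means the GSSAPI library may accept against any service key it can find, which is what the sshd_config.5 hunk in this patch describes. I would add above that branch `/* Not strict: leave the acceptor unnamed so any acceptor credential in the default store may be used (multihomed hosts). */`. It may also be worth a one-line comment on the `return GSS_S_COMPLETE;` that the strict path always returns from inside the `if`, so this value is only reached in the non-strict case. The start of ssh_gssapi_acquire_cred, including the declaration of `status`, lies above this hunk.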
>@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
> options->gss_authentication = 0;
> if (options->gss_cleanup_creds == -1)
> options->gss_cleanup_creds = 1;
>+ if (options->gss_strict_acceptor == -1)
>+ options->gss_strict_acceptor = 0;
> if (options->password_authentication == -1)
> options->password_authentication = 1;
> if (options->kbd_interactive_authentication == -1)
>@@ -277,7 +280,8 @@ typedef enum {
> sBanner, sUseDNS, sHostbasedAuthentication,
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
>+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
>+ sAcceptEnv, sPermitTunnel,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sZeroKnowledgePasswordAuthentication,
>@@ -327,9 +331,11 @@ static struct {
> #ifdef GSSAPI
> { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
> { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
>+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
> #else
> { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
> { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
>+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
> #endif
> { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
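Review bot: The default chosen in fill_default_server_options, `options->gss_strict_acceptor = 0;`, contradicts the documentation added in the same patch: the sshd_config.5 hunk ends with "The default is .Dq yes" and the sshd_config sample shows `#GSSAPIStrictAcceptorCheck yes`. As written, an unmodified install silently gets the relaxed acceptor check that gss-serv.c implements for the non-strict case, while administrators reading the manual believe the strict check is on. Since this option only ever loosens an identity check, the code should match the documented, stricter default: `options->gss_strict_acceptor = 1;`. If the intent really is to default to off, then the sshd_config.5 and sshd_config hunks need the opposite change instead.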
>@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
> 
> case sGssCleanupCreds:
> intptr = &options->gss_cleanup_creds;
>+ goto parse_flag;
>+
>+ case sGssStrictAcceptor:
>+ intptr = &options->gss_strict_acceptor;
> goto parse_flag;
> 
> case sPasswordAuthentication:
>Index: servconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
>retrieving revision 1.89
>diff -u -p -r1.89 servconf.h
>--- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
>+++ servconf.h 11 Jan 2010 05:32:28 -0000
>@@ -92,6 +92,7 @@ typedef struct {
> * authenticated with Kerberos. */
> int gss_authentication; /* If true, permit GSSAPI authentication */
> int gss_cleanup_creds; /* If true, destroy cred cache on logout */
>+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
> int password_authentication; /* If true, permit password
> * authentication. */
> int kbd_interactive_authentication; /* If true, permit */
>Index: sshd_config
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
>retrieving revision 1.81
>diff -u -p -r1.81 sshd_config
>--- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
>+++ sshd_config 11 Jan 2010 05:32:28 -0000
>@@ -69,6 +69,7 @@
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>+#GSSAPIStrictAcceptorCheck yes
> 
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
>retrieving revision 1.116
>diff -u -p -r1.116 sshd_config.5
>--- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
>+++ sshd_config.5 11 Jan 2010 05:37:20 -0000
>@@ -386,6 +386,21 @@ on logout.
> The default is
> .Dq yes .
> Note that this option applies to protocol version 2 only.
>+.It Cm GSSAPIStrictAcceptorCheck
>+Determines whether to be strict about the identity of the GSSAPI acceptor
>+a client authenticates against.
>+If set to
>+.Dq yes
>+then the client must authenticate against the
>+.Pa host
>+service on the current hostname.
>+If set to
>+.Dq no
>+then the client may authenticate against any service key stored in the
>+machine's default store.
>+This facility is provided to assist with operation on multi homed machines.
>+The default is
>+.Dq yes .
> .It Cm HostbasedAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful public key client host authentication is allowed