|
|
| 0 |
-- a/gss-serv.c |
0 |
++ b/gss-serv.c |
|
Lines 41-49
|
| 41 |
#include "channels.h" |
41 |
#include "channels.h" |
| 42 |
#include "session.h" |
42 |
#include "session.h" |
| 43 |
#include "misc.h" |
43 |
#include "misc.h" |
|
|
44 |
#include "servconf.h" |
| 44 |
|
45 |
|
| 45 |
#include "ssh-gss.h" |
46 |
#include "ssh-gss.h" |
| 46 |
|
47 |
|
|
|
48 |
extern ServerOptions options; |
| 49 |
|
| 47 |
static ssh_gssapi_client gssapi_client = |
50 |
static ssh_gssapi_client gssapi_client = |
| 48 |
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
51 |
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
| 49 |
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; |
52 |
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; |
|
Lines 77-101
ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
| 77 |
char lname[NI_MAXHOST]; |
80 |
char lname[NI_MAXHOST]; |
| 78 |
gss_OID_set oidset; |
81 |
gss_OID_set oidset; |
| 79 |
|
82 |
|
| 80 |
gss_create_empty_oid_set(&status, &oidset); |
83 |
if (options.gss_strict_acceptor) { |
| 81 |
gss_add_oid_set_member(&status, ctx->oid, &oidset); |
84 |
gss_create_empty_oid_set(&status, &oidset); |
| 82 |
|
85 |
gss_add_oid_set_member(&status, ctx->oid, &oidset); |
| 83 |
if (gethostname(lname, sizeof(lname))) { |
86 |
|
| 84 |
gss_release_oid_set(&status, &oidset); |
87 |
if (gethostname(lname, MAXHOSTNAMELEN)) { |
| 85 |
return (-1); |
88 |
gss_release_oid_set(&status, &oidset); |
| 86 |
} |
89 |
return (-1); |
|
|
90 |
} |
| 91 |
|
| 92 |
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { |
| 93 |
gss_release_oid_set(&status, &oidset); |
| 94 |
return (ctx->major); |
| 95 |
} |
| 96 |
|
| 97 |
if ((ctx->major = gss_acquire_cred(&ctx->minor, |
| 98 |
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, |
| 99 |
NULL, NULL))) |
| 100 |
ssh_gssapi_error(ctx); |
| 87 |
|
101 |
|
| 88 |
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { |
|
|
| 89 |
gss_release_oid_set(&status, &oidset); |
102 |
gss_release_oid_set(&status, &oidset); |
| 90 |
return (ctx->major); |
103 |
return (ctx->major); |
|
|
104 |
} else { |
| 105 |
ctx->name = GSS_C_NO_NAME; |
| 106 |
ctx->creds = GSS_C_NO_CREDENTIAL; |
| 91 |
} |
107 |
} |
| 92 |
|
108 |
return GSS_S_COMPLETE; |
| 93 |
if ((ctx->major = gss_acquire_cred(&ctx->minor, |
|
|
| 94 |
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) |
| 95 |
ssh_gssapi_error(ctx); |
| 96 |
|
| 97 |
gss_release_oid_set(&status, &oidset); |
| 98 |
return (ctx->major); |
| 99 |
} |
109 |
} |
| 100 |
|
110 |
|
| 101 |
/* Privileged */ |
111 |
/* Privileged */ |
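Review bot: The strict-acceptor branch now calls `gethostname(lname, MAXHOSTNAMELEN)` although the buffer is still declared `char lname[NI_MAXHOST]`; the size passed should stay tied to the buffer, `if (gethostname(lname, sizeof(lname))) {`, because a mismatch between the two constants either truncates the name or, on a platform where MAXHOSTNAMELEN exceeds NI_MAXHOST, lets gethostname write past the array. gethostname does not promise NUL-termination when it truncates, so `lname[sizeof(lname) - 1] = '\0';` before ssh_gssapi_import_name is cheap insurance either way. The `else` branch is the permissive path (name and credential left as GSS_C_NO_NAME / GSS_C_NO_CREDENTIAL, so any service key in the default store is acceptable), which deserves a one-line comment at the branch, e.g. `/* Non-strict: accept any service principal in the default credential store */`. ssh_gssapi_acquire_cred's signature and the top of its body are above the hunk.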
| 102 |
-- a/servconf.c |
112 |
++ b/servconf.c |
|
Lines 86-91
initialize_server_options(ServerOptions
|
| 86 |
options->kerberos_get_afs_token = -1; |
86 |
options->kerberos_get_afs_token = -1; |
| 87 |
options->gss_authentication=-1; |
87 |
options->gss_authentication=-1; |
| 88 |
options->gss_cleanup_creds = -1; |
88 |
options->gss_cleanup_creds = -1; |
|
|
89 |
options->gss_strict_acceptor = -1; |
| 89 |
options->password_authentication = -1; |
90 |
options->password_authentication = -1; |
| 90 |
options->kbd_interactive_authentication = -1; |
91 |
options->kbd_interactive_authentication = -1; |
| 91 |
options->challenge_response_authentication = -1; |
92 |
options->challenge_response_authentication = -1; |
|
Lines 200-205
fill_default_server_options(ServerOption
|
| 200 |
options->gss_authentication = 0; |
201 |
options->gss_authentication = 0; |
| 201 |
if (options->gss_cleanup_creds == -1) |
202 |
if (options->gss_cleanup_creds == -1) |
| 202 |
options->gss_cleanup_creds = 1; |
203 |
options->gss_cleanup_creds = 1; |
|
|
204 |
if (options->gss_strict_acceptor == -1) |
| 205 |
options->gss_strict_acceptor = 0; |
| 203 |
if (options->password_authentication == -1) |
206 |
if (options->password_authentication == -1) |
| 204 |
options->password_authentication = 1; |
207 |
options->password_authentication = 1; |
| 205 |
if (options->kbd_interactive_authentication == -1) |
208 |
if (options->kbd_interactive_authentication == -1) |
|
Lines 277-283
typedef enum {
|
| 277 |
sBanner, sUseDNS, sHostbasedAuthentication, |
280 |
sBanner, sUseDNS, sHostbasedAuthentication, |
| 278 |
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
281 |
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
| 279 |
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
282 |
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
| 280 |
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, |
283 |
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
|
|
284 |
sAcceptEnv, sPermitTunnel, |
| 281 |
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
285 |
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| 282 |
sUsePrivilegeSeparation, sAllowAgentForwarding, |
286 |
sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 283 |
sHostCertificate, |
287 |
sHostCertificate, |
|
Lines 327-335
static struct {
|
| 327 |
#ifdef GSSAPI |
331 |
#ifdef GSSAPI |
| 328 |
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
332 |
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
| 329 |
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
333 |
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
|
|
334 |
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
| 330 |
#else |
335 |
#else |
| 331 |
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
336 |
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
| 332 |
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
337 |
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
|
|
338 |
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
| 333 |
#endif |
339 |
#endif |
| 334 |
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
340 |
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
| 335 |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
341 |
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
|
Lines 850-855
process_server_config_line(ServerOptions
|
| 850 |
|
856 |
|
| 851 |
case sGssCleanupCreds: |
857 |
case sGssCleanupCreds: |
| 852 |
intptr = &options->gss_cleanup_creds; |
858 |
intptr = &options->gss_cleanup_creds; |
|
|
859 |
goto parse_flag; |
| 860 |
|
| 861 |
case sGssStrictAcceptor: |
| 862 |
intptr = &options->gss_strict_acceptor; |
| 853 |
goto parse_flag; |
863 |
goto parse_flag; |
| 854 |
|
864 |
|
| 855 |
case sPasswordAuthentication: |
865 |
case sPasswordAuthentication: |
| 856 |
-- a/servconf.h |
866 |
++ b/servconf.h |
|
Lines 92-97
typedef struct {
|
| 92 |
* authenticated with Kerberos. */ |
92 |
* authenticated with Kerberos. */ |
| 93 |
int gss_authentication; /* If true, permit GSSAPI authentication */ |
93 |
int gss_authentication; /* If true, permit GSSAPI authentication */ |
| 94 |
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
94 |
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ |
|
|
95 |
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ |
| 95 |
int password_authentication; /* If true, permit password |
96 |
int password_authentication; /* If true, permit password |
| 96 |
* authentication. */ |
97 |
* authentication. */ |
| 97 |
int kbd_interactive_authentication; /* If true, permit */ |
98 |
int kbd_interactive_authentication; /* If true, permit */ |
| 98 |
-- a/sshd_config |
99 |
++ b/sshd_config |
|
Lines 69-74
|
| 69 |
# GSSAPI options |
69 |
# GSSAPI options |
| 70 |
#GSSAPIAuthentication no |
70 |
#GSSAPIAuthentication no |
| 71 |
#GSSAPICleanupCredentials yes |
71 |
#GSSAPICleanupCredentials yes |
|
|
72 |
#GSSAPIStrictAcceptorCheck yes |
| 72 |
|
73 |
|
| 73 |
# Set this to 'yes' to enable PAM authentication, account processing, |
74 |
# Set this to 'yes' to enable PAM authentication, account processing, |
| 74 |
# and session processing. If this is enabled, PAM authentication will |
75 |
# and session processing. If this is enabled, PAM authentication will |
| 75 |
-- a/sshd_config.5 |
76 |
++ b/sshd_config.5 |
|
Lines 386-391
on logout.
|
| 386 |
The default is |
386 |
The default is |
| 387 |
.Dq yes . |
387 |
.Dq yes . |
| 388 |
Note that this option applies to protocol version 2 only. |
388 |
Note that this option applies to protocol version 2 only. |
|
|
389 |
.It Cm GSSAPIStrictAcceptorCheck |
| 390 |
Determines whether to be strict about the identity of the GSSAPI acceptor |
| 391 |
a client authenticates against. |
| 392 |
If set to |
| 393 |
.Dq yes |
| 394 |
then the client must authenticate against the |
| 395 |
.Pa host |
| 396 |
service on the current hostname. |
| 397 |
If set to |
| 398 |
.Dq no |
| 399 |
then the client may authenticate against any service key stored in the |
| 400 |
machine's default store. |
| 401 |
This facility is provided to assist with operation on multi homed machines. |
| 402 |
The default is |
| 403 |
.Dq yes . |
| 389 |
.It Cm HostbasedAcceptedKeyTypes |
404 |
.It Cm HostbasedAcceptedKeyTypes |
| 390 |
Specifies the key types that will be accepted for hostbased authentication |
405 |
Specifies the key types that will be accepted for hostbased authentication |
| 391 |
as a comma-separated pattern list. |
406 |
as a comma-separated pattern list. |