Bugzilla – Attachment 2571 Details for
Bug 928
Kerberos/GSSAPI authentication does not work with multihomed hosts
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
openssh-6.8_p1-sshd-gssapi-multihomed.patch
openssh-6.8_p1-sshd-gssapi-multihomed.patch (text/plain), 5.34 KB, created by
Mike Frysinger
on 2015-03-19 04:16:29 AEDT
(
hide
)
Description:
openssh-6.8_p1-sshd-gssapi-multihomed.patch
Filename:
MIME Type:
Creator:
Mike Frysinger
Created:
2015-03-19 04:16:29 AEDT
Size:
5.34 KB
patch
obsolete
>https://bugs.gentoo.org/378361 >https://bugzilla.mindrot.org/show_bug.cgi?id=928 > >--- a/gss-serv.c >+++ b/gss-serv.c >@@ -41,9 +41,12 @@ > #include "channels.h" > #include "session.h" > #include "misc.h" >+#include "servconf.h" > > #include "ssh-gss.h" > >+extern ServerOptions options; >+ > static ssh_gssapi_client gssapi_client = > { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, > GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; >@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) > char lname[NI_MAXHOST]; > gss_OID_set oidset; > >- gss_create_empty_oid_set(&status, &oidset); >- gss_add_oid_set_member(&status, ctx->oid, &oidset); >- >- if (gethostname(lname, sizeof(lname))) { >- gss_release_oid_set(&status, &oidset); >- return (-1); >- } >+ if (options.gss_strict_acceptor) { >+ gss_create_empty_oid_set(&status, &oidset); >+ gss_add_oid_set_member(&status, ctx->oid, &oidset); >+ >+ if (gethostname(lname, MAXHOSTNAMELEN)) { >+ gss_release_oid_set(&status, &oidset); >+ return (-1); >+ } >+ >+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { >+ gss_release_oid_set(&status, &oidset); >+ return (ctx->major); >+ } >+ >+ if ((ctx->major = gss_acquire_cred(&ctx->minor, >+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, >+ NULL, NULL))) >+ ssh_gssapi_error(ctx); > >- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { > gss_release_oid_set(&status, &oidset); > return (ctx->major); >+ } else { >+ ctx->name = GSS_C_NO_NAME; >+ ctx->creds = GSS_C_NO_CREDENTIAL; > } >- >- if ((ctx->major = gss_acquire_cred(&ctx->minor, >- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) >- ssh_gssapi_error(ctx); >- >- gss_release_oid_set(&status, &oidset); >- return (ctx->major); >+ return GSS_S_COMPLETE; > } > > /* Privileged */ >--- a/servconf.c >+++ b/servconf.c >@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions > options->kerberos_get_afs_token = -1; > options->gss_authentication=-1; > options->gss_cleanup_creds = -1; >+ options->gss_strict_acceptor = -1; > options->password_authentication = -1; > options->kbd_interactive_authentication = -1; > options->challenge_response_authentication = -1; >@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption > options->gss_authentication = 0; > if (options->gss_cleanup_creds == -1) > options->gss_cleanup_creds = 1; >+ if (options->gss_strict_acceptor == -1) >+ options->gss_strict_acceptor = 0; > if (options->password_authentication == -1) > options->password_authentication = 1; > if (options->kbd_interactive_authentication == -1) >@@ -277,7 +280,8 @@ typedef enum { > sBanner, sUseDNS, sHostbasedAuthentication, > sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, > sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, >- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, >+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, >+ sAcceptEnv, sPermitTunnel, > sMatch, sPermitOpen, sForceCommand, sChrootDirectory, > sUsePrivilegeSeparation, sAllowAgentForwarding, > sHostCertificate, >@@ -327,9 +331,11 @@ static struct { > #ifdef GSSAPI > { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, > { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, >+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, > #else > { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, > { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, >+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, > #endif > { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, > { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, >@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions > > case sGssCleanupCreds: > intptr = &options->gss_cleanup_creds; >+ goto parse_flag; >+ >+ case sGssStrictAcceptor: >+ intptr = &options->gss_strict_acceptor; > goto parse_flag; > > case sPasswordAuthentication: >--- a/servconf.h >+++ b/servconf.h >@@ -92,6 +92,7 @@ typedef struct { > * authenticated with Kerberos. */ > int gss_authentication; /* If true, permit GSSAPI authentication */ > int gss_cleanup_creds; /* If true, destroy cred cache on logout */ >+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ > int password_authentication; /* If true, permit password > * authentication. */ > int kbd_interactive_authentication; /* If true, permit */ >--- a/sshd_config >+++ b/sshd_config >@@ -69,6 +69,7 @@ > # GSSAPI options > #GSSAPIAuthentication no > #GSSAPICleanupCredentials yes >+#GSSAPIStrictAcceptorCheck yes > > # Set this to 'yes' to enable PAM authentication, account processing, > # and session processing. If this is enabled, PAM authentication will >--- a/sshd_config.5 >+++ b/sshd_config.5 >@@ -386,6 +386,21 @@ on logout. > The default is > .Dq yes . > Note that this option applies to protocol version 2 only. >+.It Cm GSSAPIStrictAcceptorCheck >+Determines whether to be strict about the identity of the GSSAPI acceptor >+a client authenticates against. >+If set to >+.Dq yes >+then the client must authenticate against the >+.Pa host >+service on the current hostname. >+If set to >+.Dq no >+then the client may authenticate against any service key stored in the >+machine's default store. >+This facility is provided to assist with operation on multi homed machines. >+The default is >+.Dq yes . > .It Cm HostbasedAcceptedKeyTypes > Specifies the key types that will be accepted for hostbased authentication > as a comma-separated pattern list.
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 928
:
715
|
1182
|
1775
| 2571