Attachment 2571 Details for Bug 928 – openssh-6.8_p1-sshd-gssapi-multihomed.patch

[patch] openssh-6.8_p1-sshd-gssapi-multihomed.patch

openssh-6.8_p1-sshd-gssapi-multihomed.patch (text/plain), 5.34 KB, created by Mike Frysinger on 2015-03-19 04:16:29 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Mike Frysinger

Created: 2015-03-19 04:16:29 AEDT

Size: 5.34 KB

patch

obsolete

>https://bugs.gentoo.org/378361
>https://bugzilla.mindrot.org/show_bug.cgi?id=928
>
>--- a/gss-serv.c
>+++ b/gss-serv.c
>@@ -41,9 +41,12 @@
> #include "channels.h"
> #include "session.h"
> #include "misc.h"
>+#include "servconf.h"
> 
> #include "ssh-gss.h"
> 
>+extern ServerOptions options;
>+
> static ssh_gssapi_client gssapi_client =
>     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
>     GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
>@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
> 	char lname[NI_MAXHOST];
> 	gss_OID_set oidset;
> 
>-	gss_create_empty_oid_set(&status, &oidset);
>-	gss_add_oid_set_member(&status, ctx->oid, &oidset);
>-
>-	if (gethostname(lname, sizeof(lname))) {
>-		gss_release_oid_set(&status, &oidset);
>-		return (-1);
>-	}
>+	if (options.gss_strict_acceptor) {
>+		gss_create_empty_oid_set(&status, &oidset);
>+		gss_add_oid_set_member(&status, ctx->oid, &oidset);
>+
>+		if (gethostname(lname, MAXHOSTNAMELEN)) {
>+			gss_release_oid_set(&status, &oidset);
>+			return (-1);
>+		}
>+
>+		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
>+			gss_release_oid_set(&status, &oidset);
>+			return (ctx->major);
>+		}
>+
>+		if ((ctx->major = gss_acquire_cred(&ctx->minor,
>+		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
>+		    NULL, NULL)))
>+			ssh_gssapi_error(ctx);
> 
>-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
> 		gss_release_oid_set(&status, &oidset);
> 		return (ctx->major);
>+	} else {
>+		ctx->name = GSS_C_NO_NAME;
>+		ctx->creds = GSS_C_NO_CREDENTIAL;
> 	}
>-
>-	if ((ctx->major = gss_acquire_cred(&ctx->minor,
>-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
>-		ssh_gssapi_error(ctx);
>-
>-	gss_release_oid_set(&status, &oidset);
>-	return (ctx->major);
>+	return GSS_S_COMPLETE;
> }
> 
> /* Privileged */
>--- a/servconf.c
>+++ b/servconf.c
>@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions 
> 	options->kerberos_get_afs_token = -1;
> 	options->gss_authentication=-1;
> 	options->gss_cleanup_creds = -1;
>+	options->gss_strict_acceptor = -1;
> 	options->password_authentication = -1;
> 	options->kbd_interactive_authentication = -1;
> 	options->challenge_response_authentication = -1;
>@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
> 		options->gss_authentication = 0;
> 	if (options->gss_cleanup_creds == -1)
> 		options->gss_cleanup_creds = 1;
>+	if (options->gss_strict_acceptor == -1)
>+		options->gss_strict_acceptor = 0;
> 	if (options->password_authentication == -1)
> 		options->password_authentication = 1;
> 	if (options->kbd_interactive_authentication == -1)
>@@ -277,7 +280,8 @@ typedef enum {
> 	sBanner, sUseDNS, sHostbasedAuthentication,
> 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
> 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
>-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
>+	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
>+	sAcceptEnv, sPermitTunnel,
> 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> 	sUsePrivilegeSeparation, sAllowAgentForwarding,
> 	sHostCertificate,
>@@ -327,9 +331,11 @@ static struct {
> #ifdef GSSAPI
> 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
> 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
>+	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
> #else
> 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
> 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
>+	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
> #endif
> 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
> 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
>@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
> 
> 	case sGssCleanupCreds:
> 		intptr = &options->gss_cleanup_creds;
>+		goto parse_flag;
>+
>+	case sGssStrictAcceptor:
>+		intptr = &options->gss_strict_acceptor;
> 		goto parse_flag;
> 
> 	case sPasswordAuthentication:
>--- a/servconf.h
>+++ b/servconf.h
>@@ -92,6 +92,7 @@ typedef struct {
> 						 * authenticated with Kerberos. */
> 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
> 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
>+	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
> 	int     password_authentication;	/* If true, permit password
> 						 * authentication. */
> 	int     kbd_interactive_authentication;	/* If true, permit */
>--- a/sshd_config
>+++ b/sshd_config
>@@ -69,6 +69,7 @@
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>+#GSSAPIStrictAcceptorCheck yes
> 
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -386,6 +386,21 @@ on logout.
> The default is
> .Dq yes .
> Note that this option applies to protocol version 2 only.
>+.It Cm GSSAPIStrictAcceptorCheck
>+Determines whether to be strict about the identity of the GSSAPI acceptor
>+a client authenticates against.
>+If set to
>+.Dq yes
>+then the client must authenticate against the
>+.Pa host
>+service on the current hostname.
>+If set to
>+.Dq no
>+then the client may authenticate against any service key stored in the
>+machine's default store.
>+This facility is provided to assist with operation on multi homed machines.
>+The default is
>+.Dq yes .
> .It Cm HostbasedAcceptedKeyTypes
> Specifies the key types that will be accepted for hostbased authentication
> as a comma-separated pattern list.

Actions: View | Diff

Attachments on bug 928: 715 | 1182 | 1775 | 2571