Bugzilla – Attachment 2965 Details for
Bug 2696
Allow to restrict access to service using authentication indicators
[patch]
allow specify auth-indicators
openssh_gssapi_auth_indicators.patch (text/plain), 9.89 KB, created by
Jakub Jelen
on 2017-03-22 01:12:40 AEDT
Description:
allow specifying auth-indicators
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2017-03-22 01:12:40 AEDT
Size:
9.89 KB
patch
obsolete
>From db80835c33c03f34443142fb221ecbbce1435486 Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Tue, 21 Mar 2017 14:50:03 +0100
>Subject: [PATCH] Allow to specify GSSAPI authentication indicators
>
>---
> auth2-gss.c | 7 +++++--
> gss-serv.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> monitor.c | 2 +-
> monitor_wrap.c | 2 +-
> monitor_wrap.h | 2 +-
> servconf.c | 16 +++++++++++++++-
> servconf.h | 1 +
> ssh-gss.h | 2 +-
> sshd_config.5 | 7 +++++++
> 9 files changed, 88 insertions(+), 8 deletions(-)
>
>diff --git a/auth2-gss.c b/auth2-gss.c
>index 1ca8357..6531c2b 100644
>--- a/auth2-gss.c
>+++ b/auth2-gss.c
>@@ -238,7 +238,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
>
> packet_check_eom();
>
>- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
>+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
>+ authctxt->methoddata));
>
> authctxt->postponed = 0;
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
>@@ -252,6 +253,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
> static int
> input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
> {
>+ logit("%s: called", __func__);
> Authctxt *authctxt = ctxt;
> Gssctxt *gssctxt;
> int authenticated = 0;
>@@ -274,7 +276,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
> gssbuf.length = buffer_len(&b);
>
> if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
>- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
>+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
>+ authctxt->methoddata));
> else
> logit("GSSAPI MIC check failed");
>
>diff --git a/gss-serv.c b/gss-serv.c
>index 53993d6..3f25dc0 100644
>--- a/gss-serv.c
>+++ b/gss-serv.c
>@@ -33,6 +33,7 @@
> #include <stdarg.h>
> #include <string.h>
> #include <unistd.h>
>+#include <gssapi/gssapi_ext.h>
>
> #include "openbsd-compat/sys-queue.h"
> #include "xmalloc.h"
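Review bot: The `logit("%s: called", __func__);` added at the top of input_gssapi_mic() looks like leftover debugging: it logs at the default level on every GSSAPI MIC message and sits before the local declarations, which the surrounding code keeps first in the block. Drop it, or make it `debug3("%s: called", __func__);` placed after the declarations. input_gssapi_mic's body continues outside the hunk.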
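Review bot: `#include <gssapi/gssapi_ext.h>` is added unconditionally in gss-serv.c, but that header and the `gss_get_name_attribute()` it declares are, as far as I know, only provided by the MIT Kerberos GSSAPI, so builds against another GSSAPI library would fail at this include before the new code is reached. Wrap it in a configure-detected guard (placeholder: `#ifdef HAVE_GSSAPI_GSSAPI_EXT_H`) and give the indicator check an explicit behaviour when the API is absent; returning 1 there would silently disable the restriction, so it should fail closed or fatal() when GSSAPIRequiredAuthIndicators is set.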
>@@ -355,12 +356,66 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
> }
> }
>
>+/* Handle authentication indicators */
>+int
>+verify_authentication_indicators(Gssctxt *gssctxt)
>+{
>+ gss_buffer_desc attr;
>+ attr.value = "auth-indicators";
>+ attr.length = strlen(attr.value);
>+ int authenticated = 0, complete = 0, more = -1;
>+ gss_buffer_desc value = {0, NULL};
>+ gss_buffer_desc display_value = {0, NULL};
>+ char *p, *ap = options.gss_required_auth_indicators;
>+ OM_uint32 min_status, maj_status;
>+ int accept = 0;
>+
>+ debug3("%s: entering", __func__);
>+
>+ /* when not specified, allow the access*/
>+ if (options.gss_required_auth_indicators == NULL)
>+ return 1;
>+
>+ debug3("%s: Need GSSAPI Auth Indicators (%s)", __func__,
>+ options.gss_required_auth_indicators);
>+ do {
>+ maj_status = gss_get_name_attribute(&min_status,
>+ gssctxt->client, &attr, &authenticated,
>+ &complete, &value, &display_value, &more);
>+
>+ debug3("%s: gss_get_name_attribute = 0x%.8X", __func__, maj_status);
>+ /* no auth indicators in the ticket: reject access */
>+ if (maj_status != GSS_S_COMPLETE)
>+ break;
>+
>+ debug3("%s: Ticket authentication indicator value = %s",
>+ __func__, (char *)value.value);
>+ for (p = strtok(ap, " "); p; p = strtok(NULL, " ")) {
>+ if (strcmp(p, value.value) == 0) {
>+ logit("%s: found match %s", __func__,
>+ (char *)value.value);
>+ accept = 1;
>+ break;
>+ }
>+ }
>+ gss_release_buffer(&min_status, &value);
>+ gss_release_buffer(&min_status, &display_value);
>+ } while (more != 0);
>+
>+ return accept;
>+}
>+
> /* Privileged */
> int
>-ssh_gssapi_userok(char *user)
>+ssh_gssapi_userok(char *user, Gssctxt *ctxt)
> {
> OM_uint32 lmin;
>
>+ if (verify_authentication_indicators(ctxt) == 0) {
>+ logit("GSSAPI authentication rejected: missing authentication indicators");
>+ return 0;
>+ }
>+
> if (gssapi_client.exportedname.length == 0 ||
> gssapi_client.exportedname.value == NULL) {
> debug("No suitable client data");
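Review bot: `strtok(ap, " ")` in the matching loop of verify_authentication_indicators() writes NUL bytes into `options.gss_required_auth_indicators` itself, so once the first attribute value has been checked the configured list is truncated to its first token and every further value returned by `gss_get_name_attribute()` (the `more != 0` iterations) is compared against that single token only; `strtok()` is also not reentrant. The `strcmp()` and both `%s` log lines treat `value.value` as a NUL-terminated string, whereas a `gss_buffer_desc` carries an explicit `length`, so the match should compare `value.length` bytes with `memcmp()` and the logging should use `%.*s`. The `authenticated` output of `gss_get_name_attribute()` is filled in but never read; if the mechanism can return unauthenticated values for this attribute, `accept` should additionally require it to be non-zero. The loop below walks the option string read-only with `strcspn()`/`strspn()`; it replaces the `char *p, *ap` declaration and the `for` loop and leaves the rest of the function as is.
```c
	const char *p, *q, *ap = options.gss_required_auth_indicators;
	size_t len;
	/* … unchanged: remaining declarations, early return when the option is unset,
	 * gss_get_name_attribute() call and GSS_S_COMPLETE check … */
		debug3("%s: Ticket authentication indicator value = %.*s",
		    __func__, (int)value.length, (char *)value.value);
		/*
		 * Walk the configured list read-only: strtok() would NUL-split
		 * the option string in place, leaving only its first token for
		 * the next attribute value.
		 */
		for (p = ap; *p != '\0'; p = q) {
			q = p + strcspn(p, " ");
			len = (size_t)(q - p);
			if (authenticated && len == value.length &&
			    memcmp(p, value.value, len) == 0) {
				logit("%s: found match %.*s", __func__,
				    (int)len, p);
				accept = 1;
				break;
			}
			q += strspn(q, " ");
		}
		/* … unchanged: gss_release_buffer() calls, loop condition, return … */
```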
>diff --git a/monitor.c b/monitor.c
>index 96d22b7..2ae181a 100644
>--- a/monitor.c
>+++ b/monitor.c
>@@ -1778,7 +1778,7 @@ mm_answer_gss_userok(int sock, Buffer *m)
> if (!options.gss_authentication)
> fatal("%s: GSSAPI authentication not enabled", __func__);
>
>- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
>+ authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user, gsscontext);
>
> buffer_clear(m);
> buffer_put_int(m, authenticated);
>diff --git a/monitor_wrap.c b/monitor_wrap.c
>index 64ff928..5e19afa 100644
>--- a/monitor_wrap.c
>+++ b/monitor_wrap.c
>@@ -924,7 +924,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
> }
>
> int
>-mm_ssh_gssapi_userok(char *user)
>+mm_ssh_gssapi_userok(char *user, Gssctxt *ctxt)
> {
> Buffer m;
> int authenticated = 0;
>diff --git a/monitor_wrap.h b/monitor_wrap.h
>index db5902f..bf0c0df 100644
>--- a/monitor_wrap.h
>+++ b/monitor_wrap.h
>@@ -55,7 +55,7 @@ int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
> OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
> OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
> gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
>-int mm_ssh_gssapi_userok(char *user);
>+int mm_ssh_gssapi_userok(char *user, Gssctxt *ctxt);
> OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
> #endif
>
>diff --git a/servconf.c b/servconf.c
>index 1455943..69d5cfa 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -129,6 +129,7 @@ initialize_server_options(ServerOptions *options)
> options->gss_authentication=-1;
> options->gss_cleanup_creds = -1;
> options->gss_strict_acceptor = -1;
>+ options->gss_required_auth_indicators = NULL;
> options->password_authentication = -1;
> options->kbd_interactive_authentication = -1;
> options->challenge_response_authentication = -1;
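Review bot: The new `ctxt` parameter of mm_ssh_gssapi_userok() in monitor_wrap.c is not referenced in the part of the wrapper shown, and the indicator check runs in the monitor against its own `gsscontext` (the monitor.c hunk above), so the argument appears to exist only to keep the PRIVSEP() call signature uniform. A comment on the signature such as `/* ctxt is unused here: the monitor checks its own gsscontext */` would save the next reader from looking for a missing buffer_put of it. The function body continues past the hunk, so confirm nothing there uses it before adding the comment.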
>@@ -369,6 +370,7 @@ fill_default_server_options(ServerOptions *options)
> CLEAR_ON_NONE(options->authorized_principals_file);
> CLEAR_ON_NONE(options->adm_forced_command);
> CLEAR_ON_NONE(options->chroot_directory);
>+ CLEAR_ON_NONE(options->gss_required_auth_indicators);
> for (i = 0; i < options->num_host_key_files; i++)
> CLEAR_ON_NONE(options->host_key_files[i]);
> for (i = 0; i < options->num_host_cert_files; i++)
>@@ -428,7 +430,7 @@ typedef enum {
> sHostKeyAlgorithms,
> sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
> sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
>- sAcceptEnv, sPermitTunnel,
>+ sGssRequiredAuthIndicators, sAcceptEnv, sPermitTunnel,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sHostCertificate, sInclude,
>@@ -504,10 +506,12 @@ static struct {
> { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
> { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
> { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
>+ { "gssapirequiredauthindicators", sGssRequiredAuthIndicators, SSHCFG_GLOBAL },
> #else
> { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
> { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
> { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
>+ { "gssapirequiredauthindicators", sUnsupported, SSHCFG_GLOBAL },
> #endif
> { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
>@@ -1262,6 +1266,15 @@ process_server_config_line_depth(ServerOptions *options, char *line,
> intptr = &options->gss_strict_acceptor;
> goto parse_flag;
>
>+ case sGssRequiredAuthIndicators:
>+ if (cp == NULL || *cp == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ len = strspn(cp, WHITESPACE "=");
>+ if (*activep && options->gss_required_auth_indicators == NULL)
>+ options->gss_required_auth_indicators = xstrdup(cp + len);
>+ break;
>+
> case sPasswordAuthentication:
> intptr = &options->password_authentication;
> goto parse_flag;
>@@ -2377,6 +2390,7 @@ dump_config(ServerOptions *o)
> dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
> dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
> #endif
>+ dump_cfg_string(sGssRequiredAuthIndicators, o->gss_required_auth_indicators);
> dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
> dump_cfg_fmtint(sKbdInteractiveAuthentication,
> o->kbd_interactive_authentication);
>diff --git a/servconf.h b/servconf.h
>index 7a125dd..8a62d3b 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -114,6 +114,7 @@ typedef struct {
> int gss_authentication; /* If true, permit GSSAPI authentication */
> int gss_cleanup_creds; /* If true, destroy cred cache on logout */
> int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
>+ char *gss_required_auth_indicators; /* GSSAPI required auth-indicators names */
> int password_authentication; /* If true, permit password
> * authentication. */
> int kbd_interactive_authentication; /* If true, permit */
>diff --git a/ssh-gss.h b/ssh-gss.h
>index a99d7f0..6646276 100644
>--- a/ssh-gss.h
>+++ b/ssh-gss.h
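Review bot: The `sGssRequiredAuthIndicators` case stores the rest of the line with `xstrdup(cp + len)` but never advances `cp` and ends with `break;`, whereas the whole-line options it is modelled on (ForceCommand and the command options in this file) end with `return 0;` so that the "garbage at end of line" check after the switch does not see the unconsumed value. That check is outside the hunk, but if it is present in this tree any non-empty GSSAPIRequiredAuthIndicators value would be rejected as garbage; change `break;` to `return 0;`. A short comment on the case, e.g. `/* consumes the remainder of the line as a space-separated list */`, would also make the intent clear to the next reader.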
>@@ -123,7 +123,7 @@ int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
>
> /* In the server */
> OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
>-int ssh_gssapi_userok(char *name);
>+int ssh_gssapi_userok(char *name, Gssctxt *ctxt);
> OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
> void ssh_gssapi_do_child(char ***, u_int *);
> void ssh_gssapi_cleanup_creds(void);
>diff --git a/sshd_config.5 b/sshd_config.5
>index 92c0f17..c4ab758 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -632,6 +632,13 @@ Specifies whether to automatically destroy the user's credentials cache
> on logout.
> The default is
> .Cm yes .
>+.It Cm GSSAPIRequiredAuthIndicators
>+Allow GSSSAPI authentication only for tickets having set auth-indicator
>+to these values. Accepts space separated list of accepted authentication
>+indicators for this service.
>+The default is
>+.Cm none
>+meaining no authentication indicators are needed to be present in the tickets.
> .It Cm GSSAPIStrictAcceptorCheck
> Determines whether to be strict about the identity of the GSSAPI acceptor
> a client authenticates against.
>-- 
>2.9.3
>
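Review bot: verify_authentication_indicators() is defined with external linkage in gss-serv.c, yet this header, which the patch already edits for the `ssh_gssapi_userok()` prototype, gets no declaration for it; that leaves a generic, unprefixed name in the global namespace and trips -Wmissing-prototypes. Since its only caller is ssh_gssapi_userok() in the same file, make it `static` (ideally under the ssh_gssapi_ naming used by its neighbours); otherwise add `int verify_authentication_indicators(Gssctxt *);` next to the other server prototypes here. The new `Gssctxt *ctxt` parameter would also benefit from a comment stating what must be passed, e.g. `/* ctxt: the accepted context whose client name is checked */`.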