
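--- a/openssh-3.9p1/gss-genr.c
+++ b/openssh-3.9p1/gss-genr.c
@@ -37,6 +37,10 @@
 
 #include "ssh-gss.h"
 
+#include "servconf.h"
+/* import */
+extern ServerOptions options;
+
 extern u_char *session_id2;
 extern u_int session_id2_len;
 
@@ -206,15 +210,18 @@
 {
 	gss_buffer_desc gssbuf;
 
-	gssbuf.length = sizeof("host@") + strlen(host);
-	gssbuf.value = xmalloc(gssbuf.length);
-	snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
+        if ( host ) {
+		gssbuf.length = sizeof("host@") + strlen(host);
+		gssbuf.value = xmalloc(gssbuf.length);
+		snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
+
+		if ((ctx->major = gss_import_name(&ctx->minor,
+	    	&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
+			ssh_gssapi_error(ctx);
 
-	if ((ctx->major = gss_import_name(&ctx->minor,
-	    &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
-		ssh_gssapi_error(ctx);
+		xfree(gssbuf.value);
+        }
 
-	xfree(gssbuf.value);
 	return (ctx->major);
 }
 
@@ -227,14 +234,23 @@
 ssh_gssapi_acquire_cred(Gssctxt *ctx)
 {
 	OM_uint32 status;
-	char lname[MAXHOSTNAMELEN];
+	char *lname;
 	gss_OID_set oidset;
 
 	gss_create_empty_oid_set(&status, &oidset);
 	gss_add_oid_set_member(&status, ctx->oid, &oidset);
 
-	if (gethostname(lname, MAXHOSTNAMELEN))
-		return (-1);
+        if ( options.gss_import_hostname == GSS_IMPORT_HOSTNAME ) {
+                lname=xmalloc(MAXHOSTNAMELEN+1);	
+                if (gethostname(lname, MAXHOSTNAMELEN))
+                return (-1);
+        } else if  ( options.gss_import_hostname == GSS_IMPORT_CONNECTION_IP ) {
+                lname = get_local_name(packet_get_connection_in());
+        } else {
+                lname = NULL;
+        }
+
+	debug("Import local hostname %s", lname?lname:"NULL");
 
 	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
 		return (ctx->major);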
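Review bot: In the `GSS_IMPORT_HOSTNAME` branch of ssh_gssapi_acquire_cred, `lname` is now heap-allocated but the `return (-1)` after a failed gethostname() does not free it, and nothing in the visible lines frees it on the success path either (the function body continues past the hunk, so a later free cannot be ruled out). The buffer is MAXHOSTNAMELEN+1 bytes from xmalloc and gethostname() is not required to NUL-terminate a truncated name, so the spare byte should be set explicitly with `lname[MAXHOSTNAMELEN] = '\0';` before the name reaches `debug()` and the `strlen(host)` in ssh_gssapi_import_name. For the failure path, `if (gethostname(lname, MAXHOSTNAMELEN)) { xfree(lname); return (-1); }` also replaces the unbraced, mis-indented return. Separately, the new `if ( host )` guard in ssh_gssapi_import_name leaves `ctx->major` unassigned when host is NULL, so the `GSS_ERROR(...)` test in the caller reads whatever value was stored earlier; presumably it should be set to `GSS_S_COMPLETE` in that case.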
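--- a/openssh-3.9p1/servconf.c
+++ b/openssh-3.9p1/servconf.c
@@ -74,6 +74,7 @@
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
+	options->gss_import_hostname = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
@@ -187,6 +188,8 @@
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+        if (options->gss_import_hostname == -1)
+                options->gss_import_hostname = GSS_IMPORT_HOSTNAME;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->password_authentication == -1)
@@ -270,7 +273,7 @@
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
+	sGssAuthentication, sGssCleanupCreds, sGssImportHostname, sAcceptEnv,
 	sUsePrivilegeSeparation,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -325,9 +328,11 @@
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication },
 	{ "gssapicleanupcredentials", sGssCleanupCreds },
+        { "gssapiimporthostname", sGssImportHostname},
 #else
 	{ "gssapiauthentication", sUnsupported },
 	{ "gssapicleanupcredentials", sUnsupported },
+        { "gssapiimporthostname", sUnsupported},
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -658,6 +663,28 @@
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
 
+        case sGssImportHostname:
+                intptr = &options->gss_import_hostname;
+                 arg = strdelim(&cp);
+                 if (!arg || *arg == '\0')
+                         fatal("%s line %d: missing hostname/"
+                             "connection-ip/gss-c-no-name "
+                             "argument.", filename, linenum);
+                 value = 0;      /* silence compiler */
+                 if (strcmp(arg, "hostname") == 0)
+                         value = GSS_IMPORT_HOSTNAME;
+                 else if (strcmp(arg, "connection-ip") == 0)
+                         value = GSS_IMPORT_CONNECTION_IP;
+                 else if (strcmp(arg, "gss-c-no-name") == 0)
+                         value = GSS_IMPORT_NO_NAME;
+                 else
+                         fatal("%s line %d: Bad hostname/"
+                             "connection-ip/gss-c-no-name "
+                             "argument: %s", filename, linenum, arg);
+                 if (*intptr == -1)
+                         *intptr = value;
+                 break;
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;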
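Review bot: The new `sGssImportHostname` case has no comment saying what the three accepted values select, and no sshd_config.5 change appears on this page, so an administrator cannot tell that `connection-ip` and `gss-c-no-name` change which acceptor name sshd imports before acquiring its GSSAPI credentials. A comment above the case would help, e.g. `/* hostname: gethostname(); connection-ip: name of the local end of the connection; gss-c-no-name: import no name */`. As far as the gss-genr.c lines on this page show, `connection-ip` takes its name from `get_local_name()`, which presumably involves a reverse lookup of the local address, so the documentation should state that this mode depends on name resolution being trustworthy. The added lines are also indented with spaces where the surrounding cases use tabs.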
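--- a/openssh-3.9p1/servconf.h
+++ b/openssh-3.9p1/servconf.h
@@ -37,6 +37,12 @@
 
 #define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
 
+/* gss_import_hostname flags */
+#define        GSS_IMPORT_HOSTNAME             0
+#define        GSS_IMPORT_CONNECTION_IP        1
+#define        GSS_IMPORT_NO_NAME              2
+
+
 typedef struct {
 	u_int num_ports;
 	u_int ports_from_cmdline;
@@ -88,6 +94,7 @@
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+        int     gss_import_hostname;    /* Possible values 0,1,2 */
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */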
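Review bot: The comment on the new field, `/* Possible values 0,1,2 */`, repeats the numbers instead of naming the constants defined earlier in this header, and it does not mention the -1 "unset" value that servconf.c assigns during initialisation. Suggested wording: `int     gss_import_hostname;    /* GSS_IMPORT_* value; -1 while unset */`. The struct definition starts and ends outside this hunk.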
