upstream commit
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
This commit is contained in:
parent
aa72196a00
commit
d7c31da4d4
40
gss-serv.c
40
gss-serv.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
|
||||
/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
|
@ -44,9 +44,12 @@
|
|||
#include "channels.h"
|
||||
#include "session.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
#include "ssh-gss.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
static ssh_gssapi_client gssapi_client =
|
||||
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
||||
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
|
||||
|
@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
|||
char lname[NI_MAXHOST];
|
||||
gss_OID_set oidset;
|
||||
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
if (options.gss_strict_acceptor) {
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
if (gethostname(lname, sizeof(lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
|
||||
NULL, NULL)))
|
||||
ssh_gssapi_error(ctx);
|
||||
|
||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
} else {
|
||||
ctx->name = GSS_C_NO_NAME;
|
||||
ctx->creds = GSS_C_NO_CREDENTIAL;
|
||||
}
|
||||
|
||||
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
||||
ssh_gssapi_error(ctx);
|
||||
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
return GSS_S_COMPLETE;
|
||||
}
|
||||
|
||||
/* Privileged */
|
||||
|
|
14
servconf.c
14
servconf.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
options->gss_cleanup_creds = -1;
|
||||
options->gss_strict_acceptor = -1;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
|
@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->gss_authentication = 0;
|
||||
if (options->gss_cleanup_creds == -1)
|
||||
options->gss_cleanup_creds = 1;
|
||||
if (options->gss_strict_acceptor == -1)
|
||||
options->gss_strict_acceptor = 0;
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
|
@ -397,7 +400,8 @@ typedef enum {
|
|||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
|
@ -469,9 +473,11 @@ static struct {
|
|||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
|
@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
|||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
|
||||
case sGssStrictAcceptor:
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.118 2015/05/21 06:43:31 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -118,6 +118,7 @@ typedef struct {
|
|||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $
|
||||
.Dd $Mdocdate: May 21 2015 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
|
||||
.Dd $Mdocdate: May 22 2015 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -622,6 +622,21 @@ on logout.
|
|||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
If set to
|
||||
.Dq yes
|
||||
then the client must authenticate against the
|
||||
.Pa host
|
||||
service on the current hostname.
|
||||
If set to
|
||||
.Dq no
|
||||
then the client may authenticate against any service key stored in the
|
||||
machine's default store.
|
||||
This facility is provided to assist with operation on multi homed machines.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
|
|
Loading…
Reference in New Issue