upstream commit
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
parent
aa72196a00
commit
d7c31da4d4
40
gss-serv.c
40
gss-serv.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
|
/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
|
@ -44,9 +44,12 @@
|
||||||
#include "channels.h"
|
#include "channels.h"
|
||||||
#include "session.h"
|
#include "session.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
#include "servconf.h"
|
||||||
|
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
|
|
||||||
|
extern ServerOptions options;
|
||||||
|
|
||||||
static ssh_gssapi_client gssapi_client =
|
static ssh_gssapi_client gssapi_client =
|
||||||
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
||||||
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
|
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
|
||||||
|
@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||||
char lname[NI_MAXHOST];
|
char lname[NI_MAXHOST];
|
||||||
gss_OID_set oidset;
|
gss_OID_set oidset;
|
||||||
|
|
||||||
gss_create_empty_oid_set(&status, &oidset);
|
if (options.gss_strict_acceptor) {
|
||||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
gss_create_empty_oid_set(&status, &oidset);
|
||||||
|
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||||
|
|
||||||
if (gethostname(lname, sizeof(lname))) {
|
if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||||
gss_release_oid_set(&status, &oidset);
|
gss_release_oid_set(&status, &oidset);
|
||||||
return (-1);
|
return (-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||||
|
gss_release_oid_set(&status, &oidset);
|
||||||
|
return (ctx->major);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||||
|
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
|
||||||
|
NULL, NULL)))
|
||||||
|
ssh_gssapi_error(ctx);
|
||||||
|
|
||||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
|
||||||
gss_release_oid_set(&status, &oidset);
|
gss_release_oid_set(&status, &oidset);
|
||||||
return (ctx->major);
|
return (ctx->major);
|
||||||
|
} else {
|
||||||
|
ctx->name = GSS_C_NO_NAME;
|
||||||
|
ctx->creds = GSS_C_NO_CREDENTIAL;
|
||||||
}
|
}
|
||||||
|
return GSS_S_COMPLETE;
|
||||||
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
|
||||||
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
|
||||||
ssh_gssapi_error(ctx);
|
|
||||||
|
|
||||||
gss_release_oid_set(&status, &oidset);
|
|
||||||
return (ctx->major);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Privileged */
|
/* Privileged */
|
||||||
|
|
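Review bot: The new gethostname() call in ssh_gssapi_acquire_cred bounds the write with MAXHOSTNAMELEN while the buffer is still declared as `char lname[NI_MAXHOST];` (taking the $OpenBSD$ header order as old-then-new, the old side passed `sizeof(lname)`). The two constants come from different headers and are not guaranteed to agree across platforms, so the call now silently relies on MAXHOSTNAMELEN <= NI_MAXHOST; `if (gethostname(lname, sizeof(lname))) {` keeps the bound tied to the array that is actually written. The rest of the restructuring looks right: every exit from the strict branch releases oidset, and the relaxed branch leaves ctx->name/ctx->creds as GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL so the library's default acceptor credential is used, which is the behaviour the man page describes. ssh_gssapi_acquire_cred begins before this hunk.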
14
servconf.c
14
servconf.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */
|
/* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
|
@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
options->gss_cleanup_creds = -1;
|
options->gss_cleanup_creds = -1;
|
||||||
|
options->gss_strict_acceptor = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
|
@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_cleanup_creds == -1)
|
if (options->gss_cleanup_creds == -1)
|
||||||
options->gss_cleanup_creds = 1;
|
options->gss_cleanup_creds = 1;
|
||||||
|
if (options->gss_strict_acceptor == -1)
|
||||||
|
options->gss_strict_acceptor = 0;
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
|
@ -397,7 +400,8 @@ typedef enum {
|
||||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
|
sAcceptEnv, sPermitTunnel,
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
sHostCertificate,
|
sHostCertificate,
|
||||||
|
@ -469,9 +473,11 @@ static struct {
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||||
#else
|
#else
|
||||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
|
@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||||
intptr = &options->gss_cleanup_creds;
|
intptr = &options->gss_cleanup_creds;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
|
case sGssStrictAcceptor:
|
||||||
|
intptr = &options->gss_strict_acceptor;
|
||||||
|
goto parse_flag;
|
||||||
|
|
||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
|
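Review bot: The default written in fill_default_server_options, `options->gss_strict_acceptor = 0;`, contradicts the sshd_config.5 text added in the same commit, which states the default is yes. Before this change the acceptor name was always bound to the local hostname, so the documented default (strict) is also the one that preserves existing behaviour; with 0 the relaxed mode, in which any service key in the default store is accepted, becomes the silent default for every deployment that does not set the keyword. Either the assignment should read `options->gss_strict_acceptor = 1;` or the manual page should say no, and the two should agree before this merges. The rest of the plumbing (the -1 sentinel in initialize_server_options, the sGssStrictAcceptor enum and keyword table entries, and the parse_flag case) follows the pattern of gss_cleanup_creds exactly.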
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: servconf.h,v 1.118 2015/05/21 06:43:31 djm Exp $ */
|
/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
@ -118,6 +118,7 @@ typedef struct {
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
|
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||||
int password_authentication; /* If true, permit password
|
int password_authentication; /* If true, permit password
|
||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* If true, permit */
|
int kbd_interactive_authentication; /* If true, permit */
|
||||||
|
|
|
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
|
||||||
.Dd $Mdocdate: May 21 2015 $
|
.Dd $Mdocdate: May 22 2015 $
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -622,6 +622,21 @@ on logout.
|
||||||
The default is
|
The default is
|
||||||
.Dq yes .
|
.Dq yes .
|
||||||
Note that this option applies to protocol version 2 only.
|
Note that this option applies to protocol version 2 only.
|
||||||
|
.It Cm GSSAPIStrictAcceptorCheck
|
||||||
|
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||||
|
a client authenticates against.
|
||||||
|
If set to
|
||||||
|
.Dq yes
|
||||||
|
then the client must authenticate against the
|
||||||
|
.Pa host
|
||||||
|
service on the current hostname.
|
||||||
|
If set to
|
||||||
|
.Dq no
|
||||||
|
then the client may authenticate against any service key stored in the
|
||||||
|
machine's default store.
|
||||||
|
This facility is provided to assist with operation on multi homed machines.
|
||||||
|
The default is
|
||||||
|
.Dq yes .
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
as a comma-separated pattern list.
|
as a comma-separated pattern list.
|
||||||
|
|