upstream commit

add knob to relax GSSAPI host credential check for
 multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
 (kerberos/GSSAPI is not compiled by default on OpenBSD)

Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
This commit is contained in:
djm@openbsd.org 2015-05-22 03:50:02 +00:00 committed by Damien Miller
parent aa72196a00
commit d7c31da4d4
4 changed files with 56 additions and 20 deletions

View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
/* /*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -44,9 +44,12 @@
#include "channels.h" #include "channels.h"
#include "session.h" #include "session.h"
#include "misc.h" #include "misc.h"
#include "servconf.h"
#include "ssh-gss.h" #include "ssh-gss.h"
extern ServerOptions options;
static ssh_gssapi_client gssapi_client = static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@ -99,25 +102,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
char lname[NI_MAXHOST]; char lname[NI_MAXHOST];
gss_OID_set oidset; gss_OID_set oidset;
gss_create_empty_oid_set(&status, &oidset); if (options.gss_strict_acceptor) {
gss_add_oid_set_member(&status, ctx->oid, &oidset); gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
if (gethostname(lname, sizeof(lname))) { if (gethostname(lname, MAXHOSTNAMELEN)) {
gss_release_oid_set(&status, &oidset); gss_release_oid_set(&status, &oidset);
return (-1); return (-1);
} }
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
}
if ((ctx->major = gss_acquire_cred(&ctx->minor,
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
NULL, NULL)))
ssh_gssapi_error(ctx);
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset); gss_release_oid_set(&status, &oidset);
return (ctx->major); return (ctx->major);
} else {
ctx->name = GSS_C_NO_NAME;
ctx->creds = GSS_C_NO_CREDENTIAL;
} }
return GSS_S_COMPLETE;
if ((ctx->major = gss_acquire_cred(&ctx->minor,
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
ssh_gssapi_error(ctx);
gss_release_oid_set(&status, &oidset);
return (ctx->major);
} }
/* Privileged */ /* Privileged */

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.270 2015/05/21 06:43:30 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.271 2015/05/22 03:50:02 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
options->gss_cleanup_creds = -1; options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@ -276,6 +277,8 @@ fill_default_server_options(ServerOptions *options)
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_cleanup_creds == -1) if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1; options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 0;
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@ -397,7 +400,8 @@ typedef enum {
sBanner, sUseDNS, sHostbasedAuthentication, sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate, sHostCertificate,
@ -469,9 +473,11 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
#else #else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@ -1212,6 +1218,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
case sGssStrictAcceptor:
intptr = &options->gss_strict_acceptor;
goto parse_flag;
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;

View File

@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.118 2015/05/21 06:43:31 djm Exp $ */ /* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -118,6 +118,7 @@ typedef struct {
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */

View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
.Dd $Mdocdate: May 21 2015 $ .Dd $Mdocdate: May 22 2015 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -622,6 +622,21 @@ on logout.
The default is The default is
.Dq yes . .Dq yes .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
If set to
.Dq yes
then the client must authenticate against the
.Pa host
service on the current hostname.
If set to
.Dq no
then the client may authenticate against any service key stored in the
machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Dq yes .
.It Cm HostbasedAcceptedKeyTypes .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list. as a comma-separated pattern list.