Commit 4e8aa4da authored by Colin Watson's avatar Colin Watson

import openssh-5.6p1-gsskex-all-20110101.patch

parent 31e30b83
20110101
- Finally update for OpenSSH 5.6p1
- Add GSSAPIServerIdentity option from Jim Basney
20100308
- [ Makefile.in, key.c, key.h ]
Updates for OpenSSH 5.4p1
- [ servconf.c ]
Include GSSAPI options in the sshd -T configuration dump, and flag
some older configuration options as being unsupported. Thanks to Colin
Watson.
-
20100124
- [ sshconnect2.c ]
Adapt to deal with additional element in Authmethod structure. Thanks to
Colin Wilson
- [ clientloop.c ]
Protect credentials updated code with suitable #ifdefs. Thanks to Colin
Wilson
Colin Watson
20090615
- [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
......
......@@ -73,8 +73,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
ssh-pkcs11.o kexgssc.o
entropy.o gss-genr.o umac.o jpake.o schnorr.o kexgssc.o \
ssh-pkcs11.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
......
......@@ -851,6 +851,8 @@ key_ssh_name(const Key *k)
return "ssh-rsa-cert-v01@openssh.com";
case KEY_DSA_CERT:
return "ssh-dss-cert-v01@openssh.com";
case KEY_NULL:
return "null";
}
return "ssh-unknown";
}
......
......@@ -128,6 +128,7 @@ typedef enum {
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
oGssServerIdentity,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
......@@ -171,6 +172,7 @@ static struct {
{ "gssapidelegatecredentials", oGssDelegateCreds },
{ "gssapitrustdns", oGssTrustDns },
{ "gssapiclientidentity", oGssClientIdentity },
{ "gssapiserveridentity", oGssServerIdentity },
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
#else
{ "gssapiauthentication", oUnsupported },
......@@ -499,6 +501,10 @@ parse_flag:
charptr = &options->gss_client_identity;
goto parse_string;
case oGssServerIdentity:
charptr = &options->gss_server_identity;
goto parse_string;
case oGssRenewalRekey:
intptr = &options->gss_renewal_rekey;
goto parse_flag;
......@@ -1088,6 +1094,7 @@ initialize_options(Options * options)
options->gss_trust_dns = -1;
options->gss_renewal_rekey = -1;
options->gss_client_identity = NULL;
options->gss_server_identity = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
......
......@@ -51,6 +51,7 @@ typedef struct {
int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int gss_renewal_rekey; /* Credential renewal forces rekey */
char *gss_client_identity; /* Principal to initiate GSSAPI with */
char *gss_server_identity; /* GSSAPI target principal */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
......
......@@ -381,16 +381,20 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
......@@ -1684,7 +1688,10 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
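Review bot: In the keyword-table hunk, `gssusesessionccache` and `gssapiusesessioncredcache` are mapped to `sUnsupported` in both build variants, and `gssapicleanupcreds` becomes an undocumented alias of `GSSAPICleanupCredentials`. If `sUnsupported` is handled as upstream does (log a warning and continue), an sshd_config still carrying the two legacy credential-cache keys from an older gsskex patch will load successfully while the setting the administrator believes is in force has no effect; that is presumably the intent, but it deserves a comment at the entries, e.g. `/* legacy gsskex option names: accepted for compatibility, no longer have any effect */`. The alias should also be mentioned in sshd_config.5 if it is not already documented there. The dump_config hunk looks complete for the GSSAPI options it covers; the function itself continues past the last line shown.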
......
......@@ -519,6 +519,11 @@ Note that this option applies to protocol version 2 only.
If set, specifies the GSSAPI client identity that ssh should use when
connecting to the server. The default is unset, which means that the default
identity will be used.
.It Cm GSSAPIServerIdentity
If set, specifies the GSSAPI server identity that ssh should expect when
connecting to the server. The default is unset, which means that the
expected GSSAPI server identity will be determined from the target
hostname.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
......
......@@ -197,7 +197,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
kex->gss_deleg_creds = options.gss_deleg_creds;
kex->gss_trust_dns = options.gss_trust_dns;
kex->gss_client = options.gss_client_identity;
kex->gss_host = gss_host;
if (options.gss_server_identity) {
kex->gss_host = options.gss_server_identity;
} else {
kex->gss_host = gss_host;
}
}
#endif
......@@ -624,7 +628,9 @@ userauth_gssapi(Authctxt *authctxt)
int ok = 0;
const char *gss_host;
if (options.gss_trust_dns)
if (options.gss_server_identity)
gss_host = options.gss_server_identity;
else if (options.gss_trust_dns)
gss_host = get_canonical_hostname(1);
else
gss_host = authctxt->host;
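Review bot: The two hunks resolve the target principal in different orders: `userauth_gssapi` tests `options.gss_server_identity` before it consults `gss_trust_dns`, whereas `ssh_kex2` only substitutes `options.gss_server_identity` after `gss_host` has already been computed above the hunk. If that `gss_host` is obtained from `get_canonical_hostname()` as it is in `userauth_gssapi`, the DNS lookup is still performed and then discarded whenever a server identity is pinned, so the two code paths should be made to agree by checking the override before the lookup. In OpenSSH style the braces around the single-statement branches are also unnecessary; `kex->gss_host = options.gss_server_identity ? options.gss_server_identity : gss_host;` says the same thing. Both `ssh_kex2` and `userauth_gssapi` start before their hunks, and `userauth_gssapi` continues past the last line shown.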
......