-/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
#include "msg.h"
#include "pathnames.h"
#include "uidswap.h"
+#include "schnorr.h"
#include "jpake.h"
#ifdef GSSAPI
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
+extern Kex *xxx_kex;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
/* if it is set then prevent the switch to the null cipher */
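Review bot: The two comment lines added at L17–L18 duplicate the existing pair at L21–L22 word for word, so after the patch the same note about tty_flag appears twice within a few lines. Keep one copy adjacent to the `extern int tty_flag;` declaration and drop the other; the added block then reduces to `extern Kex *xxx_kex;` plus a blank line. The duplicated text suggests this hunk was rebased by hand, so it is worth checking whether a second `extern int tty_flag;` now follows L22 as well (harmless in C, but noise).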
else
gss_host = host;
- gss = ssh_gssapi_client_mechanisms(gss_host);
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
if (gss) {
debug("Offering GSSAPI proposal: %s", gss);
xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
"%s,null", orig);
+ xfree(gss);
}
#endif
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
#ifdef GSSAPI
- kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
- kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
- kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+ }
#endif
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
kex->verify_host_key=&verify_host_key_callback;
#ifdef GSSAPI
- kex->gss_deleg_creds = options.gss_deleg_creds;
- kex->gss_trust_dns = options.gss_trust_dns;
- kex->gss_host = gss_host;
+ if (options.gss_keyex) {
+ kex->gss_deleg_creds = options.gss_deleg_creds;
+ kex->gss_trust_dns = options.gss_trust_dns;
+ kex->gss_client = options.gss_client_identity;
+ kex->gss_host = gss_host;
+ }
#endif
xxx_kex = kex;
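Review bot: The GSS key-exchange handlers (`kex->kex[KEX_GSS_*]`, L42–L46) and the GSS kex parameters (L55–L60) are now installed only when `options.gss_keyex` is set, but the proposal that advertises those methods to the server is built in the earlier hunk around L26 (`ssh_gssapi_client_mechanisms`), and the start of that block is outside the visible lines. If the proposal is not under the same `options.gss_keyex` guard, the server could pick a GSS kex method whose `kex->kex[]` slot is NULL. Worth recording the invariant at the first guard: `/* GSS kex handlers are registered only under gss_keyex; the GSSAPI proposal above must use the same guard */`. The enclosing function starts and ends outside the hunk.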
void userauth_jpake_cleanup(Authctxt *);
#ifdef GSSAPI
-int userauth_external(Authctxt *authctxt);
int userauth_gssapi(Authctxt *authctxt);
-int userauth_gssapi_with_mic(Authctxt *authctxt);
-int userauth_gssapi_without_mic(Authctxt *authctxt);
void input_gssapi_response(int type, u_int32_t, void *);
void input_gssapi_token(int type, u_int32_t, void *);
void input_gssapi_hash(int type, u_int32_t, void *);
#ifdef GSSAPI
{"gssapi-keyex",
userauth_gsskeyex,
- &options.gss_authentication,
- NULL},
- {"external-keyx",
- userauth_external,
+ NULL,
&options.gss_authentication,
NULL},
{"gssapi-with-mic",
NULL,
&options.gss_authentication,
NULL},
- {"gssapi",
- userauth_gssapi,
- &options.gss_authentication,
- NULL},
#endif
{"hostbased",
userauth_hostbased,
* once. */
if (gss_supported == NULL)
- gss_indicate_mechs(&min, &gss_supported);
+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
+ gss_supported = NULL;
+ return 0;
+ }
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], gss_host)) {
+ &gss_supported->elements[mech], gss_host,
+ options.gss_client_identity)) {
ok = 1; /* Mechanism works */
} else {
mech++;
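Review bot: The new error check at L96 is an unbraced `if` nested directly inside `if (gss_supported == NULL)` (L94), which reads as a dangling-else hazard and is easy to mis-edit later; brace the outer statement, `if (gss_supported == NULL) {` ... `}`. The failure path also returns 0 with no diagnostic, so a GSSAPI library that cannot enumerate mechanisms looks the same as "nothing to offer"; a `debug("gss_indicate_mechs failed")` before the `return 0;` would make that distinguishable, and the minor status in `min` is available if more detail is wanted. Resetting `gss_supported` to NULL means a later attempt retries the call, which appears intended. The enclosing function starts and ends outside the hunk.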
oid->length) == 0))
#endif
-int
-userauth_external(Authctxt *authctxt)
-{
- static int attempt = 0;
-
- if (attempt++ >= 1)
- return 0;
-
- /* The client MUST NOT try this method if initial key exchange
- was not performed using a GSSAPI-based key exchange
- method. */
- if (gss_kex_context == NULL) {
- debug2("gsskex not performed, skipping external-keyx");
- return 0;
- }
-
- debug2("userauth_external");
- packet_start(SSH2_MSG_USERAUTH_REQUEST);
-#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- packet_put_cstring("");
- } else {
-#endif
- packet_put_cstring(authctxt->server_user);
-#ifdef GSI
- }
-#endif
- packet_put_cstring(authctxt->service);
- packet_put_cstring(authctxt->method->name);
- packet_send();
- packet_write_wait();
- return 1;
-}
int
userauth_gsskeyex(Authctxt *authctxt)
{
}
#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
} else {
#endif
- ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
- "gssapi-keyex");
+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
#ifdef GSI
}
#endif
packet_start(SSH2_MSG_USERAUTH_REQUEST);
#ifdef GSI
- if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
- packet_put_cstring("");
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
} else {
#endif
packet_put_cstring(authctxt->server_user);