-/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
#include "msg.h"
#include "pathnames.h"
#include "uidswap.h"
+#include "schnorr.h"
#include "jpake.h"
#ifdef GSSAPI
extern int tty_flag;
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
/*
* SSH2 key exchange
*/
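Review bot: The tty_flag hunk declares `extern int tty_flag;` three times (the existing line 12 plus the two added copies at lines 16 and 21) and repeats the same two-line comment twice; keep one declaration with one comment and drop the duplicated added block. A single form such as `/* tty_flag is set in ssh.c; ssh_userauth2 uses it to refuse the switch to the null cipher on interactive (tty) sessions. */` followed by one `extern int tty_flag;` says everything the two copies say. The ssh_userauth2 check itself is outside this hunk, so confirm the comment matches what it actually enforces.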
#ifdef GSSAPI
{"gssapi-keyex",
userauth_gsskeyex,
+ NULL,
&options.gss_authentication,
NULL},
{"gssapi-with-mic",
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
- const char *gss_host;
+ char *gss_host = NULL;
+
+ if (!options.gss_authentication) {
+ verbose("GSSAPI authentication disabled.");
+ return 0;
+ }
if (options.gss_trust_dns)
- gss_host = get_canonical_hostname(1);
+ gss_host = (char *)get_canonical_hostname(1);
else
- gss_host = authctxt->host;
+ gss_host = (char *)authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
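Review bot: The new `gss_host` assignments cast away const on both `get_canonical_hostname(1)` and `authctxt->host`, which only hides a prototype mismatch in whatever consumes gss_host later in the function (outside this hunk). Keep `const char *gss_host = NULL;` and drop the two `(char *)` casts; if the consumer takes `char *` but never writes through it, change its prototype to `const char *` instead. Writing through the cast pointer would modify a string owned by authctxt, which nothing here suggests is intended.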
if (status == GSS_S_COMPLETE) {
/* send either complete or MIC, depending on mechanism */
- if (!(flags & GSS_C_INTEG_FLAG)) {
+ if (strcmp(authctxt->method->name,"gssapi")==0 ||
+ (!(flags & GSS_C_INTEG_FLAG))) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
packet_send();
} else {
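Review bot: The widened condition now skips the MIC and sends SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE whenever the method name is the legacy `"gssapi"`, even when the context offers GSS_C_INTEG_FLAG, and the hunk gives no comment saying why. Add one, e.g. `/* the legacy "gssapi" method has no MIC; only "gssapi-with-mic" binds the context to this session's user-auth request */`, so a later reader does not "fix" it back to the flag-only test. Style: write the test as `strcmp(authctxt->method->name, "gssapi") == 0 ||` with spaces and without the extra parentheses around the flag test. The enclosing function starts and ends outside this hunk.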
xfree(lang);
}
+#ifdef GSI
+extern
+const gss_OID_desc * const gss_mech_globus_gssapi_openssl;
+#define is_gsi_oid(oid) \
+ (oid->length == gss_mech_globus_gssapi_openssl->length && \
+ (memcmp(oid->elements, gss_mech_globus_gssapi_openssl->elements, \
+ oid->length) == 0))
+#endif
+
int
userauth_gsskeyex(Authctxt *authctxt)
{
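Review bot: `is_gsi_oid` evaluates its `oid` argument three times and does not parenthesize it, so an argument containing an operator would misparse, and the `extern` split onto its own line reads as a stray keyword. A `static` function with the same name keeps the call sites unchanged and removes both hazards; it is only compiled under GSI, where the `gss_OID_desc` type it needs is already in scope. The memcmp is guarded by the length comparison, which is correct and should stay.
```c
#ifdef GSI
extern const gss_OID_desc * const gss_mech_globus_gssapi_openssl;

/* Non-zero iff oid names the Globus GSI mechanism; length and bytes must both match. */
static int
is_gsi_oid(const gss_OID_desc *oid)
{
	return oid->length == gss_mech_globus_gssapi_openssl->length &&
	    memcmp(oid->elements, gss_mech_globus_gssapi_openssl->elements,
	    oid->length) == 0;
}
#endif
```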
return (0);
}
- ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
- "gssapi-keyex");
+#ifdef GSI
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
+ } else {
+#endif
+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
+#ifdef GSI
+ }
+#endif
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
}
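Review bot: The condition `options.implicit && is_gsi_oid(gss_kex_context->oid)` is evaluated twice, once to pick the user name that goes into the MIC (line 78) and again to pick the user name placed in the USERAUTH_REQUEST (line 92); since the MIC is built over that user name, the two must never diverge, and the `{`/`}` pairs split across `#ifdef GSI` blocks at lines 80/85 and 94/98 make that easy to break. Compute the user name once before ssh_gssapi_buildmic and reuse it for packet_put_cstring, which also removes the preprocessor-split braces. The NULL check on gss_kex_context, if there is one, is outside this hunk; confirm it precedes the `->oid` dereference. userauth_gsskeyex starts before this hunk and continues past it.
```c
	const char *mic_user = authctxt->server_user;
#ifdef GSI
	/* implicit mode: MIC and request both carry an empty user name */
	if (options.implicit && is_gsi_oid(gss_kex_context->oid))
		mic_user = "";
#endif
	ssh_gssapi_buildmic(&b, mic_user, authctxt->service, "gssapi-keyex");
	/* … unchanged: gssbuf setup, packet_start … */
	packet_put_cstring(mic_user);
```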
packet_start(SSH2_MSG_USERAUTH_REQUEST);
+#ifdef GSI
+ if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+ packet_put_cstring("");
+ } else {
+#endif
packet_put_cstring(authctxt->server_user);
+#ifdef GSI
+ }
+#endif
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);