openssh-3.6.1p2-gssapi-20030430.diff from Simon

[gssapi-openssh.git] / openssh / sshd.c

diff --git a/openssh/sshd.c b/openssh/sshd.c
index 0f2b2a3ce597496363d99d3b2d873be10981bced..2e0fee561ac2cea2c202f9e192f3a2ca91b0d607 100644 (file)
--- a/openssh/sshd.c
+++ b/openssh/sshd.c
@@ -85,6 +85,10 @@ RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
 
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
@@ -1013,10 +1017,13 @@ main(int ac, char **av)
                log("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
+#ifndef GSSAPI
+       /* The GSSAPI key exchange can run without a host key */
        if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
                log("Disabling protocol version 2. Could not load host key");
                options.protocol &= ~SSH_PROTO_2;
        }
+#endif
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                log("sshd: no hostkeys available -- exiting.");
                exit(1);
@@ -1816,10 +1823,52 @@ do_ssh2_kex(void)
        }
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
+#ifdef GSSAPI
+       { 
+       char *orig;
+       char *gss = NULL;
+       char *newstr = NULL;
+               orig = myproposal[PROPOSAL_KEX_ALGS];
+
+       /* If we don't have a host key, then all of the algorithms
+        * currently in myproposal are useless */
+       if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])==0)
+               orig= NULL;
+               
+        if (options.gss_keyex)
+               gss = ssh_gssapi_server_mechanisms();
+        else
+               gss = NULL;
+        
+       if (gss && orig) {
+               int len = strlen(orig) + strlen(gss) +2;
+               newstr=xmalloc(len);
+               snprintf(newstr,len,"%s,%s",gss,orig);
+       } else if (gss) {
+               newstr=gss;
+       } else if (orig) {
+               newstr=orig;
+       }
+        /* If we've got GSSAPI mechanisms, then we've also got the 'null'
+          host key algorithm, but we're not allowed to advertise it, unless
+          its the only host key algorithm we're supporting */
+       if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) {
+               myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]="null";
+       }
+       if (newstr)
+               myproposal[PROPOSAL_KEX_ALGS]=newstr;
+       else
+               fatal("No supported key exchange algorithms");
+        }
+#endif
+
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+#ifdef GSSAPI
+        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+#endif         
        kex->server = 1;
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;