xxx_hostaddr = hostaddr;
#ifdef GSSAPI
+ if (options.gss_keyex) {
/* Add the GSSAPI mechanisms currently supported on this client to
* the key exchange algorithm proposal */
orig = myproposal[PROPOSAL_KEX_ALGS];
myproposal[PROPOSAL_KEX_ALGS]=xmalloc(len);
snprintf(myproposal[PROPOSAL_KEX_ALGS],len,"%s,%s",gss,orig);
}
+ }
#endif
if (options.ciphers == (char *)-1) {
#ifdef GSSAPI
/* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */
- if (gss) {
+ if (options.gss_keyex && gss) {
orig=myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
len = strlen(orig)+sizeof(",null");
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]=xmalloc(len);
int
userauth_gssapi(Authctxt *authctxt)
{
- int i;
Gssctxt *gssctxt;
- static int tries=0;
-
- /* For now, we only make one attempt at this. We could try offering
- * the server different GSSAPI OIDs until we get bored, I suppose.
- */
- if (tries++>0) return 0;
+ static int mech=0;
if (datafellows & SSH_OLD_GSSAPI) return 0;
+ /* Try each mechanism in turn. Give up if we've tried all
+ supported mechanisms.
+ */
+ if (mech==GSS_LAST_ENTRY) return 0;
+
/* Initialise as much of our context as we can, so failures can be
* trapped before sending any packets.
*/
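Review bot: The new guard `if (mech==GSS_LAST_ENTRY) return 0;` is the only thing keeping the `supported_mechs[mech]` index in the following hunk inside the table, so it should be written as the bound it is, `if (mech >= GSS_LAST_ENTRY) return 0;`, and say so in its comment; `mech` is function-static and is only advanced by the `mech++` after the packet is sent, so the stricter form costs nothing and survives any later path that bumps the counter elsewhere. The new comment at the three added lines above that guard also drops the ` * ` continuation style used by the surrounding comments; a consistent version would be `/* Try each mechanism in turn, one per call; give up once every entry of supported_mechs has been offered. mech is static so the index persists across the per-attempt calls made for this connection. */`. Note that `mech` is never reset, which is presumably acceptable because one ssh process handles one connection, but that assumption is worth recording next to the declaration. userauth_gssapi begins in this hunk but its body continues into the next one, where the single mechanism is put on the wire and `mech++` runs.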
* This may not be the case - we should use something along
* the lines of the code in gss_genr to remove the ones that
* aren't supported */
- packet_put_int(GSS_LAST_ENTRY);
- for (i=0;i<GSS_LAST_ENTRY;i++) {
- packet_put_string(supported_mechs[i].oid.elements,
- supported_mechs[i].oid.length);
- }
+
+ /* Try one GSSAPI mechanism at a time. */
+ packet_put_int(1);
+ packet_put_string(supported_mechs[mech].oid.elements,
+ supported_mechs[mech].oid.length);
packet_send();
packet_write_wait();
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE,&input_gssapi_response);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,&input_gssapi_token);
+ mech++; /* Move to next mechanism for next time. */
+
return 1;
}
u_int slen;
if (authctxt == NULL)
- fatal("input_gssapi_response: no authentication context");
+ fatal("input_gssapi_token: no authentication context");
gssctxt = authctxt->methoddata;
recv_tok.value=packet_get_string(&slen);